F5 Friday: The Dynamic VDI Security Game
Balancing security, speed, and scalability is easy if you have the right infrastructure. A dynamic infrastructure.
All the talk about “reusing” and “sharing” resources in highly virtualized and cloud computing environments makes it sound as if IT has never before understood how to leverage dynamic, on-demand services. After all, while Infrastructure 2.0 (dynamic infrastructure) may only have been given its moniker since the advent of cloud computing, it’s not as if it didn’t exist before then and organizations weren’t taking advantage of its flexibility. It’s a lot like devops: we’ve been talking about bridging the gap between operations and development for years now – we just never had a way to describe it so succinctly until devops came along. The ability to dynamically choose delivery profiles – whether those associated with acceleration and optimization or those associated with security – is an important facet of application delivery solutions in today’s highly virtualized and cloud computing environments. Call it “reuse” of policies, or “sharing” of profiles, whatever you like – this ability has been a standard feature of F5’s application delivery platform for a long, long time.
This dynamic, on-demand provisioning of services based on context is the defining characteristic of an infrastructure 2.0 solution. In the case of VDI, and specifically VDI implemented using VMware View 4.5 or later, it’s specifically about the ability to dynamically provision the right encryption solution at the right time, which is paramount to the success of VDI when remote access is required.
THE CHALLENGE
Secure remote access (you know, for us remote and roaming folks who rarely see the inside of corporate headquarters) to hosted desktops that reside behind corporate firewalls (where they belong) requires tunneling all VMware View connections. Not an uncommon scenario in general, right? Tunneling access to corporate resources is a pretty common theme when talking secure remote access. The key here is secure, meaning encrypted, which for most applications delivered today via the Web means SSL.
For VMware View when RDP (remote desktop protocol) is the protocol of choice, that means a solution that scales poorly due to the intensive CPU consumption for SSL by the View security servers. And if PCoIP is chosen for its enhanced ability to deliver rich-media and perform better over long distances instead of RDP, then the challenge becomes enabling security in an architecture in which it is not supported (PCoIP is UDP based, which is not supported by View security servers). SSL VPN solutions can be leveraged and tunnel PCoIP in SSL, but there’s a significant degradation of performance associated with that decision that will negatively impact the user experience.
So the challenge is: enable secure remote access to virtual desktops within the corporate data center without negatively impacting performance or scalability of the architecture.
THE SOLUTION
This particular challenge can be met by employing Datagram Transport Layer Security (DTLS) in lieu of SSL. DTLS is a derivative of TLS that provides the same security measures for UDP-based protocols as SSL provides for TCP-based protocols, without the performance degradation. F5 BIG-IP Edge Gateway supports both SSL and DTLS encryption tunnels. This becomes important because View security servers do not support DTLS, and while falling back to SSL may be an option, the performance degradation for the user combined with the increased utilization on View security servers to perform SSL operations does not make for a holistically successful implementation.
BIG-IP Edge Gateway addresses this challenge in three ways:
- BIG-IP Edge Gateway offloads the cryptographic processing from the servers, increasing utilization and scalability of the supporting infrastructure and improving performance. Because the cryptographic processing is handled by dedicated hardware designed to accelerate and process such operations efficiently, the implementation scales better whether using DTLS or SSL or a combination of both.
- BIG-IP Edge Gateway can dynamically determine which encryption protocol to use depending on the display protocol and client support for that user and device. It’s context-aware, and makes the decision when the client begins their session. It leverages a dynamic and reusable set of policies designed to aid in optimizing connectivity between the client and corporate resources based on conditions that exist at the time requests are made.
- Lastly, BIG-IP Edge Gateway automatically falls back to using TCP if a high-performance UDP tunnel cannot be established. This is an important capability, as a slower connection is generally preferred over no connection, and there are scenarios in which a high-performance UDP tunnel simply can’t be set up for the client.
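The three behaviors above, modeled as an added example (not F5 code and not how BIG-IP Edge Gateway is implemented): a context-aware choice of DTLS or TLS at session start, a UDP reachability probe, and fallback to TLS over TCP when no UDP tunnel can be established. The function names, the probe/ack messages and the local UDP responder are constructed for the example; the responder with `answer=False` stands in for a network path where UDP is blocked.

```python
import socket
import threading

# Constructed model: tunnel selection by session context, UDP probe, TCP fallback.

def select_tunnel(display_protocol: str, client_supports_dtls: bool) -> str:
    """Pick the encryption tunnel from the session's context at connect time."""
    if display_protocol.upper() == "PCOIP" and client_supports_dtls:
        return "DTLS"  # UDP display protocol and a client that can do DTLS
    return "TLS"       # RDP (TCP), or a client that cannot speak DTLS

def udp_tunnel_available(host: str, port: int, timeout: float = 0.5) -> bool:
    """Probe for a usable UDP path: one datagram out, wait for the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"probe", (host, port))
            data, _ = s.recvfrom(64)
            return data == b"probe-ack"
        except OSError:    # timeout or ICMP port unreachable: no UDP path
            return False

def establish_tunnel(display_protocol: str, client_supports_dtls: bool,
                     host: str, port: int) -> str:
    """Choose a tunnel, then fall back to TLS over TCP if UDP is blocked."""
    chosen = select_tunnel(display_protocol, client_supports_dtls)
    if chosen == "DTLS" and not udp_tunnel_available(host, port):
        return "TLS"   # a slower connection is preferred over no connection
    return chosen

def start_udp_responder(answer: bool = True) -> int:
    """Constructed stand-in for a gateway; answer=False models a blocked path."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        data, peer = srv.recvfrom(64)
        if answer and data == b"probe":
            srv.sendto(b"probe-ack", peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(establish_tunnel("PCoIP", True, "127.0.0.1", start_udp_responder()))
    print(establish_tunnel("PCoIP", True, "127.0.0.1", start_udp_responder(False)))
```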
Infrastructure should support security, not impede it. It’s great to be able to leverage the improvement in display protocol performance offered by PCoIP, but not at the expense of security. Leveraging an intermediary capable of dynamically providing the best security services for remote access to virtual desktops residing within the corporate data center means not having to sacrifice speed or scalability for security.
Related blogs & articles:
- WILS: The Importance of DTLS to Successful VDI
- F5 Friday: It’s a Data Tsunami for Service Providers
- F5 Friday: Beyond the VPN to VAN
- All F5 Friday Posts on DevCentral
- Some Services are More Equal than Others
- Service Delivery Networking Presentation
- Why Virtualization is a Requirement for Private Cloud Computing
- What is Network-based Application Virtualization and Why Do You Need It?
- You Can’t Have IT as a Service Until IT Has Infrastructure as a Service