We recently discussed the perfect IT storm that is currently brewing in business. BYOD, Unified Access, Video, the Many Clouds, SDN… all happening at once, on current infrastructure, and yet demanding more.

Some of the comments you made further emphasized the need to have an architectural approach.

VXI/VDI deployments are no exception.

Discussing VDI deployments with our customers in EMEAR, two topics consistently sit at the centre of our conversations from an infrastructure standpoint:

– Security, which I’ll discuss in today’s post.

– Latency and user experience. Two recent posts, here and here, provide great insight on how to tackle this challenge.

I have therefore asked Steinthor Bjarnason (sbjarnas@cisco.com), Senior EMEAR Security Consultant, based out of Norway, to give me his perspective. He has 15 years’ experience in the security space, and his perspectives are drawn from numerous customer projects in both the Enterprise and the Service Provider space.

Q. Steinthor, what challenges are you seeing in VDI Deployments?

“The deployment of Virtual Desktop Infrastructure (VDI) solutions has dramatically increased in recent years, primarily due to the increase in remote workers but also due to the increased use of Bring-Your-Own-Device (BYOD). VDI solutions consolidate the user working environment within a virtual environment, creating pools of virtual machines (VMs), which give the users access to their workspace from any location using any type of device.

The challenge is that the different user groups (HR, Finance, Development, …) will require different types of access to their resources: HR users should only be allowed to access HR services, Finance users should only be allowed to access Finance services, etc.

Q. How has this challenge traditionally been addressed?

This has traditionally been solved by directing the different user groups to dedicated groups of servers which host the VMs for that specific group. The security privileges are then linked to the physical servers by using VLANs or other separation technologies. The user identification is done using the Connection Broker, which will then map the user to his server group and connect him to the least loaded server within that group.

This approach is both labour intensive and will result in sub-optimal usage of the different server groups. If many HR users connect at the same time, the servers hosting their VMs could be overloaded while the Finance servers could, at the same time, be lightly loaded.

Q. How are you addressing this problem for your customers?

Using TrustSec Security Group Tagging (see the recent post on “Demystifying the Catalyst: Cisco Context Aware Secure Access (Security Group Tags – SGT) Technology”), the approach explained above can be greatly simplified and, at the same time, increase the efficiency of the entire solution itself.

Q. How does that work?

(Figure: TrustSec SGA in a VDI environment)

  • Instead of grouping the servers and the VMs based on the user group, all servers and VMs are deployed in the same manner, creating a single pool of available VMs.
  • By deploying Cisco AnyConnect (3.0) on the VM images, it is possible to trigger 802.1X user authentication when the user connects to the VM.
  • The access switch to which the server hosting the VM connects will contact the Identity Services Engine (ISE) for authentication and authorization. ISE will return the appropriate Security Group Tag based on the user identity.
  • This tag can then be used to tag all the traffic from the VM which the user is using, making it possible to control the flow of data using SGTs instead of relying on which VLAN the user’s VM server is connected to.

This solution simplifies VDI deployment, as all VMs and servers can now be used for any type of user, removing the need to keep separate pools of VMs for each user group. Also, the requirement for advanced configuration of the Connection Broker is removed, making the entire VDI deployment a lot more streamlined and optimized.”

Thank you Steinthor.
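To make the flow Steinthor describes concrete, here is a small Python model added to this post (not Cisco code and not part of the original interview): a successful 802.1X authentication yields an SGT from “ISE”, the switch stamps that tag on the VM’s traffic, and an SGACL matrix keyed on (source SGT, destination SGT) decides access, so the VM host and VLAN play no part. The user names, tag numbers, resource names and the matrix itself are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed tag values and identities; not Cisco-assigned numbers.
SGT_UNKNOWN = 0                      # no successful 802.1X -> no tag
SGT_HR_USER, SGT_FIN_USER = 10, 11
SGT_HR_SERVERS, SGT_FIN_SERVERS = 20, 21

# What "ISE" would return for an authenticated identity (constructed directory).
USER_GROUP: Dict[str, str] = {"alice": "HR", "bob": "Finance"}
GROUP_SGT: Dict[str, int] = {"HR": SGT_HR_USER, "Finance": SGT_FIN_USER}

# Static classification of the server side (constructed).
RESOURCE_SGT: Dict[str, int] = {"hr-app": SGT_HR_SERVERS, "fin-app": SGT_FIN_SERVERS}

# SGACL matrix: (source SGT, destination SGT) -> permitted. Absent pairs are
# denied, so an untagged (unauthenticated) session can reach nothing.
SGACL: Dict[Tuple[int, int], bool] = {
    (SGT_HR_USER, SGT_HR_SERVERS): True,
    (SGT_FIN_USER, SGT_FIN_SERVERS): True,
}

@dataclass
class Session:
    user: Optional[str]
    vm: str
    vlan: int        # carried only to show it plays no part in the decision
    sgt: int = SGT_UNKNOWN

def authorize(user: Optional[str], vm: str, vlan: int) -> Session:
    """AnyConnect on the VM triggers 802.1X; the access switch asks 'ISE' for the SGT."""
    sgt = GROUP_SGT.get(USER_GROUP.get(user, ""), SGT_UNKNOWN)
    return Session(user, vm, vlan, sgt)

def tag_frame(session: Session, dst: str) -> dict:
    """The switch stamps the session's SGT on every frame the VM sends."""
    return {"sgt": session.sgt, "dst": dst, "vlan": session.vlan}

def enforce(frame: dict) -> bool:
    """Role-based enforcement: look up (source SGT, destination SGT); VLAN is ignored."""
    dst_sgt = RESOURCE_SGT.get(frame["dst"], SGT_UNKNOWN)
    return SGACL.get((frame["sgt"], dst_sgt), False)

def can_reach(user: Optional[str], vm: str, vlan: int, dst: str) -> bool:
    return enforce(tag_frame(authorize(user, vm, vlan), dst))

if __name__ == "__main__":
    # Two users (and an unauthenticated session) on the same host and VLAN.
    for u in ("alice", "bob", None):
        print(u, {d: can_reach(u, "vm-07", 100, d) for d in RESOURCE_SGT})
```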

Megatrends bring their own set of security challenges. Solving them architecturally, using technologies that can be pervasively deployed throughout the network, is in my opinion the only sustainable and cost-effective way.

I hope this has been useful. So now it’s your turn: how have you been addressing the VDI security challenges in your networks?

– TrustSec main page: http://www.cisco.com/go/TrustSec

– TrustSec Design Zone: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Eric Marin

Borderless Network Architecture, EMEAR