F5 Friday: The Dynamic VDI Security Game

Balancing security, speed, and scalability is easy if you have the right infrastructure. A dynamic infrastructure.
All the talk about “reusing” and “sharing” resources in highly virtualized and cloud computing environments makes it sound as if IT has never before understood how to leverage dynamic, on-demand services. After all, while Infrastructure 2.0 (dynamic infrastructure) may only have been given its moniker since the advent of cloud computing, it’s not as if it didn’t exist before then and organizations weren’t taking advantage of its flexibility. It’s a lot like devops: we’ve been talking about bridging that gap between operations and development for years now – we just never had a way to describe it so succinctly until devops came along. The ability to dynamically choose delivery profiles – whether those associated with acceleration and optimization or those associated with security – is an important facet of application delivery solutions in today’s highly virtualized and cloud computing environments. Call it “reuse” of policies, or “sharing” of profiles, whatever you like – this ability has been a standard feature of F5’s application delivery platform for a long, long time.
This dynamic, on-demand provisioning of services based on context is the defining characteristic of an Infrastructure 2.0 solution. In the case of VDI, and specifically VDI implemented using VMware View 4.5 or later, it comes down to the ability to dynamically provision the right encryption solution at the right time, which is paramount to the success of VDI when remote access is required.


Secure remote access (you know, for us remote and roaming folks who rarely see the inside of corporate headquarters) to hosted desktops that reside behind corporate firewalls (where they belong) requires tunneling all VMware View connections. Not an uncommon scenario in general, right? Tunneling access to corporate resources is a pretty common theme when talking secure remote access. The key here is secure, meaning encrypted, which for most applications delivered today via the Web means SSL.
For VMware View, when RDP (Remote Desktop Protocol) is the display protocol of choice, that means a solution that scales poorly because SSL processing on the View security servers is CPU intensive. And if PCoIP is chosen instead of RDP for its enhanced ability to deliver rich media and perform better over long distances, then the challenge becomes enabling security in an architecture in which it is not supported (PCoIP is UDP-based, which is not supported by View security servers). SSL VPN solutions can be used to tunnel PCoIP in SSL, but there’s a significant degradation of performance associated with that decision that will negatively impact the user experience.
So the challenge is: enable secure remote access to virtual desktops within the corporate data center without negatively impacting performance or scalability of the architecture.


This particular challenge can be met by using Datagram Transport Layer Security (DTLS) in lieu of SSL. DTLS is a derivative of TLS that provides the same security measures for UDP-based protocols as SSL provides for TCP-based protocols, without the performance degradation. F5 BIG-IP Edge Gateway supports both SSL and DTLS encryption tunnels. This becomes important because View security servers do not support DTLS, and while falling back to SSL may be an option, the performance degradation for the user combined with the increased utilization on View security servers to perform SSL operations does not make for a holistically successful implementation.
BIG-IP Edge Gateway addresses this challenge in three ways:
  1. BIG-IP Edge Gateway offloads the cryptographic processing from the servers, increasing the utilization and scalability of the supporting infrastructure and improving performance. Because the cryptographic processing is handled by dedicated hardware designed to accelerate and process such operations efficiently, the implementation scales better whether using DTLS, SSL, or a combination of the two.
  2. BIG-IP Edge Gateway can dynamically determine which encryption protocol to use depending on the display protocol and the client’s support for it for that user and device. It’s context-aware, and makes the decision when the client begins their session. It leverages a dynamic and reusable set of policies designed to aid in optimizing connectivity between the client and corporate resources based on conditions that exist at the time requests are made.
  3. Lastly, BIG-IP Edge Gateway automatically falls back to using TCP if a high-performance UDP tunnel cannot be established. This is an important capability, as a slower connection is generally preferred over no connection, and there are scenarios in which a high-performance UDP tunnel simply can’t be set up for the client.
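The decision path in points 2 and 3 above, as an added illustration that is not F5’s code and does not reflect how BIG-IP Edge Gateway’s policy engine is actually implemented: a gateway-side selector that picks DTLS for a UDP-based display protocol (PCoIP) when the client supports it, TLS over TCP otherwise, and falls back to TLS/TCP when a UDP path probe fails. The `ClientContext` fields, the probe format and the loopback stand-in servers are all constructed for this example; the block models the transport choice and fallback only and performs no real TLS or DTLS handshake.

```python
"""Context-aware tunnel selection with TCP fallback (constructed example)."""
import socket
import threading
from dataclasses import dataclass

# Display protocols named in the post and the transport each rides on.
# PCoIP is UDP-based, so its natural secure tunnel is DTLS; RDP is TCP-based, so TLS.
DISPLAY_TRANSPORT = {"PCoIP": "UDP", "RDP": "TCP"}


@dataclass
class ClientContext:
    """What the gateway knows when the session starts (constructed fields)."""
    display_protocol: str
    supports_dtls: bool


def choose_tunnel(ctx: ClientContext) -> str:
    """Pick the encryption tunnel from context: DTLS when the display protocol
    is UDP-based and the client can speak DTLS, otherwise TLS over TCP."""
    if ctx.display_protocol not in DISPLAY_TRANSPORT:
        raise ValueError(f"unknown display protocol {ctx.display_protocol!r}")
    if DISPLAY_TRANSPORT[ctx.display_protocol] == "UDP" and ctx.supports_dtls:
        return "DTLS"
    return "TLS"


def udp_tunnel_reachable(host: str, port: int, timeout: float = 0.5) -> bool:
    """Probe the UDP path by sending a datagram and waiting for it to be echoed.
    A silent drop (timeout) or an ICMP port-unreachable (surfaced as OSError)
    both mean the high-performance UDP tunnel cannot be set up."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"probe", (host, port))
            data, _ = s.recvfrom(64)
            return data == b"probe"
        except OSError:  # includes socket.timeout and ConnectionRefusedError
            return False


def establish_session(ctx: ClientContext, host: str, udp_port: int, tcp_port: int):
    """Return (tunnel, transport, fell_back) following the gateway's decision path."""
    tunnel = choose_tunnel(ctx)
    fell_back = False
    if tunnel == "DTLS":
        if udp_tunnel_reachable(host, udp_port):
            return ("DTLS", "UDP", False)
        # A slower TLS/TCP tunnel is preferred over no connection at all.
        tunnel, fell_back = "TLS", True
    with socket.create_connection((host, tcp_port), timeout=1):
        pass  # a real gateway would run the TLS handshake here
    return (tunnel, "TCP", fell_back)


def start_loopback_servers():
    """Start a UDP echo responder and a TCP acceptor on 127.0.0.1 as stand-ins
    for the gateway's listeners so the example runs offline; return their ports."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen()

    def udp_echo():
        while True:
            data, peer = udp.recvfrom(64)
            udp.sendto(data, peer)

    def tcp_accept():
        while True:
            conn, _ = tcp.accept()
            conn.close()

    threading.Thread(target=udp_echo, daemon=True).start()
    threading.Thread(target=tcp_accept, daemon=True).start()
    return udp.getsockname()[1], tcp.getsockname()[1]


def closed_udp_port() -> int:
    """Reserve and release an ephemeral UDP port so nothing is listening on it,
    simulating a path where the UDP tunnel cannot be established."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    udp_port, tcp_port = start_loopback_servers()
    for ctx in (ClientContext("PCoIP", True), ClientContext("PCoIP", False), ClientContext("RDP", True)):
        print(ctx, "->", establish_session(ctx, "127.0.0.1", udp_port, tcp_port))
    print("PCoIP with blocked UDP ->",
          establish_session(ClientContext("PCoIP", True), "127.0.0.1", closed_udp_port(), tcp_port))
```

The selector keys on two pieces of context only (display protocol and client DTLS support) because that is what the post says the gateway evaluates at session start; the probe-then-fallback step is what keeps a blocked or rate-limited UDP path from turning into a failed session rather than a slower one.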
Infrastructure should support security, not impede it. It’s great to be able to leverage the improvement in display protocol performance offered by PCoIP, but not at the expense of security. Leveraging an intermediary capable of dynamically providing the best security services for remote access to virtual desktops residing within the corporate data center means not having to sacrifice speed or scalability for security.

