VMware Horizon Community
lbragg
Contributor

How secure is View Security Gateway???

Ok--so we are in the middle of a pilot of View 4.6 and are getting ready to move toward production in the next few months.

Everything has been working really well and we just implemented the View security server in our DMZ.

Basically we have one Security Server in our DMZ with the appropriate ports opened up on the internal and external firewalls.

We have two internal connection servers with the Security Server only paired with one of them.

Everything is working great from the outside and I'm pretty impressed.

Here's the thing though, our IT managers do not have a "warm & fuzzy" about how secure it is.

I have been informed that RSA and Smart Cards are not an option in our environment, so basically what can I do to make them feel better about the security?

They are concerned that basically anybody out there trolling around will find the external IP and as soon as they hit it they are presented with a VMware View page where they can download the client.

Once they install the client it auto-populates our domain, so realistically all they would have to hack is a userid and password.  Once they get into the user's virtual desktop then they would have access to anything on our network that that user has access to.

With our VPN setup we use two-part authentication so they would have to hack a private encrypted key first and then the userid and password.

Is there a similar way to enable some sort of two-part authentication without RSA or Smart Card type setups?

Any suggestions would be welcome.

0 Kudos
3 Replies
markbenson
VMware Employee

These posts may help.

http://communities.vmware.com/message/1718545

http://communities.vmware.com/community/cto/desktop/blog/2010/12/13/secure-remote-access-with-view-a...

http://communities.vmware.com/docs/DOC-14974

Ultimately, if you want to use something stronger than password authentication, you'll need to introduce RSA SecurID or Smart Card authentication. You can have different authentication methods depending on location, so you can have a View environment where local users use password authentication and remote access users need to also use SecurID authentication. That way you limit SecurID use to remote access users only.

Another option is to still use password authentication, but introduce a stronger password policy in terms of password length, password expiry time, restricted login hours etc.

Hope this helps.

Mark.

0 Kudos
lbragg
Contributor

Mark--thanks for the info. I've read most of the articles you referenced. I was just wanting to make sure that RSA or Smart Card were the only two-part authentication avenues that VMware View supports. Didn't know if anyone was using anything else?

Also I think my main hurdle is making IT management feel confident that stronger user authentication is enough.

0 Kudos
markbenson
VMware Employee

Yes, the full list of authentication methods for View 4.6 is:

  • Active Directory Username/password.
  • Kerberos Realm Username/password in mixed AD/MIT Kerberos environments.
  • RSA SecurID.
  • X.509 Certificate (usually CAC/Smart Card).

More methods may be added in future versions.

Various third-party security vendors have innovative solutions to extend these methods. Also, there are options to add further authentication methods on the virtual desktops themselves.

An important feature of View Security Server is that the right to put any sort of desktop protocols into the green-zone of the data center is only available to authenticated users. Also, those authenticated users can only access virtual desktop pools that the user is authorized to access.

It is necessary to choose an appropriate authentication method according to your security requirements using one of the supported methods.

It is also possible to use View in conjunction with a third-party VPN using other authentication methods if that is required.

Mark.

0 Kudos