1 Reply Latest reply on Feb 19, 2018 5:59 AM by carruzzom

    Prevent Changes to User's Hard Drive Like Deep Freeze

    tecole Lurker

      I work at a government agency and security is our number one concern. Mirage helps with keeping laptops up-to-date, but does not prevent malware from persisting on users' computers. Yes, I know there are backups and enforced base images, but that assumes that we are even aware of the malware. We're against sophisticated adversaries, such as foreign governments, who use custom zero-day exploits. This stuff is hard to detect.

       

      For our desktops, we use Citrix Provisioning Server, and it not only allows updating images like Mirage, but also prevents malware from persisting. On each boot of the computer it reverts to the single gold image. This is ideal for security, but doesn't work with laptops.

       

      Faronics Deep Freeze causes all writes to a laptop's hard drive to get discarded on reboot. This solves the problem of persistent malware on laptops. Unfortunately, it doesn't seem practical to integrate it with Mirage. All of the changes downloaded by Mirage would also get discarded on reboot. Deep Freeze does allow rebooting into a "thawed" mode to do updates, but the process would be very awkward. Once the user was aware of an update, they'd have to reboot into thawed mode, let Mirage download all the updates, reboot to apply the updates, then reboot again to frozen mode. And presumably no work could be done during this whole period, since the machines would be vulnerable to malware while in thawed mode. Our users are not that patient.

       

      I don't think it would be that difficult for VMware to create their own version of a frozen hard drive and integrate it with Mirage. There are other implementations of read-only hard drives, such as the write filters in Win 7 embedded. Some people have even rolled their own by booting from differencing VHD files. The challenge with all this stuff isn't preventing writes to the hard drive, but making it easy to update the image. And that's where Mirage shines.

       

      If this feature were implemented I think it would be a significant selling point for Mirage. I've noticed that some of your competitors such as Citrix XenClient and MokaFive have touted the ability to use nonvolatile images as a security advantage. Even VMware touts this as a big advantage to using virtual desktops on View, but of course there are times when laptops with all software installed locally make sense. If Mirage had this ability it would provide the best of both worlds. In my organization, I could foresee Mirage going from a small project to an enterprise-wide deployment. Security is that important to us. Thanks.