Securing Desktops with Flow

Another benefit of running virtual desktop workloads on Nutanix AHV is the ability to take advantage of native microsegmentation capabilities with Flow. Flow provides the ability to graphically monitor and model powerful East/West firewall rules between VMs, and control inbound and outbound access. This is perfect for applications such as web servers, or even desktops, where preventing the spread of VM to VM traffic is critical to stop attacks.

In this task we will place desktop VMs into an application policy as part of an application tier that restricts VM to VM communication within the tier. The desktops will have normal inbound and outbound access, but traffic between desktops will be blocked.

Categorizing the Desktop VMs

  1. In Prism Central, select > Virtual Infrastructure > Categories.

  2. Select the checkbox for AppType and click Actions > Update.

    ../../../_images/119.png

  3. Click the icon beside the last value to add an additional Category value.

  4. Specify Initials-Desktops as the value name.

    ../../../_images/226.png

  5. Click Save.

  6. Select the checkbox for AppTier and click Actions > Update.

  7. Click the icon beside the last value to add an additional Category value.

  8. Specify Initials-PD.

  9. Click the again and specify Initials-NPD.

    ../../../_images/325.png

  10. Click Save.

  11. In Prism Central, select > Virtual Infrastructure > VMs.

  12. Use the checkbox to select the persistent desktop VMs Initials-PD and navigate to Actions > Manage Categories.

    ../../../_images/412.png

  13. Specify AppType:Initials-Desktops in the search bar.

  14. Click the icon beside the last value to add AppTier:Initials-PD and click the Save.

    ../../../_images/514.png

  15. Repeat the previous steps to assign the AppType:Initials-Desktops and AppTier:Initials-NPD categories to the non-persistent desktops.

Creating a Desktop Security Policy

  1. In Prism Central, select > Policies > Security Policies.

  2. Click Create Security Policy > Secure Applications (App Policy) > Create.

  3. Fill out the following fields:

    • Name - Initials-Desktops

    • Purpose - Restrict unnecessary traffic between desktops

    • Secure this app - AppType: Initials-Desktops

    • Do NOT select Filter the app type by category.

    ../../../_images/66.png

  4. Click Next.

  5. If prompted, click OK, Got it! on the tutorial diagram of the Create App Security Policy wizard.

  6. To allow for more granular configuration of the security policy, click Set rules on App Tiers, instead rather than applying the same rules to all desktop groups.

    ../../../_images/75.png

  7. Click + Add Tier.

  8. Select AppTier:Initials-PD from the drop down.

  9. Repeat Steps 7-8 for AppTier:Initials-NPD.

    ../../../_images/85.png

    Next you will define the Inbound rules, which control which sources you will allow to communicate with your application. In this case we want to allow all inbound traffic.

  10. On the left side of the policy edit page, change Inbound from Whitelist Only to Allow All

    ../../../_images/95.png

  11. Repeat the previous step to also change Outbound to Allow All.

  12. To define intra-desktop communication, click Set Rules within App.

    ../../../_images/105.png

  13. Click AppTier:Initials-PD and select No to prevent communication between VMs in this tier. This will block persistent desktops from communicating with each other.

    ../../../_images/1110.png

  14. While AppTier:Initials-PD is still selected, click the icon to the right of AppTier:Initials-NPD to create a tier to tier rule.

  15. Fill out the following fields to allow communication on TCP port 7680 between the persistent and non-persistent tiers to allow peer-to-peer Windows updates:

    • Protocol - TCP

    • Ports - 7680

    ../../../_images/127.png

  16. Click Save.

  17. Select AppTier:Initials-NPD and select No to block VM to VM communication for the non-persistent desktops.

  18. Click Next to review the security policy.

  19. Click Save and Monitor to save the policy.

Verifying Desktop Security

  1. Use the Prism Central VM list to note the IP addresses of your persistent desktops.

  2. From your Initials-WinToolsVM, open http://ddc.ntnxlab.local/Citrix/NTNXLABWeb in a browser to access the Citrix StoreFront server.

  3. Specify the following credentials and click Log On:

    • Username - NTNXLAB\devuser01

    • Password - nutanix/4u

  4. Select the Desktops tab and click your Personal Win10 Desktop to launch the session.

  5. In the persistent desktop, Open a Command Prompt and run ping -t XYZ-PD-VM-IP to verify connectivity between the persistent desktops.

    ../../../_images/136.png

    Can you ping between the desktops now? Why?

  6. In Prism Central > Policies > Security Policies, select the Initials-Desktops policy.

  7. Click Actions > Apply.

    ../../../_images/146.png

  8. Type APPLY and click OK to apply the Desktop security policy.

    What happens to the continuous ping between the desktops?

Takeaways

  • In this exercise you utilized Flow to block traffic between desktops to prevent the spread of malware.

  • Monitor mode is used to visualize traffic to the defined application, but Apply mode enforces the policy.

  • Application policies can be used to protect desktops as well as traditional applications.