Securing Desktops with Flow

Flow application security policies can prevent VMs from communicating with each other while still allowing inbound and outbound access. This is well suited to applications such as web server farms, or even desktop pools, where blocking lateral movement between VMs is critical to containing an attack.

In this task we will place desktop VMs into an application policy as part of an application tier that restricts VM-to-VM communication within the tier. The desktops will keep normal inbound and outbound access, but traffic between desktops will be blocked.

Categorizing the Desktop VMs

  1. In Prism Central, select the menu > Virtual Infrastructure > Categories.

  2. Select the checkbox for AppType and click Actions > Update.

  3. Click the icon beside the last value to add an additional Category value.

  4. Specify Initials-FrameDesktops as the value name.

  5. Click Save.

  6. Select the checkbox for AppTier and click Actions > Update.

  7. Click the icon beside the last value to add an additional Category value.

  8. Specify Initials-Frame-W10NP as the value name.

  9. Click Save.

    Next we need to ensure all of our Frame desktops are running for testing. We also need to determine which frame-instance-prod… VMs in Prism Central belong to your Frame account, since the policy must be attached to those VMs and no others.

  10. Return to the Frame Admin Portal. Select Capacity from the sidebar and increase your Minimum number of instances to 3 and click Save. This will ensure all 3 VMs are booted once the new image is published.


    Note

    Depending on your prior configuration, you may need to decrease Buffer instances to 0.

  11. Select Status from the sidebar and copy the Machine ID for your Sandbox VM.

  12. In Prism Central > Virtual Infrastructure > VMs, paste the Machine ID into the Name filter to identify your Sandbox VM.

  13. Select the VM and click Actions > Manage Categories. Copy the FrameAccountID value that corresponds to your Frame account, then click Cancel so that no category change is made to this VM.

  14. In Prism Central > Virtual Infrastructure > VMs, paste the FrameAccountID into the Category filter to identify your Frame VMs. Select all of your frame-instance-prod… VMs and click Actions > Manage Categories.

  15. Specify AppType:Initials-FrameDesktops in the search bar.

  16. Click the icon beside the last value to add AppTier:Initials-Frame-W10NP and click Save.


Creating a Desktop Security Policy

  1. In Prism Central, select the menu > Policies > Security Policies.

  2. Click Create Security Policy > Secure Applications (App Policy) > Create.

  3. Fill out the following fields:

    • Name - Initials-FrameDesktops

    • Purpose - Restrict unnecessary traffic between Frame desktops

    • Secure this app - AppType: Initials-FrameDesktops

    • Do NOT select Filter the app type by category.

  4. Click Next.

  5. If prompted, click OK, Got it! on the tutorial diagram of the Create App Security Policy wizard.

  6. To allow for more granular configuration of the security policy, click Set rules on App Tiers instead, rather than applying the same rules to every desktop group in the app.

  7. Click + Add Tier.

  8. Select AppTier:Initials-Frame-W10NP from the drop down.

  9. Repeat Steps 7-8 for AppTier:Default.


    Next you will define the Inbound rules, which control which sources you will allow to communicate with your application. In this lab we allow all inbound traffic for simplicity; in production you would normally keep Whitelist Only and list just the sources the desktops need (for example the Frame gateway and management subnets). Note that inbound and outbound rules govern traffic between the application and everything outside it; traffic between VMs that are both inside the application is governed only by the rules within the app, which you will set in a later step.

  10. On the left side of the policy edit page, change Inbound from Whitelist Only to Allow All.

  11. Repeat the previous step to also change Outbound to Allow All.

  12. To define intra-desktop communication, click Set Rules within App.

  13. Click AppTier:Initials-Frame-W10NP and select No to prevent communication between VMs in this tier. This will block desktops from communicating with each other.

  14. While AppTier:Initials-Frame-W10NP is still selected, click the icon to the right of AppTier:Default to create a tier-to-tier rule from the desktop tier to the Default tier.

  15. Fill out the following fields to allow TCP port 7680 (Windows Delivery Optimization) from the Frame desktops to VMs in the Default tier, so that peer-to-peer Windows updates keep working:

    • Protocol - TCP

    • Ports - 7680

  16. Click Save.

  17. Click Next to review the security policy.

  18. Click Save and Monitor to save the policy. In Monitor mode the policy is not yet enforced; it only records the flows it would affect, so nothing changes on the network until you apply it.

Verifying Desktop Security

  1. Return to the Frame Admin Portal. Select Status from the sidebar and note the Private IP addresses of your desktop VMs.

  2. Click Launchpad and log into your Frame Desktop.

  3. Within the desktop, open a Command Prompt and run ping -t ANOTHER-FRAME-VM-IP to start a continuous ping to one of the other Frame desktops.


    Can you ping between the desktops now? Why?

  4. In Prism Central > Policies > Security Policies, select the Initials-FrameDesktops policy.

  5. Click Actions > Apply.

  6. Type APPLY and click OK to apply the Desktop security policy.

    What happens to the continuous ping between the desktops?
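    To make the answers to the two questions above concrete, the following is an added example (not Nutanix code and not part of the original lab) that models how the policy built in the previous section evaluates a flow: inbound and outbound Allow All, no traffic inside the AppTier:Initials-Frame-W10NP tier, and a single tier-to-tier rule for TCP 7680 towards AppTier:Default. The model assumes that traffic between two members of the app is decided only by the rules within the app, that tier-to-tier rules are directional (new connections only; replies to an allowed connection are not evaluated separately), and that Monitor mode drops nothing. The VM names, categories and the update-peer VM are constructed sample data.

```python
"""Simplified model of the Flow app policy from this lab (added example, not Nutanix code)."""
from dataclasses import dataclass, field

APP = "Initials-FrameDesktops"          # value created under AppType
DESKTOP_TIER = "Initials-Frame-W10NP"   # value created under AppTier
DEFAULT_TIER = "Default"


@dataclass
class VM:
    name: str
    categories: dict = field(default_factory=dict)   # e.g. {"AppType": ..., "AppTier": ...}


@dataclass
class TierRule:
    src_tier: str
    dst_tier: str
    protocol: str     # "TCP", "UDP" or "ICMP"
    ports: set        # empty for ICMP; modelled as directional src -> dst (assumption)


@dataclass
class AppPolicy:
    app_type: str
    inbound: str = "ALLOW_ALL"      # or "WHITELIST"
    outbound: str = "ALLOW_ALL"
    intra_tier_allowed: dict = field(default_factory=dict)   # tier -> bool, default True
    tier_rules: list = field(default_factory=list)
    mode: str = "MONITOR"           # or "APPLY"

    def member_tier(self, vm):
        """Tier of vm inside this app, or None if the VM is not secured by it."""
        if vm.categories.get("AppType") != self.app_type:
            return None
        return vm.categories.get("AppTier")

    def allows(self, src, dst, protocol, port=None):
        """Return (allowed, reason) for a new connection src -> dst."""
        if self.mode == "MONITOR":
            return True, "monitor mode: flow is logged, never dropped"
        s, d = self.member_tier(src), self.member_tier(dst)
        if s is None and d is None:
            return True, "neither VM is in the app; this policy does not apply"
        if s is not None and d is not None:
            # Both ends are inside the app: only the rules within the app matter,
            # regardless of inbound/outbound Allow All.
            if s == d:
                ok = self.intra_tier_allowed.get(s, True)
                return ok, f"intra-tier rule for {s}: {'allow' if ok else 'deny'}"
            for r in self.tier_rules:
                if (r.src_tier, r.dst_tier, r.protocol) == (s, d, protocol) and (
                    protocol == "ICMP" or port in r.ports
                ):
                    return True, f"tier rule {s} -> {d} {protocol} {sorted(r.ports)}"
            return False, f"no tier rule {s} -> {d} for {protocol}/{port}"
        if d is not None:
            return self.inbound == "ALLOW_ALL", f"inbound is {self.inbound}"
        return self.outbound == "ALLOW_ALL", f"outbound is {self.outbound}"


def lab_policy(mode="MONITOR"):
    """The policy as configured in the 'Creating a Desktop Security Policy' steps."""
    return AppPolicy(
        app_type=APP,
        inbound="ALLOW_ALL",
        outbound="ALLOW_ALL",
        intra_tier_allowed={DESKTOP_TIER: False},          # 'No' on the desktop tier
        tier_rules=[TierRule(DESKTOP_TIER, DEFAULT_TIER, "TCP", {7680})],
        mode=mode,
    )


# Constructed sample inventory; names are made up for the example.
DESKTOP_A = VM("frame-instance-prod-a", {"AppType": APP, "AppTier": DESKTOP_TIER})
DESKTOP_B = VM("frame-instance-prod-b", {"AppType": APP, "AppTier": DESKTOP_TIER})
UPDATE_PEER = VM("update-peer", {"AppType": APP, "AppTier": DEFAULT_TIER})
ADMIN_PC = VM("admin-pc", {})   # not categorised, so outside the app


def lab_checks(mode):
    """Outcome of the connectivity checks a tester would run, keyed by check name."""
    p = lab_policy(mode)
    return {
        "desktop_ping_desktop": p.allows(DESKTOP_A, DESKTOP_B, "ICMP")[0],
        "desktop_smb_desktop": p.allows(DESKTOP_A, DESKTOP_B, "TCP", 445)[0],
        "desktop_7680_to_default": p.allows(DESKTOP_A, UPDATE_PEER, "TCP", 7680)[0],
        "default_7680_to_desktop": p.allows(UPDATE_PEER, DESKTOP_A, "TCP", 7680)[0],
        "admin_rdp_to_desktop": p.allows(ADMIN_PC, DESKTOP_A, "TCP", 3389)[0],
        "desktop_https_out": p.allows(DESKTOP_A, ADMIN_PC, "TCP", 443)[0],
    }


if __name__ == "__main__":
    for mode in ("MONITOR", "APPLY"):
        print(f"--- {mode} ---")
        for name, ok in lab_checks(mode).items():
            print(f"{name:28s} {'allowed' if ok else 'BLOCKED'}")
```

    Running the model shows why the continuous ping succeeds while the policy is in Monitor mode and stops as soon as it is applied: both desktops sit in the same tier whose intra-tier rule is No, and the inbound/outbound Allow All settings never come into play for a flow whose source and destination are both inside the app. The desktop-to-Default TCP 7680 flow and traffic to or from uncategorised machines stay allowed.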

Takeaways

  • Application policies can be used to protect virtual infrastructure like desktops, as well as traditional applications.

  • In this exercise you utilized Flow to block traffic between desktops, a simple policy that removes unneeded access between desktop VMs and limits the lateral movement of malware across a desktop pool.

  • Monitor mode is used to visualize traffic to the defined application, but Apply mode enforces the policy.