IT Server Architect Mike Nichol shares his resourceful solution to a dual-system sign-on problem
Although Microsoft Virtual PC 2004 is a versatile product, you probably don't think of it as a security tool. But when Mike Nichol, an IT server architect for Telstra Business Systems (TBS), a provider of managed IT services for converged networks (and subsidiary of the Australian telecom giant Telstra), needed to find a simple method to let TBS staff log on to a remote customer's system, he turned to Virtual PC 2004 for the solution. I spoke with Mike about his innovative use of Microsoft's free desktop virtualization product and his current biggest security challenge.
Explain the security problem that you needed to solve.
We were providing managed services to a customer whose legacy network didn't adhere to TBS's security requirements—in fact, their corporate network actually linked into their phone network. We were at pains to avoid connecting that system to TBS's corporate network, particularly so we didn't compromise our own security. Also, we do managed services for a lot of government and corporate bodies and have to adhere to stringent security requirements. Plugging into an unsecure network would void all those requirements.
But the TBS staff members who were involved in the day-to-day business of providing managed services to that customer had to have some connectivity to the client's network and also connect to our corporate WAN. In the past, we accomplished this by giving the staff members two separate PCs on their desktops: a PC connected to the TBS network and another that they used to connect to the client's network. As you can imagine, this solution was awkward to use and took up a lot of space on the desk.
What made you think of using Virtual PC 2004 to solve the sign-on problem?
Sometimes the obvious solution is to try and make the client's network more secure, so we do that. But this client—for their own security requirements—didn't want us plugging into their network. I'm a great believer in working smarter, not harder, and using existing technology to do so. We needed a low-cost, easy-to-use solution that our existing staff could support without needing additional training. Virtual PC 2004 fit those requirements.
How does the solution work?
We provided our standard operating environment PCs with additional RAM—we increased RAM from 512MB to 1GB—dual NICs, and dual screens. We then ran Virtual PC 2004 with a dedicated NIC patched into the existing customer LAN and unbound this from the host PC to prevent any cross-connectivity. In the morning when our users come in, they turn on their PCs and log on as they normally would to the corporate network (the host), usually just by simply clicking an icon to get to the customer's network. Some of our users spend most of their time in the customer's legacy network, whereas others jump between the two networks. When we introduced the solution, some of the users were a little skeptical, just because it was new technology. But then, a month or two into it, it was business as usual, and some of the users even forget that they're on a virtual system.
The solution's simplicity is what makes it such a good fit for our organization and our customers. We used Virtual PC 2004 in a different way than most IT pros would typically consider using it and as a result saved additional cost and desk space and provided ease of use for our clients. The end result is supportable and complies with existing and future security requirements. We're now using our Virtual PC solution and variations of it across the company in both lab and production environments.
You solved the dual sign-on problem fairly easily by applying a widely used technology in an original way. What's the biggest security issue you now face?
I guess the biggest security challenge for us is our own workforce, not so much technically as in social engineering. We've got almost 200 technicians who work out in the field with clients providing managed services as well as corporate PABX [private automatic branch exchange, aka PBX] services. They use laptops to plug in to a client's network via a serial port or Internet cable and have access to clients' networks that they normally wouldn't have on our corporate network. Additionally, they need to keep their machines up to date and make sure that they're clean because we don't want the technicians to infect the clients—or the clients to infect our network.
What have you done to make your technical staff more security conscious?
As we in IT make personal contact with staff, we try to approach security from the point of view that we're not trying to stop you from doing your job or tell you what to do, we're only trying to make sure everyone's safe. Once most people understand that, they realize that you're not just trying to be the security police; you really are trying to help them. You're not imposing a particular security policy because you don't want them to have MP3s, for example, you're doing it for a purpose: to keep our corporate network and customers secure.
I think IT tends to impose security policy in a blanket fashion. I think I realized a number of years ago, when someone came back to me and said, "Well, why is there a security problem? Can you explain it to me?" that you can't just impose a policy with no explanation. People will resent that. But if you go the extra little bit and explain—for example, we're locking this down for these reasons—users still might not be happy with the restriction, but they'll be more understanding about it.