Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
October 2006

Virtual PC Security Solution

IT Server Architect Mike Nichol shares his resourceful solution to a dual-system sign-on problem

Although Microsoft Virtual PC 2004 is a versatile product, you probably don't think of it as a security tool. But when Mike Nichol, an IT server architect for Telstra Business Systems (TBS), a provider of managed IT services for converged networks (and subsidiary of the Australian telecom giant Telstra), needed to find a simple method to let TBS staff log on to a remote customer's system, he turned to Virtual PC 2004 for the solution. I spoke with Mike about his innovative use of Microsoft's free desktop virtualization product and his current biggest security challenge.

Explain the security problem that you needed to solve.
We were providing managed services to a customer whose legacy network didn't adhere to TBS's security requirements—in fact, their corporate network actually linked into their phone network. We were at pains to avoid connecting that system to TBS's corporate network, particularly so we didn't compromise our own security. Also, we do managed services for a lot of government and corporate bodies and have to adhere to stringent security requirements. Plugging into an unsecure network would void all those requirements.

But the TBS staff members who were involved in the day-to-day business of providing managed services to that customer had to have some connectivity to the client's network and also connect to our corporate WAN. In the past, we accomplished this by giving the staff members two separate PCs on their desktops: a PC connected to the TBS network and another that they used to connect to the client's network. As you can imagine, this solution was awkward to use and took up a lot of space on the desk.

What made you think of using Virtual PC 2004 to solve the sign-on problem?
Sometimes the obvious solution is to try and make the client's network more secure, so we do that. But this client—for their own security requirements—didn't want us plugging into their network. I'm a great believer in working smarter, not harder, and using existing technology to do so. We needed a low-cost, easy-to-use solution that our existing staff could support without needing additional training. Virtual PC 2004 fit those requirements.

How does the solution work?
We provided our standard operating environment PCs with additional RAM—we increased RAM from 512MB to 1GB—dual NICs, and dual screens. We then ran Virtual PC 2004 with a dedicated NIC patched into the existing customer LAN and unbound this from the host PC to prevent any cross-connectivity. In the morning when our users come in, they turn on their PCs and log on as they normally would to the corporate network (the host), usually just by simply clicking an icon to get to the customer's network. Some of our users spend most of their time in the customer's legacy network, whereas others jump between the two networks. When we introduced the solution, some of the users were a little skeptical, just because it was new technology. But then, a month or two into it, it was business as usual, and some of the users even forget that they're on a virtual system.

The solution's simplicity is what makes it such a good fit for our organization and our customers. We used Virtual PC 2004 in a different way than most IT pros would typically consider using it and as a result saved additional cost and desk space and provided ease of use for our clients. The end result is supportable and complies with existing and future security requirements. We're now using our Virtual PC solution and variations of it across the company in both lab and production environments.

You solved the dual sign-on problem fairly easily by applying a widely used technology in an original way. What's the biggest security issue you now face?
I guess the biggest security challenge for us is our own workforce, not so much technically as in social engineering. We've got almost 200 technicians who work out in the field with clients providing managed services as well as corporate PABX [private automatic branch exchange, aka PBX] services. They use laptops to plug in to a client's network via a serial port or Internet cable and have access to clients' networks that they normally wouldn't have on our corporate network. Additionally, they need to keep their machines up to date and make sure that they're clean because we don't want the technicians to infect the clients—or the clients to infect our network.

What have you done to make your technical staff more security conscious?
As we in IT make personal contact with staff, we try to approach security from the point of view that we're not trying to stop you from doing your job or tell you what to do, we're only trying to make sure everyone's safe. Once most people understand that, they realize that you're not just trying to be the security police; you really are trying to help them. You're not imposing a particular security policy because you don't want them to have MP3s, for example, you're doing it for a purpose: to keep our corporate network and customers secure.

I think IT tends to impose security policy in a blanket fashion. I think I realized a number of years ago, when someone came back to me and said, "Well, why is there a security problem? Can you explain it to me?" that you can't just impose a policy with no explanation. People will resent that. But if you go the extra little bit and explain—for example, we're locking this down for these reasons—users still might not be happy with the restriction, but they'll be more understanding about it.
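The "unbound" state Mike describes (the customer-facing NIC carries only the virtual machine's network service, never the host's own protocol stack) is what keeps the two networks apart, so it is worth verifying rather than assuming. The check below is an added example, not from the article or from Telstra, and assumes a current Windows host with the NetAdapter module (Windows 8 / Server 2012 or later), an adapter named "Customer LAN", and a virtualization binding component ID supplied by the caller; "VPCNetS2" is what I believe Virtual PC used for "Virtual Machine Network Services", but confirm it against your own build.

```powershell
# Added example (not from the article): audit, and optionally enforce, that the
# host has no protocol bindings and no IP addresses on the NIC dedicated to the
# customer LAN, so only the virtual machine can reach that network.
# Assumptions: adapter name and allowed component IDs are placeholders; rename
# them to match your host. Run elevated; -Remediate is needed to change bindings.
param(
    [string]$AdapterName = 'Customer LAN',          # hypothetical adapter name
    [string[]]$AllowedComponents = @('VPCNetS2'),   # assumed VM network service ID
    [switch]$Remediate
)

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# Every enabled binding on the adapter other than the VM network service is a
# path by which the host itself could talk to (or be reached from) the customer LAN.
$unexpected = Get-NetAdapterBinding -Name $adapter.Name |
    Where-Object { $_.Enabled -and ($AllowedComponents -notcontains $_.ComponentID) }

# An IP address on the adapter means the host has already joined that network.
$hostAddresses = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue

if ($unexpected) {
    Write-Warning "Host still has these bindings enabled on '$AdapterName':"
    $unexpected | Format-Table ComponentID, DisplayName -AutoSize | Out-String | Write-Warning
    if ($Remediate) {
        # Disable each stray binding (TCP/IP, client for MS networks, file sharing, ...)
        foreach ($b in $unexpected) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $b.ComponentID
            Write-Output "Disabled $($b.ComponentID) on '$AdapterName'"
        }
    }
}

if ($hostAddresses) {
    Write-Warning "Host holds IP addresses on '$AdapterName':"
    $hostAddresses | Format-Table IPAddress, AddressFamily -AutoSize | Out-String | Write-Warning
}

if (-not $unexpected -and -not $hostAddresses) {
    Write-Output "OK: '$AdapterName' carries no host protocols or addresses."
}
```

Scheduling this check to run at logon catches the common regression where a driver update or a helpful technician re-enables TCP/IP on the dedicated adapter.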




Reader Comments
"We then ran Virtual PC 2004 with a dedicated NIC patched into the existing customer LAN and unbound this from the host PC to prevent any cross-connectivity."

By unbound do you mean you unchecked "Internet Protocol (TCP/IP)" in the dedicated NIC's properties on the host machine? What items did you leave checked for the dedicated NIC on the host system?

Great solution, thanks.

hurtley March 20, 2007


I'll contact Mike Nichol and ask him to respond to your question. I'm glad you found his solution useful!
--Anne Grubb, senior editor, Windows IT Pro

AnneG_editor March 21, 2007


I'm very interested in the answer to Hurtley.

"By unbound do you mean you unchecked "Internet Protocol (TCP/IP)" in the dedicated NIC's properties on the host machine? What items did you leave checked for the dedicated NIC on the host system?"

Cheers.

arvdsar April 09, 2007






Windows IT Pro is a Division of Penton Media Inc. © 2009 Penton Media, Inc.