Virtualization: Secure Virtual User Environments in VMware ACE
Computer security has become one of the most important problems in the IT sphere. Various complex systems of computer security and tools available to OS and software developers allow to protect the IT infrastructure of an enterprise from external attacks. Enterprise environment security tools have advanced far forward of late. But the problem of insider attacks is one of the most burning issues now. Enterprises have to spend a lot of time and effort to develop complex security policies for workstations and servers used by various groups of employees.
A significant progress in virtualization technologies allows many companies to cut down expenses on maintaining IT infrastructures of desktop and server platforms by consolidating several virtual machines on a single physical computer. Virtual systems can be integrated into the enterprise environment to raise IT efficiency of the company. However, just like physical platforms (or even more), they require much attention as far as their security is concerned. VMware is one of the first companies to take care of virtualization security and protected environments. The first product of this company to solve these problems for workstations was VMware ACE 1.0. It allowed to create secure virtual machines and use them as work environments for employees as well as to demonstrate software and to train staff. However, the product lacked many features for corporate use, such as centralized deployment and integration with other virtualization platforms from VMware. So it did not become very popular. The second version of VMware ACE released in Q2 2007 got so many new features that many companies will certainly use it to create secure virtual environments.
About VMware ACE 2.0
VMware released the second version of VMware ACE simultaneously with VMware Workstation 6 for a reason: VMware ACE is an extension of Workstation with additional features to create secure computing environments. ACE Option Pack can be included into VMware Workstation 6 by entering a license key for VMware ACE. Key features of the product:
Centralized policy-based management.
That is you can control virtual machines from the ACE Management Server with the following features:
- control access rights and security policies applied to workstations using VRM (Virtual Rights Management)
- secure access to virtual environments from any point
- control devices connected to virtual machines (USB devices, printers, or CD/DVD drives)
- configure VMware ACE to expire at a pre-determined time, or after a pre-set period
Strong security
Protect sensitive and proprietary information with robust security features such as full-volume encryption and granular access control over all network and peripheral ports.
- rules-based network access
- encrypt files of virtual drives and configuration files with AES 128-bit
- flexible endpoint lockdown
Flexible deployment
VMware ACE can be used to create environments, which can be distributed on any media and deployed to workstations in a centralized manner. It's very easy:
- provision desktops on portable media using Pocket ACE
- integration with VMware Workstation, these packages may run on this platform with ACE Option Pack enabled
- ACE client packages are easy to back up and easy to restore
- you can create shapshots of virtual machines, to which you can quickly roll back; it's very useful when you demonstrate software
VMware ACE Applications
VMware ACE can be used in various aspects, when you must protect vital information in virtual machines, stave off unauthorized data copying, and secure environments from a single place. Main applications of VMware ACE:
- Secure virtual desktops with public access. Users can carry these desktops from computer to computer without any risk of leaking critical information.
- Isolated hardware-independent secure environments with centralized policies (for example, a system administrator can block access to a USB flash drive).
- Support for old insecure operating systems
- Create time-limited Virtual Appliances, good for demo purposes as well as for distributing software on the SaaS basis (Software-as-a-Service).
How VMware ACE Works
VMware ACE allows to deploy and service packages consisting of a virtual machine, security and access policies from the ACE Management Server. You can automatically update virtual desktops and deactivate them when necessary. That's how the general VMware ACE usage diagram looks like:
Using VMware ACE
Here is a step-by-step procedure of deploying VMware ACE virtual environments:
- Create a virtual machine in VMware Workstation, install a guest operating system and applications. Secure VMware ACE environments can be created only for Windows host systems so far. But ACE for Linux will be released soon as well.
- Create security policies to access VMware Workstation with activated ACE Option Pack:
- Delimit network access (ports and traffic)
- Limit devices by types or ID
- Protect a virtual machine from changes
- Specify expiration dates of virtual machines
- Protect with passwords
- Package a virtual machine and prepare it for deployment. This step also includes the following actions:
- include VMware ACE Player in *.msi format (for Windows) or *.tar (for Linux). VMware ACE Player supports the following host platforms:
- Windows Vista
- Windows Server 2003
- Windows XP
- Windows 2000
- Windows Vista x64
- Windows Server 2003 x64
- Windows XP Professional x64
- Mandriva Linux
- Mandrake Linux
- Red Hat Enterprise Linux
- Red Hat Linux
- SUSE Linux Enterprise Server
- openSUSE
- SUSE Linux
- Ubuntu Linux
- Mandriva Linux x64
- Mandriva Corporate x64
- Red Hat Enterprise Linux x64
- SUSE Linux Enterprise Server x64
- openSUSE 10.2 x64
- SUSE Linux x64
- Ubuntu Linux x64
- Use sysprep.exe automatically (in guest Windows systems) to prepare OS for deployment
- Add virtual machines into a domain remotely, setup VPN (Virtual Private Network) to control a virtual machine with domain policies
- Integrate guest OS authentication with Active Directory
- Deploy virtual machines on any supported media.
- Control VMware ACE clients with ACE Management Server, which requires the following platform:
- CPU: 1200 MHz and higher
- RAM: 1 GB
- 10 GB on a hard drive (to store information in the internal SQLite database or in the external Microsoft SQL Server or Oracle)
- Host OS: Windows 2000/XP/2003 or Red Hat Linux
VMware ACE Editions
VMware offers three editions of VMware ACE: Starter, Standard, and Enterprise. The last two editions are licensed with Volume License Key - you enter the license key and automatically include licenses into created packages. It's very convenient for mass deployment of packages. The table below lists features of each edition.
| | ACE 2
Starter Kit | ACE 2
Standard Kit | ACE 2
Enterprise Kit |
| Client licenses | 10 | 50 | 200 |
| Volume Licensing Key | not available | available | available |
| ACE Management Server | not available | available | available |
