Skip to content
December 11, 2012 / Simon Crosby

vSentry for XP, RDS and VDI is here!

The incredible Bromium dev team has just delivered vSentry 1.1, which includes the first features that will allow us to extend the groundbreaking security capabilities of micro-virtualization to all enterprise desktops.  vSentry 1.1 helps enterprises to secure Windows® XP, both 32 and 64 bit versions of Windows 7, and virtual desktops delivered with Microsoft Remote Desktop Services (including Citrix XenDesktop and VMware View).

Our goal is to enable enterprises to protect all desktops by design – whether native or hosted – using CPU features for virtualization to hardware-isolate each untrustworthy task, without impacting user experience.

Other than the imminent EOL of XP support, one of the key reasons to move off XP is that it is as much as 5 times more vulnerable than Windows 7.  Hanging onto XP for presumed challenges of application compatibility is in my view not tenable: both Windows 7 and Windows 8 offer superb application compatibility, and leaving the enterprise massively exposed to malware is simply irresponsible.  So if you haven’t started your migration, get on with it.

But increasing user mobility, and the potential use of tablets and other client form factors, including Macs, has thrown a wrench into what would traditionally have been a relatively straightforward enterprise PC upgrade – including hardware refresh.   Suddenly the concept of “Bring Your Own Device” has been injected into discussions about the strategic planning for the future of the enterprise desktop.  The young, cool and hip are great fans of this approach, as are senior executives, including CFOs are natural allies: if the user owns the device, that’s less for the enterprise to buy and maintain.  As a result, many enterprises are evaluating VDI as a way to deliver Windows 7 to users on any client.   But simply moving a user from XP to a VDI delivered Windows 7 desktop will not necessarily improve security – indeed it can make it worse.

Virtual desktops are vulnerable to exactly the same attacks as native PCs.  If you doubt this, you’ll find considerable discussion and evidence on, penned by Shawn Bass – one of the most respected desktop technologists in the industry. A compromised virtual desktop puts the attacker in an ideal location – the data center – from which he can further penetrate the infrastructure.  Moreover, since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another.  Legacy signature-based AV protection doesn’t scale well in virtual desktop environments, despite the architectural modifications made by AV vendors, so the vast majority of VDI desktops today have no endpoint protection at all – leaving IT to rely solely on perimeter protection.  And unfortunately a successful attack on a VDI desktop is just as likely to persist long enough for the attacker to succeed as on a traditional PC running AV – because VDI desktops are not refreshed on a time-scale relevant to security.

A security-centric analysis behooves us to ask how long it takes for an attack to execute and further penetrate the infrastructure, and the unsurprising answer –  seconds – is the final proof that there is nothing that VDI can do to help security, though for paper-trail purposes it certainly appears to help with compliance.  But users of virtual desktops will still be tricked into clicking on bad links, and opening poisoned documents and media that downloads malware onto the virtual desktop to attack the enterprise with the goal of stealing (elegantly centralized, but nonetheless accessible) enterprise data.

Now we can start to fix that.  vSentry 1.1 will allow Bromium to begin to deliver the benefits of micro-virtualization and hardware based security to all enterprise desktops, reducing the enterprise attack surface for all users – without new management tools or skill sets. Our hosted virtual desktop capabilities begin with web based protection, but will rapidly evolve to support all untrustworthy content and services.

We believe that in the context of RDS and VDI it is also important to address  security concerns related to the device to which the desktop is delivered – a PC, a thin client or a tablet, and even BYO PCs – including Macs.    Each of these absolutely needs to be properly secured.    Re-purposed legacy PCs are particularly worrisome because they typically only have AV and still need to be patched and managed.  My recommendation would be to upgrade the client to modern PC hardware – a Windows 7 PC or Mac that has Intel VT support.  This will allow you to take advantage of hardware-based security – such as micro-virtualization – to protect the delivered desktop or applications (the RDS/HDX/PCoIP client), and to protect the user when they browse the internet or interact with untrusted content from the client device.  We hope to  have more news about micro-virtualization for Macs early in 2013.

Finally, in vSentry 1.1 Bromium LAVA (Live Attack Visualization and Analysis)  goes GA, having notched up several successful PoCs during Q3/4.  Rahul Kashyap, our chief security architect, will explain those features in more detail.  In addition, to help enterprises scale our solution across large numbers of endpoints, vSentry 1.1 includes the first version of the Bromium Management Server (BMS), which provides a centralized web service for vSentry policy management, collection of LAVA events from all desktops in the enterprise, and correlation of attack data.  It also provides a centralized console for visualization and analysis of malware forensics.  It also collects events from all vSentry enabled systems for input into enterprise security analysis systems such as SIEMs, 3rd party consoles such as McAfee ePO or Symantec SEP, or big data platforms such as Splunk.


  1. Guise Bule / Dec 11 2012 9:43 am

    This is a much appreciated and very welcome move from Bromium for those of us in VDI/DaaS/HVD. Today is a good day, vSentry goodness on your VDI 🙂

    Good work that team !

  2. Guise Bule / Dec 11 2012 2:07 pm

    Initial enthusiasm over, I just wanted to comment a little around my thoughts on the way VDI is being used right now for security purposes and also disagree with one point you make above.

    Whilst I do agree that virtual desktops are subject to the same attacks as traditional PC’s, infrastructures built to leverage virtualization for cyber-defense are being built as standalone private clouds and designed to handle (and expect) the very specific risk normal user behaviour generates.

    Nobody is swapping out traditional desktops for VDI instances and thinking they are safe, but what is happening is that more and more highly secure orgs are pushing out a second ‘disposable’ desktop to their users for ‘risky’ activity, giving them throwaway desktops for their everyday internet facing use and this is actually a wildly successful model in production.

    So whilst I do agree that virtual desktops are subject to the same attacks, building a private VDI cloud for use in this way significantly reduces the attack vectors against your organization.

    Various Federal agencies have proven that this VDI model really does significantly improve their cyber-security posture by deploying these infrastructures into production over the last few years.

    Non-persistency is the norm in these infrastructures, but I do agree with you that non-persistent desktop refresh does not occur on a timescale relevant to security, although the refresh between sessions means that infections are destroyed along with the desktop upon log out.

    What I think particularly exciting about your announcement today is the idea that we can now take that non-persistency on VDI platforms down way deeper than the session level, we do not have to tolerate an infection on the desktop for even as long as a session because of micro-virtualization.

    THIS is why I think its particularly exciting that vSentry is being prepped for VDI, I see this as a natural evolution of the way virtualization is being used for cyber defense and I see this a a significant means of gaining traction with vSentry, you just created an easier sell for yourselves.

    All of my customers using private cloud DaaS for cyber-defense right now would simply not consider ripping out all of their traditional computers and trusting vSentry, but they would consider deploying Bromium immediately using a second DaaS layer and pushing all of their users internet facing activity onto it, then sitting back and watching how vSentry performs in real-time.

    Those using VDI for cyber-security love their private desktop cloud honeypots, they use them for analysis and education, but also to primarily mitigate risky, untrusted, internet-facing user behaviour away from their internal networks. Its easy to trust a platform that is physically isolated from your internal networks and this kind of VDI platform is actually the perfect POC environment to properly test vSentry out on.

    We can now test vSentry in production, but without worrying about it being compromised and infecting our internal networks, this is a big win for the cyber-security community and a big win for Bromium once it sinks in and you embrace it. Doubly so when you enable LAVA.

    You also just dramatically lowered the barriers and cost to Bromium adoption.

    The private cloud DaaS cyber-defense model is highly cost-effective and painless to adopt, non-persistent desktops for your users are less than ten dollars a month per user and can be accessed and used on almost any endpoint OS.

    So now instead of trying to get an org to swap out their fat PC for a Bromium enabled Intel VT fat PC, you can deploy them a $10 a month hosted virtual bromium desktop, its a MUCH easier sell.

    You just made it incredibly cost-effective and painless for an organization to adopt Bromium without upsetting their existing environment or having to just trust you.

    Very smart moves from you guys, but I wish you would understand why we have been getting the traction in cyber-defense we have with VDI and see that this SBC vSentry compliments our efforts beautifully in a way that the client-side version does not.

    A prediction for you Simon, this VDI enabled vSentry model will enable more traction for Bromium than your initial hardware based Intel VT specific model in terms of adoption, it generates less friction.

    Bet you a bottle of Hine.


  1. Release: Bromium vSentry 1.1 | Knowledge Hub Networks
  2. Bromium vSentry now runs on Windows Server, but what’s all this about supporting XP and VDI desktops, too? « TUG Sweden

Comments are closed.

%d bloggers like this: