Controlling the mobile sales force with VMware ACE

Posted by Staff | Monday, July 10th, 2006

One of the most complex things an IT Manager or Security Manager has to face in a corporate environment is securing the mobile computer population.
Laptops, PDAs and smartphones are all critical infection vectors: they are under control while sitting behind the company’s million-dollar security infrastructure, but totally at risk when connected to home or public networks during their owners’ daily travels.

Infection of these devices and the consequent compromise of the corporate network is not the only problem: they usually store sensitive business data and hold configuration settings that can easily reach the inner parts of the company datacenter. As soon as a laptop is stolen, an IT Manager has to handle something even more painful than a virus infection: an authorized remote access with partial or complete clearance to reserved information.

Today’s products can hardly mitigate these kinds of scenarios, and upcoming endpoint security technologies are only partially committed to solving problems like the ones described.

A really effective solution is provided by a virtualization product from VMware called Assured Computing Environment (ACE).
ACE is a special version of VMware Workstation featuring a powerful and flexible security wrapper, able to control in a centralized way how a virtual machine interacts with the outside world, at both host and guest level.

In this article we’ll describe a real-world scenario where ACE is perfect for handling all the security and privacy issues that arise.

The problem
Today’s scenario involves an SMB company working in a small niche provisioning market, where competition is very aggressive.

The company bases the majority of its revenue on its territory sales force, which carries out direct sales at customers’ sites.

Sales agents are required to order material for customers by accessing an online provisioning portal. They also have to access the company intranet over VPN with a custom application to view, modify or cancel ongoing orders and to verify their commissions.

The company develops its own order management application for the Windows operating system but doesn’t adopt Microsoft Active Directory.

To lower costs the company staffs its sales force with contractors, who are required to provide their own computer equipment.
On these machines the company IT staff has to install and regularly update the order management application, an Internet browser that works with the online portal, and the VPN client.

The scenario presents many problems for the IT management:

  • Centralized control: Sales agents have to move around their territory with laptops, often where no Internet connectivity is available, and the company cannot count on the Group Policy feature offered by Active Directory: laptops are not easily controllable in a centralized way.
  • Heterogeneous environments: Sales agents provide their own computer equipment, which means the IT staff has no guarantee the operating system will always be secure enough for corporate network remote access and compatible with the company provisioning application.
  • Data disclosure: Sales agents have complete control over their laptops and can illegally replicate corporate data to personal storage for different purposes: backup, personal benefit, etc.
    At the same time equipment can get lost or stolen, leaking downloaded data and configuration details for company remote access.

In our particular scenario the computer equipment is also owned by the sales agents, and when they resign they are not obliged to give anything back.

Last but not least, sales agents could sell a copy of their application to competitors, giving them continuous access to corporate data.

The VMware ACE solution
To address the security issues of this scenario with ACE, we’ll create a minimally configured, secured and compatible operating system inside a virtual machine, in which to install and set up the company order management application, a browser that works with the online provisioning portal and the VPN client for the corporate network.

Then we’ll limit this virtual machine’s ability to reach external networks, also preventing it from being moved or copied around. Finally we’ll ship it as a 1-click installation package to be deployed on every sales agent’s laptop.

Preparing the virtual machine
The first step is creating the desired virtual machine. We can either create a new one from scratch inside the ACE environment, which is practically identical to the Workstation one, or import an existing virtual machine created with another VMware product.

In the second case we must be careful: if we created our VM with a Workstation 5.x version, it will not be usable inside ACE.
This compatibility issue exists because, at the time of writing, VMware is shipping Workstation 5.5.1 and ACE 1.0.2, which only works with virtual hardware coming from the Workstation 4.x family.

Luckily there is a solution: VMware is working on a product called Virtual Machine Importer 2.0, currently available only as a beta, which is able to convert recent virtual machine hardware to the legacy hardware that works with Workstation 4.x products and ACE 1.0.2.

It’s a waste of time trying to do the same with the released Virtual Machine Importer 1.5, because that version does not work on VMware virtual machines but only on third-party images.

Defining security policy
After the virtual machine has been created or imported, it’s time to define the security policy that limits network access and availability.

One of the biggest security needs here is to prevent corporate data from being illegally accessed or copied, and to prevent users from manipulating the virtual machine configuration to work around the restrictions.
To achieve both objectives we can configure encryption for the virtual machine image and configuration files, and require the creation of a complex password to access it.

Note that, to avoid a management nightmare, we also have to set up an administrative password for recovery purposes, which will generate a recovery key.

Finally, we have to prevent the virtual machine from being copied.

The leak of reserved information can also happen by copying it to a USB memory stick, a floppy or a recordable CD-ROM.

A possible approach would be to create the original virtual machine without these devices at all, but that is impractical for administrative tasks or future needs.
It is better to configure ACE to block access to the existing virtual devices without removing them.

The last and most critical medium, the network, has to be restricted as well, both against data leakage and against the risk of security compromise: as we already said, a compromise could both ruin the safety of the local environment, preventing the business applications from working correctly, and propagate to the corporate network when connected over VPN.

ACE helps us with all these problems by offering 4 kinds of network quarantine. We’ll use the Version-based dynamic quarantine.

To maintain the tightest control, we want our virtual machine to check for the latest available network quarantine policy at every startup and on a regular basis.
In this way we can update the restrictions as needed just by updating a single file.

Consider that the quarantine policy check and update is done at the host level and not at the virtual machine level, so we should put our policy file in a location easily reachable from any point on the Internet (like a non-linked and non-indexed directory on the company’s website).

At the same time, since the sales agents in our scenario are not always connected, we want to let them work even without checking the policy, allowing policy caching that expires after a week.

If, for any reason, the virtual machine doesn’t update its quarantine policy after the caching period, it goes into a restricted status, limiting access to resources even further.

So while in the allowed status it can reach corporate intranet servers for data access, in the restricted status it loses this permission and can only access the security servers for antivirus checks and patch management.

Now that we have defined the limitations on the virtual machine’s interaction with the real world, we have to handle the case in which sales agents resign and, in our scenario, don’t have to give back any equipment.

Let’s define an expiration date for the virtual machine, with a warning before the last day, so that renewed contractors can request an IT staff intervention.
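As an added illustration, not ACE’s own code or policy file format, the following Python models the behaviour described in this section: a version-based policy file fetched at startup and periodically, a one-week cache while the agent is offline, the fall-back to the restricted status that only reaches the security servers, and the expiration date with its warning window. The host names, the policy dictionary layout and the 14-day warning period are assumptions.

```python
from datetime import timedelta

# Constructed sample policy (hypothetical layout, not ACE's own file format):
# "allowed" = hosts reachable in the allowed status, "restricted" = the security
# servers that remain reachable once the cached policy is older than a week.
SAMPLE_POLICY = {
    "version": 2,
    "allowed": {"intranet.example.internal", "orders.example.internal",
                "av.example.internal", "patch.example.internal"},
    "restricted": {"av.example.internal", "patch.example.internal"},
}
CACHE_LIFETIME = timedelta(days=7)  # policy cache validity chosen in the article


class QuarantineState:
    """Host-side record of the last fetched policy and when it was fetched."""
    def __init__(self):
        self.policy = None
        self.fetched_at = None

    def refresh(self, fetch, now):
        """Run at startup and periodically; keeps the cached policy if the fetch fails."""
        try:
            new_policy = fetch()
        except OSError:
            return False
        # Version-based update: only a newer policy file replaces the cached one.
        if self.policy is None or new_policy["version"] > self.policy["version"]:
            self.policy = new_policy
        self.fetched_at = now
        return True

    def status(self, now):
        """Allowed while the cache is fresh, restricted once it has expired."""
        if self.policy is None or now - self.fetched_at > CACHE_LIFETIME:
            return "restricted"
        return "allowed"

    def permitted(self, host, now):
        """Whether the VM may reach host in its current status (no policy: nothing)."""
        return self.policy is not None and host in self.policy[self.status(now)]


def expiration_status(now, expires_on, warning_days=14):
    """ok, warning (renewal window open) or expired, for the VM expiration date."""
    if now >= expires_on:
        return "expired"
    if expires_on - now <= timedelta(days=warning_days):
        return "warning"
    return "ok"
```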

Distributing the package
Once we have completely defined the virtual machine and the ACE environment policies, we can assemble the distribution package.
For the first deployment we’ll ask to include every part of the solution, while in subsequent updates, if needed, we’ll package just the virtual machine part.

An ACE package can easily become very large, and deployment can become pretty complex. To simplify delivery we just have to ask ACE to split the executable package into several CD-sized or DVD-sized images.

Installation is a 1-click operation without further intervention, and the final user interface is almost identical to the one offered by the free VMware Player: the virtual machine can be powered on with a single button, and if the sales agent is in a hurry and cannot shut down the operating system, it will be suspended until the next use.

Bottom line
It’s no secret that VMware never pushed ACE as much as other more popular products like Workstation or ESX Server, but it has turned out to be a great product for managing hard-to-control productivity environments.

At the price of $795 for ACE Manager (which can be used as a standard Workstation installation) and $99 for each ACE virtual machine, this product can easily be a more affordable solution than traditional security alternatives for addressing the issues of this scenario and others not contemplated here, and customers should seriously consider it when planning their security strategy.

This article originally appeared on