Controlling the mobile sales force with VMware ACE

One of the most complex things an IT Manager or Security Manager has to face in a corporate environment is enforcing the mobile computer population.
Laptops, PDAs, Smartphones are all critical viral vectors, which are under control when behind million dollars company security infrastructures, but totally at risk when connected to home or public networks during owners’ daily travels.

Infection of these devices and consequent corporate network compromising is not the only problem: they usually store business, sensible data and have configuration sets able to easily reach inner part of company datacenter. As soon as a laptop is stolen an IT Manager has to handle something even more painful than a virus infection: an authorized remote access with partial or complete clearance to reserved informations.

Today’s products can hardly mitigate these kinds of scenarios, and upcoming endpoint security technologies are just partially committed to solve problems like ones described.

A real effective solution is provided by a virtualization product from VMware called Assured Computing Environment (ACE).
ACE is a special VMware Workstation version featuring a powerful and flexible security wrapper, able to control how a virtual machine interact with outside world, at host and guest level, in a centralized way.

In this article we’ll describe a real world scenario where ACE is perfect to handle all arising security and privacy issues.

The problem
Our today’s scenario involves a SMB company working in a small niche provisioning market, where competition is very aggressive.

The company bases the majority of revenue on its territory sales force carrying out direct sales on customers’ sites.

Sales agents are required to order customers material accessing an online provisioning portal. They also have to access company intranet by VPN with a custom application to see, modify or cancel on-going orders and to verify their commissions.

The company develops its own orders management application for Windows operating system but doesn’t adopt Microsoft Active Directory technology.

To lower costs the company populates its sales force with contractors, which are required to provide computer equipment from themselves.
On these machines company IT staff has to install and regularly update the orders management application, the Internet browser to access the online portal without problems, and the VPN.

The scenario presents many problems for the IT management:

  • Centralized control Sales agents have to move along their competency territory with laptops, often where no Internet connectivity is available and the company cannot count on Group Policy feature offered by Active Directory: laptops are not easily controllable in a centralized way.
  • Heterogenic environments Sales agents have to provide their own computer equipment, which means IT staff has no guarantees the operating system will always be secure for corporate network remote access and compatible for company provisioning application.
  • Data disclosure Sales agents have complete control over their laptops and can illegally replicate corporate data in personal storages for different purposes: backup, personal benefits, etc.
    At the same time equipment can get lost or stolen, leaking downloaded data and configuration details for company remote access.

In our particular scenario the computer equipment is also owned by sales agents and when they resign they are not obliged to give anything back.

Last but not least, sales agents could sell a copy of their application to competitors, providing them a continuous access to corporate data.

The VMware ACE solution
To address security issues of this scenario with ACE we’ll create a minimal configured, secured and compatible operating system inside a virtual machine where to install and setup the company orders management application, a browser working with the online provisioning portal and the VPN to the corporate network.

Then we’ll limit this virtual machine’s capabilities to reach external networks, also preventing it from being moved or copied around. And finally we’ll ship it in a 1-click installation package to be deployed in every sales agent laptop.

Preparing the virtual machine
The first step is creating the wanted virtual machine. We can do this by creating a new one from scratch inside the ACE environment, which is pretty identical to the Workstation one, or import an existing virtual machine created with another VMware product.

In this second case we should act carefully: if we created our VM with a version of Workstation 5.x it will not be available for use inside ACE.
This compatibility issue exists because at time of writing this article VMware is shipping Workstation 5.5.1 and ACE 1.0.2, which can only works with virtual hardware coming from Workstation 4.x family.

Luckily there is a solution: VMware is working on a product called Virtual Machine Importer 2.0, actually available just as beta, which is able to convert recent virtual machines hardware in legacy hardware, working with Workstation 4.x products and ACE 1.0.2:

It’s a waste of time trying to do the same with the released Virtual Machine Imported 1.5 because that version is not able to work on VMware virtual machines but just on third party images.

Defining security policy
After the virtual machine creation or import it’s time to define security policy to limit network access and availability.

One of the biggest security need here is to avoid that the corporate data is illegally accessed or copied, and that users can manipulate virtual machine configuration to workaround restrictions.
To achieve both objectives we can configure encryption for virtual machine image and configuration files, and request the creation of a complex password to access it:

Note that to avoid a management nightmare we also have to setup an administrative password for recovery purposes, which will generate a recovery key:

Finally, we have to prevent a virtual machine copy:

The leak of reserved informations can also happen by copying them on a USB memory stick, a floppy or a recordable CDROM.

A possible approach could be creating the original virtual machine already without these devices but it’s unpractical for any administrative task or further needs.
So better configure ACE to block access to existing virtual devices without removing them:

The last and most critical media, network, has to be restricted as well, both for data leaking and risk of security compromising: as we already said it could both ruin the safety of local environment, preventing correct working of business applications, and propagate in the corporate network when connected in VPN.

ACE helps us in all these problems offering 4 kinds of network quarantine. We’ll use the Version-based dynamic quarantine:

To maintain tightest control we want our virtual machine to check for latest available network quarantine policy at every startup and on regular basis.
In this way we can update the restrictions upon needs just updating a single file:

Consider that the quarantine policy check and update is done at host level and not at the virtual machine level, so we should put our policy file in a location easily reachable by any point on the Internet (like a non-linked and non-indexed directory on company’s website).

At the same time, since sales agents in our scenario are not always connected we want to permit them to work even without checking policy, allowing a policy caching that expires after a week:

If, for any reason after the caching period, the virtual machine doesn’t update its quarantine policy, it goes in a restricted status, limiting even more access to resources.

So while in a allowed status it can reach corporate intranet servers for data access, in restricted status it loose this permission, only accessing security servers for antivirus checking and patch management.

Now that we defined limitations for virtual machines interaction with real world, we have to handle the case in which sales agents resign and, in our scenario, don’t have to give back any equipment.

Let’s define an expiration date for the virtual machine with a warning before the last day, so that renewed contractors can request an IT staff intervention:

Distributing the package
Once we completely defined the virtual machine and ACE environment policies we can assemble the distribution package.
For the first deployment we’ll ask to include every part of the solution, while in subsequent updates, if needed, we’ll just package the virtual machine part:

An ACE package can easily become very large in dimension and deployment can become pretty complex. To simplify delivery we just have to ask ACE to split executable package in several CD-sized or DVD-sized images:

Installation is 1-click operation without further intervention and the final user interface is almost identical to the one offered by free VMware Player: the virtual machine can be powered on with a single button and if the sales agent is in hurry and cannot shut down operating system, it will be suspended until next use.

Bottom line
It’s not a secret VMware never pushed ACE as much as other more popular products like Workstation or ESX Server, but it turned to be a great product in managing hard to control productivity environments.

At the price of $795 for ACE Manager (which can be used a standard Workstation installation) and $99 for each ACE virtual machine, this product can easily be a more affordable solution than traditional security alternatives to address issues of this scenario and others not contemplated, and customers should seriously consider it when planning their security strategy.

This article originally appeared on