I’ve been involved in countless virtual desktop conversations over the past several years, and this is a question that continues to surface and generate interesting dialogue with IT security teams. While security is only one of the numerous considerations for VDI, it is at the top of a lot of customers' lists. So, is anti-virus/anti-malware a requirement for a virtual desktop? Well, the short answer is yes, of course it is, but we need to dig a bit deeper here.
For traditional desktops using traditional agent-based A/V, the five percent CPU overhead, 100MB of RAM, and constant disk I/O are not a big deal. After all, my laptop has a dual-core hyper-threaded processor (4 logical processors), 8GB of RAM, and an SSD; way more horsepower than most servers had just a few short years ago. I don’t even notice the slightest hit in performance. When we look at VDI, however, the picture changes quite drastically. With the latest server hardware, I can pack two 10-core hyper-threaded processors (40 logical processors) and close to a half terabyte of RAM in a half-height blade. This quickly leads to VDI densities approaching 300-400 desktops on that tiny little blade server. Now, when I do the math, that 5 percent CPU and 100MB of RAM add up quickly, and that constant real-time disk I/O can bring a standard SAN to its knees. This can potentially knock my desktop density down significantly, which has a negative impact on the overall cost of the solution, not to mention the poor impact it has on user experience.
Couple the above data with the fact that almost all viruses and malware these days are zero-day exploits, and that most users are still running around with admin rights on their workstations, and definition-based A/V scanning is almost useless. My parents are a prime example. I build them a brand spanking new workstation with Windows 7, fully patched, automatic updates enabled daily, and one of the top A/V solutions on the market installed, yet I still get that dreaded phone call from my mother that the machine is infested with malware. While I’m pretty sure my parents do not frequent internet sites like The Pirate Bay, I’m pretty sure that whenever a message comes up in the browser saying ‘Your computer might be infected, click here for a free scan’ they still click the darn thing. To an A/V agent that’s like inviting a vampire into your house. You’re basically powerless to do anything about it once you say ‘yes, please come in’.
So, how do we design a VDI environment which is reasonably protected without killing the underlying infrastructure from a performance aspect? We need to remove A/V from the picture. But how do we do that?
- We can use non-persistent shared images which get blown away every time the user logs off, ensuring that every new session starts with a brand new copy of the master image.
- We can utilize advancements in unified threat management (UTM) firewalls to scan for malware at the edge of the network.
- We can ensure that users do not have local admin rights to their VDI sessions.
- We can still use A/V agents on file servers where user data and profiles are stored.