iXBT Labs - Computer Hardware in Detail

Virtualization: Secure Virtual User Environments in VMware ACE

Computer security has become one of the most pressing problems in IT. Operating system and application developers now have elaborate security systems and tools at their disposal for protecting an enterprise's IT infrastructure from external attacks, and enterprise security tooling has advanced considerably of late. The problem of insider attacks, however, remains one of the most burning issues. Enterprises have to spend a lot of time and effort developing detailed security policies for the workstations and servers used by different groups of employees.

Significant progress in virtualization technologies allows many companies to cut the cost of maintaining desktop and server infrastructure by consolidating several virtual machines on a single physical computer. Virtual systems can be integrated into the enterprise environment to raise the efficiency of the IT department. However, just like physical platforms (or even more so), they require close attention to security. VMware was one of the first companies to address virtualization security and protected environments. Its first product to solve these problems for workstations was VMware ACE 1.0. It allowed secure virtual machines to be created and used as work environments for employees, for software demonstrations, and for staff training. However, the product lacked many features needed for corporate use, such as centralized deployment and integration with other VMware virtualization platforms, so it did not become very popular. The second version of VMware ACE, released in Q2 2007, gained so many new features that many companies will certainly use it to create secure virtual environments.

About VMware ACE 2.0

VMware released the second version of VMware ACE simultaneously with VMware Workstation 6 for a reason: VMware ACE is an extension of Workstation with additional features for creating secure computing environments. The ACE Option Pack is enabled in VMware Workstation 6 by entering a VMware ACE license key. Key features of the product:

Centralized policy-based management.

Virtual machines are controlled from the ACE Management Server, which lets you:

  • control access rights and security policies applied to workstations using VRM (Virtual Rights Management)
  • provide secure access to virtual environments from any location
  • control the devices that can be connected to virtual machines (USB devices, printers, CD/DVD drives)
  • configure a VMware ACE environment to expire at a pre-determined time or after a pre-set period

Strong security

Protect sensitive and proprietary information with robust security features such as full-volume encryption and granular access control over all network and peripheral ports.

  • rules-based network access
  • virtual disk files and configuration files encrypted with 128-bit AES
  • flexible endpoint lockdown

Flexible deployment

VMware ACE creates environments that can be distributed on any medium and deployed to workstations centrally:

  • provision desktops on portable media using Pocket ACE
  • integration with VMware Workstation: ACE packages can run on this platform when the ACE Option Pack is enabled
  • ACE client packages are easy to back up and restore
  • you can take snapshots of virtual machines and quickly roll back to them, which is very useful when demonstrating software

VMware ACE Applications

VMware ACE is applicable wherever you must protect vital information inside virtual machines, prevent unauthorized copying of data, and secure environments from a single place. Main applications of VMware ACE:

  • Secure virtual desktops for use on public computers. Users can carry these desktops from computer to computer without risk of leaking critical information.
  • Isolated, hardware-independent secure environments governed by centralized policies (for example, a system administrator can block access to USB flash drives).
  • Running old, insecure operating systems inside an isolated environment.
  • Time-limited Virtual Appliances, good for demo purposes as well as for distributing software on a SaaS (Software-as-a-Service) basis.

How VMware ACE Works

VMware ACE deploys and maintains packages consisting of a virtual machine together with its security and access policies from the ACE Management Server. Virtual desktops can be updated automatically and deactivated when necessary. The general VMware ACE usage diagram:

Using VMware ACE

Here is the step-by-step procedure for deploying VMware ACE virtual environments:

  1. Create a virtual machine in VMware Workstation and install a guest operating system and applications. So far secure VMware ACE environments can be authored only on Windows hosts; an ACE version for Linux hosts is expected soon.
  2. Define security policies in VMware Workstation with the ACE Option Pack activated:
    • Delimit network access (ports and traffic)
    • Limit devices by type or ID
    • Protect the virtual machine from changes
    • Specify expiration dates for virtual machines
    • Protect with passwords

  3. Package the virtual machine and prepare it for deployment. This step also includes the following actions:
    • include VMware ACE Player as an *.msi (for Windows) or *.tar (for Linux) installer. VMware ACE Player supports the following host platforms:
      • Windows Vista
      • Windows Server 2003
      • Windows XP
      • Windows 2000
      • Windows Vista x64
      • Windows Server 2003 x64
      • Windows XP Professional x64
      • Mandriva Linux
      • Mandrake Linux
      • Red Hat Enterprise Linux
      • Red Hat Linux
      • SUSE Linux Enterprise Server
      • openSUSE
      • SUSE Linux
      • Ubuntu Linux
      • Mandriva Linux x64
      • Mandriva Corporate x64
      • Red Hat Enterprise Linux x64
      • SUSE Linux Enterprise Server x64
      • openSUSE 10.2 x64
      • SUSE Linux x64
      • Ubuntu Linux x64

    • Run sysprep.exe automatically (in Windows guests) to prepare the OS for deployment
    • Join virtual machines to a domain remotely, setting up a VPN (Virtual Private Network) so that the virtual machine can be controlled by domain policies
    • Integrate guest OS authentication with Active Directory

  4. Deploy virtual machines on any supported medium.
  5. Control VMware ACE clients with ACE Management Server, which requires the following platform:
    • CPU: 1200 MHz or faster
    • RAM: 1 GB
    • 10 GB of hard drive space (to store data in the internal SQLite database; an external Microsoft SQL Server or Oracle database can be used instead)
    • Host OS: Windows 2000/XP/2003 or Red Hat Linux

VMware ACE Editions

VMware offers three editions of VMware ACE: Starter, Standard, and Enterprise. The last two are licensed with a Volume License Key: you enter the key once and licenses are automatically included in the packages you create, which is very convenient for mass deployment. The table below lists the features of each edition.

  ACE 2                    Starter Kit      Standard Kit     Enterprise Kit
  Client licenses          10               50               200
  Volume Licensing Key     not available    available        available
  ACE Management Server    not available    available        available

Installation and Setup of Virtual Environments in VMware ACE

After you install VMware Workstation 6 on the host operating system, enter the license key to unlock VMware ACE and restart the product. A new VMware ACE window appears; you can still create regular virtual machines there. To create a new secure ACE environment, choose New->ACE Master in the File menu. You will see the following window:

Creating a secure ACE Master environment

Then specify the same settings as for an ordinary VMware Workstation virtual machine, with one exception: an ACE virtual machine cannot use a physical hard disk directly. By default virtual environments use NAT (Network Address Translation) as the safest networking option: secure virtual machines can open connections to the external network through the host's address, while other computers on that network cannot initiate connections to them (unless port forwarding is explicitly configured on the host). After the virtual machine is created, install a guest OS and VMware Tools. Then you can turn to environment policies: choose Edit policies in the main window.

VMware ACE. Main window.

You will see the following window:

Configuring policies for ACE environments

You can control access policies and environment security in the following areas:

- Access Control
Here you can require authentication before a virtual machine is powered on. If you set a password, users can access the package with the virtual machine only after entering it. On the Authentication panel you can specify which users may power the virtual machine on, set a recovery key for resetting the password, and supply your own authentication script that defines access rights for Linux and Windows host platforms in VMware ACE Player.

- Host-Guest Data Script
You can choose a script to be executed in the host and guest operating systems when the virtual machine starts. It is convenient when resources shared between host and guest must be set up.

- Expiration
Here you specify the expiration time of a virtual machine. You can also add a message to be displayed several days before the expiration date and another message shown after the virtual machine has expired.

- Copy protection
This tabbed page protects an environment from being copied. It works as follows: a CPID (Copy Protection Identifier) is generated from the path of the folder holding the virtual machine and the BIOS ID of the host system. For Pocket ACE on portable storage drives, the file system ID is used instead of the BIOS ID. With copy protection enabled, the virtual machine runs only on that host platform, and a copy made elsewhere will not start. CPIDs are stored on the ACE Management Server and can be modified by a system administrator (for example, when an environment must legitimately be moved to another host).

- Resource Signing
Here you specify whether a virtual environment may start if files in the ACE Resources folder have been damaged or altered. This folder holds scripts, user licenses, and other files whose integrity is critical for correct operation of the virtual machine. If you distribute software with VMware ACE, you will find this policy quite useful.

- Network Access
Network access policies determine how a virtual machine may use the network resources of the host system. You can configure a firewall, specify the subnets the virtual machine may reach, and so on. The ACE Management Server can disable or limit network access for a virtual environment centrally, for example in case of a virus outbreak.

- Removable Devices and USB Devices
Here you limit access from the virtual machine to physical devices, including USB devices. These restrictions are needed to prevent data theft from user environments.

- Virtual Printer
This option allows applications in the guest system to print to a printer installed on the host system without installing any drivers in the guest. The virtual printer is attached to an emulated serial port, which you can see on the Hardware tabbed page in the virtual machine's Settings.

- Runtime Preferences
Here you choose some of the virtual machine's run-time options, such as full-screen-only operation, the amount of memory allocated, and what happens when the virtual machine is shut down (for example, entering Suspend mode, which is similar to Hibernate).

- Snapshots
Here you configure automatic snapshots of the system, so that users can roll back to them if the system is damaged.

- Administrator mode
This policy sets a password for administrative access to the settings of a virtual machine, which can be modified on client computers through the GUI as well as with vmware-acetool.

- Hot Fix
This policy allows users of secure environments to ask a system administrator for help if:

  • they have lost the password
  • the virtual machine has expired
  • a copy-protected virtual machine has to be run on another host

This mechanism is very convenient for mass deployments of virtual machines.
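To make the policy machinery above concrete, here is an added example (written for this edit, not VMware's code and not part of the original article) that models the checks an ACE-style player would run before letting a secure environment start: password authentication, expiration, the CPID host binding from the Copy protection page, the Resource Signing integrity check, and a rules-based network filter with the server-side "disable network" override. Everything concrete in it is an assumption for illustration: the SHA-256 CPID construction, the HMAC-signed manifest, the signing key, the PBKDF2 password verifier, the rule format, and all sample data. The real ACE formats are not documented on this page.

```python
"""Model of the start-up checks an ACE-style player could perform before a
secure environment is allowed to run.  Constructed for this article: it is
not VMware's code, and the CPID derivation, the resource manifest, the key
handling and the rule format are assumptions, not ACE's real formats."""
import hashlib
import hmac
import json
from datetime import date
from ipaddress import ip_address, ip_network

SIGNING_KEY = b"example-package-signing-key"   # assumed; how ACE keeps its key is not shown here


def cpid(vm_folder: str, host_id: str) -> str:
    """Copy Protection Identifier bound to the VM folder path and the host BIOS ID
    (the file-system ID stands in for the BIOS ID on Pocket ACE media)."""
    return hashlib.sha256(f"{vm_folder}\x00{host_id}".encode()).hexdigest()


def build_manifest(files: dict) -> dict:
    """'Sign' the ACE Resources folder: a SHA-256 per file plus an HMAC over the
    whole list, so a tampered file and a silently edited manifest are both caught."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()}


def resources_intact(files: dict, manifest: dict) -> bool:
    """Resource Signing check: True only if every file matches the signed manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False                      # the manifest itself was altered
    if set(files) != set(manifest["files"]):
        return False                      # a resource was added or removed
    return all(hmac.compare_digest(hashlib.sha256(files[n]).hexdigest(), d)
               for n, d in manifest["files"].items())


def password_record(password: str, salt: bytes = b"ace-demo-salt") -> str:
    """Salted PBKDF2 hash, so the package stores a verifier rather than the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def start_checks(policy: dict, host: dict, today: date, password: str) -> list:
    """Return the reasons the VM must not start; an empty list means it may run.
    The three reasons a user can raise through Hot Fix are named as in the article."""
    reasons = []
    if policy.get("password") and not hmac.compare_digest(password_record(password), policy["password"]):
        reasons.append("lost password")
    if policy.get("expires") and today > policy["expires"]:
        reasons.append("expired")
    if policy.get("copy_protect") and cpid(host["vm_folder"], host["host_id"]) != policy["cpid"]:
        reasons.append("copy protected")
    if policy.get("resource_signing") and not resources_intact(host["resources"], policy["manifest"]):
        reasons.append("resources damaged")
    return reasons


def network_allowed(rules: list, quarantined: bool, direction: str, addr: str, port: int) -> bool:
    """Rules-based network access: first matching rule wins; no match, or a
    quarantine ordered by the Management Server, means deny."""
    if quarantined:
        return False
    for rule in rules:
        if (rule["dir"] == direction and ip_address(addr) in ip_network(rule["net"])
                and port in rule["ports"]):
            return rule["action"] == "allow"
    return False


# Constructed sample data: one package, the host it was bound to, and an illicit copy.
RESOURCES = {"startup.vbs": b"' host-guest data script", "license.txt": b"EULA v1"}
POLICY = {
    "password": password_record("correct horse"),
    "expires": date(2007, 12, 31),
    "copy_protect": True,
    "cpid": cpid(r"C:\ACE\SecureDesktop", "BIOS-0001"),
    "resource_signing": True,
    "manifest": build_manifest(RESOURCES),
}
RULES = [
    {"dir": "out", "net": "10.0.0.0/8", "ports": {443}, "action": "allow"},   # intranet HTTPS only
    {"dir": "out", "net": "0.0.0.0/0", "ports": {80, 443}, "action": "deny"},
]
BOUND_HOST = {"vm_folder": r"C:\ACE\SecureDesktop", "host_id": "BIOS-0001", "resources": RESOURCES}
COPIED_HOST = {"vm_folder": r"D:\Copy\SecureDesktop", "host_id": "BIOS-0002",
               "resources": {**RESOURCES, "startup.vbs": b"' replaced by the user"}}
TODAY = date(2007, 9, 14)          # inside the package lifetime
AFTER_EXPIRY = date(2008, 1, 1)    # past the expiration date

if __name__ == "__main__":
    print(start_checks(POLICY, BOUND_HOST, TODAY, "correct horse"))   # []
    print(start_checks(POLICY, COPIED_HOST, AFTER_EXPIRY, "guess"))   # all four reasons
    print(network_allowed(RULES, False, "out", "10.1.2.3", 443))      # True
    print(network_allowed(RULES, True, "out", "10.1.2.3", 443))       # False: quarantined
```

Two design points carry over to any real deployment of such a gate. The manifest is protected by a MAC over the list of hashes, not just per-file hashes, because an attacker who can edit a script in the ACE Resources folder can usually edit a plain hash list beside it. And the network filter is default-deny with a quarantine flag that overrides every rule, which is what lets an administrator cut a suspect environment off centrally without touching its rule set.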

Once the policies are specified, you configure the package that will be built from the components of the secure virtual environment. Click Edit package settings in the main VMware ACE window.

Editing VMware ACE package settings

In this window a system administrator prepares the package with the virtual machine for deployment:

  • Encryption
    This tabbed page lets you protect the package (the entire package or only the configuration file) and encrypt the virtual machine after the package is installed.
  • Package Lifetime
    These settings control the period during which the package can be installed: always, for a specified number of days after the installation time, or within a certain range of dates. These features help when distributing packages to demonstrate software.
  • Instance Customization
    Here you configure parameters for automatic deployment of virtual environments into a Microsoft infrastructure. To unlock these parameters, you must enter a license key for the guest system. This unlocks the following features:
    • System Options
      You can specify the user name, organization, and computer name, generate a new SID (Security ID) for each copy of the guest system, and allow time synchronization between the host and guest operating systems.
    • Initialization Scripts
      System administrators can specify scripts to be executed in the guest system after the virtual machine is set up.
    • Workgroup or Domain
      You can specify a domain login or add the computer to a workgroup. You can also include a configuration script that adds the computer to a domain through a remote server over a VPN connection.

  • Custom EULA
    On this tabbed page you specify an EULA (End User License Agreement) file. Its text is displayed the first time the virtual machine starts, and the user must accept the license to use the virtual environment.
  • Deployment Platform
    This option defines the platform (Windows or Linux) on which the virtual environment will be deployed. You can also choose both.

After the package is configured, the system administrator creates a ready-for-deployment package of one of two types: for installation on a hard drive, or for recording on a removable medium using Pocket ACE. To create a package of the first type, click Create new package in the main VMware ACE window, then enter the package name, the location of its files, and notes. You will then be prompted to choose one of three options:

  • Full
  • Policy Update
  • Custom

Choose Custom and select the necessary components.

Selecting package contents

A package may include:

  • The virtual machine itself
  • The ACE policies configured in the Policies window
  • The virtual machine's resources from the ACE Resources folder in the virtual machine's directory
  • Virtual machine players for Windows and Linux
  • Installation files in *.msi or *.tar format

The Disk Space panel also shows the package size and the free space required to deploy the virtual environment.

After the package is created, it can be deployed to workstations or to servers for VDI (Virtual Desktop Infrastructure). If there are only a few, you can do without centralized control. But if you create many secure environments that move from computer to computer, you will need continuous control and centralized security policy updates.

VMware ACE Management Server

ACE Management Server from VMware is a powerful tool for maintaining an enterprise desktop infrastructure. Its main functions include:

  • control VMware ACE package activations
  • control access rights to virtual environments
  • dynamically deploy virtual environment updates
  • configure guest operating systems on the Windows platform

ACE Management Server is distributed as an installation package for Windows and Linux hosts and as a virtual appliance that can be started in VMware Workstation or VMware Server. The server uses LDAP to integrate guest systems into Active Directory and HTTPS for communication between virtual machines and the server. It is administered through a thin client. The server side is based on the Apache 2.0 web server.

To connect virtual environments to the ACE Management Server, specify the server address when creating the virtual machine. In a production environment the Management Server collects information about client virtual environments and stores it in an SQLite 3 database. A large number of clients will probably require a larger database, which Oracle or Microsoft SQL Server can provide. The VMware ACE Standard and Enterprise editions are intended for managing up to 50 and 200 clients respectively; additional licenses can be bought whenever your need for secure environments grows.

Bottom line

VMware ACE is a unique virtualization solution from the point of view of creating secure computing environments. Its wide options for centralized deployment of virtual machines, including security and data access policies and expiration control, give software developers a new way of delivering their products to end users, and VMware ACE is also convenient for software demonstrations. Above all, VMware ACE is well suited to deploying a virtual desktop infrastructure in production, where protection against unauthorized access is a must. Users of VMware ACE need not worry about the security of their portable virtual environments even if the notebook carrying them is stolen, provided that encryption and an activation password have been enabled in the package. Without doubt, VMware ACE has a future in the medium and large business sector, where data protection plays one of the key roles.

Alexander Samoilenko (admin@vmgu.ru, www.vmgu.ru)

September 14, 2007

Copyright © Byrds Research & Publishing, Ltd., 1997–2011. All rights reserved.