Delivering BYOD Security

This Washington state K-12 district is turning to desktop virtualization to help maintain network security in its new BYOD environment for users who require more than just access to the Internet.

Richland School District Network Engineer Curtis Webb expects a "free-for-all" when the 12,000-student district introduces a bring-your-own-device program to students later this year. At the same time, he's making sure the district's desktop virtualization environment is ready to handle the new load, because it's a key ingredient for helping maintain network integrity when users require more than just access to the Internet.

The route to desktop virtualization started in the summer of 2010. Faced with a tight budget and a crop of decade-old machines, the IT organization knew a PC refresh was in store. But the district wasn't sure where it could come up with the $800 to $1,000 it would need to replace each of those computers. So Mike Leseberg, executive director of information technology, and his crew decided to leverage the existing hardware and turn those machines into thin clients.

The servers in use at the district were already virtualized running VMware, and the IT team could have simply gone down that route and continued with VMware for desktop virtualization. "We put forth a massive effort to educate ourselves about what product we thought met our needs," recalled Webb. Citrix XenDesktop was the winner. "We use both products side by side. VMware virtualizes our servers; Citrix virtualizes our desktops."

What especially struck him as useful was the way XenDesktop allows IT to create pooled desktops, in which a user is assigned a virtual desktop; when the session is over, the machine is wiped back to its original image and returned to the pool for use by the next user. (The program also allows for assigned desktops, in which the user is assigned to a specific virtual machine.)

"Where would [pools] work really well? Where is our infrastructure aging the most? Where do the machines get beat up the most? Labs," Webb noted. "That's where we're primarily using them."

The Challenges of Supporting Virtual Desktops

But preparing for the conversion of networked PCs to virtual PCs wasn't without its challenges. First, there was the initial expense. "Lots of people move to Citrix for cost savings," Webb explained. But, he added, "It's an investment over the long term." The return on investment doesn't really come until the device being converted to a virtual desktop is at its end of life. "We would have thrown it out. Now we keep it. Now we're getting ROI."

Second, there was a computing infrastructure that had to be bolstered to support multiple users tapping into the same computing resources. "While we have nice, fast links to and from our data center where everything is housed, you've still got to put more [storage], more servers, more horsepower into the backend," Webb said.

The initial implementation required replacing a data center that ran in an "old back office" and "had stuff stacked on the floor." The upgraded operation went into a new building that had a sizable room in the back that could accommodate racks, independent cooling, and a giant uninterruptible power supply. "Much nicer," Webb concluded. The new set-up relied on Cisco Systems networking gear and EMC storage, plus Citrix software to virtualize user operations.

IT acquired 800 licenses for XenDesktop 4 and loaded the software on 400 computers, out of 4,000 in use in the district. Desktop virtualization is a type of program that separates the applications, data, and operating system from the physical machine a user is working on. XenDesktop enables older hardware capable of running only Windows XP, for example, to act as a workstation through which users access Windows 7 and newer applications.

The district also purchased the same number of licenses for XenApp. This Citrix program does application virtualization, which allows the IT organization to deliver a given application to a user from a central datacenter without having to install the application on the user's local computer.

The goal in that first major upgrade was to make sure that desktop virtualization was "transparent." Said Webb, "When people are running XenDesktop, they don't care what the physical device looks like. [But] if you bring on too many resources at once, they'll start complaining about sluggishness or slowness. They're going to say, 'This is not usable.' We need to make sure when they click, it's snappy."

Since that first upgrade, however, the district has refreshed its network again to prepare for BYOD. At the same time, IT was hoping to regain user faith in the virtual desktop experience. "It was no longer transparent there for a little while," noted Webb. "We had a time where people said, 'It's a virtual desktop? No thanks.' We now have to make end users feel comfortable again using a virtual desktop rather than the physical desktop."

During summer 2012, with the help of system integrator Structured, IT replaced Cisco equipment with networking gear from Juniper Networks; the EMC storage hardware has been replaced with a Hitachi storage area network running solid-state disks; and Cisco wireless has given way to a Ruckus Wireless network. The district has also upgraded XenDesktop to version 5.5.

All that's left is implementation of a new network access control (NAC) system from Bradford Networks to ensure that whatever devices students bring onto the network "have the appropriate patch levels and anti-virus," Webb said.

Granting Access to Secure Network Resources

When BYOD goes live, student users will be able to gain access through the wireless network to the Internet. But should somebody need access to secure resources--those stashed on the district network--they'll receive instructions from IT for installing the Citrix Receiver. Working in tandem with the other Citrix programs, this utility is installed on the computing device--a computer, a tablet, or a smartphone--to allow the user to access applications, desktops, and files from that specific device. Teachers and staff already have that capability. In the new scenario, students will too.

"If they need access to secure resources, they can just load a Receiver on whatever device they're running and then get into an even more secure environment, which is what I would call our production environment," Webb explained. "So they can get access to district resources that would be [running] locally in our data center."

IT maintains user accounts in Active Directory. The same service will be used to manage student users as well. "We could say, all middle school students will have access to these applications. When they get into Citrix, they have access to a Windows 7 desktop and they can just pick or choose what they want to run," Webb said.

The Receiver software lets the user access an entire XenDesktop or, if the application is already virtualized, he or she can click on the application to launch it with an instance of XenApp.

The use of Receiver will also enable Webb and the rest of the IT team to help troubleshoot common problems for users. "Once you get Receiver connected, you now come into an IT-controlled environment. Once you've launched a desktop or application, you're now working on district resources," Webb said. "So you're just using your device as a dumb terminal at that point. As long as that connection works, all issues can be troubleshot from IT on the back-end hardware. We don't have to touch the device as long as that connection is working. That's the separation we want to have. We don't want to be in the business where we're touching personal devices."

Webb said students are excited to bring in their own devices on the network. "It should be pretty interesting to see if we can still balance security versus usability and try to give users that home experience while being on our network. That's the goal--while not compromising any type of security. It's definitely going to be an interesting couple of next months."