Securing Citrix Virtual Apps and Desktops With Nutanix Flow | Nutanix Community

Executive Summary

Securing business-critical applications is a key requirement for organizations, because agility depends on efficient and reliable IT infrastructure. Organizations with virtual desktop infrastructure (VDI) must protect VDI assets from malware, malicious users, and unauthorized access to critical enterprise applications. With Nutanix Flow, organizations can use microsegmentation to secure their Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) environment running on Nutanix AHV. Nutanix Flow–based microsegmentation in Citrix Virtual Apps and Desktops environments offers the following security benefits:

  • Prevent lateral movement
    Many modern attacks begin by compromising a single internal asset and then spread laterally through the internal network, widening the compromise until they reach critical assets. Flow-based microsegmentation blocks this lateral movement from one VDI desktop VM to another by controlling all VM-to-VM traffic within a desktop pool. In a VDI environment protected by Nutanix Flow, even if a desktop VM is compromised, stateful L4 policy enforcement (TCP, UDP, and ICMP) denies its connections to the other desktop VMs and contains the attack to that VM. Because Flow filters on the 5-tuple and does not inspect payloads, traffic over flows the policy explicitly allows (to shared application servers, for example) is still permitted and needs its own controls.

  • Whitelist inbound traffic to desktops and applications
    You can restrict the TCP/IP connections coming into a desktop VM with Flow 5-tuple inbound policies that select permitted sources by subnet or by Prism Central category. Only whitelisted sources and ports can reach the desktop VMs; all other inbound connections are denied once the policy is applied. The same inbound whitelist approach protects any application VM running on AHV.

  • Whitelist outbound traffic from desktops
    You can restrict outbound TCP/IP connections with Flow 5-tuple outbound policies that select permitted destinations by subnet or by Prism Central category. Only whitelisted destinations and ports are reachable from the desktop VMs, so a compromised desktop cannot open arbitrary connections to the rest of the network.

Nutanix Enterprise Cloud Overview

Nutanix delivers a web-scale, hyperconverged infrastructure solution purpose-built for virtualization and cloud environments. This solution brings the scale, resilience, and economic benefits of web-scale architecture to the enterprise through the Nutanix Enterprise Cloud Platform, which combines three product families—Nutanix Acropolis, Nutanix Prism, and Nutanix Calm.

Attributes of this Enterprise Cloud OS include:

  • Optimized for storage and compute resources.

  • Machine learning to plan for and adapt to changing conditions automatically.

  • Self-healing to tolerate and adjust to component failures.

  • API-based automation and rich analytics.

  • Simplified one-click upgrade.

  • Native file services for user and application data.

  • Native backup and disaster recovery solutions.

  • Powerful and feature-rich virtualization.

  • Flexible software-defined networking for visualization, automation, and security.

  • Cloud automation and life cycle management.

Nutanix Flow Overview

Nutanix Flow delivers advanced networking and security services for AHV VMs, providing visibility into the virtual network, application-centric protection from network threats, and automation of common networking operations.

Fully integrated into AHV virtualization and the Nutanix Enterprise Cloud OS, Flow allows organizations to deploy software-defined virtual networking without installing additional products that have separate management and independent software maintenance requirements.

Flow provides application-centric policies that enable complete visibility and traffic control. This policy model allows administrators to implement fine-grained rules regarding traffic sources and destinations, or microsegmentation. These same policies make it possible to visualize traffic flowing within and between VMs. This granular level of control is an important part of a defense-in-depth strategy against modern datacenter threats.

Designing Flow for Citrix Virtual Apps and Desktops

Flow is an application-centric security offering for enterprise applications running on Nutanix AHV, such as Citrix Virtual Apps and Desktops. In a typical Citrix Virtual Apps and Desktops environment, you can protect two distinct types of entities with Flow:

  • Desktop VMs.

  • Infrastructure VMs (also called the Citrix control plane), which include License Server, Studio, Delivery Controllers, and more.

In addition, you can use Flow categories to secure the other applications accessed by desktop VMs if those applications run on AHV. You can control outbound access to applications not running on AHV using outbound IP address–based policies.

To start securing the infrastructure, assign categories to the different VMs in the Nutanix environment. Nutanix recommends designing the simplest set of categories and policies that meets your security and connectivity requirements: a few categories that reflect natural boundaries between groups of VMs (desktops, the Citrix control plane, shared applications) are preferable to a unique category for every VM. Build application and isolation policies from these categories in Monitor mode, which records the flows the policy would allow or deny without blocking any traffic. Review the flows detected in Monitor mode, add allow entries for legitimate traffic the draft missed, and then move the policies to Apply mode to enforce them. Once the policies are applied, continue to adjust them as required to permit the desired traffic.
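The design above (a small set of categories per natural group of VMs, a desktop target group that denies desktop-to-desktop traffic, 5-tuple inbound and outbound whitelists, Monitor mode first and Apply mode after review) expressed as the JSON a Prism Central v3 API client would send. This is an added example, not Nutanix or Citrix code: the `network_security_rules` field names follow the Prism Central v3 schema as I know it and the `https://<pc>:9440/api/nutanix/v3/network_security_rules` endpoint is assumed, so verify both in your Prism Central REST API Explorer; the category `AppTier`, its values, the subnets and the policy name are made up for the example, and the port numbers are the usual Citrix and Active Directory defaults that you should confirm for your own deployment.

```python
"""Nutanix Flow application policy for a Citrix desktop pool, as Prism Central v3 API JSON.

Added example, not Nutanix or Citrix code. ASSUMED: the v3 network_security_rules schema
(app_rule / target_group / inbound_allow_list / outbound_allow_list / action) and the
/api/nutanix/v3/network_security_rules endpoint. CONSTRUCTED: category AppTier and its
values, the subnets, the policy name. Verify against your Prism Central API Explorer.
"""
import base64
import json
import urllib.request
from typing import Dict, List, Set, Tuple

API_VERSION = "3.1.0"

# Constructed categories: one key, one value per natural group of VMs, as the text recommends.
CAT_KEY = "AppTier"
DESKTOPS = {CAT_KEY: ["Citrix-Desktop"]}
CONTROL_PLANE = {CAT_KEY: ["Citrix-ControlPlane"]}  # Delivery Controllers, Studio, License Server


def category_peer(params: Dict[str, List[str]]) -> dict:
    """Peer = VMs on AHV that carry all of the given category key/values."""
    return {"peer_specification_type": "FILTER",
            "filter": {"type": "CATEGORIES_MATCH_ALL", "kind_list": ["vm"], "params": params}}


def subnet_peer(ip: str, prefix_length: int) -> dict:
    """Peer = IP subnet, for endpoints that do not run on AHV (user LAN, domain controllers)."""
    return {"peer_specification_type": "IP_SUBNET",
            "ip_subnet": {"ip": ip, "prefix_length": prefix_length}}


def allow(peer: dict, protocol: str, *ports: int) -> dict:
    """One 5-tuple style allow entry: peer, protocol (TCP/UDP) and an explicit port list."""
    entry = dict(peer)
    entry["protocol"] = protocol
    entry[f"{protocol.lower()}_port_range_list"] = [{"start_port": p, "end_port": p} for p in ports]
    return entry


def build_desktop_policy(user_lan: Tuple[str, int], ad_subnet: Tuple[str, int],
                         action: str = "MONITOR") -> dict:
    """Policy for the desktop pool. Ports are the usual Citrix/AD defaults (ICA 1494, CGP 2598,
    VDA<->Controller 80/443, DNS/Kerberos/LDAP/SMB); confirm them for your deployment.
    default_internal_policy DENY_ALL blocks desktop-to-desktop traffic inside the target group,
    which is the setting that stops lateral movement between compromised desktops."""
    users, ad, ddc = subnet_peer(*user_lan), subnet_peer(*ad_subnet), category_peer(CONTROL_PLANE)
    return {
        "api_version": API_VERSION,
        "metadata": {"kind": "network_security_rule"},
        "spec": {
            "name": "citrix-desktop-pool",
            "description": "Citrix desktops: inbound/outbound whitelist, no desktop-to-desktop traffic",
            "resources": {"app_rule": {
                "target_group": {**category_peer(DESKTOPS), "default_internal_policy": "DENY_ALL"},
                "inbound_allow_list": [
                    allow(users, "TCP", 1494, 2598),     # ICA/HDX sessions from the user subnet
                    allow(ddc, "TCP", 80, 443),          # brokering from the Delivery Controllers
                ],
                "outbound_allow_list": [
                    allow(ddc, "TCP", 80, 443),          # VDA registration with Delivery Controllers
                    allow(ad, "TCP", 53, 88, 389, 445),  # DNS, Kerberos, LDAP, SMB (GPO, profiles)
                    allow(ad, "UDP", 53, 88, 389),
                ],
                "action": action,  # MONITOR records flows without blocking; APPLY enforces
            }},
        },
    }


def promote_to_apply(policy: dict) -> dict:
    """Return a copy switched from Monitor to Apply mode; call it only after reviewing flows."""
    applied = json.loads(json.dumps(policy))
    applied["spec"]["resources"]["app_rule"]["action"] = "APPLY"
    return applied


def allowed_ports(policy: dict, direction: str) -> Set[Tuple[str, int]]:
    """Summarise one allow list as {(protocol, port)} so the whitelist can be reviewed."""
    key = {"inbound": "inbound_allow_list", "outbound": "outbound_allow_list"}[direction]
    ports: Set[Tuple[str, int]] = set()
    for entry in policy["spec"]["resources"]["app_rule"][key]:
        proto = entry["protocol"]
        for r in entry.get(f"{proto.lower()}_port_range_list", []):
            ports.update((proto, p) for p in range(r["start_port"], r["end_port"] + 1))
    return ports


def submit(policy: dict, pc_host: str, user: str, password: str) -> dict:
    """POST the policy to Prism Central (assumed endpoint, HTTP basic auth, TLS verified)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{pc_host}:9440/api/nutanix/v3/network_security_rules", method="POST",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)


if __name__ == "__main__":
    draft = build_desktop_policy(("10.10.0.0", 16), ("10.20.0.0", 24))
    print(json.dumps(draft, indent=2))
    print(sorted(allowed_ports(draft, "inbound")), sorted(allowed_ports(draft, "outbound")))
```

The draft is created with `action: MONITOR`, so submitting it changes nothing on the wire; Prism Central only records which flows the whitelist would have allowed or denied. Review that output with `allowed_ports()` beside it, add whatever legitimate traffic the draft missed, and only then push `promote_to_apply(draft)`. Desktop-to-desktop traffic needs no entry at all: `default_internal_policy: DENY_ALL` on the target group is what blocks it.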

For more information on this, please visit the Portal Documentation for Securing Citrix Virtual Apps and Desktops With Nutanix Flow