Remote Access Security: VPN vs VDI

January 7, 2021 | By IANS Faculty

For most organizations, virtual private network (VPN) access will continue to be a sound, reliable remote access strategy. Virtual desktop infrastructure (VDI) can be expensive, but may offer more granular security controls and restrictions, while keeping all content in the core data center. Depending on the use cases, both are viable remote access options. In this piece, we explain the tradeoffs with each technology for organizations evaluating options and offer tips for implementing a secure remote access strategy.

VPN for Remote Access:  Benefits

  • Easy deployment: VPNs are usually simple to deploy, whether they are SSL/TLS-based (browser portal or lightweight agent) or client-based IPsec VPNs with pre-configured security policies.
  • Inexpensive: VPNs can be relatively cost-effective for a moderate number of simultaneous users.
  • Flexibility: VPNs can be used with just about any type of remote device.
  • Well-understood, time-tested technology: Consequently, there are readily available skills for configuration and management/oversight.
  • Easy logging/monitoring: Many security operations teams understand well how to log and monitor VPN connections.
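As an added example (not part of the original IANS piece), the following Python script runs three simple detections over a handful of constructed VPN gateway log lines: failed-login bursts, a user authenticating from two different source addresses within a short window, and successful logins outside business hours. The log format, the host name vpn-gw, the user names and the addresses are all made up for illustration; real concentrators log in their own formats, so only the regular expression would need to change.

```python
"""Toy VPN log review: three detections over constructed log lines.

Log format is a hypothetical syslog-style line (not any vendor's real format):
  <ISO timestamp> vpn-gw auth: user=<name> src=<ip> result=<success|failure>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for illustration only; not real traffic.
SAMPLE_LOG = """\
2021-01-07T08:02:11Z vpn-gw auth: user=alice src=203.0.113.10 result=success
2021-01-07T08:05:40Z vpn-gw auth: user=bob src=198.51.100.7 result=failure
2021-01-07T08:05:52Z vpn-gw auth: user=bob src=198.51.100.7 result=failure
2021-01-07T08:06:03Z vpn-gw auth: user=bob src=198.51.100.7 result=failure
2021-01-07T08:06:15Z vpn-gw auth: user=bob src=198.51.100.7 result=failure
2021-01-07T08:06:30Z vpn-gw auth: user=bob src=198.51.100.7 result=failure
2021-01-07T08:07:01Z vpn-gw auth: user=bob src=198.51.100.7 result=success
2021-01-07T08:20:45Z vpn-gw auth: user=alice src=192.0.2.55 result=success
2021-01-07T23:40:09Z vpn-gw auth: user=carol src=203.0.113.77 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn matching lines into event dicts; silently skip lines in other formats."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a (user, src) pair with >= threshold failures inside any sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    findings = []
    for (user, src), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("failed_login_burst", user, src, end - start + 1))
                break   # one finding per pair is enough
    return findings


def rapid_source_change(events, window=timedelta(minutes=30)):
    """Flag a user whose consecutive successful logins come from different IPs within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append((e["ts"], e["src"]))
    findings = []
    for user, logins in by_user.items():
        logins.sort()
        for (prev_ts, prev_src), (ts, src) in zip(logins, logins[1:]):
            if src != prev_src and ts - prev_ts <= window:
                findings.append(("rapid_source_change", user, prev_src, src))
    return findings


def off_hours_logins(events, start_hour=6, end_hour=22):
    """Flag successful logins outside [start_hour, end_hour); timestamps are UTC in the sample."""
    return [("off_hours_login", e["user"], e["src"], e["ts"].isoformat())
            for e in events
            if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)]


def review(log_text):
    """Run all three detections and return the combined list of findings."""
    events = parse(log_text)
    return failed_login_bursts(events) + rapid_source_change(events) + off_hours_logins(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The three rules are deliberately simple and tunable; what matters operationally is that the gateway's authentication events reach the SIEM with a consistent timestamp and source address, because every one of these detections depends on those two fields.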

VPN for Remote Access:  Disadvantages

  • Performance issues: VPN concentrators can become overloaded with a high number of simultaneous users, and bandwidth can also become saturated.
  • Client/endpoint issues: VPN clients must be configured and deployed, and can conflict with other software on endpoints. Plus, not all VPN providers/vendors support all endpoint configurations.
  • Lack of endpoint visibility: A VPN extends network reach to an endpoint it does not control and does nothing inherently to secure that endpoint, other than possibly performing connect-time posture checks (patch level, antivirus signatures, etc.) that say nothing about what the endpoint does once the tunnel is up.

VDI for Remote Access:  Benefits

  • Centralized control: VDI offers full central data center control over all aspects of OS and application security.
  • Malware protection: Ephemeral images disappear after use, eliminating many persistent malware threats.
  • Reduced data center threats: All resource access comes from VDI central farms, not distributed endpoints.

VDI for Remote Access:  Disadvantages

  • Additional resource requirements, including storage, virtualization platforms, etc.
  • More complexity, which requires more operational oversight.
  • Potentially higher costs for licensing.

VDI Security Best Practices

  • Secure all endpoints where the client will be installed, with patches, OS configuration standards and anti-malware technology.
  • Implement multifactor authentication (MFA) for all users accessing VDI instances remotely. At the very least, ensure privileged users use MFA.
  • Use a virtualization-aware endpoint security suite within your VDI cluster for the VDI instances themselves. Offloading scanning to the hypervisor layer keeps every instance from running its own full scan at the same time (the "AV storm" problem) and so limits resource utilization. Most major endpoint security vendors have solutions that integrate with VMware.
  • Disable all USB and external drive connections on remote clients, if possible.
  • Set client idle-session timeout values; 30 minutes or less is a reasonable starting point.
  • Set VDI administrator timeouts to a value of 15 minutes or less as a best practice.
  • Ensure accurate time sync between all components, including connection servers, load balancers, security servers, vSphere management, etc., using the Network Time Protocol (NTP); without it, logs from the different components cannot be reliably correlated.
  • Restrict all ports and services between VDI servers to only those needed for operation. These will differ from one solution to the next.
  • Enable logging for all connection services, including load balancers, connection brokers and security servers/services.

VPN vs VDI Comparison Chart

[Chart comparing VPN and VDI for remote access security; image not reproduced in this text.]

Remote Access Security Strategy

Remote access security considerations your company should keep in mind when evaluating VDI vs. VPN:

  • Use of company-owned devices: If all remote assets are 100 percent controlled by the organization, a VPN is a very viable and sustainable remote access option for the foreseeable future. It can also serve to minimize impact on end users in terms of complexity and configuration.
  • Bandwidth concerns: Bandwidth constraints are likely to be a concern, irrespective of which option is used.
  • View vs. RDP: VMware (Horizon) View connections are likely to be superior to standard RDP because:
      • A standard RDP deployment (direct connections to individual Windows hosts) does not scale well to numerous simultaneous connections, whereas View brokers and load-balances sessions and is well suited to handling many connections at once.
      • View is much more flexibly configured for explicit types of remote access beyond just Windows servers.
  • Dedicated VMs vs. pooled: For highly sensitive access to data and/or privileged users, setting up dedicated VDI instances or VMs is a sound approach, provided you have the infrastructure capacity to support this.

Remote Access Security Recommendations

While every organization is different, here are a few guidelines when evaluating VPN vs. VDI for remote access.

Consider VPNs unless bandwidth and performance issues crop up: If existing VPN access is functional and reasonably well locked down, VPNs are a sustainable method of enabling remote access as long as excess congestion (bandwidth and concentrator overload) doesn’t occur.

Consider VDI if cost isn't an issue: If the existing infrastructure is in place and license costs are not an issue, VDI offers more flexible remote access options in terms of desktop control, access controls and maintenance of applications centrally in the data center.

Consider a VDI platform with a wide range of security and performance features. Key features include a display protocol such as PCoIP that can be configured to manage bandwidth and streaming, along with restrictions on which endpoint clients may access and use virtual desktop images.

Pooled vs. dedicated VMs: For most users and scenarios, a pool of VMs will be a sensible option. Dedicated VMs are preferable for more privileged users and data.

Use of MFA: Consider using it with all users where possible (for VPN and VDI).
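Both the VDI best-practices list above and this recommendation call for MFA on VPN and VDI logins. As an added example (not code from the original piece or from any VPN/VDI vendor), the following Python implements the server-side check of a time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) with standard-library modules only, including the two details a gateway must get right: a bounded clock-drift window and rejection of a code that has already been accepted. The secret is the RFC 6238 reference secret; the user names and the drift window of one 30-second step are assumptions.

```python
"""RFC 6238 TOTP verification as a remote-access gateway would perform it (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check with bounded clock drift and replay rejection per user."""

    def __init__(self, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.step, self.digits, self.drift = step, digits, drift_steps
        self._last_counter = {}   # user -> last accepted time-step counter

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        for delta in range(-self.drift, self.drift + 1):   # accept +/- drift_steps of skew
            c = counter + delta
            if c <= self._last_counter.get(user, -1):
                continue   # that time step (or an earlier one) was already used: reject replay
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                self._last_counter[user] = c
                return True
        return False


# RFC 6238 reference secret (ASCII "12345678901234567890"); real deployments use a random per-user secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(SECRET, 59)                 # "287082" per the RFC 6238 SHA-1 test vector (6 digits)
    print(code)
    print(v.verify("alice", SECRET, code, 59))   # True
    print(v.verify("alice", SECRET, code, 59))   # False: same code replayed
```

The comparison uses hmac.compare_digest so that a wrong guess is rejected in constant time, and the verifier records the highest accepted time step per user rather than the code itself, which closes the window in which an intercepted code could be replayed within the drift tolerance.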

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

