VDI and the Identity Aware Network
By Renuke Mendis  |  March 12, 2014

Many speculated that Virtual Desktop Infrastructure (VDI) would be just a phase. On the contrary, VDI has proven to be a serious contender and is becoming a necessity for IT departments. Although interest in VDI may appear to have declined, several analysts consider the technology to be on the rebound.

Renuke Mendis – Principal Technical Marketing Engineer, Extreme Networks.

Historically, data centers have been designed for physical environments, so companies today are applying yesterday's tools and capabilities to current and future needs: virtualizing IT architectures that were never optimized for virtualization, especially at the network level. VDI in particular has become, and will remain, a staple of the new data center, appearing in progressive IT departments at colleges, law firms, hotels and retail establishments. The business and technical case for VDI is relatively simple and straightforward given the significant improvements it can deliver in network manageability, security and energy efficiency.

According to The Cloud-Based Virtual Desktop Infrastructure Market 2012-2017 published in September 2012 by VisionGain, the VDI market was expected to grow to $11.2 billion by the end of 2012 and continue to increase at a compound annual growth rate (CAGR) of 14.77% through 2015. Large enterprises are drawn to VDI because of its ability to reduce desktop support and management costs, as well as lower overall energy requirements of virtual desktops.

VDI also provides business continuity and disaster recovery capabilities within the data center, which helps meet compliance and security requirements. VDI does, however, demand an identity approach and a more aware network. Policy and identity management are critical network security considerations because users connect to the data center from any location and from a variety of devices. At the network level, more granular access policies based on user role, device type and physical location are required. The network then has to scale bandwidth, manage converged communications appropriately and enforce network-layer security policy independently of any single device or application. The coarse access management and missing identity features of older networks will not be up to that task. Before moving to VDI, data center managers must understand how the enterprise network's performance will be affected while still controlling cost, delivering multiple converged services and maintaining power efficiency.

How will VDI help increase energy efficiency?

While VDI is partly driven by lighter-weight devices such as smartphones and tablets, the network plays a key role. Centralizing resources and raising speeds at the port level both reduce energy consumption. Because VDI concentrates traffic in the data center, high-density 10 Gigabit Ethernet (GbE) port modules on chassis switches allow all of that traffic to be collapsed into just a few network switches. Consolidating capacity in a single core layer, instead of deploying distributed GbE LANs across multiple tiers, provides the bandwidth needed for all VDI connections. Overall, VDI has proven more powerful and easier for IT departments to manage while also meeting many businesses' goals of being "green" and highly efficient.

How can the network converge voice, video and data for VDI deployments?

After addressing system centralization and bandwidth, IT departments face the next issue: how to carry converged media, that is, mixed voice, video and data. To deliver voice and video to users at predetermined priorities, the network must offer not only 10 Gigabit and Gigabit to the edge, but also intelligence, Quality of Service (QoS) and very low latency switching. As with traditional networks, the backbone of a VDI network must handle convergence flawlessly for users to experience consistent and predictable interactions. Only once the network has been shown to be seamless and to deliver the required quality can critical activities such as IP telephony and collaboration, e-learning over IP video and customer call centers run on it.

How does the network support the security of VDI deployments?

With VDI, the desktop operating system moves off the endpoint into the data center, yet user log-on, security policy, visibility and monitoring are needed more than ever. Until now, many companies have relied on the security of traditional networks built from complex "application layer" sign-on elements, including strong authentication, Single Sign-On (SSO) systems and LDAP directories. For companies that have moved to VDI, security, including network identity, is simplified, centralized and managed by the network rather than by a PC operating system. With a growing number of secure government facilities choosing advanced identity management, which VDI makes far easier to enforce, we can expect the private sector to follow with similar deployments for its mobile workforce. To this end, businesses looking to deploy VDI securely need a new model called identity-aware networking, a term that Jon Oltsik, principal analyst at Enterprise Strategy Group, defines as "a policy-based network architecture that understands and acts upon the identity and location of users and devices."

With identity-aware networking, the network gathers information from multiple existing sources in an integration process, and IT departments use this data to build and enforce access policies. With this rich data (user, device and location) in hand, network administrators can configure very granular network access policies that are enforced based on any or all of this information and on other factors. For example, the CFO of a company could be granted access to the end-of-quarter financials from their laptop on the corporate LAN or from a home computer connected over a VPN, but not from other devices or networks. In other cases, a contractor may be able to access engineering plans during specified hours only. Here user and device location matters for several reasons. First, identity-aware networking establishes whether the user is connecting from a trusted or an untrusted network. Location may also matter depending on whether a user is accessing the network from a wired port or over Wi-Fi. Furthermore, access policies may change with the device's location, whether within a single facility or between two facilities on the same campus. In addition to who is connecting to the network, identity-aware networking verifies what is connecting. This is important because different devices (e.g., laptops, tablets, smartphones, power meters) have different security and performance characteristics. Just as a contractor may only have access during certain hours, their laptop may also be treated differently from a remote employee's PC that meets all corporate security and configuration policies.

Network-based identity draws on attributes such as IP and MAC addresses, VLAN tags and subnets, which all play a role in device identification, VPNs and IPsec; in this way network-layer security takes over. Because IP and MAC addresses are easily spoofed, they should be treated as policy inputs that corroborate an authenticated identity, not as proof of identity on their own. Network-based identity considers several inputs when securing the network: the user ID and the user's role, the characteristics and capabilities specific to the device, and the user/device location. In most deployments, IT departments must cope daily with a changing mix of mobile users and devices. To make this possible, more granular network access policies based on user role, device type and physical location are required at the network level, which an identity-aware network can provide. Once this has been achieved, the network then has to scale bandwidth, enforce network-layer security policy independently of any single device or application, and manage converged communication appropriately.
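The two preceding paragraphs describe identity-aware policy in words: decisions driven by user role, device type and posture, location (trusted LAN, VPN or untrusted network; wired or Wi-Fi) and time of day, with the CFO-financials and contractor-plans cases as illustrations. The following is an added example, written for this page and not code from the article or from Extreme Networks, that implements such a policy engine with a default-deny evaluation. The address ranges (10.10.0.0/16 for the corporate LAN, 10.200.0.0/24 for the VPN pool), the user names, resources and rule definitions are all constructed assumptions; the user and role are assumed to arrive from an authenticated session (for example 802.1X/RADIUS), and the source address only corroborates that identity, since addresses can be spoofed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address plan (assumption, not from the article): one corporate
# LAN block and one VPN address pool. Everything else is treated as untrusted.
CORPORATE_LAN = ip_network("10.10.0.0/16")
VPN_POOL = ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class AccessRequest:
    """What the network knows about one connection attempt.

    `user` and `role` are assumed to come from an authenticated session
    (e.g. 802.1X/RADIUS); the source address and medium only corroborate it.
    """
    user: str
    role: str
    device_type: str        # "laptop", "tablet", "smartphone", "power_meter", ...
    device_compliant: bool  # endpoint meets corporate configuration policy
    src_ip: str
    medium: str             # "wired", "wifi" or "vpn"
    local_time: time
    resource: str


@dataclass(frozen=True)
class Rule:
    name: str
    resource: str
    roles: frozenset
    device_types: Optional[frozenset] = None   # None means any device type
    locations: Optional[frozenset] = None      # None means any location
    require_compliant: bool = False
    hours: Optional[Tuple[time, time]] = None  # permitted local-time window


def classify_location(src_ip: str, medium: str) -> str:
    """Map (address, medium) to a location class. Addresses can be spoofed,
    so this is a policy input, never an authentication factor by itself."""
    addr = ip_address(src_ip)
    if medium == "vpn" and addr in VPN_POOL:
        return "vpn"
    if medium in ("wired", "wifi") and addr in CORPORATE_LAN:
        return "corporate_lan"
    return "untrusted"


def evaluate(req: AccessRequest, rules: list) -> Tuple[str, str]:
    """First matching permit rule wins; anything left unmatched is denied."""
    location = classify_location(req.src_ip, req.medium)
    for rule in rules:
        if rule.resource != req.resource or req.role not in rule.roles:
            continue
        if rule.device_types is not None and req.device_type not in rule.device_types:
            continue
        if rule.locations is not None and location not in rule.locations:
            continue
        if rule.require_compliant and not req.device_compliant:
            continue
        if rule.hours is not None and not (rule.hours[0] <= req.local_time < rule.hours[1]):
            continue
        return "permit", rule.name
    return "deny", "default-deny"


# The two policies from the text: the CFO reads financials from a laptop on the
# LAN or over VPN only; contractors see engineering plans during business
# hours, on site, from a compliant device.
RULES = [
    Rule("cfo-financials", "financials", frozenset({"cfo"}),
         device_types=frozenset({"laptop"}),
         locations=frozenset({"corporate_lan", "vpn"})),
    Rule("contractor-plans", "engineering-plans", frozenset({"contractor"}),
         locations=frozenset({"corporate_lan"}),
         require_compliant=True,
         hours=(time(8, 0), time(18, 0))),
]


def run_examples() -> dict:
    """Constructed requests (hypothetical users and addresses) exercising each
    policy dimension: role, device type, posture, location and time."""
    cases = {
        "cfo_lan_laptop":       AccessRequest("alice", "cfo", "laptop", True, "10.10.4.7", "wired", time(9, 0), "financials"),
        "cfo_vpn_laptop":       AccessRequest("alice", "cfo", "laptop", True, "10.200.0.15", "vpn", time(22, 0), "financials"),
        "cfo_wifi_phone":       AccessRequest("alice", "cfo", "smartphone", True, "10.10.4.7", "wifi", time(9, 0), "financials"),
        "cfo_untrusted":        AccessRequest("alice", "cfo", "laptop", True, "203.0.113.9", "wired", time(9, 0), "financials"),
        "contractor_in_hours":  AccessRequest("bob", "contractor", "laptop", True, "10.10.50.3", "wired", time(14, 30), "engineering-plans"),
        "contractor_evening":   AccessRequest("bob", "contractor", "laptop", True, "10.10.50.3", "wired", time(20, 0), "engineering-plans"),
        "contractor_noncompl":  AccessRequest("bob", "contractor", "laptop", False, "10.10.50.3", "wired", time(14, 30), "engineering-plans"),
        "contractor_wrong_res": AccessRequest("bob", "contractor", "laptop", True, "10.10.50.3", "wired", time(14, 30), "financials"),
    }
    return {name: evaluate(req, RULES) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, rule) in run_examples().items():
        print(f"{name:22s} {decision:6s} ({rule})")
```

Two design choices matter here. Evaluation is default-deny, so a request that matches no rule (the CFO on a smartphone, the contractor after hours or asking for the wrong resource) is refused without any rule having to say so. And location is derived from the address and the medium together: a VPN-pool address arriving on a wired port is classified as untrusted, which is the kind of inconsistency an address-only check would miss.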

Although virtualization may have started out as a technology driven by server consolidation, today's evolving network takes it well beyond servers to a means of centralizing IT itself. The evolution starts with desktop PCs and extends to the new class of wireless computing devices proliferating throughout the enterprise, including smartphones and tablets. In today's Internet-connected world, large organizations need their networks to let any user connect securely to applications and services from any authorized device. What companies, both enterprises and SMBs, need is a "best of breed" network with the intelligence not only to enforce their policies once users are on the network, but also to dynamically collect information about the users on the network, the devices trying to connect and where those users physically are when they try to reach the VDI infrastructure. In the end, IT departments will spend less time maintaining and managing application-layer security and can focus more on running the business, on regulatory compliance and on the return on their security investment.

VDI demands an identity approach and a more aware network, and only when data center managers closely examine the network’s role in meeting key criteria such as cost savings, power efficiency, user and device identity, and ease-of-use can VDI truly progress towards becoming a new norm in computing.

© HPC Today 2024 - All rights reserved.
