Securing Amazon Workspaces with VNS3

21 May 2020

The recent upsurge in remote working may have you thinking about new ways to achieve centralised control of a distributed workforce. One way to do this is to use a Desktop-as-a-Service (DaaS) offering such as Amazon Workspaces. We’ll show you how VNS3 can improve the security, visibility and control of your DaaS infrastructure.

But First, What are Amazon Workspaces?

Amazon Workspaces is AWS’s managed DaaS solution, which lets you provision Linux or Windows desktop environments. Your users access the desktop via the Workspaces app as if it were installed locally. They can surf the web, download software and access other resources on the network. Great, right?

What’s Going on in the Background?

When you launch Workspaces via the wizard, AWS creates a VPC, 3 subnets, 2 AD servers and the Workspace instances. That’s a lot going on in the background.

While some of this is managed for you from a maintenance perspective, under the shared responsibility model you are still responsible for what can be accessed, shared, downloaded and installed on and in your DaaS infrastructure.

How VNS3 Secures Your Workspaces

VNS3 deployed in your public subnet can be configured as the ingress/egress point for your VPC. This lets you control traffic in and out of your network, including your Workspaces. When internet-bound traffic is routed via VNS3’s Elastic Network Interface (ENI), coupled with our overlay network, you have complete visibility of what’s going where.
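As an added example (not VNS3’s or AWS’s own tooling), here is a small audit that confirms the Workspaces subnets really do default-route through the VNS3 ENI and that the ENI is allowed to forward traffic. It runs on constructed data shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` output; the ENI, subnet and gateway ids are made up for the example.

```python
VNS3_ENI = "eni-0vns3example"                        # constructed id of the VNS3 ENI
WORKSPACE_SUBNETS = ["subnet-ws-a", "subnet-ws-b"]  # constructed Workspaces subnet ids

# Constructed sample: subnet-ws-a is explicitly bound to the private table, while
# subnet-ws-b has no association and therefore falls back to the VPC's main table.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-ws-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": VNS3_ENI}]},
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}, {"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]}
ENIS = {"NetworkInterfaces": [{"NetworkInterfaceId": VNS3_ENI, "SourceDestCheck": False}]}


def default_target(rtb):
    """Target of the 0.0.0.0/0 route (ENI or gateway id), or None if there is none."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NetworkInterfaceId") or route.get("GatewayId")
    return None


def audit_egress(route_tables, enis, vns3_eni, workspace_subnets):
    """Return a list of findings. Empty means every Workspaces subnet sends its
    default route to the VNS3 ENI and that ENI may forward traffic it did not originate."""
    explicit, main = {}, None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main = rtb
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rtb
    findings = []
    for subnet in workspace_subnets:
        rtb = explicit.get(subnet, main)  # unassociated subnets use the main table
        target = default_target(rtb) if rtb else None
        if target != vns3_eni:
            findings.append(f"{subnet}: default route -> {target}, bypasses VNS3")
    for eni in enis["NetworkInterfaces"]:
        # An instance acting as a router needs source/destination checking disabled.
        if eni["NetworkInterfaceId"] == vns3_eni and eni.get("SourceDestCheck", True):
            findings.append(f"{vns3_eni}: SourceDestCheck enabled, forwarded packets are dropped")
    return findings
```

With the sample data the audit reports subnet-ws-b, whose default route goes straight to the internet gateway and so never passes VNS3.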

Sounds like a fancy NAT device, I hear you say?

Sort of, but VNS3 is much more. With visibility comes the ability to control what’s happening on your network. VNS3’s Network Sniffer lets you filter and watch live traffic, or you can capture trace files for export and later analysis.

For automated traffic monitoring our plugins are the way to go. To control web and application traffic, our WAF plugin can be used inline to log, alert on or restrict certain activity. If our curated plugins aren’t compatible with your current tech stack, we can easily create and deploy a custom plugin using technologies you’re already familiar with.

Diagram: VNS3 secure Workspaces in AWS

In this diagram we have VNS3 centrally controlling traffic, with the addition of Nginx, ModSecurity and OWASP. Out to the right we have CloudWatch and Datadog for external monitoring of VNS3.

If you’d like to discuss this deployment, or some of the features of VNS3 not mentioned in this post, including VPNs, HA and peering, please contact us at contactme@www.cohesive.net.