
What is VMware ACE?
Enterprise applications and confidential data are accessed
by an increasing number of unmanaged PCs used by contractors,
outsourcers, telecommuters, and partners. Unmanaged
PCs are not owned or maintained by IT and therefore
present increased costs and security risks.
VMware ACE gives security administrators the ability
to lock down PC endpoints and protect critical company
resources against the risks presented by unmanaged PCs.
With VMware ACE, security administrators package an
IT-managed PC within a secured virtual machine and deploy
it to an unmanaged physical PC. Once installed, VMware
ACE provides a secured and IT-compliant PC endpoint,
enabling safe access to IT resources.
VMware ACE offers complete control of the hardware
configuration and networking capabilities of an unmanaged
PC, transforming it into an IT-compliant PC endpoint.
This unique capability for improving endpoint security
can be used internally, remotely, connected or disconnected
from the trusted network. VMware ACE increases the security
and reduces the cost of enabling unmanaged PCs to access
IT resources.
VMware ACE is composed of two parts:
- VMware ACE Manager.
Used by security administrators to package an IT-managed
PC within a secured virtual machine, an ACE Package,
that can be provisioned to any PC.
- VMware ACE for end-user PCs.
Installed by end users to run a pre-configured, sandboxed
and IT-compliant PC endpoint on their PC.
How does VMware ACE work?
Using VMware ACE Manager, security administrators
create MSI-compliant deployment packages that are comprised
of:
- One or more self-contained virtual machines with
an operating system, enterprise and security applications,
and data
- Security policies that control encryption, authentication,
expiration, copy protection, network access, and device
access for the virtual machine(s)
Security administrators then distribute the VMware
ACE package to end users via direct download, provisioning
tool, or DVD/CD media. End users install this package
to create a secured and IT-managed endpoint.
VMware ACE Virtual Rights Management (VRM) centralises
management of security policies and access rights applied
to VMware virtual machines in order to control PC environment
lifecycles, and enable endpoint compliance with IT policies.
The unique capability of VMware ACE for improving endpoint
security and reducing the cost to enable access to IT
resources can be used internally, remotely, connected
or disconnected from the trusted network.

How is VMware ACE used in the Enterprise?
VMware ACE is used by security administrators to:
- Provision secured, IT-managed endpoints on unmanaged
PCs.
- Secure confidential data on endpoint PCs.
- Run multiple secure PC environments on a single
PC.
What is "Virtual Rights Management"
(VRM) technology?
Virtual Rights Management (VRM) is a new VMware technology
that enables policies to be applied to virtual machines
that govern:
- Who can access the virtual machine
- When the virtual machine can be used
- What network resources can be accessed
- What hardware on the host computer can be accessed
- What copy protection and encryption will be enforced
Through VRM, IT security administrators can control
PC environment expiration dates, secure enterprise data
through authentication, encryption, and copy protection
controls, and ensure compliance with IT policies through
rules-based network access.
Does VMware ACE run on Linux?
The initial release of VMware ACE (both ACE Manager
and VMware ACE for end-user PCs) runs on Microsoft Windows
2000 or later operating systems. Linux host support
is being evaluated and is a high priority. In addition,
ACE supports a wide variety of guest operating systems,
including most versions of Windows, Linux, and NetWare.
How does VMware ACE compare to VMware Workstation?
While both products are built on the same core virtualisation
technology, are hosted products (install on top of a
host operating system), and are installed on a single
user's PC, they are targeted at different audiences
and applications and offer different features and capabilities.
- VMware ACE is sold to security administrators. Security
administrators use ACE Manager to create, package
and provision ACE onto end-user PCs. VMware ACE is
centrally configured and deployed and the end-user
has very limited control over the virtual machine.
ACE is used primarily to ensure more secure guest
worker, partner, and remote PC access.
- Workstation is sold to, and used by, software developers
and IT professionals for software testing and development,
IT support, computer-based training and software demos.
Workstation users have essentially unlimited control
on how they use Workstation and how they create and
modify the virtual machines within it.
How does VMware ACE enforce patch compliance?
The Virtual Rights Management interface in VMware
ACE provides a Network Quarantine Wizard. Through this
wizard, security administrators can set different network
quarantine policies for virtual machines based on their
build version. For example, security administrators
can give out-of-date virtual machines access to the
server that provides a required patch or software update
but not to other parts of the network.
How does VMware ACE prevent malicious software
on the host from compromising the network? Doesn't the
host need network access for the ACE virtual machine
to connect?
The Host Quarantine function can prevent the host
PC from accessing the network while still allowing the
ACE to connect to the network. This configuration does
require the security administrator to use bridged networking
for the virtual machine.
How does VMware ACE prevent a contractor from
stealing information by connecting a USB disk-on-key
to the host PC?
Through Virtual Rights Management, a security administrator
can deny access to the host USB ports (as well as floppy
drives and CD burners) from within the ACE environment.
Therefore, an end user would not be able to copy information
from within the ACE environment onto a USB memory device,
floppy disk, or CD.
How are OS patches and application updates
delivered to VMware ACE on end-users' PCs?
Security administrators can use existing system management
tools such as those offered by Microsoft (SMS), Altiris,
and LANDesk to push out operating system and application
updates. If security administrators use the VMware ACE
version-based network quarantine function, they should
also patch the ACE project in ACE Manager and update
the version number.
What type of encryption does VMware ACE use?
Is VMware ACE restricted from export?
VMware ACE files are encrypted with the AES 128-bit
algorithm. VMware has received approval from the US
Department of Commerce to export VMware ACE internationally.
Does the ACE virtual machine share the IP address
of the host (NAT), or does it have its own IP address?
The ACE virtual machine can use bridged networking
to receive its own IP address (when available from a
DHCP server), or it can use NAT and share the host's
IP address.
What kind of technical support is available
from VMware?
Our support team is available to answer your questions
and provide consulting services.
Where can I get an evaluation copy of VMware
ACE?
You can evaluate the full working version of VMware
ACE for free, for up to 30 days.
For more information call us on +44 (0)8707
520570 or email sales@thinstore.net