Out with the Desktop PC, In with the Thin Client: Let’s Start the Conversation

Tuesday, July 30, 2013

Allan Pratt, MBA


Back in the early days of computing, desktop PCs were the only way for employees to get work done. With those desktop PCs came ports, floppy drives, and eventually CD/DVD drives. As USB became the standard and desktop PCs started having USB ports in the front along with the CD/DVD drive, it became easier to insert viruses and other types of malware into the PC and behind the firewall.

Whether by accident or on purpose, the PC is now becoming an attack vector. Employees can bring USB drives from home – that are infected without their knowledge – and infect their office machines as well as the network. Malicious individuals can do the same.

Another problem with PCs is that they have to be maintained. The more PCs in your office, the more man-hours it takes to maintain them, including patch management and hardware replacement. Depending on the type of machines, you may have to keep spare parts handy, which translates into purchasing inventory that you are not currently using or may never use.

Let’s not forget how easily documents can be stolen. An employee with the necessary clearance can move confidential documents from the desktop or network onto an easily hidden USB thumb drive. This is exactly what an infamous NSA analyst did earlier this year.

These days, for all of these reasons, thin clients make much more sense. According to Wikipedia, a thin client is “a computer that depends on its server to fulfill its computational roles. This is different from the traditional fat client (desktop PC), which is a computer designed to take on these roles by itself. Thin clients occur as components of a broader computer infrastructure, where many clients share their computations with the same server. Thin-client computing is also a way of easily maintaining computational services at a reduced total cost of ownership. The most common type of modern thin client is a low-end computer terminal which only provides a graphical user interface to the end user. The remaining functionality, in particular the operating system, is provided by the server.”

It’s important to reiterate for all cost-conscious IT department budgets that thin clients cost less than the average desktop PC. Also, patch management for each PC is no longer an issue, and hardware replacement happens rarely. There is no hard drive, so it cannot crash and lose all of the data that was residing on it. Thin clients have very little in the way of internal hardware, so malfunctions are practically unheard of. (Yes, they still malfunction, but anything electronic can break.)

Since thin clients have no hard drive, software is updated at the server. This means that IT employees no longer need to schedule time to visit each and every computer in the company to perform updates. Another benefit of thin clients is that you can easily run multiple operating systems within a virtual network.

However, probably the best reason for changing over to a thin client environment is SECURITY. Although thin clients have USB ports, the administrator can restrict their use so that booting, uploading, and downloading are not allowed. Because thin clients run using a virtual machine (VM), they are “sandboxed,” which means that they cannot infect the rest of the network. And by using a Virtual Local Area Network (VLAN), there is added protection if you group different sets of employees into the same network, such as accounting, engineering, marketing, etc.

Since attacks that come through your regular network can still attack your virtual network, the requirements for securing virtual machines are the same as those for physical machines. To mitigate attacks, apply any security updates that your VM software provider releases. Use separate physical network adapters to separate your VM network from your physical network, use a firewall on both your VM and physical networks, and be sure to use virus/malware protection on the server holding your VM network.

Thin clients need a server to work, since the thin client relies on the server for everything. Since servers are much faster and more capable these days, they can handle many VMs at once. There are several different vendors that make VM software. For some vendors, each user must have a license. For other vendors, the software is available for free. I suggest experimenting with a few thin clients and software vendors before making long-term commitments.

Using a thin client is not an end-all for securing your network against a breach, but at least you will be removing one potential attack vector from your network. What do you think?

About the Author: Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA Degree and four CompTIA certs in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understandable by all business units. Expertise includes installation and maintenance of all aspects of the PC and peripheral lifecycle and the planning and integration of end-to-end security solutions. Allan also teaches both the CompTIA A+ cert course and the CompTIA Security+ cert course. 

Cross-Posted from Tips4Tech

Gregory MacPherson Clueless newbie! Where have you been since 1981 (the year IBM released the PC)? PCs are *not* attack vectors - operating systems, applications, software - *those* are the attack vectors. And we have successfully attacked them - on every hardware platform - for decades. Next time you decide to write something, check your massive ego at the door. Better yet, ask someone older than you who has been around lest you exhibit yourself as yet another over credentialed yuppie!

Mike Adams Well, despite Gregory's insensitive way of putting it, some of what he says is true. I often wonder why people feel the need to be so offensive when expressing an opinion. Must be something going on there.

In any event thin clients are nothing new and do sometimes make sense. I have assisted in several thin client migrations that despite our warnings went forward and then failed miserably. If you do migrate to thin clients be absolutely positive that your network infrastructure can deal with the data load. Make sure your servers remain local and not on the other end of a substandard data pipeline.

One city government I know of forgot that rule and increased the time to type a one page letter from one minute to ten minutes. It took that long for the data to flow. They ripped it all out three weeks later. HA!
Gregory MacPherson @Mike - insensitive and offensive..."must be something going on there". Fine, I'll take that - I've been called worse :-)

What's "going on" is called twenty years in the information security community, pre and post September Eleventh. What’s going on is frustration with uneducated MBAs who start pontificating about topics without doing their homework, with the arrogant belief that they somehow have solved the world's problems just because some college bestowed a degree (for which they likely over paid) on them.

What's worse than clueless newbies is the fact that despite rogue nation states, criminal organizations, terrorists, and other readily acknowledged competent threats to the confidentiality, integrity, and availability of data, both private and public sector organizations (with a very small list of exceptions) neither adequately understand the threat nor adequately protect the data entrusted to them.

Examples are legion, and since you seem unencumbered in your ability to analyze and judge me, I suspect you will have little difficulty verifying that what I have said is true.

Besides, you agreed with me, so criticize my delivery all you like. There already is enough 'noise' in the InfoSec community. What is needed is more leadership and fewer people muddying the discussion. Instead of inciting flame wars, perhaps your time might be better spent architecting solutions?

Call me what you like, but after watching this circus for twenty years yes I do not suffer fools gladly. I've earned the right to make that choice, and I promise you that whatever I may have said pales in comparison with some of the flames that you can go read in archives.

Finally, yes, thin client does have some useful applications. To quote you, thin clients are nothing new. But viewing it as a panacea for InfoSec is foolish. Perhaps ^clueless^foolish would have offended your sensibilities less.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.