AF Center Takes an Unusual Approach to Client Virtualization

The Air Force Security Forces Center took a novel step toward improving its security posture a decade ago when it moved its client computers out of users’ workspaces and into a data center. Now, the Security Forces Center is taking another big step, moving to a virtual desktop infrastructure, which is expected to save money and improve IT efficiency.

“Ten years since this started, I still have people in the communications community within Air Force come in and say that what we did before was virtualization,” says Richard Johnsen, the center’s senior network engineer. “It wasn’t. It was still one PC per person. But now, through desktop virtualization, we can take what we did before and reduce our desktop footprint.”

The Security Forces Center, located at Lackland Air Force Base, Texas, moved to blade PCs after the Sept. 11 attacks. In 2002, as Johnsen describes it, the United States had just entered Iraq, concerns about the nation’s security were high, and Lackland was working increasingly with classified information. As a result, the center’s commander wanted classified systems on the desks of all 200 of the center’s action officers. At the time, only six desktops in the center were capable of running classified applications.

Among the missions of the Security Forces Center — the Air Force’s military police — is to use modeling and simulation software to identify force-protection needs and solutions. When it started handling classified information more frequently, Johnsen says, conventional wisdom suggested the officers needed traditional computers with secure hard drives, which they’d keep in a safe and use only when they required classified access. “So we could have bought 194 more desktops and 194 hard drives, but that option wasn’t very attractive,” Johnsen says. “We could try thin clients, but our system administrators were all MCSEs — Microsoft people — and for thin clients, we would have needed some Unix or Linux people. That would have driven up the cost.”

Johnsen opted for ClearCube blade PCs, which typically reside in a data center and provide desktop access to a client located elsewhere. The center provided two for each user — one classified and one unclassified, with a secure Avocent KVM switch for moving between desktop environments. To transmit classified information from the blades in the data center to the displays on users’ desktops, the Air Force required fiber-optic connections. In 2002, ClearCube had copper-based solutions. “But they said, ‘If you work with us, we’ll make you a fiber solution,’ ” Johnsen says.

In the end, the Security Forces ­Center purchased about 400 ClearCube PCs and deployed them throughout the base, enabling classified access where necessary, at the same time reducing system downtime and desktop administration by as much as two-thirds. “We were able to go from 11 administrators to six,” Johnsen says.

Virtualizing the Blades

Fast-forward to 2012. If the blade PC migration was prompted by the Security Forces Center’s mission, the current phase is driven by IT efficiency. Starting with the classified blades, Johnsen and his staff are using VMware software to virtualize the center’s desktop environment. “On the IT side, our manpower resources are being stretched,” he says. “It was time for a tech refresh, and it was time for a more efficient way to use our manpower. I’ve got other uses for system administrators than having them manage users’ desktop computers.”

The first virtualized desktops are just rolling out at Lackland. Johnsen says he bought 64 new ClearCubes to replace the 200 from 2002 that were serving classified applications. After the classified deployment, he’ll turn his attention to the 200 unclassified blades.

Virtualizing blade PCs may not be the norm, but it fits a deployment model that analysts say agencies should keep in mind when they think about desktop virtualization — namely, that it’s more of a data center solution than a desktop solution. Virtual desktop infrastructures (VDI) require the right storage and networking before agencies can think of pushing desktops out to clients, especially to mobile devices such as tablets or smartphones. “With VDI, we recommend clients build out from back to front,” says Laura Hansen-Kohls, senior research analyst at Info-Tech Research Group. “The access device is the last thing you want to focus on.”

At Lackland, the goal is to run up to three virtualized desktops per ClearCube blade, says system administrator Keith Allen. Each blade has one fiber-optic connection, but the virtualization software assigns multiple IP addresses to the network interface card. “They say they can support four desktops per blade, but we’re going to start slowly, with two at a time, and see how they perform,” Allen says. “Then we’ll try to get up to three.”

Classified users at the Security Forces Center tend to use graphically intense applications, Allen says, which could limit the number of virtualized desktops each blade can deliver, depending on the amount of memory the blades hold. But what works to users’ advantage, according to Allen, is that they aren’t all working at the same time and therefore don’t need to access the resource-intensive analytical software simultaneously. In instances where multiple users need to run the same analytical software at the same time, “I’d probably let our users know who was on which blade — a little cooperation among the teams,” Allen says.

Such challenges prompt the question: Why virtualize the classified desktops first? Best practices suggest virtualizing common applications before turning IT’s attention to custom, proprietary programs. At Lackland, the unclassified computers run Microsoft productivity applications and other software. Yet it’s the secret systems they’re tackling first.

“It was actually a smaller job for us,” Johnsen explains. “We have more power users on the unclassified side. So we’ll get the classified side up and running first and measure the effectiveness and see, day-to-day, if our users see any degradation due to the virtualization. We need to look and see if there’s any overhead because of our security constraints. If we notice that there isn’t any degradation, deploying virtual desktops on the unclassified side will be a piece of cake. I’d rather take on the hard stuff first.”

So far, the Security Forces Center hasn’t noticed any performance or latency problems. The most significant issue that it’s run into has been with video drivers that were unable to deliver content to the displays. But IT quickly figured that out. “We lock things down so tightly that sometimes nothing works,” Johnsen says. “Then we find it’s a driver here or a security setting there. But we have no complaints at all about the technology.”

When he first started transforming the center’s desktop infrastructure, Johnsen says it was a hard sell. “I had to give tours and explain that what we were doing at the time really wasn’t virtualization.” Now, at least on the server side, virtualization is more accepted, and he’s been able to secure the budget he needs to phase in desktop virtualization throughout his environment.

“On the IT side, my bosses count on me to make the best decisions,” Johnsen says. “And I believe this is the way we can most efficiently manage the desktop infrastructure we require.”