Five Reasons Thin/Zero Is In
New thin/zero client workstations and data center servers running virtual instances of application software are replacing traditional desktop PCs in installations where security must rule, but that’s not the only reason thin is in.
The data breach by Edward Snowden and network penetration by various nation-state-sponsored hackers highlight the need for security in the military computing space. President Obama’s budget proposal for 2017 includes $19B for cyber security, an increase of $5B over 2016. The White House is proposing $5.5B in cyber spending for the military for each year from 2016 through 2020.
Driving the military conversion to secure thin and zero client computing, the U.S. Army released a 72-page document, “U.S. Army Thin/Zero Client Computing Reference Architecture, Version 1.0, 14 Mar 2013,” which promotes the conversion away from desktop and laptop computers to centralized servers and thin/zero client architectures.
Gary Blohm, Director, Architecture Integration Center, Army Chief Information Officer, named five reasons “the Army will implement a centrally managed, thin/zero client end-user computing technology that will standardize the end-user computing experience, back-end management and control.” According to Blohm, implementation will result in:
1. Improved security
2. Standardization of the end-user experience
3. Increased transparency
4. Enhanced accessibility
5. Reduced costs
Motivating the Move to Thin/Zero
Thin/zero workstation clients don’t run the application software directly, nor do they store the data itself, improving security. The applications run on the server and the data is stored in managed mass storage. Only keystrokes and screen refreshes are transmitted over the internal network.
Clients are connected to a managed internal network with central auditing, not directly to the Internet, affording protection against cyber-attacks (Figure 1). What’s more, it’s possible to block transfer of data from the data center to the client for offloading to a USB stick or other mass storage device.
Software applications are standardized on the server so that all users are on the same version, which lessens the need for IT support and makes collaboration on team projects easier. And, as Gigabit Ethernet increasingly takes hold, the thin/zero client user experience is improving. Gigabit Ethernet provides higher bandwidth, allowing faster and more responsive screen updates on the zero client.
Small Form Factor
Now, let’s examine the differences between thin clients and true zero clients.
Both zero clients and thin clients are small form factor and are typically attached to the back of the display monitor, freeing up desk space. They are also fairly simple to install, not requiring the massive task of locally loading all the application software during the initial installation. They are also very low power.
Thin clients are endpoint devices with some type of skinny, locked-down operating system such as Linux or Windows Embedded, typically stored in flash memory. They use more traditional hardware such as CPU boards and graphics cards and run such applications as browsers, e-mail clients and PDF viewers. The application is rendered at the terminal and provides for user interaction with the program running on the server. This makes it almost impossible for the client to pick up a virus or other malware. Configurable and ideally suited for multi-protocol environments, thin clients are more flexible than zero clients and offer more peripheral support.
With no operating system, zero clients rely instead on a specifically designed processor or ASIC controller that runs a specific protocol. The image is rendered on the host server and only the raw pixels and keystrokes are transmitted over the network. This reduces the bandwidth required on the network as dedicated hardware codecs on the host server compress the pixel data before sending it to the client. This offers exceptional video performance but is less flexible as it cannot support various protocols.
Zero clients also rarely require any software updates/patches and are completely immune to viruses. With the single purpose of image decompression and decoding, the PCoIP processor eliminates endpoint hard drives, graphics processors, operating systems, applications and security software. With no operating systems, no codecs and no software to maintain, zero clients offer a straightforward approach to managing endpoints.
An Example VDI Installation
The key vendors dominating the Virtual Desktop Infrastructure (VDI) space are: VMware, Inc., Oracle Corp., Microsoft and Citrix Systems.
The U.S. Army had proposed a sole-source $1.6B contract with VMware in 2015, which was retracted after protests by other VDI vendors. It can be inferred that the Army prefers VMware, given this proposed award and subsequent smaller contracts, though that is not its official position.
The point of a VDI (Figure 1) is to centralize the processing with remote zero or thin clients providing access to virtual desktops for applications running on the server. As mentioned, the advantages to this architecture are increased security, centralized data and simplified deployment.
At the core of a VDI installation is a software suite, which is the foundation for delivering virtualization-based distributed services to IT environments. The server provides a robust virtualization layer that abstracts processor, memory, storage and networking resources into multiple virtual machines that run side-by-side on the same physical server.
The virtualization suite installs directly on the server hardware, or “bare metal.” This software partitions a physical server into multiple secure and portable virtual machines that run on the same physical server. Each virtual machine represents a complete system—with processors, memory, networking, storage and BIOS—so Windows, Linux, Solaris and NetWare operating systems and software applications run in virtualized machines without any modification.
The VDI suite allows connection to the centralized server(s) via a variety of methods including PCoIP and proprietary protocols. The remote client can be a dedicated zero or thin client or a desktop or laptop computer running a client application. Connection can be via a dedicated PCoIP link, network connection or the Internet.
For the purposes of this article, examining a military installation where security is foremost, the preferred interface is via a hard-wired Ethernet connection with PCoIP. This precludes WiFi and the Internet.
The user interface to the server applications is a thin or zero client connected through Ethernet to the server, displaying the virtualized desktop. An available solution is a Teradici-powered PCoIP host card providing PCoIP to zero client end-point terminals. This configuration provides high-bandwidth, low-latency display of the VDI application pixels on the end-point terminal without requiring any software to run on the end-point. An important feature of a VDI installation is that the bit stream is encrypted with AES-level security in both directions: for display data to the thin and zero clients and for keystroke/mouse inputs back to the server.
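As an added illustration of the two-way encrypted bit stream just described (example code written for this edit, not code from Chassis Plans, Teradici or the PCoIP protocol itself), the Go program below models the channel with AES-256-GCM: one key per direction, a sequence number that serves as nonce and replay guard, and the message type bound as associated data so a captured pixel frame or input message cannot be re-labelled or re-injected. The Endpoint, Send and Receive names, the "pixels"/"input" labels and the seq-prefixed framing are assumptions made for the model; PCoIP's real framing and key establishment are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("replayed or out-of-order message")

// Endpoint is one side of the modelled channel, a simplified stand-in for the
// PCoIP stream (an assumption, not the real protocol). One AES-256-GCM key and
// counter per direction, so a pixel frame is never accepted as keyboard input.
type Endpoint struct {
	tx     cipher.AEAD // seals what this side sends
	rx     cipher.AEAD // opens what this side receives
	txSeq  uint64      // next sequence number to send; doubles as the nonce
	rxNext uint64      // lowest sequence number still acceptable on receive
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewEndpoint builds one side from its send key and its receive key.
func NewEndpoint(txKey, rxKey []byte) (*Endpoint, error) {
	tx, err := newAEAD(txKey)
	if err != nil {
		return nil, err
	}
	rx, err := newAEAD(rxKey)
	if err != nil {
		return nil, err
	}
	return &Endpoint{tx: tx, rx: rx}, nil
}

// nonce: sequence number in the low 8 bytes of the 12-byte GCM nonce (safe because each key has one sender).
func nonce(aead cipher.AEAD, seq uint64) []byte {
	n := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], seq)
	return n
}

// Send returns seq || AES-GCM(payload) with the label bound as associated data.
func (e *Endpoint) Send(label string, payload []byte) []byte {
	seq := e.txSeq
	e.txSeq++
	msg := make([]byte, 8, 8+len(payload)+e.tx.Overhead())
	binary.BigEndian.PutUint64(msg, seq)
	return e.tx.Seal(msg, nonce(e.tx, seq), payload, []byte(label))
}

// Receive checks the tag and refuses sequence numbers below the next expected one.
func (e *Endpoint) Receive(label string, msg []byte) ([]byte, error) {
	if len(msg) < 8+e.rx.Overhead() {
		return nil, errors.New("message too short")
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq < e.rxNext {
		return nil, ErrReplay
	}
	plain, err := e.rx.Open(nil, nonce(e.rx, seq), msg[8:], []byte(label))
	if err != nil {
		return nil, err // wrong key, wrong label or modified bytes
	}
	e.rxNext = seq + 1 // lost frames are tolerated; rewinding is not
	return plain, nil
}

// randomKey stands in for session key establishment, which is out of scope.
func randomKey(n int) []byte {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	h2c, c2h := randomKey(32), randomKey(32) // one key per direction
	host, errH := NewEndpoint(h2c, c2h)
	client, errC := NewEndpoint(c2h, h2c)
	if errH != nil || errC != nil {
		panic("endpoint setup failed")
	}
	px, errPx := client.Receive("pixels", host.Send("pixels", []byte("constructed pixel block")))
	keys := client.Send("input", []byte("keydown:ENTER"))
	in, errIn := host.Receive("input", keys)
	_, errReplay := host.Receive("input", keys) // same keystroke replayed: refused
	fmt.Printf("pixels=%d bytes (%v); input=%q (%v); replay: %v\n", len(px), errPx, in, errIn, errReplay)
}
```

Running it shows a pixel frame decoded on the client side, a keystroke accepted on the host side, and the same keystroke refused when presented again. The point for a defender is that "AES" on its own says nothing about integrity or replay; the GCM tag and the per-direction counter are what stop a captured input message from being altered or re-injected later.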
While zero client implementations for office and non-rugged installations typically consist of a small zero client box attached to the rear of an office-grade monitor, military installations demand more robust solutions. Military thin/zero client implementations must be capable of operating in harsh environments for which office-grade systems would not be appropriate. An example of a military-centric system would be one that offers an integrated 15.6-inch LCD and Power over Ethernet (PoE) for tethered single-cable connection.
One such system is the Chassis Plans’ CPZ-156T Rugged Zero Client (Figure 2). Utilizing the industry standard PCoIP Protocol (Teradici Chipset), Chassis Plans’ Zero Clients are designed to be compliant with currently available Desktop Zero Clients but in a rugged form factor for deployment abroad.
Adopting a security-first approach, the Chassis Plans’ CPZ-156T is powered through the IEEE 802.3at PoE connection. This means that disconnecting a single push-pull connector is all that is required to remove all display information from the Ruggedized Client. As in all true zero client architectures, no information is ever stored on the client; it only displays an encrypted rendering of the actual Virtualized Desktop Infrastructure (VDI) on the server.
Because no information is stored on zero clients and there are no vectors for malware or system intrusion, system security is significantly improved versus the use of desktop or laptop computers. Unplug a zero client and all displayed data is deleted. The USB ports can only be used for interface devices such as mice and keyboards, not USB storage media such as thumb drives. There is no local non-volatile memory or disk storage, so there is no security risk associated with losing a zero client.
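The USB-port restriction in the paragraph above can be modelled as a device-class policy. The Go program below is an added example (not code from Chassis Plans or the Teradici chipset): it admits a device only when every interface it exposes is HID (bInterfaceClass 0x03, the class keyboards and mice use) and refuses mass storage (0x08) and everything else, judging a composite device as a whole, then emits an audit line of the kind the central auditing mentioned earlier would collect. The device list, the VID/PID values and the audit-line field names are constructed for the example.

```go
package main

import "fmt"

// USB-IF interface class codes (bInterfaceClass) used by this policy; the rest
// of the class table is not needed here.
const (
	ClassHID         uint8 = 0x03
	ClassMassStorage uint8 = 0x08
	ClassHub         uint8 = 0x09
)

// Interface is one function a device exposes; composite devices expose several.
type Interface struct {
	Class, SubClass, Protocol uint8
}

// Device is a constructed, simplified view of what the USB descriptors report.
type Device struct {
	Name       string
	VendorID   uint16
	ProductID  uint16
	Interfaces []Interface
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Evaluate admits a device only if every interface it exposes is HID. The whole
// device is judged, not each interface alone: a composite device that offers a
// keyboard next to a mass-storage interface is refused outright, so the keyboard
// part cannot get the storage part admitted alongside it.
func Evaluate(d Device) Decision {
	if len(d.Interfaces) == 0 {
		return Decision{false, "no interfaces declared"}
	}
	for i, ifc := range d.Interfaces {
		switch ifc.Class {
		case ClassHID:
			continue
		case ClassMassStorage:
			return Decision{false, fmt.Sprintf("interface %d is mass storage", i)}
		default:
			return Decision{false, fmt.Sprintf("interface %d class 0x%02X is not HID", i, ifc.Class)}
		}
	}
	return Decision{true, "HID interfaces only"}
}

// AuditLine renders the decision as one key=value line for the central audit
// trail; the field names are an assumption, not any product's log format.
func AuditLine(d Device, dec Decision) string {
	action := "deny"
	if dec.Allowed {
		action = "allow"
	}
	return fmt.Sprintf("usb-policy device=%q vid=%04x pid=%04x ifaces=%d action=%s reason=%q",
		d.Name, d.VendorID, d.ProductID, len(d.Interfaces), action, dec.Reason)
}

func main() {
	// Constructed sample devices; the VID/PID values are placeholders, not real ones.
	devices := []Device{
		{"keyboard", 0x1111, 0x0001, []Interface{{ClassHID, 0x01, 0x01}}},
		{"mouse", 0x1111, 0x0002, []Interface{{ClassHID, 0x01, 0x02}}},
		{"thumb drive", 0x2222, 0x0001, []Interface{{ClassMassStorage, 0x06, 0x50}}},
		{"keyboard with storage", 0x3333, 0x0001, []Interface{{ClassHID, 0x01, 0x01}, {ClassMassStorage, 0x06, 0x50}}},
		{"hub", 0x4444, 0x0001, []Interface{{ClassHub, 0x00, 0x00}}},
	}
	for _, d := range devices {
		fmt.Println(AuditLine(d, Evaluate(d)))
	}
}
```

Two design choices are worth noting. A class filter governs what the port will enumerate, not what is typed on an admitted keyboard-class device, which is why keystroke auditing stays on the server side rather than at the port. And the hub is refused along with the thumb drive: that is stricter than an office deployment might choose, but it matches the "interface devices such as mice and keyboards" statement above, since a hub is precisely a way to attach something else.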
Use of Power over Ethernet has the advantage of simplified cabling by removing the necessity of providing access to AC mains power with associated power cords, transformers, power strips, etc.
David Lippincott is Chief Technology Officer, Chassis Plans. He founded Chassis Plans to provide custom industrial and military computer designs allowing customers to have these computers manufactured locally. The company morphed from an engineering design firm to a full-service manufacturer designing and manufacturing highly regarded rugged computer and LCD display systems for all branches of the military as well as all the prime contractors and leading industrial companies. Chassis Plans is the vendor of record in many high-profile programs within the military as well as transportation infrastructure. For example, Chassis Plans is providing the rugged computers for the persistent surveillance aerostats for the upcoming Olympics to be held in Rio de Janeiro, Brazil.
 Executive Summary, 14 Mar 2013, U.S. Army Thin/Zero Client Computing Reference Architecture, v1.0