Solutions blueprint at a glance - Amulet Hotkey


Post on 27-May-2020


ACHIEVE EXCEPTIONAL CLIENT END-POINT SECURITY using Amulet Hotkey's PCoIP zero clients for security, access and performance without compromising your desktop or workstation user experience.

THE CHALLENGE

To deliver essential desktop services related to mission critical or sensitive mandates for government, defense and intelligence organizations that must maximize end-point protection. This has been traditionally achieved with layers of software running on standard desktop, laptop or thin client systems using X86-based processors, creating a number of problems for security, integrity, reliability and maintenance that can put operational readiness at risk.

Intelligence data access, real-time analysis, multi-level security, and privacy are critical to meet the constant demands of government leaders. However, PCs or laptops with configuration and application data stored locally on end-points are vulnerable to theft and corruption. Also, desktop operating systems require constant patching and maintenance to attempt to keep them secure.

Part of the solution is to move the applications and data to a central and secure location and provide users remote access to the desktop or workstation. However, if the client access device is another general purpose X86-based processor, it actually increases the potential attack surface and adds to the cost and complexity by the need to secure both the centralized desktop as well as the client endpoint.

These software solutions are more invasive to the computer operating system build process, which IT must modify to be able to use the software in a security sensitive environment; this is time consuming and complicates upgrades. Also, software based remoting solutions do not offer real-time performance since they take longer to compress application and visualization graphics.

AT A GLANCE

Situation

● Mandate to deliver essential desktop services securely for Government, defense, intelligence as well as business critical environments.

● Require flexibility, mobility and reliability while maximizing end-point security.

Challenge

● Eliminate client attack surfaces such as operating system, memory, graphics and storage.

● Support any desktop experience from basic office users to extreme 3D graphics.

● Support local users as well as long-distance remote locations.

Solution

● Amulet Hotkey PCoIP Zero clients with extensive security features and design for mission/business critical environments.

● Connect securely to remote physical or virtual workstations, virtual desktops such as VMware Horizon or managed cloud desktops such as Amazon Web Services Workspaces.

High Security Environments

Solutions blueprint

End-point clients based on software security increase attack surface and reduce benefit of virtual desktops/workstations


Ultra-Secure Virtual Desktop and Remote Workstation with Zero Client Endpoints

Amulet Hotkey design and manufacture ultra-secure PCoIP Zero Clients that have been certified by the UK government and NATO to deliver exceptional information assurance security without compromising desktop or workstation performance.

Centralizing desktops and workstations within a secure datacenter is an important step to increase security, whether using virtual desktops, managed cloud desktops, physical or virtual workstations. A critical next step is to deploy secure PCoIP Zero Clients to avoid the security and manageability challenges of an X86-based client with a Windows or Linux client OS. This helps to significantly reduce the potential attack surface while providing an extensive set of security features.

Remove user data from the end-point device

When using PCoIP Zero Clients, centralized virtual or physical desktops and workstations send only display pixels to the client endpoint, which avoids having applications and user data residing on the end-point device. Applications and sensitive data remain within the secure data center, allowing PCoIP zero clients to operate with no local storage.

Amulet Hotkey Zero Client Security Benefits for Enterprise and Government Organizations

Amulet Hotkey designs and manufactures PCoIP zero clients from the ground up to ensure a robust design and maintain control over quality, reliability and EMI. This includes models where the zero clients and manufacturing have been certified by the UK CESG which is the Cyber Security arm of GCHQ and MI5. These models are listed on the NATO Catalog for use in classified and non-classified environments.

All zero client models are fully TAA compliant.

Zero clients security-by-design

PCoIP zero clients are purpose built clients using Teradici PCoIP processors that decode PCoIP protocol in hardware. As such the zero clients do not have local storage and no sensitive application data is ever processed or stored on the client. Amulet Hotkey zero clients provide an extensive set of security features. PCoIP zero client design eliminates components and functions found in other client devices to eliminate or avoid security risks.

Key zero client features:

● Simple, secure and easy to manage

● Support for desktop or workstation user experience including demanding 3D graphics

● Exceptional performance including real-time video and demanding 3D graphics.

● Support for dual, quad and octal display configurations.

PCoIP zero client architecture benefits:

● No Windows or Linux Application OS

● No local application execution

● No local application data storage so no sensitive data ever reaches the client.

● No hard disk drive

● No X86-processor

● No GPU, eliminating client display rendering, DirectX, and ActiveX type of exploit risks.

● No fan for silent operation and improved reliability

Amulet Hotkey PCoIP zero clients are fully compatible with VMware Horizon View

Amulet Hotkey Zero Clients bring certified Secure Client Endpoints to Government, Defense and Intelligence organizations and to the security conscious enterprise

Quad & Octal display with dual network connections (copper or fiber)

Dual display with copper or fiber network connections

Rack mounted, high-density for display walls and up to 48 high-resolution displays

Dual display with copper or fiber network connections & integrated Smartcard reader


Amulet Hotkey: The only Zero Clients certified as secure by UK CESG and NATO

User Authentication

PCoIP zero clients support a number of pre-session and post-session user authentication methods. Some options have dependencies on the connection broker and/or middleware.

● Smart card reader, including models with an integrated Smart Card reader

● Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards

● SIPR hardware tokens

● SafeNet eToken models

● RSA SecurID

● Proximity Cards

Encryption

PCoIP zero clients support a variety of encryption types.

Session negotiation security:

● TLS 1.0 with RSA keys and AES128-CBC-SHA or AES-256-CBC-SHA

● TLS 1.1 with AES128-CBC-SHA or AES-256-CBC-SHA

● TLS 1.2 with AES128-CBC-SHA or AES-256-CBC-SHA

● NSA Suite B ciphers

Session security:

● PCoIP zero clients encrypt both media stream traffic (display pixel data, USB data and audio data) and management channel traffic

● Suite-B compliant 192-bit elliptic curve encryption

● AES-256-GCM

● AES-128-GCM

● Salsa20-256-Round12 (legacy with Tera1-based zero clients)

Network

● Zero client models with built-in RJ45 connector or models with SFP slot that support copper or fiber network connections

● Models with dual network ports for redundancy

● PCoIP Zero Clients support 802.1x network device authentication

● IEEE 802.1x network authentication using EAP-TLS certificates

● SCEP Certificate management

● IPv6 ready

Unique USB lockdown control

● Unique USB peripheral lockdown capability by being able to block USB plug-events in hardware

● Flexible control to blacklist or whitelist USB by device class or specific device IDs

Management and Administrative

● Client On-screen-display menu lockdown options

● Empty SSL certificate trust store by default. IT can populate trust store with authorized SSL root certificates

● Zero client reset-to-default control

● Zero client management interface password protection and enable/disable control

● Build-to-lossless imaging to ensure users or operators are not analyzing display protocol compression artifacts

● Optional on-screen message when network connection is lost to alert user or operator that the display information may not be current

● Ability to disable device event logging.

Physical

● Manufactured by Amulet Hotkey within the UK and all components and materials are sourced ethically from conflict free zones

● TAA compliant

● TEMPEST models are available

● Rugged metal enclosure with advanced EMI-suppression design

● No moving parts such as HDD or fan which eliminates noise sources and improves reliability

● Locking power cord to prevent accidental removal

● Ability to disable zero client buttons for when endpoint is located in a cable tray to prevent accidental operation

● Low power and passively cooled

● No noise or vibration

● Tamper detection (CESG CPA and NATO certified models)

● Kensington lock slot

Key Zero Client Security features

Amulet Hotkey zero clients have many security features including:

“Since the new PCoIP zero clients have no local storage, as soon as a session is disconnected, the client is no longer classified. Employees don’t have to worry about locking doors or removing and locking up hard drives.”

- Jan-Arve Hansen, IT Architect, NEC CCIS System Support Center (SSC), North Atlantic Treaty Organization (NATO)*

* For full case study of NATO Operations in Northern Europe see https://www.teradici.com/docs/default-source/resources/case-studies/cs_nato-ssc-case-study-final.pdf


1:1 SECURE REMOTE WORKSTATION

Amulet Hotkey zero clients can connect to secure remote workstation hosts such as:

● CoreStation DXM630 blade workstation

● Any rack or tower workstation with an Amulet Hotkey remote workstation card (DXP4, DXH4) installed

Applications

1:N VIRTUAL WORKSTATION OR VIRTUAL DESKTOP

Amulet Hotkey zero clients can connect to virtual workstations or virtual desktops such as:

● VMware Horizon virtual workstations using Enterprise Graphics Virtualization with NVIDIA GRID and AMD MxGPU graphics cards

● VMware Horizon virtual desktops

CLOUD MANAGED DESKTOPS

Amulet Hotkey zero clients can connect to cloud managed desktops such as:

● VMware Horizon Air Cloud-Hosted desktops and applications

● Amazon Web Services Workspaces desktops

Advanced High-Resolution Display Walls

Amulet Hotkey’s unique rack mounted zero clients provide a high-density, reliable and secure solution for advanced display walls for first responder, government and military command and control centers.

Avoid Workstation Hard Disk Drive Lockup

Certain environments are required to remove and lock up workstation hard drives after each shift. A way to avoid this lockup procedure is to move the workstations into a secure datacenter and have users connect in remotely using an Amulet Hotkey zero client.

Browse Down

CESG and NATO certified zero client models can be used to “Browse Down”, where a user in a more trusted environment can connect and interact with systems in a less trusted environment. For example, a zero client in a secure network connecting to a virtual desktop or remote workstation at a lower classification level which may have access to the Internet.

Browse Across

CESG and NATO certified zero client models can be used to “Browse Across”, where a user can connect and interact with systems that may be at the same trust level, but where the networks are segregated. For example, a system administrator accesses a management terminal within another network, or a user in one department connects to a machine in another department, all at the same level of protective marking.

Note: network connections can be across the office, cross-town, cross-country and continent to continent.

Secure remote access to:

● Dedicated performance graphics and compute workstations

● High density graphics and compute virtual workstations

● Virtual Desktops

● Cloud Managed Desktops

● Command & Control Display Walls


Key Features and Benefits

| Feature | Security Benefit |
|---|---|
| No Windows/Linux client OS | No viruses, spyware or patches. |
| No Persistent User data | Office buildings can be reduced to a lower security level once users disconnect and leave the premises. Also, there is no local storage to lock up at night. |
| No Application Data sent over the network | No application data is sent over the network, and no applications run on the client, which avoids application-based exploits. All applications run on the remote workstation or virtual desktop with only an encrypted stream of pixel data sent to the client. |
| USB lockdown | Lock down USB to prevent the use of unauthorized peripherals. When a device is unauthorized, the zero client PCoIP processor blocks the USB plug-events in silicon to provide an additional layer of security so that the host desktop/workstation cannot see or access the USB peripheral device. Attempts to use an unauthorized USB device are flagged in the zero client device event log. Flexible control allows IT to blacklist or whitelist USB by device class or specific device IDs. For example, all USB flash devices can be blocked with the exception of an encrypted flash drive that has been approved for use. |
| PCoIP Protocol Adaptive Networking | There are many adaptive features within the PCoIP remote display protocol to allow users to connect to their workstation or desktop from long distances including cross-continent connections. The PCoIP protocol automatically adapts to the available network to maximize the user experience, whether connecting from a remote office or a remote operational theater. |
| PCoIP Protocol Advanced Imaging | The PCoIP protocol was designed to support any desktop regardless of the graphics performance of the remote workstation or desktop. The PCoIP protocol supports both software and hardware encoding options in the workstation or virtual desktop, which means that the performance is determined by the host system in a secure datacenter. Zero clients simply decode the PCoIP protocol in hardware to maximize the user experience including the most demanding users. |
| CESG CPA Certification | UK Government has certified Amulet Hotkey zero clients as secure for use at OFFICIAL level for Government and Public Sector use. The CPA Certification testing includes the design, firmware and manufacturing process compared to the CPA Security Characteristics for Remote Desktop version 1. |
| NATO IAPC Listing | The DXZC-A certified remote access zero clients are listed on the NATO Information Assurance Product Catalogue. |
| IEEE 802.1x Network Authentication | Allows zero clients to be authenticated prior to use. Also ensures that only zero clients with the appropriate security configuration (including the required 802.1x certificates) can operate on the network. |
| SFP Network Port | Supports copper or fibre network connections for deployment flexibility. Fibre option to further secure endpoints on the network. |
| IPv6 Ready | Ability to take advantage of the larger address space and IPv6 security features. |
| Empty Certificate Trust Store by Default | PCs and Internet browsers typically have the certificate trust store pre-populated with a large set of certificates, which increases the attack surface if and when certificates are compromised. An empty trust store requires that IT explicitly add the required certificates, which increases security and minimizes the attack surface. |
| Rugged metal case and advanced EMI shielded design | Reliable operation and EMI shielding to meet secure facility requirements. |


Contact Details

EMEA Sales & Support: +44 207 960 2400

US & Canada Sales & Support: +1 212 269 9300

APAC Sales & Support: +61 431 745 057

London Demo Suite

Amulet Hotkey Ltd., 32 Southwark Bridge Road, London SE1 9EU, England

More about PCoIP

PCoIP is a ground-breaking technology that compresses and encrypts computer video, USB and audio data using a host device and transmits it over a standard network connection (using AES 256 bit encryption) to a desktop receiver or zero client.

The zero client decrypts and decompresses the data stream delivering it to the desktop peripherals. The system is completely secure (CPA accredited versions available on request) and always builds video to a loss-less image making it ideal for the most demanding applications.

The zero client creates a secure interface to the computer making it virtually impossible to gain unauthorized access to the remote hardware or data it contains.

The zero client stores no data, it cannot be infected by a virus and does not have an operating system to license, maintain, or protect. In addition, all USB devices are managed in hardware at the desktop using black or white lists allowing complete desktop lock-down where appropriate.

Ordering Information

Certified Zero Clients

| | DXZC-A | DXZC-AM | DXZC-AC | DXZC-AMC | DXZ4-A | DXZC-AM |
|---|---|---|---|---|---|---|
| Displays | 2 | 2 | 2 | 2 | 4 | 4 |
| Max resolution | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 2- 25x16, 4- 19x12 | 2- 25x16, 4- 19x12 |
| PCoIP decode capability | 150 | 150 | 150 | 150 | 250 | 250 |
| USB ports | 4 | 4 | 3 | 3 | 4 | 4 |
| Integrated Smartcard reader | | | • | • | | |
| Network ports | 1 | 1 | 1 | 1 | 2 | 2 |
| Network interface | RJ45 | SFP | RJ45 | SFP | RJ45 | SFP |

Standard Dual Display Zero Clients

| | DXZC | DXZC-M | DXZC-E | DXZC-EM | DXZC-C | DXZC-MC | DXZC-EC | DXZC-EMC |
|---|---|---|---|---|---|---|---|---|
| Displays | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| Max resolution | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 | 1- 25x16, 2- 19x12 |
| PCoIP decode capability | 150 | 150 | 150 | 150 | 150 | 150 | 150 | 150 |
| USB ports | 4 | 4 | 8 | 8 | 3 | 3 | 8 | 8 |
| Integrated Smartcard reader | | | | | • | • | • | • |
| Network ports | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Network interface | RJ45 | SFP | RJ45 | SFP | RJ45 | SFP | RJ45 | SFP |

Standard Quad+ Display Zero Clients

| | DXZ4 | DXZ4-M | DXR-Z4* |
|---|---|---|---|
| Displays | 4 | 4 | 4 |
| Max resolution | 2- 25x16, 4- 19x12 | 2- 25x16, 4- 19x12 | 2- 25x16, 3- 19x12 |
| PCoIP decode capability | 250 | 250 | 250 |
| USB ports | 4 | 4 | 3 |
| Network ports | 2 | 2 | 2 |
| Network interface | RJ45 | SFP | SFP |

* Note: DXR-Z4 is a zero client card for a DXR-Z rack that holds up to 12 quad monitor zero clients in a 3U 19” rackmount chassis.

Compatible SFP Modules

| Part# | SFP Module | Reach |
|---|---|---|
| SFPF-001G-1 | 1 Gbps Fibre | Up to 500m |
| SFPF-SM1G | 1 Gbps Single Mode Fibre | Up to 10km |
| SFPF-100M | 100 Mbps Fibre | Up to 2km |
| SFPC-001G | 1 Gbps Copper | Up to 100m |
| SFPC-100M | 100 Mbps Copper | Up to 100m |

©2016 Amulet Hotkey Ltd. All rights reserved. Information in this document is subject to change. No part of this document may be reproduced through any means including (but not limited to) electronic or mechanical, without express written permission from Amulet Hotkey Ltd. Amulet Hotkey Ltd may have patents, patent applications, trademarks or copyrights or other intellectual property rights covering subject matter in this document. PC-over-IP, PCoIP and the PCoIP logo are registered trademarks of Teradici Corp. Amulet Hotkey and ‘solutions you can bank on’ are registered trademarks of Amulet Hotkey Ltd. Other product names and company names listed within this document may be trademarks of their respective owners. Amulet Hotkey products are designed and built in the UK.

Zero Clients in Secure Environments v1-US