Magic Words of VDI Security: How "Agentless" and "Aware
1. Magic Words of VDI Security:
“Agentless” and “Aware”
David Girard, Senior Security Advisor – Trend Micro Canada
2. Virtualization Project?
Desktop Server Cloud Virtual Appliance
10/4/2010 Copyright 2009 Trend Micro Inc. 2
3. Security Built for VMware
The most comprehensive suite
of next-generation
virtualization security solutions
Desktop Server Cloud Virtual Appliance
4. Security Built for VMware
IT Operations: Consolidation rates, Operational efficiencies, Flexibility, Savings
Security: Protect data & applications
Compliance: Ensure compliance
5. Security Built for VMware
Desktop Server Cloud Virtual Appliance
6. Key Issue:
Resource Contention
High impact: employees' arrival or scheduled scans
9:00am Scan
Typical AV
Console
If several, or all, VMs start a full anti-malware scan at the same time, the underlying
shared hardware will experience extreme load (memory, CPU, I/O), causing a
slowdown of all virtual systems on the server.
Large pattern file updates require significant memory and can impact network and
storage I/O resources.
7. VDI Security option #1: OfficeScan
(First AV optimized for VDI)
Trend Micro OfficeScan
Protects virtual & physical endpoints
• VDI Intelligence with VDI plug-in
• Serializes updates and scans per VDI-host
• Leverages base-images to further shorten scan times
• Smart Scan limits endpoint pattern updates, since the pattern data is
mostly in the cloud
8. OfficeScan 10.5 has VDI-Intelligence
• Detects whether endpoints are physical or virtual
– With VMware View
• Serializes updates and scans per VDI-host
– Controls the number of concurrent scans and updates per VDI host
– Maintains availability and performance of the VDI host
– Faster than concurrent approach
• Leverages Base-Images to further shorten scan times
– Pre-scans and white-lists VDI base-images
– Prevents duplicate scanning of unchanged files on a VDI host
– Further reduces impact on the VDI host
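An illustrative sketch of the two mechanisms listed on this slide (a per-host cap on concurrent scans, and skipping files unchanged from a pre-scanned base image). It is an added example, not OfficeScan code or Trend Micro's implementation; the host and VM names, file contents and the cap of 2 scans per host are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample data (assumptions, not from the slides).
BASE_IMAGE = {
    "C:/Windows/System32/kernel32.dll": b"base-kernel32",
    "C:/Windows/notepad.exe": b"base-notepad",
    "C:/Program Files/App/app.exe": b"base-app",
}
VM_FILES = dict(BASE_IMAGE)
VM_FILES["C:/Program Files/App/app.exe"] = b"changed-in-clone"
VM_FILES["C:/Users/alice/Downloads/tool.exe"] = b"new-user-file"
VM_TO_HOST = {"vdi-a1": "esx-a", "vdi-a2": "esx-a", "vdi-a3": "esx-a",
              "vdi-a4": "esx-a", "vdi-a5": "esx-a",
              "vdi-b1": "esx-b", "vdi-b2": "esx-b", "vdi-b3": "esx-b"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_whitelist(base_image_files):
    """Pre-scan the base image once: path -> hash of the content that was scanned."""
    return {path: sha256(content) for path, content in base_image_files.items()}

def files_to_scan(vm_files, whitelist):
    """Skip files identical to the pre-scanned base image; keep new or changed ones."""
    return [path for path, content in vm_files.items()
            if whitelist.get(path) != sha256(content)]

def serialize_scans(vm_to_host, max_per_host):
    """Split VMs into waves so each host runs at most max_per_host scans at once."""
    per_host = defaultdict(list)
    for vm, host in sorted(vm_to_host.items()):
        per_host[host].append(vm)
    waves = []
    for vms in per_host.values():
        for start in range(0, len(vms), max_per_host):
            index = start // max_per_host
            if index == len(waves):
                waves.append([])
            waves[index].extend(vms[start:start + max_per_host])
    return waves

def peak_per_host(waves, vm_to_host):
    """Highest number of simultaneous scans any single host sees in any wave."""
    return max(max(Counter(vm_to_host[vm] for vm in wave).values()) for wave in waves)

if __name__ == "__main__":
    print(files_to_scan(VM_FILES, build_whitelist(BASE_IMAGE)))
    for n, wave in enumerate(serialize_scans(VM_TO_HOST, 2)):
        print("wave", n, wave)
```

Because the whitelist is keyed on path and content hash together, a file that was changed inside a clone at a white-listed path is scanned again rather than skipped.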
10. CPU
11. CPU - Analysis
• Only 10.5 can support 20+ desktop images with mixed user profile.
• With no AV, average CPU utilization while the 4 heavy and 16 light user
scripts are running is 33%
• With 10.5, with ALL 4 heavy and 16 light user machines scanning,
CPU utilization is 41%. Very impressive.
• With the powerful machines typically used in VDI environments, CPUs
typically are not the breaking point.
• With 20 desktop images, 10.5 adds marginal load to the CPU, whereas
other solutions cannot even support the baseline number of
desktop images
• With 10 desktop images, 10.5 adds only 11% CPU overhead
compared to baseline (no AV and no scanning), versus Symantec,
which adds 29% CPU overhead, 10.1, which adds 50% CPU
overhead, and McAfee, the worst, which adds 83% CPU
overhead
13. IOPS - Analysis
• Only 10.5 can support 20+ desktop images with mixed
user profile.
• With 10 desktop images, 10.5 has 4.25 IOPS, 10.1 has
10.95 IOPS, Symantec has 9.02 IOPS and McAfee has
a whopping 22.39 IOPS
• Trend Micro OfficeScan 10.5 IOPS has a small deviation of
only 0.77 MB/s and 3.66 MB/s from baseline and mixed
20 user profile
• Let's recap why 10.5 is so much better with IOPS:
– 10.5 serializes updates and scans per VDI-host
– Pre-scans and white-lists VDI base-images
– Prevents duplicate scanning of unchanged files on a VDI host
14. IOPS – How many Systems?
• A VDI environment sized for 20
desktop images with 4 heavy
and 16 light users.
• Keep IOPS between 6-8 and
see how many desktop images
can be supported with each AV
deployment (Apples to Apples
comparison)
• All about return on investment
• If you deploy McAfee, you can deploy ONLY 2 desktop images in an
environment which supports 20 images without AV
• If you deploy Symantec, you can deploy ONLY 4 desktop images in an
environment which supports 20 images without AV
• If you deploy Trend 10.5, you can deploy ALL 20 desktop images
Customers no longer have to choose
between Security and Return On Investment
16. Memory - Analysis
• Only 10.5 can support 20+ desktop images with mixed
user profile.
• Automatic Pool of 20 desktop images without AV in
Mixed user Profile is consuming around 7.74 GB of
Active Memory
• Trend Micro OfficeScan 10.5 adds an overhead of
only 1.32 GB in a maximum VDI density environment.
17. Scan Time with 10.5
VDI Profile | Other AV Solution | Trend Micro 10.5
Mixed Maximum High Density VDI Pool (4H & 16L) | Approx. 1-2 hours | 16 minutes
Mixed Low Density VDI Pool (1H & 3L) | Approx. 27-49 minutes | 2 minutes
18. Scan Time - Analysis
• Trend Micro OfficeScan 10.5 performs approx. 15-25
times better in the Mixed Low Density VDI pool and 4-8
times better in the Mixed Maximum High Density VDI pool.
• Trend Micro OfficeScan 10.5, with its Smart Scan and VDI-aware
capability, consumes remarkably less scan time
than other AV solutions.
19. VDI Security option #2:
Deep Security
Trend Micro Deep Security
Protects virtualized endpoints & servers
• First agent-less anti-malware solution
• Hypervisor-based introspection
• Eliminates “AV storms”
20. Security Built for VMware
Desktop Server Cloud Virtual Appliance
21. Key Issue:
Resource Contention
9:00am Scan
Typical AV
Console
22. Key Issue:
Instant On Gaps
Active | Dormant | Active, with out-of-date security
23. Key Issue:
Mixed Trust Level VMs
ERP Email Web Test CRM
24. Trend Micro Deep Security
IDS / IPS | Anti-Virus | Firewall | Integrity Monitoring | Log Inspection
Physical Virtual Cloud Desktop/Laptop
Core Protection for Virtual Machines (CPVM) delivers agentless AV for ESX 3.5 and 4.0.
Deep Security 7.5 will go deeper with vShield on ESX or ESXi 4.1.
31. Security Built for VMware
Desktop Server Cloud Virtual Appliance
32. Virtual Appliances
Virtual Appliance
Application
Operating
System
Hypervisor Hypervisor
Hardware Hardware
33. Virtual Appliance Benefits
Virtual Appliance
Costs
IT Flexibility
Improve Business Continuity
70%
Per-User Cost of Virtual Appliance
A solution that scales over time. You don't need to buy a bigger physical
appliance; just add more resources. You don't need to buy an extra box
for a pre-production environment; just fire up a new VM or install on any
box that can run CentOS or Red Hat.
34. Trend Micro
Security Virtual Appliances
Virtual Appliance
Web Security
Email Security
Other Trend Micro products are offered as virtual appliances:
- Data Loss Prevention Server
- Threat Discovery Virtual Appliance (part of Threat Management Services (TMS))
35. Security Built for VMware
Desktop: Deep Security OR OfficeScan
Server: Deep Security
Cloud: Deep Security AND SecureCloud (encryption of the virtual file system)
Virtual Appliance*: InterScan Web Security, InterScan Messaging Security
*VMware Certified Appliances
36. Security Built for VMware
37. Trend Micro
Global leader in Internet content security and threat management.
Catalyst for faster adoption of virtualization.
Our Vision:
A world safe for exchanging digital information
Founded: United States in 1988
Headquarters: Tokyo, Japan
Offices: 23 countries
Employees: 4,350
Leadership:
• US $1 Billion annual revenue
• 3rd largest security company
• “Global 100 Most Sustainable Corporations”
• Top 3 in Messaging, Web and Endpoint security
• Leader in virtualization & cloud computing security
1,000+ Threat Research Experts
10 labs. 24x7 ops
Real-time alerts for new threats
38. Questions?
Thank you, merci
New threats information: http://blog.trendmicro.com/
User group: Groupe d’utilisateurs Trend Micro du Québec, http://www.linkedin.com/groups?gid=2296257
For more information:
Technical: david_girard@trendmicro.com, 514-629-1680
Sales: Michel_bouasria@trendmicro.com, 514-653-2257
Sales: Jean_houle@trendmicro.com, 514 893-1512