The Problem:

Among the many security issues surrounding IT, endpoint security is particularly important and crucial for meeting regulatory compliance requirements. Traditionally, endpoint security used the client/server model: every endpoint device (servers, desktops, laptops, etc.) had a client installed, and all of these clients were centrally managed by IT security. The “hefty” client monitors the device, analyzes content, and processes and acts on it based on a set of rules. This approach was not efficient, but there was no better approach to the problem. As IT moved to virtualized environments and the cloud, this problem only became bigger. Not only did this approach increase the complexity of endpoint security in virtualized and cloud environments, it also had an impact on overall performance. Some of the problems with the client/server approach to endpoint security are:

  • We have to install the client on every VM, with each client storing the engine, signatures, etc. locally. This has a significant impact on CPU and RAM usage along with additional storage requirements.
  • When updates are pushed, this approach involves simultaneous download of updates by all the VMs and simultaneous install/update on all VMs. This leads to huge spikes in both network usage and internal resource usage, and therefore to significant performance hits.
  • Virtualization already impacts the performance of the servers (but don’t despair: virtualization vendors are working hard on reducing this impact, and you can see the performance comparison of different hypervisors in this Taneja Group report). If endpoint security adds a load of (number of VMs) × (per-VM endpoint security resource usage) to this virtualized environment, the performance hit is going to be significant.
  • A certain amount of complexity is also added at the management layer due to the large number of clients on VMs.
  • Add VM sprawl and its impact to the above.

Clearly, even though the client/server approach offers reliable endpoint security, it is not an efficient way to do security in virtualized environments. There was definitely a need for a better approach. So far, the virtualization vendors had been relying on third-party providers in the ecosystem to fill the gap, and the third-party providers were waiting for the virtualization vendors to offer something better, because there is not much they can do with the client/server model.

VMware’s approach to endpoint security:

At VMworld 2010 last week, VMware announced the first step towards a more efficient endpoint security model. The VMware vShield Endpoint solution for vSphere 4.1 and View 4.5 environments offers a library and APIs for integrating partner security appliances that can introspect file activity at the hypervisor layer. Imagine taking an endpoint security appliance from a vendor, putting it into the virtualized/cloud environment, and tapping into these APIs to do all the protection without installing any agent on the virtual machines. This simple and elegant approach vastly reduces the performance impact on the virtual environment and may even offer considerable cost savings in terms of license fees, etc. Not only that, it simplifies the compliance auditing process, making clouds more palatable to enterprise customers with heavy compliance requirements.

vShield Endpoint plugs directly into vSphere and has the following three components to carry out the protection described in the paragraph above.

  • Hardened security virtual machines, provided by VMware partners like Trend Micro. This is a highly secured third-party appliance with the anti-virus/malware engines, signatures and other components needed for the protection. The most important part about separating the anti-virus/malware engine and signatures from the virtual machines is that they are not threatened even if a VM is compromised completely. This advantage is not available in the client/server approach of the traditional computing world.
  • A driver for virtual machines to offload file events. This is the thin client VMware uses to “interact” with the security appliance provided by the partners.
  • The VMware Endpoint Security (EPSEC) Loadable Kernel Module (LKM), which links the above two components with the hypervisor.

vShield Endpoint monitors the file events on virtual machines through its “thin agents” and notifies the anti-virus/malware engine via EPSEC, which scans and returns the result. The same approach also supports regularly scheduled partial and full scans of VMs. In the event of any exploit/vulnerability/attack, admins can specify the actions through the management tools integrated into vCenter/vCloud Director, and these actions will be carried out on the affected virtual machines by vShield Endpoint.
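To make the division of labour concrete, here is an added model of the three-component flow described above (thin agent in the guest, EPSEC-style relay, hardened security VM holding the engine and signatures). It is illustrative code written for this post, not VMware's or Trend Micro's implementation; the class names, the hash-set "engine" and the sample bytes are all constructed assumptions. It shows the two properties the text relies on: the guest holds no signatures (so a compromised VM cannot tamper with them), and a signature update happens once on the appliance rather than once per VM.

```python
"""Constructed model of agentless file-scan offload (not VMware's code)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class FileEvent:
    """What the thin agent offloads: which VM, which path, which bytes."""
    vm_id: str
    path: str
    content: bytes


class SecurityVM:
    """Hardened security VM: the engine and signatures live only here."""

    def __init__(self, signatures: Set[str]):
        self.signatures = set(signatures)  # constructed: a hash set stands in for a real engine
        self.scanned = 0

    def update_signatures(self, new_hashes: Set[str]) -> int:
        """One update for the whole host, instead of one download per guest."""
        self.signatures |= new_hashes
        return len(self.signatures)

    def scan(self, content: bytes) -> Verdict:
        self.scanned += 1
        return Verdict.MALICIOUS if sha256_hex(content) in self.signatures else Verdict.CLEAN


class EpsecBus:
    """Stand-in for the EPSEC kernel module: relays events out and verdicts back."""

    def __init__(self, appliance: SecurityVM):
        self.appliance = appliance
        self.log: List[Tuple[str, str, str]] = []  # audit trail: (vm, path, verdict)

    def submit(self, event: FileEvent) -> Verdict:
        verdict = self.appliance.scan(event.content)
        self.log.append((event.vm_id, event.path, verdict.value))
        return verdict


class ThinAgent:
    """Guest-side driver: holds no engine and no signatures, only a channel."""

    def __init__(self, vm_id: str, bus: EpsecBus):
        self.vm_id = vm_id
        self.bus = bus
        self.quarantined: List[str] = []

    def on_file_access(self, path: str, content: bytes) -> bool:
        """Return True if the access may proceed, False if it was blocked."""
        verdict = self.bus.submit(FileEvent(self.vm_id, path, content))
        if verdict is Verdict.MALICIOUS:
            self.quarantined.append(path)  # the admin-specified action, here: quarantine
            return False
        return True

    def scheduled_scan(self, files: Dict[str, bytes]) -> Dict[str, str]:
        """Partial or full scan: every file takes the same offload path."""
        results = {}
        for path, data in files.items():
            results[path] = "clean" if self.on_file_access(path, data) else "quarantined"
        return results


# Constructed sample data, not real malware: the "bad" bytes are just marker strings.
BAD_SAMPLE = b"constructed-bad-sample-for-demo"
GOOD_SAMPLE = b"hello world"
LATER_SAMPLE = b"constructed-sample-added-by-later-update"


def build_host(vm_ids: List[str]):
    """One appliance and one bus per host, one thin agent per guest VM."""
    appliance = SecurityVM({sha256_hex(BAD_SAMPLE)})
    bus = EpsecBus(appliance)
    agents = {vm: ThinAgent(vm, bus) for vm in vm_ids}
    return appliance, bus, agents


if __name__ == "__main__":
    appliance, bus, agents = build_host(["vm-1", "vm-2"])
    print(agents["vm-1"].on_file_access("C:/bad.exe", BAD_SAMPLE))  # False: blocked
    appliance.update_signatures({sha256_hex(LATER_SAMPLE)})          # single host-wide update
    print(agents["vm-2"].scheduled_scan({"a": GOOD_SAMPLE, "b": LATER_SAMPLE}))
```

The point of `build_host` is that scaling to more VMs adds only more `ThinAgent` objects; the signature set, and the cost of updating it, stays a single copy on the appliance.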

Conclusion:

In my opinion (keep in mind I am not a security guru but someone who only observes them and talks to them), this is a very elegant solution by VMware to tackle this problem. Not only did they make it simple and easy, they also help their customers achieve increased performance with their implementation of VMware virtualization/cloud. I am pretty sure other virtualization vendors will soon come up with similar solutions. In fact, when I spoke to Trend Micro, they told me that they will support other platforms with agent-less endpoint security once those platforms offer APIs similar to what VMware is offering. Next week, I will build upon this and talk about how Trend Micro tapped into vShield Endpoint to offer powerful malware protection without “any” impact on performance.