Antivirus específicos para entornos virtualizados

Protección eficiente para entornos virtuales
Alvaro Sierra
Major Account Manager
Alvaro_sierra@trendmicro.es
Copyright 2009 Trend Micro Inc.

Trend Micro Smart Protection Network
Security Made Smarter WEB
REPUTATION

Threats

EMAIL FILE
REPUTATION REPUTATION
Threat Collection

Management

SaaS/Managed
Partners

• ISPs Cloud
• Routers
• Etc.
Endpoint
Off Network Gateway

Messaging

Copyright 2009 Trend Micro Inc. 2

DEEP SECURITY 7.5
http://www.vmware.com/solutions/partners/alliances
/trendmicro.html


Security: the #1 Cloud Challenge
Security and privacy were the foremost concerns by far, with a weighted
score higher than the next three (performance, immaturity and regulatory
compliance) combined.

Gartner (April 2010)

The Dynamic Datacenter

88% of North American enterprises 2012, 60% of virtualized servers.. less
[no] virtualization security strategy secure than… physical servers….
Forrester Research / Info Week “Addressing the Most Common Security Risks in Data Center
Virtualization Projects” Gartner, 25 January 2010

Physical Virtual Cloud

Technologies and practices for
Number one concern (87.5%)
securing physical servers won’t
about cloud services is security.
provide sufficient protections for VMs. Frank Gens, IDC, Senior VP & Chief Analyst
Neil MacDonald, Gartner, June 2009


¿En qué punto es vulnerable?

Transcurren días e Desarrolladores no
incluso meses hasta disponibles para
que los parches soluconar las
están disponibles y vulnerabilidades
se han probado/ • Ya no están en la
desplegado compañía
• “Microsoft Tuesday” • Trabajan en otros
• Oracle proyectos
• Adobe
No pueden ser
parcheados por el
elevado coste,
normativas o SLAs
Los parches ya no se despliegan • POS: puntos de venta
más • casetas de obra
• Red Hat 3 -- Oct 2010 • dispositivos
• Windows 2000 -- Jul 2010 médicos…
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009


VMs Need Specialized Protection

Same threats in virtualized servers
as physical

+ New challenges:
1. Dormant VMs 
2. Resource contention 
3. VM Sprawl 
4. Inter-VM traffic 
5. vMotion 


Server Virtualization Security
Overcoming resource contention

The old way
3:00am Scan
Typical AV
Console

Classification 6/27/2011 Copyright 2009 Trend Micro Inc. 8

Server Virtualization Security
Overcoming resource contention

A new, better way Security
Virtual
Appliance

3:00am Scan
4:00am
5:00am
6:00am

Classification 6/27/2011 Copyright 2009 Trend Micro Inc. 9

vSphere 4 - VMsafe™ APIs

CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation

Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection

Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack

Agentless Anti-Virus Overview
These are the key “building blocks” for VMware customers

Agent-less Anti-Virus for VMware
The idea
Protection for virtualized
desktops and datacenters

Trend Micro
The components VMware
Deep Security
vShield Endpoint
Anti-malware

Enables offloading of antivirus A virtual appliance that detects
processing to Trend Micro Deep and blocks malware (web threats,
Security Anti-malware – a viruses & worms, Trojans).
dedicated, security-hardened VM.

Customer
Benefits Higher Faster Better Stronger
Consolidation Performance Manageability Security

Differ-
entiator The first and only agentless anti-virus solution architected for VMware

11 Copyright 2009 Trend Micro Inc.

Arquitectura de Deep Security

12

Protection beyond Anti-Malware
Beyond providing Agentless AV, Trend Micro Deep Security provides additional protection for VMware customers

DEEP SECURITY
Agentless
1
vShield Detects and blocks malware (web threats,
Anti-Malware viruses & worms, Trojans). (PCI*)
Endpoint

Agentless
2 Detects and blocks known and zero-day
IDS / IPS attacks that target vulnerabilities (PCI*)
VMsafe
APIs Web Application Protection Shields web application vulnerabilities (PCI*)
Provides increased visibility into, or control
Application Control
over, applications accessing the network
Firewall Reduces attack surface. Prevents DoS &
detects reconnaissance scans (PCI*)

Agent-based
3
Detects malicious and unauthorized changes
Integrity Monitoring
to directories, files, registry keys. (PCI*)

Agent-based
4
Log Inspection Optimizes the identification of important
security events buried in log entries. (PCI*)

(PCI*): Helps address one or more PCI Data Security Standards and other compliance

requirements

Deep Packet Inspection

Web Application Protection
IDS/IPS – Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web
– Vulnerability rules: shield applications, until code fixes can be
known vulnerabilities from completed
unknown attacks
– Shield legacy applications that cannot be
– Exploit rules: stop known fixed
attacks – Prevent SQL injection, cross-site scripting
(XSS)
– Smart rules: Zero-day
protection from unknown Application Control
exploits against an unknown
vulnerability – Detect suspicious inbound/outbound traffic
such as allowed protocols over non-
– Microsoft Tuesday protection standard ports
is delivered in synch with – Restrict which applications are allowed
public vulnerability network access
announcements.
– Detect and block malicious software from
– On the host/server (HIPS) network access


Alrededor de 100 aplicaciones protegidas

Operating Systems Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE
Linux (10,11)
Database servers Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail,,
MailEnable Professional,
FTP servers Ipswitch, War FTP Daemon, Allied Telesis

Backup servers Computer Associates, Symantec, EMC

Storage mgt servers Symantec, Veritas

DHCP servers ISC DHCPD

Desktop applications Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer,
Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime,
RealNetworks RealPlayer
Mail clients Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client

Web browsers Internet Explorer, Mozilla Firefox

Anti-virus Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft

Other applications Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior,
Rsync, OpenSSL, Novell Client


Microsoft Active Protections Program (MAPP)

• Microsoft Active Protections Program (MAPP)
– Program for security software vendors
– Members receive security vulnerability information from the Microsoft
Security Response Center (MSRC) in advance of Microsoft’s monthly
security update
– Members use this information to deliver protection to their customers
after the Microsoft Security Bulletins have been published

• Trend Micro’s protection is delivered to customers within 2 hours of
Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack
– Systems can then be patched during the next scheduled maintenance window


Recommendation Scans

• The server being protected is analyzed to determine:
– OS, service pack and patch level
– Installed applications and version
– DPI rules are recommended to shield the unpatched vulnerabilities from attacks
– As patches, hotfixes, and updates are applied over time, the Recommendation Scan
will:
• Recommend new rules for assignment
• Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are
supported


Sample Microsoft Patch Tuesday Protection


In IT, do you know the differences???
Agent Agent Agent Agent Agent Agent

Ahora

vSphere

Futuro

19

Deep Security Virtual Appliance

Architecture of Coordinated approach

vNIC vNIC vNIC vNIC

Vmsafe API

ESX 4 vSwitch
Hypervisor


Deep Security enables higher VM densities
• SYMC/MFE consume 3x –12x more resources in sch. scans & could not handle
more than 25 desktop VMs/host
• DS supports 2-3 times no. of desktop VMs/host than traditional AV
• DS supports 40-60% more server VMs/host than traditional AV

CPU IOPS
Symantec Trend McAfee Symantec Trend McAfee

2143
307% 2053
%
%
273%

692%
81%

Symantec Trend McAfee Symantec Trend McAfee

Scheduled scan resource usage over baseline – 50 VMs per host

Agentless approach uses less ESX memory

Anti-Virus “B”

Anti-Virus “Y”
Anti-Virus “R”

# of Guest VMs
22

Agentless approach uses less bandwidth
Signature update for 10 agents

Anti-Virus “B”

Anti-Virus “Y”

Anti-Virus “R”

Agentless
Anti-Virus “T”

Time (Seconds)

23

Coordinated Approach …
Coordinated Security Approach
• Agent Disappears (removed / reverted to previous snapshot)
• Virtual Appliance auto-protects VM

Deep Security VMware
Virtual Appliance* vCenter

VMware vSphere 4

* VMware vSphere 4
VMsafe API based solution

Deep Security 7.5: Funcionalidades Clave
• Escaneo en tiempo real sin agentes
– Notificaciones al motor de antivirus
– Acceso a ficheros de datos para escaneo

• Escaneo manual y/o programado sin agentes
– Los escaneos bajo demanda son coordinados y organizados SPN
– Notificaciones

• Se integra con vShield Endpoint ( vSphere 4.1)
• Protección día Zero
– Integración con Smart Protection Network

• Limpieza sin agentes Virtual
– Active Action, Delete, Pass, Quarantine, Clean
Appl.
• Caching a nivel de API
– Cacheo de datos para optimizar el rendimiento
vShield Endpoint


¿Cuáles es la diferencia?


Addressing Payment Card Industry (PCI)
Requirements

Key Deep Security features & capabilities

 (1.) – Network Segmentation

 (1.x) – Firewall

 (6.1) – Virtual Patching* 81% NOT
PCI compliant
 (6.5) – Web Application Firewall prior to breach
Verizon 2009 Data Breach
 (10.6) – Review Logs Daily Investigation Report

 (11.4) – Deploy IDS / IPS

 (11.5) – Deploy File Integrity Monitoring

* Compensating control subject to QSA approval

Trend Micro: Server Security Leadership
IDC Market Analysis: Worldwide Corporate Server Security Market Share

Trend Micro
22.9%

All Others
77.1%

These products are generally more robust than desktop endpoint security
and are available for a much wider set of operating systems (Windows, Unix, and Linux).
This category also includes products that are designed to protect hypervisors and virtual
servers.” Source: Worldwide Endpoint Security 2010-2014
Forecast and 2009 Vendor Shares, IDC


Improves Security Improves Virtualization
by providing security solutions
by providing the most
architected to fully leverage
secure virtualization infrastructure,
the VMware platform
with APIs, and certification programs

The most comprehensive suite of next-generation,
virtualization security solutions:

 Virtual appliance- and guest-based

 Tightly integrated with, and leverages,
VMware APIs and technologies.

 Architected to fully leverage the VMware platform
for delivering better-than-physical security.
29

Antivirus específicos para entornos virtualizados

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (15)

En vedette

En vedette (19)

Similaire à Antivirus específicos para entornos virtualizados

Similaire à Antivirus específicos para entornos virtualizados (20)

Plus de Nextel S.A.

Plus de Nextel S.A. (20)

Dernier

Dernier (20)

Antivirus específicos para entornos virtualizados