When I wrote my analysis on VMware’s VMworld 2010 announcements earlier this week, I didn’t cover a product which piqued my interest. It is about VMware’s moves to beef up virtualization and cloud security through their vShield offering. I decided to wait because I wanted to talk to one of VMware’s partners, Trend Micro, before digging deeper into it. Now that I have spoken to folks at Trend Micro and learned how they could integrate their security product into vSphere 4.1, it is time for my brief analysis of VMware’s endpoint security.
The Problem:
Of the many security issues surrounding IT, endpoint security is one of the most important and is crucial for meeting regulatory compliance requirements. Traditionally, endpoint security used a client/server model: every endpoint device (servers, desktops, laptops, etc.) had a client installed on it, centrally managed by IT security. The “hefty” client monitors the device, analyzes content and processes, and acts based on a set of rules. This approach was never efficient, but there was no better alternative. As IT moved to virtualized environments and the cloud, the problem only got bigger. Not only does this approach increase the complexity of endpoint security in virtualized and cloud environments, it also has an impact on overall performance. Some of the problems with the client/server approach to endpoint security are:
- We have to install a client on every VM, with each client storing the engine, signatures, etc. locally. This has a significant impact on CPU and RAM usage, along with additional storage requirements.
- When updates are pushed, all VMs download and install them at the same time. This leads to huge spikes in both network usage and internal resource usage, and therefore to significant performance hits.
- Virtualization already has a performance cost on the servers (but don’t despair: virtualization vendors are working hard to reduce this impact, and you can see a performance comparison of different hypervisors in this Taneja Group report). If endpoint security adds (number of VMs × per-VM endpoint security resource usage) on top of that, the performance hit is going to be significant.
- The large number of clients on VMs also adds complexity at the management layer.
- Add VM sprawl and its impact to all of the above.
Clearly, even though the client/server approach offers reliable endpoint security, it is not an efficient way to do security in virtualized environments. There was definitely a need for a better approach. So far, the virtualization vendors had been relying on third-party providers in the ecosystem to fill the gap, while the third-party providers were waiting for the virtualization vendors to offer something better, because there is not much they can do within the client/server model.
VMware’s approach to endpoint security:
At VMworld 2010 last week, VMware announced the first step towards a more efficient endpoint security model. The VMware vShield Endpoint solution for vSphere 4.1 and View 4.5 environments offers a library and APIs for integrating partner security appliances that can introspect into file activity at the hypervisor layer. Imagine taking an endpoint security appliance from a vendor, putting it into the virtualized/cloud environment and tapping into these APIs to do all the protection without installing any agent on the virtual machines. This simple and elegant approach vastly reduces the performance impact on the virtual environment and may even offer considerable cost savings in terms of license fees, etc. It also simplifies the compliance auditing process, making clouds more palatable to enterprise customers with heavy compliance requirements.
vShield Endpoint plugs directly into vSphere and has the following three components to carry out the protection described in the paragraph above.
- Hardened security virtual machines, provided by VMware partners such as Trend Micro. This is a highly secured third-party appliance holding the anti-virus/malware engine, signatures and the other components needed for protection. The most important consequence of separating the engine and signatures from the protected virtual machines is that they are not exposed even if a VM is completely compromised. This advantage is not available in the client/server approach in the traditional computing world.
- A driver for the virtual machines that offloads file events. This is the thin client VMware uses to “interact” with the security appliance provided by the partners.
- The VMware Endpoint Security (EPSEC) Loadable Kernel Module (LKM), which links the above two components with the hypervisor.
vShield Endpoint monitors file events on the virtual machines through its “thin agents” and notifies the anti-virus/malware engine via EPSEC, which scans the file and returns the result. The same mechanism also supports regularly scheduled partial and full scans of VMs. In the event of an exploit, vulnerability or attack, admins can specify the actions to take through the management tools integrated into vCenter/vCloud Director, and vShield Endpoint carries those actions out on the affected virtual machines.
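To make the flow concrete, here is an added Python sketch (not VMware or Trend Micro code) of the three components just described: a thin agent that offloads file events, an EPSEC-like broker, and a security VM that holds the only copy of the engine and signatures. The event shape, the hash-based signature check and the “quarantine” action are assumptions made for the illustration; it also shows why a signature update lands once, on the security VM, instead of on every VM.

```python
"""Constructed model of the vShield Endpoint scan flow: thin agent -> EPSEC
broker -> security VM (SVA) -> verdict -> admin-specified action."""
import hashlib
from dataclasses import dataclass


@dataclass
class FileEvent:
    """What the in-guest thin agent offloads (assumed shape: VM, path, bytes)."""
    vm: str
    path: str
    content: bytes


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SecurityVM:
    """Hardened partner appliance: the only place engine and signatures live."""
    def __init__(self, signatures):
        self.signatures = set(signatures)   # constructed SHA-256 "signatures"
        self.scans = 0

    def update(self, new_sigs):
        """One download here covers every VM; no per-VM update storm."""
        self.signatures |= set(new_sigs)

    def scan(self, ev: FileEvent) -> str:
        self.scans += 1
        return "malicious" if sha(ev.content) in self.signatures else "clean"


class VShieldEndpoint:
    """EPSEC-style broker: routes thin-agent events to the SVA, applies policy."""
    def __init__(self, sva: SecurityVM, action: str = "quarantine"):
        self.sva, self.action, self.log = sva, action, []

    def on_file_event(self, ev: FileEvent) -> str:
        verdict = self.sva.scan(ev)
        outcome = "allow" if verdict == "clean" else self.action
        self.log.append((ev.vm, ev.path, verdict, outcome))  # for vCenter reporting
        return outcome


def demo():
    bad, newbad = b"constructed sample A", b"constructed sample B"
    sva = SecurityVM({sha(bad)})
    broker = VShieldEndpoint(sva, action="quarantine")
    r1 = broker.on_file_event(FileEvent("vm-01", "/tmp/report.pdf", b"harmless"))
    r2 = broker.on_file_event(FileEvent("vm-02", "/tmp/dropper.exe", bad))
    r3 = broker.on_file_event(FileEvent("vm-03", "/tmp/x.bin", newbad))  # unknown yet
    sva.update({sha(newbad)})   # single update on the SVA, every VM now covered
    r4 = broker.on_file_event(FileEvent("vm-03", "/tmp/x.bin", newbad))
    return r1, r2, r3, r4, sva.scans
```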
Conclusion:
In my opinion (keep in mind I am not a security guru but someone who only observes them and talks to them), this is a very elegant solution by VMware to tackle this problem. Not only have they made it simple and easy, they also help their customers achieve increased performance with their implementation of VMware virtualization/cloud. I am pretty sure other virtualization vendors will soon come up with similar solutions. In fact, when I spoke to Trend Micro, they told me that they will support other platforms with agentless endpoint security once those platforms offer APIs similar to what VMware is offering. Next week, I will build upon this and talk about how Trend Micro tapped into vShield Endpoint to offer powerful malware protection without “any” impact on performance.
I’m less impressed by vShield. The problem is that it is just what you said, “… a library and APIs for integrating partner security appliances that can introspect into file activity at the hypervisor layer.”
You see, this is only about file level security. Look at any decent endpoint protection product – and you will see layers of protection including packet inspection, real-time behavioral analysis, HIPS, device control, application control, sandboxing . . .
vShield doesn’t allow for any of the non-file-based security. Sure, Trend claims to support it – but has anyone tested whether they detect anything? No, their solution has not been certified by Virus Bulletin, av-comparatives.org, av-test.org... In fact, the only recent test of their detection that I know of is from PC Magazine – and it wasn’t pretty, and it wasn’t of their far more limited VMware product.
vShield isn’t ready for prime-time.
I do agree that it is not ready for prime time. But I do see it as a good starting point which could add market pressure on others to innovate. I see cloud security as a long, evolving effort rather than something that could be implemented overnight with a magic pill by one single vendor. However, I definitely agree with you that there are many loose ends to be tightened up.
If you look deeper and see what exactly needs to be installed on each VM, you can see a file system filter driver called “Antivirus”. This is what is installed on each VM. So, basically, I do not see any difference between agent-full and agentless AV in this particular case. And, if you look at the overall scheme, you can see that vShield Endpoint only makes it easier to maintain the databases. Nothing else is improved. This filter driver is really EASY to overcome by any more or less modern virus or rootkit, as it is a plain file system filter driver, nothing sophisticated.
In general, I would be much more interested in a real agentless solution, which does NOT depend on anything installed inside the VM and thus cannot be circumvented from inside the VM.
Unfortunately, nothing like that exists on the market.
–
Dennis.
>>>Next week, I will build upon this and talk about how Trend Micro tapped into
>>>vShield Endpoint to offer powerful malware protection without “any” impact
>>>on the performance.
Couldn’t find the ‘next week’ post; have you finished it yet? The topic is very exciting.
By the way, is the Endpoint API documented? I think it could be interesting to try it out and build something.
Looking forward to the followup to this post.
Hi, I know that Trend Micro uses the VMsafe API to integrate antivirus capability into VMware virtual machines, but I cannot understand how VMware vShield Endpoint differs from the VMsafe API, and how does Trend use the VMsafe API together with vShield Endpoint to provide strong security capability?