Protection for VMware environments

Trend Micro Deep Security, developed in close cooperation with VMware, offers agentless security at the hypervisor level. This protection is provided by the Deep Security Virtual Appliance. The appliance is deployed at the cluster level through NSX Manager; one appliance runs on each ESXi host and protects the VMs on that host.

Deep Security Virtual Appliance features

Scan caching

The scan cache allows the results of an Anti-Malware scan to be reused when several machines contain the same files. When the appliance scans the first guest virtual machine, it records attributes of each file it scans. When other virtual machines are scanned, it compares the attributes of each file against that record; a file whose attributes match one already scanned does not need to be scanned fully a second time, which reduces the overall scan time. In situations such as virtual desktop infrastructure (VDI), where the images are nearly identical, the savings from the scan cache are greatest.

Scan storm optimization

A 'scan storm' occurs when many scans run concurrently, causing performance slowdowns. Scan storms typically occur in large-scale VDI deployments, for example when many desktops boot or start a scheduled scan at the same time. When performing Anti-Malware scanning, the appliance uses the scan caching feature described above to limit its resource usage during a scan storm.

Ease of management

Generally, deploying one Deep Security Virtual Appliance to each ESXi host is easier than deploying a Deep Security Agent to each of many VMs. With NSX, these savings increase because the Deep Security service is deployed through NSX Manager and applied to the whole cluster: any new host added to the cluster automatically gets Deep Security protection deployed.

The virtual appliance also helps with network flexibility. Each Deep Security Agent requires network connectivity to reach the Deep Security Manager and a Deep Security Relay. With the Deep Security Virtual Appliance, only the appliance needs that connectivity; the manager and relay do not need a network path to each VM.

In some cases, the infrastructure and VMs may be managed by different teams. By using the virtual appliance, the infrastructure team does not require access to the virtual machine to add protection because it can be deployed at the hypervisor level to protect each of the virtual machines.

VMware deployments with the virtual appliance and NSX 6.3 or higher

If you want to use the Deep Security Virtual Appliance to protect your guest VMs, you'll need to use VMware NSX. NSX is available under several license types, and the license type determines which Deep Security features are available agentlessly. The NSX license types are shown in the table below, along with the Deep Security features supported by each.

For an exhaustive list of supported features and sub-features that are supported by the Deep Security Virtual Appliance, see Deep Security Virtual Appliance (NSX) (with embedded 11.0 agent).

Deep Security Virtual Appliance deployment (agentless)

Feature               | NSX Advanced or NSX Enterprise | NSX for vShield Endpoint (free), NSX Standard, or NSX Professional
----------------------|--------------------------------|-------------------------------------------------------------------
Anti-Malware          | ✔ (Windows guest VMs only)     | ✔ (Windows guest VMs only)
Integrity Monitoring  | ✔ (Windows guest VMs only)     | ✔ (Windows guest VMs only)
Firewall              | ✔                              | X¹
Intrusion Prevention  | ✔                              | X¹
Web Reputation        | ✔                              | X¹
Log Inspection        | X¹                             | X¹
Application Control   | X¹                             | X¹

¹ Available if you install an agent on each of your guest VMs (combined mode)

With NSX Advanced or Enterprise, the Deep Security Virtual Appliance can perform Anti-Malware (for Windows guest VMs only), Integrity Monitoring (for Windows guest VMs only), Firewall, Intrusion Prevention, and Web Reputation for all guest VMs, with no agents installed on the VMs. If, however, you want Log Inspection or Application Control, or you want Anti-Malware and Integrity Monitoring for Linux VMs, you'll need to install agents.

With NSX for vShield Endpoint (free), NSX Standard, or NSX Professional, the Deep Security Virtual Appliance supports only Anti-Malware and Integrity Monitoring, and only on Windows VMs. You'll need to install agents if you want Firewall, Intrusion Prevention, Web Reputation, Log Inspection, or Application Control, or if you want Anti-Malware and Integrity Monitoring for Linux VMs.

When you install agents to supplement the virtual appliance's functionality, this is known as combined mode.

Some key points when considering combined mode:

  • Management: Deep Security provides deployment scripts that can be used to script the deployment of the Deep Security Agent with various orchestration tools (Chef, Puppet, etc.). The scripts also handle activation of the agent and assignment of a policy, which reduces the manual intervention required and the management cost of deploying the agent in a VMware environment.
  • Scan caching performance improvements and scan storm optimization: In combined mode, the virtual appliance still performs scan caching and scan storm optimization for Anti-Malware scanning. This keeps the agent footprint on each VM small, because only a network driver needs to be installed on the VM.

For details on how to set up the Deep Security Virtual Appliance environment, see Deploy the Deep Security Virtual Appliance with NSX.

VMware deployments with the agent only

If you want to protect VMware environments without NSX, you can do so by deploying the Deep Security Agent to each of your VMs. In this scenario, you don't need the Deep Security Virtual Appliance, since all protection is provided by the agents. By using the Deep Security Agent, you get all of the main features of Deep Security, namely: Anti-Malware, Integrity Monitoring, Firewall, Intrusion Prevention, Web Reputation, Log Inspection, and Application Control. In addition, the agent has the following characteristics:

  • It is lightweight (a Smart Agent). Only the protection modules that you specify (for example, Anti-Malware and Integrity Monitoring) are installed using a policy that you set up on the manager. Further, Deep Security has a feature called 'recommendation scanning', which allows you to only assign rules necessary for the specific workload you are protecting.
  • Windows agents include an Anti-Malware scan cache, containing hashes of previously-scanned files that are frequently accessed, so that they don't need to be rescanned.
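The scan cache described under "Scan caching" and "Scan storm optimization" above, and the agent-side hash cache mentioned in the previous bullet, can be modelled with a few lines of code. The block below is an added example and is not Trend Micro's code: the cache key (SHA-256 of the file contents plus its size), the stand-in full_scan() engine that recognises only the EICAR test string, and the constructed VDI pool are all assumptions made for the illustration.

```python
"""Toy model of an Anti-Malware scan cache shared across near-identical VMs.

Added illustration, not Trend Micro code. Assumptions: the cache key is the
SHA-256 of the file contents plus its size, and full_scan() stands in for
the real scan engine and only recognises the EICAR test string.
"""
import hashlib
from dataclasses import dataclass

# Standard, harmless anti-virus test string (the EICAR test file).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class ScanStats:
    full_scans: int = 0   # files handed to the (expensive) scan engine
    cache_hits: int = 0   # files answered from the cache without a full scan


def full_scan(data: bytes) -> str:
    """Stand-in for the scan engine (assumption): flags only the EICAR string."""
    return "malicious" if EICAR in data else "clean"


class ScanCache:
    """Remembers verdicts for files that have already been scanned.

    The key must identify the file's *content*, not just its name, size or
    timestamp: with a content hash, any byte-level change misses the cache
    and is scanned in full, so a modified file cannot inherit the verdict
    of the original it was cloned from.
    """

    def __init__(self) -> None:
        self._verdicts: dict[tuple[str, int], str] = {}
        self.stats = ScanStats()

    @staticmethod
    def key(data: bytes) -> tuple[str, int]:
        return hashlib.sha256(data).hexdigest(), len(data)

    def scan(self, data: bytes) -> str:
        k = self.key(data)
        verdict = self._verdicts.get(k)
        if verdict is not None:
            self.stats.cache_hits += 1
            return verdict
        self.stats.full_scans += 1
        verdict = full_scan(data)
        self._verdicts[k] = verdict
        return verdict


def scan_vms(vms: dict[str, dict[str, bytes]], cache: ScanCache) -> dict[str, dict[str, str]]:
    """Scan every file on every VM through one shared cache (as the appliance
    does for all guests on a host); returns a verdict per VM and file."""
    return {vm: {path: cache.scan(data) for path, data in files.items()}
            for vm, files in vms.items()}


def build_vdi_pool(n_clones: int) -> dict[str, dict[str, bytes]]:
    """Constructed sample data: n_clones (>= 2) desktops cloned from one golden image.

    vdi-000 additionally holds an EICAR file a user downloaded, and vdi-001
    has a patched copy of app.exe (same path and nearly the same size, but
    the content differs, so it must not reuse the golden image's verdict).
    """
    golden = {
        "C:/Windows/System32/kernel32.dll": b"MZ" + b"K32" * 1000,
        "C:/Windows/System32/ntdll.dll": b"MZ" + b"NTD" * 2000,
        "C:/Program Files/App/app.exe": b"MZ" + b"APP" * 500,
    }
    vms = {f"vdi-{i:03d}": dict(golden) for i in range(n_clones)}
    vms["vdi-000"]["C:/Users/alice/Downloads/eicar.com"] = EICAR
    vms["vdi-001"]["C:/Program Files/App/app.exe"] = golden["C:/Program Files/App/app.exe"] + b"PATCH"
    return vms


if __name__ == "__main__":
    cache = ScanCache()
    results = scan_vms(build_vdi_pool(50), cache)
    print(f"full scans: {cache.stats.full_scans}, cache hits: {cache.stats.cache_hits}")
    for vm, files in results.items():
        for path, verdict in files.items():
            if verdict != "clean":
                print(f"{vm}: {path} -> {verdict}")
```

With 50 clones the pool contains 151 files, but only 5 reach the scan engine: the three golden-image files, the EICAR download on vdi-000, and the patched app.exe on vdi-001; the remaining 146 are cache hits. That is the scan-storm case in miniature: concurrent scans of near-identical desktops cost roughly one full scan per distinct file rather than one per VM. The caveat a practitioner should keep in mind is the choice of key. Hashing still reads the whole file, which is cheap next to signature matching and emulation, and it guarantees that a file whose name, size and timestamp were preserved but whose content was replaced gets its own full scan instead of inheriting a "clean" verdict.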

To deploy agents, Trend Micro has provided deployment scripts that can be used with various orchestration tools (Chef, Puppet, etc). You can also install the agent manually.

Additional information