Protection for VMware environments

Trend Micro Deep Security has worked closely with VMware to offer agentless security at the hypervisor level. This security is provided by the Deep Security Virtual Appliance. The virtual appliance is deployed at the cluster level through NSX Manager to offer protection to VMs on a given host.

Deep Security Virtual Appliance features

Scan caching

The scan cache allows the results of an anti-malware scan to be used when scanning multiple machines with the same files. When the virtual appliance scans the original machine, it keeps track of attributes of the files it is scanning. When other virtual machines are scanned, it can compare these attributes for each file. This means that subsequent files with the same attributes do not need to be scanned fully a second time, which reduces the overall scan time. In situations like virtual desktop infrastructure (VDI) where the images are nearly identical, the performance savings from scan cache are greater.

Scan storm avoidance

When scanning is done by the Deep Security Virtual Appliance, the virtual appliance has knowledge of all of the machines it is protecting. When performing anti-malware scanning, the virtual appliance can manage resource usage and prevent scan storms from occurring.

Ease of management

Generally, deploying one Deep Security Virtual Appliance to each ESXi host is easier than deploying an agent on multiple VMs. With NSX, this management savings increases because deployment of the Deep Security service is done through NSX Manager and applied to the cluster. Any new hosts added to the cluster automatically get Deep Security protection deployed.

The virtual appliance can also help with network flexibility. Each Deep Security Agent requires network connectivity to resolve the Deep Security Manager and Relay. By using the Deep Security Virtual Appliance, this network connectivity is limited to the virtual appliance and connectivity to each VM is not required.

In some cases, the infrastructure and VMs may be managed by different teams. By using the virtual appliance, the infrastructure team does not require access to the virtual machine to add protection because it can be deployed at the hypervisor level to protect each of the virtual machines.

Deep Security Agent features

Deep Security also offers protection for many server platforms using the Deep Security Agent. The Deep Security Agent is a lightweight agent (Smart Agent) that only installs the modules that are needed on each host. On install, a small bootstrap agent is installed and logic is used to deploy the specific protection modules to the host once a policy is assigned. Logic has been built in to Deep Security to prevent scan storms even when agents are used and Deep Security has the concept of recommendation scanning, which allows you to only assign rules necessary for the specific workload you are protecting. Using the functionality available in Deep Security gives you maximum protection with minimum impact on your servers.

VMware deployment options

VMware deployments with NSX Advanced or Enterprise

Through deep integration with VMware NSX Advanced or Enterprise, the Deep Security Virtual Appliance can perform firewall, intrusion prevention, anti-malware (Windows only) and file integrity monitoring capabilities (Windows only) for all protected VMs. For details on how to set up this environment, see Deploy Deep Security.

VMware Deployments with the NSX for vShield Endpoint (NSX 6.2.4 or higher)

Deep Security previously had a deep integration with VMware vCloud Networking and Security (vCNS). VMware has recently stated end of general support for vCNS and at the same time released a new version of NSX (NSX 6.2.4) that comes with a default license. This default license version of NSX 6.2.4 allows the Deep Security Virtual Appliance to provide agentless anti-malware and integrity monitoring. When using this default license version of NSX, you must use a Deep Security Agent if you want firewall and intrusion prevention capabilities. For details on how to set up this environment, see Deploy Deep Security. There are two main use cases:

NSX for vShield Endpoint (NSX 6.2.4 or higher) for anti-malware and integrity monitoring only

With the new default license in NSX 6.2.4 or higher, you can use the Deep Security Virtual appliance for hypervisor-based protection of your VMs. This license allows you to use the anti-malware and integrity monitoring functionality agentlessly.

NSX for vShield Endpoint (NSX 6.2.4 or higher) for anti-malware and Deep Security Agent for intrusion prevention and firewall (combined mode)

If you want to use the default license version of NSX 6.2.4 but also require the intrusion prevention or integrity monitoring capabilities of Deep Security, you will need to install an agent on each VM. Some key points in considering this option:

  • Management: Deep Security has deployment scripts that can be used to script the deployment of the Deep Security Agent using various orchestration tools (Chef, Puppet, etc). Using the deployment scripts allows for easier deployment of the agent. These scripts also allow activation and assignment of policy. They help to reduce the manual intervention required and reduce the management cost when deploying the agent in a VMware environment.
  • Scan Cache performance improvements and Scan Storm Avoidance: The Deep Security Agent has been designed to only install a small bootstrap agent. Then, as policy is assigned, the protection modules get loaded. In the case of combined mode, if the Deep Security Virtual Appliance is deployed and an agent is then installed on the machine, the virtual appliance will do the anti-malware scanning. Because the agent will only be doing network scanning, only the network driver will be put on each guest VM. This provides the benefits of the scan cache and scan storm avoidance for anti-malware scanning via the virtual appliance while maintaining a very small agent footprint on each server.

VMware deployments without NSX

Customers protecting VMware environments without NSX can use the Deep Security Agent on each of their VMs. By using the Deep Security Agent, the VMware environment can be protected and all of the benefits described in the Deep Security Agent section above apply.

Additional information