Security in a Virtualized Environment with TrendMicro
Bob van der Werf
Partner Systems Engineer
Andre Noordam
Trend Micro
Agenda
• VMware vShield
• VMware VMSafe API
• TrendMicro solutions integration
• Smart Protection Strategy introduction
• Virtualization Security for VMware
VMware vSphere 4.0™
[Diagram: VMware vSphere 4.0 stack]
• Applications: .Net, SaaS, Grid, J2EE, Linux, Windows, Web 2.0, vApp
• vCenter Suite
• Application Services
– Availability: VMotion, Storage VMotion, HA, Fault Tolerance, Data Recovery
– Security: vShield Zones, VMSafe
– Scalability: DRS, Hot Add
• Infrastructure Services
– vCompute: ESX, ESXi, DRS/DPM
– vStorage: VMFS, Thin Provisioning
– vNetwork: Distributed Switch
• Internal Cloud, External Cloud
Challenges with Traditional Network Security
Physical Network Security in Virtual Environments
External chokepoints that splinter resource pools
Disrupts cloud vision of seamless pool of resources
No inter-VM visibility
Unable to monitor traffic within an ESX host
Statically configured
Too rigid to adapt to changes in infrastructure
Unable to maintain network session state with live migration (VMotion) or live failover (FT)
vShield Zones
Capabilities
• Bridge, firewall, or isolate VM zones based on familiar VI containers
• Monitor allowed and disallowed activity by application-based protocols (Windows RPC, Oracle TNS, FTP, etc.)
• One-click flow-to-firewall blocks precise network traffic
Benefits
• Well-defined security posture within virtual environment
• Monitoring and assured policies, even through VMotion and VM lifecycle events
• Simple zone-based rules reduce policy errors
Key Use Cases for vShield Zones
Virtualizing the datacenter DMZ servers
Collapsing DMZ boundary using virtual firewalls
Compliance
Intrusion prevention, web app firewalls, other prescribed network security
Monitoring of successful and unsuccessful network connections
Consistent network security policies for replicated environments
Failover and high availability backups
Datacenter-in-a-box for SMB and Remote Office/Branch Office
Network isolation for multi-tenant clouds
VMware vShield Zones Architecture
vShield Host Gateway
Virtual Network Monitoring
Virtual Network Firewall
Transparently Managed
vShield Manager
Centralized Monitoring
Centralized Policy Assignment
Web-based interface
[Diagram: VMware vCenter, VMware vShield Manager, and three VMware ESX hosts, each with vShield]
Introducing VMsafe™
New security solutions can be developed and integrated into VMware virtual infrastructure
Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage)
Complete integration and awareness of VMotion, Storage VMotion, HA, etc.
Provides an unprecedented level of security for the application and the data inside the VM
[Diagram labels: Security VM (HIPS, Firewall, IPS/IDS, Anti-Virus), Security API, ESX]
VMsafe™ APIs
APIs for all virtual hardware components of the VM
CPU/Memory Inspection
Inspection of specific memory pages being used by the VM or its applications
Knowledge of the CPU state
Policy enforcement through resource allocation of CPU and memory pages
Networking
View all IO traffic on the host
Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host
Capability to provide inline or passive protection
Storage
Ability to mount and read virtual disks (VMDK)
Inspect IO read/writes to the storage devices
Transparent to the device and inline of the ESX Storage stack
Trend Micro solutions integration
Immediate protection, less complexity, greater flexibility
Andre Noordam, Senior Pre Sales Engineer
Company overview
Founded: United States in 1988
Headquarters: Tokyo, Japan
Employees: 4,120
Market: Internet Content Security
2008 Revenue: US $985 Million
• 10 global TrendLabs locations; 9 global R&D centers
• Tokyo Stock Exchange (4704)
CEO: Eva Chen
Security Evolution
Continuous Innovation
[Timeline figure, 1995 to 2008. Milestones shown:]
• Web Filtering: InterScan WebManager
• Software as a Service: SecureCloud™
• Web Threat Protection: Web Reputation
• Web-based Centralized Management: Trend Micro Control Manager
• Network Access Control: Network VirusWall™
• Email Reputation Services
• Gateway Virus Protection: InterScan™
• 2-Hour Virus Response SLA
• LAN Server Virus Protection: ServerProtect™
• Server-based Email Virus Protection: ScanMail™
• Threat Lifecycle Management Strategy: Enterprise Protection Strategy (EPS)
• Trend Micro and Cisco Integrated Security in the Network
• Integrated Gateway Content Security: InterScan Messaging Security Suite
• Botnet Identification Service
• Compliance: Message Archiver & Email Encryption
• Data Leak Prevention: LeakProof™
• Trend Micro Smart Protection Network
Threat Environment Evolution to Crimeware
[Chart: threat complexity over time. Labels: Vulnerabilities, Worm Outbreaks, Spam, Mass Mailers, Spyware, Intelligent Botnets, Web Threats, Crimeware]
• Information Stealing
• Botnet Enabled
• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
Example of today's threats
• Social engineering takes on a physical form as flyers are placed on car windshields in a North Dakota parking lot.
• These flyers bear a malicious URL.
Example of today's threats
• This series of malicious activities happens when a user tries to access the URL printed in the flyer.
Pattern Matching a challenge for everyone
AV-Test.org’s Sample Collection
[Chart: Unique Samples Added, 11,000,000+. Source: AV-Test.org, June 2008]
[Chart: Actual and Forecast series, x-axis 2007 to 2015. Data labels: 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598]
Traditional Endpoint Security Can’t Keep Up
Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap
• Require multiple updates a day to keep up with threats, complicating signature management
Signature files are becoming too big
• Increase endpoint memory footprint
• Increase impact on endpoint performance
• Increase bandwidth utilization
• Unpredictable increase of client size
Unique threat samples PER HOUR
Next generation architecture
Threat Protection Databases
Past: Small Pattern DB, Slowly Updating Patterns, < 50 Per Day
Trend Micro Smart Protection Network™
Security Made Smarter
[Diagram labels: Threat Collection, Threats, Patterns, File Reputation, Web Reputation, Email Reputation, Back-end, Correlation]
Trend Micro Multi-Layered Architecture
[Diagram labels:]
• Protection: Reputation, Anti-Spyware, Antivirus, Anti-Spam, Anti-Phishing, Inappropriate Content
• EXTERNAL THREATS: Viruses, Spyware & Adware, Spam & Phishing, Web Threats
• INTERNAL THREATS: Information Leaks, Compliance, Vulnerabilities
• Layers: Threats, Endpoint, Gateway, Services, Servers, Management
• Products:
– InterScan Web Security Solutions
– InterScan Messaging Security Solutions
– ScanMail Solutions
– IM Security for LCS Solution
– ServerProtect Security Solutions
– SharePoint Portal Security Solution
– OfficeScan Client Security Solution
– LeakProof Data Leak Prevention Solution
– Trend Micro Mobile Security Solution
– Web and Email Reputation
– InterScan Messaging Hosted Security
– OfficeScan Client Security Solution (Off Network)
– Trend Micro Control Manager
Trend Micro™ OfficeScan™ Client-Server Suite
A complete suite of endpoint security products protecting all clients, servers, and mobile devices regardless of location or network connectivity.
Immediate Protection
Endpoint Defense
• Web and File Reputation in the Smart Protection Network
• Endpoint-centric security
• HIPS and new device control
Less Complexity
Easy Management
• Single Web-based management console
• Role-based administration
• Active Directory integration
More Flexibility
Plug-in Architecture
• Adaptive approach to changing threats
• Multiple device and OS support
OfficeScan™ Client-Server Suite
More Flexibility
More Protection Points
• Desktops
• Laptops
• Servers
• Virtual Machines
• Macs
• Smartphones
• PDAs
• Storage Appliances
More Platforms
• Windows XP
• Windows Vista
• Windows Server 2003
• Windows Server 2008
• Mac OS 10.4 + 10.5
• Linux
• Windows Mobile 5.x
• Windows Mobile 6.x
• Symbian OS
• VMware ESX
OfficeScan Plug-in architecture
MODULAR PLUG-IN ARCHITECTURE
[Diagram: plug-in modules]
• Anti-malware
• File & Folder Encryption
• HIPS & Vulnerability shielding
• Mobile Security
• Security for Macintosh
• Virtualization Security
Select the security you want to deploy, when, and where
• Easily add new modules, as needed
– As soon as new technologies become available
– At any time your needs change
• Extends your solution lifecycle
• Protects your investment
• No need to rip-and-replace to be protected
OfficeScan™ Client-Server Suite
More Flexibility
Plug-in Manager
Trend Micro Virtualization Security™
Current Market Situation
• Existing content security solutions underperform in virtual environments
• They are unable to scan vulnerable dormant VMs
• Simultaneous full system malware scans cause huge performance degradation
[Diagram labels: (X86) Physical Server, ESX Server, Virtual Machines]
Trend Micro Virtualization Security™
Dormant Virtual Machines Need Protection
Dormant VMs have no anti-malware agent running but can still get infected
Aged dormant VMs will be way behind with pattern updates
[Diagram: ESX Server with three active VMs and two dormant VMs, each containing App and AV]
Trend Micro Virtualization Security™
Scheduled Scanning with Existing Solutions
Typical AV solutions are not VI-aware
Simultaneous full AV scans will cause system thrashing
[Diagram: Typical AV Console and an ESX Server; every VM (App + AV) is labelled "Scan 3:00AM"]
Trend Micro Virtualization Security
Anti-malware protection for offline and online virtual machines.
Signature update for offline Virtual Machines.
Full integration with OfficeScan and VMware ESX.
– Supports VMsafe API.
– Management via vCenter console.
– Plug-in for Trend Micro OfficeScan.
– Supports Trend Micro Lightweight Smart Protection agent for real-time AV protection
Trend Micro Virtualization Security™
Scanning with Virtualization Security
Virtualization Security scans and remediates offline VMs
Virtualization Security integrates with VMware Virtual Center
[Diagram: Virtualization Security Console and VirtualCenter; ESX Server with VMsafe APIs and a scanning agent alongside three active VMs and two dormant VMs (App + AV)]
Trend Micro Virtualization Security™
Scheduled Scanning
Virtualization Security is set up to be VI Aware
Scheduled scans on the same physical server are automatically staggered
[Diagram: Virtualization Security Console and VirtualCenter; three ESX Servers with VMsafe APIs, a scanning agent, and active and dormant VMs (App + AV); scan times shown as 3:00AM and 3:10AM]
Trend Micro Virtualization Security™
Summary
We solve the pattern volume problem
File Reputation
Web Reputation
Vulnerability shielding
We solve the Endpoint performance drop problem
Cloud-Client Architecture frees resources
Offloads growing patterns to the cloud
We provide full VMware support
OfficeScan VMSafe Plug-in architecture
Virtual Appliances
All current products are supported in a VMware environment
www.trendmicro.com/go/virtualization
Thank you