Security in a Virtualized Environment with TrendMicro Bob van der Werf Partner Systems Engineer Andre Noordam Trend Micro

Page 1: Security in a Virtualized Environment with TrendMicroup2v.nl/wp-content/uploads/2009/05/vsphere_trendmicro.pdf · 2014. 6. 14. · Introducing VMsafe™ New security solutions can

Security in a Virtualized Environment with TrendMicro

Bob van der Werf

Partner Systems Engineer

Andre Noordam

Trend Micro

Agenda

• VMware vShield

• VMware VMSafe API

• TrendMicro solutions integration

• Smart Protection Strategy introduction

• Virtualization Security for VMware

VMware vSphere 4.0™

.Net, SaaS, Grid, J2EE, Linux, Windows, Web 2.0, vApp

vCenter Suite

Application Services

• Availability: VMotion, Storage VMotion, HA, Fault Tolerance, Data Recovery

• Security: vShield Zones, VMSafe

• Scalability: DRS, Hot Add

Infrastructure Services

• vCompute: ESX, ESXi, DRS/DPM

• vStorage: VMFS, Thin Provisioning

• vNetwork: Distributed Switch

Internal Cloud, External Cloud

Challenges with Traditional Network Security

Physical Network Security in Virtual Environments

External chokepoints that splinter resource pools

Disrupts cloud vision of seamless pool of resources

No inter-VM visibility

Unable to monitor traffic within an ESX host

Statically configured

Too rigid to adapt to changes in infrastructure

Unable to maintain network session state with live migration (VMotion) or live failover (FT)

vShield Zones

Capabilities

• Bridge, firewall, or isolate VM zones based on familiar VI containers

• Monitor allowed and disallowed activity by application-based protocols (Windows RPC, Oracle TNS, FTP, etc.)

• One-click flow-to-firewall blocks precise network traffic

Benefits

• Well-defined security posture within virtual environment

• Monitoring and assured policies, even through VMotion and VM lifecycle events

• Simple zone-based rules reduce policy errors

Key Use Cases for vShield Zones

Virtualizing the datacenter DMZ servers

Collapsing DMZ boundary using virtual firewalls

Compliance

Intrusion prevention, web app firewalls, other prescribed network security

Monitoring of successful and unsuccessful network connections

Consistent network security policies for replicated environments

Failover and high availability backups

Datacenter-in-a-box for SMB and Remote Office/Branch Office

Network isolation for multi-tenant clouds

VMware vShield Zones Architecture

vShield Host Gateway

Virtual Network Monitoring

Virtual Network Firewall

Transparently Managed

vShield Manager

Centralized Monitoring

Centralized Policy Assignment

Web-based interface

[Diagram: three VMware ESX hosts, each with vShield; VMware vCenter; VMware vShield Manager]

Introducing VMsafe™

New security solutions can be developed and integrated into VMware virtual infrastructure

Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage)

Complete integration and awareness of VMotion, Storage VMotion, HA, etc.

Provides an unprecedented level of security for the application and the data inside the VM

[Diagram: Security VM (HIPS, Firewall, IPS/IDS, Anti-Virus); Security API; ESX]

VMsafe™ APIs

APIs for all virtual hardware components of the VM

CPU/Memory Inspection

Inspection of specific memory pages being used by the VM or its applications

Knowledge of the CPU state

Policy enforcement through resource allocation of CPU and memory pages

Networking

View all IO traffic on the host

Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host.

Capability to provide inline or passive protection

Storage

Ability to mount and read virtual disks (VMDK)

Inspect IO read/writes to the storage devices

Transparent to the device and inline of the ESX Storage stack

TrendMicro START

Trend Micro solutions integration

Immediate protection, less complexity, greater flexibility

Andre Noordam

Senior Pre Sales Engineer

Agenda

• VMware vShield

• VMware VMSafe API

• TrendMicro solutions integration

• Smart Protection Strategy introduction

• Virtualization Security for VMware

Company overview

Founded: United States in 1988

Headquarters: Tokyo, Japan

Employees: 4,120

Market: Internet Content Security

2008 Revenue: US $985 Million

CEO: Eva Chen

• 10 global TrendLabs locations; 9 global R&D centers

• Tokyo Stock Exchange (4704)

Security Evolution

Continuous Innovation

[Timeline, 1995 to 2008, with the following milestones]

• Web Filtering: InterScan WebManager

• Software as a Service: SecureCloud™

• Web Threat Protection: Web Reputation

• Web-based Centralized Management: Trend Micro Control Manager

• Network Access Control: Network VirusWall™

• Email Reputation Services

• Gateway Virus Protection: InterScan™

• 2-Hour Virus Response SLA

• LAN Server Virus Protection: ServerProtect™

• Server-based Email Virus Protection: ScanMail™

• Threat Lifecycle Management Strategy: Enterprise Protection Strategy (EPS)

• Trend Micro and Cisco Integrated Security in the Network

• Integrated Gateway Content Security: InterScan Messaging Security Suite

• Botnet Identification Service

• Compliance: Message Archiver & Email Encryption

• Data Leak Prevention: LeakProof™

• Trend Micro Smart Protection Network

Threat Environment Evolution to Crimeware

[Chart: axis label Complexity; categories: Vulnerabilities, Worm Outbreaks, Spam, Mass Mailers, Spyware, Intelligent Botnets, Web Threats, Crimeware]

• Information Stealing

• Botnet Enabled

• Multi-Vector

• Multi-Component

• Web Polymorphic

• Rapid Variants

• Single Instance

• Single Target

• Regional Attacks

• Silent, Hidden

• Hard to Clean

Example of today's threats

• Social engineering takes on a physical form as flyers are placed on car windshields in a North Dakota parking lot.

• These flyers bear a malicious URL.

Example of today's threats

• This series of malicious activities happens when a user tries to access the URL printed in the flyer

Pattern Matching a challenge for everyone

[Chart: AV-Test.org’s Sample Collection; y-axis: Unique Samples Added; series: Actual and Forecast; labelled value: 11,000,000+]

Source: AV-Test.org, June 2008

Traditional Endpoint Security Can’t Keep Up

[Chart: Unique threat samples PER HOUR; x-axis ticks 2007, 2009, 2011, 2013, 2015; plotted values 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598]

Signature file updates take too long

• Delay protection across all clients and servers

• Leave a critical security gap

• Require multiple updates a day to keep up with threats, complicating signature management

Signature files are becoming too big

• Increase endpoint memory footprint

• Increase impact on endpoint performance

• Increase bandwidth utilization

• Unpredictable increase of client size

Next generation architecture

Threat Protection Databases

Past

• Small Pattern DB

• Slowly Updating Patterns

• < 50 Per Day

Patterns

FILE REPUTATION

WEB REPUTATION

Trend Micro Smart Protection Network™

Security Made Smarter

Threat Collection

Threats

EMAIL REPUTATION

Back-end

Correlation

Trend Micro Smart Protection Network™

Trend Micro Multi-Layered Architecture

Reputation

Anti-Spyware

Antivirus

Anti-Spam

Anti-Phishing

Inappropriate Content

EXTERNAL THREATS

Viruses

Spyware & Adware

Spam & Phishing

Web Threats

INTERNAL THREATS

Information Leaks

Compliance

Vulnerabilities

Threats, Endpoint, Gateway, Services, Servers, Management

• InterScan Web Security Solutions

• InterScan Messaging Security Solutions

• ScanMail Solutions

• IM Security for LCS Solution

• ServerProtect Security Solutions

• SharePoint Portal Security Solution

• OfficeScan Client Security Solution

• LeakProof Data Leak Prevention Solution

• Trend Micro Mobile Security Solution

• Web and Email Reputation

• InterScan Messaging Hosted Security

• OfficeScan Client Security Solution

• Off Network

• Trend Micro Control Manager

Trend Micro™ OfficeScan™ Client-Server Suite

A complete suite of endpoint security products protecting all clients, servers, and mobile devices regardless of location or network connectivity.

Immediate Protection: Endpoint Defense

• Web and File Reputation in the Smart Protection Network

• Endpoint-centric security

• HIPS and new device control

Less Complexity: Easy Management

• Single Web-based management console

• Role-based administration

• Active Directory integration

More Flexibility: Plug-in Architecture

• Adaptive approach to changing threats

• Multiple device and OS support

OfficeScan™ Client-Server Suite

More Flexibility

Desktops

Laptops

Servers

Virtual Machines

Macs

Smartphones

PDAs

Storage Appliances

Windows XP

Windows Vista

Windows Server 2003

Windows Server 2008

Mac OS 10.4 + 10.5

Linux

Windows Mobile 5.x

Windows Mobile 6.x

Symbian OS

VMware ESX

More Platforms

More Protection Points

OfficeScan Plug-in architecture

MODULAR PLUG-IN ARCHITECTURE

• Anti-malware

• File & Folder Encryption

• HIPS & Vulnerability shielding

• Mobile Security

• Security for Macintosh

• Virtualization Security

Select the security you want to deploy, when, and where

• Easily add new modules, as needed

– As soon as new technologies become available

– At any time your needs change

• Extends your solution lifecycle

• Protects your investment

• No need to rip-and-replace to be protected

OfficeScan™ Client-Server Suite

More Flexibility

Plug-in Manager

Agenda

• VMware vShield

• VMware VMSafe API

• TrendMicro solutions integration

• Smart Protection Strategy introduction

• Virtualization Security for VMware

Trend Micro Virtualization Security™

Current Market Situation

• Existing content security solutions underperform in virtual environments

• They are unable to scan vulnerable dormant VMs

• Simultaneous full system malware scans cause huge performance degradation

(X86) Physical Server

ESX Server

Virtual Machines

Trend Micro Virtualization Security™

Dormant Virtual Machines Need Protection

Dormant VMs have no anti-malware agent running but can still get infected

Aged dormant VMs will be way behind with pattern updates

[Diagram: ESX Server with three active VMs and two dormant VMs, each containing App and AV]

Trend Micro Virtualization Security™

Scheduled Scanning with Existing Solutions

Typical AV solutions are not VI-aware

Simultaneous full AV scans will cause system thrashing

[Diagram: Typical AV Console; ESX Server with VMs (App and AV), every one labelled Scan 3:00AM]

Trend Micro Virtualization Security

Anti-malware protection for offline and online virtual machines.

Signature update for offline Virtual Machines.

Full integration with OfficeScan and VMware ESX.

• Supports VMsafe API.

• Management via vCenter console.

• Plug-in for Trend Micro OfficeScan.

• Supports Trend Micro Lightweight Smart Protection agent for realtime AV protection

Trend Micro Virtualization Security™

Scanning with Virtualization Security

Virtualization Security scans and remediates offline VMs

Virtualization Security integrates with VMware Virtual Center

[Diagram: VirtualCenter and Virtualization Security Console; ESX Server with VMsafe APIs and a scanning agent; three active VMs and two dormant VMs, each containing App and AV]

Trend Micro Virtualization Security™

Scheduled Scanning

Virtualization Security is set up to be VI Aware

Scheduled scans on the same physical server are automatically staggered

[Diagram: VirtualCenter and Virtualization Security Console; three ESX Servers with VMsafe APIs; a scanning agent, three active VMs and two dormant VMs, each containing App and AV; scan times shown: 3:00AM and 3:10AM]

Trend Micro Virtualization Security™

Summary

We solve the pattern volume problem

File Reputation

Web Reputation

Vulnerability shielding

We solve the Endpoint performance drop problem

Cloud-Client Architecture Frees resources

Offloads growing patterns to the cloud

We provide full VMware support

OfficeScan VMSafe Plug-in architecture

Virtual Appliances

All current products are supported in a VMware environment

www.trendmicro.com/go/virtualization

Thank you