VMware vCloud Security

Product type Book
Published in Oct 2013
Publisher Packt
ISBN-13 9781782170969
Pages 114 pages
Edition 1st Edition

Chapter 3. Mitigating Threats Using vShield Endpoint Security

VMware vShield Endpoint strengthens security for virtual machines while still improving performance for endpoint protection. vShield Endpoint Security (EPSEC) does this by offloading the antivirus and anti-malware agent processing to a dedicated Security Virtual Appliance that is delivered and supported by VMware partners. EPSEC is a framework of different elements, including Application Programming Interfaces (APIs) developed by VMware Engineering to enable Endpoint security partners to integrate their solutions into the VMware vSphere (SVM) platform. This integration is performed at the hypervisor layer, which provides the introspection.

It's important to note that customers do not consume EPSEC, but they benefit from the integration of EPSEC through Endpoint products and solutions.

In this chapter, we will look into the benefits of vShield Endpoint over traditional antivirus solutions for a virtual environment. We...

EPSEC – use case


Traditional antivirus solutions require an agent in each virtual machine. Each of those agents maintains its own antivirus signatures. You can either configure a client-side schedule to do the virus scanning or use a centralized schedule running on the master server. In this approach, if you look at the consolidation ratio, your memory, CPU, and network overhead can become significant.

Other solutions can be configured to distribute scans over a configurable time interval. This reduces resource usage both in the VMs and on your ESXi hosts.

You are still exposed to threats in this model if your antivirus signatures are not up to date. Until the signatures in the guest machines are updated, your VMs are at risk. Some antivirus software automates pushing signatures to the guest machines (registered clients).

So, as you see, there are lots of caveats as to why VMware does not recommend using...

EPSEC – key benefits


The vCloud Networking and Security Endpoint product allows you to offload the following security functions from the VM to a dedicated appliance on the host:

  • Protection: Virus definitions can be kept up to date easily, as they are stored on an always-on appliance. So if an attacker targets a particular VM, the virus engine itself is not compromised.

  • Efficiency: You don't need to install an agent on each guest on the host. The agent is provided as a driver included in VMware Tools. You need just one appliance per host, so one scanning engine and one signature database per host. This also avoids antivirus storms, where many guests scan or update at the same time.

  • Assurance: As there is no need to install the software, deployed VMs are protected as soon as they are switched on.

  • Centralized management: Using a single management console, vCloud security administrators can manage policies and see if the antivirus is functioning correctly.

In a nutshell, it provides:

  • On-access scans

  • On-demand scans

  • Remediation...

vShield Endpoint architecture


Let us look at the various architectural components of vShield Endpoint as shown in the following figure:

You can configure and control the partner's software hosted in the SVA using the management console provided by the VMware partner. VMware partners can provide a user interface that makes the management experience (including policy management) exactly like managing software hosted on a dedicated physical security appliance.

Your vSphere administrators will spend less effort on this, as they do not need to manage agents on the virtual machines. All of the policy management and AV management is done through the partner-provided SVA. Your vSphere administrators also don't need to update the AV definitions inside the guest.

Virtual infrastructure administrators can easily monitor deployments to determine, for example, whether an antivirus solution is operating properly.

The EPSEC and REST interfaces allow partner-provided services to integrate with vSphere and vCloud...

vShield Endpoint components and intercommunication


To plug Endpoint directly into vSphere, which is the backbone of a vCloud environment, the following components are needed:

  • An SVA that is hardened and delivered by VMware partners, such as Bitdefender, Symantec, Trend Micro, McAfee, and Kaspersky

  • The Thin Agent for virtual machines, which offloads security events and is included in VMware Tools

  • The vShield Endpoint ESXi hypervisor module (MUX), which enables communication between the first two components in the hypervisor layer

For example, in the case of an antivirus solution, vShield Endpoint monitors the virtual machine's file events, such as a file open request, and notifies the antivirus engine, which scans and returns a disposition. The solution supports both on-access and on-demand (scheduled) scans initiated by the antivirus engine in the SVA.

VMCI is the inter-process communication mechanism used between the Thin Agent and the MUX component. However, there are caveats around this. If you use...

vShield Endpoint prerequisites


Installing vShield Endpoint alone is not enough; you also need to install an SVA (the partner solution). The proper installation flow is as follows:

  1. Install vShield Endpoint on each ESXi host. This will effectively install the MUX module on each host. When you install the MUX module on each host, it opens ports 48651 to 448666 for communication between the host and partner SVA.

  2. Deploy and configure an SVA to each ESXi host according to the instructions from the VMware antivirus partner. However, in our example, we will use vCloud Networking and Security Data Security as the SVA.

  3. Install VMware Tools 8.6.0 or later on all virtual machines that are to be protected. VMware Tools include the vShield Thin Agent, which must be installed on each guest virtual machine to be protected.

Make sure that the guest virtual machine has a supported version of Windows installed. The following Windows operating systems are supported:

  • Windows Vista ...

Installing vShield Endpoint


First of all, we need to install vShield Endpoint in the hypervisor of an ESXi host before deploying the SVA. In this case, the SVA is the VMware vCloud Networking and Security Data Security appliance. Finally, we need to install the Thin Agent in the guest VM. Keep in mind that it is the Thin Agent that enables protection on the guest VM: security-relevant events are passed to the SVA for processing and possible threat mitigation.

You should also remember that each host must have the EPSEC module installed. Even if a guest has the Thin Agent installed, the guest VM is not protected unless its host has both the Endpoint module and the SVA VM.

Before you install vShield Endpoint, you first need to apply the vCloud Networking and Security App license. To do so, perform the following steps:

  1. Log in to the vCenter Server where you have vCloud Networking and Security Manager registered.

  2. On the Home screen, click on Licensing.

  3. Click on...

vShield Endpoint – health monitoring


If you want to monitor the vShield Endpoint health status, look at the alarms that are shown in red on the vCenter Server. You can also look at the event logs to gather more status information. To get these, your vCenter Server must be configured correctly. The following points need to be taken care of:

  • Not all guest operating systems are supported by vShield Endpoint. Virtual machines with unsupported operating systems are not protected by the security solution. Refer to the KB article, which is available at http://kb.vmware.com/kb/1036847.

  • All hosts in a resource pool containing protected virtual machines must be prepared for vShield Endpoint, so that virtual machines continue to be protected as they are moved with vSphere vMotion from one ESXi host to another within the resource pool.
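The protection conditions stated in this chapter (Endpoint module and SVA on the host, VMware Tools 8.6.0 or later in the guest, a supported guest OS, and every host in the resource pool prepared for vMotion) can be checked against an inventory before relying on the vCenter alarms. The following Python is an added example, not code from the book or from VMware; the `Host` and `VM` records and the inventory in `run_example()` are constructed for illustration, not read from a real vCenter.

```python
from dataclasses import dataclass
REQUIRED_TOOLS = (8, 6, 0)  # VMware Tools 8.6.0 or later ships the Thin Agent (from the chapter)

@dataclass
class Host:                 # hypothetical record, not a vSphere API type
    name: str
    pool: str               # resource pool; matters for the vMotion caveat
    mux_installed: bool     # vShield Endpoint (MUX) module installed on the ESXi host
    sva_present: bool       # partner SVA deployed on this host

@dataclass
class VM:                   # hypothetical record, not a vSphere API type
    name: str
    host: str
    tools_version: str      # e.g. "8.6.0"; "" when VMware Tools is absent
    guest_supported: bool   # guest OS is on the vShield Endpoint support list

def parse_version(v: str) -> tuple:
    """Numeric comparison: "8.10.0" is newer than "8.6.0", although string order says otherwise."""
    return tuple(int(p) for p in v.split(".")) if v else (0,)

def unprotected(hosts, vms):
    """Map each at-risk VM name to the chapter's reasons it is not (or may not stay) protected."""
    by_name = {h.name: h for h in hosts}
    findings = {}
    for vm in vms:
        host = by_name[vm.host]
        reasons = []
        if not host.mux_installed:
            reasons.append("host lacks vShield Endpoint module")
        if not host.sva_present:
            reasons.append("no SVA on host")
        if parse_version(vm.tools_version) < REQUIRED_TOOLS:
            reasons.append("VMware Tools older than 8.6.0 (no Thin Agent)")
        if not vm.guest_supported:
            reasons.append("unsupported guest OS")
        # vMotion caveat: every other host in the same resource pool must be prepared too
        gaps = sorted(h.name for h in hosts if h.pool == host.pool and h.name != host.name
                      and not (h.mux_installed and h.sva_present))
        if gaps:
            reasons.append(f"resource pool '{host.pool}' has unprepared host(s): {', '.join(gaps)}")
        if reasons:
            findings[vm.name] = reasons
    return findings

def run_example():  # constructed inventory for illustration, not real infrastructure
    hosts = [Host("esx01", "A", True, True), Host("esx02", "A", False, True), Host("esx03", "B", True, True)]
    vms = [VM("web01", "esx01", "8.10.0", True), VM("db01", "esx02", "8.6.0", True),
           VM("legacy01", "esx03", "8.5.2", False), VM("app01", "esx03", "8.6.0", True)]
    return unprotected(hosts, vms)
```

Note that `web01` is flagged even though its own host is fully prepared: a vMotion to `esx02` would silently drop its protection, which is exactly the case the resource-pool rule above guards against.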

To properly monitor a vShield Endpoint environment, you need to look at the following three components:

  • The SVA

  • VMware ESXi host-resident vShield Endpoint...

Summary


VMware vShield Endpoint strengthens security for virtual machines while improving performance for endpoint protection. vShield Endpoint offloads the antivirus and anti-malware agent processing to a dedicated SVA that is delivered and supported by VMware partners. In this chapter, we have seen the architecture of EPSEC and how to implement it.

In the next chapter, we will talk about VMware vCloud Networking and Security Data Security. We will walk through the installation and configuration process. We will create a Data Security policy and show you how to perform a data scan. We will also review the violation reports that are generated by the vCloud Networking and Security Data Security scan.
