THREAT PROTECTION FOR VIRTUAL SYSTEMS #ILTACON #ILTA156
Jim P. Nixon, Application Support Manager, Seyfarth Shaw LLP, jnixon@seyfarth.com
IN THE PAST, TRADITIONAL SOLUTIONS DIDN'T THINK ABOUT VIRTUAL WORKLOADS
OVERVIEW OF TECHNOLOGIES
TODAY'S APPROACHES TO SECURING WINDOWS
- Traditional: signature-based scanning & blocking
- Application Control: uses a number of methods for controlling applications
- Privilege Management: applications run with standard privileges unless exceptions are made
APPLICATION CONTROL
- Application whitelisting: deny by default and execute only trusted executables
- Application blacklisting: the opposite of whitelisting
- Application sandboxing: the use of virtualization to control application access privileges & behavior by policy
APPLICATION WHITELISTING
- Arguably the best for security, but terrible for the end-user and the administrator
- Difficult to manage: adding and removing applications is time consuming and requires a full-time role
- Whitelist database creation: must use monitoring tools to record trusted application behavior
- Can be used with verified publisher lists with certificate checking
- Patching can be difficult if file hashes or signatures change
APPLICATION BLACKLISTING
- The basis of anti-virus software and the most commonly used method
- Much easier on administrators and end-users since it only targets software that is known to be malicious
- Considered inadequate on its own against the modern threats that exist today
- Provides the best system performance when used with image pre-scanning
APPLICATION SANDBOXING
- Applications are isolated and only access the system resources exposed in the container they run in
- Isolates untrusted applications & code
- Includes virtualized OSs, virtual files & folders, memory, etc.
- Usually driven by policy from a centralized platform
- Can cause problems with integration points, since applications may not be aware of one another
PRIVILEGE MANAGEMENT
- Applications generally run with standard user privileges regardless of the user's permissions on the machine
- Legacy applications can be configured to run with elevated privileges if the user account is restricted
- Centrally managed by policy
- Commonly used with blacklisting technologies as a layered approach
TRADITIONAL ANTI-VIRUS & MALWARE OPTIONS
- Agents are installed on each virtual guest and managed centrally
- The full processing load is carried within each guest, with no information shared centrally or with other guests
- Signature/string-based and heuristic scanning
- Reliance on downloaded signatures being up to date
- Scheduled definition updates and scans
TRADITIONAL SCANNING ARCHITECTURE
PERFORMANCE CONCERNS WITH VIRTUAL ENVIRONMENTS
- Traditional agents installed in guests can run scheduled tasks simultaneously, causing performance issues on virtualization hosts
- Non-persistent VDI guests may need to re-download older definition files after each reboot
- Default or misconfigured policies can impact scalability
IN THE END, ALL OF THIS LEADS TO A POOR SYSTEM PERFORMANCE!
WHAT TECHNIQUES ARE VENDORS USING TO SOLVE THIS?
WHAT TECHNIQUES ARE VENDORS USING TO SOLVE THIS?
- Offloading: a light agent is installed in each guest, which offloads scanning and other tasks
- Image pre-scanning: creates a hash database (safe list) to reduce scanning overhead
- Best-practice policies that improve performance but adhere to your company's security policies
HOW OFFLOADING WORKS
- One type of offloading communicates with a dedicated scanning server over the network
- One advantage of using the network is that the dedicated scanning VMs can be on different physical hosts
- The second type of offloading is direct communication with the hypervisor
- Communicating directly with the hypervisor can save additional resources compared to the network offload method
- Pre-scanning the image allows a light version of the agent to forward files to the scanning server over the network
OFFLOADING ARCHITECTURE
LIGHT AGENT VS. AGENTLESS
- Agentless solutions use hypervisor-aware integration points
- Agentless solutions tend to have fewer features (e.g. only file- and network-level protection)
- Light agents can be as full-featured as traditional solutions (e.g. firewall, memory scanning, process protection)
COMMON BEST PRACTICES WHEN CONFIGURING SCANNING POLICIES
- Disable security add-ins and use gateway products for Exchange and web browsing
- Exclude hypervisor-recommended file locations (VMware Tools, etc.)
- Disable scanning on reads if possible
- Disable heuristic scanning if possible
- Use the Windows native firewall instead of the security vendor's
TESTING RECOMMENDATIONS (ALWAYS TEST!)
- Use the EICAR test file to test AV-excluded directories
- Make sure needed utilities are not restricted or broken by your solution
- Monitor processor and storage overhead with your favorite tool
- For VDI, perform scalability testing with your favorite tool
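As an added example (not from the deck or from any vendor named in it), the PowerShell check below ties the exclusion advice to the EICAR test: it drops the EICAR test file into an excluded directory and into a control directory and reports whether each behaves as the policy intends. The directory paths, wait time and file name are assumed placeholders for your own environment.

```powershell
# Added example: verify that AV exclusions behave as intended by dropping the
# EICAR test file into an excluded path and into a non-excluded control path.
# Assumptions (placeholders): $ExcludedDir is a path your scanning policy excludes
# (writing there usually needs admin rights), $ControlDir is not excluded, and the
# real-time engine quarantines a detection within $WaitSeconds.
param(
    [string]$ExcludedDir = 'C:\Program Files\VMware\VMware Tools',  # placeholder
    [string]$ControlDir  = "$env:TEMP\av-exclusion-check",          # placeholder
    [int]$WaitSeconds    = 15
)

# The standard 68-byte EICAR string, assembled from fragments so that this script
# itself is not flagged when it sits on disk.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

function Test-EicarDrop {
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir -Force | Out-Null }
    $path = Join-Path $Dir 'eicar-test.com'
    try {
        # ASCII, no BOM, no trailing newline: the engine expects the exact 68-byte file
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # Some engines block the write itself; treat that as a detection
        return [pscustomobject]@{ Path = $path; Survived = $false; Note = "write blocked: $($_.Exception.Message)" }
    }
    Start-Sleep -Seconds $WaitSeconds
    $survived = Test-Path $path
    if ($survived) { Remove-Item $path -Force -ErrorAction SilentlyContinue }   # clean up after the test
    [pscustomobject]@{ Path = $path; Survived = $survived; Note = '' }
}

$excluded = Test-EicarDrop -Dir $ExcludedDir
$control  = Test-EicarDrop -Dir $ControlDir

# Expected: the file survives in the excluded directory (exclusion is in effect) and is
# removed from the control directory (real-time protection still works everywhere else).
$excludedOk = $excluded.Survived
$controlOk  = -not $control.Survived

[pscustomobject]@{ Check = 'Excluded path left alone';    Pass = $excludedOk; Detail = $excluded.Path }
[pscustomobject]@{ Check = 'Non-excluded path protected'; Pass = $controlOk;  Detail = "$($control.Path) $($control.Note)" }
if (-not ($excludedOk -and $controlOk)) { exit 1 }
```

Run it once per golden image after changing exclusions; a failing first check means the exclusion is not actually applied, and a failing second check means the exclusion is broader than intended or real-time protection is off.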
SOLUTIONS AVAILABLE TODAY
COMMON FEATURES OF VIRTUAL-AWARE SOLUTIONS
- Use offloading to a network scanning appliance (SVA)
- Support tight integrations with the most common hypervisors (e.g. agentless)
- Pre-scanning of golden images
- Some have default exclusions for broker and hypervisor components
BITDEFENDER GRAVITYZONE
- Multiplatform: can be used on any hypervisor platform
- Virtual-aware default settings
- Agentless option uses vShield for file system access
- New HVI (Hypervisor Introspection) feature for XenServer 7 users: agentless, real-time memory scanning and monitoring
MCAFEE MOVE MULTIPLATFORM & AGENTLESS
- Multiplatform: can be used on any hypervisor platform
- Agentless option uses VMware vShield, NSX or vCNS for high-speed hypervisor integration
KASPERSKY VIRTUALIZATION SECURITY
- Agentless option uses vShield or NSX for file system access
- Supports wildcard exclusions
TREND MICRO DEEP SECURITY
- Agentless option uses vShield or NSX
- Integrates with various cloud platforms, including Azure, Amazon EC2 and VMware vCloud
BROMIUM ADVANCED ENDPOINT SECURITY
- A different approach, which uses micro-virtualization to isolate processes
- vSentry combines proactive isolation and contextual enforcement
- Seamless to end users
- One of the few solutions that can deal with 0-day threats
EXCELLENT RESOURCE FOR UNDERSTANDING ANTIVIRUS IMPACT ON VDI
THE PROJECT VRC TEAM EVALUATED THE FOLLOWING SOLUTIONS
- Microsoft Forefront (discontinued)
- McAfee MOVE & Enterprise editions
- Symantec Enterprise Edition
RESULTS
- Microsoft Forefront (discontinued) had the least overhead when pre-scans were performed
- McAfee MOVE 2.0 was second, even with offloading
- Symantec Enterprise Edition came in last
BUT!
NO REAL WINNER SINCE THEY WORK SO DIFFERENTLY ON DIFFERENT PLATFORMS
REFERENCES
- Bromium Advanced Endpoint Security
- Project VRC whitepapers and analysis
- Trend Micro Deep Security
- Kaspersky Virtualization Security
- McAfee MOVE
- Bitdefender GravityZone