This post originally appeared in VMUG Compass quarterly magazine, Volume 01, Issue 01.
Secret’s Out: Why this approach doesn’t intrude on the hypervisor level and other answers to those questions holding you back.
We all understand the benefits of virtualization: creating a more dynamic and flexible data center. However, in the effort to embrace these solutions, we often continue to deploy traditional methods of security. To address this changing landscape — from physical to virtual to software-defined requires an approach that combines a proven threat-protection technology with an innovative architecture for agentless security protection.
The underlying problem is that, as engineers, we are apprehensive about a new solution that intrudes on the resources and process within our physical hosts. We come from an understanding that nothing touches the hosts unless it’s absolutely necessary. We don’t want a third-party product introducing a new service or process that could potentially obstruct the hypervisor.
The truth around agentless security is that it doesn’t intrude on the hypervisor level; it’s done through virtual appliances. The process is another subset of virtual machines running under your managed cluster of hosts.
As I visit with various engineers or administrators, I often hear the same set of questions. It’s important to go through these concerns to achieve a level of comfort and discover what these hypervisor-based security solutions are all about.
"IS THE AV SCANNING DONE ON THE ESXI HYPERVISOR?"
This is the most common question I am asked when discussing agentless-based security within VMware. It’s a great question, and it’s probably the most communal reasoning that many administrators tend to stick to a traditional form of agent-based security.
The short answer is no, so don’t get scared away. Agentless-based security is managed through VMware APIs that interact with an appliance managed by the host. The process is actually very simple: A virtual appliance is deployed to the host, which then uses VMware vShield Endpoint and a vFilter driver to communicate with ESXi directly. The resource commitment of traditional AV scanning, recommendation scanning or reconnaissance scans are now all managed through the appliance. The appliance is then tied specially to that host, which can be done through DRS rules or placed on the host’s local storage.
I’ve piqued your interest, right? Now we should all be comfortable in saying that the hypervisor itself is not affected. To summarize, nothing other than vShield and the vFilter driver are installed on the host, both of which are products from VMware.
"WHAT ABOUT MY VDI ENVIRONMENT?"
I require a strict security posture when it comes to desktops. It’s the same concept and process — and all automated. As your virtual desktops are spun up daily or on your specific schedule, they are automatically protected through that same appliance running on your host. Even if you’re not using VMware Horizon and instead have XenServer or even — *gasp* Hyper-V, those products would just require an agent to be installed.
"WHAT ABOUT MY PHYSICAL, OR EVEN CLOUD- BASED INFRASTRUCTURE?"
Once we have progressed to this point in the questioning, we now focus around administration. No one has the time to manage a completely separate infrastructure from your physical servers or your hybrid cloud.
What if you could manage everything from a single console? A single pane of glass to manage your physical-, virtual- and cloud-based infrastructure security. It’s true that you cannot manage your physical and cloud infrastructure without an agent; that’s a benefit of the partnership with VMware and access to their host level APIs. It’s still an option to deploy agent-based security directly to each physical or cloud server and manage them from the same console, manage the same policies and the same process.
"I GET THAT IT’S AGENTLESS, BUT WHAT DOES THAT REALLY GET ME?"
This question comes down to solving your specific business need. What is your overall goal? Is it ease of administration, reducing overall license costs, performance or maybe compliance? Agentless security software can address all of these goals and more.
Compliance is critical for most organizations, so optional modules like intrusion prevention/firewall, integrity monitoring and log inspection, all combined with an included anti-malware component, can provide a full suite of protection and ensure compliance.
Let’s tackle the remaining examples to these goals with a single concept: It’s agentless! No agent to deploy means no updates, no pattern files and little management overhead. The same notion applies for goals specific to ROI: No agent translates to less resource utilization on the ESXi host, increasing density and reducing licensing costs.
Lastly, of course, performance is always questioned. Not to be repetitive, but there is no agent; there is nothing installed on the virtual machines; there are no scans, no updates to signatures or patterns.
It’s common that a business will address challenges within the virtual space with a familiar approach. When virtualization was a new concept, it took the corporate world several years to really understand what it is and what it’s really capable of. Now that we’re here, in a virtualized data center, we need to secure it with the same type of innovation and forward thinking.
Jeff Westphal // // works as a senior sales engineer for Trend Micro with a focus on cloud and data center security solutions. Westphal has more than 12 years of experience in server technologies including Citrix, AD, Exchange, VMware and HyperV. He is also a part time IT instructor at a local technical. Westphal currently holds multiple VMware certifications including the VCAP-DCA and DCD, and is actively pursuing his VCDX.