cuongk6t's Blog

How they do that – step by step

VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 1

leave a comment »


This is going to be a long post regarding vShield Endpoint and Trend Micro Deep Security 7.5. In this post, I will go through What is Endpoint, DP 7.5. How to install and basic configuration. How system work and performance comparison between two Trend products. Deep Security and OfficeScan.

Like what I said, this is going to be a long post. Let’s turn to Page one. ;)

In my past posts, I have describe what vShield is and different modules of vShield. You can find my previous post from here.

What is vShield Endpoint?

Let’s take a look what vShield is.

Strengthen security for virtual machines and their hosts while improving performance by orders of magnitude for endpoint protection, with VMware vShield Endpoint, part of the VMware vShield family. Offload antivirus and anti-malware processing to dedicated security-hardened virtual machines delivered by VMware partners. Leverage existing investments and manage antivirus and anti-malware policies for virtualized environments with the same management interfaces as physical environments.

  • Streamline and accelerate antivirus and anti-malware deployment
  • Improve virtual machine performance and eliminate antivirus and anti-malware bottlenecks
  • Reduce risk by eliminating agents susceptible to attack and enforce remediation more easily
  • Satisfy audit requirements with detailed logging of antivirus and anti-malware activities

This is what you can read from vmware.com. But what vShield Endpoint real does is a set of common interface or opening window to let third Party Anti-virus virtual appliance to scan/query memory of ESX host. If  you do remember what Vmware said about memory of each individual VM is secured separated for each VM. Well, vShield Endpoint is a back door to allow certain VM (like virtual appliance) to access all VMs memory at same time. As we all know, all information has to go through memory. Regardless it is opening ports or data saved on the virtual harddisk. However, it ain’t entire solution. As matter of fact, it can only do part of solutions. It can open window to AV appliance to scan memory, use firewall rule to deny unwanted access but it doesn’t understand registry key and logic structure of your servers.

How does vShield Endpoint work?

trenddp_03

The endpoint doesn’t have it’s own VM in the system unlike vApp and Edge. Well, in fact it does require a virtual appliance but it’s provided by third party.

Endpoint will install a special module in your ESX.

trenddp_01

This module will read data from protected VM and handled it to third party appliance to check virus/malware. This third party will sit in a secured vSwitch which will only be accessed by special module in ESX host. From protected VM angle, CPU usage is very low and memory utilization is low as well. The resource consumption has been transferred and reduced to AV appliance. But it doesn’t mean Hard disk are not used. We will discuss it in performance section.

What you need to do is to enable Endpoint on your host. Install Endpoint driver (or thin agent) on VMs you want to protect. Then, install third party appliance and everything will be fine.

How to install vShield Endpoint?

This procedure is similar as vEdge and vApp.

trenddp_04

trenddp_05

trenddp_06

Once you have install everything including Endpoint, and thirdparty of Antivirus. You will see something like this.

trenddp_07

Well, for more details, please wait for second post. I will review Trend Micro Deep Security 7.5 and how to install, configure.

source: http://geeksilver.wordpress.com

cuongk6t – Nguyen Quoc Cuong

Written by cuongk6t

29/11/2011 at 11:16 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: