cuongk6t's Blog

How they do that – step by step

VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2

leave a comment »


In my previous post, I described about vShield Endpoint. In this post, I will talk about the only real product which is actually using and design with this concept. Trend Micro Deep Security 7.5.

Before I started to roll out details, I would like to thank Trend Micro Australia’s help to give me support when I stuck. Thanks guys.

trenddp_08

What can Trend Micro Deep Security 7.5 do?

First time I saw this product is on the Vmware seminar. When Trend Micro representative standing on the stage and demonstrate how Deep Security can use only 20% of resource to scan in the virtualization environment.  That was mind blowing because imaging VDI and VMs are calling for schedule scan at same time. How much pressure it will cost to ESX Host? This product is only working with vSphere 4.1. It’s using vShield Endpoint and must use vShield point to do it’s job.   Well, at least, that’s what Trend Micro claimed. So is this true? Please continue to read.

Note: DS 7.5 is actually merely designed for VM environment. It means it’s not a complete solution at this stage. If you want to protect your physical boxes or workstation, you better still use OfficeScan product.

Deep Security provides comprehensive protection, including:

  • Anti-Malware (detect&clean virus)
  • Intrusion Detection and Prevention (IDS/IPS) and Firewall (malicious attack pattern protection)
  • Web Application Protection (malicious attack pattern protection)
  • Application Control (malicious attack pattern protection)
  • Integrity Monitoring (Registry & file modification trace)
  • Log Inspection (inspect logs and event on vm)

The interesting about DS 7.5 and vShield Endpoint is that none of this product can provide complete solution for end users. Each of them play a certain roles in the system. So the result is actually combination of both software.

Let’s take a look with clear table.

trenddp_09

Note:

My suggestion for installing is to install both vShield Endpoint Agent and DS Agent on your VMs. That’s the only way you can protect your VMs.

Components of Deep Security 7.5

Deep Security consists of the following set of components that work together to provide protection:

Deep Security Manager, the centralized management component which administrators use to configure security policy and deploy protection to enforcement components: Deep Security Virtual Appliance and Deep Security Agent. (You need to install it on one of windows server)

Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere environments, that provides Anti-Malware, IDS/IPS, Firewall , Web Application Protection and Application Control protection. (It will be pushed from DS manager to each ESX)

Deep Security Agent is a security agent deployed directly on a computer which can provide IDS/IPS, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection protection. (It need to be installed on the protected VMs)

As matter of fact, you need to download following files from Trend Micro website. Don’t forget to download filter-driver which will be pushed from DS Manager to each ESX host.

trenddp_10

Architecture of Deep Security 7.5

Let’s take a look.

trenddp_02

There should be only have one DS manager unless you want to have redundancy.

ESX Host must be installed with vShield Endpoint.

Each ESX has it’s own Virtual appliance.

Each VM should have both vShield Endpoint and DS Agent installed.

How does Deep Security 7.5 work?

trenddp_16

For malware and virus check:

DS is using vShield Endpoint to monitor protected VM memory. The vSheild Endpoint Agent (or AKA vShield Endpoint thin driver) will open a special channel to allow DS virtual appliance to scan it’s memory via special vSwitch which is running on ESX kernel driver layer.

Since VMware needs to make sure the isolation of VMs traffic and memory, hard disk and no other application should breach this protection, vShield Endpoint is a back door opened by VMware to let third party to scan VM content legally and logically.

For registry keys and logs and other components of VM, we have to relay on DS Agent because vShield Endpoint can allow do so much. That’s why the solution must combine both vShield Endpint and DS agent.

Install Deep Security 7.5

I did encounter some interesting errors during the installation.

But let’s sort out the steps of installation first.

  1. Install Endpoint on your VMware ESXs.
  2. hostInstall DS manager on one of your windows box.
  3. Push Virtual Appliance, filter driver to each ESX host. It will add a appliance into vShield protected vSwitch. Filter driver will be loaded in the ESX kernel.
  4. Install DS agent, vShield Point Agent on VMs you want to protect.
Install Endpoint on your VMware ESXs.

Please click here to see how to do it.

Install DS manager on one of your windows box

Those are easy step. I believe any admin can do his job well.

Let’s me skip some easy parts.

trenddp_11

skip,skip

trenddp_12

Once you finish installation of DS Manager. You need to configure the DS Manager.

trenddp_13 trenddp_14

trenddp_15

This is really tricky part. What are those IP for?

The answer is those IP must not be occupied and it must be in the same subnet as rest of your vShield components are.

Check out this diagram and find out your own vShield  subnet.

On your ESX host(which has Endpoint installed already), you should find this.

trenddp_17

so what’s your vSheild Subnet?

The rest is easy part. skip,skip

trenddp_18

trenddp_19

Basic Configure DS Manager

By now, you have already connect to vCenter and vShield Manager. You suppose to see something like that.

trenddp_20

Notice nothing is actually managed and ready. That’s because you need to “Prepare ESX”.

Notice:

Before you “Prepare ESX”, you need to make sure vShield Endpoint has already installed and you have already download all DS components.

trenddp_21

trenddp_22

If you didn’t setup your vShield subnet correct, you will run into this error.

trenddp_23

In my case, I just need to right click vCenter->Properties-> Network Configuration

trenddp_24

please be aware you need to put your ESX into maintenance mode and restart it in terms of pushing DS virtual appliance and filter driver.

trenddp_25

You need to import your downloaded files into DS Manager. If you didn’t import before, you will have chance to import again or download.

trenddp_26

As usually, I skip some steps.

trenddp_27

trenddp_28

Here is another tricky. Because my ESX has different default IP as DS default. so once the DS Manager deploy the virtual appliance to ESX, the appliance only has default DHCP IP which is wrong in my case also the virtual network is also wrong. I encounter this problem.

trenddp_29

All what you need to do is to jump on ESX and virtual appliance console to change IP of that appliance. The default username and password is dsva.

trenddp_30

trenddp_31

Once you changed the IP, reboot this VM. Go back to DS Manager and double click dsva object to activate it.

trenddp_32

Make sure the security profile is loaded. That’s very important!!

trenddp_33

System will automatically offer you some VMs to protect. You can choose “no” at this stage. Why? because you haven’t installed vShield Endpoint agent and DS agent on your VMs yet.

trenddp_34

By now, the installation steps have finished here.

In my next post, I will talk about how to configure Trend Micro Deep Security 7.5 and performance result comparing with OfficeScan and virus testing.

Let me show you a picture what a DS manager look like when a VM is fully protected to finish this post.

trenddp_36

Reference:

Trend Micro Deep security installation guide

Trend Micro Deep security User guide

source: http://geeksilver.wordpress.com

cuongk6t – Nguyen Quoc Cuong

Written by cuongk6t

29/11/2011 at 11:18 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: