VMworld 2009 Booth Talk – Trend Micro Solutions Secure Virtual Servers
During VMworld 2009 I talked to Trend Micro about their virtualization protection solutions, some of which are based in part on VMware’s VMSafe APIs. Trend told me about their protection against virus and malware attacks, network intrusion, firewall integrity, and application threats in VMware virtual machines (VMs). After researching some more about what I heard in the Trend booth at the conference, I discovered Trend also offers a free product, VM Protection, for a maximum of 100 guests.
Antivirus and Malware
At the Trend Micro booth I was introduced to Core Protection for VMware Virtual Machines, and I learned that although virtual machines still require Trend Real Time Agents (RTA) installed in each VM, the protection workload is now isolated to a dedicated “scanning virtual machine”.
The virtualization RTA on each guest is a specialized version responsible only for scheduling and status monitoring, and is not the same agent that is installed with Trend’s physical server protection. The volumes and files of each guest are scanned directly on the VMFS datastore by the scanning VM, not by the RTA running on each virtual server.
The following diagram was copied from the Trend Core Protection data sheet and shows the logical design of the solution.
Some quick facts on Trend Core Protection:
- The RTA can only run on Microsoft Windows 2000 Server, Windows XP Professional 32-bit, Windows Server 2003 (or 2003 R2) 32-bit, Microsoft Windows Server 2003 (or 2003 R2) 64-bit, Windows Server 2008, Windows Vista Enterprise 32-bit, and Windows Vista Business 64-bit.
- Protects both active and dormant virtual machines.
- New virtual machines are automatically set up for security scanning.
- Does not activate dormant VMs to scan or update them.
- Integrates tightly with VMware vCenter.
- Enables central management from the same OfficeScan console used to manage desktops and physical servers.
- Both the Core Protection server and the Scanning Virtual Machine require a Windows 2003 OS and license. The Core Protection Server can also be a VM.
My random impressions
The Trend engineer at the booth told me the current solution is designed for virtual server protection. Trend does not consider this offering to be adequate for desktop protection in a VDI scenario.
The fact that the RTAs are only available for Windows operating systems means that Linux shops cannot take advantage of Trend Core Protection.
Personally, I was a little surprised a Windows license is needed for the Scanning Virtual Machine. I expected this to be a lightweight Linux-based appliance like so many other VMware partners use today.
The idea that dormant virtual machines can be a danger to a virtual environment was a new concept to me, but virtual machines are files in folders, and any compromised system that has access to the datastore can attack those volumes. VMFS may have a proprietary limitation for direct access, but a Windows VCB server presents a real threat. NFS datastores are also a more widely accessible point of entry.
Deep Security or VM Protection
Trend rounds out its virtualization security offering with a product called Deep Security. I did not discuss this product in much detail while at the booth, but according to Trend’s web page it is “a powerful, centralized management system that enables administrators to create security profiles and apply them to servers. With a centralized console for monitoring alerts and preventive actions taken in response to threats, it can be configured to automate or distribute security updates to servers on demand. It also enables you to generate reports for superior visibility and compliance.” It “combines intrusion detection and prevention, firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent.” Deep Security detects “suspicious activity and behavior, and take[s] proactive or preventive measures to ensure the security of the datacenter.”
VM Protection is a free version of Deep Security that can be used for up to 100 virtual machines. The following table compares the features of the free and licensed versions and gives a better understanding of the protection possible with these products.