VMworld 2009 Booth Talk – Trend Micro Solutions Secure Virtual Servers

During VMworld 2009 I talked to Trend Micro about their virtualization protection solutions, some of which are based in part on VMware’s VMsafe APIs. Trend told me about their protection against virus and malware attacks, network intrusion, firewall integrity, and application threats in VMware virtual machines (VMs). After researching some more about what I heard in the Trend booth at the conference, I discovered Trend also offers a free product, VM Protection, for a maximum of 100 guests.

Antivirus and Malware

At the Trend Micro booth I was introduced to Core Protection for VMware Virtual Machines, and I learned that although virtual machines still require Trend Real Time Agents (RTA) installed in each VM, the protection workload is now isolated to a dedicated “scanning virtual machine”.

The virtualization RTA on each guest is a specialized version responsible only for scheduling and status monitoring, and is not the same agent that is installed with Trend’s physical server protection. The volumes and files of each guest are scanned directly on the VMFS datastore by the scanning VM, rather than by the RTA running on each virtual server.

The following diagram was copied from the Trend Core Protection data sheet and shows the logical design of the solution.

Some quick facts on Trend Core Protection:

  • The RTA can only run on Microsoft Windows 2000 Server, Windows XP Professional 32-bit, Windows Server 2003 (or 2003 R2) 32-bit, Microsoft Windows Server 2003 (or 2003 R2) 64-bit, Windows Server 2008, Windows Vista Enterprise 32-bit, and Windows Vista Business 64-bit
  • Protects both active and dormant virtual machines
  • New virtual machines are automatically set up for security scanning
  • Does not activate dormant VMs to scan or update them
  • Integrates tightly with the VMware vCenter
  • Enables central management from the same OfficeScan console used to manage desktops and physical servers.
  • Both the Core Protection server and the Scanning Virtual Machine require a Windows 2003 OS and license. The Core Protection Server can also be a VM.

My random impressions

The Trend engineer at the booth told me the current solution is designed for virtual server protection. Trend does not consider this offering to be adequate for desktop protection in a VDI scenario.

The fact that the RTAs are only available for Windows operating systems means that Linux shops cannot take advantage of Trend Core Protection.

Personally, I was a little surprised a Windows license is needed for the Scanning Virtual Machine. I expected this to be a lightweight Linux based appliance like so many other VMware partners use today.

The idea that dormant virtual machines can be a danger to a virtual environment was a new concept to me, but virtual machines are files in folders, and any compromised system that has access to the datastore can attack those volumes. VMFS may have a proprietary limitation for direct access, but a Windows VCB server presents a real threat. NFS datastores are also a more widely accessible point of entry.
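Because a powered-off VM is just a set of files that nothing should be writing to, a hash baseline of dormant VM folders is one way to notice tampering from another system with datastore access. The sketch below is an added example, not code from the original post or from Trend Micro. It assumes the datastore is reachable as an ordinary directory (for example an NFS export) with one folder per VM, and that a `.vswp` or `.lck` entry marks a running VM; the VM names and sample files are constructed.

```python
import hashlib
import os
import tempfile

VM_FILE_EXTS = (".vmx", ".vmdk", ".nvram")  # VM config, virtual disks, BIOS state

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream: disks are large
            h.update(block)
    return h.hexdigest()

def is_dormant(vm_dir):
    # Assumption: a powered-on VM leaves a .vswp swap file or .lck entry in its folder.
    return not any(n.endswith(".vswp") or ".lck" in n for n in os.listdir(vm_dir))

def manifest(datastore):
    """Map 'vmfolder/file' -> SHA-256 for each dormant VM folder on the datastore."""
    out = {}
    for vm in sorted(os.listdir(datastore)):
        vm_dir = os.path.join(datastore, vm)
        if os.path.isdir(vm_dir) and is_dormant(vm_dir):
            for name in sorted(os.listdir(vm_dir)):
                if name.endswith(VM_FILE_EXTS):
                    out[f"{vm}/{name}"] = sha256_file(os.path.join(vm_dir, name))
    return out

def compare(baseline, current):
    """A dormant VM's files should not change: report modified, added or missing."""
    def kind(old, new):
        return "missing" if new is None else "added" if old is None else "modified"
    return [(kind(baseline.get(p), current.get(p)), p)
            for p in sorted(set(baseline) | set(current))
            if baseline.get(p) != current.get(p)]

def demo():  # constructed datastore: web01 is powered off, db01 is running (.vswp)
    with tempfile.TemporaryDirectory() as ds:
        for vm in ("web01", "db01"):
            os.mkdir(os.path.join(ds, vm))
            for ext in (".vmx", "-flat.vmdk") + ((".vswp",) if vm == "db01" else ()):
                with open(os.path.join(ds, vm, vm + ext), "wb") as f:
                    f.write(b"constructed sample data")
        baseline = manifest(ds)
        for vm in ("web01", "db01"):  # both disks change; only web01 is dormant
            with open(os.path.join(ds, vm, f"{vm}-flat.vmdk"), "ab") as f:
                f.write(b"tampered")
        return compare(baseline, manifest(ds))
```

A VM that is powered on between two runs drops out of the manifest and is reported as missing, so the baseline should be refreshed whenever a VM's power state changes legitimately.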

Deep Security or VM Protection

Trend rounds out its virtualization security offering with a product called Deep Security. I did not discuss this product in much detail while at the booth, but according to Trend’s web page it is “a powerful, centralized management system that enables administrators to create security profiles and apply them to servers. With a centralized console for monitoring alerts and preventive actions taken in response to threats, it can be configured to automate or distribute security updates to servers on demand. It also enables you to generate reports for superior visibility and compliance.” It “combines intrusion detection and prevention, firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent.” Deep Security detects “suspicious activity and behavior, and take[s] proactive or preventive measures to ensure the security of the datacenter.”

VM Protection is a free version of Deep Security that can be used for up to 100 virtual machines. The following is a table comparing the features of the free and licensed versions and gives a better understanding of the protection possible with these products.

  • Dracolith

    Nice.. I'm wondering why they'd want to put scheduling in an agent running on the guest itself, instead of only on the management server.

    Seems like a risk in the security protection, if the VM being scanned is the VM running the agent that controls scheduling….

    I really like the idea of system scanners running outside the ability of possible hackers/malware running on the VM to tamper with the scanners/IDS (for avoiding detection).

  • doit1234

    How come VCB is a threat if it only mounts snapshots and not the virtual machine disk itself?! I see VCB as a threat only from a different perspective, not much different from a traditional Windows file server that you should lock and scan strongly…

  • http://vmetc.com rbrambley

    doit,

    The VCB is zoned to see the same LUNs that the ESX hosts access, and the VCB server actually mounts the entire VMFS volume – they show up as unrecognized in disk manager.

    VCB signals vCenter to create a snapshot in order to make a full image backup. VCB then copies the frozen .vmdk while the VM is running on the snapshot file – an important difference to understand both for VCB mechanics and for file version restores.

    In fact, if you are using Windows Server STD edition you have to turn off disk signaturing so that your 2003 server does not corrupt your ESX datastores. Enterprise edition and above have it turned off automatically.
