JUNIPER NETWORKS VGW VIRTUAL GATEWAY ANTIVIRUS ARCHITECTURE

White Paper

JUNIPER NETWORKS
VGW VIRTUAL GATEWAY
ANTIVIRUS ARCHITECTURE

Copyright © 2012, Juniper Networks, Inc.             1
White Paper - Juniper Networks vGW Virtual Gateway Antivirus Architecture

                       Table of Contents
                       Executive Summary
                       Introduction
                       Typical Antivirus Use Cases
                           Use Case 1: Compliance
                           Use Case 2: Public Cloud/Multi-tenant Hosting
                           Use Case 3: Virtual Desktop Infrastructure (VDI)
                       vGW Virtual Gateway Antivirus Protection
                       The Value of vGW On-Access Scanning
                       The Value of vGW On-Demand Full Disk Scanning
                       VM Memory Usage
                       VM Disk Usage
                       Conclusion
                       About Juniper Networks

                       List of Figures
                       Figure 1: On-access scanning
                       Figure 2: On-demand scanning
                       Figure 3: Performance comparison of no antivirus, vGW, and competitive solution
                       Figure 4: VM memory usage (MB)
                       Figure 5: VM disk usage (MB)


                        Executive Summary
                        Virtual machines (VMs) run the same software stack (operating system and applications) as physical machines.
                        As such, they are just as susceptible to virus and malware attacks as their physical counterparts. An infected VM
                        can not only wreak havoc by bringing down the hypervisor host and affecting tens to hundreds of VMs on that host,
                        but can also carry the infection to other hypervisor hosts via technologies like VMware vMotion live migration,
                        propagating it across the entire virtualized data center.
                        Virtualized environments demand efficient resource sharing among VMs and their applications, and they demand
                        proper protection against malware attacks. The problem with traditional agent-based antivirus solutions is that they
                        were not designed for virtual environments. They are resource intensive and have led customers to encounter problems
                        such as antivirus storms and brownouts. In addition, “thick agents” consume a lot of memory and disk and waste
                        resources by duplicating tasks like signature updates for each VM on the hypervisor host.

                        Introduction
                        What organizations require to meet today’s VM challenges is hypervisor-based antivirus protection that has minimal
                        impact on memory and disk usage, and is optimized to leverage the virtualized infrastructure in a way that delivers
                        malware protection while preserving the benefits of virtualization like VM consolidation ratios.
                        Juniper Networks® vGW Virtual Gateway is exactly this type of solution. vGW Virtual Gateway delivers security without
                        compromising virtualization benefits. Moreover, it is integrated with the vGW hypervisor-based stateful firewall to ensure
                        that detection is coupled with industry-leading enforcement capabilities. Also, all vGW security and visibility features are
                        managed from a centralized management console to guarantee administrative efficiency and reduce errors.
                        This paper will review common antivirus use cases and explain how the vGW Virtual Gateway eliminates conventional
                        scanning challenges like antivirus storms and brownouts, while maintaining the VM’s security posture.

                        Typical Antivirus Use Cases
                        Three common use cases for antivirus software include compliance, public cloud/multi-tenant hosting, and virtual
                        desktop infrastructure (VDI).

                        Use Case 1: Compliance
                        Virtualized environments are not exempt from regulatory and compliance requirements. In fact, certain regulations—
                        including Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX), Gramm-Leach-Bliley
                        Privacy Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data
                        Security Standard (PCI DSS)—require that companies deploy antivirus protections as an added layer of protection
                        toward the prevention of data breaches. For example, the PCI DSS has 12 compliance requirements—the fifth of which
                        is dedicated specifically to antivirus.
                        In order to remain “virus vigilant and compliant,” organizations must use and regularly update antivirus software on
                        all systems commonly targeted by malware. They must also choose antivirus software that is capable of real-time
                        detection of threats and can provide reports to show which resources (e.g., PCI resources) are protected and which
                        may have suffered from an attack. This is the only way that direct and timely action can be taken to mitigate risks.

                        Use Case 2: Public Cloud/Multi-tenant Hosting
                        To compete in the ever-growing cloud hosting market, providers must be able to deliver seamless, high-quality service,
                        meaning that the fewer performance issues they need to contend with, the better. They also need to deal with the fact
                        that cybercriminals are becoming more resourceful, making it increasingly difficult to identify and mitigate the risks
                        associated with web-based malware. For these reasons, antivirus solutions have emerged as critical for the protection
                        of VM availability and integrity against common threats. This is especially true for the VMs of hosted tenants who rely
                        on the cloud service provider to deliver VM performance guarantees.
                        The problem with typical antivirus strategies is that they can degrade VM and hypervisor performance. For example,
                        if a VM uses 50 percent of its processor power to scan every file, then the applications that VM is hosting are sure to
                        suffer in performance. If 20 VMs are simultaneously running antivirus scans, that concern becomes severe performance
                        degradation of the entire hypervisor and all guest VMs. In a cloud hosting environment, this could mean business
                        process outages for tenants and a poor online experience for their customers. The key to a winning antivirus strategy
                        lies in avoiding this “all at once” monopolization of resources. A winning antivirus solution should enable a provider to
                        define scanning requirements, and should be intelligent enough to schedule and perform the scanning based on
                        resource availability. It should also enable organizations to schedule the scans to run on a periodic basis.


                       Customers moving to the public cloud for hosting of their business assets and applications should not have to make a
                       choice between securing their VMs and performance. In this sense, it is a customer’s responsibility to seek out hosting
                       providers who have provisioned purpose-built, virtualization-specific security suites that offer VM protections at
                       scale. And it is a provider’s responsibility to add as many valuable services as possible, including providing client-less
                       antivirus service via on-demand scans so as not to impact end user business uptime.

                       Use Case 3: Virtual Desktop Infrastructure (VDI)
                       Antivirus protections are imperative for VDI environments. If proper steps are not taken, it can be risky to virtualize
                       desktops and run VDI VMs in the heart of the data center alongside other regular data center VMs. End users who are
                       accessing virtual desktops are doing so from a new location—the virtualization platform—which is closer to protected
                       resources (e.g., finance VMs). Should users continue to perform unknown and potentially dangerous activities (such as
                       downloading malicious content, probing or hacking the network), any negative impact could be much further reaching.
                       This makes it extremely important to analyze the connection point and privileges for a physical desktop or laptop, as
                       well as a hosted virtual desktop. Not only should network connections be protected, but VDI VMs should be scanned
                       frequently for the presence of malware or infected files.
                       Although an infected image may be cleaned in a VDI environment, the new image that replaces it can still be
                       susceptible to infection. This can be dependent on the behavior responsible for the initial infection (e.g., download of
                       infected file from a malicious website). If this behavior is repeated, it can result in a recurring VM infection that can
                       potentially be passed along to other users in the shared VDI environment. This shared virtual location means that a
                       user who is continually infecting a VM is now in a position to exacerbate the issue by continually infecting other VMs on
                       the virtual platform. While a single rogue user who keeps infecting a physical laptop may not be a big problem, having
                       that same user infect a VDI VM and then spread that infection to other VMs is a huge problem.
                       Simply relying on the image restore capabilities of VDI does not preclude a user from needing proper virus protection.
                       Constant rebuilding of VM images in a VDI environment can contribute to performance bottlenecks and management
                       overhead. For example, if a VM gets reset to a clean image state because a virus infection occurred, it may be necessary
                       to download and reapply updated operating system patches to the VM. This is compounded by the need to be vigilant
                       about ensuring that the image is not infected or does not contain old versions of vulnerable software or configuration
                       settings that have been altered for security since the image was created.
                       Antivirus storms are yet another concern in environments with a large number of VDI VMs. These occur when VMs
                       simultaneously attempt to retrieve signature updates and conduct malware scans. During such a storm or brownout, a
                       VDI environment can experience extreme lag or, in the worst case, come to a halt (recall that VDI VMs are guests of a
                       single host and share its hardware resources).
                       Moreover, the dynamic nature of provisioning desktops and their overall load in a virtualized environment make
                       capacity planning difficult. Even if the user desktop can run traditional antivirus software within the individual VM, the
                       cumulative performance impact of many VMs loaded individually with antivirus software can be profound. This directly
                       affects the total number of virtual desktops that can be supported within the environment, and it decreases the
                       expectations of return on investment for virtualization software and hardware.
                       Together, these considerations further the case for virtualization-specific antivirus that enables proper management of
                       scans through an agent-less approach to reduce antivirus impact on VDI systems.

                       vGW Virtual Gateway Antivirus Protection
                       vGW Virtual Gateway can help resolve the antivirus issues for these use cases and others. vGW, which includes
                       virtualization-specific antivirus, provides malware protection (from viruses, worms, and spyware) with minimal impact
                       on VM memory and disk. The vGW antivirus engine provides optional on-access and on-demand scanning so that
                       administrators can choose to scan files in real time, use the completely agent-less offline approach, or both. With
                       numerous options for when and what to scan, organizations can optimize their antivirus scanning mechanisms for
                       performance in the most cost-effective manner by obviating the need to buy licenses for all VMs or run CPU-intensive
                       applications on all guest VMs.
                       The vGW antivirus feature provides improved security and flexibility that agents alone cannot provide through:
                       • Use of its kernel module installed on the VMware ESX/ESXi host hypervisor
                       • Its management integration
                       • Its ability to scan VMs with only a light installation on the VM through its vGW Endpoint
                       • Its ability to scan VMs entirely without any installation on the VM through its on-demand feature


                        The Value of vGW On-Access Scanning
                        The vGW on-access scanning option, with settings that can easily be adjusted and fine-tuned to an organization’s
                        precise needs, protects VMs in real time against the downloading or execution of malicious content. It does so by
                        detecting malware or viruses on VMs, quarantining the infected files or the infected guest VMs themselves, and enabling
                        the definition of a remediation plan. With these features, organizations can prioritize scanning processes and optimize
                        performance by lowering memory and CPU usage and decreasing disk I/O.
                        If an IT administrator is trying to save a file (e.g., from a file share), the vGW will trap the call, intercept the file, and
                        scan for malware. If the file is found to be infected, vGW will quarantine it and alert stakeholders. This is a critical
                        optional scanning mechanism of the antivirus module within the vGW product that can essentially ensure that VMs,
                        especially highly critical VMs, high-risk VDI VMs, or file servers do not end up infecting other VMs. And this is all
                        accomplished in a very computationally efficient way to ensure that scans do not consume so much memory that they
                        disrupt VM operation.

                        [Figure 1: On-access scanning. One antivirus engine, one signature database, small agent on VMs. The Security VM
                        (SVM), holding the AV engine and signature database, runs alongside guests VM1, VM2 and VM3 on the ESX or ESXi
                        host, above the VMware kernel, the vGW engine and the hypervisor. Steps: (1) install the small agent on the VM;
                        (2) file accesses are captured by the agent and sent to the SVM; (3) on-access AV scan; (4) scan results are cached
                        for performance.]

                                                                                   Figure 1: On-access scanning

                        Figure 1 shows the basic four-step process for completing an on-access scan. Additionally, for on-access scanning,
                        vGW must authenticate the vGW Endpoint system with the Security VM, which is installed on each host and contains
                        the antivirus signature database and scanning engine. This authentication step prevents a spoofed Security VM from
                        being set up to receive files from guest VMs. Once vGW has established the authentication between the components,
                        it allows traffic to flow between them so that files can be validated as clean. Files that are not clean are written to
                        a quarantine location on the guest VM (i.e., quarantined files are isolated within each guest VM). At this point,
                        administrators can either delete a file from quarantine or transfer it out of quarantine (the file is altered so that it
                        cannot infect anything else and is sent to the vGW administrator’s system, where it can be analyzed and, if appropriate,
                        restored).
                        The on-access disk scanning feature further protects the guest VM from viruses already resident on it by allowing a
                        scheduled offline full or partial disk scan.
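The flow described above, as an added simulation that is not vGW code: a light in-guest agent (step 1) traps a file write and sends the content to the host's Security VM (step 2), the SVM matches it against its one signature database (step 3) and caches the verdict by content hash so identical files are not rescanned (step 4), and an infected file is kept only as a neutralised copy in an in-guest quarantine that an administrator can delete or export. Before any file leaves the guest, the agent authenticates the SVM with a challenge-response over a shared secret, which is the authentication the paper says blocks a spoofed Security VM. The class names, the shared secret, the signature pattern and the sample files are all constructed for this example; the HMAC challenge is an assumption about how such authentication could be done, not a description of vGW's actual protocol.

```python
# Added example (not vGW code): simulation of the on-access flow in Figure 1.
# Names (SecurityVM, OnAccessAgent, SpoofedSVM), the shared secret, the
# signature list and the sample files are all constructed for illustration.
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SecurityVM:
    """One per ESX/ESXi host: holds the single AV engine and signature database."""
    shared_secret: bytes                        # assumed to be provisioned by the management console
    signatures: dict[str, bytes]                # constructed: signature name -> byte pattern
    cache: dict[str, str | None] = field(default_factory=dict)   # step 4: sha256 -> verdict
    scans_performed: int = 0

    def prove_identity(self, nonce: bytes) -> bytes:
        """Answer an endpoint's challenge; only a holder of the secret can do this."""
        return hmac.new(self.shared_secret, nonce, hashlib.sha256).digest()

    def scan(self, content: bytes) -> str | None:
        """Step 3: signature match. Returns the signature name, or None if clean."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.cache:                # step 4: identical content already has a verdict
            return self.cache[digest]
        self.scans_performed += 1
        verdict = next((name for name, pat in self.signatures.items() if pat in content), None)
        self.cache[digest] = verdict
        return verdict


class SpoofedSVM:
    """A rogue VM that claims to be the Security VM but does not hold the secret."""
    def prove_identity(self, nonce: bytes) -> bytes:
        return secrets.token_bytes(32)


@dataclass
class OnAccessAgent:
    """Stand-in for the light vGW Endpoint inside a guest VM (step 1)."""
    shared_secret: bytes
    svm: SecurityVM | None = None
    quarantine: dict[str, bytes] = field(default_factory=dict)   # isolated inside this guest

    def attach(self, candidate) -> bool:
        """Challenge-response before any file is allowed to leave the guest."""
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.shared_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, candidate.prove_identity(nonce)):
            return False
        self.svm = candidate
        return True

    def on_file_write(self, path: str, content: bytes) -> str:
        """Step 2: the trapped file write is sent to the SVM for a verdict."""
        if self.svm is None:
            raise RuntimeError("refusing to scan: no authenticated Security VM")
        verdict = self.svm.scan(content)
        if verdict is None:
            return "clean"
        # Infected: keep only a neutralised (base64-wrapped) copy in quarantine,
        # which an administrator can later delete or export for analysis.
        self.quarantine[path] = base64.b64encode(content)
        return f"quarantined:{verdict}"

    def export_from_quarantine(self, path: str) -> bytes:
        """Administrator action: hand over the neutralised copy and drop it from the guest."""
        return self.quarantine.pop(path)


if __name__ == "__main__":
    svm = SecurityVM(b"constructed-host-secret", {"Constructed.Marker": b"CONSTRUCTED-MALWARE-MARKER"})
    agent = OnAccessAgent(b"constructed-host-secret")
    print("attach to real SVM:", agent.attach(svm))
    print("attach to spoofed SVM:", OnAccessAgent(b"constructed-host-secret").attach(SpoofedSVM()))
    print(agent.on_file_write("C:/share/report.docx", b"quarterly figures"))
    print(agent.on_file_write("C:/share/tool.exe", b"MZ...CONSTRUCTED-MALWARE-MARKER..."))
    print(agent.on_file_write("C:/share/copy.docx", b"quarterly figures"), "engine scans:", svm.scans_performed)
```

The third write is a byte-identical copy of the first, so the SVM answers from its cache and the engine scan count stays at two; that cache is what keeps repeated accesses to the same content from turning into repeated engine work.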

                        The Value of vGW On-Demand Full Disk Scanning
                        The vGW on-demand scanning feature can conduct full VM disk scans on a periodic and sequential schedule to
                        significantly diminish antivirus storms. The offline on-demand option scans guest VMs periodically, examining virtual
                        disk files for malicious content. Because the antivirus feature does not need to be deployed on each VM for scanning, it
                        can perform scans on virtual disk files from a centralized location. This increases the engine’s efficiency and allows it to
                        conduct the scan “from the outside” relative to the VM, which helps with the detection of rootkits.
                        Scheduled on-demand antivirus scans influence host resource saturation. As previously reviewed, it is okay if a small
                        number of VMs run CPU-intensive scans. However, organizations can start to run into issues when those VM numbers
                        begin to increase. An antivirus solution should provide flexibility and allow users to choose between automatically,
                        manually, or randomly running scans so as to reduce the potential for VM host CPU saturation.


                       The vGW antivirus feature minimizes performance impact on the guest VM and host in both cases (on-access and on-
                       demand) by centralizing the scanning on the vGW Security VM instantiated on each VMware ESX/ESXi system, rather
                       than executing the antivirus functions via thick clients on each guest VM. The vGW Endpoint on a VM passes the file—
                       or in some cases, only a portion of the file necessary to determine if it contains a virus—to the vGW Security VM across
                       the virtualized network for examination whenever the VM accesses or attempts to transmit a file.
                       For on-demand, the Security VM mounts a snapshot of the virtual disk of the guest VM, traverses the contents directly,
                       and passes them to the scan engine—all at a rapid rate of 5 MB/second.
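The scheduling behaviour described in the two passages above (sequential, periodic on-demand scans that avoid host CPU saturation, with the option of randomizing starts), as an added example that is not vGW code: a small greedy scheduler that places each VM's full-disk scan into whichever scanner "lane" frees up first, with the number of lanes as the concurrency cap and an optional random delay before each start. Scan length is estimated from the data on the mounted snapshot at the 5 MB/second rate the paper quotes; the VM names and disk sizes are constructed, and the lane-based heuristic is this example's own design, not vGW's scheduler.

```python
# Added example (not vGW code): spreading scheduled on-demand full-disk scans
# across a maintenance window so that scans run one after another (or under a
# small concurrency cap) instead of all at once. VM names and disk sizes are
# constructed; 5 MB/s is the scan rate the paper quotes for the Security VM.
from __future__ import annotations

import random
from dataclasses import dataclass

SCAN_RATE_MB_PER_S = 5.0


@dataclass
class VMDisk:
    name: str
    used_mb: int            # data the engine has to traverse on the mounted snapshot


@dataclass
class ScanSlot:
    vm: str
    start_s: float
    end_s: float


def scan_duration_s(used_mb: int) -> float:
    """Wall-clock time to walk a snapshot at the quoted 5 MB/s."""
    return used_mb / SCAN_RATE_MB_PER_S


def schedule_scans(vms: list[VMDisk], window_s: float, max_concurrent: int = 1,
                   jitter_s: float = 0.0, seed: int | None = None) -> tuple[list[ScanSlot], bool]:
    """Greedy list scheduling: each VM goes to whichever scanner lane frees up first.

    max_concurrent=1 gives the strictly sequential schedule; jitter_s adds a random
    delay before each scan (the 'random' option) so starts are not perfectly aligned.
    Returns the slots and whether every scan finishes inside the window."""
    rng = random.Random(seed)
    lanes = [0.0] * max_concurrent          # time at which each lane becomes free
    slots: list[ScanSlot] = []
    # Largest disks first shortens the overall makespan for this heuristic.
    for vm in sorted(vms, key=lambda v: v.used_mb, reverse=True):
        lane = min(range(max_concurrent), key=lambda i: lanes[i])
        start = lanes[lane] + (rng.uniform(0.0, jitter_s) if jitter_s > 0 else 0.0)
        end = start + scan_duration_s(vm.used_mb)
        slots.append(ScanSlot(vm.name, start, end))
        lanes[lane] = end
    makespan = max((s.end_s for s in slots), default=0.0)
    return slots, makespan <= window_s


def peak_concurrency(slots: list[ScanSlot]) -> int:
    """Largest number of scans running at the same instant: 1 means no storm."""
    # Ends sort before starts at equal times, so back-to-back scans do not count as overlapping.
    events = sorted([(s.start_s, 1) for s in slots] + [(s.end_s, -1) for s in slots])
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


if __name__ == "__main__":
    fleet = [VMDisk("vdi-01", 3000), VMDisk("fileserver", 6000), VMDisk("vdi-02", 1500)]
    for cap in (1, 2, len(fleet)):
        slots, fits = schedule_scans(fleet, window_s=3600, max_concurrent=cap)
        print(f"cap={cap} peak={peak_concurrency(slots)} fits_in_window={fits}")
        for s in slots:
            print(f"  {s.vm:<11} {s.start_s:7.0f}s -> {s.end_s:7.0f}s")
```

With a cap of one the three scans finish in 2100 seconds with no overlap; a cap equal to the fleet size reproduces the "all at once" storm (peak concurrency 3). Whether the sequential schedule fits the window is the check to run before adding VMs to a scan group, since a window that is too short for the total scan time forces either overlap or scans spilling into business hours.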

                        [Figure 2: On-demand scanning. One antivirus engine, one signature database, no agent on VMs. The Security VM
                        (SVM), holding the AV engine and signature database, runs alongside guests VM1, VM2 and VM3 on the ESX or ESXi
                        host, above the VMware kernel, the vGW engine and the hypervisor. Steps, shown for VM2: (1) create snapshot;
                        (2) full-disk AV scan; (3) delete snapshot.]

                                                                                    Figure 2: On-demand scanning

                        Performance Graph
                        [Figure 3: % performance degraded, measured as MS Office on-access execution time across 30 VMs.]

                            No Antivirus (Baseline)                   baseline
                            vGW Antivirus 5.0                         -4.013%
                            Competitive Antivirus (Typical Agent)     -28.688%

                                                   Figure 3: Performance comparison of no antivirus, vGW, and competitive solution


                        VM Memory Usage
                        VM Memory Usage (MB)

                                                                   15 VMs     30 VMs     45 VMs
                            vGW Antivirus 5.0                         150        300        450
                            Competitive Antivirus (Typical Agent)     750       1500       2250

                                                                      Figure 4: VM memory usage (MB)

                        VM Disk Usage
                        VM Disk Usage (MB)

                                                                   15 VMs     30 VMs     45 VMs
                            vGW Antivirus 5.0                        37.5         75      112.5
                            Competitive Antivirus (Typical Agent)    1275       2550       3825

                                                                       Figure 5: VM disk usage (MB)

                        Conclusion
                        Antivirus protection should be another layer of defense against hacking, malware, and code that aims to disrupt
                        business and rob organizations of valuable information. It should not be a performance killer.
                        Traditional antivirus approaches, when deployed within virtualized environments, are extremely punitive on CPU and
                        RAM for guest VMs, using up far too much of these resources and requiring organizations to buy more VM hosting
                        hardware to support the additional protections. With the Juniper Networks vGW Virtual Gateway, antivirus processing
                        is extremely efficient, making use of virtualized environment awareness and innovative design so that antivirus scans
                        are applied when it makes sense and to what matters most. As a result, vGW offers organizations the highest quality
                        and most sophisticated antivirus protection available, all at minimal impact to performance.


                         About Juniper Networks
                         Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud
                         providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics
                         of networking. The company serves customers and partners worldwide. Additional information can be found at
                         www.juniper.net.

Corporate and Sales Headquarters                    APAC Headquarters                        EMEA Headquarters                To purchase Juniper Networks solutions,
Juniper Networks, Inc.                              Juniper Networks (Hong Kong)             Juniper Networks Ireland         please contact your Juniper Networks
1194 North Mathilda Avenue                          26/F, Cityplaza One                      Airside Business Park            representative at 1-866-298-6428 or
Sunnyvale, CA 94089 USA                             1111 King’s Road                         Swords, County Dublin, Ireland   authorized reseller.
Phone: 888.JUNIPER (888.586.4737)                   Taikoo Shing, Hong Kong                  Phone: 35.31.8903.600
or 408.745.2000                                     Phone: 852.2332.3636                     EMEA Sales: 00800.4586.4737
Fax: 408.745.2100                                   Fax: 852.2574.7803                       Fax: 35.31.8903.601
www.juniper.net

Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

2000456-001-EN         Feb 2012                        Printed on recycled paper
