JUNIPER NETWORKS VGW VIRTUAL GATEWAY ANTIVIRUS ARCHITECTURE
White Paper
Copyright © 2012, Juniper Networks, Inc.
White Paper - Juniper Networks vGW Virtual Gateway Antivirus Architecture

Table of Contents
Executive Summary
Introduction
Typical Antivirus Use Cases
  Use Case 1: Compliance
  Use Case 2: Public Cloud/Multi-tenant Hosting
  Use Case 3: Virtual Desktop Infrastructure (VDI)
vGW Virtual Gateway Antivirus Protection
The Value of vGW On-Access Scanning
The Value of vGW On-Demand Full Disk Scanning
VM Memory Usage
VM Disk Usage
Conclusion
About Juniper Networks

List of Figures
Figure 1: On-access scanning
Figure 2: On-demand scanning
Figure 3: Performance comparison of no antivirus, vGW, and competitive solution
Figure 4: VM memory usage (MB)
Figure 5: VM disk usage (MB)
Executive Summary

Virtual machines (VMs) have the same software stack (operating system and applications) as physical machines. As such, they are just as susceptible to virus and malware attacks as their physical counterparts. An infected VM can not only wreak havoc by bringing down the hypervisor host and affecting tens to hundreds of VMs on the same hypervisor host, but it can also migrate the infection to other hypervisor hosts via technologies like VMware vMotion live migration, propagating it across the entire virtualized data center. Virtualized environments demand elegant resource sharing among VMs and their applications, and they demand proper protection against malware attacks.

The problem with traditional agent-based antivirus solutions is that they were not designed for virtual environments. They are resource intensive and have led customers to encounter problems such as antivirus storms and brownouts. In addition, “thick agents” consume a lot of memory and disk and waste resources by duplicating tasks like signature updates for each VM on the hypervisor host.

Introduction

What organizations require to meet today’s VM challenges is hypervisor-based antivirus protection that has minimal impact on memory and disk usage, and is optimized to leverage the virtualized infrastructure in a way that delivers malware protection while preserving the benefits of virtualization, such as VM consolidation ratios. Juniper Networks® vGW Virtual Gateway is exactly this type of solution. vGW Virtual Gateway delivers security without compromising virtualization benefits. Moreover, it is integrated with the vGW hypervisor-based stateful firewall to ensure that detection is coupled with industry-leading enforcement capabilities. Also, all vGW security and visibility features are managed from a centralized management console to guarantee administrative efficiency and reduce errors.
This paper will review common antivirus use cases and explain how the vGW Virtual Gateway eliminates conventional scanning challenges like antivirus storms and brownouts, while maintaining the VM’s security posture.

Typical Antivirus Use Cases

Three common use cases for antivirus software are compliance, public cloud/multi-tenant hosting, and virtual desktop infrastructure (VDI).

Use Case 1: Compliance

Virtualized environments are not exempt from regulatory and compliance requirements. In fact, certain regulations—including the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX), the Gramm-Leach-Bliley Privacy Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS)—require that companies deploy antivirus protections as an added layer of defense toward the prevention of data breaches. For example, the PCI DSS has 12 compliance requirements, the fifth of which is dedicated specifically to antivirus. In order to remain “virus vigilant and compliant,” organizations must use and regularly update antivirus software on all systems commonly targeted by malware. They must also choose antivirus software that is capable of real-time detection of threats and can provide reports to show which resources (e.g., PCI resources) are protected and which may have suffered from an attack. This is the only way that direct and timely action can be taken to mitigate risks.

Use Case 2: Public Cloud/Multi-tenant Hosting

To compete in the ever growing cloud hosting market, providers must be able to deliver seamless, high quality service; the fewer performance issues they need to contend with, the better. They also need to deal with the fact that cybercriminals are becoming more resourceful, making it increasingly difficult to identify and mitigate the risks associated with web-based malware.
For these reasons, antivirus solutions have emerged as critical for the protection of VM availability and integrity against common threats. This is especially true for the VMs of hosted tenants who rely on the cloud service provider to deliver VM performance guarantees. The problem with typical antivirus strategies is that they can degrade VM and hypervisor performance. For example, if a VM uses 50 percent of its processor power to scan every file, then the applications that the VM is hosting are sure to suffer in performance. If you have 20 VMs simultaneously running antivirus scans, that concern is going to lead to severe performance degradation of the entire hypervisor and all guest VMs. In a cloud hosting environment, this could mean impacting tenants with business process outages and a poor online experience for their customers.

The key to a winning antivirus strategy lies in avoiding this “all at once” monopolization of resources. A winning antivirus solution should enable a provider to define scanning requirements, and should be intelligent enough to schedule and perform the scanning based on resource availability. It should also enable organizations to schedule the scans to run on a periodic basis.
Customers moving to the public cloud for hosting of their business assets and applications should not have to make a choice between securing their VMs and performance. In this sense, it is a customer’s responsibility to seek out hosting providers who have provisioned purpose-built, virtualization-specific security suites that offer VM protections at scale. And it is a provider’s responsibility to add as many valuable services as possible, including providing client-less antivirus service via on-demand scans so as not to impact end user business uptime.

Use Case 3: Virtual Desktop Infrastructure (VDI)

Antivirus protections are imperative for VDI environments. If proper steps are not taken, it can be risky to virtualize desktops and run VDI VMs in the heart of the data center alongside other regular data center VMs. End users who are accessing virtual desktops are doing so from a new location—the virtualization platform—which is closer to protected resources (e.g., finance VMs). Should users continue to perform unknown and potentially dangerous activities (such as downloading malicious content, probing or hacking the network), any negative impact could be much further reaching. This makes it extremely important to analyze the connection point and privileges for a physical desktop or laptop, as well as for a hosted virtual desktop. Not only should network connections be protected, but VDI VMs should be scanned frequently for the presence of malware or infected files.

Although an infected image may be cleaned in a VDI environment, the new image that replaces it can still be susceptible to infection. This can depend on the behavior responsible for the initial infection (e.g., download of an infected file from a malicious website). If this behavior is repeated, it can result in a recurring VM infection that can potentially be passed along to other users in the shared VDI environment.
This shared virtual location means that a user who is continually infecting a VM is now in a position to exacerbate the issue by continually infecting other VMs on the virtual platform. While a single rogue user who keeps infecting a physical laptop may not be a big problem, having that same user infect a VDI VM and then spread that infection to other VMs is a huge problem. Simply relying on the image restore capabilities of VDI does not preclude a user from needing proper virus protection.

Constant rebuilding of VM images in a VDI environment can contribute to performance bottlenecks and management overhead. For example, if a VM gets reset to a clean image state because a virus infection occurred, it may be necessary to download and reapply updated operating system patches to the VM. This is compounded by the need to be vigilant about ensuring that the image is not infected and does not contain old versions of vulnerable software or configuration settings that have been altered for security since the image was created.

Antivirus storms are yet another concern in environments with a large number of VDI VMs. These occur when VMs simultaneously attempt to retrieve signature updates and conduct malware scans. During such a storm or brownout, a VDI environment can experience extreme lag or, in the worst case, come to a halt (recall that VDI VMs are guests of a single host and share its hardware resources). Moreover, the dynamic nature of provisioning desktops and their overall load in a virtualized environment make capacity planning difficult. Even if the user desktop can run traditional antivirus software within the individual VM, the cumulative performance impact of many VMs individually loaded with antivirus software can be profound. This directly affects the total number of virtual desktops that can be supported within the environment, and it lowers the expected return on investment for virtualization software and hardware.
Together, these considerations further the case for virtualization-specific antivirus that enables proper management of scans through an agent-less approach to reduce antivirus impact on VDI systems.

vGW Virtual Gateway Antivirus Protection

vGW Virtual Gateway can help resolve the antivirus issues for these use cases and others. vGW, which includes virtualization-specific antivirus, provides malware protection (from viruses, worms, and spyware) with minimal impact on VM memory and disk. The vGW antivirus engine provides optional on-access and on-demand scanning so that administrators can choose to scan files in real time, use the completely agent-less offline approach, or both. With numerous options for when and what to scan, organizations can optimize their antivirus scanning mechanisms for performance in the most cost-effective manner by obviating the need to buy licenses for all VMs or run CPU-intensive applications on all guest VMs.

The vGW antivirus feature provides improved security and flexibility that agents alone cannot provide through:
• Use of its kernel module installed on the VMware ESX/ESXi host hypervisor
• Its management integration
• Its ability to scan VMs with only a light installation on the VM through its vGW Endpoint
• Its ability to scan VMs entirely without any installation on the VM through its on-demand feature
The Value of vGW On-Access Scanning

The vGW on-access scanning option, with settings that can easily be adjusted and fine-tuned to an organization’s precise needs, protects VMs against malicious content downloading or execution in real time. It does so by detecting malware or viruses on VMs, quarantining the infected files or the infected guest VMs themselves, and enabling definition of a remediation plan. With the use of these features, organizations can prioritize scanning processes and optimize performance by lowering memory and CPU usage and decreasing disk I/O.

If an IT administrator is trying to save a file (e.g., from a file share), vGW will trap the call, intercept the file, and scan it for malware. If the file is found to be infected, vGW will quarantine it and alert stakeholders. This is a critical optional scanning mechanism of the antivirus module within the vGW product that can essentially ensure that VMs, especially highly critical VMs, high-risk VDI VMs, or file servers, do not end up infecting other VMs. And this is all accomplished in a very computationally efficient way to ensure that scans do not consume so much memory that they disrupt VM operation.

[Figure 1: On-access scanning. One antivirus engine and one signature database per ESX or ESXi host, with a small agent on each VM (VM1, VM2, VM3) and the Security VM (SVM) holding the AV engine and signature database above the VMware kernel (the vGW Engine). Steps: 1. Install the small agent on the VM; 2. File accesses are captured by the agent and sent to the SVM; 3. On-access AV scan; 4. Scan results are cached for performance.]

Figure 1 shows the basic four-step process for completing an on-access scan. Additionally, for on-access scanning, vGW must authenticate the vGW Endpoint system with the Security VM, which is installed on each host and contains the antivirus signature database and scanning engine.
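The on-access path of Figure 1 (steps 2 to 4) together with the Endpoint-to-Security-VM authentication just described, modelled as an added example that is not vGW code: the hash-set signature database, the shared identity secret and the class names are constructed for illustration. It shows the caveat that the step-4 verdict cache must be keyed on the signature database version, otherwise a file judged clean before a signature update keeps being served as clean afterwards.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class SignatureDatabase:
    """Constructed stand-in for the SVM signature database: a versioned set of
    SHA-256 hashes (the real engine matches signatures, not whole-file hashes)."""
    version: int = 1
    bad_hashes: set = field(default_factory=set)

    def update(self, new_bad_hashes):
        self.bad_hashes |= set(new_bad_hashes)
        self.version += 1  # retires every cached verdict issued under the old set


class SecurityVM:
    """Per-host scan engine (step 3) with a verdict cache (step 4)."""
    def __init__(self, db, identity):
        self.db = db
        self.identity = identity  # proof of identity presented to endpoints
        self.cache = {}           # (sha256, signature version) -> verdict
        self.scans_performed = 0

    def scan(self, content):
        digest = hashlib.sha256(content).hexdigest()
        key = (digest, self.db.version)  # a verdict is valid for one version only
        if key in self.cache:
            return self.cache[key], True  # cache hit: no engine work
        self.scans_performed += 1
        verdict = "infected" if digest in self.db.bad_hashes else "clean"
        self.cache[key] = verdict
        return verdict, False


class Endpoint:
    """Small agent on a guest VM (steps 1 and 2): captures a file access and
    forwards the content, but only to a Security VM it has authenticated."""
    def __init__(self, svm, expected_identity):
        self.svm = svm
        self.expected_identity = expected_identity
        self.quarantine = []  # quarantine location is on the guest itself

    def on_file_access(self, path, content):
        # A spoofed SVM would otherwise receive every file the guest touches.
        if not hmac.compare_digest(self.svm.identity, self.expected_identity):
            raise PermissionError("Security VM failed authentication")
        verdict, cached = self.svm.scan(content)
        if verdict == "infected":
            self.quarantine.append(path)
        return verdict, cached


def spoofed_svm_is_rejected():
    rogue = SecurityVM(SignatureDatabase(), identity=b"rogue-svm")
    ep = Endpoint(rogue, expected_identity=b"svm-host01-constructed-secret")
    try:
        ep.on_file_access("C:\\share\\report.doc", b"anything")
    except PermissionError:
        return rogue.scans_performed == 0
    return False


def demo():
    """A clean file is cached; a later signature update must reverse the verdict."""
    db, secret = SignatureDatabase(), b"svm-host01-constructed-secret"
    ep = Endpoint(SecurityVM(db, identity=secret), expected_identity=secret)
    sample = b"constructed sample document contents"
    first = ep.on_file_access("C:\\share\\report.doc", sample)
    second = ep.on_file_access("C:\\share\\report.doc", sample)
    db.update({hashlib.sha256(sample).hexdigest()})  # new signatures flag this file
    third = ep.on_file_access("C:\\share\\report.doc", sample)
    return first, second, third, ep.svm.scans_performed, list(ep.quarantine)
```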
This authentication step makes it impossible to create a spoofed Security VM that can begin receiving files from guest VMs. Once vGW has established the authentication between the components, it allows packets to flow between them to validate that files are clean. If a file is not clean, it will be written to a quarantine location on the guest VM (i.e., quarantined files are isolated in each guest VM). At this point, administrators can either delete a file from quarantine or transfer the file out of quarantine (the file is altered so as not to infect anything else and sent to the vGW administrator’s system, where it can be analyzed and, if appropriate, restored). The on-access disk scanning feature further protects the guest VM from viruses already resident on it by allowing a scheduled offline full or partial disk scan.

The Value of vGW On-Demand Full Disk Scanning

The vGW on-demand scanning feature can conduct full VM disk scans on a periodic and sequential schedule to significantly diminish antivirus storms. The offline on-demand option scans guest VMs periodically, examining virtual disk files for malicious content. Because the antivirus feature does not need to be deployed on each VM for scanning, it can perform scans on virtual disk files from a centralized location. This increases the engine’s efficiency and allows it to conduct the scan “from the outside” relative to the VM, which helps with the detection of rootkits.

Scheduled on-demand antivirus scans influence host resource saturation. As previously reviewed, it is okay if a small number of VMs run CPU-intensive scans. However, organizations can start to run into issues when those VM numbers begin to increase. An antivirus solution should provide flexibility and allow users to choose between automatically, manually, or randomly running scans so as to reduce the potential for VM host CPU saturation.
The vGW antivirus feature minimizes performance impact on the guest VM and host in both cases (on-access and on-demand) by centralizing the scanning on the vGW Security VM instantiated on each VMware ESX/ESXi system, rather than executing the antivirus functions via thick clients on each guest VM. The vGW Endpoint on a VM passes the file—or in some cases, only the portion of the file necessary to determine if it contains a virus—to the vGW Security VM across the virtualized network for examination whenever the VM accesses or attempts to transmit a file. For on-demand scanning, the Security VM mounts a snapshot of the guest VM’s virtual disk, traverses the contents directly, and passes them to the scan engine—all at a rapid rate of 5 MB/second.

[Figure 2: On-demand scanning. One antivirus engine and one signature database per ESX or ESXi host; no agent on the VMs (VM1, VM2, VM3); the Security VM (SVM) holds the AV engine and signature database above the VMware kernel (the vGW Engine). Steps: 1. Create a VM2 snapshot; 2. Full-disk AV scan of the VM2 snapshot; 3. Delete the VM2 snapshot.]

[Figure 3: Performance comparison of no antivirus, vGW, and competitive solution. Performance graph of % performance degraded (30 VMs, MS Office on-access execution time): No Antivirus (baseline); vGW Antivirus 5.0: -4.013%; Competitive Antivirus (Typical Agent): -28.688%.]
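The on-demand path of Figure 2 treated as a scheduling problem, added here as an example that is not vGW code: per-VM scan time is derived from the paper’s 5 MB/second rate, scans are sequenced under an assumed per-host concurrency budget (a constructed parameter, not a vGW setting), and peak concurrency separates the “all at once” storm from a staggered plan. The VM fleet is constructed to match the paper’s 20-VM example.

```python
from dataclasses import dataclass

SCAN_RATE_MB_PER_S = 5.0  # the paper's stated on-demand scan rate


@dataclass(frozen=True)
class VmDisk:
    name: str
    size_mb: float


def scan_seconds(disk):
    """Time the Security VM needs to traverse one mounted snapshot at 5 MB/s."""
    return disk.size_mb / SCAN_RATE_MB_PER_S


def schedule(disks, max_concurrent):
    """Sequential list scheduling: each VM's snapshot scan starts on the
    earliest free scan slot, so at most max_concurrent scans run at once.
    Returns [(vm name, start_s, end_s)]; max_concurrent is an assumed budget."""
    slot_free_at = [0.0] * max_concurrent
    plan = []
    for disk in disks:
        slot = min(range(max_concurrent), key=lambda i: slot_free_at[i])
        start = slot_free_at[slot]
        end = start + scan_seconds(disk)
        slot_free_at[slot] = end
        plan.append((disk.name, start, end))
    return plan


def peak_concurrency(plan):
    """Largest number of scans in flight at any instant. An end at time t sorts
    before a start at t (-1 < +1), so back-to-back scans do not count as overlap."""
    events = sorted([(s, 1) for _, s, _ in plan] + [(e, -1) for _, _, e in plan])
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def makespan(plan):
    return max(end for _, _, end in plan)


def slots_needed(disks, window_s):
    """Smallest concurrency budget whose sequential plan finishes inside the
    maintenance window; None if even scanning everything at once is too slow."""
    for k in range(1, len(disks) + 1):
        if makespan(schedule(disks, k)) <= window_s:
            return k
    return None


def compare_storm_vs_staggered(n_vms=20, size_mb=3000, budget=4):
    """Constructed fleet of identical disks: the 'all at once' plan drives
    peak concurrency to n_vms, the staggered plan caps it at the budget."""
    disks = [VmDisk(f"VM{i:02d}", size_mb) for i in range(1, n_vms + 1)]
    storm = schedule(disks, max_concurrent=n_vms)
    staggered = schedule(disks, max_concurrent=budget)
    return {
        "storm_peak": peak_concurrency(storm),
        "storm_makespan_s": makespan(storm),
        "staggered_peak": peak_concurrency(staggered),
        "staggered_makespan_s": makespan(staggered),
    }
```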
VM Memory Usage

[Figure 4: VM memory usage (MB) at 15, 30 and 45 VMs, vGW Antivirus 5.0 versus Competitive Antivirus (Typical Agent); plotted values 150, 300, 450 and 750, 1500, 2250.]

VM Disk Usage

[Figure 5: VM disk usage (MB) at 15, 30 and 45 VMs, vGW Antivirus 5.0 versus Competitive Antivirus (Typical Agent); plotted values 37.5, 75, 112.5 and 1275, 2550, 3825.]

Conclusion

Antivirus protection should be another layer of defense against hacking, malware, and code that aim to disrupt business and rob organizations of valuable information. It should not be a performance killer. Traditional antivirus approaches, when deployed within virtualized environments, are extremely punitive on CPU and RAM for guest VMs, using up far too much of these resources and requiring that organizations buy more VM hosting hardware to support the additional protections. With the Juniper Networks vGW Virtual Gateway, antivirus processing is extremely efficient, making use of virtualized environment awareness and innovative design so that antivirus scans are applied when it makes sense and to what matters most. As a result, vGW offers organizations the highest quality and most sophisticated antivirus protection available—all at minimal impact to performance.
About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

2000456-001-EN Feb 2012