White Paper

Secure Virtualization in the Federal Government

Table of Contents

Ready, Fire, Aim?

McAfee Solutions for Virtualization

Securing virtual servers in data centers

Securing virtualized desktop infrastructure

Securing the infrastructure

Manage Everything, Anywhere

McAfee Solutions for Virtualization

Servers and Data Centers

• McAfee® Application Control
• McAfee Change Control
• McAfee Database Activity Monitoring
• McAfee Host IPS
• McAfee MOVE AntiVirus for virtual servers
  –McAfee VirusScan® Enterprise
  –McAfee VirusScan Enterprise for Offline Virtual Images
  –McAfee ePolicy Orchestrator® (McAfee ePO™)
  –McAfee MOVE Scheduler

Virtualized Desktop Infrastructure

• McAfee Application Control
• McAfee MOVE AntiVirus for virtual desktops
  –McAfee Host Intrusion Prevention System (IPS)
  –McAfee SiteAdvisor® Enterprise
  –McAfee VirusScan Enterprise
  –McAfee ePO

Virtual Infrastructure

• McAfee Network Security Platform
• McAfee Firewall Enterprise
• McAfee Security Innovation Alliance Partners, including Bromium, Hytrust, Invincea, and Reflex

Refer to individual product specifications on www.mcafee.com for certification levels for FIPS and Common Criteria.

Federal IT leaders embracing virtualized systems—servers, desktops, or network devices—must account for the unique aspects of virtualization and their effects on security. Leveraging security proven in the physical world and optimized for the virtual world can ensure that virtualization efforts deliver the desired efficiency gains without compromising security or compliance.

IT leaders in the US Federal Government face considerable pressure to sustain the highest level of security while maintaining performance, maximizing utilization of shared infrastructure (including cloud), rapidly supporting new services and applications, and improving situational awareness across physical and virtual platforms. These demands compete with the very real constraints of shrinking IT budgets, fewer staff, and finite physical resources such as rack space, cooling, and power. Virtualization technologies are helping government teams balance these opposing forces in a flexible, integrated cybersecurity and compliance strategy that adapts existing infrastructure to changing needs and resources. Virtualization has migrated from server farms and data centers into desktop infrastructure and network components. This adoption is helping federal organizations improve operational efficiency—but will it help or hinder risk management?

Ready, Fire, Aim?

Since deployment of new virtualized systems is much easier than deployment of physical systems, they can sprout quickly, everywhere, without the normal careful planning for security risk. Federal IT teams may not realize that virtual systems in the data center, in virtualized desktop infrastructure, and in the network require additional, specialized security. For example, traditional server security products such as antivirus and host intrusion prevention do not operate efficiently on virtualized platforms if deployed “out of the box.” Designed to use dedicated physical resources, they can quickly rob shared hypervisor memory and processing and undermine performance. Other challenges include:

• Unauthorized installation of applications can disrupt stability of the system, introduce vulnerabilities, or siphon off resources
• Malicious attacks can exploit shared resources in the virtualized environment, potentially compromising neighboring virtual machines (VMs)
• Infected virtual server templates can spread malware across the production environment
• The virtual server network itself becomes “critical infrastructure” that must be managed and protected
• Patch and security update management programs must work around the shared and high-utilization design of virtualized infrastructure

Risk management programs must account for these issues, or ad hoc configurations will introduce service disruption, noncompliance, and performance bottlenecks called scan storms. When these problems emerge, the pressure to deliver at service levels necessary to assure the mission can cause administrators to work around or waive security controls. There’s a better way to capture efficiency while managing risk appropriately.

McAfee Solutions for Virtualization

McAfee continues to lead the evolution of integrated, agile security tools for government. McAfee solutions can help federal IT teams support more end users, more workloads, and more geographies, while adhering to strict government compliance standards. Our solutions include virtualized appliance versions of proven government-grade security products such as the McAfee Network Security Platform and McAfee Firewall Enterprise, as well as innovations like McAfee Optimized for Virtualized Environments (MOVE AV) and McAfee VirusScan Enterprise for Offline Virtual Images. These specialized technologies make our best traditional antivirus and host intrusion prevention capabilities work efficiently within virtualized deployments, with both hypervisor-aware and hypervisor-agnostic options to preserve flexibility. In addition, a range of McAfee products extends key controls such as application whitelisting and change control into the virtual environment, providing flexibility and a seamless continuum of options from physical to cloud deployments.

Securing virtual servers in data centers

Virtual servers in data centers, both on your premises and in the cloud, consolidate multiple physical systems onto virtual compute, storage, and management platforms that communicate across a unified network. This model reduces the number of physical servers, storage resources, management systems, and their associated capital and operational expenses.

[Figure 1 diagram: VMs on servers, a management system, and storage arrays connected by a unified network]

Figure 1. By sharing back-end compute, storage, and management resources, virtualized datacenters can support more users and applications with greater efficiency.

These systems require core security processes such as antimalware scanning and intrusion prevention, but not in the traditional “per node” model of servers. Scanning operations must work around the hypervisor design and data center schedules to ensure memory and processing resources remain available to new sessions. In addition, a consolidated model also removes the security advantages of the physical separation between databases, application servers, web servers, and other software. That physical isolation frustrates malware authors and hackers who hope to exploit vulnerabilities in these components to navigate around your environment. To compensate, you must build stronger security into virtualized systems everywhere, but particularly in mission-critical data centers. McAfee helps optimize your virtual server security environment while achieving the same level of security that you demand in traditional server environments. For example, McAfee MOVE AV reduces the performance impact of traditional antivirus by eliminating the need for installation of a full antivirus client on each virtual server and offloading on-access scanning to a centralized resource: a dedicated scanning server or a scanning service implemented as a virtual appliance. This model makes it easier to plan and scale capacity and streamlines operations. You monitor just a single environment and perform

In addition, the offloading decreases memory resource allocation for each virtual machine, so the memory can be released back to the resource pool for more effective utilization. In MOVE AV for virtual servers, a special feature orchestrates on-demand scans based on hypervisor and resource availability. MOVE manages the schedule of on-demand scans to prevent hypervisors from being overloaded, and allow them to have higher VM density, enabling greater efficiency for the overall system.

This configuration also includes McAfee VirusScan Enterprise for Offline Virtual Images, which ensures stored offline images used for disaster recovery or continuity of operations are intact and ready when needed. The software can wake up dormant images, scan for viruses and malware, and refresh them with the latest security updates and patches before they are called into use.

McAfee virtual server security options include advanced technologies such as McAfee Application Control and McAfee Change Control. They prevent buffer overflow attacks and memory exploits while blocking rogue applications and malware from being installed or executed. These controls help prevent attacks from spreading through compromised virtual servers and can also provide protection until a vulnerable server is patched. McAfee Change Control can continuously detect system-level changes being made across the virtual enterprise and prevent unauthorized changes to critical system files, directories, and configurations. It helps you stabilize both physical and virtualized infrastructure against inadvertent or malicious changes.

These systems are centrally managed and exchange data through the McAfee management platform, McAfee ePO. Through this environment, you gain leverage and visibility across policies and products used in both traditional physical security processes and your expanding virtualized environments.

Virtualization is not limited to hosts. At the edge of your data center, McAfee Network Security Platform (NSP) and McAfee Firewall Enterprise allow you to apply unique security policies to virtual hosts, networks, or tenants to re-establish the partitions typically lost in the move from traditional physical deployments. You can define “trust zones,” for example, that set rules and boundaries for key data center systems subject to PCI or other sensitive data restrictions.

[Figure 2 diagram: McAfee ePO and McAfee Network Security Platform above hypervisors hosting virtual servers (applications, MOVE AV, OS) protected by McAfee Application Control, McAfee Change Control, and the MOVE AV agent; MOVE scanning servers running MOVE AV and McAfee VirusScan Enterprise; image data storage scanned by McAfee VirusScan for Offline Virtual Images]
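To make the scan-storm problem and the scheduler's role in the MOVE AV section above concrete, here is an added example (not McAfee MOVE Scheduler code): a toy on-demand scan scheduler that caps concurrent scans per hypervisor and staggers the remainder into later windows. The VM inventory, hypervisor names, and the per-hypervisor limit are constructed assumptions.

```python
"""Toy on-demand scan scheduler illustrating scan-storm avoidance.

Added example, not McAfee MOVE Scheduler code. The VM inventory,
hypervisor names and the per-hypervisor limit below are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed inventory: VM name -> hypervisor that hosts it.
VM_PLACEMENT: Dict[str, str] = {
    "web-01": "hv-a", "web-02": "hv-a", "db-01": "hv-a", "app-01": "hv-a",
    "app-02": "hv-b", "db-02": "hv-b", "file-01": "hv-b",
    "mail-01": "hv-c",
}


def naive_schedule(placement: Dict[str, str]) -> Dict[str, int]:
    """Traditional per-node model: every VM starts its own scan in window 0."""
    return {vm: 0 for vm in placement}


def staggered_schedule(placement: Dict[str, str], max_per_hv: int) -> Dict[str, int]:
    """Assign each VM a start window so that no hypervisor ever runs more than
    max_per_hv scans at the same time. Returns {vm: window_index}; window 0 is
    the first slot of the maintenance period."""
    if max_per_hv < 1:
        raise ValueError("max_per_hv must be at least 1")
    by_hv: Dict[str, List[str]] = defaultdict(list)
    for vm, hv in sorted(placement.items()):      # deterministic ordering
        by_hv[hv].append(vm)
    schedule: Dict[str, int] = {}
    for vms in by_hv.values():
        for idx, vm in enumerate(vms):
            schedule[vm] = idx // max_per_hv      # fill one window, then the next
    return schedule


def peak_concurrency(schedule: Dict[str, int], placement: Dict[str, str]) -> Dict[str, int]:
    """Highest number of simultaneous scans any window places on each hypervisor."""
    per_window: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for vm, window in schedule.items():
        per_window[placement[vm]][window] += 1
    return {hv: max(counts.values()) for hv, counts in per_window.items()}


def total_duration(schedule: Dict[str, int], window_minutes: int) -> int:
    """Wall-clock length of the whole run, for checking it fits the maintenance slot."""
    return (max(schedule.values()) + 1) * window_minutes


if __name__ == "__main__":
    print("naive peaks:    ", peak_concurrency(naive_schedule(VM_PLACEMENT), VM_PLACEMENT))
    staggered = staggered_schedule(VM_PLACEMENT, max_per_hv=2)
    print("staggered peaks:", peak_concurrency(staggered, VM_PLACEMENT))
    print("run length:     ", total_duration(staggered, 30), "minutes")
```

With a limit of two scans per hypervisor the constructed inventory needs two windows instead of one, which is the trade the scheduler makes: a longer wall-clock run in exchange for a bounded load on each hypervisor.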


To enhance the security of your virtualized data center, McAfee NSP can inspect all the packets that traverse the virtual switches throughout the virtual server network, looking for anomalies, exploits, and denial of service attacks. Through integration with the IP and file reputation services of McAfee Global Threat Intelligence,™ NSP can help organizations profile and block incoming malware and the malicious external IP addresses that are attempting denial of service or buffer overflow attacks.

Securing virtualized desktop infrastructure

Many of the same technologies used in virtualized data centers also deliver value in virtualized desktop infrastructure (VDI). The chief operational difference is that desktop infrastructures have many more simultaneously active guest images per server, and the session lengths tend to be shorter. This dynamic environment requires a different approach to virtualization security. McAfee offers two options: an agent-based solution that supports all the major hypervisor vendors, and an adaptive, agentless solution tightly integrated with VMware vShield. McAfee MOVE AV for virtual desktops includes the core features of optimized antimalware scanning, plus host intrusion prevention, a desktop firewall, memory protection, and web application protection (through McAfee SiteAdvisor Enterprise). Federal IT teams can use McAfee MOVE AV to implement and maintain protection and efficiency across VDI. This step helps ensure federal organizations have deployed antivirus and other controls stipulated by the US Government Configuration Baseline (USGCB).

[Figure 3 diagram: McAfee ePO managing a hypervisor that hosts virtual desktops (applications, McAfee MOVE client, OS) whose scanning is off-loaded to a MOVE virtual appliance]

Figure 3. McAfee MOVE and McAfee ePolicy Orchestrator work together to centralize and optimize AV operations in VDI.

The same strengths McAfee provides to virtual servers extrapolate well to virtualized desktop infrastructure. In particular, McAfee MOVE AV overcomes the performance issues that have made it hard for IT to implement AV efficiently in virtualized desktop infrastructures. The MOVE AV design leaves the client guest image free to concentrate exclusively on end-user application processing. The MOVE AV configuration for virtual desktop infrastructure includes extra protection against the sort of attacks common to desktop environments. The desktop firewall and advanced memory protection of McAfee Host Intrusion Prevention restrict the activities of malware to prevent malicious activity and preserve file integrity. McAfee SiteAdvisor Enterprise alerts users to malicious and risky URLs and gives administrators policy-based control over web usage. These interventions help reduce the chance of downloading malware. As with virtual servers, we also recommend deployment of McAfee Application Control to prevent users installing undesired or risky applications.

The open McAfee ePO management platform allows security for VDI to integrate with your broader security infrastructure. Instead of independent or overlay operation of virtualization-specific solutions, one integrated system can manage the policies and scanning of virtual and physical endpoints within a consistent policy management and reporting environment.

[Figure 4 diagram: cloud infrastructure security layered over datacenter facilities (e.g. cooling, power), storage, network, and compute]

Figure 4. Security systems can be virtualized to support the move to the cloud.

Securing the infrastructure

Network-based security tools such as network intrusion prevention systems and network firewalls can help government agencies realize the cost savings and hardware reduction that virtualization brings by emulating up to 1000 standalone devices on a single appliance. This is crucial as IT teams collapse network, storage, and computing resources into centralized datacenters. Network security devices can protect your data center perimeter or monitor traffic within your network and within your virtualized infrastructure. For example, McAfee Network Security Platform can integrate with VMware to inspect traffic and enforce policy on and between virtual machines, regardless of their physical location. Virtualizing network security infrastructure allows you to reduce the number of physical sensors on your network, consolidating operations into a single node between the switch and the router. Additionally, the McAfee ePO management platform integrates with third-party virtualization security and management vendors such as Bromium, Reflex Systems, Invincea, and HyTrust to extend security to hardware virtualization, application virtualization, and hypervisor reporting and management.

Manage Everything, Anywhere

The technologies working on the virtual server, in the virtualized desktop infrastructure, and in virtualized network devices can be centrally managed and reported via the McAfee ePO console, bringing these systems into the same management environment as your physical security infrastructure. Connecting all your virtual security systems to your physical security infrastructure through McAfee ePO means your organization can have broad visibility across your environment. In addition, the open McAfee platform integrates with hundreds of partners, helping reduce the number of consoles and windows you need to monitor in order to understand your risk posture. Policy management, security maintenance, auditing, and reporting all get easier when you have consistent, correlated data sets. With new visibility into threats and relevant actions, federal IT organizations can close the security gaps that exist within your virtual infrastructure.


More Efficiency, More Confidence

The McAfee approach to virtualization security helps organizations optimize virtualized resources and ease management of the virtualized systems that are becoming a core part of government infrastructure. McAfee solutions overcome the unique concerns that arrive with virtualized infrastructure: performance, unauthorized installation of applications, malicious attacks, exploitation of shared resources, the integrity of active and offline virtual machines, the security of the virtual server network itself, software (.DAT and patch) maintenance, and overall management complexity.

With the McAfee solution, you can achieve the maximum ROI of your virtual environment. For example, the design improves hypervisor density—MOVE AV has shown dramatic improvements in VDI density as compared to running McAfee VirusScan Enterprise locally—and enables efficiencies in CPU, disk, and file I/O management. Even though in a virtual environment you can reimage quickly, the goal is to prevent you from having to perform this activity in the first place. By scanning and updating images even in an offline state, McAfee MOVE AV for virtual desktops ensures that the image library is well controlled and free of malware. This design improves the user experience with access whenever they need it, while unburdening the load of the hypervisor.

Server and desktop virtualization can yield tremendous savings as government organizations drive toward optimizing existing computing resources, but security and compliance solutions must adapt to the changing environment, too. McAfee delivers comprehensive and integrated datacenter, desktop, and network solutions to secure this dynamic frontier intelligently and allow organizations to focus on their missions. Our security and compliance tools offer the flexibility to maintain a standard, virtualized, hosted, or hybrid server and desktop environment without compromising on efficiency or risk management objectives.

Learn more at www.mcafee.com/virtualization.
