HOW TO PROTECT YOUR VIRTUAL DESKTOPS AND SERVERS?
OVERVIEW
This document explains the functionality of Security for Virtual and Cloud Environments (SVCE) - what it is, what it does, and how it works. It also explains some of the needs and requirements specific to virtual and cloud environments.
Key features
• SVCE is hypervisor-agnostic and supports all popular virtualization platforms, including VMware, Citrix, and Microsoft Hyper-V, as well as mixed and hybrid environments.
• To optimize performance, malware scanning is offloaded to a dedicated Scanning and Reputation Server.
• SVCE combines the flexibility of agentless solutions and the security of traditional agent-based solutions.
Benefits
SVCE offers complete protection for all virtual environments without compromising performance.
• The best protection offered by F-Secure’s award-winning security clients is now available for virtualized environments.
• Optimized performance reduces hardware costs due to lower RAM, CPU, and disk space requirements.
THE CASE FOR VIRTUALIZATION AND VIRTUALIZATION SECURITY
Companies of all sizes are moving to the cloud and using virtualization as a way to gain benefits. Moving to the cloud offers the possibility to switch capital expenses to operational expenses. One of the key arguments for virtualization is flexibility – the option of adding and removing services as needed. Other compelling reasons include resource optimization that reduces hardware costs, and increases operational efficiency as new services can be deployed quickly and automatically. Companies can also improve their IT infrastructure by gaining more capacity for less money. Resources that easily scale to the current need without hardware limitations and the 24/7 support seal the deal.
Despite the increasing use of virtualized platforms and cloud-based solutions, security for these environments has often been inadequate.
“Virtualization penetration has surpassed 50% of all server workloads, and continues to grow.”
– Gartner, June 2012, Magic Quadrant for x86 Server Virtualization Infrastructure
Businesses have had to choose between security solutions that are designed for traditional physical environments and agentless solutions that are based on vendor-specific, proprietary technologies. While secure, traditional solutions are not optimized for virtual environments. On the other hand, agentless solutions may not provide adequate protection against online attacks that exploit security vulnerabilities.
WHAT IS F-SECURE SECURITY FOR VIRTUAL AND CLOUD ENVIRONMENTS?
F-Secure Security for Virtual and Cloud Environments (SVCE) is a solution that is designed to tackle the challenges of virtual and cloud environments. Unlike other security vendors that offer agentless or silent agent-based solutions, SVCE is an added feature for F-Secure’s award-winning endpoint and server protection products. The solution provides the best protection against malware, exploits, phishing, and other network-based attacks.
Component groups
SVCE has three component groups: the client security products, Scanning and Reputation Server, and the management portal.
1. Client security products - Standard F-Secure workstation and server software
• F-Secure Client Security
• F-Secure Server Security
• F-Secure E-mail and Server Security
• F-Secure Anti-Virus for Workstations
2. Scanning and Reputation Server - Isolates performance-consuming operations away from clients
• Virtual appliance for VMware ESXi, vSphere hypervisor
• Virtual appliance for Citrix XenServer, Xen hypervisor
• Virtual appliance for Microsoft Hyper-V hypervisor
3. Policy Manager - Provides policies, configurations and updates for the entire solution
[Figure: solution architecture. Labels: Policy Manager, Scanning and Reputation Server (virtual appliance), Client Security, Client Security Premium, Server Security, Email and Server Security, virtual desktops, virtual servers, virtual machine, hypervisor]
Policy Manager
Provides centralized management for products that are installed on physical and virtual machines.
Policy Manager Console
The administration console for defining policies, deploying F-Secure software and monitoring the security status.
Client Security, Server Security and Email and Server Security
Endpoint security protection products that are installed on physical or virtual desktops and servers.
Management Agent
Communicates with Policy Manager, applies defined policies and sends status information and alerts to Policy Manager Server.
Automatic Update Agent
Downloads and installs software and database updates.
Offload Scanning Agent
Offloads malware scanning and content reputation checking from the client to the Scanning and Reputation Server to minimize the impact on performance.
Scanning and Reputation Server
The virtual appliance that is based on a hardened Linux platform and provides malware scanning and content reputation services.
HOW IT WORKS
SVCE protects virtual machines that are running in private or public clouds. It provides proactive behavioral analysis and exploit protection that efficiently identifies and blocks modern malware and exploit attempts. To optimize performance for virtual environments, resource-intensive malware scanning is offloaded to a dedicated F-Secure Scanning and Reputation Server.
To prevent modern attacks, F-Secure security products are based on multi-layer protection. Each layer addresses a particular aspect of the threat landscape and works with other layers to provide a complete solution. Here is what this protection looks like when installed on a physical machine:
• Browsing protection
• Behavioral analysis
• Web and Email scanning
• Exploit protection
• Advanced heuristic analysis
• File reputation analysis
• Signature-based scanning
• Compound object scanning
When traditional security products are installed on multiple virtual machines that are running on the same hypervisor, they may compete for hardware resources and eventually decrease the performance of the whole environment. Offload Scanning Agent and Scanning and Reputation Server can optimize performance to provide the best protection possible:
[Figure: protection layers with offload scanning. Labels: Browsing protection, File reputation analysis, Behavioral analysis, Advanced heuristic analysis, Web and Email scanning, Web Content Reputation, Exploit protection, Compound object scanning, File reputation analysis, Signature-based scanning, Offload Scanning Agent]
The administrator uses F-Secure Policy Manager to centrally manage F-Secure security products that are installed in the network. F-Secure Policy Manager is available for Windows and Linux platforms.
F-Secure Client Security and F-Secure Server Security products are installed on physical or virtual desktops and servers. They download and install software and database updates automatically, and send status information and alerts to F-Secure Policy Manager.
To minimize the impact on performance on virtual machines, F-Secure Client Security and F-Secure Server Security offload the malware scanning and content reputation checking to a dedicated server that runs F-Secure Scanning and Reputation Server.
F-Secure Scanning and Reputation Server is a virtual appliance that is based on a hardened Linux platform and provides malware scanning and content reputation services.
HOW TO OPERATE VIRTUAL SECURITY?
Deployment and installation
The solution can be easily deployed in a virtual environment, as well as mixed and hybrid environments with different combinations of virtual and traditional machines. Being hypervisor-agnostic, it supports all popular virtualization platforms, including VMware, Citrix, and Microsoft Hyper-V.
PROTECTION FEATURES FOR PHYSICAL AND VIRTUAL DESKTOPS
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
Columns: Virtual desktop; Physical desktop
Rows:
• Offload scanning agent
• Real-time malware scanning
• Scan network drives
• DeepGuard (behavior based protection)
• Use RTPN to improve DeepGuard detection
• DeepGuard advanced process monitoring
• DeepGuard exploit protection
• E-mail scanning
• Web traffic scanning
• Use RTPN on web traffic scanning
• Browsing Protection
• F-Secure Firewall (Internet Shield)
• Application Control
• Automatic Updates
• Database update check randomization
• Software Updater
• Device Control
• Microsoft NAP plug-in
1. You can turn off network drive scanning if the relevant file servers have real-time antivirus protection.
2. Turn on DeepGuard advanced process monitoring if users can install their own applications on virtual desktops. Otherwise, turn it off.
3. Turn on E-mail scanning if users can read their e-mails from untrusted or unprotected e-mail servers. Otherwise, turn it off. You should consider using F-Secure E-mail and Server Security or F-Secure Internet Gatekeeper to handle e-mail scanning on the mail server or gateway.
4. Turn on Web traffic scanning unless all HTTP traffic goes through a gateway where it is scanned (for example, with F-Secure Internet Gatekeeper).
5. Install or turn on F-Secure firewall if you need to protect virtual desktops against network-based attacks and intrusions that may come from within the virtual infrastructure, for example if you do not have full control of the host environment. You can turn off F-Secure firewall if your network has network control and intrusion prevention in place, or if you are using Windows firewall on virtual desktops.
6. Turn on Application Control if users can install and run their own applications on virtual desktops. Otherwise, turn it off.
7. You do not need to install Software Updater (SWUP) on every virtual desktop. To deploy virtual desktops without SWUP, install it on the virtual desktop template to identify and install missing OS and third-party updates, after which you can uninstall it before you deploy virtual desktops from the template.
8. Install the Microsoft NAP plug-in only if you use Microsoft Network Access Protection.
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
Columns: Product feature / setting; Virtual server (Exchange); Physical server (Exchange)
Rows:
• Offload scanning agent
• Real-time malware scanning
• DeepGuard (behavior based protection)
• Use RTPN to improve DeepGuard detection
• DeepGuard advanced process monitoring
• DeepGuard exploit protection
• Web traffic scanning
• Browsing Protection
• Anti-virus for MS Exchange
• Spam Control
• Automatic Updates
PROTECTION FEATURES FOR PHYSICAL AND VIRTUAL SERVERS
Use the following table to choose the features for F-Secure E-mail and Server Security
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
Rows:
• Offload scanning agent
• Real-time malware scanning
• DeepGuard (behavior based protection)
• Use RTPN to improve DeepGuard detection
• DeepGuard advanced process monitoring
• DeepGuard exploit protection
1. Offload Scanning Agent is currently used for file scanning only. Because Exchange transport and storage protection in F-Secure Anti-Virus for Exchange still uses local Content Scanner Server, you should not install Offload Scanning Agent on virtual Exchange Servers, especially if you do not have many servers and they are critical for business communication.
2. You do not need to install DeepGuard advanced process monitoring and exploit protection features if the server runs trusted software and the administrator does not browse the web from the server.
3. We recommend that you turn on DeepGuard advanced process monitoring and exploit protection features if the users can run unknown software or browse the web from the terminal or RDS server.
4. Web traffic scanning inspects all HTTP traffic, which may affect communication between Exchange and other Windows server components that use HTTP-based interfaces. You can turn off Web traffic scanning and Browsing protection if the administrator does not browse the web from the server.
5. F-Secure Anti-Virus for Exchange and Spam Control are only installed if the server runs Microsoft Exchange Server. Spam Control is only installed if Microsoft Exchange Server acts as the transport or hub server.
MANAGEMENT AND REPORTING
Policy Manager provides a scalable way to manage the security on multiple operating systems, both physical and virtual, from one central location.
You can use Policy Manager to:
• Define and distribute security policies
• Install applications on local and remote systems
• Monitor activities of all systems to ensure compliance with corporate policies and centralized control.
With Policy Manager, you can see status information from the entire managed domain. This makes it easy to ensure that the entire domain is protected, and to change the protection settings when needed. You can also prevent users from changing the security settings, and make sure that the protection is always up to date.