Description
In this hands-on lab you will learn how to optimize SEP 12 for your virtual desktops to get maximum protection without sacrificing performance.
This lab requires some knowledge of the VMware vSphere technology and console.
At the end of this lab, you should be able to:
§ Configure Shared Insight Cache with vShield integration
§ Configure Virtual Image Exception
§ Know the benefit of:
o Shared Insight Cache
o Virtual Image Exception
§ Work with counters and reports in vSphere and SEPM
§ Understand Symantec's approach to securing virtual endpoints
Notes
§ A brief presentation will introduce this lab session and discuss key concepts.
§ The lab will be directed and provide you with step-by-step walkthroughs of key features.
In this lab we will focus on the added benefit of the Symantec virtualization tools introduced in SEP 12.1.2. This guide shows you the steps to configure these features and to observe the effects of the configuration on a vSphere 5.1 environment.
All steps are performed from the VCENTER virtual machine in VMware Workstation; you can expand this machine to full screen for better visibility using the full-screen icon.
This lab is conducted like a benchmark; make sure to follow the instructions about powering VMs on and off inside ESX to get the best measure of performance.
The same account is used for VMware and Windows:
User: administrator
Password: Symc4now!
The account for the SEP Management console is:
User: admin
Open the vSphere client and navigate to the Inventory tab > Hosts and Clusters. On the left-hand side click Win7-A, then click the power button.
Repeat these steps for Win7-B.
Open the SEPM VM
Click the SEPM VM and select the Console tab. Right-click the SEPM VM and select Guest > Send Ctrl+Alt+Del.
Enter the password Symc4now! and click Log On.
Edit the Virus and Spyware Protection policy to enable the vShield-enabled Shared Insight Cache
Click the Policy tab, then select the Virus and Spyware Protection section. Finally, click the Balanced security policy (first in the list).
Click Miscellaneous, select the Shared Insight Cache tab and enable the feature using VMware vShield. Click OK to save and close the policy.
Check the vSIC cache content
Shared Insight Cache applies only to scheduled and on-demand scans; therefore the cache should be empty until we trigger a scan on one of the VMs hosted on this ESX node.
Check the policy serial number on the SEPM
Every modification of the settings generates a new version of the policy. To keep track of versions, SEPM assigns a unique serial number to each version of the policy.
Verify the policy on the Win7-A client
On the vSphere client, select the Win7-A client and click the Console view. If prompted for credentials, use the following:
User: administrator
Password: Symc4now!
Launch a manual scan on the Win7-A client
Click Scan for Threats > Run Full Scan. Let the scan complete.
While the scan is running, look at the bottom right corner of the scan dialog box for the trusted file counter. This counter is an aggregate of the files trusted by our reputation technology, Shared Insight Cache and Virtual Image Exception.
Monitor the disk usage on the ESX host
Switch to the vSphere client and click the ESX host. Select the Performance tab and click Advanced. Finally, from the drop-down menu select Disk. The graph shows disk usage over time; this gives you an indication of the intensity of the I/O generated by the running scan and of the duration of that scan.
Going Further (optional):
Note the final results from the Win7-A client
Once the scan is completed on Win7-A, take note of the number of trusted files.
Observe the Shared insight cache counters on the SEPM
Open the SEPM console and click Monitor, then select the Security Virtual Appliance tab. Select Symantec-sva and click Details.
Win7-B virus definitions check
Ensure the virus definition date and revision match the ones used on Win7-A. Shared Insight Cache only optimizes scans for systems using the same set of definitions.
Open the SEP client interface by double-clicking the SEP shield in the system tray.
Scan on Win7-B
Observe the trusted file counter
Once the scan on Win7-B has completed, note the number of scanned files and trusted files. Since Win7-A already cached most of the files, Win7-B did not have to scan most of the files on the drive.
Observe the Shared insight cache counters on the SEPM
The number of requests should have increased drastically, while the number of files in the scan cache remains roughly the same.
Looking at the performance counters (Disk & CPU)
On the vSphere client click the ESX host and select the Performance tab. Click Advanced and select Disk from the drop-down menu. Then, at the bottom of the graph, look at the read and write rates. You should see two peaks corresponding to the two scans. The height indicates the intensity of the I/O requests and the horizontal axis represents the duration of these requests. You will notice that the second scan is shorter and less intensive.
Switch the drop-down menu to CPU and observe the intensity and duration of CPU usage for the two scans.
Configuring Virtual Image Exception
The Win7-C client has been pre-configured with VIETOOL in order to whitelist all of the files present in the base image: Windows, SEP and all remaining files at the time the tool ran. We will now enable the SEP policy to use this technology. Select the SEPM VM and click the Console tab. Open the SEPM console (if you closed it previously). Log in with the credentials:
User: admin
Password: Symc4now!
Click the Policy tab and open the Balanced Virus and Spyware Protection policy. Within the policy click Miscellaneous, then select the Virtual Image tab. Check the two boxes. Click OK to save the policy.
As in the previous tests, look for the trusted file counter. This time the number of files scanned and the number of trusted files should almost match.
Scan duration comparison
Using SEPM reporting you will now compare the scan length and the number of files effectively scanned for each of the tests we ran:
Win7-A ==> baseline scan
Win7-B ==> vSIC optimized scan
Win7-C ==> vSIC+VIE optimizations
Switch to the Console view for the SEPM VM. Click Monitor and select the Logs tab. From the first drop-down menu select Scans.
This screenshot is for illustration purposes only. Look at the numbers on your lab machine for accurate reporting.
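As an added example (not part of the lab material), the comparison below computes, from scan-log rows like those shown in SEPM Monitor > Logs > Scans, the duration, the share of files skipped as trusted and the speedup of each optimized scan against the Win7-A baseline; it also flags a definition-revision mismatch, which is the condition under which Shared Insight Cache stops producing hits. The row values and the definition revision string are constructed sample data.

```python
"""Compare baseline, vSIC and vSIC+VIE scans from SEPM scan-log style rows."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ScanRecord:
    host: str
    definitions: str      # definition date/revision shown in the SEP client
    started: datetime
    finished: datetime
    scanned: int          # total files the scan enumerated
    trusted: int          # files skipped as trusted (reputation + vSIC + VIE)

    def duration_s(self) -> float:
        return (self.finished - self.started).total_seconds()


def compare(records, baseline_host):
    """Return per-host metrics relative to the un-optimized baseline scan."""
    base = {r.host: r for r in records}[baseline_host]
    out = {}
    for r in records:
        out[r.host] = {
            "duration_s": r.duration_s(),
            "trusted_ratio": round(r.trusted / r.scanned, 3) if r.scanned else 0.0,
            "effective_scanned": r.scanned - r.trusted,
            "speedup": round(base.duration_s() / r.duration_s(), 2) if r.duration_s() else None,
            # vSIC only serves cache hits to clients on the same definition set,
            # so a mismatch here explains an unexpectedly low trusted count.
            "definitions_match_baseline": r.definitions == base.definitions,
        }
    return out


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample rows (not real lab output); DEFS is a placeholder revision.
DEFS = "2013-01-15 r3"
SAMPLE = [
    ScanRecord("Win7-A", DEFS, ts("2013-01-16T10:00:00"), ts("2013-01-16T10:10:00"), 50000, 5000),
    ScanRecord("Win7-B", DEFS, ts("2013-01-16T10:15:00"), ts("2013-01-16T10:19:00"), 50000, 40000),
    ScanRecord("Win7-C", DEFS, ts("2013-01-16T10:25:00"), ts("2013-01-16T10:26:30"), 50000, 49000),
]

if __name__ == "__main__":
    for host, metrics in compare(SAMPLE, "Win7-A").items():
        print(host, metrics)
```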
This concludes the lab. Thank you for taking the time to explore our product. Do not forget to fill in the survey about this session when instructed.