The Virtualization Security Podcast on 9/16 was the first in a series of Virtual Desktop Security discussions we will be having. The special guest panelist was Bill McGee from Trend Micro, who helped us understand their implementation of Deep Security 7.5's Anti-Virus and Anti-Malware (collectively, AV) within the virtual desktop.
Trend Micro's product uses the enabling technology within vShield Endpoint to offload AV and anti-malware scanning of virtual machines to a single security virtual appliance, using only one set of rules and one VM to do the actual scanning. This removes the per-VM rule set and scan processing that currently take place inside each VM. So using Trend Micro we have several savings within the virtual desktop:
- Memory for AV now sits in one VM, not in each VM
- Processing of the AV rules now happens in one VM, not in each VM
But how else do we benefit from this arrangement?
- Guest operating system attacks that specifically look for AV software inside the guest will not find any, yet the benefit of AV still exists because the scanning happens from outside the VM
However, new attacks could be created to target the new way of doing things. Given this, there needs to be a robust way of enabling and disabling agents within a VM to achieve the same AV protections that currently exist, due to the following factors:
- VMs move from host to host to host, so if one host does not have the Endpoint security provided by vShield, some other mechanism needs to provide continual AV protection.
- If an attack against vShield Endpoint is detected, there needs to be a way to mitigate it.
- What happens if the virtual appliance providing AV services disappears for some reason?
All of these factors are being considered by Trend Micro and others, but the solutions have yet to be released. I expect them to arrive in the future months after the product GAs.
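The decision logic behind those three factors can be made concrete. What follows is an added illustration written for this post, not Trend Micro's or VMware's code: a small controller that, for each VM, decides whether agentless (security VA) scanning is actually available on the host it currently runs on and, if not, which action to push to the guest so that AV coverage never lapses. The inventory is constructed inline; the heartbeat timeout, the "quarantined" flag used after a suspected attack on the security VA, and the host/VM field names are all assumptions, and a real controller would source this data from vCenter and the security manager rather than hard-coding it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed grace period: if the security virtual appliance (SVA) on a host has
# not reported within this window, treat agentless scanning as gone.
HEARTBEAT_TIMEOUT = timedelta(seconds=90)


@dataclass
class Host:
    name: str
    endpoint_driver: bool                   # vShield Endpoint host component present
    sva_last_heartbeat: Optional[datetime]  # None: no security VA on this host
    sva_quarantined: bool = False           # set by the SOC after a suspected attack on the SVA


@dataclass
class VM:
    name: str
    host: str                               # host the VM currently runs on
    guest_driver: bool                      # thin in-guest driver the SVA relies on
    agent_enabled: bool = False             # full in-guest AV agent currently active


def agentless_available(host: Host, now: datetime) -> Tuple[bool, str]:
    """Can the SVA on this host protect VMs right now?"""
    if not host.endpoint_driver or host.sva_last_heartbeat is None:
        return False, "host has no vShield Endpoint / security VA"
    if host.sva_quarantined:
        return False, "security VA quarantined after suspected attack"
    if now - host.sva_last_heartbeat > HEARTBEAT_TIMEOUT:
        return False, "security VA heartbeat stale"
    return True, "security VA healthy"


def desired_mode(vm: VM, hosts: Dict[str, Host], now: datetime) -> Tuple[str, str]:
    """Return ('agentless' | 'agent', reason) for one VM."""
    ok, reason = agentless_available(hosts[vm.host], now)
    if ok and vm.guest_driver:
        return "agentless", reason
    if ok:
        return "agent", "guest lacks the thin driver"
    return "agent", reason


def plan(vms: List[VM], hosts: Dict[str, Host], now: datetime) -> Dict[str, Tuple[str, str, str]]:
    """Map VM name -> (mode, action, reason). The action is what the controller
    must push to the guest so that no VM is left without AV coverage."""
    result = {}
    for vm in vms:
        mode, reason = desired_mode(vm, hosts, now)
        if mode == "agent" and not vm.agent_enabled:
            action = "enable in-guest agent"
        elif mode == "agentless" and vm.agent_enabled:
            action = "disable in-guest agent"
        else:
            action = "no change"
        result[vm.name] = (mode, action, reason)
    return result


def sample_plan() -> Dict[str, Tuple[str, str, str]]:
    """Constructed inventory (not real infrastructure) covering the three
    cases from the post: host without Endpoint, SVA gone, SVA under attack."""
    now = datetime(2010, 9, 16, 12, 0, 0)
    hosts = {
        "esx01": Host("esx01", True, now - timedelta(seconds=10)),
        "esx02": Host("esx02", False, None),                              # no vShield Endpoint
        "esx03": Host("esx03", True, now - timedelta(minutes=10)),        # SVA disappeared
        "esx04": Host("esx04", True, now - timedelta(seconds=5), True),   # SVA quarantined
    }
    vms = [
        VM("vdi-001", "esx01", True),
        VM("vdi-002", "esx01", True, agent_enabled=True),  # vMotioned back onto a covered host
        VM("vdi-003", "esx02", True),
        VM("vdi-004", "esx03", True),
        VM("vdi-005", "esx04", True),
        VM("vdi-006", "esx01", False),                     # thin driver never installed
    ]
    return plan(vms, hosts, now)


if __name__ == "__main__":
    for name, (mode, action, reason) in sample_plan().items():
        print(f"{name}: {mode:9s} {action:24s} ({reason})")
```

Note that the guest side has to be evaluated as well as the host side: a healthy security VA does nothing for a desktop whose thin driver was never installed, so that VM is also put back on the in-guest agent. Whatever product eventually ships this, the enable/disable path itself becomes a control worth auditing, since an attacker who can flip a VM into "agentless" on a host with no appliance has silently removed its AV.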
Yet this led us down another path: how to be preventative instead of trying to fix the AV problem after malware has landed on the host. For this we need to realize that most viruses and malware come from two sources: web browsing and email. So we must find a way to protect these two vital tools without letting the rest of the guest operating system be infected. The solution is application virtualization, where the web browser and mail client are packaged to run within a container that has strict limits on how it accesses the rest of the environment. Application virtualization tools such as ThinApp, App-V, and others provide these containers, but they still have their own weaknesses.
These weaknesses include the use of a sandbox within the filesystem that is accessible to the user of the containerized application, and therefore to anything else running as that user. More security requires that these sandboxes not be accessible from outside the containerized application, perhaps enforced with a GPO.
Lastly, we also talked briefly about the use of VMsafe-aware and other firewalls.
Out of the discussion came these takeaways:
- AV from outside the VM reduces the overall CPU and memory used by AV clients within the VMs, and an AV that is virtualization aware will allow you to reduce AV's overall impact on performance. It also moves the attack surface against AV.
- Use of Application Virtualization will provide containers for those susceptible applications.
- Use of out of the VM firewalls such as vShield App, Altor Networks VF3, Reflex Systems vTrust, TrendMicro Deep Security, IBM VSS, and Checkpoint will allow you to further limit incoming malicious traffic.
- Use of vShield and other VMsafe products requires you to increase auditing of the security virtual appliances involved.