Efficient protection for virtual environments
Alvaro Sierra, Major Account Manager, Alvaro_sierra@trendmicro.es
Copyright 2009 Trend Micro Inc.
Trend Micro Smart Protection Network: Security Made Smarter
[Diagram: Web Reputation, Email Reputation and File Reputation services fed by Threat Collection and Management; delivered through SaaS/Managed, Partners (ISPs, Routers, etc.) and Cloud; protection points: Endpoint, Off Network, Gateway, Messaging]
Deep Security 7.5
http://www.vmware.com/solutions/partners/alliances/trendmicro.html
Security: the #1 Cloud Challenge
"Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined." Gartner (April 2010)
The Dynamic Datacenter: Physical, Virtual, Cloud
• Physical: "88% of North American enterprises ... [no] virtualization security strategy." Forrester Research / InfoWeek
• Virtual: "... 2012, 60% of virtualized servers ... less secure than ... physical servers ..." "Addressing the Most Common Security Risks in Data Center Virtualization Projects", Gartner, 25 January 2010
• Virtual: "Technologies and practices for securing physical servers won't provide sufficient protections for VMs." Neil MacDonald, Gartner, June 2009
• Cloud: "Number one concern (87.5%) about cloud services is security." Frank Gens, IDC, Senior VP & Chief Analyst
Where are you vulnerable?
• Days and even months pass before patches are available and have been tested/deployed: "Microsoft Tuesday", Oracle, Adobe
• Developers are not available to fix the vulnerabilities: they have left the company, or they are working on other projects
• Systems cannot be patched because of high cost, regulations or SLAs: POS (point-of-sale terminals), construction-site cabins, medical devices…
• Patches are no longer released: Red Hat 3 -- Oct 2010, Windows 2000 -- Jul 2010, Solaris 8 -- Mar 2009, Oracle 10.1 -- Jan 2009
VMs Need Specialized Protection
Same threats in virtualized servers as physical, plus new challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
Server Virtualization Security: Overcoming resource contention
The old way: a 3:00am scan scheduled from a typical AV console
Classification 6/27/2011
Server Virtualization Security: Overcoming resource contention
A new, better way: the Security Virtual Appliance staggers scans at 3:00am, 4:00am, 5:00am, 6:00am
vSphere 4 - VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
Agentless Anti-Virus Overview
These are the key "building blocks" for VMware customers
The idea: Agent-less Anti-Virus for VMware, protection for virtualized desktops and datacenters
The components:
• VMware vShield Endpoint: enables offloading of antivirus processing to Trend Micro Deep Security Anti-malware, a dedicated, security-hardened VM.
• Trend Micro Deep Security Anti-malware: a virtual appliance that detects and blocks malware (web threats, viruses & worms, Trojans).
Customer benefits: Higher Consolidation, Faster Performance, Better Manageability, Stronger Security
Differentiator: The first and only agentless anti-virus solution architected for VMware
Deep Security architecture
Protection beyond Anti-Malware
Beyond providing Agentless AV, Trend Micro Deep Security provides additional protection for VMware customers
1. Anti-Malware (agentless, via vShield Endpoint): Detects and blocks malware (web threats, viruses & worms, Trojans). (PCI*)
2. IDS / IPS (agentless, via VMsafe APIs): Detects and blocks known and zero-day attacks that target vulnerabilities (PCI*)
   – Web Application Protection: Shields web application vulnerabilities (PCI*)
   – Application Control: Provides increased visibility into, or control over, applications accessing the network
   – Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans (PCI*)
3. Integrity Monitoring (agent-based): Detects malicious and unauthorized changes to directories, files, registry keys. (PCI*)
4. Log Inspection (agent-based): Optimizes the identification of important security events buried in log entries. (PCI*)
(PCI*): Helps address one or more PCI Data Security Standards and other compliance requirements
Deep Packet Inspection
IDS/IPS
– Vulnerability rules: shield known vulnerabilities from unknown attacks
– Exploit rules: stop known attacks
– Smart rules: zero-day protection from unknown exploits against an unknown vulnerability
– Microsoft Tuesday protection is delivered in sync with public vulnerability announcements
– On the host/server (HIPS)
Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web applications until code fixes can be completed
– Shield legacy applications that cannot be fixed
– Prevent SQL injection, cross-site scripting (XSS)
Application Control
– Detect suspicious inbound/outbound traffic such as allowed protocols over non-standard ports
– Restrict which applications are allowed network access
– Detect and block malicious software from network access
Around 100 protected applications
Operating Systems: Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client
Microsoft Active Protections Program (MAPP)
• Microsoft Active Protections Program (MAPP)
– Program for security software vendors
– Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft's monthly security update
– Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro's protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack
– Systems can then be patched during the next scheduled maintenance window
Recommendation Scans
• The server being protected is analyzed to determine:
– OS, service pack and patch level
– Installed applications and version
– DPI rules are recommended to shield the unpatched vulnerabilities from attacks
– As patches, hotfixes, and updates are applied over time, the Recommendation Scan will:
  • Recommend new rules for assignment
  • Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported
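The recommendation-scan logic described above (inventory the host, recommend shielding rules for unpatched software, drop rules once patching removes the exposure) can be modelled as a set difference between the rules a host needs and the rules it already has. The following is an added example written for this page, not Deep Security's own code; the rule identifiers, product names, "fixed in" versions and the host inventory are all constructed for illustration.

```python
"""Model of a recommendation scan: match a host inventory against a rule
catalog and recommend which DPI rules to assign or unassign.

Added example; the rule catalog, host inventory and rule IDs below are
constructed for illustration and are not Deep Security's own data.
"""
import re
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '2.2.14' into (2, 2, 14) so versions compare numerically.
    Non-numeric suffixes such as '5.1.45a' are ignored for the comparison."""
    return tuple(int(re.match(r"\d+", part).group()) for part in text.split("."))


@dataclass(frozen=True)
class DpiRule:
    rule_id: str       # hypothetical identifier, e.g. "DPI-1001"
    product: str       # product the rule shields
    fixed_in: str      # first version that carries the vendor fix
    description: str


@dataclass
class HostInventory:
    # product -> installed version; the OS and its patch level are modelled
    # as one more product entry so they are handled like any application.
    apps: dict = field(default_factory=dict)
    assigned_rules: set = field(default_factory=set)


# Constructed catalog: a rule applies while the installed version is older than fixed_in.
RULE_CATALOG = [
    DpiRule("DPI-1001", "Apache", "2.2.15", "constructed: shield an Apache flaw fixed in 2.2.15"),
    DpiRule("DPI-1002", "MySQL", "5.1.50", "constructed: shield a MySQL flaw fixed in 5.1.50"),
    DpiRule("DPI-1003", "Red Hat EL", "5.4", "constructed: shield an OS flaw fixed at update 5.4"),
    DpiRule("DPI-1004", "Microsoft IIS", "7.5", "constructed: shield an IIS flaw fixed in 7.5"),
]


def rule_applies(rule: DpiRule, inventory: HostInventory) -> bool:
    """A rule is needed only if the product is installed and still unpatched."""
    installed = inventory.apps.get(rule.product)
    if installed is None:
        return False
    return parse_version(installed) < parse_version(rule.fixed_in)


def recommend(inventory: HostInventory, catalog=RULE_CATALOG):
    """Return (rules_to_assign, rules_to_unassign) as sorted lists of rule IDs.
    Unassign covers both rules made obsolete by patching and rules assigned
    for software the host does not run."""
    needed = {r.rule_id for r in catalog if rule_applies(r, inventory)}
    to_assign = sorted(needed - inventory.assigned_rules)
    to_unassign = sorted(inventory.assigned_rules - needed)
    return to_assign, to_unassign


def apply_recommendation(inventory: HostInventory, catalog=RULE_CATALOG):
    """Apply the recommendation to the host's rule set and return what changed."""
    to_assign, to_unassign = recommend(inventory, catalog)
    inventory.assigned_rules |= set(to_assign)
    inventory.assigned_rules -= set(to_unassign)
    return to_assign, to_unassign


def demo():
    """Initial scan shields three unpatched products; after Apache is patched
    in a maintenance window, a rescan recommends dropping its rule."""
    host = HostInventory(apps={"Red Hat EL": "5.3", "Apache": "2.2.14", "MySQL": "5.1.45"})
    first = apply_recommendation(host)
    host.apps["Apache"] = "2.2.15"       # patch applied, exposure gone
    second = apply_recommendation(host)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("initial scan: assign", before[0], "unassign", before[1])
    print("after patching Apache: assign", after[0], "unassign", after[1])
```

The IIS rule never gets recommended because the product is absent from the inventory, which is the point of scanning the host first rather than assigning every rule in the catalog; the version comparison is what lets the rescan retire a rule after patching without operator intervention.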
Sample Microsoft Patch Tuesday Protection
In IT, do you know the differences?
[Diagram: Now, an agent in every VM (Agent, Agent, Agent, ...); vSphere; Future]
Deep Security Virtual Appliance: Architecture of the coordinated approach
[Diagram: four vNICs, VMsafe API, ESX 4 vSwitch, Hypervisor]
Deep Security enables higher VM densities
• SYMC/MFE consume 3x–12x more resources in scheduled scans & could not handle more than 25 desktop VMs/host
• DS supports 2-3 times the number of desktop VMs/host of traditional AV
• DS supports 40-60% more server VMs/host than traditional AV
[Chart: scheduled scan resource usage over baseline, 50 VMs per host; CPU and IOPS for Symantec, Trend and McAfee; values shown: 2143%, 307%, 2053%, 273%, 692%, 81%]
Agentless approach uses less ESX memory
[Chart: ESX memory against number of guest VMs for Anti-Virus "B", Anti-Virus "Y", Anti-Virus "R"]
Agentless approach uses less bandwidth
[Chart: signature update for 10 agents, time in seconds, for Anti-Virus "B", Anti-Virus "Y", Anti-Virus "R" and Agentless Anti-Virus "T"]
Coordinated Approach
Coordinated Security Approach
• Agent disappears (removed / reverted to previous snapshot)
• Virtual Appliance auto-protects VM
[Diagram: Deep Security Virtual Appliance*, VMware vCenter, VMware vSphere 4]
* VMsafe API based solution
Deep Security 7.5: Key features
• Agentless real-time scanning
– Notifications to the antivirus engine
– Access to data files for scanning
• Agentless manual and/or scheduled scanning
– On-demand scans are coordinated and organized
– Notifications
• Integrates with vShield Endpoint (vSphere 4.1)
• Zero-day protection
– Integration with Smart Protection Network (SPN)
• Agentless cleanup
– Active Action, Delete, Pass, Quarantine, Clean
• API-level caching
– Data caching to optimize performance
[Diagram: SPN, Virtual Appliance, vShield Endpoint]
What is the difference?
Addressing Payment Card Industry (PCI) Requirements
Key Deep Security features & capabilities:
(1.) – Network Segmentation
(1.x) – Firewall
(6.1) – Virtual Patching*
(6.5) – Web Application Firewall
(10.6) – Review Logs Daily
(11.4) – Deploy IDS / IPS
(11.5) – Deploy File Integrity Monitoring
"81% NOT PCI compliant prior to breach" Verizon 2009 Data Breach Investigation Report
* Compensating control subject to QSA approval
Trend Micro: Server Security Leadership
IDC Market Analysis: Worldwide Corporate Server Security Market Share: Trend Micro 22.9%, All Others 77.1%
"These products are generally more robust than desktop endpoint security and are available for a much wider set of operating systems (Windows, Unix, and Linux). This category also includes products that are designed to protect hypervisors and virtual servers." Source: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC
Improves Security: by providing security solutions architected to fully leverage the VMware platform
Improves Virtualization: by providing the most secure virtualization infrastructure, with APIs, and certification programs
The most comprehensive suite of next-generation virtualization security solutions:
• Virtual appliance- and guest-based
• Tightly integrated with, and leverages, VMware APIs and technologies
• Architected to fully leverage the VMware platform for delivering better-than-physical security