JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE

Transcription

1 White Paper JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE Copyright 2012, Juniper Networks, Inc. 1

2 Table of Contents Executive Summary...3 Introduction...3 Typical Antivirus Use Cases...3 Use Case 1: Compliance...3 Use Case 2: Public Cloud/Multi-tenant Hosting...3 Use Case 3: Virtual Desktop Infrastructure (VDI)... 4 Firefly Host Antivirus Protection... 4 The Value of Firefly Host On-Access Scanning... 5 The Value of Firefly Host On-Demand Full Disk Scanning... 5 VM Memory Usage...7 VM Disk Usage...7 Conclusion...7 About Juniper Networks... 8 List of Figures Figure 1: On-access scanning... 5 Figure 2: On-demand scanning... 6 Figure 3: Performance comparison of no antivirus, Firefly Host, and competitive solution... 6 Figure 4: VM memory usage (MB)...7 Figure 5: VM disk usage (MB) Copyright 2013, Juniper Networks, Inc.

3 Executive Summary Virtual machines (VMs) have the same software stack (operating system and applications) as physical machines. As such, they are just as susceptible to virus and malware attacks as their physical counterparts. An infected VM can not only wreak havoc by bringing down the hypervisor host and affecting tens to hundreds of VMs on the same hypervisor host, but it can migrate the infection to other hypervisor hosts via technologies like VMware vmotion live migration, propagating it across the entire virtualized data center. Virtualized environments demand elegant resource sharing among VMs and their applications; and they demand proper protection against malware attacks. The problem with traditional agent-based antivirus solutions is that they were not designed for virtual environments. They are resource intensive and have led customers to encounter problems such as antivirus storms and brownouts. In addition, thick agents consume a lot of memory and disk and waste resources by duplicating tasks like signature updates for each VM in the hypervisor host. Introduction What organizations require to meet today s VM challenges is hypervisor-based antivirus protection that has minimal impact on memory and disk usage, and is optimized to leverage the virtualized infrastructure in a way that delivers malware protection while preserving the benefits of virtualization like VM consolidation ratios. Juniper Networks Firefly Host* is exactly this type of solution. Firefly Host delivers security without compromising virtualization benefits. Moreover, it is integrated with the Firefly Host hypervisor-based stateful firewall to ensure that detection is coupled with industry-leading enforcement capabilities. Also, all Firefly Host security and visibility features are managed from a centralized management console to guarantee administrative efficiency and reduce errors. This paper will review common antivirus use cases and explain how the Firefly Host eliminates conventional scanning challenges like antivirus storms and brownouts, while maintaining the VM s security posture. Typical Antivirus Use Cases Three common use cases for antivirus software include compliance, public cloud/multi-tenant hosting, and virtual desktop infrastructure (VDI). Use Case 1: Compliance Virtualized environments are not exempt from regulatory and compliance requirements. In fact, certain regulations including Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX), Gramm-Leach-Bliley Privacy Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS) require that companies deploy antivirus protections as an added layer of protection toward the prevention of data breaches. For example, the PCI DSS has 12 compliance requirements the fifth of which is dedicated specifically to antivirus. In order to remain virus vigilant and compliant, organizations must use and regularly update antivirus software on all systems commonly targeted by malware. They must also choose antivirus software that is capable of real-time detection of threats and can provide reports to show which resources (e.g., PCI resources) are protected and which may have suffered from an attack. This is the only way that direct and timely action can be taken to mitigate risks. Use Case 2: Public Cloud/Multi-tenant Hosting To compete in the ever growing cloud hosting market, providers must be able to deliver seamless, high quality service meaning, the fewer performance issues they need to contend with, the better. They also need to deal with the fact that cybercriminals are becoming more resourceful, making it increasingly difficult to identify and mitigate the risks associated with web-based malware. For these reasons, antivirus solutions have emerged as critical for the protection of VM availability and integrity against common threats. This is especially true for the VMs of hosted tenants who rely on the cloud service provider to deliver VM performance guarantees. The problem with typical antivirus strategies is that they can degrade VM and hypervisor performance. For example, if a VM uses 50 percent of its processor power to scan every file, then applications that the VM is hosting are sure to suffer in performance. If you have 20 VMs simultaneously running antivirus scans, that concern is going to lead to severe performance degradation of the entire hypervisor and all guest VMs. In a cloud hosting environment, this could mean impacting tenants with business process outages and poor online experience for their customers. The key to a winning antivirus strategy lies in avoiding this all at once monopolization of resources. And a winning antivirus solution should enable a provider to define scanning requirements, and should be intelligent enough to schedule/perform the scanning based on resource availability. It should also enable organizations to schedule the scans to run on a periodic basis. *Formerly vgw Virtual Gateway Copyright 2013, Juniper Networks, Inc. 3

4 Customers moving to the public cloud for hosting of their business assets and applications should not have to make a choice between securing their VMs and performance. In this sense, it is a customer s responsibility to seek out hosting providers who have provisioned purpose-built, virtualization-specific security suites that offer VM protections at scale. And it is a provider s responsibility to add as many valuable services as possible, including providing client-less antivirus service via on-demand scans so as not to impact end user business uptime. Use Case 3: Virtual Desktop Infrastructure (VDI) Antivirus protections are imperative for VDI environments. If proper steps are not taken, it can be risky to virtualize desktops and run VDI VMs in the heart of the data center alongside other regular data center VMs. End users who are accessing virtual desktops are doing so from a new location the virtualization platform which is closer to protected resources (e.g., finance VMs). Should users continue to perform unknown and potentially dangerous activities (such as downloading malicious content, probing or hacking the network), any negative impact could be much further reaching. This makes it extremely important to analyze the connection point and privileges for a physical desktop or laptop, as well as a hosted virtual desktop. Not only should network connections be protected, but VDI VMs should be scanned frequently for the presence of malware or infected files. Although an infected image may be cleaned in a VDI environment, the new image that replaces it can still be susceptible to infection. This can be dependent on the behavior responsible for the initial infection (e.g., download of infected file from a malicious website). If this behavior is repeated, it can result in a recurring VM infection that can potentially be passed along to other users in the shared VDI environment. This shared virtual location means that a user who is continually infecting a VM is now in a position to exacerbate the issue by continually infecting other VMs on the virtual platform. While a single rogue user who keeps infecting a physical laptop may not be a big problem, having that same user infect a VDI VM and then spread that infection to other VMs is a huge problem. Simply relying on the image restore capabilities of VDI does not preclude a user from needing proper virus protection. Constant rebuilding of VM images in a VDI environment can contribute to performance bottlenecks and management overhead. For example, if a VM gets reset to a clean image state because a virus infection occurred, it may be necessary to download and reapply updated operating system patches to the VM. This is compounded by the need to be vigilant about ensuring that the image is not infected or does not contain old versions of vulnerable software or configuration settings that have been altered for security since the image was created. Antivirus storms are yet another concern in environments with a large number of VDI VMs. These occur when VMs simultaneously attempt to retrieve signature updates and conduct malware scans. During such a storm or brownout, a VDI environment can experience extreme lag or, worse case, come to a halt (recall that VDI VMs are guests of a single host and share its hardware resources). Moreover, the dynamic nature of provisioning desktops and their overall load in a virtualized environment make capacity planning difficult. Even if the user desktop can run traditional antivirus software within the individual VM, the cumulative performance impact of many VMs loaded individually with antivirus software can be profound. This directly affects the total number of virtual desktops that can be supported within the environment, and it decreases the expectations of return on investment for virtualization software and hardware. Together, these considerations further the case for virtualization-specific antivirus that enables proper management of scans through an agent-less approach to reduce antivirus impact on VDI systems. Firefly Host Antivirus Protection Firefly Host can help resolve the antivirus issues for these use cases and others. Firefly Host, which includes virtualization-specific antivirus, provides malware protection (from viruses, worms, and spyware) with minimal impact on VM memory and disk. The Firefly Host antivirus engine provides optional on-access and on-demand scanning so that administrators can choose to scan files in real time, use the completely agent-less offline approach, or both. With numerous options for when and what to scan, organizations can optimize their antivirus scanning mechanisms for performance in the most cost-effective manner by obviating the need to buy licenses for all VMs or run CPU-intensive applications on all guest VMs. The Firefly Host antivirus feature provides improved security and flexibility that agents alone cannot provide through: Use of its kernel module installed on the VMware ESX/ESXi host hypervisor Its management integration Its ability to scan VMs with only a light installation on the VM through its Firefly Host Endpoint Its ability to scan VMs entirely without any installation on the VM through its on-demand feature 4 Copyright 2013, Juniper Networks, Inc.

5 The Value of Firefly Host On-Access Scanning The Firefly Host on-access scanning option, with settings that can easily be adjusted and fine-tuned to an organization s precise needs, protects VMs against malicious content downloading or execution in real time. It does so by detecting malware or viruses on VMs, quarantining the infected files or infected guest VMs themselves, and enabling definition of a remediation plan. With the use of these features, organizations can prioritize scanning processes and optimize performance by lowering memory and CPU usage and decreasing disk I/O. If an IT administrator is trying to save a file (e.g., from a file share), the Firefly Host will trap the call, intercept the file, and scan for malware. If the file is found to be infected, Firefly Host will quarantine it and alert stakeholders. This is a critical optional scanning mechanism of the antivirus module within the Firefly Host product that can essentially ensure that VMs, especially highly critical VMs, high-risk VDI VMs, or file servers do not end up infecting other VMs. And this is all accomplished in a very computationally efficient way to ensure that scans do not consume so much memory that they disrupt VM operation. One Antivirus Engine One Signature Database Small Agent on VMs VM VM1 VM3 SVM Install small agent on VM Files accesses are captured by the agent and sent to the SVM On-access AV scan Scan results are cached for performance AV Engine Signature Database The Firefly Host Engine VMware Kernel ESX or ESXi Host Hypervisor Figure 1: On-access scanning Figure 1 shows the basic four step process for completing an on-access scan. Additionally, for on-access scanning, Firefly Host must authenticate the Firefly Host Endpoint system with the Security VM, which is installed on each host and contains the antivirus signature database and scanning engine. Following these steps makes it impossible to create a spoofed Security VM that can begin receiving files from guest VMs. Once Firefly Host has established the authentication between the components, it then allows the transfer of packets to flow between them to validate that files are clean. If not clean, the files will be written to a quarantine location on the guest VM (i.e., quarantined files are isolated in each guest VM). At this point, administrators can either choose to delete a file from quarantine or transfer the file out of quarantine (the file is altered so as not to infect anything else and sent to the Firefly Host administrator s system, where it can be analyzed and, if appropriate, restored). The on-access disk scanning feature further protects the guest VM from viruses already resident on it by allowing a scheduled offline full or partial disk scan. The Value of Firefly Host On-Demand Full Disk Scanning The Firefly Host on-demand scanning feature can conduct full VM disk scans on a periodic and sequential schedule to significantly diminish antivirus storms. The offline on-demand option scans guest VMs periodically, examining virtual disk files for malicious content. Because the antivirus feature does not need to be deployed on each VM for scanning, it can perform scans on virtual disk files from a centralized location. This increases the engine s efficiency and allows it to conduct the scan from the outside relative to the VM, which helps with the detection of rootkits. Scheduled on-demand antivirus scans influence host resource saturation. As previously reviewed, it is okay if a small number of VMs run CPU-intensive scans. However, organizations can start to run into issues when those VM numbers begin to increase. An antivirus solution should provide flexibility and allow users to choose between automatically, manually, or randomly running scans so as to reduce the potential for VM host CPU saturation. Copyright 2013, Juniper Networks, Inc. 5

6 The Firefly Host antivirus feature minimizes performance impact on the guest VM and host in both cases (on-access and on-demand) by centralizing the scanning on the Firefly Host Security VM instantiated on each VMware ESX/ESXi system, rather than executing the antivirus functions via thick clients on each guest VM. The Firefly Host Endpoint on a VM passes the file or in some cases, only a portion of the file necessary to determine if it contains a virus to the Firefly Host Security VM across the virtualized network for examination whenever the VM accesses or attempts to transmit a file. For on-demand, the Security VM mounts a snapshot of the virtual disk of the guest VM, traverses the contents directly, and passes them to the scan engine all at a rapid rate of 5 MB/second. One Antivirus Engine One Signature Database No Agent on VMs VM VM1 VM3 SVM 1 Create Snapshot 2 Full-Disk AV Scan 3 Delete Snapshot VM1 VM3 VM1 VM3 VM1 VM3 AV Engine Signature Database The Firefly Host Engine VMware Kernel ESX or ESXi Host Hypervisor Figure 2: On-demand scanning Performance Graph % Performance Degraded (30 VMs - MS Office On-Access Execution Time) % % No Antivirus (Baseline) Firefly Host Antivirus 5.0 Competitive Antivirus (Typical Agent) Figure 3: Performance comparison of no antivirus, Firefly Host, and competitive solution 6 Copyright 2013, Juniper Networks, Inc.

7 VM Memory Usage VM Memory Usage (MB) Firefly Host Antivirus 5.0 Competitive Antivirus (Typical Agent) VMs 30 VMs 45 VMs Figure 4: VM memory usage (MB) VM Disk Usage VM Disk Usage (MB) Firefly Host Antivirus 5.0 Competitive Antivirus (Typical Agent) VMs 30 VMs 45 VMs Figure 5: VM disk usage (MB) Conclusion Antivirus protection should be another layer of defense against hacking, malware, and code that aim to disrupt business and rob organizations of valuable information. It should not be a performance killer. Traditional antivirus approaches, when deployed within virtualized environments, are extremely punitive on CPU and RAM for guest VMs, using up far too much of these resources and requiring that organizations buy more VM hosting hardware to support the additional protections. With the Juniper Networks Firefly Host, antivirus processing is extremely efficient, making use of virtualized environment awareness and innovative design so that antivirus scans are applied when it makes sense and to what matters most. As a result, Firefly Host offers organizations the highest quality and most sophisticated antivirus protection available all at minimal impact to performance. Copyright 2013, Juniper Networks, Inc. 7

8 About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at Corporate and Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: Fax: To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Nov 2013 Printed on recycled paper 8 Copyright 2013, Juniper Networks, Inc.