Protecting Virtual Endpoints with McAfee Server Security Suite Essentials




Sponsored by McAfee

December 2013

A SANS Analyst Whitepaper
Written by Dave Shackleford

Contents
Capability Sets for Virtualization Security
Discovery
Protection
Conclusion: Putting the Pieces Together

2013 SANS Institute

Introduction

More and more organizations have adopted system virtualization technology in the past several years. As of Q4 2013, estimates indicate that 50 to 60 percent of large enterprises are using virtualization.[1] Many organizations are implementing private and hybrid cloud architectures, building or leveraging a private cloud, or currently using Infrastructure-as-a-Service (IaaS) offerings from a number of cloud service providers.

Because their operations increasingly take place in virtual data centers, many businesses have discovered that traditional security controls have not kept pace with the rapid technology changes associated with virtualization and private/hybrid cloud deployments. Such a gap can easily lead to system and data exposure in virtual machines, excessive consumption of resources within the virtual environment due to lack of optimization and integration with virtualization platforms, and a lack of flexibility in monitoring and reporting on the state of virtual assets, including security controls and policies.

The inherent multitenant nature of these systems, especially in the public cloud, is another obvious area of risk for organizations deploying virtualization platforms. Multitenancy creates the possibility that multiple systems, owned and maintained by different business units or even different companies, end up sharing physical infrastructure. Virtualization makes it easy to (sometimes unknowingly) mix applications and data in ways that would never have happened in the purely physical data center. For example, many organizations unknowingly run sensitive or compliance-related applications on the same hypervisor, and thus the same physical host, as less sensitive applications, potentially exposing the sensitive data to intermingling or leakage through access by less sensitive systems or other resources.

Virtual machines (VMs) that are meant to be PCI DSS-compliant could share a virtual network with systems that are less sensitive in nature, their combined traffic may be hosted on the same hypervisor, or the files making up the VMs may be stored in the same location. Security teams have struggled with this problem for some time internally, and the problem is only compounded when trying to ascertain the trust status of a cloud provider's systems.

SANS had the opportunity to review several elements of McAfee's Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments. The new McAfee products tackle these problems admirably. Hypervisor validation is easily configured and maintained with Intel's latest development in hardware-based boot attestation services, and both the agent-based and agentless variations of MOVE AntiVirus can significantly streamline deployment and reduce system overhead.

[1] www.serverwatch.com/server-news/vmware-ceo-aims-for-90-percent-server-virtualization.html

SANS Analyst Program 1 Protecting Virtual Endpoints with McAfee Server Security Suite Essentials

Capability Sets for Virtualization Security

McAfee's focus on data center security involves three major categories of capability sets for their products:

1. Discovery. Inventory and analysis of systems and applications, a critical starting point for inventorying and managing systems and applications.
2. Protection. Creating trust and security policies, evaluating systems and applications and providing protection from malicious code and other attacks.
3. Expansion. Enabling fluid and secure growth into private and public cloud infrastructures without sacrificing security controls and capabilities. For example, with the addition of VMware and Amazon data center connectors, McAfee is creating a powerful integration strategy for security in the cloud.

Although numerous products within the McAfee portfolio follow this strategy, the focus of the SANS review was on integration with and protection of virtual infrastructure. The products and capabilities reviewed include:

- McAfee ePolicy Orchestrator 5.0.1
- McAfee MOVE AntiVirus 3.0
- McAfee Boot Attestation Service 3.0

The goal of the review was to validate that specific functions are available and working in the versions evaluated.

Discovery

As both internal and external cloud provisioning becomes commonplace, enterprises are shifting their concerns to knowing where workloads are located and how they are running. Visibility and system inventory have become more difficult, with the dynamic movement of virtual systems among hosts and data centers and into public cloud infrastructure.[2] For this reason, inventory discovery and system monitoring are more important than ever, not only to IT departments, but to the organization as a whole.

In McAfee's new version of the Server Security suite, the McAfee Server Security Suite Essentials, the key to central monitoring and management of the operating inventory, including virtual workloads, is ePolicy Orchestrator (ePO). Several new features have been added to the suite to facilitate discovery, monitoring and management in both internal and external cloud environments:

- McAfee Server Security Suite Essentials can be integrated into virtual and cloud environments to automatically discover all VMware and Amazon Web Services (AWS) virtual machines; ePO will then display the relationships among hosts, virtual machines and virtual appliances.
- The new Data Center Connector for vSphere allows enterprises to import all virtual machine workloads from VMware's vCenter into ePO (including unprotected VMs), providing visibility beyond just those workloads protected by McAfee.
- A Data Center Connector for Amazon AWS provides expanded visibility into Amazon's cloud services, including the EC2 and S3 platforms.

The Data Center Connector for vSphere is simple to set up; with account credentials and IP address (or DNS name) information for a VMware vCenter Server (the VMware management platform), ePO can connect to vCenter over a standard HTTPS channel and begin enumerating VM workloads that are known to the vCenter system. The Data Center Connector for vSphere is shown in Figure 1.

Figure 1. vCenter Connector Details

[2] For the sake of clarity, we use the term host to refer to the combination of hypervisor and physical hardware; we use the terms physical host and hypervisor when a distinction between hardware and software needs to be made.

Upon being successfully linked to a VMware virtualization infrastructure (or AWS account), ePO recognizes the connection as a registered cloud account, as shown in Figure 2.

Figure 2. Registered vCenter Cloud Account

Once the vCenter connection has been created, ePO will display a list of hosts and VMs known to the vSphere environment. These VMs also display their relationship to particular hosts, which can help security teams evaluate the placement and current state of workloads. Figure 3 illustrates the ePO console showing hosts and VMs added from vCenter.

Figure 3. Hosts and VMs from vCenter in ePO

A new Data Center ePO dashboard debuts in this version. It includes, in particular, dashboard elements that show all defined data centers known to ePO; the integration and installation of MOVE AntiVirus (also known as MOVE AV), both agent-based and agentless, across VMs and cloud systems; and the trust attestation status for hypervisors. Additional dashboard elements display the status of McAfee's file integrity monitoring, host firewall and application control tools to provide a complete picture of host-based security controls in the virtual and physical environments. The ePO console is shown in Figure 4.

Figure 4. McAfee Data Center Server Security ePO Dashboard

It is easy to drill down into the different dashboard elements. For example, the chart shown in Figure 5 shows the antimalware status for the systems known to ePO.

Figure 5. Antimalware Status for Known Systems

By clicking on the blue unprotected area of the chart, security administrators can easily list the specific systems that are currently unprotected, as shown in Figure 6.

Figure 6. Drill-down Dashboard Showing Unprotected VMs

These types of charts and dashboard elements provide a broad and configurable monitoring perspective within the entire data center, so administrators can see a variety of different aspects of the environment's security posture all at once.

Protection

The most critical element of the McAfee Server Security Suite Essentials, of course, is the protection capabilities for data center systems, and McAfee's endpoint security tools in the MOVE (Management for Optimized Virtual Environments) family do so admirably. MOVE AV optimizes the malware-processing capabilities of McAfee VirusScan in an effort to deliver improved performance and resource utilization for virtualized environments. There are three deployment options available (Agent, Agentless, or both Agent and Agentless) to meet a variety of needs. The tools include the following components:

Agentless Deployment
- MOVE AntiVirus SVA (Security Virtual Appliance). The SVA provides offloaded scanning of virtual systems, minimizing the performance impact on them.
- McAfee Agent (MA). On the SVA, this agent handles policy, task and event communication between the MOVE SVA and ePO.
- McAfee MOVE AntiVirus ePolicy Orchestrator extension. This provides policies and controls for configuring McAfee MOVE AV through ePO.
- VMware VMtools vShield Endpoint driver. This enables virtual desktops and servers to offload file scanning to the SVA, communicating over the ESXi hypervisor.

Multiplatform Deployment
- McAfee Offload Scan Server(s). These are Windows 2008 Server platforms that handle scanning for MOVE AV multiplatform agents.
- MOVE AntiVirus Client for Windows. This enables virtual desktops and servers to offload file scanning to the Offload Scan Server(s), communicating over the virtual network.
- McAfee Agent (MA). This handles policy, task and event communication between the MOVE AV client and ePO.
- McAfee MOVE AntiVirus ePolicy Orchestrator extension. This provides policies and controls for configuring McAfee MOVE AV through ePO.

Deployment Options

For public and hybrid cloud deployments, the multiplatform deployment option makes sense, because the SVA does not need to reside on the same hypervisor as the VMs being protected. With this model, virtual machines are protected from malware as follows:

1. As VMs access files, a hash value or fingerprint of those files is created and compared to a local cache/whitelist.
2. If the file fingerprint is not in the local cache, the fingerprint is sent to the SVA for scanning.
3. If the MOVE global cache does not recognize the fingerprint, the file itself is moved to the Offload Scan Server for assessment.
4. The file is analyzed and also compared to available information from McAfee's Global Threat Intelligence (GTI) service.
5. If the file is malicious, MOVE AV quarantines it, deletes it or restricts access, depending on policy for the individual VM.
6. If the file clears these checks, its fingerprint is added to the local and global cache and access is granted.
7. On future access (by the same or different endpoints), the local (guest system) or global (SVA) cache will be consulted to confirm whether access is permitted or denied.

The agentless deployment option is designed to integrate with VMware vShield Endpoint and addresses the challenges of protecting the virtual environment and keeping it free of malware without the need for a resource-intensive agent, resulting in easier deployment and configuration. For agentless deployment, the SVA must be on the same hypervisor as the protected endpoints, which makes it more ideally suited for private cloud scenarios with more control over hypervisor and VM placement. Agentless deployment requires all protected VMs to have VMware Tools installed; the MOVE system utilizes the vShield Endpoint driver feature in VMware Tools to intercept files bound for the VM's file system.

When files are analyzed in agentless deployment scenarios, the file handle is sent to the SVA first to check the global cache, and if needed, the SVA will scan the file while it's still at the individual VM endpoint, because the SVA has access to shared storage. The file is then quarantined, deleted, restricted or approved, in the same manner as the multiplatform MOVE deployment, and the local and global signature caches are both updated accordingly.

Setting up antimalware and operational policies for the MOVE multiplatform or agentless deployment within ePO is very simple.
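The tiered decision flow above (per-VM local cache, shared global cache, offload scan with a policy-driven action on detection) modelled in Python as an added illustration; this is not McAfee code, the SHA-256 fingerprint, the class names and the sample paths are assumptions, and the offload scanner is a stand-in that only recognises the EICAR test string the review used.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


class Action(Enum):
    ALLOW = "allow"
    DELETE = "delete"
    DENY_ACCESS = "deny_access"
    QUARANTINE = "quarantine"


# Constructed stand-in for the Offload Scan Server plus GTI lookup: the EICAR
# test string is flagged, anything else is treated as clean.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def offload_scan(content: bytes) -> Verdict:
    return Verdict.MALICIOUS if content == EICAR else Verdict.CLEAN


def fingerprint(content: bytes) -> str:
    # SHA-256 is an assumption; the page only says "a hash value or fingerprint".
    return hashlib.sha256(content).hexdigest()


@dataclass
class Policy:
    """Primary/secondary actions as on the Actions tab; the secondary action
    is the fallback when the primary one cannot be carried out."""
    primary: Action = Action.DELETE
    secondary: Action = Action.DENY_ACCESS


@dataclass
class ScanServer:
    """Global fingerprint cache (SVA) in front of the Offload Scan Server."""
    global_cache: dict = field(default_factory=dict)
    offload_scans: int = 0  # how often a file body actually had to be shipped

    def lookup(self, fp: str, content: bytes) -> Verdict:
        if fp in self.global_cache:
            return self.global_cache[fp]
        self.offload_scans += 1            # global cache miss: ship the file
        verdict = offload_scan(content)
        self.global_cache[fp] = verdict    # remembered for every endpoint
        return verdict


@dataclass
class Guest:
    """One protected VM with its own local fingerprint cache."""
    name: str
    server: ScanServer
    policy: Policy = field(default_factory=Policy)
    local_cache: dict = field(default_factory=dict)
    quarantine: list = field(default_factory=list)

    def access(self, path: str, content: bytes, locked: bool = False) -> Action:
        """Decide what happens when this VM touches a file.
        'locked' simulates a file the primary DELETE action cannot remove."""
        fp = fingerprint(content)
        verdict = self.local_cache.get(fp)             # step 1: local cache
        if verdict is None:
            verdict = self.server.lookup(fp, content)  # steps 2-4
            self.local_cache[fp] = verdict             # steps 6-7: cache the verdict
        if verdict is Verdict.CLEAN:
            return Action.ALLOW
        action = self.policy.primary                   # step 5: policy for this VM
        if action is Action.DELETE and locked:
            action = self.policy.secondary
        if action is Action.QUARANTINE:
            # the metadata the page says a quarantine record keeps:
            # VM of origin, original path on that VM, MD5 of the sample
            self.quarantine.append((self.name, path, hashlib.md5(content).hexdigest()))
        return action
```

Running a clean file from two VMs shows why the shared cache matters: only the first access reaches the offload scanner, and every later access on any endpoint is answered from cache.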

Multiplatform Configuration

We configured the multiplatform deployment of MOVE AV with ease, as follows. First, we established the general settings to point our clients to a set of McAfee Offload Scan Servers; we also enabled the malware file cache settings, as shown in Figure 7.

Figure 7. General Settings for Multiplatform Deployment

Setting up the types of files to scan, when scanning occurs, and specific exclusions was also easy. We opened the Scan Items tab, as shown in Figure 8, and made our selections.

Figure 8. Scan Options

In this scenario, files are scanned when reading and writing to disk, as well as when they're opened for backup. All files are scanned, and only McAfee components are excluded currently. The Alerts tab enables you to configure where you want to send alerts from the MOVE AV agent, as shown in Figure 9; the defaults are selected, sending alerts to ePO and the Offload Scan Server Windows Event Log.

Figure 9. Alert Options

The Actions tab allows administrators to select the desired primary and secondary actions that MOVE AV takes when malware is detected. Options include deleting files or denying access to files, as shown in Figure 10.

Figure 10. Malware Detection Actions

Finally, if files should be quarantined when malware is detected, setting parameters including location and duration before deletion is performed on the Quarantine tab (the default quarantine location is the Quarantine directory on the Offload Scan Server's C:\ drive), shown in Figure 11.

Figure 11. Quarantine Settings

Offload Scan Server Settings

The Offload Scan Server (OSS) is critical to the proper operation of a multiplatform deployment of MOVE AV. Setting up the protection parameters for the OSS is also simple within ePO. The General tab (not shown) enables you to configure the OSS cache, the number of concurrent scans and the number and size of log files. The Scan Settings tab enables you to configure scanning for unwanted programs (e.g., spyware and adware), as well as enforce scans for archives and MIME-encoded files. (Enabling these last two is usually not recommended, as they can degrade performance.) You can also set the sensitivity level of McAfee GTI here, as shown in Figure 12; the default is Medium.

Figure 12. Offload Scan Server Scan Settings

The Alerts tab is similar to MOVE AV's Alerts tab, where you can choose to send malware alerts to the local Windows Event Log and ePO. Finally, the On-Demand Scan tab enables you to configure whether scans can be started on demand and how many scans can be run at a time. The On-Demand Scan Time Window grid enables granular selection of days and times when scans are allowed to start.

Configuration: Agentless

The MOVE AV Agentless product scan operations are configured entirely within the Security Virtual Appliance (SVA). In order for MOVE AV to function in the agentless scenario, VMs must have VMware Tools installed to leverage the vShield Endpoint driver, which, in turn, communicates with the SVA on each host.

The first setting to configure is the SVA Authentication tab, enabling communication with vCenter Server or a host. Figure 13 shows a typical configuration, using HTTPS over TCP port 443, where the administrator or root credentials are provided.

Figure 13. SVA Authentication

The next step is to configure the Scan Settings tab. The settings on this tab are very similar to those described for the OSS (cache settings, on-demand scanning, permitted scan times), with the addition of a checkbox labeled VM-based scan configuration. This setting enables admins to add, modify and assign scan policies to individual VMs, groups or resource pools protected by the SVA. Figure 14 illustrates the Scan Settings tab options.

Figure 14. SVA Scan Settings

Finally, the SVA Quarantine settings tab controls the quarantining of files when malware is detected in them. Unlike the OSS, the SVA quarantines files to a designated network share. Users must enter credentials in the form of a username and password to allow the SVA to access the share, as shown in Figure 15.

Figure 15. SVA Quarantine Settings

The scan policies for antimalware protection in the agentless deployment are relatively straightforward to configure. The General settings, shown in Figure 16, control MOVE AV's On-Access and On-Demand scanning for VMs.

Figure 16. Agentless Scanning

The majority of the scan policy settings for MOVE AV in an agentless setup are configured in the Scan Items tab. Here, we can set up on-access scans when files are opened and/or closed, designate certain file types to scan, scan compressed and/or MIME-encoded files (again, not usually recommended) and choose McAfee GTI sensitivity levels.

McAfee antimalware heuristics, which look for behavioral patterns of files that may indicate malware, can also be enabled. The unwanted programs detection options are more granular here, enabling admins to select specific categories and types of programs that should be detected and handled under the policy. These are shown in Figure 17.

Figure 17. MOVE AV Agentless Scan Policy

In an agentless deployment, exclusions are similar to those for MOVE AV's multiplatform mode; they allow wildcards to be specified, but require the entire directory path. You can specify applicable actions on malware detection for both on-access and on-demand scans, and you can enable quarantining as well (the default is Disabled).

We determined that the McAfee MOVE AV virtualization-aware product, both agent-based and agentless, appears to perform as indicated in limited, nonperformance testing. Hypervisor statistics at normal loads did not indicate unwanted overhead due to antimalware processing. EICAR test files (nonmalicious files used to validate that signature-based scanning is functioning properly) were used to validate antimalware scanning and detection, and we successfully demonstrated the results within ePO, as shown in Figure 18.

When quarantining is enabled in an agentless deployment and MOVE AV deletes a malware file, a .vmq file is created that contains an obfuscated version of the malware file's contents. The .vmq file also has a header with associated metadata used to identify the malware sample's VM of origin, its original path on that VM, its MD5 and other properties. The .vmq file is a temporary backup of the original malware sample and will be deleted automatically once it is 28 days old.

Figure 18. MOVE Malware Detection in ePO

Boot Attestation Service

The last piece of the McAfee Server Security Suite Essentials that we reviewed was the Boot Attestation Service, which McAfee developed in conjunction with Intel and which ensures that the hypervisor image booted is the expected one. Suitable physical hosts have a chipset containing the Intel Trusted Execution Technology (TXT) functionality. Administrators boot up a machine with a gold image in a clean-room environment and extract and save the values of the registers computed by TXT (this is called a Known Good Machine, or KGM). Other similar hosts in the data center are associated with this KGM. When each of them boots up, their TXT register values are compared against those of the KGM. If they match, it is a trusted boot; if not, it is untrusted.

To set up Boot Attestation, you need to download a Linux-based Boot Attestation Server as an Open Virtualization Format (OVF) virtual appliance and then configure it to communicate with ePO. After that, you can configure simple policies, based on each host's hardware, on the Boot Attestation Server, that allow an individual host to be configured as trusted or not. A new column (VMM Trust State) appears in the hypervisor listing within ePO's system tree, as shown in Figure 19.

Figure 19. VMM Trust State Column in ePO

In addition, a new ePO Dashboard chart (Boot Attestation Status) can be displayed that shows the total number of trusted and untrusted hosts (see Figure 20).

Figure 20. Boot Attestation Status Graph in ePO

More extensive analysis of Boot Attestation settings and policies was not performed, but the fundamental product and capabilities seem to function as designed.
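The KGM comparison described in the Boot Attestation Service passage, and the trusted/untrusted totals behind the status chart, as an added Python illustration that is not McAfee or Intel code; the register names, host names, hardware classes and the SHA-256 "measurement" of labelled byte strings are all constructed stand-ins for the values TXT computes.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownGoodMachine:
    """Register values saved from a gold-image boot in the clean room."""
    hardware_class: str   # hosts with the same hardware are associated with one KGM
    registers: dict       # register name -> expected hex value


def measure(components: dict) -> dict:
    """Constructed stand-in for the TXT measurement chain: each register holds
    the hash of the component it measures (register names are invented labels)."""
    return {reg: hashlib.sha256(blob).hexdigest() for reg, blob in components.items()}


def attest(host_registers: dict, kgm: KnownGoodMachine) -> tuple:
    """Compare one host's boot-time register values against its KGM.
    Returns ("trusted", []) when every KGM register matches, otherwise
    ("untrusted", [registers that differ or are missing on the host])."""
    bad = []
    for reg, expected in kgm.registers.items():
        actual = host_registers.get(reg)
        # constant-time compare; a missing register is as bad as a wrong one
        if actual is None or not hmac.compare_digest(actual, expected):
            bad.append(reg)
    return ("trusted", []) if not bad else ("untrusted", bad)


def attest_fleet(hosts: dict, kgms: dict) -> dict:
    """hosts: name -> (hardware_class, registers); kgms: hardware_class -> KGM.
    A host whose hardware class has no KGM cannot be attested and stays untrusted."""
    states = {}
    for name, (hw, regs) in hosts.items():
        kgm = kgms.get(hw)
        states[name] = attest(regs, kgm)[0] if kgm else "untrusted"
    return states


def status_counts(states: dict) -> dict:
    """The two numbers the Boot Attestation Status chart displays."""
    return {"trusted": sum(1 for s in states.values() if s == "trusted"),
            "untrusted": sum(1 for s in states.values() if s == "untrusted")}


# Constructed sample fleet: one identical host, one whose hypervisor component
# differs from the gold image, and one on hardware that has no KGM yet.
GOLD = {"reg_bios": b"bios-fw-1.2", "reg_hypervisor": b"hypervisor-gold-image"}
KGMS = {"hw-gen-a": KnownGoodMachine("hw-gen-a", measure(GOLD))}
HOSTS = {
    "esx01": ("hw-gen-a", measure(GOLD)),
    "esx02": ("hw-gen-a", measure({**GOLD, "reg_hypervisor": b"hypervisor-modified"})),
    "esx03": ("hw-gen-b", measure(GOLD)),
}
```

Note that esx03 boots the same image as the KGM yet stays untrusted: the page ties each KGM to a hardware class, so a host must first be associated with a KGM for its hardware before a match means anything.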

Conclusion: Putting the Pieces Together

Overall, McAfee has taken a number of progressive steps in adapting its technology for virtual and cloud environments, and the Server Security Suite Essentials reflects this. The MOVE AV product was easy to set up and configure, and it integrated well with VMware vSphere virtual environments. MOVE AV will be particularly attractive to organizations looking to put an end to AV storms caused by excessive overhead processing and resource utilization on VMs; by leading to dynamic migration of guest systems, such storms can destabilize a data center environment.

In addition, the use of Intel TXT technology in the chipsets of the physical hosts adds an entirely new dimension to building a trusted multitenant cloud infrastructure, whether public or private. By controlling which VMs can run on which hosts, organizations can now gain an entirely new set of controls by which to manage their overall system and data security posture. As mainstream cloud providers move to embrace this technology and provide APIs and native monitoring capabilities for TXT protection, the security and auditability of public cloud environments may improve dramatically.

Overall, we found the products in the new McAfee Server Security Suite Essentials to work well, and they were easy to set up and configure. Because new virtual appliances are required, it's important to properly plan for the additional overhead they'll represent in the virtual data center, but some of this is likely offset by the reduction in overhead across VMs due to minimal antimalware and security processing. When more cloud provider connectors are available, and cloud providers support TXT attestation, this set of security solutions could easily facilitate a significant increase in overall cloud security in the areas of visibility and host and data protection.

About the Author

Dave Shackleford is the founder and principal consultant with Voodoo Security, a SANS analyst, instructor and course author, and a GIAC technical director. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft and CTO for the Center for Internet Security. Dave is the author of the Sybex book Virtualization Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

SANS would like to thank its sponsor: