JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE


White Paper
JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE
Copyright 2012, Juniper Networks, Inc.

Table of Contents

Executive Summary ... 3
Introduction ... 3
Typical Antivirus Use Cases ... 3
Use Case 1: Compliance ... 3
Use Case 2: Public Cloud/Multi-tenant Hosting ... 3
Use Case 3: Virtual Desktop Infrastructure (VDI) ... 4
Firefly Host Antivirus Protection ... 4
The Value of Firefly Host On-Access Scanning ... 5
The Value of Firefly Host On-Demand Full Disk Scanning ... 5
VM Memory Usage ... 7
VM Disk Usage ... 7
Conclusion ... 7
About Juniper Networks ... 8

List of Figures

Figure 1: On-access scanning ... 5
Figure 2: On-demand scanning ... 6
Figure 3: Performance comparison of no antivirus, Firefly Host, and competitive solution ... 6
Figure 4: VM memory usage (MB) ... 7
Figure 5: VM disk usage (MB) ... 7

Executive Summary

Virtual machines (VMs) have the same software stack (operating system and applications) as physical machines. As such, they are just as susceptible to virus and malware attacks as their physical counterparts. An infected VM can not only wreak havoc by bringing down the hypervisor host and affecting tens to hundreds of VMs on the same hypervisor host, but it can also migrate the infection to other hypervisor hosts via technologies like VMware vMotion live migration, propagating it across the entire virtualized data center. Virtualized environments demand elegant resource sharing among VMs and their applications, and they demand proper protection against malware attacks.

The problem with traditional agent-based antivirus solutions is that they were not designed for virtual environments. They are resource intensive and have led customers to encounter problems such as antivirus storms and brownouts. In addition, thick agents consume a lot of memory and disk and waste resources by duplicating tasks like signature updates for each VM on the hypervisor host.

Introduction

What organizations require to meet today's VM challenges is hypervisor-based antivirus protection that has minimal impact on memory and disk usage, and that is optimized to leverage the virtualized infrastructure in a way that delivers malware protection while preserving the benefits of virtualization, like VM consolidation ratios. Juniper Networks Firefly Host* is exactly this type of solution. Firefly Host delivers security without compromising virtualization benefits. Moreover, it is integrated with the Firefly Host hypervisor-based stateful firewall to ensure that detection is coupled with industry-leading enforcement capabilities. Also, all Firefly Host security and visibility features are managed from a centralized management console to guarantee administrative efficiency and reduce errors.

This paper will review common antivirus use cases and explain how Firefly Host eliminates conventional scanning challenges like antivirus storms and brownouts, while maintaining the VM's security posture.

Typical Antivirus Use Cases

Three common use cases for antivirus software include compliance, public cloud/multi-tenant hosting, and virtual desktop infrastructure (VDI).

Use Case 1: Compliance

Virtualized environments are not exempt from regulatory and compliance requirements. In fact, certain regulations, including the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX), the Gramm-Leach-Bliley Privacy Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), require that companies deploy antivirus protections as an added layer of protection toward the prevention of data breaches. For example, the PCI DSS has 12 compliance requirements, the fifth of which is dedicated specifically to antivirus. In order to remain virus vigilant and compliant, organizations must use and regularly update antivirus software on all systems commonly targeted by malware. They must also choose antivirus software that is capable of real-time detection of threats and can provide reports to show which resources (e.g., PCI resources) are protected and which may have suffered from an attack. This is the only way that direct and timely action can be taken to mitigate risks.

Use Case 2: Public Cloud/Multi-tenant Hosting

To compete in the ever growing cloud hosting market, providers must be able to deliver seamless, high quality service, meaning the fewer performance issues they need to contend with, the better. They also need to deal with the fact that cybercriminals are becoming more resourceful, making it increasingly difficult to identify and mitigate the risks associated with web-based malware.

For these reasons, antivirus solutions have emerged as critical for the protection of VM availability and integrity against common threats. This is especially true for the VMs of hosted tenants who rely on the cloud service provider to deliver VM performance guarantees. The problem with typical antivirus strategies is that they can degrade VM and hypervisor performance. For example, if a VM uses 50 percent of its processor power to scan every file, then the applications that the VM is hosting are sure to suffer in performance. If you have 20 VMs simultaneously running antivirus scans, that concern is going to lead to severe performance degradation of the entire hypervisor and all guest VMs. In a cloud hosting environment, this could mean impacting tenants with business process outages and a poor online experience for their customers. The key to a winning antivirus strategy lies in avoiding this all-at-once monopolization of resources. A winning antivirus solution should enable a provider to define scanning requirements, and should be intelligent enough to schedule and perform the scanning based on resource availability. It should also enable organizations to schedule the scans to run on a periodic basis.

*Formerly vGW Virtual Gateway

Customers moving to the public cloud for hosting of their business assets and applications should not have to make a choice between securing their VMs and performance. In this sense, it is a customer's responsibility to seek out hosting providers who have provisioned purpose-built, virtualization-specific security suites that offer VM protections at scale. And it is a provider's responsibility to add as many valuable services as possible, including providing client-less antivirus service via on-demand scans so as not to impact end user business uptime.

Use Case 3: Virtual Desktop Infrastructure (VDI)

Antivirus protections are imperative for VDI environments. If proper steps are not taken, it can be risky to virtualize desktops and run VDI VMs in the heart of the data center alongside other regular data center VMs. End users who are accessing virtual desktops are doing so from a new location, the virtualization platform, which is closer to protected resources (e.g., finance VMs). Should users continue to perform unknown and potentially dangerous activities (such as downloading malicious content, probing or hacking the network), any negative impact could be much further reaching. This makes it extremely important to analyze the connection point and privileges for a physical desktop or laptop, as well as for a hosted virtual desktop. Not only should network connections be protected, but VDI VMs should be scanned frequently for the presence of malware or infected files. Although an infected image may be cleaned in a VDI environment, the new image that replaces it can still be susceptible to infection. This can depend on the behavior responsible for the initial infection (e.g., download of an infected file from a malicious website). If this behavior is repeated, it can result in a recurring VM infection that can potentially be passed along to other users in the shared VDI environment.

This shared virtual location means that a user who is continually infecting a VM is now in a position to exacerbate the issue by continually infecting other VMs on the virtual platform. While a single rogue user who keeps infecting a physical laptop may not be a big problem, having that same user infect a VDI VM and then spread that infection to other VMs is a huge problem. Simply relying on the image restore capabilities of VDI does not preclude a user from needing proper virus protection. Constant rebuilding of VM images in a VDI environment can contribute to performance bottlenecks and management overhead. For example, if a VM gets reset to a clean image state because a virus infection occurred, it may be necessary to download and reapply updated operating system patches to the VM. This is compounded by the need to be vigilant about ensuring that the image is not infected and does not contain old versions of vulnerable software or configuration settings that have been altered for security since the image was created.

Antivirus storms are yet another concern in environments with a large number of VDI VMs. These occur when VMs simultaneously attempt to retrieve signature updates and conduct malware scans. During such a storm or brownout, a VDI environment can experience extreme lag or, in the worst case, come to a halt (recall that VDI VMs are guests of a single host and share its hardware resources). Moreover, the dynamic nature of provisioning desktops and their overall load in a virtualized environment make capacity planning difficult. Even if the user desktop can run traditional antivirus software within the individual VM, the cumulative performance impact of many VMs loaded individually with antivirus software can be profound. This directly affects the total number of virtual desktops that can be supported within the environment, and it decreases the expected return on investment for virtualization software and hardware.

Together, these considerations further the case for virtualization-specific antivirus that enables proper management of scans through an agent-less approach to reduce antivirus impact on VDI systems.

Firefly Host Antivirus Protection

Firefly Host can help resolve the antivirus issues for these use cases and others. Firefly Host, which includes virtualization-specific antivirus, provides malware protection (from viruses, worms, and spyware) with minimal impact on VM memory and disk. The Firefly Host antivirus engine provides optional on-access and on-demand scanning so that administrators can choose to scan files in real time, use the completely agent-less offline approach, or both. With numerous options for when and what to scan, organizations can optimize their antivirus scanning mechanisms for performance in the most cost-effective manner by obviating the need to buy licenses for all VMs or run CPU-intensive applications on all guest VMs.

The Firefly Host antivirus feature provides improved security and flexibility that agents alone cannot provide through:

- Use of its kernel module installed on the VMware ESX/ESXi host hypervisor
- Its management integration
- Its ability to scan VMs with only a light installation on the VM through its Firefly Host Endpoint
- Its ability to scan VMs entirely without any installation on the VM through its on-demand feature

The Value of Firefly Host On-Access Scanning

The Firefly Host on-access scanning option, with settings that can easily be adjusted and fine-tuned to an organization's precise needs, protects VMs against malicious content downloading or execution in real time. It does so by detecting malware or viruses on VMs, quarantining the infected files or the infected guest VMs themselves, and enabling definition of a remediation plan. With the use of these features, organizations can prioritize scanning processes and optimize performance by lowering memory and CPU usage and decreasing disk I/O.

If an IT administrator is trying to save a file (e.g., from a file share), Firefly Host will trap the call, intercept the file, and scan it for malware. If the file is found to be infected, Firefly Host will quarantine it and alert stakeholders. This is a critical optional scanning mechanism of the antivirus module within the Firefly Host product that can essentially ensure that VMs, especially highly critical VMs, high-risk VDI VMs, or file servers, do not end up infecting other VMs. And this is all accomplished in a very computationally efficient way to ensure that scans do not consume so much memory that they disrupt VM operation.

[Figure 1: On-access scanning. One antivirus engine, one signature database, small agent on VMs. Steps: 1. Install small agent on VM; 2. File accesses are captured by the agent and sent to the SVM; 3. On-access AV scan; 4. Scan results are cached for performance. Components: AV Engine and Signature Database inside the Security VM (SVM), the Firefly Host Engine in the VMware kernel, ESX or ESXi host hypervisor.]

Figure 1 shows the basic four step process for completing an on-access scan. Additionally, for on-access scanning, Firefly Host must authenticate the Firefly Host Endpoint system with the Security VM, which is installed on each host and contains the antivirus signature database and scanning engine. Following these steps makes it impossible to create a spoofed Security VM that can begin receiving files from guest VMs. Once Firefly Host has established the authentication between the components, it then allows the transfer of packets to flow between them to validate that files are clean. If not clean, the files will be written to a quarantine location on the guest VM (i.e., quarantined files are isolated in each guest VM). At this point, administrators can either choose to delete a file from quarantine or transfer the file out of quarantine (the file is altered so as not to infect anything else and sent to the Firefly Host administrator's system, where it can be analyzed and, if appropriate, restored). The on-access disk scanning feature further protects the guest VM from viruses already resident on it by allowing a scheduled offline full or partial disk scan.

The Value of Firefly Host On-Demand Full Disk Scanning

The Firefly Host on-demand scanning feature can conduct full VM disk scans on a periodic and sequential schedule to significantly diminish antivirus storms. The offline on-demand option scans guest VMs periodically, examining virtual disk files for malicious content. Because the antivirus feature does not need to be deployed on each VM for scanning, it can perform scans on virtual disk files from a centralized location. This increases the engine's efficiency and allows it to conduct the scan from outside the VM, which helps with the detection of rootkits.

Scheduled on-demand antivirus scans influence host resource saturation. As previously reviewed, it is okay if a small number of VMs run CPU-intensive scans. However, organizations can start to run into issues when those VM numbers begin to increase. An antivirus solution should provide flexibility and allow users to choose between automatically, manually, or randomly running scans so as to reduce the potential for VM host CPU saturation.
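A simplified model of the on-access path in Figure 1, added here as an illustration and not Juniper's code: a light endpoint on each guest traps file accesses and forwards the content to one Security VM, which scans against one signature database, caches verdicts by content hash so a file already seen from any guest is not rescanned, and has the endpoint quarantine infected files on its own guest. Signature strings, file contents and VM names are constructed sample data, and the real engine's matching logic is not modelled.

```python
"""Model of on-access scanning through a shared Security VM (SVM).

Added example, not Juniper code. Constructed sample data throughout.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample "signatures": byte markers a real engine would match on.
SIGNATURE_DB = {
    "Sample.Dropper": b"MZ\x90\x00DROPPER-MARKER",
    "Sample.Worm": b"WORM-MARKER-CONSTRUCTED",
}


@dataclass
class SecurityVM:
    """One engine and one signature database per ESX/ESXi host (Figure 1 SVM)."""
    signatures: dict
    verdict_cache: dict = field(default_factory=dict)  # sha256 -> threat name or None
    engine_scans: int = 0

    def scan(self, content: bytes):
        """Return (threat_name_or_None, served_from_cache)."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.verdict_cache:          # step 4: cached result reused
            return self.verdict_cache[digest], True
        self.engine_scans += 1                    # step 3: real engine scan
        threat = next((name for name, marker in self.signatures.items()
                       if marker in content), None)
        self.verdict_cache[digest] = threat
        return threat, False


@dataclass
class Endpoint:
    """Light agent on the guest VM (step 1, the Firefly Host Endpoint)."""
    vm_name: str
    svm: SecurityVM
    quarantine: dict = field(default_factory=dict)  # path -> content, per guest

    def on_file_access(self, path: str, content: bytes) -> dict:
        """Step 2: trap the file access and hand the content to the SVM.
        Infected files are moved to this guest's own quarantine location."""
        threat, cached = self.svm.scan(content)
        if threat is not None:
            self.quarantine[path] = content
        return {"vm": self.vm_name, "path": path, "threat": threat,
                "cached": cached, "allowed": threat is None}


def simulate_shared_download(vm_count: int = 30) -> dict:
    """vm_count guests on one host all open the same clean file and the same
    infected file. With one SVM and a verdict cache, the engine scans each
    distinct file once, however many guests touch it."""
    svm = SecurityVM(SIGNATURE_DB)
    clean = b"quarterly-report.docx contents (constructed)"
    infected = b"installer-header" + SIGNATURE_DB["Sample.Dropper"] + b"-padding"
    results, quarantined = [], 0
    for i in range(vm_count):
        ep = Endpoint(f"VM{i + 1}", svm)
        results.append(ep.on_file_access(r"C:\Users\Public\report.docx", clean))
        results.append(ep.on_file_access(r"C:\Users\Public\setup.exe", infected))
        quarantined += len(ep.quarantine)
    return {"results": results, "engine_scans": svm.engine_scans,
            "quarantined_files": quarantined}


if __name__ == "__main__":
    out = simulate_shared_download(30)
    print(f"engine scans: {out['engine_scans']}, "
          f"quarantined: {out['quarantined_files']}")
```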

The Firefly Host antivirus feature minimizes performance impact on the guest VM and host in both cases (on-access and on-demand) by centralizing the scanning on the Firefly Host Security VM instantiated on each VMware ESX/ESXi system, rather than executing the antivirus functions via thick clients on each guest VM. The Firefly Host Endpoint on a VM passes the file (or, in some cases, only the portion of the file necessary to determine whether it contains a virus) to the Firefly Host Security VM across the virtualized network for examination whenever the VM accesses or attempts to transmit a file. For on-demand scanning, the Security VM mounts a snapshot of the virtual disk of the guest VM, traverses the contents directly, and passes them to the scan engine, all at a rapid rate of 5 MB/second.

[Figure 2: On-demand scanning. One antivirus engine, one signature database, no agent on VMs. Steps: 1. Create snapshot; 2. Full-disk AV scan; 3. Delete snapshot. Components: AV Engine and Signature Database inside the Security VM (SVM), the Firefly Host Engine in the VMware kernel, ESX or ESXi host hypervisor.]

[Figure 3: Performance comparison of no antivirus, Firefly Host, and competitive solution. Performance graph: % performance degraded (30 VMs, MS Office on-access execution time) relative to the no-antivirus baseline. Values shown: -4.013% (Firefly Host Antivirus 5.0) and -28.688% (Competitive Antivirus, typical agent).]

VM Memory Usage

[Figure 4: VM memory usage (MB). Firefly Host Antivirus 5.0 versus Competitive Antivirus (Typical Agent), measured at 15, 30, and 45 VMs.]

VM Disk Usage

[Figure 5: VM disk usage (MB). Firefly Host Antivirus 5.0 versus Competitive Antivirus (Typical Agent), measured at 15, 30, and 45 VMs.]

Conclusion

Antivirus protection should be another layer of defense against hacking, malware, and code that aim to disrupt business and rob organizations of valuable information. It should not be a performance killer. Traditional antivirus approaches, when deployed within virtualized environments, are extremely punitive on CPU and RAM for guest VMs, using up far too much of these resources and requiring that organizations buy more VM hosting hardware to support the additional protections. With the Juniper Networks Firefly Host, antivirus processing is extremely efficient, making use of virtualized environment awareness and innovative design so that antivirus scans are applied when it makes sense and to what matters most. As a result, Firefly Host offers organizations the highest quality and most sophisticated antivirus protection available, all at minimal impact to performance.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at +1-866-298-6428 or an authorized reseller.

Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

2000456-002-EN Nov 2013