WHITE PAPER

Deploying Steelhead Appliances with Symantec Endpoint Protection 11.0
Solutions Guide
Riverbed Technical Marketing
DEPLOYING RIVERBED STEELHEAD APPLIANCES WITH SYMANTEC ENDPOINT PROTECTION 11.0

Overview

As the internet has evolved, many enterprises face growing challenges in protecting their computers from viruses. Antivirus software has become just as important as any office productivity software. Without reliable anti-virus software, computers are vulnerable to any number of attacks resulting in data loss or theft of important information, thus impacting today's business environment.

Symantec Endpoint Protection 11.0 combines Symantec anti-virus with advanced threat protection to deliver unmatched defense against malware for laptops, desktops and servers. It seamlessly integrates essential security technologies in a single agent and management console, increasing protection and helping lower total cost of ownership.

However, one drawback of anti-virus software is its heavy burden on the WAN when deploying client software and new virus definition files. This paper describes how to deploy Riverbed Steelhead Appliances to optimize Symantec Endpoint Protection performance and reduce WAN traffic for the enterprise. Test results show that Steelhead Appliances provide up to 99% data reduction and 10 times performance improvement when deploying Symantec Endpoint Protection client software, and up to 95% data reduction when deploying new virus definitions over the WAN.

More detailed information on Symantec Endpoint Protection and anti-virus protection can be found at: http://www.symantec.com/business/endpoint-protection. To get more information on the complete suite of features and services provided by Steelhead, please go to http://www.riverbed.com/.

2010 Riverbed Technology. All rights reserved.
LiveUpdate

LiveUpdate is the Symantec technology for automatically updating Symantec virus definitions and products. The LiveUpdate client is included with the Symantec Endpoint Protection product and is installed automatically. Periodically, the LiveUpdate client connects to a LiveUpdate server to check for new updates that apply to the Symantec products installed on the computer. If any updates are found, the LiveUpdate client prompts the user to download and install the update.

LiveUpdate offers the option to use either a Symantec LiveUpdate server or, for host computers that are connected to a private network, an internal Central LiveUpdate server. Each LiveUpdate client can be configured separately to use either server. When a Symantec server is used, LiveUpdate clients connect using HTTP or FTP to a server located at a Symantec LiveUpdate site. If an internal Central LiveUpdate server is used, clients communicate with it for new updates. Using a Central LiveUpdate server means that clients do not need to connect to an external network for virus definitions and product updates. This reduces the LiveUpdate traffic between the local network and Symantec LiveUpdate sites.

Figure 1 shows the various deployment scenarios for Symantec Endpoint Protection 11.0 and LiveUpdate.

[Figure 1: Endpoint Protection and LiveUpdate Deployment Scenarios]

For option 1, the default Management Server downloads the updates from the default Symantec LiveUpdate server. Clients communicate with the Management Server for updates. This option is the simplest, requiring only a connection between the Management Server and the default Symantec LiveUpdate server over the WAN.

For option 2, clients communicate directly with the default Symantec LiveUpdate server for updates over the WAN.

For option 3, an internal LiveUpdate server is configured and communicates with the default Symantec LiveUpdate server for updates over the WAN. Clients communicate with the internal LiveUpdate server for updates. This option is similar to option 1 but requires additional hardware for the internal LiveUpdate server. Updates are offloaded from the Management Server to the internal LiveUpdate server.
Deployment Architecture and Requirements

For our deployment, we elected to use option 1, which is the simplest, requiring only a server configured with Endpoint Protection Manager 11.0 in the Datacenter that connects directly to the default Symantec LiveUpdate server to update Symantec virus definitions and products.

Requirements

- One Server in the Datacenter with the following:
  o Microsoft Windows Server 2003 or Windows Server 2008
  o Symantec Endpoint Protection 11.0
- One Steelhead Appliance in the Datacenter running RiOS 6.1.0
- One Steelhead Appliance in the Branch running RiOS 6.1.0
- Two Desktop Clients with the following:
  o Microsoft Windows XP or Windows 7

Figure 2 illustrates the test configuration used for this simple deployment.

[Figure 2: Test Configuration. Components shown: Symantec LiveUpdate; WAN (T1 / 100 ms RTT latency); DATACENTER / SYMANTEC ENDPOINT PROTECTION; BRANCH OFFICE / USERS]
Test Scenario 1: Optimizing Deployment of Client Software over the WAN

Symantec Endpoint Protection was tested in a simulated WAN environment using 100 millisecond latency across a T1 link. In this test, a client install package was deployed over the WAN. The package totaled approximately 194 MB and consisted of the following products:

1. Anti-virus and antispyware protection
2. Firewall protection
3. Intrusion Prevention protection
4. Application and Device Control protection
5. LiveUpdate Settings

A Cold Run is defined as a data transfer that has never been seen by the Steelhead appliance before (a completely new file). A Warm Run is defined as a data transfer in which the Steelhead appliance has seen most or all of the data before.

By default, Symantec uses the WAN-friendly CIFS protocol to deploy the client software (see figure 3).

[Figure 3: CIFS Port 445 for Deploying Client Software]

Test results show that Riverbed Steelhead appliances dramatically accelerate Symantec Endpoint Protection and significantly reduce WAN bandwidth utilization. The deployment of client software resulted in more than a 10 times speed improvement (see figure 4) and over 99% data reduction in bandwidth utilization (see figure 5). Depending on data types and WAN configuration, your results may vary.

[Figure 4: Deploying Client Software (Time to complete in seconds). Bar chart with series Without Steelhead, Cold Run and Warm Run; axis 0 to 2500 seconds]
[Figure 5: Deploying Client Software (Bandwidth Utilization in KB). Bar chart with series Without Steelhead, Cold Run and Warm Run; axis 0 to 250000 KB]

Test Scenario 2: Optimizing Deployment of New Virus Definitions over the WAN

In this test, new virus definitions were deployed from the Symantec Endpoint Protection Manager to the clients over the WAN. By default, Symantec uses port 8014 for this communication (see figure 6).

[Figure 6: Communication Port 8014 for Symantec Endpoint Protection Manager and Clients]

Test results show that Riverbed Steelhead appliances dramatically accelerate deployment of new virus definitions and significantly reduce WAN bandwidth utilization. The deployment of new virus definitions resulted in over 95% data reduction in bandwidth utilization (see figure 6). Depending on data types and WAN configuration, your results may vary.
[Figure 6: Deploying New Virus Definitions (Bandwidth Utilization in Bytes). Bar chart with series Without Steelhead, Cold Run and Warm Run; axis 0 to 200000 bytes]

Conclusion

The test results presented indicate that Riverbed Steelhead Appliances are essential to the Enterprise when running Symantec Endpoint Protection. Client software and new virus definitions are quite large and can place a heavy burden on the WAN. Customers can expect significant data reduction and improved performance when deploying client software, and significant data reduction when deploying new virus definitions over the WAN. Deploying Steelhead Appliances showed significant data reduction of up to 99% and improved performance of up to 10 times faster when deploying client software.

About Riverbed

Riverbed Technology is the IT infrastructure performance company. The Riverbed family of wide area network (WAN) optimization solutions liberates businesses from common IT constraints by increasing application performance, enabling consolidation, and providing enterprise-wide network and application visibility, all while eliminating the need to increase bandwidth, storage or servers. Thousands of companies with distributed operations use Riverbed to make their IT infrastructure faster, less expensive and more responsive. Additional information about Riverbed (NASDAQ: RVBD) is available at www.riverbed.com.

Riverbed Technology, Inc.
199 Fremont Street
San Francisco, CA 94105
Tel: (415) 247-8800
www.riverbed.com

Riverbed Technology Ltd.
Farley Hall, London Road, level 2
Binfield Bracknell, Berks RG42 4EU
Tel: +44 1344 354910

Riverbed Technology Pte. Ltd.
391A Orchard Road #22-06/10
Ngee Ann City Tower A
Singapore 238873
Tel: +65 6508-7400

Riverbed Technology K.K.
Shiba-Koen Plaza Building 9F
3-6-9, Shiba, Minato-ku
Tokyo, Japan 105-0014
Tel: +81 3 5419 1990