Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection


Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments across all geographies improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

The Situation

You have been tasked with making Virtual Desktop Infrastructure (VDI) work in order to minimize the management of desktops. As you move VDI into production, you realize that the system resources required to support standard AV on these systems drop your number of concurrent users to an unacceptable level. Would-be users log in but are denied sessions for lack of VDI resources. This bottleneck can occur when a popular attachment or large file is issued companywide: multiple users open it at the same time, launching multiple AV scans. A further performance hit comes from the download and installation of the required daily updates (DAT signatures and feature updates). When multiple systems update at once, the cumulative effect on the shared memory and processing of the host causes a spike in overall resource use and can lead to a full denial of access for new requests.
With users relying on this new virtual desktop, denial of access is not an option, so you factor in additional resources and capacity, leading to a higher-cost solution.

Driving Concerns

Performance issues have made it hard for IT to implement AV efficiently in virtualized desktop infrastructures: you have either burdened the client guest image or chosen not to run AV. However, AV on desktops is a base requirement of most companies and of an increasing number of regulations, such as the Massachusetts data privacy law. IT must find a practical way to implement AV reliably and efficiently across virtualized desktop infrastructure.

Securing virtual desktops adds virtualization-specific challenges to the standard issues of maintaining up-to-date AV on traditional endpoints. Virtualization adds complexities such as:

Peak capacity issues. Workload spikes create a hypervisor overload phenomenon called AV storming (file I/O), where AV scanning and DAT updates consume all of the resources of the virtual infrastructure. This overload prevents the opening of new sessions, restricts users from going about their daily work, and decreases the availability of resources for other tasks and other clients.

Resource-intensive AV client footprints. Client-based AV scanning solutions consume significant client resources, constraining the number of clients that can be installed per hypervisor and compromising the promised efficiencies of virtualization.

Management complexity. Today, most companies have implemented independent or overlay operation of virtualization-specific security solutions that act alongside traditional security solutions. Some projects are also run differently by different teams, with varying levels of security concerns addressed in the production environment. This parallel model drives up both day-to-day operational costs and the costs of demonstrating compliance. For example, with parallel systems it is twice as difficult to ensure that the latest DAT files and feature updates are applied.

Delivering clean and secure dynamic images. When new sessions are initiated, the images should come from a well-controlled image library free of malware, to prevent infections from spreading.

Ensuring that persistent sessions stay secure. As persistent sessions are not refreshed at logoff but remain as a leased section of the data center, they are in close network proximity to critical infrastructure. They need additional security considerations to mitigate the risk that an insecure persistent session would introduce malware or open a door to a hacker.

Until IT can overcome these basic VDI challenges, most organizations are unprepared to handle the trend of Consumerization of IT, which adds the need to deliver and secure virtual sessions on employee-owned computers, tablets, or smartphones.

Solution Description

McAfee recommends two steps to achieve efficient virtual desktop infrastructure (VDI) security. First, enterprises should offload virtual desktop AV operations to a centralized system. Second, security for VDI should integrate with the broader enterprise security infrastructure. This combination addresses the specific technical requirements of desktop virtualization:

Peak capacity issues. In this model, a centralized resource (a dedicated scanning server on the host or a scanning service implemented as a virtual appliance) offloads and consolidates the processing of on-access scanning. The virtual appliance makes it easier to plan and scale capacity, since you only monitor a single environment. In addition, the memory allocation for each virtual machine decreases because of the offloading, and the freed memory can be released back to the resource pool for more effective utilization.

Resource-intensive AV client footprints. When anti-virus scanning is separated from the individual virtual machine instances, the resource requirements are drastically reduced. The guest images can concentrate exclusively on end-user application processing.

Management complexity. Independent or overlay operation of virtualization-specific solutions can be replaced. Instead, integrated systems manage the policies and scanning of virtual and physical endpoints within a consistent management and reporting environment.

Delivering clean and secure dynamic images. The design of virtual desktop infrastructure must ensure the security of the offline images that will be used to deliver dynamic images to new user requests. To keep offline images current, the solution must be able to wake up these images, scan them for viruses and malware, and refresh them with the latest security updates and/or patches. This maintenance keeps the image library controlled and free from malware, ready to serve the next user.

Ensuring that persistent sessions stay secure. Memory protection and intrusion prevention should be added to protect sessions that are not refreshed at logoff.

Decision Elements

These factors could influence your architecture:

Are you using more than one AV vendor today?
Is the security team involved during the initial design stage of a VDI project?
Do you want to provide VDI sessions to user-provided laptops, tablets, or smartphones?
Are you concerned about persistent sessions allowing buffer overflow attacks in your virtual environment?

Technologies Used in the McAfee Secure VDI Solution

To fulfill these requirements, the McAfee solution has two primary components: McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus and McAfee ePolicy Orchestrator (McAfee ePO). For further efficiencies, we offer optional integration with other McAfee solutions for endpoint protection.

Figure 1. McAfee MOVE and McAfee ePolicy Orchestrator work together to centralize and optimize AV operations in VDI. (Diagram: each client virtual desktop runs its applications, the MOVE guest component, and the OS on the hypervisor; the MOVE Virtual Appliance performs the off-loaded processing; McAfee ePO manages the clients.)

McAfee MOVE

McAfee MOVE AntiVirus (AV) supports on-access file scanning and DAT update functions within virtual desktop environments. This add-on component greatly reduces the infrastructure impact seen with traditional anti-virus deployments. McAfee MOVE AV also includes desktop Host Intrusion Prevention (Host IPS) and McAfee SiteAdvisor Enterprise. For those organizations that are going beyond dynamic VDI sessions and are concerned about memory protection for persistent sessions, the low-impact McAfee Host IPS provides additional layered security to ensure continual protection. McAfee SiteAdvisor Enterprise Plus helps you reduce risk by blocking employee access to risky websites before they click. You can customize the authorization or blocking of website access, view reporting, control messaging, and assign actions based on safety ratings, all to enable policy compliance.

The McAfee MOVE virtual appliance is the broker that enforces security for each client based on policies defined within McAfee ePO. It provides on-access scanning and security processing on behalf of guests. To ensure the responsiveness of the McAfee MOVE Server software, a virtual appliance deployment can be configured with both a primary and a secondary MOVE Server. The secondary server resides within the management network of the data center. Both servers run on dedicated virtual machines. As long as the guest is accessible on the network, continuous protection is provided.

The recommended model uses a lightweight endpoint component communicating with a centralized broker that operates AV on behalf of each virtual machine desktop. The McAfee MOVE guest component is installed on every virtual desktop to communicate with the MOVE Virtual Appliance, and the McAfee Master Agent is also installed for policy enforcement. Each virtual machine can be configured with unique and individual policies or be managed as a collective work group (satisfying the needs of different teams). The broker ensures the most recent signatures (DATs) are used as it performs on-access scanning, providing active, continuous protection during each session.

File reputation scores from McAfee Global Threat Intelligence (GTI) help these virtual desktops stay secure. The MOVE offload scanning appliance looks up file reputations in the McAfee GTI database to provide real-time protection. The cloud-based McAfee GTI system receives billions of file reputation queries each month and responds with a score that reflects the likelihood that the file is malware. These reputation scores are based not only on the collective intelligence from sensors querying the McAfee cloud and the analysis performed by McAfee Labs researchers and automated tools, but also on the correlation of cross-vector intelligence from file, web, and network threat data.

McAfee MOVE reduces implementation complexity through its support for all of the leading virtual desktop infrastructure solutions, including Citrix, VMware, and Microsoft.

McAfee ePolicy Orchestrator (McAfee ePO)

McAfee ePO is the centralized policy and management environment used by McAfee products as well as many McAfee partner solutions. For McAfee Secure VDI, this platform installs client software on each guest image, pushes out new policies, monitors client activity, and stores and sends out content and client updates.

McAfee ePO Extension provides the interface for configuration, scheduling, and security reporting for McAfee MOVE components.
McAfee ePO Agent acts as an intermediary between the guest and the McAfee ePO console and database.
McAfee ePO itself provides a single pane of glass for managing security in both virtualized and physical infrastructures and can roll up status reports across these infrastructures.
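The peak-capacity argument (a companywide attachment and simultaneous DAT updates triggering one scan and one download per guest, versus a broker that scans on behalf of all guests on the host) as an added toy model. This is constructed illustration code, not McAfee MOVE's implementation; the per-file verdict cache keyed by DAT version, the constructed bad-hash list, and the millisecond costs are assumptions made for the model.

```python
"""Toy capacity model of an AV storm on a VDI host.

Constructed illustration, not McAfee MOVE code: it contrasts per-guest
on-access scanning with an off-load broker that scans each distinct file
once per DAT version and answers later guests from a verdict cache.
Costs are in assumed CPU-milliseconds of host time.
"""
import hashlib

FULL_SCAN_MS = 1000      # assumed cost of one on-access scan
CACHE_HIT_MS = 10        # assumed cost of a cached verdict lookup
DAT_UPDATE_MS = 5000     # assumed cost of downloading/installing a DAT

# Constructed "bad file" list: the SHA-256 of a made-up sample stands in
# for the broker's signature and reputation lookup.
BAD_HASHES = {hashlib.sha256(b"constructed malware sample").hexdigest()}


def guest_local_storm(n_guests, n_dat_updates=1):
    """Every guest scans the companywide attachment itself and every
    guest downloads the daily DAT: host cost grows with guest count."""
    scan_cost = n_guests * FULL_SCAN_MS
    update_cost = n_guests * n_dat_updates * DAT_UPDATE_MS
    return scan_cost + update_cost


class OffloadBroker:
    """Scanning service acting on behalf of all guests on the host."""

    def __init__(self):
        self.dat_version = 1
        self._verdicts = {}        # (sha256, dat_version) -> verdict
        self.full_scans = 0

    def update_dats(self):
        # One download for the whole host. Verdicts cached under the old
        # DAT version stop matching, so files are rescanned with new DATs.
        self.dat_version += 1
        return DAT_UPDATE_MS

    def scan(self, data):
        """Return (verdict, host_ms) for one guest's on-access request."""
        key = (hashlib.sha256(data).hexdigest(), self.dat_version)
        if key in self._verdicts:
            return self._verdicts[key], CACHE_HIT_MS
        self.full_scans += 1
        verdict = "malware" if key[0] in BAD_HASHES else "clean"
        self._verdicts[key] = verdict
        return verdict, FULL_SCAN_MS


def broker_storm(n_guests, n_dat_updates=1):
    """Same storm with scanning off-loaded: the DAT is fetched once, the
    attachment is scanned once per DAT version, other guests pay a hit."""
    broker = OffloadBroker()
    total = 0
    for _ in range(n_dat_updates):
        total += broker.update_dats()
    attachment = b"Q3 all-hands deck (constructed sample)"
    for _ in range(n_guests):
        _verdict, cost = broker.scan(attachment)
        total += cost
    return total, broker.full_scans


if __name__ == "__main__":
    print("local  host ms:", guest_local_storm(500))
    print("broker host ms, full scans:", broker_storm(500))
```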

Impact of the Solution

Deployment of McAfee MOVE and McAfee ePO addresses the driving concerns we outlined at the beginning, including AV storming and other peak capacity issues, client resource consumption, management complexity, and the security needs of dynamic images and persistent sessions. With the McAfee solution, you can achieve the maximum ROI of your virtual environment. For example, the design improves hypervisor density (MOVE AV has shown dramatic improvements in VDI density as compared to running McAfee VirusScan Enterprise locally) and enables efficiencies in CPU, disk, and file I/O management.

Even though in a virtual environment you can reimage quickly, the goal is to prevent you from having to perform this activity in the first place. By scanning and updating images even in an offline state, McAfee MOVE AV for virtual desktops ensures that the image library is well controlled and free of malware. This design improves the user experience, with access whenever users need it, while unburdening the hypervisor.

By overcoming the basic obstacles of creating a secure VDI, you can free your users to connect from multiple sources and networks. With this freedom, your company can move ahead with IT initiatives such as support for personal devices or the move to a hosted data center.

Q&A

Does MOVE AV include the anti-virus scanning engine?
Yes. MOVE AV provides McAfee VirusScan Enterprise (VSE) for the dedicated off-load scanning server or the MOVE off-load scanning virtual appliance deployment.

Do I need to install McAfee VirusScan into each virtual desktop?
No. The MOVE AV Server provides AV functionality on behalf of the endpoints, reducing the workload of each virtual desktop. MOVE AV for virtual servers needs to have McAfee VirusScan installed within the server, but there is no need to install McAfee VirusScan into each virtual desktop.

Why does MOVE AV for VDI only provide on-access virus scanning?
As most dynamic sessions are refreshed for every login, the common files are in a known clean state. The concern is to ensure that new files a user brings into the environment, such as emails, downloads, or files from USB devices, are scanned on access to ensure that they are free of malware. In addition to AV scanning, MOVE AV also includes desktop Host Intrusion Prevention (Host IPS) and McAfee SiteAdvisor Enterprise. For those organizations that are going beyond dynamic VDI sessions and are concerned about memory protection for persistent sessions, the low-impact McAfee Host IPS provides additional layered security to ensure continual protection. McAfee SiteAdvisor Enterprise Plus helps you reduce risk by blocking employee access to risky websites before they click. You can customize the authorization or blocking of website access, view reporting, control messaging, and assign actions based on safety ratings, all to ensure policy compliance.

Additional Resources

www.mcafee.com/move
www.mcafee.com/epo
www.mcafee.com/producttrials

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected

About the Author

Uy Huynh is a Senior Director for Sales Engineering at McAfee. He is responsible for ensuring his team delivers the right security solutions, designs, and best practices to help customers improve their security postures and protect their most important digital assets. Uy is a security expert who has worked with large Fortune 100 customers such as HP, Oracle, AT&T, McKesson, and others to select the right security products to meet their complex requirements. Prior to McAfee, he led and created the SE organization at Foundstone. There he developed best practices for vulnerability management and risk management for large networks and systems. Prior to Foundstone, he was a Senior Consultant at ISS, where he deployed a variety of security solutions, policies, and technologies at large organizations.

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com

McAfee, McAfee Application Control, McAfee ePolicy Orchestrator, McAfee ePO, McAfee Global Threat Intelligence, McAfee Labs, McAfee MOVE AV, SiteAdvisor, VirusScan, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2011 McAfee, Inc. 32700bp_vdi-L3_1011_wh