Antivirus specific to virtualized environments
DESCRIPTION
Talk by Álvaro Sierra, Major Account Manager at Trend Micro, during the Jornada Tecnológica 2011 of Nextel S.A. http://www.nextel.es/eventos_/jornada-tecnologica/
TRANSCRIPT
Copyright 2009 Trend Micro Inc.
Alvaro Sierra, Major Account Manager
Efficient protection for virtual environments
Trend Micro Smart Protection Network: Security Made Smarter
[Diagram: File Reputation, Web Reputation and Email Reputation services fed by Threat Collection from Partners (ISPs, Routers, etc.), Endpoint, Gateway, SaaS/Managed, Cloud, Management, Off Network, Messaging and Threats]
Deep Security 7.5
http://www.vmware.com/solutions/partners/alliances/trendmicro.html
Security: the #1 Cloud Challenge
"Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined." – Gartner (April 2010)
The Dynamic Datacenter: Physical → Virtual → Cloud
• "88% of North American enterprises [no] virtualization security strategy" – Forrester Research / Info Week
• "Number one concern (87.5%) about cloud services is security." – Frank Gens, IDC, Senior VP & Chief Analyst
• "2012, 60% of virtualized servers… less secure than… physical servers…" – "Addressing the Most Common Security Risks in Data Center Virtualization Projects", Gartner, 25 January 2010
• "Technologies and practices for securing physical servers won't provide sufficient protections for VMs." – Neil MacDonald, Gartner, June 2009
Where is it vulnerable?
Days and even months pass until patches are available and have been tested/deployed
• "Microsoft Tuesday"
• Oracle
• Adobe
Developers are not available to fix the vulnerabilities
• They are no longer at the company
• They are working on other projects
Patches are no longer released
• Red Hat 3 -- Oct 2010
• Windows 2000 -- Jul 2010
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009
Systems cannot be patched because of high cost, regulations or SLAs
• POS: point-of-sale terminals
• construction site cabins
• medical devices…
VMs Need Specialized Protection
Same threats in virtualized servers as physical
New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
Server Virtualization Security: overcoming resource contention – the old way
[Diagram: a typical AV console schedules the 3:00am scan on every VM at the same time]
Server Virtualization Security: overcoming resource contention – a new, better way
[Diagram: a Security Virtual Appliance coordinates the scans, staggered at 3:00am, 4:00am, 5:00am and 6:00am]
vSphere 4 - VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
Agentless Anti-Virus Overview: these are the key "building blocks" for VMware customers
Agent-less Anti-Virus for VMware
The idea: protection for virtualized desktops and datacenters
The components:
• Trend Micro Deep Security Anti-malware – a virtual appliance that detects and blocks malware (web threats, viruses & worms, Trojans).
• VMware vShield Endpoint – enables offloading of antivirus processing to Trend Micro Deep Security Anti-malware, a dedicated, security-hardened VM.
Differentiator: the first and only agentless anti-virus solution architected for VMware
Customer benefits: Better Manageability, Higher Consolidation, Faster Performance, Stronger Security
Deep Security Architecture
[Architecture diagram: vShield Endpoint]
Protection beyond Anti-Malware: beyond providing Agentless AV, Trend Micro Deep Security provides additional protection for VMware customers
Deep Security modules (deployed Agentless via the VMsafe APIs, or Agent-based):
• Anti-Malware – Detects and blocks malware (web threats, viruses & worms, Trojans). (PCI*)
• IDS / IPS – Detects and blocks known and zero-day attacks that target vulnerabilities (PCI*)
• Web Application Protection – Shields web application vulnerabilities (PCI*)
• Application Control – Provides increased visibility into, or control over, applications accessing the network
• Firewall – Reduces attack surface. Prevents DoS & detects reconnaissance scans (PCI*)
• Integrity Monitoring – Detects malicious and unauthorized changes to directories, files, registry keys. (PCI*)
• Log Inspection – Optimizes the identification of important security events buried in log entries. (PCI*)
(PCI*): Helps address one or more PCI Data Security Standards and other compliance requirements
Deep Packet Inspection
IDS/IPS
– Vulnerability rules: shield known vulnerabilities from unknown attacks
– Exploit rules: stop known attacks
– Smart rules: zero-day protection from unknown exploits against an unknown vulnerability
– Microsoft Tuesday protection is delivered in sync with public vulnerability announcements
– On the host/server (HIPS)
Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web applications until code fixes can be completed
– Shield legacy applications that cannot be fixed
– Prevent SQL injection, cross-site scripting (XSS)
Application Control
– Detect suspicious inbound/outbound traffic such as allowed protocols over non-standard ports
– Restrict which applications are allowed network access
– Detect and block malicious software from network access
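To make the distinction between exploit rules and vulnerability rules concrete, here is an added Python example (not Trend Micro's rule format or code). It assumes a constructed weakness, a protected web server that mishandles User-Agent headers longer than 256 bytes; the attack marker, hostname and requests are all constructed.

```python
import re
from typing import Callable

MAX_UA = 256  # constructed bound: the placeholder weakness is triggered above this length

def parse_request(raw: bytes) -> dict[bytes, bytes]:
    """Split a raw HTTP/1.1 request head into lower-cased header name -> value."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

# Exploit rule: signature for one known attack tool (constructed marker string).
KNOWN_MARKER = re.compile(rb"^EXAMPLE-SCANNER/")

def exploit_rule(headers: dict[bytes, bytes]) -> bool:
    """Fires only when the known attack's marker is present."""
    return bool(KNOWN_MARKER.search(headers.get(b"user-agent", b"")))

def vulnerability_rule(headers: dict[bytes, bytes]) -> bool:
    """Fires on anything that would reach the weak code path, marker or not."""
    return len(headers.get(b"user-agent", b"")) > MAX_UA

RULES: dict[str, Callable[[dict[bytes, bytes]], bool]] = {
    "exploit": exploit_rule,
    "vulnerability": vulnerability_rule,
}

def evaluate(raw: bytes) -> dict[str, str]:
    """Verdict of each rule type for one request: 'block' or 'allow'."""
    headers = parse_request(raw)
    return {name: "block" if rule(headers) else "allow" for name, rule in RULES.items()}

def build_request(user_agent: bytes) -> bytes:
    return b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: " + user_agent + b"\r\n\r\n"

# Constructed traffic: a normal browser, the known attack, and an unknown variant
# that drops the marker but still sends the oversized header.
BENIGN = build_request(b"Mozilla/5.0 (compatible)")
KNOWN = build_request(b"EXAMPLE-SCANNER/1.0 " + b"A" * 300)
VARIANT = build_request(b"Mozilla/5.0 " + b"B" * 300)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("known", KNOWN), ("variant", VARIANT)):
        print(label, evaluate(req))
```

The variant request is the point of the slide: the exploit signature misses it, while the vulnerability rule still blocks it because it guards the weak condition rather than one attack string.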
Around 100 protected applications
Operating Systems: Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client
Microsoft Active Protections Program (MAPP)
• Program for security software vendors
• Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft's monthly security update
• Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro's protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack
– Systems can then be patched during the next scheduled maintenance window
Recommendation Scans
• The server being protected is analyzed to determine:
– OS, service pack and patch level
– Installed applications and version
– DPI rules are recommended to shield the unpatched vulnerabilities from attacks
– As patches, hotfixes, and updates are applied over time, the Recommendation Scan will:
• Recommend new rules for assignment
• Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported
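The recommendation logic described above, as an added Python example (not Deep Security's own implementation): a constructed rule catalog is matched against a constructed host inventory, with placeholder rule ids, product names and hotfix ids. It also drops a rule whose software is no longer installed, which goes slightly beyond the patching case on the slide.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: str
    kind: str              # "DPI", "Integrity Monitoring" or "Log Inspection"
    software: str          # product the rule protects
    affected_before: str   # versions below this are vulnerable ("" = all versions)
    fixed_by: str          # constructed patch id that closes the hole ("" = none)

@dataclass
class HostInventory:
    installed: dict[str, str]   # software -> version, as found by the scan
    patches: set[str]           # patches/hotfixes already applied
    assigned_rules: set[str]    # rules currently assigned to this host

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def rule_applies(rule: Rule, host: HostInventory) -> bool:
    """Needed when the software is present, its version is in the affected
    range, and the fixing patch has not been applied."""
    version = host.installed.get(rule.software)
    if version is None:
        return False
    in_range = not rule.affected_before or version_tuple(version) < version_tuple(rule.affected_before)
    unpatched = not rule.fixed_by or rule.fixed_by not in host.patches
    return in_range and unpatched

def recommend(catalog: list[Rule], host: HostInventory) -> dict[str, list[str]]:
    """Rules to assign (needed but missing) and to unassign (no longer needed)."""
    needed = {r.rule_id for r in catalog if rule_applies(r, host)}
    return {"assign": sorted(needed - host.assigned_rules),
            "unassign": sorted(host.assigned_rules - needed)}

# Constructed catalog and host; ids and product names are placeholders.
CATALOG = [
    Rule("DPI-1001", "DPI", "ExampleWebServer", "7.5", "HF-2001"),
    Rule("DPI-1002", "DPI", "ExampleDBServer", "10.2", "HF-3001"),
    Rule("DPI-1003", "DPI", "ExampleMailServer", "3.0", "HF-4001"),
    Rule("IM-2001", "Integrity Monitoring", "ExampleWebServer", "", ""),
]
HOST = HostInventory(
    installed={"ExampleWebServer": "7.0", "ExampleDBServer": "10.1"},
    patches={"HF-3001"},                       # DB hotfix applied since the last scan
    assigned_rules={"DPI-1002", "DPI-1003"},   # the mail server has since been removed
)

if __name__ == "__main__":
    print(recommend(CATALOG, HOST))  # {'assign': ['DPI-1001', 'IM-2001'], 'unassign': ['DPI-1002', 'DPI-1003']}
```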
Sample Microsoft Patch Tuesday Protection
In IT, do you know the differences???
[Diagram comparing "Now" (Ahora) and "Future" (Futuro): an agent in each guest versus protection at the vSphere layer]
Deep Security Virtual Appliance
Architecture of the coordinated approach
[Diagram: guest VMs with their vNICs attached to a vSwitch; the Deep Security Virtual Appliance attaches through the VMsafe API on the ESX 4 hypervisor]
Deep Security enables higher VM densities
• SYMC/MFE consume 3x–12x more resources in scheduled scans & could not handle more than 25 desktop VMs/host
• DS supports 2-3 times the number of desktop VMs/host of traditional AV
• DS supports 40-60% more server VMs/host than traditional AV
Scheduled scan resource usage over baseline – 50 VMs per host:
CPU: Symantec 273%, Trend 81%, McAfee 307%
IOPS: Symantec 2143%, Trend 692%, McAfee 2053%
Agentless approach uses less ESX memory
[Chart: ESX memory use against number of guest VMs for Anti-Virus "B", Anti-Virus "Y", Anti-Virus "R" and the agentless Anti-Virus "T"]
Agentless approach uses less bandwidth – signature update for 10 agents
[Chart: time in seconds for Anti-Virus "B", Anti-Virus "Y", Anti-Virus "R" and the agentless Anti-Virus "T"]
Coordinated Security Approach (VMware vSphere 4, VMware vCenter, Deep Security Virtual Appliance*)
• Agent disappears (removed / reverted to previous snapshot)
• Virtual Appliance auto-protects VM
* VMware vSphere 4 VMsafe API based solution
Deep Security 7.5: Key Features
• Agentless real-time scanning
– Notifications to the antivirus engine
– Access to data files for scanning
• Agentless manual and/or scheduled scanning
– On-demand scans are coordinated and organized
– Notifications
• Integrates with vShield Endpoint (vSphere 4.1)
• Zero-day protection
– Integration with Smart Protection Network
• Agentless cleanup
– Active Action, Delete, Pass, Quarantine, Clean
• API-level caching
– Data caching to optimize performance
[Diagram: Virtual Appliance, vShield Endpoint, SPN]
What is the difference?
Addressing Payment Card Industry (PCI) Requirements
Key Deep Security features & capabilities
(1.) – Network Segmentation
(1.x) – Firewall
(6.1) – Virtual Patching*
(6.5) – Web Application Firewall
(10.6) – Review Logs Daily
(11.4) – Deploy IDS / IPS
(11.5) – Deploy File Integrity Monitoring
* Compensating control subject to QSA approval
81% NOT PCI compliant prior to breach – Verizon 2009 Data Breach Investigation Report
Trend Micro: Server Security Leadership – IDC Market Analysis: Worldwide Corporate Server Security Market Share
Trend Micro 22.9%, All Others 77.1%
Source: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC
"These products are generally more robust than desktop endpoint security and are available for a much wider set of operating systems (Windows, Unix, and Linux). This category also includes products that are designed to protect hypervisors and virtual servers."
The most comprehensive suite of next-generation virtualization security solutions:
• Virtual appliance- and guest-based
• Tightly integrated with, and leverages, VMware APIs and technologies
• Architected to fully leverage the VMware platform for delivering better-than-physical security
Improves Security by providing the most secure virtualization infrastructure, with APIs and certification programs
Improves Virtualization by providing security solutions architected to fully leverage the VMware platform