Skip navigation

Tag Archives: Deep Security


So this is last part of this series. Hopefully, I don’t need to write another post.

From previous post, I discussed about how to install and configure Trend Deep Security 7.5 on vSheild. This post will talk little bit more about configuration and performance review.

In my last post, I have installed vShield Zone on host, Install DS Manager one of my VMs which is also vCenter, and push DS Virtual Appliance on to one of hosts.

Then, I changed the IP and network configuration on the DS VA and activate it with Deep Security Virtual Appliance.

Please be aware that Security Policy is playing an important role in the DS. You need to make sure all protected VMs having correct Security Policy.

Once you finished the VA, we can go back to DS manager and take a quick look.

I would like to list some common issues you may encounter.

ds-01

If anti-Malware status is not Capable, it means vEndpoint is not installed on this ESX host.

ds-02

If Anti-Malware is on, but the color is blue. It means you haven’t assigned correct policy on this VM. In default, there is no policy at all. Just right click the VM and follow the instruction.

ds-03

ds-04

You better actually create your own policy before you apply. Some default policy(like windows 2k3) doesn’t have all protection on and doesn’t allow certain protocol (e.g: RDP). The best way is to make copy of old policy and customize a new one for yourself.

The next step is to prepare your VMs. All what you need to do is to install vShield Driver agent and DS Agent. Once you finish installation, you must reactivate your vm from DS Manager to let DS Manager to check VM status.

ds-05

If you have installed both agents and apply right policy, reactivate your vm from DS Manager. You should see something like this in the DS Manager.

ds-06

It should have all greens and Agent should running. Your VM should be protected at each level from crossing both Appliance(working with vEndpoint) and Agent.

One more thing when you try to install DS Agent, you need to copy the installation on local disk of VM and install. Otherwise, you will encounter this error.

ds-27

Virus download test

I have a protected VM which has all features turned on. Let’s see how it react when I tried to download a virus sample file from Internet.

ds-26

It actually worked!

Does Deep Security actually reduce resource consumption?

Here is the big question. The reason we spent so much time to deploy this product is the rumour that it can save the resource comparing with traditional AV solution. Let’s take a look.

I installed OfficeScan on one of test machines. I monitored the resource which has been consumed from CPU, Memory,DISK,Network for both test VM and Host as base line. I will scan a vm with officescan once. And also scan it with DS.

Protected VM CPU

Protected VM CPU with OfficeScan

ds-07

CPU: 50% of one core. It lasts 10 mins.

Protected VM CPU with DS

ds-13

ds-14

only 22% on CPU comparing with 50% on Office Scan.

Note: I ran twice on this test.

Protected VM DISK

Protected VM disk with OfficeScan

ds-08

Disk: 5000KBps for 10 mins.

Protected VM disk with DS:ds-15

It’s very interesting to see the first run disk but nothing on second. The reason is the first run has already load disk data into memory and it doesn’t require to load again at second time. It proves DS is load to memory and scan only memory theory. The DS scan finished in 4.5 mins.

Protected VM Memory

Protected VM with OfficeScan

ds-09

Memory: Consumed memory is 1.25GB, and active memory is 4GB.

Protected VM with DS

ds-25

50% of active memory in 4.5 mins. I ran twice.

Protected VM Network

Protected VM with OfficeScan

ds-10

Network: OfficeScan tried to contact OfficeScan server at beginning. Then, it went quiet.

Protected VM Network Activity with DS:

ds-16

There is almost nothing on network. It means DS is using ESX module to scan memory directly. It doesn’t go through normal network channel. Because it is using similar theory as vSwitch, I call it a protected vSwitch channel.

From what I can see via Protected VM angle, the resource has been consumed almost 50% less and use only half time to finish scan.

Because using DA actually involves to use Deep Security Virtual Appliance to scan. We need to take look about DS VA.

DS VA CPU:

ds-17

The truth behind scene is DS VA is actually scanning the data instead of protected VM. That’s why you see low utilization on VM because all what it did was to load data into memory and call vShield Endpoint driver to let DS VA to scan.

DS VA Disk:

ds-18

Almost nothing on disk VA disk activity.

DS VA Memory:

ds-19

It consume 1.5GB memory on VA. It’s understandable.

DS VA Network:

ds-20

This is very interesting. According to this chart, the network activity on DS VA is very high during scanning. It means vShield Endpoint will open port for all VMs sitting on that protected vSwitch instead of just DS VA.

ds-21

This is the vSwitch vShield Endpoint use. It’s just normal vSwith and you can add adapters if you want. It does bring my concern whether this could be potential security breach.

Here is moment of truth. Will DS actually save resource from ESX perspective?

Following is the data from Physical ESX Host:

ESX CPU utilization

ESX CPU with OfficeScan

ds-22

4% of total CPUs on ESX box.  I have nothing else was running on that host.

ESX Host CPU Performance on DS

ds-23

It does finish scan in half time but it actually use 6% of CPUs. Be aware this is not including overhead of ESX host CPU. It’s 2% of higher than OfficeScan.

ESX Disk with OfficeScan

ds-12

Disk activity on ESX host.

ESX Disk activity with DS

ds-24

It’s same disk activity but with half loading time.

There ain’t much point to check memory since everything is happening in the memory. Just one module to scan another chunk of memory in the host. That’s all.

Conclusion:

Let’s sum up with what we have learned from those data. Please be aware I’m only test single machine scan.

Resource consumption:

ESX Host

OfficeScan DS 7.5
CPU Util 4% 6%
CPU Used time 10 mins 4.5 mins
DISK Util 200CMD/s 200CMD/s
DISK Used time 10 mins 4.5 mins
Memory Same Same
Network 0 0 Nothing on pNIC

It does seem like Host CPU is consumed more resource than officeScan.

but It seems that DS VA doesn’t support multiple threads scanning at same time. If that’s the case, a host can hold about 30 VMs max. So DS Manager will schedule to scan all machines in different time.

This is the end of this Session of this year!

I wish everyone has a wonderful Christmas and Happy New Year!!

 

 


As you guys may notice, I have spent some hours on vSphere vShield product recently. I have came cross a design flaw issue I would like to discuss with you.

First all, let me briefly describe my test environment.

I have two physical HP boxes and a EMC SAN as my test box. In this case, I have built a vCenter as VM sitting on one of ESX host. Therefore, I can even make snapshot if I want to. However, this has been generate some issues for vShield product.

Symptoms:

In terms of testing installing and configuring vShield product. I normally install vShield on one host and move some test VMs to new host to see how VMs respond. Then, I will vMotion vCenter VM to new host and install vShield on the second host since some of vShield components requires reboot host. I have done that couple of times. Eventually, it happened.

shissue-03

I initialled vMotion from a host which has zone, firewall, vApp to a host which doesn’t have those settings. vCenter got frozen.

I was waiting for couple of minutes but I was still not able to connect to vCenter. Not even pingable.

so I jump on new host with directly vClient and I found vCenter is up running in the new host. But it’s not pingable. Other VMs sitting in the same vSwitch are not having issues at all. I vMotioned vCenter before I install vShield without any issues. Why I can’t connect to vCenter VM this time?

Cause:

The reason is simple. It’s caused by vShield Zone and other components. Let’s take a look to see what happens when I vMotion a normal VM to a host installed with vShield.

shissue-01

 

The normal procedure should be:

  1. Query
  2. Migrate a new VM into new host.

 

However, as you can see from the picture, it actually reconfigured the VM afterwards.

Notice:

And  if you monitor vMotion ping status, the ping drop during vMotion from 1 time out become 10 times out depends on how you configure vShield.

shissue-02

 

so what exactly this reconfiguration step do?

The answer is that virtual machine vmx file has been reconfigured with vShield information. The more important thing is this step is done by vCenter!!

With a host installed with vShield products(like Zone), any VMs vMotion into that host will automatically configured with vZone. If vZone information is not configured, the VM will not able to communicate with other VM even if VMs in the same vSwitch because it’s caused at vNic leve.

Just imagine what happened if you try to vMotion a vCenter? No one is going to modify vCenter VM since it’s temporary disconnect from network!!

Solution:

I think this is a design flaw since use VM as vCenter is an option provided by VMware.

What I did was to use putty to connect to ESX host and manually modify vmx file of vCenter VM.

This is what old vmx looks like. This host has all vShield parts.

shissue-05

We need to remove filter0.name and param1 and add vEndpoint to match whatever new host got. The result is following.

shissue-04

After modification, the vCenter is able to start and connect to network.

Conclusion:

vShield is still a new product. VMware needs to resolve issues when vCenter in VM mode and let host , instead of vCenter, to reconfigure vmx files everytime a new VM vmotion into host or register a new VM.

Plus, the reconfiguration takes too long to finish. For important time sensitive machine, 10 time out may not be acceptable.


In my previous post, I described about vShield Endpoint. In this post, I will talk about the only real product which is actually using and design with this concept. Trend Micro Deep Security 7.5.

Before I started to roll out details, I would like to thank Trend Micro Australia’s help to give me support when I stuck. Thanks guys.

trenddp_08

What can Trend Micro Deep Security 7.5 do?

First time I saw this product is on the Vmware seminar. When Trend Micro representative standing on the stage and demonstrate how Deep Security can use only 20% of resource to scan in the virtualization environment.  That was mind blowing because imaging VDI and VMs are calling for schedule scan at same time. How much pressure it will cost to ESX Host? This product is only working with vSphere 4.1. It’s using vShield Endpoint and must use vShield point to do it’s job.   Well, at least, that’s what Trend Micro claimed. So is this true? Please continue to read.

Note: DS 7.5 is actually merely designed for VM environment. It means it’s not a complete solution at this stage. If you want to protect your physical boxes or workstation, you better still use OfficeScan product.

Deep Security provides comprehensive protection, including:

  • Anti-Malware (detect&clean virus)
  • Intrusion Detection and Prevention (IDS/IPS) and Firewall (malicious attack pattern protection)
  • Web Application Protection (malicious attack pattern protection)
  • Application Control (malicious attack pattern protection)
  • Integrity Monitoring (Registry & file modification trace)
  • Log Inspection (inspect logs and event on vm)

The interesting about DS 7.5 and vShield Endpoint is that none of this product can provide complete solution for end users. Each of them play a certain roles in the system. So the result is actually combination of both software.

Let’s take a look with clear table.

trenddp_09

Note:

My suggestion for installing is to install both vShield Endpoint Agent and DS Agent on your VMs. That’s the only way you can protect your VMs.

Components of Deep Security 7.5

Deep Security consists of the following set of components that work together to provide protection:

Deep Security Manager, the centralized management component which administrators use to configure security policy and deploy protection to enforcement components: Deep Security Virtual Appliance and Deep Security Agent. (You need to install it on one of windows server)

Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere environments, that provides Anti-Malware, IDS/IPS, Firewall , Web Application Protection and Application Control protection. (It will be pushed from DS manager to each ESX)

Deep Security Agent is a security agent deployed directly on a computer which can provide IDS/IPS, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection protection. (It need to be installed on the protected VMs)

As matter of fact, you need to download following files from Trend Micro website. Don’t forget to download filter-driver which will be pushed from DS Manager to each ESX host.

trenddp_10

Architecture of Deep Security 7.5

Let’s take a look.

trenddp_02

There should be only have one DS manager unless you want to have redundancy.

ESX Host must be installed with vShield Endpoint.

Each ESX has it’s own Virtual appliance.

Each VM should have both vShield Endpoint and DS Agent installed.

How does Deep Security 7.5 work?

trenddp_16

For malware and virus check:

DS is using vShield Endpoint to monitor protected VM memory. The vSheild Endpoint Agent (or AKA vShield Endpoint thin driver) will open a special channel to allow DS virtual appliance to scan it’s memory via special vSwitch which is running on ESX kernel driver layer.

Since VMware needs to make sure the isolation of VMs traffic and memory, hard disk and no other application should breach this protection, vShield Endpoint is a back door opened by VMware to let third party to scan VM content legally and logically.

For registry keys and logs and other components of VM, we have to relay on DS Agent because vShield Endpoint can allow do so much. That’s why the solution must combine both vShield Endpint and DS agent.

Install Deep Security 7.5

I did encounter some interesting errors during the installation.

But let’s sort out the steps of installation first.

  1. Install Endpoint on your VMware ESXs.
  2. hostInstall DS manager on one of your windows box.
  3. Push Virtual Appliance, filter driver to each ESX host. It will add a appliance into vShield protected vSwitch. Filter driver will be loaded in the ESX kernel.
  4. Install DS agent, vShield Point Agent on VMs you want to protect.

Install Endpoint on your VMware ESXs.

Please click here to see how to do it.

Install DS manager on one of your windows box

Those are easy step. I believe any admin can do his job well.

Let’s me skip some easy parts.

trenddp_11

skip,skip

trenddp_12

Once you finish installation of DS Manager. You need to configure the DS Manager.

trenddp_13 trenddp_14

trenddp_15

This is really tricky part. What are those IP for?

The answer is those IP must not be occupied and it must be in the same subnet as rest of your vShield components are.

Check out this diagram and find out your own vShield  subnet.

On your ESX host(which has Endpoint installed already), you should find this.

trenddp_17

so what’s your vSheild Subnet?

The rest is easy part. skip,skip

trenddp_18

trenddp_19

Basic Configure DS Manager

By now, you have already connect to vCenter and vShield Manager. You suppose to see something like that.

trenddp_20

Notice nothing is actually managed and ready. That’s because you need to “Prepare ESX”.

Notice:

Before you “Prepare ESX”, you need to make sure vShield Endpoint has already installed and you have already download all DS components.

trenddp_21

trenddp_22

If you didn’t setup your vShield subnet correct, you will run into this error.

trenddp_23

In my case, I just need to right click vCenter->Properties-> Network Configuration

trenddp_24

please be aware you need to put your ESX into maintenance mode and restart it in terms of pushing DS virtual appliance and filter driver.

trenddp_25

You need to import your downloaded files into DS Manager. If you didn’t import before, you will have chance to import again or download.

trenddp_26

As usually, I skip some steps.

trenddp_27

trenddp_28

Here is another tricky. Because my ESX has different default IP as DS default. so once the DS Manager deploy the virtual appliance to ESX, the appliance only has default DHCP IP which is wrong in my case also the virtual network is also wrong. I encounter this problem.

trenddp_29

All what you need to do is to jump on ESX and virtual appliance console to change IP of that appliance. The default username and password is dsva.

trenddp_30

trenddp_31

Once you changed the IP, reboot this VM. Go back to DS Manager and double click dsva object to activate it.

trenddp_32

Make sure the security profile is loaded. That’s very important!!

trenddp_33

System will automatically offer you some VMs to protect. You can choose “no” at this stage. Why? because you haven’t installed vShield Endpoint agent and DS agent on your VMs yet.

trenddp_34

By now, the installation steps have finished here.

In my next post, I will talk about how to configure Trend Micro Deep Security 7.5 and performance result comparing with OfficeScan and virus testing.

Let me show you a picture what a DS manager look like when a VM is fully protected to finish this post.

trenddp_36

Reference:

Trend Micro Deep security installation guide

Trend Micro Deep security User guide


This is going to be a long post regarding vShield Endpoint and Trend Micro Deep Security 7.5. In this post, I will go through What is Endpoint, DP 7.5. How to install and basic configuration. How system work and performance comparison between two Trend products. Deep Security and OfficeScan.

Like what I said, this is going to be a long post. Let’s turn to Page one. ;)

In my past posts, I have describe what vShield is and different modules of vShield. You can find my previous post from here.

What is vShield Endpoint?

Let’s take a look what vShield is.

Strengthen security for virtual machines and their hosts while improving performance by orders of magnitude for endpoint protection, with VMware vShield Endpoint, part of the VMware vShield family. Offload antivirus and anti-malware processing to dedicated security-hardened virtual machines delivered by VMware partners. Leverage existing investments and manage antivirus and anti-malware policies for virtualized environments with the same management interfaces as physical environments.

  • Streamline and accelerate antivirus and anti-malware deployment
  • Improve virtual machine performance and eliminate antivirus and anti-malware bottlenecks
  • Reduce risk by eliminating agents susceptible to attack and enforce remediation more easily
  • Satisfy audit requirements with detailed logging of antivirus and anti-malware activities

This is what you can read from vmware.com. But what vShield Endpoint real does is a set of common interface or opening window to let third Party Anti-virus virtual appliance to scan/query memory of ESX host. If  you do remember what Vmware said about memory of each individual VM is secured separated for each VM. Well, vShield Endpoint is a back door to allow certain VM (like virtual appliance) to access all VMs memory at same time. As we all know, all information has to go through memory. Regardless it is opening ports or data saved on the virtual harddisk. However, it ain’t entire solution. As matter of fact, it can only do part of solutions. It can open window to AV appliance to scan memory, use firewall rule to deny unwanted access but it doesn’t understand registry key and logic structure of your servers.

How does vShield Endpoint work?

trenddp_03

The endpoint doesn’t have it’s own VM in the system unlike vApp and Edge. Well, in fact it does require a virtual appliance but it’s provided by third party.

Endpoint will install a special module in your ESX.

trenddp_01

This module will read data from protected VM and handled it to third party appliance to check virus/malware. This third party will sit in a secured vSwitch which will only be accessed by special module in ESX host. From protected VM angle, CPU usage is very low and memory utilization is low as well. The resource consumption has been transferred and reduced to AV appliance. But it doesn’t mean Hard disk are not used. We will discuss it in performance section.

What you need to do is to enable Endpoint on your host. Install Endpoint driver (or thin agent) on VMs you want to protect. Then, install third party appliance and everything will be fine.

How to install vShield Endpoint?

This procedure is similar as vEdge and vApp.

trenddp_04

trenddp_05

trenddp_06

Once you have install everything including Endpoint, and thirdparty of Antivirus. You will see something like this.

trenddp_07

Well, for more details, please wait for second post. I will review Trend Micro Deep Security 7.5 and how to install, configure.

Follow

Get every new post delivered to your Inbox.

Join 125 other followers