In my previous post, I described about vShield Endpoint. In this post, I will talk about the only real product which is actually using and design with this concept. Trend Micro Deep Security 7.5.
Before I started to roll out details, I would like to thank Trend Micro Australia’s help to give me support when I stuck. Thanks guys.
What can Trend Micro Deep Security 7.5 do?
First time I saw this product is on the Vmware seminar. When Trend Micro representative standing on the stage and demonstrate how Deep Security can use only 20% of resource to scan in the virtualization environment. That was mind blowing because imaging VDI and VMs are calling for schedule scan at same time. How much pressure it will cost to ESX Host? This product is only working with vSphere 4.1. It’s using vShield Endpoint and must use vShield point to do it’s job. Well, at least, that’s what Trend Micro claimed. So is this true? Please continue to read.
Note: DS 7.5 is actually merely designed for VM environment. It means it’s not a complete solution at this stage. If you want to protect your physical boxes or workstation, you better still use OfficeScan product.
Deep Security provides comprehensive protection, including:
- Anti-Malware (detect&clean virus)
- Intrusion Detection and Prevention (IDS/IPS) and Firewall (malicious attack pattern protection)
- Web Application Protection (malicious attack pattern protection)
- Application Control (malicious attack pattern protection)
- Integrity Monitoring (Registry & file modification trace)
- Log Inspection (inspect logs and event on vm)
The interesting about DS 7.5 and vShield Endpoint is that none of this product can provide complete solution for end users. Each of them play a certain roles in the system. So the result is actually combination of both software.
Let’s take a look with clear table.
Note:
My suggestion for installing is to install both vShield Endpoint Agent and DS Agent on your VMs. That’s the only way you can protect your VMs.
Components of Deep Security 7.5
Deep Security consists of the following set of components that work together to provide protection:
Deep Security Manager, the centralized management component which administrators use to configure security policy and deploy protection to enforcement components: Deep Security Virtual Appliance and Deep Security Agent. (You need to install it on one of windows server)
Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere environments, that provides Anti-Malware, IDS/IPS, Firewall , Web Application Protection and Application Control protection. (It will be pushed from DS manager to each ESX)
Deep Security Agent is a security agent deployed directly on a computer which can provide IDS/IPS, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection protection. (It need to be installed on the protected VMs)
As matter of fact, you need to download following files from Trend Micro website. Don’t forget to download filter-driver which will be pushed from DS Manager to each ESX host.
Architecture of Deep Security 7.5
Let’s take a look.
There should be only have one DS manager unless you want to have redundancy.
ESX Host must be installed with vShield Endpoint.
Each ESX has it’s own Virtual appliance.
Each VM should have both vShield Endpoint and DS Agent installed.
How does Deep Security 7.5 work?
For malware and virus check:
DS is using vShield Endpoint to monitor protected VM memory. The vSheild Endpoint Agent (or AKA vShield Endpoint thin driver) will open a special channel to allow DS virtual appliance to scan it’s memory via special vSwitch which is running on ESX kernel driver layer.
Since VMware needs to make sure the isolation of VMs traffic and memory, hard disk and no other application should breach this protection, vShield Endpoint is a back door opened by VMware to let third party to scan VM content legally and logically.
For registry keys and logs and other components of VM, we have to relay on DS Agent because vShield Endpoint can allow do so much. That’s why the solution must combine both vShield Endpint and DS agent.
Install Deep Security 7.5
I did encounter some interesting errors during the installation.
But let’s sort out the steps of installation first.
- Install Endpoint on your VMware ESXs.
- hostInstall DS manager on one of your windows box.
- Push Virtual Appliance, filter driver to each ESX host. It will add a appliance into vShield protected vSwitch. Filter driver will be loaded in the ESX kernel.
- Install DS agent, vShield Point Agent on VMs you want to protect.
Install Endpoint on your VMware ESXs.
Please click here to see how to do it.
Install DS manager on one of your windows box
Those are easy step. I believe any admin can do his job well.
Let’s me skip some easy parts.
skip,skip
Once you finish installation of DS Manager. You need to configure the DS Manager.
This is really tricky part. What are those IP for?
The answer is those IP must not be occupied and it must be in the same subnet as rest of your vShield components are.
Check out this diagram and find out your own vShield subnet.
On your ESX host(which has Endpoint installed already), you should find this.
so what’s your vSheild Subnet?
The rest is easy part. skip,skip
Basic Configure DS Manager
By now, you have already connect to vCenter and vShield Manager. You suppose to see something like that.
Notice nothing is actually managed and ready. That’s because you need to “Prepare ESX”.
Notice:
Before you “Prepare ESX”, you need to make sure vShield Endpoint has already installed and you have already download all DS components.
If you didn’t setup your vShield subnet correct, you will run into this error.
In my case, I just need to right click vCenter->Properties-> Network Configuration
please be aware you need to put your ESX into maintenance mode and restart it in terms of pushing DS virtual appliance and filter driver.
You need to import your downloaded files into DS Manager. If you didn’t import before, you will have chance to import again or download.
As usually, I skip some steps.
Here is another tricky. Because my ESX has different default IP as DS default. so once the DS Manager deploy the virtual appliance to ESX, the appliance only has default DHCP IP which is wrong in my case also the virtual network is also wrong. I encounter this problem.
All what you need to do is to jump on ESX and virtual appliance console to change IP of that appliance. The default username and password is dsva.
Once you changed the IP, reboot this VM. Go back to DS Manager and double click dsva object to activate it.
Make sure the security profile is loaded. That’s very important!!
System will automatically offer you some VMs to protect. You can choose “no” at this stage. Why? because you haven’t installed vShield Endpoint agent and DS agent on your VMs yet.
By now, the installation steps have finished here.
In my next post, I will talk about how to configure Trend Micro Deep Security 7.5 and performance result comparing with OfficeScan and virus testing.
Let me show you a picture what a DS manager look like when a VM is fully protected to finish this post.
Reference:
Trend Micro Deep security installation guide
Trend Micro Deep security User guide
GeekSilver's Blog 
16 Comments
Hi,
i took the Deep security 7.5 SP1 for a test drive along with vShield End Point but i had some observations:
1-yours VMs sometimes are having triggered yellow and red alarms related to ESPEC and sometimes if u fix the root cause the alarm remains active
2-suddenly the SVM state changes to offline though it is up, i ended up by deactiviating the appliance and redeploying it
3-though all SVMs are up but some VMs may report that the Antimalware driver is offline, though it is installed on the guest OS.
4-have u tried scanning RDMs?
in my point of view the concept is really innovative but the risk remains when something goes wrong to the SVM and you have to move ur VMs to a healthy host, also troubleshooting is becoming more complex when adding additional layers from 3rd party vendors (ex Trend Micro, cisco(N1K))
hi, Marwan:
I didn’t dig that deep with vShield since the result of utilization was quite unstable and lots of troubles and tricks which may cause some big issue with your environment.
At this point, I would suggest to give Vmware support a call. They are the best resource to resolve your issue. However, at mean time, I strongly suggest to wait for next version of vShield which will hope to get itself out of troubles.
Hi Marwan,
Regarding problem #3. I’d suggest you to check type of HDD controller for guest OS. In case if you’re using IDE (recommended to use SCSI LSI Logic) – just try o switch it.
Regarding #1-#2 issues. This looks like some kind of internal VMware issues (we faced them few times also) and Geeksilver suggested to you very reasonable way to resolve it – contact with VMware guys.
Regards
hello this is a exellent post
i ´ve a quesstion
I´ve installed Deep Security 7.5 but i´ve the next error:
“The Filter Driver failed to load. Please ensure that the ESX server is configured correctly.” on de DSVA the filter driver failed. could you please suggestme something because i´ve yet talked to trend micro and vmware and they didn´t tell me nothing
please help me
hi, Diana:
You need to understand DS 7.5 is using vShield structure as a base. vShield Zone is using creating “hidden” vSwitch and redirect all traffic to vShield Agent(one for each host) via hidden vSwitch to filter the traffic.
So you can check out whether your vShield Agent (a vm sittinng on each host) are deployed successfully or not.
For more details, you can check out my post here.
hi GeekSilver
Thanks for your your time.
I´ve resolved the problem abouut DSVA (status it ´s managed), but now when i want to activate a virtual machine, its status is “Activating” I´ve checked the communication between DS Manager, D.S.V.A, V Center, VShield Manager and the virtual machines (Windows 7) and is successfull.
DSVA virtual machine appear an error in |virtual agents|VM(Windows 7) like this: “ratt 7.5.05535:5000” “ioctl failed” “stats unavailable”. Coul you tell me how to change the status to manage?
Best regards
Hi Diana,
did you check connection from DSVA to DSM via FQDN or by IP only? This is important to resolve DSM name by DNS (or through hosts file on DSVA).
Hi,
I’m a rookie of installing deep security environment, so I followed your installation steps to setup my deep security7.5.
When I pressed the option “Prepare ESX”, I just got an error message : “The specified parameter is not correct. defaultPolicy.”
I’m sure that ESX server have vShield Manager and vShield Endpoint installed. Is there something wrong in my settings?
Thanks for replying.
Hi,
I’ve followed your steps to install my deep security7.5
When I tried to install deep virtual appliance on my ESX server, I got the error message: “a specified parameter was not correct. defaultPolicy.” I’m sure that my ESX server had vShield Manager & vShield Endpoint installed. Is there any setting that I might ignore? Thanks for you reply. Thanks.
Hi eggwater,
I am facing the same issue that you mentioned. Was curious to know if you were able to resolve the issue and if so, could you share the solution please?
Thanks.
Hi eggwater,
what ESX version do you have? DS 7.5 doesn’t support vSphere 5. We don’t get any similar errors in our projects and I thought this could possibly related to this.
I followed the Installation guide from Trend which was little more complex that what you show, however, on all of my Guests I am receiving the errors below and the Guest Status shows “Update Failed (Agent/Appliance error)” for the Appliance Status. The Agent Status is “Managed (Online)”.
Do you know what would cause this?
Unable to complete the operation due to the following error on the Agent/Appliance: Update failed – check agent events for cause.
Agent/Appliance Event(s):
Time: January 12, 2012 13:43:56
Level: Error
Event ID: 1001
Event: Engine Command Failed
Description: Engine command code FLUSH_LOGS failed with error: -1 (Unknown error 18446744073709551615).
Time: January 12, 2012 13:43:56
Level: Error
Event ID: 1001
Event: Engine Command Failed
Description: Engine command code GET_INTERFACES failed with error: -1 (Unknown error 18446744073709551615).
Hi..
I have 4 VM ESX and looking to installing Trend’s Deep Security with vShield, however there are sayings that with the new vshield 5, no need to get trend’s DS anymore.
Does anyone has comments on it? if possible, a simple table showing the criterias with the yes/no for the different environments as below:
criteria, normal ESX, ESX with DS+vshield, ESX with new vshield5
thanks guys
uh oh.. forgot to mention that the first idea for DS is for everything it offers (agentless threat and malware protection installed in hypervisor.. anything else?) except the anti-virus as the guest OS are mostly Windows Server and already has McAfee antivirus installed
Hi andrew
it’s a kind of misunderstanding I suppose 🙂 vShield is just API to integrate external solution (ie Deep Security). Currently VMware supports two different ways to protect VMs:
1. VMSafe NET API – integration at network level (FW, IDS/IPS). Provides agentless netowrk security. Still the same is for vSphere 5 products family.
2. EPSec (part fo vShield) – integration at file level (AV, integrity control)
3. vShield App – integration at application level (Data Protection extension for DLP functionality from RSA) + partially network security
4. vSheild Edge – http://www.vmware.com/ru/products/datacenter-virtualization/vshield-edge/overview.html
Hope this help.
Nikolay
Hi there, this weekend is fastidious for me, because this moment
i am reading this impressive educational post here at my house.
4 Trackbacks/Pingbacks
[…] This post was mentioned on Twitter by VMware Architect, Silver Chen. Silver Chen said: VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2: http://wp.me/pVbEv-cU […]
[…] previous post, I discussed about how to install and configure Trend Deep Security 7.5 on vSheild. This post will […]
[…] vSphere vShield 4.1 Understanding Part 1 VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2 VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part […]
[…] VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 1 (GeekSilver) VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2 (GeekSilver) VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 3 […]