Security for Virtual and Cloud Environments - F

HOW TO PROTECT YOUR VIRTUAL DESKTOPS AND SERVERS?
Security for Virtual and Cloud Environments
OVERVIEW
This document explains the functionality of Security for Virtual and Cloud Environments
(SVCE) - what it is, what it does, and how it works. It also explains some of the needs and
requirements specific to virtual and cloud environments.
Key features
• SVCE is hypervisor-agnostic and supports all popular virtualization platforms,
including VMware, Citrix, and Microsoft Hyper-V, as well as mixed and hybrid
environments.
• To optimize performance, malware scanning is offloaded to a dedicated Scanning
and Reputation Server.
• SVCE combines the flexibility of agentless solutions and the security of traditional
agent-based solutions.
Benefits
SVCE offers complete protection for all virtual environments without compromising
performance.
• The best protection offered by F-Secure’s award-winning security clients is now
available for virtualized environments.
• Optimized performance reduces hardware costs due to lower RAM, CPU, and disk
space requirements.
• Unified central management tools and client software reduce complexity. Change
virtual desktops or servers from one virtualization platform to another without
changing security products.
THE CASE FOR VIRTUALIZATION AND VIRTUALIZATION SECURITY
Companies of all sizes are moving to the
cloud and using virtualization as a way to
gain benefits. Moving to the cloud offers
the possibility to switch capital expenses
to operational expenses. One of the key
arguments for virtualization is flexibility –
the option of adding and removing services as needed. Other compelling reasons include resource optimization that
reduces hardware costs, and increases
operational efficiency as new services can
be deployed quickly and automatically.
Companies can also improve their IT infrastructure by gaining more capacity for
less money. Resources that easily scale to
the current need without hardware limitations and the 24/7 support seal the deal.
Despite the increasing use of virtualized
platforms and cloud-based solutions, security for these environments has often
been inadequate.
“Virtualization penetration
has surpassed 50% of all
server workloads, and
continues to grow.”
– Gartner, June 2012, Magic Quadrant for x86 Server
Virtualization Infrastructure
Businesses have had to choose between
security solutions that are designed for
traditional physical environments and
agentless solutions that are based on
vendor-specific, proprietary technologies. While secure, traditional solutions are not optimized for virtual environments. On the other hand, agentless
solutions may not provide adequate protection against online attacks that exploit
security vulnerabilities.
In addition to the traditional security
threats that businesses of all sizes face,
virtual and cloud environments have additional challenges. Limited hardware capacity has a significant impact on desktop
virtualization. A good user experience
with shared hardware requires optimization. The increased load on scanning processes also requires additional hardware
investments.
WHAT IS F-SECURE SECURITY FOR VIRTUAL AND CLOUD ENVIRONMENTS?
F-Secure Security for Virtual and Cloud Environments (SVCE) is a solution that
is designed to tackle the challenges of virtual and cloud environments.
Unlike other security vendors that offer agentless or silent agent-based solutions, SVCE is an added feature for F-Secure’s award-winning end-point and
server protection products. The solution provides the best protection against
malware, exploits, phishing, and other network-based attacks.
Component groups
SVCE has three component groups: the client security products,
Scanning and Reputation Server, and the management portal.
1. Client security products - Standard F-Secure workstation and
server software
• F-Secure Client Security
• F-Secure Server Security
• F-Secure E-mail and Server Security
• F-Secure Anti-Virus for Workstations
2. Scanning and Reputation Server - Isolates performance-consuming operations away from clients
• Virtual appliance for VMware ESXi, vSphere hypervisor
• Virtual appliance for Citrix XenServer, Xen hypervisor
• Virtual appliance for Microsoft Hyper-V hypervisor
3. Policy Manager - Provides policies, configurations and updates
for the entire solution
• F-Secure Policy Manager for Windows
• F-Secure Policy Manager for Linux
[Figure: SVCE architecture diagram. Components shown: F-Secure (orsp, updates); Policy Manager; Scanning and Reputation Server (virtual appliance); virtual desktops and virtual servers running Client Security Premium, Client Security, Server Security, and Email and Server Security; hypervisor. Labelled flows: "policies, statistics, alerts, updates" and "scan requests, files, results".]
Policy Manager
Provides centralized management for products that
are installed on physical and virtual machines.
Policy Manager Console
The administration console for defining policies, deploying F-Secure software and monitoring the security status.
Client Security, Server Security and Email and Server
Security
Endpoint security protection products that are installed on physical or virtual desktops and servers.
Management Agent
Communicates with Policy Manager, applies defined
policies and sends status information and alerts to
Policy Manager Server.
Automatic Update Agent
Downloads and installs software and database updates.
Offload Scanning Agent
Offloads malware scanning and content reputation
checking from the client to the Scanning and Reputation Server to minimize the impact on performance.
Scanning and Reputation Server
The virtual appliance that is based on a hardened Linux platform and provides malware scanning and
content reputation services.
HOW IT WORKS
SVCE protects virtual machines that are running in private or public clouds. It provides proactive behavioral
analysis and exploit protection that efficiently identifies and blocks modern malware and exploit attempts.
To optimize performance for virtual environments, resource-intensive malware scanning is offloaded to a
dedicated F-Secure Scanning and Reputation Server.
To prevent modern attacks, F-Secure security products are based on multi-layer protection. Each layer
addresses a particular aspect of the threat landscape and works with other layers to provide a complete solution.
Here is what this protection looks like when installed on a physical machine:
Physical Machine
• Browsing protection
• Behavioral analysis
• Advanced heuristic analysis
• Web and Email scanning
• Exploit protection
• Compound object scanning
• File reputation analysis
• Signature-based scanning
When traditional security products are installed on multiple virtual machines that are running on the same hypervisor, they may compete for hardware resources and eventually decrease the performance of the whole environment. Offload Scanning Agent and Scanning
and Reputation Server can optimize performance to provide the best protection possible:
[Figure: protection layers divided between the virtual machine, which runs Offload Scanning Agent, and Scanning and Reputation Server. Layers shown: Browsing protection, File reputation analysis, Web and Email scanning, Web Content Reputation, Signature-based scanning, Behavioral analysis, Advanced heuristic analysis, Exploit protection, Compound object scanning.]
HOW TO OPERATE VIRTUAL SECURITY?
The administrator uses F-Secure Policy Manager to centrally manage F-Secure security products that are installed in the network. F-Secure Policy Manager is available for Windows and Linux platforms.
F-Secure Client Security and F-Secure Server Security products are installed on physical or virtual desktops and
servers. They download and install software and database updates automatically, and send status information
and alerts to F-Secure Policy Manager.
To minimize the impact on performance on virtual machines, F-Secure Client Security and F-Secure Server Security offload the malware scanning and content reputation checking to a dedicated server that runs F-Secure
Scanning and Reputation Server.
F-Secure Scanning and Reputation Server is a virtual appliance that is based on a hardened Linux platform and
provides malware scanning and content reputation services.
Deployment and installation
The solution can be easily deployed in a virtual environment, as well as mixed and hybrid environments with different combinations of virtual and traditional machines. Being hypervisor-agnostic, it supports all popular virtualization platforms, including VMware, Citrix, and Microsoft Hyper-V.
You only need to install the client software once on a virtual machine template. Scanning and Reputation Server offers easy deployment with a preconfigured virtual appliance.
PROTECTION FEATURES FOR PHYSICAL AND VIRTUAL DESKTOPS
Use the following table to choose the features for F-Secure Client Security and F-Secure Anti-Virus for Workstation installation packages that you can deploy on physical and virtual desktops.
Product feature / setting | Physical desktop | Virtual desktop
Offload scanning agent
Real-time malware scanning
Scan network drives
DeepGuard (behavior based protection)
Use RTPN to improve DeepGuard detection
DeepGuard advanced process monitoring
DeepGuard exploit protection
E-mail scanning
Web traffic scanning
Use RTPN on web traffic scanning
Browsing Protection
F-Secure Firewall (Internet Shield)
Application Control
Automatic Updates
Database update check randomization
Software Updater
Device Control
Microsoft NAP plug-in
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
NOTES
1. You can turn off network drive scanning if the relevant file servers have
real-time antivirus protection.
2. Turn on DeepGuard advanced process monitoring if users can install
their own applications on virtual desktops. Otherwise, turn it off.
3. Turn on E-mail scanning if users can read their e-mails from untrusted
or unprotected e-mail servers. Otherwise, turn it off. You should
consider using F-Secure E-mail and Server Security or F-Secure
Internet Gatekeeper to handle e-mail scanning on the mail server or
gateway.
4. Turn on Web traffic scanning unless all HTTP traffic goes through
a gateway where it is scanned (for example, with F-Secure Internet
Gatekeeper).
5. Install or turn on F-Secure firewall if you need to protect virtual
desktops against network-based attacks and intrusions that may come
from within the virtual infrastructure, for example if you do not have full
control of the host environment. You can turn off F-Secure firewall if
your network has network control and intrusion prevention in place, or
if you are using Windows firewall on virtual desktops.
6. Turn on Application Control if users can install and run their own
applications on virtual desktops. Otherwise, turn it off.
7. You do not need to install Software Updater (SWUP) on every virtual
desktop. To deploy virtual desktops without SWUP, install it on the
virtual desktop template to identify and install missing OS and third-party updates, after which you can uninstall it before you deploy virtual
desktops from the template.
8. Install the Microsoft NAP plug-in only if you use Microsoft Network
Access Protection.
PROTECTION FEATURES FOR PHYSICAL AND VIRTUAL SERVERS
Use the following table to choose the features for F-Secure E-mail and Server Security
installation package that you can deploy on physical and virtual servers.
Product feature / setting | Physical server (Exchange) | Virtual server (Exchange)
Offload scanning agent
Real-time malware scanning
DeepGuard (behavior based protection)
Use RTPN to improve DeepGuard detection
DeepGuard advanced process monitoring
DeepGuard exploit protection
Web traffic scanning
Browsing Protection
Anti-virus for MS Exchange
Spam Control
Automatic Updates
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
Product feature / setting | Physical server (Terminal, RDSH, XenApp) | Virtual server (Terminal, RDSH, XenApp)
Offload scanning agent
Real-time malware scanning
DeepGuard (behavior based protection)
Use RTPN to improve DeepGuard detection
DeepGuard advanced process monitoring
DeepGuard exploit protection
Web traffic scanning
Browsing Protection
Anti-virus for MS Exchange
Spam Control
Automatic Updates
Legend: Install; Do not install; Installation recommended (see the notes); Installation not recommended (see the notes)
NOTES
1. Offload Scanning Agent is currently used for file scanning only.
Because Exchange transport and storage protection in F-Secure
Anti-Virus for Exchange still uses local Content Scanner Server, you
should not install Offload Scanning Agent on virtual Exchange Servers,
especially if you do not have many servers and they are critical for
business communication.
2. You do not need to install DeepGuard advanced process monitoring
and exploit protection features if the server runs trusted software and
the administrator does not browse the web from the server.
3. We recommend that you turn on DeepGuard advanced process
monitoring and exploit protection features if the users can run
unknown software or browse the web from the terminal or RDS server.
4. Web traffic scanning inspects all HTTP traffic, which may affect
communication between Exchange and other Windows server
components that use HTTP-based interfaces. You can turn off Web
traffic scanning and Browsing protection if the administrator does not
browse the web from the server.
5. F-Secure Anti-Virus for Exchange and Spam Control are only installed
if the server runs Microsoft Exchange Server. Spam Control is only
installed if Microsoft Exchange Server acts as the transport or hub
server.
MANAGEMENT AND REPORTING
The entire solution can be centrally managed with F-Secure Policy Manager. It handles status updates,
monitoring, statistics, and licensing for the solution.
Policy Manager provides a scalable way to manage the security on multiple operating systems – both physical and virtual – from one central location.
You can use Policy Manager to:
• Define and distribute security policies
• Install applications on local and remote systems
• Monitor activities of all systems to ensure compliance
with corporate policies and centralized control.
With Policy Manager, you can see status information from
the entire managed domain. This makes it easy to ensure
that the entire domain is protected, and to change the protection settings when needed. You can also prevent users
from changing the security settings, and make sure that the
protection is always up to date.
The Web Reporting tool that is included in Policy Manager provides detailed graphical reports that are based
on the latest status information and historical trend data. You can generate reports for the entire domain, subdomains, or individual hosts and also export reports as HTML files.
THIS IS F-SECURE
F-Secure is an online security and privacy company from Finland.
We offer millions of people around the globe the power to surf invisibly
and store and share stuff, safe from online threats. We are here to fight
for digital freedom. Join the movement and switch on freedom.
Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.
SWITCH ON FREEDOM
www.f-secure.com