McAfee Secure Virtualization

Proven, Comprehensive Protection for Virtualized Environments

Tamas Barna CISSP, Security+
System Engineer, Eastern Europe

September 23, 2010


Confidential McAfee Internal Use Only

Consolidation and Virtualization Demand

– Data centers are the largest IT budget item and are the focus of many IT leaders as they look to reduce their own expenses. Consolidating the number of data centers while increasing capacity within a smaller footprint via virtualization and reducing energy consumption via Green initiatives are all winning projects today.

– the Lippis Report #114

– “Strategic Planning Assumption: By year-end 2010, 70% of large organizations will collapse all or part of their DMZ by risk-managed virtualization technologies, up from 10% at year end 2006.”

– Neil MacDonald, June 2, 2010, “How to Securely Implement Virtualization”

Data center cost and consolidation wave

What is Virtualization?

• Virtualization
• Decouples software from hardware
• Allows multiple operating systems to be installed on the “host” computer
• Provides many benefits and efficiencies

[Diagram: Enterprise App, Operating System, Virtualization]

Virtualization Benefits

• Business Continuity
• Server Consolidation
• Utilization
• Flexibility

Virtualization Market Opportunity

• Companies are readily deploying virtualization
– 51% in NA, 35% in EMEA and 21% in APAC [1]
• 50% of all servers will be virtualized in 5 years [2]
• $15B virtualization market in 2009 [3]

[Chart: Virtualized Versus Nonvirtualized Servers, Installed Base Forecast, 2006-2011 [3]]

“Make security a mandatory part of the evaluation of virtualization solutions.” [4]
Paul E. Proctor, Gartner 2010

[1] Forrester
[2] Gartner
[3] IDC
[4] Gartner, May 2010: Highlights From the Security and Risk Track at Symposium/ITxpo

Top Market Challenges

Secure Virtualization

• Need secure virtualization as virtualization vulnerabilities grew over 400% [1] from 2006 to 2010
• Every new virtual machine is:
– a new hacking target
– a new source of infection across a network.
• Out-of-date security makes offline images more vulnerable.
• It is more cost-effective to include security in an initial VMware deployment than to add it later.

[1] National Vulnerability Database

[Diagram: virus, spam, trojan, worms, DDoS, vulnerabilities and out-of-date offline images shown against the hypervisor, virtual machines (apps, OS) and an offline virtual image (apps, OS)]

McAfee Secure Virtualization Value Proposition

• Customized protection for virtual environments including offline virtual machines
• Integrated, centralized security management for both physical and virtual environments
• Stronger protection, lower costs, and simplified compliance for today and tomorrow

Key Benefits

• Stronger Protection: AV alone is NOT enough (spyware, botnet, phishing, viruses, exploits)
• Lower Costs: cost to manage separate products is high
• Simplified Compliance: increased compliance requirements (ITIL, PCI, PIPA, EU DPD 35/46/EC, HIPAA, COBIT, SOX, FISMA, J-SOX, GLBA, ISO)

Broad Secure Virtualization Support

• ToPS for Virtualization

• VirusScan Enterprise (VSE)

• VirusScan Enterprise for Offline Virtual Images
• Host Intrusion Prevention
• Network Access Control
• ePolicy Orchestrator
• Network Security Platform
• Firewall Enterprise/Virtual Appliance
• Vulnerability Manager
• Policy Auditor
• Remediation Manager
• Email and Web Security Appliance

McAfee meets your secure virtualization needs

McAfee Firewall

New Virtualization Solutions

• McAfee Firewall Enterprise / Multi-Firewall Edition
– From 4 to 32 discrete virtual firewalls (VMware based) in a single appliance
– Includes Control Center
– Optional IPS, AV, URL filtering and SSL decryption
– Designed for your network segmentation and consolidation projects
– Dedicated resources per FW. Manage and report individually

• McAfee Firewall Appliance Line
– Designed for typical deployments
– Purpose dedicated, high security appliances (EAL4+)
– Levels of appliances sized for branch to data center deployments

Same High Assurance Firewall Software

All Supported with One Central Management and Reporting Solution

New Offerings

• McAfee Firewall Enterprise / Virtual Appliance
– Software firewall for VMware ESX Server – unlimited instances per server
– Includes virtualized IPS, as well as AV, URL filtering, SSL decryption
– Designed for your server consolidation projects – security within ESX platform and inter VM
– Dedicated resources per FW. Manage and report individually

McAfee Network Intrusion Prevention

• Award-winning, network-class protection for absolute security confidence
• 10-Gigabit Ethernet performance
• Real-time risk-aware IPS
• System-aware IPS with McAfee ePO™ integration
• Dynamic network access control
• Improved network availability and performance
• Streamlined security management processes through ePO integration
• Reduced risk and cost associated with patching cycles

Customer Benefits

VSE for OVI v2

• RTW is scheduled for Oct 14
• Dramatically improved performance on scanning offline images in sequential order
• Uses ODS tasks to schedule scans
• Product certification for:
– VMware ESX: uses VMsafe APIs
– Microsoft Hyper-V

Citrix Ready Certification

The Citrix Ready program identifies trusted, third-party solutions that add the greatest value in the Citrix Delivery Center™ infrastructure.

Certified Products:
• VirusScan Enterprise for Offline Virtual Images*
• VirusScan Enterprise
• AntiSpyware Enterprise
• ePolicy Orchestrator
• Vulnerability Manager

Compatible with Citrix® XenApp™.

*V1 version

www.citrixready.com

ToPS for Virtualization: Protect virtual servers

Components

• Host IPS for server
• VirusScan Enterprise
• Anti-spyware Enterprise
• VSE for Linux
• VSE for Offline Virtual Images
• ePolicy Orchestrator

VirusScan Enterprise for Offline Virtual Images

Need to secure offline virtual images

– VM sprawl fuels growth of offline virtual images

– Security profiles of offline virtual images quickly become out-of-date

– Compromised offline VMs threaten the network and other endpoints when activated

VirusScan Enterprise for Offline Virtual Images secures offline VMs without bringing them online

– Identify malware

– Remove malware

– Automate security update


Total Protection for Endpoint: Protect virtual desktops

Single Integrated Management Console - ePO

• Anti-Spam (Email server)
• Anti-Spyware
• Host Intrusion Prevention
• Desktop Firewall
• Anti-Virus
• Network Access Control
• Web Security
• Policy Auditing

ePolicy Orchestrator: Centrally manage security for physical and virtual environments

“ePO has historically been the standard for centralized administration consoles.”
Peter Firstbrook, 2008 Endpoint Protection Platform Magic Quadrant

• World’s most scalable security and compliance mgmt platform
– Manages 58M+ endpoints in 35,000+ enterprises with largest deployment > 5M endpoints
– 3 of 4 Global 2000 companies use ePO
• Deploy, manage and report on
– Secure virtualization
– Online and offline images
– Endpoint security
– Data protection
– Web and messaging security
– Integration with network IPS and vulnerability management
– Threat alerts from Avert Labs

McAfee Solutions for a Virtual Environment

McAfee Virtualization Strategy

McAfee’s Support for Virtualization

• Coverage for Enterprise from Physical to Virtualized Environments
• Virtualization Security Assessment Services
• Future: Optimized and Flexible
• McAfee Global Threat Intelligence: Virtualization
• Industry’s 1st dedicated security consulting service for virtualized environment
• Industry’s most complete and scalable solution spanning virtual servers, networks and desktops
• Enterprise Vulnerability Management and Host IPS
• Offline Virtual Server Security
• Virus Scan Enterprise Offline Virtual Images

McAfee’s MOVE (Mgmt for Optimized Virtualized Environments)

MOVE – Platform & Partnerships

• Provide VDI specific security with Citrix

• Open MOVE Platform to Partners

• New developments for security for virtualized environments

MOVE Antivirus Optimization

Customer Feedback

Operational Issues

• How to capacity plan around AV resource utilization
• Want to achieve higher virtual machine density per hypervisor
• Do not want another management console in the Enterprise
• Don’t want to lock-in to a single vendor

Anti-Virus Offloading – First Application on MOVE Platform

Anti-Virus Offloading

• Design Goals

– Move Anti-Virus processing out of each VM – Offloading

– Enhance Efficiency and optimize scalability

• Avoid AV Storming through Hypervisor awareness

• Reducing Memory, CPU load, Disk I/O

• Increase the density of VMs per hypervisor

• Increase scanning efficiency by taking advantage of scan caching

– Work in 100,000 desktop environments

– Integrated management

– Responsive user experience

– Supporting persistent and non-persistent desktops

McAfee MOVE enhances Security for Virtualization

[Diagram: clients and their virtual desktops; each VM (OS, applications, MOVE) runs on the hypervisor and off-loads processing to the MOVE Virtual Appliance; McAfee ePO]

MOVE-AV Optimizes Enterprise Anti-virus

• On-Demand Scanning (ODS)

• On-Access Scanning (OAS)

• Offline Scanning (OVI)

[Table: Component & Feature against On-access and On-demand scanning. Features: checks local cache / requests a scan; processes file operations; checks global cache / requests a scan; hypervisor load-aware task scheduling. Components: End point, Product, Agent, MOVE Platform. Hypervisors: Xen, ESX, Hyper-V]

The Anti-Virus Offloading Process

ePolicy Orchestrator

• Installation
• Configuration
• Reporting

MOVE Virtual Appliance(s)

Features – Advanced File Caching

• Reduce overall scanning overhead

– Use scan caching better

– Local scan caching now becomes global scan caching

[Diagram: Hypervisor, MOVE Server, ePO Server, Scan Engine, Cache Synchronization Protocol]

Features – Optimised File Scanning

1. Local scan cache

2. Global Scan cache

3. File scan

4. Artemis if appropriate
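
One way the four-step lookup order above could work, as an added example that is not McAfee's code. The class, the cache key (content hash plus DAT version), the rule that step 4 runs only when the scan is inconclusive, and the stand-in engine and reputation callbacks are all assumptions.

```python
import hashlib

class ScanTiers:
    """Per-VM verdict lookup: local cache, global cache, file scan, reputation."""

    def __init__(self, global_cache, scan_engine, reputation, dat_version):
        self.local_cache = {}             # private to this VM
        self.global_cache = global_cache  # one dict shared by every VM (hypothetical)
        self.scan_engine = scan_engine    # bytes -> "clean" | "malicious" | "unknown"
        self.reputation = reputation      # sha256 hex -> "clean" | "malicious"
        self.dat_version = dat_version

    def verdict(self, content):
        """Return (verdict, tier); tier names the step that produced the answer."""
        # Assumption: entries are keyed on content hash plus DAT version, so a
        # modified file or a signature update can never reuse an old verdict.
        digest = hashlib.sha256(content).hexdigest()
        key = (digest, self.dat_version)
        if key in self.local_cache:                              # step 1
            return self.local_cache[key], "local-cache"
        if key in self.global_cache:                             # step 2
            self.local_cache[key] = self.global_cache[key]
            return self.local_cache[key], "global-cache"
        result, tier = self.scan_engine(content), "file-scan"    # step 3
        if result == "unknown":                                  # step 4, only if needed
            result, tier = self.reputation(digest), "reputation"
        self.local_cache[key] = self.global_cache[key] = result
        return result, tier

def demo_engine(content):
    # Constructed stand-in engine: flags a test marker, is unsure about "MZ" files.
    if b"EVIL-TEST-MARKER" in content:
        return "malicious"
    return "unknown" if content.startswith(b"MZ") else "clean"

def demo_reputation(digest):
    return "clean"  # constructed stand-in for the reputation service

def run_demo():
    shared, doc = {}, b"quarterly report"   # constructed sample data
    vm1 = ScanTiers(shared, demo_engine, demo_reputation, dat_version=1)
    vm2 = ScanTiers(shared, demo_engine, demo_reputation, dat_version=1)
    vm3 = ScanTiers(shared, demo_engine, demo_reputation, dat_version=2)
    return [vm1.verdict(doc)[1], vm1.verdict(doc)[1], vm2.verdict(doc)[1],
            vm2.verdict(doc + b" EVIL-TEST-MARKER"), vm3.verdict(doc)[1]]
```

In `run_demo()` the second VM answers from the global cache without scanning, while the modified file and the VM on a newer DAT version both fall through to a fresh scan.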

[Diagram: Hypervisor, Scan Engine, Artemis; lookup steps 1 to 4]

Features - Security Dashboards/Reports

Report per datacenter, hypervisor, cluster etc.

Features – Hypervisor-aware scheduler

• Maximum concurrent scans per Hypervisor
• Maximum concurrent scans per Storage

Features

• Efficient Security Management
– Maintains Virtual Machine Awareness so security can still be managed regardless of what hypervisor it resides on
– Intelligent Scanning scheduler per hypervisor
  • Allows for scheduling Offline Virus Scanning
  • Allows for scheduling based on load of hypervisor
– Security Dashboards/Reports per hypervisor

Platform Initial Testing Proof Points with Citrix

| | A/V within the guest | Offloading A/V with MOVE |
|---|---|---|
| Memory Consumption (per VM) | 60-120MB+ | ~20MB |
| Peak CPU Usage (per hypervisor) | 80-100% | <10% |
| VM Density | X | 3X |
| Scanning Resource Utilization | YES | NO (Offloaded to Virtual Appliance) |
| DAT Update Resource Utilization | YES | NO (Offloaded to Virtual Appliance) |

The product plans, specifications and descriptions herein are provided for information only, subject to change without notice, results may vary and without warranty of any kind, express or implied

MOVE 1.5 Product Package Details

• Not part of any suite

• Components

– ePO Extension (policies, tasks, reports, dashboards)
– Off Load Server (Secure VM)
  • MOVE Offload Component/VSE/OVI
  • Runs on Windows 2008 64-bit

• Platform Support
– Hypervisor
  • VMware ESX/ESXi, Citrix XenServer
– MOVE-AV for VDI
  • Windows XP, Win7 (32-bit, 64-bit)
– MOVE-AV Servers
  • Windows 2003, Windows 2008, Windows 2008 R2

Top McAfee Differentiators

• Most complete and scalable security solution spanning physical and virtual servers, desktops, and networks.
• ePolicy Orchestrator, the only integrated management platform for physical and virtual environments.
• First and only security vendor to protect online and offline virtual machines.

Thank You!

For more information, please visit:

http://www.mcafee.com/us/enterprise/products/virtualization_security/index.html
