Virtualization heavyweight Citrix recently published a thoughtful article in the Tech Papers section of the Citrix Tech Zone entitled Endpoint Security and Antivirus Best Practices, outlining a point-by-point primer on working with security vendors to procure the right anti-malware tools to secure virtual applications and desktops. Citrix focuses on four challenging areas:
This blog describes Bitdefender’s fully-compliant implementation of the Citrix best-practice guidelines, covering GravityZone Security for Virtual Environments (SVE) which provides security for next-generation infrastructure including the software-defined datacenter, hyper-converged infrastructure, and the hybrid cloud.
“Isn’t AV the same in the virtual data center and VDI desktops as it is for fixed and persistent VM endpoints?”
Securing non-persistent workloads—like VDI desktops that rapidly come and go—presents numerous challenges that exceed the scope of fixed client security. Within these transient workloads, machines are often identified uniquely by a GUID that is generated during the security tool installation process, so that dynamically provisioned machines do not appear in the management console and deprovisioned machines leave orphaned entries in the console.
Enterprise software requires centralized management for real-time granular deployment operations, security policy configurations, and event reporting. GravityZone SVE is built with from the ground-up for virtualization. It is delivered as a virtual appliance, integrates with infrastructure-management tools, and leverages virtualization infrastructure for seamless operations because the virtualization infrastructure is monitored in real-time. GravityZone SVE integrates with Infrastructure as a Service (IaaS) management tools—including vCenter Server, Citrix Hypervisor, Nutanix Prism, AWS, and Azure—allowing for inventory replication in real time with full visibility into environmental changes. Any time a virtual machine is created, moved, or deleted from the inventory, GravityZone SVE updates immediately.
“When our old AV would start scanning, the infrastructure would come to a screeching halt”
Legacy antivirus solutions in the virtualized datacenter face the longstanding challenge whereby AV signature updates significantly degrade performance, reducing the efficiency of the datacenter and frustrating users. Unoptimized security solutions use decentralized updates, often with large signature files that must be downloaded and updated regularly (sometimes hourly) and scanned continuously. In non-persistent environments, this can lead to security challenges (window of opportunity) and large network traffic (signatures are reset on boot).
GravityZone SVE scan offloading solves these problems. A Security Virtual Appliance (SVA) handles all updates so that each VDI client requires fewer updates. Significant CPU, memory, and disk activity footprint consumption is moved to the SVA so that virtual datacenter environments achieve higher VM-to-host densities and superior VDI performance.
How to Build A Windows Virtual Desktop (VDI) Experience Properly Cheat Sheet
“Wouldn’t agentless security solve all of my virtual datacenter performance and density issues?”
Not long ago, security administrators (and security vendors) hung their hopes on “agentless” security to solve their virtual datacenter performance woes, performance and density being chief among them. In practice however, all agentless VMs rely on a single security appliance and unknown files are transferred in full between each VM and the offloading appliance, resulting in higher latency and slower performance. Built correctly as in GravityZone SVE, scan offloading has since supplanted agentless security as the preferred deployment model, as shown in the table below.
Agentless vs. Scan Offloading Deployment Models |
|
Agentless |
Scan Offloading |
Require 1 SVA per host |
Requires 1 SVA per 200 VMs across hosts |
Offloading handled by a platform driver |
Offloading handled by a Bitdefender driver |
Full files transferred to SVA for analysis |
Only unique file sections transferred to SVA |
High availability is not achievable |
High-availability and load distribution built-in |
“I’ll just scale up my existing AV solution to match the rapid growth of my virtual datacenter deployments.”
Security optimization remains a persistent challenge in large-scale deployments. Traditional security agents are not suitable for single-image management and the lack of centralized scanning and intelligence sharing hinders efficiency.
Bitdefender overcomes these scale issues with a two-tier caching technology. GravityZone SVE caching occurs on both the VM and the Security Virtual Appliance. The caching also has two components: a pre-trained cache and a self-learning cache. With this efficient design, the SVA inspects each file only once even if it appears on multiple VMs—avoiding redundant scanning, dramatically reducing CPU, RAM, IO, and network load across the datacenter or any defined VM cluster.
“If nothing else changed and users are complaining about performance, start by checking antivirus.”
Administrators of virtual datacenters face a core challenge when attempting to troubleshoot performance issues and determine their root causes. With so many moving parts, and multiple vendors involved, solutions are often unclear.
GravityZone SVE features a single point of configuration for all server, desktop, and cloud VMs. It maintains centralized configurations that propagate in real time and provides a local troubleshooting interface for testing and validating configuration changes that can resolve and improve performance issues.
“Our old antivirus caused excessive latency as it would scan system files that are always the same across clones.”
A final challenge faced by virtual datacenter administrators is the lack of smart scanning exclusions, especially among VDI desktop and server “clones”, where thousands of pre-installed operating system and application files are identical across VM instances. Since as stock Windows 10 installation often includes over one million distinct files—before any applications are even loaded onto it—why scan “known good” files when you don’t have to?
Conventional AV tools use two common approaches to scanning exclusions in the virtual datacenter: no default exclusions at all, or a single exclusion policy for all VM workloads. Both solutions are suboptimal. GravityZone SVE includes a flexible scan exclusion model with default scanning exclusions for a fast, reliable performance boost across your VM estate, or admins can implement custom exclusions as recommended by their specific virtualization infrastructure provider, including:
Impact of Virtualization Security on Your VDI Environment White Paper
Layered next-generation security is a necessity, especially in the virtual datacenter, where advanced protection against breaches cannot come at the expense of VM efficiency, density, or performance. Organizations should opt for security specifically designed for virtualization and for the cloud, as legacy anti-malware security introduces excessive latency that hinders user experience with their “heavy” agents that take up host resources, reduce consolidation ratios, and drive up costs. Real-time security integration with infrastructure-management tools is critical for expedient deployments, to maintain real-time VM inventory, facilitate security automation, and ensure compliance in non-persistent environments.
tags
Michael is Director of Technical Product Marketing for Bitdefender’s Data Center and Network Security Products. He has an MBA in Information Systems, a JD in Law, and 20 years of experience bringing innovative enterprise security software systems to market. Michael enjoys diving deep into products and making technical content accessible to general audiences.
View all postsDon’t miss out on exclusive content and exciting announcements!