Trend Micro Deep Security 9 is a product Trend Micro picked up with its acquisition of Third Brigade. It integrates with the hypervisor in a VMware ESXi environment and can run with Agents or Agent-less. With an Agent-less install you get Intrusion Prevention, Firewall, Anti-Malware, Web Reputation and Integrity Monitoring; Log Inspection still needs an Agent in the guest.
It can go into your physical, virtual and cloud environments, so it is very flexible. Deep Security supports Microsoft Windows, Solaris, Linux, VMware, AIX, HP-UX and Citrix.
Trend Deep Security 9 has 6 modules:
- Firewall – Prevents denial-of-service attacks and detects network scans.
- Intrusion Prevention – Detects and blocks known and zero-day attacks that target vulnerabilities.
- Web Reputation – Tracks the credibility of websites and safeguards users from malicious URLs.
- Anti-Malware – Detects and blocks malware.
- Log Inspection# – Optimizes the identification of important security events buried in log entries (*only available in Agent form today).
- Integrity Monitoring# – Detects malicious and unauthorized changes to directories, files, the registry, etc.
# The last two modules are sold separately. They are used mostly by compliance shops like ours, with high compliance demands across the whole infrastructure.
Here’s the high-level architecture diagram:
So what’s the big deal?
In a traditional environment you have an AV agent on each physical machine, and often on each virtual machine as well. If you tell those agents to scan at the same time (a scheduled weekly scan, for example), every one of them consumes CPU, memory and disk I/O at once. On VMs that means an AV storm on the host, and it can starve services that users are trying to reach. BAD!
In the Deep Security environment you run one security appliance on each ESX host. That appliance does the scanning for all of the VMs on that host, so the load is not duplicated in every guest. The appliance is controlled by the Deep Security Manager, a web-based GUI that manages the whole environment.
Because the scanning resources are not duplicated per guest, you can deploy more VMs per host with Deep Security than in a VM environment with agent-based AV, all while meeting the strictest compliance needs.
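To make the AV-storm argument concrete, here is a small scheduling model added for this post; it is not Trend Micro or Deep Security code. Each VM's scan is treated as an interval on one ESX host, a sweep line computes the peak number of scans running at once per host, and three schedules are compared: every in-guest agent firing at the scheduled minute, agents staggered under a concurrency cap, and a per-host appliance scanning its VMs back to back. The host names, VM counts, the 15-minute scan duration and the one-at-a-time appliance behaviour are all assumptions of the model.

```python
"""Constructed model of the scheduled-scan "AV storm" (added illustration,
not Deep Security code). Scan durations, host names and the one-at-a-time
appliance behaviour are assumptions, not product behaviour."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    host: str
    vm: str
    start: float     # minutes after the scan window opens
    duration: float  # minutes


def peak_concurrency(scans):
    """Return {host: peak simultaneous scans} using an event sweep line."""
    by_host = {}
    for s in scans:
        by_host.setdefault(s.host, []).append((s.start, +1))
        by_host[s.host].append((s.start + s.duration, -1))
    peaks = {}
    for host, events in by_host.items():
        # tuples sort by time, then delta, so at equal timestamps a scan
        # end (-1) is processed before a scan start (+1)
        events.sort()
        running = peak = 0
        for _, delta in events:
            running += delta
            peak = max(peak, running)
        peaks[host] = peak
    return peaks


def window_length(scans):
    """Minutes from the first scan start to the last scan finish."""
    return max(s.start + s.duration for s in scans) - min(s.start for s in scans)


def agent_storm(hosts, vms_per_host, duration):
    """Every in-guest agent starts its weekly scan at the same scheduled minute."""
    return [Scan(h, f"{h}-vm{i}", 0.0, duration)
            for h in hosts for i in range(vms_per_host)]


def staggered_agents(hosts, vms_per_host, duration, max_parallel):
    """Spread agent start times so at most max_parallel scans overlap per host."""
    scans = []
    for h in hosts:
        for i in range(vms_per_host):
            batch = i // max_parallel   # which batch this VM belongs to
            scans.append(Scan(h, f"{h}-vm{i}", batch * duration, duration))
    return scans


def appliance_serial(hosts, vms_per_host, duration):
    """One appliance per host scans its VMs one after another (assumed)."""
    return [Scan(h, f"{h}-vm{i}", i * duration, duration)
            for h in hosts for i in range(vms_per_host)]


if __name__ == "__main__":
    hosts = ["esx01", "esx02"]  # constructed sample environment
    for name, sched in [
        ("all agents at once", agent_storm(hosts, 20, 15.0)),
        ("agents staggered, 4 at a time", staggered_agents(hosts, 20, 15.0, 4)),
        ("appliance, serial per host", appliance_serial(hosts, 20, 15.0)),
    ]:
        print(f"{name}: peak per host {peak_concurrency(sched)}, "
              f"window {window_length(sched)} min")
```

With 20 VMs per host the all-at-once schedule peaks at 20 concurrent scans on each host for 15 minutes, staggering caps the peak at 4 but stretches the window to 75 minutes, and the serial appliance keeps the peak at 1 at the cost of a 300-minute window. The trade-off the model exposes is peak load versus scan window; the post's point is that the appliance takes the peak out of the guests entirely.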
THE BIG PROBLEM:
If you have Agent-based AV in a non-persistent virtual desktop environment, every desktop comes up with the virus and scan definitions from the time you took your golden image snapshot. Every time the user logs in, the agent has to go through the update process, and that can take 5-10 minutes or more. I know that this is true from doing this a few weeks ago! Talk about angry users!