McAfee虛擬化防病毒介紹

1、McAfee MOVE 虛擬化防病毒解決方案為您的數(shù)據(jù)中心保駕護(hù)航Agenda虛擬化發(fā)展趨勢與挑戰(zhàn)McAfee MOVE針對虛擬化的防病毒Multiplatform 解決方案Agentless 解決方案虛擬終端的安全防護(hù)多樣化的部署架構(gòu)總結(jié)23虛擬化發(fā)展趨勢與挑戰(zhàn)數(shù)據(jù)中心正在改變 80%服務(wù)器將被虛擬化在2016年 40%數(shù)據(jù)將在云端被存儲和處理 在2020年$5.4B軟件定義數(shù)據(jù)中心SDDC的市場在2018年將達(dá)到61%業(yè)務(wù)在2014年使用了混合云環(huán)境100101001011000101100110001010110110100110101虛擬化的安全需求5虛擬化架構(gòu)的發(fā)展、復(fù)雜化和SDN等

2、架構(gòu)發(fā)展需求下安全越來越重要！31%公有云漸漸成為企業(yè)服務(wù)器部署的優(yōu)先解決方案+40 %虛擬機(jī)已逐漸成為首要的攻擊目標(biāo)之一65%企業(yè)對虛擬化平臺異構(gòu)要求和虛擬化軟件多樣化Verizon 2013 State of the Enterprise Cloud ReportESG Blog. Multiple Hypervisor StrategyRight Scale 2016 State of the Cloud Survey傳統(tǒng)防病毒解決方案已淘汰傳統(tǒng)防病毒架構(gòu)已經(jīng)無法滿足虛擬化的發(fā)展需求6數(shù)據(jù)中心下的傳統(tǒng)防病毒資源瓶頸繁雜管理架構(gòu)高負(fù)荷、高利用率的HYPERVISOR資源浪費(fèi)、不合理消耗AV

3、掃描風(fēng)暴DAT更新風(fēng)暴不間斷的文件掃描過度消耗主機(jī)性能資源臃腫病毒庫和掃描引擎軟件包部署不斷新增的虛擬機(jī)休眠和關(guān)閉的虛擬機(jī)7虛擬化安全解決方案8傳統(tǒng)防病毒 vs 優(yōu)化過的虛擬防病毒傳統(tǒng)防病毒 vs 優(yōu)化過的虛擬防病毒資源利用率高簡化管理優(yōu)化了資源消耗虛擬防病毒資源瓶頸管理痛點(diǎn)防病毒風(fēng)暴資源浪費(fèi)傳統(tǒng)防病毒性能提升效果10McAfee MOVE AntiVirus 在虛擬化平臺部署的性能提升效果.DAT Storm87% less CPU93% less network usage92% less disk usage與傳動防病毒性能對比ODS Storm70% less CPU 75% less

4、 network usage 75% less disk usage McAfee Threat Intelligence Exchange Enabled75% reduction in file transfer between client and offload scan serverMcAfee Move AntiVirus MultiplatformKey Features支持虛擬化群集、支持在Vmotion遷移功能下的防護(hù)不間斷通過EPO管理平臺實(shí)現(xiàn)隔離文件恢復(fù)可針對單個VM或群組部署按需掃描策略 強(qiáng)大的事件通知功能和性能資源監(jiān)控11VMOSMOVEVMOSMOVEHypervi

5、sor 1VMOSMOVEVMOSMOVEHypervisor 2VMOSMOVEMOVE Offload ScannerMOVE McAfee ePOAuto-scales offload scanners with demand通過網(wǎng)絡(luò)接口掃描受保護(hù)終端支持所有Hypervisor平臺Network當(dāng)虛擬機(jī)訪問文件時EndpointEndpointScan ServerMcAfee AgentGlobal CacheVirtual InfrastructureLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM所有文件都會記錄

6、到本地緩存里EndpointEndpointScan ServerMcAfee AgentGlobal CacheVirtual Infrastructure19870110AE1D2675DBLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM如果本地緩存沒有記錄，則會向Scan Server請求確認(rèn)是否有緩存記錄EndpointEndpointScan ServerMcAfee AgentGlobal CacheVirtual Infrastructure19870110AE1D2675DBLocal CacheLocal C

7、acheFile 1McAfee AgentMcAfee AgentVMVMVM19870110AE1D2675DB如果文件沒有在全局緩存內(nèi)，文件則會傳給Scan Server進(jìn)行掃描EndpointEndpointScan ServerMcAfee AgentGlobal CacheVirtual Infrastructure19870110AE1D2675DBLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM19870110AE1D2675DBFile 1所有文件會通過本地特征庫檢測和GTI云端檢測EndpointEndpo

8、intScan ServerMcAfee AgentGlobal CacheVirtual Infrastructure19870110AE1D2675DBLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVMFile 119870110AE1D2675DBEndpointEndpointScan ServerMcAfee AgentGlobal CacheVirtual InfrastructureLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM如果文件為惡意程序

9、則會執(zhí)行 刪除/拒絕訪問/隔離（基于策略配置）EndpointEndpointScan Server1987.1987.McAfee AgentGlobal CacheVirtual Infrastructure19870110AE1D2675DBLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM19870110AE1D2675DBFile 1如果文件是安全的則會自動緩存到本地緩存庫和全局緩存庫EndpointEndpointScan Server1987.1987.McAfee AgentGlobal CacheVirtual

10、 Infrastructure19870110AE1D2675DBLocal CacheLocal CacheFile 1McAfee AgentMcAfee AgentVMVMVM19870110AE1D2675DB對于同一個文件訪問，MOVE會進(jìn)行緩存比對，如果緩存庫里存在則跳過掃描，不存在則通過Scan Server進(jìn)行掃描，并建立本地緩存和全局緩存File 1How McAfee MOVE AntiVirus Multiplatform Works12Multiplatform 和TIE集成13提供全局的網(wǎng)絡(luò)和終端保護(hù)TIE Server(Managed by ePO)ESX Host

11、 1MOVEATDVirtual NSP2.Virtual NSP uses ATD to detect malware and notifies TIE1.Virtual NSP inspects network traffic for threats （支持東西、南北流量）3.MOVE cleans infected systemsData Exchange Layer (DXL)NetworkDXLMcAfee MOVE AntiVirus VMware Agentless Deployment（無代理部署）Key Features無代理支持 vCNS or NSX for vSpher

12、e支持大規(guī)模的虛擬化架構(gòu)快速部署提供對VMs 和 VMtools 保護(hù)智能的分配計劃掃描任務(wù)支持vMotion 不間斷保護(hù)14MOVE Offload ScannerVMware ESXVMware NSX or VMware vCNS McAfee ePOScans guest VMs over NSX/Vshield APIVMOSMOVEVMOSMOVEMOVENo agents to manage in VMsVMtoolsVMtoolsEndpointSVMMcAfee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpoin

13、tVmware ToolsLocal CacheVMVMVMFile 1當(dāng)虛擬機(jī)訪問文件時。會檢測文件是否在本地vCNS endpoint cache里，如果沒有，則會將文件投遞給SVM進(jìn)行掃描EndpointSVMMcAfee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 1File 1MOVE AV 會創(chuàng)建文件的MD5值并記錄到全局緩存里EndpointSVMMcAfee AgentGlobal CacheHypervisorVmware ToolsLo

14、cal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 119870110AE1D2675DBFile 1如果文件的MD5值在全局緩存庫里，MOVE AV不會進(jìn)行文件掃描，并且會將記錄告訴vCNS endpoint 保存到本地緩存EndpointSVMMcAfee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 119870110AE1D2675DB19870110AE1D2675DBEndpointSVMMcAf

15、ee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 1File 1如果該文件的MD5不在全局緩存里，則會對文件進(jìn)行本地特征庫檢測和GTI云端檢測EndpointSVM1987.McAfee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 119870110AE1D2675DB19870110AE1D2675DB如果檢測到的文

16、件是健康的，則會將文件的MD5值保存到全局緩存和本地vCNS endpoint緩存如果檢測為惡意程序，MOVE AV則會通過vCNS endpoint 執(zhí)行刪除/拒絕訪問 （基于策略）EndpointSVMMcAfee AgentGlobal CacheHypervisorVmware ToolsLocal CacheEndpointVmware ToolsLocal CacheVMVMVMFile 1File 1EndpointFile 1SVM1987.McAfee Agent19870110AE1D2675DBGlobal CacheHypervisorVmware Tools19870

17、110AE1D2675DBLocal CacheEndpointVmware ToolsLocal CacheVMVMVM當(dāng)其他終端再次訪問該文件時，則會從全局緩存進(jìn)行快速查詢，MOVE AV則不會對文件進(jìn)行掃描How McAfee MOVE AntiVirus Agentless Works15McAfee MOVE AntiVirus Agentless16通過與NSX虛擬環(huán)境集成實(shí)現(xiàn)自動化的策略部署和管理EPO與NSX無縫的集成實(shí)現(xiàn)環(huán)境策略同步可對威脅主機(jī)的快速標(biāo)記同時支持VMware vCNS部署深度的NSX集成VMware ESXVmware vShield OR NSX McAfe

18、e ePONSX ManagerVMVMtoolsVMVMtoolsVMVMtoolsMOVESVMVMware CertifiedMcAfee MOVE AntiVirus for Private Cloud17 McAfee ePO Unified Policy Management VMware vSphereVMVMtoolsVMVMtools VMware NSX or vCNS EndpointMOVESVMVMMOVEVMMOVEVirtual InfrastructureMOVESVMVMMOVEVMMOVEVMMOVEVirtual InfrastructureVMMOVEV

19、irtual InfrastructureMOVESVMMOVESVM Manager NSX/vCNSManager VMware vSphereVMVMtoolsVMVMtools VMware NSX or vCNS EndpointMOVESVMAgentless (VMware)Multiplatform (any hypervisor)McAfee MOVE AntiVirus optimizes malware protection for virtualized environments. There are two flexible deployment options, m

20、ultiplatform supporting all hypervisors such as vSphere, Hyper-V, and KVM and an agentless-tuned option for VMware NSX or VMware vCNS. Multiplatform1 SVM per 400 VMs1 SVM Manager for an ePO instance with load balancing across SVMsElastic provisioning of SVMsIntegrated with TIE/ATD workflowsAgentless

21、1 SVM per hypervisor VMware NSX and VMware vCNSVMware vCNS endpoint can be deployed from ePOePO is tightly integrated with VMware NSX全面的覆蓋和統(tǒng)一管理18McAfee的安全解決方案可涵蓋所有云架構(gòu)和服務(wù)器類型McAfee ePO Management ConsolePhysical ServersPrivate CloudsPublic CloudsExtensive VisibilityComprehensive ProtectionEndpoint Sec

22、urityNetwork SecurityData SecurityAccess ControlInventory & Config.Customer NeedsApplication and Content Protection19選擇最優(yōu)的解決方案！靈活的云安全解決方案選擇20Hybrid Solution Perpetual LicensingUsage Based LicensingServer Security Suite EssentialsServer Security Suite AdvancedPublic Cloud Server Security McAfee ePO c

23、onsoleMcAfee ePO consoleMcAfee ePO consoleCloud Workload Discovery for hybrid cloud (VMware, OpenStack, AWS & Azure)Cloud Workload Discovery for hybrid cloud (VMware, OpenStack, AWS & Azure)Cloud Workload Discovery for public cloud (AWS & Azure)Anti-malware (Optimized for VMs)Anti-malware (Optimized

24、 for VMs)Anti-malware (Optimized for VMs)Host Intrusion PreventionHost Intrusion PreventionHost Intrusion PreventionAWS Encryption managementAWS Encryption managementApplication WhitelistingApplication WhitelistingFile Integrity MonitoringFile Integrity Monitoring可選擇VDI安全解決方案21McAfee MOVE AntiVirus

25、for Virtual DesktopsMcAfee Security Suite for Virtual Desktop InfrastructureMcAfee ePO consoleMcAfee ePO consoleAnti-malware (Optimized for virtual desktops)Anti-malware (Optimized for virtual desktops)Cloud Workload Discovery for private cloud (VMware and OpenStack)Cloud Workload Discovery for priv

26、ate cloud (VMware and OpenStack)Host Intrusion Prevention for desktopsHost Intrusion Prevention for desktopsBrowser ProtectionBrowser ProtectionApplication Whitelisting for desktopsFile and Removable Media Protection22總結(jié)Summary支持多平臺（所有Hypervisor架構(gòu)）以及Vmware 的Agentless解決方案TIE平臺整合和隨意擴(kuò)展的部署架構(gòu)最大程度的減少性能消耗和

27、硬件資源消耗 提高虛擬機(jī)密度防止防病毒掃描風(fēng)暴無需每臺虛擬機(jī)進(jìn)行更新使用全局緩存減去不必要的掃描工作實(shí)現(xiàn)終端全面管控23McAfee MOVE AntiVirus 產(chǎn)品優(yōu)勢McAfee MOVE AntiVirus provides McKesson with comprehensive and consistent malicious code protection for our virtual environment.As we continue to adopt emerging technologies implementing McAfee MOVE AntiVirus provi

28、des us with additional security in our virtual environment. The solution makes sizing and deployment simpler and ensures that every system is deployed with the same level of protection.Patrick EnyartSenior Director McKesson Information Security, Security Operations 24Use Case: Large Global Retailer2

29、5Global Warehouse RetailerWho is the company/industry?Global membership-style warehouse retailer with hundreds of locations worldwide. What was the challenge?Protect virtualized enterprise without hampering business: Ensure that the companys virtual computing environment can grow without being compr

30、omised by malware attacks.Current environment: Over 25,000 virtual desktops, 5000 virtual servers, and 50 VMW hosts in 3 vCenters.How do we uniquely help?McAfee MOVE AntiVirus protects 98% of virtualized desktops and servers against sophisticated threats. ePO delivers new efficiencies through centra

31、lized management and provides global visibility to support compliance and protect customers26McAfee MOVE AntiVirus Deployment Options27FeatureMultiplatform DeploymentAgentless DeploymentHypervisors SupportedAll major hypervisorsVMware NSX and VMware vCNSSVM to VM CommunicationsNetworkVMCI channel wi

32、thin VMware ESXOn-Access ScanningOn-Demand Scanning (ODS)Weekly and instant schedulingWeekly schedulingQuarantine RestoreRestore from ePORestore from utilityIn-Guest Malware NotificationsAutomatic SVM Deployment through NSXElastic SVM ProvisioningFlexible Tuning PoliciesPolicy ExclusionsPathname, pr

33、ocess & publisherPathnameGTI File ReputationTIE File ReputationWhats New in McAfee MOVE AntiVirus 4.0?Secure the Cloud Securing Hybrid Infrastructure28Instant Discovery and ControlComprehensive Server ProtectionMinimal Impact on PerformanceCustomer OutcomesStreamlined management and consistent polic

34、ies for multiplatform and agentless deploymentsReal-time threat detection and correctionLayered security defense across server, network, endpoint and data center solutionsGreat scalability and efficient resource utilizationIncreased scanning precision and controlNew FeaturesUnified policy management

35、 for multiplatform and agentless deploymentsTIE/ATD/NSP integration (multiplatform)Elastic provisioning of offload scanners (multiplatform)Exclusive on-access and on-demand scanningWhats New in McAfee MOVE AntiVirus 4.0?Secure the Cloud Securing Hybrid Infrastructure29Instant Discovery and ControlComprehensive Server ProtectionMinimal Impact on PerformanceCustomer OutcomesStreamlined management and consistent policies for multiplatform and agentless deploymentsReal-time threat detection and corre