light agent or agentless
LIGHT AGENT
OR AGENTLESS
A Features Guide to Kaspersky
Security for Virtualization
www.kaspersky.com
2
A Features Guide to Kaspersky Security for Virtualization
With virtualization becoming ever more widespread, the need for
adequate security solutions is self-evident. Although just as susceptible
to cyber-attack as any physical system, virtual environments present
unique features which need consideration when assessing different
security solutions.
Businesses can use the same security software to protect both their
physical and virtual machines. But while providing a good level of
protection, standard solutions which are not designed specifically
for virtual environments can cause problems, including:
1. Excessive resource consumption due to the replication of
signature databases and active anti-malware engines on each
protected Virtual Machine (VM).
2. “Storms”– simultaneous database updates and/or anti-malware
scanning processes on each VM, leading to an avalanchelike increase in resource consumption, causing drastic loss
of performance and even denial of service. Attempts to
mitigate the problem by scheduling these processes generates
“vulnerability windows” – time periods when postponed
malware scans leave the VM vulnerable to attack.
3. “Instant-on gaps”. Signature databases cannot be updated
on inactive VMs. So from machine startup until the update
process completes, the VM is vulnerable to attack.
4. Incompatibilities. Because standard solutions are not built to
handle virtualization-specific features, like migrating VMs or
non-persistent storage, their use can cause instabilities and
even system lockups.
Recognizing the importance of virtual systems security, and the
unique features virtualization presents, market leader VMware
developed vShield endpoint technology, a specific defensive layer
for its vSphere virtualization platform. This layer creates an integrated
security space for third-party solutions, natively integrated with
VMware APIs such as vShield Endpoint and NSX Guest Introspection,
enveloping all virtualized assets and allowing easy and efficient access
by appropriately designed security solutions. Only one Security
Virtual Machine (SVM) – a specialized virtual machine carrying an
anti-malware scanning engine and signature databases – is needed
per host, removing this burden from individual VMs and so greatly
reducing resource consumption. The biggest benefit of this approach
for Enterprise businesses is smooth and native integration with the
3
A Features Guide to Kaspersky Security for Virtualization
VMware ecosystem.
Another approach is an API-independent or, rather, a virtualizationplatform-independent solution, which utilizes a lightweight agent
optimized to operate inside the OS of each VM being protected.
With the file scanning engine and databases still held centrally on
the SVM, ‘light agent’ technology delivers a dramatically smaller
resource footprint than a traditional full agent solution. The solution
sits between “agentless” and traditional full agent solutions in terms
of resource consumption, but is not tied to or limited by VMware
technologies and can also be used on popular platforms including
Microsoft Hyper-V, Citrix XenServer and KVM.
VM
VM
LIGHTER SECURITY AGENTS
VM
VM
VM
VM
4
A Features Guide to Kaspersky Security for Virtualization
KASPERSKY SECURITY FOR
VIRTUALIZATION | AGENTLESS
Kaspersky Security for Virtualization | Agentless was specifically
designed to utilize all the advantages of vShield Endpoint technology.
The Security Virtual Machine (SVM), ready for deployment out-ofthe-box, is powered by Kaspersky Lab’s award-winning anti-malware
engine, benefiting from superior detection rates and performance.
Support for the cloud-assisted Kaspersky Security Network service
ensures the fastest possible reaction times and, importantly, identifies
new malware threats in as little as 0.02 seconds. This enables
Kaspersky Security for Virtualization to protect your virtualized
environment against even zero-day threats.
VMware NSX-enabled environments benefit from integration between
Kaspersky Security for Virtualization | Agentless and VMware’s native
NSX Guest Introspection, so your infrastructure will scale with no
limitations while your security solution seamlessly follows topology
and infrastructure changes.
KASPERSKY SECURITY FOR VIRTUALIZATION | AGENTLESS
Kaspersky
Security Center
KSN
KSC
VM
VM
VM
VM
DISTRIBUTED SWITCH
vSphere
SVM
NAB
VSHIELD OR NSX MANAGER
vSphere
vSphere
5
A Features Guide to Kaspersky Security for Virtualization
For advanced network protection, a second SVM may be used to
deliver Kaspersky Network Attack Blocker functionality, in close
integration with VMware’s NSX platform as well as with vCloud
Networking & Security component.
There are shortcomings to an ‘agentless’ approach. First, VMware
vSphere is the only virtualization platform with an intermediate security
layer - NSX or vShield Endpoint. For other virtualization platforms,
the security solution must install some form of agent inside the guest
OS of individual VMs to perform file-scanning tasks at machine level.
Secondly, due to VMware’s design, native technologies like vShield
Endpoint and NSX Guest Introspection don’t provide access to the
VM’s internal processes, applications or web traffic, or to virtualized
devices. Infrastructure protection is limited to file level scanning, which
significantly decreases the solution’s ability to provide deep protection
against advanced malware at individual VM level.
6
A Features Guide to Kaspersky Security for Virtualization
KASPERSKY SECURITY FOR
VIRTUALIZATION | LIGHT AGENT
A ‘light agent’ approach overcomes these limitations. With the file
scanning engine and databases still held centrally on the SVM, this
application has a dramatically smaller resource footprint than traditional
full agent solutions. The light agent on each VM provides access to
individual machine memory, application and internal processes, as well
as to web traffic and virtualized devices. This access allows advanced
security techniques to be deployed at machine level, while preserving
overall virtualization platform efficiency and performance.
Kaspersky Security for Virtualization | Light Agent has been specifically
designed for virtual environments and supports most popular platforms:
Citrix XenServer, Microsoft Hyper-V, VMware and most recently KVM.
KASPERSKY SECURITY FOR VIRTUALIZATION | LIGHT AGENT
Kaspersky
Security Center
KSN
KSC
VM
VM
VM
VM
VM
SVM
VIRTUALIZATION PLATFORM MANAGEMENT
vSphere
XenSer ver
KVM
7
A Features Guide to Kaspersky Security for Virtualization
In virtualized server environments, Kaspersky Security for Virtualization
| Light Agent users benefit from valuable technologies like HIPS (HostBased Intrusion Prevention System) and a proprietary Firewall, giving
protection from network attacks. For VDI environments, security is
extended with comprehensive network protection capabilities and a full
set of endpoint controls - allowing you not just to protect your systems
from malware, but to limit the use of untrusted applications, devices or
web resources. The solution architecture significantly reduces the attack
surface, saving precious computing resources. A powerful multi-layered
defensive perimeter, capable of eliminating sophisticated malware
and even zero-day threats, is supplemented by Automatic Exploit
Prevention (AEP) technology.
A ‘light agent’ approach means you can secure your virtual
environment – including virtual servers and VDI - with no significant
impact on hypervisor performance. So you fully protect your systems
and sensitive corporate data while preserving machine density and
quality of user experience.
8
A Features Guide to Kaspersky Security for Virtualization
KASPERSKY PROTECTIVE
TECHNOLOGIES VS. THREATS TO
YOUR VIRTUAL INFRASTRUCTURE
VMs are every bit as vulnerable as their physical counterparts –
perhaps even more so: in lightning-fast virtualized networks,
the spread of infection can be devastating. So it’s important to identify
the security weaknesses in your virtual infrastructure, and to deploy
an efficient security solution with specific protection to fight advanced
threats. Below, we examine potential threats to virtual systems,
and the technologies used to counteract them.
Malware executables
Whether it’s an insidiously crafted attachment received via email,
infected leisureware or a temporary malware-created executable – antimalware protection is essential deal with basic threats. Our powerful
malware-fighting engine is the core of both our Agentless and Light
Agent configurations of Kaspersky Security for Virtualization, though
different means are used to reach into the protected VM’s file.
Another way to prevent malware agents from harming your virtualized
assets is through Application Control with Dynamic Whitelisting. When
only trusted software is allowed to run on a VM, malware has no chance
of executing. Kaspersky Security for Virtualization | Light Agent allows
endpoint controls, including Application Control, to be enabled on
individual VMs.
Bodiless malware
Some sophisticated malware does not have a ‘body’ – so there’s nothing
to be found in the file system. Spawned by a previously launched
executable, or injected via an exploit, this malware can rarely be detected
by traditional anti-malware solutions. Advanced anti-malware techniques,
which can monitor processes in the memory and immediately block
programs engaged in any suspicious or dangerous activity, are required.
Kaspersky Security for Virtualization | Light Agent is armed with a range
of technologies able to block incursions into the VM’s memory. These
include:
∞∞ System Watcher, which monitors program behavior, tracing
system events.
∞∞ Behavioral Stream Signatures, identifying behavior patterns
characteristic of malware activity.
9
A Features Guide to Kaspersky Security for Virtualization
∞∞ Privilege Control, restricting application from making unsolicited
changes, including process injection.
These tools allow the Host-based Intrusion Protection System (HIPS) to
track down and stop rogue processes in the VM memory.
Exploits
The exploitation of vulnerabilities found in systems components and
popular applications remains a highly effective attack mechanism.
Though it is possible to thwart these incursions using the technologies
above, the affected program may operate at a high privilege level,
limiting control over its activities.
The most effective method of tackling this form of threat is to prevent
exploits from exploiting their targeted vulnerabilities. To swiftly overcome
the dangers posed by unpatched vulnerabilities, Kaspersky Security for
Virtualization | Light Agent offers Automatic Exploit Prevention (AEP)
technology. AEP specifically monitors the most frequently targeted
applications in critical environments like VDI – including Adobe Reader,
Internet Explorer, Microsoft Office, Java and many more – delivering an
extra layer of security monitoring and protection against unknown threats.
The efficiency of this technology has been proven in independent tests
performed by MRG Effitas institute, which found that, even with all
other protective components switched off, Kaspersky’s AEP technology
remained 100% effective against exploit-using attacks (see Real World
Enterprise Security Exploit Prevention, MRG Effitas, March 2015 for details).
Even unknown, zero-day exploits are blocked by this superior technology.
Rootkits
Sophisticated malware is often capable of hiding itself, preventing
detection by traditional anti-malware with the help of so called
“bootkits” and “rootkits”. These insidious tools try to boot or execute
the malware as early as possible, so that it gains high privileges within
the guest operating system, helping it remain undetected.
Operating both in memory and at file system level, Kaspersky Security
for Virtualization | Light Agent uses Kaspersky Lab’s Anti-Rootkit
technology to detect and eradicate even this deeply hidden malware.
10
A Features Guide to Kaspersky Security for Virtualization
Network attacks
Network-based cyber threats may allow the attacker to obtain
crucial information about the network, gaining access to the targeted
system’s resources, interfering with critical processes and affecting its
smooth operation. These threats include malicious actions like port
scanning, denial-of-service attacks, buffer under-run attacks. Both
our ‘agentless’ and ‘light agent’ solutions have network protection
technologies built-in. Kaspersky Security for Virtualization | Light Agent
extends network protection capabilities with built-in HIPS (Host-based
Intrusion Prevention System) and additional proprietary technologies to
fight external and internal network attacks – including threats that may
be hidden in non-transparent virtualized traffic.
Kaspersky Security for Virtualization | Agentless also addresses this
issue, leveraging VMware integration to provide a Network Attack
Blocker – a dedicated virtual appliance designed to monitor network
traffic for signs of typical attack activity.
Malicious websites
One of the most common sources of infection is a malicious, or
infected, website. Though this rarely affects virtualized servers, it
may pose a serious threat to VDI, a fact not always fully appreciated
by corporate users. This is where Kaspersky Lab’s web protection
technologies come into play.
Anti-phishing prevents users from accessing websites reported as
dangerous, using information obtained via the Kaspersky Security
Network (KSN) and continuously updated with the help of millions
of KSN’s voluntary participants around the globe. As yet undiscovered
phishing sites are also blocked, thanks to a heuristic engine that
analyzes the source text of the loaded page, detecting signs of
malicious code. Web Control lets you manage Internet usage, so you
can block access to social networks, music, video, non-corporate
web email and any websites that contain inappropriate content or
are against your corporate policy. You can deploy different policies
reflecting different responsibilities, and choose between applying
a complete block or just blocking access during specific periods.
11
A Features Guide to Kaspersky Security for Virtualization
Peripherals-based attacks
Traditionally, one of the most effective methods of introducing
an infection into an IT network is through external storage. While
network-delivered infections now appear the greater threat in terms
of sheer numbers, external storage remains a significant danger –
especially when it’s part of a carefully planned targeted attack. It is
worth mentioning that ungoverned non-storage peripherals can also
pose a threat - external storage drives are one of the most popular
methods of stealing your confidential data. While it may not be easy
for an unauthorized person to access the physical machines hosting
your virtual infrastructure, it is possible.
So hardware connecting to your virtualized environment should
be a concern. For example, using thin-clients is a best practice for
VDI deployments, and even simplest thin-clients have USB ports.
Controlling peripherals can be nightmare – or can be done seamlessly
using Kaspersky Lab’s Device Control technology. This technology
allows you to specify which removable devices are granted access to
individual VMs, so it’s easy to apply control policies covering a range
of devices, including removable drives, printers and non-corporate
network connections.
Data leakage
Secrets leaking from a corporate IT environment may harm not
only business-critical processes or systems but the entire business,
including reputational damage that may have long-lasting and painful
consequences. So restricting the number of ways information is shared
is a good option to protect your business.
Both Kaspersky Lab’s Application Control and Device Control are useful
here. Application Control can prevent dangerous applications, such as
instant messengers or file hosting and P2P client apps, from executing
on the secured VM, while Device Control restricts the use of external
storage, which could be used to steal sensitive data. Both technologies
are included in Kaspersky Security for Virtualization | Light Agent.
Agentless or light agent: which is better?
The answer depends on which virtualization platform or platforms you
utilize, and specific deployments. Regardless of the hypervisor used to
build your virtualized environment – VMware vSphere, Citrix XenServer,
Microsoft Hyper-V or KVM – you can protect your critical virtual
servers and fast-growing VDI with Kaspersky Security for Virtualization
| Light Agent. But you may also consider Kaspersky Security for
Virtualization | Agentless for non-critical VMware-based servers which
do not require strong multi-layered security.
Luckily, Kaspersky Security for Virtualization licensing policy allows
you to deploy the most appropriate approach to each part of your
virtualized environment – ‘agentless’, ‘light agent’ or a combination of
both - under single license.
Whatever combination of Citrix XenServer, VMware vSphere, KVM or
Microsoft Hyper-V virtualization platforms, and whichever approach
you are using, all your virtual and physical machines, as well as mobile
security, can be managed simply and centrally through a single unified
interface – Kaspersky Security Center. And utilizing our cloud-based
security service – Kaspersky Security Network – allows for almost
instant detection of advanced threats.
Twitter.com/
Kaspersky
Kaspersky Lab, Moscow, Russia
www.kaspersky.com
Facebook.com/
Kaspersky
All about Internet security:
www.securelist.com
Youtube.com/
Kaspersky
Find a partner near you:
www.kaspersky.com/buyoffline
2016 Kaspersky Lab. All rights reserved. Registered trademarks and service marks are the property of their respective owners.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement