The Balance of Today’s Security Solutions
The endpoint security software used to protect physical computers and servers is what’s known as an agent-based solution. In a non-virtualized environment, the full security software agent and anti-malware database are installed on the machine (server or desktop). Generally, using these agent-based products within a virtualized environment is not very effective. Each virtual machine will require the full agent and full anti-malware signature database to be installed on it. So, if the company has 100 virtual machines running on one virtual host, it’ll have 100 instances of the security agent and 100 instances of the malware signature database on that virtual host.
Agent-based security configurations cause the following problems in a virtual environment:
1. Duplication: Every VM will carry an identical set of security components, including an isolated anti-malware engine and signature databases, each of which will need to update independently. This high level of duplication of the antivirus database wastes storage capacity.
2. Instant-on gaps: It is not possible to update security components or databases on an inactive VM. So immediately after booting and before the security update is completed, the VM is vulnerable to attack.
3. Update Storms: The virtual host stores each virtual machine’s anti-malware database and serves it to that VM’s security agent; when all of the VMs update their databases at the same time, the combined load can severely impact the performance of other applications running on that host.
4. Scanning Storms: When the virtual machines on a host all start a routine security scan at the same time, the other applications running on that host are affected.
Agentless security applications only need one instance of the anti-malware database and one virtual machine that’s dedicated to security in order to protect every virtual machine that is running on that host. Compared to agent-based security, agentless solutions place much less demand on the host machine’s CPU, memory and storage. Furthermore, with only one dedicated security virtual machine, malware ‘scanning storms’ and security database / application ‘update storms’ are eliminated. In addition, instant-on gaps do not occur.
It should be noted that agentless security is only available using VMware’s vShield technology, so agentless security is not an option for Citrix or Microsoft virtual environments.
However, agentless security also has some limitations. vShield capabilities only allow access to protected VMs at the file-system level. This means that other endpoint protection technologies, like Application Control with Dynamic Whitelisting, designed to provide powerful additional layers of security, cannot be implemented.
Light Agent: Aiming to be a balance between “agentless” and “agent-based,” a light agent security solution uses a dedicated virtual appliance at the hypervisor level to store databases and conduct file-scanning (similar to an agentless configuration). This configuration also installs a small software agent on each virtual machine, which is specially configured to be lightweight and use far less processing power than a traditional software agent. This provides the benefits of performing the “heavy work” away from the VMs, but still having a direct link for performing advanced security tasks on each VM.
Even though there is a light agent on each virtual machine, ‘update storms’ do not occur – as there is only one instance of the security database, which is held within the virtual appliance – and ‘scanning storms’ are eliminated.
Light agent solutions can deliver security and management technologies that are not provided by agentless products, including:
• The ability to scan memory – and find memory-resident malware,
• Control tools that can be particularly useful in virtual desktop environments,
• Host-based network security – including a firewall and host intrusion prevention system (HIPS).
For example, Kaspersky Security for Virtualization | Light Agent delivers:
• Advanced anti-malware protection,
• Advanced network-level protection – using HIPS, firewall and Kaspersky Lab’s Network Attack Blocker technology,
• Application Control – to help manage which applications are allowed to launch,
• Device Control – to manage how removable devices are permitted access to the systems,
• Web Control – to help manage Internet usage and block access to specific types of websites,
• Automatic Exploit Prevention (AEP) – to defend against malware that exploits vulnerabilities in the operating system and applications,
• Cloud-assisted, real-time threat data – from the Kaspersky Security Network.
Kaspersky Security for Virtualization includes Kaspersky Security Center – Kaspersky Lab’s easy-to-use management interface that allows administrators to configure and control a wide range of Kaspersky Lab’s security and systems management technologies via a single console. With it, the company will be able to control both light agent and agentless deployments from one unified management console.