McAfee Move Antivirus Solution (Agent based/Agent less)?

EDIT 15th Mar, 2015: Intel has very good blog which cover similar topic here

EDIT 13th Dec, 2015: Please note with agent less solution you must have vShield Manager or NSX to deploy vShield Endpoint.

While reviewing McAfee AV solution for Horizon View environment I had to made a decision whether to go Agent based on Agentless. I have made decision justification scenario below, hope it helps you.

Design Decision

Design Choice

 

Design Decision ID:DD01

Decision: McAfee MOVE Antivirus solution will be agentless across virtual infrastructure

Category: Security

 

Description

 

To meet RSEC: 01[1], Agentless Antivirus will be used to protect endpoints i.e. Virtual Desktops. Agentless AV solution do not need any agents to be deployed per VM. End protection will be done using VMware NSX API (NetX API). Traffic entering hypervisor will be intercepted by NetX API and sent to McAfee Secure Virtual Machine (SVA) for scanning. VDs will be protected against

1.)    Anti-Malware

2.)    Vulnerability Protection

3.)    Web Filtering

 

Design Justification

 

In agent based solution offload scanner server (OSS) must be deployed on same network as VDs[2]. VLAN or IPSec must be used for secure communication between VM and OSS. However both (VLANs and IPSec) the options impact product performance[3]. On day one, 50 VLANs are required for networks. For 50 VLAN, 50 OSS has to be deployed in each VLAN. Each OSS needs 4 Cores, 6 GB RAM and 8 GB Disk space. For 50 VMs, 50 network IPs, 200 vCPU, 300 GB RAM. OSS must be deployed with McAfee VirusScan Enterprise Client to protect itself & subsequently Windows OS needs to be hardened. For high availability, OSS must be deployed behind NLB. Therefore there is need to enable DRS Anti-affinity rules. With Agent less solution, SVA needs to deployed per ESXi host only. Total ESXi host designed for this solution are 30 . Only 30 SVA are needed and each SVA need 2 Cores, 2 GB RAM and 8 GB Disk space. Tables Below show the significant differences in resources required between agent and agentless solution

 

Agent Based

vCPU

vRAM

Disk Storage

VLAN Count

Total vCPU

Total vRAM

Total Storage

4

6 GB

80 GB

50

200

300 GB

4000 GB

 

Agent Less Solution

vCPU

vRAM

Disk Storage

ESXi Count

Total vCPU

Total vRAM

Total Storage

2

2 GB

8 GB

30

60

60 GB

240 GB

 

Following key points have driven decision on agentless solution

1.     No agent deployment needed. No DAT download needed especially for non-persistent desktops.

2.     SVA is needed per ESXi host unlike off load scan server which is needed per VLAN

3.     Potential to maximize the VM density as resources required by agent is no longer needed

4.     Over all simplified management of Anti-Virus Solution

 

Design Impact

 

Impact

Description

Availability

SVA is installed per ESXi host and is pinned to ESXi host. If ESXi host fails, VMs will reboot to another ESXi host. SVA present on another ESXi host will immediately protect rebooted VMs

Manageability ↑

Over all solution is simplified

1.     Ease to Deploy: Installation of SVA is like deploying any other appliance on ESXi host. Upgrade and updating SVA appliance needs VMware skills.

2.     Ease to Operate: As you install SVA only once per ESXi host, any VMs deployed on the esxi is automatically protected without additional steps

Performance

Since appliance is deployed on ESXi host there is overhead between 5-10% on VMKernel. As a safe factor, 5% additional resource (CPU & Memory) on ESXi host will be added and reserved for SVA

Recovery

Appliance is registered with ESXi host, in case of failure of appliance, vSphere HA for application will restart SVA. In worst case when SVA needs to recovered, SVA will be backed up using VDP weekly. Since footprint of appliance is 8 GB, restore time is less than 15 minutes.

Security ↑

SVA is Linux based OS, which is pre-hardened appliance. Virtual machine security guide settings mentioned in Appendix-A will be part of implementation guide

 

 

 

[1] RSEC:01 Security must be primary focus in entire solution

[2] VDs Virtual Desktops

[3] McAfee MOVE Product Deployment Guide