Professional Documents
Culture Documents
Overview
This document explains the functionality of Security for Virtual and Cloud
Environments (SVCE) - what it is, what it does, and how it works. It also
explains some of the needs and requirements specific to virtual and cloud
environments.
Key features
SVCE is hypervisor-agnostic and supports all popular virtualization platforms,
including VMware, Citrix, and Microsoft Hyper-V, as well as mixed and hybrid
environments.
To optimize performance, malware scanning is offloaded to a dedicated
Scanning and Reputation Server.
SVCE combines the flexibility of agentless solutions and the security of
traditional agent-based solutions.
Benefits
SVCE offers complete protection for all virtual environments without
compromising performance.
The best protection offered by F Secures award-winning security clients is
now available for virtualized environments.
Optimized performance reduces hardware costs due to lower RAM, CPU, and
disk space requirements.
Unified central management tools and client software reduce complexity.
Change virtual desktops or servers from one virtualization platform to
another without changing security products.
Component groups
SVCE has three component groups: the client security products, Scanning and Reputation Server,
and the management portal.
1. Client security products - Standard F-Secure workstation and server software
F-Secure Client Security
F-Secure Server Security
F-Secure E-mail and Server Security
F-Secure Anti-Virus for Workstations
2. Scanning and Reputation Server - Isolates performance-consuming operations away from clients
Virtual appliance for VMware ESXi, vSphere hypervisor
Virtual appliance for Citrix XenServer, Xen hypervisor
Virtual appliance for Microsoft Hyper-V hypervisor
3. Policy Manager - Provides policies, configurations and updates for the entire solution
F-Secure Policy Manager for Windows
F-Secure Policy Manager for Linux
Virtual Appliance
Scanning and
Reputation Server
Policy Manager
orsp
Cache
OS
updates
F-Secure
OS
Virtual Desktop
Virtual Desktop
Virtual Server
Virtual Server
Programs
Programs
Programs
Programs
Client Security
Server Security
OS
OS
OS
OS
Hypervisor
Component
What it does
Policy Manager
Managemant Agent
How it works
SVCE protects virtual machines that are running in private or public clouds. It provides proactive
behavioral analysis and exploit protection that efficiently identifies and blocks modern malware and
exploit attempts. To optimize performance for virtual environments, resource-intensive malware
scanning is offloaded to a dedicated F-Secure Scanning and Reputation Server.
To prevent modern attacks, F-Secure security products are based on multi-layer protection. Each
layer addresses a particular aspect of the threat landscape and works with other layers to provide a
complete solution.
Here is what this protection looks like when installed on a physical machine:
Physical Machine
Browsing protection
Web and Email scanning
File reputation analysis
Behavioral analysis
Exploit protection
Signature-based scanning
Advanced heuristic analysis
Compound object scanning
When traditional security products are installed on multiple virtual machines that are running
on the same hypervisor, they may compete for hardware resources and eventually decrease the
performance of the whole environment. Offload Scanning Agent and Scanning and Reputation
Server can optimize performance to provide the best protection possible:
Virtual Machine
Browsing protection
Signature-based scanning
Behavioral analysis
Exploit protection
Legend:
Install
Do not install
Installation recommended (see the notes)
Installation not recommended (see the notes)
Physical
desktop
Virtual
desktop
Notes:
1. Y
ou can turn off network drive scanning if the relevant file servers have real-time antivirus
protection.
2. T urn on DeepGuard advanced process monitoring if users can install their own applications on
virtual desktops. Otherwise, turn it off.
3. T urn on E-mail scanning if users can read their e-mails from untrusted or unprotected e-mail
servers. Otherwise, turn it off. You should consider using F-Secure E-mail and Server Security or
F-Secure Internet Gatekeeper to handle e-mail scanning on the mail server or gateway.
4. T urn on Web traffic scanning unless all HTTP traffic goes through a gateway where it is scanned (for
example, with F-Secure Internet Gatekeeper).
5. I nstall or turn on F-Secure firewall if you need to protect virtual desktops against network-based
attacks and intrusions that may come from within the virtual infrastructure, for example if you do
not have full control of the host environment. You can turn off F-Secure firewall if your network has
network control and intrusion prevention in place, or if you are using Windows firewall on virtual
desktops.
6. T urn on Application Control if users can install and run their own applications on virtual desktops.
Otherwise, turn it off.
7. Y
ou do not need to install Software Updater (SWUP) on every virtual desktop. To deploy virtual
desktops without SWUP, install it on the virtual desktop template to identify and install missing OS
and third-party updates, after which you can uninstall it before you deploy virtual desktops from the
template.
8. Install the Microsoft NAP plug-in only if you use Microsoft Network Access Protection.
Physical server
(Exchange)
Virtual server
(Exchange)
Physical server
(Terminal, RDSH,
XenApp)
Virtual server
(Terminal, RDSH,
XenApp)
N/A 5
N/A 5
N/A 5
N/A 5
Legend:
Install
Do not install
Notes:
1. O
ffload Scanning Agent is currently used for file scanning only. Because Exchange transport and
storage protection in F-Secure Anti-Virus for Exchange still uses local Content Scanner Server,, you
should not install Offload Scanning Agent on virtual Exchange Servers, especially if you do not have
many servers and they are critical for business communication.
2. Y
ou do not need to install DeepGuard advanced process monitoring and exploit protection features
if the server runs trusted software and the administrator does not browse the web from the server.
3. W
e recommend that you turn on DeepGuard advanced process monitoring and exploit protection
features if the users can run unknown software or browse the web from the terminal or RDS server.
4. W
eb traffic scanning inspects all HTTP traffic, which may affect communication between Exchange
and other Windows server components that use HTTP-based interfaces. You can turn off Web traffic
scanning and Browsing protection if the administrator does not browse the web from the server.
5. F -Secure Anti-Virus for Exchange and Spam Control are only installed if the server runs Microsoft
Exchange Server. Spam Control is only installed if Microsoft Exchange Server acts as the transport
or hub server.
Policy Manager provides a scalable way to manage the security on multiple operating systems
both physical and virtual - from one central location.
You can use Policy Manager to:
-
Define and distribute security policies
-
Install applications on local and remote systems
-
Monitor activities of all systems to ensure compliance with corporate policies and
centralized control.
With Policy Manager, you can see status information from the entire managed domain. This makes
it easy to ensure that the entire domain is protected, and to change the protection settings when
needed. You can also prevent users from changing the security settings, and make sure that the
protection is always up to date.
The Web Reporting tool that is included in Policy Manager provides detailed graphical reports that
are based on the latest status information and historical trend data. You can generate reports for
the entire domain, subdomains, or individual hosts and also export reports as HTML files.
F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland
Tel. +358 9 2520 0700
2014 F-Secure Corporation. All rights reserved. "F-Secure" is a
registered trademark of F-Secure Corporation and F-Secure product
names and symbols/logos are either trademarks or registered
trademarks of F-Secure Corporation. All product names referenced
herein are trademarks or registered trademarks of their respective
companies.