You are on page 1of 13

F-Secure Security for Virtual

and Cloud Environments


How to protect your virtual desktops and servers?
Protecting the irreplaceable | f-secure.com

Overview
This document explains the functionality of Security for Virtual and Cloud
Environments (SVCE) - what it is, what it does, and how it works. It also
explains some of the needs and requirements specific to virtual and cloud
environments.

Key features
SVCE is hypervisor-agnostic and supports all popular virtualization platforms,
including VMware, Citrix, and Microsoft Hyper-V, as well as mixed and hybrid
environments.
To optimize performance, malware scanning is offloaded to a dedicated
Scanning and Reputation Server.
SVCE combines the flexibility of agentless solutions and the security of
traditional agent-based solutions.

Benefits
SVCE offers complete protection for all virtual environments without
compromising performance.
The best protection offered by F Secures award-winning security clients is
now available for virtualized environments.
Optimized performance reduces hardware costs due to lower RAM, CPU, and
disk space requirements.
Unified central management tools and client software reduce complexity.
Change virtual desktops or servers from one virtualization platform to
another without changing security products.

The case for virtualization and virtualization security


Companies of all sizes are moving to the cloud and using virtualization as a way to gain benefits.
Moving to the cloud offers the possibility to switch capital expenses to operational expenses.
One of the key arguments for virtualization is flexibility the option of adding and removing
services as needed. Other compelling reasons include resource optimization that reduces
hardware costs, and increases operational efficiency as new services can be deployed quickly and
automatically.
Companies can also improve their IT infrastructure by gaining more capacity for less money.
Resources that easily scale to the current need without hardware limitations and the 24/7 support
seal the deal.
Despite the increasing use of virtualized platforms and cloud-based solutions, security for these
environments has often been inadequate.

Virtualization penetration has surpassed 50% of all server


workloads, and continues to grow.
Gartner, June 2012, Magic Quadrant for x86 Server Virtualization Infrastructure
Businesses have had to choose between security solutions that are designed for traditional physical
environments and agentless solutions that are based on vendor-specific, proprietary technologies.
While secure, traditional solutions are not optimized for virtual environments. On the other hand,
agentless solutions may not provide adequate protection against online attacks that exploit security
vulnerabilities.
In addition to the traditional security threats that businesses of all sizes face, virtual and cloud
environments have additional challenges. Limited hardware capacity has a significant impact on
desktop virtualization. A good user experience with shared hardware requires optimization. The
increased load on scanning processes also requires additional hardware investments.

What is F-Secure Security for Virtual and Cloud


Environments?
F-Secure Security for Virtual and Cloud Environments (SVCE) is a solution that is designed to tackle
the challenges of virtual and cloud environments.
Unlike other security vendors that offer agentless or silent agent-based solutions, SVCE is an added
feature for F-Secures award-winning end-point and server protection products. The solution
provides the best protection against malware, exploits, phishing, and other network-based attacks.

Component groups
SVCE has three component groups: the client security products, Scanning and Reputation Server,
and the management portal.
1. Client security products - Standard F-Secure workstation and server software
F-Secure Client Security
F-Secure Server Security
F-Secure E-mail and Server Security
F-Secure Anti-Virus for Workstations
2. Scanning and Reputation Server - Isolates performance-consuming operations away from clients
Virtual appliance for VMware ESXi, vSphere hypervisor
Virtual appliance for Citrix XenServer, Xen hypervisor
Virtual appliance for Microsoft Hyper-V hypervisor
3. Policy Manager - Provides policies, configurations and updates for the entire solution
F-Secure Policy Manager for Windows
F-Secure Policy Manager for Linux

public, private or hybrid cloud


Virtual Machine

Virtual Appliance
Scanning and
Reputation Server

Policy Manager

orsp
Cache

OS

updates

F-Secure

OS

policies, statistics, alerts, updates

Virtual Desktop

Virtual Desktop

Virtual Server

Virtual Server

Programs

Programs

Programs

Programs

Client Security Premium

Client Security

Server Security

Email and Server


Security

OS

OS

OS

OS

Hypervisor

Component

What it does

Policy Manager

Provides centralized management for products that are


installed on physical and virtual machines.

Policy Manager Console


Client Security, Server
Security and Email and
Server Security

Endpoint security protection products that are installed


on physical or virtual desktops and servers.

Managemant Agent

Automatic Update Agent

Downloads and installs software and database updates.

Scanning and Reputation


Server

The virtual appliance that is based on a hardened Linux platform


and provides malware scanning and content reputation services.

How it works
SVCE protects virtual machines that are running in private or public clouds. It provides proactive
behavioral analysis and exploit protection that efficiently identifies and blocks modern malware and
exploit attempts. To optimize performance for virtual environments, resource-intensive malware
scanning is offloaded to a dedicated F-Secure Scanning and Reputation Server.
To prevent modern attacks, F-Secure security products are based on multi-layer protection. Each
layer addresses a particular aspect of the threat landscape and works with other layers to provide a
complete solution.
Here is what this protection looks like when installed on a physical machine:

Physical Machine
Browsing protection
Web and Email scanning
File reputation analysis
Behavioral analysis
Exploit protection
Signature-based scanning
Advanced heuristic analysis
Compound object scanning

When traditional security products are installed on multiple virtual machines that are running
on the same hypervisor, they may compete for hardware resources and eventually decrease the
performance of the whole environment. Offload Scanning Agent and Scanning and Reputation
Server can optimize performance to provide the best protection possible:

Virtual Machine

Scanning and Reputation Server

Browsing protection

File reputation analysis

Web and Email scanning

Web Content Reputation

File reputation analysis

Signature-based scanning

Behavioral analysis

Advanced heuristic analysis

Exploit protection

Compound object scanning

How to operate virtual security?


The administrator uses F-Secure Policy Manager to centrally manage F-Secure security products
that are installed in the network. F-Secure Policy Manager is available for Windows and Linux
platforms.
F-Secure Client Security and F-Secure Server Security products are installed on physical or virtual
desktops and servers. They download and install software and database updates automatically, and
send status information and alerts to F-Secure Policy Manager.
To minimize the impact on performance on virtual machines, F-Secure Client Security and F-Secure
Server Security offload the malware scanning and content reputation checking to a dedicated
server that runs F-Secure Scanning and Reputation Server.
F-Secure Scanning and Reputation Server is a virtual appliance that is based on a hardened Linux
platform and provides malware scanning and content reputation services.

Deployment and installation


The solution can be easily deployed in a virtual environment, as well as mixed and hybrid
environments with different combinations of virtual and traditional machines. Being hypervisoragnostic, it supports all popular virtualization platforms, including VMware, Citrix, and Microsoft
Hyper-V.
You only need to install the client software once on a virtual machine template. Scanning and
Reputation Server offers easy deployment with a preconfigured virtual appliance.

Protection features for physical and virtual


desktops
Use the following table to choose the features for F-Secure Client Security and F-Secure Anti-Virus
for Workstation installation packages that you can deploy on physical and virtual desktops.

Product feature / setting

Legend:
Install
Do not install
Installation recommended (see the notes)
Installation not recommended (see the notes)

Physical
desktop

Virtual
desktop

Notes:
1. Y
ou can turn off network drive scanning if the relevant file servers have real-time antivirus
protection.
2. T urn on DeepGuard advanced process monitoring if users can install their own applications on
virtual desktops. Otherwise, turn it off.
3. T urn on E-mail scanning if users can read their e-mails from untrusted or unprotected e-mail
servers. Otherwise, turn it off. You should consider using F-Secure E-mail and Server Security or
F-Secure Internet Gatekeeper to handle e-mail scanning on the mail server or gateway.
4. T urn on Web traffic scanning unless all HTTP traffic goes through a gateway where it is scanned (for
example, with F-Secure Internet Gatekeeper).
5. I nstall or turn on F-Secure firewall if you need to protect virtual desktops against network-based
attacks and intrusions that may come from within the virtual infrastructure, for example if you do
not have full control of the host environment. You can turn off F-Secure firewall if your network has
network control and intrusion prevention in place, or if you are using Windows firewall on virtual
desktops.
6. T urn on Application Control if users can install and run their own applications on virtual desktops.
Otherwise, turn it off.
7. Y
ou do not need to install Software Updater (SWUP) on every virtual desktop. To deploy virtual
desktops without SWUP, install it on the virtual desktop template to identify and install missing OS
and third-party updates, after which you can uninstall it before you deploy virtual desktops from the
template.
8. Install the Microsoft NAP plug-in only if you use Microsoft Network Access Protection.

Protection features for physical and virtual servers


Use the following table to choose the features for F-Secure E-mail and Server Security installation
package that you can deploy on physical and virtual servers.

Product feature / setting

Physical server
(Exchange)

Virtual server
(Exchange)

Product feature / setting

Physical server
(Terminal, RDSH,
XenApp)

Virtual server
(Terminal, RDSH,
XenApp)

N/A 5

N/A 5

N/A 5

N/A 5

Legend:
Install

Installation recommended (see the notes)

Do not install

Installation not recommended (see the notes)

Notes:
1. O
ffload Scanning Agent is currently used for file scanning only. Because Exchange transport and
storage protection in F-Secure Anti-Virus for Exchange still uses local Content Scanner Server,, you
should not install Offload Scanning Agent on virtual Exchange Servers, especially if you do not have
many servers and they are critical for business communication.
2. Y
ou do not need to install DeepGuard advanced process monitoring and exploit protection features
if the server runs trusted software and the administrator does not browse the web from the server.
3. W
e recommend that you turn on DeepGuard advanced process monitoring and exploit protection
features if the users can run unknown software or browse the web from the terminal or RDS server.
4. W
eb traffic scanning inspects all HTTP traffic, which may affect communication between Exchange
and other Windows server components that use HTTP-based interfaces. You can turn off Web traffic
scanning and Browsing protection if the administrator does not browse the web from the server.
5. F -Secure Anti-Virus for Exchange and Spam Control are only installed if the server runs Microsoft
Exchange Server. Spam Control is only installed if Microsoft Exchange Server acts as the transport
or hub server.

Management and reporting


The entire solution can be centrally managed with F-Secure Policy Manager. It handles status
updates, monitoring, statistics, and licensing for the solution.

Policy Manager provides a scalable way to manage the security on multiple operating systems
both physical and virtual - from one central location.
You can use Policy Manager to:
-
Define and distribute security policies
-
Install applications on local and remote systems
-
Monitor activities of all systems to ensure compliance with corporate policies and
centralized control.
With Policy Manager, you can see status information from the entire managed domain. This makes
it easy to ensure that the entire domain is protected, and to change the protection settings when
needed. You can also prevent users from changing the security settings, and make sure that the
protection is always up to date.
The Web Reporting tool that is included in Policy Manager provides detailed graphical reports that
are based on the latest status information and historical trend data. You can generate reports for
the entire domain, subdomains, or individual hosts and also export reports as HTML files.

F-Secure Protecting the irreplaceable


Innovation, reliability and speed of response have made F-Secure one
of the worlds leading IT security providers since its founding in 1988.
Today F-Secures award-winning, easy-to-use products are trusted in
millions of homes and businesses globally. We provide powerful realtime
protection allowing computer and smartphone users to enjoy
connected life.
F-Secure is listed on NASDAQ OMX Helsinki Ltd.

F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland
Tel. +358 9 2520 0700
2014 F-Secure Corporation. All rights reserved. "F-Secure" is a
registered trademark of F-Secure Corporation and F-Secure product
names and symbols/logos are either trademarks or registered
trademarks of F-Secure Corporation. All product names referenced
herein are trademarks or registered trademarks of their respective
companies.

You might also like