Trend Micro Deep Security

Anyone using Trend Deep Security Agent in a VDI environment? i.e. XenServer, where agentless offload isn't an option? If so, could you let me have some feedback on how you find it please? I'm considering moving us to Trend for a standard virtual server environment running on VMware using agentless offload (vShield integration), so I guess any feedback on that would be appreciated too.

Thanks in advance, I know it's a bit of a niche ask!
 
We did a pilot, it's good but very expensive.

600 endpoint vShield licenses for VDI came in at about £25K or something, whereas Kaspersky Security for Virtualization, which does the same thing (maybe not as mature though), was about £5K for 600.
 
What aspects of the product is it you are looking to utilise exactly, main reasons for going for it?

I.e. anti malware, ips, firewall, web app control?
 
We use Trend DSM in agentless mode for both virtual desktops and servers. We'll be conducting a trial at some point to use the agent on physical devices as we'd like to remove the need to run Sophos Enterprise for that.

Some initial teething problems in the early versions, but it's now shaping up as a good product although still has a few quirks to iron out imo.

Regards pricing as with all enterprise products it can vary massively depending on who you are and your reseller relationships. We certainly didn't pay as much as the post above.

I really need to make time to set up a trial of the Kaspersky product - at the time we implemented VDI it had only just been launched and was too immature.
 
Just having a read about the agentless stuff as it sounds pretty cool.

So is it like a virtual appliance that hooks into multiple VMs using those VMware APIs to provide on-host protection?

I've seen virtual IPS appliances before, but they don't hook into the VMs themselves providing any on host protection. They are literally just virtual versions of physical network IPS products, which if you don't need the on host stuff is fine I guess.
 
Ah right so similar to what I've seen/used before then in a virtual ips appliance.

But from what I can tell, what I've used in the past hasn't linked with the VMs directly via an API; it really is just a virtual device with 2 virtual interfaces to inspect any traffic passing through it, exactly the same as a physical network IPS, that you plonk wherever on the virtual network.

In my demo environment I have a virtual ips device with one interface connected to a virtual switch that has access to outside of the virtual environment, and the other interface connected to a different virtual switch that doesn't have the external access, but is where my 'internal' vms sit.

Thus any traffic going into and out of the virtual machines network zone is inspected, does the job for a test environment.

Guess the thing I need to read up on is whether the api hooking part of things provides much benefit or not, as the virtual appliances I've used will inspect any traffic passing through them.

From a pricing point of view the method I'm used to could be beneficial: you're not licensed by how many machines are behind the appliance, just on how many appliances you use. But do you lose out on enough to warrant the increase in costs by licensing per host?
 
Next gen IPS stuff does a lot of the same (ip rep, web app control etc) but not the local file stuff.

Interesting though.
 