Last week you may have been aware that McAfee and Citrix announced a collaboration to secure the virtual world. VMware announced VMsafe many moons ago, and to date there has been very little uptake of it, although it is a well overdue requirement for those who are serious about virtualisation.
There is some great information starting to emerge about this collaboration, and we wanted to share with you the thoughts of virtualization.info below.
McAfee is solving the problem of virtual security with an endpoint security agent that is optimised to run on virtual infrastructures: Management of Optimized Virtual Environments (MOVE).
It has a lightweight footprint, it pseudo-randomizes some of its activities on the virtual hard drive, but most of all, it doesn’t carry the scanning and removal engine.
The core activities are in fact executed out of band, in a remote, dedicated virtual appliance.
What this optimised agent really does is copy the suspicious files from the potentially infected virtual desktop to the security virtual appliance, over a secure channel.
Of course McAfee doesn’t want to copy the whole virtual hard drive of each virtual desktop over the network to analyse and clean it, and to avoid this it uses a number of tricks.
First of all, all the operating system files that match the signature in a whitelist are not copied. There’s no reason to move well-known Windows files that are not modified.
Secondly, the optimised agent only copies relevant portions of the files that are potentially infected: McAfee knows in which parts of the file the malware could reside, and that’s the only portion of it that will be analyzed out of band.
To be sure that this approach works even with dynamic resource management in place (read XenMotion), McAfee will keep track of the position and state of each virtual desktop in the multi-host virtual infrastructure, directing the suspicious files that need analysis to the nearest security server.
The whole thing will be coordinated by the existing McAfee ePolicy Orchestrator and will support multiple hypervisors (including Microsoft Hyper-V, VMware ESX and of course Citrix XenServer) as long as they are the backend of choice for XenDesktop.
On top of that Citrix will allow other third parties to do the same by releasing a set of open APIs, part of XenDesktop, that other security vendors will be able to leverage.
The second phase of this alliance, which will take place next year, will focus on providing what seems a VMsafe-like interface in XenServer and XenClient.
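To make the offloading approach described above concrete, here is an added toy model of such an agent. It is example code written for this post, not McAfee, Citrix or virtualization.info code, and it assumes three things the article only sketches: "known-good" means the file's SHA-256 is on a whitelist, the "relevant portion" of a non-whitelisted file is its leading bytes (a stand-in for the per-format regions a real product would know), and the "nearest" security appliance is the one on the same host as the desktop, with a deterministic fallback when the desktop has moved to a host without one. All file contents and host names are constructed for the example.

```python
"""Toy model of an offloaded (out-of-band) scanning agent.

Added example, not vendor code. It models three ideas from the article:
skip files whose hash is on a known-good whitelist, ship only an excerpt of
each remaining file, and route jobs to the security appliance nearest to the
desktop's current host, which can change after a live migration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: only the leading bytes of a file are shipped. Real products know
# per-format regions; this is a deliberately simple stand-in.
EXCERPT_BYTES = 16

# Constructed sample files on a virtual desktop (not real OS files).
CONSTRUCTED_FILES: Dict[str, bytes] = {
    "kernel32.dll": b"known-good-library-bytes-0001",
    "ntdll.dll": b"known-good-library-bytes-0002",
    "invoice.exe": b"MZ-unknown-payload-header-followed-by-much-more-data",
    "kernel32.dll.tampered": b"known-good-library-bytes-0001-patched",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist built only from the pristine copies; a modified copy of a known
# file hashes differently and therefore still gets shipped for analysis.
KNOWN_GOOD_HASHES = frozenset({
    sha256_hex(CONSTRUCTED_FILES["kernel32.dll"]),
    sha256_hex(CONSTRUCTED_FILES["ntdll.dll"]),
})


@dataclass
class ScanJob:
    filename: str
    file_hash: str   # full-file hash, so the appliance can cache verdicts
    excerpt: bytes   # the only bytes that cross the network
    appliance: str   # where the excerpt is sent


def select_excerpt(data: bytes) -> Optional[bytes]:
    """Return None for whitelisted content, else the excerpt to ship."""
    if sha256_hex(data) in KNOWN_GOOD_HASHES:
        return None
    return data[:EXCERPT_BYTES]


class DesktopTracker:
    """Tracks which host each desktop and each security appliance is on.

    Assumption: 'nearest' means an appliance on the same host; if none is
    there (e.g. after a migration), fall back to a stable default.
    """

    def __init__(self, appliances: Dict[str, str]):
        self.appliances = dict(appliances)      # appliance name -> host
        self.desktop_host: Dict[str, str] = {}  # desktop name -> host

    def place(self, desktop: str, host: str) -> None:
        """Record a desktop's current host (called again after a move)."""
        self.desktop_host[desktop] = host

    def nearest_appliance(self, desktop: str) -> str:
        host = self.desktop_host[desktop]
        for name, appliance_host in self.appliances.items():
            if appliance_host == host:
                return name
        return sorted(self.appliances)[0]  # deterministic fallback


def build_jobs(desktop: str, files: Dict[str, bytes],
               tracker: DesktopTracker) -> List[ScanJob]:
    """Decide, per file, whether to ship it and where to send it."""
    appliance = tracker.nearest_appliance(desktop)
    jobs: List[ScanJob] = []
    for name, data in files.items():
        excerpt = select_excerpt(data)
        if excerpt is None:
            continue  # known-good, nothing crosses the network
        jobs.append(ScanJob(name, sha256_hex(data), excerpt, appliance))
    return jobs


def bytes_saved(files: Dict[str, bytes], jobs: List[ScanJob]) -> int:
    """Bytes not sent compared with copying every file in full."""
    total = sum(len(d) for d in files.values())
    shipped = sum(len(j.excerpt) for j in jobs)
    return total - shipped


if __name__ == "__main__":
    tracker = DesktopTracker({"sva-host1": "host1", "sva-host2": "host2"})
    tracker.place("vd-01", "host1")
    for job in build_jobs("vd-01", CONSTRUCTED_FILES, tracker):
        print(job.filename, "->", job.appliance, len(job.excerpt), "bytes")
    tracker.place("vd-01", "host2")  # simulate a live migration
    print(build_jobs("vd-01", CONSTRUCTED_FILES, tracker)[0].appliance)
```

The point worth noticing is the tampered copy of a whitelisted file: because the whitelist is keyed on the full-file hash rather than the filename, it is not skipped, which is the property that makes a hash-based whitelist safe to use for this kind of optimisation. The tracker also shows why the agent must learn about migrations promptly: a stale placement would route excerpts to a remote appliance rather than the local one.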