In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security? - Brian Madden - BrianMadden.com

In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?

Written on Dec 02 2009


by Brian Madden

I got an email from a reader last week asking a simple question: “With all this desktop virtualization, do you think we still need to keep paying $30 a seat for client security suites (antivirus, etc.)?” This is a great question which we’ll explore today.

Frequent visitors already know how I’m going to answer: “It depends!” In this case it depends on how you define both “desktop virtualization” and “client security suite.”

The desktop virtualization question is easier to define for us, since that’s what we do every day. We can look at this from the perspective of hosted virtual desktops (yeah, I said “HVD” instead of “VDI”—congrats Gartner, you win) and client-based desktops (client hypervisor, Type 2, or streamed).

But figuring out what exactly makes up a “client security suite” is a bit more complex. In the old days it was just antivirus. But now the vendors add in client firewalls, anti-spyware and anti-adware, email scanning, rootkit detection, device control (to lock down ports and removable media) and even application control (to lock down specific applications). So what of this, if any, do we need to think about for virtual desktops?

Virtual desktops running in the datacenter

For virtual desktops running in the datacenter, we can probably do pretty much the same thing that we do for Terminal Server sessions.

Antivirus

We need this somewhere in our infrastructure. If we have a secure perimeter, we can probably get away without it on the actual Terminal Servers or within the actual VDI sessions.

Antispyware / malware

I’m kind of hoping that Terminal Server sessions are already locked down so that normal users can’t install anything, so I think this is moot there. For VDI, I guess this depends on whether you’re using persistent or non-persistent images. I would guess with non-persistent (where they’re blown away each night), you wouldn’t need it, because anything that’s installed will be lost on the next connection. (This is different from antivirus, which you would still need, since a virus that became active in a session could do damage even if it was lost on reboot. Check out Tim Mangan’s post from a few months ago about this.) But if you have persistent images, I assume this means that users can install their own apps, which means that some kind of antimalware capability would be nice.

Rootkit protection

I’m not sure this is specifically something that matters, although I guess your antivirus solution would catch anything here.

Device control

In a TS or VDI scenario, you get device control at the policy or remote protocol level, so I don’t think you’d specifically need any capability from a desktop security product.

Application lockdown

Again this depends on your model and what exactly your users need to do, but I would assume that with a datacenter-based desktop you already have something in place (software restriction policies, etc.), so you wouldn’t need to pay extra for this. (If you’re using a user environment management product, like something from RES Software, AppSense, or triCerat, you already have this anyway.)

Personal firewall

I don’t know.. what do people usually do here? I can’t imagine that it makes too much of a difference either way. My sense is that enabling it would just lead to more management headaches and helpdesk calls in the long run, and if we’re talking about users who are behind the corporate firewall anyway, then why bother? Then again, if one of the peer-to-peer viruses did get through, the firewall running in each VM would be nice. Of course Windows now has this built-in, so you can enable it for free without having to buy one of these tools.

The bottom line for datacenter-hosted desktops

Antivirus is a must at some level, but you can probably get away with not using anything else.

Virtual desktops running on client devices

When you move the virtual desktop out to the endpoint, now it becomes more important to get a grasp of the security. But even in this case I would say “it depends” on a few things. First and foremost, I think there’s going to be a big difference between how you secure a virtual desktop running on a desktop PC in an office versus running on a laptop that could connect from anywhere.

I’d imagine that the office-based PCs would be secured in much the same way as datacenter-based virtual desktops (since both are behind the corporate firewall, etc.). But as for virtual machines running on portable laptops—now we’re getting more like the Wild West.

(Of course the irony is that a lot of people might be using desktop virtualization specifically to increase the security of the virtual desktops, so if you have to still buy all these extra security tools, you might be wondering about what’s the point?)

Let’s look at what specific security capabilities we might want for virtual desktops running locally on mobile clients.

Antivirus

Yes, absolutely.

Antispyware / malware

Also yes.

Rootkit protection

I’m not sure this matters, but I guess it couldn’t hurt. Really it would depend on what your use case was (Type 2 VM running on unsecured Windows versus a client hypervisor, for example.)

Device control

Again, you’d have to think about what you were actually protecting. I think every client VM scenario has built-in device control for the corporate VM that you’re concerned about. But do you care about random devices plugging into the host OS? Probably not. (After all, this is probably why you’re running a client-based VM in the first place—you can protect the VM and ignore the host.)

Application lockdown

This is probably the same as with datacenter-hosted desktops. The application lockdown is really more of a desktop virtualization architecture decision, and something that would (hopefully) have been addressed in your core architecture before you think about security. (Yeah, yeah... security shouldn’t be an “afterthought,” I know.. but it’s true.)

Personal firewall

I’d say this is mandatory for portable devices, although again you have some choice as to where it’s implemented depending on the specific type of architecture you choose. If you have a client hypervisor, then it’s going to own the NIC and handle your firewall duties. If you’re running a corporate VM in a Type 2 environment on an unmanaged host, then I’d say you want to enable the firewall in your Windows VM and/or at the VMM level and just sort of “assume” your host is insecure.

Final thoughts

So yeah, that’s just a whole lot of “it depends,” but really it’s true. It looks like if you wanted to boil this all down into a tweet, it’s that AV is still critical and the rest can probably be designed around, but the real answer requires more than 140 characters.

I’d like to close by sharing a few random thoughts about virtual desktop client security:

  • If you don’t plan on running antivirus software in your VMs, be sure to at least run a scan against your master image before you seal it up. (Actually that’s probably a good idea regardless.) Thanks to Gabe for that tip.
  • Remember (as we learned from Tim) that non-persistent disk images can still suffer from the so-called “day zero” problems, so just because you can easily blow away and refresh an image doesn’t mean you can ignore security altogether. (As Gabe says, “Non-persistent is a good method for dealing with bad things once you’ve been screwed, but it does nothing to prevent you from being screwed in the first place.”)
  • We’re still hoping for some kind of VMSafe-like API so we can run these various security suites at the hypervisor level (either server for VDI or client), but for now this isn’t really there, so if you want AV in your VMs then you’re going to have to run it in each VM.
  • Finally, remember that probably 99% of all security threats can be eliminated by (a) not letting your users run with admin rights, and (b) removing “execute” permissions from the users’ temp folders and home drives.

So what do you think? Did we cover everything, or are we missing something? Are you running any of these client security suites for your existing physical desktops? And if so, do you plan on porting them to your virtual environments?

 
 






Comments

Dan Shappir wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 7:31 AM

One thing to remember when installing anything that runs constantly inside the VMs, such as an anti-virus, is that the load on the underlying hardware is multiplied by the number of hosted VMs. This is unlike TS, where the load is less dependent on (or not directly a function of) the number of sessions.

appdetective wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 7:50 AM

@Dan Shappir brings up a great point. To resolve this, taking the security out of the VM is going to help. The first person to put security into their hypervisor has a big advantage IMO. Who will that be? Well it's between McAfee and Symantec. But since Symantec has an end point virtualization strategy of their own, surely that puts McAfee in a really strong position to do something with one of the hypervisor vendors. MS will not do this so they don't piss off too many people plus. So that really leaves ESX and XEN. One could argue KVM, but that's not really a hypervisor-flame away. Certainly the concept of a security VM running on client guests is a concept I have heard before to reduce overhead. I'd be happy to see virus scanners removed from my OS image, it should improve performance and hopefully make mgmt easier also.

Eric S. Perkins wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 8:25 AM

@Appdetective @ Dan Shappir

Agreed for sure.

@Brian Madden

Most of the vendors are pitching VDI solutions as having single (or few) images. The basis of your decisions are if the VM is in a controlled environment like the data center or in the wild west. So do you bake it in or not? Or do you somehow control this with policy?

If you use Windows you have to run it no question, I don't care where the machine is.

Totally agree with you on no admin rights and execute rights.

Rodd Ahrenstorff wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 10:27 AM

Using Parallels for VDI offers the benefit of running a single instance of AV on the physical host to protect all the containers on that host (I've tested this scenario to 170 containers on a single host).  It also has a downside; only a limited set of AV vendors are supported (but this set has increased over time).

@appdetective OT: I'm curious why you say KVM is  "not really a hypervisor"?

Stuart Robinson wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 11:13 AM

On the client side for VDI - Hardware Zero Clients eliminate the need for antivirus/spyware on VDI clients.  One less antivirus/spyware license and a reduction in client management.  

Also View 4 hardware zero clients include unique device control features to manage peripherals access. If a peripheral is not authorized, the USB plug event is blocked directly in hardware so the virtual desktop does not even see the plug event or the peripheral (a notification of the plug in attempt can be sent to security if needed).

These zero clients are widely available from Wyse (P20), Dell (FX100), Samsung integrated displays (NC190, NC240), Fujitsu (Celsius Remote Access), DevonIT(TC10), IBM (CP20), Amulet Hotkey (DXip2/4), Clearcube (I94x0), Verari (Connexxus), EVGA (PD-01), ELSA (V200), and Leadtek (VP-200).

Shanetech wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 12:31 PM

Hmm, this feels like DejaVu or Vuja De depending on how awake you are.

After reading the article and the comments, for me, it comes down to security, cost, and performance. I work for a 100K + seat enterprise who is doing VDI for 2% of that, albeit not the way I would like, but whatever, that is irrelevant.

Like most of us, I am torn on the Security vs. Performance debate. Of course I want an environment to be secure but having been involved with several outbreaks during the course of my career, I have an extreme love hate relationship for Anti-Malware solutions. I have seen cases where we were patched, updated, stewed, poached and grilled, and there were still infections. Take “Conficker” for example, last year I spent most of January fighting the spread of Conficker and McAfee could not keep up with the dats for each variant. So what is the answer? Switch to Symantec or Trend? Is one truly any better than the other? The point I am trying to make here is that even when you think you have everything buttoned up as tightly as possible, you still get burned. The cost of doing business in a Windows world I suppose. Stay patched, up to date, and monitor is still the only way.

Anyway, for now, if you are going to run VDI, and for the most part, many shops simply virtualized their current physical build, there is no way around running some type of anti-malware solution. The promise of vmSafe type scanners does offer some hope, I guess we will have to wait and see (just like everything else in this space right now). The only way I can see running production VMs without any protection is if you are deploying task-based workstations that have some type of stateless-ness properties with some out of band application delivery. In this case the VM simply becomes a shell. But hell, why even do VDI then? ;-)

The bigger issue for me is the performance debate and this not only holds true for VDI but also for TS/CTX. How many of us have designed and deployed a smoking fast XenApp environment to only have it driven to its knees by the submission hold of an AntiVirus solution? I remember Brian presenting years back on how he doesn’t even run A/V (which I am sure has changed). How about all the exclusions we make on a XenApp box just to make sure the thing doesn’t fall over? We didn’t even get into vendor requested application exclusions. After all that, how protected is that server? I know I will get some guff on this but I honestly feel that it is nothing but a false sense of security. If I wanted to be lied to, I would just go to a gogo bar. At least I know that is a lie from the moment I walk in the door.

A big selling point of VDI is the isolation when compared to TS/CTX, “you no longer have the pissing section of the pool”. I disagree with that as well. Throw 70 VMs on a host, add an intrusive A/V, a software polling agent, an inventory mgmt agent, and whatever PC health type agent you might have to each VM and kick those agents off at boot time or whatever staggered sequence you might think you have, watch those things bounce like a Jack Russell terrier in your system tray and your end result will be your ESX System resources entering into the land of no return. Yeah so much for isolation.

But what is the answer, because the agents I described above are what you will see in a mature enterprise desktop image. Do we begin to build our images without these things citing they are too costly for performance or not VDI friendly? I often joke with my peers and say that our current build could not be any more Anti-VDI if we architected it to be that way from the onset. Although this is true, there is not a damn thing I can do about it. Do I now suggest an alternate solution for ESD just for VDI? Do I tell the PCLCM or asset folks who do charge backs that their inventory agent was the one that got cut so now it's back to Excel tracking and Post-its?

As much as I love this renaissance in this space and I am delighted to be a part of the technology in my current role, we still have a way to go, and I don’t think it will be 2010.

(Sorry for the rant/tangent, no coffee this morning..)

homerbartlett wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 12:41 PM

I know this is a newbie question, but the bit about removing execute permissions sounds smart and I'm wondering why I've never heard of that before. So what do you do, deny "read and execute" permissions on the Temporary Internet Files folder? And on the user's "home drive," what do you mean by that?

Thank you for an always interesting, helpful blog!

rebecca.vanderbilt wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 4:35 PM

Why do you need to pay at all?

With the latest Microsoft Security Essentials, they are provided for free. Why not just use that?

Brian Madden wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 8:09 PM

@homerbartlett, good question.. I should have been more specific. You have to use Software Restriction Policies (part of Group Policy since 2003).. Just set a "path" rule (and remember you can use variables like %temp% and %homedrive%\%homepath%) and then remove access to *.msi and *.exe.
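
An added example, not part of the comment above or of the original page: before enforcing the path rules it describes, run an audit pass over process-creation records to see which launches those rules would have blocked. The matching is a simplified model (directory prefix plus file extension), not Software Restriction Policies' own rule evaluation, and the function names, users and log records are constructed for illustration.

```python
import ntpath
import re

# Path-rule templates and extensions taken from the comment above.
RULE_DIRS = [r"%temp%", r"%homedrive%\%homepath%"]
BLOCKED_EXTS = {".exe", ".msi"}

# Constructed sample data: per-user environment values and process-creation
# records (user, image path), as a process-auditing log export might give them.
ENVS = {
    "alice": {"TEMP": r"C:\Users\alice\AppData\Local\Temp",
              "HOMEDRIVE": "C:", "HOMEPATH": r"\Users\alice"},
    "bob": {"TEMP": r"C:\Users\bob\AppData\Local\Temp",
            "HOMEDRIVE": "H:", "HOMEPATH": "\\"},  # mapped home drive
}
EVENTS = [
    ("alice", r"C:\Program Files\ExampleApp\app.exe"),
    ("alice", r"C:\Users\alice\AppData\Local\Temp\7z001\setup.exe"),
    ("alice", r"C:\Users\alice\Downloads\viewer.MSI"),
    ("alice", r"C:\Users\alice2\tool.exe"),
    ("bob", r"H:\portable\notes.exe"),
    ("bob", r"C:\Users\bob\AppData\Local\Temp\update.ps1"),
]


def expand(template, env):
    """Expand %var% references case-insensitively and normalise the path."""
    lowered = {k.lower(): v for k, v in env.items()}
    text = re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)),
                  template)
    return ntpath.normcase(ntpath.normpath(text))


def matching_rule(image, env):
    """Return the most specific rule template covering image, or None."""
    path = ntpath.normcase(ntpath.normpath(image))
    if ntpath.splitext(path)[1] not in BLOCKED_EXTS:
        return None  # the rules in the comment only name *.exe and *.msi
    best = None
    for template in RULE_DIRS:
        root = expand(template, env)
        if "%" in root:
            continue  # variable unknown for this user: cannot evaluate the rule
        # Compare on a component boundary so c:\users\alice2 is not treated
        # as being inside c:\users\alice.
        if path.startswith(root.rstrip("\\") + "\\"):
            if best is None or len(root) > len(best[1]):
                best = (template, root)
    return best[0] if best else None


def audit(events, envs):
    """Return (user, image, rule) for each launch the rules would have blocked."""
    hits = []
    for user, image in events:
        rule = matching_rule(image, envs.get(user, {}))
        if rule:
            hits.append((user, image, rule))
    return hits


if __name__ == "__main__":
    for user, image, rule in audit(EVENTS, ENVS):
        print(f"{user:6} {rule:24} {image}")
```

The hits are the launches to review before switching the rules on, such as installers that unpack into the temp folder; the `.ps1` record shows that a rule naming only `*.exe` and `*.msi` leaves script files in the same folders uncovered.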

Eric Hanselman wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 8:31 PM

Brian - Coming out of the security world, I'm cringing at some of the comments.  Yes, removing admin rights can help a lot.  The largest problems that security teams face today on desktops are the large number of "drive-by" attacks that are thrown from the web.  If you give your users web access, there's a really large attack surface.  That's where you need protection.

Effective mitigation only comes from activity monitoring.  Traditional AV pattern scanning will only pick up the simpler (outdated/old school/ not really too swift) threats.  This is the main reason VMsafe is only good for static things like DLP.  Anyone trying to sell you rootkit detection through VMsafe is not your friend.

Keep in mind that with HVD (must not drink Gartner Koolaid...) all of those desktops are now in the datacenter.  A whole lot closer to critical resources.  If the bad guys get in, they're way in.

It's worth investing resources in some decent protection.

Kimmo Jernstrom wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Wed, Dec 2 2009 8:41 PM

This is one of the rare threads where everyone's opinion is equally weighted. As of myself; I dunno, heh. hah - damn this thing stuck in my throat.

I guess, in part, I'm feeling that all of those zero day/every day potential or real exploits are happening elsewhere (not on my turf!) , because I, for sure, dance the dance, walk the waltz.

Thus I'm fooled, being naive, ignorant or just plain stupid. As such, I go on and persist in having real-time AV, asking why doesn't this happen in the HV layer, or for that matter, any other more deeply abstracted layer? Vmsafe? Right? Who's there? Not me. I'm not even doing vmware.

Harry Labana wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Thu, Dec 3 2009 7:44 AM

Whitelisting applications vs. AV signatures always chasing a constantly changing world. Solutions are available from various 3rd parties. Anybody successfully implemented whitelisting out there at scale and happy with the mgmt aspects? Would love to hear your experiences. If successful would you still need AV? I think at least it would matter less.

Eric Hanselman wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Thu, Dec 3 2009 11:07 AM

The big problem with application and process name protections is that there are too many ways around it that are being actively exploited today.  You can fingerprint an executable, but if it dynamically loads anything, you're done.

In the Windows world, you can't get away from it. Yes, iexplore.exe passes the hash when it loads, but look at all of the attacks that inject DLLs. You think that you're running safe, but you're completely undermined.

It's also completely unmanageable at scale.  You have to update all of your hashes at patch time.  Your Wednesdays get really ugly.  Rather than updating sigs, you're updating hashes.  And you have to do it, not the AV vendor.

VMware bought Determina back in 2007, but it doesn't seem to have gone anywhere.  They had some interesting fingerprinting and stack walking protections, but it seems to have dried up and blown away.

Application fingerprinting isn't a tool that's worth the management hassle for the pittance of protection that it offers.

Mr. Incredible wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Sat, Dec 5 2009 1:38 PM

@Stuart Robinson,

Yeah - good one - so View has the ability to control ports on proprietary hardware via PCOIP, well that's hardly revolutionary - Citrix Provisioning Services has been able to do this for years on generic hardware via PVS' PortBlocker technology - obviously works at both the HVD and physical (zero client) level. Then of course you can add ICA policies for a belt & braces approach if you are using ICA at all.

Rosen Sharma wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Thu, Dec 10 2009 1:08 PM

Disclaimer: I am CTO of Systems (all end point) products at McAfee. Came to McAfee via the Solidcore Acquisition.

About 30 people sent me this article :-).

The first question we have to answer is whether we can provide

Security with Security Suite in Guest == Security with New Method

Let us take the idea of non-persistent shared image. Where the image is reset at log off. BTW from a security perspective, this idea is not new, several public libraries have adopted this method of keeping their computers working.

Is an enterprise willing to have a desktop possibly infected for a period of a logon session, which may be 9am to 5pm?

You can probably guess the answer of a CISO?

You can't firewall each desktop? It has to connect to the corporate resources for the task workers to do work. Will it be working on corporate enterprise data?

One can argue that this is theoretical, these sessions won't get infected. Most of infections today come from 3 sources (in large enterprises): WEB, Targeted Attacks, Internal Attacks.

Every Fortune 1000 company and several Fortune 10000 companies are under targeted attacks, and a lot of them in global companies from insiders. The attacker in many cases has "domain rights" and Default startup SharePoint pages being compromised.

I give these examples to point out that attack surfaces and security considerations for these environments are fairly complex.

Security with Guest Based Agent == Security with new Approach

OK. Now let's move to a slightly different area which some of the vendors have been talking about. Can we do this completely in the network? If we have A/V in the network, that will solve the problem.

Let me share what a lot of malware today does ... they use encryption and all the techniques we have learnt to make things secure. The malware has sophisticated packers (encryption), the packers use different encryption keys and thus by definition of encryption can't be caught by signatures. The only time the malware is unencrypted is in memory, where its layout is randomized. Sometimes even the content is downloaded on an https connection encrypted from random web sites or p2p networks.

This kind of malware can't be detected by running anything in the network or even static A/V scans. It needs some serious run time technology.

It is fair to say that the A/V for a VDI environment will be different than what it is in a physical world, but it won't be in the form that has been discussed in this post or the comments.

JimW wrote re: In a virtual desktop world, do we need to pay $30 a seat for antivirus and client security?
on Tue, Dec 15 2009 6:05 PM

Disclaimer As Well: Director of Product Management, Symantec Endpoint Protection

While most of our customers tell me they want to ensure their virtual desktops are protected by either installing security in the guest or leveraging off of capabilities like VMsafe, I have heard a few companies talk about using the non-persistent images as a method to ensure that their systems are not infected.  That sounds like a good idea if you are just tracking if systems are infected. Take the case (also mentioned above) where systems are recycled every 8 hours (assuming a 3 shift cycle of 8 hours each). How long does it take for a user to get infected from either browsing the web or inserting a USB device? Since those desktops are performing some business function, they have access to the network resource which means they are systems that are open, unprotected and able to launch attacks. Even more important though, is that if this becomes a common method of “security through obliteracy,” how long will it be before these criminals who are stealing data see the trend and exploit it?  Taking a look at the different technologies that are needed to protect virtual desktops:

Malware Scanning – Of course, but definitely should not be the only layered defense

Application Control – Protection of the core operating system files, services and drives  from being attacked

Device Control – Provide some level of control on the devices being attached to the systems, especially USB memory sticks

Network IPS – Scan and Detect malware coming from the internet as well as threats that propagate through the network, e.g. worms.

Firewall – Block ports that are being attacked and restrict communication to only that which is required

And Finally, Madden brings up a good point for best practices on preventing malware spread. Here are a few more to add to the list:

• Disable Autorun/autoplay

• Close unnecessary open shares

• Use complex passwords for all user accounts

• Judiciously apply security patches

• Limit or eliminate local administrator privileges

• Limit network drive mapping to the bare minimum

Regards,

Jim Waggoner
