Provider, set my antivirus to VDI

Among our clients there are companies that use Kaspersky solutions as a corporate standard and independently manage their anti-virus protection. It would seem that the virtual desktop service, in which the provider monitors the antivirus, is not very suitable for them. Today I'll show you how customers can manage protection themselves without compromising the security of virtual desktops.

In the last post we already described in general terms how we protect customers' virtual desktops. Antivirus within the VDI service helps strengthen the protection of machines in the cloud and lets the customer control it independently.

In the first part of the article, I will show how we manage the solution in the cloud and compare the performance of Kaspersky cloud with traditional Endpoint Security. The second part will be about the possibility of self-management.


How we manage the solution

Here is what the solution architecture looks like in our cloud. For the antivirus, we allocate two network segments:

  • client segment, where users' virtual workstations are located,
  • management segment, where the server part of the antivirus is located.

The management segment remains under the control of our engineers; the customer does not have access to this part. The management segment contains the main KSC Administration Server, which holds the license files and keys for activating client workstations.

This is what the solution consists of in Kaspersky Lab's terms.

  • A light agent (LA) installed on users' virtual desktops. It does not scan files itself but sends them to the SVM and waits for a "verdict from above". As a result, user desktop resources are not spent on anti-virus activity, and employees do not complain that "VDI slows down."
  • A separate Security Virtual Machine (SVM) performs the scanning. This is a dedicated security appliance that hosts the malware databases. During scans the load falls on the SVM; through it, the light agent communicates with the server.
  • Kaspersky Security Center (KSC) manages the protection of the virtual machines. This is a console with settings for the tasks and policies that will be applied on end devices.


This scheme promises to save up to 30% of the hardware resources of the user's machine compared to an antivirus running on the user's computer. Let's see how this looks in practice.

For comparison, I took my work laptop with Kaspersky Endpoint Security installed, ran a scan and looked at resource consumption:


And here is the same situation on a virtual desktop with similar characteristics in our infrastructure. Memory consumption is about the same, but CPU usage is two times lower:


KSC itself is also quite demanding on resources. We allocate enough for it that the administrator can work comfortably. See for yourself:


What remains under the control of the customer

So, we have covered the tasks on the provider's side; now let's give the customer control over anti-virus protection. To do this, we create a child KSC server and place it in the client segment:


Let's go to the console on the client KSC and see what settings the customer will have by default.

Monitoring. The first tab shows the dashboard. It is immediately clear which problem areas need attention:


Let's move on to statistics. Here are a few examples of what can be seen there.

Here the administrator will immediately see if an update has not been installed on some machines, or if there is another software-related issue on the virtual desktops. An update for such software may affect the security of the entire virtual machine:


In this tab, you can analyze the detected threats, down to a specific threat found on the protected devices:


The third tab contains all the available preconfigured reports. Customers can create their own reports from templates and choose what information will be displayed. You can set up scheduled sending by email or view reports locally on the Administration Server (KSC).

 
Administration groups. On the right we see all managed devices: in our case, the virtual desktops managed by the KSC server.

They can be combined into groups to create common tasks and group policies for different departments or for all users at the same time.

As soon as the customer creates a virtual machine in the private cloud, it is immediately detected on the network, and Kaspersky places it among the unassigned devices:


Unassigned devices are not subject to group policies. To avoid sorting virtual desktops into groups by hand, you can use rules. This is how we automate moving devices into groups.

For example, virtual desktops with Windows 10 but without the admin agent installed will fall into the VDI_1 group, and those with Windows 10 and the agent installed will fall into the VDI_2 group. Similarly, devices can be distributed automatically by domain membership, by location on different networks, and by specific tags that the customer can set on their own according to their tasks and needs.
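The grouping logic described above, as an added illustration that is not part of the original post and not KSC's own code: a small rule engine that places each discovered device into the group of the first rule it matches, leaving the rest in the unassigned bucket. The device inventory, group names other than VDI_1 and VDI_2, the domain name and the tag are constructed sample values; the first-match-wins ordering is an assumption made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

UNASSIGNED = "Unassigned devices"  # bucket for hosts that no rule has claimed


@dataclass(frozen=True)
class Device:
    """A discovered host as the console sees it (constructed sample data, not a real inventory)."""
    name: str
    os: str
    agent_installed: bool          # is the admin (Network) agent present?
    domain: str = ""
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    """One grouping rule: every criterion that is set must match (None means 'don't care')."""
    group: str
    os: Optional[str] = None
    agent_installed: Optional[bool] = None
    domain: Optional[str] = None
    required_tags: FrozenSet[str] = frozenset()

    def matches(self, dev: Device) -> bool:
        if self.os is not None and dev.os != self.os:
            return False
        if self.agent_installed is not None and dev.agent_installed != self.agent_installed:
            return False
        if self.domain is not None and dev.domain.lower() != self.domain.lower():
            return False
        return self.required_tags <= dev.tags


def assign_devices(devices: List[Device], rules: List[Rule]) -> Dict[str, str]:
    """Map each device name to the group of the first matching rule.

    Assumption for this example: rules are evaluated top to bottom and the first
    match wins, so more specific rules must be listed before general ones.
    """
    result: Dict[str, str] = {}
    for dev in devices:
        result[dev.name] = next((r.group for r in rules if r.matches(dev)), UNASSIGNED)
    return result


def group_members(assignments: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert the assignment so an administrator can review each group's membership."""
    groups: Dict[str, List[str]] = {}
    for name, group in assignments.items():
        groups.setdefault(group, []).append(name)
    return {g: sorted(names) for g, names in groups.items()}


# Rule order encodes precedence: the tag rule comes first so that a tagged
# Windows 10 desktop with the agent is not swallowed by the generic VDI_2 rule.
RULES = [
    Rule(group="FINANCE", required_tags=frozenset({"finance"})),        # constructed
    Rule(group="VDI_1", os="Windows 10", agent_installed=False),         # from the post
    Rule(group="VDI_2", os="Windows 10", agent_installed=True),          # from the post
    Rule(group="DOMAIN_HOSTS", domain="corp.example"),                    # placeholder domain
]

# Constructed sample inventory.
DEVICES = [
    Device("vdi-01", "Windows 10", agent_installed=False),
    Device("vdi-02", "Windows 10", agent_installed=True),
    Device("vdi-03", "Windows 10", agent_installed=True, tags=frozenset({"finance"})),
    Device("srv-01", "Windows Server 2019", agent_installed=True, domain="CORP.example"),
    Device("lin-01", "Ubuntu 22.04", agent_installed=False),
]

if __name__ == "__main__":
    for group, names in sorted(group_members(assign_devices(DEVICES, RULES)).items()):
        print(f"{group}: {', '.join(names)}")
```

The useful check for an administrator is the contents of the unassigned bucket after the rules run: anything left there receives no group policy and therefore no protection settings, so it should be empty or explained after every rule change.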

To create a rule, simply run the device grouping wizard:


Group tasks. With tasks, KSC automates the execution of certain actions at a certain time or when a certain condition occurs: for example, a virus scan runs during off-hours or when the virtual machine is "idle", which in turn reduces the load on the VM. In this section it is convenient to run scheduled scans on the virtual desktops within a group, as well as to update the virus databases.

Here is the full list of available tasks:


Group policies. From the child KSC, the customer can independently roll out protection to new virtual desktops, update signatures, configure exclusions for files and networks, build reports, and manage all kinds of scans on their machines, including restricting access to specific files, sites or hosts.


The main server's policies and rules can be turned back on if something goes wrong. In the worst case, if configured incorrectly, the light agents will lose contact with the SVM and leave the virtual desktops unprotected. Our engineers immediately receive a notification about this and can enable policy inheritance from the main KSC server.

These are the main settings that I wanted to talk about today. 

Source: habr.com
