How to protect VDIs when using VMware Horizon View and GravityZone SVE
Bitdefender GravityZone provides full visibility into an organization's overall security posture and global security threats, and control over the security services that protect virtual or physical desktops, servers and mobile devices. All of Bitdefender's Enterprise Security solutions are managed within GravityZone through a single console, Control Center, which provides control, reporting, and alerting services for various roles within the organization.
This article explains how to protect the Virtual Desktop infrastructure (VDI) in a VMware environment with the use of VMware Horizon View and GravityZone Security for Virtualized Environments.
VMware Horizon View delivers desktop services from your datacenter to enable end-user freedom and IT management and control.
Desktop and application virtualization offers IT a more streamlined, secure way to manage users and provide agile, on-demand desktop services.
Bitdefender GravityZone Security for Virtualized Environments (SVE) is an all-encompassing security solution for virtualized datacenters, protecting virtualized servers and desktops on Windows, Linux, and Solaris systems.
GravityZone SVE offers protection through Security Server and BEST. Security Server is a dedicated virtual machine that de-duplicates and centralizes most of the antimalware functionality of antimalware clients, acting as a scan server. BEST is the component to be installed on the virtual machines you want to protect.
The prerequisites for GravityZone SVE are:
- ESXi host;
- vCenter Server;
- Control Center with GravityZone SVE service;
- Security Server (VMware version) deployed on at least one ESXi host;
- BEST installed on golden image.
You can also use SVE in a VMware environment when vShield Endpoint is not installed. In a non-vShield VMware environment, you must install BEST on every virtual machine.
BEST offloads anti-malware processing to the Security Server via TCP/IP. Network load will be at a minimum level due to the BEST local cache and the centralized cache on the Security Server. BEST employs a local cache that is prepopulated based on its environment variables; this way it is able to offload the scanning of only what is required while excluding objects that are safe.
Note: When using GravityZone SVE in a non-vShield VMware environment, there is no need to deploy a Security Server on each ESXi host.
To protect the VDIs, follow the next steps:
Integrate Control Center with vCenter:
- Open GravityZone Control Center.
- Go to the Configuration page.
- Select the Virtualization tab.
- Click the Add button at the upper left side of the table and choose vCenter Server from the menu.
Install Security Server on ESXi hosts.
- Go to the Network page and select Virtual Machines service.
- Select the host(s) on which you deploy the Security Server.
Right-click to access the contextual menu and select the Tasks > Install Security Server option. The Security Server Installation window appears.
In the General tab, select one of the following options:
- Use common settings for all Security Servers. Using this option while deploying multiple Security Server instances requires the target hosts to share the same storage and have identical hardware specs. In addition, all security servers will be part of the same management network segment and they will be automatically configured by DHCP.
Note: If DHCP is used, make sure all IPs assigned to Security Servers are reserved.
- Configure each Security Server differently. This option allows you to have different values for each setting of the Security Servers.
Click Next to configure the Security Server instance(s):
- Name – The name of the Security Server which will appear in VMware Inventory.
- Deploy Container – the vCenter server parent container for the new Security Server.
- Provisioning – the VMDK provisioning type.
- Consolidation – the hardware resource allocation. If Custom level is selected, the administrator can specify the amount of CPU and Memory.
- Set Administrative Password – at the time of the deployment the administrator can change the Security Server root password. If this option is not selected, the root account will have the default password and the only way this can be changed later is by accessing the VM's console.
- Timezone – the time zone setting. Clock is automatically synchronized by the ntpd service.
- Network Settings – the VMs management network settings.
After all the configurations are done, if you have different settings for your Security Servers, click Next to proceed with the next instance, otherwise click Save. The deployment task starts.
Note: You can view the deployment task progress in the Network > Tasks page. Check the task status by clicking the link in the Status column. After the deployment task reaches the status In progress 100%, the new Security Server is powered on and the boot process starts. Allow up to 3 minutes for the boot operation to complete. The deployment task will display the Finished status after the management agent on the Security Server synchronizes with GravityZone for the first time, which tells the administrator that the new Security Server is operational.
- Create a virtual machine (with Windows 7 for example) with all the programs needed by users.
Deploy BEST on this new virtual machine:
- Select the VM on which you deploy BEST.
Right-click to access the contextual menu and select the Tasks > Install option. The BEST Installation window appears.
- Under the Credentials Manager section, specify the administrative credentials required for remote authentication on the virtual machine.
Configure the VMware Horizon View: connect to VMware Horizon View Administrator and create the pools for the VDIs.
Once VMware Horizon View is configured and a user connects from a VMware View Client to a VDI, new Virtual Desktops are created.
All the VDIs from VMware Horizon View will be protected.
- Try an EICAR test. Copy the 68-byte string into a .txt file and save it. If the VDI is protected, the .txt file will be empty when you reopen it. In addition, the charts on the Control Center Dashboard and Reports pages will show malware presence on the VDI.
On the Security Server you can check if your VDI is connected to it. The connection should be established on port 7081.
netstat | grep ESTABLISHED
tcp6 0 0 gz2svamp.tstlabs:7081 vdi-01.tstlabs.bi:65299 ESTABLISHED
tcp6 0 0 gz2svamp.tstlabs:7081 vdi-02.tstlabs.bi:64235 ESTABLISHED
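As an added example (not part of the original article or of Bitdefender's tooling), the shell functions below automate this check: they list the clients with an ESTABLISHED session to port 7081 and name any expected desktop that has none. The short host names passed as arguments and the last two sample lines are assumptions; the sample is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: verify which VDIs hold an ESTABLISHED session to the
# Security Server scan port (7081, as stated in the article).
SCAN_PORT=7081

# Read netstat-style lines on stdin and print the remote host of every
# ESTABLISHED connection whose local endpoint is on SCAN_PORT.
connected_clients() {
    awk -v port="$SCAN_PORT" '
        $6 == "ESTABLISHED" {
            n = split($4, l, ":")            # local address:port
            if (l[n] != port) next
            m = split($5, r, ":")            # remote address:port
            host = r[1]                      # rejoin IPv6 literals
            for (i = 2; i < m; i++) host = host ":" r[i]
            print host
        }' | sort -u
}

# Print each expected short host name (arguments) that has no session on
# SCAN_PORT. netstat truncates long names unless run with --wide, so a
# name matches if the remote host equals it or starts with "name.".
missing_clients() {
    clients=$(connected_clients)
    for name in "$@"; do
        printf '%s\n' "$clients" |
            awk -v n="$name" '$0 == n || index($0, n ".") == 1 { found = 1 }
                              END { exit !found }' || printf '%s\n' "$name"
    done
}

# Constructed sample: the first two lines are from the article, the last
# two (a closed session and an unrelated SSH session) are hypothetical.
SAMPLE='tcp6 0 0 gz2svamp.tstlabs:7081 vdi-01.tstlabs.bi:65299 ESTABLISHED
tcp6 0 0 gz2svamp.tstlabs:7081 vdi-02.tstlabs.bi:64235 ESTABLISHED
tcp6 0 0 gz2svamp.tstlabs:7081 vdi-03.tstlabs.bi:61022 TIME_WAIT
tcp 0 0 gz2svamp.tstlabs:ssh admin-pc.tstlabs:50112 ESTABLISHED'

# Offline demonstration on the sample; vdi-03 is reported as missing.
printf '%s\n' "$SAMPLE" | missing_clients vdi-01 vdi-02 vdi-03

# On a Security Server, feed it live data instead:
#   netstat -t | missing_clients vdi-01 vdi-02
```

A desktop reported as missing has no active scan session on the port, so its BEST agent is not offloading scans to this Security Server at that moment.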