
Endpoint Security Management Console

One of the features of Deep Security is agentless integration with the VMware ESXi hypervisor. This is made possible by vShield Manager Endpoint Protection. In this post I aim to explain how this integration works with the Deep Security components. The requirements from the Deep Security side are as follows:

  • Deep Security installation files (download from , select “Product Patch” to get the latest patches)
  • Deep Security DSVA and the filter driver needed for the VMware integration (download from , select “Product Patch” to get the latest patches)
  • vSphere 5.x
  • ESXi 5.x (note that ESXi 4.1 is also supported; check the Installation Manual for specifics)
  • vShield Manager 5.0, 5.1 or 5.5
  • VMware Tools with the vShield Driver option installed inside the guest OS

Let's look at how agentless protection works. There are two basic methods in use:

  • Malware / AV – this is disk I/O based
  • Web Reputation / Firewall / IPS – this is network traffic based

Malware / AV

Malware and AV activity is disk I/O based. Disk reads and writes are “captured” by the vShield driver installed inside the guest OS and passed to the DSVA for scanning. Once scanned, the result is returned and the file is either committed to disk or deleted (if malware was found). The key point is that for Malware / AV, Deep Security uses the vShield driver installed inside the OS.

Web Reputation / Firewall / IPS

All of this traffic is network based and is intercepted by the filter driver that was installed inside the hypervisor when the ESXi host was “Prepared” in the DSM console. The filter driver passes the traffic to the DSVA appliance for scanning, and based on the rules applied to that VM via its policy the traffic is either allowed or denied.

(Note that Log Inspection cannot be done agentlessly; an agent is needed for this. Read below on Coordinated Protection.)

The key message here is that different Deep Security modules rely on different methods of filtering: the vShield guest driver for disk I/O and the hypervisor filter driver for network traffic.

The next question I often get is whether a Deep Security Agent can be installed alongside agentless protection. The answer is yes, and this is called Coordinated Protection. Here are the rules around it:

  • The VM is protected by the agent installed inside the OS. If this OS agent goes offline, the host-based agent (the DSVA) takes over the protection.
  • There is no “double scanning”. The host-based agent (filter driver on ESXi) allows all traffic to pass until it has to take over.
  • It provides mobility for cloud-based VMs: you can move the VM to a different provider and still keep the same security settings.
  • It allows for the implementation of Log Inspection.
