VMware Networking Community
szilagyic
Hot Shot

Guest introspection and redundancy

Recently we started looking at Symantec DCS (their agentless AV solution) for a POC in a test environment.  In our tests, we simulated a situation where the SVA (security virtual appliance) on one of the hosts becomes unresponsive or even attacked, so that it no longer functions.  We simply shut down the VM to simulate it going offline.  We noticed when doing this that all AV scanning on the host stopped and everything failed open.  A test virus was not detected during the time the SVA was down.  A lot of solutions advertise "redundancy", but I do not see how this is possible with NSX, because it deploys one SVA to each host, and everything I know of so far shows this is a manual process.  This is not something with the AV software vendor; it's a VMware thing.

Is there a way to have NSX Manager monitor the SVA (scanner) on each host and automatically recover if one fails?  So far we are not finding any information for this.  In our case, we want to simulate an attack on the SVA or show it in a state where scanning on the host stops, as well as automate the recovery process for this.

Any feedback would be appreciated.  Thanks.

3 Replies
Techstarts
Expert

Ideally you should engage a System Engineer from Symantec to get your query addressed.

Apparently by default, failopen is configured on your SVA. Please change it to failclose.

There are multiple ways you can monitor or reboot the SVA:

1. Configure an alarm on vCenter to monitor the virtual machine. If you are using vROps, you can define an action to reboot it.

2. There has to be configuration within the SVA to frequently check the heartbeat of the SVA.

3. You can use vCenter application monitoring.

All of the above three options, in combination with failclose, will aid you in the POC.

Hope this helps,

With Great Regards,
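The first option above (watching the SVA VM from vCenter and powering it back on) can be scripted with PowerCLI. The following is an added example written for this thread, not code from VMware, Symantec or any poster; it assumes a vCenter reachable as vcenter.example.com, SVA VMs whose names match the pattern "*SVA*", and an account allowed to power on and reset VMs. It treats an SVA as unhealthy when it is powered off or its VMware Tools heartbeat is not green, and it flags hosts with no SVA at all, since such a host has no introspection-based scanning.

```powershell
# Added example (not from the thread): poll each ESXi host's guest-introspection
# SVA and recover it when it is off or its VMware Tools heartbeat is unhealthy.
# Assumed values (placeholders, not from the page): vCenter address, SVA name pattern.
# Requires the VMware PowerCLI module and rights to start/reset VMs.

param(
    [string]$VCenter         = 'vcenter.example.com',   # placeholder vCenter FQDN
    [string]$SvaNamePattern  = '*SVA*',                 # placeholder SVA VM name pattern
    [int]   $IntervalSeconds = 60                       # polling interval
)

Connect-VIServer -Server $VCenter | Out-Null

function Test-SvaHealthy {
    param($Vm)
    # Healthy only if powered on AND the Tools heartbeat (gray/green/yellow/red) is green.
    # A powered-on VM whose guest has hung or been killed shows gray or red here.
    $powered   = $Vm.PowerState -eq 'PoweredOn'
    $heartbeat = $Vm.ExtensionData.GuestHeartbeatStatus
    return ($powered -and ($heartbeat -eq 'green'))
}

function Repair-Sva {
    param($Vm)
    if ($Vm.PowerState -eq 'PoweredOff') {
        # Simulated "SVA shut down" case from the original post: just power it on.
        Start-VM -VM $Vm -Confirm:$false | Out-Null
        return 'started'
    }
    # Powered on but not heartbeating: the guest is unresponsive, so a graceful
    # restart via Tools will not work; do a hard reset of the VM instead.
    Restart-VM -VM $Vm -Confirm:$false | Out-Null
    return 'reset'
}

while ($true) {
    foreach ($esx in Get-VMHost) {
        $svas = Get-VM -Location $esx -Name $SvaNamePattern -ErrorAction SilentlyContinue
        if (-not $svas) {
            # No SVA on this host means no introspection scanning for its guests.
            Write-Warning "$($esx.Name): no SVA found on host; guests are not being scanned"
            continue
        }
        foreach ($vm in $svas) {
            if (Test-SvaHealthy -Vm $vm) { continue }
            $hb = $vm.ExtensionData.GuestHeartbeatStatus
            Write-Warning "$($esx.Name): $($vm.Name) unhealthy (power=$($vm.PowerState), heartbeat=$hb)"
            $action = Repair-Sva -Vm $vm
            Write-Output "$(Get-Date -Format o) $($esx.Name) $($vm.Name) recovery action: $action"
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

This only restores the SVA virtual machine; it cannot tell whether the scanning service inside the appliance is actually working, which is the application-layer monitoring the thread says must come from the AV vendor. Pair it with a fail-closed setting so that guests are not silently unprotected during the window before the SVA is back.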
szilagyic
Hot Shot

Hello and thank you for the reply.  I have checked with Symantec, and their answer so far is that all of this functionality is handled in NSX Manager, and I can see why they say this.  All that the Symantec solution does is upload the SVA image to NSX Manager, and it appears to hook into vCenter as well to monitor whether the SVA is powered on or not.  NSX Manager is used to actually deploy and also update the SVA.  So, the gist is that NSX Manager should be the solution re-deploying and managing the SVA appliances, which I agree with.  But our question is how to have it do that automatically so it doesn't require human intervention.

We currently do not have vROps permanently running, but I do understand that could be an option to at least provide some monitoring and rebooting functionality.  However, as one of my co-workers suggested, even vROps may not be intelligent enough to actually monitor the services running on the SVA appliances and take action based on that, which I would think is a critical feature to have.  NSX Manager, however, only seems to know if the SVA is powered on or not (it shows the status as "up").  I am surprised that there is no other monitoring going on for the SVA, which is a single point of failure for the entire host's file and network traffic scanning.  Also, I will have to research what failclose will do: will it stop network and file traffic on the VM if the SVA is unavailable?  If so, this is a question for each organization to answer, whether to fail open or closed.

Thank you.

Techstarts
Expert

Hello and thank you for the reply.  I have checked with Symantec, and their answer so far is that all of this functionality is handled in NSX Manager, and I can see why they say this.  All that the Symantec solution does is upload the SVA image to NSX Manager, and it appears to hook into vCenter as well to monitor whether the SVA is powered on or not.  NSX Manager is used to actually deploy and also update the SVA.  So, the gist is that NSX Manager should be the solution re-deploying and managing the SVA appliances, which I agree with.

We all agree here that NSX Manager is purely taking instructions and sending them to vCenter/the ESXi host. Monitoring of the SVA at the application layer should be owned by the vendor. Refer to the blog link below; Trend Micro provides that functionality. Monitoring at other layers is also advised by HStrydom.

We currently do not have vROps permanently running, but I do understand that could be an option to at least provide some monitoring and rebooting functionality.  However, as one of my co-workers suggested, even vROps may not be intelligent enough to actually monitor the services running on the SVA appliances and take action based on that, which I would think is a critical feature to have.  NSX Manager, however, only seems to know if the SVA is powered on or not (it shows the status as "up").  I am surprised that there is no other monitoring going on for the SVA, which is a single point of failure for the entire host's file and network traffic scanning.  Also, I will have to research what failclose will do: will it stop network and file traffic on the VM if the SVA is unavailable?  If so, this is a question for each organization to answer, whether to fail open or closed.

  1. Failing closed eliminates the risk of security compromise while the appliance is down. Downtime is a bigger risk for many organizations, but, as you are rightly testing, a hacker would be focusing on bringing down the SVA, and once that is achieved the impact will differ depending on failclose/failopen. By default, all vendors keep failclose. So it is a risk vs. availability discussion.
  2. Please review this article -> Deep Security: DSVA Availability options | VirtualClouds.co.za by

With Great Regards,