The Deep Security Virtual Appliance will reach end of extended support
(EOL) on 31-Dec-2027 or VMware's end of support date for NSX-4.X, whichever comes
first.
Trend Micro Deep Security has worked closely with VMware to offer agentless security at the hypervisor level. This security is provided by the Deep Security Virtual Appliance. The appliance is deployed at the cluster level through NSX Manager to offer protection to VMs on the same ESXi host.
Deep Security Virtual Appliance features
Scan caching
The scan cache allows the results of an Anti-Malware scan to be used when scanning multiple machines with the same files. When the appliance scans the original guest virtual machine, it keeps track of attributes of the files it is scanning. When other virtual machines are scanned, it can compare these attributes for each file. This means that subsequent files with the same attributes do not need to be scanned fully a second time, which reduces the overall scan time. In situations like virtual desktop infrastructure (VDI) where the images are nearly identical, the performance savings from scan cache are greater.
Scan storm optimization
A 'scan storm' occurs where many scans occur concurrently, causing performance
slowdowns. Typically, scan storms occur in large-scale VDI deployments. When performing
Anti-Malware scanning, the appliance can use the scan cache feature to optimize
its resource usage during a scan storm.
Ease of management
Generally, deploying one Deep Security Virtual Appliance to each ESXi host is easier than deploying a Deep Security Agent on multiple VMs. With NSX, these management savings increase because NSX Manager automatically deploys the Deep Security service when you add a new ESXi host to the cluster.
The virtual appliance can also help with network flexibility. Each Deep Security Agent
requires network connectivity to resolve the Deep Security Manager and Relay. By using
the Deep Security Virtual Appliance, this network connectivity is limited to the virtual
appliance and connectivity to each VM is not required.
In some cases, the infrastructure and VMs may be managed by different teams. By using
the virtual appliance, the infrastructure team does not require access to the virtual
machine to add protection because it can be deployed at the hypervisor level to protect
each of the virtual machines.
VMware deployments with the virtual appliance and NSX
If you want to use the Deep Security Virtual Appliance to protect your guest VMs, you'll need to use VMware NSX Data Center for vSphere (NSX-V) or NSX-T Data Center. NSX-V and NSX-T have several license types. These license types are shown in the table below, along with the Deep Security features supported by each.
Note: For a more detailed list of features and sub-features supported by the Deep Security Virtual Appliance, see Deep Security Virtual Appliance (NSX) (with embedded 11.0 agent).
Deep Security Virtual Appliance deployment

The first three license columns apply to NSX for vSphere (NSX-V) 6.4.x. The remaining five apply to NSX for vSphere (NSX-V) 6.4.x and NSX-T 3.x.

|  | Standard or NSX for vShield Endpoint (free) | Advanced | Enterprise | NSX Data Center Standard or NSX for vShield Endpoint (free) | NSX Data Center Professional | NSX Data Center Advanced | NSX Data Center Enterprise Plus | NSX Data Center for Remote Office Branch Office |
|---|---|---|---|---|---|---|---|---|
|  | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 |
|  | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 | ✔1 |
|  | X | ✔ | ✔ | X | X | ✔ | ✔ | ✔ |
|  | X | ✔ | ✔ | X | X | ✔ | ✔ | ✔ |
|  | X | ✔ | ✔ | X | X | ✔ | ✔ | ✔ |
|  | X | X | X | X | X | X | X | X |
|  | X | X | X | X | X | X | X | X |

1 Available on Windows guest VMs only
If a feature is not supported by the appliance (X), it can be procured through the agent. When you install agents to supplement the virtual appliance's functionality, this is known as combined mode.
Some key points when considering combined mode:
- Management: Deep Security has deployment scripts that can be used to script the deployment of the Deep Security Agent using various orchestration tools (Chef, Puppet, etc.). Using the deployment scripts allows for easier deployment of the agent. These scripts also allow activation and assignment of policy. They help to reduce the manual intervention required and reduce the management cost when deploying the agent in a VMware environment.
- Scan caching performance improvements and Scan storm optimization: In combined mode, the virtual appliance will do scan caching and scan storm optimization for Anti-Malware scanning. This allows the agent footprint on each VM to remain small because only a network driver needs to be installed.
For details on how to set up the Deep Security Virtual Appliance environment, see Deploy the appliance (NSX-T 3.x), or Deploy the appliance (NSX-V).
VMware deployments with the agent only
If you want to protect VMware environments without the virtual appliance or NSX, you can do so by deploying the Deep Security Agent to each of your VMs. In this scenario, you don't need the Deep Security Virtual Appliance, since all protection is provided by the agents. By using the Deep Security Agent, you get all of the main features of Deep Security, namely: Anti-Malware, Integrity Monitoring, Firewall, Intrusion Prevention, Web Reputation, Log Inspection, and Application Control. In addition, the agent has the following characteristics:
- It is lightweight (a Smart Agent). Only the protection modules that you specify (for example, Anti-Malware and Integrity Monitoring) are installed using a policy that you set up on the manager. Further, Deep Security has a feature called 'recommendation scanning', which allows you to only assign rules necessary for the specific workload you are protecting.
- Windows agents include an Anti-Malware scan cache, containing hashes of previously-scanned files that are frequently accessed, so that they don't need to be rescanned.

To deploy agents, Trend Micro has provided deployment scripts that can be used with various orchestration tools (Chef, Puppet, etc.). You can also install the agent manually.
Additional information
- Trend Micro and VMware Website: https://www.trendmicro.com/VMware/