Jump to content

Single point of failure using ESXi scanning?


Recommended Posts

I've never liked the idea of using a VM or even a host agent to offload scanning of all VMs within an environment.  I honestly think a lot of people feel this way and that's why this particular forum is so dead.

 

What happens if the host agent or single VM used for offloading has an issue?  Does that mean nothing gets scanned?  What happens if it's overloaded, does that mean it's now introducing latency in my VM environment?

 

We were using McAfee EPO years ago and they had this same feature.  You could use a single VM appliance to offload all scanning.  It slowed everything down considerably and required 16 vCPUs to function correctly. 

 

I'd much rather install the agent/endpoint on each server and know that each system is self contained. 

Link to post
Share on other sites
  • ESET Staff

Thank you for your inputs.

Support for agent-less scanning was a demanded feature from the market, especially from the ease of deployment / ease of change point of use perspective. 

Once you have deployed entire VMware infrastructure and tweaked it properly, switching for another vendor was just a matter of minutes (you exchange one scanning appliance to another one).

However, as you have correctly mentioned, it has certain drawbacks. The level of security is limited to the abilities of the API we are integrating with, which is the reason why ESET has chosen dual approach.

You have the freedom of choice, whether you install our agents (Endpoints / EFSW) into the guest systems, and connect them with our Shared Local Cache, which prevents duplicate scanning on hosts, where there is a large duplication of files (usually all VMs share the same code). Our you can opt-in for the agent-less approach. VMware was solving the AV storms problem with vShield, not a strengthening of security problem.

Link to post
Share on other sites

Yeah, that's what I thought.  I fixed the IO blender issue another way - all flash storage and plenty of physical CPU cores.  I'll stick to the agent/endpoint on each guest approach for now.  It works well with Smart Optimization/Scan enabled.

 

I noticed you guys didn't have the host based scanning for a while.  I figured you were pretty much pushed into it.

Link to post
Share on other sites
  • 3 weeks later...
  • ESET Staff

Hi,

I'd like to point out, that in case you have 10 servers with 10VMs on each, only these 10VMs are offloading scanning to security VM appliance (EVSA), which is deployed on same physical server (in this scenario, you'll have 10 EVSAs in your environment). If you'd install 10 endpoints on each guest VM I'm not sure, whether you'll improve utilization.

It's however true, that our Endpoint is safer that VMware vShield solution.

 

It's up to customer, whether he wants more security or better utilization. 

Edited by Matus
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...