NSX-T Guest Introspection With Trend Micro Deep Security

Integrating third-party security services with NSX has always been a popular feature of the platform. While NSX comes with its own set of robust security services, there are scenarios where additional workload protection is required. The ability for a partner solution to leverage the rather unique layer in which the NSX platform operates with regard to the workloads makes for a pretty powerful service.

There are two main types of NSX-T partner integrations: Service Insertion, for inspection of network traffic, and Endpoint Protection (aka Guest Introspection), which provides agentless antimalware and antivirus capabilities for virtual machines.

In today’s article I’m having a look at setting up NSX-T Guest Introspection through integration with Trend Micro Deep Security.

Guest Introspection Architecture

Before we dive into configuring this integration, let’s have a brief look at the major components that make up the Guest Introspection solution in NSX-T 2.5:

So what we have here is:

  • NSX Manager Cluster – Responsible for pushing configuration to the ESXi hosts (carried out by the controller component).
  • Partner Console – The partner solution interface for managing the guest introspection solution on the partner solution side. For example Trend Micro Deep Security Manager (DSM).
  • Partner SVM – A service virtual machine deployed by the partner solution. It contains the logic to scan file or process events to detect virus or malware on the guest. For example Trend Micro Deep Security Appliance.
  • Thin agent – Installed on the guest VM (part of the VMware Tools installation package). It intercepts file and network activities.
  • NestDB – Holds NSX configuration related to the host.
  • OpsAgent – Forwards the guest introspection configuration to the Mux. It also relays the health status of the solution to the NSX Manager Cluster.
  • Context Multiplexer – Multiplexes and forwards messages from all the protected Guest VMs to the Partner SVM.

Setting up the Trend Micro Deep Security integration

A couple of things have been installed in the lab environment in advance:

  • vSphere 6.7 U3
  • NSX-T 2.5.1
  • Trend Micro Deep Security Manager 12.5 (DSM).
  • vCenter and the NSX Manager Cluster added to the DSM.

Having this in place means we can start with the interesting stuff right away! 😉

Service deployment

The first step is deploying the partner service which can be done from the NSX Manager UI under System > Configuration > Service Deployments > Deployment:

As you can see, the Trend Micro Deep Security partner service is already selectable. It was added when the DSM registered itself with the NSX Manager Cluster. You can view some details about the partner service by clicking the View Service Details link.

We go ahead and click Deploy Service which brings up the following form:

Deploying the service is pretty straightforward. We fill out a name for the deployment, pick the compute manager (vCenter), vSphere cluster, and a data store. Clicking Save initiates the service deployment.

In the next step we see that the SVMs are configured with two NICs:

A Management NIC that needs to be configured with an IP address (either via DHCP or an NSX-T IP Pool) and a Control NIC that is configured by the system.

The vSphere cluster in my lab contains two ESXi hosts which means two Trend Micro SVMs are being deployed:

The SVMs are placed in a resource pool called ESX Agents:

Group

Next we need to create a group for the virtual machines that should be subject to the introspection. Groups can be added at Inventory > Groups > Add Group:

Here I created a group called Trend-DS-Protection with membership criteria that will add all Windows VMs to the group.

Service Profile & Rule

The third step is to add a service profile under Security > Endpoint Protection > Endpoint Protection Rules > Service Profiles:

Here I’m adding a service profile called Trend-DS-Service-Profile and selecting the Default (EBT) vendor template.

Under Rules we first add a policy (Trend-DS-Policy) and then a rule (Trend-DS-Rule) within that policy:

This rule basically ties the Trend-DS-Protection group to the Trend-DS-Service-Profile service profile.

Guest Introspection Activation

The final step is to activate guest introspection for the VMs in the Trend-DS-Protection group. For this the VMs need to be in a managed state in the Trend Micro DSM.

The easiest way to achieve this is to create an Event-Based task in DSM that will assign a policy based on criteria:

As you can see above, I’m assigning the Windows Server policy to VMs running Windows Server, which then results in these VMs automatically becoming managed by DSM:

One last thing is to make sure that the Thin Agent is active in the guest VMs. As mentioned, it is part of VMware Tools, but it is only installed when performing a Complete installation. If we did a Typical installation, it’s pretty easy to add the Guest Introspection bits afterwards by modifying the existing VMware Tools installation:
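
A VM that is in the Trend-DS-Protection group but has no running thin agent is not being scanned, so it is worth checking the guests themselves. The PowerShell below is an added example, not part of the original walkthrough: it reports the state of the thin agent drivers that VMware Tools installs on Windows (vsepflt for file introspection, vnetWFP or vnetflt for network introspection). The function name and the `Protected` column are hypothetical, and treating a running vsepflt driver as the condition for agentless anti-malware coverage is an assumption of this example.

```powershell
# Added example (not from the original post): report whether the Guest
# Introspection thin agent drivers are installed and running on Windows guests.
# Drivers checked: vsepflt (file introspection) and vnetWFP / vnetflt
# (network introspection, name depends on the Windows version).

function Get-ThinAgentStatus {
    param(
        # Defaults to the local guest. Pass remote VM names to sweep a whole group.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $filter = "Name='vsepflt' OR Name='vnetWFP' OR Name='vnetflt'"

    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_SystemDriver'; Filter = $filter; ErrorAction = 'Stop' }
        # Remote guests are queried over WinRM; the local guest is queried directly.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            $drivers = @(Get-CimInstance @query)
        } catch {
            # An unreachable guest is reported as unprotected rather than skipped.
            [pscustomobject]@{
                Computer             = $computer
                FileIntrospection    = 'Unreachable'
                NetworkIntrospection = 'Unreachable'
                Protected            = $false
            }
            continue
        }

        $file = $drivers | Where-Object Name -eq 'vsepflt'
        $net  = $drivers | Where-Object Name -in 'vnetWFP', 'vnetflt' | Select-Object -First 1

        [pscustomobject]@{
            Computer             = $computer
            FileIntrospection    = if ($file) { $file.State } else { 'NotInstalled' }
            NetworkIntrospection = if ($net)  { $net.State }  else { 'NotInstalled' }
            # Assumption: anti-malware coverage needs the file introspection driver running.
            Protected            = [bool]($file -and $file.State -eq 'Running')
        }
    }
}

# Local check; pass the names of the VMs in the protected group to sweep them.
Get-ThinAgentStatus | Format-Table -AutoSize
```

Guests that report `NotInstalled` for file introspection are the ones that received a Typical VMware Tools installation and still need the Guest Introspection components added.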

Conclusion

This completes my high-level NSX-T – Trend Micro Guest Introspection configuration walkthrough. In my lab environment I had zero issues installing this solution. VMware and Trend Micro really did a good job in making it an easy process.

In larger environments the configuration process will be largely the same except for more SVMs to deploy and more VMs to handle.

Thanks for reading.

References:
Trend Micro Deep Security documentation
NSX-T documentation
Agentless Anti-Virus with NSX-T Guest Introspection Deep Dive (VMworld 2019, Geoff Wilmington)
