
(Re-)Introduction to Guest Introspection

The Guest Introspection platform has been included in NSX Data Center for vSphere for several years, mostly as a replacement for the VMware vShield Endpoint product. It gives customers the ability to plug in their VMware-certified partner solutions to provide agentless anti-virus and anti-malware protection for a variety of data center workloads.


The Benefit of the Guest Introspection Platform

The Guest Introspection platform provides customers with several outcomes.

Simplified AV management – Manually installing agents into the guest operating system carries massive operational overhead: deploying the agents onto every virtual workload, managing the agent life-cycle after deployment, and troubleshooting issues with the in-guest agents during day-2 operations.

Guest Introspection provides a centralized management interface for deploying the agentless components to the vSphere hosts, including the security policies, while using vSphere objects and groupings of those objects to associate the endpoint policy. This allows granular policy creation and association in the workload environments.

Improved endpoint performance – When several or all of the virtual workloads kick off a scheduled AV scan at the same time, the scan can place a massive drain on host resources. Workloads may suffer during the scan, and end users can notice the performance drop. These impacts can lead to reduced consolidation ratios, where more host hardware is required just to absorb the overhead of these scans.

Guest Introspection reduces this impact by moving the AV scan workload to the partner service virtual appliance, which uses far fewer resources than all of the in-guest agents running the same scan on every machine at the same time. We've seen customers reduce their overall CPU needs and even lower CapEx costs, because they no longer have to reduce consolidation ratios or buy more host hardware to perform the same scheduled scans.

Strengthened security posture – In-guest agents are exposed to attack by malicious payloads. Typically, the malicious payload searches for the anti-virus and anti-malware solutions and shuts them down or disables them outright.

Guest Introspection doesn't require any partner agents to be deployed into the guest operating system to provide the same security benefits of anti-virus and anti-malware solutions. These agent-based services are offloaded to the partner service virtual appliance, so they are isolated from the malicious payload and cannot be directly disabled or shut down from inside the guest.


Taking Guest Introspection to the Next Level for NSX-T 2.4

With the General Availability announcement of NSX-T Data Center 2.4, the Guest Introspection platform is now integrated into NSX-T. It provides the same benefits listed above as it does for NSX Data Center for vSphere, and it adds a few new enhancements specific to NSX-T. These enhancements could give customers compelling reasons to consider NSX-T for new NSX deployments, or to migrate their current NSX Data Center for vSphere deployments to NSX-T Data Center.

Guest Introspection for NSX-T 2.4 brings several enhancements beyond the benefits it already delivers in NSX Data Center for vSphere, with features that are available only in NSX-T.

Simplified life-cycle management – Guest Introspection in NSX Data Center for vSphere requires a separate Guest Introspection service virtual appliance on each host to support agentless offload, in addition to the VMware partner appliance. While NSX manages its own appliance efficiently, in NSX-T we moved those components into the NSX Agent installation to simplify the overall architecture and reduce the number of service virtual appliances needed for Guest Introspection to a single partner appliance per host. Fewer service virtual appliances means less server downtime and fewer possible interruptions during deployments and upgrades.

Multi-vCenter support – NSX Data Center for vSphere depends on vCenter for integration and can be associated with only one vCenter at a time. NSX-T Data Center 2.4 can be associated with up to 16 vCenters (compute managers) at the same time. This means common security profiles from the anti-virus and anti-malware VMware partners can extend across multiple vCenter workload domains, and the effort of managing those policies is significantly reduced: a customer no longer has to set the same policy multiple times in each NSX Manager deployment.

Partner scale enhancements – In NSX Data Center for vSphere, the partner appliances were limited in the amount of resources that could be assigned to them, including vCPU and vRAM. These resource limits were not configurable and were agnostic to how many workloads actually resided on the hosts that needed the security solution. A host with 10 VMs to protect would need the same resources as the same host with 100 VMs to protect. This model did not scale and could leave the security solution with either under-utilized or insufficient resources. NSX-T Data Center now allows VMware partner service virtual appliances to be deployed using 't-shirt style' deployment models of Small, Medium, and Large. The security solution can be sized to fit the number of workloads that require protection, scaling up as the number of workloads grows or down for lower densities on hosts. A customer can also mix and match deployment models based on the workload types and densities across their environment, rather than relying on one static service virtual appliance deployment model.

Along with the re-introduction of Guest Introspection for NSX-T 2.4, we'd like to point out that we have our first certified partner integration with Bitdefender GravityZone. Jump over to their site for more information on Bitdefender and their solution, and be sure to check out the functional joint demo of NSX-T 2.4 and GravityZone in action. More certified partners are coming soon!