So what do I mean by this? While I was doing the webinar on Compliance and Backups I got the idea to see if I could protect a VM that is being recovered with Veeam’s Instant Recovery using VMware’s vShield Manager and the Agent-Less AV capability. So let’s look at the product set we are going to use for this:
Deep Security has the ability to protect VMware virtual machines from malware, web threats, and network attacks (firewall and intrusion detection/prevention) using Agent-Less technology. No in-guest agent is needed to protect the VM from these threats.
Veeam has these cool features called vPower and Instant Recovery. Basically, with vPower Veeam can mount the backup storage as a datastore on an ESXi host via NFS and then power up the VM that you want to restore directly from within this NFS-mounted backup storage. Once the VM is up and running you can use Storage vMotion to migrate the VM to a regular VMware datastore.
VMware vShield Manager
VMware vShield Manager provides Deep Security with the ability to protect VMs using Agent-Less technology.
The Use Case…
So let’s put this all together as a use case. You have a VM that needs to be recovered and that might have malware on it. Or a VM simply needs to be started up from backup and has out-of-date AV pattern files, or no AV at all. The basic requirement is that we need to restore a VM fast and at the same time provide immediate, up-to-date security (Malware/AV/Web/Firewall/IPS) protection for this VM. This is how I did it in my lab.
In my lab I have my AD01-Server, which is being backed up by Veeam. See the VM screenshot from vCenter below (everything is version 5.5).
This VM is backed up by a task in Veeam on a daily basis.
Next we have to create an Event-Based Task in Deep Security that will enable the Agent-Less option and assign a default policy to any VM that is added to vCenter. The task has the following settings:
- Activate Computer Delay = 0 min
- Assign Policy = Lab Policy (see the screenshot of my Lab Policy below)
- Assign Relay Group = Default Relay Group (or your relay group name)
- Conditions: vCenter Name = * (or, if you have multiple vCenters, the correct name)
Some notes on the rest of the config before we go on:
- You can define VM names; I just used * for testing.
- You can select more conditions; for my test I only needed a vCenter name. I did not want to add physical servers as well.
- 0 min will activate immediately. If you want a delay you can set ‘x’ min and the task that activates the VM will be delayed by ‘x’ min.
- My MGMT cluster does not have Agent-Less security deployed, so the AD01-Server has no protection there.
- I also have Deep Security installed and working in a VMware environment. See the screenshot below of my environment with the ESXi hosts prepared and the DSVAs deployed.
The next step is to do an Instant Restore of the AD01-Server from my MGMT cluster to a resource cluster called “Cluster01” and provide instant protection. From the Veeam console I do an Instant Recovery of the VM to a different location, namely Cluster01 -> ESX01. In the screenshot of the Instant Recovery below we can see that the current host is MGMTESX01 (my MGMT cluster host) and the target host is ESX01 (a Cluster01 host).
I also set the VM to power on automatically with NO network connectivity. I want the VM to start up with no network, so that a possibly infected machine never touches the network, and then do a malware scan on the server using the Agent-Less malware scan.
When the Veeam Instant Recovery job starts it creates the new VM. The Event-Based Task in Deep Security detects the new VM and applies the base policy to it. See the screenshot below of the activation process and, once it completes, the immediate protection that is enabled.
From the ESX01 host side we can see that the VM has started up from the VeeamBackup_VEEAM01 NFS datastore.
Now that the VM is running we can run our malware scan from Deep Security. This is done from the Deep Security console.
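Before trusting the scan result it is worth confirming, from vCenter, that the recovered VM really is isolated. The PowerCLI function below is an added example (not from the original post or from Veeam or Trend Micro): it reports whether the VM still runs from a vPower NFS datastore and whether any NIC is connected, and can disconnect them. It assumes an existing Connect-VIServer session and that the vPower datastore name starts with "VeeamBackup_", as in the lab above; the function name and parameter names are mine.

```powershell
# Added example: verify that an instantly recovered VM is network-isolated
# while it still runs from the Veeam vPower NFS datastore.
# Assumes Connect-VIServer has already been run against vCenter.
function Test-RecoveredVmIsolation {
    param(
        [Parameter(Mandatory)][string]$VmName,
        [string]$VPowerDatastorePrefix = 'VeeamBackup_',   # lab naming assumption
        [switch]$Enforce   # disconnect any NIC that is still connected
    )

    $vm = Get-VM -Name $VmName -ErrorAction Stop

    # An Instant Recovery VM keeps its disks on the NFS mount until it is
    # Storage vMotioned away, so the datastore name tells us which phase it is in.
    $datastores = Get-Datastore -RelatedObject $vm
    $onVPower = @($datastores | Where-Object { $_.Name -like "$VPowerDatastorePrefix*" }).Count -gt 0

    # A NIC counts as a risk if it is connected now OR set to connect at power on
    $nics = Get-NetworkAdapter -VM $vm
    $connected = @($nics | Where-Object {
        $_.ConnectionState.Connected -or $_.ConnectionState.StartConnected
    })

    if ($Enforce -and $connected.Count -gt 0) {
        # Disconnect immediately and keep it disconnected across a reboot
        $connected | Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null
        $connected = @()
    }

    [pscustomobject]@{
        VM                = $vm.Name
        PowerState        = $vm.PowerState
        Host              = $vm.VMHost.Name
        RunsFromVPowerNfs = $onVPower
        ConnectedNics     = $connected.Count
        Isolated          = ($connected.Count -eq 0)
    }
}

# Usage (lab VM name from the post): report, and disconnect any NIC still attached
Test-RecoveredVmIsolation -VmName 'AD01-Server' -Enforce
```

Run it before starting the Deep Security scan and again before reconnecting the NICs; Isolated should be True and RunsFromVPowerNfs True until the Storage vMotion has completed.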
To recap what we did:
- Had a VM with no security (AV) protection that we needed to restore and fully scan
- Did an Instant VM Recovery using Veeam
- Have an Event-Based Task in Deep Security that detects new VMs, activates them and applies the new policy to protect them
- Started up the VM in a network-disconnected state
- Was able to start a malware scan with no in-guest OS agents
- All done in about 2 min!