Agentless Workload Security with GravityZone and NSX-T 2.4 Data Center

• VMware NSX-T Data Center 2.4 release now includes Guest Introspection services via agentless endpoint protection.
• Bitdefender GravityZone Security for Virtualized Environment (SVE) is the first, and currently the only, security vendor that integrates NSX-T Guest Introspection.
• If you are upgrading to NSX-T Bitdefender solves real operational challenges for highly-dense, large scale datacenter deployments.

Background

VMware initially released NSX-T in 2017 as an alternative to NSX for vSphere (NSX-V), expanding the NSX software defined networking solutions to multi-hypervisor, hybrid cloud and container environments. Large organizations operating distributed heterogenous environments take advantage of the NSX-T network and security platform to provide configuration consistency of services across their entire datacenter estate. VMware provides a lot of good insights on their release blog post for NSX-T Data Center version 2.4 here and good coverage of agentless capabilities here. Let’s review some advantages of using agentless protection.

Agentless use scenarios and benefits

The agentless endpoint protection ecosystem in VMware NSX is all about automation and performance of security solutions. The advanced architecture of the agentless ecosystem provides solutions for common infrastructure security challenges which enterprises encounter, including:

• Dynamic environments. Depending on the nature of the workloads, servers running enterprise applications or workspaces provided via large VDI deployments must often quickly scale to meet varying demands. The agility of such environments renders most traditional security architectures unusable because there simply isn’t time to deploy guest agents or wait for security intelligence updates. In the agentless security model, GravityZone SVE deployment is automated, security is always on at the host level and no in-guest updates are required. Security and ops teams management effort is drastically reduced.
• Restrictive requirements. In private cloud deployment scenarios, organizations provide various hosted services for internal divisions or third-parties. These projects may have highly restrictive requirements with regards to network isolation or microsegmentation between various tenants. This complicates management of security agents (if at all possible!). Other projects have requirements in place which simply prohibit the usage of in-guest agents on top of the approved workload software. GravityZone SVE doesn’t require a direct line of communication with protected VMs or in-guest agents. This architecture significantly reduces deployment complexity.

• Regulatory compliance. Depending on their business profile, organizations are required to be compliant with various standards like PCI-DSS, HIPAA etc. In certain scenarios security solutions defeat the performance objectives of the respective environments. Meeting compliance requirements then boils down to increased effort and cost. Through the agentless ecosystem, GravityZone SVE provides centralized compliance reporting without the collateral disadvantages.

Automation via agentless guest introspection in NSX-T

GravityZone SVE is a cloud-workload protection platform that leverages the Bitdefender award-winning malware attack prevention technologies including HyperDetect, a tunable machine learning technology, to protect VMware workloads against attacks. The NSX agentless security service is powered by two platform integration points.

GravityZone integrates with one or more vCenter Server instances to provide administrators with end to end visibility into the asset inventory in their infrastructure, upon which GravityZone provides rich auditing capabilities.

GravityZone registers the SVE security service with NSX-T manager. Security administrators deploy and configure SVE by leveraging automated workflows in NSX-T.

Behind the scenes, NSX-T Manager deploys the NSX host drivers on ESXi servers to create a hypervisor-internal communication channel with VMs running VMware Tools with Guest Introspection. The Bitdefender Security Server is then deployed on each ESXi host and connected to the Guest Introspection communication channel, protecting each virtual machine without deploying a Bitdefender agent in-guest. The resulting architecture is represented below.

GravityZone SVE and NSX-T 2.4 in action

Check out the following demo video recorded by Bitdefender and VMware to demonstrate how the two platforms work in concert to provide infrastructure security and ease of use.

Try GravityZone SVE with NSX-T

Qualifying, large organizations can request a special, extended trial of GravityZone SVE to experience the full potential of NSX-T integrated security.

Visit https://businessresources.bitdefender.com/nsx-special-offer to apply.

Additional Resources

• Embracing Heterogeneity, blog post discussing the unique security challenges in heterogenous environments
• Configure GravityZone SVE with NSX-T Datacenter 2.4 Guest introspection, a step-by-step solution deployment guide.