ArchetypeSC was recently approached by a billion-dollar global financial corporation to perform an assessment of their McAfee ePO, MOVE, and DLP upgrade implementation plan. They had an older, distributed ePO environment consisting of separate consoles in AMER, EMEA, and APAC, which made administration of the overall environment difficult. While the ePO infrastructure was their main focus, their McAfee MOVE infrastructure was of particular concern.
Millions of organizations are realizing the benefits of virtualizing their infrastructures wherever possible. This particular organization was expanding their Virtual Desktop Instance (VDI) infrastructure rapidly, and that growth brought challenges in scaling their VDI antivirus infrastructure. They implemented McAfee MOVE several years ago, but they weren’t making use of the biggest product improvement recently released: the SVA manager.
This particular organization was using multiple versions of MOVE in different regions of the globe. Prior to version 3.5, every VDI was assigned a primary and secondary SVM/OSS, which makes scaling the infrastructure very difficult: every time they rolled out new VDIs, they needed to create new SVMs as well. The other issue with the primary/secondary model is that there is no load balancing between SVMs. One SVM could be overloaded and performing poorly while another is operating at 0 load. The SVA manager breaks the dependence on the primary/secondary model of offload scan servers and allows intelligent load balancing using pools of SVMs.
McAfee MOVE Overview
McAfee MOVE is antivirus for virtual environments, and its main function is offloading file scanning to separate servers, reducing the load on client VDIs. This is very important for VDIs because there can be hundreds of VDIs running on one physical machine, making overhead management a major priority. Conventional antivirus can be included in a VDI image, but the additional overhead of file scanning on each VDI image has sysadmins looking for alternatives. McAfee MOVE addresses this and provides a solution for customers.
MOVE is distributed in 2 versions: Agentless and Multi-Platform.
Both versions make use of McAfee ePolicy Orchestrator (ePO) for administration and a server outside of the VDI image running VirusScan Enterprise (VSE) to perform on-access and on-demand scans, but the major difference between the two is how the VDIs communicate with the SVM (offload scan server).
Agentless – VMware only
- Makes use of the hypervisor channel as a high-speed network to communicate with SVMs
- Uses the vShield Endpoint bundled with VMware Tools to facilitate communication
- VMware only
- Requires 1 SVM per hypervisor
Multi-Platform – Works with multiple hypervisors
- Communicates with SVMs over the network
- VDIs only need the McAfee Agent installed on the VDI
- Works with all major hypervisors
- Makes use of the SVA manager
- McAfee Agent needs to be deployed to or part of the VDI image
Multi-Platform or Agentless?
This particular company had a global CITRIX XenDesktop environment with thousands of VDIs in AMER, EMEA, and APAC, but also had a very large Red Hat Enterprise Linux Virtual environment in AMER. The VDIs deliver the same end-user experience, with the back-end hypervisors being the only differentiator. RHEV is not supported by MOVE Agentless, so we knew immediately that it wasn’t an option there, but Agentless remained an option for the CITRIX environment.
Ultimately, the goal of this entire project was to simplify the management of McAfee ePO and all the associated point products; introducing complexity was not something we were comfortable doing. Had we suggested a mixed environment, that would have meant 2 sets of extensions to be loaded into ePO, 2 separate products to push out over the WAN connection, and additional policy to be created to deal with the different products. MOVE Multi-Platform was ultimately chosen for its flexibility to work with multiple hypervisors and for its scalability, with the SVA manager performing intelligent load balancing.
SVA Manager Placement
McAfee doesn’t suggest that there is any theoretical limit on how many SVMs can be managed by 1 SVA manager, but using 1 for a global organization did not seem like a good decision either. Part of our overall assessment of the company’s upgrade plan was a bandwidth calculation to understand the amount of bandwidth the new ePO infrastructure would be introducing into the pipe. Using our calculations and a bit of common sense, we decided that having SVA managers in each region was going to be the best decision.
Introducing the SVA manager to this environment is going to drastically improve SVM performance and overall load immediately. The SVA manager gets rid of the need for primary/secondary assignments and instead uses SVM pools, from which it assigns each VDI the best available scan server based on policy, tags, network addresses, and intelligent load balancing.
This particular organization has completely separate teams that manage their RHEV and CITRIX environments, and they couldn’t get their heads around using one manager to assign SVMs between the two environments, so ultimately a second SVA HA pair was introduced into the AMER RHEV environment. This is not required, but it satisfied a specific requirement of the business to keep the environments completely separate.
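The difference between the two assignment models can be seen in a small simulation. This is an added example, not code from McAfee or from the engagement: the SVM names, VDI counts and the "least-loaded healthy SVM" rule are constructed assumptions standing in for the SVA manager's real logic, which also weighs policy, tags and network addresses.

```python
# Simplified model: static primary/secondary pairs vs. a managed SVM pool.
# All names and numbers are constructed for illustration; the least-loaded
# rule is an assumption, not McAfee's actual SVA manager algorithm.

SVMS = ["svm-1", "svm-2", "svm-3", "svm-4"]

def build_static_assignments():
    """Each VDI is pinned to a (primary, secondary) pair at rollout time."""
    batches = [("svm-1", "svm-2", 60), ("svm-2", "svm-3", 40), ("svm-3", "svm-1", 20)]
    vdis = []
    for primary, secondary, count in batches:
        vdis += [(primary, secondary)] * count
    return vdis  # svm-4 was added later, so no VDI points at it

def static_load(vdis, down=frozenset()):
    """Clients per SVM when a VDI uses its primary, or its secondary on failure."""
    load = {s: 0 for s in SVMS}
    unprotected = 0  # VDIs whose primary and secondary are both down
    for primary, secondary in vdis:
        target = next((s for s in (primary, secondary) if s not in down), None)
        if target is None:
            unprotected += 1
        else:
            load[target] += 1
    return load, unprotected

def pooled_load(vdi_count, pool=SVMS, down=frozenset()):
    """Clients per SVM when a manager hands each VDI the least-loaded healthy SVM."""
    healthy = [s for s in pool if s not in down]
    load = {s: 0 for s in pool}
    for _ in range(vdi_count):
        target = min(healthy, key=lambda s: load[s])
        load[target] += 1
    return load

if __name__ == "__main__":
    vdis = build_static_assignments()
    print("static             :", static_load(vdis))
    print("static, svm-1 down :", static_load(vdis, down={"svm-1"}))
    print("pooled             :", pooled_load(len(vdis)))
    print("pooled, svm-1 down :", pooled_load(len(vdis), down={"svm-1"}))
```

In the static model the newly added svm-4 stays idle and a single failure piles 100 VDIs onto svm-2, while the pooled model spreads the same 120 VDIs evenly across whichever SVMs are healthy.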
In conclusion, ArchetypeSC was brought on to provide guidance and expertise to this billion-dollar financial institution while we vetted their upgrade plan. We delivered value to our client, and major changes were made to the plan because we found faults or better ways to accomplish the overall goals. Changing a production ePO environment is a task that takes careful planning, and no detail is too small. This article focuses on the McAfee MOVE portion of our engagement; in future posts I will share some of the other major considerations when planning, testing, and implementing a McAfee ePO infrastructure.