014.50 - Lab Guide - Kaspersky Security For Virtualization. Agentless
KL 014.50
Kaspersky Security for Virtualization 5.0. Agentless
Lab Guide
Kaspersky Lab
www.kaspersky.com
Table of contents
Lab 1. Start the virtual machines
Lab 2. Configure NSX for the file scan service of Kaspersky Security for Virtualization
Lab 3. Configure NSX for deploying the network protection service of Kaspersky Security for Virtualization
Lab 4. Register Kaspersky Security for Virtualization services with NSX
Lab 5. Deploy the services of Kaspersky Security for Virtualization
Lab 6. Activate Kaspersky Security for Virtualization
Lab 7. Configure a protection policy for Kaspersky Security for Virtualization
Lab 8. Enable protection
Lab 9. Test file protection
Lab 10. Perform on-demand scanning
Lab 11. Test Network Protection
Lab 12. Test Network Monitor
L–2 KASPERSKY LAB™
KL 014.50: Kaspersky Security for Virtualization 5.0 Agentless
Lab 1. Start the virtual machines
Scenario. Let us prepare for the labs: Connect to vCenter Server and start the virtual machines.
Contents:
Run Microsoft Remote Desktop and connect to the remote server. Then connect to your virtual environment using Internet
Explorer.
Start the virtual machines DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr.
Conclusion
You have powered on the virtual machines and are ready to start the labs.
Lab 2. Configure NSX for the file scan service of Kaspersky Security for Virtualization
Scenario. ABC Inc. has a virtual infrastructure on VMware vSphere. The IT department plans to deploy the NSX network
virtualization platform. It will allow the administrators to create new network configurations faster and automate the workflow.
To provide security for such a dynamic environment, the company has decided to deploy Kaspersky Security for
Virtualization | Agentless, a protection solution integrated with NSX.
In this lab, we will prepare the infrastructure for installing the file protection service of Kaspersky Security for Virtualization.
The Guest Introspection service is necessary for various NSX technologies; for example, it provides Kaspersky Security for
Virtualization with the files to be scanned.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Conclusion
The Guest Introspection service is a virtual machine and an ESXi module. The NSX Manager installs them (using ESX Agent
Manager) on each node of an ESXi cluster. This service is necessary only for the file protection service of Kaspersky Security
for Virtualization.
Lab 3. Configure NSX for deploying the network protection service of Kaspersky Security for Virtualization
Scenario. In addition to protecting the file system of virtual machines, ABC Inc. plans to scan network traffic. To achieve this,
you need to prepare the virtual network infrastructure. An NSX Advanced or NSX Enterprise license is a must.
To protect the file system, the free NSX for vShield Endpoint license, which is included with the NSX installation by default,
is sufficient.
Contents:
With the default NSX license, you can use the file protection of Kaspersky Security for Virtualization. To protect virtual
machines against network attacks, at least an NSX Advanced license is required. Let’s add it.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Now, we have a license and need to install NSX components on the cluster. Kaspersky Security for Virtualization will use
these components to scan the traffic of virtual machines.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Conclusion
The cluster is ready for the installation of both Kaspersky Security for Virtualization services now. Prior to being installed, the
services must be registered with NSX. We will do it in the next lab.
Lab 4. Register Kaspersky Security for Virtualization services with NSX
Scenario. Kaspersky Security for Virtualization services can be installed only via the NSX interface. You need to register
Kaspersky Security services with NSX using a wizard available in the Integration Server Management Console of Kaspersky
Security for Virtualization. The Integration Server Management Console opens from the Kaspersky Security Center console.
Contents:
The Integration Server connects to vCenter server to receive the list of virtual infrastructure objects, including the list of virtual
machines. For this purpose, the Integration Server needs credentials of an account that has Read-Only permissions for vCenter.
To be able to scan drives of templates and powered-off virtual machines, the Integration Server also needs permissions for
changing the settings of the file protection service virtual machine.
Create a new role KsvViis for the Integration Server in vCenter and grant it the following privileges: ESX Agent Manager |
Modify, Virtual machine | Add or remove device, Virtual machine | Add existing disk and Virtual machine | Remove Disk.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
The Integration Server of Kaspersky Security for Virtualization | Agentless requires a user account with limited permissions.
We created the KsvViis role with these privileges in task A. In this task, we will create an account and grant it the KsvViis
role’s permissions for the vCenter root node.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
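The role and permission described in these two tasks can also be created and audited from VMware PowerCLI. The script below is an added example, not part of the lab guide: the service account name is hypothetical, the privilege IDs are the API identifiers that correspond to the four privileges listed above, and propagating the permission from the root node is an assumption.

```powershell
# Added example (not from the lab guide). Requires the VMware PowerCLI module.
$vCenter   = 'vcenter.abc.lab'       # vCenter name used in this lab
$roleName  = 'KsvViis'               # role name from the guide
$principal = 'ABC\ksv-integration'   # hypothetical account name (assumption)

# Privileges listed in the guide, written as vSphere privilege IDs
$wanted = @(
    'EAM.Modify',                             # ESX Agent Manager | Modify
    'VirtualMachine.Config.AddRemoveDevice',  # Virtual machine | Add or remove device
    'VirtualMachine.Config.AddExistingDisk',  # Virtual machine | Add existing disk
    'VirtualMachine.Config.RemoveDisk'        # Virtual machine | Remove Disk
)
# Read-only privileges that vCenter includes in every custom role
$implicit = @('System.Anonymous', 'System.Read', 'System.View')

Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

# Create the role only if it does not exist yet
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $wanted)
}

# Least-privilege audit: the role must hold exactly the four privileges
$actual  = @($role.PrivilegeList | Where-Object { $_ -notin $implicit })
$excess  = @($actual | Where-Object { $_ -notin $wanted })
$missing = @($wanted | Where-Object { $_ -notin $actual })

foreach ($p in $excess)  { Write-Warning "Excess privilege on ${roleName}: $p" }
foreach ($p in $missing) { Write-Warning "Missing privilege on ${roleName}: $p" }
if ($excess.Count -or $missing.Count) {
    throw "Role $roleName does not match the documented privilege set."
}

# Grant the role on the vCenter root node (propagation is an assumption)
$root = Get-Folder -NoRecursion
$granted = Get-VIPermission -Entity $root -Principal $principal `
    -ErrorAction SilentlyContinue | Where-Object { $_.Role -eq $roleName }
if (-not $granted) {
    New-VIPermission -Entity $root -Principal $principal -Role $role `
        -Propagate $true | Out-Null
}

# Show the resulting permission for review
Get-VIPermission -Entity $root -Principal $principal |
    Select-Object Principal, Role, Propagate
```

Re-running the script after later changes to the role shows whether it has drifted from the documented privilege set.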
Kaspersky Security Center components include a management plug-in for Kaspersky Security Center and an integration server
responsible for interaction with vCenter and NSX. Install these components on the computer where the Kaspersky Security
Center server is installed.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
26. Accept the License Agreement and the Privacy Policy and
click Next
Add the vcenter.abc.lab vCenter to the integration server and register the services of Kaspersky Security for Virtualization
with NSX.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
In the previous task, the Integration Server of Kaspersky Security for Virtualization registered itself as a Service Manager with
NSX, which is responsible for two services: File Antimalware Protection and Network Protection. Let’s make sure of that.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Conclusion
In this lab, we have installed the management components of Kaspersky Security for Virtualization, which include the
Integration Server, Integration Server Management Console, and also a plug-in for Kaspersky Security Center. We used the
Integration Server to register the Kaspersky Security for Virtualization services with NSX.
Lab 5. Deploy the services of Kaspersky Security for Virtualization
Scenario. You registered the Kaspersky Security for Virtualization services with NSX. Now they will be available in the list of
NSX services, and you will be able to deploy them in a few simple steps.
Install the services of Kaspersky Security for Virtualization: File Antimalware Protection and Network Protection.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
8. Click Finish
9. Wait for the installation to complete
Conclusion
In this lab, we deployed two services of Kaspersky Security for Virtualization on the ESXi host. These are virtual machines
that will protect the infrastructure from various threats using the APIs provided by VMware.
The protection does not work yet: Kaspersky Security for Virtualization must be activated and databases must be updated first.
Lab 6. Activate Kaspersky Security for Virtualization
Scenario. When deploying service virtual machines, the Integration Server automatically connects them to the KSC Server. To
activate a license and update databases on the service virtual machines, configure tasks in Kaspersky Security Center.
Contents:
You installed management components of Kaspersky Security for Virtualization, including the plug-in for Kaspersky Security
Center. When Kaspersky Security Center finds a new plug-in, it starts the Quick Start wizard. This wizard created an update
task for the Managed devices group in Lab 3.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Add activation codes to the licenses repository of Kaspersky Security Center and activate the application with activation keys.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Unlike most Kaspersky Lab products, Kaspersky Security for Virtualization can use two active licenses simultaneously: one for
servers and one for workstations. The Kaspersky Security Center interface cannot display two active licenses for a single
product on a managed device. For this reason, Kaspersky Security for Virtualization transfers a dummy license for the total
number of protected nodes to the KSC Console.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Conclusion
Kaspersky Security for Virtualization has two types of licensing: per processor on ESXi hosts and per protected virtual
machine. A virtual machine is considered to be protected if it is running, the services of Kaspersky Security for Virtualization
are applied to it via a security policy on vCenter, and a security profile is applied via a Kaspersky Security Center policy.
This lab demonstrates how Kaspersky Security Center works with virtual machine licenses.
Lab 7. Configure a protection policy for Kaspersky Security for Virtualization
Scenario. Prior to enabling protection, you need to configure a policy for Kaspersky Security for Virtualization in Kaspersky
Security Center. This way, you can be sure that virtual machines have proper security settings from the very beginning.
You want protection to have minimal impact on the servers’ performance, and for this reason you have decided to create an
individual profile for them.
Contents:
The Quick Start wizard creates a policy for Kaspersky Security for Virtualization. In this task, we will modify its settings. We
will disable network drive scanning in the policy, since we will protect not only workstations but also servers. Double scanning
is undesirable.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
To configure a new profile for servers, we will need the standard Microsoft exclusions, which are to be exported from the
default protection profile.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
In the policy, connect to the virtual infrastructure and assign the main protection profile to it, and the Servers protection profile
to the Windows-Svr virtual machine.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
38. Note that the policy displays the infrastructure of all VMware
vCenter servers, and no protection profile is assigned by
default
39. Select the Integration Server object in the infrastructure
40. Click Assign protection profile above the infrastructure list
Conclusion
In this lab, we have configured the policy of Kaspersky Security for Virtualization. We created a protection profile and
assigned it to a virtual machine. Profiles can also be assigned to vApps, hosts, clusters, and datacenters.
Lab 8. Enable protection
Scenario. You have completely prepared the infrastructure: deployed both services of Kaspersky Security for Virtualization,
created a policy, and activated the application. Create an NSX security policy to enable protection for virtual machines.
Contents:
Preparation
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.
Create a security group that will include all virtual machines of Lab Cluster.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Create an NSX policy; specify both services of Kaspersky Security for Virtualization in the policy.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Now the virtual machines are protected and can be monitored via Kaspersky Security Center. Open the reports about the
protection status and keys to consult information about the virtual machines.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Conclusion
Finally, after a long preparation, the virtual machines have been protected. We created a single policy for our cluster. In real
life, you can create two different policies for File Antimalware Protection and Network Protection for greater flexibility.
Lab 9. Test file protection
Scenario. The virtual machines are protected in the cluster. Now we can use a test malicious file to make sure that everything
works as expected.
Contents:
Task A: Run a test virus and consult reports in Kaspersky Security Center
Unpack an archive with the eicar.com test virus on the Windows-Svr virtual machine and check the detection events in
Kaspersky Security Center.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
When Kaspersky Security for Virtualization finds a malicious object, it assigns a security tag to the virtual machine via NSX.
Let’s make sure of that.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Conclusion
In this lab, we made sure that protection works, and Kaspersky Security Center receives its events. Kaspersky Security for
Virtualization assigns a special security tag to a virtual machine where it has detected a malicious object. You can use this tag
to move the respective virtual machines to an NSX security group.
Lab 10. Perform on-demand scanning
Scenario. Real-time protection works with mild settings to reduce the load on the virtual machines. You need to create an
on-demand scan task for thorough scanning.
There is a virtual machine where Kaspersky Security for Virtualization detected a malicious file and to which it assigned a
security tag. If the task shows that this virtual machine is clean, Kaspersky Security for Virtualization will remove the security
tag.
Contents:
Preparation
The preparation is performed on Windows-Wks.
Create a task that will scan Windows-Svr and the powered-off Windows-Wks virtual machine for viruses. To avoid waiting
for too long, we will configure the task to scan zip archives only.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be powered on.
The Windows-Wks computer must be powered off.
Check whether the on-demand scan task has changed security tags on Windows-Svr and Windows-Wks.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be powered on.
Conclusion
The on-demand scan task has several functions in Kaspersky Security for Virtualization. It thoroughly scans the file system
and removes NSX tags from clean machines, thus helping the administrator monitor whether the virtual machines conform to
the security policy. To make the task remove the tags, in the scan scope, select Scan all files and folders except for those
specified (see step 22).
This lab also demonstrates how to scan powered-off virtual machines.
Lab 11. Test Network Protection
Scenario. We used the eicar.com test virus to check how File Antimalware Protection works. Now, we need to test the
Network Protection.
Contents:
Preparation
The preparation is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be
powered on.
Use the kltps utility to imitate a network attack from the Windows-Wks computer on TCP port 445 (SMB service) of
KSC-Svr. In Lab 7, we chose to block an attacking computer for 1 minute. Let’s test this.
The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and KSC-Svr machines must
be powered on.
Use a test malicious link and a test phishing link to make sure that web addresses are scanned.
The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.
Events about attacks and malicious web addresses are sent to Kaspersky Security Center. They contain general information
about the incidents.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Task D: Study the Network attack report
By default, there is no network attack report in Kaspersky Security Center. We will create it in this task.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Conclusion
In this lab, we tested Network Protection using a test attack utility and test malicious links. We also created a network attack
report to consult aggregate information.
Lab 12. Test Network Monitor
Scenario. The Network Protection service of Kaspersky Security for Virtualization can detect advanced network attacks. To
enable enhanced traffic analysis, you need to activate the service with an Enterprise license.
Install an Enterprise license on the service virtual machines and test enhanced network protection.
Contents:
Kaspersky Security for Virtualization does not have a license for workstations that supports Enterprise capabilities. To be able
to consume Enterprise capabilities on workstations, use a per-processor license (for hypervisors) rather than a per-node license
(for virtual machines).
Install a per-CPU Enterprise license on the service virtual machines. It enables you to activate enhanced network traffic
scanning on servers and workstations.
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
5. Click Select
6. Click Add
The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.
Open a test malicious link in Internet Explorer and receive a verdict by Network Monitor.
The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and KSC-Svr machines must
be powered on.
Open a file with a captured network attack in the WireEdit editor, and replace the IP address of the attacked computer with the
IP address of Windows-Svr.
The task is performed on Windows-Svr. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.
Task E: Reproduce the file with the captured network attack on the server and check the results
Use the PlayCap program to replay network traffic on the Windows-Svr computer and receive a verdict in the Kaspersky
Security Center console.
The task is performed on Windows-Svr. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.
Conclusion
In this lab, we have tested Network Monitor using a pseudo-malicious link and pre-captured network traffic.
v1.4.5