Desktop virtualization has become a key technology to help organizations transform their desktops to enable business agility, worker flexibility, business continuity, and overall, provide a better way to secure and manage their desktop environments. However, as these organizations begin their transformation, questions surface around the “how-tos” of this new environment. One of the biggest questions we get from customers is around security, and specifically, how to bring effective security measures into these virtual desktops without completely impeding performance.

Given the importance of this to our customers, Citrix has partnered with McAfee to deliver a “secure-by-design” security solution specifically created for XenDesktop. Through our strategic partnership and collaboration agreement, McAfee has developed McAfee Management for Optimized Virtual Environments (MOVE). MOVE AV for VDI is designed to make virtual desktop security simpler and more scalable for virtual desktop deployments by reducing CPU, memory and storage requirements, and simplifying desktop security and lifecycle management.

On March 24th, Kurt Roemer, Chief Security Strategist at Citrix, and Matt Fairbanks, Senior VP of Product and Solutions Marketing at McAfee, spoke about our partnership and how we are working to solve the security needs of desktop virtualization. If you would like to view this webinar, it is still available on-demand here. At this event we were unable to answer all of the questions from the audience. Here are answers to the remaining questions you raised:

Your questions:

Q: The ePO product requires a unique GUID on a per-machine basis and it does not work well in the provisioned environment. The current workaround is to blank the GUID in the provisioned image. The ePO product does not check in immediately without a GUID. Is there a fix or are we going to be “working around” for a while?
A: The best practice at this time is to delete the GUID from the Gold Image; the GUID will then be generated when the image comes online. The MA team is aware of this and has plans to address it in a future release.

Q: Does it support VMotion yet?
A: MOVE AV communication is IP-based at this time and only supports VMotion when using a load balancing solution. The MOVE AV agents can be pointed at the IP address of the load balancer, and the load balancer can distribute the requests to the virtual security appliances (offload servers).

Q: Does McAfee MOVE AV work when you have a Virtual Desktop whose disk is encrypted at the OS level?
A: If the disk is encrypted in a pre-boot environment, it should function as the encryption is transparent at that point.

Q: Is MOVE AV limited only to VDI or can we use for server?
A: Although the MOVE AV 1.5 for Virtual Desktops product (offloaded On Access Scanning) is designed for VDI, it can be used on Windows 2003 servers. The MOVE AV 2.0 release will be fully supported on Virtual Servers. There is also a MOVE AV for Virtual Servers product available that provides full VirusScan Enterprise in each Guest, and has hypervisor-aware scheduling of On-Demand scans.

Q: Does MOVE AV include an application firewall and antispyware?
A: Antispyware is part of the VSE signature set, but MOVE AV does not include an app firewall at this time. As MOVE AV utilizes VirusScan on the virtual security appliance (offload server), antispyware is included. The desktop firewall will be included in the MOVE AV for Virtual Desktops offering in the 2.0 release.

Q: Do we need to buy vShield endpoint if we use a VMware hypervisor?
A: MOVE AV is a hypervisor-agnostic platform and supports all three major hypervisor vendors without depending on a hypervisor API. It is not necessary to purchase vShield Endpoint.

Q: Does MOVE AV for Servers support Linux?
A: Not currently, but we are looking at adding support for other operating systems.

Q: If the MOVE AV Virtual Appliance fails does all AV protection for guests on that host fail as well?
A: No, we have the ability to set up redundant virtual appliances for failover purposes to ensure scanning services continue uninterrupted.

Q: Why would MOVE AV be a better solution than Solidcore for VDI?
A: MOVE AV is a good solution for a dynamic, changing environment, where delta files from the Gold Image must be scanned and protection from web malware must be taken into consideration. Application control is very useful in static environments where the applications used don’t change.

Q: If the MOVE AV Virtual Appliance locks up, does it affect the operation of the guest machines?
A: No, we have the ability to set up redundant virtual appliances for failover purposes to ensure scanning services continue uninterrupted.

Q: Is McAfee MOVE AV scanning only the memory versus the C: drive, which is read-only in a VDI environment?
A: MOVE AV optimizes the offloading of AV functions, on-access scanning and .DAT file updating, to relieve the virtual machines of these tasks. Memory protection can be addressed with the inclusion of Host IPS.

Q: Is the MOVE API for hypervisors still on the roadmap? Is it hypervisor agnostic? XenServer, Hyper-V, ESX? Can it be used with XenClient? How will it work?
A: The solution is hypervisor agnostic today and works with Citrix, Microsoft, and VMware without constraints of an API-based solution. At Citrix Synergy Berlin in Oct ’10, we demonstrated a prototype of MOVE AV on XenClient, but this is in early planning stages at the moment.

Q: Is there a fix for 609357: Quarantine, Clean and Repair functionality is not available with MOVE AV. Only Deny Access and Delete actions are available.
A: Yes, these functions will be available in upcoming releases of MOVE.

Q: Does MOVE AV work for the servers that are supporting the virtual environment, i.e. Citrix DDC or domain controllers?
A: MOVE AV for Servers could be utilized on any supported server OS.

Q: With McAfee MOVE AV, does all traffic then flow through the virtual appliance?
A: Not if the file is already in the local cache; it does not need to be scanned again because another VM has already scanned it and found it clean.

Q: We are both a VMware shop and a Citrix shop, can the Virtual Appliance reside on the VMware side while the MOVE AV Agents are installed on our XenServer VDI?
A: The best performance is reached if the Virtual Appliance resides on the same hypervisor as the images. However, other options are feasible if there are no constraints on the network. The MOVE AV virtual appliance is compatible with both XenServer and VMware ESX platforms.

Q: XenDesktop works with VMware ESX. Does MOVE AV for VDI work in that environment?
A: Yes.

Q: How does your VDI infrastructure support USB devices, like Microphone and USB Scanner?
A: Files from USB devices would be treated the same as those on the native storage volume.

Q: Is MOVE AV network scanning supported on Windows 2008 r2 with XenApp 6?
A: Supported, but not recommended. It is a better scenario for performance to utilize our VSE for Storage products to scan the data where it resides instead of moving the data over the wire to be scanned.

Q: Can you elaborate more on scanning VDI, how it offloads this process to an appliance?
A: The MOVE AV Agent is installed within each guest. Requested files are first checked against the local guest cache; if not found there, a cache lookup connection is made to the virtual security appliance, and if the file is not in the global cache either, it is scanned on the appliance. The response is then returned to the MOVE AV agent.
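To make the offload flow above (and the earlier points about the shared cache and redundant appliances) concrete, here is an added model of it in Python. It is not McAfee's or Citrix's code: the agent and appliance classes, the hash-keyed caches and the hash-list "engine" are constructed stand-ins that only illustrate the local-cache, global-cache, scan and failover steps.

```python
import hashlib

# Constructed stand-in for the appliance's detection engine: a set of SHA-256
# digests treated as malicious (a real engine uses .DAT signatures, not a hash list).
BAD_DIGESTS = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


class SecurityAppliance:
    """Model of one virtual security appliance (offload server) with the global cache."""

    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy       # set to False to simulate an appliance outage
        self.global_cache = set()    # digests already scanned clean by any VM
        self.scans = 0               # full scans actually performed

    def lookup_or_scan(self, digest):
        if not self.healthy:
            raise ConnectionError(f"{self.name} unreachable")
        if digest in self.global_cache:
            return "clean"           # global cache hit: no rescan needed
        self.scans += 1
        if digest in BAD_DIGESTS:
            return "infected"        # verdict is not cached, so access stays denied
        self.global_cache.add(digest)
        return "clean"


class MoveAgent:
    """Model of the in-guest agent: local cache first, then offload to an appliance."""

    def __init__(self, appliances):
        self.appliances = appliances  # primary first, redundant appliance(s) after
        self.local_cache = set()      # digests this guest already saw scanned clean
        self.offloads = 0             # requests that left the guest

    def check_file(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.local_cache:
            return "clean", "local-cache"
        self.offloads += 1
        for appliance in self.appliances:
            try:
                verdict = appliance.lookup_or_scan(digest)
            except ConnectionError:
                continue              # failover to the next redundant appliance
            if verdict == "clean":
                self.local_cache.add(digest)
            return verdict, appliance.name
        raise RuntimeError("no scanning service reachable")
```

Two agents sharing one appliance show why a file scanned clean in one VM is never rescanned for another, and marking the primary appliance unhealthy shows the request moving to the redundant one.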

We hope this has helped you understand our joint solution for desktop virtualization security. If you attended our webinar, thank you! If you would still like to view this webinar, you can watch it on-demand here.

We are very excited about this partnership with McAfee. Together, we are about to really bring scale and security back to virtual desktops.