When it comes to vGW antivirus and IDS, we get a lot of questions about performance, signatures, and whether traffic has to be sent to an external device for inspection.
With vGW, both the IDS and antivirus engine signatures are housed on the vGW Security VM (SVM). The packets are not sent to an external location for processing on the antivirus engine.
vGW antivirus also comes in two flavors: 1) an on-access scan and 2) an on-demand scan. Think of on-access as real time with a micro agent loaded in each VM, but with the signature repository residing on the SVM. If, for instance, a user tries to save an infected file to their VDI VM, the vGW on-access scan will intercept and quarantine the file. The on-demand option is more like point-in-time or offline antivirus. It uses a micro snapshot, scans the offline VMDK file, and then recommits the snapshot. This way, you can optionally schedule your VM scans during maintenance windows or off-peak hours to ensure that virus scanning does not negatively impact business-critical traffic.
Finally, the IDS engine is not inline and, therefore, firewall performance is not directly affected and the maximum throughput on any ESX/ESX(i) host in the environment is approximately 2 Gbps. The IDS processing is done on the SVM with stats rolled up for reporting to the Security Design management center. This processing can also be exported using packet mirroring or spanning to an external engine. Please note that this is only IDS and not an IPS option.
For more information please contact Cloud Security Sales.
Discussing a wide range of topics impacting enterprises and
data center security.