Integration of Kaspersky Security components with VMware virtual infrastructure

December 13, 2023

ID 90794

Integration of Kaspersky Security components with a VMware virtual infrastructure requires the following components:

  • Virtual infrastructure administration server (VMware vCenter Server, VMware Cloud Director). The component performs administration and centralized management of a VMware virtual infrastructure. The component participates in the deployment of Kaspersky Security. The virtual infrastructure administration server sends the Integration Server information about the VMware virtual infrastructure that is required for operation of the application.
  • VMware NSX Manager. The component prepares VMware ESXi hypervisors for deployment of protection, registration and deployment of Kaspersky Security services.
  • Virtual filter. This component lets you intercept incoming and outgoing network packets in the traffic of protected virtual machines. In an infrastructure managed by VMware NSX-V Manager, the VMware DVFilter technology acts as a virtual filter. In an infrastructure managed by VMware NSX-T Manager, the components of the VMware Network Service Insertion (SI) Service Chaining technology act as a virtual filter.
  • Guest Introspection Thin Agent. The component collects data on virtual machines and transmits files to Kaspersky Security for scanning. To enable Kaspersky Security to protect virtual machines, the Guest Introspection Thin Agent component must be installed on these virtual machines. On virtual machines running Windows, the NSX File Introspection Driver, which is included in the VMware Tools package, acts as the Guest Introspection Thin Agent component. For more details, refer to the documentation attached to VMware products.

  • Guest Introspection service. Provides interaction between the Guest Introspection Thin Agent component installed on the virtual machine and the SVM. In the infrastructure managed by VMware NSX-T Manager, the Guest Introspection ESXi Module acts as the Guest Introspection service. In the infrastructure managed by VMware NSX-V Manager, the Guest Introspection service virtual machine and the Guest Introspection ESXi Module act as the Guest Introspection service.
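
Because file protection depends on the Guest Introspection Thin Agent being present on every protected virtual machine, a fleet-wide check of that precondition is useful. The following is an added example, not Kaspersky or VMware tooling: it parses `fltmc filters` output collected from Windows guests and reports where the driver is missing or not attached. It assumes the NSX File Introspection Driver registers as the minifilter `vsepflt` (a name not given on this page); the VM names and sample output are constructed.

```python
import re

# Assumption (not stated on this page): on Windows guests the NSX File
# Introspection Driver appears in `fltmc filters` as the minifilter "vsepflt".
THIN_AGENT_FILTER = "vsepflt"

# Constructed `fltmc filters` output for three hypothetical VMs.
HEADER = (
    "Filter Name                     Num Instances    Altitude    Frame\n"
    "------------------------------  -------------  ------------  -----\n"
)
SAMPLE_OUTPUT = {
    "vm-app-01": HEADER + "vsepflt                 3       328200         0\n"
                          "FileInfo                3       45000          0\n",
    "vm-app-02": HEADER + "FileInfo                3       45000          0\n"
                          "Wof                     2       40700          0\n",
    "vm-app-03": HEADER + "VSEPFLT                 0       328200         0\n",
}

ROW = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s*$")


def parse_fltmc(text):
    """Return {filter_name_lowercase: instance_count}; header rows are skipped."""
    filters = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            filters[match.group(1).lower()] = int(match.group(2))
    return filters


def thin_agent_status(text):
    """Classify one VM: 'active', 'loaded-not-attached', or 'missing'."""
    filters = parse_fltmc(text)
    if THIN_AGENT_FILTER not in filters:
        return "missing"              # driver not installed or not loaded
    if filters[THIN_AGENT_FILTER] == 0:
        return "loaded-not-attached"  # loaded, but attached to no volume
    return "active"


def audit(outputs):
    """Map each VM name to its thin agent status."""
    return {vm: thin_agent_status(text) for vm, text in sorted(outputs.items())}


if __name__ == "__main__":
    for vm, status in audit(SAMPLE_OUTPUT).items():
        print(f"{vm}: {status}")
```
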

The File Threat Protection component interacts with the VMware virtual infrastructure in the following way:

  1. The user or any application opens, saves, or runs files on a virtual machine that is protected by Kaspersky Security.
  2. The Guest Introspection Thin Agent component intercepts information about these events and sends it to the Guest Introspection service.
  3. The Guest Introspection service relays information about received events to the File Threat Protection component installed on the SVM.
  4. If File Threat Protection is enabled in the active Kaspersky Security policy, the File Threat Protection component scans files that the user or an application opens, saves, or runs on the protected virtual machine:
    • If no viruses or other malware are detected in the files, Kaspersky Security grants access to the files.
    • If the files contain viruses or other malware, Kaspersky Security performs the action that is specified in the settings of the protection profile assigned to this virtual machine. For example, Kaspersky Security disinfects or blocks a file.

Interaction between the Network Threat Protection component and the virtual infrastructure depends on the traffic processing mode of the component. If you use the standard traffic processing mode, the Network Threat Protection component interacts with the VMware virtual infrastructure as follows:

  1. The virtual filter intercepts inbound and outbound network packets in the traffic of protected virtual machines and redirects them to the Network Threat Protection component installed on SVMs.
  2. If Network Threat Protection is enabled in the active Kaspersky Security policy, the Network Threat Protection component can, in accordance with the configured protection settings, scan network packets to detect activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. It can also scan all web addresses in HTTP requests to check whether they belong to the web address categories specified in the Web Addresses Scan settings.

    If Kaspersky Security does not detect a network attack, suspicious network activity, or a web address belonging to the web address categories selected for detection, it allows transfer of the network packet.

    If a network threat is detected, Kaspersky Security does the following:

    • If activity typical of network attacks is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If suspicious network activity is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If a web address belongs to one or more of the web address categories selected for detection, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows access to the web address.

If Kaspersky Security is deployed in the infrastructure managed by VMware NSX-V Manager and the network protection is running in the monitoring mode, the Network Threat Protection component interacts with the virtual infrastructure as follows:

  1. The virtual filter passes a copy of virtual machine traffic to the Network Threat Protection component.
  2. If Network Threat Protection is enabled in the active Kaspersky Security policy, the Network Threat Protection component can, in accordance with the configured protection settings, scan network packets and web addresses as in the standard mode. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it does not take any action to prevent the threats; it only sends information about the detected threats to the Kaspersky Security Center Administration Server.
