
Antivirus for filer ? looking for field experience

Hi,

I'm working on the pre-step for implementing a NetApp filer based on FAS3410.

The file server (today a Win Cluster with a few TB attached) will then be migrated to the NetApp box & CIFS will be used.

I'm therefore looking for field experience with AV for NetApp filers (a bit from all the approaches: performance, support quality and so on).

Would it be a good idea to host the AV server within an ESX infrastructure? (My first guess would be not to do it.)

Thanks,

Chris

Re: Antivirus for filer ? looking for field experience

The filer uses something called vscan.  Here's a sample output:

cabo> vscan

Virus scanning is enabled.

Virus scanners(IP and Name)      P/S Connect time (dd:hh:mm)  Reqs    Fails
----------------------------------------------------------------------------
43.160.104.24   \\SNOOPY        Pri    01:09:10             25505        0

List of extensions to scan:
??_,ARJ,ASP,BAT,BIN,CAB,CDR,CL?,COM,CSC,DL?,DOC,DOT,DRV,EML,EXE,GMS,GZ?,HLP,HT?,IM?,INI,JS?,LZH,MD?,MPP,MPT,MSG,MSO,OCX,OFT,OLE,OV?,PIF,POT,PP?,RAR,RTF,SCR,SHS,SMM,SWF,SYS,VBS,VS?,VXD,WBK,WPD,XL?,XML

List of extensions not to scan:
Extensions-not-to-scan list is empty.

Number of files scanned:  4733823
Number of scan failures:  6822
cabo>

Basically your choices are limited to whatever partners NetApp uses with this option. The big two are Trend and Symantec. I've run Trend in my shop for years; frankly, it's not very exciting. Namely because all your virus intrusion detection happens at the edge in the form of firewalls, email scanners, desktop software, etc. The way vscan works is like a proxy server: you make a file request, read or write, and vscan sends the request off to the virus scanner server for a quick scan before serving the data. Yes, this adds latency, so make sure your scanner is set up for GB and that you set your conditions not to scan huge files.

Other than that it's really not rocket science. I think of it as insurance for that rainy day when that consultant comes in with a laptop from hell and proceeds to infect the hand that feeds him. Of course he was paid in advance... but that's a story for another day.

Regards,

Re: Antivirus for filer ? looking for field experience

Be careful with sizing. The documentation is pretty good on vscan and the sizing of it. As a rough rule of thumb, each vscan server can deal with around 80-120 requests per second. If you're not sure what this works out as, last few customers I had run this had around 5000 users and were getting about 400 requests per second (filer hosting home dirs, user profiles and group shares).

Works well with Trend, Symantec, McAfee, etc. Basically just a server that deals with requests, and pretty uneventful. The thing to watch out for is the sizing and whatever default rules you put on. If you put on a default rule of delete on failure, and your AV servers can't deal with the requests quickly enough, then innocent files may get deleted.
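A monitoring check over the `vscan` status quoted earlier in the thread, watching the scanner count and failure counters that the sizing advice above is about. This is an added example, not part of any post; the 0.1% failure threshold and the function names are assumptions, and the server count uses the low end of the 80-120 requests/s rule of thumb.

```python
import math
import re

# `vscan` output copied from the reply earlier in this thread (extension list shortened).
SAMPLE = r"""Virus scanning is enabled.
Virus scanners(IP and Name)      P/S Connect time (dd:hh:mm)  Reqs    Fails
----------------------------------------------------------------------------
43.160.104.24   \\SNOOPY        Pri    01:09:10             25505        0
List of extensions to scan:
??_,ARJ,ASP,BAT
Number of files scanned:  4733823
Number of scan failures:  6822
"""

ROW = re.compile(r"(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\d+:\d+:\d+)\s+(\d+)\s+(\d+)$")
COUNTER = re.compile(r"Number of (files scanned|scan failures):\s+(\d+)$")

def parse_vscan(text):
    """Turn the status text into a dict: enabled flag, scanner rows, global counters."""
    status = {"enabled": "Virus scanning is enabled" in text, "scanners": []}
    for line in map(str.strip, text.splitlines()):
        if m := ROW.match(line):
            ip, name, role, _uptime, reqs, fails = m.groups()
            status["scanners"].append(
                {"ip": ip, "name": name, "role": role, "reqs": int(reqs), "fails": int(fails)})
        elif m := COUNTER.match(line):
            status[m.group(1)] = int(m.group(2))
    return status

def scanners_needed(peak_req_per_sec, per_server=80):
    """Servers required at the low end of the thread's 80-120 requests/s rule of thumb."""
    return math.ceil(peak_req_per_sec / per_server)

def findings(status, peak_req_per_sec, max_fail_ratio=0.001):
    """Return warnings; max_fail_ratio (0.1%) is an assumed alert threshold."""
    out = []
    if not status["enabled"]:
        out.append("virus scanning is disabled")
    have, need = len(status["scanners"]), scanners_needed(peak_req_per_sec)
    if have < need:
        out.append(f"{have} scanner(s) registered, {need} needed for {peak_req_per_sec} req/s")
    ratio = status.get("scan failures", 0) / max(status.get("files scanned", 0), 1)
    if ratio > max_fail_ratio:
        out.append(f"scan failure ratio {ratio:.3%} exceeds {max_fail_ratio:.1%}")
    out += [f"{s['name']} reports {s['fails']} failed requests"
            for s in status["scanners"] if s["fails"]]
    return out

if __name__ == "__main__":
    for warning in findings(parse_vscan(SAMPLE), peak_req_per_sec=400):
        print("WARN:", warning)
```

Run against live output on a schedule, a rising failure ratio is the early sign that a fail-closed or delete-on-failure rule is about to start hitting clean files.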

Re: Antivirus for filer ? looking for field experience

Hi there,

Thanks for your input.

I indeed found out that implementation as such is quite simple. What I'm actually trying to get from all of you is bits of information on the following questions (sorry if I haven't been clear enough in the first place):

- I have +/- 400 users, all data will be hosted on the NetApp (including home folders, profiles and so on). I'm thinking of two AV servers to begin with (I'll go deeper in my perf reports to find out exactly the number of requests / second & the trends over the past few months). Would that be OK?

- Can I safely / reasonably run the AV servers on an ESX platform? (I can think of possible network speed issues, and/or performance issues with the AV server itself.)

- Do you have any recommendations about the AV product itself (or any "NO GO")? I've had very different experiences with the AV vendors (their support, to be precise) and I'd like to avoid any known issue while "playing" with the storage.

- With a FAS3140 that will be used for FC / iSCSI / CIFS, what would be your recommendations? My thoughts so far:

     - Out of the 4 NICs, 2 dedicated to iSCSI (in fail-over mode, we're then talking of 1Gb/s throughput)

     - 2 for CIFS & AV scan (in fail-over mode, we're then talking of 1Gb/s throughput)

But I'm still in doubt about mixing the AV & CIFS traffic.

Thanks,

Chris

Re: Antivirus for filer ? looking for field experience

400 users across 2 AV servers sounds plenty, although it does depend how heavy those users are. Some vendors charge you per appliance, so having multiple servers doesn't cost any extra.

The customers I mentioned before all run AV in an ESX environment. Things to watch out for are that the AV server will generally have a very high CPU and memory usage almost all the time. So whatever you size it for, make sure you have those resources free. You may want to disable DRS for this one server as VMware tends to try to move it around a lot!

I haven't had any bad experiences with AV products. Most vendors are relatively good with virus updates. From a support side, I've never really had to deal with it as there's little to support, so I'm afraid I can't give you much advice there. What I would say is use a different vendor than your main AV solution. Ideally you would have one vendor on the gateway, a different one on the desktops, then another one on the filer. This helps to cover your bases as each will use slightly different heuristics and have different cycles for virus signature updates.

I think the general rule of thumb is that you need a dedicated network for AV scanning. This would be the case both on the filer and on the ESX side of things. I wouldn't run it over your normal corporate network as there is a lot of traffic, and the response times are very critical! This may leave you in a sticky situation with CIFS traffic though, as you may not want a single NIC for CIFS.

Out of interest, where are you getting 4 ports from? The 3140 has 2 ports onboard (don't confuse the e0M and console ports!!!), and most PCI cards are 4 port cards. So surely you would have either 2 or 6 ports?

Re: Antivirus for filer ? looking for field experience

Thanks for your valuable input.

I've just checked the number of NICs; I'm afraid I misread. I'll then go for 6 ports. That would then give:

  - 2 for iSCSI (to be replaced with 10GbE when available and when our switches are ready for 10GbE),

  - 2 for AV,

  - 2 for CIFS.

I'll probably contact a few vendors for the AV engine and run some tests then.

Thanks a lot for your time, it cleared the path for me.

Re: Antivirus for filer ? looking for field experience

Hi Christopher,

In our storage infra, we are using Symantec Scan Engine for NetApp, and the licensing is based on per filer and per number of users, so you don't have to worry about how many scan servers you will use. To start with 400 users, I recommend having at least 3 scan servers: 2 as your primary scan servers and 1 as your secondary (or backup) scan server. 2 scan servers is enough, but then you don't have any secondary scan server.

On our side, we actually use a good server with a good processor and memory. If your VMware/ESX can handle the scan server CPU & memory requirements it will be fine, but in my experience, I would not suggest putting the scan servers in a VMware infra; I suggest that you use separate standalone servers.

I've tested and used Trend Micro, but we chose Symantec because our corporate is using it already. There are no known issues with either product; just make sure you read the configuration requirements carefully, because different brands have different configurations and different behaviors.

For your network configuration, I recommend having a separate network/VLAN for your scan servers, apart from your CIFS/public traffic.

Hope this helps.

Regards,

Anton

Re: Antivirus for filer ? looking for field experience

Hi Antoni,

Thanks for your input.

I'll probably go for 2 "physical" AV servers, with the stand-by one in ESX.

I'll really have to test all the scanners, as the choice is free here (we have policies for desktop and so on, but this is something a bit different).

Cheers,

Chris