This document outlines points to consider when using anti-virus or endpoint security software on Delphix connected Environment Hosts. This document does not present a specific problem and solution. The information here is aimed at helping you understand the implications of using active security solutions on hosts running Delphix Staging instances or VDBs.
The information here is also broadly relevant to hosts that are not related to Delphix.
Applicable Delphix Versions
- Major Release: 6.0
Generally, anti-virus software and/or endpoint security software is both intrusive and extremely resource intensive. This is manageable to some degree on personal workstations where, compared to a server, the following is true:
- The IO load is light
- Any impact is confined to a single user
It may also be possible to deploy anti-virus / endpoint security software effectively on servers with low IO throughput. However, the general mode of operation for most software of this type is that it:
- Scans all files being opened and read
- Scans incoming traffic over the network
Therefore, it introduces intensive processing layers between an application and the data. In the case of a database (not specific to Delphix), both introducing latency and taking compute resources away from the database server are expected to have a negative impact on performance. The more IO intensive the database, the more severe the impact that anti-virus / endpoint-security software is likely to have.
In the case of Staging or Target hosts connected to a Delphix Engine, this problem can be made worse because:
- The databases will probably generate IO load reading files.
- Those files are accessed over the network.
- The Delphix appliance allows multiple VDBs to be easily hosted on a single server, which increases the IO load (and therefore the file and network traffic that security software will attempt to scan).
- The Delphix appliance is constantly making connections to the Target and Staging hosts and pushing new executable files which will all be scanned.
However, anti-virus / endpoint-security software is not simply file scanning and network scanning. There is a wide range of differences in capabilities and features. To give an example, common security software may provide any of the following:
- File scanning on schedule
- File scanning on open
- File scanning on read system calls
- IP packet sniffing
- Layer 3-5 network traffic analysis
- Binary execution scanning
- Keystroke analysis
- Full Windows win32 API replacement (common with some more invasive endpoint security products like Trusteer)
For this reason, it is not possible for Delphix to provide simple instructions on what to exclude. The toolkit directory path and VDB mount paths would be logical to put on any exception list, as would traffic on TCP ports 8415, 445, 9100, 3260 and 2049 (indeed, all the ports mentioned in the Delphix network requirements for your dataset type). However, security software can be unpredictable in what it may do or scan.
Deploying Anti-Virus / Endpoint-Security Software
Before deploying security software, a security officer and system administrator should ask the following questions:
- Is this host located on a vulnerable area of the network or a secure area of the network?
- Is the host at risk from end-user actions that may result in security risks (opening attachments, access to the internet, et cetera)?
- What is the expected IO load of the host?
- Does the host have sufficient resources and network throughput to cope with the added load of security software? Will that scale well or poorly under extreme IO loads?
- What is more important for this host? Performance and service availability? Or security (and possible service disruptions)?
- Is there another way to secure the host (such as a secure subnet, secure location, named user accounts, et cetera)?
- Probably the simplest question is, if this host were a critical production database server, would you install anti-virus / endpoint-security on it?
It is a fact that negative impact has been observed in many cases due to the specific choices made to secure Delphix connected Environment Hosts. Common problems include:
- Slow performance (minor degradation)
- Slow performance (nearly unusable)
- Service outages (database cannot be provisioned or run)
If the choice or configuration of anti-virus / endpoint security software is a suspected cause for poor IO performance, it is possible that one or more of the following actions may resolve the problem:
- Create an exception list of directories and network interactions that should not be scanned.
- Or, disable the anti-virus / endpoint-security software service.
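One way to assemble the candidate exception list described above (toolkit directory, VDB mount paths, and the TCP ports named earlier) on a Linux host. This is an added example, not Delphix code. It assumes the VDB mount paths are NFS mounts served by the engine, and the engine address `192.0.2.10`, the toolkit path `/opt/toolkit`, the sample mounts and the `path` / `tcp-port` output format are all constructed for illustration.

```shell
#!/bin/sh
# TCP ports named in the article; confirm against the Delphix network
# requirements for your dataset type.
DELPHIX_PORTS="8415 445 9100 3260 2049"

# Print mount points of NFS filesystems served by one engine address.
# $1 = engine address (placeholder), $2 = file in /proc/mounts format.
delphix_nfs_mounts() {
    awk -v engine="$1" '
        # fields: source mountpoint fstype options dump pass
        $3 == "nfs" || $3 == "nfs4" {
            host = $1
            sub(/:\/.*$/, "", host)      # host:/export -> host
            if (host != engine) next     # skip NFS from other servers
            mp = $2
            gsub(/\\040/, " ", mp)       # /proc/mounts writes a space as \040
            print mp
        }' "${2:-/proc/mounts}"
}

# Emit candidate exclusions, one per line, in a made-up "kind value" format.
# $1 = engine address, $2 = toolkit directory, $3 = mounts file.
exclusion_candidates() {
    printf 'path %s\n' "$2"
    delphix_nfs_mounts "$1" "${3:-/proc/mounts}" |
        while IFS= read -r mp; do printf 'path %s\n' "$mp"; done
    for port in $DELPHIX_PORTS; do printf 'tcp-port %s\n' "$port"; done
}

# Constructed sample; addresses and paths are invented for illustration.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
192.0.2.10:/export/a /mnt/provision/vdb01 nfs rw,vers=3,proto=tcp 0 0
192.0.2.10:/export/b /mnt/provision/QA\040copy nfs4 rw 0 0
192.0.2.77:/exports/home /home nfs rw 0 0
EOF
}

tmp=$(mktemp)
sample_mounts > "$tmp"
# /opt/toolkit is a hypothetical toolkit directory.
exclusion_candidates 192.0.2.10 /opt/toolkit "$tmp"
rm -f "$tmp"
```

The output is a review list for the security officer and system administrator, to be translated into whatever exclusion syntax the deployed product uses. NFS mounts from other servers (here `/home`) are deliberately left out so the exception list stays as narrow as possible.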