Project Virtual Reality Check

Ruben Spruijt / Jeroen van de Kamp @PROJECTVRC #PROJECTVRC

Jeroen van de Kamp: j.kamp@loginconsultants.nl @theJeroen

Ruben Spruijt: rsp@pqr.nl @rspruijt

Topics of Today
Introduction Project VRC

Deep-Dive into
Impact of App Virtualization in VDI

Comparing HyperVisors for VDI

Comparing AV for VDI

Roadmap

A couple of questions
Whos administering/building VDI?

Whos on Windows XP?

Whos on Windows 7? Whos doing/considering stateful/persistent VDI? Whos doing/considering stateless/non-persistent VDI? Who is using AV in VDI statefull?

Who is using AV in VDI stateless?

Who does a scheduled/manual scan during production hours?

.
Performance Analysis & Review VDI + SBC

Independent & Unbiased

Unbiased and Independent!

..

www.VirtualRealityCheck.net

So far
Phase 1 & 2: SBC

Phase 3: Windows XP & Windows 7

Phase 4: Application Virtualization Phase 5: Anti-Virus > Planned

Test platform VRC

Server Brand/Model
CPU Memory Disk RAID level RAID controller NIC

HPDL380G6
2 x Intel Quad core 5500@2.67GHz Nehalem (16 logical cpu!) 96 GB DDR3 8 x 146Gb, 820.2Gb, dual port 10.000RPM Serial SCSI RAID-5 with online spare HP Smart Array P400i, with 512MB and Battery Backed Write Cache NC373i Gigabit Adapters, Broadcom 5708

vSphere 4.1 Update 2 ESXi

Login VSI
Turn-Key Benchmark for SBC + VDI (hosted)

Considered Industry Standard (driven by Citrix!)

Protocol independent

Standard workloads: light, medium, high & multimedia

Data randomization
Used by: Citrix, MS, Dell, HP, Cisco, VCE, EMC, Intel, Quest, Panologic, Atlantis, Fujitsu, Virsto, Hitachi, Datacore, McAfee, CSC, FusionIO, Unidesk

Single Server

Configuration 1

Start the test

Saturation

Configuration 2

Start the test

Saturation

Login VSI
7 7 7 7

File Share

Logging

Hypervisor

Launcher Master

Launcher Slave

VSI User Simulation workload

Office:
Outlook,
Word, PowerPoint Excel

PDF printer & Adobe PDF Internet Explorer (multiple sites + Flash Video) FreeMind (Java)

VSImax

.
Phase IV

AppVirt on VDI: test setup

3 major AppVirt vendors:

..

Citrix Application streaming

Microsoft App-V VMware ThinApp

Office 2007 suite virtualized as 1 package Different scenarios: streamed, precached, shared cache

VDI
7 7 7 7

AD File Share

Logging

Hypervisor

Please Note
Project VRCs goal is to investigate overall performance impact of AppVirt in VDI.

Project VRC does not recommend virtualizing the Microsoft Office suite as an overall best practice.

streamed vs. Local installed %

Bug > Fix!

streamed vs. Local installed % - upd.

Typical Streaming Scenario

Office Locally Installed
Outlook
Word

PowerPoint

Streamed Apps
Excel 2007
PDF Reader Freemind

Typical Streaming Scenario (%)

AppVirtualization: Conclusion
Worst/worse case scenario or reality?

Impact VSIMax: up to 20-40%

Typical Impact: 5-10%

Streaming apps = up to 22-45% less READ IOs

Streaming apps = up to 20-45% more WRITE IOs

Check response times in whitepaper

Application Virtualization IS key in Optimized (virtual) Desktop

Phase V: Comparing Hypervisors

vSphere: Memory Overcommit: Win7 120VM Pre-Booted

Windows 7 Dynamic Memory (SP1) on Hyper-V

Windows 7 Dynamic Memory (SP1) on Hyper-V

ASLR: Address Space Layout Randomization

ASLR: Address Space Layout Randomization

Hyper-V R2 sp1: ASLR (%)

XenServer 5.6: ASLR (%)

vSphere 4.1: ASLR (%)

Win 7 on XS vs ESXi vs Hyper-V (%)

Win 7 on XS vs ESXi vs Hyper-V (%)

Conclusion
Performance differences are small: max 10%
Hyper-V R2

Dynamic Memory is an important feature

Reduced risk of swap on host level

Behavior under high load: XenServer impressive

VDI & AntiVirus

.
VIRUSSCANNER: TOTAL I/Os

Jonathan Meunier

Anti-virus solutions
Microsoft Forefront Endpoint Protection 10

Trend Micro
OfficeScan 10.5

DeepSecurity 7.5*

McAfee
Move AV 2.0
Endpoint protection*

Symantec Endpoint Protection 12.1

Normal VSI results

Default Install ForeFront ..

Protect desktop VMs

AV directly installed on the VMs
FEP, TM OfficeScan

Manager, agents on the VMs

SEP

Manager, Security VM, agents on the VMs

Deep Security Move

ForeFront Endpoint Protection

AV Image
Deploy

AV VM 1

AV VM x

Hypervisor

Symantec Endpoint Protection

Deployment of the agents Manager Agent VM 1 Agent VM x Linked to AD

Hypervisor

McAfee Move AV

Deployment of the agent

Manager Agent SVM Win 2k8r2 SVM Win 2k8r2 idle VM 1 Agent VM x

Hypervisor

Trend Micro Deep Security

Deployment of the agent

Manager AV SVM Linux

vShield

AV

vShield

VM 1

VM x

FilterDriver

Hypervisor
vShield Appliance

DISCLAIMER!
Results will change!!!

Results are only about performance during production, does not say anything about
Quality of security features
Impact of maintenance

Etc

Context: AV is tested Stateless: VMs are reset before every test

Jonathan Meunier

ForeFront 2010
Custom 1
Incoming files only

Custom 2
Incoming Files
behavior monitoring disable

Network inspection disable

Heuristics Disabled
Custom 2

Trend Micro Office Scan

Behavior Monitor Disable

TM Best Pactices
Max Layer Scan Compressed files = 1

Scan OLE object Max Layer = 1

Disable IntelliTrap

Baseline Response Time

Total IOs

Total Read IOs

Total Write IOs

Total Write IOs @ 60 sessions

Conclusions
Testing AV is complicated

VRC system is balanced: CPU/MEM/DISK IO

AV + Stateless??!!
Image is not fully scanned after resets AV agents loose registration/connection in central

manager after reboot

Licensing/Certificate issues CPU impact on boot or Service do not start

Conclusions
Offloading introduces Response time Latency

Offloading architectures are complicated

Do AV vendors fully understand VDI? (discussion performance versus functionality) Availability Best Practices

Closing thoughts AV
What is the impact AV + AV?

Stateful scenario needs also testing

Scheduled/Manual Scan Need for RAW IO data Memory Consumption Logon Process CPU

Roadmap!?!
Project VRC 2012 =

More info:
www.virtualrealitycheck.net

www.twitter.com/ProjectVRC
www.loginconsultants.com (VSI) www.pqr.nl Special thanks to: Sven Huisman (PQR, @svenh)

j.kamp@loginconsultants.nl rsp@pqr.nl