
Cb Protection and Multi-user VDI environments


This article comes from Tracy Camp (Lead, Principal Engineer).

We have been putting a lot of engineering focus on ensuring that Cb Protection (CbP) scales appropriately in ‘VDI’ environments like Microsoft Server Remote Desktop Services (RDS) or Citrix XenDesktop.  These products essentially make use of the underlying multi-user capabilities of the Microsoft Windows Server platforms to provide multiple concurrent desktop sessions against a single running instance of Microsoft Windows Server.  This method of implementing a VDI environment means that a single CbP agent manages all of the activity of every logged-in user concurrently.  In such environments the number of events and objects that the CbP agent must track can be an order of magnitude larger than on a Microsoft Windows Server hosting some workload with a finite number of interactive users.

We are not done with improving our performance in multi-user VDI environments by any means.  This post is intended as a status report on our progress to date.

In our analysis of performance in a multi-user VDI environment, we discovered two general areas of performance bottleneck that predominated.

Impact from number of processes running in a typically busy multi-user VDI environment.

We recently released CbP 7.2.3 patch 3 which changes the way we handle process locks.  We have modified the granularity of locks used in the parity.sys driver to track processes and loaded images within a process from a global system-wide lock to a per-process lock.  What this means is that we do not have to interrupt activities occurring on other processors every time we need to read or update information about a specific process.  This allows for more parallelism from hardware to be achieved and is a generally beneficial improvement to many workloads aside from multi-user VDI.

We have a dedicated in-house team that runs an extensive set of performance benchmarks.  This includes typical desktop workloads, as well as server and software engineering workloads.  In order to test the effectiveness of this change in a VDI environment, our performance test team invested in a third-party tool intended for tuning VDI environments.

Because the details of our specific test VDI environment and just about any other production environment will differ, and a fair amount of complexity is involved in setting up, conducting, and interpreting the results, we are avoiding ‘specific numbers’ here.  However, we can say that we are seeing a 30% performance improvement in this area between 7.2.3 patch 2 and 7.2.3 patch 3.

User login and logoff impact

Our analysis showed that another of our performance bottlenecks was due to activity associated with updating the user-specific portions of the current policy.  Specifically, per-user rules, or macros that referenced a user profile or registry hive, could result in a large amount of work to recalculate the effective policy on each user login and logoff event.  In a busy multi-user VDI environment, user login and logoff events are frequently as common as launching and closing business applications.

In the forthcoming 8.0 release we have made two changes to the CbP agent.  The first is to recalculate the effective policy set only on user login; if a user logs off, we leave the per-user policies in place until the next policy recalculation occurs.  The second change is to how we handle user-profile directories or user hives: instead of a set of specific file or registry paths that are recalculated for each individual user, they become symbolic patterns.  This can reduce the size of the effective policy set in a busy multi-user VDI environment considerably and can frequently reduce the number of times that the effective policy set needs to be recalculated due to a user logging in.
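As an added illustration (not Carbon Black's code; the macro names, paths, SIDs and rules are constructed placeholders), this Python sketch compares the two approaches described above: expanding per-user paths for every logged-in user versus one symbolic pattern per rule, and counts how many effective-policy rebuilds a login/logoff stream triggers under each behaviour.

```python
import re

# Constructed example rules. "<UserProfile>" and "<UserSid>" are placeholder
# macro names for this illustration, not CbP's own macro syntax.
RULES = [
    r"<UserProfile>\AppData\Local\Temp\*.exe",
    r"<UserProfile>\Downloads\*",
    r"HKEY_USERS\<UserSid>\Software\Vendor\*",
]

def expand_per_user(rules, users):
    """Pre-8.0 style: one concrete path per rule for every logged-in user,
    so the effective set grows with the session count and must be rebuilt
    whenever the set of users changes."""
    effective = []
    for name, sid in users:
        for r in rules:
            effective.append(r.replace("<UserProfile>", rf"C:\Users\{name}")
                              .replace("<UserSid>", sid))
    return effective

def expand_symbolic(rules):
    """8.0 style: the macro becomes a wildcard segment matching any profile
    or hive, so the size of the effective set is independent of who is on."""
    return [r.replace("<UserProfile>", r"C:\Users\*")
             .replace("<UserSid>", "S-1-5-21-*") for r in rules]

def _to_regex(pattern):
    # '*' matches within a single path segment; everything else is literal.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + r"[^\\]*".join(parts) + "$", re.IGNORECASE)

def matches(effective, path):
    """True if any rule in the effective set covers the given path or key."""
    return any(_to_regex(p).match(path) for p in effective)

def recalculations(events, recalc_on_logoff):
    """Count effective-policy rebuilds for a login/logoff event stream.
    The older agent rebuilt on both events; per the post, 8.0 rebuilds on
    login only and leaves per-user policy in place at logoff."""
    return sum(1 for kind, _ in events if kind == "login" or recalc_on_logoff)

if __name__ == "__main__":
    users = [("alice", "S-1-5-21-1-1001"), ("bob", "S-1-5-21-1-1002")]
    print(len(expand_per_user(RULES, users)), len(expand_symbolic(RULES)))  # 6 3
```

Note that the symbolic form also covers a user who logs in after the set was built, which is exactly why the agent no longer needs to rebuild it for every new session.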

As we get closer to 8.0 General Availability we will post the results of performance tests.

What does this all mean?

It means that we at Carbon Black are committed to your success and are working very hard to deliver constant improvement in our endpoint agent not only as a powerful security platform, but a performant one as well.  We are pleased to offer you the 7.2.3 patch 3 and upcoming 8.0.0 release.  We are not done.

Comments

In the 8.0.0 could you please come up with a solution to show when cellphones are connected to an endpoint when they use MTP and PTP? This is essential to protecting our network.

Thanks,

Phylis Herrin

Application Administrator II

Cahaba Government Benefit Administrators®, LLC

500 Corporate Parkway

Birmingham, AL 35242-5448

Phone: 205 220-1446

Email: pherrin@cahabagba.com

Would these improvements translate to a VDI environment using VMware software, such as Horizon or Horizon Air?

These enhancements are specific to VDI based on Terminal Services. Our understanding of VMware Horizon is that it is based on thinly provisioned virtual machines. It's a very different architecture and presents entirely different performance challenges.

If you have a chance, could you add this to our Idea Central area so that other customers can vote on supporting this platform?

Thanks for the info Tim and Tracy. Have you done any testing with XenApp or is this strictly limited to XenDesktop?

So I am on 8.0 CD 3, going to CD 4 next week. And we are still having issues with any Citrix VDI. Huge CPU hit during logons and logoffs; it is manageable until there are more than 3 already logged in, and then it freezes for everyone since the CPU is pegged. Adding more CPUs does solve the issue, if that's what the official answer is. It would cost a few million to do that, though.

Hi,

Can you open up a support ticket so that we can capture the data necessary to get to the bottom of this?

Thanks,

Tim

My original request was this:

In the 8.0.0 could you please come up with a solution to show when cellphones are connected to an endpoint when they use MTP and PTP? This is essential to protecting our network.

Is this what you want me to open up a ticket for?

Thanks,

Phylis Herrin

Application Administrator II

Cahaba Government Benefit Administrators®, LLC

500 Corporate Parkway

Birmingham, AL 35242-5448

Phone: 205 220-1446

Email: pherrin@cahabagba.com

Hi Phylis,

I was replying to Douglas regarding his VDI performance issue.

Unfortunately, we currently do not have MTP and PTP support on the roadmap.

Tim

Hi

Also experiencing high CPU usage and CB touching every file a user opens, using 2008 R2 with XenApp and 20-25 users per server, CB v5.0.1.50401.

Can anyone confirm the support status in a multi-user RDS with XenApp site with CB 5.0.1? I cannot find any info, and the readme file with the installer says "not suitable for VDI".

regards

Colin

Hi Colin,

Are you talking about Cb Response or Cb Protection (formerly Bit9)? In either case, I would recommend opening a ticket with Support.

Tim

Hi Tim,

It's Carbon Black Sensor.

The readme says "not suitable for VDI - Fat and Citrix only". So not very clear. We use both - VDI PC for single users in a test env - and multiple users on XenApp (test and production), from a single gold image on a 2008 R2 server. Is there a standard support statement to confirm multi-user support?

thanks

Colin

"As we get closer to 8.0 General Availability we will post the results of performance tests." Any update on that? We still have many issues with Citrix in general.

We do not have formal test results to share. However, with 8.0 P6 we have seen improvements in login times with up to 32 users per server. It was roughly a 20% improvement in login times. It is important to note that performance in this area is related to the number of rules the deployment has. In one instance we had a customer with 4000 rules and they did not see any login performance improvements. In that situation it was recommended to look at reducing the total number of rules.

Yeah...we are those 4000+ people. And there is not much I can do to reduce it and remain secure. We have just too many programs in our 52+ companies. I guess at this point Citrix is just not going to work with CbP in our environment. We will try it again in 9.0.

Why not a small, independent CbP deployment for the Citrix env?

I was hoping to stay away from that as it's just another thing to manage, but I think that is the way we are going to go. I will have to check on the licensing cost for that vs. our Citrix admins not being so stingy with "right sizing" them with one core on an Etch A Sketch.

A bit on the happy news front...we don't charge for the server component. Run as many Protection servers as you wish, just as long as the total number of agents does not exceed your total license count :-)

Article Information
Creation Date: 10-14-2016