I have been thinking more and more about security on our VSA and I am considering installing an AV engine on our VSA server. We are on 2012 - R2 Server Datacenter x64 Edition Build 9600 with ~7700 agents on a VM in Azure with a Xeon E5-2673 v3 @ 2.4GHz & 28GB memory.
Good idea? Bad idea? Comments appreciated...
Thanks in advance... Steve
Pretty sure it's unsupported to do this... I'd check with support first, as K are usually pretty pedantic about VSA server config.
Any AV is going to have a performance impact, at minimum. The application firewall works in a pretty nonstandard way, so any AV that intercepts normal http(s) traffic is probably going to either be ineffective, or break the system. I'd be concerned about AV false-triggering on data collected from agents. E.g. the VSA uses EICAR as part of the AV system - your AV is going to delete that file, thus breaking parts of the VSA that need that file to run agent tests.
Not sure how you'd get a virus on a K server (other than your server administrator doing something really, really silly) - can you suggest an attack vector you're concerned about?
Frankly, I run our K server without AV and sleep soundly at night, since there's really no viable attack surface, even from our internal network. i.e. no file shares, only web ports open, nobody logged directly into the box (except me when upgrading VSA version), etc.
Kaseya do support AV on the VSA - as long as you have the right exclusions in place.
We have always run AV - Trend Deep Security on our current platform.
I had concerns about using GetURL to pass our custom packages to the managed machines. From outside of the VSA, the path to the packages is accessible via a browser, so my thinking was that the directory structure in general was susceptible as well as the actual packages.
I had an earlier discussion in another post (community.kaseya.com/.../110855.aspx) about the possibility of adding some sort of credential requirement for the getURL function, but as designed, it sounded like it was not doable (maybe some form of token mechanism that limits access to only the agents is needed; as in the Kaseya REST API?); no one that I have talked to at Kaseya has mentioned that it exists already and I suspect not as I can pull my files off the VSA via a browser.
That said, we also use the VSA to pull files (mostly log files) from our equipment back to the VSA via getFile. Then those get pulled back to our machines on our network. I had concerns about this as well.
Until I read Jo Bowers' post below and followed the links, I was not aware (I think I forgot as well) that all in/out web traffic goes through the Kaseya Application Firewall (KAF); I assume this is for getURL & getFile. So, my concerns are lessened at this point I think and I have to put my trust into the KAF doing its job :>).
At best, I consider the VSA a gateway drug between our customer's networks and ours, hence my working through this. With the power, comes danger.
Am I missing anything?
We use Webroot with exclusions on both the VSA and SQL servers without issues. Better to have than have not with all the BS viruses and cryptos flying around. Both the on-prem VSA and SQL server are also separated in their own DMZ of our corp network