Trend Micro recommends the following deployment configuration when deploying Deep Security on Microsoft Hyper-V:
Deep Security Agent should be installed within each guest operating system in each virtual machine (VM). This provides the maximum amount of context and security for each guest. Recommendation Scan can be used to determine the applicable set of Intrusion Prevention, Integrity Monitoring and Log Inspection rules required per guest. Anti-Malware, Web Reputation, and Firewall policies can also be individually configured per guest using the Agent deployment.
If protection of the Parent Partition (also known as the Management Operating System) is desired, additional steps have to be taken to ensure that network traffic is not inspected twice. It is recommended to choose one of the following options:
- Do not utilize Intrusion Prevention in the parent partition.
- Utilize Intrusion Prevention in the parent partition, but use the Firewall policy assigned to the Agent in the parent partition to bypass incoming and outgoing traffic for the IPs of the VMs being hosted. This is accomplished with two Bypass rules (one incoming, one outgoing): the incoming rule matches on the destination IP range of the guests, and the outgoing rule matches on the source IP range of the guests. A Bypass action skips Intrusion Prevention rule processing for the matched traffic, so the traffic is inspected only once, by the guest's own Agent, rather than in both the parent partition and the guest virtual machine.
It is also advised to use Bypass rules, as in the second option above, whenever a Firewall policy is applied to the parent partition.
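The following is an added illustrative model of the two-Bypass-rule scheme described above; it is not Trend Micro's code and does not use the Deep Security API schema. The rule and packet structures, the guest range 10.0.5.0/24, the parent-partition address 10.0.1.10 and the external address 198.51.100.7 are all constructed for the example. It shows which Intrusion Prevention engine (parent and/or guest) ends up inspecting a given packet, with and without the Bypass rules in place.

```python
"""Model of the recommended Bypass rules for a Deep Security Agent running in a
Hyper-V parent partition (hypothetical example, not Trend Micro's code or the
Deep Security API). It answers one question per packet: which IPS engines,
parent partition and/or guest VM, would inspect it?"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FirewallRule:
    """Simplified firewall rule: direction, action, optional src/dst IP match."""
    name: str
    direction: str                                   # "incoming" or "outgoing"
    action: str                                      # only "bypass" is modelled here
    source: Optional[ipaddress.IPv4Network] = None   # None means "any source"
    destination: Optional[ipaddress.IPv4Network] = None  # None means "any destination"


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the parent partition's network driver."""
    direction: str   # "incoming" (toward the host or a guest) or "outgoing"
    src: str
    dst: str


def guest_bypass_rules(guest_range: str) -> List[FirewallRule]:
    """Build the two Bypass rules from the text: incoming traffic destined to the
    guest range, and outgoing traffic sourced from the guest range."""
    net = ipaddress.ip_network(guest_range)
    return [
        FirewallRule("Bypass incoming to guests", "incoming", "bypass", destination=net),
        FirewallRule("Bypass outgoing from guests", "outgoing", "bypass", source=net),
    ]


def matches(rule: FirewallRule, pkt: Packet) -> bool:
    """True if the rule's direction and IP conditions all match the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.source is not None and ipaddress.ip_address(pkt.src) not in rule.source:
        return False
    if rule.destination is not None and ipaddress.ip_address(pkt.dst) not in rule.destination:
        return False
    return True


def parent_ips_inspects(rules: List[FirewallRule], pkt: Packet) -> bool:
    """The parent partition's IPS inspects everything except traffic a Bypass rule matches."""
    return not any(matches(r, pkt) for r in rules if r.action == "bypass")


def inspecting_engines(rules: List[FirewallRule], pkt: Packet, guest_range: str) -> List[str]:
    """List the IPS engines that see the packet: "parent" unless bypassed there,
    "guest" if the local endpoint of the packet is a hosted VM (each guest runs
    its own Agent, per the deployment recommendation)."""
    engines = []
    if parent_ips_inspects(rules, pkt):
        engines.append("parent")
    local_endpoint = pkt.dst if pkt.direction == "incoming" else pkt.src
    if ipaddress.ip_address(local_endpoint) in ipaddress.ip_network(guest_range):
        engines.append("guest")
    return engines


if __name__ == "__main__":
    GUESTS = "10.0.5.0/24"                      # constructed guest VM address range
    rules = guest_bypass_rules(GUESTS)
    samples = [
        Packet("incoming", "198.51.100.7", "10.0.5.20"),   # external -> guest VM
        Packet("outgoing", "10.0.5.20", "198.51.100.7"),   # guest VM -> external
        Packet("incoming", "198.51.100.7", "10.0.1.10"),   # external -> parent partition itself
    ]
    for pkt in samples:
        print(pkt, "without bypass:", inspecting_engines([], pkt, GUESTS),
              "| with bypass:", inspecting_engines(rules, pkt, GUESTS))
```

Without the rules, guest traffic shows up as inspected by both the parent and the guest engines, which is the duplicate inspection the text warns about; with them, guest traffic is inspected only by the guest's Agent while traffic addressed to the parent partition itself is still inspected there. One check worth making when configuring the real rules: the guest IP range must not include the parent partition's own management address, otherwise the host's own traffic would be bypassed as well.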