Virtualization-Based Security with a Subatomic Footprint!
- No one disputes that virtualization-based security is the most secure and effective approach to solving the endpoint security challenge!
- Bromium has now reduced its virtualization resource footprint to run effectively even on devices with only 4 GB RAM!
- You can now leverage the power of virtualization based security without having to upgrade your endpoint hardware or operating system!
In my last blog entitled Client-Side Virtualization Security at Warp Speed, I discussed some of the incredible performance improvements we made to our Bromium Secure Platform in our recent release and showed how we have reduced our resource footprint at load to be equal to (and sometimes lower) than the resources consumed without Bromium.
At the end of my previous blog there is a link to a YouTube video on the Bromium channel showing a side-by-side comparison of a laptop running with and without Bromium. The laptop was running Windows 8.1 and had 8 GB RAM. For that last two years we find that most customers purchasing new hardware are choosing 6 – 8 GB RAM as their baseline. If you have 6 GB RAM+, there has never been a problem running Bromium’s virtualization-based security from a memory perspective. However, there are still a large number of desktops and laptops in enterprises today that have only 4 GB RAM and there will be for quite some time.
Anyone who knows anything about virtualization, knows that it can be memory hungry. So, running a robust virtualization based security engine on an endpoint with 4 GB RAM proved to be quite a challenge. However, since we have some of the best virtualization engineers and Windows performance experts on the planet, this was a challenge that we were more than happy to accept!
I’m delighted to report that with our latest 3.2 Update 5 release of Bromium, we are able to not only run on devices with 4 GB RAM, but we are able to provide an excellent user experience as well! In order to prove this point, I went on eBay and purchased a 6 year old laptop with first generation i3 CPU for testing. Here is what I bought.
- Lenovo ThinkPad Edge – Manufactured July 2010
- Intel i3-M330 2.13 GHz (1st generation i3 dual core with HT)
- 4 GB RAM (2996 MB usable by Windows 7 32-bit)
- Hard Drive = 250 GB SATA 7200 RPM
- Integrated Intel HD Graphics
I loaded Windows 7 Enterprise 32-bit and joined it to my internal Active Directory environment. I also loaded the following additional software on it to ensure it had some standard enterprise tools on it taking up extra resources in the background.
- Microsoft Security Essentials for AV with Windows Defender
- Microsoft SCCM Agent
- Microsoft App-V Agent
- Citrix Receiver
- Apple iTunes
- Lenovo laptop tools and software services
- MS Office, Skype, Java, Adobe PDF, Adobe Flash, Silverlight, IE, FF, Chrome, etc…
As noted in my previous blog, I have an extensive collection of AutoIT automation scripts that I have written to simulate user activity. I used the same script that I used on the Windows 8.1 laptop that browses to 7 websites over the course of 6 minutes. During the test both Outlook and Skype were also open and connected to their servers for the entire duration of testing. I also collected detailed performance monitor logs during the entirety of the test.
So, how did this old laptop perform with and without Bromium? I’m happy to say that it performed quite well and provided a good user experience with Bromium enabled! I even went so far as to use this laptop as my primary daily device for several days and I had no issues or complaints. I even wrote this blog using this old device! Now let’s get on to the numbers!!!
I ran the test using three scenarios…
- No Bromium
- Bromium 3.2 Update 5 with Standard Policies
- Bromium 3.2 Update 5 with Tracking Protection List Policy (TPL)
The following chart below highlights key CPU, memory and disk counters that were tracked. Keep in mind lower numbers are better, with the exception of Min MEM Avail. A higher amount of minimum memory available is better.
|Scenario||CPU||Min MEM Avail||Total Disk MB||IOPS|
|No Bromium||37%||466 MB RAM||439 MB||27 IOPS|
|Bromium 3.2 U5||34%||643 MB RAM||1189 MB||28 IOPS|
|Bromium 3.2 U5 + TPL||20%||666 MB RAM||744 MB||16 IOPS|
As you can see from the numbers above, we actually used less CPU and less memory with Bromium on this 4GB laptop than without during the test! Amazingly, even on a 4GB device, both Bromium scenarios had approximately 200 MB more free memory available than the non-Bromium test. Page file was nearly identical between all the test scenarios as well (260 – 310 MB of peak page file usage). As mentioned in the previous blog, the Bromium test with the Tracking Protection policy used far less CPU due to the enhanced Ad Blocking capabilities now built into Bromium! In fact, with Tracking Protection we reduced CPU usage by a whopping 54% when compared to native IE without Bromium!!!
So how do we do it? How do we shrink the memory footprint of our virtualization engine to subatomic levels? Well, there’s a lot of Bromium patented intellectual property at play, but some of the magic involves clever ways we make use of an advanced virtualization function built into the Intel CPU called Extended Page Tables (EPT). The AMD equivalent is Rapid Virtualization Indexing (RVI). This is the reason we require EPT or RVI in addition to VT-x or AMD-V in order to run Bromium. Fortunately, most Intel and AMD CPUs released since 2010 have these features.
Adding upon these CPU features, we employ some nifty memory deduplication and compression techniques that allow us to squeeze an incredible number of virtual machines into a physical space smaller than what is required by the native app on the local OS! The final part of the secret sauce is the clever way in which we leverage disk resources. If a micro-VM is no longer active, we can dedupe, compress and coalesce its memory into a large sequential IO operation. We can essentially suspend an entire micro-VM and write it to disk using only about 60 – 100 MB of disk space! Because even tired old spinning hard disks like the one in this old Lenovo laptop handle large block IO quite efficiently, we maintain great performance and user experience without requiring an SSD!
Hard disks perform much better handling larger files using sequential IO than they do lots of small files. This is the reason you can typically copy a single 100 MB file much faster than 1,000 small 100 KB files taking the same space. Here’s a little tip as well, if you are running Bromium on an old spinning hard disk, keeping 15% of the disk space free and keeping the disk defragmented will speed up Bromium performance by ensuring our large block IOs are not overly fragmented!
You can see our use of large sequential IO in action by looking at the Total Disk MB and IOPS counters included in the chart above. Both Bromium tests had a greater total amount of MB read/written to the disk; however, take notice how the IOPS for the TPL enabled Bromium test was significantly lower than the non-Bromium test. IOPS for the Bromium test with a standard policy were almost identical to those of the test without Bromium. How are we able to read/write so much more data to the disk, but use the same or fewer IOPS? It all comes back to the large sequential IO. While the native browser on the non-Bromium system sends thousands of small random IOPS to the disk, Bromium captures those IOPS in RAM and compresses and coalesces them into large block IO before they ever hit the disk!
Enough talk, check out the video below and you can see the tests that I ran showing how Bromium performs. I recorded videos of the tests and my colleague Andy Winiarksi was kind enough to put them side-by-side with some great commentary! I encourage you to watch it full-screen.
With Bromium’s latest innovations you can now bring the power of virtualization based security to devices with as little as 4 GB RAM running Windows 7, Windows 8.1, or Windows 10! However, don’t take my word for it, contact me or your local Bromium sales representative for details on how you can test it for yourself!