VMware

Overview of VMware AppDefense

VMware AppDefense is a data center endpoint security product that protects applications running in virtualized environments. AppDefense learns an application’s intended state and behavior, then monitors for changes to that intended state that indicate a threat. When a threat is detected, AppDefense responds automatically.

VMware AppDefense Components

The primary components of the VMware AppDefense platform are:

The AppDefense Manager console is a multi-tenant cloud service instance that gives you one place to define the intended behaviour and protection rules of your applications. From here you can monitor the enforcement of that configuration, as well as security events and alarms.

The AppDefense Appliance is an on-premises control point for ingress and egress of data from and to the Manager. It brokers connections to the VMware management components (e.g. vCenter) and makes outbound connections to the AppDefense Manager.

The AppDefense Guest module, which is now included with the latest version of VMware Tools, is deployed in the customer VM. This module works together with the supporting AppDefense Host Modules (delivered as VMware Installable Bundles) deployed on the ESX host. These two components work in concert to monitor and enforce the intended state of the guest behaviour, while keeping the protection controls isolated in the hypervisor, away from the guest “attack surface”.

vCenter is used to gather inventory data on the customer’s site. This inventory data is used for security scope assignment, guest readiness (based on OS information) and guest to host assignment. AppDefense can also use vCenter to perform remediation actions in response to security events, such as suspending a guest.

NSX (Optional) provides an additional remediation channel for AppDefense. Specifically, NSX can be used to automatically or manually quarantine the machine(s) if any of the protection rules are violated.

vRealize Automation/vRealize Orchestrator (Optional) can be used to capture application context at provisioning time from the application blueprint.

AppDefense Capabilities

The AppDefense platform provides:

  • Application Control — Comprehensive viewing and grouping of workloads in the datacenter, their intended state, and allowed behaviour
  • Run-Time Anomaly Detection & Control — Monitor the real time state of the OS and user application, alert and control process, network and kernel events
  • Process Analysis — The built-in process analysis engine gives overall process maliciousness rating as well as specific traits that are potentially suspicious
  • Orchestrated Remediation — Full visibility into the virtual infrastructure, as well as the guest OS and application stack provides a more effective way to orchestrate specific and relevant remediations during a security incident.
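To make the intended-state model behind the first two capabilities concrete, here is an added illustration (not AppDefense code; the product's internal event format is not described on this page): a behavioural manifest is learned while a VM is in discovery mode, then used to raise alarms under protection. The event fields, VM name, processes and addresses are all constructed for the example.

```python
"""Toy model of intended-state (behavioural allowlist) monitoring.
Added illustration only; event schema and sample data are constructed."""
from collections import namedtuple

Event = namedtuple("Event", "vm process action target")

# Constructed telemetry: a web server VM observed during discovery mode.
DISCOVERY_EVENTS = [
    Event("web01", "/usr/sbin/nginx", "listen", "tcp/443"),
    Event("web01", "/usr/sbin/nginx", "connect", "10.0.1.20:5432"),
    Event("web01", "/usr/bin/python3", "connect", "10.0.1.20:5432"),
    Event("web01", "/usr/sbin/sshd", "listen", "tcp/22"),
]

# Constructed telemetry: the same VM after it was moved under protection.
PROTECTION_EVENTS = [
    Event("web01", "/usr/sbin/nginx", "connect", "10.0.1.20:5432"),
    Event("web01", "/usr/sbin/nginx", "connect", "203.0.113.9:4444"),
    Event("web01", "/opt/unknown/tool", "exec", "/opt/unknown/tool"),
]


def learn_intended_state(events):
    """Discovery mode: record every (process, action, target) seen per VM."""
    manifest = {}
    for e in events:
        manifest.setdefault(e.vm, set()).add((e.process, e.action, e.target))
    return manifest


def detect_deviations(manifest, events):
    """Protection mode: flag any behaviour absent from the learned manifest.

    A known process doing something new is reported separately from a
    process that was never seen at all, since they warrant different
    remediation (e.g. alert vs. suspend/quarantine the guest)."""
    alarms = []
    for e in events:
        allowed = manifest.get(e.vm, set())
        if (e.process, e.action, e.target) in allowed:
            continue  # matches intended state, nothing to report
        known = any(p == e.process for p, _, _ in allowed)
        kind = "unexpected behaviour" if known else "unknown process"
        alarms.append((e.vm, kind, e.process, e.action, e.target))
    return alarms


if __name__ == "__main__":
    for alarm in detect_deviations(learn_intended_state(DISCOVERY_EVENTS),
                                   PROTECTION_EVENTS):
        print("ALARM", alarm)
```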

Log in to the AppDefense Portal

The AppDefense Manager Interface

In this default view, the AppDefense dashboard, you can see Protection Coverage, Security Scopes, Alarms and Events.

AppDefense Appliance Menu

The AppDefense appliance is a single, on-premises control point for ingress and egress of data to and from the AppDefense manager. It brokers connections to the VMware management components (like vCenter) and makes outbound connections to the AppDefense Cloud Manager.

The AppDefense appliance is deployed at the customer site through a standard .ovf deployment workflow. Once the appliance is deployed, the user logs into the AppDefense Cloud Manager and connects the appliance to their tenant. In addition, the appliance is connected to various sources in the datacenter (e.g. vCenter or NSX).

The Inventory

In this view, you can toggle between the ESXi hosts and the VMs that are available within the inventory and determine whether or not their respective modules are installed, OS versions, etc. This is accomplished by simply clicking on the “Hosts” or “VMs” tab at the top of the menu.

AppDefense is watching at the guest and host level for activity, corruption or any other anomalous behavior.

Unassigned VMs

This view shows the virtual machines in the inventory that are not currently assigned to any security scope. It also shows the current operational status of the host and guest modules for those virtual machines.

The orange and red areas represent VMs that are either in discovery mode or under protection.

Viewing Downloads

The On-Prem build of the AppDefense Manager used in this lab does not support automatic downloads, so the image on this step is from the actual production cloud based AppDefense Manager. You can see that all documentation, ova files, VIBs and guest modules are available in the management portal itself.

We will show how to create Scopes in the next blog post. Stay tuned!

Additional resources: