Understanding VMware AppDefense

At VMworld US 2017 this year, VMware announced a new service in the security domain called VMware AppDefense. According to VMware’s website, AppDefense is “A data center endpoint security product that protects applications running in virtualized environments.” If you don’t already know what AppDefense is, that definition won’t make a lot of sense. So in this blog post, I decided to talk about what AppDefense is and how it solves your security concerns.

VMware already had NSX, which you can use to configure security policies that allow or deny traffic on your network. But what about compute? vSphere is the leading hypervisor deployed in data centers across the world, so it only makes sense for VMware to come up with an offering that helps you secure the virtual machines and applications running on your compute.

VMware AppDefense is based on the following two principles:

  1. Ensuring good rather than chasing bad: there are more than 27 million vulnerabilities out there, but the set of correct behaviors an application exhibits is tiny by comparison. So instead of trying to ensure that your application is safe from those 27 million vulnerabilities, it is easier to ensure that it is behaving correctly.
  2. Least privilege: an application or a system should have access to the resources it needs to get its job done and nothing more.

OK, that sounds great, but how does AppDefense do that?

AppDefense has three key phases to help secure your applications.

  1. Capture
  2. Detect
  3. Respond

First, let’s talk about the CAPTURE phase. You start by deploying an on-premises AppDefense appliance (the Intended State Engine) and associating it with your vCenter server. This enables the appliance to capture the purpose and intended state of the applications and VMs running in your environment. If you have NSX or vRealize Automation in your environment, you can optionally link those to the Intended State Engine as well. Once the appliance is aware of your infrastructure, it starts building what is called an Application Scope, or intended state, of your application. The appliance syncs the configuration and policies to the AppDefense SaaS platform, where VMware applies machine learning algorithms to create a manifest file (the intended state configuration) for each of your virtual machines. For example, the manifest might state that your web server should only talk to your application server and never to the database server, that the only process running on your web server is httpd, or that your application server does not receive any traffic on port 80/443. This learning process can take up to two weeks. As part of the on-premises installation, you also install a vSphere Installation Bundle (VIB) that creates a virtual secure enclave on your host. It is in this protected zone that the VM manifest files are stored. This ensures that even if your host is under attack, you still have a trustworthy intended state for each VM that you can use in the next phase, the detect phase.

Once you have an intended state configuration for each virtual machine in your environment, the next phase kicks in: the DETECT phase. In this phase AppDefense continuously compares the runtime state of your applications and VMs against their intended state. You immediately get an alert if the two states do not match. Because every alert is a deviation from a known-good baseline rather than a match against a signature, this is how you eliminate all the false positives and know for sure that any alert is worth investigating. Once an alert is generated, AppDefense automatically switches to the respond phase.

Great, now we know that our infrastructure is under attack; what next? This is where the RESPOND phase of AppDefense helps you out. It leverages ESX, NSX, and security ecosystem integrations to automate a library of incident response routines, including Snapshot, Suspend, Block Traffic, Quarantine, and Network Blocking. For example, if the intended state of your VM says it never reaches out to your database, and while under attack it tries to access the database, the automated incident response can block that traffic the moment the runtime state stops matching the intended state of the VM.
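To make the capture/detect/respond model concrete, here is an added illustration (not AppDefense code, and not its manifest format, which this post does not show): a constructed intended-state manifest for a web VM, a few constructed runtime events of the kind a host sensor might report, and a detector that flags every event the manifest does not list and maps it to one of the response routines named above.

```python
# Constructed intended-state manifest for one VM, following the
# "ensuring good" principle: anything not listed here is a deviation.
# The field names are hypothetical, not AppDefense's real manifest schema.
WEB_MANIFEST = {
    "vm": "web-01",
    "processes": {"httpd"},            # only process expected on the web tier
    "outbound": {("app-01", 8080)},    # allowed (destination, port) pairs
    "inbound_ports": {80, 443},        # ports the VM is allowed to listen on
}

# Constructed runtime observations for the same VM (sample data).
RUNTIME_EVENTS = [
    {"vm": "web-01", "type": "process", "name": "httpd"},
    {"vm": "web-01", "type": "connect", "dst": "app-01", "port": 8080},
    {"vm": "web-01", "type": "connect", "dst": "db-01", "port": 3306},
    {"vm": "web-01", "type": "process", "name": "nc"},
    {"vm": "web-01", "type": "listen", "port": 4444},
]

# Which response routine to trigger for each kind of deviation (hypothetical mapping).
RESPONSES = {
    "connect": "block_traffic",
    "process": "snapshot_and_suspend",
    "listen": "quarantine",
}


def detect(manifest, events):
    """DETECT phase: compare each runtime event with the intended state.
    Returns a list of (event, response) pairs; conforming events yield nothing."""
    alerts = []
    for ev in events:
        if ev["vm"] != manifest["vm"]:
            continue  # event belongs to a different VM's manifest
        if ev["type"] == "process":
            ok = ev["name"] in manifest["processes"]
        elif ev["type"] == "connect":
            ok = (ev["dst"], ev["port"]) in manifest["outbound"]
        elif ev["type"] == "listen":
            ok = ev["port"] in manifest["inbound_ports"]
        else:
            ok = False  # an event kind the manifest never describes is itself a deviation
        if not ok:
            alerts.append((ev, RESPONSES.get(ev["type"], "snapshot")))
    return alerts


def respond(alerts):
    """RESPOND phase: collapse the alerts into the distinct actions to trigger."""
    return sorted({action for _, action in alerts})
```

Running `detect(WEB_MANIFEST, RUNTIME_EVENTS)` flags the database connection, the unexpected `nc` process and the listener on port 4444, while the two events that match the manifest produce no alert at all.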

That’s it; it really is that simple. AppDefense is one of the most innovative announcements this year. It is offered as a standalone SKU, and you pay per socket per year on a prepaid subscription basis, which comes to around $500 per CPU per year. Currently, AppDefense requires a minimum of vSphere 6.5a, vCenter 6.5, NSX 6.3 and vRealize Automation 7.3, Windows Server 2012R2, and Windows Server 2016.

If you want to learn more then please check out the Resources section on the following page: https://www.vmware.com/products/appdefense.html
