By Vladan Seget
An application is analyzed and its intended state is recorded as a baseline. Any behavior that does not conform to that baseline is considered a violation, and different actions can be taken: suspending the VM, taking a snapshot of it to preserve evidence of the behavior for later analysis, or shutting it down if the application does not behave as expected.
The system can detect infiltrations at the application level and automatically stop the propagation of those infiltrations by stopping communication with the application or shutting it down completely until remediation.
Four major functions
- Application control
- Process analysis
- Anomaly detection and response
You can establish a "known good" or "intended" state for each of your applications or VMs. The intended state can define allowed behaviors in which the application performs normally.
Now, let's say that AppDefense detects a threat that is possibly damaging to your system. It can immediately take actions by using vSphere or NSX.
AppDefense can also suspend or shut down a VM completely to prevent further malicious behavior or possible propagation of the problem to other VMs and other parts of the infrastructure.
If there is no NSX within your environment, AppDefense can still take a snapshot of the suspicious workload for later analysis. This gives you the option to possibly recreate the suspicious behavior.
AppDefense generates alarms from which the admin can see details about the threat and then take any actions to isolate it, stop propagation, or completely eliminate it.
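The baseline-and-violation model described above (an intended state, observed behavior compared against it, and severity-based remediation that falls back to a snapshot when NSX is absent) is shown below as an added, constructed example. It is not AppDefense code and calls no vSphere or NSX API; the baseline, the observed events, the severity rules, the trusted directories and the action names are all assumptions made for illustration.

```python
"""Toy model of intended-state enforcement for one workload (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Severity(Enum):
    LOW = 1      # known process, unexpected outbound connection
    MEDIUM = 2   # unexpected process launched from a trusted directory
    HIGH = 3     # unexpected process launched from an untrusted path


@dataclass
class IntendedState:
    """'Known good' state captured while the application behaves normally."""
    allowed_processes: Set[str]
    # process -> allowed (destination, port) pairs; destination may be an FQDN
    allowed_connections: Dict[str, Set[Tuple[str, int]]]


@dataclass
class Event:
    kind: str            # "process" or "connection"
    process: str
    path: str = ""       # executable path, for process events
    dest: str = ""       # destination host, for connection events
    port: int = 0


@dataclass
class Violation:
    event: Event
    severity: Severity
    reason: str


# Assumed trusted install locations; anything else is treated as suspicious.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/opt/app/")


def analyze(state: IntendedState, events: List[Event]) -> List[Violation]:
    """Compare observed behavior with the baseline; anything outside it is a violation."""
    violations: List[Violation] = []
    for ev in events:
        if ev.kind == "process" and ev.process not in state.allowed_processes:
            sev = Severity.MEDIUM if ev.path.startswith(TRUSTED_DIRS) else Severity.HIGH
            violations.append(Violation(ev, sev, f"process {ev.process} not in intended state"))
        elif ev.kind == "connection":
            allowed = state.allowed_connections.get(ev.process, set())
            if (ev.dest, ev.port) not in allowed:
                sev = Severity.LOW if ev.process in state.allowed_processes else Severity.HIGH
                violations.append(Violation(ev, sev, f"{ev.process} -> {ev.dest}:{ev.port} not allowed"))
    return violations


def plan_remediation(violations: List[Violation], nsx_available: bool) -> List[str]:
    """Severity-based response: inform first for LOW, kill the process for MEDIUM,
    and for HIGH isolate the VM (NSX) or snapshot it as evidence, then suspend it."""
    actions: List[str] = []
    for v in violations:
        if v.severity is Severity.LOW:
            actions.append(f"alert: {v.reason}")
        elif v.severity is Severity.MEDIUM:
            actions.append(f"kill-process {v.event.process}")
    worst = max((v.severity.value for v in violations), default=0)
    if worst == Severity.HIGH.value:
        actions.append("isolate-network via NSX" if nsx_available else "snapshot-vm for later analysis")
        actions.append("suspend-vm")
    return actions


# Constructed baseline and observed events for a two-tier web application.
BASELINE = IntendedState(
    allowed_processes={"nginx", "app-server"},
    allowed_connections={
        "nginx": {("app-server.internal.example", 8080)},
        "app-server": {("db.internal.example", 5432)},
    },
)
OBSERVED = [
    Event("process", "nginx", path="/usr/sbin/nginx"),
    Event("connection", "app-server", dest="db.internal.example", port=5432),
    Event("connection", "app-server", dest="updates.example.net", port=443),  # LOW
    Event("process", "curl", path="/usr/bin/curl"),                           # MEDIUM
    Event("process", "svchost", path="/tmp/.x/svchost"),                      # HIGH
]

if __name__ == "__main__":
    found = analyze(BASELINE, OBSERVED)
    for v in found:
        print(v.severity.name, v.reason)
    print("without NSX:", plan_remediation(found, nsx_available=False))
    print("with NSX:   ", plan_remediation(found, nsx_available=True))
```

The two conforming events produce nothing; the three deviations are ranked, and only the HIGH one escalates to VM-level action, with the snapshot standing in for network isolation when NSX is not present, which mirrors the fallback the text describes.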
VMware AppDefense components
AppDefense Appliance (OVF) – This is for a local datacenter environment. It is a virtual appliance that checks all the traffic to and from the AppDefense Manager. The on-premises proxy appliance acts as a connection broker to direct traffic to other VMware vSphere components, such as vCenter. It also connects to the AppDefense Manager component.
The AppDefense Manager console – This is used in a cloud environment and defines the protection rules and behaviors of your applications in one place. You can monitor the enforcement of configurations, security events, and alarms from here.
AppDefense Guest module – This is now included with the latest version of VMware Tools and is deployed in the customer VM.
AppDefense Host module (VIB) – There is a VIB (vSphere installation bundle) deployed on each ESXi host; Guest and Host modules work together to monitor and enforce the intended state of the guest behavior.
vCenter Server – If you run vSphere, you already have vCenter installed, but, in this particular case, vCenter is used to gather inventory data on-site. This inventory data is used for security scope assignment, guest readiness (based on OS information), and guest-to-host assignment. AppDefense also uses vCenter to perform remediation actions (suspending a VM).
Optional Components – NSX manager and vRealize Automation.
New in the latest release
The latest version of AppDefense brought a few more features:
- Severity-based remediation actions – You can now kill a process and its network connections. Disconnecting the network first lets the App Verification Cloud inform you about the issue before further action is taken.
- Upgrade VM Tools without reboot – You now no longer need to reboot in order to install and upgrade AppDefense on a guest OS.
- FQDN support for allowed behavior – You can now use fully qualified domain names (FQDN) within an allowed behavior definition.
- NSX-T remediation actions – With NSX-T development and the new releases, there is also greater interest in this product and its adoption. Remediation actions using VMware NSX-T are therefore now possible.
VMware AppDefense is part of vSphere Platinum licensing. VMware vSphere Platinum has been released together with vSphere 6.7 U1 and is part of the new licensing strategy from VMware.
This has resulted in some changes, and there are now only three licensing packages for a datacenter: Standard, Advanced, and Platinum.
Compared to the competition, VMware AppDefense has a few advantages. These include a better understanding of distributed application behaviors, which reduces false positives, the ability not just to detect but also to remediate, and orchestration capabilities.
Note: You will need to have vRA (vRealize Automation product) and NSX within your environment.
VMware AppDefense also has a solid roadmap for introducing machine learning capabilities to enhance anomaly detection within the guest OS.
Final words
VMware AppDefense is enterprise-class AV and threat detection tailored to larger enterprises using both cloud and on-premises environments. Environments such as VMware Cloud on AWS, for example, have direct integration with AppDefense to enforce application-level security.
In the latest release of AppDefense, the Guest module supports VMs with a VM hardware version higher than 13 and a new Linux guest OS has been added, which expands the list of supported OSs.
Future releases of AppDefense with machine learning capabilities are really exciting, and I think that VMware is investing heavily in this space—just look at the recent acquisitions of Uhana (specializing in AI platforms) and Bitfusion, whose software platform can accelerate workloads on GPUs, ASIC hardware platforms, and field-programmable gate arrays (FPGA). Basically, what VMware invented over ten years ago for servers, Bitfusion has invented for GPUs, ASICs, and other hardware platforms. Until now, there were only bare-metal deployment possibilities, but, in the future, those workloads will be virtualized as well.