VMware AppDefense Overview

AppDefense is a data center endpoint security product that embeds threat detection and response into the virtualization layer on which applications and data live.
AppDefense delivers three key advantages over existing endpoint security solutions:

  • Authoritative knowledge of application intended state.
  • Automated, precise threat response.
  • Isolation from the attack surface.

AppDefense Architecture

The AppDefense architecture is simple, with several integration points through which optional configuration and automation engines can connect to it.

  • AppDefense Manager – A multi-tenant, secured SaaS service that provisions the per-tenant appliances used to manage the AppDefense components.
  • On-Premises AppDefense Appliance – An OVF-deployed virtual appliance that connects to vCenter and any other optional components, synchronizing configuration and policy between the AppDefense Manager and the on-premises components.
  • vCenter Server – The vCenter Server that manages the hosts and clusters on which the applications AppDefense will protect run. This integration provides the API through which AppDefense drives automated remediation using vCenter actions such as snapshot, power off and suspend.
  • AppDefense Host Module – A vSphere Installation Bundle (VIB) deployed to every vSphere host AppDefense will protect. This module provides trusted isolation within the hypervisor, storing the manifests of the protected applications' intended state that AppDefense monitors against.
  • AppDefense Guest Module – The in-guest software module that communicates with the AppDefense Host Module to monitor the kernel integrity of the guest.
  • NSX Manager (Optional) – An optional component that AppDefense integrates with through its API to create a quarantine security policy in NSX Manager. AppDefense applies NSX security tags to quarantine an application as an automated remediation.
  • vRealize Automation (Optional) – Integrated through vRealize Orchestrator with connections to vRealize Automation; a tag placed on the application in the machine blueprint automatically brings a newly provisioned application into AppDefense scope.
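To make the "intended state" idea above concrete, here is a small added example (not AppDefense code, and not its real manifest format, which this page does not describe): a discovery phase learns which processes talk on which ports per VM, and a protection phase flags events that deviate from that learned allow-list. The telemetry tuples, the VM and process names, and the mapping from finding to vCenter action (snapshot, suspend) are all constructed for the example; the page only states that those vCenter actions are available for remediation, not which finding triggers which action.

```python
"""Toy intended-state model in the spirit of AppDefense: learn a per-VM
allow-list in discovery mode, then flag deviations in protection mode.
Illustration only; the real manifest format and decision logic are not
described on this page and are not reproduced here."""
from collections import defaultdict

# Constructed sample telemetry: (vm, process, direction, proto, port).
# In the product this would come from the guest/host modules; here it is
# hand-written so the example runs offline.
DISCOVERY_EVENTS = [
    ("web01", "nginx", "inbound", "tcp", 443),
    ("web01", "nginx", "outbound", "tcp", 8080),
    ("app01", "java", "inbound", "tcp", 8080),
    ("app01", "java", "outbound", "tcp", 5432),
]

PROTECTION_EVENTS = [
    ("web01", "nginx", "inbound", "tcp", 443),     # matches learned state
    ("web01", "nginx", "outbound", "tcp", 4444),   # known process, new connection
    ("web01", "nc", "outbound", "tcp", 4444),      # process never seen in discovery
    ("app01", "java", "outbound", "tcp", 5432),    # matches learned state
    ("db01", "postgres", "inbound", "tcp", 5432),  # VM not in any scope
]

# Assumed response policy. The page lists snapshot, power off and suspend
# as vCenter actions AppDefense can drive; which finding maps to which
# action is an assumption of this example, not documented behaviour.
RESPONSE = {
    "ok": None,
    "out_of_scope": None,                        # unassigned VMs are not monitored
    "unexpected_connection": "alert",
    "unknown_process": "snapshot_then_suspend",  # preserve evidence, then stop it
}


def learn(events):
    """Discovery mode: record every observed (process -> behaviour) per VM.

    Returns {vm: {process: frozenset((direction, proto, port), ...)}}.
    """
    manifest = defaultdict(lambda: defaultdict(set))
    for vm, proc, direction, proto, port in events:
        manifest[vm][proc].add((direction, proto, port))
    # Freeze the result so protection-mode checks cannot mutate it.
    return {vm: {p: frozenset(b) for p, b in procs.items()}
            for vm, procs in manifest.items()}


def check(manifest, event):
    """Protection mode: classify one event against the learned manifest."""
    vm, proc, direction, proto, port = event
    if vm not in manifest:
        return "out_of_scope"
    allowed = manifest[vm]
    if proc not in allowed:
        return "unknown_process"
    if (direction, proto, port) not in allowed[proc]:
        return "unexpected_connection"
    return "ok"


def evaluate(manifest, events):
    """Return a list of (event, verdict, action) for a batch of events."""
    results = []
    for ev in events:
        verdict = check(manifest, ev)
        results.append((ev, verdict, RESPONSE[verdict]))
    return results


if __name__ == "__main__":
    manifest = learn(DISCOVERY_EVENTS)
    for (vm, proc, direction, proto, port), verdict, action in evaluate(
            manifest, PROTECTION_EVENTS):
        print(f"{vm:6} {proc:9} {direction:8} {proto}/{port:<5} "
              f"-> {verdict:22} {action or ''}")
```

The point of the split is that the allow-list is authoritative only for VMs that went through discovery while assigned to a scope; anything outside a scope (the "Unassigned VMs" view) produces no verdict at all, which is why unassigned production VMs are a coverage gap rather than a safe default.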

Now we log in to the AppDefense Portal.

This is the AppDefense Manager interface. In this default view, we can see Protection Coverage, Security Scopes, Alarms and Events.

In the bottom left corner of the Manager you will see a settings icon. CLICK on Appliances. Once the appliance is deployed, the user logs into the AppDefense Cloud Manager and connects the appliance to their tenant. The appliance is also connected to the various sources in the datacenter (e.g. vCenter or NSX).

Select Inventory on the settings menu. In this view you can toggle between the ESXi hosts and the VMs available within the inventory. AppDefense watches at both the guest and the host level for activity, corruption or any other anomalous behaviour.

Select Unassigned VMs. This view shows the virtual machines in the inventory that have not yet been assigned to any security scope. It also shows the current operational status of the host and guest modules for those virtual machines.


Remark: The orange and red areas represent VMs that are either in discovery mode or under protection.
