Architecture of AppDefense in Non-SaaS Setting
The VMware vSphere Platinum edition delivers advanced security capabilities fully integrated into the hypervisor. It combines the industry-leading capabilities of vSphere with VMware AppDefense, delivering purpose-built VMs to secure applications. vSphere Platinum secures infrastructure and applications by leveraging the hypervisor and the power of machine learning in a way that is built-in, operationally simple, and has minimal overhead or impact on performance. vSphere Platinum allows the vSphere Admin to deliver secure infrastructure and applications by enabling virtual machines to run in a “known good” state. AppDefense delivers key capabilities to protect applications running on vSphere: it learns an application’s intended state and behavior, then monitors for changes to that intended state.
VMware AppDefense has two components: an on-prem appliance and a SaaS component. This gives customers the flexibility to choose a connectivity model for the AppDefense service. By default, the AppDefense Appliance enables only the AppDefense Plug-In in vCenter Server. Switching the AppDefense Appliance connectivity to SaaS enables the AppDefense Appliance to communicate with the AppDefense Service, enabling the complete solution.
In this blog post I will explain how to run VMware AppDefense in non-SaaS mode. This solution is perfect for most federal customers, who generally do not have internet connectivity from their appliances, and for customers who decide to run AppDefense without a SaaS subscription. With vSphere Platinum, customers get an AppDefense Plugin in vCenter Server which provides them process and network connection visibility within vCenter Server. Before I get into the details of the AppDefense plugin’s capabilities, let me discuss the architecture of AppDefense in non-SaaS mode.
AppDefense has three components that provide visibility inside your VMs: the on-prem appliance, the host module and the guest module. The AppDefense plugin and the modules talk to the appliance over HTTPS. Within the AppDefense plugin you get all the process and network connection details.
The AppDefense appliance can run in offline mode or in online mode, i.e. with internet connectivity but no SaaS subscription. In the above architecture, the dotted HTTPS line to the AppDefense cloud indicates the online (SaaS) mode. Each mode provides a distinct set of capabilities to IT staff. In completely offline mode the customer gets two capabilities:
1. One-click install workflows in vCenter to perform module installations
2. Process & network visibility
This gives customers and their IT staff visibility inside their VMs. Infrastructure teams can view process and network connection details and identify each process by its network behavior, execution path, command line and arguments.
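To make the “known good state” idea from the introduction concrete, here is an added, illustrative model of how the process, path, hash and connection details surfaced by the plugin can be checked against a per-VM intended state and reported against vCenter VM object names rather than IP addresses. This is example code written for this post, not AppDefense’s own logic; the baseline, the observed events and the hash values are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    vm: str      # vCenter VM object name the finding is correlated to
    path: str    # executable path as reported for the guest process
    reason: str


# Constructed "intended state" per VM: allowed executable path, its expected
# SHA-256 (shortened placeholder values) and the ports it may talk on.
BASELINE = {
    "web-01": {"/usr/sbin/nginx": {"sha256": "aa11", "ports": {80, 443}}},
    "db-01": {"/usr/sbin/mysqld": {"sha256": "bb22", "ports": set()}},
}

# Constructed observations: (vm, path, sha256, command line, remote port or None)
OBSERVED = [
    ("web-01", "/usr/sbin/nginx", "aa11", "nginx -g 'daemon off;'", 443),
    ("web-01", "/usr/sbin/nginx", "aa11", "nginx -g 'daemon off;'", 8443),
    ("web-01", "/tmp/.cache/update", "cc33", "./update --silent", 4444),
    ("db-01", "/usr/sbin/mysqld", "dd44", "mysqld --datadir=/var/lib/mysql", None),
]


def find_deviations(baseline, observed):
    """Return every way the observed events depart from the per-VM intended state.

    Three kinds of drift are reported: a process that is not part of the VM's
    baseline at all, a known path whose binary hash has changed, and a known
    process talking on a port the baseline does not allow.
    """
    findings = []
    for vm, path, sha256, cmdline, port in observed:
        allowed = baseline.get(vm, {}).get(path)
        if allowed is None:
            findings.append(Deviation(vm, path, f"process not in intended state: {cmdline}"))
            continue
        if sha256 != allowed["sha256"]:
            findings.append(Deviation(vm, path, f"binary hash changed: {sha256}"))
        if port is not None and port not in allowed["ports"]:
            findings.append(Deviation(vm, path, f"unexpected connection on port {port}"))
    return findings


if __name__ == "__main__":
    for d in find_deviations(BASELINE, OBSERVED):
        print(f"[{d.vm}] {d.path}: {d.reason}")
```

Because findings carry the VM object name, an administrator can act on them directly from the Hosts and Clusters view instead of first resolving an IP address to a VM.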
Where a customer’s on-prem appliance has internet connectivity, they can take advantage of additional capabilities within the plugin:
1. Software process reputation
The AppDefense plugin receives a reputation score from the data feeds of our security partner, Carbon Black. This information is helpful for IT teams because it lets them quickly identify high-risk processes running inside their VMs. Process reputation is calculated from trust and threat scores derived from the process’s hash values and network behavior. This view also gives a holistic picture of protection coverage across your environment, with information about host and VM coverage.
2. Automatic upgrades
This option in the plugin allows customers to upgrade host and guest modules with a single click. It also reports the status and version of each module in the plugin, which lets infrastructure owners plan and schedule module upgrades from the vCenter Server.
If customers decide to run AppDefense in offline or non-SaaS mode, the AppDefense plugin still provides visibility into their VMs. The plugin provides all the capabilities needed to run, manage and monitor AppDefense and to protect their VMs from running malicious processes. This is also helpful for our customers who have a very controlled environment with no internet connectivity. The AppDefense plugin makes it easier for a vSphere Administrator to monitor and address threats, because it lets the administrator quickly correlate those threats to the objects they manage instead of to IP addresses or ports. Furthermore, we can see what is happening within an individual VM in the Hosts and Clusters view, where we tend to spend most of our time.
Finally, as you can see, the vCenter Server plugin for vSphere Platinum gives vSphere Administrators a way to easily monitor and collaborate with the Security Team to create an even more secure and efficient virtual infrastructure.