VMware AppDefense separates virtual machines (VMs) into categories called Scopes and Services. A Scope is an application in the datacenter, such as a web application, whereas a Service is a tier of that application. Services therefore reside within Scopes, which models a tiered application architecture. This part of the configuration process is where most customers get stuck or ask: “Is there a right way to set up Scopes and Services?” The answer to that question is a resounding “YES!” Proper Scope and Service creation is imperative to the correct functioning of VMware AppDefense.
So, let’s talk about Scope creation. I’m going to eat my words a little bit and say this is the least important piece to worry about configuring correctly. This is because VMs reside in the Services created within a Scope, and product functionality such as allowed behaviors applies only within the context of Services. Discovery Mode and Protected Mode are set at the Scope level, whereas remediation actions are set at the Service level.
The primary use for Scopes is to organize your internal applications. Let’s say, for example, that I am a company that hosts a web application and that I have the following applications protected by AppDefense.
- Web Application
- Internal email server
- Internal team chat tool
In the above scenario I would configure one scope per application. I would then have a scope called “Web Application,” a scope called “Email,” and a scope called “Team Chat.”
The above image shows what this would look like in the AppDefense SaaS Manager. Organizing scopes in this way allows you to better identify Services (tiers) for those applications and VMs that will belong to those services.
Creating and Configuring Services
Services are where it’s really important to plan out your categorization and organization. Two items will be in Services: (1) VM(s), which we call “Members,” and (2) learned processes and behaviors. Best practice when adding members is to keep them homogeneous; that is to say, each and every Service should ONLY contain VMs that are performing identical or very similar functions and processes. Let’s use the Web Application example from above and assume that your web application is an n-tier architecture application. This means you would probably have a Database Tier, Web Tier, and Application Tier. It would look something like the diagram below.
In the diagram above we see it’s an n-tier architecture because the various components required to run it all reside on different VMs. Now, if we were to create one Service and throw these three functionally different VMs into it, what would happen? Because Services are treated as homogeneous, as mentioned above, the learned behaviors from each of the VMs would apply to the other VMs as well. This would mean that your web VM’s behaviors would apply to, and be allowed on, your database VM. This obviously is not ideal, since we would not want web VM behaviors on a database VM.
Therefore, the correct way to set up AppDefense for this type of application is a single Scope with three unique Services. Configuring Services this way ensures that the behaviors learned in a Service apply to the VMs, and ONLY the VMs, that have identical or similar functions. The screenshot below shows the Scope “Web Application” containing three Services: “App,” “Database,” and “Web.” We would then add the VMs from each tier in the diagram above into the corresponding Service. If you had two VMs per tier (two database VMs, for example), you would add both of those database VMs to the Database Service because they perform identical functions. Additionally, if you were to add more VMs to an application tier, you could add each new VM to its corresponding Service, and because the behaviors that would occur on the newly added VM have already been learned by the Service, you would not need to go back into Discovery Mode again.
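The effect of grouping can be made concrete with a small model. This is an added example, not VMware code or the AppDefense API: it assumes only the rule described above (behaviors learned in a Service are allowed for every member), and the VM names, behavior tuples and function names are constructed for illustration.

```python
# Toy model of the rule described above: behaviors learned in a Service are
# allowed for every member of that Service. Not AppDefense code or its API.

# Constructed sample data: behaviors each VM showed during Discovery Mode,
# as (process, direction, port). VM names and behaviors are invented.
OBSERVED = {
    "web-01": {("nginx", "in", 443), ("nginx", "out", 8080)},
    "web-02": {("nginx", "in", 443), ("nginx", "out", 8080)},
    "app-01": {("java", "in", 8080), ("java", "out", 5432)},
    "db-01": {("postgres", "in", 5432)},
}

def learned(members):
    """Allowlist of a Service: union of behaviors observed on its members."""
    allowed = set()
    for vm in members:
        allowed |= OBSERVED[vm]
    return allowed

def excess(services):
    """Per VM, behaviors its Service allows that the VM itself never showed."""
    result = {}
    for members in services.values():
        allowed = learned(members)
        for vm in members:
            result[vm] = allowed - OBSERVED[vm]
    return result

def needs_rediscovery(service_members, new_vm_behaviors):
    """True if a new member would do something the Service has not learned."""
    return not new_vm_behaviors <= learned(service_members)

# Two layouts of the same Scope: one catch-all Service vs. one per tier.
ONE_SERVICE = {"Everything": ["web-01", "web-02", "app-01", "db-01"]}
PER_TIER = {"Web": ["web-01", "web-02"], "App": ["app-01"], "Database": ["db-01"]}

if __name__ == "__main__":
    for name, layout in (("one service", ONE_SERVICE), ("per tier", PER_TIER)):
        print(name)
        for vm, extra in sorted(excess(layout).items()):
            print(f"  {vm}: {len(extra)} behaviors allowed but never observed")
    # A third web VM with the same behaviors fits the Web Service as learned.
    print(needs_rediscovery(PER_TIER["Web"], OBSERVED["web-01"]))
```

In the catch-all layout the database VM ends up with web and application behaviors on its allowlist, while the per-tier layout leaves no VM with allowances it never used.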
We’ve covered both Scope and Service creation here. Service creation just takes a little thought and planning, but once properly configured it will make managing your virtual environment’s security much easier!
AppDefense is a data center endpoint security solution that embeds threat detection and response into the virtualization layer and uses machine learning to ensure virtual machines (VMs) and applications are running in a known-good state.
Correct configuration of Scopes and Services is essential to proper product functionality. We hope this blog helps you better understand the methodology required when setting these up. If you’re not leveraging AppDefense today, or would like to learn more, please contact sales or visit: https://www.vmware.com/products/appdefense.html.
For more documentation on VMware AppDefense please refer to the VMware AppDefense Documentation.