Yesterday (6-3-2019) VMware announced the introduction of the Service-Defined Firewall, which I think is one of the greatest announcement since VMware announced NSX including Micro-segmentation. When VMware bought AppDefense I already knew that they had gold in their hands, but during that introduction AppDefense missed the needed integration with VMware NSX to be actual gold!
First let’s take a step back in history: AppDefense is able to gather information from the processes that are running inside the virtual machines. It gathers the running processes and their interactions, by which it creates a “behavior” (also called a “intended based”). The behavior describes which interaction are good and must be allowed. AppDefense is able to, based on these behaviors, to detect any attacks and take (basic) actions (for example quarantine the VM).
So with this version when a VM was attacked and AppDefense could identify the attack, you were able to quarantine the VM .. which resulted in a non-operational services. Yikes .. but he, it’s a good start when you’re able to detect attacks!
The Service Defined Firewall
I’m not a man of marketing terms, and I don’t like this terminology “service defined firewall” either 🙂 For me it’s just a new version of AppDefense which DOES integrate well with VMware NSX which together forms a golden couple.
The new version of AppDefense is able to reflect the behavior with a “App Verification Cloud”, which double-checks if the current behavior has not already have been altered.
This means that you running apps are already checked for their running behavior. WIN!
With the new version of AppDefense it is possible to create NSX firewall rules based on the discovered behavior. This configures the necessary micro-segmentation security policies, which are in line with the expected behavior of the application/virtual machine
This avoids the manual process of manually retrieving Application Dependency Mappings for each application in the datacenter, which was required when building micro-segmentation with VMware NSX (with and without vRealize Network Insight). AppDefense goes one step further than VMware vRealize Network Insight when it comes to planning security, as it also checks the running processes on the virtual machine.
When an attacker tries to start a non-“known good” behavior proces, AppDefense can block this (within the virtual machines). This means that AppDefense not only offers security at the network level it also provide security at the process level (within the virtual machine).
Conclusion
This new version of AppDefense offers new capabilities that, so far as I know, is not available by any other solution (I would like to know if it does). As, per VMware stated, this solution has a 100% score when it comes intrusion prevention tests. Which I can believe as security measurements are taken at the source code (the process).
