Overlooked in the hoopla around the VMworld conference was an announcement of the availability of AppDefense, a new product that lets companies restrict the types of operations applications are allowed to run on virtualized servers.
AppDefense works with the VMware hypervisor and can also connect to third-party provisioning, configuration management and workflow automation platforms. It can send out alerts, quarantine apps, shut them down and even restore a VM from an image. All of this is based on AppDefense catching unusual behavior, such as trying to modify the kernel or communicate with an unrecognized remote server.
VMware already has some security features built into its NSX and vSAN products, but those cover networking and storage. AppDefense secures the core virtual machines in vSphere itself. It does this by using behavior-based whitelisting, which is not easy to do on desktops because they run a lot of apps. But on a server, especially a virtual server, it’s a much easier proposition. In some cases, virtual servers run only one or two apps, so shutting out everything else is simple.
Whitelists vs. blacklists
There is some debate over which is the better solution: blacklists or whitelists. Blacklists are used in traditional antivirus and are good at spotting known threats, but they are no good at new, unknown threats. Antivirus vendors have tried to get around this problem by using heuristics to look for suspicious behaviors, such as modifying the OS kernel or communicating with remote servers.
Whitelists basically say no apps can run except the approved ones on the whitelist. And since VMs often have a single purpose, any app other than the approved one will be blocked or shut down and the administrator notified. This lets admins keep on top of potential infections rather than discovering them after the fact.
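The contrast described above, as an added example (it is not VMware code and does not use AppDefense's API): the same events from a single-purpose VM are judged by a signature blacklist and by a behavior whitelist. The event format, hashes, hostnames and the mapping from deviation to response are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str     # "exec", "connect" or "kmod_load"
    subject: str  # binary responsible for the event
    detail: str   # file hash, remote endpoint or module name

# Blacklist: hashes of known-bad files (constructed placeholders).
KNOWN_BAD = {"hash-known-malware-a", "hash-known-malware-b"}

# Whitelist: intended behaviour of a single-purpose web VM (constructed).
ALLOWED = {
    Event("exec", "/usr/sbin/nginx", "hash-nginx"),
    Event("connect", "/usr/sbin/nginx", "db.internal.example:5432"),
}

# Assumed mapping from deviation type to a response named in the article.
RESPONSE = {"exec": "shut down", "connect": "alert", "kmod_load": "quarantine"}

def blacklist_verdict(ev):
    """Signature matching: only a known-bad file hash is stopped."""
    return "block" if ev.kind == "exec" and ev.detail in KNOWN_BAD else "allow"

def whitelist_verdict(ev):
    """Default deny: anything outside the intended behaviour gets a response."""
    return "allow" if ev in ALLOWED else RESPONSE.get(ev.kind, "alert")

# Constructed sample events for one VM.
SAMPLE = [
    Event("exec", "/usr/sbin/nginx", "hash-nginx"),             # normal start
    Event("exec", "/tmp/dropper", "hash-known-malware-a"),      # known threat
    Event("exec", "/tmp/updater", "hash-never-seen-before"),    # unknown binary
    Event("connect", "/usr/sbin/nginx", "203.0.113.7:443"),     # unrecognized server
    Event("kmod_load", "/usr/sbin/nginx", "unexpected_module"), # kernel change
]

def compare(events):
    """Return (event, blacklist verdict, whitelist verdict) for each event."""
    return [(ev, blacklist_verdict(ev), whitelist_verdict(ev)) for ev in events]

if __name__ == "__main__":
    for ev, bl, wl in compare(SAMPLE):
        print(f"{ev.kind:9} {ev.detail:26} blacklist={bl:5} whitelist={wl}")
```

Only the second event is stopped by the blacklist, while the whitelist responds to every event that falls outside the VM's intended behavior.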
AppDefense is currently available only for on-premises data centers, but VMware is planning on a cloud-based version down the road.
VMware AppDefense was announced at the VMworld conference in Las Vegas last month and is currently available for customers using VMware vSphere 6.5.