AppDefense remediation actions with NSX integration
AppDefense has automatic responses using vSphere and VMware NSX, including the ability to block process communication, alert, suspend, shut down the endpoint, and snapshot an endpoint for forensic analysis. These remediation actions can be enforced automatically or manually as well. With AppDefense it is possible to create NSX distributed firewall rules based on the discovered behavior. This configures the necessary micro-segmentation security policies, which are in line with the expected behavior of the application/virtual machine. Remediation action can be set at individual service level within the application scopes.
NSX integration with AppDefnese avoids the process of manually retrieving Application Dependency Mappings for each application in the datacenter, as it gives greater visibility in to every protected VM in the datacenter including the processes running within the OS but also all the in/out bound connection which are made by each process.
When an attacker tries to start a new process, which is not “known good” behavior process, AppDefense can block this (within the virtual machines). This means that AppDefense not only offers security at the network level it also provides security at the process level (within the virtual machine).
How is NSX manager integrated with AppDefense?
As part of AppDefense appliance registration process, customers are required to register it with AppDefense manager, vCenter server and it discovers the NSX managers details integrated with the vCenter automatically.
Once NSX manager is registered with the AppDefense appliance you can notice it automatically creates few objects in the NSX manager which are used to perform the remediation action.
NSX Security tag – AppDefense.AnomalyFound
Security Group – AppDefense Quarantine Group
Security Policy – AppDefense Quarantine Policy
Firewall Rules – To block all In/Out bound traffic from the VM which is quarantined via security policy
How are remediation actions configured to use NSX?
Within AppDefense manager customers get the ability to set the remediation action at the individual service level within the scopes created. This allows the security team to set the remediation actions at a more granular level for each service within an application running in datacenter. Customers can enforce remediation action for all In/Out bound connections, Guest OS integrity, AppDefense module integrity. Currently Linux OS only support In/Out bound connection remediation actions.
What happens when remediation action is triggered?
Whenever AppDefense notices a new behavior post moving the scope in to protected state it triggers the action which is configured for the service which the VM is member. As part of remediation action NSX security tag is assigned to the VM and Appdefense Quarantine policy gets applied to VM to block all the In/Out bound connections from the VM hence, isolating it.