One of the big announcements at VMworld 2017 was VMware AppDefense. Here, we'll look at what AppDefense is and how it works, but before that, you need to understand the context for application monitoring.
Traditional security practices
Historically, companies spent the vast majority of their security budget on defending perimeter networks. The figures quoted reach as high as 80% of the budget. This often leaves the internal network vulnerable to attack once an intruder gains a foothold.
The many recent high-profile breaches serve as examples of why this is an ineffective approach. These intruders got past the hardened perimeter only to find a soft target inside, stealing proprietary or confidential company information. Customer-facing electronic point-of-sale systems, for example, are often directly connected to the internal company network.
Even if anomaly alerts are raised, the sheer volume of data in a modern enterprise environment presents an analysis problem. The default answer is to dump it in a security information and event management (SIEM) database and comb through it, which is time-consuming, error-prone, manually intensive and expensive.
Enter VMware AppDefense
VMware's application monitoring tool takes aim at these issues and essentially turns this traditional security approach on its head. AppDefense enforces known-good behavior rather than looking for bad.
Once the known-good state of a VM or container has been captured, AppDefense can easily detect any deviation from it. This allows it to say with a high degree of confidence that something untoward has happened and that steps need to be taken.
The whole VMware AppDefense package can be broken down into three distinct phases:
First, AppDefense essentially enforces per-VM microsegmentation at the application layer. Several different types of information are collected through a learning process -- with many items profiled, including processes, network communications, application topology and network boundaries -- and that information is grouped into an intended state profile. This intended state profile is enforced by the ESXi hypervisor.
Second, once the intended state of a VM is known, any deviation from it is flagged as a potential issue. For example, if a web server suddenly starts talking to an external Network Time Protocol server, it has drifted from its configuration. That could indicate bad behavior or perhaps just an accidental change. AppDefense can also detect other problems in the VM, including bits that have been flipped, odd processes started, new applications and other potential triggers.
Lastly, when VMware AppDefense detects something untoward, it can handle the issue in several ways, and when paired with NSX it can take direct action. Depending on the security stance of the business, AppDefense can perform remedial actions including:
- Quarantine/block: Automatically isolate the VM for later inspection by the administrator or security team
- Power off: Shut down the affected VM
- Alert: Send alerts to the SIEM system
- Deletion: Automatically delete the affected VM
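To make the three phases concrete, here is a small added example (not AppDefense code, and not its telemetry format) that learns a per-VM intended-state profile of processes and connections from constructed observations, flags runtime drift such as the web server's unexpected NTP connection, and maps each finding to one of the remedial actions listed above under an assumed policy.

```python
from collections import namedtuple

# One observed network event from a VM: which process talked to where.
# Constructed record format for this example, not AppDefense's schema.
Conn = namedtuple("Conn", "vm process remote_host remote_port")

def learn_profile(observations):
    """Learning phase: fold observed behaviour into a per-VM intended-state
    profile of allowed processes and (process, host, port) connections."""
    profile = {}
    for o in observations:
        vm = profile.setdefault(o.vm, {"processes": set(), "connections": set()})
        vm["processes"].add(o.process)
        vm["connections"].add((o.process, o.remote_host, o.remote_port))
    return profile

def detect_deviations(profile, observations):
    """Enforcement phase: anything not covered by the profile is drift.
    Returns (vm, kind, observation) tuples."""
    findings = []
    for o in observations:
        vm = profile.get(o.vm)
        if vm is None:
            findings.append((o.vm, "unknown_vm", o))
        elif o.process not in vm["processes"]:
            findings.append((o.vm, "new_process", o))
        elif (o.process, o.remote_host, o.remote_port) not in vm["connections"]:
            findings.append((o.vm, "new_connection", o))
    return findings

# Assumed policy mapping drift kinds to the article's remedial actions.
POLICY = {"new_connection": "alert_siem", "new_process": "quarantine",
          "unknown_vm": "alert_siem"}

def plan_responses(findings):
    """Response phase: attach the configured remedial action to each finding."""
    return [(vm, POLICY[kind], obs) for vm, kind, obs in findings]

# Constructed learning data: a web server seen talking only to its database and CDN.
LEARNED = [Conn("web01", "nginx", "db01.internal", 5432),
           Conn("web01", "nginx", "cdn.example.net", 443)]
# Constructed runtime data: the NTP drift from the article plus an unknown process.
RUNTIME = [Conn("web01", "nginx", "db01.internal", 5432),
           Conn("web01", "nginx", "time.example.org", 123),
           Conn("web01", "unexpected_bin", "203.0.113.7", 8443)]

if __name__ == "__main__":
    for vm, action, o in plan_responses(detect_deviations(learn_profile(LEARNED), RUNTIME)):
        print(f"{vm}: {action} <- {o.process} -> {o.remote_host}:{o.remote_port}")
```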
This intended state approach dramatically reduces management complexity and the need to debug rules. Again, it enforces good rather than looking for bad. This is extremely useful considering that application and system complexity is ever-increasing.
AppDefense is actually a cloud-based product, which gels well with VMware's strategic direction. It can be extended to on-premises environments by means of an application proxy, but all management is done within the cloud environment.
Different product integrations
AppDefense was designed to integrate with NSX and provide other interesting capabilities. One example is the capability to intercept traffic from protected VMs. Adopting NSX involves additional cost and complexity, but it marries well with VMware's application monitoring tool.
The NSX tool set includes an individual stateful firewall for each and every VM. While that may sound like an administrative nightmare in the classic sense, this cloud-based management platform allows easy management and integrates with orchestration tools to ensure that the correct set of firewall rules is applied to the VM when it's built.
Lastly, it integrates with third-party plug-ins, such as McAfee antivirus, IBM and others to provide agentless management for the infrastructure that's protected.
Benefits of VMware AppDefense
All this may sound a little extreme for SMBs, but the great thing about AppDefense is that it scales to your security requirements.
Not everyone is web scale, but think about how modern environments would benefit from such a system: VMs and containers seen as cattle rather than pets. Destroying the affected VM and redeploying another from scratch is easier than trying to fix the infection and taking on the risks that come with such an approach. This is where VMware AppDefense can just replace the machine, no questions asked, if that's the desired state.
It makes the administrator's life that much easier. It removes a lot of the complexity from the environment and can automatically take predefined actions against VMs that deviate too far from the desired state. Essentially, no matter the size of the estate, it will help enhance security posture.
AppDefense in a nutshell is the evolution of security for a fully virtualized world, and VMware has done a good job in reducing the management load with its new intended state ethos.