VMware Hands-on Labs - HOL-2042-01-NET


HOL-2042-01-NET - Secure Data Center Endpoints with VMware AppDefense

Lab Guidance


Note: There are only two modules in this lab. The expected time of completion is 45-60 minutes.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual. 

VMware AppDefense is a data center endpoint security product that protects applications running in virtualized environments. Rather than chasing after threats, AppDefense understands an application's intended state and behavior, then monitors for changes to that intended state that indicate a threat. When a threat is detected, AppDefense automatically responds. This maximizes efficiency and effectiveness in Security Operations. It also streamlines the application security readiness review process.

Lab Module List:

Lab Captains & Support:

This lab would not have been possible without the dedication of the AppDefense engineering team. Their support and assistance in making this something suitable for the VMworld HOL environment was instrumental. We would like to thank the following members:

This lab manual can be downloaded from the Hands-on Labs Document site found here: http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Overview of VMware AppDefense (15 minutes)

AppDefense Platform Overview


In this section, you will read about VMware's new AppDefense security platform.


 

Description

AppDefense is a data center endpoint security product that embeds threat detection and response into the virtualization layer, where applications and data live. Leveraging VMware AppDefense delivers three key advantages over existing endpoint security solutions:

Authoritative knowledge of application intended state - When you know what's good, you can detect what's bad.

From inside the vSphere hypervisor, AppDefense has an authoritative understanding of how data center endpoints are meant to behave and is the first to know when changes are made. This contextual intelligence removes the guesswork involved in determining which changes are legitimate and which are real threats. AppDefense does not look at a guest workload in isolation. Instead, it manages workloads as part of broader Security Scopes. These scopes allow AppDefense to have a deeper understanding of complex interactive behaviour patterns in the data center as opposed to simply individual machine behaviour.

Automated, precise threat response - The right response at the right time. When a threat is detected, AppDefense can trigger vSphere and VMware NSX to orchestrate the correct response to the threat, without the need for manual intervention. For example, AppDefense can automatically:

Isolation from the attack surface - Protect the protector. The first thing that most malware variants do when they reach an endpoint is disable anti-virus and other agent-based endpoint security solutions. The hypervisor provides a protected location from which AppDefense can operate, ensuring that even if an endpoint is compromised, AppDefense itself is protected.

 

 

 

AppDefense in Action

AppDefense is a foundational security product that has a wide-reaching impact on an organization's security strategy.

Application-centric alerting for the Security Operations Center (SOC) - AppDefense doesn't produce a lot of alerts, but when it raises the alarm it's smart to listen. The authoritative alerts generated by AppDefense, coupled with automated response capabilities, allow security administrators to focus on catching and eradicating threats from their environment, rather than sifting through noisy data and investigating threats that aren't there.

Transforming application security readiness reviews - In the world of modern application development, applications are launched, changed, and decommissioned rapidly. By the time a security team learns of the existence of a new application, it has often already changed. AppDefense creates a common source of truth between the application team and the security teams, streamlining the security review process.

 

 

Application-Centric Security with VMware

VMware has changed the face of network security with our network virtualization platform, VMware NSX, and its ability to enable micro-segmentation across the data center. NSX architects network and security services such as firewalling directly into the hypervisor, enabling a least privilege model for the network. The net outcome is that network security teams can prevent threats from moving laterally within their environments.

 

AppDefense layers in threat detection and response capabilities into another core area of the infrastructure, enabling a least privilege model for data center endpoints. Should a threat make it onto an endpoint, AppDefense will immediately detect the threat and automatically respond with precision. Together, NSX and AppDefense offer a robust solution for securing the application infrastructure and thus, the applications and data that live there.

 

 

Architecture

 

 

 

AppDefense Capabilities

The AppDefense platform provides:

AppDefense's operation from within the hypervisor also provides protection and abstraction not available with traditional endpoint protection platforms, creating the most effective least-privilege model for the application layer.

Protection of the Protector in a Separate "Trust Zone"

Kernel Level Monitoring

Memory and Process Monitoring

Unlike other endpoint security products, AppDefense is isolated from the attack surface without sacrificing the context necessary to provide accurate security alerts. Furthermore, AppDefense works with NSX and other infrastructure control points to automate the response to detected threats, minimizing the potential for data exfiltration and the impact to the business.

 

 

Conclusion

Congratulations on completing Module 1 -- An overview of the VMware AppDefense Platform.

Proceed to the next module.

Lab Module List:

Module 1 - Overview of VMware AppDefense (15 minutes) - Basic - This module will walk you through the structure of the platform.

Module 2 - Exploring & Utilizing the AppDefense Platform (45 minutes) - Basic - This module will walk you through the creation of a security scope. Secondly, you will monitor the application after various attacks have been made. Finally, you will perform remediation, quarantine and upgrade actions.

 

 

How to End Your Lab

 

If you would like to end the lab now, you can simply click the "End" button in the upper part of your screen. Otherwise, please proceed to Module 2.

 

Module 2 - Exploring and Utilizing the AppDefense Platform (45 minutes)

Prepare and Explore the Lab


In this section, we will be preparing the lab for us to learn more about AppDefense. While we are preparing the lab, we will explore the environment (hosts and VMs) in the lab.


 

Open Google Chrome

 

  1. Open Google Chrome on the desktop

 

 

Perform Student Check-In

 

  1. Click on Student Check-In
  2. Enter your email address
  3. Click on Search
  4. Click on Click here to start the preparation workload

The preparation workflow will invoke a script to configure the parameters on the AppDefense appliance.

 

 

Start Preparation Workflow

 

A new window will pop up, showing the status of the preparation script. It will take approximately 5-7 minutes for the preparation workflow to complete.

IMPORTANT: Do not close the window or refresh the browser.

 

Let's access vSphere Web Client and review vCenter Server Inventory while we wait.

 

 

Access vSphere Web Client - vCenter Server

 

  1. Open new browser tab
  2. Click on vSphere - vCenter

 

 

Login to vSphere Web Client

 

  1. Enter administrator@corp.local as the user name
  2. Enter VMware1! as the password
  3. Click on Login

 

 

Review vCenter Server Inventory

 

The vCenter Server inventory contains the following objects:

 

Nested Virtualization: For the purpose of this lab, the two ESXi hosts are actually nested. Nested Virtualization means the ESXi hosts are running inside VMs instead of on bare-metal servers. Although Nested Virtualization is not supported for production, it is sufficient for running this lab, which is meant for learning AppDefense.

Corde's Cords App: In this lab, we have also provisioned a three-tier web application named Corde's Cords App. The VMs used in this three-tier web application are as follows:

As we proceed with this lab, you will have hands-on experience of AppDefense's capabilities in alerting, monitoring and integration with NSX as we perform unauthorized and malicious actions on Corde's Cords App.

 

 

 

Preparation Workflow Has Completed

 

The window will show that the preparation workflow has completed. We can start performing the steps in this module to learn more about AppDefense.

 

Explore AppDefense in vCenter Server and AppDefense Appliance


In this section, we will explore the AppDefense plugin in vCenter Server and the AppDefense Appliance.


 

Return to vSphere Web Client

 

  1. Click on vSphere Web Client

 

 

Access AppDefense Plugin

 

  1. Click on Menu
  2. Click on AppDefense

 

 

AppDefense Dashboard

 

Online Trust Analysis - Helps in the analysis of the processes to display the reputation for all the processes that are monitored by AppDefense. The status is displayed as:

 

AppDefense - Displays connection status with the AppDefense Manager when your connectivity mode is SaaS.

 

Hosts and VMs

 

 

AppDefense Widgets

 

  1. You may need to scroll down to see all four widgets

 

There are four widgets in the AppDefense Plugin in vCenter Server:

 

In the next few steps, we will explore Process Reputation and Critical Vulnerabilities.

 

 

Access Process Reputation

 

  1. Click on VIEW ALL

 

Note: If you don't see suspicious behaviour, read through the image below and proceed to the next steps.

 

 

Access VM with Suspicious Process

 

You may need to scroll down to see the VM:

  1. Click on app-01a

 

 

Review VM - Guest Monitoring

 

You will be able to review the processes running in the VM. Let's look at the suspicious process:

  1. Click on powershell.exe

 

 

Review Suspicious Process

 

In this view, you will be able to review the details of the suspicious process.

Now we will use the AppDefense plugin to investigate servers with known vulnerabilities. The navigation path is the same for all four widgets described in the AppDefense Widgets step.

 

 

Access AppDefense Plugin

 

  1. Click on Menu
  2. Click on AppDefense

 

 

Access Critical Vulnerabilities

 

  1. Click on VIEW ALL

 

 

Review Critical Vulnerabilities

 

  1. Click on Critical
  2. Click on Windows OS
  3. To see details of vulnerability CVE-2014-411 and its Risk score:
    • Click on the "Down Arrow" to see the affected VMs for the stated vulnerability number
  4. Expand Affected VMs
  5. Click on db-01

 

 

Review VM - Vulnerabilities

 

In this view, you will be able to review the vulnerabilities of this VM.

 

 

Access AppDefense Plugin

 

  1. Click on Menu
  2. Click on AppDefense

 

 

AppDefense Widgets

 

We have explored Process Reputation and Critical Vulnerabilities.

 

For the Windows Integrity Checks widget, you may want to review it after completing a later section named "Attack the Application and Validate Automated Response" in this module. In that section, we will compromise the OS integrity of DB-VM, hence you will be able to see the alerts on the Windows Integrity Checks widget.

 

Next, we will explore the AppDefense Appliance.

 

 

Close vSphere Web Client

 

We will not need the vSphere Web Client until later in the lab, so let's close the browser tab.

  1. Click on Close icon

 

 

Access AppDefense Appliance

 

  1. Open new browser tab
  2. Click on AppDefense Applia...

 

 

Proceed to AppDefense Appliance

 

  1. Expand Advanced
  2. Select Proceed to appdefense.corp.local (unsafe)

 

 

Login to AppDefense Appliance

 

  1. Enter admin as the user name
  2. Enter VMware1! as the password
  3. Click on SIGN IN

 

 

Review AppDefense Registration

 

  1. Click on Registration

NOTE: You may need to scroll down to see the NSX details. 

 

Review the parameters configured by the preparation workflow:

IMPORTANT: Take note of the Manager UUID under the AppDefense Manager section. We will verify the Manager UUID when we login to the AppDefense Manager in the next section.

 

Explore AppDefense Manager


In this section, we will be exploring the AppDefense Manager.


 

Access AppDefense Manager

 

  1. Open new browser tab
  2. Click on AppDefense Manag...

 

 

AppDefense Manager Login Page

 

This is the login page for AppDefense Manager. Next, we will retrieve the email and password required for login.

 

 

Retrieve Username for Login

 

  1. Return to the Student Check-In page
  2. Copy the email address for AppDefense's login

IMPORTANT: Your assigned email address may be different from the above screenshot. Please use the email address assigned for your lab.

 

 

Show Password for Login

 

  1. Return to the desktop and double-click on SHOW PASSWORD

 

 

Retrieve Password for Login

 

A window will pop-up for you to retrieve the password.

  1. Press Enter to see password
  2. Copy the password for AppDefense's login (the password is only six characters)
  3. Press Enter to close the window

IMPORTANT: Please only copy the characters highlighted in green. Your password should only have six characters.

 

 

Login to AppDefense Manager

 

  1. Return to the AppDefense Manager page
  2. Paste the assigned email address
  3. Paste the password
  4. Click on SIGN IN

IMPORTANT: Your assigned email address may not be the same. If your login fails, please check your password. Your password should only have six characters.

 

 

Review AppDefense Dashboard

 

The AppDefense Manager is a multi-tenant cloud service that delivers the complete AppDefense feature set. You can use the AppDefense Manager to define the intended behavior and protection rules of your applications and then monitor security events and alerts in real time. In addition to management capabilities, the AppDefense Manager provides process reputation services, machine learning capabilities, and other additional visibility features for your environment.

However, in this lab the AppDefense Manager is running as a local instance within the VMware Hands-on Labs environment. Your assigned user is also created in its own tenant.

In the dashboard view, you are able to review the protection coverage, scopes in discovery, alerts, and provisioning events.

 

 

Close Information Pane

 

  1. Select Close icon after acknowledging the information

 

 

Navigate to AppDefense Appliance

 

Move your mouse to the left-hand navigation bar and:

  1. Click on Inventory
  2. Click on Appliances

 

 

Review AppDefense Appliance

 

You may need to scroll right in the browser to see details of the AppDefense Appliance.

The AppDefense Appliance is an on-premises control point for ingress and egress of data from and to the AppDefense Manager. It brokers connections to the VMware management components like vCenter Server and makes outbound connections to the AppDefense Manager.

 

Review and validate configurations of AppDefense Appliance:

The Manager UUID is the same as the one shown on the AppDefense Appliance Registration page in the previous steps.

 

 

Review Inventory

 

  1. Click on Host to view inventory of ESXi Hosts
  2. Click on VMs and then Assigned to view inventory of VMs

In this lab, we did not provision any containers, hence there is no container inventory.

 

 

Review Unassigned Members

 

  1. Click on Unassigned

This view shows the VMs and containers in the inventory that are not assigned to any security scopes in AppDefense. It will also show the operational status of the host and guest modules of the unassigned VMs and containers.

The orange and red areas represent VMs and containers that are either in discovery mode or under protection.

 

 

Review Downloads

 

  1. Click on Downloads

You may need to scroll right in the browser to see details of the Downloads.

The on-premises build of the AppDefense Manager used in this lab does not support automatic downloads, so the image on this step is from the actual production cloud-based AppDefense Manager. You can see that all documentation, OVA files, VIBs and guest modules are available in the management portal itself.

 

Create and Delete an AppDefense Security Scope


A Security Scope in AppDefense is the foundational component that establishes what the intended state and specific allowed behaviors of an application should be. In this section, we will walk through the steps involved in creating and deleting an AppDefense Security Scope.


 

Scopes

 

  1. Move your mouse over to the left-hand navigation bar and click Scopes

 

 

Review Security Scopes

 

You will notice that a security scope named Corde's Cords App has been created during the preparation workflow. We will review Corde's Cords App in the next section. In this section, you will create a new security scope and add members to the security scope. Finally, you will also learn how to delete the security scope.

  1. Click on Plus icon (+)

A Security Scope defines the relevant configuration elements to protect an application and its constituent workloads. These configuration elements constitute a "blueprint" or "birth certificate" for the application. It contains a description, member workloads, rules and behaviors.

This is fundamental to the AppDefense philosophy. By focusing on applications as opposed to just individual endpoints, AppDefense derives a greater contextual knowledge of the intended state of the application.

 

 

Enter Name for Security Scope

 

  1. Enter HOL-App as the Scope Name
  2. Click on CREATE

 

 

Create a Service

 

  1. At the bottom of the page, click Add Service

 

 

Provide Details for Service

 

  1. Enter Core Tier as the Service Name
  2. Select Other from the drop-down list
  3. Click on NEXT

 

In the Service Description, you can specify other information of your choosing. This is not mandatory, but can be useful in operational environments to denote additional relevant information on the service.

 

 

Select Members of Service

 

  1. Select core-A
  2. Click on FINISH

 

 

Understand Behaviors of Service

 

Behaviors are process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service.

Once scopes and services are created, AppDefense enters Discovery Mode. AppDefense creates a list of allowed behaviors (for example ports and processes) to build a blueprint or a whitelist of the natural state of the application. The system dynamically populates allowed behaviors based on a runtime view of the application over a period. During this time, all relevant activity is recorded as the application is functioning.

During this time, no action is needed as AppDefense is learning the environment automatically.

In cases where you want to specifically define allowed behaviors, you have the option to EXPORT or ADD a behavior.

  1. Note: you can click the X to clear the update message.

 

 

Scopes Dashboard

 

  1. Click on Scopes

 

 

Confirm Deletion of Security Scope

 

  1. Click on DELETE

 

You have deleted your security scope as it is not needed in the other sections of the lab. In the next section, we will review Corde's Cords App, a security scope that was created during the preparation workflow. Corde's Cords App is also pre-assigned with members and pre-populated with allowed behaviors.

 

Examine Security Scope


In this section, we will explore a security scope named Corde's Cords App which has been created during the preparation workflow. Corde's Cords App is also pre-assigned with members and pre-populated with allowed behaviors. We will now examine Corde's Cords App.


 

Review Security Scope

 

  1. Click on Corde's Cords App

 

A security scope defines the relevant configuration elements to protect an application and its constituent workloads. These configuration elements are like a blueprint or a birth certificate for the application. It contains a description, member workloads, rules, and behaviors. Security scopes are a grouping of data center assets (VMs, Containers, and so on) that make up an application or a regulatory scope.

 

 

Review Application Topology

 

You may need to move around the Topology Canvas to see Web, App and DB Tiers' services.

  1. Click on Application Topology
  2. Click on circle to view Web Tier's services
  3. Click on circle to view App Tier's services
  4. Click on circle to view DB Tier's services

NOTE: Due to the screen resolution of the lab, you may need to move around the topology to see all the services.

IMPORTANT: Legend provides explanation of the graphics used in the topology map.

 

The Topology tab enables viewing a large amount of complex application behavior data easily in an interactive graphic. A graphical visualization illustrates application behavior, showing the relationships of the services within the application and also the relationships of the connected components (VMs, private addresses, public addresses, and so on) to each other. Remote nodes and connectivity information are also graphically displayed in a way that enables users to focus on the application servers that are causal or may have the greatest impact. The tab represents the rules graphically, using symbols to show how services are related to each other depending on the allowed behaviors and connection rules set for each of the services. The data displayed on the tab is read-only. Any change made on the Services tab is reflected on the Topology tab.

 

 

Review Services

 

  1. Click on Services
  2. Click on App Tier 

 

AppDefense creates a list of allowed behaviors (e.g. ports, processes, etc.) to build a "blueprint" or "whitelist" of the intended state of the application. AppDefense can create this blueprint with assistance from provisioning interfaces such as vRealize Automation, vRealize Orchestrator, Puppet, or similar engines.

However, when the application is already deployed, AppDefense can also "learn" these behaviors. After a Security Scope is created and applied to an application, it defaults to "Learning Mode". During this time, all relevant activity is recorded as the application is functioning.

Once reviewed, this master list of intended activity can be validated and/or modified by a security operations team or application owner. After the final intended state is determined, the security scope is placed into "protected mode".

Once the scope is moved into this mode, AppDefense will use the allowed behavior list to enforce the correct security context and posture for the workload against any deviation from that list.

 

IMPORTANT: Do not click on VERIFY AND PROTECT. Normally, the learning period for a workload or application is a recommended 7-14 days. Since we do not have that timeframe from within the HOL lab environment, we have automated most of the "allowed processes" into the creation of the service.

 

 

Review Behaviors

 

  1. Scroll down and search for service named CompatTelRunner.exe
  2. Click on CompatTelRunner.exe

 

 

Review Members

 

  1. Click on Members

 

A member is a virtual machine (VM) within a service. Members or VMs in a service must have an identical operating system (means within a service, all the VMs must be homogeneous – either all Microsoft or all Linux). In this lab, there are two app VMs in the App Tier service.

 

Learn New Behavior in Discovery Mode


In this section, we will examine the Discovery Mode of AppDefense.

Upon creation, scopes are placed into Discovery Mode. In this mode, when AppDefense recognizes a virtual machine exhibiting a new behavior, it adds it to the allowed behavior list for the associated service. Normally, the learning period for a workload or application is 7–14 days, although it can vary depending on the workload. Learned behaviors include process executions, command-line arguments, network connections, and more. This information is organized into a process-specific card view in the Services tab.


 

Access Web-VM

 

  1. Click on Putty icon on taskbar

 

 

Access Putty

 

  1. Select Web-01
  2. Click on Load
  3. Click on Open

 

 

Review Python Versions on Web-VM

 

  1. Type the following command to see the version of python

/usr/bin/python --version

 

  1. Type the following command to see the version of python3

/usr/bin/python3 --version 

You will notice that Python 2.7.5 and Python 3.5.1 are installed on Web-VM.

 

 

 

Review Web Tier Services on AppDefense

 

  1. Return to AppDefense Manager
  2. Click on Web Tier
  3. Click on Behavior

 

 

Examine all Python Behaviors in Web-Tier

 

  1. Search for python in the search bar to identify all python behaviors

You will notice that there is only a python2.7 behavior but no python3 behavior in Web Tier. This is because python3 was newly installed and has not been used before.

 

 

Attempt Outbound Connection for Python 3 in Web-VM

 

  1. Return to the desktop and double-click on Outbound for Python on WEB-Tier

 

 

 

Review Outbound Connection Attempt

 

The Putty session will run a script in Web-VM. The script runs for about a minute and does the following:

IMPORTANT: Do not close the Putty Session until prompted to "Press Enter to close this putty session". 

 

 

Identify Python 3 Behavior in Web-Tier

 

  1. Click on Refresh icon
  2. Scroll down and click on python3

 

 

Python 3

 

  1. Expand CLI to see the outbound connection attempt

python3 in Web-VM has attempted an outbound connection to python.org. Since the security scope is still in Discovery Mode, AppDefense recognizes this new behavior (python3) and adds it to the allowed behavior list for Web Tier.

 

Move Security Scope to Protected Mode


In this section, we will move the security scope to Protected Mode. After which, we will review and edit the rules associated with the scope.


 

Move Scope to Protected Mode

 

  1. Click on VERIFY AND PROTECT

 

Once the learning of allowed behaviors is satisfactory, you can move the scope and all services within the scope to Protected Mode by clicking on "VERIFY AND PROTECT". Protected Mode marks the golden image of the application state and begins locking down the behavior. After moving to Protected Mode, rules are applied. You can view the applied rules under the Rules tab, and any violation generates an alarm.

 

 

Verify and Protect Scope

 

  1. Click on VERIFY AND PROTECT

 

 

 

Review Rules

 

  1. Click App Tier
  2. You will notice that there is a "Rules" tab after the scope has been moved to Protected Mode. After the security scope is in the Protected Mode, you can still review and edit services associated with the scope.

There are five vectors that are used to alert and remediate. By default, the only action for the Remediation rules is set to Alert and the enforcement is automatic. You can edit the rule settings based on the action that you want AppDefense to take.

Enforce Process Monitoring: How do you want AppDefense to monitor a process execution?

Enforce Outbound Connections: If AppDefense sees a new outbound connection from an allowed process, what do you want it to do?

Enforce Inbound Connections: If AppDefense sees a new inbound connection from an allowed process, what do you want it to do?

Enforce Guest OS Integrity: Windows-only. If AppDefense detects that the integrity of your operating system (OS) has been compromised, what would you like it to do?

Enforce AppDefense Module Integrity: Windows-only. If AppDefense detects that the integrity of the AppDefense Module has been compromised (potentially turned off), what would you like it to do?

 

You cannot set automatic remediation action for the Guest module down alert. Remediation for this action can only be taken manually.
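To make the Discovery Mode learning described earlier and the Protected Mode rules above concrete, here is a small Python model added for this guide (it is not AppDefense code): a scope's services learn behaviors in Discovery Mode, and in Protected Mode any behavior outside the learned list is evaluated against the per-vector rule, with the guest-module-down case forced to manual enforcement. The event format, VM names, behavior details and the NSX tag handling are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    DISCOVERY = "Discovery"
    PROTECTED = "Protected"


class Vector(Enum):
    # The five rule vectors listed in the Review Rules step.
    PROCESS = "Enforce Process Monitoring"
    OUTBOUND = "Enforce Outbound Connections"
    INBOUND = "Enforce Inbound Connections"
    GUEST_OS_INTEGRITY = "Enforce Guest OS Integrity"
    MODULE_INTEGRITY = "Enforce AppDefense Module Integrity"


# Security tag the guide says AppDefense creates in NSX at integration time.
NSX_ANOMALY_TAG = "AppDefense.AnomalyFound"


@dataclass
class Rule:
    action: str = "Alert"           # default action per the guide
    enforcement: str = "Automatic"  # "Automatic" or "Manually"


@dataclass(frozen=True)
class Behavior:
    vector: Vector
    process: str  # e.g. "/usr/bin/python3" (constructed)
    detail: str   # CLI arguments or remote endpoint (constructed format)


@dataclass
class Service:
    name: str
    members: Set[str] = field(default_factory=set)
    allowed: Set[Behavior] = field(default_factory=set)
    rules: Dict[Vector, Rule] = field(
        default_factory=lambda: {v: Rule() for v in Vector})


@dataclass
class Scope:
    name: str
    services: List[Service]
    mode: Mode = Mode.DISCOVERY


@dataclass
class Alarm:
    vm: str
    service: str
    vector: Vector
    behavior: Behavior
    action: str
    enforcement: str


def service_for(scope: Scope, vm: str) -> Optional[Service]:
    """Return the service whose members include this VM (None = unassigned)."""
    for svc in scope.services:
        if vm in svc.members:
            return svc
    return None


def observe(scope: Scope, vm: str, behavior: Behavior) -> Optional[Alarm]:
    """Learn the behavior in Discovery Mode; in Protected Mode, alarm on any
    behavior not on the service's allowed list, using that vector's rule."""
    svc = service_for(scope, vm)
    if svc is None:                  # unassigned members are not covered
        return None
    if scope.mode is Mode.DISCOVERY:
        svc.allowed.add(behavior)    # dynamically populate the allowed list
        return None
    if behavior in svc.allowed:      # matches the blueprint: no deviation
        return None
    rule = svc.rules[behavior.vector]
    enforcement = rule.enforcement
    if behavior.vector is Vector.MODULE_INTEGRITY:
        enforcement = "Manually"     # guest module down: manual remediation only
    return Alarm(vm, svc.name, behavior.vector, behavior, rule.action, enforcement)


def nsx_tags(alarms: List[Alarm]) -> Dict[str, Set[str]]:
    """VMs an automatic Quarantine would tag into the NSX quarantine group.
    A manual Quarantine waits for an operator, so it produces no tag here."""
    tags: Dict[str, Set[str]] = {}
    for a in alarms:
        if a.action == "Quarantine" and a.enforcement == "Automatic":
            tags.setdefault(a.vm, set()).add(NSX_ANOMALY_TAG)
    return tags


def run_lab_scenario() -> List[Alarm]:
    """Replay the guide's sequence with constructed VM names and events."""
    web = Service("Web Tier", {"web-01a"})
    app = Service("App Tier", {"app-01a", "app-02a"})
    db = Service("DB Tier", {"db-01a"})
    scope = Scope("Corde's Cords App", [web, app, db])
    py2 = Behavior(Vector.PROCESS, "/usr/bin/python2.7", "/var/www/app.py")
    py3_out = Behavior(Vector.OUTBOUND, "/usr/bin/python3", "python.org:443")
    observe(scope, "web-01a", py2)       # Discovery Mode: learned silently
    observe(scope, "web-01a", py3_out)   # first python3 connection: learned too
    scope.mode = Mode.PROTECTED          # VERIFY AND PROTECT
    db.rules[Vector.GUEST_OS_INTEGRITY] = Rule("Quarantine", "Manually")
    events = [
        ("web-01a", py3_out),  # already on the allowed list: no alarm
        ("app-01a", Behavior(Vector.PROCESS, "powershell.exe", "unknown command line")),
        ("db-01a", Behavior(Vector.GUEST_OS_INTEGRITY, "kernel", "integrity check failed")),
    ]
    alarms = [observe(scope, vm, b) for vm, b in events]
    return [a for a in alarms if a is not None]
```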

 

 

Change Rule Behavior

 

  1. Click on DB Tier
  2. Click on Rules
  3. Click on Edit

 

 

Review Rules of DB Tier

 

  1. Click on Rules
  2. Under Enforce Guest OS Integrity
    • Select Quarantine from drop-down list
    • Select Manually from drop-down list
  3. Click on UPDATE

This will change the default behavior for Guest OS Integrity issues to provide a manual Quarantine option for the VM using an NSX policy. The other remediation actions (e.g. Suspend, Power Off and Snapshot) are done directly at the vSphere/vCenter level.

 

 

Review Guest OS Integrity

 

You will notice that the remediation action in case of violation is to Quarantine the VM. To use the Quarantine action, AppDefense must be integrated with VMware NSX. In the next section, we will examine the NSX Security Group and Policy that are used for AppDefense.

 

Examine AppDefense Integration with NSX


In this section, we will explore the integration between AppDefense and NSX. We will review the NSX Security Group and Policy that are used for AppDefense.


 

Open vSphere Web Client

 

  1. Open new browser tab
  2. Click on vSphere - vCenter

 

 

Login to vSphere Web Client

 

  1. Enter administrator@corp.local as the user name
  2. Enter VMware1! as the password
  3. Click on Login

 

 

Access Networking and Security (NSX)

 

  1. Click on Menu
  2. Click on Networking and Security

 

 

Review NSX Security Tag

 

  1. Click on Groups and Tags
  2. Click on Security Tags
  3. Search for "appdefense"

The AppDefense.AnomalyFound (Security Tag) was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation.

 

 

Review Security Group and Policy

 

  1. Click on Service Composer
  2. Click on Security Groups
  3. Click on AppDefense Quarantine Group

The AppDefense Quarantine Group was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation. No VM is currently quarantined because there has been no Guest OS Integrity violation.

 

 

Review AppDefense Quarantine Policy

 

  1. Click on Security Policies
  2. Click on AppDefense Quarantine Policy

The AppDefense Quarantine Policy was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation.

 

 

View Firewall Rules

 

  1. Click on Firewall Rules

When there is a violation of Guest OS Integrity, these firewall rules will be applied to the quarantined VM.

 

Attack the Application and Validate Automated Response


Now that you have defined the intended state of your application, you will use tools provided to attack the application and observe the results.


 

Brief Workflow

At this point, you have reviewed the installation of AppDefense and its integration with NSX and vCenter. You have created a security scope and added the web and db services to it.

In addition, we modified the Guest OS Integrity rule of the DB service so that a manual action is required before the VM is quarantined by the NSX policy that AppDefense built automatically.

In this section, we will generate an outbound network connection attempt, which will raise an alarm against our security scope. Then we will use scripts to simulate attacks on the kernel-level and host-level AppDefense modules. Once the attacks are executed, we will validate the alarms in AppDefense Manager and perform a Quarantine of the VM. Finally, we will test to ensure the DB VM is isolated.

 

 

Access DB-VM

 

  1. Return to the desktop and double-click on DB-Tier.rdp

DB-Tier.rdp will provide remote desktop access to the application's DB-VM.

 

 

Open TCP Connection on DB-VM

 

  1. Double-click on Open TCP Connection.cmd on the desktop of DB-VM

Open TCP Connection.cmd will run a script to simulate an outbound connection.

 

 

Run Script for TCP Connection

 

  1. Click on Run

 

 

 

Run Script Once for TCP Connection

 

  1. Enter R to run the script

The script executed the following command in an attempt to simulate an outbound connection:

powershell -File Open-TCP-Connection.ps1 -dest www.google.com -port 443

As this attempt is an unauthorized outbound connection, the command prompt shows a "Timeout!" output. We will return to AppDefense Manager to review the events that were captured by this attempt.

 

 

Minimize RDP to DB-VM

 

  1. Click on Minimize icon to return to Main Console

 

 

Access Alerts on AppDefense Manager

 

  1. Access AppDefense Manager
    • Log in to AppDefense Manager again if you have been logged out
  2. Click on Alerts
  3. Review the alerts generated in the right pane
  4. If you don't see any alerts under the Uncleared Alerts pane, click the Refresh icon. It may take a while for the alerts to appear.

 

 

Clear the alerts  

 

Although the unauthorized outbound connection is benign, it is not a permitted behavior on the DB-VM. Hence we will not allow the behavior to be added to the intended state of the DB-VM in AppDefense Manager. This way, we will be alerted again if anyone attempts another unauthorized outbound connection.

Next, we will clear the unauthorized outbound connection alerts triggered from the previous steps.

  1. Check the newly triggered alerts
  2. Click on the Actions menu and select Clear the alerts

 

 

Clear Alerts

 

  1. Click on CLEAR

 

 

Access DB-VM

 

  1. Click on existing DB-Tier.rdp connection

 

Return to the DB-VM.

 

 

Perform OS Integrity Attack on DB-VM

 

  1. Double-click on OS Integrity Attack.cmd on the desktop of DB-VM
  2. OS Integrity Attack.cmd will execute scripts to do the following:
    • Install GIRogue on DB-VM
    • Run the GIRogue service on DB-VM
    • Attack the OS Integrity of DB-VM

 

GIRogue is a process that can be used to simulate different attacks at both the Guest and Host level. The details and specifics of this tool are beyond the scope of this lab.

 

 

Run Script for OS Integrity Attack

 

  1. Click on Run

 

 

 

Review Script Output

 

Two Command Prompt windows will appear. You may need to expand the Command Prompt windows to see the outputs of the scripts.

 

OS Integrity Attack.cmd executed scripts to do the following:

  1. GIRogue is installed successfully
  2. GIRogue service is running
  3. OS Integrity of DB-VM is being attacked and compromised successfully

 

 

 

View Alerts on AppDefense Manager

 

  1. Click on Minimize icon to return to Main Console

 

 

Review Alerts

 

  1. Click on AppDefense Manager
  2. Click on Alerts

 

 

Select Alert

 

  1. Click on Refresh icon if there is no alert - it may take a while for the alert to appear
  2. Click on newly triggered alert

 

 

Select Alert Details

 

  1. Click on Alert ID

Note that your Alert ID may be different.

 

 

Review Alert

 

You will be able to see the details of the Alert on this page.

 

 

Quarantine DB-VM from AppDefense Manager

 

  1. Click on ACTIONS
  2. Click on Quarantine

 

 

Confirm Quarantine of DB-VM

 

  1. Click on QUARANTINE

 

 

Review Alerts

 

You will notice that the remediation status is shown as "Queued: Appdefense- Quarantine". It may take a while for the remediation to be completed.

  1. Click on Alerts

 

 

Review Quarantined DB-VM on NSX Manager

 

  1. Click on Refresh icon if the remediation status is shown as "Queued: AppDefense- Quarantine" - it may take a while for the event to appear

Once the Last Remediation Action is shown as "Action taken: Appdefense - Quarantine", we can proceed to the next step.

 

 

Review Service Composer

 

  1. Click on vSphere Web Client tab
  2. Click on Service Composer
  3. Click Security Groups
  4. Click on AppDefense Quarantine Group

 

You will notice that db-01 is being quarantined.

 

 

Access Web Portal

 

  1. Open new browser tab
  2. Click on Home

 

 

Website Encountered An Error

 

You will notice that the website encountered an error and cannot be loaded. This is because the DB-VM is being quarantined.

 

 

Remove Quarantine of DB-VM

 

  1. Return to vSphere Web Client - Networking and Security
  2. Click on Groups and Tags
  3. Click on Security Tags
  4. Search for "appdefense"
  5. Check AppDefense.AnomalyFound
  6. Click on DETACH VM

 

 

Detach Security Tag from DB-VM

 

  1. Select db-01
  2. Click on Right-Arrow icon
  3. Click on OK

 

 

Verify No VM in Security Tag

 

You will notice VM Count is 0. This means that DB-VM has been removed from the quarantine. Let's try and access the Web Portal now.

 

 

 

Return to Web Portal

 

  1. Click on 192.168.110.175 browser tab
  2. Click on Refresh icon

 

 

Refresh Web Portal

 

With the DB-VM removed from quarantine, the website loads properly as seen in the screenshot above.

 

Upgrade Application Component


In this section, we will examine how upgrades of application components are identified and processed with the AppDefense platform.


 

Access Web-Tier Services in AppDefense

 

  1. Click on AppDefense Manager browser tab
  2. Click Scopes
  3. Click on Corde's Cords App

 

 

  1. Click Services
  2. Click on Web Tier
  3. Search for python3
  4. Click on python3

 

 

Review Python3 Behavior

 

Take note of the MD5 and SHA256 hash values. These hash values will change after we upgrade Python3.

 

 

Install Latest Python3 on Web-VM

 

  1. Return to the desktop and double-click on Install Python on WEB-Tier

 

 

 

Python Upgrade

 

You will notice that Python3 version 3.5.1 is currently installed on Web-VM. This script will upgrade Python3 from version 3.5.1 to 3.6.8 on Web-VM.

 

 

Attempt Outbound Connection for Python 3 in Web-VM

 

  1. Return to the desktop and double-click on Outbound for Python on WEB-Tier

 

 

 

Outbound Connection Initiation

 

The Putty session will run a script in Web-VM. The script runs for about a minute and does the following:

 

IMPORTANT: Do not close the Putty Session until prompted to "Press Enter to close this putty session". 

 

 

View Events on AppDefense Manager

 

  1. Click on AppDefense Manager
  2. Click on Events
  3. Click Upgrade

 

 

Refresh UI

 

  1. Click on Refresh icon if there is no upgrade event - it may take a while for the event to appear

When the upgrade event appears, you will see that AppDefense has captured the Python3 upgrade from version 3.5.1 to 3.6.8 on Web-VM.

 

 

Review Python3 Behavior

 

  1. Click on Scopes
  2. Click on Corde's Cords App

 

  1. Click Services
  2. Click on Web Tier
  3. Search for python3
  4. Click on python3

 

 

Verify Hash Value

 

You will notice the Hash values of MD5 and SHA256 have changed. This is because the version of Python3 has changed from version 3.5.1 to 3.6.8. The Hash values are based on the current version (3.6.8) of Python3 installed on Web-VM.

 

 

Verify Old Version of Python3

 

  1. Click on drop-down list to choose the different Python3 versions
  2. Click on older date and time if you wish to see details of the previous version of Python3

You will be able to see the Hash values based on the older version (3.5.1) of Python3.
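The hash-tracking behaviour shown in this section (note the hashes before the upgrade, see them change afterwards, and select the older version by date and time), as an added Python example that is not VMware's code. The binary contents, version strings and timestamps are constructed stand-ins for the two python3 builds on Web-VM; the names ServiceBehavior, observe and at, and the rule that a new hash with an unchanged version string is reported as an "Unexpected change" rather than an "Upgrade", are this example's own assumptions.

```python
"""Hash-based tracking of a service binary across an upgrade (added example, not VMware code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


def hash_binary(data: bytes) -> dict:
    """MD5 and SHA256 of a binary image, the two hashes the lab displays."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


@dataclass(frozen=True)
class Snapshot:
    seen: datetime     # when this version was first observed
    version: str
    md5: str
    sha256: str


class ServiceBehavior:
    """Learned state of one process (e.g. python3 in Web Tier) with version history."""

    def __init__(self, name: str):
        self.name = name
        self.history: List[Snapshot] = []

    @property
    def current(self) -> Optional[Snapshot]:
        return self.history[-1] if self.history else None

    def observe(self, data: bytes, version: str, seen: datetime) -> Optional[dict]:
        """Record the binary as seen; return an event only when its hashes changed."""
        h = hash_binary(data)
        prev = self.current
        if prev and prev.sha256 == h["sha256"] and prev.md5 == h["md5"]:
            return None  # intended state unchanged, nothing to report
        self.history.append(Snapshot(seen, version, h["md5"], h["sha256"]))
        if prev is None:
            return {"type": "Learned", "process": self.name, "version": version}
        # Example's own policy: a new hash with the same version string is suspicious
        kind = "Upgrade" if version != prev.version else "Unexpected change"
        return {"type": kind, "process": self.name,
                "from_version": prev.version, "to_version": version,
                "from_sha256": prev.sha256, "to_sha256": h["sha256"]}

    def at(self, seen: datetime) -> Optional[Snapshot]:
        """Hashes that were current at a given time (the older date in the drop-down)."""
        match = [s for s in self.history if s.seen <= seen]
        return match[-1] if match else None


# Constructed stand-ins for the two python3 binaries and observation times
PY_351 = b"python3 3.5.1 " + bytes(range(64))
PY_368 = b"python3 3.6.8 " + bytes(range(64, 128))
T_BEFORE = datetime(2020, 3, 26, 9, 0)
T_UPGRADE = datetime(2020, 3, 26, 10, 30)


def run_upgrade_scenario() -> dict:
    """Replay the lab: learn 3.5.1, see it run unchanged, then upgrade to 3.6.8."""
    py = ServiceBehavior("python3")
    learned = py.observe(PY_351, "3.5.1", T_BEFORE)
    unchanged = py.observe(PY_351, "3.5.1", T_BEFORE)
    upgrade = py.observe(PY_368, "3.6.8", T_UPGRADE)
    return {"learned": learned, "unchanged": unchanged, "upgrade": upgrade,
            "old": py.at(T_BEFORE), "new": py.current}


if __name__ == "__main__":
    r = run_upgrade_scenario()
    print(r["upgrade"]["type"], r["upgrade"]["from_version"], "->", r["upgrade"]["to_version"])
    print("old sha256:", r["old"].sha256[:16], "new sha256:", r["new"].sha256[:16])
```

The version history is what makes the older hashes selectable after the upgrade: nothing is overwritten, so a reviewer can still compare the 3.5.1 hashes with the 3.6.8 ones, and a hash change that arrives without a matching version change stands out as something to investigate rather than an expected upgrade.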

 

Conclusion


In this module, you went through the basic workflow of creating/deleting security scopes, service definitions and remediation policies. You then simulated an attack on a test application and observed VMware AppDefense quarantine the virtual machine using VMware NSX security policies. Finally, you upgraded an application component to see how AppDefense deals with upgrade scenarios in an intended state model.

If you would like more information on VMware's AppDefense, please check out our products page at: www.vmware.com/appdefense

You can proceed to any module in the lab below.

(15 minutes) - Basic - This module will walk you through the structure of the platform.

(45 minutes) - Basic - This module will walk you through the creation of a security scope. Secondly, you will monitor the application after  various attacks have been made. Finally, you will perform remediation, quarantine, and upgrade actions.

If you want to download the manual for this or any other Hands on Lab, please visit http://docs.hol.vmware.com


 

How to End your Lab

 

  1. To end your lab, click END

 

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2042-01-NET

Version: 20200326-221046