Understanding the vGW Series Introspection Module

The Introspection module of the vGW Security Design VM lets you monitor the software installed in your virtual infrastructure, in all MS Windows virtual machines (VMs) and in all Linux VMs that support the RPM package manager. Without installing endpoint software in the guest VMs, vGW Series can determine which applications are installed and the operating system type (for example, for MS Windows: XP, 2003, and so on), and it can identify registry values and any applied updates (hotfixes).

When the system scans for installed applications on MS Windows systems, it also scans registry information. The vGW Security VM performs most of the scans. Because the vGW Security VMs are responsible for most of the scanning, scalability concerns are lessened, the process is faster, and the introduction of new security risks is avoided.

For Introspection, the vGW Series centralizes the scanning engine to limit disk, disk IO, memory, and CPU consumption, and to distribute the load across all parts of the system. However, both the vGW Security Design VM and the vGW Security VM engage in the process. That is, by default the scan is performed by the vGW Security VM, but it is possible to scan a VM on which the vGW Security VM is not installed. In this case, the scan is performed by the vGW Security Design VM and access to the ESX/ESXi host on TCP port 902 is required.

The Introspection module relies on taking a snapshot of a VM and analyzing it. This method guarantees that there is no adverse impact on the active VM during the scan. After the scan is complete, the snapshot is deleted immediately.

The scan does not use network packets to probe applications in the VM. Rather, it uses native VMware interfaces to examine the disk contents. This enables a fast and accurate scan. It takes only a few seconds for vGW Series to analyze the installed applications.

The ability to determine exactly which applications are installed allows the security policy for those VMs to be precise and dynamically applied. For example, you can analyze the VMs to determine which ones are running the Apache Web server. You can then place those VMs in a Smart Group and give it a name such as “webservers”. You can configure this policy group to allow communication through HTTP/HTTPS. For details on Smart Groups, see Understanding vGW Series Smart Groups. For details on Policy Groups, see Understanding and Using the vGW Series Firewall Module.

The Introspection module makes it possible for you to assess applications that are installed in the environment that are secured, and those that are required but are missing. For example, you can quickly identify VMs that do not have a vGW Endpoint, if the Endpoint is required. You can quarantine these VMs with a restrictive firewall policy.

Although the Introspection feature is not intended to replace a patch management solution, you can use its capabilities in this area to determine if certain hotfixes are missing. You can then quarantine the hosts without the required hotfixes until the patch management solution deploys the proper updates.

The vGW Security Design VM groups the introspection results by type (application, operating system, and hotfix). It provides graphical summary comparisons and detailed statistics about the installed software in table format.

Warning: TCP Port 902 must be open between the vGW Security Design VM and the ESX/ESXi hosts for Introspection to work properly.
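The following preflight check is an added example, not part of the vGW product or its documentation. It tests whether TCP port 902 is reachable on each ESX/ESXi host and separates a refused connection from a silently dropped one. It assumes it is run from a machine on the same network path as the vGW Security Design VM, and the host addresses in it are constructed placeholders.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

INTROSPECTION_PORT = 902  # TCP port the page requires toward ESX/ESXi hosts


def probe(host, port=INTROSPECTION_PORT, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: reachable, but nothing is listening.
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall dropping the traffic.
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        # For example "no route to host" or "network unreachable".
        return "unreachable"


def preflight(targets, timeout=3.0):
    """Probe every (host, port) target in parallel; return {target: state}."""
    targets = list(targets)
    if not targets:
        return {}
    with ThreadPoolExecutor(max_workers=min(16, len(targets))) as pool:
        states = pool.map(lambda t: probe(t[0], t[1], timeout), targets)
        return dict(zip(targets, states))


def blocked(results):
    """Targets that a scan relying on this port could not reach."""
    return sorted(t for t, state in results.items() if state != "open")


if __name__ == "__main__":
    # Constructed sample inventory (documentation-range addresses).
    hosts = ["192.0.2.10", "192.0.2.11"]
    results = preflight((h, INTROSPECTION_PORT) for h in hosts)
    for (host, port), state in results.items():
        print(f"{host}:{port} {state}")
    raise SystemExit(1 if blocked(results) else 0)
```

A "filtered" result points at a firewall rule between the two systems, while "refused" means the path is open but nothing is listening on the port.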

The Introspection screen includes the following tabs:
