Understanding the vGW Series Introspection Image Enforcer Feature

The vGW Security Design VM Introspection module provides a constellation of information that allows you to monitor the software installed in MS Windows and Linux guest virtual machines (VMs). It gives you deep insight into the state of a VM, the applications that communicate between VMs, and how they are used. It can tell you the operating system versions and the service patch versions that are installed on VMs. It presents this information about the installed software through graphical summary comparisons and detailed statistics in table format. To help you manage this large amount of information and to let you proactively classify applications, the vGW Series provides an Introspection feature called the Image Enforcer.

Central to the Image Enforcer feature is the concept of a Gold Image. A Gold Image is a template from which VMs are derived, but it can also be an active VM. The Gold Image template or VM candidate has a valid and desirable configuration. When it is identified as a Gold Image, the VM is elevated to the level of a model VM configuration.

You use the Enforcer Profiles tab to create a profile for a Gold Image. In the profile, you also specify the VMs to be compared against the Gold Image and parameters that qualify the comparison. You can allow VMs to deviate from the Gold Image in various ways.

When a template is used as a Gold Image, usually the VMs that are derived from it are compared against it. For example, you might want to determine how much and in what ways their configurations have been changed since they were instantiated from the template. However, you can specify any VMs to compare against a Gold Image, not only those that were derived from it.

You can direct the vGW Security Design VM to take certain actions based on the outcome of the comparison. For example, you can direct it to quarantine noncompliant VMs. Quarantined VMs are viewable in the Image Enforcer page and in the Main module’s Quarantine page. From the Quarantine page, you can, for example, release a quarantined VM and modify it to reinstate it as a valid VM, or perform other kinds of remediation. For details on the Main module’s Quarantine tab, see Understanding the vGW Series Main Module.

You can use the Image Enforcer tab to view a summary of the comparison results and gain an overall sense of the compared VMs’ conformance to the Gold Image. You can also view a bar graph specific to a particular VM to see the degree to which it conforms.

There are many ways in which to use the Image Enforcer feature:

Consider another case. Suppose you want to use a template whose configuration is approved by auditors for PCI compliance as a Gold Image and call that Gold Image PCI-Win-Template. You could then compare the VMs belonging to the Win-PCI-Servers and PCI-Desktop VM groups against the PCI-Win-Template Gold Image. As part of the comparison criteria, you might specify that applications classified as “known” are allowed. Although the Gold Image configuration does not contain them, a VM whose configuration contains these known applications would not be considered noncompliant.

vGW Series automatically creates a compliance rule for each Gold Image that is a template. By default, it inspects the VMs derived from the Gold Image, and it generates an alert when the compliance state changes.
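As an added illustration of the comparison logic described above (this is not vGW Series code; the inventories, the known-application list and the function names are assumptions made for the example), the following Python evaluates a VM group against a Gold Image, tolerates extra applications classified as known, quarantines noncompliant VMs, and raises an alert only when a VM's compliance state changes between scans:

```python
from dataclasses import dataclass

# Constructed sample data (package name -> version); not data from any real system.
GOLD_IMAGE = {"openssh-server": "8.2p1", "nginx": "1.18.0", "ntp": "4.2.8"}
# Applications the profile classifies as "known": tolerated on a VM even though
# the Gold Image does not contain them (assumed policy input for this example).
KNOWN_APPS = {"vim", "htop"}
VM_GROUP = {
    "pci-srv-01": {"openssh-server": "8.2p1", "nginx": "1.18.0", "ntp": "4.2.8", "vim": "8.1"},
    "pci-srv-02": {"openssh-server": "8.2p1", "nginx": "1.16.1", "ntp": "4.2.8", "netcat": "1.10"},
}

@dataclass
class Comparison:
    compliant: bool
    conformance_pct: float   # the per-VM "degree of conformance" shown as a bar graph
    deviations: list         # (kind, package, gold_version, vm_version)

def compare_to_gold(vm_inventory, gold=GOLD_IMAGE, allow_known=True, known=KNOWN_APPS):
    """Compare one VM's installed software with the Gold Image.
    Deviations are missing packages, version drift, and extra packages; an extra
    package classified as 'known' is tolerated when allow_known is set."""
    deviations = []
    for name, ver in gold.items():
        if name not in vm_inventory:
            deviations.append(("missing", name, ver, None))
        elif vm_inventory[name] != ver:
            deviations.append(("version", name, ver, vm_inventory[name]))
    for name, ver in vm_inventory.items():
        if name not in gold and not (allow_known and name in known):
            deviations.append(("extra", name, None, ver))
    # Conformance: share of Gold Image packages present at the expected version.
    matching = sum(1 for n, v in gold.items() if vm_inventory.get(n) == v)
    pct = round(100.0 * matching / len(gold), 1) if gold else 100.0
    return Comparison(not deviations, pct, deviations)

def evaluate_group(group, previous_state):
    """Scan a VM group. Returns per-VM results, the VMs to quarantine, and alerts
    raised only for VMs whose compliance state differs from the previous scan."""
    results, quarantine, alerts = {}, [], []
    for vm, inventory in group.items():
        res = compare_to_gold(inventory)
        results[vm] = res
        if not res.compliant:
            quarantine.append(vm)
        if vm in previous_state and previous_state[vm] != res.compliant:
            alerts.append(f"{vm}: compliance changed to {res.compliant}")
    return results, quarantine, alerts
```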

You can specify when the vGW Series should scan the VMs. You can set up a scan to take place when specific events occur or based on a defined schedule that you create using the Scheduling tab. You can also limit the number of concurrent scans.
