Understanding the vGW Series Introspection Module

The vGW Security Design VM Introspection module lets you monitor the software installed on guest virtual machines (VMs) in your virtual infrastructure. It supports all MS Windows VMs and those Linux VMs that use the RPM package manager. Without installing endpoint software in the guest VMs, vGW Series can determine which applications are installed, the operating system type and version (for MS Windows, for example, XP or 2003), registry values, and any applied updates (hotfixes).

Note: Because not all Linux distributions use RPM, refer to the Juniper JTAC Knowledge Base for the most current list of supported Linux VMs.

When the system scans a MS Windows VM for installed applications, it also scans the VM's registry. The vGW Security VM performs most of the scans.

For Introspection, vGW Series centralizes the scanning engine in the vGW Security VMs. This limits the disk I/O, memory, and CPU consumed by scanning and distributes the load across the responsible vGW Security VMs. Because the vGW Security VMs do most of the scanning, the process scales better, runs faster, and introduces no new software (and therefore no new attack surface) into the guest VMs. Both the vGW Security VM and the vGW Security Design VM can take part in scanning: by default the vGW Security VM on the host performs the scan, but a VM on a host where no vGW Security VM is installed can be scanned by the vGW Security Design VM instead.

Warning: TCP Port 902 must be open between the vGW Security Design VM and the ESX/ESXi hosts for Introspection to work properly if the vGW Security Design VM is performing it.
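A pre-flight check for that requirement, added here as an example (it is not part of the vGW documentation or product): run it on the vGW Security Design VM, or on any host with bash and the coreutils `timeout` command, giving it your ESX/ESXi host names. The host names in the usage comment are placeholders, and the check only tells you that a TCP connection to port 902 completes, not that the VMware service behind it accepts the Security Design VM's credentials.

```bash
#!/usr/bin/env bash
# Pre-flight check: verify that TCP port 902 is reachable from this machine
# (intended: the vGW Security Design VM) on each ESX/ESXi host.
# Added example; not vGW code. Host names are placeholders.
set -u

# Return 0 if a TCP connection to host:port succeeds within $timeout seconds,
# nonzero otherwise. Uses bash's /dev/tcp so no netcat is required.
check_tcp_port() {
    local host="$1" port="$2" timeout="${3:-3}"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        # Without coreutils timeout, fall back to the kernel's connect timeout.
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Check every host given as an argument against one port. Prints one PASS/FAIL
# line per host and returns the number of hosts that could not be reached.
check_hosts() {
    local port="$1"; shift
    local failed=0 host
    for host in "$@"; do
        if check_tcp_port "$host" "$port"; then
            printf 'PASS %s:%s\n' "$host" "$port"
        else
            printf 'FAIL %s:%s\n' "$host" "$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage (placeholder hosts):
#   ./check-902.sh esx01.example.com esx02.example.com
# The exit status is the number of hosts that failed, so it can gate an
# Introspection rollout in a script.
if [ "$#" -gt 0 ]; then
    check_hosts 902 "$@"
else
    echo "usage: $0 esx-host [esx-host ...]" >&2
fi
```

Run it before enabling Security Design VM scanning of hosts that have no vGW Security VM; a FAIL line means a firewall or routing problem between the Security Design VM and that host, which is what the warning above describes.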

The Introspection module takes a snapshot of the VM and analyzes the snapshot rather than the live disk, so the scan does not modify or interfere with the running VM. After the scan completes, the snapshot is deleted immediately. (As with any VMware snapshot, creating and removing it briefly stuns the VM and consumes datastore space, so plan scan schedules for large or busy VMs accordingly.) Introspection is supported in both IPv4 and IPv6 environments: vGW Series can mount disks that belong to VMs with either an IPv4 or an IPv6 address bound to them.

The scan does not send network packets to probe applications in the VM. Instead, it uses native VMware interfaces to examine the disk contents, which makes the scan fast and accurate: vGW Series needs only a few seconds to analyze the installed applications.

The ability to determine exactly which applications are installed lets you apply precise security policy to those VMs dynamically. For example, you can analyze the VMs to find the ones running the Apache Web server, place them in a Smart Group named, for example, “webservers”, and configure that Smart Group with a policy that allows HTTP/HTTPS communication.

The Introspection module also lets you assess which applications are installed in the environment and which required applications are missing. For example, if the vGW Endpoint is required, you can quickly identify VMs that do not have it and quarantine them with a restrictive firewall policy.

Although Introspection is not intended to replace a patch management solution, you can use it to determine whether specific hotfixes are missing and then quarantine the VMs that lack them until the patch management solution deploys the required updates.

The vGW Security Design VM groups the introspection results by type (application, operating system, and hotfix) and provides graphical summary comparisons as well as detailed statistics about the installed software in table format.

The Introspection page includes the following tabs:

Related Documentation