NETWORK AND SECURITY IMPLICATIONS OF VIRTUALIZATION
Server virtualization delivers many benefits, including lower hardware maintenance and energy costs, recovered data center floor space, higher availability, reduced disaster recovery costs, faster server deployments, maximized server capacity and increased flexibility for development and test environments. However, enterprises migrating to virtualized server environments are discovering a number of network traffic visibility and security concerns that come with them.
Server Virtualization Concerns
Virtualization introduces new challenges for enterprises that need to monitor and secure virtual networks. Virtual machine-to-virtual machine (VM2VM) communications inside a physical server never cross a physical link, so traditional network and security devices (switch SPAN ports, IDS sensors, firewalls) cannot see them. This blind spot complicates problem identification and resolution and can erase the cost savings associated with virtual environments. Virtualization raises the following questions:
How do I:
- identify when a VM is generating an excessive amount of traffic?
- detect services offered by each VM?
- baseline the virtual network to better understand when anomalous traffic is introduced?
- secure VMs without introducing undue administrative burden and performance issues?
- detect unauthorized VM access?
- detect misconfigured firewalls within the virtual environment?
- monitor VMs that "travel" between physical machines?

What Can Be Done to Address These Concerns?
"VM behavioral analysis and monitoring is needed. NAC at VM connection only ensures [that VMs] comply to policy as they connect. A critical part of the NAC process is the ongoing observation of machine behavior to determine if the VM itself becomes compromised." - Gartner, March 6, 2007
Just as internal security and post-admission controls are necessary elements of any security strategy, so too are monitoring and securing virtual environments. Where VM2VM communication should not occur at all, as is often the case between workloads of different trust levels, only a monitoring tool with visibility into intra-host traffic can alarm on that activity, which can indicate VM compromise or a security policy violation such as unauthorized VM access. In addition, the ability to mitigate through the VM infrastructure itself offers efficient and expedient resolution of virtual network incidents.
| Virtualization Challenge | StealthWatch Solution |
|---|---|
| Identifying VMs consuming excessive bandwidth | StealthWatch collects and analyzes NetFlow data to establish detailed breakdowns of traffic flows per virtual machine. Measurements include total byte counts, bps rates and Layer 4 (port and protocol) traffic breakdowns. |
| Detecting services consumed per VM | StealthWatch Port Profiling technology maps out all services in use on each virtual machine, enabling drill-down and policy configuration based on applications detected. |
| Baselining virtual networks to identify anomalous traffic | Over time, StealthWatch learns the behaviors of the individual VMs, creating a viewable baseline of behaviors that can be monitored for change using the StealthWatch Zone Policy Engine. |
| Securing VMs without introducing administrative overhead and latency | StealthWatch provides agentless monitoring of VM host behaviors. The performance impact of enabling NetFlow export on the host is negligible compared to the value provided. |
| Detecting unauthorized VM access | StealthWatch Zone Locking allows administrators to define virtual firewall rules that dictate appropriate access to virtual environments. |
| Verifying VM firewall configurations | StealthWatch customers use StealthWatch Flow Visualization to identify misconfigured firewall rules and ACLs based on NetFlow data coming directly from the virtual environment. |
| Monitoring VMs that "travel" between physical machines | Physical location of the host machine on which the VM resides is irrelevant to StealthWatch. NetFlow can be exported from anywhere in the network. |
How It Works
NetFlow records carry per-flow statistics (endpoints, ports, protocol, packet and byte counts) for the traffic between individual VMs. As such, NetFlow is well suited to monitoring the virtual infrastructure. VM2VM communications are summarized into a NetFlow PDU and sent out of the VM server across the network to the StealthWatch Xe for NetFlow collector. As flows arrive at the collector, StealthWatch performs behavior analysis to reveal network congestion issues, policy violations, worm outbreaks and other security and traffic-volume related incidents. A single StealthWatch Xe for NetFlow collector supports up to 1000 VM servers simultaneously.
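To make the collector side of this concrete, the following is an added example, not StealthWatch code and not taken from the original page. It builds a constructed NetFlow v5 PDU of the kind a VM host would export, parses it, and applies two of the checks the table above describes: flagging a VM whose outbound byte count exceeds a threshold, and flagging VM2VM flows between zones that the policy does not allow. The zone map, the allowed zone pairs, the byte threshold and the sample flows are all assumed values chosen for illustration.

```python
"""Parse NetFlow v5 PDUs exported by a VM host and run two checks over them:
1. per-VM outbound byte volume against a threshold (excessive traffic), and
2. a zone policy that lists which VM-to-VM zone pairs may communicate at all.
Added example; the zones, policy, threshold and sample flows are assumptions."""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, octets, first, last, ports, ...


def build_v5_pdu(flows, sys_uptime=60_000, unix_secs=1_700_000_000, seq=0):
    """Serialize (src, dst, proto, sport, dport, packets, octets) tuples into a
    NetFlow v5 PDU. Constructed here so the example runs offline; a real VM host
    would send this as a UDP payload to the collector."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, packets, octets in flows:
        body += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
            1, 2, packets, octets, sys_uptime - 5_000, sys_uptime,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


def parse_v5_pdu(data):
    """Decode a NetFlow v5 PDU into flow dicts, validating version and length first."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"PDU length {len(data)} != header-declared {expected}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


# Assumed zone map and policy for a small virtual network.
ZONES = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "db": ipaddress.ip_network("10.0.2.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}
ALLOWED = {("web", "db"), ("mgmt", "web"), ("mgmt", "db")}  # (source zone, destination zone)
BYTE_THRESHOLD = 50_000_000  # assumed per-VM outbound octets per reporting window


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def analyze(flows, allowed=ALLOWED, threshold=BYTE_THRESHOLD):
    """Return (excessive_talkers, policy_violations) for a batch of parsed flows."""
    octets_by_vm = defaultdict(int)
    violations = []
    for f in flows:
        octets_by_vm[f["src"]] += f["octets"]
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        # Any zone pair not listed explicitly is a violation; this includes
        # intra-zone VM2VM traffic, which no physical sensor would ever see.
        if pair not in allowed:
            violations.append({**f, "zones": pair})
    excessive = {vm: n for vm, n in octets_by_vm.items() if n > threshold}
    return excessive, violations


SAMPLE_FLOWS = [  # constructed sample: (src, dst, proto, sport, dport, packets, octets)
    ("10.0.1.10", "10.0.2.20", 6, 45012, 3306, 800, 120_000),        # web -> db MySQL: allowed
    ("10.0.9.5", "10.0.1.10", 6, 51000, 22, 300, 40_000),            # mgmt -> web SSH: allowed
    ("10.0.2.20", "10.0.1.11", 6, 38000, 22, 40, 6_000),             # db -> web SSH: not allowed
    ("10.0.1.10", "10.0.1.11", 6, 49200, 445, 2_000_000, 90_000_000),  # web -> web SMB, huge: both checks fire
]

if __name__ == "__main__":
    excessive, violations = analyze(parse_v5_pdu(build_v5_pdu(SAMPLE_FLOWS)))
    for vm, octets in excessive.items():
        print(f"EXCESSIVE  {vm} sent {octets} octets")
    for v in violations:
        print(f"VIOLATION  {v['src']}:{v['sport']} -> {v['dst']}:{v['dport']} zones={v['zones']}")
```

The length check in `parse_v5_pdu` matters in practice: a collector that trusts the header's record count without checking the datagram length will read past the buffer or silently drop records, and NetFlow is unauthenticated UDP, so anyone who can spoof the exporter's source address can feed it malformed PDUs.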