Anatomy of Virtual Server Visibility

Anatomy of Virtual Server Visibility

Hover over the diagram below for more information.
Virtual Machine Service Console StealthWatch FlowSensor vNic vSwitch VM Server SteathWatch FlowCollector Physical Network Uplink

Virtual Machine

A VM (Virtual Machine) is a virtualized operating system running within a single VM server. Many VMs may exist within a single VM server, each having a unique operating system and network configuration. For each VM, StealthWatch tracks:

  • Top IP conversations, source/destination hosts, and layer-4 services in use by the VM
  • Total bps to hosts outside the local VM server
  • Total bps rates to other VMs within the same VM server
  • VM state, mac and IP address(es), hostname(s), vNICs associated
  • Historical breakdowns of VM traffic by layer-4 port
 

Click on an image to enlarge.

Service Console

The "Service Console", also known as the "VMKernal Interface", is used for diagnostics and management of the VM Server itself. It is important to monitor and secure this aspect of the VM Server given the amount of power and control gained by an attacker once a Service Console is compromised. For each Service Console, StealthWatch tracks:

  • Connections to/from the Service Console port
  • Service Console traffic in bps, pps, and % of configured utilization threshold
  • Ports in use on the Service Console
  • VMotion events occuring across the Service Console port; VMotion flows are stored and made available in variety of reports
  • IP address and MAC in use by the Service Console

StealthWatch FlowSensor VE

The StealthWatch FlowSensor VE installs on the VM Server as a small, lightweight virtual network appliance. One FlowSensor is configured for each VM Server. Once provisioned, the FlowSensor begins sending small "flow records" out of the virtual environment, across the physical network to a "Flow Collector". The Flow Collector performs the heavy lifting of reporting, analysis, and storage of information about the virtual network; freeing the VM Server to deal with production traffic

The StealthWatch FlowSensor VE:

  • Installs as a 150MB VMware OVF image
  • Is a VMware certified virtual network appliance
  • Has a 512MB maximum memory consumption
  • Promiscuosuly captures communications between VMs; recording vNIC statistics in the process
  • Is low I/O, almost no physical disk usage (for diagnostic logging and packet captures only)
  • Exports Lv9 to the StealthWatch Flow Collector

Click on an image to enlarge.

vNic

A VM may have one or more Virtual Network Interface Cards (vNICs). StealthWatch provides configuarble thresholds for bandwidth utilization alerting and tracks a variety of statistics per vNIC, including:

  • vNIC MAC and IP address(es)
  • DSCP reporting (for QoS)
  • Top IP conversations, source/destination hosts, and layer-4 services inbound/outbound from the associated VM
  • Historical breakdowns of traffic by layer-4 port inbound/outbound of the vNIC
  • Graphical breakdown of bps, pps, and % utilization per vNIC

Click on an image to enlarge.

vSwitch

One or more Virtual Switches (vSwitches) are configured within the VM Server to allow for segmentationof traffic across different subnets and vLAN assignments. The StealthWatch FlowSensor VE, a small, lightweight virtual network appliance to be installed per VM Server, captures all communications that traverse the vSwitches.

VM Server

Each VM Server houses one or more VMs running Linux, Windows, and a variety of other operating systems and/or virtual appliances. For each VM Server, StealthWatch tracks:

  • Top IP conversations, source/destination hosts, and layer-4 services in use by the VM Server
  • Total bps to hosts outside the local VM Server
  • Total bps rates between local hosts within the VM Server
  • Historical breakdowns of VM Server traffic by layer-4 port
  • # unique IP addresses sourced from within this VM Server
  • # active vNICs within the VM Server
  • VM state summary report (on/off/suspended)

Click on an image to enlarge.

SteathWatch FlowCollector

Lancope's StealthWatch FlowCollector is a 1U or 2U network appliance that installs outside of the virtual environment ensuring that flow processing and storage occurs "out-of-band" of production. Flows are exported from the FlowSensor VE virtual applicance across the physical network to StealthWatch FlowCollector.

Combined with the StealthWatch Management Console, the StealthWatch FlowCollector provides over 180 customizable reports designed to illustrate every aspect of the virtual network environment.

 

Click on an image to enlarge.

Physical Network Uplink

The VM Server is connected to the Physical Network through an Uplink consisting of one or more 100Mbps or 1Gbps Ethernet cables. StealthWatch provides detailed insight into the Uplink connection for each VM Server.

Additionally, StealthWatch is designed to monitor physical network switches and routers surrounding the virtual server environment. Virtual network vSwitches are shown along side traditional network infrastructure such as Cisco Catalyst 6500 or Brocade (Foundry) ServerIron switch.

Click on an image to enlarge.