
NetFlow and Visibility in the Virtual Environment
With so much talk about securing communications within the virtual environment and potential hypervisor-based attacks, we sometimes forget about the visibility problem within the virtual environment.
Today’s blog is about just that. Visibility!
We’ve all probably heard the sayings that it’s hard to secure what you can’t see and that understanding your environment is the first step to security. Well, with virtualization, understanding what’s going on in your virtual environment is even more of a challenge. Because virtual switches are not as feature-rich as physical switches, we are left unable to do many of the things we’ve done in the physical world that enable visibility. One of the features that exists in physical switches and is commonly used as a security and visibility tool is NetFlow.
Over the past week or so I’ve begun speaking with VMWare customers and NetFlow-enabled vendors like Mazu Networks (who has an awesome product), and they both have been struggling to figure out an elegant way of gaining visibility into the VM-to-VM communication within the virtual infrastructure. You see, in the physical world people turn on NetFlow on their switches so that they can do reporting and behavioral analysis, but in the virtual world there is no NetFlow-enabled virtual switch (at least not until now – I’ll get to that in a moment).
So for companies like Mazu Networks and Lancope, and for their customer base that is migrating parts of their network to virtual networks, there exists a significant challenge to the business of behavioral-based analysis. Investment in tools that rely on NetFlow-enabled switches now starts to become obsolete for the parts of the network that are now virtual.
We’ve heard vendors to date talk about Virtual Patch Management, Virtual Firewall and Virtual IPS, but these talks leave customers confused about what they really need and don’t necessarily solve all of the security and visibility challenges they thought they had already addressed. Hmm.. Maybe what’s needed is the ability to enable all of these things. What about Virtual Behavioral Analysis! Wow, another Virtual Security product that we haven’t thought about! Maybe someone could just virtualize a Behavioral Analysis product and run it inside VMWare, put the word "Virtual" in front of the name of the technology and call it a day? Hmmm.. That’s probably not a good idea due to the performance impacts you could encounter. One of the biggest challenges with security is how to do all of the things we’ve done in the physical world in the virtual world without impacting performance.
So, back to visibility… NetFlow is a technology originally invented by Cisco in which a switch or router sends flow records (one record per conversation: source and destination addresses, ports, protocol, packet and byte counts) to a listening collector that does some data crunching on those flow records to give you a visual picture of the traffic in the network. With this data you can determine abnormalities in traffic patterns, see who the top talkers are in a network, and home in on which network applications are running in the environment. With this information you are better equipped with the right level of knowledge of the environment to start putting security controls in place. The problem is that it doesn’t exist in the virtual switch provided by VMWare, Citrix, etc.
So, how can we do NetFlow in the virtual environment so that we can have "Virtual Behavioral-Based Analysis"? Well, after looking into this problem and talking with NetFlow experts at Mazu Networks, Montego Networks has now enabled NetFlow in its Virtual Security Switch.
Here’s how it works:
VM1 is sending traffic to VM2, VM3 is sending traffic to VM9, and VM5 is sending traffic to the physical network. Well, for the VM-to-VM communication, any physical Mazu or Lancope boxes will have either no visibility or have to get creative and put a solution in place that’s not optimal or practical. Vendors in this space are also probably concerned about shrinking revenue if more of the physical network starts to erode away as virtual networks take off, and customers are probably concerned about investment in products that are no longer able to provide maximum value.
So as traffic enters Montego Networks’ Virtual Security Switch, we will send a flow record to a Mazu Networks or similar listening device on the physical network. Since we see VM-to-VM communication, we can extend this capability to 3rd parties by simply sending them a NetFlow record for them to analyze and tada! You have Behavioral Analysis for your virtual environment. Notice the NetFlow text in the graphic below. It depicts collecting data from the virtual servers and sending a NetFlow record somewhere.
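To make the export-and-collect exchange described above concrete, here is an added example (not Montego Networks’ or Mazu’s code, and not from the original post) that builds a NetFlow v5 datagram for the three flows in the VM1/VM3/VM5 scenario and then parses it the way a collector would, computing the top talkers and the application mix. It uses the public NetFlow v5 wire format (24-byte header, 48-byte records); the VM addresses, ports and byte counts are constructed sample values, and the collector side also checks that the record count matches the datagram length rather than trusting the header blindly.

```python
"""Minimal NetFlow v5 exporter and collector (added example; wire format per Cisco's v5 spec)."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 layouts, network byte order. Header: version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2.
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed flows matching the blog's scenario: VM1->VM2, VM3->VM9, VM5->physical network.
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 49152, "dport": 445, "proto": 6,
     "pkts": 1200, "octets": 900_000, "first_ms": 100, "last_ms": 900, "tcp_flags": 0x18},
    {"src": "10.0.0.3", "dst": "10.0.0.9", "sport": 49153, "dport": 3306, "proto": 6,
     "pkts": 300, "octets": 60_000, "first_ms": 200, "last_ms": 950, "tcp_flags": 0x18},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "sport": 53211, "dport": 53, "proto": 17,
     "pkts": 40, "octets": 4_000, "first_ms": 50, "last_ms": 980},
]


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def build_netflow_v5(flows, sys_uptime_ms, unix_secs, sequence, engine_id=1) -> bytes:
    """Exporter side: serialize up to 30 flow dicts into one NetFlow v5 datagram."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("a NetFlow v5 datagram carries 1..30 records")
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime_ms, unix_secs, 0,
                         sequence, 0, engine_id, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    ip_to_int(f["src"]), ip_to_int(f["dst"]), 0,  # nexthop 0: L2 vswitch
                    f.get("input_if", 0), f.get("output_if", 0),
                    f["pkts"], f["octets"], f["first_ms"], f["last_ms"],
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                    0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def parse_netflow_v5(data: bytes):
    """Collector side: decode a datagram into (header dict, list of record dicts).
    Malformed input is rejected instead of being indexed by the untrusted count field."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated NetFlow header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "sequence": seq, "engine_id": eid}
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append({"src": int_to_ip(r[0]), "dst": int_to_ip(r[1]),
                        "pkts": r[5], "octets": r[6], "first_ms": r[7], "last_ms": r[8],
                        "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return header, records


def top_talkers(records, n=5):
    """Bytes sent per source address, largest first: the 'who talks most' view."""
    octets = defaultdict(int)
    for r in records:
        octets[r["src"]] += r["octets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def application_mix(records):
    """Flow count per (protocol, destination port): a rough map of services in use."""
    mix = defaultdict(int)
    for r in records:
        mix[(r["proto"], r["dport"])] += 1
    return dict(mix)


if __name__ == "__main__":
    datagram = build_netflow_v5(SAMPLE_FLOWS, sys_uptime_ms=1000, unix_secs=1205000000, sequence=0)
    hdr, recs = parse_netflow_v5(datagram)
    print(hdr["count"], "records;", "top talkers:", top_talkers(recs))
    print("application mix:", application_mix(recs))
```

The exporter and collector are kept as plain functions so the datagram can be handed to a UDP socket on port 2055 (the conventional collector port) in a real deployment; nothing here opens a socket. The length check in the collector matters because a collector that trusts the header’s count field will read past the end of a short or crafted datagram.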
*** This is a Security Bloggers Network syndicated blog from Security In The Virtual World authored by JOHN PETERSON. Read the original post at: https://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/netflow-and-vis.html