Netflow visibility inside Virtual Environments

I blogged on this topic a few weeks ago but given the huge
interest in this topic I’ve decided to blog on it again. One of the major concerns in virtualized
environments is the lack of visibility of the communication between virtual
machines. With this lack of visibility a
number of challenges start to appear such as security, monitoring and capacity planning.  It’s hard to secure what you can’t see or don’t
know about and it’s hard to determine when you need to add more resources when
you don’t have a clear picture into what applications are consuming them.

This problem is widely known and as a result there are a few
companies that are starting to pop up that are building Virtual Network
Visibility tools. But should you buy yet
another tool to gain visibility into your Virtual Network communication when
you may already have a tool for your physical network? Should you have to have separate tools for
your physical network and virtual network?

One common method of gaining visibility into network
communication is through a technology called Netflow. Netflow was originally developed by Cisco
Systems but has since become a defacto standard for Network Monitoring and
Network Behavioral Analysis. Companies
such as Lancope, Mazu Networks, Plixer International and Arbor Networks all
have products that enable network visibility, monitoring and analysis. These tools typicaly take Netflow feeds from a switch of some sort.  Knowing that some of these tools may
have already been deployed in physical environments, IT staff will now need to
consider  whether or not to buy new
visibility tools to give them visibility into their virtual environment
communication or try and leverage existing solutions already deployed in their
physical environments.

Up until recently there has been no elegant way to export
Netflow records from virtual environments such as VMWare and as a result
companies have had consider purchasing new visibility tools that would often
antiquate their existing physical solutions. This is due to their migration from physical environments to virtual environments.

Montego Networks now has Netflow capability in its
HyperSwitch product which runs inside VMWare and enables security, visibility and control for the virtual environment by leveraging existing tools. Through its API’s and standards based methods
Montego can enable customers to leverage existing infrastructure purchases to
gain visibility and control within the virtual environment.

So, enough of the commercial and lets get on
to the technical meat of this new Netflow enablement within the virtual
environment.

Let’s say that you have a virtual machine that is infected
with a BOT and it is communicating to a Command and Control Site of a BOT-Army. How would you know this? Well, you could have a NetFlow tap at a
network switch close to your internet connection. But what if you have some sort of
communication between VM’s on a non standard port that you are not aware
of? Maybe a machine got infected and is
sending data from the database virtual machine to a web server virtual machine
and then feeding that info from the web server virtual machine to the internet. Your Netflow tap on the internet facing
switch would see traffic coming from the web server virtual machine to the
internet but wouldn’t see that data was being taken from the database, put on
the web server and then fed out to the internet. Kinda tricky to hunt this problem down isn’t it?

So, whats needed is Netflow all the way into the virtual
environment so that it can be fed to the same tools in your physical
environment for easy correlation.

Take a look at the attached screen shot which shows Lancope
and Montego Networks in action.

<—Click to Enlarge

With this level of visibility now you can see who is talking to who, when are they communicating and how much traffic is being consumed by which applications and which virtual machines.  This can now all be done by leveraging existing Netflow analytics tools.

This screen shot is showing flow data of Virtual Machines talking either to the Internet or to other virtual machines within the same environment.  You will notice from the flow data that one of the Virtual Machines has iTunes running on it.  An IT Administrator may have not sanctioned this or even know about it.  But with Flow records you can now see!  Like a new pair of glasses for your virtual environment.  With this visibility you can now go in to the Montego HyperSwitch and enable a firewall policy to block that iTunes traffic as an example.
 

Lancope is just one example here and its important to note that, because Netflow is a defacto standard for this type of visibility, other tools such as those from Mazu Networks, Plixer International and others can be used as well.  They all have their unique advantages and disadvantages but the point here is that dependent upon your prior network purchases in this area you will now be able to leverage existing tools vs. having to purchase new ones in many cases.

Check out Montego Networks at Networld Interop 2008 in the Lancope booth to see the solution in action!

John Peterson
CTO Montego Networks