ThreatARMOR Reduces Your Network’s Attack Surface

2014 saw the creation of more than 317 million new pieces of malware. That means an average of nearly one million new threats were released each day.

Here at Ixia we’ve been collecting and organizing threat intelligence data for years to help test the industry’s top network security products. Our Application and Threat Intelligence (ATI) research center maintains one of the most comprehensive lists of malware, botnets, and network incursions for exactly this purpose. We’ve had many requests to leverage that data in support of enterprise security, and this week you are seeing the first product that uses ATI to boost the performance of existing security systems. Ixia’s ThreatARMOR continuously taps into the ATI research center’s list of bad IP sources around the world and blocks them.

Ixia’s ThreatARMOR represents another innovation and an extension of the company’s Visibility Architecture, reducing the ever-growing attack surface of its customers’ global networks.

A network attack surface is the sum of every access avenue an individual can use to gain access to an enterprise network. The expanding enterprise security perimeter must address new classes of attack, advancing breeds of hackers, and an evolving regulatory landscape.

“What’s killing security is not technology, it’s operations,” stated Jon Oltsik, ESG senior principal analyst and the founder of the firm’s cybersecurity service. “Companies are looking for ways to reduce their overall operations requirements and need easy to use, high performance solutions, like ThreatARMOR, to help them do that.”

Spending on IT security is poised to grow tenfold in ten years. Enterprise security tools inspect all traffic, including traffic that shouldn’t be on the network in the first place: traffic from known malicious IPs, hijacked IPs, and unassigned or unused IP space. These devices, while needed, create more work than a security team could possibly handle. False positives consume an inordinate amount of time and resources: according to a Ponemon Institute report published in January 2015, enterprises spend approximately 21,000 hours per year on average dealing with false positive cyber security alerts. Reducing the attack surface lets you focus only on the traffic that actually needs to be inspected.

“ThreatARMOR delivers a new level of visibility and security by blocking unwanted traffic before many of these unnecessary security events are ever generated. And its protection is always up to date thanks to our Application and Threat Intelligence (ATI) program,” said Dennis Cox, Chief Product Officer at Ixia.

“The ATI program develops the threat intelligence for ThreatARMOR and a detailed ‘Rap Sheet’ that provides proof of malicious activity for all blocked IP addresses, supported with on-screen evidence of the activity such as malware distribution or phishing, including date of the most recent confirmation and screen shots.”

ThreatARMOR: your new front line of defense!

Additional Resources:

ThreatARMOR

Thanks to Ixia for the article.

The Network Design and Equipment Deployment Lifecycle

As we all know, technology has a life cycle of birth, early adoption, mainstream, and then obsolescence. Even the average consumer is very in touch with this lifecycle. However, within this overarching lifecycle there are “mini” lifecycles. One of these mini lifecycles that is particularly important to enterprises is the network design and equipment deployment lifecycle. This lifecycle is the basic roadmap of how equipment gets deployed within a company data network and a key topic of concern for IT personnel. While it’s its own lifecycle, it also aligns with the typical ITIL services of event management, incident management, IT operations management, and continual service improvement.

There are 5 primary stages to the network design and equipment deployment lifecycle: pre-deployment, installation and commissioning, assurance monitoring, troubleshooting, and decommissioning. I’ll disregard the decommissioning phase in this discussion as removing equipment is fairly straightforward. The other four phases are more interesting for the IT department.

The accompanying diagram shows a map of the four fundamental components within this lifecycle. The pre-deployment phase is typically concerned with lab verification of the equipment and/or point solution. During this phase, IT spends time and effort to ensure that the equipment/solution they are receiving will actually resolve the intended pain point.

During the installation and commissioning phase, the new equipment is installed, turned on, configured, connected to the network and validated to ensure that it is functioning correctly. This is typically the least costly phase in which to find set-up problems. If those initial set-up problems are not caught and eliminated here, it is much harder and more costly to isolate them in the troubleshooting phase.

The assurance monitoring stage is the ongoing maintenance and administration phase. Equipment is monitored on an as-needed or routine basis (depending upon component criticality) to make sure that it’s functioning correctly. Just because alarms have not been triggered doesn’t mean the equipment is functioning optimally. Changes may have occurred in other equipment or the network that are propagating into other equipment downstream and causing problems. The assurance monitoring stage is often linked with proactive trend analysis, service level agreement validation, and quality of service inspections.

Troubleshooting is obviously the reactionary portion of the lifecycle devoted to fixing equipment and network problems so that the network can return to an optimized, steady state condition. Most IT personnel are extremely familiar with this stage as they battle equipment failures, security threats and network outages due to equipment problems and network programming changes.

Ixia understands this lifecycle well, and it’s one of the reasons that it acquired BreakingPoint and Anue Systems during 2012. We have capabilities to help the IT department in all four aspects of the network design and equipment deployment lifecycle. These tools and services are aimed directly at key IT metrics:

  • Decrease time-to-market for solutions to satisfy internal projects
  • Decrease mean-time-to-repair metrics
  • Decrease downtime metrics
  • Decrease security breach risks
  • Increase business competitiveness

The exact solution to achieve customer-desired results varies. Some simple examples include the following:

  • Using the NTO monitoring switch to give your monitoring tools the right information to gain the network visibility you need
  • Using the NTO simulator to test filtering and other changes before you deploy them on your network
  • Deploying the Ixia Storm product to assess your network security and also to simulate threats so that you can observe how your network will respond to security threats
  • Deploying various Ixia network testing tools (IxChariot, IxNetwork) to characterize the new equipment and network during the pre-deployment phase

Additional Resources:

Ixia Solutions

Network Monitoring

Related Products

Ixia Net Optics Network Taps: Ixia Net Optics network taps provide access for security and network management devices.
Net Tool Optimizers: Out-of-band traffic aggregation, filtering, dedup, load balancing

Thanks to Ixia for the article.

Don’t Be Lulled to Sleep with a Security Fable. . .

Once upon a time, all you needed was a firewall to call yourself “secure.” But then, things changed. More networks are created every day, every network is visible to the others, and they connect with each other all the time—no matter how far away or how unrelated.

And malicious threats have taken notice . . .

As the Internet got bigger, anonymity got smaller. It’s impossible to go “unnoticed” on the Internet now. Everybody is a target.

In today’s network landscape, every network is under the threat of attack all the time. The network “security perimeter” has expanded in reaction to new attacks, new breeds of hackers, more regions coming online, and emerging regulations.

Security innovation tracks threat innovation by creating more protection—but this comes with more complexity, more maintenance, and more to manage. Security investment rises with expanding requirements. Just a firewall doesn’t nearly cut it anymore.

Next-generation firewalls, IPS/IDS, antivirus software, SIEM, sandboxing, DPI: all of these tools have become part of the security perimeter in an effort to stop traffic from getting in (and out) of your network. And they are overloaded, and overloading your security teams.

In 2014, there were close to 42.8 million cyberattacks (roughly 117,339 attacks each day) in the United States alone. These days, the average North American enterprise fields around 10,000 alerts each day from its security systems—way more than their IT teams can possibly process—a Damballa analysis of traffic found.

Your network’s current attack surface is huge. It is the sum of every access avenue an attacker could use to enter your network (or take data out of your network). Basically, every connection to and/or from anywhere.

There are two types of traffic that hit every network: The traffic worth analyzing for threats, and the traffic not worth analyzing for threats that should be blocked immediately before any security resource is wasted inspecting or following up on it.

Any way to filter out traffic that is either known to be good or known to be bad, and doesn’t need to go through the security system screening, reduces the load on your security staff. With a reduced attack surface, your security resources can focus on a much tighter band of information, and not get distracted by non-threatening (or obviously threatening) noise.
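The pre-filtering idea described here, and the reputation-based blocking with a per-address “Rap Sheet” described in the ThreatARMOR article above, can be shown as a small triage stage in code. This is an added example, not Ixia code or ATI data: the reputation prefixes, evidence records, bogon subset and flow records are all constructed for the illustration. Each source address is either dropped at the edge (known-bad, with an evidence record attached; or unassigned/unroutable space, which has no business being a source) or forwarded to the inspection tools, and the summary counts how much inspection load the filter removed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed reputation feed. Prefixes come from RFC 5737 documentation space and the
# "rap sheet" records are made up for the example; none of this is ATI data.
BAD_PREFIXES = {
    "198.51.100.0/24": {"category": "malware distribution", "last_confirmed": "2015-09-01"},
    "203.0.113.7/32": {"category": "phishing", "last_confirmed": "2015-08-28"},
}

# Address space that should never appear as a source on an Internet-facing link:
# a short, constructed subset of the usual bogon list (reserved and private ranges).
BOGON_PREFIXES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4"]

_BAD_NETS = [(ipaddress.ip_network(p), sheet) for p, sheet in BAD_PREFIXES.items()]
_BOGON_NETS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]


@dataclass
class Verdict:
    action: str                      # "block" or "inspect"
    reason: str
    evidence: Optional[dict] = None  # rap-sheet style record, only for reputation blocks


def classify(src_ip: str) -> Verdict:
    """Decide whether a source address is dropped before inspection or handed on."""
    addr = ipaddress.ip_address(src_ip)
    for net, sheet in _BAD_NETS:
        if addr in net:
            return Verdict("block", f"known-bad source in {net}", dict(sheet, ip=src_ip))
    for net in _BOGON_NETS:
        if addr in net:
            return Verdict("block", f"unassigned or unroutable source in {net}")
    return Verdict("inspect", "no reputation match; forward to inspection tools")


# Constructed flow records (src, dst, dst_port); 192.0.2.0/24 stands in for the protected network.
SAMPLE_FLOWS = [
    ("198.51.100.20", "192.0.2.10", 443),
    ("203.0.113.7", "192.0.2.11", 80),
    ("203.0.113.8", "192.0.2.11", 80),     # neighbour of a listed /32, not listed itself
    ("240.1.2.3", "192.0.2.12", 22),
    ("127.0.0.5", "192.0.2.12", 25),
    ("192.0.2.200", "192.0.2.13", 443),
    ("198.51.100.255", "192.0.2.14", 8080),
]


def triage(flows):
    """Split flows into those blocked at the edge and those forwarded for inspection."""
    blocked, forwarded = [], []
    for src, dst, port in flows:
        verdict = classify(src)
        (blocked if verdict.action == "block" else forwarded).append((src, dst, port, verdict))
    return blocked, forwarded


def summarize(flows) -> dict:
    """Count how much inspection load the pre-filter removed, split by reason."""
    blocked, forwarded = triage(flows)
    return {
        "total": len(flows),
        "blocked_reputation": sum(1 for *_, v in blocked if v.evidence is not None),
        "blocked_bogon": sum(1 for *_, v in blocked if v.evidence is None),
        "forwarded_for_inspection": len(forwarded),
    }


if __name__ == "__main__":
    for src, dst, port, v in triage(SAMPLE_FLOWS)[0]:
        print(f"BLOCK {src} -> {dst}:{port}: {v.reason}", v.evidence or "")
    print(summarize(SAMPLE_FLOWS))
```

The evidence record travels with the block decision so an analyst reviewing the drop can see why it happened, which is the point of the “Rap Sheet” described above; the bogon branch needs no evidence because the address could not legitimately be a source at all. In the constructed sample, five of seven flows never reach the inspection tools.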

Thanks to Ixia for the article.

The State of Enterprise Security Resilience – An Ixia Research Report

Ixia, an international leader in application performance and security resilience technology, conducted a survey to better understand how network security resilience solutions and techniques are used within the modern enterprise. While information exists on security products and threats, very little is available on how it is actually being used and the techniques and technology to ensure that security is completely integrated into the corporate network structure. This report presents the research we uncovered.

During this survey, there were three areas of emphasis exploring security and visibility architectures. One portion of the survey focused on understanding the product types and use. The second area of emphasis was on understanding the processes in use. The final area of emphasis was on understanding the people components of typical architectures.

This report features several key findings that include the following:

  • Many enterprises and carriers are still highly vulnerable to the effects of a security breach. This is due to failures to follow best practices, process issues, lack of awareness, and lack of proper technology.
  • Lack of knowledge, not cost, is the primary barrier to security improvements. However, typical annual spend on network security is less than $100K worldwide.
  • Security resilience approaches are growing in worldwide adoption. A primary contributor is the merging of visibility and security architectures. Additional data shows that life-cycle security methodologies and security resilience testing are also positive contributors.
  • The top two main security concerns for IT are data loss and malware attacks.

These four key findings confirm that while there are still clear dangers to network security in the enterprise, there is some hope for improvement. The severity of the risk has not gone away, but it appears that some are managing it with the right combination of investment in technology, training, and processes.

To read more, download the report here.

Thanks to Ixia for the article.

Don’t Miss the Forest for the Trees: Taps vs. SPAN

These days, your network is as important to your business as any other item—including your products. Whether your customers are internal or external, you need a dependable and secure network that grows with your business. Without one, you are dead in the water.

IT managers have a nearly impossible job. They must understand, manage, and secure the network all the time against all problems. Anything less than a 100 percent working network is a failure. There is a very familiar saying: Don’t miss the forest for the trees. Meaning don’t let the details prevent you from seeing the big picture. But what if the details ARE the big picture?

Today’s IT managers can’t miss the forest OR the trees!

Network visibility is a prime tool in properly monitoring your network. You need an end-to-end visibility architecture to truly see your network. This visibility architecture must reveal both the big picture and the smallest details to present a true view of what is happening in the network.

The first building-block to your visibility architecture is access to the data. To efficiently monitor a network, you must have complete visibility into that network. This means being able to reliably capture 100% of the network traffic under all network conditions.

To achieve this, devices need to be installed into the network to capture that data, using either “taps” or Switched Port Analyzer (SPAN) ports.

A tap is a passive splitting mechanism placed between two network devices. It provides a monitoring connection. Using taps, you can easily connect monitoring devices such as protocol analyzers, RMON probes and intrusion detection and prevention systems to the network. The tap duplicates all traffic on the link and forwards this to the monitoring device. Any monitoring device connected to a tap receives the same traffic as if it were in-line. This includes all errors. Taps do not introduce delay, or alter the content or structure of the data. They also fail open so that traffic continues to flow between network devices, even if you remove a monitoring device or power to the device is lost.

A SPAN port – also known as a mirroring port – is a function of one or more ports on a switch in the network. Like a tap, monitoring devices can also be attached to this SPAN port.

So what are the advantages of taps vs SPAN?

  • A tap captures everything on the wire, including MAC and media errors. A SPAN port will drop those packets.
  • A tap is unaffected by bandwidth saturation. A SPAN port cannot handle heavily used full-duplex links without dropping packets.
  • A tap is simple to install. A SPAN port requires an engineer to configure the switch or switches.
  • A tap is not an addressable network device. It cannot be hacked. SPAN ports leave you vulnerable.
  • A tap doesn’t require you to dedicate a switch port to monitoring. It frees the monitoring port up for switching traffic.
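The first two bullets above (errored frames and full-duplex saturation) can be made concrete with a simple model of both access methods over the same traffic. This is an added example, not Ixia material: the 1 ms trace is constructed, and the SPAN model is deliberately simplified to one egress port with no buffering across intervals. A tap exposes one monitor output per direction, so it forwards every byte; the SPAN port merges both directions onto a single port of the same line rate and never mirrors frames the switch has already rejected as invalid.

```python
from dataclasses import dataclass

# 1 Gbps is 125,000,000 bytes/s, so one 1 ms interval carries at most 125,000 bytes per direction.
PORT_BYTES_PER_MS = 125_000


@dataclass
class Interval:
    """Traffic on a full-duplex link during one 1 ms interval (constructed values)."""
    a_to_b: int        # bytes sent A -> B
    b_to_a: int        # bytes sent B -> A
    errored: int = 0   # bytes inside CRC-errored or undersized frames, already included above


def tap_copy(trace):
    """Passive tap: a monitor output per direction at line rate, so every byte reaches
    the tool, errored frames included. Returns (forwarded_bytes, dropped_bytes)."""
    return sum(i.a_to_b + i.b_to_a for i in trace), 0


def span_copy(trace, port_capacity=PORT_BYTES_PER_MS):
    """SPAN model: both directions are merged onto ONE egress port of fixed capacity and
    frames the switch rejects as invalid are never mirrored. Simplification: no egress
    buffering between intervals, so any interval whose mirrored bytes exceed the port
    capacity loses the excess. Returns (forwarded_bytes, dropped_bytes)."""
    forwarded = dropped = 0
    for i in trace:
        dropped += i.errored                    # invalid frames are not mirrored at all
        valid = i.a_to_b + i.b_to_a - i.errored
        if valid > port_capacity:               # combined directions exceed one port
            dropped += valid - port_capacity
            valid = port_capacity
        forwarded += valid
    return forwarded, dropped


def compare(trace, port_capacity=PORT_BYTES_PER_MS):
    """Side-by-side visibility figures for the same trace."""
    tap_fwd, tap_drop = tap_copy(trace)
    span_fwd, span_drop = span_copy(trace, port_capacity)
    return {
        "link_bytes": tap_fwd,
        "tap_dropped": tap_drop,
        "span_forwarded": span_fwd,
        "span_dropped": span_drop,
        "span_loss_pct": round(100 * span_drop / tap_fwd, 1),
        "errored_bytes_invisible_to_span": sum(i.errored for i in trace),
    }


# Constructed trace: a quiet interval, two saturated ones, a quiet one with bad frames, one moderate.
SAMPLE_TRACE = [
    Interval(60_000, 40_000),
    Interval(120_000, 110_000, errored=1_500),
    Interval(125_000, 125_000),
    Interval(30_000, 20_000, errored=3_000),
    Interval(90_000, 50_000),
]

if __name__ == "__main__":
    print(compare(SAMPLE_TRACE))
```

Per direction the sample link never exceeds line rate, yet the SPAN copy loses roughly a third of the bytes, because mirroring a full-duplex link needs twice the capacity of one port. Real switches buffer briefly and may offer several SPAN destinations, so the exact loss differs in practice, but the direction of the result does not.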

Thanks to Ixia for the article.

Do You Have a Network Operations Center Strategy?

The working definition of a Network Operations Center (NOC) varies with each customer we talk with; however, the one point which remains unified is that the NOC should be the main point of visibility for key functions that combine to provide business services.

The level at which a NOC ‘product’ is interactive depends on individual customer goals and requirements. Major equipment vendors trying to increase revenue are delving into management and visibility solutions with acquisitions and mergers, and while their products may provide many good features, those features are focused on their own product lines. In mixed vendor environments this becomes challenging and expensive if it increases the number of visibility islands.

One trend we have seen emerging is the desire for consolidation and simplification within the Operations Centre. In many cases our customers may have the information required to understand the root cause, but getting to that information quickly is a major challenge across multiple standalone tools. Let’s face it, there will never be one single solution that will fulfill absolutely all monitoring and business requirements, and having specialized tools is likely necessary.

The balance lies in finding a powerful, yet flexible solution; one that not only offers a solid core functionality and feature set, but also encourages the orchestration of niche tools. A NOC tool should provide a common point of visibility if you want to quickly identify which business service is affected; easily determine the root cause of that problem, and take measures to correct the problem. Promoting integration with existing business systems, such as CMDB and Helpdesk, both northbound and southbound, will ultimately expand the breadth of what you can accomplish within your overall business delivery strategy. Automated intelligent problem resolution, equipment provisioning, and Change and Configuration Management at the NOC level should also be considered as part of this strategy.

Many proven efficiencies are exposed when you fully explore tool consolidation with a goal of eliminating overlapping technologies, process-related bottlenecks and duplication. While internal tool review often brings forth resistance, it is necessary, and the end result can be enlightening from both a financial and a process aspect. Significant cost savings are easily achieved with fewer maintenance contracts, and automation can absorb a large share of network engineers’ non-value-adding activities within a product, freeing them to work on proactive new innovations and concepts.

The ‘Dark Side’

Forward-thinking companies are deploying innovative products which allow them to move towards an unmanned Network Operations Center, or ‘Dark NOC’. Factors such as energy consumption, bricks-and-mortar costs, and other increasing operational expenditures reinforce the point that their NOC may be located anywhere with a network connection and still provide full monitoring and visibility. Next generation tools are no longer a nice to have, but a reality in today’s dynamic environment! What is your strategy?

Ixia Taps into Visibility, Access and Security in 4G/LTE

The Growing Impact of Social Networking Trends on Lawful Interception

Lawful Interception (LI) is the legal process by which a communications network operator or Service Provider (SP) gives authorized officials access to the communications of individuals or organizations. With security threats mushrooming in new directions, LI is more than ever a priority and major focus of Law Enforcement Agencies (LEAs). Regulations such as the Communications Assistance for Law Enforcement Act (CALEA) mandate that SPs place their resources at the service of these agencies to support surveillance and interdiction of individuals or groups.

CALEA makes Lawful Interception a priority mission for Service Providers as well as LEA; its requirements make unique demands and mandate specific equipment to carry out its high-stakes activities. This paper explores requirements and new solutions for Service Provider networks in performing Lawful Interception.

A Fast-Changing Environment Opens New Doors to Terrorism and Crime

In the past, Lawful Interception was simpler and more straightforward because it was confined to traditional voice traffic. Even in the earlier days of the Internet, it was still possible to intercept a target’s communication data fairly easily.

Now, as electronic communications take on new forms and broaden to a potential audience of billions, data volumes are soaring, and the array of service offerings is growing apace. Lawful Interception Agencies and Service Providers are racing to thwart terrorists and other criminals who have the technological expertise and determination to carry out their agendas and evade capture. This challenge will only intensify with the rising momentum of change in communication patterns.

Traffic patterns have changed: In the past it was easier to identify peer-to-peer applications or chat using well known port numbers. In order to evade LI systems, the bad guys had to work harder. Nowadays, most applications use standard HTTP and in most cases SSL to communicate. This puts an extra burden on LI systems that must identify overall more targets on larger volumes of data with fewer filtering options.

Social Networking in particular is pushing usage to exponential levels, and today’s lawbreakers have a growing range of sophisticated, encrypted communication channels to exploit. With the stakes so much higher, Service Providers need robust, innovative resources that can contend with a widening field of threats. This interception technology must be able to collect volume traffic and handle data at unprecedented high speeds and with pinpoint security and reliability.

LI Strategies and Goals May Vary, but Requirements Remain Consistent

Today, some countries are using nationwide interception systems while others only dictate policies that providers need to follow. While regulations and requirements vary from country to country, organizations such as the European Telecommunications Standards Institute (ETSI) and the American National Standards Institute (ANSI) have developed technical parameters for LI to facilitate the work of LEAs. The main functions of any LI solution are to access Interception-Related Information (IRI) and Content of Communication (CC) from the telecommunications network and to deliver that information in a standardized format via the handover interface to one or more monitoring centers of law enforcement agencies.

High-performance switching capabilities, such as those offered by the Ixia Director™ family of solutions, should map to the following LI standards in order to be effective: They must be able to isolate suspicious voice, video, or data streams for an interception, based on IP address, MAC address or other parameters. The device must also be able to carry out filtering at wire speed. Requirements for supporting Lawful Interception activities include:

  • The ability to intercept all applicable communications of a certain target without gaps in coverage, including dropped packets, where missing encrypted characters may render a message unreadable or incomplete
  • Total visibility into network traffic at any point in the communication stream
  • Adequate processing speed to match network bandwidth
  • Undetectability, unobtrusiveness, and lack of performance degradation (a red flag to criminals and terrorists on alert for signs that they have been intercepted)
  • Real-time monitoring capabilities, because time is of the essence in preventing a crime or attack and in gathering evidence
  • The ability to provide intercepted information to the authorities in the agreed-upon handoff format
  • Load sharing and balancing of traffic that is handed to the LI system.

From the perspective of the network operator or Service Provider, the primary obligations and requirements for developing and deploying a lawful interception solution include:

  • Cost-effectiveness
  • Minimal impact on network infrastructure
  • Compatibility and compliance
  • Support for future technologies
  • Reliability and security

Ixia’s Comprehensive Range of Solutions for Lawful Interception

This Ixia customer (the “Service Provider”) is a 4G/LTE pioneer that relies on Ixia solutions. Ixia serves the LI architecture by providing the access part of an LI solution in the form of Taps and switches. These contribute functional flexibility and can be configured as needed in many settings. Both the Ixia Director solution family and the iLink Agg™ solution can aggregate traffic from a group of links and pick out conversations with the same IP address pair from any of the links.

Following are further examples of Ixia products that can form a vital element of a successful LI initiative:

Test access ports, or Taps, are devices used by carriers and others to meet the capability requirements of CALEA legislation. Ixia is a global leader in the range and capabilities of its Taps, which provide permanent, passive access points to the physical stream.

Ixia Taps reside in both carrier and enterprise infrastructures to perform network monitoring and to improve both network security and efficiency. These inline devices provide permanent, passive access points to the physical stream. The passive characteristic of Taps means that network data is not affected whether the Tap is powered or not. As part of an LI solution, Taps have proven more useful than Span ports. If Law Enforcement Agencies must reconfigure a switch to send the right conversations to the Span port every time an intercept is required, a risk arises of misconfiguring the switch and connections. Also, Span ports drop packets—another significant monitoring risk, particularly with encrypted traffic.

Director xStream™ and iLink Agg xStream™ enable deployment of an intelligent, flexible and efficient monitoring access platform for 10G networks. Director xStream’s unique TapFlow™ filtering technology enables LI to focus on select traffic of interest for each tool based on protocols, IP addresses, ports, and VLANs. The robust engineering of Director xStream and iLink Agg xStream enables a pool of 10G and 1G tools to be deployed across a large number of 10G network links, with remote, centralized control of exactly which traffic streams are directed to each tool. Ixia xStream solutions enable law enforcement entities to view more traffic with fewer monitoring tools as well as relieving oversubscribed 10G monitoring tools. In addition, law enforcement entities can share tools and data access among groups without contention and centralize data monitoring in a network operations center.

Director Pro™ and Director xStream Pro data monitoring switches offer law enforcement the ability to perform better pre-filtering via Deep Packet Inspection (DPI) and to hone in on a specific phone number or credit card number. These products differ from other platforms that might have the ability to seek data within portions of the packet, thanks to a unique ability to filter content or perform pattern matching in hardware at wire speed, potentially up to Layer 7. Such DPI provides the ability to apply filters to a packet or multiple packets at any location, regardless of packet length, how “deep” the packet is, or where the data to be matched sits within the packet. A DPI system of this kind is independent of packet layout.

Thanks to Ixia for the article.

Ixia Taps into Hybrid Cloud Visibility

One of the major issues that IT organizations have with any form of external cloud computing is that they don’t have much visibility into what is occurring within any of those environments.

To help address that specific issue, Ixia created its Net Tool Optimizer, which makes use of virtual and physical taps to provide visibility into cloud computing environments. Now via the latest upgrade to that software, Ixia is providing support for both virtual and physical networks while doubling the number of interconnects the hardware upon which Net Tool Optimizer runs can support.

Deepesh Arora, vice president of product management for Ixia, says providing real-time visibility into both virtual and physical networks is critical, because in the age of the cloud, the number of virtual networks being employed has expanded considerably. For many IT organizations, this means they have no visibility into either the external cloud or the virtual networks that are being used to connect them.

The end goal, says Arora, should be to use Net Tool Optimizer to predict what will occur across those hybrid cloud computing environments, but also to enable IT organizations to use that data to programmatically automate responses to changes in those environments.

Most IT organizations find managing the network inside the data center to be challenging enough. With the addition of virtual networks that span multiple cloud computing environments running inside and outside of the data center, that job is more difficult than ever. Of course, no one can manage what they can’t measure, so the first step toward gaining visibility into hybrid cloud computing environments starts with something as comparatively simple as a virtual network tap.

Thanks to IT Business Edge for the article.

Inline Security Solutions from Ixia

Flexible, Fail-Safe Inline Security Boosts Agility, Availability, and Resilience While Reducing Network Costs

As networks deliver more services and carry ever-higher volumes of multiprotocol traffic, data rates continue to soar. Voice, data, and streaming video now travel on one wire, raising security and compliance issues. Today’s intense threat landscape demands multiple proactive security systems throughout the network for a strong, layered security posture. These proactive devices include firewalls, next-gen firewalls, web-application firewalls, and Intrusion Prevention Systems (IPS)—and all require inline network deployment.

Multiple inline security resources can themselves actually become points of failure and vulnerability. They bring concerns about network uptime, performance, operational ownership, security flexibility and overall costs. Despite redundancy and other protections, they must be taken offline for upgrades and scheduled or unscheduled maintenance. Further, if a tool loses power or becomes oversubscribed, the network link can break and traffic cease to flow.

Now, Ixia’s Inline Security Framework offers a proven solution for deploying multiple inline security tools. This smart approach improves your network’s availability, agility, performance, and functionality, while providing greater security, flexibility, and resilience, and lowering overall costs and personnel workloads.

Ixia’s Inline Security Framework protects your network uptime with multiple resources: Bypass switch bi-directional heartbeat monitoring for system, link and power failures ensures uninterrupted network uptime while increasing network availability. Security tool load balancing ensures efficiency while enabling you to leverage existing tool investments and add capacity as needed, rather than investing in a forklift upgrade.

Replacing multiple inline security devices with a single passive bypass switch eliminates network maintenance downtime while providing a pay-as-you-go capacity upgrade path for your changing security needs—dramatically reducing costs of migrating your 1G tools to the 10G environment, for example.

Ixia Net Optics Bypass Switches offer proven, fail-safe inline protection for your security and monitoring tools. A heartbeat packet protects the network link from application, link, and power failure: if a packet doesn’t return, the switch instantly goes into bypass mode and takes that appliance out of the traffic path. With support for 10Mbps to 40Gbps connectivity, you receive automated failover protection on full duplex traffic streams connected to the monitoring tools. Because the Bypass Switch is passive, link traffic continues to flow even if the Bypass itself loses power.

Packet Brokers reside behind the bypass switch to provide additional flexibility and control over traffic flow for inline security tools. These packet brokers provide advanced control of traffic as it traverses the security tools, including load balancing, traffic aggregation from multiple links, application filtering, and out-of-band access.
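The heartbeat-driven bypass behaviour in the previous paragraphs and the load balancing performed by the packet broker behind it can be modelled together. This is an added example, not Ixia firmware or an Ixia API: the `BypassSwitch` state machine, the `PacketBroker` class and the heartbeat sequence are constructed for the illustration. The one-miss trip to bypass follows the article; the recovery hysteresis (several good heartbeats before the tool is re-inserted) is an assumption added so a flapping tool is not bounced back into the path. The broker hashes a direction-independent flow key so both halves of a conversation land on the same tool, and drops a tool from the pool as soon as it is marked unhealthy.

```python
from dataclasses import dataclass, field
import zlib


@dataclass
class BypassSwitch:
    """Heartbeat-monitored bypass switch in front of one inline tool (simplified model).
    miss_threshold=1 mirrors the article: one unreturned heartbeat and the tool leaves the path.
    recover_threshold is an assumed hysteresis before a recovered tool is re-inserted."""
    miss_threshold: int = 1
    recover_threshold: int = 3
    mode: str = "inline"
    misses: int = 0
    hits: int = 0
    transitions: list = field(default_factory=list)   # (tick, new_mode)

    def heartbeat(self, returned: bool, t: int) -> str:
        """Record whether the heartbeat sent at tick t came back through the tool."""
        if returned:
            self.misses, self.hits = 0, self.hits + 1
            if self.mode == "bypass" and self.hits >= self.recover_threshold:
                self.mode, self.hits = "inline", 0
                self.transitions.append((t, "inline"))
        else:
            self.hits, self.misses = 0, self.misses + 1
            if self.mode == "inline" and self.misses >= self.miss_threshold:
                self.mode, self.misses = "bypass", 0
                self.transitions.append((t, "bypass"))
        return self.mode

    def power_loss(self, t: int) -> str:
        """The switch is passive: losing its own power closes the bypass path (fail-open)."""
        if self.mode != "bypass":
            self.mode = "bypass"
            self.transitions.append((t, "bypass"))
        return self.mode


def flow_key(src, dst, sport, dport, proto):
    """Direction-independent key so both directions of a conversation hash to one tool."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


class PacketBroker:
    """Hash-based load balancer across a pool of inline tools behind the bypass switch."""

    def __init__(self, tools):
        self.tools = list(tools)
        self.healthy = set(tools)

    def mark(self, tool, healthy: bool):
        (self.healthy.add if healthy else self.healthy.discard)(tool)

    def assign(self, src, dst, sport, dport, proto="tcp"):
        """Pick the tool for a flow; None means no healthy tool is left and traffic
        bypasses inspection (fail-open). Shrinking the pool rehashes existing flows."""
        pool = [t for t in self.tools if t in self.healthy]
        if not pool:
            return None
        return pool[zlib.crc32(flow_key(src, dst, sport, dport, proto).encode()) % len(pool)]


def run_scenario():
    """Constructed heartbeat results, one per tick: a single miss, recovery, then a hard failure."""
    sw = BypassSwitch()
    for t, ok in enumerate([True, True, False, True, True, True, False, False]):
        sw.heartbeat(ok, t)
    return sw.transitions


if __name__ == "__main__":
    print(run_scenario())
    broker = PacketBroker(["ips-1", "ips-2", "ips-3"])
    tool = broker.assign("192.0.2.10", "198.51.100.5", 51000, 443)
    broker.mark(tool, False)
    print(tool, "->", broker.assign("192.0.2.10", "198.51.100.5", 51000, 443))
```

Two design points are worth noting. Fail-open is what the bypass switch gives you when every tool is gone, but it is a policy decision: a deployment that would rather lose connectivity than inspection returns a “drop” sentinel instead of `None`. And because the hash is taken modulo the size of the healthy pool, removing one tool moves some flows that were on the surviving tools too; consistent hashing would limit that churn at the cost of a longer example.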

Ixia’s robust Inline Security Solutions give you the confidence of assured inline availability for improved business continuity and network health. Find out more about how our cost-effective inline approach extends the availability and security of your network.

Inline Security Solutions from Ixia

Related Products

Net Optics Bypass Switches: Fail-safe deployments for inline security tools

Security Packet Brokers: Inline traffic aggregation, filtering, failover, and load balancing for security tools

Thanks to Ixia for the article.

A Simple Solution To Combatting Virtual Data Center Blind Spots

Blind spots are a long-established threat to virtual data centers. They are inherent to virtual machine (VM) usage and technology because of the nature of VMs, the lack of visibility for inter- and intra-VM data monitoring, the typical practices around the use of VMs, and the use of multiple hypervisors in enterprise environments.

Virtual machines by their nature hide inter- and intra-VM traffic. This is because the traffic stays within a very small geographic area. As I mentioned in a previous blog, Do You Really Know What’s Lurking in Your Data Center?, Gartner Research found that 80% of VM traffic never reaches the top of the rack where it can be captured by traditional monitoring technology. This means that if something is happening to that 80% of your data (security threat, performance issue, compliance issue, etc.), you’ll never know about it. This is a huge area of risk.

In addition, an Ixia-conducted market survey on virtualization technology, released in March 2015, exposed a high propensity for data center blind spots to exist due to typical data center practices. This report showed that there was probably hidden data, i.e. blind spots, on typical enterprise data networks due to inconsistent monitoring practices, a lack of monitoring practices altogether in several cases, and the typical lack of one central group responsible for collecting monitoring data.

For instance, only 37% of the respondents were monitoring their virtualized environment with the same processes that they use in their physical data center environments, and what monitoring was done usually used fewer capabilities in the virtual environment. This means that there is a potential for key monitoring information to NOT be captured for the virtual environment, which could lead to security, performance, and compliance issues for the business. In addition, only 22% of businesses designated the same staff to be responsible for monitoring and managing both their physical and their virtual technology. Different groups being responsible for monitoring practices and capabilities often leads to inconsistencies in data collection and in the execution of company processes.

The survey further revealed that only 42% of businesses monitor the personally identifiable information (PII) transmitted and stored on their networks. At the same time, 2/3 of the respondents were running critical applications within their virtual environment. Taken together, these “typical practices” should definitely raise warning signs for IT management.

Additional research by firms like IDC and Gartner is exposing another set of risks for enterprises around the use of multiple hypervisors in the data center. For instance, the IDC Virtualization and the Cloud 2013 study found that 16% of customers had already deployed or were planning to deploy more than one hypervisor. Another 45% were open to the idea in the future. In September 2014, another IDC market analysis stated that over half of enterprises (51%) now have more than one type of hypervisor installed. Gartner ran a poll in July 2014 that also corroborated that multiple hypervisors were being used in enterprises.

This trend is positive, as having a second hypervisor is a good strategy for an enterprise. Multiple hypervisors allow you to:

  • Negotiate pricing discounts by simply having multiple suppliers
  • Help address corporate multi-vendor sourcing initiatives
  • Provide improved business continuity scenarios for product centric security threats

But it is also very troubling, because the cons include:

  • Extra expenses for the set-up of a multi-vendor environment
  • Poor to no visibility into a multi-hypervisor environment
  • An increase in general complexity (particularly management and programming)
  • And further complexities if you have advanced data center initiatives (like automation and orchestration)

One of the primary concerns is lack of visibility. With a proper visibility strategy, the other cons of a multi-hypervisor environment can be either partially or completely mitigated. One way to accomplish this goal is to deploy a virtual tap that includes filtering capability. The virtual tap gives you access to all the data you need. This data can be forwarded to a packet broker for distribution to the right tool(s). Built-in filtering capability is an important feature of the virtual tap, because it lets you limit costs and bandwidth requirements.

Blind spots can create the following issues:

  • Hidden security issues
  • Inadequate access to data for trending
  • Inadequate data to demonstrate proper regulatory compliance policy tracking

Virtual taps (like the Ixia Phantom vTap) address blind spots and their inherent dangers.

If the virtual tap is integrated into a holistic visibility approach using a Visibility Architecture, you can streamline your monitoring costs: instead of having two separate monitoring architectures with potentially duplicate equipment (and duplicate costs), you have one architecture that maximizes the efficiency of all your current tools, as well as any future investments. When installing the virtual tap, the key is to make sure that it installs into the hypervisor without adversely affecting the hypervisor. Once this is accomplished, the virtual tap will have the access to inter- and intra-VM traffic that it needs, as well as the ability to efficiently export that information. After this, the virtual tap will need a filtering mechanism so that exported data can be “properly” limited so as not to overload the LAN/WAN infrastructure. The last thing you want to do is cause performance problems on your network. Details on these concepts and best practices are available in the whitepapers Illuminating Data Center Blind Spots and Creating A Visibility Architecture.

As mentioned earlier, a multi-hypervisor environment is now a fact for the enterprise. The Ixia Phantom vTap supports multiple hypervisors and has been optimized for VMware ESX and Kernel-based Virtual Machine (KVM) environments. KVM is starting to make a big push into the enterprise environment. It has been part of the Linux kernel since 2007. According to IDC, shipments of the KVM license were around 5.2 million units in 2014, and they expect that number to increase to 7.2 million by 2017. A lot of the KVM ecosystem is organized by the Open Virtualization Alliance, and the Phantom vTap supports this recommendation.

To learn more, please visit the Ixia Phantom vTap product page, the Ixia State of Virtualization for Visibility Architectures 2015 report or contact us to see a Phantom vTap demo!

Additional Resources:

Ixia Phantom vTap

Ixia State of Virtualization for Visibility Architectures 2015 report

White Paper: Illuminating Data Center Blind Spots

White Paper: Creating A Visibility Architecture

Blog: Do You Really Know What’s Lurking in Your Data Center?

Thanks to Ixia for the article.