Why Monitoring Intra-VM Network Traffic is Crucial
With more and more IT infrastructure moving to virtual platforms, what are the implications for network-based security systems, and how can they get the visibility into network traffic that they require to provide the monitoring capabilities they were designed for?
Traditional security systems can generally only see traffic that passes between systems over physical networking infrastructure. However, with the number of servers now being hosted in virtual environments increasing, more traffic is passing intra-VM and less of it is appearing on the physical network.
This can potentially lead to attack scenarios in which a compromised host in a virtual environment has unmonitored access to all other hosts within that environment. This allows malicious software to move undetected between multiple virtual machines. Monitoring in the physical network environment won't allow you to see this activity until the malicious activity appears on the physical structure. Web server farms, for example, which have been implemented in a virtual environment with public-facing web servers and back-end database servers, can often have no monitoring in place.
Network-based security systems need to be able to extend their visibility into the virtual environment to protect against potential attacks. It is possible to gain the same level of network traffic visibility within a virtual infrastructure, provided the monitoring solution has the appropriate capabilities.
Another interesting aspect to take note of, when monitoring traffic from virtual environments, is that you may often see high levels of traffic over the iSCSI network protocol. If your virtual environment uses external media storage which is connected using the iSCSI protocol then this is simply the disk I/O traffic between the virtual appliances and their storage media hosting servers.
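The visibility gap and the iSCSI observation described above can be made concrete with a small flow classifier. This is an added example, not code from the original article: the VM-to-host inventory, the host names, the flow records and their tuple layout are all constructed, and iSCSI is recognised only by its registered target port, TCP 3260.

```python
from collections import defaultdict

ISCSI_PORT = 3260  # IANA-registered iSCSI target port (port-based match is an assumption)

# Constructed inventory: VM IP -> hypervisor host it runs on (hypothetical names).
VM_HOST = {
    "10.0.1.10": "hv-a",  # web-1
    "10.0.1.11": "hv-a",  # web-2
    "10.0.2.20": "hv-a",  # db-1
    "10.0.2.21": "hv-b",  # db-2
}

# Constructed flow records (src, dst, dst_port, bytes), as a sensor attached
# to the virtual switch might export them.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 3306, 48_000),        # web-1 -> db-1, same host
    ("10.0.1.10", "10.0.1.11", 22, 9_500),           # web-1 -> web-2, same host
    ("10.0.1.11", "10.0.2.21", 3306, 51_000),        # web-2 -> db-2, crosses hosts
    ("10.0.2.20", "192.168.50.5", 3260, 7_200_000),  # db-1 -> external storage
    ("203.0.113.7", "10.0.1.10", 443, 120_000),      # outside client -> web-1
]

def classify(flow, vm_host=VM_HOST):
    """Label a flow by where a sensor would have to sit to observe it."""
    src, dst, port, _ = flow
    if port == ISCSI_PORT:
        return "storage-iscsi"  # disk I/O to external storage, not application traffic
    h_src, h_dst = vm_host.get(src), vm_host.get(dst)
    if h_src is not None and h_src == h_dst:
        return "intra-host"     # stays inside one hypervisor; a physical tap never sees it
    return "physical"           # traverses the physical network

def summarize(flows, vm_host=VM_HOST):
    """Flow and byte totals per class."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for flow in flows:
        cls = classify(flow, vm_host)
        totals[cls]["flows"] += 1
        totals[cls]["bytes"] += flow[3]
    return dict(totals)

def blind_spots(flows, vm_host=VM_HOST):
    """Flows that only a sensor inside the virtual environment can observe."""
    return [f[:3] for f in flows if classify(f, vm_host) == "intra-host"]

if __name__ == "__main__":
    for cls, t in sorted(summarize(FLOWS).items()):
        print(f"{cls:14} flows={t['flows']} bytes={t['bytes']}")
    print("unseen by a physical-network sensor:", blind_spots(FLOWS))
```

Separating the iSCSI class first keeps the large storage byte counts from drowning out the much smaller VM-to-VM flows that the physical sensor cannot see.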