This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."
Altor VNSA adopts the expected Web-based agent/server approach to network monitoring. VNSA agents are installed on the hosts supporting the monitored virtual switches; these agents forward collected data to the Altor Center master server for analysis and reporting. Once the VM is up and running, the Altor Center Web application can be configured to access Virtual Center.
After providing the hostname/IP of the Virtual Center server and a Virtual Center login account, Altor Center will query Virtual Center for all registered VMs and populate its internal database with the information. It will then use this information when tracking vSwitch activity and performing analysis. The Altor Center Web UI is a standard tab-based interface that is very well laid out and intuitive. It only takes a few clicks to find what you're looking for, and it is a no-brainer to navigate--nicely done.
The VNSA agents monitor vSwitches and report back all activity to Altor Center (the output will look familiar if you've ever worked with ntop). Traffic is broken down by protocol, source/destination, etc., and can be sorted and analyzed in a variety of ways over time periods ranging from five-minute intervals on up. Additionally, suspicious activity, such as port scans or user-defined high-risk protocols (e.g., unencrypted traffic such as telnet), can be highlighted.
The really interesting aspect of this monitoring is the ability to recognize and track communications between VMs and tag them as application partners. For example, you could use this to determine which Web server VMs are talking to a back-end database server and decide whether or not it was approved traffic. This sort of capability is very handy in large-scale deployments to ensure that policies and procedures are being followed properly and that traffic is flowing through approved channels.
The vendor docs indicate that this information can then be used by the complementary (and as yet unreleased) Virtual Network Firewall (VNF) product. According to the Altor Web site, VNF is scheduled for release sometime later this year, so, hopefully, we'll have a chance to see this feature in action sometime soon.
The lack of VNF availability is the Achilles' heel of VNSA as it currently ships: You can't really do anything meaningful with the very valuable data that it collects. Sure, it's interesting to see which VMs are talking to each other and what type of traffic they're generating, but VNSA itself gives you no way to act on that data.
There is no facility within VNSA to allow/disallow communication between identified partners, nor is there any capacity to generate alerts of any kind, be it SNMP or SMTP, to let the sysadmins know that something untoward is occurring. The product assumes that a human will be looking at the Altor Center console and will notice any anomalous events. VNSA keeps a historical database of activity that can be queried ad hoc via Altor Center, but any such reporting must be done directly via the Web GUI in real time; there is no facility to automate scheduled HTML report generation or to email scheduled reports to interested parties.
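To make concrete what the partner tagging described above looks like, and what an approved-partner check and high-risk-protocol flagging would do with it (the capability the review says VNSA collects data for but cannot act on), here is a small added Python sketch. It is not Altor's code; the VM names, flow records, approved-partner list and scan threshold are all constructed sample values.

```python
from collections import defaultdict

# Constructed flow records in the shape of the per-vSwitch traffic breakdown the
# review describes: (source VM, destination VM, protocol, destination port, bytes).
FLOWS = [
    ("web01", "db01", "tcp", 3306, 48_000),
    ("web02", "db01", "tcp", 3306, 51_200),
    ("web01", "db01", "tcp", 3306, 12_000),
    ("app01", "db01", "tcp", 3306, 9_000),      # not on the approved list
    ("admin01", "web01", "tcp", 23, 1_200),     # telnet: cleartext management
    ("scan01", "db01", "tcp", 21, 60),          # one source, many ports
    ("scan01", "db01", "tcp", 22, 60),
    ("scan01", "db01", "tcp", 25, 60),
    ("scan01", "db01", "tcp", 80, 60),
    ("scan01", "db01", "tcp", 443, 60),
]

# Assumed policy: which VM pairs may talk, which ports count as high-risk
# (unencrypted) protocols, and how many distinct ports look like a scan.
APPROVED_PARTNERS = {("web01", "db01"), ("web02", "db01")}
HIGH_RISK_PORTS = {23: "telnet", 21: "ftp"}
SCAN_THRESHOLD = 5


def tag_partners(flows):
    """Aggregate raw flows into (src, dst) application-partner pairs."""
    partners = defaultdict(lambda: {"bytes": 0, "ports": set()})
    for src, dst, proto, port, nbytes in flows:
        partners[(src, dst)]["bytes"] += nbytes
        partners[(src, dst)]["ports"].add((proto, port))
    return dict(partners)


def find_issues(flows, approved=APPROVED_PARTNERS, scan_threshold=SCAN_THRESHOLD):
    """Return (severity, message) findings a console or alert hook could consume."""
    findings = []
    for (src, dst), info in sorted(tag_partners(flows).items()):
        if (src, dst) not in approved:
            findings.append(("unapproved", f"{src} -> {dst}: not an approved partner ({info['bytes']} bytes)"))
        for proto, port in sorted(info["ports"]):
            if port in HIGH_RISK_PORTS:
                findings.append(("high-risk", f"{src} -> {dst}: {HIGH_RISK_PORTS[port]} on {proto}/{port}"))
        if len(info["ports"]) >= scan_threshold:
            findings.append(("port-scan", f"{src} -> {dst}: {len(info['ports'])} distinct ports touched"))
    return findings


if __name__ == "__main__":
    for severity, message in find_issues(FLOWS):
        print(f"[{severity}] {message}")
```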
While this may be adequate for smaller shops, it leaves a lot to be desired for large VMware environments. In such deployments, there are typically numerous groups with varying levels of access and reporting needs. For example, given the current environment of compliance mania (Sarbanes-Oxley, HIPAA, PCI-DSS, etc.), there is a definite need to provide management with dashboard-style "are we compliant?" reports. VNSA is well positioned to be able to provide that sort of information, but cannot do so in its current form.
This is very clearly a 1.0 offering, and we quite frankly question its usefulness as a standalone solution. VNSA should be rolled into a single product with VNF and released as a production-level offering. Altor has significant work to do with adding acceptable enterprise-level reporting, and enhancing the alerting/IDS functionality of the product and should address these issues posthaste. We can't recommend the product as it currently stands, but suggest that anyone running a VMware environment keep an eye on the company. We suspect that this may turn out to be an interesting and useful product once the VNF components are released and hope to see improved alerting and reporting capabilities.
Testing methodology: We installed VNSA in a VI3 environment consisting of ESX 3.5 hosts and a Virtual Center 2.5 console. The ESX hosts were running a mix of Windows 2003, SuSE Linux and Windows XP VMs.
This was first published in September 2008