Published: 01 Sep 2008
The explosive growth of virtualized x86 environments over the past several years has challenged traditional security vendors to adapt their appliance/server mentality to a radically different computing environment. The existing approaches to network segmentation, intrusion detection and traffic monitoring have to be rethought. It is an especially daunting task to secure potentially hundreds of virtualized switches sitting on dozens of physical servers connecting hundreds, if not thousands, of virtual machines when there is no guarantee that these virtual switches have any sort of physical connection to the enterprise data center.
Altor Networks seeks to address this problem with its Virtual Network Security Analyzer (VNSA) product. Altor has an intriguing concept with VNSA and the as yet unreleased Virtual Network Firewall (VNF), but while it works very well as far as it goes, the concept is not yet ready for prime time.
Altor is clearly aiming at enterprise-level VMware deployments and requires a VMware Virtual Infrastructure 3 (VI3) install. This makes sense, given the market dominance of VMware, but you'll have to search for a Citrix XenServer or Microsoft Hyper-V solution.
Installation is almost childishly simple and consists of simply creating a port group in promiscuous mode on the virtual switches you wish to monitor (to allow network sniffing by the VNSA appliance) and the installation of a VM with the complete Altor VNSA application. You can install the VM either by unpacking a complete image from a standard zip archive or by downloading an Open Virtual Machine Format (OVF) file directly from within Virtual Center.
Once the VM is installed, you must assign the VNSA NICs to the preconfigured promiscuous mode port groups, then power on the VM to perform the expected basic network configuration (IP address, time zone, etc.) and assign passwords to the local Altor accounts. The entire process takes minutes and is a perfect example of how virtual appliances should be packaged and distributed.
Altor worked like a charm and didn't cause any conflicts with our existing setup.
Altor VNSA adopts the expected Web-based agent/server approach to network monitoring. VNSA agents are installed on the hosts supporting the monitored virtual switches; these agents forward collected data to the Altor Center master server for analysis and reporting. Once the VM is up and running, the Altor Center Web application can be configured to access Virtual Center.
After providing the appropriate information for the Virtual Center server hostname/IP and Virtual Center login account, Altor Center will query Virtual Center for all registered VMs and populate its internal database with the information. It will then use this information when tracking vSwitch activity and performing analysis. The Altor Center Web UI is a standard tab-based interface that is very well laid out and intuitive. It only takes a few clicks to find what you're looking for and is a no-brainer to navigate--nicely done.
The VNSA agents monitor vSwitches and report back all activity to Altor Center (the output will look familiar if you've ever worked with ntop). Traffic is broken down by protocol, source/destination, etc. and can be sorted and analyzed in a variety of ways over time periods ranging from five-minute intervals on up. Additionally, suspicious activity, such as port scans or user-defined high-risk protocols (e.g., unencrypted traffic such as telnet), can be highlighted.
The really interesting aspect of this monitoring is the ability to recognize and track communications between VMs and tag them as application partners. For example, you could use this to determine which Web server VMs are talking to a back-end database server and decide whether or not it was approved traffic. This sort of capability is very handy in large-scale deployments to ensure that policies and procedures are being followed properly and that traffic is flowing through approved channels.
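The kind of analysis described in the two paragraphs above can be sketched over flow records, as an added example that is not Altor's code or output. The VM names, the approved-partner list, the high-risk port table and the scan threshold are all assumptions, and the flow records are constructed.

```python
from collections import defaultdict

# Constructed sample flows seen on a monitored vSwitch: (src_vm, dst_vm, dst_port).
FLOWS = [
    ("web01", "db01", 3306),
    ("web02", "db01", 3306),
    ("web01", "db01", 3306),
    ("xp-desk7", "db01", 3306),   # desktop VM talking straight to the database
    ("xp-desk7", "web01", 23),    # telnet between VMs
] + [("xp-desk7", "web02", port) for port in range(1, 41)]  # 40 ports probed

# Hypothetical policy: which application partners are approved, which ports
# count as high-risk protocols, and how many distinct ports make a scan.
APPROVED = {("web01", "db01", 3306), ("web02", "db01", 3306)}
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet"}
SCAN_THRESHOLD = 20


def analyze(flows, approved, high_risk, scan_threshold):
    """Return findings as (kind, src_vm, dst_vm, detail) tuples."""
    partners = defaultdict(int)     # (src, dst, port) -> number of flows
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports
    for src, dst, port in flows:
        partners[(src, dst, port)] += 1
        ports_seen[(src, dst)].add(port)

    # A source touching many distinct ports on one target looks like a scan.
    scans = {pair for pair, ports in ports_seen.items()
             if len(ports) >= scan_threshold}
    findings = [("port-scan", src, dst, len(ports_seen[(src, dst)]))
                for src, dst in sorted(scans)]

    for src, dst, port in sorted(partners):
        if (src, dst) in scans:
            continue  # already reported once as a scan, not per port
        if port in high_risk:
            findings.append(("high-risk-protocol", src, dst, high_risk[port]))
        elif (src, dst, port) not in approved:
            findings.append(("unapproved-partner", src, dst, port))
    return findings


if __name__ == "__main__":
    for finding in analyze(FLOWS, APPROVED, HIGH_RISK_PORTS, SCAN_THRESHOLD):
        print(finding)
```
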
The vendor docs indicate that this information can then be used by the complementary (and as yet unreleased) Virtual Network Firewall (VNF) product. According to the Altor Web site, VNF is scheduled for a release sometime later this year, so, hopefully, we'll have a chance to see this feature in action sometime soon.
The lack of VNF availability is the Achilles heel of VNSA as it currently ships: You can't really do anything meaningful with the very valuable data that it collects. Sure, it's interesting to see what VMs are talking to each other and what type of traffic they're generating, but you can't do anything with the data.
There is no facility within VNSA to allow/disallow communication between identified partners, nor is there any capacity to generate alerts of any kind, be it SNMP or SMTP to let the sysadmins know that something untoward is occurring. The product assumes that a human will be looking at the Altor Center console and notice any anomalous events. VNSA keeps a historical database of activity that can be queried ad hoc via Altor Center, but any such reporting must be done directly via the Web GUI in real-time and there is no facility to automate scheduled HTML report generation or to email scheduled reports to interested parties.
While this may be adequate for smaller shops, it leaves a lot to be desired for large VMware environments. In such deployments, there are typically numerous groups with varying levels of access and reporting needs. For example, given the current environment of compliance mania (Sarbanes-Oxley, HIPAA, PCI-DSS, etc.), there is a definite need to provide management with dashboard-style "are we compliant?" reports. VNSA is well positioned to be able to provide that sort of information, but cannot do so in its current form.
This is very clearly a 1.0 offering, and we quite frankly question its usefulness as a standalone solution. VNSA should be rolled into a single product with VNF and released as a production-level offering. Altor has significant work to do in adding acceptable enterprise-level reporting and enhancing the alerting/IDS functionality of the product, and should address these issues posthaste. We can't recommend the product as it currently stands, but suggest that anyone running a VMware environment keep an eye on the company. We suspect that this may turn out to be an interesting and useful product once the VNF components are released and hope to see improved alerting and reporting capabilities.
Testing methodology: We installed VNSA in a VI3 environment consisting of ESX 3.5 hosts and a Virtual Center 2.5 console. The ESX hosts were running a mix of Windows 2003, SuSE Linux and Windows XP VMs.