Article posted on CTR-Computer Technology Review
By Ran Nahmias

This article is the second in a two-part series introducing the virtual Tap and exploring how it can cost-efficiently meet many of the needs of Lawful Interception. The first part addressed the challenges associated with Lawful Interception (LI) and compliance inherent to virtualization within converged network environments.

Today’s rapidly growing data volumes and quickening pace of virtualization raise urgent new challenges for service providers in meeting Lawful Interception (LI) mandates. Virtualization itself, while delivering astonishing efficiencies and benefits, also presents a ripe field for illegal activity and intrusion. Service providers are legally responsible for supporting Law Enforcement activities and are, therefore, under increasing pressure to architect in the flexibility and visibility that successful LI demands in the virtual arena. It is imperative for companies to integrate security into the network architecture rather than as a point solution.

A Cost-Effective Virtual Solution Meets LI Needs for Visibility, Compliance, Reliability and Lifecycle Intelligence
To carry out the LI mission in a virtualized environment, law enforcement agencies (LEAs) require from service providers a virtualized, system-agnostic LI architecture -- one that can monitor and correlate vMigration; monitor Inter-VM traffic; and retain multi-hypervisor support.

A network virtual Tap is the ideal resource for service providers in meeting LI security, performance monitoring and compliance needs. Such a Tap reveals 100 percent of inter-VM traffic for total visibility -- capturing all data passing between servers for auditing purposes. It can filter packets of interest at the collection point rather than the inspection point, which minimizes transportation of irrelevant data across networks and optimizes tool utilization, sending appropriate data of interest to the appropriate inspection tool.

Kernel implementation avoids the need for Switched Port Analyzer (SPAN) ports on the virtual switch or for promiscuous mode. A Tap would need to be fault-tolerant, non-disruptive and capable of bridging virtual traffic to physical monitoring tools to enable comprehensive access. Tight integration with VMware vCenter would enable monitoring through Live Migration (vMotion) for each VM instance (by VM ID).

A virtual Tap actually splits the full duplex link into two streams, for sensors with only one sniffing interface. It can then aggregate traffic to that one interface (although care must be taken not to exceed SPAN port or sensor capacity by aggregating the bandwidth of two Tapped streams).

An LI solution must also map to the virtual machine lifecycle -- all of whose events present monitoring challenges. These lifecycle events encompass:

  1. Creation of new servers;
  2. Transition -- since machines change IP addresses and monitoring may be associated with machine ID via vCenter;
  3. Relocation, as hypervisors move virtual machines around and between physical servers; and
  4. Termination, as virtual machines are wiped clean or revert back to an unknown state -- particularly if they have been created on demand to handle peaks.

A virtual Tap that integrates tightly with vCenter management is able to provide seamless, continuous monitoring throughout these lifecycle events as they are occurring, with no interruption or disruption of the network.
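The lifecycle problem above, as an added example that is not from the original article or from any vendor's product: a capture rule keyed to a VM's original IP address is compared with one keyed to its VM ID while the VM changes address, relocates and terminates. The event tuples, field names, VM IDs, addresses and flow records are constructed for illustration and do not reflect the vCenter API.

```python
# Added illustration: IP-keyed vs. VM-ID-keyed capture rules across VM lifecycle events.
# All events, IDs, addresses and flows below are constructed sample data.

# (time, action, vm_id, changed attributes), as a management plane might report them.
EVENTS = [
    (0,  "create",     "vm-42", {"ip": "10.0.0.5", "host": "esx-a"}),
    (10, "transition", "vm-42", {"ip": "10.0.0.9"}),                   # VM changes IP address
    (20, "relocate",   "vm-42", {"host": "esx-b"}),                    # moved to another server
    (25, "create",     "vm-77", {"ip": "10.0.0.5", "host": "esx-a"}),  # old IP reused
    (40, "terminate",  "vm-42", {}),
]

# (time, source_ip, physical_host) for observed inter-VM flows.
FLOWS = [
    (5,  "10.0.0.5", "esx-a"),
    (15, "10.0.0.9", "esx-a"),
    (22, "10.0.0.9", "esx-b"),
    (30, "10.0.0.5", "esx-a"),
    (35, "10.0.0.9", "esx-b"),
]


def attribute_flows(events, flows):
    """Replay events and flows in time order and return [(flow, owning vm_id or None)]."""
    state = {}  # vm_id -> {"ip": ..., "host": ...}
    timeline = [(e[0], 0, e) for e in events] + [(f[0], 1, f) for f in flows]
    attributed = []
    # Sort on (time, kind) so an event at time t is applied before a flow at time t.
    for _, kind, item in sorted(timeline, key=lambda entry: entry[:2]):
        if kind == 0:
            _, action, vm_id, attrs = item
            if action == "terminate":
                state.pop(vm_id, None)
            else:
                state.setdefault(vm_id, {}).update(attrs)
        else:
            _, ip, host = item
            owner = next((vm for vm, s in state.items()
                          if s.get("ip") == ip and s.get("host") == host), None)
            attributed.append((item, owner))
    return attributed


def compare_rules(events, flows, target_vm, original_ip):
    """Return (by_id, missed, misattributed) for an ID-keyed vs. a static IP-keyed rule."""
    by_id = [f for f, owner in attribute_flows(events, flows) if owner == target_vm]
    by_ip = [f for f in flows if f[1] == original_ip]
    missed = [f for f in by_id if f not in by_ip]          # target traffic the IP rule loses
    misattributed = [f for f in by_ip if f not in by_id]   # non-target traffic it collects
    return by_id, missed, misattributed


if __name__ == "__main__":
    by_id, missed, wrong = compare_rules(EVENTS, FLOWS, "vm-42", "10.0.0.5")
    print(f"ID-keyed rule captured {len(by_id)} flows")
    print(f"IP-keyed rule missed {len(missed)} and wrongly collected {len(wrong)}")
```

In this constructed data the IP-keyed rule both loses the target after its address change and collects a flow from an unrelated VM that later reuses the address.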

Tunneling traffic of interest to the physical arena
For networks that need to extend physical Tapping across the LAN / WAN / Cloud infrastructure, a high-throughput tunneling appliance can handle encapsulated network traffic from virtual monitors. This appliance, optimized for point-to-point transition of raw network traffic, would decapsulate tunneled traffic from the virtual Tap and other tunneling devices at full duplex 10GB wire speed. Global deployment capabilities would enable remote locations to capture traffic of interest even where low volume did not justify a local instrumentation layer or IT staff. Traffic of interest is simply encapsulated and sent to the central location in a solution that is ideal for managed services providers.

Load balancing solves oversubscription and leverages 1G tools
Load balancing is an ingenious tactic for sharing the network’s data load among multiple tools. With centralized intelligence for more endpoints, load balancing can also leverage existing (and relatively inexpensive!) 1G tools, giving a service provider more time to plan future growth.

Pre-filtering with Deep Packet Inspection (DPI) enables detection of desired traffic on any port. With DPI, users can identify data of interest and forward it to appropriate monitoring/recording tools. The challenge is that the DPI functionality used for LI purposes is often limited in its performance. So when users apply DPI technologies and then need to capture and extract Content of Communication (CC) as well as Intercept Related Information (IRI), the overall performance burden on their systems prevents effective use of those systems. Filtering with DPI can separate information related to the subject that falls within the topic of the inquiry from accidentally gathered information, and adjust the information to a pre-defined delivery format.

In summary, using smart Virtual Tapping can provide the total visibility, scalability, flexibility and reliability to improve the functionality of LI solutions and help those systems to meet the challenges in high-capacity virtualized networks.

The HPC Advisory Council has published the agenda for the Israel Supercomputing Conference coming up next week, on February 7 in Tel Aviv. Featuring speakers from academia and industry companies like AMD, Intel, IBM, Mellanox, ScaleMP, Tel Aviv University and yours truly. This one-day event will cover advanced HPC topics from around the world. I am looking forward to hearing the opening keynote session by Isaac Ben-Israel, Tel-Aviv University (Cyber Security and high power computing in Israel) in light of the recent cyber security related events in Israel. It should be fun. I am looking forward to seeing as many of you there.


-- Sharon


Director xStream™ 2.5 and iLinkagg xStream™ 2.5 were released last week, adding additional capabilities and mainly increasing the overall performance envelope of this device. This release includes new, high-performance features for greater accuracy, easier management and higher usability.

  • Port Tagging!
  • Ingress and egress VLAN management
  • Increase tool-sharing capability
  • Boost Network Intelligence
  • Increased Filters: now supporting 4000 Plus (xStream only)
  • Smoother Manageability
  • Higher usability

Learn more about this release here
Customers with software subscription can download the upgrade package, documentation and release notes from the customer portal.

-- Sharon

Net Optics Expands Capabilities and Accelerates Global Reach

We are excited to announce that we've taken our successful relationship with Triplelayer and nMetrics and made it official…we've acquired the private Australia-based distributor and its sister company, a leader in network insight and analysis software.  Customers will immediately find integrated solutions such as the innovative appTap, the market's only remote and branch office visibility and analysis software.

The acquisition provides Net Optics with additional building blocks from which it plans to innovate the next generation of solutions.

Our vision with this acquisition is to help our customers increase network access and consolidate tools to achieve a monitoring architecture that delivers end-to-end visibility and lower cost, as well as providing customers an opportunity to scale their overall network performance and security.  By incorporating existing nMetrics technologies into our own solutions, we are able to make advanced technology not only easy to use, but extremely cost-efficient for our customers.

Watch this video to hear Net Optics Founder and Chairman of the Board Eldad Matityahu provide more details about the acquisition and what it means for our customers.

Article posted on CTR-Computer Technology Review
By Ran Nahmias
This article is the first in a two-part series addressing the challenges associated with Lawful Interception (LI) and compliance inherent to virtualization within converged network environments.
Virtualization has provided network architects with exceptional new levels of flexibility and cost-savings in their server deployments. At the same time, however, that flexibility creates new opportunities to conceal unlawful activity and to frustrate or delay enforcement, Lawful Interception (LI), and prosecution by moving a virtual host across legal or geographical jurisdictions.
Armed with the appropriate tools and knowledge, companies can address LI and compliance challenges inherent to virtualization within converged network environments and take steps to thwart “jurisdiction hopping.” Protecting the virtual infrastructure calls for innovative strategies and solutions that support Service Providers and Law Enforcement Agencies (LEAs) in carrying out their respective missions.

Virtualization, the Cloud Infrastructure, and Lawful Interception Challenges
Law enforcement agencies and service providers are under intense pressure to thwart terrorists and other malicious intruders who are often armed with sophisticated technology expertise and ample resources. In the past, for example, it was relatively easy to identify peer-to-peer applications or chat using well-known port numbers -- but no more. Traffic patterns have changed, and nowadays, with most applications using standard HTTP and SSL to communicate, there’s an added burden on LI systems to identify more targets on larger volumes of data with fewer filtering options.
Social networking is also pushing usage to exponential levels, giving lawbreakers a growing range of encrypted communication channels to exploit. Effective Lawful Interception technology must now be able to collect volume traffic and handle data at unprecedented high speeds and with pinpoint reliability.
Defending the Network from Multiple Threats
By law, a service provider must maintain the equipment needed to fulfill the unique requirements of LI’s high-stakes missions. Solutions should map to LI standards and be able to isolate suspicious voice, video or data streams for an interception based on IP address, MAC address or other parameters. To carry out its purpose, Lawful Interception needs:

  • The ability to intercept all applicable communications of a certain target without gaps in coverage, including dropped packets, where missing encrypted characters may render a message unreadable or incomplete;
  • Total visibility into network traffic at any point in the communication stream -- no blind spots;
  • Adequate processing speed to match network bandwidth;
  • Undetectability, unobtrusiveness, and lack of performance degradation (a red flag to criminals and terrorists on alert for signs that they have been intercepted);
  • Real-time monitoring capabilities, because time is of the essence in preventing a crime or attack and in gathering evidence;
  • The ability to provide intercepted information to the authorities in the agreed-upon handoff format; and
  • The technology to load-share and balance traffic handed to the LI system.

Network operators and service providers also have their own respective needs, including cost effectiveness, minimal impact on the network, compatibility with existing technology and scalability for growth.

Virtualization Deployment Raises the LI Stakes Even Higher
Virtualization is more than a trend; it’s a revolution. The adoption of Virtualization and Cloud Services challenges LI compliance in converged (physical and virtual), as well as homogeneous environments. And although virtualization momentum promises great improvements in CAPEX, the ability to passively monitor Inter-Virtual Machine traffic has been almost nonexistent. Cloud computing accounts for less than two percent of IT spending today, but IDC estimates that by 2015, nearly 20 percent of information will be “touched” by cloud computing, with as much as 10 percent actually maintained in a cloud.
Elasticity and lack of virtual visibility threaten security
In order to conduct effective LI, agencies and service providers need total visibility across the entire network -- data center, core network, and remote branches. Anything not visible is vulnerable. Lack of visibility into inter-VM (virtual machine) traffic reduces the ability to audit data passing between virtual servers, with a consequent inability to pinpoint resource virtualization issues. Until very recently, virtualization itself was practically synonymous with invisibility, creating severe security, monitoring and compliance risks.
For LI purposes, virtualized environments and clouds are frustratingly elastic and global. For example, what happens to an LI warrant issued by local Washington State authorities if the VM target of interest transitions to New Jersey? What becomes of an LI warrant issued by U.S. authorities if the VM target of interest transitions to a different country?
Unfortunately, the so-called “secure perimeter” no longer exists, giving rise to issues of compliance, internal/external intrusions, lawful interception and cybercrime. Security must become an integral part of the actual network architecture, rather than a point solution. Achieving security, given the lack or costliness of 10G monitoring and security tools, is a key challenge -- as is the ability of such tools to operate at line rates with the desired low latency. Inter-VM capacity is growing, and a virtual switch, independent of wired infrastructure, easily operates at 10GB speeds.
Network speed and complexity are spiraling
Networks are becoming more complex as new applications of VoIP, 4G/LTE and video gain popularity. To further complicate matters, undesirable effects such as jitter, oversubscription and blocking are all magnified in 10G networks. Accelerating speeds raise concerns over link saturation and oversubscription because at 10G, 40G and 100G rates, current tools and instruments simply can’t keep up.
Switching oversubscription occurs as the queue exceeds the size of the physical hardware buffer, and packets are dropped. Even at low or average traffic, oversubscription can cause queuing that leads to short periods of maximum bandwidth utilization. This sets the stage for quality degradation and its unwelcome outcomes.
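An added example, not from the original article, of the oversubscription described above and of the related caution about aggregating both directions of a tapped full-duplex link onto one monitoring interface: a per-tick model of a finite output buffer shows packets being dropped in a burst even though average load stays below the port's capacity. The traffic series, port rate and buffer size are constructed values.

```python
# Added illustration: two tapped directions merged onto one monitor port with a finite buffer.
# Units are packets per tick; all numbers are constructed sample values.

PORT_RATE = 10     # packets the monitor port can transmit per tick
BUFFER_SIZE = 15   # packets the output queue can hold

# Each direction idles at 20% of line rate, then bursts at 100% for four ticks.
DIRECTION_A = [2] * 8 + [10] * 4 + [2] * 8
DIRECTION_B = [2] * 8 + [10] * 4 + [2] * 8


def offered_load(stream_a, stream_b, port_rate):
    """Average offered load as a fraction of the output port's capacity."""
    ticks = min(len(stream_a), len(stream_b))
    return (sum(stream_a[:ticks]) + sum(stream_b[:ticks])) / (port_rate * ticks)


def aggregate(stream_a, stream_b, port_rate, buffer_size):
    """Merge two arrival series onto one port; return (forwarded, dropped, peak_queue)."""
    queue = forwarded = dropped = peak = 0
    for a, b in zip(stream_a, stream_b):
        total = queue + a + b            # backlog plus this tick's arrivals
        sent = min(total, port_rate)     # the port drains at most port_rate per tick
        forwarded += sent
        backlog = total - sent
        if backlog > buffer_size:        # queue exceeds the hardware buffer: tail drop
            dropped += backlog - buffer_size
            backlog = buffer_size
        queue = backlog
        peak = max(peak, queue)
    forwarded += queue                   # whatever is still queued drains after the series
    return forwarded, dropped, peak


if __name__ == "__main__":
    load = offered_load(DIRECTION_A, DIRECTION_B, PORT_RATE)
    fwd, drop, peak = aggregate(DIRECTION_A, DIRECTION_B, PORT_RATE, BUFFER_SIZE)
    print(f"average offered load: {load:.0%}")
    print(f"aggregated: forwarded={fwd} dropped={drop} peak_queue={peak}")
    # One direction per port: the same traffic fits without loss.
    print("separate ports:", aggregate(DIRECTION_A, [0] * 20, PORT_RATE, BUFFER_SIZE))
```

For interception or audit capture, the dropped packets are the coverage gaps the article warns about, so buffer occupancy on the aggregation port is worth monitoring alongside average utilization.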
Latency and jitter -- during which only one packet can be transmitted from each physical output port of a switch -- are also risks. Resource contention is another threat to reliable function, arising when two packets arrive from separate input ports to the same output port (uplink) at about the same time.
Technical Limitations: Promiscuous Mode and Utilization of SPAN Ports
Existing virtual monitoring solutions require promiscuous mode and utilization of Switched Port Analyzer (SPAN) ports. But switch-level monitoring can degrade vSwitch throughput by up to 50 percent, so this approach may require multiple vSwitches to recreate adequate throughput capacity. Utilization of SPAN ports exposes all traffic -- both relevant and irrelevant -- at a maximum capacity of 10GB per vSwitch. And in a hosting situation, multiple customers may be residing on the same virtual machine (possibly several per physical virtualization server), so complexity can grow astoundingly.
Further, mirroring traffic does not allow for filtering to capture traffic of interest only; rather it enables capture of “all or nothing.” This becomes a real limitation given the volume of “useless” traffic sent over the network.
A probe is a VM layer machine/appliance that operates only in the confined server it resides on and may be developed only for a specific product. Most local VM probes require a dedicated core to operate; they cannot deliver a broad view of the environment and hence fail to offer “big picture” visibility. Conversely, tools that aggregate traffic see the big picture of patterns across the entire network/data center.
Cost issues collide with the LI mission
Service providers also take on new costs when addressing the needs of Lawful Interception. In order to serve the LI agenda, service providers can incur new training, migration and operations costs for LI-relevant technology. These costs are sure to rise, what with the stress of content classification needs and the changing landscape of security threats.
Overall costs also rise with the obligation to maintain full monitoring capacity (very likely to be irrelevant) and to transmit all captured data across wired networks to the instrumentation layer -- another expensive infrastructure requirement. For service providers, leveraging the existing investments in 1G tools and postponing purchase of expensive new 10G monitoring tools is very desirable.


Part two of this series will introduce the virtual Tap and explain how it can cost-efficiently meet many of the needs of Lawful Interception.


Ah Ha Moment
Gartner’s analyst Jonah Kowall recently published a research note discussing the future of End-User Experience Monitoring in APM (see End-User Experience Monitoring in APM: Past, Present and Future. Published: 11 January 2012. Analyst: Jonah Kowall).
I thought that I should address the tactical issues of End-User Experience Monitoring in virtual systems, a big problem that was only mentioned briefly. I will.
There's one big impact to Kowall’s analysis: Convergence. Convergence of APM/NPM and Access switching (which is called “Aggregation” in this research note). It will take some time, starting with improved integration between APM and access switching, but it'll take place eventually.
Here are the reasons that this convergence will happen:
Effective deployment of network-based packet capture varies based on the ability to properly aggregate network traffic in key locations....The network must be designed with a traffic aggregation layer in place, and must use matrix or specialized network devices in order to get more granular filtering of traffic being sent to the monitoring systems....The traffic aggregation network can be leveraged not only for APM use cases, but also for security monitoring products and network performance monitoring tools.
So in order to make APM effective, products like Net Optics Director (for 1/10G networks) or Director xStream and xBalancer (for 10G networks) must be deployed. Technological convergence is the tendency for different technological systems to evolve towards performing similar tasks. Convergence can refer to previously separate technologies that now share resources and interact with each other synergistically. (see also wiki).
Modern applications and data centers introduce visibility issues for APM/NPM:
  • Monitoring of encrypted traffic
  • More complicated application delivery architecture
  • Integration of on-premises and in-the-cloud applications (different locations which are also “elastic”)
Some vendors of network-based packet capture are counteracting those challenges by allowing packet capture and analysis on server-side devices (on-premises only). Those solutions have other limitations like performance challenges, the need to support multiple OS and application servers, as well as the inability to monitor inter-VM traffic effectively.
The solution would be tighter integration of the visibility systems and APM/NPM products.
Your thoughts? 
-- Sharon 

A look back at 2011 and what's new for 2012

2012 just got started and already we are busy working on the next line of products to ease your ability to monitor your network and achieve 100% visibility.  2011 was an exceptional year.  We celebrated our 15 year anniversary, expanded our global reach in China, South America, and Europe, and innovated new technologies that tackled virtual problems in real time.   The launch of the Phantom Virtual Tap and the Phantom HD marked the first and only products to provide real-time visibility in the cloud.  Our innovations gained the attention of Inc., which named us to the magazine’s top 500/5000 list for the second year in a row, and Red Herring, which awarded us its global and North American award for technological innovation.

And it’s our technology that we hope our customers continue to notice, as we continue to invent solutions that meet the ever-evolving challenges of our modern day networks. CEO and President Bob Shaw provides more details about how specific Net Optics products can help solve your network monitoring dilemmas.

As I look at 2011, we introduced technology that solved 2 or 3 big challenges that customers had. First of all, the whole world of cloud and virtualization was an area of the network that customers were blind to so we launched the whole Phantom Virtual Tap solution that gives you the ability now to have complete visibility of your cloud and virtual space.

In the core, in the data center part of our business, we launched the xBalancer, which allows customers to be able to deal with one of the biggest challenges which is the network’s growing faster than the ability for the tools to keep up. The xBalancer bridges that gap.

And then when it comes to remote sites and branch offices, the appTap was a complete breakthrough piece of technology because you now have the ability to have a view and insight into what’s happening in your remote and branch offices and view all that data in a single pane of glass, Indigo Pro. So now you can see your network from a virtual world, core and data, all the way to your remote and branch offices. And that’s just the beginning because in 2012 we’re going to add the next layer of innovation to help our customers win in their markets.

Get Ready It's a Jungle Out There

A few days into 2012, it is clear that corporate risk levels are still high and security officers should continue to be on high alert.

When it comes to customer data, private and non-public information, application level attacks continue to lead the charts of top attack vectors. It is amazing that organizations are still not adopting strict security programs that enforce security standards. A recent event from Israel shows how a relatively simple attack (that could have been easily prevented) is creating real pain for customers as well and drives an entire nation amuck in fear of cyber security.

While application level vulnerabilities increase the risk factor for attacks and hacks on private and other types of sensitive data, it is less relevant for corporate governance and compliance. Lack of proper policy enforcement and visibility into employees' activity (especially privileged users) is increasing the risk of fraud, unauthorized access to data, corporate espionage, data leakage and other types of non-compliance. Leveraging the great cost and scale benefits of cloud computing and virtualization is the risk officer’s visibility nightmare, as these systems do not follow the “right” corporate behavior which is essential for monitoring: The Cloud is elastic by nature, can be provisioned automatically and migrate between systems and even data centers dynamically.

So, on one hand nothing has changed – compliance, visibility, application control and user activity continue to be the top risk factors, but on the other hand, the associated attack vectors are more serious and as a result, also the consequences. As Randy Newman wrote, ‘it’s a jungle out there’.

Be safe.

-- Sharon 

