Posted on CTR-Computer Technology Review
By Ran Nahmias
This article is the second in a two-part series introducing the virtual Tap and exploring how it can cost-efficiently meet many of the needs of Lawful Interception. The first part addressed the challenges associated with Lawful Interception (LI) and compliance inherent to virtualization within converged network environments.
Today’s rapidly growing data volumes and quickening pace of virtualization raise urgent new challenges for service providers in meeting Lawful Interception (LI) mandates. Virtualization itself, while delivering astonishing efficiencies and benefits, also presents a ripe field for illegal activity and intrusion. Service providers are legally responsible for supporting Law Enforcement activities and are, therefore, under increasing pressure to architect in the flexibility and visibility that successful LI demands in the virtual arena. It is imperative for companies to integrate security into the network architecture rather than as a point solution.
A Cost-Effective Virtual Solution Meets LI Needs for Visibility, Compliance, Reliability and Lifecycle Intelligence
To carry out the LI mission in a virtualized environment, law enforcement agencies (LEAs) require from service providers a virtualized, system-agnostic LI architecture -- one that can monitor and correlate vMigration; monitor Inter-VM traffic; and retain multi-hypervisor support.
A network virtual Tap is the ideal resource for service providers in meeting LI security, performance monitoring and compliance needs. Such a Tap reveals 100 percent of inter-VM traffic for total visibility -- capturing all data passing between servers for auditing purposes. It can filter packets of interest at the collection point rather than the inspection point, which minimizes transportation of irrelevant data across networks and optimizes tool utilization, sending appropriate data of interest to the appropriate inspection tool.
A kernel-level implementation avoids the need for Switched Port Analyzer (SPAN) ports on the virtual switch or for running interfaces in promiscuous mode. Such a Tap would need to be fault-tolerant and non-disruptive, and capable of bridging virtual traffic to physical monitoring tools to enable comprehensive access. Tight integration with VMware vCenter would enable monitoring to follow each VM instance (by VM ID) through Live Migration (vMotion).
A virtual Tap actually splits the full-duplex link into two streams, one per direction, which suits sensors with only one sniffing interface: it can then aggregate both streams to that one interface (although care must be taken not to exceed SPAN port or sensor capacity, since the aggregate carries the combined bandwidth of both Tapped streams).
An LI solution must also map to the virtual machine lifecycle -- all of whose events present monitoring challenges. These lifecycle events encompass:
- Creation of new servers;
- Transition -- since machines change IP addresses and monitoring may be associated with machine ID via vCenter;
- Relocation, as hypervisors move virtual machines around and between physical servers; and
- Termination, as virtual machines are wiped clean or revert to an unknown state -- particularly if they have been created on demand to handle peaks.
A virtual Tap that integrates tightly with vCenter management is able to provide seamless, continuous monitoring throughout these lifecycle events as they are occurring, with no interruption or disruption of the network.
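To make the lifecycle argument concrete, here is an added illustration (not code from the article or from any vendor product) of intercept state keyed by VM ID rather than by IP address, so that creation, address transition, relocation and termination events keep the collection-point filter pointed at the right machine. The event format, the VM IDs (vm-42, vm-77), host names and addresses are all constructed for the example.

```python
"""Intercept state keyed by VM ID rather than IP address.
The lifecycle events handled below are constructed to imitate what a
vCenter integration would report; they are not real vCenter API output."""
from dataclasses import dataclass, field


@dataclass
class InterceptState:
    targets: set = field(default_factory=set)     # VM IDs under intercept
    vm_ip: dict = field(default_factory=dict)     # vm_id -> current IP address
    vm_host: dict = field(default_factory=dict)   # vm_id -> current hypervisor


def apply_event(state, event):
    """Update VM tracking from one lifecycle event (constructed format)."""
    kind, vm_id = event["type"], event["vm_id"]
    if kind == "create":
        state.vm_ip[vm_id] = event["ip"]
        state.vm_host[vm_id] = event["host"]
    elif kind == "ip_change":          # transition: the address changes, the VM ID does not
        state.vm_ip[vm_id] = event["ip"]
    elif kind == "migrate":            # relocation: vMotion to another physical host
        state.vm_host[vm_id] = event["host"]
    elif kind == "terminate":          # VM wiped; its old address may later be reused
        state.vm_ip.pop(vm_id, None)
        state.vm_host.pop(vm_id, None)
    else:
        raise ValueError(f"unknown lifecycle event: {kind}")
    return state


def vm_for_ip(state, ip):
    """Resolve a packet address to the VM currently holding it, if any."""
    return next((vm for vm, cur in state.vm_ip.items() if cur == ip), None)


def should_capture(state, src_ip, dst_ip):
    """Collection-point filter: keep only packets that touch a target VM."""
    return any(vm in state.targets
               for vm in (vm_for_ip(state, src_ip), vm_for_ip(state, dst_ip)))


def capture_by_ip(watch_ips, src_ip, dst_ip):
    """Naive IP-keyed filter, shown for contrast: it cannot follow lifecycle events."""
    return src_ip in watch_ips or dst_ip in watch_ips
```

After the target VM changes address and its old address is handed to a different VM, the IP-keyed filter both misses the target and over-collects from the unrelated machine, while the VM-ID-keyed filter keeps tracking correctly.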
Tunneling traffic of interest to the physical arena
For networks that need to extend physical Tapping across the LAN / WAN / Cloud infrastructure, a high-throughput tunneling appliance can handle encapsulated network traffic from virtual monitors. This appliance, optimized for point-to-point transition of raw network traffic, would decapsulate tunneled traffic from the virtual Tap and other tunneling devices at full duplex 10GB wire speed. Global deployment capabilities would enable remote locations to capture traffic of interest even where low volume did not justify a local instrumentation layer or IT staff. Traffic of interest is simply encapsulated and sent to the central location in a solution that is ideal for managed services providers.
Load balancing solves oversubscription and leverages 1G tools
Load balancing is an ingenious tactic for sharing the network’s data load among multiple tools. With centralized intelligence distributing traffic across more endpoints, load balancing can also leverage existing (and relatively inexpensive!) 1G tools, giving a service provider more time to plan future growth.
Pre-filtering with Deep Packet Inspection (DPI) enables detection of desired traffic on any port. With DPI, users can identify data of interest and forward it to the appropriate monitoring/recording tools. The challenge is that the DPI functionality used for LI purposes is often limited in its performance, so when users apply DPI technologies and then also need to capture and extract Content of Communication (CC) as well as Intercept Related Information (IRI), the overall performance burden prevents effective use of their systems. Filtering with DPI can separate information related to the subject that falls within the scope of the inquiry from incidentally gathered information, and can adjust that information to a pre-defined delivery format.
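As an added illustration of the two capacity points made above (the aggregate of two Tapped streams must not exceed what the sensor can take, and load balancing lets existing 1G tools absorb it), the following Python is not from the article or any product; it distributes constructed packet records across N tools with a direction-independent flow hash, so both halves of a conversation reach the same tool, and reports whether a given link would oversubscribe them. The 1000 Mb/s tool capacity is an assumed constant.

```python
"""Flow-symmetric load balancing of tapped traffic across several 1G tools.
The packet records used with these functions are constructed, not captured."""
import hashlib

TOOL_CAPACITY_MBPS = 1000  # assumed: each downstream tool is a 1G appliance


def flow_key(src_ip, dst_ip, proto, sport, dport):
    """Order the two endpoints so both directions of a flow produce one key."""
    a, b = (src_ip, sport), (dst_ip, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_tool(pkt, n_tools):
    """Map a packet (src, dst, proto, sport, dport) to a tool index; a flow
    always lands on the same tool, so per-flow analysis is not split."""
    digest = hashlib.sha256(flow_key(*pkt).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_tools


def plan(link_mbps_each_direction, n_tools, capacity=TOOL_CAPACITY_MBPS):
    """Oversubscription check: a Tapped full-duplex link is two streams, so
    the aggregate presented to the tools is twice the per-direction rate."""
    aggregate = 2 * link_mbps_each_direction
    per_tool = aggregate / n_tools
    return {"aggregate_mbps": aggregate, "per_tool_mbps": per_tool,
            "oversubscribed": per_tool > capacity}


def distribute(packets, n_tools):
    """Return {tool_index: [packets]} for a batch of packet records."""
    buckets = {i: [] for i in range(n_tools)}
    for pkt in packets:
        buckets[pick_tool(pkt, n_tools)].append(pkt)
    return buckets
```

Hashing assumes the tapped traffic is spread over many flows; a single elephant flow still lands on one tool and must fit its capacity on its own.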
In summary, using smart Virtual Tapping can provide the total visibility, scalability, flexibility and reliability to improve the functionality of LI solutions and help those systems to meet the challenges in high-capacity virtualized networks.