Monitoring Virtual Data Centers: How to Avoid the Virtual Blind Spot
Kate Brew is product marketing manager at Ixia Network Visibility Solutions.KATE BREW
Virtualization is unquestionably one of the biggest trends in computing in the last decade. By separating different elements of the computing platform, users in a growing number of businesses have done away with the “one app, one server” model and moved to virtual machines (VMs) in order to fully realize the potential of both their servers and their staff. Ignoring the benefits of virtualization is not an option in any competitive industry.
Unfortunately, the fact that many VMs could be handling traffic on a single server has a powerful downside – traffic visibility. The very “many in” notions that VMs are built upon become problematic when trying to trace a packet, or to analyze packet flow in order to understand how a network is performing at any given time.
In many deployments, the lack of visibility into virtual data center security and performance may not become apparent until it’s too late – for example, when a major performance problem occurs with a mission-critical networked application. But by making the right choices in network architecture, administrators can both achieve the business benefits of virtualization and meet the demand for packet-level visibility.
The Anatomy of the Virtual Blind Spot
In a traditional network, traffic analysis is done by tapping into network segments of interest with TAPs or by using port mirroring SPANs, and packet-level data flows between groups of servers in the same subnet can be captured and analyzed in a fairly straightforward manner.
In a virtual world, however, this model breaks down. In virtualized environments, the data may never traverse a physical switch or network, instead remaining in the same physical host, making monitoring difficult. Traffic passes from the virtual adapter to the virtual switch and back out again, without providing a place to monitor traffic.
For many organizations it often takes a network crisis before IT departments realize the consequence of this loss of visibility. Security teams may not realize until the time of a malicious security incident that they cannot see VM-to-VM traffic within the same physical host. Without this visibility, it is impossible to detect and investigate the attack, identify compromised resources, take corrective action and prevent future attacks. Because of the inability to see what’s happening in the virtual data center, it creates the Virtual Blind Spot.
Because virtualization is a mature technology and brings positive ROI so quickly, implementations may speed forward without attention to, or even awareness of the Virtual Blind Spot. Ironically, a virtualized model should be monitored more closely than physical infrastructure, since the design premise is to run the underlying hardware as close to capacity as possible.