According to Forrester Research, in 2013, 74 percent of x86 server OS instances will be operating as virtual servers. With the choice to deploy servers in a virtualized environment comes the responsibility to identify and understand network traffic within, to, and from the virtual environment to reduce overall network security risks. Here is some good news for CSOs looking to enhance the companies risk posture while meeting the needs of compliance regulations. Every VMware ESX server supports a key technology that is instrumental in gaining situational awareness in a virtualized world.  

NetFlow and IPFIX Support

Every VMware ESX server includes native support to export NetFlow or IPFIX data. By enabling the flow exporter on each ESX server and directing it to a suitable flow collector,   a network administrator can conduct constant surveillance of all connections to and from each server. A good flow collector includes traffic flow analytics tools that allow an administrator to determine average connection volumes, ascertain consistent protocol and application behaviors and set up monitors customized to the businesses unique security needs. For example, if a server’s primary purpose allows it to only communicate with internal users, why would it be excessively hitting the DNS or receiving connection requests from servers on the DMZ? A good traffic analytics tool  will help you identify such suspicious network traffic activity to and from your virtual servers.

Traffic flow analytics tools can also support company initiatives to comply with industry or government mandates by providing insights that can help the IT department to: 

  • Verify and demonstrate the effectiveness of internal controls over critical network infrastructure
  • Ensure and optimize network and application performance and availability
  • Leverage user accountability for security and network risk visibility
  • Understand and protect the transmission all financial information that drives the business 
  • Log every transaction in and out of every HIPPA or PCI compliant server for an extended period of time

What do all government, and industry compliance standards and best practices have in common? They all require the definition and implementation of policies and controls to protect information while demonstrating verifiable evidence that those policies and controls are enforced. Flow (NetFlow and IPFIX) collection and reporting allows companies to provide demonstrable evidence of IT compliance with internal governance policies, external regulations, and industry best practices like: HIPAA, FIPS, NERC, SCADA, SOX, COBIT, PCI and NPPI. Why? Because each flow is a transaction which can be archived off indefinitely. 

More specifically when it comes to traffic monitoring and reducing network risk in virtual environments, flow collection and reporting allows administrators to quickly confirm the source of the problem by narrowing down the issue to a specific client, server or network. In some cases, this is done by breaking down the environment into groups where 'locking' policies are put in place which state which groups can communicate with one another. If rules are violated, an alarm is raised and full audits can be run to report on all end systems involved. When it comes to audits, if ample disk space is provided, a good NetFlow and IPFIX solution can save all raw flows from all virtual servers for decades.

Just Turn on IPFIX

The latest version of vSphere (v5.1) supports IPFIX which is the proposed standard for NetFlow. Prior to version 5.1, configuring NetFlow was the only option. If your company’s server environment is looking like the 74 percent predicted by Forrester, why not get a jump on improving your organization’s understanding of all virtual network traffic and reduce compliance risk at the same time. It just might be time to “go with the flow.”