Our presenter, Ran Nahmias, Net Optics Director of Cloud and Virtualization Solutions, provides an overview of the practical challenges of conducting Lawful Intercepts within converged (physical & virtual) or homogeneous virtual network environments.
Virtualization in the Data Center, More Than a Trend!
Virtualization has provided network architects with a new level of flexibility and cost-savings in their server deployments. At the same time, that new level of flexibility has created new opportunities for potentially unlawful activity to be concealed or easily moved across legal jurisdictions to avoid prosecution. View this informative webinar to learn about:
Unique enforcement challenges inherent to Virtualization
Compliance challenges created by Virtualized environments
Methods for thwarting virtual machine jurisdiction ‘hopping’
Lawful Interception in Virtual Environments
1. Lawful Interception in Virtual Environments
Ran Nahmias
Director, Virtualization and Cloud Solutions
Net Optics, Inc.
Intelligent Access and Monitoring Architecture
2. Presenter
Ran Nahmias
Director, Virtualization and Cloud Solutions
Net Optics, Inc.
Over 15 years of experience in networking, security, desktop and server virtualization in engineering, product management and deployment roles for market leaders such as Check Point Software Technologies, Nice Systems, Microsoft and Net Optics.
Net Optics Confidential and Proprietary 2
3. Goal
Review how the growing adoption of Virtualization and Cloud Services challenges Lawful Interception compliance in converged (physical & virtual) or homogeneous virtual environments.
4. Agenda
1. Intro
2. Virtualization adoption trends
3. The visibility challenge
4. The elasticity challenge
5. LI Compliance
6. Net Optics solutions
7. Q & A
5. Virtualization In The DC: More Than a Trend
Virtualization deployment is increasing year over year in data centers.
Gartner: over 30% of x86 architecture server workloads are running on VMs
Double-digit annual growth
Virtualization
– Great CAPEX improvements, no visibility.
– Passive monitoring of inter-virtual-machine traffic is nonexistent.
6. Did You Know?
• Last year was the first year in which more virtual servers were shipped than physical servers.
• IDC estimates that today nearly 10% of the information running through servers is doing so on virtualized systems.
• IDC estimates that number to grow to more than 20% in 2015.
• This percentage increases along with the size of the organization. Some larger environments today operate with 100% virtualized systems.
Source: EMC and IDC 10/2011
7. Did You Know?
• Cloud computing accounts for less than 2% of IT spending today; IDC estimates that by 2015 nearly 20% of the information will be "touched" by a cloud computing service.
• Perhaps as much as 10% will be maintained in a cloud.
• Much of the current movement to cloud architectures is being enabled by pervasive adoption of virtualization.
Source: EMC and IDC 10/2011
8. Why Should I Care About CLI/VLI?
With advanced LI tools, everyone knows you are a dog, unless you “anonymize” your identity through the cloud.
The secured perimeter no longer exists.
New technologies present challenges to observing and obtaining the data.
9. Reminder: What is “The Cloud”?
Monitor the hypervisor and you can monitor the cloud.
Source: VMware
11. Hypervisor Virtual Network Monitoring Challenge
[Diagram: ESX virtual stack with vm1, vm2 and vm3 attached to a virtual switch on a physical host server; Security & Monitoring and LI tools sit only on the physical network]
Virtualization Creates Security, Monitoring and Compliance Risks
• No visibility into inter-VM traffic, Infosec vulnerabilities or threats
• Lacks auditing of data passing between virtual servers
• Inability to pinpoint resource utilization issues
12. Visualizing the blind spots
[Diagram: VM1–VM4 (App over OS) and the Service Console attach through virtual Ethernet adapters to ESX vSphere vSwitches, which connect through physical Ethernet adapters to the Production LANs and the Management LAN; the monitoring "tool of choice" sits on the physical side, and the vSwitch layer is marked with a "?"]
14. Virtualization, Clouds Are Elastic
[Diagram: several data centers, each hosting virtual machines, with a VM able to move between them]
• LI warrant issued by local WA authorities
• What happens if the VM of the target of interest transitions to NJ?
15. Virtualization, Clouds Are Global
[Diagram: several data centers, each hosting virtual machines, with a VM able to move between them]
• LI warrant issued by USA authorities
• What happens if the VM of the target of interest transitions to a different country?
16. CLI/VLI Solutions Requirements
Monitor all blind spots
Monitor VM migration
Monitor inter-VM traffic
Multi-hypervisor support
LI system agnostic
Easily integrate with existing infrastructure
17. Existing Technology Solutions
[Diagram: three servers with VMs; a product-specific probe VM sits in the virtual machine layer; virtual Ethernet adapters connect to the virtual switch layer (VMware, Cisco), which connects through physical Ethernet adapters to the network and a physical analysis device]
18. Limitations of Current Solutions
All existing alternate solutions require promiscuous mode and utilization of a SPAN port.
Switch Level Monitoring
• Degrades vSwitch throughput by up to 50%; may require multiple vSwitches to recreate the needed throughput capacity
• All-or-nothing solution (traffic mirrored)
• Local operation does not provide “big picture” visibility
• Traffic sent out via tunnel or feeding a local probe
Local VM Probe
• Most probes require a dedicated core to operate
• Probes are developed for a specific product
• Local operation does not provide “big picture” visibility
19. A Different Approach for Hypervisor Monitoring
[Diagram: three servers with VMs; a Hypervisor Virtual Tap in each hypervisor, managed by a Phantom Controller, forwards traffic through the pNICs to the network and a physical analysis device]
Enables Security, Performance Monitoring and Compliance
• 100% visibility of inter-VM traffic
• Kernel implementation: no need for SPAN ports / promiscuous mode on Cisco 1000V
• Bridges virtual traffic to physical monitoring tools
20. Tunneling traffic of interest to the physical
[Diagram: ESX hosts with vm1–vm3 and an Activity Monitor beside the vSwitch in each hypervisor; traffic of interest leaves through an encapsulation tunnel to the existing LEA infrastructure]
21. What do you do with all that virtual traffic?
22. There is light at the end of the tunnel…
24. Phantom HD
• A high-throughput, purpose-built tunneling appliance
• Developed to handle encapsulated network traffic from Phantom Monitor™
• Optimized for point-to-point transition of raw network traffic
[Diagram: ESX virtual hosts (ESX 3, ESX 4), each with vm1–vm3, a Phantom Controller (VM) and a Phantom Monitor™ beside the virtual switch in the hypervisor, tunneling over the LAN/WAN]
25. Phantom HD–Single Location Deployment
• Decapsulates tunneled traffic from Phantom Virtual Tap and other tunneling appliances
• Full-duplex 10GB wire-speed performance
• Augments physical Tap extensibility across LAN / WAN / Cloud infrastructure
[Diagram: ESX physical servers with vm1–vm3, each with a Phantom Monitor™ and vSwitch in the hypervisor, send encapsulation tunnels across the LAN/WAN to a Phantom HD™, which feeds a Net Optics Director™ distributing traffic to LEA 1–LEA 4]
26. Phantom HD–Global Deployment
[Diagram: ESX physical servers at a remote site / branch office, each with vm1–vm3, a Phantom Monitor™ and vSwitch in the hypervisor, send encapsulation tunnels over the LAN/WAN to a Phantom HD™ in the local data center, which feeds a Net Optics Director™ distributing traffic to LEA 1–LEA 4]
• Remote locations capturing traffic of interest where low volume does not justify a local instrumentation layer or IT staff
• Traffic of interest encapsulated and sent to a central location
• Excellent for managed services providers
29. Final Q&A, Wrap-up
Q&A
For additional information about Phantom Virtual Tap, including
access to the 30-day trial download:
http://gurl.im/1ca8290
For additional information about Phantom HD:
http://gurl.im/dc69291
Sign up for email notifications of future webinars:
http://gurl.im/dd29292
This diagram shows the converged solution, where physical and virtual monitoring traffic is merged and monitored by your existing physical tools. Phantom Monitor (Virtual Tap), installed in your ESX hypervisor, sends GRE-encapsulated traffic to the Phantom HD, where it is decapsulated and sent to the Net Optics Director. At the same time, your physical monitoring traffic is sent directly to the Net Optics Director Data Monitoring Switch. The Director then switches your converged monitoring traffic out to your existing tools. The benefit to you? Your existing monitoring infrastructure extends to both virtual and physical traffic.
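To make the decapsulation step concrete, here is an added example (not Net Optics code) that strips the outer Ethernet/IPv4/GRE headers from one tunneled packet, the way a collector such as Phantom HD must before a physical tool can read the mirrored frame. It assumes the tunnel carries whole Ethernet frames with GRE protocol type 0x6558 (transparent Ethernet bridging) and an optional GRE key; the sample packet and inner frame are constructed inline.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_TEB = 0x6558   # GRE "transparent Ethernet bridging" (assumed payload type of the tap tunnel)
IPPROTO_GRE = 47

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decapsulate_gre(pkt: bytes) -> dict:
    """Strip outer Ethernet + IPv4 + GRE (RFC 2784/2890); return endpoints, key and inner frame."""
    if len(pkt) < 38 or struct.unpack("!H", pkt[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = pkt[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    gre = ip[ihl:total_len]            # total_len bounds the packet, dropping Ethernet padding
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:                 # version must be 0; version 1 is PPTP, not a tap tunnel
        raise ValueError("unsupported GRE version")
    if proto != ETH_P_TEB:
        raise ValueError(f"unexpected GRE payload type {proto:#06x}")
    off, key = 4, None
    if flags & 0x8000:                 # C bit: checksum + reserved1 present
        off += 4
    if flags & 0x2000:                 # K bit: key present (lets one collector tell sessions apart)
        key, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & 0x1000:                 # S bit: sequence number present
        off += 4
    return {"tunnel_src": _ip(ip[12:16]), "tunnel_dst": _ip(ip[16:20]),
            "key": key, "frame": gre[off:]}

def inner_endpoints(frame: bytes) -> tuple:
    """(src, dst) of the mirrored inner IPv4 packet: the VM-to-VM conversation a physical tool now sees."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("inner frame is not IPv4")
    return _ip(frame[26:30]), _ip(frame[30:34])

def build_sample(inner: bytes, key: int = 0x2A) -> bytes:
    """Constructed sample: wrap one inner frame the way a tap would (outer IPv4 checksum left at zero)."""
    gre = struct.pack("!HHI", 0x2000, ETH_P_TEB, key) + inner      # K bit set, key follows
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 1, 1, 5]), bytes([10, 9, 9, 9]))  # hypervisor -> collector
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + gre

# Constructed inner frame: IPv4/TCP between two VMs on the same vSwitch (the blind spot).
INNER = bytes.fromhex("000c29aaaaaa" "000c29bbbbbb" "0800") + struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes([192, 168, 10, 11]), bytes([192, 168, 10, 12])) + bytes(20)
```

A real collector would additionally verify the outer IPv4 and optional GRE checksums and track the sequence number to detect dropped mirrored frames.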
The big BIG picture: central offices and remote offices. Devices and personnel are not located at the remote locations; use Phantom HD to encapsulate the traffic of your choice from the remote location.