VMware : How to Achieve TAP-less Network Traffic Analysis

We're all becoming extremely aware of the importance of east-west protection. Recent security breaches have highlighted the role of Zero Trust as an essential strategy to protect valuable information. As a result, organizations are explicitly considering the security of east-west traffic flows to prevent adversaries from gaining a foothold in the data center and moving laterally across the network to access high-value data.

The biggest problem with protecting against advanced threats is the need to inspect all network traffic to prevent unwanted access by hackers, malicious insiders, or users with compromised accounts.

The traditional approach involves setting up a series of network Test Access Points (TAPs) to see traffic going over the network. Tapped traffic is then sent to a centralized Network Traffic Analyzer (NTA) appliance for monitoring. All of this - designing the infrastructure, acquiring the devices and appliances, configuring, implementing, and managing them-can present serious issues.

Let's look at the challenges of the traditional approach, and then show how a distributed implementation can not only respond to the challenges but also provide operational simplicity.

TAP Network Challenges

TAP Challenge 1: Where to put the TAPs

A network architect must determine which network assets are most critical, which locations present the greatest risk, and what data must be protected. All this goes into determining where to place TAPs.

TAP Challenge 2: How many TAPs to place

Budget limitations prevent TAPs from being placed everywhere. One needs to consider not just the number of TAPs, but also the total traffic to be processed. Sometimes an upgrade to the existing TAP network infrastructure is required. Most organizations end up placing TAPs in a few strategic places. This results in incomplete coverage.

TAP Challenge 3: Which types of TAPs

Physical cables can be plugged into TAPs to capture traffic that flows across the physical network. But because traffic inside a host in a virtual environment doesn't travel across a physical network, virtual TAPs must be used to capture east-west communication among workloads.

TAP Challenge 4: How to secure the TAP infrastructure

Devices - whether physical or virtual - need to be secured. This means investing time and energy to prevent the risk of an attacker compromising the TAP network (e.g., by copying traffic, or eliminating alerts.)

TAP Challenge 5: How to manage the TAP infrastructure

Management of a TAP network can become difficult as more generations of devices and devices from different vendors complicate patching and upgrading of the TAP device.

NTA Appliance Challenges

Those are just the challenges that relate to TAPs. NTA appliances present their own challenges.

NTA Challenge 1: Aggregate NTA capacity

NTA appliances need to be able to aggregate and process the traffic flows from TAP devices. Due to budgetary constraints, many organizations select an appliance that will handle a certain percentage of their TAP traffic. Yet an NTA appliance without sufficient capacity may not be able to process all traffic, causing gaps in visibility

NTA Challenge 2: NTA capacity for east-west network traffic.

During the active phase of an attack, the attackers spend the majority of their time, moving laterally within an organization's environment. To detect such lateral movement, the NTA appliance needs to handle both north-south and east-west traffic. So again, budgetary decisions can lead to insufficient capacity for visibility into east-west traffic that might harbor advanced threats.

Responding to the Challenges

All of the challenges presented by a traditional approach can be resolved via a distributed implementation. VMware's Advanced Threat Prevention (ATP) package, an add-on to the NSX Distributed Firewall, provides east-west protection against advanced threats while increasing operational simplicity. Its built-in NTA capability analyzes traffic passing through the data center. The underlying technology is based on distributed all-software sensors that move traffic inspection out to each workload: the NTA "sensor" is co-located with the workload by design.

Response to TAP Challenges 1-5

Because no separate TAP network must be created or maintained, there is no need to determine how many TAPs, what type, where to place, or how to secure or manage.

In a distributed implementation, the NTA sensor uses the spare capacity available on the physical server running the workload. As more workloads are added, so too are physical servers, which means more processing power for the distributed engines. The distributed processing capacity grows or shrinks with the servers, so the NTA can handle all sensor data and adjust to the scale of east-west traffic.

Response to NTA Challenges 1 and 2

Capacity expands or shrinks with the workload, eliminating the need to worry about aggregate TAP capacity or the NTA's ability to handle east-west traffic.

Operational Simplicity Without Tradeoffs

The VMware ATP package simplifies the approach to advanced threat prevention, providing comprehensive visibility into traffic that moves laterally inside the network (east-west). Thanks to the distributed architecture, NTA becomes vastly simpler and more effective. With no need to stand up and manage a separate TAP network or deal with NTA appliances, organizations gain comprehensive protection along with operational simplicity.

Check out VMware's ATP package for the NSX Distributed Firewall and see how it ensures constant vigilance over east-west traffic and protection against advanced threats. Download the paper here.