Exploring Options to Tap East-West Traffic in Virtualized Networks
Posted by Hassan Khanafer on 2024 Aug 14th
Monitoring east-west traffic in virtualized networks is essential for detecting malicious lateral movement, analyzing network performance, and ensuring compliance with regulations. East-west traffic refers to data flows within an enclave, such as communication between virtual machines (VMs) in a data center, as opposed to north-south traffic that crosses the boundary of an enclave. Here, we will explore various methods to capture and analyze this critical network traffic.
Understanding East-West Traffic Flows
Over the past decade, the terms "east-west" and "north-south" have emerged to describe network flows within and across the boundaries of an enclave, respectively. Monitoring east-west traffic involves collecting data on communications between individual endpoints within the network, which can be complex due to the numerous switches, VLANs, and security controls involved. Here are the most effective options for tapping into this traffic.
| Method | Definition | Usage | Benefits | Considerations |
|---|---|---|---|---|
| SPAN or Port Mirroring | Copying traffic from a switch port or VLAN to a designated port for monitoring | Configure on a core switch to capture traffic to/from servers | Easy setup, no physical hardware changes, passive method | Ensure the traffic analysis tool is connected to the SPAN or mirror port, either on a dedicated server or NIC |
| Virtual Port Groups | Promiscuous mode on virtual port groups within a hypervisor | Deploy a network sensor as a VM to monitor internal and external VM traffic | Quick setup, no physical hardware needed, ideal for POCs | Modify security settings of the virtual port group to allow promiscuous mode |
| Mirror Ports on Virtual Switches | Port mirroring on distributed virtual switches | Capture traffic across multiple hypervisors with a single network sensor | Efficient for large networks, provides comprehensive visibility | Requires configuration of port mirroring on distributed switches |
| Virtual TAPs | Software-based solutions that capture data between VMs | Monitor traffic within virtualized environments using hypervisor features | Enables monitoring and alerts in virtualized environments, integrates with virtual-native tools | Depends on hypervisor capabilities, may require additional configuration |
| Physical Network TAPs | Copies traffic between two network devices to a monitor port | Place TAPs at strategic points like firewall connections | Real-time, unimpeded monitoring, captures detailed network data | Initial downtime for installation, potential network performance impact if not managed properly |
| Packet Brokers | Directs selected data packets to specific network traffic analysis tools | Manage multiple SPAN outputs and direct traffic to various tools | Aggregates and directs traffic efficiently, ideal for extensive monitoring needs | Complements TAPs by managing captured traffic and distributing it to necessary tools |
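Whichever of the methods above feeds the sensor, the first thing to verify is that the feed actually contains east-west traffic and that the tap is configured correctly. The script below is an added example, not code from the original post: it takes a small sample of packet records (constructed inline here; in practice they would come from the sensor NIC or a pcap), classifies each as east-west or north-south against an assumed enclave range, and flags two symptoms of a misconfigured tap that practitioners commonly hit: flows seen in only one direction (a SPAN session mirroring only rx or only tx) and frames addressed solely to the sensor's own MAC (promiscuous mode not granted on the virtual port group). The enclave prefix, the sensor MAC and the packet tuples are all assumptions made for the example.

```python
"""Sanity-check a SPAN / mirror / virtual-TAP feed on a network sensor.

Added example, not part of the original post. Packet records are
(src_mac, dst_mac, src_ip, dst_ip) tuples; everything below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the enclave whose internal flows count as "east-west".
ENCLAVE = [ip_network("10.10.0.0/16")]
# Assumption: the MAC address of the sensor's own monitoring NIC.
SENSOR_MAC = "00:50:56:aa:00:01"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_internal(ip: str) -> bool:
    """True if the address belongs to one of the enclave prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in ENCLAVE)


def classify(src_ip: str, dst_ip: str) -> str:
    """East-west if both endpoints are inside the enclave, else north-south."""
    if is_internal(src_ip) and is_internal(dst_ip):
        return "east-west"
    return "north-south"


def analyze(packets):
    """Summarize a packet sample and report tap-health findings."""
    counts = {"east-west": 0, "north-south": 0}
    # unordered endpoint pair -> set of (src, dst) directions observed
    directions = defaultdict(set)
    foreign_mac_frames = 0  # frames not addressed to the sensor itself

    for src_mac, dst_mac, src_ip, dst_ip in packets:
        counts[classify(src_ip, dst_ip)] += 1
        pair = tuple(sorted((src_ip, dst_ip)))
        directions[pair].add((src_ip, dst_ip))
        if dst_mac.lower() not in (SENSOR_MAC, BROADCAST_MAC):
            foreign_mac_frames += 1

    unidirectional = sorted(p for p, d in directions.items() if len(d) == 1)

    findings = []
    if counts["east-west"] == 0:
        findings.append("no east-west traffic seen: tap placed at the boundary only?")
    if unidirectional:
        findings.append("unidirectional flows: check mirror session direction (rx/tx/both)")
    if foreign_mac_frames == 0:
        findings.append("only frames addressed to the sensor: promiscuous mode likely disabled")

    return {
        "counts": counts,
        "unidirectional": unidirectional,
        "foreign_mac_frames": foreign_mac_frames,
        "findings": findings,
    }


# Constructed sample: VM A <-> VM B (both directions), VM A <-> internet via the
# gateway MAC, and VM C -> VM B seen in one direction only.
SAMPLE_PACKETS = [
    ("00:50:56:aa:01:10", "00:50:56:aa:02:20", "10.10.1.10", "10.10.2.20"),
    ("00:50:56:aa:02:20", "00:50:56:aa:01:10", "10.10.2.20", "10.10.1.10"),
    ("00:50:56:aa:01:10", "00:50:56:aa:ff:01", "10.10.1.10", "8.8.8.8"),
    ("00:50:56:aa:ff:01", "00:50:56:aa:01:10", "8.8.8.8", "10.10.1.10"),
    ("00:50:56:aa:03:30", "00:50:56:aa:02:20", "10.10.3.30", "10.10.2.20"),
    ("00:50:56:aa:01:10", "00:50:56:aa:02:20", "10.10.1.10", "10.10.2.20"),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_PACKETS)
    print("flow counts:", report["counts"])
    print("unidirectional pairs:", report["unidirectional"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it on a real capture by replacing SAMPLE_PACKETS with records read from the sensor; a healthy mirror of a busy segment should show a non-zero east-west count, few or no unidirectional pairs, and many frames addressed to MACs other than the sensor's own.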
Choosing the right method to tap east-west traffic depends on your network topology and specific monitoring needs. Each method offers unique benefits and considerations, ensuring that you can achieve comprehensive visibility, enhance security, and maintain optimal network performance.