You can't manage what you can't see: the sequel

Because you can't manage what you can't see, this week we explore another way to gain visibility into a virtualized environment. PacketMotion sends virtual probes into the VM abyss to gain visibility into VM-to-VM communication.

Virtualization and visibility. If it feels like déjà vu all over again, it's because I wrote about this same topic last week (see "You can't manage what you can't see: gaining visibility"). The problem is so pervasive it's worth looking at alternative solutions.

According to Neil MacDonald, VP and Gartner Fellow, "Organizations are concerned with a lack of visibility into virtual networks and security threats from unmonitored VM-to-VM communications. Organizations need visibility across physical and virtual environments without requiring different solutions for each and tools that bring the same level of audit and secure control to the virtual data center as exists today in the traditional physical data center."

This lack of visibility into VM-to-VM traffic (let's call it "the abyss") is a key issue when securing the virtual environment because it makes it nearly impossible to monitor relevant network traffic and satisfy compliance and audit requirements.

The fractal data center

One new solutions aiming to address the need comes from PacketMotion, which has extended its User Activity Management (UAM) and control functionality for the physical environment to the virtual and cloud environments with its PacketSentry Virtual Probe. The Virtual Probe provides the ability to gain macro visibility into the abyss. As a single VM that provides a wide variety of controls while not requiring any hypervisor modifications or direct API calls, the Virtual Probe is a low-risk solution that avoids concerns about risk to the VMware environment.

The PacketSentry Virtual Probe monitors and secures access to sensitive data in VMware hosts and clusters, including monitoring activity between VMs on the same host. It runs as a guest virtual server that consumes less than 4% of a host's CPU resources, even under heavy load. The probe monitors activity and detects data usage that goes outside the bounds of established usage patterns and policies with the intent of preventing malicious use of virtual resources or meeting compliance control objectives. The PacketSentry Probe captures 55 types of transaction-specific metadata points for actions taken against specific files, folders, databases and tables, with user correlation of all activity.

The Virtual Probe can implement multiple controls within a single application and react to patterns in network activity without needing to know specific IP addresses. This is because the PacketSentry policies and controls are deployed through a VM and the Virtual Probe is independent of the VM deployment architecture. This architecture also enables the automated deployment of identity-based polices which can then be enabled throughout the data center.

Organizations can now extend their monitoring and control best practices into an area where they previously had limited visibility and control: the virtual environment. This is done in a way that unifies the visibility and control of both the physical and virtual environments, specifically when there is a hybrid environment.

With the PacketMotion solution, both the Physical and Virtual probes are indistinguishable to each other from the standpoint of the data being created/captured, the reports being generated, and the rules being implemented. As a result, organizations don't have to think about where the information came from. This unified view allows organizations to have a single pane of glass view into both their physical and virtual environments instead of having siloed point solutions to monitor, control and manage each environment.

This solution is not an intrusion prevention system (IPS) that sits at the edge of the network looking for threats that can attack the enterprise. Rather, PacketMotion offers the next line of defense which is intended to be part of a defense-in-depth approach to security. If an attacker makes it through the perimeter, PacketMotion will provide alerts as to what suspicious transactions are being performed against the assets and can, in near real-time, take corrective action to stop the transactions with TCP resets.

South Jersey Healthcare is one of the early users of PacketSentry Virtual probes. "We have been impressed with the visibility provided to us with the PacketMotion's Virtual Probe, and how easy it was to set up," said Andrew Gahm, systems and security engineer at South Jersey Healthcare. "Since we started using the Virtual Probe, we are now able see data we were not seeing before. This new visibility helps us greatly in conducting research and troubleshooting. It also provides us the data we didn't have before for incident investigations. The granular level of detail it captures on each transaction that is tied back to Active Directory provides us with instant insight as to who is doing what, when and to what resource. Before PacketSentry, we had to dig deep and use many tools to get that information -- if we could get it at all."

The PacketMotion solution for the physical and virtual environments is helpful in the event of a security breach. The organization will have the transaction metadata history combined with PacketSentry's analytics to see precisely who is doing (or did) what to which resource(s). If the proper controls are in place, the organization can stop the anomalous activity as it is happening. Otherwise, PacketSentry operates as a forensic tool by providing the analytics to examine the metadata access patterns within the data center or network. These are the basics required to have a chance of detecting any deviation to the norm.

For cloud service providers, the PacketSentry Virtual Probe can be a benefit from several standpoints. First, they can offer the solution as a service to their subscribers to allow them to control and monitor their virtualized cloud assets. Second, PacketSentry can be used as an indemnification tool if there is a breach or other problem within one of their customers' instances. The service provider can utilize the tool to investigate and demonstrate what happened.

PacketMotion helps unify the physical and virtual environments by bridging visibility and control into one holistic view. This is what organizations are clamoring for as they transition applications onto virtual servers and into the cloud.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at


Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022