VMware: How to Perform Network Traffic Analysis Without TAP
We are all becoming acutely aware of the importance of east-west protection. Recent security breaches have highlighted the role of Zero Trust as an essential strategy for protecting valuable information. As a result, organizations are explicitly considering the security of east-west traffic flows to prevent adversaries from gaining a foothold in the data center and moving laterally across the network to reach high-value data.
The biggest problem with advanced threat protection is the need to inspect all network traffic to prevent unwanted access by hackers, malicious insiders, or users with compromised accounts.
The traditional approach is to deploy a series of network test access points (TAPs) to see traffic passing through the network. The mirrored traffic is then sent to a centralized Network Traffic Analyzer (NTA) appliance for analysis. All of this (designing the infrastructure, acquiring the appliances and devices, configuring them, deploying them and managing them) can present serious problems.
Let’s take a look at the challenges of the traditional approach, then show how a distributed implementation can not only address the challenges but also provide operational simplicity.
Challenges of the TAP network
TAP Challenge 1: Where to place the TAPs
A network architect must determine which network assets are the most critical, which locations are of the greatest risk, and what data needs to be protected. All of this helps determine where to place the TAPs.
TAP Challenge 2: How many TAPs to place
Budget limitations prevent TAPs from being placed everywhere. You have to account not only for the number of TAPs but also for the total volume of traffic they will mirror, which sometimes forces an upgrade of the existing network infrastructure before TAPs can be added. Most organizations end up placing TAPs in a few strategic locations, which results in incomplete coverage.
TAP Challenge 3: What types of TAP
Physical TAPs are inserted inline on cables to copy traffic flowing through the physical network. But traffic between two workloads on the same host in a virtualized environment never leaves the hypervisor's virtual switch, so it never crosses a physical link; virtual TAPs must be used to capture that east-west communication.
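The three placement questions above (where, how many, what type) can be reasoned about with a small flow-coverage model. The following is an added example, not code from the VMware page: it builds a constructed leaf/spine topology with VMs placed on hosts, enumerates every VM-to-VM flow, places a TAP budget greedily on the links that expose the most uncovered flows, and reports which flows no physical TAP can ever see because they stay inside one host. For contrast, it also models the per-host sensor placement described later on the page, where a flow is visible whenever either endpoint's host carries a sensor. All hostnames, VM names and the topology are hypothetical.

```python
"""Flow-coverage model: physical TAP placement vs. per-workload sensors.

Added example, not code from the VMware page. The leaf/spine topology,
workload placement and flow list below are constructed for illustration.
"""
from itertools import combinations

# Constructed topology: host -> leaf switch; every leaf uplinks to one spine.
HOST_LEAF = {"h1": "leaf1", "h2": "leaf1", "h3": "leaf2", "h4": "leaf2"}
# Constructed workload placement: VM -> host it runs on.
VM_HOST = {"web1": "h1", "web2": "h1", "app1": "h2",
           "app2": "h3", "db1": "h4", "db2": "h4"}
SPINE = "spine"


def link(a, b):
    """Undirected physical link, normalised so link(a, b) == link(b, a)."""
    return tuple(sorted((a, b)))


def all_links():
    """Every physical link in the constructed topology, in sorted order."""
    links = {link(h, leaf) for h, leaf in HOST_LEAF.items()}
    links |= {link(leaf, SPINE) for leaf in set(HOST_LEAF.values())}
    return sorted(links)


def flow_links(src_vm, dst_vm):
    """Physical links a flow crosses. Empty when both VMs share a hypervisor,
    because that traffic stays on the host's virtual switch (TAP challenge 3)."""
    hs, hd = VM_HOST[src_vm], VM_HOST[dst_vm]
    if hs == hd:
        return frozenset()
    ls, ld = HOST_LEAF[hs], HOST_LEAF[hd]
    links = {link(hs, ls), link(hd, ld)}
    if ls != ld:
        links |= {link(ls, SPINE), link(ld, SPINE)}
    return frozenset(links)


def all_flows():
    """Every east-west VM pair in the constructed data center."""
    return [(a, b) for a, b in combinations(sorted(VM_HOST), 2)]


def tap_coverage(tapped_links):
    """Flows seen by TAPs on the given links (a flow is seen if any link it
    crosses is tapped) and the flows that remain invisible."""
    tapped = set(tapped_links)
    seen = [f for f in all_flows() if flow_links(*f) & tapped]
    unseen = [f for f in all_flows() if not flow_links(*f) & tapped]
    return seen, unseen


def place_taps(budget):
    """Greedy set cover: spend `budget` TAPs, each on the link that adds the
    most not-yet-covered flows (TAP challenges 1 and 2). Ties resolve to the
    lexicographically smallest link so the result is deterministic."""
    chosen = []
    covered = set()
    for _ in range(budget):
        def gain(l):
            return sum(1 for f in all_flows()
                       if f not in covered and l in flow_links(*f))
        best = max(all_links(), key=gain)
        if gain(best) == 0:
            break  # nothing more a physical TAP can see
        chosen.append(best)
        covered |= {f for f in all_flows() if best in flow_links(*f)}
    return chosen


def sensor_coverage(sensored_hosts):
    """Flows seen by per-workload sensors: a flow is seen when either endpoint
    runs on a host with a sensor, intra-host flows included."""
    hosts = set(sensored_hosts)
    return [f for f in all_flows()
            if VM_HOST[f[0]] in hosts or VM_HOST[f[1]] in hosts]


if __name__ == "__main__":
    flows = all_flows()
    for budget in (1, 2, 3):
        taps = place_taps(budget)
        seen, unseen = tap_coverage(taps)
        print(f"{budget} TAP(s) on {taps}: {len(seen)}/{len(flows)} flows; "
              f"blind to {unseen}")
    print("Per-host sensors on all hosts:",
          f"{len(sensor_coverage(HOST_LEAF))}/{len(flows)} flows")
```

With this topology the greedy placement spends its first TAP on a spine uplink, yet even three TAPs leave the two intra-host flows (db1 to db2 on h4, web1 to web2 on h1) invisible, while sensors on every host see all fifteen flows. The model ignores link capacity, which is the other half of challenge 2, but it is enough to show why coverage and placement are coupled decisions.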
TAP Challenge 4: How to secure the TAP infrastructure
TAP devices, whether physical or virtual, must themselves be secured. This means investing time and effort to keep an attacker from compromising the TAP network (for example, to copy mirrored traffic or to suppress alerts).
TAP Challenge 5: How to manage the TAP infrastructure
Managing a TAP network can become difficult because multiple generations of appliances and devices from different vendors make it hard to patch and upgrade the TAP infrastructure consistently.
The challenges of the NTA appliance
Those are just the challenges associated with TAPs. NTA appliances present their own.
NTA Challenge 1: Aggregated NTA capacity
NTA appliances must be able to aggregate and process traffic flows from TAP devices. Due to budget constraints, many organizations select an appliance that will handle a certain percentage of their TAP traffic. However, an NTA appliance without sufficient capacity may not be able to handle all the traffic, resulting in gaps in visibility.
NTA Challenge 2: NTA capacity for east-west network traffic.
During the active phase of an attack, attackers spend the majority of their time moving laterally through an organization’s environment. To detect such lateral movement, the NTA appliance must handle both north-south and east-west traffic. Again, budget decisions can leave insufficient visibility into east-west traffic that could harbor advanced threats.
Respond to challenges
All of the challenges presented by a traditional approach can be solved through a distributed implementation. VMware’s Advanced Threat Prevention (ATP) package, an add-on to the NSX Distributed Firewall, provides east-west protection against advanced threats while increasing operational simplicity. Its built-in NTA capability analyzes traffic passing through the data center. The underlying technology is based on fully distributed software sensors that move traffic inspection to each workload: the NTA “sensor” is co-located with the workload by design.
Responding to TAP challenges 1-5
Since no separate TAP network needs to be created or maintained, there is no need to decide how many TAPs to deploy, of what type, where to place them, or how to secure and manage them.
In a distributed implementation, the NTA sensor uses capacity available on the physical server that runs the workload. As workloads are added, so are physical servers, which means more processing power for the distributed engines. Because processing capacity grows and shrinks with the server fleet, the NTA can handle all sensor data and scales with the volume of east-west traffic.
Response to challenges 1 and 2 of the NTA
Capacity rises and falls with the workload, eliminating the need to worry about aggregated NTA capacity or about the NTA’s ability to handle east-west traffic.
Operational simplicity without compromise
The VMware ATP package simplifies the approach to advanced threat prevention, providing complete visibility into traffic moving laterally within the network (east-west). Thanks to the distributed architecture, NTA becomes much simpler and more efficient. Without the need to stand up and manage a separate TAP network or deal with NTA appliances, organizations enjoy complete protection and operational simplicity.
Learn about VMware’s ATP package for the NSX Distributed Firewall and see how it provides constant vigilance over east-west traffic and protection against advanced threats.