How to configure a vTAP for cloud networks
A vTAP can give enterprises better visibility into their cloud networks. Expert Frank Siemons of InfoSec Institute explains how virtual network TAPs work and the available options.
Being able to capture network packets from inside a network at strategic points is invaluable, whether it is done to troubleshoot or for security monitoring.
If, for example, users report that a website is intermittently inaccessible, IT can analyze the captured network packets and find an underlying issue by looking at the interactions between the client and the web server or router.
It's also possible to use an intrusion detection system (IDS) that listens to a stream of network traffic and alerts users when it identifies suspicious or malicious traffic based on known signatures or traffic anomalies.
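As an added illustration of the two detection styles just described (this is example code written for this article, not a tool from the author or from any IDS vendor), the following Python runs a handful of constructed packet records, the kind of summary a TAP would hand to a sensor, through a byte-pattern signature check and a simple traffic-anomaly check. The packet records, the sample signatures and the port-scan threshold are all assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed packet records, as a TAP might hand them to an IDS (not real traffic).
# Each record: (timestamp, src_ip, dst_ip, dst_port, payload bytes)
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (1.10, "10.0.0.5", "10.0.0.80", 80, b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (2.00, "10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/test.cgi?f=../../../../etc/passwd HTTP/1.1\r\n"),
]
# One host touching ten different ports on the same server within a tenth of a second.
SAMPLE_PACKETS += [
    (3.0 + i * 0.01, "10.0.0.13", "10.0.0.80", port, b"")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
]

# Signature rules: (rule name, byte pattern that must appear in the payload).
SIGNATURES = [
    ("directory traversal in URL", b"../.."),
    ("/etc/passwd requested", b"/etc/passwd"),
]


def signature_alerts(packets, signatures=SIGNATURES):
    """Known-bad content: flag every packet whose payload contains a signature."""
    alerts = []
    for ts, src, dst, dport, payload in packets:
        for name, pattern in signatures:
            if pattern in payload:
                alerts.append({"rule": name, "src": src, "dst": dst, "dport": dport, "at": ts})
    return alerts


def port_scan_alerts(packets, threshold=8, window=1.0):
    """Traffic anomaly: one source reaching `threshold` distinct destination
    ports on one host inside `window` seconds is reported once per pair."""
    alerts, flagged = [], set()
    history = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport, _payload in sorted(packets, key=lambda p: p[0]):
        key = (src, dst)
        history[key].append((ts, dport))
        recent = {p for t, p in history[key] if ts - t <= window}
        if len(recent) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "possible port scan", "src": src, "dst": dst,
                           "ports": sorted(recent), "at": ts})
    return alerts


def run_ids(packets):
    """Combine both detectors over one stream of packet records."""
    return signature_alerts(packets) + port_scan_alerts(packets)


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_PACKETS):
        print(alert)
```

The benign browsing from 10.0.0.5 produces nothing; the traversal request trips both signatures, and the probing host is reported as soon as its eighth distinct port is seen rather than once per packet, which is how a real sensor keeps alert volume manageable.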
What is a TAP?
In order to obtain these packets, they need to be intercepted. A network Terminal Access Point (TAP) can be either a virtual or a physical device that listens to the network traffic on its network interfaces and either sends copies of the packets to another system or stores them directly to disk.
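To make the definition concrete, here is an added Python example (written for this article, not code from the author or any TAP vendor) of a minimal software TAP that does both things the paragraph lists: it appends every frame it observes to a pcap file on disk and hands a copy to any registered consumer. It then reads the file back and decodes the Ethernet, IPv4 and TCP headers the way an analyst would when investigating a client-to-web-server problem. The frames, addresses and file location are constructed for the demonstration; the pcap layout used is the standard little-endian format with microsecond timestamps.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP frame for the demonstration.
    Checksums are left at zero: a TAP copies frames exactly as it sees them,
    and the decoder below does not depend on them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp


class SoftwareTap:
    """Minimal software TAP: every frame passed to observe() is appended to a
    pcap file on disk and a copy is delivered to each registered consumer."""

    def __init__(self, pcap_path):
        self.consumers = []
        self.fh = open(pcap_path, "wb")
        # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        self.fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))

    def add_consumer(self, fn):
        self.consumers.append(fn)

    def observe(self, frame, ts):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        self.fh.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
        for consumer in self.consumers:
            consumer(bytes(frame))          # each consumer receives its own copy

    def close(self):
        self.fh.close()


def read_pcap(path):
    """Return the raw frames stored in a little-endian pcap file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def decode(frame):
    """Decode Ethernet II / IPv4 / TCP headers; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_offset:]}


def flag_names(flags):
    bits = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))
    return "/".join(name for bit, name in bits if flags & bit)


def demo():
    """Run a constructed client/web-server exchange through the TAP, then read
    the stored capture back and summarise it as a troubleshooter would."""
    path = os.path.join(tempfile.mkdtemp(), "tap.pcap")
    tap = SoftwareTap(path)
    copies = []
    tap.add_consumer(copies.append)          # stands in for a remote analysis system
    c_mac, s_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"
    client, server = "10.0.0.5", "10.0.0.80"
    tap.observe(build_frame(c_mac, s_mac, client, server, 51000, 80, 0x02), 1.000)   # SYN
    tap.observe(build_frame(s_mac, c_mac, server, client, 80, 51000, 0x12), 1.001)   # SYN/ACK
    tap.observe(build_frame(c_mac, s_mac, client, server, 51000, 80, 0x10), 1.002)   # ACK
    tap.observe(build_frame(c_mac, s_mac, client, server, 51000, 80, 0x18,
                            b"GET / HTTP/1.1\r\nHost: intranet.test\r\n\r\n"), 1.003)  # PSH/ACK
    tap.close()
    records = [decode(f) for f in read_pcap(path)]
    summary = [f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {flag_names(r['flags'])}"
               for r in records]
    return {"copies": len(copies), "records": records, "summary": summary}


if __name__ == "__main__":
    for line in demo()["summary"]:
        print(line)
```

The file the TAP writes opens in any pcap-aware analyser, so the same capture can serve a one-off troubleshooting session (the file) and a live sensor (the consumer callback) without the frames being modified in either path.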
A physical TAP can be as simple as a box with mirrors capable of duplicating the light carried by an incoming fiber optic cable. Alternatively, it can be a powered device, sometimes with built-in logic, software and network interfaces. Many professional switches can also mirror the traffic of one or more ports to a designated monitoring port -- this is called a Switched Port Analyzer, or SPAN.
A virtual TAP, or vTAP, is located within a hypervisor such as VMware ESX or Oracle VM VirtualBox. It works in a similar manner by connecting to a virtual traffic flow or virtual switch. A benefit of a vTAP is that it can monitor traffic between two virtual machines within the same hypervisor without the traffic leaving the hardware. With the virtualization of network devices such as firewalls, switches and proxy servers, this has been a popular option in recent years.
TAPs in the cloud
Some cloud service providers (CSPs) have come up with solutions that enable customers to tap into their network traffic. This matters because, whether a system is located in a company's own local data center or hosted within a cloud instance, visibility for troubleshooting and security monitoring is equally important.
Some challenges CSPs face, however, arise from the fact that their platform environments are multi-tenant, which obviously raises further privacy and security concerns. The CSP cannot provide a customer access to the lower layer of the network infrastructure in a multi-tenant environment.
Another complication is the location-independent nature of the public cloud. An organization's infrastructure -- including its virtual servers -- can be moved around between data centers and physical systems at any given time. As long as the CSP ensures availability and adheres to all the limitations requested by the customer, such as keeping data within selected geographic areas, this is not an issue. However, it does make it complex to select a static, reliable point at which to place a vTAP.
Finally, cloud network traffic often carries different CSP-specific headers while the packets are in transit. The CSP removes those headers upon delivery of the traffic, but if the traffic were intercepted in transit, with those headers still present, it would be hard to use in typical security devices and applications.
Because vTAP configuration has been challenging for customers, creative users and researchers have come up with workarounds -- such as network address translation setups for AWS.
Companies whose products rely on network TAPs to function, such as Gigamon, have also developed new products and services, such as TAP as a service for OpenStack.
Microsoft can capture network data via the Azure Network Watcher. This works by configuring a Network Watcher at a specific point in the network. It can capture traffic and record it to a file in a specified system or location where it can be analyzed.
This works well when troubleshooting specific network-related issues, but it does not allow for the around-the-clock, real-time monitoring of traffic that is necessary to detect suspicious activity. That requires a live feed of data, either by placing a security device, such as an IDS, inline within the traffic flow or by creating a 24/7 mirrored stream of the traffic, for example with a vTAP, and sending that stream to a security device.
Now, Microsoft has gone one step further with the just announced Virtual Network TAP. Even though it is still in the developer preview stage and is only available on systems in specific regions, this is quite a promising development. From a security perspective, having this added visibility opens up a plethora of new capabilities in the Azure cloud. Vendors can now develop and offer additional security products and users can build open source security controls such as Snort IDS and a range of anomaly detection systems.
Although it might not seem so at first glance, this is a big step forward. Other cloud service providers will likely follow suit.
For any company currently using the Azure platform, Azure Virtual Network TAP is a development to follow closely. If there is already a clear need to capture network traffic in real time, enrollment in the preview program might provide some helpful insights before the final tool is released. Hopefully the rest of the public cloud market will offer similar products soon.