Lora O'Haver
Senior Solutions Marketing Manager

Secure your Azure Stack private cloud with sensor-based packet visibility

January 7, 2019 by Lora O'Haver

While cloud computing is widely used to drive digital transformation, some organizations cannot legally, or do not want to, connect their computing infrastructure to the internet. This is often the case for government agencies and contractors, who must adhere to strict security guidelines and compliance regulations. To meet this need, several providers now offer a turnkey private cloud platform that is completely isolated from the internet, easy to deploy, and flexible to scale. Users are responsible for keeping their private cloud updated, but they have no need to hire cloud architects or developers to maintain the platform or its features, which is where many do-it-yourself private clouds become costly and unwieldy.

Turnkey private cloud providers shield their users from the complexities of the platform by limiting access to the underlying hypervisor layer. This presents a challenge, however, for accessing the packet data used in critical threat detection and security analysis. Users of turnkey private clouds must deploy a visibility platform to gain access to packets in the cloud and ensure they are examined for potential security issues.

Ixia provides sensor-based packet access for Azure Stack private clouds.

Private clouds limit public exposure of infrastructure

Sales engineers at Keysight | Ixia recently had the opportunity to work with the network security and operations teams of a national government that was deploying a centralized private cloud to host applications for subsidiary agencies and branches across the globe. They planned to have network traffic from several government agencies—including immigration, defense, and law enforcement—sent to the cloud for monitoring by security solutions. The customer deployed Azure Stack on-premises to achieve the flexibility and cost-efficiencies needed for digital transformation.

The key challenges were to:

  • Design a best-in-class network security architecture that would meet the strict compliance requirements of the government
  • Ensure virtual traffic moving in and out of the government's new Azure Stack private cloud would be 100% monitored for threats and anomalies

Preferred security solutions require network packets

The customer’s security and risk management team evaluated security solutions to protect the government from known malware, help them respond immediately to new threats, and quickly recover from cyber incidents. They chose FireEye, a leading security vendor, to provide network and endpoint threat detection and security forensics. FireEye solutions use deep packet inspection to understand the context of communications moving through the network and to identify “indicators of compromise” that can be evidence of a network attack, data exfiltration, or employee error. Fast delivery of network packets to FireEye’s solution is critical to timely, accurate detection and resolution of issues.

Unfortunately, the government’s existing Gigamon network visibility platform had no solution for seeing packets inside the turnkey Azure Stack platform. A new solution was needed in order to ensure compliance with key security regulations.

Ixia offers the only solution for Azure Stack packet access

Ixia engineers worked closely with the Azure Stack and FireEye teams to develop a CloudLens vTap Sensor with the ability to copy packets inside the private cloud for security monitoring. Ixia is currently the only vendor with a solution for accessing packets inside Azure Stack.

While packet access is critical, Ixia’s cloud visibility solution also features powerful network packet brokers (NPBs) that prepare, filter, and deliver data efficiently to any and all monitoring tools. Ixia NPBs eliminate duplicate packets, strip packets of unnecessary headers, and filter packets according to user-defined criteria. The ability to manage packet volume is important for controlling costs and minimizing time to detection. Ixia NPBs also offer active and passive decryption, eliminating the need for a separate decryption tool.

Key components of private cloud visibility

The following components were key to the design of this government’s security architecture. This approach to cloud visibility can be used in other environments restricted from using internet-based solutions:

  1. Classic virtual taps: In this distributed environment, the security team identified 500 points in their highly virtualized data center where they wanted to monitor network traffic for potential security threats. In order to access the packets moving between virtual machines, they implemented Ixia CloudLens vTaps to capture and forward what is commonly referred to as east-west traffic. Classic-style CloudLens vTaps are deployed inside the hypervisor layer, to see every packet.
  2. Azure Stack sensor-based virtual taps: The more challenging part of this environment to monitor was the large, centralized Azure Stack private cloud. This turnkey platform is easy to use and scale, but does not provide users with direct access to the underlying hypervisor platform, essentially shielding virtual traffic in the private cloud from view. Accessing packets in Azure Stack requires a unique vTap Sensor designed specifically for this purpose. Ixia is currently the only vendor that offers this type of solution.
  3. Edge-positioned packet aggregation brokers: Pre-processing and filtering packets of interest using a network packet broker (NPB) makes monitoring more efficient. Geographically distributed environments are often best served by deploying special-purpose NPBs at the network edge to quickly aggregate and filter traffic. This reduces the workload on the central NPB, so the entire system can work more efficiently. In this situation, the government deployed several thousand Ixia Vision Edge NPBs across their global IT environment to serve this function.
  4. Dual, synchronous network packet brokers: In the data center, the government deployed two Ixia Vision ONE packet brokers configured with complete synchronicity between them, to share the workload and provide instant failover in the event of any disruption. Ixia NPBs feature automatic load balancing to manage workloads effectively.

Summary

If you are considering a private cloud deployment—whether a turnkey platform from a cloud vendor or a do-it-yourself project—make sure your plan includes a cloud visibility solution. You will need 100% visibility into all the physical and virtual packets moving through your network to stop known threats, identify new attacks in progress, and quickly recover from cyber incidents, whether they are accidental, the work of natural disasters, or malicious in nature.

Learn more about this case study at: Cloud Visibility Overcomes Security Limitation of Turnkey Private Cloud.