Using the vGW Series Network and Firewall Modules Cooperatively

There are various ways to use the Network module in the service of the Firewall module to build a strong firewall. This topic explores some aspects of the Network module that can be used for this purpose.

Network Assessment

Administrators are not always aware of events that transpire on their virtualized networks because existing software for the virtualized environment does not always expose them. The vGW Series Network module addresses this problem. It gives you a clear view of all traffic flows across your virtualized network. You can view overall throughput, chart protocol usage, identify sources and destinations of traffic, and identify top talkers. You can calculate minimum, maximum, and average figures across specific time intervals for these aspects of your network. For example, the Network > Top Protocols window assessment depicted in Figure 33 shows that the most heavily used protocols are Microsoft SQL Server followed by MySQL. The table beneath the graph gives details on all protocols used in top-down order, from most to least used.

Figure 33: Top Protocols Across All Machines Example

Because the vGW Series allows you to view activity that occurs inside the hypervisor, you can quickly see who is communicating with whom. Even if you used only its ability to view connections in real time, you could make realistic network assessments. But the vGW Series provides much more information that can contribute to your network assessment.

As Figure 34 shows, the Network module’s Connections tab displays the number of connections in your network across time for all machines, whether the connections are inbound, outbound, or internal. The table beneath the graph shows when the connection was set up and when it ended, the protocol used, the source and destination endpoints, and the bytes transmitted. You can view this kind of information for individual VMs by selecting the VM in the VM tree.

Figure 34: Network Module Connection Tab Information
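The Connections tab rows described above (when the connection was set up and ended, protocol, source and destination endpoints, bytes) are enough to compute the assessments the Network module presents: top protocols, top talkers, and minimum, maximum and average connection counts across a time interval. The following is an added example, not vGW Series code, that performs those calculations in Python over constructed sample rows; it also shows how widening the interval from one day to two surfaces an outlier (a large off-hours HTTP transfer to an external address) that the one-day view does not.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows shaped like the Connections tab: start, end,
# protocol, source, destination, bytes. All values are made up for this example.
FLOWS = [
    ("2012-03-01 09:00:00", "2012-03-01 09:05:00", "Microsoft SQL Server", "10.0.0.11", "10.0.0.20", 4_000_000),
    ("2012-03-01 09:10:00", "2012-03-01 09:12:00", "MySQL",                "10.0.0.12", "10.0.0.21", 2_500_000),
    ("2012-03-01 10:30:00", "2012-03-01 10:31:00", "HTTP",                 "10.0.0.11", "10.0.0.22",   300_000),
    ("2012-03-01 10:45:00", "2012-03-01 10:50:00", "Microsoft SQL Server", "10.0.0.13", "10.0.0.20", 1_000_000),
    ("2012-03-01 11:05:00", "2012-03-01 11:06:00", "MySQL",                "10.0.0.12", "10.0.0.21",   500_000),
    ("2012-03-02 03:00:00", "2012-03-02 03:20:00", "HTTP",                 "10.0.0.13", "203.0.113.9", 9_000_000),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def in_interval(flows, start, end):
    """Rows whose connection was set up inside [start, end), like the Time Interval field."""
    s, e = parse(start), parse(end)
    return [f for f in flows if s <= parse(f[0]) < e]

def top_protocols(flows, start, end):
    """Bytes per protocol, ordered from most to least used (the Top Protocols table)."""
    totals = Counter()
    for _, _, proto, _, _, nbytes in in_interval(flows, start, end):
        totals[proto] += nbytes
    return totals.most_common()

def top_talkers(flows, start, end, n=3):
    """Bytes per source endpoint, highest first (top talkers)."""
    totals = Counter()
    for _, _, _, src, _, nbytes in in_interval(flows, start, end):
        totals[src] += nbytes
    return totals.most_common(n)

def connections_per_bucket(flows, start, end, bucket=timedelta(hours=1)):
    """Min, max and average number of connections set up per bucket across the interval."""
    s, e = parse(start), parse(end)
    nbuckets = int((e - s) / bucket)
    counts = [0] * nbuckets
    for f in in_interval(flows, start, end):
        counts[int((parse(f[0]) - s) / bucket)] += 1
    return min(counts), max(counts), sum(counts) / nbuckets
```

Over the first day alone Microsoft SQL Server leads and MySQL follows, as in Figure 33; over two days the single off-hours HTTP flow from 10.0.0.13 dominates both the protocol and top-talker views, which is the kind of change worth investigating and, if unwanted, blocking in the Firewall module.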

Using the Network Module to Observe Traffic Coming Into and Going Out From VMs

The Network module contributes to your ability to create a strong security firewall in many ways. It displays information about all traffic, including traffic internal to a VM, traffic in and out of its vNICs, traffic from another VM on the same host, traffic between VMs on different hosts, or even traffic transmitted through a physical connection. In its simplest sense, you could think of this aspect of the Network module as akin to a packet sniffer.

When you use the Time Interval field to select a different time period, the vGW Series redraws its graphs to let you view traffic patterns that occur during that period. You might want to use this feature to compare activity during one period of time with another, to look at past behavior, or to home in on a VM to view its activity during a specific period.

For example, you could view all HTTP connections, the workstations involved in them, and how much traffic is transmitted. You could do this for a two-day period, then a week, and then longer to observe anomalies that might exist.

Detecting Unexpected and Unwanted Behavior

The Network module can reveal unwanted behavior on your network that should be prohibited or investigated further. There are many examples of the kinds of information that the Network module might reveal. For example, you might notice that:

Using the Network and Firewall Modules Together

The Network module and the Firewall module cooperate, allowing you to implement appropriate, strong security for your virtualized environment. By using the Network module to view how VMs behave in real time, you can better analyze your current security posture and observe its weaknesses.

As you begin to lock down your system through the Firewall module, the Network module becomes increasingly useful. After you use the Firewall module to refine the security policy, you can return to the Network module to determine if the change in policy produces the expected behavior.

Perhaps you still notice traffic that should not be allowed. In that case, you can return to the Firewall module, create a rule or modify an existing one, and then look at the behavioral results again in the Network module. You can go back and forth as many times as are required to put in place the desired security policy. You can continue to use the Network module and the Firewall module together to implement the security you desire as your network expands and as its security requirements change.