Azure Virtual Tapping

Streamline Traffic Mirroring in the Cloud with Azure Virtual Network Terminal Access Point (TAP) and Keysight Visibility 

With the massive growth of cloud and hybrid workloads, building a scalable, extendable visibility layer becomes an absolute necessity for enhancing performance and security. Real-time insight into virtual machine (VM) traffic across virtual environments promotes scale as deployments expand.

Read on to see how Microsoft Azure Virtual Network Terminal Access Point (TAP) works with Keysight network visibility solutions to deliver complete, actionable insight into what’s happening everywhere in your hybrid network environment.

When, where and why traffic mirroring matters

Virtual traffic mirroring is when virtual network TAPs are used to send copies of network packets from virtual environments to out-of-band security and performance monitoring tools – such as solutions from Forescout, RSA, ExtraHop, Riverbed, Darktrace – for analysis. However, with the complexity of hybrid environments, a visibility layer is needed to aggregate and process the tapped traffic and deliver the exact right data to each analysis tool to optimize investments in monitoring and detection.

Microsoft virtual TAPs provide complete, native access across Azure environments to improve threat hunting and detection, triage and investigation, and other vital network and security operations.

Why you need a Keysight Visibility layer

Azure virtual network TAP mirroring provides an agentless option for mirroring VM interface traffic to route it to analysis tools for further deep packet inspection (DPI) or evaluation. A Keysight visibility infrastructure receives and optimizes that traffic, natively in the cloud, to equip enterprises to integrate mirrored traffic seamlessly and efficiently into network and security operations.

Keysight visibility solutions receive the raw packet data from Azure virtual network TAP and process those packets – routing, truncating or tagging them to be traceable – and most importantly, organizing and filtering data so the right data goes to the security and monitoring solution of choice. This way, packet data gets inspected efficiently, allowing for timely insights and subsequent response to any detected threats or anomalies.

Strengthen security posture and compliance

Real-time data improves monitoring and accelerates detection of threats, intrusions, and anomalies, and provides richer insights needed in forensics. Content inspection—DPI—and other analysis, enabled by visibility, helps security experts identify and block lateral movement of malware faster and protect privileged data and customer privacy in accordance with mandates and best practices.

Currently, 45% of alerts turn out to be false positives, which means organizations spend more time addressing false flags than real threats[1]. With a proper implementation to access packet data with Azure virtual network TAP, your team can streamline that data and filter it via Keysight’s Visibility Solution, and then have a solution such as Forescout’s Threat Detection and Response capabilities improve statistics and optimize reporting. The team fields fewer, statistically better alerts so they can act more quickly to prevent breaches and attacks.

Improve network and app performance

A Keysight visibility layer helps to identify the source of bottlenecks and problematic workloads as well as network topology issues. Detecting configuration issues improves troubleshooting and helps to avoid risk and inefficiencies. Simply put, the right data gets extracted and streamlined for evaluation by the right security and monitoring solutions.

Optimize operations as deployments scale

The proven interoperability of Azure virtual network TAP with Keysight virtual and traditional network packet brokers (vPBs/NPBs) delivers expanded insight throughout the lifecycle of cloud deployments:

Ease of deployment at scale as visibility identifies workloads dynamically based on qualifiers and follows Azure guidelines to auto-scale monitoring policies.

Ongoing traffic and tool optimization: Keysight Vision network packet brokers distribute data based on the needs of different target security and monitoring tools and replicate traffic to multiple tools in desired formats. Pre-processing to improve security and monitoring tool utilization includes removing redundant packets, filtering out unwanted headers, and masking sensitive data. The packet received by your security and monitoring solutions has already been stripped down to its core elements, allowing for efficiency and lower incidence of false flags.

Content-based visibility policy and tracking maintains highly available security and monitoring tool delivery paths.

Centralized visualization of state and stats for the entire visibility fabric is provided through orchestration and software as shown below. This enables clear traceability of the path of data from virtual machines to the monitoring solution.

Image above: Visibility layer automates orchestration. Based on user intent, Keysight Vision Orchestrator (KVO) automatically creates the necessary virtual network TAP mirror session from the VMs of interest and maintains a highly available traffic delivery path from the point of interest to the security and/or monitoring solution. CloudLens vPB receives and processes (optimization, replication, shaping, formatting, transforming) traffic mirrored by vTaps before delivering it to target monitoring and analysis solutions.

Image above: A typical deployment model. As shown here, Keysight Visibility Orchestrator (KVO) provides a central hub for managing virtual visibility. KVO discovers an elastic pool of Keysight CloudLens virtual packet brokers (vPBs) and manages the lifecycle, state and stats for the entire visibility fabric.

Stronger UX, security, and ROI all start with access to clean, reliable data. Keysight CloudLens virtual visibility solutions ensure organizations net the greatest value from investments in Azure virtual network TAP traffic mirroring. Keysight ensures and streamlines access to reliable data needed to keep networks and applications performing the way top-flight users need them to perform. Security leaders benefit from illuminating the blind spots threat actors use to hide within virtual environments and faster detection and response across evolving hybrid networks.

In Azure cloud deployments, you can run sensors in collector mode (as shown in customer application 1 in the deployment model diagram). CloudLens sensors in collector mode discover all the Azure virtual network TAP traffic mirroring sessions and the source attached to that target session. In collector mode, the CloudLens Sensor receives all the traffic information for the monitored instances enabled with Azure virtual network TAP and forwards it to a virtual Packet Broker (vPB) to further optimize traffic before forwarding it to tools or to a static destination for analysis.

The collector instance is transparent and does not display in CloudLens Manager. However, all the instances that are forwarding traffic through the Azure virtual network TAP towards the collector are visible in CloudLens Manager, as if they have sensors installed on them.

To function as a collector, the sensor must have the --runmode parameter set to collector.

Why Keysight with Microsoft

Microsoft and Keysight have validated the interoperability and efficiency of Azure Virtual Network TAP and Keysight’s CloudLens vPB with Keysight Vision Orchestrator – the combined solution provides seamless access to packet data and allows proper optimization for efficient evaluation by threat and detection solutions.

Keysight Test Tools and Microsoft

Keysight partners with Microsoft to enhance Azure’s performance and scalability through its traffic generators. Azure teams use these tools to showcase their platform’s capabilities, while infrastructure teams leverage them for data-driven design and engineering decisions, ensuring efficiency and reliability in new offerings. Additionally, the Azure services team relies on Keysight’s test tools for application and attack simulation, enabling rigorous internal testing and compelling customer demos that highlight Azure’s scale and effectiveness. This symbiotic collaboration not only strengthens Azure’s ability to deliver high-performing, secure, and scalable cloud solutions but also expands Keysight’s reach to new customers.

See virtual visibility in Action: Microsoft, Keysight and Forescout deliver real-time actionable insights

NetOps and SecOps teams need complete solutions. Microsoft and Keysight work with industry-leading performance and security monitoring solutions to accelerate detection, analysis, and response.

The Forescout platform features DPI with support for more than 350 standard and proprietary protocols to provide extensive visibility into complex network activity. The platform also leverages machine learning and GenAI to identify early warning signs of cyber or operational threats such as unusual behaviors, incorrect process values, unexpected changes, or unauthorized connections.

Azure virtual network TAPs access data from cloud environments that Keysight visibility solutions filter and streamline to Forescout for use in analysis. 

“Working with our partners Microsoft and Keysight, Forescout is able to provide complete visibility, control of compliance and risk, and quick response to threats as they happen as well as the ability to take real automated action to defend against attacks across IT, IoT, IoMT, and OT environments,” says Rob McNutt, Chief Strategy Officer at Forescout. “With these complete solutions, routine tasks handled by security teams can be automated which translates into orchestrated actions across customers’ security operations to drive faster, more efficient response.”

Further reading

For more information about Keysight CloudLens, visit : 

[1] https://www.forescout.com/solutions/threat-detection-and-response/#:~:text=Network%20Traffic%20Analysis%20with%20DPI,unexpected%20changes%2C%20or%20unauthorized%20connections.
