PacketMotion Extends Activity Monitoring To VMware Environments

Enterprises will be able to monitor activity within VMware environments with the release of PacketMotion's PacketSentry Virtual Probe, a virtual machine version of its security appliance. Like the physical appliance, Virtual Probe collects and analyzes network traffic for anomalous user behavior and enforces corporate policy for security and regulatory compliance.

April 18, 2011



"We're 80 percent virtualized, and we're now monitoring things we couldn't see before," says Andrew Gahm, systems and security engineer at South Jersey Healthcare. "We can collect data we never could have because it never touches a wire."

Both the physical appliances, which sit on a span port off a network, and the virtual probes, which are installed as a VM on a host server, filter, record and analyze packets based on enterprise preferences, as well as on predefined and customizable rules. Both are managed through a common console, PacketSentry Manager, for security monitoring in hybrid data centers.

Security and compliance efforts can be compromised by the lack of visibility into virtual networks, as organizations are unable to detect suspicious activity on and between critical application servers and databases. Privileged user responsibility and separation of duties can break down as administrators assume responsibility for physical hosts, rather than particular server groups. The dynamic nature of virtualization--in which servers are quickly created, taken down and moved--further complicates administration and policy enforcement.

PacketMotion calls PacketSentry a user activity management (UAM) product, identifying primary use cases as:

  • Compliance and internal audit controls for databases, applications and file shares;

  • Data protection through access control and monitoring around sensitive data; and

  • High-risk user management, including privileged users, VPN users, partners and contractors

The new product extends these use cases to virtualization and enables organizations to track location and usage of virtual assets. Because it can see and analyze all network traffic chosen by the enterprise, PacketSentry is a valuable tool for identifying and isolating security events for rapid incident response. It is, in fact, the primary use case at South Jersey Healthcare, where Gahm's staff was using it to locate and contain a worm infecting one of his PCs when Network Computing called to interview him.

"Anti-virus software would clean it, but not tell us who put it there," he said. "We ran a report that told us who was infected, who it was, the IP address, who logged in, and went out and shut it down immediately." The benefit, he adds, comes in responding in minutes as opposed to hours spent troubleshooting, and being alerted quickly. "A lot of times we had to wait for a user to tell us there was a problem. By that time, several other computers could be infected."

Virtual Probe supports VMware vSphere version 4.0 and greater and ESX version 3.5 and greater. It will also support other hypervisors in future releases. It is priced at $4,995 for a five-pack of monitored VMs and $21,995 for a 25-pack.
