Archive for December, 2006


In a recent edition of the INFOWORLD VIRTUALIZATION REPORT there is some news about a new way to manage VMware.

As reported by this story:

Hyperic Inc. is making available its virtualization management solution Hyperic HQ for VMware. According to the company, the solution will enable data centers to consolidate complete discovery, monitoring, analysis and control of all application, system and network assets, both inside and outside of the virtual machines powered by VMware.

A big industry concern right now is how to manage or monitor the data center environment once virtualization is added into the mix. Industry watchers like Andi Mann, EMA Senior Analyst for Systems Management, explain, “Virtualization magnifies management complexity by consolidating physical servers into multiple virtualized ones, each physical and virtual server with their own OS, configuration, applications. This means that what used to be maybe ten unique server environments can now become hundreds very quickly. A holistic approach to the manageability of all the various IT assets from applications to systems to networks becomes essential.”

Hyperic says that its HQ for VMware solution dramatically extends the capabilities to manage and analyze the full virtual stack, including the operating systems and applications running within the virtual machine, which also complements VMware’s own management solution, VirtualCenter.

See the Hyperic product here.


I came across a very interesting abstract for an IEEE Paper published by SprintLabs, called “Impact of Packet Sampling on Portscan Detection”.


Abstract—Packet sampling is commonly deployed in high-speed backbone routers to minimize resources used for network monitoring. It is known that packet sampling distorts traffic statistics and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of non-volume based anomalies, portscans, which are associated with worm/virus propagation.

Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely (a) TRWSYN that performs stateful traffic analysis, (b) TAPS that tracks connection pattern of scanners, and (c) Entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider’s backbone network. Our results demonstrate that sampling introduces fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives.

Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling.



As reported in IT Week, IBM is to acquire network performance monitoring and service management firm Vallent for an undisclosed sum.

Wireless service providers use Vallent apps to monitor network infrastructure, to get advanced warnings of dropped calls and traffic bottlenecks before customer service level agreements are breached.

IBM bought network monitoring firm MicroMuse in February, and plans to deliver a single management and performance platform for fixed-line, wireless, IP and converged fixed/mobile infrastructures.
