In one of the previous blog posts from the load balancing education series, we discussed the Edge Security Pack functionality to provide an additional layer of security in front of an application workload to ensure that only properly authenticated users can interact with the application.
In this role, the LoadMaster acts as a gateway for the application and handles user authentication through a third-party identity provider such as Microsoft Active Directory. At the same time, the LoadMaster exports Network Telemetry to Flowmon Collector to enable an analysis of the application workloads, bandwidth utilization and performance metrics.
As the LoadMaster is responsible for user authentication, it also understands the user identity and can provide authentication logs to Flowmon Collector over syslog, which then correlates the network traffic with user identity and provides full user identity awareness on network telemetry related to application workloads.
In this way, you can pair specific users with the corresponding network traffic and application transactions when investigating performance issues, providing reports or performing root cause analysis. User identity is an integral part of the traffic statistics, available for filtering, querying the data or being embedded into reports such as the following example.
Figure 1: Users “kuba” (IP 10.10.9.20) and “pavel” (192.168.70.1) interacting with an application workload hosted on virtual IP 192.168.60.116.
But first things first. Let’s take a look at how to configure a LoadMaster and Flowmon in order to seamlessly work on providing user identity awareness. You need to enable the ESP on top of the application workflow so the LoadMaster will authenticate users and is able to provide authentication logs. For more details on what the ESP is and how to use it, please refer to online documentation.
The essential LoadMaster–Flowmon integration piece is the log created by the ESP when a user is authenticated by the LoadMaster to access the application workload. More details on ESP logs can be found in the online documentation. Make sure that ESP logs are enabled in the configuration of the corresponding virtual service.
Next, you need to configure the LoadMaster to export ESP logs to an external system over syslog instead of logging them locally.
Figure 2: ESP enabled and properly configured including ESP logging
Figure 3: Local ESP logs disabled
Figure 4: Flowmon Collector using IP address 192.168.60.115 configured as syslog export target from LoadMaster
On the Flowmon side, you need to enable the built-in syslog server and configure the LoadMaster as an authorized source of syslog messages.
Next step is to turn on the User Identity Awareness feature that is based on parsing syslog messages from authentication services that provide user identity with an IP address as part of the message, which is exactly what LoadMaster does. Parsing rules are required to understand log messages from specific sources. The login parsing rule is mandatory; the logout parsing rule is optional and helps to release the IP address to user identity mapping.
Figure 5: Syslog server enabled with external syslog delivery from LoadMaster running on IP address 192.168.60.55. Parsing of the user identity information from syslog messages enabled and parsing rules for login and logoff messages produced by LoadMaster configured.
Flowmon is continuously building and updating the database of user to IP address mapping and performing a data enrichment process. For each flow record received, Flowmon looks for a user ID related to the source IP address and destination IP address and stores that information as part of the flow record. In this way, this information becomes an integral part of the network telemetry database for further processing, data visualization, analysis and reporting or event details in the Flowmon Anomaly Detection System.
The following parsing rules apply for LoadMaster ESP logs:
- Login message -
@ESTRING::User @@ESTRING:USERNAME: logged on from @@ESTRING:ASSIGNED_IP:@
- Logout message -
@ESTRING::[email protected]@ESTRING::\@@ESTRING:USERNAME: @@ESTRING::Deleted expired user [email protected]
Figure 6: Application requests for user “pavel” presented with network performance metrics (round trip time aka network delay and server response time aka application delay). User identity is part of the individual flow records.
User Identity Awareness is a useful feature that will provide additional insight into network traffic as well as valuable user identity context.
LoadMaster with ESP can provide this valuable information in the form of syslog messages to Flowmon, same as any other identity management system. However, Flowmon can also process and combine the user identity information from various sources in a single system. It is just a matter of parsing rules to extract user identity from specific message format. The rest works out for the box.