This document discusses using an IDS appliance to monitor virtualized environments. It summarizes a survey of over 150 VMworld attendees which found that 98% saw visibility into VMware environments as critical, and 84.6% saw a network monitoring switch as important infrastructure for virtualization. The document recommends using virtualization vendor capabilities like VMware's vSphere Distributed Switch to monitor virtual environments with existing IDS appliances without needing third party virtual TAPs. It also discusses how a network monitoring switch can provide valuable access to both physical and virtual environments while addressing the increasing demands on packet-based security and monitoring tools.

1. How to Use Your IDS Appliance to
Monitor Virtualized Environments
Kate Brew
This material is for informational purposes only and subject to change without notice. It describes Ixia’s present plans to develop and make
available to its customers certain products, features and functionality. Ixia is only obligated to provide those deliverables specifically included in a
written agreement between Ixia and the customer. ©2012 Ixia. All rights reserved. 1

2. VMworld Survey Results
 98% thought visibility into VMware environments is critical to their success.
 Moving forward, 82.4% of respondents plan on using a mix of physical
and virtual monitoring tools
 A whopping 32.4% already using vSphere Distributed Switch. Only 9.4%
never plan to use it, and only 23.6% were unfamiliar with it.
 Only 13.5% would use a third party vTAP (when asked if they would use a
virtual TAP from a third party versus the capabilities provided by VMware
and Cisco to acquire information from a virtual environment for analysis with
physical tools like IDS).
 84.6% saw a network monitoring switch as a critical infrastructure
component for virtualization.
2
* Survey of over 150 people at Ixia booth at VMworld 2012

3. Best Practices
 With virtualization vendor
capabilities, you can monitor
virtualized environment with
existing IDS appliance
• No need for vTAP
• “Sanctioned” visibility = cooperation
from virtualization team
 Network monitoring switch can be
valuable part of security architecture
• IDS isn’t the only tool vying for access
• You have both physical & virtual to
worry about
3

4. How Security Tools get Physical Network Data
 Network TAPs
• Device on network that
passes a copy of every
packet to tool
• Typical use: between Firewall
& internal network
 SPAN or Mirror ports
• Cisco term: Switched Port
Analyzer
• Way to access data by
mirroring packets in/out of
port to tool
4

5. Increased Demand for Packet-Based Monitoring Tools
EMA Research: Not Just IDS Vying for Visibility
Demand
Troubleshooting / Packet Analyzers (e.g. 67%
packet “sniffers” or other analyzers) 61%
Intrusion Detection / Prevention 56%
57%
Data Loss Prevention* 56%
Application Performance Monitor 42%
42%
Data Recorder 42%
24%
Compliance 42%
26%
VoIP / Unified Communications / Video 40%
analyzers 29%
0% 20% 40% 60% 80%
Feb 2012 Dec 2009
Source: EMA, Sample Size = 91, 139

6. Network Security Monitoring Problems
 No visibility into virtualized environments
 Too many network segments & not
enough visibility
 I can’t assess problems fast enough
 Incidents happen off hours (or when
I’m trying to sleep!)
 Change Board required for any required monitoring changes!
 I’m stuck trying to monitor a 10 / 40G network with 1 / 10G
tools! Tools are lagging!
 Lousy duplicate packets

7. Your Network BEFORE Network Monitoring Switch
COMPLIANCE MANAGEMENT TOOL
NETWORK ANALYZER Limited Visibility
Crash Cart Technology
IDS
Minimal IT Data Security
IPS
Underutilized
NETWORK DATA RECORDER
Overloaded

8. Your Network AFTER Network Monitoring Switch
COMPLIANCE MANAGEMENT TOOL
IDS
IPS
NETWORK DATA RECORDER
NETWORK ANALYZER

9. Recommendations
VMware and other vendors
 VM-to-VM visibility best provided by those with
existing infrastructure
• VMware trusted server resource
• Cisco trusted networking resource
• Both well known to server and network admins
 Network Monitoring Switch provides advanced
functionality…
• Line-rate Packet De-duplication
 De-dup redundant packets created by VDS, 1000v or vTAP
• Traditional packet shaping and conditioning
• Traditional intelligent routing capabilities
Virtualization Vendor Recommended Approach
VMware VMware vSphere Distributed Switch (VDS)
Citrix Open vSwitch with port mirroring, which is integrated with XenServer*
Microsoft NI vTAP. Hyper-V R2 SP1 has no port mirroring
Red Hat NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroring
Networking Vendor Recommended Approach
Cisco Cisco Nexus 1000V Series Switches (VMware only) or Recommended Approach for Virtualization
Vendor
IBM IBM Dist. Virtual Switch 5000V (VMware only) or Recommended Approach for Virtualization Vendor
Extreme Networks Use Recommended Approach for Virtualization Vendor
HP Use Recommended Approach for Virtualization Vendor
Juniper Use Recommended Approach for Virtualization Vendor
Brocade Use Recommended Approach for Virtualization Vendor
Dell Use Recommended Approach for Virtualization Vendor

10. Vsphere 5.x VDS enhancments
 VMworld 2011, VMware announced
enhancements to the vSphere Distributed
Switch – Port Mirroring = capability to send
copy of network packets to monitoring tool
• Overcomes limitation of promiscuous mode
 Granular control on which traffic monitored
• Ingress Source
• Egress Source
• Helps troubleshooting by providing visibility:
 Inter VM traffic
 Intra VM traffic
10

11. How it works with VMware
11

12. VMware example
• Vsphere Distributed Switch can port mirror to VM or physical
switch

13. Setting up Port Mirroring Session in VMware
13

14. Specify Destinations
14

15. Port Mirroring
15

16. Network Monitoring Switch Control Panel
16

17. Vsphere Distributed Switch
Create port in Network Monitoring Switch
17

18. Set Filter Criteria
18

19. De-Duplicate Packets
19

20. Port mirroring on VDS Creates Duplicate Packets –
BEFORE
VM1 VMn
vNIC1 vNICn
VDS
pNIC
VM to Network
VM to VM
Tool Tool gets dup of VM to VM traffic
Inter-VM Broadcast would create many copies!
20

21. Port mirroring on VDS Creates Duplicate Packets –
AFTER
VM1 VMn
vNIC1 vNICn
vSwitch
pNIC
VM to Network
VM to VM
Tool gets correct VM to VM traffic
Tool
21

22. Bridging the Gap
Motivated by increasing visibility needs
Trustwave
IDS / IPS StillSecure
Counter Snipe
Network
Monitoring SIEM LogRhythm
Switch
Production
McAfee BlueCoat
Network
DLP EMC-RSA Intrusion Inc.
WebSense Trustwave
Cisco
Juniper Compuware
APM Endace
Dell
HP Corvil
Exfo
Brocade NW Analyzers Wireshark
LogRhythm
SS8
NW Forensics Netwitness
Niksun
Imperva
Web Security Fortinet
McAfee
22
Automation integration with NMS/SIEM providers (Tivoli, CA, HP ArcSight)

23. Network Monitoring Switch
Intelligent Traffic Distribution
IT Needs
Physical Problem: Limited number of VDS, SPANs &
TAPs & many tools needing data
Adaptive
Response
Increasing Customer Needs
Benefits
 Control access to network ports, tool ports & filters
 Tools receive data from multiple network access points
Packet
Conditioning  Monitor 10 / 40G network with 1 /10G tools
Features
 Packet aggregation for SPAN/TAP shortage
Intelligent
 Packet routing to the appropriate tools
Traffic
Distribution
23

24. Network Monitoring Switch
Packet Conditioning
IT Needs
Problem: Sensitive data, protocols my tools
Adaptive can’t understand, duplicate packets caused by
Response VDS, SPANs & TAPs
Increasing Customer Needs
Benefits
 Process packets with filtering & load balancing
Packet  Improved incident response
Conditioning  Maximized monitoring tool use - exactly right data to
right tool
 Removal of sensitive data / header
Features
Intelligent
 Filtering, stripping, slicing
Traffic
Distribution  De-Duplication of replicated packets
 Load balancing across multiple tools
 Buffering bursty traffic to tools
24

25. Network Monitoring Switch
Adaptive Response
IT Needs
Problem: Need to troubleshoot network
Adaptive problems without manual intervention
Response
Increasing Customer Needs
Benefits
 Dynamically update configuration without Change
Packet Board approval & manual intervention. Improved &
Conditioning simplified troubleshooting.
Features
 Proactive monitoring (changes, bandwidth, events &
Intelligent threats)
Traffic  Adaptive incident response proactively adjusts packet
Distribution delivery to tools as needed
25

26. Granular Access Control
 Can configure to have users or groups can
have access to:
• Network Ports
• Monitoring and Analysis Tools
• Dynamic Filters
 TACACS+, RADIUS
26

27. Enterprise Reference Architectures
VMware
Branch offices
Branch1
Tool1
Branch2
TAP NTO Tool2
Tooln
Branch3
Nexus ToR Multiple datacenters
5K
Tool1 Tool1 Tool1
NTO NTO
TAP NTO Tool2 Tool2 Tool2
Tooln Tooln NTO Tooln
Nexus 2K
20G link – aggregated
Rack NTO
Server 1 Tool1
Server 2
Tool1 NTO NTO Tool2
Server 3 Tool2 27Tooln
Tooln

28. DEMO of How Easy Visibility Can Be
28