This document discusses using an IDS appliance to monitor virtualized environments. It summarizes a survey of over 150 VMworld attendees which found that 98% saw visibility into VMware environments as critical, and 84.6% saw a network monitoring switch as important infrastructure for virtualization. The document recommends using virtualization vendor capabilities like VMware's vSphere Distributed Switch to monitor virtual environments with existing IDS appliances without needing third party virtual TAPs. It also discusses how a network monitoring switch can provide valuable access to both physical and virtual environments while addressing the increasing demands on packet-based security and monitoring tools.
2. VMworld Survey Results
• 98% thought visibility into VMware environments is critical to their success.
• Moving forward, 82.4% of respondents plan on using a mix of physical and virtual monitoring tools.
• A whopping 32.4% are already using vSphere Distributed Switch. Only 9.4% never plan to use it, and only 23.6% were unfamiliar with it.
• Only 13.5% would use a third-party vTAP (when asked if they would use a virtual TAP from a third party versus the capabilities provided by VMware and Cisco to acquire information from a virtual environment for analysis with physical tools like IDS).
• 84.6% saw a network monitoring switch as a critical infrastructure component for virtualization.
* Survey of over 150 people at Ixia booth at VMworld 2012
3. Best Practices
With virtualization vendor capabilities, you can monitor a virtualized environment with an existing IDS appliance
• No need for vTAP
• “Sanctioned” visibility = cooperation from virtualization team
A network monitoring switch can be a valuable part of the security architecture
• IDS isn’t the only tool vying for access
• You have both physical & virtual to worry about
4. How Security Tools Get Physical Network Data
Network TAPs
• Device on the network that passes a copy of every packet to the tool
• Typical use: between firewall & internal network
SPAN or mirror ports
• Cisco term: Switched Port Analyzer
• Way to access data by mirroring packets in/out of a port to the tool
5. Increased Demand for Packet-Based Monitoring Tools
EMA Research: Not Just IDS Vying for Visibility
Demand (share of respondents)                                                    Feb 2012   Dec 2009
Troubleshooting / Packet Analyzers (e.g. packet “sniffers” or other analyzers)   67%        61%
Intrusion Detection / Prevention                                                 56%        57%
Data Loss Prevention*                                                            56%        n/a
Application Performance Monitor                                                  42%        42%
Data Recorder                                                                    42%        24%
Compliance                                                                       42%        26%
VoIP / Unified Communications / Video analyzers                                  40%        29%
Source: EMA, Sample Size = 91, 139
6. Network Security Monitoring Problems
• No visibility into virtualized environments
• Too many network segments & not enough visibility
• I can’t assess problems fast enough
• Incidents happen off hours (or when I’m trying to sleep!)
• Change Board required for any required monitoring changes!
• I’m stuck trying to monitor a 10 / 40G network with 1 / 10G tools! Tools are lagging!
• Lousy duplicate packets
7. Your Network BEFORE Network Monitoring Switch
[Diagram: tools attached directly to the production network – Compliance Management Tool, Network Analyzer, IDS, IPS, Network Data Recorder – with callouts: Limited Visibility, Crash Cart Technology, Minimal IT Data Security, Underutilized, Overloaded]
8. Your Network AFTER Network Monitoring Switch
[Diagram: the same tools – Compliance Management Tool, IDS, IPS, Network Data Recorder, Network Analyzer – fed through the network monitoring switch]
9. Recommendations
VMware and other vendors
VM-to-VM visibility best provided by those with existing infrastructure
• VMware trusted server resource
• Cisco trusted networking resource
• Both well known to server and network admins
Network Monitoring Switch provides advanced functionality…
• Line-rate Packet De-duplication: de-dup redundant packets created by VDS, 1000v or vTAP
• Traditional packet shaping and conditioning
• Traditional intelligent routing capabilities

Virtualization Vendor   Recommended Approach
VMware                  VMware vSphere Distributed Switch (VDS)
Citrix                  Open vSwitch with port mirroring, which is integrated with XenServer*
Microsoft               NI vTAP. Hyper-V R2 SP1 has no port mirroring
Red Hat                 NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroring

Networking Vendor       Recommended Approach
Cisco                   Cisco Nexus 1000V Series Switches (VMware only) or Recommended Approach for Virtualization Vendor
IBM                     IBM Dist. Virtual Switch 5000V (VMware only) or Recommended Approach for Virtualization Vendor
Extreme Networks        Use Recommended Approach for Virtualization Vendor
HP                      Use Recommended Approach for Virtualization Vendor
Juniper                 Use Recommended Approach for Virtualization Vendor
Brocade                 Use Recommended Approach for Virtualization Vendor
Dell                    Use Recommended Approach for Virtualization Vendor
10. vSphere 5.x VDS Enhancements
At VMworld 2011, VMware announced enhancements to the vSphere Distributed Switch – Port Mirroring = capability to send a copy of network packets to a monitoring tool
• Overcomes limitation of promiscuous mode
Granular control on which traffic is monitored
• Ingress Source
• Egress Source
• Helps troubleshooting by providing visibility:
  Inter VM traffic
  Intra VM traffic
20. Port Mirroring on VDS Creates Duplicate Packets – BEFORE
[Diagram: VM1 … VMn with vNIC1 … vNICn attached to the VDS, which connects through the pNIC to the tool; flows shown: VM to Network, VM to VM]
Tool gets dup of VM to VM traffic
Inter-VM broadcast would create many copies!
21. Port Mirroring on VDS Creates Duplicate Packets – AFTER
[Diagram: VM1 … VMn with vNIC1 … vNICn attached to the vSwitch, which connects through the pNIC to the tool; flows shown: VM to Network, VM to VM]
Tool gets correct VM to VM traffic
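As an added example (not part of the deck), the duplicate-packet problem of slides 20/21 and the de-duplication the deck asks of the monitoring switch (slides 9 and 24) simulated in Python: a mirror session that hands the tool one copy per mirrored port a frame crosses, and a hash-window de-duplicator placed in front of the tool. The port names, frame bytes and the `directions` parameter are constructed for the illustration and are not VDS API names.

```python
import hashlib
from collections import deque

BROADCAST = "broadcast"
# Constructed port inventory: three VM vNIC ports plus the physical uplink.
ALL_PORTS = ("vm1", "vm2", "vm3", "uplink")


def mirror_session(frames, mirrored_ports, directions=("ingress", "egress")):
    """Copies a VDS mirror session delivers to the tool for (src, dst, bytes) frames.

    'ingress' mirrors a frame as it leaves a mirrored VM toward the VDS;
    'egress' mirrors it as the VDS delivers it to a mirrored port.
    """
    copies = []
    for src, dst, data in frames:
        if "ingress" in directions and src in mirrored_ports:
            copies.append(("ingress", src, data))
        receivers = [p for p in ALL_PORTS if p != src] if dst == BROADCAST else [dst]
        if "egress" in directions:
            copies.extend(("egress", p, data) for p in receivers if p in mirrored_ports)
    return copies


def dedup(copies, window=16):
    """Drop a copy whose bytes hash-match one of the last `window` copies.

    A bounded window keeps genuine retransmissions far apart in time from
    being discarded along with the mirror duplicates. Returns (kept, dropped).
    """
    recent = deque(maxlen=window)
    kept, dropped = [], 0
    for tag, port, data in copies:
        digest = hashlib.sha256(data).digest()
        if digest in recent:
            dropped += 1
            continue
        recent.append(digest)
        kept.append((tag, port, data))
    return kept, dropped


# Constructed traffic: VM-to-VM, VM-to-network, network-to-VM, VM broadcast.
FRAMES = [
    ("vm1", "vm2", b"frame-A vm1->vm2"),
    ("vm1", "uplink", b"frame-B vm1->network"),
    ("uplink", "vm1", b"frame-C network->vm1"),
    ("vm1", BROADCAST, b"frame-D vm1 broadcast"),
]
VM_PORTS = {"vm1", "vm2", "vm3"}  # every VM's port is in the mirror session
```

With both directions mirrored on every VM port, the VM-to-VM frame reaches the tool twice and the broadcast three times, which `dedup` collapses back to one copy each. Mirroring ingress only avoids the duplicates but never sees the frame arriving from the uplink, so narrowing the session is not a substitute for de-duplication downstream.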
22. Bridging the Gap
Motivated by increasing visibility needs
[Diagram: the Network Monitoring Switch sits between the Production Network (Cisco, Juniper, Dell, HP, Brocade) and the monitoring tools – IDS / IPS (Trustwave, StillSecure, Counter Snipe), SIEM (LogRhythm), DLP (McAfee, BlueCoat, EMC-RSA, Intrusion Inc., WebSense, Trustwave), APM (Compuware, Endace, Corvil, Exfo), NW Analyzers (Wireshark), NW Forensics (LogRhythm, SS8, Netwitness, Niksun), Web Security (Imperva, Fortinet, McAfee)]
Automation integration with NMS/SIEM providers (Tivoli, CA, HP ArcSight)
23. Network Monitoring Switch – Intelligent Traffic Distribution
Physical Problem: Limited number of VDS, SPANs & TAPs & many tools needing data
Benefits
• Control access to network ports, tool ports & filters
• Tools receive data from multiple network access points
• Monitor 10 / 40G network with 1 / 10G tools
Features
• Packet aggregation for SPAN/TAP shortage
• Packet routing to the appropriate tools
24. Network Monitoring Switch – Packet Conditioning
Problem: Sensitive data, protocols my tools can’t understand, duplicate packets caused by VDS, SPANs & TAPs
Benefits
• Process packets with filtering & load balancing
• Improved incident response
• Maximized monitoring tool use – exactly the right data to the right tool
• Removal of sensitive data / header
Features
• Filtering, stripping, slicing
• De-duplication of replicated packets
• Load balancing across multiple tools
• Buffering bursty traffic to tools
25. Network Monitoring Switch – Adaptive Response
Problem: Need to troubleshoot network problems without manual intervention
Benefits
• Dynamically update configuration without Change Board approval & manual intervention
• Improved & simplified troubleshooting
Features
• Proactive monitoring (changes, bandwidth, events & threats)
• Adaptive incident response proactively adjusts packet delivery to tools as needed
26. Granular Access Control
Can configure which users or groups have access to:
• Network Ports
• Monitoring and Analysis Tools
• Dynamic Filters
TACACS+, RADIUS
27. Enterprise Reference Architectures
[Diagram, three deployments: (1) VMware branch offices – Branch1, Branch2, Branch3 feed a TAP and an NTO that distribute to Tool1, Tool2 … Tooln; (2) Multiple datacenters – Nexus 5K ToR and Nexus 2K feed TAPs and NTOs, each datacenter with its own Tool1, Tool2 … Tooln; (3) Rack – Server 1, Server 2, Server 3 on a 20G aggregated link into a rack NTO, distributing to Tool1, Tool2 … Tooln]
Ingress Source is traffic going out of a VM toward the VDS. The traffic seeks ingress to the VDS, hence the source is called Ingress. Traffic received by a VM is Egress Source.
The admin can choose a VLAN to encapsulate mirrored packets by selecting the Encapsulation VLAN box.
Depending on the traffic to be monitored, choose Ingress, Egress or Ingress/Egress. Then specify the port ID of that particular source VM. To get the port ID number of a VM, switch to the Home > Inventory > Networking view. Select the vDS and choose the Ports tab. Scroll down to see the virtual machines and their associated port IDs.
In one configuration, both normal traffic and mirror traffic flow through the same physical uplink. When network admins are concerned about the impact of mirror traffic on normal traffic, they can choose a separate uplink port to send the mirror traffic. The traffic destination can be any VM, vmknic or uplink port.