Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2395
Views
5
Helpful
3
Replies

IDS in a Virtualized Environment

Go to solution
lamav
Level 8
Level 8

‎07-07-2011 06:03 AM - edited ‎03-10-2019 05:24 AM

Can anyone elaborate on an IDS solution for a virtualized environment?

I  have blade servers running ESX/ESXi - heavily virtualized environment.  Im using blade switches as chassis I/O - no pass throughs.

The  requirement is to run an IDS service such that VM-to-VM traffic is  monitored. The traffic flow can be between two VMs on the same blade, 2  VMs on two separate blades in the same chassis, or two VMs on two  separate chasses...

In that case, I see 3 traffic flows off the bat...

same blade: vm-to-vm traffic is switched by a hypervisor switch (1000v or vmware vDS).

different blades in same chassis: vm-to-vm traffic will leave blade and be switched by chassis hardware switch (chassis I/O blade).

different chassis: vm-to-vm traffic will have to go to ToR (maybe even end-of-row).

NOTE: if VMs are on different VLANs, traffic will always go to end-of-row/agg switches (the L3/L2 boundary).

So  given all those possible flows, what is the best way to go about  deploying an IDS service? Placement? Virtual or physical? etc....

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rhermes
Level 7
Level 7
In response to lamav

‎07-08-2011 12:34 PM

You're right, dragging the vm to vm traffic out of the box for IPS inspection and then stuffing it back in will be a bandwidth bottleneck. I doubt that it would cost you more CPU to move those bits aournd than to run an IPS Sensor inside the box (ala Sourcefire).

To minimize the bandwidth bottleneck you can add Ethernet interface(s) to your ESXi server and even bundle several togther if you need more bandwidth than a single pair can provide.

- Bob

View solution in original post

0 Helpful
3 Replies 3

Go to solution
rhermes
Level 7
Level 7

‎07-07-2011 08:36 AM

Since you're asking this question in a Cisco forum, I assume you are looking for a Cisco type answer.

Cisco does not have any VM based sensors (unlike Sourcefire, and maybe some other vendors).

It appears that you can not configure a virtual switch to span traffic externally. However you CAN set up a VMware host to promiscuously receive a copy of all traffic on the vswitch.

I read about this solution that might help, but I've never tired it:

“The Solera V2P Tap is a VMware™ virtual appliance that passively  captures network traffic flowing through an ESX Server virtual switch.  The Solera V2P Tap then regenerates that traffic to any physical port,  and then onto the physical wire, for complete visibility into the  traffic and analysis by any existing security or management tool for  in-depth monitoring or analysis.”

http://www.soleranetworks.com/products/datasheets/datasheetV2Ptap_web.pdf

- Bob

Go to solution
lamav
Level 8
Level 8
In response to rhermes

‎07-07-2011 08:35 PM

Bob, thank you for your answer and the link. I read it. Good stuff.

Some things come to mind wrt the solera networking solution.

I like the idea of forwarding all traffic from the vIDS appliance in each ESX host to the physical network's IDS appliance, but that means vm-to-vm traffic will be replicated and forwarded to the phsyical network, thereby using network bandwidth. So you would probably have to send all the vIDS traffic out of the ESX host through a separate NIC to, say, an OOB network.

Theres also the load the vIDS puts on the CPU....

Thoughts?

0 Helpful

Go to solution
rhermes
Level 7
Level 7
In response to lamav

‎07-08-2011 12:34 PM

You're right, dragging the vm to vm traffic out of the box for IPS inspection and then stuffing it back in will be a bandwidth bottleneck. I doubt that it would cost you more CPU to move those bits aournd than to run an IPS Sensor inside the box (ala Sourcefire).

To minimize the bandwidth bottleneck you can add Ethernet interface(s) to your ESXi server and even bundle several togther if you need more bandwidth than a single pair can provide.

- Bob

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card