Ingress Source is traffic going out of VM toward VDS. Traffic seeks ingress to VDS, hense source is called Ingress. Traffic received by VM is Egress Source
Admin can chhose a VLAN to encapsulate mirrored packets by selecting Encapulations VLAN box.
Depending on traffic to be monitored, choose Ingress, Egress or Ingress/Egress. Then specify the port ID of that particular source VM. To get the port ID number of a VM, Switch to Home>Inventor>Networking view. Select vDS and choose Ports tab. Scroll down to see virtual machines and associated port ID.
One configuration both normal traffic and mirror traffic flow through same physical uplink. When network admins are concerned about impact of mirror traffic on normal traffic, they can choose a separate uplink port to send mirror traffic. Traffic destination can be any VM, Vmknic or uplink port.
Use Your IDS Appliance, presented by Kate Brew, Product Marketing Manager at Ixia NVS
VMworld Survey Results 98% thought visibility into VMware environments is critical to their success. Moving forward, 82.4% of respondents plan on using a mix of physical and virtual monitoring tools A whopping 32.4% already using vSphere Distributed Switch. Only 9.4% never plan to use it, and only 23.6% were unfamiliar with it. Only 13.5% would use a third party vTAP (when asked if they would use a virtual TAP from a third party versus the capabilities provided by VMware and Cisco to acquire information from a virtual environment for analysis with physical tools like IDS). 84.6% saw a network monitoring switch as a critical infrastructure component for virtualization. 2* Survey of over 150 people at Ixia booth at VMworld 2012
Best Practices With virtualization vendor capabilities, you can monitor virtualized environment with existing IDS appliance • No need for vTAP • “Sanctioned” visibility = cooperation from virtualization team Network monitoring switch can be valuable part of security architecture • IDS isn’t the only tool vying for access • You have both physical & virtual to worry about 3
How Security Tools get Physical Network Data Network TAPs • Device on network that passes a copy of every packet to tool • Typical use: between Firewall & internal network SPAN or Mirror ports • Cisco term: Switched Port Analyzer • Way to access data by mirroring packets in/out of port to tool 4
Increased Demand for Packet-Based Monitoring Tools EMA Research: Not Just IDS Vying for Visibility DemandTroubleshooting / Packet Analyzers (e.g. 67% packet “sniffers” or other analyzers) 61% Intrusion Detection / Prevention 56% 57% Data Loss Prevention* 56% Application Performance Monitor 42% 42% Data Recorder 42% 24% Compliance 42% 26% VoIP / Unified Communications / Video 40% analyzers 29% 0% 20% 40% 60% 80% Feb 2012 Dec 2009Source: EMA, Sample Size = 91, 139
Network Security Monitoring Problems No visibility into virtualized environments Too many network segments & not enough visibility I can’t assess problems fast enough Incidents happen off hours (or when I’m trying to sleep!) Change Board required for any required monitoring changes! I’m stuck trying to monitor a 10 / 40G network with 1 / 10G tools! Tools are lagging! Lousy duplicate packets
Your Network BEFORE Network Monitoring Switch COMPLIANCE MANAGEMENT TOOLNETWORK ANALYZER Limited VisibilityCrash Cart Technology IDS Minimal IT Data Security IPS Underutilized NETWORK DATA RECORDER Overloaded
Your Network AFTER Network Monitoring Switch COMPLIANCE MANAGEMENT TOOL IDS IPS NETWORK DATA RECORDER NETWORK ANALYZER
Recommendations VMware and other vendors VM-to-VM visibility best provided by those with existing infrastructure • VMware trusted server resource • Cisco trusted networking resource • Both well known to server and network admins Network Monitoring Switch provides advanced functionality… • Line-rate Packet De-duplication De-dup redundant packets created by VDS, 1000v or vTAP • Traditional packet shaping and conditioning • Traditional intelligent routing capabilitiesVirtualization Vendor Recommended ApproachVMware VMware vSphere Distributed Switch (VDS)Citrix Open vSwitch with port mirroring, which is integrated with XenServer*Microsoft NI vTAP. Hyper-V R2 SP1 has no port mirroringRed Hat NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroringNetworking Vendor Recommended ApproachCisco Cisco Nexus 1000V Series Switches (VMware only) or Recommended Approach for Virtualization VendorIBM IBM Dist. Virtual Switch 5000V (VMware only) or Recommended Approach for Virtualization VendorExtreme Networks Use Recommended Approach for Virtualization VendorHP Use Recommended Approach for Virtualization VendorJuniper Use Recommended Approach for Virtualization VendorBrocade Use Recommended Approach for Virtualization VendorDell Use Recommended Approach for Virtualization Vendor
Vsphere 5.x VDS enhancments VMworld 2011, VMware announced enhancements to the vSphere Distributed Switch – Port Mirroring = capability to send copy of network packets to monitoring tool • Overcomes limitation of promiscuous mode Granular control on which traffic monitored • Ingress Source • Egress Source • Helps troubleshooting by providing visibility: Inter VM traffic Intra VM traffic10