Use Your IDS Appliance, presented by Kate Brew, Product Marketing Manager at Ixia NVS
Kate Brew, Product Marketing Manager at Ixia NVS - a leader in network visibility solutions, presented "How to Use Your IDS Appliance to Monitor Virtualized Environments".

  • Ingress Source is traffic going out of the VM toward the VDS: the traffic is seeking ingress to the VDS, hence the source is called Ingress. Traffic received by the VM is an Egress Source.
  • The admin can choose a VLAN to encapsulate mirrored packets by selecting the Encapsulation VLAN box.
  • Depending on the traffic to be monitored, choose Ingress, Egress or Ingress/Egress, then specify the port ID of that particular source VM. To get the port ID number of a VM, switch to the Home > Inventory > Networking view, select the vDS and choose the Ports tab. Scroll down to see the virtual machines and their associated port IDs.
  • In one configuration, both normal traffic and mirror traffic flow through the same physical uplink. When network admins are concerned about the impact of mirror traffic on normal traffic, they can choose a separate uplink port to send the mirror traffic. The traffic destination can be any VM, VMkernel NIC (vmknic) or uplink port.

    1. How to Use Your IDS Appliance to Monitor Virtualized Environments. Kate Brew. This material is for informational purposes only and subject to change without notice. It describes Ixia's present plans to develop and make available to its customers certain products, features and functionality. Ixia is only obligated to provide those deliverables specifically included in a written agreement between Ixia and the customer. ©2012 Ixia. All rights reserved.
    2. VMworld Survey Results (survey of over 150 people at the Ixia booth at VMworld 2012)
       • 98% thought visibility into VMware environments is critical to their success.
       • Moving forward, 82.4% of respondents plan on using a mix of physical and virtual monitoring tools.
       • A whopping 32.4% are already using vSphere Distributed Switch. Only 9.4% never plan to use it, and only 23.6% were unfamiliar with it.
       • Only 13.5% would use a third-party vTAP (when asked whether they would use a virtual TAP from a third party versus the capabilities provided by VMware and Cisco to acquire information from a virtual environment for analysis with physical tools like IDS).
       • 84.6% saw a network monitoring switch as a critical infrastructure component for virtualization.
    3. Best Practices
       • With virtualization vendor capabilities, you can monitor a virtualized environment with your existing IDS appliance: no need for a vTAP, and "sanctioned" visibility means cooperation from the virtualization team.
       • A network monitoring switch can be a valuable part of the security architecture: IDS isn't the only tool vying for access, and you have both physical and virtual traffic to worry about.
    4. How Security Tools Get Physical Network Data
       • Network TAPs: a device on the network that passes a copy of every packet to the tool. Typical use: between the firewall and the internal network.
       • SPAN or mirror ports (Cisco term: Switched Port Analyzer): a way to access data by mirroring packets in/out of a port to the tool.
    5. Increased Demand for Packet-Based Monitoring Tools. EMA research: not just IDS is vying for visibility. Share of respondents demanding each tool type (source: EMA; sample sizes 91 and 139):
       Tool type                                                   | Feb 2012 | Dec 2009
       Troubleshooting / packet analyzers (e.g. packet "sniffers") | 67%      | 61%
       Intrusion detection / prevention                            | 56%      | 57%
       Data loss prevention*                                       | 56%      | n/a
       Application performance monitor                             | 42%      | 42%
       Data recorder                                               | 42%      | 24%
       Compliance                                                  | 42%      | 26%
       VoIP / unified communications / video analyzers             | 40%      | 29%
    6. Network Security Monitoring Problems
       • No visibility into virtualized environments
       • Too many network segments and not enough visibility
       • I can't assess problems fast enough
       • Incidents happen off hours (or when I'm trying to sleep!)
       • Change Board required for any required monitoring changes!
       • I'm stuck trying to monitor a 10 / 40G network with 1 / 10G tools!
       • Tools are lagging!
       • Lousy duplicate packets
    7. Your Network BEFORE a Network Monitoring Switch. [Diagram: tools shown are a compliance management tool, network analyzer, IDS, security IPS and network data recorder; problems labelled are limited visibility, crash cart technology, minimal IT data, underutilized and overloaded.]
    9. Recommendations: VMware and other vendors. VM-to-VM visibility is best provided by those with existing infrastructure: VMware is the trusted server resource, Cisco the trusted networking resource, and both are well known to server and network admins. A network monitoring switch provides advanced functionality: line-rate packet de-duplication (de-dup of redundant packets created by VDS, 1000V or vTAP), traditional packet shaping and conditioning, and traditional intelligent routing capabilities.
       Virtualization vendor | Recommended approach
       VMware                | VMware vSphere Distributed Switch (VDS)
       Citrix                | Open vSwitch with port mirroring, which is integrated with XenServer*
       Microsoft             | NI vTAP. Hyper-V R2 SP1 has no port mirroring
       Red Hat               | NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroring
       Networking vendor     | Recommended approach
       Cisco                 | Cisco Nexus 1000V Series Switches (VMware only), or the recommended approach for the virtualization vendor
       IBM                   | IBM Distributed Virtual Switch 5000V (VMware only), or the recommended approach for the virtualization vendor
       Extreme Networks      | Use the recommended approach for the virtualization vendor
       HP                    | Use the recommended approach for the virtualization vendor
       Juniper               | Use the recommended approach for the virtualization vendor
       Brocade               | Use the recommended approach for the virtualization vendor
       Dell                  | Use the recommended approach for the virtualization vendor
    10. vSphere 5.x VDS Enhancements. At VMworld 2011, VMware announced enhancements to the vSphere Distributed Switch: port mirroring, the capability to send a copy of network packets to a monitoring tool.
       • Overcomes the limitation of promiscuous mode: granular control over which traffic is monitored (Ingress Source, Egress Source).
       • Helps troubleshooting by providing visibility into inter-VM and intra-VM traffic.
    11. How It Works with VMware
    12. VMware Example: the vSphere Distributed Switch can port mirror to a VM or a physical switch.
    13. Setting Up a Port Mirroring Session in VMware
    14. Specify Destinations
    15. Port Mirroring
    16. Network Monitoring Switch Control Panel
    17. vSphere Distributed Switch: Create Port in Network Monitoring Switch
    18. Set Filter Criteria
    19. De-Duplicate Packets
    20. Port Mirroring on VDS Creates Duplicate Packets - BEFORE. [Diagram: VM1..VMn with vNIC1..vNICn on the VDS, a pNIC to the network, and the tool. VM-to-network and VM-to-VM flows are both mirrored; the tool gets a duplicate of VM-to-VM traffic, and an inter-VM broadcast would create many copies!]
    21. Port Mirroring on VDS Creates Duplicate Packets - AFTER. [Diagram: the same VM1..VMn, vNIC1..vNICn, vSwitch and pNIC; with de-duplication the tool gets the correct VM-to-VM traffic.]
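To make the duplicate problem on slides 20 and 21 concrete, here is an added Python example (not from the presentation or from Ixia) that models a VDS mirror session with Ingress and Egress sources on every vNIC, as the speaker notes describe, and then applies the content-hash-within-a-time-window de-duplication that a network monitoring switch performs; VM names, port IDs and frames are constructed.

```python
import hashlib
from collections import deque

# Constructed model of a VDS port-mirroring session: each vNIC port in
# MIRRORED_PORTS is a source for both Ingress (frames the VM sends into the
# VDS) and Egress (frames the VDS delivers to the VM). Names are made up.
VM_PORTS = {"vm1": "vnic1", "vm2": "vnic2", "vm3": "vnic3"}
MIRRORED_PORTS = set(VM_PORTS.values())

def mirror_session(frames, mirrored_ports=MIRRORED_PORTS):
    """Copies the tool receives for (timestamp_us, src_vm, dst_vm, payload)
    frames; dst "network" leaves via the pNIC, "broadcast" hits every VM."""
    copies = []
    for ts, src, dst, payload in frames:
        if VM_PORTS[src] in mirrored_ports:            # Ingress copy at sender
            copies.append((ts, src, dst, payload))
        if dst == "broadcast":
            receivers = [v for v in VM_PORTS if v != src]
        elif dst == "network":
            receivers = []
        else:
            receivers = [dst]
        for r in receivers:                            # Egress copy per receiver
            if VM_PORTS[r] in mirrored_ports:
                copies.append((ts, src, dst, payload))
    return copies

def deduplicate(copies, window_us=1000):
    """Drop a copy whose content hash was kept within window_us. Keying on
    content, not source port, lets a later genuine retransmission through."""
    recent = deque()     # (ts, digest) of kept packets, oldest first
    seen = {}            # digest -> ts of the kept packet
    unique = []
    for ts, src, dst, payload in copies:
        digest = hashlib.sha256(f"{src}|{dst}|{payload}".encode()).digest()
        while recent and ts - recent[0][0] > window_us:   # expire old entries
            seen.pop(recent.popleft()[1], None)
        if digest in seen:
            continue
        seen[digest] = ts
        recent.append((ts, digest))
        unique.append((ts, src, dst, payload))
    return unique

SAMPLE = [  # constructed frames: (microseconds, src, dst, payload)
    (0, "vm1", "network", "GET /"),                      # 1 mirrored copy
    (10, "vm1", "vm2", "SYN"),                           # 2 copies
    (20, "vm1", "broadcast", "ARP who-has 10.0.0.2"),    # 3 copies
]
```

Production de-duplicators hash the raw frame bytes and mask fields that legitimately differ between copies of one packet (such as the IP TTL after a routing hop), a refinement this example leaves out.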
    22. Bridging the Gap, motivated by increasing visibility needs. [Logo diagram: the network monitoring switch sits between the production network vendors (Cisco, Juniper, Dell, HP, Brocade) and tool vendors across IDS/IPS, SIEM, network DLP, APM, network analyzers, network forensics and web security: Trustwave, StillSecure, Counter Snipe, LogRhythm, McAfee, BlueCoat, EMC-RSA, Intrusion Inc., WebSense, Compuware, Endace, Corvil, Exfo, Wireshark, SS8, Netwitness, Niksun, Imperva, Fortinet.] Automation integration with NMS/SIEM providers (Tivoli, CA, HP ArcSight).
    23. Network Monitoring Switch: Intelligent Traffic Distribution
       • Problem: a limited number of VDS, SPANs and TAPs, and many tools needing data.
       • Benefits: control access to network ports, tool ports and filters; tools receive data from multiple network access points; monitor a 10 / 40G network with 1 / 10G tools.
       • Features: packet aggregation for SPAN/TAP shortage; packet routing to the appropriate tools.
    24. Network Monitoring Switch: Packet Conditioning
       • Problem: sensitive data, protocols my tools can't understand, and duplicate packets caused by VDS, SPANs and TAPs.
       • Benefits: process packets with filtering and load balancing; improved incident response; maximized monitoring tool use, with exactly the right data going to the right tool; removal of sensitive data / headers.
       • Features: filtering, stripping and slicing; de-duplication of replicated packets; load balancing across multiple tools; buffering bursty traffic to tools.
    25. Network Monitoring Switch: Adaptive Response
       • Problem: need to troubleshoot network problems without manual intervention.
       • Benefits: dynamically update configuration without Change Board approval or manual intervention; improved and simplified troubleshooting.
       • Features: proactive monitoring (changes, bandwidth, events and threats); adaptive incident response proactively adjusts packet delivery to tools as needed.
    26. Granular Access Control. Users or groups can be configured to have access to: network ports; monitoring and analysis tools; dynamic filters. Authentication via TACACS+ or RADIUS.
    27. Enterprise Reference Architectures. [Diagram: VMware hosts with TAPs feeding NTOs (network monitoring switches) and tools Tool1..Tooln in three deployments: branch offices (Branch1..Branch3), multiple datacenters with Nexus 5K top-of-rack and Nexus 2K switches and a 20G aggregated link, and a single rack (Server 1..Server 3).]
    28. DEMO of How Easy Visibility Can Be