SlideShare a Scribd company logo
How to Use Your IDS Appliance to
    Monitor Virtualized Environments
                                                                  Kate Brew



This material is for informational purposes only and subject to change without notice. It describes Ixia’s present plans to develop and make
available to its customers certain products, features and functionality. Ixia is only obligated to provide those deliverables specifically included in a
written agreement between Ixia and the customer. ©2012 Ixia. All rights reserved.                                                                          1
VMworld Survey Results




   98% thought visibility into VMware environments is critical to their success.
   Moving forward, 82.4% of respondents plan on using a mix of physical
    and virtual monitoring tools
   A whopping 32.4% already using vSphere Distributed Switch. Only 9.4%
    never plan to use it, and only 23.6% were unfamiliar with it.
   Only 13.5% would use a third party vTAP (when asked if they would use a
    virtual TAP from a third party versus the capabilities provided by VMware
    and Cisco to acquire information from a virtual environment for analysis with
    physical tools like IDS).
   84.6% saw a network monitoring switch as a critical infrastructure
    component for virtualization.


                                                                                    2
* Survey of over 150 people at Ixia booth at VMworld 2012
Best Practices

 With virtualization vendor
  capabilities, you can monitor
  virtualized environment with
  existing IDS appliance
  • No need for vTAP
  • “Sanctioned” visibility = cooperation
    from virtualization team
 Network monitoring switch can be
  valuable part of security architecture
  • IDS isn’t the only tool vying for access
  • You have both physical & virtual to
    worry about
                                                            3
How Security Tools get Physical Network Data

 Network TAPs

  •   Device on network that
      passes a copy of every
      packet to tool
  •   Typical use: between Firewall
      & internal network


 SPAN or Mirror ports
  •   Cisco term: Switched Port
      Analyzer
  •   Way to access data by
      mirroring packets in/out of
      port to tool

 4
Increased Demand for Packet-Based Monitoring Tools
                                        EMA Research: Not Just IDS Vying for Visibility


           Demand
Troubleshooting / Packet Analyzers (e.g.                                                 67%
  packet “sniffers” or other analyzers)                                               61%

               Intrusion Detection / Prevention                                     56%
                                                                                     57%

                                Data Loss Prevention*                               56%


             Application Performance Monitor                                  42%
                                                                              42%

                                        Data Recorder                         42%
                                                                    24%

                                          Compliance                          42%
                                                                    26%
  VoIP / Unified Communications / Video                                       40%
                 analyzers                                              29%

                                                        0%    20%         40%       60%        80%
                                                  Feb 2012   Dec 2009
Source: EMA, Sample Size = 91, 139
Network Security Monitoring Problems

 No visibility into virtualized environments

 Too many network segments & not
  enough visibility

 I can’t assess problems fast enough

 Incidents happen off hours (or when
  I’m trying to sleep!)

 Change Board required for any required monitoring changes!

 I’m stuck trying to monitor a 10 / 40G network with 1 / 10G
  tools! Tools are lagging!

 Lousy duplicate packets
Your Network BEFORE Network Monitoring Switch




                                                COMPLIANCE MANAGEMENT TOOL
NETWORK ANALYZER                                        Limited Visibility
Crash Cart Technology

                                                              IDS
                                                    Minimal IT Data Security



                                                              IPS
                                                         Underutilized


                                                  NETWORK DATA RECORDER
                                                          Overloaded
Your Network AFTER Network Monitoring Switch




                           COMPLIANCE MANAGEMENT TOOL




                                      IDS




                                      IPS




                             NETWORK DATA RECORDER




                                NETWORK ANALYZER
Recommendations
                                                                           VMware and other vendors
    VM-to-VM visibility best provided by those with
     existing infrastructure
     •    VMware trusted server resource
     •    Cisco trusted networking resource
     •    Both well known to server and network admins
    Network Monitoring Switch provides advanced
     functionality…
     •    Line-rate Packet De-duplication
               De-dup redundant packets created by VDS, 1000v or vTAP
     •    Traditional packet shaping and conditioning
     •    Traditional intelligent routing capabilities


Virtualization Vendor           Recommended Approach


VMware                          VMware vSphere Distributed Switch (VDS)
Citrix                          Open vSwitch with port mirroring, which is integrated with XenServer*
Microsoft                       NI vTAP. Hyper-V R2 SP1 has no port mirroring
Red Hat                         NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroring
Networking Vendor               Recommended Approach
Cisco                           Cisco Nexus 1000V Series Switches (VMware only) or Recommended Approach for Virtualization
                                Vendor
IBM                             IBM Dist. Virtual Switch 5000V (VMware only) or Recommended Approach for Virtualization Vendor
Extreme Networks                Use Recommended Approach for Virtualization Vendor
HP                              Use Recommended Approach for Virtualization Vendor
Juniper                         Use Recommended Approach for Virtualization Vendor
Brocade                         Use Recommended Approach for Virtualization Vendor
Dell                            Use Recommended Approach for Virtualization Vendor
Vsphere 5.x VDS enhancments


 VMworld 2011, VMware announced
  enhancements to the vSphere Distributed
  Switch – Port Mirroring = capability to send
  copy of network packets to monitoring tool
     • Overcomes limitation of promiscuous mode
        Granular control on which traffic monitored
         •   Ingress Source
         •   Egress Source
     • Helps troubleshooting by providing visibility:
        Inter VM traffic
        Intra VM traffic
10
How it works with VMware




11
VMware example


•   Vsphere Distributed Switch can port mirror to VM or physical
    switch
Setting up Port Mirroring Session in VMware




13
Specify Destinations




14
Port Mirroring




15
Network Monitoring Switch Control Panel




16
Vsphere Distributed Switch
     Create port in Network Monitoring Switch




17
Set Filter Criteria




18
De-Duplicate Packets




19
Port mirroring on VDS Creates Duplicate Packets –
                                                               BEFORE



VM1                                                                  VMn




                                  vNIC1   vNICn
                                      VDS
                                     pNIC
      VM to Network

      VM to VM




                                     Tool         Tool gets dup of VM to VM traffic


Inter-VM Broadcast would create many copies!
                                                                                20
Port mirroring on VDS Creates Duplicate Packets –
                                                                AFTER



VM1                                                                   VMn




                                  vNIC1   vNICn
                                     vSwitch
                                      pNIC
      VM to Network

      VM to VM



                                                  Tool gets correct VM to VM traffic



                                                                        Tool

                                                                                 21
Bridging the Gap
                                      Motivated by increasing visibility needs
                                                                                         Trustwave
                                       IDS / IPS                                         StillSecure
                                                                                         Counter Snipe
                Network
               Monitoring                 SIEM                                                           LogRhythm
                Switch
 Production
                                                              McAfee            BlueCoat
  Network
                                           DLP                EMC-RSA           Intrusion Inc.
                                                              WebSense          Trustwave
      Cisco
     Juniper                                                                                Compuware
                                          APM                                               Endace
       Dell
       HP                                                                                   Corvil
                                                                                            Exfo
     Brocade                        NW Analyzers                                            Wireshark
                                                                                            LogRhythm
                                                                                            SS8
                                    NW Forensics                                            Netwitness
                                                                                            Niksun

                                                                                            Imperva
                                     Web Security                                           Fortinet
                                                                                            McAfee
22
                 Automation integration with NMS/SIEM providers (Tivoli, CA, HP ArcSight)
Network Monitoring Switch
                                                                        Intelligent Traffic Distribution
                                 IT Needs
                                                Physical Problem: Limited number of VDS, SPANs &
                                                TAPs & many tools needing data
                                  Adaptive
                                  Response
     Increasing Customer Needs




                                                                       Benefits

                                                   Control access to network ports, tool ports & filters
                                                   Tools receive data from multiple network access points
                                   Packet
                                 Conditioning      Monitor 10 / 40G network with 1 /10G tools


                                                                       Features

                                                 Packet aggregation for SPAN/TAP shortage
                                 Intelligent
                                                 Packet routing to the appropriate tools
                                   Traffic
                                 Distribution

23
Network Monitoring Switch
                                                                               Packet Conditioning
                            IT Needs
                                               Problem: Sensitive data, protocols my tools
                             Adaptive          can’t understand, duplicate packets caused by
                             Response          VDS, SPANs & TAPs
Increasing Customer Needs




                                                                     Benefits
                                                Process packets with filtering & load balancing
                              Packet            Improved incident response
                            Conditioning        Maximized monitoring tool use - exactly right data to
                                                 right tool
                                                Removal of sensitive data / header

                                                                    Features
                            Intelligent
                                              Filtering, stripping, slicing
                              Traffic
                            Distribution      De-Duplication of replicated packets
                                              Load balancing across multiple tools
                                              Buffering bursty traffic to tools
            24
Network Monitoring Switch
                                                                                Adaptive Response
                            IT Needs

                                               Problem: Need to troubleshoot network
                             Adaptive          problems without manual intervention
                             Response
Increasing Customer Needs




                                                                     Benefits
                                                Dynamically update configuration without Change
                              Packet             Board approval & manual intervention. Improved &
                            Conditioning         simplified troubleshooting.


                                                                    Features
                                                Proactive monitoring (changes, bandwidth, events &
                            Intelligent          threats)
                              Traffic           Adaptive incident response proactively adjusts packet
                            Distribution         delivery to tools as needed


             25
Granular Access Control



 Can configure to have users or groups can
  have access to:
  • Network Ports
  • Monitoring and Analysis Tools
  • Dynamic Filters

 TACACS+, RADIUS



 26
Enterprise Reference Architectures
                                                                              VMware
                        Branch offices
 Branch1
                                         Tool1
Branch2
                      TAP    NTO         Tool2
                                         Tooln
Branch3




            Nexus           ToR                            Multiple datacenters
             5K
                                     Tool1       Tool1                                     Tool1
                                                         NTO               NTO
             TAP            NTO      Tool2       Tool2                                     Tool2
                                     Tooln       Tooln         NTO                         Tooln
           Nexus 2K

                                                                   20G link – aggregated


           Rack                                                NTO
           Server 1                                                                      Tool1
           Server 2
                                                 Tool1   NTO                NTO          Tool2
           Server 3                              Tool2                                 27Tooln
                                                 Tooln
DEMO of How Easy Visibility Can Be




28

More Related Content

What's hot

WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
Cisco Canada
 
BreakingPoint FireStorm CTM Datasheet
BreakingPoint FireStorm CTM DatasheetBreakingPoint FireStorm CTM Datasheet
BreakingPoint FireStorm CTM Datasheet
Ixia
 
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
Nur Shiqim Chok
 
Virtualization Monitoring Webinar
Virtualization Monitoring WebinarVirtualization Monitoring Webinar
Virtualization Monitoring Webinar
krkingsley
 
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las VegasIntroduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Bruno Teixeira
 
LTE Testing
LTE TestingLTE Testing
LTE Testing
Ixia
 
Switch
SwitchSwitch
Switch1 2d
 
ActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
ActionPacked! Networks Hosts Cisco Application Visibility & Control WebinarActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
ActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
ActionPacked Networks
 
BreakingPoint 3G Testing Data Sheet
BreakingPoint 3G Testing Data SheetBreakingPoint 3G Testing Data Sheet
BreakingPoint 3G Testing Data Sheet
Ixia
 
White Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device EvaluationWhite Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device Evaluation
Ixia
 
Vindicator Overview
Vindicator OverviewVindicator Overview
Vindicator Overviewdp3b58
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOT
pauldeng
 
Understanding SDN
Understanding SDNUnderstanding SDN
Understanding SDN
Saurabh Agarwal
 
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
Nur Shiqim Chok
 
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
IBM System Networking
 
SDN - a new security paradigm?
SDN - a new security paradigm?SDN - a new security paradigm?
SDN - a new security paradigm?
Sophos Benelux
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
F5 Networks
 
Motorola Wing 5.6 specification sheet
Motorola  Wing 5.6 specification sheetMotorola  Wing 5.6 specification sheet
Motorola Wing 5.6 specification sheet
Advantec Distribution
 

What's hot (20)

WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
BreakingPoint FireStorm CTM Datasheet
BreakingPoint FireStorm CTM DatasheetBreakingPoint FireStorm CTM Datasheet
BreakingPoint FireStorm CTM Datasheet
 
Sdn&security
Sdn&securitySdn&security
Sdn&security
 
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
 
Virtualization Monitoring Webinar
Virtualization Monitoring WebinarVirtualization Monitoring Webinar
Virtualization Monitoring Webinar
 
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las VegasIntroduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
 
LTE Testing
LTE TestingLTE Testing
LTE Testing
 
Switch
SwitchSwitch
Switch
 
ActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
ActionPacked! Networks Hosts Cisco Application Visibility & Control WebinarActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
ActionPacked! Networks Hosts Cisco Application Visibility & Control Webinar
 
BreakingPoint 3G Testing Data Sheet
BreakingPoint 3G Testing Data SheetBreakingPoint 3G Testing Data Sheet
BreakingPoint 3G Testing Data Sheet
 
White Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device EvaluationWhite Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device Evaluation
 
Vindicator Overview
Vindicator OverviewVindicator Overview
Vindicator Overview
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOT
 
Understanding SDN
Understanding SDNUnderstanding SDN
Understanding SDN
 
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
 
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
IBM Software Defined Networking for Virtual Environments (IBM SDN VE)
 
SDN - a new security paradigm?
SDN - a new security paradigm?SDN - a new security paradigm?
SDN - a new security paradigm?
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
 
Motorola Wing 5.6 specification sheet
Motorola  Wing 5.6 specification sheetMotorola  Wing 5.6 specification sheet
Motorola Wing 5.6 specification sheet
 

Viewers also liked

Floor Population Metrics, presented by Chip Webb, CTO at Anue Systems
Floor Population Metrics, presented by Chip Webb, CTO at Anue SystemsFloor Population Metrics, presented by Chip Webb, CTO at Anue Systems
Floor Population Metrics, presented by Chip Webb, CTO at Anue Systems
Ixia NVS Group
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
whitehat 'People'
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 

Viewers also liked (6)

Floor Population Metrics, presented by Chip Webb, CTO at Anue Systems
Floor Population Metrics, presented by Chip Webb, CTO at Anue SystemsFloor Population Metrics, presented by Chip Webb, CTO at Anue Systems
Floor Population Metrics, presented by Chip Webb, CTO at Anue Systems
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 

Similar to Use Your IDS Appliance, presented by Kate Brew, Product Marketing Manager at Ixia NVS

Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Net Optics' Virtualization Solutions Deployment Case Study
Net Optics' Virtualization Solutions Deployment Case StudyNet Optics' Virtualization Solutions Deployment Case Study
Net Optics' Virtualization Solutions Deployment Case Study
LiveAction Next Generation Network Management Software
 
TechWiseTV Workshop: Cisco SD-WAN
TechWiseTV Workshop: Cisco SD-WANTechWiseTV Workshop: Cisco SD-WAN
TechWiseTV Workshop: Cisco SD-WAN
Robb Boyd
 
What is a virtual tap?
What is a virtual tap?What is a virtual tap?
Software-Based Networking & Security for the Cloud
Software-Based Networking & Security for the CloudSoftware-Based Networking & Security for the Cloud
Software-Based Networking & Security for the Cloud
Matt Wolpin
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Khazret Sapenov
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use cases
Angel Villar Garea
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Graeme Wood
 
Vss Security And Compliance For The Cloud
Vss Security And Compliance For The CloudVss Security And Compliance For The Cloud
Vss Security And Compliance For The Cloud
Graeme Wood
 
Data Access Network for Monitoring and Troubleshooting
Data Access Network for Monitoring and TroubleshootingData Access Network for Monitoring and Troubleshooting
Data Access Network for Monitoring and Troubleshooting
Grant Swanson
 
Guard Era Corp Brochure 2008
Guard Era Corp Brochure 2008Guard Era Corp Brochure 2008
Guard Era Corp Brochure 2008
GuardEra Access Solutions, Inc.
 
Software-Defined Networking SDN - A Brief Introduction
Software-Defined Networking SDN - A Brief IntroductionSoftware-Defined Networking SDN - A Brief Introduction
Software-Defined Networking SDN - A Brief Introduction
Jason TC HOU (侯宗成)
 
The SDN Opportunity
The SDN OpportunityThe SDN Opportunity
The SDN Opportunity
Juniper Networks
 
Virtual firewall framework
Virtual firewall frameworkVirtual firewall framework
Virtual firewall framework
Nithin Babu
 
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarHow to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
PLUMgrid
 
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
Savvius, Inc
 
PLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
PLNOG14: SteelCentral NPM Solution - Tomasz WiniarskiPLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
PLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
PROIDEA
 

Similar to Use Your IDS Appliance, presented by Kate Brew, Product Marketing Manager at Ixia NVS (20)

Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Net Optics' Virtualization Solutions Deployment Case Study
Net Optics' Virtualization Solutions Deployment Case StudyNet Optics' Virtualization Solutions Deployment Case Study
Net Optics' Virtualization Solutions Deployment Case Study
 
TechWiseTV Workshop: Cisco SD-WAN
TechWiseTV Workshop: Cisco SD-WANTechWiseTV Workshop: Cisco SD-WAN
TechWiseTV Workshop: Cisco SD-WAN
 
What is a virtual tap?
What is a virtual tap?What is a virtual tap?
What is a virtual tap?
 
Software-Based Networking & Security for the Cloud
Software-Based Networking & Security for the CloudSoftware-Based Networking & Security for the Cloud
Software-Based Networking & Security for the Cloud
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use cases
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend Micro
 
Vss Security And Compliance For The Cloud
Vss Security And Compliance For The CloudVss Security And Compliance For The Cloud
Vss Security And Compliance For The Cloud
 
Data Access Network for Monitoring and Troubleshooting
Data Access Network for Monitoring and TroubleshootingData Access Network for Monitoring and Troubleshooting
Data Access Network for Monitoring and Troubleshooting
 
Guard Era Corp Brochure 2008
Guard Era Corp Brochure 2008Guard Era Corp Brochure 2008
Guard Era Corp Brochure 2008
 
Software-Defined Networking SDN - A Brief Introduction
Software-Defined Networking SDN - A Brief IntroductionSoftware-Defined Networking SDN - A Brief Introduction
Software-Defined Networking SDN - A Brief Introduction
 
QualysGuard InfoDay 2012 - QualysGuard Suite 7.0
QualysGuard InfoDay 2012 - QualysGuard Suite 7.0QualysGuard InfoDay 2012 - QualysGuard Suite 7.0
QualysGuard InfoDay 2012 - QualysGuard Suite 7.0
 
The SDN Opportunity
The SDN OpportunityThe SDN Opportunity
The SDN Opportunity
 
Intro to SDN - Part III
Intro to SDN - Part IIIIntro to SDN - Part III
Intro to SDN - Part III
 
Virtual firewall framework
Virtual firewall frameworkVirtual firewall framework
Virtual firewall framework
 
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarHow to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
 
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
Don't Let History Repeat Itself – Network Monitoring and Reporting with Watch...
 
PLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
PLNOG14: SteelCentral NPM Solution - Tomasz WiniarskiPLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
PLNOG14: SteelCentral NPM Solution - Tomasz Winiarski
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Use Your IDS Appliance, presented by Kate Brew, Product Marketing Manager at Ixia NVS

  • 1. How to Use Your IDS Appliance to Monitor Virtualized Environments Kate Brew This material is for informational purposes only and subject to change without notice. It describes Ixia’s present plans to develop and make available to its customers certain products, features and functionality. Ixia is only obligated to provide those deliverables specifically included in a written agreement between Ixia and the customer. ©2012 Ixia. All rights reserved. 1
  • 2. VMworld Survey Results  98% thought visibility into VMware environments is critical to their success.  Moving forward, 82.4% of respondents plan on using a mix of physical and virtual monitoring tools  A whopping 32.4% already using vSphere Distributed Switch. Only 9.4% never plan to use it, and only 23.6% were unfamiliar with it.  Only 13.5% would use a third party vTAP (when asked if they would use a virtual TAP from a third party versus the capabilities provided by VMware and Cisco to acquire information from a virtual environment for analysis with physical tools like IDS).  84.6% saw a network monitoring switch as a critical infrastructure component for virtualization. 2 * Survey of over 150 people at Ixia booth at VMworld 2012
  • 3. Best Practices  With virtualization vendor capabilities, you can monitor virtualized environment with existing IDS appliance • No need for vTAP • “Sanctioned” visibility = cooperation from virtualization team  Network monitoring switch can be valuable part of security architecture • IDS isn’t the only tool vying for access • You have both physical & virtual to worry about 3
  • 4. How Security Tools get Physical Network Data  Network TAPs • Device on network that passes a copy of every packet to tool • Typical use: between Firewall & internal network  SPAN or Mirror ports • Cisco term: Switched Port Analyzer • Way to access data by mirroring packets in/out of port to tool 4
  • 5. Increased Demand for Packet-Based Monitoring Tools EMA Research: Not Just IDS Vying for Visibility Demand Troubleshooting / Packet Analyzers (e.g. 67% packet “sniffers” or other analyzers) 61% Intrusion Detection / Prevention 56% 57% Data Loss Prevention* 56% Application Performance Monitor 42% 42% Data Recorder 42% 24% Compliance 42% 26% VoIP / Unified Communications / Video 40% analyzers 29% 0% 20% 40% 60% 80% Feb 2012 Dec 2009 Source: EMA, Sample Size = 91, 139
  • 6. Network Security Monitoring Problems  No visibility into virtualized environments  Too many network segments & not enough visibility  I can’t assess problems fast enough  Incidents happen off hours (or when I’m trying to sleep!)  Change Board required for any required monitoring changes!  I’m stuck trying to monitor a 10 / 40G network with 1 / 10G tools! Tools are lagging!  Lousy duplicate packets
  • 7. Your Network BEFORE Network Monitoring Switch COMPLIANCE MANAGEMENT TOOL NETWORK ANALYZER Limited Visibility Crash Cart Technology IDS Minimal IT Data Security IPS Underutilized NETWORK DATA RECORDER Overloaded
  • 8. Your Network AFTER Network Monitoring Switch COMPLIANCE MANAGEMENT TOOL IDS IPS NETWORK DATA RECORDER NETWORK ANALYZER
  • 9. Recommendations VMware and other vendors  VM-to-VM visibility best provided by those with existing infrastructure • VMware trusted server resource • Cisco trusted networking resource • Both well known to server and network admins  Network Monitoring Switch provides advanced functionality… • Line-rate Packet De-duplication  De-dup redundant packets created by VDS, 1000v or vTAP • Traditional packet shaping and conditioning • Traditional intelligent routing capabilities Virtualization Vendor Recommended Approach VMware VMware vSphere Distributed Switch (VDS) Citrix Open vSwitch with port mirroring, which is integrated with XenServer* Microsoft NI vTAP. Hyper-V R2 SP1 has no port mirroring Red Hat NI vTAP. Enterprise Virtualization 2.2 (KVM) has no port mirroring Networking Vendor Recommended Approach Cisco Cisco Nexus 1000V Series Switches (VMware only) or Recommended Approach for Virtualization Vendor IBM IBM Dist. Virtual Switch 5000V (VMware only) or Recommended Approach for Virtualization Vendor Extreme Networks Use Recommended Approach for Virtualization Vendor HP Use Recommended Approach for Virtualization Vendor Juniper Use Recommended Approach for Virtualization Vendor Brocade Use Recommended Approach for Virtualization Vendor Dell Use Recommended Approach for Virtualization Vendor
  • 10. Vsphere 5.x VDS enhancments  VMworld 2011, VMware announced enhancements to the vSphere Distributed Switch – Port Mirroring = capability to send copy of network packets to monitoring tool • Overcomes limitation of promiscuous mode  Granular control on which traffic monitored • Ingress Source • Egress Source • Helps troubleshooting by providing visibility:  Inter VM traffic  Intra VM traffic 10
  • 11. How it works with VMware 11
  • 12. VMware example • Vsphere Distributed Switch can port mirror to VM or physical switch
  • 13. Setting up Port Mirroring Session in VMware 13
  • 16. Network Monitoring Switch Control Panel 16
  • 17. Vsphere Distributed Switch Create port in Network Monitoring Switch 17
  • 20. Port mirroring on VDS Creates Duplicate Packets – BEFORE VM1 VMn vNIC1 vNICn VDS pNIC VM to Network VM to VM Tool Tool gets dup of VM to VM traffic Inter-VM Broadcast would create many copies! 20
  • 21. Port mirroring on VDS Creates Duplicate Packets – AFTER VM1 VMn vNIC1 vNICn vSwitch pNIC VM to Network VM to VM Tool gets correct VM to VM traffic Tool 21
  • 22. Bridging the Gap Motivated by increasing visibility needs Trustwave IDS / IPS StillSecure Counter Snipe Network Monitoring SIEM LogRhythm Switch Production McAfee BlueCoat Network DLP EMC-RSA Intrusion Inc. WebSense Trustwave Cisco Juniper Compuware APM Endace Dell HP Corvil Exfo Brocade NW Analyzers Wireshark LogRhythm SS8 NW Forensics Netwitness Niksun Imperva Web Security Fortinet McAfee 22 Automation integration with NMS/SIEM providers (Tivoli, CA, HP ArcSight)
  • 23. Network Monitoring Switch Intelligent Traffic Distribution IT Needs Physical Problem: Limited number of VDS, SPANs & TAPs & many tools needing data Adaptive Response Increasing Customer Needs Benefits  Control access to network ports, tool ports & filters  Tools receive data from multiple network access points Packet Conditioning  Monitor 10 / 40G network with 1 /10G tools Features  Packet aggregation for SPAN/TAP shortage Intelligent  Packet routing to the appropriate tools Traffic Distribution 23
  • 24. Network Monitoring Switch Packet Conditioning IT Needs Problem: Sensitive data, protocols my tools Adaptive can’t understand, duplicate packets caused by Response VDS, SPANs & TAPs Increasing Customer Needs Benefits  Process packets with filtering & load balancing Packet  Improved incident response Conditioning  Maximized monitoring tool use - exactly right data to right tool  Removal of sensitive data / header Features Intelligent  Filtering, stripping, slicing Traffic Distribution  De-Duplication of replicated packets  Load balancing across multiple tools  Buffering bursty traffic to tools 24
  • 25. Network Monitoring Switch Adaptive Response IT Needs Problem: Need to troubleshoot network Adaptive problems without manual intervention Response Increasing Customer Needs Benefits  Dynamically update configuration without Change Packet Board approval & manual intervention. Improved & Conditioning simplified troubleshooting. Features  Proactive monitoring (changes, bandwidth, events & Intelligent threats) Traffic  Adaptive incident response proactively adjusts packet Distribution delivery to tools as needed 25
  • 26. Granular Access Control  Can configure to have users or groups can have access to: • Network Ports • Monitoring and Analysis Tools • Dynamic Filters  TACACS+, RADIUS 26
  • 27. Enterprise Reference Architectures VMware Branch offices Branch1 Tool1 Branch2 TAP NTO Tool2 Tooln Branch3 Nexus ToR Multiple datacenters 5K Tool1 Tool1 Tool1 NTO NTO TAP NTO Tool2 Tool2 Tool2 Tooln Tooln NTO Tooln Nexus 2K 20G link – aggregated Rack NTO Server 1 Tool1 Server 2 Tool1 NTO NTO Tool2 Server 3 Tool2 27Tooln Tooln
  • 28. DEMO of How Easy Visibility Can Be 28

Editor's Notes

  1. Ingress Source is traffic going out of VM toward VDS. Traffic seeks ingress to VDS, hense source is called Ingress. Traffic received by VM is Egress Source
  2. Admin can chhose a VLAN to encapsulate mirrored packets by selecting Encapulations VLAN box.
  3. Depending on traffic to be monitored, choose Ingress, Egress or Ingress/Egress. Then specify the port ID of that particular source VM. To get the port ID number of a VM, Switch to Home>Inventor>Networking view. Select vDS and choose Ports tab. Scroll down to see virtual machines and associated port ID.
  4. One configuration both normal traffic and mirror traffic flow through same physical uplink. When network admins are concerned about impact of mirror traffic on normal traffic, they can choose a separate uplink port to send mirror traffic. Traffic destination can be any VM, Vmknic or uplink port.
  5. FLIP!!!!
  6. FLIP!!!!