VMware vSphere

  • 1.  Promiscuous mode or port mirroring

    Posted Aug 07, 2012 06:30 PM

    I want to set up a Snort IDS to monitor traffic from my VMs. This means having to look at traffic on the vSwitch, since VM-to-VM traffic does not leave the virtual environment.

    I am pretty sure that either method would work, but I am worried about both security and performance. Promiscuous mode seems to be better from a performance standpoint but is a security concern, since any connected NIC that is put into promiscuous mode will be able to see all traffic on the network. Port mirroring is more secure since you can designate a target switch port to send all traffic to; however, it doesn't seem well suited to mirroring all traffic on all ports in a portgroup.

    Thoughts?



  • 2.  RE: Promiscuous mode or port mirroring

    Posted Aug 07, 2012 10:01 PM

    I understand the concern, but there are some ways to mitigate it. I suggest creating a VM portgroup specifically for your Snort IDS to connect to, and set that to promiscuous mode for your vSwitch. That way only your Snort VM can see the traffic.

    Xangati actually has a pretty awesome cheat sheet on this: http://www.xangati.com/downloads/pdf/Promiscuous%20Mode%20Instructions.pdf

    If you are using a vDS, you can use NetFlow (in version 5), or even limit the port count to 1 so that no other VM could be attached to the portgroup, as additional security.



  • 3.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 12:01 PM

    Thank you both for your responses. I was not aware that traffic from one portgroup could see the others if in promiscuous mode, even if they shared the same VLAN. That is very helpful. Do you know if this will still work in a Distributed Switch environment where the vDS spans many hosts?



  • 4.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 12:07 PM

    Snivek wrote:

    Do you know if this will still work in a Distributed Switch environment where the vDS spans many hosts?

    No, it will not, since the physical switches connecting the two ESXi hosts would have no idea/reason to forward frames up to this promiscuous VM portgroup if they are destined for something else on the network.



  • 5.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 01:03 PM

    Do you know how this might be addressed? Having an IDS per VM host does not seem to be a very scalable solution.

    I am not trying to turn this into an IDS planning thread, but I am curious if vSphere has any technologies to address this.

    Appreciate your answers so far!



  • 6.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 01:06 PM

    Snivek wrote:

    I am not trying to turn this into an IDS planning thread, but I am curious if vSphere has any technologies to address this.

    Not really, I am afraid. Like Chris mentioned, there is the possibility in ESXi 5.0 to configure a NetFlow client on the Distributed vSwitches and send to a NetFlow server for analysis, but I guess that is not enough for you to do any real IDS checking?



  • 7.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 01:27 PM

    Yeah, unfortunately NetFlow won't cut it for IDS purposes.



  • 8.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 01:50 PM

    The model that I've seen from various vendors today is to supply a collector / master model where the master node creates a collector agent VM on each host. This is to overcome the requirement of collecting traffic on all hosts. Beyond Xangati that I mentioned, VMware does this too with products like vShield Edge.

    Port Mirror in its current form is rather limited; hopefully it gets some developer love. :)

    http://blogs.vmware.com/vsphere/2012/06/how-to-use-port-mirroring-feature-of-vds-for-monitoring-virtual-machine-traffic.html



  • 9.  RE: Promiscuous mode or port mirroring

    Posted Aug 08, 2012 09:28 AM

    Snivek wrote:

    Port mirroring is more secure since you can designate a target switch port to send all traffic to; however, it doesn't seem well suited to mirroring all traffic on all ports in a portgroup.

    Thoughts?

    I agree with Chris. The Promiscuous setting should not be placed on the general VM portgroup, since that could, as you note, let any VM observe other VMs' traffic. Just create a new portgroup with the same VLAN ID as the "big" VM portgroup and enable Promiscuous on this portgroup, which should only host your IDS system.