Comments on TaoSecurity Blog: Virtualized Network Security Monitoring Platforms
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16.

Unknown (https://www.blogger.com/profile/00859581972480787527), 2010-03-31 02:06 -04:00:

Great informative article on virtualization. Thanks for sharing it here. By the way, I have gathered more information on virtualization through the conference Cloudslam 2010 (http://cloudslam10.com), which is the 2nd annual and virtual conference on cloud computing and its innovations. I got a good chance to meet and talk with the world's leading experts of cloud computing through the conference.

Anonymous, 2009-05-08 23:47 -04:00: This comment has been removed by a blog administrator.

Anonymous, 2009-05-05 04:58 -04:00: This comment has been removed by a blog administrator.

Anonymous, 2009-04-22 10:16 -04:00: This comment has been removed by a blog administrator.

Anonymous, 2009-03-24 06:29 -04:00: This comment has been removed by a blog administrator.

Chris Buechler (https://www.blogger.com/profile/14915136057838042206), 2009-02-14 16:43 -05:00:

There isn't really a recommended number of NICs for ESX. It varies quite a bit depending on your needs and the specifics of your deployment. I like one for management only, at least one for VMs, and one for storage if using iSCSI. Or multiple bonded NICs for each of those purposes. Some people run all of the above on one NIC, though I would certainly consider that inadvisable.

dre (https://www.blogger.com/profile/17414510788948258195), 2009-02-13 05:39 -05:00:

I'm going to agree with The Hoff. VNET and hypervisor introspection (e.g. VMware's VMsafe API or XenAccess.sf.net) completely change this layer. This is happening, oh, right about now sometime. Sourcefire, Reflex Systems, and Stonesoft are going to be key monitoring/visibility players because they are in the VMware TAP, the third-party access partner program.

@Buechler: Isn't the recommended ESX configuration 4 or 6 NICs? Personally, I'd go with 4 (VMkernel, no NAS or iSCSI) or 6 (VMkernel with NAS and/or iSCSI) as it makes the architecture much easier. I've got some great reference architectures for everyone to check out at some point. Hoff has seen them.

I think I've said this numerous times to Bejtlich and Hoff: rpcapd compiles under Unix and Windows (I think I learned this from TToNSM). You can wrap it in stunnel if you'd like. This is going to work with vSwitch and VNET technology, although it's not going to take advantage of the hypervisor introspection layer. I would certainly rather run this than the promiscuous mode available in the VMware VIC vSwitch Security Properties tab.

Chris Buechler (https://www.blogger.com/profile/14915136057838042206), 2009-02-01 18:19 -05:00:

Oh, and one additional thought I left out: my previous comments were strictly related to monitoring physical links with a virtual machine. What about monitoring traffic between VMs that never leaves the host and touches the physical wire?

As Christofer Hoff noted, things are changing considerably related to this. For now, NSM inside a VM may be the only way, or the best way, to monitor traffic between VMs, depending on the specifics of your deployment.

Chris Buechler (https://www.blogger.com/profile/14915136057838042206), 2009-02-01 18:13 -05:00:

You're looking at things from the huge-corporation perspective, Richard. And from a hosted-hypervisor perspective as well, as I believe the last time you posted you stated you hadn't used ESX or similar competitive offerings. Addressing your points individually, mostly based on my experience with VMware ESX:

1. You can put a whole lot more than 3-5 physical NICs into a single ESX box, and you don't have to share them. A typical 2U server with two PCI-X/PCI-e slots can easily have 10 NICs with two 4-port cards and the usual two onboard cards. These types of things work very well in ESX.

2. True, but it still works fine. I do it routinely.

3. True, but how much? This will differ widely from one scenario to another.

4. Yes, but again, how much? Also varies greatly.

5. Not universally true at all.

Points 3-5 are all dependent on the amount of traffic you're monitoring. If you're at a Fortune 100 company monitoring gig taps with high load running over them, then yes, virtualization likely doesn't make sense. If you're a small-to-mid-sized company monitoring a T1 or maybe a 10 Mb Internet or WAN pipe, then it can make sense in some circumstances. You aren't going to be using a considerable amount of resources monitoring that little bit of traffic, and it nullifies all these points.

Whether or not you trust virtualization in general, as "Anonymous" posted about, is another discussion entirely. My hands-on experience is such that for most things, I trust it.

If you're monitoring a lot of traffic (50-100 Mbps or more, though that number will vary between scenarios), I agree entirely with these points. If you aren't, don't write off virtualization so quickly. It still may not make sense depending on the specifics of your environment and your virtualization deployment, but in some instances your options will be either add it to the existing virtualization platform or don't do it at all. NSM can and does work in virtualized environments.

Anonymous, 2009-01-31 05:19 -05:00:

Two years ago I wrote in an internal statement something like "...virtualization introduces a layer of complexity we should not underestimate... we need knowledge, experience and tools to make periodic integrity checks... we do not have the low-level skill of Joanna & co. nor the time to develop them... so dear boss, while we evaluate the savings in hardware and energy, let's not forget the follow-up costs..."

Over two years have passed since then and things have evolved, but I still miss the tools for integrity checks and can't afford the time for training or experienced personnel. I am therefore extremely careful with virtualization... but maybe I take the learned lessons in 'security engineering' too seriously...? What do you think?

Christofer Hoff (https://www.blogger.com/profile/06755101021610973483), 2009-01-30 09:06 -05:00:

For some reason the beginning of my comment was lopped off. Here's what I said:

These are all valid and interesting points -- for now.

The reality is that there is a sea change coming in some of the underlying networking and security capabilities of (at least) VMware and how that relates to the limitations of currently deploying sensors.

I know I'm really drifting from the "virtualizing sensors" discussion point and talking more about "sensors virtualized," but I think they are closely related in the long term.

Case in point: the Cisco Nexus 1000v, VN-Link and distributed virtual switching, when combined with the VMsafe APIs, mean that the issues associated with the traditional plumbing-in of monitoring solutions change dramatically.

This evolves even further when you consider the integration of the Nexus 5000 and the initiator.

The point here is that the capability to set filters/triggers across a virtual switching fabric (both in software and hardware) will ultimately simplify and expand the monitoring footprint. It will also potentially lead to folks using more virtual appliances in unique ways.

The definition of a sensor at the atomic level will change, as will the notion of how we scale them to provide for the capacity that will be needed.

This doesn't obviate physical, dedicated sensors entirely, but it solves many of the problems associated with trying to integrate them into consolidating and virtualized infrastructure.

These are certainly VMware-centric solutions, but that's exactly why I keep jumping up and down whining about the lack of comparable technologies in the other virtualization platforms. There are some moves afoot with Xen, but we'll see how that moves forward.

We can't currently get the same visibility parity in virtual environments as we do in physical ones, due to the performance, scale and integration issues you and I talk about, but it's coming.

My $0.02

/Hoff

Christofer Hoff (https://www.blogger.com/profile/06755101021610973483), 2009-01-30 08:56 -05:00: This comment has been removed by the author.