VMware Cloud Community
TheVMinator
Expert

Traffic Inspection and Security Compliance

I'm looking at options involving traffic inspection using port mirroring on the virtual networking inside ESXi in order to assist with things like intrusion detection and identifying network traffic anomalies indicating potential security events.

The question is, if I deploy a solution that performs this by becoming a destination port of a traffic mirroring session, are the gains I get by identifying anomalies and intrusion detection worth it, given the increased risks of the collector now receiving all the egress frames of VMs in my environment?

Thoughts / opinions welcome.

Thanks

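For the risk the question raises (a collector vNIC that becomes a mirror destination), the setting a practitioner wants is the one that makes that destination port receive-only. The following PowerCLI script is an added example, not code from the thread or from VMware; it builds a vSphere Distributed Switch port mirroring session through the public vSphere API objects (VMwareVspanSession, VMwareDVSVspanConfigSpec, VMwareDVSConfigSpec). The switch name, the dvPort keys of the source VMs and of the collector, and the session name are placeholders you must replace with your own; an existing Connect-VIServer session is assumed.

```powershell
# Added example (not from the original thread). Assumes an open PowerCLI
# session (Connect-VIServer) and a vSphere Distributed Switch; standard
# vSwitches have no port mirroring sessions. All values below are assumed
# placeholders: replace them with your own switch name and dvPort keys.
$DvsName          = 'dvs-prod'          # assumed vDS name
$SourcePortKeys   = @('10', '11')       # assumed dvPort keys of the VMs to watch
$CollectorPortKey = '50'                # assumed dvPort key of the IDS sensor vNIC
$SessionName      = 'ids-egress-mirror' # assumed session name

$dvs     = Get-VDSwitch -Name $DvsName
$dvsView = Get-View -Id $dvs.Id

$session = New-Object VMware.Vim.VMwareVspanSession
$session.Name        = $SessionName
$session.Enabled     = $true
$session.SessionType = 'dvPortMirror'     # local mirror within the same vDS

# Mirror only frames the listed source ports transmit (VM egress, as in the
# question). Leaving SourcePortReceived unset keeps ingress out of the mirror.
$session.SourcePortTransmitted         = New-Object VMware.Vim.VMwareVspanPort
$session.SourcePortTransmitted.PortKey = $SourcePortKeys

# Destination: the collector's dvPort.
$session.DestinationPort         = New-Object VMware.Vim.VMwareVspanPort
$session.DestinationPort.PortKey = @($CollectorPortKey)

# Hardening: with normal I/O disallowed, the destination dvPort only receives
# mirrored frames; the collector cannot transmit through it, so the tap port
# cannot be used to inject traffic back into the production segment.
$session.NormalTrafficAllowed = $false
# Keep the original VLAN tag so the sensor can attribute frames to segments.
$session.StripOriginalVlan    = $false

$vspanSpec              = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
$vspanSpec.Operation    = 'add'
$vspanSpec.VspanSession = $session

$spec                 = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion   = $dvsView.Config.ConfigVersion   # required for reconfigure
$spec.VspanConfigSpec = @($vspanSpec)

# Apply the change; the task handle is returned so the caller can wait on it.
$dvsView.ReconfigureDvs_Task($spec)
```

Two caveats when using this. NormalTrafficAllowed = $false limits what the collector can send through the mirror port, not what it can see, so the exposure the question describes (the sensor holding every egress frame of the listed VMs) remains and has to be handled by hardening the sensor itself and keeping its management vNIC on a separate port group. Restricting SourcePortTransmitted to the ports you actually need to inspect, rather than every port on the switch, is the other lever that shrinks that exposure.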
Accepted Solution
Texiwill
Leadership

Hello,

I think an IDS and analytics are worth it, but if your system is sufficiently large then you may want to route such items through a Gigamon virtual device to be handled by other tools plugged into it.

The real question will be, if you do this, do you have a large enough SIEM to parse all the possible events and correlate them over all your networks? If your intent is to analyze traffic to determine what is false and what is not, then what is the tool you will be using to do this, and how does it fit into your network to give the best response time? If your response is too slow then an event will have passed you by. Active response is critical, but having the data to do so is more so.

If you do not have a tool, then design to what you desire, and then pick a tool that will work to your specifications.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

2 Replies
TheVMinator
Expert

OK, thanks again.
