VMware Cloud Community
MikeErter
Enthusiast

SNORT IDS on VMware

Hi VMware Community,

There has been a lot of discussion on this topic to date, but we'd just like to check in on current practices and the state of the art around running a SNORT IDS on VMware.

We have a large virtualized environment with multiple clusters and virtual distributed switches and our security team is asking if running SNORT on VMware is a viable option.

Thanks for any insights.

Texiwill
Leadership

Hello,

Yes, it is possible; many VM-based security tools have provided Snort-based IDS capabilities or rules. Mainly, be careful that you have scaled the system sufficiently. If you are using a dvSwitch you can use port-mirroring; if you are using VSS you can use portgroup 4096 to redirect; if Nexus 1000V, ERSPAN. There are many ways to get the data to the VM.


Best regards,

--

Edward L. Haletky

VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
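As an added example (not code from the thread or from the poster), this is the VSS variant described above, scripted for an ESXi shell: a dedicated port group that trunks all VLANs and allows promiscuous mode, so a Snort VM's sniffing vNIC on it receives every frame crossing that host's standard vSwitch. The vSwitch name vSwitch0 and port group name SnortSPAN are assumptions; VLAN ID 4095 is the value VMware documents as "all VLANs" for a standard-switch port group. It prints the esxcli commands (dry run) unless DRY_RUN=0, and, as the second reply notes, a VSS port group only sees its own host's traffic, so the IDS must be on that host or fed by a forwarder.

```shell
#!/bin/sh
# Added example: dedicated promiscuous "SPAN" port group on an ESXi standard
# vSwitch (VSS) for a Snort sensor's sniffing vNIC. Assumed names: vSwitch0,
# SnortSPAN. VLAN 4095 = VMware's all-VLAN (VGT) value. Dry run by default:
# commands are printed for review; set DRY_RUN=0 in an ESXi shell to apply.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_span_portgroup VSWITCH PORTGROUP : build a sensor-only port group.
# Promiscuous mode is the only relaxed setting; forged transmits and MAC
# changes stay rejected so the sniffing vNIC is effectively receive-only.
# Put nothing but the IDS sensor's sniffing vNIC on this port group.
create_span_portgroup() {
    vswitch="$1"
    pg="$2"
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$pg" --vswitch-name="$vswitch"
    run esxcli network vswitch standard portgroup set \
        --portgroup-name="$pg" --vlan-id=4095
    run esxcli network vswitch standard portgroup policy security set \
        --portgroup-name="$pg" --allow-promiscuous=true \
        --allow-forged-transmits=false --allow-mac-change=false
}

# show_span_policy PORTGROUP : print the effective security policy so the
# promiscuous setting can be confirmed (and audited) after the change.
show_span_policy() {
    run esxcli network vswitch standard portgroup policy security get \
        --portgroup-name="$1"
}

create_span_portgroup "${1:-vSwitch0}" "${2:-SnortSPAN}"
show_span_policy "${2:-SnortSPAN}"
```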
Jrlouk
Contributor

Were you successful in implementing this? I am currently fighting this fight, as I can't seem to get it to sniff traffic outside of the cluster where the Snort box resides. Were you able to implement this across all environments?

Texiwill
Leadership

Hello,

First, what virtual switch are you using: VSS, VDS, Nexus? Second, is the IDS on the same network, or in need of routing? For VSS you will need a forwarding virtual machine to get data to your IDS. There are several that can do this. For Nexus you just set the ERSPAN port; for VDS it can be tricky, so I need to know which you are using.

Best regards,
Edward L. Haletky