zanmk
Enthusiast

Security monitoring for vSphere

  Hi,

I was looking around for a tool that will monitor security operations performed within virtual infrastructure.

There are nice tools that monitor health or performance but nothing dedicated to security.

So my question is: are there any good enterprise-class tools that will implement security monitoring?

Best regards

Martin

Texiwill
Leadership

Hello,

There are plenty of tools that will monitor several aspects of your virtual environment for security issues, but nothing that is complete. Check out my End to End Virtualization Security whitepaper (http://www.virtualizationpractice.com/?file_id=41) for a good list of tools. They all have monitoring capabilities for their aspect of security.

Monitoring is such a big term, so what exactly are you trying to monitor? Here are some ideas:

* Log Files -> A good SIEM to correlate events to determine who did what, when, where and how is needed, such as RSA enVision, Splunk, LogRhythm, and a few others

* Application Security -> Early Warning systems are usually APM tools to determine if something does not 'act' correctly according to a baseline. Takes a bit more work to use but very helpful

* Network -> IDS, IPS or tools such as Netwitness

* Storage -> a performance management tool would also help, as well as log files

* Memory -> Do you know who is accessing your data stores for snapshot and other memory files? ---> Log Files

* Compute -> FT has an interesting set of issues, so apply best practices.

* General Security Health -> security hardening checking tools (there are a few for vSphere 5, but nothing 100% complete). VMware Configuration Manager (vCM) is a good place to start, as it will check against the current hardening guide and STIG (well, what it can; it is not 100% complete)

* Compliance -> vCM, HyTrust, Catbird, plus many others

* Against Best Practices -> At the moment requires a by hand approach to assessment.

What aspect of Security Monitoring are you interested in?

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
zanmk
Enthusiast

Hi Edward,

I'm looking for a tool that will gather all events related to user actions. By events I mean changes in the configuration of hosts, virtual machines, vCenter and roles.

It would be great to have the opportunity to define custom actions for them or forward them to another monitoring tool, i.e. MS SCOM.

Best regards.
Martin

arturka
Expert

Hi

I'm looking for a tool that will gather all events related to user actions. By events I mean changes in the configuration of hosts, virtual machines, vCenter and roles.

Have you tried to configure vCenter alarms? There are a lot of things which you can monitor (host configuration changes, VM configuration changes etc.) and send SNMP traps to a legacy monitoring system.

Artur

VCDX77 My blog - http://vmwaremine.com
zanmk
Enthusiast

Using alarms is an option, but I was wondering if there are any products like nWorks MP with a set of predefined alarm definitions. Defining alarms from scratch will take time, then a testing phase, integrating with the monitoring infrastructure and finally maintenance. I know that every product, even a commercial one, also requires time and resources before it gets usable, but I want to recognize all the options and then decide.

Best regards.

Martin

michael_40catbi
Enthusiast

Hello Martin,

First, I work for Catbird.

In my review of the market, the following is available:

1. Native VMware capabilities; there's quite a lot there.

2. Hytrust has a very sophisticated solution for controlling privileged users and the management of VMware

3. Reflex competes with Hytrust and provides some network controls

4. Catbird provides the most sophisticated hypervisor and virtualization infrastructure controls

The best solution is a hytrust/catbird combo. Hytrust covers the management plane and Catbird covers the data plane.

Catbird and Hytrust made a joint announcement on this solution here.

Best Regards,

Michael

Follow me on Twitter @ _mberman

Texiwill
Leadership

Hello,

I would look at HyTrust for this level of monitoring.

If the vCenter events are being fed to a third-party tool (via SNMP), then you will get notification that a change occurred but not necessarily what that change was. HyTrust acts as a management gateway and always knows who did what, even if you use SSH to access the management console directly.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

vSphere Upgrade Saga -- Virtualization Security Round Table Podcast -- The Virtualization Practice
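Assuming the vCenter events are already being collected (the alarm/SNMP route Artur describes, or a direct read of the event log), this added Python example, which is not code from VMware or from any product named in the thread, shows what a SIEM would want extracted from them: the who/what/when/where/how for host, VM, vCenter and role changes, plus a flag on Administrator grants. The event type names are real vSphere API event classes; the records, user names, hostnames and addresses are constructed.

```python
import json

# Map vSphere event classes (real vim.event.* type names) to the four
# categories from the question: hosts, VMs, vCenter itself, and roles.
# Events not listed here (logins, power operations) are left out of the feed.
CATEGORIES = {
    "VmReconfiguredEvent": "vm", "VmCreatedEvent": "vm", "VmRemovedEvent": "vm",
    "HostAdminEnableEvent": "host", "HostAdminDisableEvent": "host",
    "AccountCreatedEvent": "host", "AccountRemovedEvent": "host",
    "DvsReconfiguredEvent": "vcenter", "ClusterReconfiguredEvent": "vcenter",
    "RoleAddedEvent": "role", "RoleUpdatedEvent": "role", "RoleRemovedEvent": "role",
    "PermissionAddedEvent": "role", "PermissionUpdatedEvent": "role",
    "PermissionRemovedEvent": "role",
}

# Constructed sample export (not a real vCenter dump). Field names follow
# vim.event.Event; an alarm-driven SNMP trap would carry the event type and
# object name but not the configSpec/principal detail shown here.
SAMPLE_EVENTS = json.dumps([
    {"key": 1001, "eventType": "UserLoginSessionEvent", "createdTime": "2012-05-01T08:00:01Z",
     "userName": "martin", "ipAddress": "10.0.0.5"},
    {"key": 1002, "eventType": "VmReconfiguredEvent", "createdTime": "2012-05-01T08:02:17Z",
     "userName": "martin", "vm": "db01", "host": "esx01.lab.local",
     "configSpec": {"memoryMB": 8192, "numCPUs": 4}},
    {"key": 1003, "eventType": "PermissionAddedEvent", "createdTime": "2012-05-01T08:05:40Z",
     "userName": "martin", "principal": "svc-backup", "role": "Administrator",
     "entity": "Datacenter01"},
])

def audit_records(events_json):
    """Keep only configuration and permission changes, normalised for a SIEM."""
    out = []
    for ev in json.loads(events_json):
        cat = CATEGORIES.get(ev["eventType"])
        if cat is None:
            continue
        # "how": the VM configSpec, or the principal/role pair for permission events
        how = ev.get("configSpec") or {k: ev[k] for k in ("principal", "role") if k in ev}
        out.append({"when": ev["createdTime"], "who": ev["userName"], "category": cat,
                    "what": ev["eventType"],
                    "where": ev.get("vm") or ev.get("entity") or ev.get("host") or "vCenter",
                    "how": how})
    return out

def admin_grants(records):
    """Role changes that hand out Administrator: the ones to alert on immediately."""
    return [r for r in records
            if r["category"] == "role" and r["how"].get("role") == "Administrator"]
```

Each record in the result is a flat dict, so `json.dumps(record)` per line is enough to hand it to a syslog forwarder or SCOM connector.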