VMware Cloud Community
fletch00
Enthusiast

vShield - can it do packet capture?

For over a year, we have used Altor (now acquired by Juniper and called vGW) to allow inter-vm packet capture on our vswitches.

This was a requirement for our security group to allow "merging the ESXi islands"

Now we're running into support issues - vGW will not support vSphere 5 until a new service pack comes out in a "few months".

I am re-examining vswitch security options, including integrated vmware options (which will presumably not have such support issues).

So can vShield or some native VMware module provide the inter-VM visibility requirement (e.g. vSwitch packet capture -> Wireshark)?

Or do we still need to go 3rd party?

thanks for any feedback,

http://vmadmin.info

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
9 Replies
Texiwill
Leadership

Hello,

The short answer is no: vShield by itself cannot do packet capture. However, that is not all there is to this. With vSphere 5 there are 4 ways to do packet capturing for IDS/IPS reasons, depending on what licensing you have.

* Use the Pseudo Span port (portgroup ID 4095) on each vSwitch and then use some other IDS/IPS.

* Use a VMSafe-Net IDS/IPS ala Altor/vGW

* If using a dvSwitch use the Mirror Port capability

* If using the N1KV use the SPAN/ERSPAN port capability

If it was me, and I already purchased Altor for this, I would delay upgrading to vSphere 5 until its product is available. Remember, VMware does not always announce when their products are available, so vendors have to play catch-up. There is also a good chance Altor/vGW will work with vSphere 5 out of the box. BTW, do not count on vShield always being at the latest when products are released; the next version of vShield is not available just yet, and it is a month after GA. However, they may be closer together than perhaps another vendor.

In either case, I would install vSphere 5 in a lab environment first and see what else in your security posture may need to change, be updated, before moving to production. You have found one possible issue, are there others? For me, there are a few more, as I am moving from ESX to ESXi.

Always worth testing.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
admin
Immortal

Sorry, but will be on vacation until 19Sept with no access to mail or cell.

admin
Immortal

Edward,

vShield 5 released on September 1st.

Sent from iPhone. Please excuse typos or terse responses.

michael_40catbi
Enthusiast

Hello,

I work for Catbird.

We integrate vShield 5 in our product and in addition to the native SPI FW, we provide:

  • Packet capture capabilities
  • Micro-segmentation
  • Elastic zoning and security policy enforcement
  • Automated compliance scoring
  • Integrated access control with IDS/IPS
  • Netflow analysis and graphs
  • Many other capabilities

Cheers,

Michael

Texiwill
Leadership

Hello,

Thanks for the update Rob, so vShield 5 came out after GA of vSphere but it was close, perhaps 15 days or a month or so... Which is very good, but it does not add in the ability to perform IDS/IPS out of the box.

Catbird makes use of the Pseudo SPAN, SPAN, and ERSPAN ports available within the virtual network.

For more on how Catbird and others fit into the virtualization security space check out my End-to-End Virtual Environment Security whitepaper.

Best regards,

Edward L. Haletky

admin
Immortal

Totally agree. Just wanted to make sure you were up to date that we released vShield 5 during VMworld.

fletch00
Enthusiast

At the simplest level we'd like the ad-hoc ability to capture inter-VM traffic on the vSwitches.

Is it practical to use Wireshark on vSwitches in promiscuous mode, per http://www.petri.co.il/using-packet-analyzer-on-virtual-network.htm ?

With the distributed vSwitch can I get ALL the VM traffic across all ESXi hosts in the cluster with ONE Wireshark VM?

What would the performance penalty be on a 10gig network that is averaging < 1Gb/sec?

thanks

VCP5 VSP5 VTSP5 vExpert http://vmadmin.info
Texiwill
Leadership

Hello,

Yes, Wireshark as you want to implement it is possible using the Pseudo SPAN port, but I do not know if Wireshark's output is of much use for compliance, as you still need to correlate events, etc. So data gathering is one thing, but use of that data is another issue altogether.

I would not implement something like you are describing just to check a box that yes we are gathering packets, but instead implement something that gives you some better and improved security functionality. Minimally use the data as part of an IDS/IPS solution, or a UAM solution.

If you have a lot of network traffic you will be writing terabytes of packet captures to disk; this will require you to have a very large storage implementation for a continual capture, depending on how long it is required to legally be stored. The greatest impact will not be the network but the storage subsystem where the packet captures are written to disk. You may have to use some sort of caching layer to improve performance.

Best regards,

Edward L. Haletky

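The Pseudo SPAN option from the first reply (portgroup VLAN ID 4095 plus promiscuous mode) and the Wireshark-VM approach discussed in the last exchange, as an added PowerCLI example that is not from the thread or from VMware. It assumes a vCenter at vcenter.example.com, a host esx01.example.com with a standard vSwitch named vSwitch1, and a capture VM named capture-vm; all of those names are placeholders. It scopes promiscuous mode to the one capture portgroup rather than the whole vSwitch, and finishes with an audit that lists every portgroup where promiscuous mode is allowed, so stray monitoring ports show up in review.

```powershell
# Added example, not the thread's or VMware's own code. Placeholder names:
# vcenter.example.com, esx01.example.com, vSwitch1, capture-vm.
Connect-VIServer -Server vcenter.example.com

$vmhost  = Get-VMHost -Name esx01.example.com
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch1

# 1. Pseudo SPAN portgroup. VLAN ID 4095 (Virtual Guest Tagging) hands the
#    capture VM frames from every VLAN on this vSwitch with the 802.1Q tag
#    still on them, so the guest NIC driver must accept tagged frames.
$pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name "PseudoSPAN-4095" -VLanId 4095

# 2. Allow promiscuous mode on this portgroup only. Leaving it rejected at the
#    vSwitch level means ordinary VMs cannot opt in to seeing each other's
#    traffic; MAC changes and forged transmits stay rejected so the capture
#    VM is listen-only.
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -MacChanges $false -ForgedTransmits $false

# 3. Put the capture VM's second adapter on the portgroup; adapter 1 stays on
#    the management network for reaching Wireshark remotely.
Get-VM -Name "capture-vm" | Get-NetworkAdapter |
    Where-Object { $_.Name -eq "Network adapter 2" } |
    Set-NetworkAdapter -NetworkName "PseudoSPAN-4095" -Confirm:$false

# 4. Audit across all hosts: any portgroup allowing promiscuous mode other
#    than the named capture portgroup is a finding to follow up.
Get-VMHost | Get-VirtualPortGroup | Get-SecurityPolicy |
    Where-Object { $_.AllowPromiscuous -eq $true } |
    Select-Object VirtualPortGroup, AllowPromiscuous, MacChanges, ForgedTransmits |
    Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Note that a standard vSwitch is host-local, so this capture VM only sees traffic on esx01's vSwitch1; covering every host in a cluster from one VM needs the dvSwitch mirror port or N1KV SPAN/ERSPAN options the first reply lists.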