For over a year, we have used Altor (now acquired by Juniper and called vGW) to allow inter-vm packet capture on our vswitches.
This was a requirement from our security group to allow "merging the ESXi islands".
Now we're running into support issues - vGW will not support vSphere 5 until a new service pack comes out in a "few months",
I am re-examining vswitch security options, including integrated vmware options (which will presumably not have such support issues).
So can vShield or some native VMware module provide the inter-VM visibility requirement (e.g. vSwitch packet capture -> Wireshark)?
Or do we still need to go 3rd party?
Thanks for any feedback.
Hello,
The short answer is no, vShield by itself cannot do packet capture, however, that is not all there is to this. With vSphere 5 there are 4 ways to do packet capturing for IDS/IPS reasons, depending on what licensing you have.
* Use the Pseudo SPAN port (portgroup ID 4095) on each vSwitch and then use some other IDS/IPS.
* Use a VMsafe-Net IDS/IPS a la Altor/vGW.
* If using a dvSwitch, use the Mirror Port capability.
* If using the N1KV, use the SPAN/ERSPAN port capability.
If it were me, and I had already purchased Altor for this, I would delay upgrading to vSphere 5 until its product is available. Remember, VMware does not always announce when their products are available, so vendors have to play catch-up. There is also a good chance Altor/vGW will work with vSphere 5 out of the box. BTW, do not count on vShield always being at the latest when products are released; the next version of vShield is not available just yet, and it is a month after GA. However, they may be closer together than perhaps another vendor.
In either case, I would install vSphere 5 in a lab environment first and see what else in your security posture may need to change or be updated before moving to production. You have found one possible issue; are there others? For me, there are a few more, as I am moving from ESX to ESXi.
Always worth testing.
Best regards,
Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf
Sorry, but will be on vacation until 19Sept with no access to mail or cell.
Edward,
vShield 5 released on September 1st.
Hello,
I work for Catbird.
We integrate vShield 5 in our product and in addition to the native SPI FW, we provide:
Cheers,
Michael
Hello,
Thanks for the update Rob, so vShield 5 came out after GA of vSphere, but it was close, perhaps 15 days or a month or so... Which is very good, but it does not add the ability to perform IDS/IPS out of the box.
Catbird makes use of the Pseudo SPAN, SPAN, and ERSPAN ports available within the virtual network.
For more on how Catbird and others fit into the virtualization security space check out my End-to-End Virtual Environment Security whitepaper.
Best regards,
Edward L. Haletky
Totally agree. Just wanted to make sure you were up to date that we released vShield 5 during VMworld.
At the simplest level we'd like the ad-hoc ability to capture inter-VM traffic on the vSwitches.
Is it practical to use Wireshark on vSwitches in promiscuous mode per http://www.petri.co.il/using-packet-analyzer-on-virtual-network.htm ?
With the distributed vSwitch can I get ALL the VM traffic across all ESXi hosts in the cluster with ONE Wireshark VM?
What would the performance penalty be on a 10 Gig network that is averaging < 1 Gb/sec?
Thanks
Hello,
Yes, Wireshark as you want to implement it is possible using the Pseudo SPAN port, but I do not know if Wireshark's output is of much use for compliance, as you still need to correlate events, etc. So data gathering is one thing, but use of that data is another issue altogether.
I would not implement something like you are describing just to check a box that yes, we are gathering packets, but instead implement something that gives you some better and improved security functionality. Minimally, use the data as part of an IDS/IPS solution, or a UAM solution.
If you have a lot of network traffic you will be writing terabytes of packet captures to disk; this will require you to have a very large storage implementation for a continual capture, depending on how long it is legally required to be stored. The greatest impact will not be the network but the storage subsystem where the packet captures are written to disk. You may have to use some sort of caching layer to improve performance.
Best regards,
Edward L. Haletky
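The Pseudo SPAN approach discussed in this thread relies on a promiscuous-mode portgroup on VLAN 4095. The PowerCLI below is an added example (not from any poster or vendor in this thread) showing how to scope that to one dedicated capture portgroup rather than the whole vSwitch, and how to audit which portgroups already allow promiscuous mode; the host name, vSwitch name and portgroup name are assumed placeholders.

```powershell
# Added example: create a dedicated VLAN-4095 (VGT) capture portgroup with
# promiscuous mode enabled only on that portgroup, then audit all hosts for
# any portgroup that allows promiscuous mode. Names below are placeholders.
$hostName  = 'esxi01.example.local'   # placeholder ESXi host
$vSwitch   = 'vSwitch0'               # placeholder standard vSwitch
$captPg    = 'Capture-PG'             # portgroup the Wireshark VM attaches to

$vmHost = Get-VMHost -Name $hostName
$vs     = Get-VirtualSwitch -VMHost $vmHost -Name $vSwitch

# VLAN 4095 = all VLANs trunked to the port (the "Pseudo SPAN" of the thread).
$pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $captPg -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $captPg -VLanId 4095
}

# Override the inherited vSwitch policy on this portgroup only; the vSwitch
# itself keeps promiscuous mode rejected so ordinary VMs cannot sniff.
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

# Audit: list every portgroup in the inventory that allows promiscuous mode.
# Anything other than the intended capture portgroup is worth investigating.
Get-VMHost | Get-VirtualPortGroup | Get-SecurityPolicy |
    Where-Object { $_.AllowPromiscuous } |
    Select-Object @{n='Host';e={$_.VirtualPortGroup.VMHost.Name}},
                  @{n='PortGroup';e={$_.VirtualPortGroup.Name}},
                  AllowPromiscuous, AllowPromiscuousInherited |
    Format-Table -AutoSize
```

Attach only the capture VM's vNIC to the capture portgroup; a promiscuous portgroup on a standard vSwitch sees traffic on that host only, so a dvSwitch mirror session is needed for cluster-wide visibility from a single VM.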