I am about to migrate from a physical server environment to a VMware environment as well as integrate some security monitoring (Host IDS being one of them) into the new configuration. I'm in the process of talking with two MSSPs, and one of them has suggested a configuration that appears to be efficient and cost-effective; however, I'm not 100% convinced it will work as described to me.
My new environment, among other things, will consist of 3 physical servers running VMware with load balancing and auto-failover and 2 separate servers (not running VMware) dedicated to taking care of our Active Directory needs.
What one of the MSSPs is recommending is that they place the CSA modules for the HIDS on the 2 Active Directory servers, which all of our users must authenticate through before they are connected to any of the other servers in any manner, instead of placing a CSA module on each of the VMware servers. This would not only be more cost-effective than installing CSA on each virtual server, but would also simplify our monitoring when our environment grows and we add additional virtual servers into the environment by removing the "learning" mode of each CSA.
Has anyone seen this type of configuration before? If so, did it work as desired (provided HIDS monitoring on all of the virtual servers once the user authenticated through the Active Directory server)? If not, does anyone have any educated doubts about whether or not it will work?