Tuesday, July 3, 2007

Extending IDS into the virtual environment

I'm going to just credit my colleague Nick for this idea, and maybe someday he can point to this blog post to prove that he thought of it first.

We've been exploring our options for IDS visibility into a virtual switch, in order to monitor traffic between VMs; that is, traffic that never shows up on the physical NIC. I've discovered, though I still need to confirm it, that if you allow a virtual NIC on a VM to enter promiscuous mode on VMware ESX Server, the virtual switch port effectively becomes a span port. Based on this, I've been trying to think of an efficient way to shuttle that sniffed traffic off the VM and get it where it needs to go.
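One way to do that shuttling, as an added example that is not from the original post: a small forwarder that runs on a Linux sniffer VM whose vNIC sits on the virtual switch, requests promiscuous mode on that interface via a raw AF_PACKET socket, and ships every captured frame inside a UDP datagram to a sensor sitting elsewhere. The tunnel header format is constructed for this example (it is not a standard encapsulation), the interface name, collector address and port are placeholders, and it assumes the vSwitch policy allows promiscuous mode as the post describes and that the script runs as root. The one edge case it handles is the feedback loop: on a promiscuous port the sniffer also sees its own tunnel datagrams, so those must be filtered out before forwarding.

```python
"""Forward frames sniffed from a promiscuous vNIC to a remote IDS sensor over UDP.

Added example (not the blog's code). Linux-only: uses AF_PACKET raw sockets.
"""
import socket
import struct
import sys
import time

# Tunnel header (constructed for this example): capture time as seconds and
# microseconds, then the original frame length, followed by the raw frame.
TUNNEL_HDR = struct.Struct("!IIH")
ETH_P_ALL = 0x0003
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
# From <linux/if_packet.h>; Python's socket module does not export these.
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1


def parse_frame(frame):
    """Return (src_mac, dst_mac, ethertype, payload), skipping one 802.1Q tag.
    Returns None for a runt frame."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        etype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return src, dst, etype, frame[offset:]


def udp_dst_port(frame):
    """Destination UDP port of an IPv4/UDP frame, or None for anything else."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[2] != ETHERTYPE_IPV4:
        return None
    ip = parsed[3]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    return struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]


def is_tunnel_traffic(frame, tunnel_port):
    """True if this frame is one of our own tunnel datagrams. A promiscuous
    vSwitch port shows the sniffer everything on the switch, including what it
    just sent; without this filter each forwarded frame would be captured and
    forwarded again, forever."""
    return udp_dst_port(frame) == tunnel_port


def encapsulate(frame, ts):
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return TUNNEL_HDR.pack(sec, usec, len(frame)) + frame


def decapsulate(datagram):
    """Inverse of encapsulate(); raises ValueError on a short or truncated datagram."""
    if len(datagram) < TUNNEL_HDR.size:
        raise ValueError("short tunnel datagram")
    sec, usec, wirelen = TUNNEL_HDR.unpack_from(datagram)
    frame = datagram[TUNNEL_HDR.size:]
    if len(frame) != wirelen:
        raise ValueError("truncated frame in tunnel datagram")
    return sec + usec / 1_000_000, frame


def build_sample_frame(dst_port):
    """Constructed IPv4/UDP Ethernet frame used for testing the parser offline."""
    eth = bytes.fromhex("005056000001") + bytes.fromhex("005056000002") + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, IPPROTO_UDP, 0, 0])
    ip += bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 5])
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    return eth + ip + udp


def open_promiscuous(iface):
    """Raw socket bound to iface, with promiscuous mode requested for it."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    # struct packet_mreq: ifindex, type, alen, address[8]
    mreq = struct.pack("iHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\0" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


def forward_loop(iface, collector_host, collector_port):
    sniff = open_promiscuous(iface)
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        frame = sniff.recv(65535)
        if is_tunnel_traffic(frame, collector_port):
            continue
        out.sendto(encapsulate(frame, time.time()), (collector_host, collector_port))


if __name__ == "__main__":
    # usage (placeholders): python vsniff_forward.py eth1 10.0.0.5 4789
    forward_loop(sys.argv[1], sys.argv[2], int(sys.argv[3]))
```

On the sensor side, a receiver reads each datagram, calls decapsulate(), and hands the frame to the IDS (or writes it to a pcap). Two design points worth checking in practice: the tunnel should leave the sniffer VM on a different interface than the one being monitored, so the forwarded copies never compete with the traffic you are trying to see; and the port filter above is a last line of defence for the feedback loop, not a substitute for that separation.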

Nick suggested that Sourcefire (and IDS vendors in general) should simply offer a virtual version of their IPS appliance that you can bring up on your VMware server. This is so head-slappingly obvious that I can't believe it's not currently an option.

