In an article titled VMware dispels virtualization myths, Bridget Botelho wrote:
"One significant issue with virtual machine security is with virtual switch isolation," said Burton Group's Wolf. "The current all-or-nothing approach to making a virtual switch 'promiscuous' in order to connect it to an IDS/IPS is not favorable to security."
For example, "if you connect an IDS appliance to a virtual switch in promiscuous mode," Burton said, "not only can the IDS capture all of the traffic traversing the switch, but every other VM on the same virtual switch in promiscuous mode could capture each other's traffic as well. Users should be aware of this and work around it."
This is an overall decent article but parts are very misleading.
I got in touch with Andrew Lambeth of VMware's Networking team for clarification. This is what he had to say:
We allow (and encourage) users to configure only the vswitch ports they really need to be promiscuous as such. This is *not* an all or nothing vswitch setting as was stated, but rather a per *portgroup* setting. The vswitch-wide setting that probably confused him is not the only way to enable promiscuous mode. The right way to configure a vswitch for IDS/IPS is to create a separate portgroup from those used for normal VMs and configure only that portgroup for "Promiscuous Allowed". This prevents any normal VMs connected to the other portgroups on the vswitch from being allowed to sniff traffic not intended for them while allowing only the IDS/IPS VM to sniff.
So, there. That myth should now be laid to rest. But also a lesson learned: press journalists should try to do some fact-checking before posting articles!
I rather enjoyed the following quote though:
Analyst Chris Wolf of Midvale, Utah-based Burton Group said that from a reliability standpoint, running applications on a VM may be even more secure than running them on a dedicated physical machine.

I think what the originator
I think what the originator is trying to get at is that there is no way to monitor the virtual switch. While moving to separate port groups does help in sending the traffic back out to the real switch, it does increase operational overhead and moves the problem away from VMware.
What is happening in the Cisco relationship is maybe a better question. Will we get a Cisco virtual switch, and if so, will we get the logging we crave and need? VMware always promotes using internal virtual switches in security setups and DMZs; to make that a reality we need logging at the vswitch layer.
Monitoring the vswitch is possible today
Actually what is being described here is a way to monitor traffic on the virtual switch from a VM, *not* pushing the traffic out to an external switch. You connect your IDS VM to the vswitch using a portgroup with promiscuous mode, and then it can see all the traffic on the vswitch (or just on one VLAN if you prefer). Using a separate portgroup for the IDS VM is done in order to prevent the other VMs from being able to sniff each other's traffic (which was Chris's original complaint).
These are very interesting
These are very interesting questions. However, I don't have the answers. I'll be sure to update here if anything relevant comes up.
Irfan
My apologies
Irfan, please disregard my previous comment. I validated some of my incorrect assumptions with testing last night and notified Warren Wu of my results. IDS integration with ESX is very easy when the IDS is placed in an isolated promiscuous-enabled port group. I plan to post an article regarding this issue on SearchServerVirtualization.com to further clarify. I also plan to contrast ESX IDS integration with that of other virtualization platforms (XenSource, Virtual Iron, MS Virtual Server).
Thanks for helping me get to the bottom of my own incorrect assumptions.
~Chris Wolf
Glad to help
Hey Chris:
You are welcome. I'm glad we got to the bottom of this. Also very happy to see that you acted quickly in researching and correcting the information surrounding this issue.
I noticed that Bridget Botelho has posted a new article with clarifications. Good to see that.
Irfan
ps. Sorry for the late reply. I was out at the IEEE IISWC 2007 conference in Boston presenting a paper last week. I'll blog about that experience and the paper shortly.
The Problem Still Remains
The argument that multiple port groups solve the problem, in my opinion, is a stretch. In a typical IDS deployment, all VMs monitored by an IDS would be in the same port group. There is no intelligence in ESX to specify a many-to-one mirror for unicast traffic. In other words, ESX has no idea which port in a port group connects to the IDS. So ultimately when a port group is set to promiscuous mode - accept, all ports in the port group are mirrored to each other. This allows the IDS appliance, along with all other VMs in the port group, to capture the unicast traffic of each VM in the port group.
IMHO, placing multiple nodes in a promiscuous-enabled port group is a security risk. Port groups alone do not solve the security issue. VMware needs to engineer a monitor port as part of the vswitch and port group architecture that allows administrators to configure many-to-one port mirroring. This would allow administrators to connect an IDS to a network segment using the same approach that's used with physical switches today.
I'm glad you enjoyed my reliability quote. :)
~Chris Wolf
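An added audit script (not VMware's code and not from this blog) that checks the two points raised above: Lambeth's per-portgroup "Promiscuous Allowed" setting should be on for the IDS portgroup only, and, per Wolf's follow-up, that portgroup must hold nothing but the sensor VM, since every VM in a promiscuous portgroup can sniff its neighbours. The esxcli command it mirrors, the portgroup name IDS-Monitor, the VM names and the inventory are assumptions; the policy output it parses is a constructed sample in esxcli's output shape.

```shell
#!/bin/sh
# Audit standard-vSwitch promiscuous policy: only the IDS portgroup may allow
# promiscuous mode, and the IDS portgroup may contain only the sensor VM.
IDS_PORTGROUP="${IDS_PORTGROUP:-IDS-Monitor}"   # assumed sensor portgroup name
IDS_VM="${IDS_VM:-ids-sensor-01}"               # assumed sensor VM name

# Constructed stand-in for
#   esxcli network vswitch standard portgroup policy security get -p "<pg>"
# (assumption: the modern esxcli form of the "Promiscuous Allowed" checkbox).
portgroup_policy() {
  case "$1" in
    IDS-Monitor)  printf '   Allow Promiscuous: true\n   Allow Forged Transmits: false\n' ;;
    "VM Network") printf '   Allow Promiscuous: false\n   Allow Forged Transmits: false\n' ;;
    DMZ-Web)      printf '   Allow Promiscuous: true\n   Allow Forged Transmits: false\n' ;;
    *) return 1 ;;
  esac
}

# Constructed "VM<TAB>portgroup" inventory (on a real host this would be built
# from esxcli network vm list / esxcli network vm port list).
vm_inventory() {
  printf 'ids-sensor-01\tIDS-Monitor\nweb01\tDMZ-Web\nweb02\tDMZ-Web\napp01\tVM Network\n'
}

# promisc_allowed PG -> prints "true" or "false" parsed from the policy output
promisc_allowed() {
  portgroup_policy "$1" | awk -F': *' '/^ *Allow Promiscuous:/ { print tolower($2) }'
}

# audit_portgroups PG... : prints one FAIL line per finding, returns 1 if any
audit_portgroups() {
  rc=0
  for pg in "$@"; do
    if [ "$(promisc_allowed "$pg")" = true ] && [ "$pg" != "$IDS_PORTGROUP" ]; then
      echo "FAIL $pg: promiscuous allowed outside the IDS portgroup"
      rc=1
    fi
  done
  # Wolf's point: all ports in a promiscuous portgroup see each other's unicast
  # traffic, so any non-sensor VM in the IDS portgroup is a finding.
  vm_inventory | awk -F'\t' -v pg="$IDS_PORTGROUP" -v ids="$IDS_VM" \
    '$2 == pg && $1 != ids { print "FAIL " $1 ": non-sensor VM in " pg }' | grep . && rc=1
  return $rc
}

if audit_portgroups "IDS-Monitor" "VM Network" "DMZ-Web"; then
  echo "vswitch promiscuous policy looks sane"
fi
```

On a host, replace portgroup_policy and vm_inventory with the real esxcli calls; the sample as written flags DMZ-Web, which allows promiscuous mode for ordinary web VMs.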
When connecting a VM to
When connecting a VM to portgroup 4096 (or was it 4095), it is able to monitor the whole vSwitch.
Gabrie
http://www.GabesVirtualWorld.com