I will be deploying SO in 8 different sites on vSphere that will also be running other VMs on different VLANs (IP ranges). I have configured a virtual promiscuous interface on the vSphere host which includes all the VLANs on my network and connected it to the monitoring interface of my SO sensor.
My question is, will this capture all traffic, or do I still need to configure a SPAN port on the physical switch?
Allocation of memory and space should not be a problem. Thanks
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
Visit this group at https://groups.google.com/group/security-onion.
Was hoping I didn't have to do that. Will SPAN ports affect the other VMs running on the ESXi host?
If you're in a Cisco environment, you may want to consider using VACLs, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html (this is 6500 documentation, but the feature exists on Nexus and other product lines as well). Otherwise, an option is to consider using a packet broker such as Gigamon, Big Switch, or Ixia. I prefer Gigamon, but they are expensive, especially when it comes to their support. The benefit of a packet broker is that there are options to filter, dedupe, and splice traffic to help make your sensors and other network monitoring tools more efficient by only sending them the data they actually need.
It depends on what you are trying to capture. If you are trying to capture everything that is in the virtual environment and nothing else outside of that, then you do not need a SPAN port. If you are trying to capture traffic that is on the physical environment, then you will need a SPAN port or TAP. To tap the virtual environment, you can create a SPAN instance that sends everything to a virtual NIC, attach that virtual NIC to your SO VM, make it a sensor only, and forward those logs to an SO server. It works great; the only issue is that in order for it to work, the machines you are tapping have to be on the same physical server, including the TAP you created inside ESXi. It sounds harder than it really is, but it works.
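Whether the promiscuous port group is enough, or a physical SPAN is still needed, comes down to what the sensor's monitoring NIC actually receives. The check below is an added example (not from the original thread, and not Security Onion code): it parses `tcpdump -nn -e -i <monitor_if>` output, tallies frames per 802.1Q VLAN, lists expected VLANs that never appear, and flags source MACs outside the VMware OUIs, which would mean traffic from a physical host is reaching the virtual port group (only where a local VM is one endpoint, as the answer above notes). The sample capture lines, the VMware OUI list and the expected VLAN set are constructed for the example; extend the OUI list for your own environment. One practical caveat when interpreting the result: on a standard vSwitch the monitoring port group must be set to VLAN ID 4095 (all VLANs, tags preserved) for the sensor to see tagged frames from more than one VLAN at all.

```python
"""
Sanity check for a promiscuous monitoring interface on an ESXi host:
which VLANs, and which kinds of source hosts, does the sensor NIC see?

Input is the text output of `tcpdump -nn -e -i <monitor_if>`; the -e flag
is required because the parser keys on the source/destination MACs and on
the "ethertype 802.1Q ... vlan N" prefix tcpdump prints for tagged frames.
"""
import re
from collections import Counter

# VMware OUIs (assumed list for this example; extend for your environment).
VMWARE_OUIS = ("00:50:56", "00:0c:29", "00:05:69")

# tcpdump -e line shape:
#   <ts> <src> > <dst>, ethertype 802.1Q (0x8100), length N: vlan V, p P, ethertype IPv4 (0x0800), ...
#   <ts> <src> > <dst>, ethertype IPv4 (0x0800), length N: ...            (untagged frame)
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<et>[\w.]+) \(0x[0-9a-f]{4}\), length \d+:"
    r"(?: vlan (?P<vlan>\d+), p \d+,)?"
)


def parse_frame(line):
    """Return {src, dst, vlan} for one tcpdump -e line, or None if it is not a frame line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    vlan = m.group("vlan")
    return {"src": m.group("src"), "dst": m.group("dst"),
            "vlan": int(vlan) if vlan is not None else None}


def summarize(lines, expected_vlans):
    """Tally frames per VLAN and report coverage gaps and non-VMware source MACs."""
    per_vlan = Counter()
    untagged = 0
    foreign = set()  # source MACs that do not belong to a VMware OUI
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue  # tcpdump banner/continuation lines, not frames
        if frame["vlan"] is None:
            untagged += 1
        else:
            per_vlan[frame["vlan"]] += 1
        if not frame["src"].startswith(VMWARE_OUIS):
            foreign.add(frame["src"])
    seen = set(per_vlan)
    return {
        "per_vlan": dict(per_vlan),
        "untagged": untagged,
        "foreign_sources": sorted(foreign),
        "missing_vlans": sorted(set(expected_vlans) - seen),
        "unexpected_vlans": sorted(seen - set(expected_vlans)),
    }


# Constructed sample capture: two VM-to-VM frames on VLAN 10, one on VLAN 20,
# one frame from a non-VMware MAC (a physical host) on VLAN 30, one untagged frame.
SAMPLE = """\
10:01:02.000001 00:50:56:a1:b2:c3 > 00:50:56:d4:e5:f6, ethertype 802.1Q (0x8100), length 78: vlan 10, p 0, ethertype IPv4 (0x0800), 10.0.10.5.443 > 10.0.10.20.51234: Flags [.], ack 1, win 501, length 0
10:01:02.000150 00:0c:29:11:22:33 > 00:50:56:a1:b2:c3, ethertype 802.1Q (0x8100), length 98: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.20.7 > 10.0.10.5: ICMP echo request, id 1, seq 1, length 64
10:01:02.000300 00:50:56:a1:b2:c3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP (0x0806), Request who-has 10.0.10.1 tell 10.0.10.5, length 46
10:01:02.000420 00:1a:2b:3c:4d:5e > 00:50:56:d4:e5:f6, ethertype 802.1Q (0x8100), length 78: vlan 30, p 0, ethertype IPv4 (0x0800), 192.168.30.9.22 > 10.0.10.20.40000: Flags [P.], seq 1:33, ack 1, win 501, length 32
10:01:02.000500 00:50:56:d4:e5:f6 > 00:50:56:a1:b2:c3, ethertype IPv4 (0x0800), length 66: 10.0.10.20.51234 > 10.0.10.5.443: Flags [.], ack 1, win 501, length 0
"""

if __name__ == "__main__":
    import sys
    # Assumed usage: tcpdump -nn -e -i ens224 -c 5000 | python3 monitor_check.py 10,20,30,40
    expected = {int(v) for v in sys.argv[1].split(",")} if len(sys.argv) > 1 else {10, 20, 30, 40}
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    report = summarize(source, expected)
    for key, value in report.items():
        print(f"{key:18} {value}")
```

Reading the report: a VLAN in `missing_vlans` means either no VM on this host talks on it or the port group is not trunking it; entries in `foreign_sources` show that some physical-side traffic is visible, but only the flows that terminate on a VM on this host, so anything purely between physical hosts (or VMs on other hosts) still needs the switch-side SPAN, VACL capture or TAP discussed in the replies.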