Comments on Sharkfest Presentation Materials

I saw that presentations from Sharkfest 2010 are now posted. This is the third year that CACE Technologies has organized this conference. I've had conflicts each of the last three years, but I think I need to reserve the dates for 2011 when they are available. In this post I wanted to mention a few slides that looked interesting.

Jasper Bongertz presented Wireshark vs the Cloud (.pdf). I reviewed this presentation to see if anyone is doing something novel regarding monitoring Cloud environments. In the slide at right you see his first option is to install a monitoring tool inside a VM. That's standard.

In the next slide you see his second option is to select a link upstream from the VM server and tap that line. That's standard too. I know of some cloud providers who use this strategy and then filter the results. You will likely need some robust equipment, depending on how active the link is.

In the last slide you see that future options include ensuring that the virtual switch in the VM server provides instrumentation options. From my limited understanding this should be the case with expensive solutions like the Cisco Nexus 1000v, but I don't have any personal experience with that. Any comments from blog readers?

I also wanted to mention SPAN Out of the Box (.pdf) by John He of Dualcomm Technology. In his presentation he advocates replacing a tap with a switch used only for port mirroring, as shown in the slide at left. He's mainly trying to compete on price, since his "USB Powered 5-Port Gigabit Desktop Switch with Port-Mirroring & PoE Pass-Through" sells for $139.95 on his Web site. I'll ask Mr He if I could get a demo switch to see how well it works.

Comments

stretch said…
For anyone interested, the "SPAN Out of the Box" video has been posted here: http://lovemytool.blip.tv/file/3783358/ Not sure about the other one.
Anonymous said…
This is a comment about the third slide.

The settings of a regular virtual switch allow you to set promiscuous mode on the whole switch or on a single port group. With this option you can create something similar to a hub. This way you can implement IDS or do troubleshooting with Wireshark.

With the new distributed switch you can do that also, but you can also install a 3rd party distributed switch, the Cisco Nexus 1000V. I suppose that with this switch you can have more control and maybe create SPAN ports.
Jasper Bongertz said…
Hi Richard,
thanks for taking interest in my Sharkfest presentation, a friend gave me a heads up about your site :-)

Regarding the new capture strategies I mention in my presentation I told my audience that while you can use Promiscuous vSwitch mode to get to the packets on a vSwitch it might flood you with too much data in case of hundreds of VMs being active on that particular vSwitch, so you have to use that option with care.

Virtual SPAN sessions are possible using the Cisco Nexus 1000v switch, and as far as I know the SPAN even "travels" with the VM in case it gets moved by manual vMotion or DRS. I haven't had the time to set up a 1000v yet since it is a little complicated, but what I know I took from the official Cisco documentation.

Virtual Taps are something I expect to be used in the future; right now Wildpackets has something like it where they use a special VM that redirects the traffic to an external capture device.

BTW someone recorded my session too I think, but the guy doesn't seem to post it anywhere and I have no contact info to ask him.
