Configuring Virtual Switches for Use with PVS February 7, 2014 (Revision 1)
Table of Contents

Introduction
Basic PVS VM Configuration
Platforms
VMware ESXi 5.5
Configure the ESX Management Portal
Step 1: Configure Networking
Step 2: Create a New Port Group
Step 3: Select the Virtual Machine
Step 4: Name Port Group and Set VLAN ID
Step 5: Edit Port Group
Step 6: Enable Promiscuous Mode
Configure the PVS VM
Step 1: Configure Properties
Step 2: Start the PVS VM
VMware vSphere 5
Configure VDS
Step 1: Select VDS for Port Mirroring
Step 2: Select a Session Type
Step 3: Configure Port Mirror Set
Step 4: Select Ports to be Monitored
Step 5: Select Destination Port
Step 6: Review Information and Apply
Microsoft Hyper-V
Set Mirroring Destination Port
Configure Mirrored Ports
For More Information
About Tenable Network Security
Introduction

The Tenable Passive Vulnerability Scanner (PVS) monitors network traffic at the packet layer to determine topology and identify services, security vulnerabilities, suspicious network relationships, and compliance violations. Passive Vulnerability Scanner provides visibility into both server and client-side vulnerabilities, discovers the use of common protocols and services (e.g., HTTP, SQL, file sharing), and performs full asset discovery for IPv4, IPv6, and hybrid networks.

Virtualization of server rooms adds a challenge to network monitoring. Traffic between VMs on the same virtual switch never reaches the physical switch, so it is invisible to monitoring tools attached to the physical network. Tenable's Passive Vulnerability Scanner can passively scan virtual network traffic between VMs that share a virtual switch with a deployed PVS VM.

This document provides an overview of the standard methods of configuring the virtual switches in various systems to give PVS a SPAN or mirror port that gathers data from inside the virtual network between VMs. While some platforms can send monitored traffic to a remote host, the guidance in this document describes an environment where PVS runs as a VM within the virtual switch cluster. The exact options chosen will vary with local monitoring requirements.

The platforms used to generate the technical steps in this document were configured with the most recent versions of the software at the time of writing. If you are using older or newer software revisions, some of these steps may vary.

Basic PVS VM Configuration

The first step in the process is to install a PVS VM that is attached to the virtual switch's SPAN or mirror port. Tenable's VM Appliance can be used for this purpose.
The Tenable Appliance VM and its documentation can be downloaded from the Tenable Support Portal and installed as many times as your license allows. When configuring the appliance, ensure that its network adapters include the monitoring port(s) of the virtual switch. In the PVS configuration, confirm that the monitored interface(s) are the ones attached to the ports configured for mirroring.

Platforms

VMware ESXi 5.5

Configuring the standard virtual switch provided with VMware ESXi for monitoring uses a port group whose security policy allows promiscuous mode. Attach only the VMs that will monitor traffic to this port group: any VM using it can see all traffic passing through the virtual switch on the VLAN(s) the port group carries, so leave the vSwitch-level policy at Reject and enable promiscuous mode on this one port group only.

Configure the ESX Management Portal

The following steps are performed on the ESX Management Portal.
Step 1: Configure Networking

Log in to the ESX management portal and navigate to the Configuration tab for the ESXi host. Select Networking from the Hardware list and click on Properties.
Step 2: Create a New Port Group

From the Properties page, under the Ports tab, click Add to create a new port group.
Step 3: Select the Virtual Machine

In the displayed window, select Virtual Machine and click Next.
Step 4: Name Port Group and Set VLAN ID

Set a descriptive name for the new port group and a VLAN ID, if desired. Setting the VLAN ID to 4095 selects VMware's special Virtual Guest Tagging mode, in which the port group passes frames from every VLAN on the virtual switch to the VM with their 802.1Q tags intact; the PVS VM's network driver must therefore accept tagged frames. Once set, click Next and then Finish.
Step 5: Edit Port Group

After returning to the Properties page, select your new port group and click Edit.
Step 6: Enable Promiscuous Mode

On the port group properties page, select the Security tab and click the checkbox next to Promiscuous Mode. From the drop-down menu select the Accept option. Once set, click OK.

Configure the PVS VM

The following steps are performed on the Properties tab of the PVS VM within the VM platform. For further guidance on configuring PVS, refer to the PVS User Guide available on the Tenable Support Portal.
Step 1: Configure Properties

After creating the port group on the ESX management console, navigate to the Properties tab of the PVS VM within the VM platform. Create or edit a network adapter for PVS that will be used to monitor the virtual switch activity. In the Properties area of the adapter settings, set the Network Connection's network label to the newly created port group. Select OK to apply the settings.
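The same procedure can be scripted, which makes it easier to repeat on several hosts and to verify that promiscuous mode is enabled on the monitoring port group only. The following PowerCLI script is an added example and is not part of the Tenable document; it covers Steps 1 through 6 of the port group procedure above, the adapter assignment in Step 1 of this section, and powering the VM on. The host name esxi01.example.com, the switch name vSwitch0, the port group name PVS-Monitor, the VM name pvs-appliance and the adapter name "Network adapter 2" are assumptions for illustration.

```powershell
# Added example, not from the Tenable document. Assumed names: host
# esxi01.example.com, standard switch vSwitch0, port group "PVS-Monitor",
# PVS VM "pvs-appliance" with its monitoring NIC "Network adapter 2".
Connect-VIServer -Server esxi01.example.com

$vmhost  = Get-VMHost -Name esxi01.example.com
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch0

# Steps 2-4: a VM port group on VLAN 4095 (Virtual Guest Tagging) delivers
# frames from every VLAN on the vSwitch to the VM with 802.1Q tags intact.
$pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name "PVS-Monitor" -VLanId 4095

# Steps 5-6: allow promiscuous mode on this port group only; the vSwitch-level
# policy stays at Reject. A monitoring NIC never needs to transmit, so forged
# transmits and MAC changes are rejected too.
Get-SecurityPolicy -VirtualPortGroup $pg |
    Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $false -MacChanges $false

# Check the effective policy on the port group and on the parent vSwitch.
Get-SecurityPolicy -VirtualPortGroup $pg | Format-List AllowPromiscuous, ForgedTransmits, MacChanges
Get-SecurityPolicy -VirtualSwitch $vswitch | Format-List AllowPromiscuous

# Configure the PVS VM, Step 1: move the monitoring adapter onto the new port group.
$vm = Get-VM -Name "pvs-appliance"
Get-NetworkAdapter -VM $vm -Name "Network adapter 2" |
    Set-NetworkAdapter -NetworkName "PVS-Monitor" -StartConnected:$true -Confirm:$false

# Configure the PVS VM, Step 2: power on.
Start-VM -VM $vm

# Hygiene check: every adapter on the promiscuous port group should belong to PVS.
Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq "PVS-Monitor" } |
    Select-Object Parent, Name, NetworkName
```

The final query is the check worth scheduling: if an adapter belonging to any other VM shows up on the PVS-Monitor port group, that VM can read all traffic on the vSwitch.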
Step 2: Start the PVS VM

Start the PVS VM and configure PVS to use the promiscuous network adapter for monitoring. Start (or restart) the PVS service with the new settings. Network traffic on the virtual switch will now be collected by PVS.

VMware vSphere 5

Port Mirroring was introduced to VMware's vSphere Distributed Switch (VDS) in vSphere 5.0.

Configure VDS

Log in to the VMware vSphere web client and perform the following steps.
Step 1: Select VDS for Port Mirroring

Select the VDS to configure for port mirroring from the list. Navigate to the Manage tab and select Port Mirroring from the settings. Click the New button to begin configuring a new port mirror session via the wizard.

Step 2: Select a Session Type

The first option is to select a session type. For this example we will use Distributed Port Mirroring, which is similar to a SPAN port on a traditional hardware switch: it copies packets from a set of distributed ports to other distributed ports on the same ESXi host.
Step 3: Configure Port Mirror Set

Under the Edit Properties option, provide a name for this port mirror session. Ensure the Status setting is Enabled. As the destination port is only used to monitor traffic, Normal I/O may be left in the Disallowed setting. The Mirrored packet length and Sampling rate settings may be adjusted as needed for the environment; the default settings (full packets, every packet) are recommended for initial installation. A Description may be entered to provide more information about the use of this mirror session.
Step 4: Select Ports to be Monitored

Next, select the port(s) to be mirrored for this session. One or more ports may be selected for monitoring. Once selected, click the OK button. Determine which direction of traffic to monitor with this mirror: Ingress, Egress, or Ingress/Egress (both directions). Your local environment will determine the choice, but monitoring both directions will yield the maximum information for PVS. Click Next when complete.
Step 5: Select Destination Port

Select the destination port(s) that will receive the mirrored traffic. The port(s) selected must be the ones attached to the PVS adapter that PVS is configured to monitor. Note that a Distributed Port Mirroring session only delivers packets when the source and destination ports are on the same ESXi host; if the PVS VM can be migrated to another host, either keep it on the same host as the monitored VMs or use one of the remote mirroring session types. Click Next when set.
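Steps 1 through 6 of the wizard above can also be driven through the vSphere API, which is useful when the set of monitored ports changes often. The following PowerCLI script is an added example and is not part of the Tenable document; it assumes PowerCLI 5.1 or later for the VDS cmdlets, and the names vcenter.example.com, DSwitch-Prod, web01, db01, pvs-appliance and "Network adapter 2" are assumptions for illustration.

```powershell
# Added example, not from the Tenable document. Assumed names: vCenter
# vcenter.example.com, VDS "DSwitch-Prod", monitored VMs web01 and db01,
# PVS VM "pvs-appliance" whose "Network adapter 2" sits on the VDS.
Connect-VIServer -Server vcenter.example.com

$vds = Get-VDSwitch -Name "DSwitch-Prod"

# A VM adapter on a VDS is backed by a distributed port; the mirror session
# refers to ports by that port key.
function Get-VDPortKey($VmName, $AdapterName) {
    $nic = Get-VM -Name $VmName | Get-NetworkAdapter -Name $AdapterName
    $nic.ExtensionData.Backing.Port.PortKey
}

$sourceKeys = @(
    (Get-VDPortKey "web01" "Network adapter 1"),
    (Get-VDPortKey "db01"  "Network adapter 1")
)
$destKey = Get-VDPortKey "pvs-appliance" "Network adapter 2"

# Steps 2-3: Distributed Port Mirroring, enabled, normal I/O disallowed on the
# destination, every packet (sampling rate 1). MirroredPacketLength is left
# unset, which means packets are not truncated.
$session = New-Object VMware.Vim.VMwareVspanSession
$session.Name                 = "PVS-Mirror"
$session.Description          = "Mirror to Tenable PVS"
$session.Enabled              = $true
$session.SessionType          = "dvPortMirror"
$session.NormalTrafficAllowed = $false
$session.SamplingRate         = 1

# Step 4: the same source ports in both directions (Ingress/Egress).
$session.SourcePortReceived    = New-Object VMware.Vim.VMwareVspanPort
$session.SourcePortReceived.PortKey    = $sourceKeys
$session.SourcePortTransmitted = New-Object VMware.Vim.VMwareVspanPort
$session.SourcePortTransmitted.PortKey = $sourceKeys

# Step 5: the PVS monitoring port is the destination. For dvPortMirror the
# destination must be on the same ESXi host as the sources.
$session.DestinationPort = New-Object VMware.Vim.VMwareVspanPort
$session.DestinationPort.PortKey = @($destKey)

# Step 6: apply. ConfigVersion makes the reconfigure fail rather than clobber
# a change someone else made to the switch in the meantime.
$vspanSpec = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
$vspanSpec.Operation    = "add"
$vspanSpec.VspanSession = $session

$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion   = $vds.ExtensionData.Config.ConfigVersion
$spec.VspanConfigSpec = @($vspanSpec)
$vds.ExtensionData.ReconfigureDvs($spec)

# Check: the session is present, enabled, and references the expected ports.
$vds.ExtensionData.UpdateViewData()
$vds.ExtensionData.Config.VspanSession |
    Select-Object Name, Enabled, SessionType,
        @{ N = "Sources"; E = { $_.SourcePortReceived.PortKey -join "," } },
        @{ N = "Dest";    E = { $_.DestinationPort.PortKey -join "," } }
```

Because the session is keyed on distributed port keys rather than VM names, re-run the script (with Operation set to "edit" and the existing session Key) whenever a monitored VM's adapter is moved to a different port.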
Step 6: Review Information and Apply

Finally, review the information for the mirror session and click Finish to apply. Once this is complete, and PVS is configured and running as described in the Configure the PVS VM section of this document, PVS will start collecting data.

Microsoft Hyper-V

The following settings were configured using Hyper-V on Windows Server 2012. Hyper-V port mirroring operates between virtual network adapters attached to virtual ports on the same virtual switch. The VM must be powered off while its adapter settings are adjusted; after the changes are made, power the VM on to enable the new configuration.

Set Mirroring Destination Port

Log in to the Hyper-V server and access the properties of the PVS server's VM to perform the following steps. This first set of instructions sets the mirroring destination port on the PVS server VM.
1. Navigate to the Settings option under Actions on the PVS VM.
2. Select the Advanced Features option on the network adapter that will be used to receive port mirrored traffic from the other VMs that PVS will monitor.
3. On the right is an option for Port mirroring containing a drop-down menu labeled Mirroring mode. Select Destination from the available options.
4. Click Apply and then OK to continue.
5. Start the VM, with PVS monitoring the configured port.
Configure Mirrored Ports

This second set of instructions describes configuring the mirrored ports of the monitored VMs.

1. Navigate to the Settings option under Actions on the VM with the port(s) to be mirrored.
2. Select the Advanced Features option on the network adapter(s) that will send port mirrored traffic to the port that PVS is monitoring.
3. On the right is an option for Port mirroring containing a drop-down menu labeled Mirroring mode. Select Source from the available options.
4. Apply the changes and select OK.
5. Start the VM. Traffic to and from the configured port will be sent to the Destination port configured on the PVS server to be processed by PVS.
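Both sets of Hyper-V steps above map onto the Hyper-V PowerShell module that ships with Windows Server 2012, which also makes it easy to confirm that there is exactly one destination adapter and that every source sits on the same virtual switch. The script below is an added example and is not part of the Tenable document; the VM names PVS01, WEB01 and DB01, the adapter name Monitor and the switch name vSwitch-Prod are assumptions for illustration.

```powershell
# Added example, not from the Tenable document. Assumed names: PVS VM "PVS01"
# with monitoring adapter "Monitor", monitored VMs WEB01 and DB01, and the
# shared virtual switch "vSwitch-Prod".
Import-Module Hyper-V

$pvsVm     = "PVS01"
$pvsNic    = "Monitor"
$sourceVms = @("WEB01", "DB01")
$switch    = "vSwitch-Prod"

# The document's procedure edits adapter settings with the VMs powered off.
Stop-VM -Name ($sourceVms + $pvsVm)

# Set Mirroring Destination Port: the PVS adapter receives the mirrored frames.
Set-VMNetworkAdapter -VMName $pvsVm -Name $pvsNic -PortMirroring Destination

# Configure Mirrored Ports: every adapter on the monitored VMs that is attached
# to the same switch as the PVS adapter becomes a source.
foreach ($vm in $sourceVms) {
    Get-VMNetworkAdapter -VMName $vm |
        Where-Object { $_.SwitchName -eq $switch } |
        Set-VMNetworkAdapter -PortMirroring Source
}

# Check: one Destination on the PVS VM, all Sources on the same switch.
$adapters = Get-VMNetworkAdapter -VMName ($sourceVms + $pvsVm)
$adapters |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize

$dest = $adapters | Where-Object { $_.PortMirroringMode -eq "Destination" }
if (@($dest).Count -ne 1 -or $dest.VMName -ne $pvsVm) {
    throw "Expected exactly one Destination adapter, on $pvsVm"
}
$badSources = $adapters |
    Where-Object { $_.PortMirroringMode -eq "Source" -and $_.SwitchName -ne $switch }
if (@($badSources).Count -gt 0) {
    throw "Source adapters on a different switch will not reach PVS: $($badSources.VMName -join ',')"
}

# Power the VMs back on; the mirror takes effect with the new configuration.
Start-VM -Name ($sourceVms + $pvsVm)
```

The two checks catch the common misconfigurations with this feature: a second adapter accidentally left in Destination mode on another VM (which would receive copies of the mirrored traffic), and a source adapter on a different virtual switch, which mirrors nothing to PVS.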
For More Information

vSphere Networking: http://pubs.vmware.com/vsphere-50/topic/com.vmware.icbase/pdf/vsphere-esxi-vcenter-server-50-networking-guide.pdf

Tenable regularly updates PVS's plugins, which can be viewed online at: http://static.tenable.com/dev/tenable_plugins.pdf

An RSS feed of the latest plugins is available here: http://www.tenable.com/pvs.xml

A document describing Tenable Product Plugin Families is available on the Tenable website: http://static.tenable.com/documentation/tenable_products_plugin_families.pdf

Tenable Network Security, Inc. may be contacted via email for PVS support at sales@tenable.com or support@tenable.com.
About Tenable Network Security

Tenable Network Security is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world's largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its Nessus and SecurityCenter solutions continue to set the standard to identify vulnerabilities, prevent attacks and comply with a multitude of regulatory requirements. For more information, please visit www.tenable.com.

GLOBAL HEADQUARTERS
Tenable Network Security
7021 Columbia Gateway Drive
Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com

Copyright © 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.