One of my interests, as well as my day job, is cyber security. I have dabbled with running an IDS at home for 10+ years now, but as my hardware aged or died, I just didn't have the tech at home to do it anymore. With the arrival of my new server, it's time to virtualize an IDS.
In the physical world, this is "easy". In the old days, I would plug my 10Mbps hub inline between my cable modem and router/firewall. Off the hub I would connect my monitoring server running Snort. Well, things have come a LONG way since then. Now that 100Mbps WAN connections are becoming the norm and gigabit networks are standard in the LAN, a hub isn't going to cut it. On a managed switch I just configure a port mirror (SPAN/RSPAN) source and destination, plug the monitoring server into the destination port, and watch the packets!
As I have virtualized all the things, I need to solve the same problem, but it is going to require a different solution: mucking with Open vSwitch, which Xenserver leverages for its networking stack. Linux Bridge can be swapped in instead of OVS, but I'm not going that route, as it is similar to the hub approach and support for it will most likely be dropped soon.
So I SSH into the Xenserver box as root. I need to use the “ovs-vsctl” tool to configure the virtual switch:
# ovs-vsctl \
-- --id=@p get port vifX.Y \
-- --id=@m create mirror name=mirror0 select-all=true output-port=@p \
-- set bridge xapi1 mirrors=@m
What this does is: look up the virtual port (vifX.Y) that backs the dedicated sensor NIC (eth1) in my IDS VM and store its record in the variable @p; create a mirror named mirror0 (stored in @m) that selects ALL ports as its source and sends its output to the port in @p; and finally attach the mirror to the bridge (xapi1) that contains the port. My Xenserver only has one bridge, with all ports connected to it. Think of a bridge as the same as a physical switch.
A great description (from the references below) of the same configuration broken out into individual commands, rather than mashed into a single command like I did above:
0: ovs-vsctl \
1: -- --id=@p get port dummy0 \
2: -- --id=@m create mirror name=mirror0 \
3: -- add bridge br0 mirrors @m \
4: -- set mirror mirror0 output_port=@p

1: Find the UUID of the target interface
2: Create a mirror
3: Add the mirror to a bridge
4: Configure the mirror to output mirrored packets to the target interface
===========================================================
0: ovs-vsctl \
1: -- --id=@p get port tap0 \
2: -- set mirror mirror0 select_dst_port=@p \
3: -- set mirror mirror0 select_src_port=@p

1: Find the UUID of the source interface
2: All packets sent to tap0 will be mirrored
3: All packets sent from tap0 will be mirrored
===========================================================
ovs-vsctl set mirror mirror0 select_all=1
All switch packets will go to dummy0
To undo the mirror config:
# ovs-vsctl clear bridge xapi1 mirrors
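Once the mirror is in place, the only symptom of a wrong output_port or an empty selection is an IDS that quietly sees nothing, so here is an added check of my own (not code from the post, from Xenserver or from Open vSwitch): it parses the records printed by `ovs-vsctl list mirror` and `ovs-vsctl list port` and confirms that mirror0 selects traffic and outputs to the sensor port. The sample records and their UUIDs are constructed so the check runs offline; `audit_live()` and the default port name vifX.Y are assumptions for running the same check on the host.

```python
import re
import subprocess

def parse_ovs_list(text):
    """Parse `ovs-vsctl list TABLE [RECORD]` output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        row = {}
        for line in block.splitlines():
            key, _, val = (s.strip() for s in line.partition(":"))
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]                      # quoted string, e.g. name
            elif val in ("true", "false"):
                val = val == "true"                  # boolean, e.g. select_all
            elif val.startswith("["):                # set, e.g. select_src_port
                val = [v.strip() for v in val[1:-1].split(",") if v.strip()]
            row[key] = val                           # bare UUIDs and maps stay strings
        records.append(row)
    return records

def check_mirror(mirror, sensor_port):
    """Problems with a parsed Mirror row given the parsed Port row of the sensor NIC."""
    problems = []
    if mirror.get("output_port") != sensor_port["_uuid"]:
        problems.append("output_port is not the sensor port %s" % sensor_port["name"])
    if not (mirror.get("select_all") is True
            or mirror.get("select_src_port") or mirror.get("select_dst_port")):
        problems.append("mirror selects nothing: select_all false, no src/dst ports")
    return problems

def audit_live(mirror_name="mirror0", sensor_port="vifX.Y"):
    """Run the check against the live switch; needs ovs-vsctl, so run it on the host."""
    def rows(*args):
        return parse_ovs_list(subprocess.check_output(["ovs-vsctl", "list", *args], text=True))
    return check_mirror(rows("mirror", mirror_name)[0], rows("port", sensor_port)[0])

# Constructed sample records (made-up UUIDs, trimmed to the relevant columns).
SAMPLE_MIRROR = """\
_uuid               : 6f1c5c3e-1111-4aaa-8bbb-000000000001
name                : "mirror0"
output_port         : 9a2b7d10-2222-4ccc-8ddd-000000000002
select_all          : true
select_dst_port     : []
select_src_port     : []
"""
SAMPLE_PORT = """\
_uuid               : 9a2b7d10-2222-4ccc-8ddd-000000000002
name                : "vif3.1"
"""
```

On the host, `audit_live("mirror0", "vif3.1")` (substituting the real vif name) returns an empty list when the mirror is sound. One caveat from the OVS schema: a mirror output port is reserved for mirrored frames only and anything received on it is discarded, so the IDS VM's sensor NIC cannot double as its management interface.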
References:
http://discussions.citrix.com/topic/308929-how-to-match-ifconfig-list-with-xe-vm-vif-list/
http://docs.citrix.com/content/dam/docs/en-us/xenserver/xenserver-7-0/downloads/xenserver-7-0-vswitch-controller-guide.pdf
http://openvswitch.org/support/dist-docs/IntegrationGuide.md.txt
http://virtually-a-machine.blogspot.com/2011/11/how-to-run-network-monitoring-station.html
http://therandomsecurityguy.com/openvswitch-cheat-sheet/