Clear Choice Test: VM management

Reflex IPS adds security to your VM life

By Tom Henderson and Rand Dvorak, Network World Lab Alliance , Network World , 02/11/2008

Reflex Technologies' Command Center (RCC) is itself a virtual machine that runs on a VMware ESX server and acts as an intrusion-prevention system, watching the traffic between the other VMs and the virtual network interface VMware provides.

RCC examines either a mirrored copy of the traffic or the traffic itself as it flows between the physical and virtual network interfaces, and monitors and filters it against a rule set of known hacks, cracks and odd behaviors between hosts.

RCC is a nervous beast that only occasionally mischaracterized traffic. Amusingly, it misidentified traffic coming from Virtugo's VirtualSuite (a competing VM management product) as eDonkey peer-to-peer traffic. Otherwise it was highly accurate.

This product is stunningly simple to use; installation takes literally seconds. Two modes are available: an inline mode, in which RCC sits between the VM instances and the virtual network cards of a VMware host server, and a bridged mode, in which it listens to traffic mirrored from the interface. The inline mode can filter traffic on default or administrator-modified packet-filtering rules, while the bridged mode is listen-only.

We used both modes: first as a filtered (inline) connection, then as a combined filtered and bridged connection so that we could monitor one host while filtering and monitoring the other. Each VMware hardware host server ran four to six VMs. We used Microsoft's Internet Information Services 6 (IIS 6) and Apache as sample applications on each server instance.

Once the RCC VM instance is alive, it immediately starts evaluating packets (or filtering them, if that's what you've chosen to do) and the relationships between VM instances and the rest of the connected world. Sensors on multiple VMware hosts can be set up and linked to a single RCC console.

When RCC sees traffic that is not in line with its rule set, it categorizes the intrusion profile it has evaluated as low, medium or high concern (shown in a 3D bar graph as yellow, orange and red).

As an example, we probed the Server Message Block (SMB) ports on each server, an action that correctly triggered signature matches for several attack types. Additionally, we had one server pound the DNS ports of another hosted server to trigger identification of a User Datagram Protocol (UDP) flood attack.

It's also possible to set custom policies, and the one we found most interesting was an alert-and-deny policy for packet flooding that fits the profile of a denial-of-service (DoS) attack. SYN, fragment, UDP, TCP and Internet Control Message Protocol (ICMP) floods can be detected and automatically denied and/or raise a high-concern alert. Alas, the distributed DoS attack we tried (more than 10,000 unique source IP addresses) could not be filtered.

Each protected host can then be tuned to a detection-sensitivity level (the number of flooded packets tolerated) before the filter turns on for each packet type. You can protect a single host or a 24-IP-address range of VM hosts in this way. We turned sensitivity to its highest level for our distributed DoS attack, but RCC failed to keep up with the floods in this, our most dastardly of attacks. RCC simply started to halt traffic, slowing packets flowing through the RCC link between the virtual network card in the VMware host and its targeted server, until the attack was over.
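The following is an added example, not Reflex's code, that models the alert-and-deny flood policy described above: a per-packet-type sensitivity threshold counted over a sliding window for one protected host or address range, with the deny filter turning on once the threshold is exceeded. It also shows why a rule that counts packets per source (a common "rate-limit the offender" design) never trips on a flood spread across 10,000 spoofed sources, while the aggregate per-victim count does. The threshold values, the one-second window, the addresses and all packets are assumptions constructed for the example.

```python
"""Sliding-window flood detector with per-packet-type sensitivity thresholds.

Added example, not Reflex code. Models an alert-and-deny flood policy for one
protected host or range and contrasts per-destination with per-source counting
on a distributed flood. All addresses, thresholds and packets are constructed.
"""
from collections import defaultdict, deque
import ipaddress

# Flood classes named in the review. The threshold is the "sensitivity" knob:
# how many packets of this type may reach one protected host inside one window
# before the deny filter turns on. The numbers are assumptions.
DEFAULT_THRESHOLDS = {"SYN": 1000, "UDP": 500, "ICMP": 500, "FRAG": 200, "TCP": 2000}


class FloodDetector:
    def __init__(self, protected, thresholds=DEFAULT_THRESHOLDS,
                 window_s=1.0, per_source=False):
        self.protected = ipaddress.ip_network(protected)  # single host or a range
        self.thresholds = thresholds
        self.window_s = window_s
        self.per_source = per_source   # count per (src, dst) instead of per dst
        self.windows = defaultdict(deque)  # key -> timestamps inside the window
        self.denied = set()                # keys currently being filtered
        self.alerts = []                   # (concern, dst, ptype, count at trip)

    def _key(self, src, dst, ptype):
        return (src, dst, ptype) if self.per_source else (dst, ptype)

    def observe(self, ts, src, dst, ptype):
        """Return 'pass' or 'deny' for one packet; ts is seconds, non-decreasing."""
        if ipaddress.ip_address(dst) not in self.protected:
            return "pass"                  # unprotected destination: not counted
        limit = self.thresholds.get(ptype)
        if limit is None:
            return "pass"                  # not a flood class we track
        key = self._key(src, dst, ptype)
        q = self.windows[key]
        q.append(ts)
        while ts - q[0] > self.window_s:   # expire timestamps older than the window
            q.popleft()
        if len(q) > limit:
            if key not in self.denied:     # first trip raises one high-concern alert
                self.denied.add(key)
                self.alerts.append(("high", dst, ptype, len(q)))
            return "deny"
        self.denied.discard(key)           # back under threshold: filter turns off
        return "pass"


def single_source_udp_flood(attacker, victim, n, start=0.0):
    """Constructed: one host pounding a victim's DNS port, as in the test above."""
    return [(start + i * 1e-4, attacker, victim, "UDP") for i in range(n)]


def distributed_syn_flood(victim, n_sources, start=0.0):
    """Constructed: n_sources distinct spoofed sources, one SYN each, within one second."""
    base = ipaddress.ip_address("100.64.0.0")   # assumed attacker address space
    return [(start + i / n_sources, str(base + i), victim, "SYN")
            for i in range(n_sources)]


def run(detector, packets):
    """Feed packets in time order; report how many were denied and the alerts raised."""
    verdicts = [detector.observe(*p) for p in sorted(packets)]
    return {"denied": verdicts.count("deny"), "alerts": list(detector.alerts)}


if __name__ == "__main__":
    victim = "10.0.0.10"
    # One attacker, 2000 UDP packets: trips after 500, the remaining 1500 are denied.
    print(run(FloodDetector("10.0.0.0/24"),
              single_source_udp_flood("10.0.0.20", victim, 2000)))
    ddos = distributed_syn_flood(victim, 10_000)
    # Aggregate per-victim count: trips after 1000 SYNs, 9000 denied.
    print(run(FloodDetector("10.0.0.0/24"), ddos))
    # Per-source count: every source sent one packet, nothing trips, 0 denied.
    print(run(FloodDetector("10.0.0.0/24", per_source=True), ddos))
```

The per-destination rule does catch the distributed flood, but note what "deny" means there: once the victim's SYN count passes the threshold, every SYN bound for it is dropped, legitimate connections included, until the window drains. That is the same effect the review observed on the RCC link, traffic halting until the attack was over; detection of a distributed flood is easy, filtering it without collateral damage is the hard part, and it needs something beyond a packet counter (SYN cookies, upstream scrubbing, or per-source reputation) that this example deliberately does not claim to provide.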



Comments (2)

RE: Reflex IPS adds security to your VM life
By Anonymous on February 14, 2008, 5:25 pm
I tested this product recently and the performance was horrible! It drove my CPU utilization for my ESX server sky high and only got me about 80 meg of throughput...

Reflex VSA Rocks!
By Zack on February 15, 2008, 8:37 am
Reflex was a lifesaver for us. Since rolling out VMs a year ago we have been having difficulties in several areas and this product has solved most all of them. *We...
