Is a limited deployment of ATA still worthwhile?

  • Question

  • I have ATA gateways paired with each of our physical domain controllers. However, our VMware folks are balking at doing the port mirroring for our virtual DCs. (I know, but I've lost that argument.)

    Does a partial deployment still have merit? Or will this mean that we'll essentially never catch malicious behavior? I would think it would still have some merit, but have a large blind spot.

    Would including event forwarding from the virtual DCs to one of the existing gateways make sense? Or would that just confuse things?

    Thursday, October 22, 2015 8:21 PM

All replies

  • Hi,

    I am not sure what you mean exactly, but if you have (if I understood right) a physical ATA GW for each of your physical DCs, then you can also install a virtual GW for the virtual DCs. We are currently also dealing with virtual and physical machines, but in our case the DC is physical and the GW virtual. We are trying to set up port mirroring on our switch with a destination IP instead of a destination port.

    Windows Event Forwarding: https://technet.microsoft.com/en-us/library/dn707709.aspx#ATASIEM

    The WEF (and also the Syslog option) is only needed to enhance the detection of Pass-the-Hash attacks... so in your case I think it doesn't make sense. To get ATA working you need to mirror the DC port.

    Hope this helps you a little.

    Friday, October 23, 2015 5:02 AM
  • Our virtual machine guys are refusing to allow port mirroring. So our virtual DC can't have its traffic mirrored. I'm just not sure if that completely invalidates our setup...
    Friday, October 23, 2015 5:35 PM
  • Hi,

    I think so... without the mirrored traffic of a DC it is not possible to get ATA working usefully.

    Why don't your guys allow port mirroring? They can set up a separate VLAN. On e.g. VMware it can be set up within the original VLAN, but the mirroring preserves the original VLAN and encapsulates the mirrored traffic. Maybe that's a possible solution for your guys...

    Monday, October 26, 2015 6:18 AM
  • Hi,

    Not sure, but I guess it is still about the "all or nothing monitoring" topic, right?

    At first - and I guess you know this already, but I want to underline it once more - a virtual DC is not a good idea from a security perspective. A DC is a holy box and you should really take care of it. And you have a bunch of additional attack vectors if it is a virtual machine. (And I don't want to write a guidance here ;-) ). Therefore, if your goal is a secure environment, rethink virtual DCs first. Security is ALWAYS a holistic topic. A professional attacker will always try to find your weak point.

    This standpoint is similar for analyzing DC traffic. If you have 10 DCs (or 10 keys for a safe in a bank) and you only monitor 9 of these keys... well, how long do you estimate a professional attacker (or thief) will try to get number 10 ;-)

    But yes, your environment is more secure if you monitor 9 of 10. If you are already breached or are attacked in the future, you can find a bunch of attacks using these DCs. But at least, if you find something, you MUST analyze ALL other DCs as well - but then it could be too late, unfortunately (the safe is already empty then, and you only have one safe). But maybe then at least it helps you to find out more details about the attacker.

    Therefore: you need to clearly define what you are trying to achieve, and always assume breach from the beginning.

    Wednesday, October 28, 2015 11:37 AM
  • Hello!

    It is technically possible to install the Gateway software on the DC itself. This would solve your problem regarding the refusal to mirror traffic, but likely create others. The Gateway is quite CPU intensive and might impact the DC. I am also not certain that it is an officially supported solution.

    Rock - <You> - Hard place  :-)

    Tuesday, November 24, 2015 10:05 AM
  • Installing the ATA Gateway on the DC itself is not supported and the Gateway service will not start.

    ATA Team

    Gershon Levitz [MSFT]

    Tuesday, November 24, 2015 2:29 PM