Posted to users@cloudstack.apache.org by Gary Dixon <Ga...@quadris.co.uk.INVALID> on 2022/07/21 16:20:27 UTC

Intrusion Detection in ACS

Hi All

ACS 4.15.2
Hypervisor: KVM
HyperVisor OS: Ubuntu 20.04

I have been tasked with providing an Intrusion Detection solution for our Cloud customers. Our ACS guest traffic isolation utilises VXLAN and so I have been advised that we cannot implement port mirroring at the physical switch layer.
I have been looking at port mirroring at the KVM host level with setting up ingress/egress qdiscs with TC filters to port mirror the guest traffic along a gretap tunnel to the IDS appliance (which is hosted on another platform). So far this seems to mostly work.

I’m wondering if this is a viable way of implementing IDS? As for automating the process, could this be done as a CloudStack custom plugin or would this have to be automated externally to CloudStack? Trying to research into this has been challenging to say the least. I would really appreciate it if any of you have any pointers or let me know if I am barking up the wrong tree.

Best regards

Gary Dixon
Technical Consultant
T: 0161 537 4980
W: www.quadris.co.uk
The information contained in this e-mail from Quadris may be confidential and privileged for the private use of the named recipient.  The contents of this e-mail may not necessarily represent the official views of Quadris.  If you have received this information in error you must not copy, distribute or take any action or reliance on its contents.  Please destroy any hard copies and delete this message.
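
The host-level mirroring described in the message above, as an added example (not code from the thread or from CloudStack): it prints, or with APPLY=1 runs, the ip/tc commands for one guest interface. It uses a single clsact qdisc with matchall filters rather than separate ingress/egress qdiscs, and the interface names and addresses (vnet5, ids-mirror0, 192.0.2.10, 192.0.2.20) are assumptions.

```shell
#!/bin/sh
# Mirror one guest tap interface into a gretap tunnel towards an IDS sensor.
# Assumed values (not from the thread): vnet5 = guest tap, ids-mirror0 = tunnel,
# 192.0.2.10 = KVM host underlay address, 192.0.2.20 = IDS sensor address.

valid_ifname() {
    # Names are interpolated into commands, so allow only a safe character set
    # and the kernel's 15-character limit.
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

mirror_cmds() {
    guest_if=$1 tun_if=$2 local_ip=$3 ids_ip=$4
    valid_ifname "$guest_if" && valid_ifname "$tun_if" || return 2
    valid_ipv4 "$local_ip" && valid_ipv4 "$ids_ip" || return 2
    # gretap adds 38 bytes (outer IPv4 20 + GRE 4 + inner Ethernet 14), so the
    # underlay path needs MTU headroom for full-size guest frames.
    cat <<EOF
ip link add $tun_if type gretap local $local_ip remote $ids_ip
ip link set $tun_if up
tc qdisc add dev $guest_if clsact
tc filter add dev $guest_if ingress matchall action mirred egress mirror dev $tun_if
tc filter add dev $guest_if egress matchall action mirred egress mirror dev $tun_if
EOF
}

unmirror_cmds() {
    # Teardown, e.g. before the VM stops or migrates to another host.
    valid_ifname "$1" && valid_ifname "$2" || return 2
    printf 'tc qdisc del dev %s clsact\nip link del %s\n' "$1" "$2"
}

apply_mirror() {
    cmds=$(mirror_cmds "$@") || return
    [ "${APPLY:-0}" = 1 ] || { printf '%s\n' "$cmds"; return 0; }
    printf '%s\n' "$cmds" | while IFS= read -r c; do $c || exit 1; done
}

# Dry run: print the commands for the assumed interface and addresses.
apply_mirror vnet5 ids-mirror0 192.0.2.10 192.0.2.20
```

Because guest tap interfaces appear and disappear as VMs start, stop and migrate, the commands have to be re-applied per interface by whatever automation wraps this.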


RE: Intrusion Detection in ACS

Posted by Gary Dixon <Ga...@quadris.co.uk.INVALID>.
Hi Hean

I have been told by my network team that this will not be possible as the guest traffic is encapsulated in VXLAN and the Nexus switches are either not capable of reading the traffic or don't have the appropriate licensed feature.

BR
Gary 


-----Original Message-----
From: Hean Seng <he...@gmail.com> 
Sent: 21 July 2022 18:41
To: users@cloudstack.apache.org
Subject: Re: Intrusion Detection in ACS

Hi

You should do port mirroring at your Switch or Router, instead of Cloud Node.



--
Regards,
Hean Seng

Re: Intrusion Detection in ACS

Posted by Hean Seng <he...@gmail.com>.
Hi

You should do port mirroring at your Switch or Router, instead of Cloud
Node.



-- 
Regards,
Hean Seng