Posted to dev@cloudstack.apache.org by Nguyen Anh Tu <ng...@gmail.com> on 2013/03/03 10:05:12 UTC

About integrating IDS/IPS to CloudStack

I'm interested in integrating IDS/IPS into CloudStack, but didn't find any
effective solution. If you want to use a traditional NIDS, you cannot
know what the VMs say to each other because this is a virtual network.
Otherwise, if you use HIDS on the VMs then I don't think it is suitable. This
even affects performance. Another way is to use IDS/IPS on the Virtual
Router. It's OK, but you know that the Virtual Router now has to take on too many
functions. How about IDS/IPS on the hypervisors? What do you think?

---

Nguyen Anh Tu

Cloud Computing Core Dept.

Viettel R&D Institute, Vietnam

Re: About integrating IDS/IPS to CloudStack

Posted by Sebastien Goasguen <ru...@gmail.com>.
On Mar 5, 2013, at 11:35 AM, Nguyen Anh Tu <ng...@gmail.com> wrote:

> Hi Mice,
> 
> In your ElasterShield solution, I see that one hypervisor node has one
> ESVA, which acts like a Virtual Router. The ESVA has one NIC connected to the Guest
> network and one NIC connected to the Management network. I wonder how the ESVA
> listens to all network packets? It has to talk with the hypervisor, doesn't it? Or
> is it something like the "port mirroring" feature on a switch?
> 
> @Mice @Sebastien: One more question, do you know how to deploy one more
> SystemVM on CloudStack? Config files for the system VMs have to appear somewhere
> in the source code.

I actually don't. A quick workaround is to create a new template, and start an instance with that template in your guest network.



Re: About integrating IDS/IPS to CloudStack

Posted by Nguyen Anh Tu <ng...@gmail.com>.
I'm thinking about the following scenario: deploying one IDS virtual
machine, which has two NICs, on each host (XCP). One NIC connects to the Guest
network (controlled by Open vSwitch) and one NIC connects to the management
network to raise alerts. VM traffic is mirrored to the IDS port (via the
port-mirroring feature of Open vSwitch). IDS virtual machines are deployed
similarly to the SystemVMs (SSVM, CPVM, VR) on CloudStack. What do you think,
guys?




-- 

N.g.U.y.e.N.A.n.H.t.U
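The port-mirroring step of the two-NIC design proposed in this message, as an added example that is not code from the thread: a POSIX sh script for XCP dom0 that builds and (optionally) applies the Open vSwitch SPAN mirror copying selected guest VIFs to the IDS VM's guest-network port, and refuses to mirror the IDS port onto itself. The bridge name `xenbr0`, the VIF names and the mirror name `ids-span` are assumptions; nothing is applied unless `OVS_APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread: configure an Open vSwitch SPAN mirror in
# XCP dom0 so that traffic of selected guest VIFs is copied to the guest-network
# port of a local IDS virtual machine, as in the two-NIC design proposed above.
# Assumed names (not given in the thread): guest bridge "xenbr0", IDS VM port
# "vif7.0", mirror "ids-span". Nothing is applied unless OVS_APPLY=1 is set.

# Print the ovs-vsctl command (dry run), or execute it when OVS_APPLY=1.
ovs_cmd() {
    if [ "${OVS_APPLY:-0}" = "1" ]; then
        ovs-vsctl "$@"
    else
        echo "ovs-vsctl $*"
    fi
}

# build_mirror_args BRIDGE MIRROR_NAME IDS_PORT GUEST_PORT...
# Emits the ovs-vsctl argument list that, in one transaction, creates a Mirror
# record selecting each guest port as source and destination (both directions)
# and writing the copies to IDS_PORT. Refuses to mirror the IDS port to itself,
# which would feed the appliance copies of its own transmitted frames.
build_mirror_args() {
    bridge=$1; name=$2; ids_port=$3; shift 3
    [ $# -ge 1 ] || { echo "no guest ports given" >&2; return 1; }
    args="-- set Bridge $bridge mirrors=@m -- --id=@out get Port $ids_port"
    src_refs=""
    i=0
    for p in "$@"; do
        if [ "$p" = "$ids_port" ]; then
            echo "refusing to mirror IDS port $p onto itself" >&2
            return 1
        fi
        args="$args -- --id=@p$i get Port $p"
        src_refs="$src_refs${src_refs:+,}@p$i"
        i=$((i + 1))
    done
    echo "$args -- --id=@m create Mirror name=$name" \
         "select-src-port=$src_refs select-dst-port=$src_refs output-port=@out"
}

# apply_mirror BRIDGE MIRROR_NAME IDS_PORT GUEST_PORT...
apply_mirror() {
    args=$(build_mirror_args "$@") || return 1
    # Word splitting of $args is intended: each token is a separate argument.
    # shellcheck disable=SC2086
    ovs_cmd $args
}

# show_mirror MIRROR_NAME: list what the bridge actually mirrors, so the
# configuration can be audited after the IDS VM or a guest is (re)started.
show_mirror() {
    ovs_cmd --columns=name,select_src_port,select_dst_port,output_port list Mirror "$1"
}

# Stand-alone demonstration (dry run unless OVS_APPLY=1): mirror two guest VIFs.
apply_mirror xenbr0 ids-span vif7.0 vif1.0 vif2.0
show_mirror ids-span
```

A SPAN mirror delivers copies only, so this design supports detection; the inline traffic prevention Mice raises would require the appliance to sit in the forwarding path.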

RE: About integrating IDS/IPS to CloudStack

Posted by Mice Xia <mi...@tcloudcomputing.com>.
The security virtual appliance in this solution has only one NIC, and it connects to the management network in order to communicate with the security manager center.
(This is a little irrelevant to CloudStack.) It intercepts the traffic by a mechanism provided by the hypervisors: for XenServer, it co-works with the kernel module installed on dom0 to capture packets and redirect them to the SVA. For VMware it has the VMsafe API.

Regards
Mice


Re: About integrating IDS/IPS to CloudStack

Posted by Nguyen Anh Tu <ng...@gmail.com>.
Hi Mice,

In your ElasterShield solution, I see that one hypervisor node has one
ESVA, which acts like a Virtual Router. The ESVA has one NIC connected to the Guest
network and one NIC connected to the Management network. I wonder how the ESVA
listens to all network packets? It has to talk with the hypervisor, doesn't it? Or
is it something like the "port mirroring" feature on a switch?

@Mice @Sebastien: One more question, do you know how to deploy one more
SystemVM on CloudStack? Config files for the system VMs have to appear somewhere
in the source code.




-- 

N.g.U.y.e.N.A.n.H.t.U

RE: About integrating IDS/IPS to CloudStack

Posted by Mice Xia <mi...@tcloudcomputing.com>.
If you want to use a traditional NIDS, you cannot know what the VMs say to each other because this is a virtual network.
[mice] Yes, the drawback of a traditional NIDS (deployed at the gateway of an enterprise/datacenter) is that it's difficult to provide fine-grained protection. Without more appliances, traffic inside the datacenter goes unprotected.

If you use HIDS on the VMs then I don't think it is suitable.
[mice] For an enterprise, the IT guys can enforce that HIDS is installed and enabled on each VM; but for a public cloud, an agentless solution is preferred.

Another way is to use IDS/IPS on the Virtual Router.
[mice] The VR is an option, but considering the complexity of the network topology inside an enterprise or datacenter, what if users adopt a shared network (or hybrid network)? In this case the VR does not work in online mode and traffic prevention is impossible.

How about IDS/IPS on the hypervisors?
[mice] Almost all hypervisors have some mechanism to implement IDS/IPS (even anti-malware) for VMs; it's agentless and provides fine-grained protection for each VM, and that's the solution we are integrating with CloudStack now.

Regards. 
Mice


Re: About integrating IDS/IPS to CloudStack

Posted by Nguyen Anh Tu <ng...@gmail.com>.
Great!!! That's exactly what I'm looking for. Many thanks, Sebastien :-)



-- 

N.g.U.y.e.N.A.n.H.t.U

Re: About integrating IDS/IPS to CloudStack

Posted by Sebastien Goasguen <ru...@gmail.com>.
On Mar 4, 2013, at 8:17 AM, Nguyen Anh Tu <ng...@gmail.com> wrote:

> Thanks Sebastien!!! Great idea with setting up one more SystemVM, but I
> don't know how to do this. Please show me if you don't mind :D
> 

Mice Xia may be able to comment better than I can:
http://www.slideshare.net/mice_xia/integration-3rd-party-security-solution





Re: About integrating IDS/IPS to CloudStack

Posted by Nguyen Anh Tu <ng...@gmail.com>.
Thanks Sebastien!!! Great idea with setting up one more SystemVM, but I
don't know how to do this. Please show me if you don't mind :D



-- 

N.g.U.y.e.N.A.n.H.t.U

Re: About integrating IDS/IPS to CloudStack

Posted by Sebastien Goasguen <ru...@gmail.com>.
On Mar 3, 2013, at 4:05 AM, Nguyen Anh Tu <ng...@gmail.com> wrote:

> I'm interested in integrating IDS/IPS into CloudStack, but didn't find any
> effective solution. If you want to use a traditional NIDS, you cannot
> know what the VMs say to each other because this is a virtual network.
> Otherwise, if you use HIDS on the VMs then I don't think it is suitable. This
> even affects performance. Another way is to use IDS/IPS on the Virtual
> Router. It's OK, but you know that the Virtual Router now has to take on too many
> functions. How about IDS/IPS on the hypervisors? What do you think?

You could put an IDS/IPS on each hypervisor, but I don't think that will fall under the control of CloudStack as it would be a bare-metal config.
If the virtual router is not "strong" enough you could potentially have another "system VM" that only contains the IDS/IPS.
