cloudstack-dev mailing list archives

From "Mice Xia" <mice_...@tcloudcomputing.com>
Subject RE: About integrating IDS/IPS to CloudStack
Date Tue, 05 Mar 2013 02:44:33 GMT
If you want to use the traditional NIDS, you cannot know what VMs say to each other because
this is a virtual network.
[mice] Yes, the drawback of traditional NIDS (deployed at the gateway of an enterprise/datacenter)
is that it's difficult to provide fine-grained protection. Without more appliances, traffic
inside the datacenter goes unprotected.

if you use HIDS on VMs then I don't think it is suitable
[mice] For an enterprise, IT guys can enforce that HIDS is installed and enabled on each VM; but for
a public cloud, an agentless solution is preferred.

Another way is that you use IDS/IPS on Virtual Router
[mice] VR is an option, but considering the complexity of network topology inside an enterprise
or datacenter, what if users adopt a shared network (or hybrid network)? In this case the VR does
not work in online mode and traffic prevention is impossible.

How about IDS/IPS on Hypervisors
[mice] Almost all hypervisors have some mechanisms to implement IDS/IPS (even anti-malware)
for VMs. It's agentless and provides fine-grained protection for each VM, and that's the solution
we are integrating with CloudStack now.

Regards. 
Mice

-----Original Message-----
From: Nguyen Anh Tu [mailto:ng.tuna@gmail.com] 
Sent: Sunday, March 03, 2013 5:05 PM
To: cloudstack-dev@incubator.apache.org
Subject: About integrating IDS/IPS to CloudStack

I'm interested in integrating IDS/IPS into CloudStack, but didn't find any effective solution.
If you want to use the traditional NIDS, you cannot know what VMs say to each other because
this is a virtual network.
Otherwise, if you use HIDS on VMs then I don't think it is suitable. This even affects
performance. Another way is that you use IDS/IPS on Virtual Router. It's OK, but you know that
the Virtual Router now has to take on too many functions. How about IDS/IPS on Hypervisors? What do you
think?

---

Nguyen Anh Tu

Cloud Computing Core Dept.

Viettel R&D Institute, Vietnam