incubator-cloudstack-dev mailing list archives

From "Mice Xia" <mice_...@tcloudcomputing.com>
Subject RE: About integrating IDS/IPS to CloudStack
Date Mon, 11 Mar 2013 02:57:52 GMT
The security virtual appliance in this solution has only one NIC, which connects to the management
network in order to communicate with the security manager center.
(This is a little irrelevant to CloudStack.) It intercepts traffic by mechanisms provided
by the hypervisors: for XenServer, it works with a kernel module installed on dom0 to capture
packets and redirect them to the SVA. For VMware it uses the VMsafe API.

Regards
Mice

-----Original Message-----
From: Nguyen Anh Tu [mailto:ng.tuna@gmail.com] 
Sent: Wednesday, March 06, 2013 12:36 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: About integrating IDS/IPS to CloudStack

Hi Mice,

In your ElasterShield solution, I see that one hypervisor node has one ESVA, which acts like a
Virtual Router. The ESVA has one NIC connected to the Guest network and one NIC connected to the
Management network. I wonder how the ESVA listens to all network packets? It has to talk with the
hypervisor, doesn't it? Or is it something like the "port mirroring" feature on a switch?

@Mice @Sebastien: One more question, do you know how to deploy one more SystemVM on CloudStack?
Config files for system VMs have to appear somewhere in the source code.

2013/3/5 Mice Xia <mice_xia@tcloudcomputing.com>

> If you want to use a traditional NIDS, you cannot know what VMs say to
> each other because this is a virtual network.
> [mice] yes, the drawback of a traditional NIDS (deployed at the gateway
> of an enterprise/datacenter) is that it's difficult to provide
> fine-grained protection. Without more appliances, traffic inside the
> datacenter goes unprotected.
>
> If you use HIDS on VMs then I don't think it is suitable.
> [mice] for an enterprise, the IT guys can enforce HIDS being installed
> and enabled on each VM; but for a public cloud, an agentless solution
> is preferable.
>
> Another way is to use IDS/IPS on the Virtual Router.
> [mice] VR is an option, but considering the complexity of the network
> topology inside an enterprise or datacenter, what if users adopt a
> shared network (or hybrid network)? In this case the VR does not work
> in online mode and traffic prevention is impossible.
>
> How about IDS/IPS on hypervisors?
> [mice] almost all hypervisors have some mechanism to implement IDS/IPS
> (even anti-malware) for VMs; it's agentless and provides fine-grained
> protection for each VM, and that's the solution we are integrating
> with CloudStack now.
>
> Regards.
> Mice
>
> -----Original Message-----
> From: Nguyen Anh Tu [mailto:ng.tuna@gmail.com]
> Sent: Sunday, March 03, 2013 5:05 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: About integrating IDS/IPS to CloudStack
>
> I'm interested in integrating IDS/IPS into CloudStack, but haven't found
> any effective solution. If you want to use a traditional NIDS,
> you cannot know what VMs say to each other because this is a virtual network.
> Otherwise, if you use HIDS on VMs, I don't think it is suitable.
> This even affects performance. Another way is to use IDS/IPS
> on the Virtual Router. It's OK, but you know that the Virtual Router now has
> to take on too many functions. How about IDS/IPS on hypervisors? What do you think?
>
> ---
>
> Nguyen Anh Tu
>
> Cloud Computing Core Dept.
>
> Viettel R&D Institute, Vietnam
>
-- 

N.g.U.y.e.N.A.n.H.t.U
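The thread's core argument is that a NIDS at the datacenter gateway never sees traffic between two VMs on the same host, while a tap at the hypervisor (dom0 on XenServer, the VMsafe API on VMware) sees every frame on the guest bridge and, because it knows which vif each MAC belongs to, can apply a per-VM policy. The following Python model illustrates that difference as an added example; it is not ElasterShield or CloudStack code, and the VM names, MAC/IP addresses, per-VM policy and payload signatures are all constructed for the demonstration. The same frames are fed to a "gateway" vantage point (only frames crossing the router) and a "hypervisor" vantage point (every frame on the bridge).

```python
"""Toy model: per-VM inspection of traffic seen from a hypervisor-level tap."""
import struct
from dataclasses import dataclass

# Constructed: guest vif MAC -> VM name, as dom0 knows it from the bridge the
# vifs are attached to. A gateway NIDS has no such mapping.
VM_BY_MAC = {
    "02:00:00:00:00:01": "vm-web",
    "02:00:00:00:00:02": "vm-db",
    "02:00:00:00:00:03": "vm-tenant-x",
}
GATEWAY_MAC = "02:00:00:00:ff:ff"   # constructed: MAC of the upstream router

# Constructed per-VM policy: protected VM -> allowed (source VM, destination port) pairs.
POLICY = {"vm-db": {("vm-web", 3306)}}
# Constructed payload signatures, standing in for real IDS rules.
SIGNATURES = [b"UNION SELECT", b"/etc/passwd"]


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero; this is test input only."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Parse an Ethernet/IPv4/TCP frame into a Packet; return None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                      # IP protocol byte: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(_mac(frame[6:12]), _mac(frame[0:6]), _ip(frame[26:30]),
                  _ip(frame[30:34]), sport, dport, tcp[data_off:])


def inspect(pkt):
    """Return alert strings for one packet, attributing it to VMs by vif MAC."""
    alerts = []
    src_vm = VM_BY_MAC.get(pkt.src_mac, "external")
    dst_vm = VM_BY_MAC.get(pkt.dst_mac, "external")
    allowed = POLICY.get(dst_vm)
    if allowed is not None and (src_vm, pkt.dport) not in allowed:
        alerts.append(f"policy: {src_vm} -> {dst_vm}:{pkt.dport} not permitted")
    for sig in SIGNATURES:
        if sig in pkt.payload:
            alerts.append(f"signature: {sig.decode()} from {src_vm} to {dst_vm}")
    return alerts


def gateway_view(frames):
    """A NIDS at the datacenter gateway only sees frames that cross the router."""
    return [f for f in frames if GATEWAY_MAC in (_mac(f[0:6]), _mac(f[6:12]))]


def hypervisor_view(frames):
    """A dom0 tap on the guest bridge sees every frame, east-west included."""
    return list(frames)


def run(frames, vantage):
    alerts = []
    for f in vantage(frames):
        pkt = parse_frame(f)
        if pkt:
            alerts.extend(inspect(pkt))
    return alerts


# Constructed traffic on one host's guest bridge: a legitimate web->db query,
# a lateral attack from another tenant's VM, and an inbound request via the router.
SAMPLE = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.1.1.10", "10.1.1.20",
                40000, 3306, b"SELECT 1"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", "10.1.1.30", "10.1.1.20",
                40001, 3306, b"' UNION SELECT"),
    build_frame(GATEWAY_MAC, "02:00:00:00:00:01", "198.51.100.7", "10.1.1.10",
                50000, 80, b"GET /etc/passwd"),
]

if __name__ == "__main__":
    print("gateway NIDS  :", run(SAMPLE, gateway_view))
    print("hypervisor tap:", run(SAMPLE, hypervisor_view))
```

Run stand-alone, the gateway vantage point reports only the inbound request (one alert) and never sees the tenant-to-database attack, while the hypervisor vantage point reports that attack twice (policy and signature) plus the inbound request. A real SVA replaces `SAMPLE` with frames handed over by the dom0 module or VMsafe, and `VM_BY_MAC` with the vif table the hypervisor already maintains; the per-VM attribution is what makes the "fine-grained" protection in the thread possible without an agent inside the guest.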