incubator-cloudstack-dev mailing list archives

From Sebastien Goasguen <run...@gmail.com>
Subject Re: About integrating IDS/IPS to CloudStack
Date Wed, 06 Mar 2013 09:52:09 GMT

On Mar 5, 2013, at 11:35 AM, Nguyen Anh Tu <ng.tuna@gmail.com> wrote:

> Hi Mice,
> 
> In your ElasterShield solution, I see that one hypervisor node has one
> ESVA, which acts like a Virtual Router. ESVA has one NIC connected to the
> Guest network and one NIC connected to the Management network. I wonder
> how ESVA listens to all network packets? It has to talk with the
> hypervisor, doesn't it? Or something like the "port mirroring" feature on
> a switch?
> 
> @Mice @Sebastien: One more question, do you know how to deploy one more
> SystemVM on CloudStack? Config files for system VMs have to appear
> somewhere in the source code.

I actually don't. A quick workaround is to create a new template, and start an instance with
that template in your guest network.

> 
> 2013/3/5 Mice Xia <mice_xia@tcloudcomputing.com>
> 
>> If you want to use a traditional NIDS, you cannot know what VMs say to
>> each other because this is a virtual network.
>> [mice] yes, the drawback of traditional NIDS (deployed at the gateway of
>> an enterprise/datacenter) is that it's difficult to provide fine-grained
>> protection. Without more appliances, traffic inside the datacenter goes
>> unprotected.
>> 
>> if you use HIDS on VMs then I don't think it is suitable
>> [mice] for an enterprise, IT guys can enforce that HIDS is installed and
>> enabled on each VM; but for a public cloud, an agentless solution is
>> preferred.
>> 
>> Another way is that you use IDS/IPS on Virtual Router
>> [mice] VR is an option, but considering the complexity of the network
>> topology inside an enterprise or datacenter, what if users adopt a shared
>> network (or hybrid network)? In this case the VR does not work in online
>> mode and traffic prevention is impossible.
>> 
>> How about IDS/IPS on Hypervisors
>> [mice] almost all hypervisors have some mechanisms to implement IDS/IPS
>> (even anti-malware) for VMs; it's agentless and provides fine-grained
>> protection for each VM, and that's the solution we are integrating with
>> CloudStack now
>> 
>> Regards.
>> Mice
>> 
>> -----Original Message-----
>> From: Nguyen Anh Tu [mailto:ng.tuna@gmail.com]
>> Sent: Sunday, March 03, 2013 5:05 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: About integrating IDS/IPS to CloudStack
>> 
>> I'm interested in integrating IDS/IPS into CloudStack, but didn't find any
>> effective solution. If you want to use a traditional NIDS, you cannot
>> know what VMs say to each other because this is a virtual network.
>> Otherwise, if you use HIDS on VMs then I don't think it is suitable. This
>> even affects performance. Another way is that you use IDS/IPS on the
>> Virtual Router. It's OK, but you know that the Virtual Router now has to
>> take on too many functions. How about IDS/IPS on Hypervisors? What do you
>> think?
>> 
>> ---
>> 
>> Nguyen Anh Tu
>> 
>> Cloud Computing Core Dept.
>> 
>> Viettel R&D Institute, Vietnam
>> 
> 
> 
> 
> -- 
> 
> N.g.U.y.e.N.A.n.H.t.U

