Future Prediction: Network Intrusion Detection System in the cloud

Systems and Application
Security
Presentation: Future Predictions of NIDS in the
Cloud
SHU - Information Systems Security
(SAS)
Chao-Yang Hsu (22033770)
Nuwani Siriwardana (21053949)
Scott Storey (15038397)
Sedthakit Prasanphanich (22037820)

Outline
 Introduction - Deployment Strategies
 Challenges of integrating NIDS
 Management of NIDS in the cloud, how many
points do the manager should keep into the
account
 Example of Cloud provider in terms of NIDS
implementation
 Future Prediction
 Summary
(SAS)

Introduction - NIDS Deployment
NIDS
DMZ
NIDS
Behind the Firewall:
1. Highlights problems with the
network firewall policy
2. Observes attacks that may target
the web servers inside DMZ.
3. Even if the incoming attack is not
recognized, the IDS can
sometimes recognize the outgoing
traffic that results from the
compromised server
Outside the Firewall:
1. Documents number of and
types of attacks originating
on the Internet that target
your network.
Intranet
(SAS)

NIDS Deployment
DMZ
On critical subnet or
backbones:
1. Detects attacks targeting
your critical systems and
applications.
2. Allows focusing of limited
resources to the network
assets considered of
greatest value.
NIDS
EC Servers
(SAS)
Reference: NIST Special Publication on Intrusion Detection Systems
NIDS

NIDS Deployment - Global
Organizations
London
NIDS
Chicago
NIDS
(SAS)
Singapore
NIDS

NIDS Deployment - in the Cloud ...
London
Singapore
NIDS
NIDS
NIDS
plus
Virtualization
(SAS)
Host Machine
Virtual Machines
Traditional
Implementation
Chicago

London
Singapore
NIDS
NIDS
NIDS
,Virtualization
plus On Demand
Request
Pay-per use
Cloud Users
VM
Templates
(SAS)
Chicago

Challenges of integrating NIDS
 Detection Techniques
◦ Both Signature or Anomaly based detection mechanism have
their own strengths and weaknesses
 The Changing Face of Expanding Networks
◦ Virtualization
 Fundamental techniques in Cloud environment
◦ Computation Overhead
 Processing packets in a large or heavy load network
◦ Configuration Management
 Rule Sets and Signatures management policies
◦ Information and Events Management
 Incidents logs correlation and reporting
 Application Level and Encrypted Traffics
◦ HTTP Strict Transport Security becomes Internet standard (ex:
HTTPS)
(SAS)

How to ...
 effectively deploy NIDSs into the Cloud?
 manage/operate NIDSs efficiently?
(SAS)
new innovations and changes

Managing NIDSs in a
Cloud . . . . . .
(SAS)

Application
s
OS
Hardwar
e
Application
s
OS
Hardwar
e
Application
s
OS
Hardwar
e
Virtualization
5 – 10 % usage
90- 95 %
not utilized
(SAS)

Application
s
Guest OS
Application
s
Guest
OS
Application
s
Guest
OS
Virtualization
Hypervisor
Hardware
(SAS)

It’s Important…..
To deploy virtualization successfully
To provide functionality of an Network
Intrusion Detection System within a
cloud environment
(SAS)

Managing an NIDS in a cloud is quite
frustrating.
 Number of hosts
 Virtualized environment
 Online security
(SAS)

When protecting a Cloud using an
NIDS…
◦ It is difficult to analyze logs
(SAS)

Cloud is a cloud. We cannot exactly
trace and keep logs for what is
happening inside it…….
(SAS)

Online Security
(SAS)

 The security problems bring much more
economic loss in Cloud Computing than in
the other kind of systems.
(SAS)

Security Issues
 Cloud data confidentiality issue
 Network based attacks on remote Server
 Cloud security auditing
 Lack of data interoperability standards
(SAS)

Finally,
 We have to consider,
◦ The size of the cloud
Number of hosts and servers inside the cloud
◦ Virtualized environment
Challenging to deploy correctly
◦ Online security Issues
Protecting a virtual implementation is not easy
when we are managing an NIDS within a cloud…..
(SAS)

What are the big players doing with IDS
in the cloud?
(SAS)

Google Cloud
Do Google use an IDS? - Yes, of course they
do.
“At many points across our global network, internal
traffic is inspected for suspicious behavior, such as
the presence of traffic that might indicate botnet
connections. This analysis is performed using a
combination of open source and commercial tools for
traffic capture and parsing.”
- Security Whitepaper: Google Apps
Messaging and Collaboration Products, Google.
(SAS)

Google Cloud
 No – They explicitly state they protect their
own network, they don’t mention your
specific instances.
 You are effectively outsourcing everything
to a 3rd party.
(SAS)

Google Cloud
All out attack on Google?
Not that likely, but does happen and would
probably be noticed.
You would be relatively safe, you are
protected by the sheer size of Google. You
aren’t a specific target.
(SAS)

Google Cloud
Attack on your specific instance?
Would Google notice?
(SAS)

Amazon Web Services (AWS)
Do Amazon use an IDS? - Yes, of course they
do.
 “AWS utilizes automated monitoring systems to
provide a high level of service performance and
availability. Proactive monitoring is available
through a variety of online tools both for internal
and external use.” - Amazon Web Services:
Overview of Security Processes, Amazon.
(SAS)

No – Shared Responsibility Environment
Almost the same as Google so far;
Amazon will protect their own systems, you
look after your instances.
Amazon Responsibilities Customer Responsibilities
• Host Operating System
• Virtualisation Layer
• Physical Security
• Guest Operating System
• Associated Application Software
• Configuration of provided firewall
(SAS)

The main difference between Amazon and
Google? - AWS Marketplace
On AWS Marketplace there are 3 different
companies offering IDSs specifically
designed for AWS.
◦ Alertlogic
◦ Metaflows
◦ CloudPassage
(SAS)

The cloud specific solutions for an IDS in
AWS are still really in their infancy.
But they are beginning to target the issues
surrounding scaling the IDS and monitoring
both cloud systems and traditional on site
systems with the same software.
(SAS)

Google & AWS Summary
With Google and AWS you can’t monitor the
entire network. You are limited to Host-Based
Intrusion Detection Systems.
You have no access to the wider network, you
need to leave this to the companies hosting
your cloud solution.
A business decision needs to be made about
if this is acceptable for an individual company.
(SAS)

Google & AWS Summary
Many SMEs don’t have the resource to
implement NIDS effectively making cloud
services an attractive prospect for them.
Larger enterprises can choose to take a
blended approach keeping more business
critical systems in a traditional system where
they have more control and outsourcing less
critical systems.
(SAS)

Prediction Times!
• Fast Adaption Rate
• Middleware
• Virtually Growth
(SAS)

Fast Adaptation rate
The faster the better
(SAS)

Middleware
(SAS)

(SAS)
Picture from: http://www.rationalsurvivability.com/blog/wp-content/media/2009/01/cloudtaxonomyontology_v15.jpg
PaaS

Virtually Growth
from normal sensor to mini instance
(SAS)

London
Singapore
NIDS NIDS
NIDS
,Virtualization
(SAS)
Chicago

Centralized Configuration
provide just centralized signature is not enough!
(SAS)

NIDS Deployment - Global
Organizations
Chicago
London
Singapore
NIDS
NIDS
(SAS)
NIDS
Plus Configuration & Correlation

Summary
(SAS)

Thanks
 Q&A
(SAS)

Future Prediction: Network Intrusion Detection System in the cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (6)

Similar to Future Prediction: Network Intrusion Detection System in the cloud

Similar to Future Prediction: Network Intrusion Detection System in the cloud (20)

Recently uploaded

Recently uploaded (20)

Future Prediction: Network Intrusion Detection System in the cloud

Editor's Notes