Future Prediction: Network Intrusion Detection System in the cloud



This group presentation is about the possible ways of deploying a Network Intrusion Detection System (NIDS) in cloud computing.

Published in: Education, Technology

  • The VMware company ships more than seven million servers a year to enterprise business environments. Of those, almost 6 million are inter-architectural ESX86 servers, and they are being deployed to the data centers of large enterprises by the hundreds and thousands. A normal server architecture has hardware as the bottom layer, the OS above it, and applications running on top of the OS; the OS and the hardware cooperate through hardware drivers embedded in the OS. When we assign an individual server to a cloud service, on average only 5-10% of the total available hardware resources are utilized for the given task. The other 90-95% of the resources sit idle and are wasted over time.
  • For better utilization, we create a virtual environment, which is essentially several applications under different OSs running inside the same server. As usual, the bottom layer is the hardware; the host OS is replaced with a new layer called the hypervisor, which manages and allocates the available hardware resources according to the tasks the applications above it are running. Each individual virtual machine has its own hard disk, Ethernet interface, etc. A cloud usually consists of many servers like this. Why worry about intrusions? - You need adequate security measures to know when you have been broken into. - How do you know if your web servers are making connections to botnets and command and control servers? - How do you respond if your servers are broken into and taken control of? They are now effectively hitting your bottom line: chances are they are making outbound connections and are being controlled by someone else, consuming your computing capacity and able to extract useful data.
  • Deploying virtualization successfully is important in order to provide proper functionality for a Network IDS within a cloud. If the virtual machines or servers are not correctly configured, the IDS will fail to monitor the traffic passing through. The configuration includes not only application data but also ports, static and dynamic IP addresses, etc. Mapping which data is duplicated in which server of the cloud is also important in managing an IDS, because even if we prevent an attacker from extracting information through one server, he can still gain the same information through another server. The advantage of using a NIDS with virtualization is that the individuality of each machine gives the IDS the opportunity to minimize the impact of a possible attack.
  • Unlike a simple network, a cloud uses the resources of several machines to complete a task once it is assigned. Beyond that, when we give the command to retrieve our files, we cannot predict which server the file is going to be retrieved from. The cloud is spread over a number of hosts and servers that communicate from different places, flooding requests and responses.
  • It is difficult to analyse logs, because communication between many systems and many consumers generates a large amount of logs.
  • Clouds are very well linked with the internet. That does not mean we cannot create isolated private connections for the cloud, but the internet is still the easiest method of accessing data in a cloud, so online security does matter. Various types of hosts, including work PCs, personal desktops, laptops, tablets and mobiles, are accessing the cloud every minute.
  • 1. Cloud data confidentiality issue. Confidentiality of data in the cloud is one of the glaring security concerns. Encryption of data can be done with traditional techniques. However, while encrypted data can be secured from a malicious user, the privacy of the data cannot be hidden even from the data administrator at the service provider's end, and searching and indexing on encrypted data remains a point of concern in that case. The cloud security issues mentioned above are only a few; the dynamic nature of cloud architecture faces new challenges with the rapid implementation of new service paradigms. 2. Network and host based attacks on remote servers. Host and network intrusion attacks on remote hypervisors are a major security concern, as cloud vendors use virtual machine technology. DoS and DDoS attacks are launched to deny service availability to end users. 3. Cloud security auditing. Cloud auditing is a difficult task: checking the vendor's compliance with all the security policies. The cloud service provider has control of sensitive user data and processes, so an automated or third-party auditing mechanism for data integrity checks and forensic analysis is needed. Privacy of data from the third-party auditor is another cloud security concern. 4. Lack of data interoperability standards. This results in a cloud user data lock-in state. If a cloud user wants to shift to another service provider for some reason, it would not be able to do so, as the cloud user's data and applications may not be compatible with the other vendor's data storage format or platform. Security and confidentiality of data would be in the hands of the cloud service provider, and the cloud user would be dependent on a single service provider.
  • Google are a huge company. Of course they use an IDS. They provide services for government, education, business and ordinary people. They wouldn't have grown quite so big if their systems weren't secured and they kept losing data. And from their statement, they seem to be using a signature-based IDS. So does this mean you can just sit back and not worry about your data in the cloud, because Google are looking after it?
  • Google don't have a security professional sat watching your specific instances. It would be ridiculous to think that they have employed someone to look after you specifically (unless you have specifically paid Google for this). Google aren't very open about their security. They make a lot of broad, sweeping statements and mention some specific types of security, but only the ones that a large number of people will have heard of, such as SSL and HTTPS. The sad fact is, this is enough for most people, as they aren't overly interested in security. At no point do Google mention that they run an IDS to protect your specific instance. You are relying solely on Google saying that they are looking after your data and that they will notice a breach and tell you when it happens. With most Google cloud products you are outsourcing everything, except for Google Compute, where you run your own version of Linux and could of course put whatever HIDS you want on it.
  • Google have a lot of money; they can throw money at security. Everywhere else, security tends to be secondary to a working application. Google are probably spending more on security for cloud computing than an individual or business would.
  • If you are an SME and an attack was launched at your specific instance, you are hoping that Google will notice it. You have no way of knowing if an attack has taken place unless Google notice it and tell you. If one instance was picked off out of the entirety of Google's cloud, would they notice? Would they be bothered by one instance going down? This relies on you noticing something is wrong with your data or website and then telling Google to go and fix it. Would you be comfortable with this as a business?
  • Amazon are also a huge company, and of course they use an IDS. Their statement isn't quite as explicit, but it definitely makes a nod towards an IDS. They also have numerous certifications that they wouldn't have achieved without some form of IDS. So, the same question as with Google: does this mean we can sit back and not worry?
  • No. But Amazon are explicit about this, stating a shared responsibility environment. Amazon AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. The customer assumes responsibility for and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. So far, almost exactly the same as Google, but they make the differences in responsibility a bit more explicit. You are responsible for what happens on your instances.
  • AWS Marketplace has 3 companies offering IDS solutions specifically designed for AWS.
  • These services are still in their infancy (there are only 3 around specifically designed for AWS, after all!). They can integrate monitoring across cloud-based systems and traditional on-site applications.
  • Thank you, Scott. We have now heard about the management aspects of the cloud and the example of the cloud providers. What is the next step? What should we look forward to for NIDS in the cloud? There are many points to look at, but we have summed them up into the 3 things that are crucial to a generic cloud setup.
  • Why is this the first one we talk about? The point is zero-day attacks. What will happen if attackers decide to use a zero-day attack against the cloud? Can we count this as a SPoF (Single Point of Failure)? And do you like that? This kind of feature will be critical in the future. Could you imagine it? There is an alert from some segment in the cloud, and the cloud environment adapts its defenses to the various kinds of attacks! We are not talking about instant patches; imagine something like the virtual patching in a WAF, which has learnt the attack's characteristics. When I think about fast adaptation rate, this is what I am thinking of!
  • Some research suggests that we should put the NIDS in the middleware layer of the cloud infrastructure. Traditional IDSs are not suitable for a cloud environment: network-based IDSs (NIDS) cannot detect encrypted node communication, and host-based IDSs (HIDS) are not able to find the hidden attack trail. So where is the middleware in the cloud?
  • http://www.rationalsurvivability.com/blog/wp-content/media/2009/01/cloudtaxonomyontology_v15.jpg As you can see in the picture, the middleware layer is in purple.
  • The size and services of a cloud are not static; they change dynamically every day, for example with on-demand and pay-by-use. Are you serious? How is a traditional NIDS going to stay alive in this kind of environment?
  • Some research supports creating mini IDS instances instead of one normal IDS. They are deployed between each user of the cloud and the cloud service provider. As a result, the load on each IDS instance will be lower than that on a single IDS, and hence each small IDS instance will be able to do its work better. For example, the number of packets dropped will be lower because of the smaller load on each IDS instance.
  • OK, this time we are talking about medium and large enterprise architectures. Think about international companies with many branches around the world. How could you manage the situation in each cloud? How massive would the IDS implementation be? How could the IT and security team survive if a serious situation happens? Can we manage to track the origin or grasp any kind of attacker's intention? Can we trace where they have intruded into our perimeter?
  • Back to the same picture again: 3 branches. How can we manage all of the IDSs? This feature goes back to the same situation as the first feature about outbreaks. The difference from the first feature is that we are not only thinking about adapting defenses to varying attack patterns; we also need to think about the management issue when a global policy is to be enforced on all branches around the world. How can they manage to apply or deploy it at the same time? Sometimes it is urgent and needs to be done ASAP. Downtime is not an option for worldwide companies.
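The notes above ask how you would know that a web server has been taken over and is talking to a command and control server, and the deployment slides note that an IDS can sometimes recognise the outgoing traffic of a compromised server even when the incoming attack was missed. The following is an added example, not part of the presentation, of that detection logic run over a constructed flow log: it flags outbound connections from web-tier hosts to destinations outside an assumed allow-list, and separately flags destination pairs contacted at near-constant intervals (beaconing). The host list, allow-list and log lines are all constructed.

```python
# Added example (not from the presentation): flag unexpected outbound
# connections from web-tier hosts and detect regular "beaconing".
# All log lines, addresses and policy values below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log, one record per line: "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
1000 10.0.1.10 10.0.2.20 3306
1005 10.0.1.10 203.0.113.9 6667
1065 10.0.1.10 203.0.113.9 6667
1125 10.0.1.10 203.0.113.9 6667
1185 10.0.1.10 203.0.113.9 6667
1190 10.0.1.11 10.0.2.20 3306
1210 10.0.1.11 198.51.100.7 443
"""

# Assumed inventory: the hosts in the web tier.
WEB_SERVERS = {"10.0.1.10", "10.0.1.11"}
# Assumed policy: the only destination a web server should talk to
# on its own initiative (the database tier).
ALLOWED_DESTS = {("10.0.2.20", 3306)}


def parse_flows(text):
    """Parse the flow log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def unexpected_outbound(flows):
    """Return sorted (src, dst, port) triples from web servers to
    destinations that are not on the allow-list. Each hit needs triage:
    an HTTPS call may be a legitimate API, an IRC port rarely is."""
    hits = set()
    for _, src, dst, port in flows:
        if src in WEB_SERVERS and (dst, port) not in ALLOWED_DESTS:
            hits.add((src, dst, port))
    return sorted(hits)


def beaconing(flows, min_count=4, max_jitter=0.1):
    """Return (src, dst, interval) for pairs contacted at least min_count
    times whose inter-connection gaps vary by at most max_jitter of the
    mean gap. Malware check-ins are often this regular; human traffic is not."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    result = []
    for (src, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            result.append((src, dst, round(mean(gaps))))
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected outbound:", unexpected_outbound(flows))
    print("beaconing:", beaconing(flows))
```

On the constructed log, 10.0.1.10 is flagged both for talking to an unexpected destination on port 6667 and for doing so every 60 seconds; the second signal is the stronger one, since it does not depend on the destination being known in advance.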

    1. Systems and Application Security Presentation: Future Predictions of NIDS in the Cloud. SHU - Information Systems Security (SAS). Chao-Yang Hsu (22033770), Nuwani Siriwardana (21053949), Scott Storey (15038397), Sedthakit Prasanphanich (22037820)
    2. Outline: Introduction - Deployment Strategies; Challenges of integrating NIDS; Management of NIDS in the cloud, how many points should the manager keep in account; Example of cloud providers in terms of NIDS implementation; Future Prediction; Summary
    3. Introduction - NIDS Deployment. Behind the Firewall (NIDS in the DMZ): 1. Highlights problems with the network firewall policy. 2. Observes attacks that may target the web servers inside the DMZ. 3. Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from the compromised server. Outside the Firewall: 1. Documents the number and types of attacks originating on the Internet that target your network. (Diagram: NIDS, DMZ, Intranet)
    4. NIDS Deployment. On critical subnets or backbones: 1. Detects attacks targeting your critical systems and applications. 2. Allows focusing of limited resources on the network assets considered of greatest value. (Diagram: NIDS, DMZ, EC Servers.) Reference: NIST Special Publication on Intrusion Detection Systems
    5. NIDS Deployment - Global Organizations (Diagram: NIDS in London, Chicago, Singapore)
    6. NIDS Deployment - in the Cloud ... NIDS plus Virtualization (Diagram: London, Chicago, Singapore; Host Machine, Virtual Machines, Traditional Implementation)
    7. NIDS Deployment - in the Cloud ... NIDS, Virtualization plus On-Demand Request, Pay-per-use, Cloud Users, VM Templates (Diagram: London, Chicago, Singapore)
    8. Challenges of integrating NIDS. Detection Techniques: both signature- and anomaly-based detection mechanisms have their own strengths and weaknesses. The Changing Face of Expanding Networks: Virtualization (a fundamental technique in cloud environments); Computation Overhead (processing packets in a large or heavily loaded network); Configuration Management (rule set and signature management policies); Information and Events Management (incident log correlation and reporting). Application Level and Encrypted Traffic: HTTP Strict Transport Security becomes an Internet standard (ex: HTTPS)
    9. How to ... effectively deploy NIDSs into the Cloud? manage/operate NIDSs efficiently? New innovations and changes
    10. Managing NIDSs in a Cloud . . . . . .
    11. (Diagram: three servers, each with Applications, OS, Hardware) 5-10 % usage, 90-95 % not utilized. Virtualization
    12. (Diagram: Applications / Guest OS, three times, on a Hypervisor, on Hardware) Virtualization
    13. It's Important..... To deploy virtualization successfully. To provide functionality of a Network Intrusion Detection System within a cloud environment
    14. Managing an NIDS in a cloud is quite frustrating: Number of hosts; Virtualized environment; Online security
    15. When protecting a Cloud using an NIDS... It is difficult to analyze logs
    16. Cloud is a cloud. We cannot exactly trace and keep logs for what is happening inside it.......
    17. Online Security
    18. The security problems bring much more economic loss in Cloud Computing than in other kinds of systems.
    19. Security Issues: Cloud data confidentiality issue; Network based attacks on remote Server; Cloud security auditing; Lack of data interoperability standards
    20. Finally, we have to consider: The size of the cloud (number of hosts and servers inside the cloud); Virtualized environment (challenging to deploy correctly); Online security issues. Protecting a virtual implementation is not easy when we are managing an NIDS within a cloud.....
    21. What are the big players doing with IDS in the cloud?
    22. Google Cloud. Do Google use an IDS? - Yes, of course they do. "At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open source and commercial tools for traffic capture and parsing." - Security Whitepaper: Google Apps Messaging and Collaboration Products, Google.
    23. Google Cloud. No - they explicitly state they protect their own network; they don't mention your specific instances. You are effectively outsourcing everything to a 3rd party.
    24. Google Cloud. All-out attack on Google? Not that likely, but it does happen and would probably be noticed. You would be relatively safe; you are protected by the sheer size of Google. You aren't a specific target.
    25. Google Cloud. Attack on your specific instance? Would Google notice?
    26. Amazon Web Services (AWS). Do Amazon use an IDS? - Yes, of course they do. "AWS utilizes automated monitoring systems to provide a high level of service performance and availability. Proactive monitoring is available through a variety of online tools both for internal and external use." - Amazon Web Services: Overview of Security Processes, Amazon.
    27. Amazon Web Services (AWS). No - Shared Responsibility Environment. Almost the same as Google so far; Amazon will protect their own systems, you look after your instances. Amazon responsibilities: Host Operating System; Virtualisation Layer; Physical Security. Customer responsibilities: Guest Operating System; Associated Application Software; Configuration of provided firewall
    28. Amazon Web Services (AWS). The main difference between Amazon and Google? - AWS Marketplace. On AWS Marketplace there are 3 different companies offering IDSs specifically designed for AWS: Alertlogic; Metaflows; CloudPassage
    29. Amazon Web Services (AWS). The cloud-specific solutions for an IDS in AWS are still really in their infancy. But they are beginning to target the issues surrounding scaling the IDS and monitoring both cloud systems and traditional on-site systems with the same software.
    30. Google & AWS Summary. With Google and AWS you can't monitor the entire network. You are limited to Host-Based Intrusion Detection Systems. You have no access to the wider network; you need to leave this to the companies hosting your cloud solution. A business decision needs to be made about whether this is acceptable for an individual company.
    31. Google & AWS Summary. Many SMEs don't have the resources to implement NIDS effectively, making cloud services an attractive prospect for them. Larger enterprises can choose to take a blended approach, keeping more business-critical systems in a traditional system where they have more control and outsourcing less critical systems.
    32. Prediction Time! Fast Adaptation Rate; Middleware; Virtual Growth
    33. Fast Adaptation Rate: the faster the better
    34. Middleware
    35. (Picture from: http://www.rationalsurvivability.com/blog/wp-content/media/2009/01/cloudtaxonomyontology_v15.jpg) PaaS
    36. Virtual Growth: from normal sensor to mini instance
    37. NIDS Deployment - in the Cloud ... NIDS, Virtualization (Diagram: London, Chicago, Singapore)
    38. Centralized Configuration: providing just centralized signatures is not enough!
    39. NIDS Deployment - Global Organizations. NIDS plus Configuration & Correlation (Diagram: Chicago, London, Singapore)
    40. Summary
    41. Thanks. Q&A
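Slide 36 and the accompanying notes argue that one small IDS instance per cloud user carries less load than a single shared IDS and therefore drops fewer packets. The following is an added example, not from the presentation or any cited research, that puts a simple slot-based model on that claim: an instance inspects at most `capacity` packets per time slot and drops the rest. It also shows a point the slide does not state: when one tenant is flooded, a shared sensor drops other tenants' packets too, while per-tenant instances confine the loss to the tenant under attack. The workload, capacities and the proportional-drop assumption are all constructed.

```python
# Added example (not from the presentation): slot-based model of packet
# drops for one shared NIDS versus per-tenant "mini" IDS instances.
# Every number here is constructed; an instance inspects at most
# `capacity` packets per time slot and drops whatever exceeds it.


def shared_ids_drops(slot_loads, capacity):
    """One IDS in front of all tenants.

    slot_loads: list of {tenant: packets} dicts, one per time slot.
    Assumption: the sensor has a single FIFO queue, so overflow is
    dropped in proportion to each tenant's share of the slot's traffic.
    Returns {tenant: total dropped packets}, rounded to whole packets.
    """
    drops = {}
    for loads in slot_loads:
        total = sum(loads.values())
        overflow = max(0, total - capacity)
        for tenant, pkts in loads.items():
            share = overflow * pkts / total if total else 0
            drops[tenant] = drops.get(tenant, 0) + share
    return {t: round(d) for t, d in drops.items()}


def mini_ids_drops(slot_loads, capacity):
    """One small IDS instance per tenant, each with its own budget.

    A tenant can only lose its own packets; the other tenants' instances
    never see the flood. Returns {tenant: total dropped packets}.
    """
    drops = {}
    for loads in slot_loads:
        for tenant, pkts in loads.items():
            drops[tenant] = drops.get(tenant, 0) + max(0, pkts - capacity)
    return drops


# Constructed workload: three tenants at 20 packets/slot each; in slots
# 2 and 3 tenant A is flooded (e.g. a DoS aimed at that one instance).
WORKLOAD = [
    {"A": 20, "B": 20, "C": 20},
    {"A": 200, "B": 20, "C": 20},
    {"A": 200, "B": 20, "C": 20},
    {"A": 20, "B": 20, "C": 20},
]


def compare(capacity_shared=90, capacity_mini=60):
    """Run both topologies over WORKLOAD; return (shared, mini) drop tables."""
    return (shared_ids_drops(WORKLOAD, capacity_shared),
            mini_ids_drops(WORKLOAD, capacity_mini))


if __name__ == "__main__":
    shared, mini = compare()
    print("shared IDS drops per tenant:", shared)
    print("mini IDS drops per tenant:  ", mini)
```

With the constructed numbers the shared sensor drops 250 of A's packets plus 25 each of B's and C's, so the victims of the flood include tenants that were never attacked; the per-tenant instances drop 280 of A's packets and none of B's or C's.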