Keywords: IDS, intrusion detection, traffic, security
Abstract: Intrusion prevention systems (IPS) are familiar to security people, but an IPS sits in the traditional physical network and is not easy to integrate into a virtual environment, especially for virtual network traffic. A host-based intrusion detection system (IDS) can still run on a virtual machine, but it then consumes resources drawn from the host's shared pool and cannot properly protect the network.
The virtual IDS/IPS security implementation strategy is described as follows:
Intrusion detection and prevention systems at the host and network levels are mainstays of today's information security products. With the advent of virtualization, however, many network security experts have realized that traditional intrusion detection systems cannot be integrated into a virtual network or system the way they were integrated into the traditional enterprise infrastructure.
For example, network intrusion detection can be harder because the default virtual switches of the major platform vendors do not allow a Switched Port Analyzer (SPAN) or mirror port to be established, so traffic cannot be copied to the intrusion detection system (IDS) sensor. Similarly, intrusion prevention systems (IPS) sit in the traditional physical network and cannot easily be integrated into a virtual environment, especially for virtual network traffic. A host-based IDS can still run on a virtual machine, but it then consumes resources drawn from the host's shared pool and cannot properly protect the network.
Fortunately, there are many ways to adjust the IPS implementation strategy and monitor virtual system traffic, and that is what we propose here. To begin with, a VMware virtual switch or port group can be placed in promiscuous mode, in which a virtual IDS sensor can monitor all traffic on the same virtual segment. Traffic can also be directed to an interface that is monitored by a physical IDS sensor. There are also many capable open-source and third-party virtual switches that can be operated like traditional switches.
For Citrix Systems Inc.'s platforms, the Kernel-based Virtual Machine (KVM) and Oracle Corp.'s VirtualBox, the open-source Open vSwitch provides a fully featured virtual switch that can establish a SPAN port for traffic mirroring and monitoring. Cisco Systems Inc.'s Nexus 1000V commercial switch offers the same functionality and uses the familiar Cisco IOS command-line interface. These switches support flow data and analysis, and can also be used for traffic monitoring between systems and networks.
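As an added example (not from the original article or any vendor's documentation), the two virtual "SPAN port" setups described above, Open vSwitch port mirroring and a VMware promiscuous-mode port group, written as a POSIX shell script; the bridge, port and port group names (br0, ids0, span0, IDS-Monitor) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own: the two virtual "SPAN port" setups the
# text describes. Names br0, ids0, span0 and IDS-Monitor are assumed
# placeholders. DRY_RUN=1 prints the commands instead of running them, so the
# plan can be reviewed on a machine without Open vSwitch or esxcli.

# Run one command line, or only print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# Open vSwitch: a single ovs-vsctl transaction creating a Mirror record that
# copies every packet on the bridge (select-all=true) to the port where the
# IDS sensor VM is attached. --id=@ids captures that port's UUID, --id=@m the
# new mirror, and the bridge's mirrors column is pointed at it.
ovs_span_cmd() {
    printf 'ovs-vsctl -- set Bridge %s mirrors=@m -- --id=@ids get Port %s -- --id=@m create Mirror name=%s select-all=true output-port=@ids' "$1" "$2" "$3"
}

# Open vSwitch: remove the mirror again. Copying all traffic costs host CPU, so
# keep it only while the sensor needs it.
ovs_unspan_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors' "$1"
}

# VMware ESXi standard vSwitch: set the port group holding the sensor's vNIC to
# promiscuous mode. The default policy is Reject, so a sensor on an ordinary
# port group sees only frames addressed to itself.
vmware_promisc_cmd() {
    printf 'esxcli network vswitch standard portgroup policy security set -p %s --allow-promiscuous=true' "$1"
}

# Enable OVS mirroring, then list the Mirror table so the operator can confirm
# that select-all and output-port are what was intended.
configure_ovs_span() {
    run_cmd "$(ovs_span_cmd "$1" "$2" "${3:-span0}")"
    run_cmd 'ovs-vsctl list Mirror'
}

# Usage: SPAN_BRIDGE=br0 SPAN_IDS_PORT=ids0 [DRY_RUN=1] sh virtual_span.sh
if [ -n "${SPAN_BRIDGE:-}" ] && [ -n "${SPAN_IDS_PORT:-}" ]; then
    configure_ovs_span "$SPAN_BRIDGE" "$SPAN_IDS_PORT"
fi
```

The VMware and teardown helpers are left as functions so they can be called from the same shell after sourcing the script.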
In addition to redesigning their systems and using more versatile virtual switches, network security experts should look at the open-source and commercial intrusion detection and prevention products packaged as virtual appliances. Many well-known vendors, such as Sourcefire Inc., HP TippingPoint and IBM ISS, have moved their existing IDS and IPS platforms onto virtual appliances. These virtual appliances integrate easily into virtual networks and provide traffic monitoring between virtual machines and between virtual and physical networks.
Today's specialized virtualization security products come from companies such as Reflex Systems LLC, Catbird Networks and HyTrust, which provide basic traffic monitoring and analysis in virtual environments. Although they are not strictly intrusion detection systems, these products add granular traffic monitoring, access control and more security behavior analysis to a more traditional IPS in virtual networks.
There are also free products on the market. Both Snort and the SHADOW intrusion detection system are available free as VMware virtual appliances that connect to VMware virtual environments to monitor and detect intrusion attempts. It is worth mentioning that this unique advantage is one way VMware stays ahead of its rivals.
In addition, some existing host IDS and IPS products have been tested and certified to work in many virtual environments. Check Point Software Technologies Ltd., McAfee and Symantec are representative of the many IPS vendors that support hosts running as virtual guest systems.
Another example is OSSEC HIDS (an open-source host intrusion detection system, now owned by Trend Micro), which has proven to work properly in virtual systems without stability problems. Typically, commercial HIDS and HIPS agents are tested and modified to use fewer resources on virtual systems so as not to overload the hypervisor platform. However, host-based agents still consume considerable resources and require intensive management. Additional scheduling and control capabilities also help ensure that virtual machines are not overloaded during scanning or monitoring.
For many organizations, the key question should be: "How much monitoring do we need?" Monitoring traffic within virtual networks with the existing infrastructure is something most organizations rarely do, and when they do, it is only for specific network segments between systems. But for those who want or need a higher level of intrusion detection and prevention, the good news is that there are plenty of options at both the network and host levels. In any case, as virtualization becomes more prevalent, there is no doubt that virtual IDS and IPS technologies will become more common.
That concludes this introduction to the virtual IDS/IPS security implementation strategy. I hope you have mastered and understood it; we will continue to organize related content and knowledge.