Cloud Based IDS and IPS Solutions [Updated 2019]
Defense-In-Depth is a term used to describe the practice of creating a multi-layered defense system within a network. Each layer should be covered by one or more different security controls. This will build towards a secure environment without leaving any gaps that an attacker could leverage to compromise a targeted network.
A well configured and properly placed Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) should not be missing from the array of security controls. An IDS/IPS basically operates by listening passively (IDS) or In-line (IPS) to network traffic and matching this traffic to a ruleset covering suspicious and malicious traffic signatures. An IDS system can alert when a match occurs; an IPS system can also block the traffic (hence the "P" for Prevention).
Learn Cloud Security
This "listening to network traffic" is somewhat more complex within a 3rd party cloud network. There are several options, however; that will make this possible and which therefore will still enable the use of IDS and IPS controls within the cloud environment.
Placement
The two main contributors to the successful deployment and operation of an IDS or IPS are the deployed signatures and the network traffic that flows through it. The network traffic needs to be of interest and relevant to the deployed signatures (why inspect traffic for a known WordPress attack if that service does not exist within the network?). This means the placement of the device is critical. Should the device cover (internet) perimeter or internal subnet-to-subnet traffic for instance?
Traditionally it has been common to place at least one device directly behind the (internet) perimeter firewall (with a broad signature set) and several others between different internal DMZ or LAN segments (with only a narrow, custom signature set to cover potential lateral movement).
A full or hybrid cloud deployment will also require correct device placement to make sure all relevant traffic, including intra-cloud communications, will still be covered.
CSP Services (3rd party)
Most larger Cloud Service Providers (CSP) such as Microsoft and Amazon, offer their own security services as an add-on to their cloud platform products. This often includes services such as IDS and IPS systems on pre-configured Virtual Appliances. Considering the network architecture can be quite flexible and with the added benefits of using a cloud-aware IDS/IPS "device," this could very well be a good solution. Of course, instead, it is also possible to move further towards outsourcing with for instance a SIEM as a Service or a full 3rd party SOC solution.
On the other hand, if a different, more traditional product or more control is required, it is also possible to place a customer owned device in the public cloud and control that via for instance SSH or HTTPS via a management system.
Customer Managed Device
In any case, within a hybrid environment, customer managed IDS/IPS devices are still required to cover local network traffic and traffic between non-cloud WAN sites. The most important location, however, would be between the local and the cloud network termination point (a gateway). This will allow for the inspection of all local traffic to and from the cloud infrastructure, usually containing communications of many critical services. It is also advised to inspect traffic between local network segments and (VPN) WAN sites, to detect and prevent lateral movement of an attacker. Finally, the local internet traffic is usually routed directly out, instead of being routed via a cloud environment, so a well configured IDS/IPS device on that perimeter is essential.
Host Based vs. Network Based
As explained, an IDS/IPS device analyses network traffic flowing through two or more points. This is called a network based IDS/IPS. Another variety of IDS/IPS is the host-based deployment (HIDS/HIPS). This host-based security application analyses traffic flowing through the network interfaces of the monitored (end-point) system. Although used less frequently than a network based IDS because of the complexities of installing and managing the software, it can provide a much more granular (per single host) control of policies where needed. Because of the working of Virtual Machines in most common cloud platforms, there should not be any compatibility issues. An HIDS or HIPS can monitor a virtual NIC the same as a physical NIC. The OS should actually not show any difference between virtual and physical devices to the applications that are installed.
Log and SIEM
Every rule that matches monitored traffic will create a security event. Within a busy network and at busy network egress and ingress points an IDS/IPS system will generate a lot of data. That data will need to be stored and fed into a system that can be used for analysis, such as a SIEM solution.
Depending on the network layout that data collection and storage point could be within the cloud or on-premises inside the customers' own data center. Deciding on the most efficient location is a matter of weighing up where performance is the most important and looking at the pricing model of the cloud platform provider. In any case, it is important to keep in mind that it will consume important bandwidth to get this data out of/into the cloud platform.
Learn Cloud Security
Conclusion
It is not too difficult to design an IDS or IPS solution that is compatible with both a cloud environment and an on-premises network. As mentioned, a well-defined signature set and well thought through the placement of the sensors are key to making an implementation like this work. Probably one of the first decisions to be made, however, is about how much of this system should be covered by the Cloud Service Provider (outsourced) and how much of it will be the responsibility of the customer. This is a matter of weighing up costs and for instance looking at compliance requirements and regulations. That process is no different from any other service that will be or already has been migrated to a cloud platform.
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- Cloud Based IDS and IPS Solutions [Updated 2019]
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security