I'm thinking about the following scenario: deploying one IDS virtual machine, which has two NICs, on each host (XCP). One Nic connect to Guest network (controlled by OpenvSwitch) and one Nic connect to management network to raise alerts. VMs traffic is mirrored to IDS port (via port-mirroring feature on OpenvSwitch). IDS virtual machines are deployed as similar as SystemVMs (SSVM, CPVM, VR) on CloudStack. How do you think, guys?
2013/3/11 Mice Xia <mice_...@tcloudcomputing.com> > The security virtual appliance in this solution has only one NIC, and it > connects to management network in order to communicate with the security > manager center. > (this is a little irrelevant to cloudstack) It intercepts the traffic by > mechanism provided by hypervisors, for xenserver, it co-works with the > kernel module installed on dom0 to capture packages and redirect to SVA. > For VMware it has VMsafe API. > > Regards > Mice > > -----Original Message----- > From: Nguyen Anh Tu [mailto:ng.t...@gmail.com] > Sent: Wednesday, March 06, 2013 12:36 AM > To: cloudstack-dev@incubator.apache.org > Subject: Re: About intergrating IDS/IPS to CloudStack > > Hi Mice, > > As your ElasterShield solution, I see that one hypervisor node has one > ESVA, which acts like Virtual Router. ESVA has one nic connects to Guest > network, one nic connects to Management network. I wonder that how ESVA > listens all network package? It has to talk with hypervisor, isn't it? Or > something likes the "port mirroring" feature on Switch? > > @Mice @Sebastien: One more question, do you know how to deploy one more > SystemVM on CloudStack? Config files for system VMs has to appear somewhere > in source code > > 2013/3/5 Mice Xia <mice_...@tcloudcomputing.com> > > > If you want to use the traditional NIDS, you'll can not know what do > > VMs talk each other because this is virtual network. > > [mice] yes, the drawback of traditional NIDS (deployed in the gateway > > of an enterprise/datacenter) is that it's difficult to provide > > fine-grained protection. Without more appliances, traffics inside the > > datacenter go un-protected. > > > > if you use HIDS on VMs then I don't think it is suitable [mice] for an > > enterprise IT guys can enforce HIDS installed and enabled on each VM; > > but for a public cloud, agentless solution is more preferred. > > > > Another way is that you use IDS/IPS on Virtual Router [mice] VR is an > > option, but considering the complexity of network topology inside an > > enterprise or datacenter, what if users adopt shared network (or > > hybrid network), in this case VR does not work in online mode and > > traffic prevention is impossible. > > > > How about IDS/IPS on Hypervisors > > [mice] almost all hypervisors have some mechanisms to implement > > IDS/IPS (even anti-malware) for VMs, it's agentless and provide > > fine-grained protection for each VM, and that's the solution we are > > integrating with cloudstack now > > > > Regards. > > Mice > > > > -----Original Message----- > > From: Nguyen Anh Tu [mailto:ng.t...@gmail.com] > > Sent: Sunday, March 03, 2013 5:05 PM > > To: cloudstack-dev@incubator.apache.org > > Subject: About intergrating IDS/IPS to CloudStack > > > > I'm interesting in integrate IDS/IPS to CloudStack, but didn't find > > any effective solution. If you want to use the traditional NIDS, > > you'll can not know what do VMs talk each other because this is virtual > network. > > Otherwise, if you use HIDS on VMs then I don't think it is suitable. > > This even affects to performance. Another way is that you use IDS/IPS > > on Virtual Router. It's OK but you know that Virtual Router now has to > > take too many functions. How about IDS/IPS on Hypervisors? How you think? > > > > --- > > > > Nguyen Anh Tu > > > > Cloud Computing Core Dept. > > > > Viettel R&D Institute, Vietnam > > > > > > -- > > N.g.U.y.e.N.A.n.H.t.U > -- N.g.U.y.e.N.A.n.H.t.U
