Systems and Application Security
Presentation: Future Predictions of NIDS in the Cloud
SHU - Information Systems Security (SAS)
Chao-Yang Hsu (22033770)
Nuwani Siriwardana (21053949)
Scott Storey (15038397)
Sedthakit Prasanphanich (22037820)
Outline
• Introduction - Deployment Strategies
• Challenges of integrating NIDS
• Management of NIDS in the cloud: how many points does the manager have to take into account?
• Example of cloud providers in terms of NIDS implementation
• Future Prediction
• Summary
Introduction - NIDS Deployment
Figure: NIDS sensor placements around a DMZ, between the Internet and the Intranet.
Behind the Firewall:
1. Highlights problems with the network firewall policy.
2. Observes attacks that may target the web servers inside the DMZ.
3. Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from the compromised server.
Outside the Firewall:
1. Documents the number and types of attacks originating on the Internet that target your network.
NIDS Deployment
Figure: NIDS sensor on the critical subnet hosting the EC servers, alongside the DMZ.
On critical subnets or backbones:
1. Detects attacks targeting your critical systems and applications.
2. Allows focusing of limited resources on the network assets considered of greatest value.
Reference: NIST Special Publication on Intrusion Detection Systems
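The third point of the "behind the firewall" placement is worth making concrete: even when the inbound exploit is missed, a DMZ web server that starts opening connections of its own gives itself away. The following is an added example (it is not part of the slides or of any vendor's product): a check run over constructed connection records, with the convention that `src` is the side that opened the connection. The address ranges, the allow-list of expected server-initiated flows and the log format are all assumptions made for the example.

```python
"""Egress check for DMZ web servers over constructed connection records.

Added example (not from the slides). A sensor behind the firewall sees the DMZ
segment. A web server there should only *accept* HTTP/HTTPS and only *initiate*
a few known flows (resolvers, the internal database). Any other connection that a
DMZ host initiates is the kind of outgoing traffic from a compromised server that
the slide says the IDS can still catch.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network plan: all prefixes and ports are assumptions for this example.
DMZ = ipaddress.ip_network("203.0.113.0/24")       # DMZ web servers
INTRANET = ipaddress.ip_network("10.0.0.0/8")      # internal networks behind the DMZ
EGRESS_ALLOW = [                                   # flows a DMZ server may initiate
    (ipaddress.ip_network("10.0.53.0/24"), 53),    # internal resolvers
    (ipaddress.ip_network("10.0.20.0/24"), 5432),  # internal database tier
]


@dataclass(frozen=True)
class Conn:
    src: str      # initiator of the connection
    sport: int
    dst: str      # responder
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse 'src sport dst dport proto' lines (constructed format) into Conn records."""
    conns = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto = line.split()
        conns.append(Conn(src, int(sport), dst, int(dport), proto.lower()))
    return conns


def classify_egress(conn):
    """Return None if a connection is expected, else a reason string.

    Only connections *initiated* by a DMZ host are examined; client sessions
    arriving at the web servers are not egress and are ignored."""
    src, dst = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
    if src not in DMZ:
        return None
    if any(dst in net and conn.dport == port for net, port in EGRESS_ALLOW):
        return None                                 # on the allow-list
    if dst in DMZ:
        return "dmz-internal"                       # DMZ host talking to another DMZ host
    if dst in INTRANET:
        return "lateral-to-intranet"                # DMZ host reaching into the intranet
    return "internet-egress"                        # DMZ host calling out to the Internet


def suspicious_egress(conns):
    """All DMZ-initiated connections that are not expected, each with its reason."""
    findings = []
    for conn in conns:
        reason = classify_egress(conn)
        if reason is not None:
            findings.append((conn, reason))
    return findings


# Constructed sample: one normal client session, two allowed server flows,
# and three connections a DMZ web server has no business initiating.
SAMPLE_LOG = """
198.51.100.7 51234 203.0.113.10 443 tcp
203.0.113.10 40001 10.0.53.5 53 udp
203.0.113.10 40002 10.0.20.8 5432 tcp
203.0.113.10 40003 198.51.100.200 4444 tcp
203.0.113.11 40004 10.0.5.9 445 tcp
203.0.113.12 40005 203.0.113.13 22 tcp
"""

if __name__ == "__main__":
    for conn, reason in suspicious_egress(parse_conn_log(SAMPLE_LOG)):
        print(f"{reason:20s} {conn.src}:{conn.sport} -> {conn.dst}:{conn.dport}/{conn.proto}")
```

The check deliberately says nothing about what the inbound attack looked like; it only needs the DMZ's expected behaviour, which is why it still fires when the exploit itself had no signature.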
NIDS Deployment - Global Organizations
Figure: NIDS sensors at the London, Chicago and Singapore sites report to a central point that collects logs and alarms and pushes rule changes and signature updates back to each sensor.
NIDS Deployment - in the Cloud ...
Figure: the same three sites (London, Chicago, Singapore) plus virtualization: each NIDS sensor runs as one of several virtual machines on a host machine, in contrast to the traditional implementation on dedicated hardware.
NIDS Deployment - in the Cloud ...
Figure: the same three sites, with virtualization plus on-demand requests from cloud users: pay-per-use NIDS instances created from VM templates.
Challenges of integrating NIDS
Detection Techniques
◦ Both signature-based and anomaly-based detection mechanisms have their own strengths and weaknesses.
The Changing Face of Expanding Networks
◦ Virtualization: a fundamental technique in cloud environments
◦ Computation Overhead: processing packets in a large or heavily loaded network
◦ Configuration Management: rule set and signature management policies
◦ Information and Events Management: incident log correlation and reporting
Application Level and Encrypted Traffic
◦ HTTP Strict Transport Security (HSTS) has become an Internet standard, so more web traffic is HTTPS and its payload is opaque to the sensor.
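Encrypted traffic does not leave a sensor completely blind. The TLS ClientHello that opens each HTTPS session is sent in the clear, and its Server Name Indication (SNI) extension names the host the client is asking for. The block below is an added example, not part of the slides or of any NIDS product: `build_client_hello` constructs test records (they are not captured traffic), `extract_sni` is the parser a sensor would run on the first bytes of a TLS session, and the watchlist policy is an assumption made for the example. It also handles the cases a sensor meets in practice: a non-handshake record, a truncated record, and a hello without SNI.

```python
"""What a sensor still sees in HTTPS: the Server Name Indication (SNI).

Added example (not from the slides). Payload signatures stop matching once
traffic is HTTPS, but the ClientHello is unencrypted and its SNI extension
(type 0x0000) carries the requested host name.
"""
import struct


def build_client_hello(hostname=None):
    """Construct a minimal ClientHello record for testing (not real client output).
    hostname=None omits the SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry           # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    exts += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"        # supported_versions: TLS 1.3
    body = (b"\x03\x03" + b"\x11" * 32                             # client_version, random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"           # two cipher suites
            + b"\x01\x00"                                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if the
    record is not a ClientHello, is truncated, or carries no SNI extension."""
    try:
        if record[0] != 0x16:                       # ContentType 22 = handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:      # truncated, or not client_hello
            return None
        pos = 4 + 2 + 32                            # handshake header, version, random
        pos += 1 + hs[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        if pos + 2 > len(hs):
            return None                             # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                      # host_name
                    return data[p:p + nlen].decode("ascii")
                p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_watchlist_hits(records, watchlist):
    """Sensor-side policy: which ClientHellos name a watch-listed domain or subdomain?"""
    hits = []
    for rec in records:
        host = extract_sni(rec)
        if host and any(host == w or host.endswith("." + w) for w in watchlist):
            hits.append(host)
    return hits


# Constructed traffic: two hellos with SNI, one without, and one application-data record.
SAMPLE_RECORDS = [
    build_client_hello("www.example.com"),
    build_client_hello("cdn.bad.example"),
    build_client_hello(None),
    b"\x17\x03\x03\x00\x05hello",                  # ContentType 23 = application data
]
WATCHLIST = {"bad.example"}                        # assumed policy for the example

if __name__ == "__main__":
    print([extract_sni(r) for r in SAMPLE_RECORDS])        # ['www.example.com', 'cdn.bad.example', None, None]
    print(sni_watchlist_hits(SAMPLE_RECORDS, WATCHLIST))   # ['cdn.bad.example']
```

SNI gives a sensor the destination host, not the request; URL- or content-level signatures for HTTPS still need a termination point (a proxy or the host itself) in front of the traffic.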
How to ...
◦ effectively deploy NIDSs into the cloud?
◦ manage/operate NIDSs efficiently?
Answering these may need another key: new innovations and changes.
Managing NIDSs in a Cloud ...
Figure: three physical servers, each a stack of Applications / OS / Hardware, typically at 5-10 % usage with 90-95 % not utilized. Under virtualization the stacks become Applications / Guest OS running on a hypervisor over shared hardware.
It's Important ...
◦ to deploy virtualization successfully, and
◦ to provide the functionality of a Network Intrusion Detection System within a cloud environment.
Managing an NIDS in a cloud is quite frustrating, because of:
◦ the number of hosts
◦ the virtualized environment
◦ online security
When protecting a cloud using an NIDS ...
◦ It is difficult to analyze logs.
A cloud is a cloud: we cannot exactly trace and keep logs of what is happening inside it.
Online Security
Security problems cause much more economic loss in cloud computing than in other kinds of systems.
Hackers are everywhere.
Security Issues
◦ Cloud data confidentiality
◦ Network-based attacks on remote servers
◦ Cloud security auditing
◦ Lack of data interoperability standards
Finally, when we are managing an NIDS within a cloud, we have to consider:
◦ The size of the cloud: the number of hosts and servers inside it
◦ The virtualized environment: challenging to deploy correctly
◦ Online security issues: protecting a virtual implementation is not easy
What are the big players doing with IDS in the cloud?
Google Cloud
Do Google use an IDS? - Yes, of course they do.
“At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open source and commercial tools for traffic capture and parsing.”
- Security Whitepaper: Google Apps Messaging and Collaboration Products, Google.
Google Cloud
Does that protect your instances? No – they explicitly state that they protect their own network; they don't mention your specific instances.
You are effectively outsourcing everything to a third party.
Google Cloud
All-out attack on Google?
Not that likely, but it does happen and would probably be noticed.
You would be relatively safe: you are protected by the sheer size of Google, and you aren't a specific target.
Google Cloud
Attack on your specific instance?
Would Google notice?
Amazon Web Services (AWS)
Do Amazon use an IDS? - Yes, of course they do.
“AWS utilizes automated monitoring systems to provide a high level of service performance and availability. Proactive monitoring is available through a variety of online tools both for internal and external use.” - Amazon Web Services: Overview of Security Processes, Amazon.
Amazon Web Services (AWS)
Does that protect your instances? No – Shared Responsibility Environment
Almost the same as Google so far: Amazon will protect their own systems, you look after your instances.
Amazon Responsibilities:
• Host Operating System
• Virtualisation Layer
• Physical Security
Customer Responsibilities:
• Guest Operating System
• Associated Application Software
• Configuration of the provided firewall
Amazon Web Services (AWS)
The main difference between Amazon and Google? - AWS Marketplace
On AWS Marketplace there are 3 different companies offering IDSs specifically designed for AWS:
◦ Alertlogic
◦ Metaflows
◦ CloudPassage
Amazon Web Services (AWS)
The cloud-specific solutions for an IDS in AWS are still in their infancy.
But they are beginning to target the issues surrounding scaling the IDS and monitoring both cloud systems and traditional on site systems with the same software.
Google & AWS Summary
With Google and AWS you can't monitor the entire network, because the provider does not expose its underlying network to tenants: you are limited to Host-Based Intrusion Detection Systems running inside your own instances.
You have no access to the wider network; you need to leave this to the companies hosting your cloud solution.
A business decision needs to be made about if this is acceptable for an individual company.
Google & AWS Summary
Many SMEs don't have the resources to implement NIDS effectively, making cloud services an attractive prospect for them.
Larger enterprises can choose to take a blended approach, keeping more business-critical systems in a traditional environment where they have more control and outsourcing less critical systems.
Prediction Times!
• Fast Adaptation Rate
• Middleware
• Virtual Growth
Fast Adaptation Rate
The faster, the better.
Middleware
Figure: cloud taxonomy and ontology, with the middleware layer at PaaS.
Picture from: http://www.rationalsurvivability.com/blog/wp-content/media/2009/01/cloudtaxonomyontology_v15.jpg
Virtual Growth
From a normal sensor to a mini instance.
Figure: the virtualized three-site (London, Chicago, Singapore) NIDS deployment shown earlier.
Centralized Configuration
Providing just centralized signatures is not enough!
Figure: the global-organization deployment shown earlier (London, Chicago and Singapore sensors; collecting logs and alarms, applying rules or updating signatures), plus configuration & correlation.
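The two management challenges named earlier (Configuration Management: rule set and signature policies; Information and Events Management: incident log correlation) and this prediction point to the same gap: a central console that only distributes signatures neither notices a sensor that has fallen behind nor sees that one source is hitting several sites. The following is an added example, not part of the slides or of any product: alert lines in Snort's "fast" alert format from three constructed sensor reports (the SIDs are in the local 1000000+ range, the addresses are documentation ranges, and the ruleset versions are assumed date strings) are parsed, de-duplicated per site and correlated by source address, and sensors with stale rulesets are listed.

```python
"""Cross-site alert correlation plus a ruleset-version check.

Added example (not from the slides). Three sensors send back alerts in Snort
"fast" format together with the version of the ruleset they are running.
"""
import re
from collections import defaultdict

# Constructed sensor reports: (site, ruleset_version, alert lines). SIDs, addresses
# and versions are made up for this example; versions are ISO dates so string
# comparison orders them correctly.
SENSOR_REPORTS = [
    ("London", "2013-02-01", [
        "02/01-09:15:03.120001  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.77:51000 -> 10.1.1.5:22",
        "02/01-09:15:04.000002  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.77:51001 -> 10.1.1.5:22",
    ]),
    ("Chicago", "2013-02-01", [
        "02/01-09:16:11.300003  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.77:52000 -> 10.2.1.5:22",
        "02/01-09:20:40.000004  [**] [1:1000002:1] LOCAL web scanner UA [**] [Priority: 3] {TCP} 192.0.2.9:40000 -> 10.2.1.80:80",
    ]),
    ("Singapore", "2013-01-15", [
        "02/01-09:18:55.500005  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.77:53000 -> 10.3.1.5:22",
    ]),
]

# Snort "fast" alert layout: timestamp [**] [gid:sid:rev] msg [**] [...] {proto} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None


def correlate(reports, min_sites=2):
    """Sources seen at >= min_sites sites, as {src: {"sites", "sids", "count"}}.

    Within one site, repeated firings of the same signature on the same
    (src, dst) pair are counted once, so a noisy sensor does not dominate."""
    by_src = defaultdict(lambda: {"sites": set(), "sids": set(), "count": 0})
    for site, _version, lines in reports:
        seen = set()
        for line in lines:
            alert = parse_fast_alert(line)
            if alert is None:
                continue
            key = (alert["sid"], alert["src"], alert["dst"])
            if key in seen:
                continue
            seen.add(key)
            rec = by_src[alert["src"]]
            rec["sites"].add(site)
            rec["sids"].add(alert["sid"])
            rec["count"] += 1
    return {
        src: {"sites": sorted(r["sites"]), "sids": sorted(r["sids"]), "count": r["count"]}
        for src, r in by_src.items()
        if len(r["sites"]) >= min_sites
    }


def stale_sensors(reports):
    """Sites whose ruleset version lags the newest version reported by any sensor."""
    newest = max(version for _site, version, _lines in reports)
    return sorted(site for site, version, _lines in reports if version < newest)


if __name__ == "__main__":
    for src, info in correlate(SENSOR_REPORTS).items():
        print(f"{src} seen at {', '.join(info['sites'])} (sids {info['sids']}, {info['count']} alerts)")
    print("stale rulesets:", stale_sensors(SENSOR_REPORTS))
```

No single sensor in the sample has enough to call the SSH activity a campaign; only the central view does, and only the version check reveals that Singapore would miss anything added to the ruleset after mid-January.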
Summary
Thanks
Q&A