Cloud Based IDS and IPS Solutions [Updated 2019]
Defense-In-Depth is a term used to describe the practice of creating a multi-layered defense system within a network. Each layer should be covered by one or more different security controls. This will build towards a secure environment without leaving any gaps that an attacker could leverage to compromise a targeted network.
A well configured and properly placed Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) should not be missing from the array of security controls. An IDS/IPS basically operates by listening passively (IDS) or In-line (IPS) to network traffic and matching this traffic to a ruleset covering suspicious and malicious traffic signatures. An IDS system can alert when a match occurs; an IPS system can also block the traffic (hence the “P” for Prevention).
This “listening to network traffic” is somewhat more complex within a 3rd party cloud network. There are several options, however; that will make this possible and which therefore will still enable the use of IDS and IPS controls within the cloud environment.
The two main contributors to the successful deployment and operation of an IDS or IPS are the deployed signatures and the network traffic that flows through it. The network traffic needs to be of interest and relevant to the deployed signatures (why inspect traffic for a known WordPress attack if that service does not exist within the network?). This means the placement of the device is critical. Should the device cover (internet) perimeter or internal subnet-to-subnet traffic for instance?
Traditionally it has been common to place at least one device directly behind the (internet) perimeter firewall (with a broad signature set) and several others between different internal DMZ or LAN segments (with only a narrow, custom signature set to cover potential lateral movement).
A full or hybrid cloud deployment will also require correct device placement to make sure all relevant traffic, including intra-cloud communications, will still be covered.
CSP Services (3rd party)
Most larger Cloud Service Providers (CSP) such as Microsoft and Amazon, offer their own security services as an add-on to their cloud platform products. This often includes services such as IDS and IPS systems on pre-configured Virtual Appliances. Considering the network architecture can be quite flexible and with the added benefits of using a cloud-aware IDS/IPS “device,” this could very well be a good solution. Of course, instead, it is also possible to move further towards outsourcing with for instance a SIEM as a Service or a full 3rd party SOC solution.
On the other hand, if a different, more traditional product or more control is required, it is also possible to place a customer owned device in the public cloud and control that via for instance SSH or HTTPS via a management system.
Customer Managed Device
In any case, within a hybrid environment, customer managed IDS/IPS devices are still required to cover local network traffic and traffic between non-cloud WAN sites. The most important location, however, would be between the local and the cloud network termination point (a gateway). This will allow for the inspection of all local traffic to and from the cloud infrastructure, usually containing communications of many critical services. It is also advised to inspect traffic between local network segments and (VPN) WAN sites, to detect and prevent lateral movement of an attacker. Finally, the local internet traffic is usually routed directly out, instead of being routed via a cloud environment, so a well configured IDS/IPS device on that perimeter is essential.
Host Based vs. Network Based
As explained, an IDS/IPS device analyses network traffic flowing through two or more points. This is called a network based IDS/IPS. Another variety of IDS/IPS is the host-based deployment (HIDS/HIPS). This host-based security application analyses traffic flowing through the network interfaces of the monitored (end-point) system. Although used less frequently than a network based IDS because of the complexities of installing and managing the software, it can provide a much more granular (per single host) control of policies where needed. Because of the working of Virtual Machines in most common cloud platforms, there should not be any compatibility issues. An HIDS or HIPS can monitor a virtual NIC the same as a physical NIC. The OS should actually not show any difference between virtual and physical devices to the applications that are installed.
Log and SIEM
Every rule that matches monitored traffic will create a security event. Within a busy network and at busy network egress and ingress points an IDS/IPS system will generate a lot of data. That data will need to be stored and fed into a system that can be used for analysis, such as a SIEM solution.
Depending on the network layout that data collection and storage point could be within the cloud or on-premises inside the customers’ own data center. Deciding on the most efficient location is a matter of weighing up where performance is the most important and looking at the pricing model of the cloud platform provider. In any case, it is important to keep in mind that it will consume important bandwidth to get this data out of/into the cloud platform.
It is not too difficult to design an IDS or IPS solution that is compatible with both a cloud environment and an on-premises network. As mentioned, a well-defined signature set and well thought through the placement of the sensors are key to making an implementation like this work. Probably one of the first decisions to be made, however, is about how much of this system should be covered by the Cloud Service Provider (outsourced) and how much of it will be the responsibility of the customer. This is a matter of weighing up costs and for instance looking at compliance requirements and regulations. That process is no different from any other service that will be or already has been migrated to a cloud platform.