Systems and Application Security
Presentation: Future Predictions of NIDS in the Cloud
SHU - Information Systems Security (SAS)
Chao-Yang Hsu (22033770), Nuwani Siriwardana (21053949), Scott Storey (15038397), Sedthakit Prasanphanich (22037820)

Future Prediction: Network Intrusion Detection System in the cloud


This group presentation is about possible ways of deploying a Network Intrusion Detection System (NIDS) in cloud computing.


Page 2

Outline

• Introduction: deployment strategies
• Challenges of integrating NIDS
• Management of NIDS in the cloud: how many points must the manager keep in account?
• Example of cloud providers in terms of NIDS implementation
• Future prediction
• Summary

Page 3

Introduction - NIDS Deployment

[Diagram: NIDS sensors placed outside the firewall, behind the firewall in the DMZ, and on the intranet]

Behind the firewall:
1. Highlights problems with the network firewall policy.
2. Observes attacks that may target the web servers inside the DMZ.
3. Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from the compromised server.

Outside the firewall:
1. Documents the number and types of attacks originating on the Internet that target your network.

Page 4

NIDS Deployment

[Diagram: NIDS sensor on a critical subnet in front of the EC servers, alongside the DMZ sensor]

On critical subnets or backbones:
1. Detects attacks targeting your critical systems and applications.
2. Allows focusing of limited resources on the network assets considered of greatest value.

Reference: NIST Special Publication on Intrusion Detection Systems

Page 5

NIDS Deployment - Global Organizations

[Diagram: NIDS sensors in London, Chicago and Singapore report to a central point that collects logs and alarms and applies rules or updates signatures]

Page 6

NIDS Deployment - in the Cloud ...

[Diagram: the London, Chicago and Singapore NIDS sensors, now running as virtual machines on a host machine instead of the traditional implementation; labelled "plus Virtualization"]

Page 7

NIDS Deployment - in the Cloud ...

[Diagram: London, Chicago and Singapore NIDS sensors as virtual machines (virtualization), plus on-demand requests from cloud users, pay-per-use, and VM templates]

Page 8

Challenges of integrating NIDS

• Detection techniques
◦ Both signature-based and anomaly-based detection mechanisms have their own strengths and weaknesses.
• The changing face of expanding networks
◦ Virtualization
• Fundamental techniques in the cloud environment
◦ Computation overhead: processing packets in a large or heavily loaded network
◦ Configuration management: rule sets and signature management policies
◦ Information and events management: incident log correlation and reporting
• Application-level and encrypted traffic
◦ HTTP Strict Transport Security becomes an Internet standard (e.g. HTTPS)

Page 9

How to ...
• effectively deploy NIDSs into the cloud?
• manage/operate NIDSs efficiently?

May need another key... new innovations and changes

Page 10

Managing NIDSs in a Cloud . . . . . .

Page 11

[Diagram: three physical servers, each with its own applications, OS and hardware, before virtualization: 5-10% usage, 90-95% not utilized]

Page 12

[Diagram: after virtualization, three guest OS instances with their applications share one hypervisor and one set of hardware]

Page 13

It's important.....
• to deploy virtualization successfully
• to provide the functionality of a Network Intrusion Detection System within a cloud environment

Page 14

Managing an NIDS in a cloud is quite frustrating.
• Number of hosts
• Virtualized environment
• Online security

Page 15

When protecting a cloud using an NIDS...
◦ It is difficult to analyze logs

Page 16

Cloud is a cloud. We cannot exactly trace and keep logs for what is happening inside it.......

Page 17

Online Security

Page 18

The security problems bring much more economic loss in cloud computing than in other kinds of systems.

Hackers are everywhere.

Page 19

Security Issues
• Cloud data confidentiality issue
• Network-based attacks on remote servers
• Cloud security auditing
• Lack of data interoperability standards

Page 20

Finally,

We have to consider,
◦ The size of the cloud: number of hosts and servers inside the cloud
◦ Virtualized environment: challenging to deploy correctly
◦ Online security issues: protecting a virtual implementation is not easy

when we are managing an NIDS within a cloud.....

Page 21

What are the big players doing with IDS in the cloud?

Page 22

Google Cloud

Do Google use an IDS? - Yes, of course they do.

“At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open source and commercial tools for traffic capture and parsing.”

- Security Whitepaper: Google Apps Messaging and Collaboration Products, Google.

Page 23

Google Cloud

No – They explicitly state they protect their own network; they don’t mention your specific instances.

You are effectively outsourcing everything to a 3rd party.

Page 24

Google Cloud

All-out attack on Google?

Not that likely, but it does happen and would probably be noticed.

You would be relatively safe; you are protected by the sheer size of Google. You aren’t a specific target.

Page 25

Google Cloud

Attack on your specific instance?

Would Google notice?

Page 26

Amazon Web Services (AWS)

Do Amazon use an IDS? - Yes, of course they do.

“AWS utilizes automated monitoring systems to provide a high level of service performance and availability. Proactive monitoring is available through a variety of online tools both for internal and external use.” - Amazon Web Services: Overview of Security Processes, Amazon.

Page 27

Amazon Web Services (AWS)

No – Shared Responsibility Environment

Almost the same as Google so far; Amazon will protect their own systems, you look after your instances.

Amazon Responsibilities:
• Host Operating System
• Virtualisation Layer
• Physical Security

Customer Responsibilities:
• Guest Operating System
• Associated Application Software
• Configuration of provided firewall

Page 28

Amazon Web Services (AWS)

The main difference between Amazon and Google? - AWS Marketplace

On AWS Marketplace there are 3 different companies offering IDSs specifically designed for AWS.
◦ Alertlogic
◦ Metaflows
◦ CloudPassage

Page 29

Amazon Web Services (AWS)

The cloud-specific solutions for an IDS in AWS are still really in their infancy.

But they are beginning to target the issues surrounding scaling the IDS and monitoring both cloud systems and traditional on-site systems with the same software.

Page 30

Google & AWS Summary

With Google and AWS you can’t monitor the entire network. You are limited to Host-Based Intrusion Detection Systems.

You have no access to the wider network; you need to leave this to the companies hosting your cloud solution.

A business decision needs to be made about whether this is acceptable for an individual company.

Page 31

Google & AWS Summary

Many SMEs don’t have the resources to implement NIDS effectively, making cloud services an attractive prospect for them.

Larger enterprises can choose to take a blended approach, keeping more business-critical systems in a traditional system where they have more control and outsourcing less critical systems.

Page 32

Prediction Times!
• Fast adaptation rate
• Middleware
• Virtual growth

Page 33

Fast adaptation rate: the faster the better

Page 34

Middleware

Page 35

[Diagram: cloud taxonomy/ontology, with the PaaS layer highlighted]

Picture from: http://www.rationalsurvivability.com/blog/wp-content/media/2009/01/cloudtaxonomyontology_v15.jpg

Page 36

Virtual growth: from normal sensor to mini instance

Page 37

NIDS Deployment - in the Cloud ...

[Diagram: London, Chicago and Singapore NIDS sensors running as virtual machines (virtualization), as on page 7]

Page 38

Centralized Configuration: providing just centralized signatures is not enough!

Page 39

NIDS Deployment - Global Organizations

[Diagram: the global-organization deployment from page 5 (London, Chicago and Singapore NIDS sensors reporting to a central point that collects logs and alarms and applies rules or updates signatures), plus Configuration & Correlation]
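A minimal central manager for the London/Chicago/Singapore deployment sketched on pages 5 and 39, written as an added example rather than anything from the presentation: it reports sensors whose loaded signature set lags the centrally pushed version (the configuration part) and correlates alarms from one source across several sites (the correlation part). Site names, versions, addresses and rule names are constructed samples.

```python
"""Central NIDS manager: regional sensors ship alarms and heartbeats to
one place, which also pushes signature updates. All records below are
constructed samples for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Signature set the central manager most recently distributed (constructed).
CENTRAL_SIGNATURE_VERSION = "2013-03-12"

# Constructed heartbeats: what each regional sensor reports it is running.
SENSOR_STATUS = {
    "London":    {"signature_version": "2013-03-12"},
    "Chicago":   {"signature_version": "2013-03-12"},
    "Singapore": {"signature_version": "2013-02-28"},  # missed the last push
}

# Constructed alarms normalised to a common (site, time, source, rule) shape.
ALARMS = [
    ("London",    "2013-03-13T09:00:05", "203.0.113.7",  "SCAN nmap TCP"),
    ("Chicago",   "2013-03-13T09:02:40", "203.0.113.7",  "SCAN nmap TCP"),
    ("Singapore", "2013-03-13T09:04:10", "203.0.113.7",  "WEB login brute force"),
    ("London",    "2013-03-13T11:30:00", "198.51.100.9", "SCAN nmap TCP"),
    ("Chicago",   "2013-03-13T14:10:00", "198.51.100.9", "SCAN nmap TCP"),
]

def signature_drift(status, central_version):
    """Sites whose loaded signature set differs from the one pushed centrally."""
    return sorted(site for site, s in status.items()
                  if s["signature_version"] != central_version)

def correlate_across_sites(alarms, window_minutes=10, min_sites=2):
    """Sources seen at >= min_sites distinct sites within one time window.
    No single site's sensor can see this pattern; only the central
    collector that holds every site's alarms can."""
    by_src = defaultdict(list)
    for site, ts, src, rule in alarms:
        by_src[src].append((datetime.fromisoformat(ts), site, rule))
    findings = {}
    window = timedelta(minutes=window_minutes)
    for src, events in by_src.items():
        events.sort()
        # slide a window over this source's time-ordered events
        for i, (t0, _, _) in enumerate(events):
            sites = {site for t, site, _ in events[i:] if t - t0 <= window}
            if len(sites) >= min_sites:
                findings[src] = sorted(sites)
                break
    return findings
```

Widening the window (for example to 300 minutes) also catches the slower scan from the second source, which shows why the window is a tuning decision for the central manager rather than for any one sensor.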

Page 40

Summary

Page 41

Thanks

Q&A