Following up on last week’s post about Security Information & Event Management (SIEM) devices, I decided to delve a bit deeper into intrusion detection and prevention (IDS/IPS), as it’s one of those technologies that required adaptation to work with virtualization. If you run a virtualized or cloud environment, I’m sad to tell you that unless you recently purchased a virtualization-aware IDS/IPS device, your current device may work perfectly well on the physical network but sees nothing of what is going on inside your VM environment. Why is that? Let me explain…
IPS devices were designed to protect networks from malicious traffic by sitting inline in the traffic path. Based on rules set by the administrator, the IPS looks for anything that does not conform to those rules. An IDS, by contrast, is usually fed from a network tap or span port and can only observe and alert; because the IPS sits in the traffic flow itself, it can thwart an attack by terminating the connection, blocking access to the target, or blocking the source based on user account, IP address or another distinguishing characteristic. IPS devices can also be used to push policy and ruleset changes to other devices such as routers and firewalls, to apply patches, and to strip content such as attachments from e-mail.
Right now we are in the midst of a transformation in IDS/IPS to what we call “NGIPS” or “Next Generation IPS”. These devices inspect application-layer traffic, in particular web application traffic, that legacy devices tend to wave through: malicious content can masquerade as ordinary web traffic, images or audio/video files, so a sensor that only matches on ports and headers never sees it. This is why you are seeing an influx of solutions from manufacturers such as SonicWALL, Sourcefire, Check Point, IBM and so on. We are also finally starting to see these companies leverage hypervisor APIs to develop solutions for virtualized and cloud environments, which makes me a very happy blogger.
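To make the rule-and-action model of the two preceding paragraphs concrete, here is an added example (my own illustration, not code from the post or from any IPS vendor) of a toy inline IPS in Python. Packets are matched against ordered rules, and a match triggers one of the responses listed above (reset the connection, block the target, block the source) or an alert-only verdict of the IDS kind. It also carries one NGIPS-style rule that flags a payload declared as an image but carrying executable bytes. The packet fields, rule names, addresses and magic-byte tables are constructed for illustration.

```python
"""Toy inline IPS: ordered rule matching over parsed packets, with the response
actions an IPS has and an IDS does not (this is example code, not a product)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: str = ""           # authenticated user, if the sensor knows it
    content_type: str = ""   # declared media type of an HTTP body, if any
    payload: bytes = b""     # first bytes of the body


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str   # "alert" (IDS-style), "reset", "block_target", "block_source"


# Constructed magic-byte tables: what a body claiming a given type should start with,
# and prefixes that indicate executable content instead.
IMAGE_MAGIC = {"image/png": b"\x89PNG", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!/")


def masquerading_payload(p: Packet) -> bool:
    """NGIPS-style check: declared image type, but the bytes are executable content."""
    expected = IMAGE_MAGIC.get(p.content_type)
    if expected is None:
        return False
    return not p.payload.startswith(expected) and p.payload.startswith(EXEC_MAGIC)


class InlineIPS:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.blocked_sources: set = set()
        self.blocked_targets: set = set()
        self.log: List[Tuple[str, str, str]] = []   # (rule or reason, src, dst)

    def process(self, p: Packet) -> str:
        """Return 'forward' or 'drop'. Blocklists are consulted first; then the
        first matching rule decides. An 'alert' rule only records, like an IDS."""
        if p.src_ip in self.blocked_sources or p.dst_ip in self.blocked_targets:
            self.log.append(("blocklist", p.src_ip, p.dst_ip))
            return "drop"
        for r in self.rules:
            if r.match(p):
                self.log.append((r.name, p.src_ip, p.dst_ip))
                if r.action == "alert":
                    return "forward"
                if r.action == "block_source":
                    self.blocked_sources.add(p.src_ip)
                elif r.action == "block_target":
                    self.blocked_targets.add(p.dst_ip)
                # "reset" would send a TCP RST on a real device; here every
                # preventive action simply stops this packet.
                return "drop"
        return "forward"


# Constructed ruleset, evaluated in order.
RULES = [
    Rule("telnet-to-server", lambda p: p.dst_port == 23, "reset"),
    Rule("payload-masquerade", masquerading_payload, "block_source"),
    Rule("svc-account-web", lambda p: p.user == "svc_backup" and p.dst_port == 443, "alert"),
]


def demo():
    """Run a constructed packet sequence through the IPS; return verdicts and the engine."""
    ips = InlineIPS(RULES)
    packets = [
        Packet("10.0.0.5", "10.0.1.10", 443, content_type="image/png", payload=b"\x89PNG\r\n\x1a\n"),
        Packet("10.0.0.5", "10.0.1.10", 443, content_type="image/png", payload=b"MZ\x90\x00\x03"),
        Packet("10.0.0.5", "10.0.1.20", 80),                       # source now blocklisted
        Packet("10.0.0.9", "10.0.1.10", 23),                       # telnet: reset
        Packet("10.0.0.9", "10.0.1.10", 443, user="svc_backup"),   # alert only, still forwarded
    ]
    return [ips.process(p) for p in packets], ips


if __name__ == "__main__":
    verdicts, engine = demo()
    print(verdicts)
    for entry in engine.log:
        print(entry)
```

The second packet is the NGIPS case: the HTTP body says `image/png` but begins with a PE header, so the source is blocklisted and its later, otherwise innocuous, packet is dropped too. The last packet shows the difference between an IDS and an IPS verdict on the same rule engine: an `alert` action records the event and lets the traffic through.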
So what can a paravirtualized IPS appliance (one built to use APIs that hook into the hypervisor layer, and so see into every layer of the virtual environment) do that a traditional IPS cannot? Quite simply, these virtualized IPS devices tap into the hypervisor and look for abnormalities not just in inter-VM network traffic, but also in system usage and resource utilization. This means that an unauthorized event, such as the creation of a virtual NIC that connects two adjacent VMs, can be detected, prevented, and recorded on any connected SIEM. Suddenly there is visibility into the underlying workings of a virtual environment, something that until recently was not possible beyond the management information fed into the virtualization platform’s own reporting. Any environment with security requirements needs this kind of visibility into every resource, virtualized or not, that holds business-critical information. But it extends past this as well.
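As an added example of the hypervisor-level policy check described above (my own illustration, not code from the post, from any IPS vendor, or from a real hypervisor API), the following Python evaluates a constructed stream of hypervisor events: it vetoes a virtual NIC that would join a VM to a segment its policy forbids (and so bridge it to adjacent VMs it must not reach), denies inter-VM flows between VMs that share no permitted segment, flags CPU usage that deviates from a per-VM baseline, and renders each finding as a CEF line of the kind a SIEM ingests. The POLICY table, the event schema, the signature IDs and the vendor string are all assumptions.

```python
"""Toy hypervisor-level IPS policy engine (example code, not a product)."""
import json
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy: the segments each VM may attach to, and a CPU baseline per VM.
POLICY = {
    "segments": {"web01": {"dmz"}, "app01": {"dmz", "internal"}, "db01": {"internal"}},
    "cpu_baseline_pct": {"web01": 35, "app01": 50, "db01": 60},
    "cpu_max_deviation_pct": 30,
}


def cef(sig_id: int, name: str, severity: int, **ext) -> str:
    """Minimal CEF record for the SIEM; vendor/product fields are assumed."""
    ext_str = " ".join(f"{k}={v}" for k, v in ext.items())
    return f"CEF:0|Example|vIPS|1.0|{sig_id}|{name}|{severity}|{ext_str}"


@dataclass
class Decision:
    action: str        # "allow" or "deny" (deny = the hypervisor action is vetoed)
    siem: List[str]    # records to forward to the SIEM


def evaluate(event: dict, policy: dict = POLICY) -> Decision:
    """Decide one hypervisor event against the policy."""
    kind = event["type"]
    if kind == "vnic.create":
        vm, seg = event["vm"], event["segment"]
        if seg not in policy["segments"].get(vm, set()):
            # This NIC would join the VM to a segment its policy forbids: veto and report.
            return Decision("deny", [cef(1001, "Unauthorized vNIC", 9,
                                         suser=event.get("actor", "?"), dvchost=vm, cs1=seg)])
        return Decision("allow", [])
    if kind == "flow":
        a, b = event["src_vm"], event["dst_vm"]
        shared = policy["segments"].get(a, set()) & policy["segments"].get(b, set())
        if not shared:
            return Decision("deny", [cef(1002, "Inter-VM flow outside policy", 7, shost=a, dhost=b)])
        return Decision("allow", [])
    if kind == "resource.sample":
        vm, cpu = event["vm"], event["cpu_pct"]
        base = policy["cpu_baseline_pct"].get(vm)
        if base is not None and abs(cpu - base) > policy["cpu_max_deviation_pct"]:
            # Usage anomalies are reported, not blocked: stopping a VM on one
            # metric alone risks an outage, so leave the response to the analyst.
            return Decision("allow", [cef(1003, "Resource deviation", 4, dvchost=vm, cn1=cpu, cn2=base)])
        return Decision("allow", [])
    return Decision("allow", [cef(1999, "Unhandled event type", 1, cs1=kind)])


# Constructed event stream, shaped as JSON lines a hypervisor API might deliver.
SAMPLE_EVENTS = """
{"type": "vnic.create", "vm": "app01", "segment": "internal", "actor": "ops"}
{"type": "vnic.create", "vm": "db01", "segment": "dmz", "actor": "jdoe"}
{"type": "flow", "src_vm": "web01", "dst_vm": "app01", "bytes": 4096}
{"type": "flow", "src_vm": "web01", "dst_vm": "db01", "bytes": 512}
{"type": "resource.sample", "vm": "db01", "cpu_pct": 97}
{"type": "resource.sample", "vm": "web01", "cpu_pct": 40}
"""


def run(stream: str = SAMPLE_EVENTS) -> Tuple[List[str], List[str]]:
    """Evaluate each event in the stream; return per-event actions and SIEM records."""
    actions, siem = [], []
    for line in stream.strip().splitlines():
        d = evaluate(json.loads(line))
        actions.append(d.action)
        siem.extend(d.siem)
    return actions, siem


if __name__ == "__main__":
    acts, records = run()
    print(acts)
    print("\n".join(records))
```

The second event is the case from the paragraph above: a NIC that would put `db01` on the DMZ, next to `web01`, is vetoed and the actor who requested it lands in the SIEM record. The resource sample for `db01` only raises an alert; the split between what is blocked and what is merely reported is a policy choice, and the code keeps it explicit per event type.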
As cloud and virtualized environments become more distributed and shared, the ability to verify that VMs are protected by an IPS (among other security controls) is paramount, not just for proving to the auditors that your resources are protected, but for ensuring, from an internal visibility perspective, that all network traffic and inter-VM behaviour can be monitored. This aids in assessing your current security posture, and it also provides the record you will need for forensic analysis should a security or network incident occur.