Cloud Based IDS and IPS Solutions [Updated 2018]

Defense-In-Depth is a term used to describe the practice of creating a multi-layered defense system within a network. Each layer should be covered by one or more different security controls. This will build towards a secure environment without leaving any gaps that an attacker could leverage to compromise a targeted network.

A well-configured and properly placed Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) should not be missing from the array of security controls. An IDS/IPS basically operates by listening passively (IDS) or in-line (IPS) to network traffic and matching this traffic against a ruleset covering suspicious and malicious traffic signatures. An IDS can alert when a match occurs; an IPS can also block the traffic (hence the “P” for Prevention).

This “listening to network traffic” is somewhat more complex within a 3rd party cloud network. There are, however, several options that make this possible and therefore still enable the use of IDS and IPS controls within a cloud environment.

The two main contributors to the successful deployment and operation of an IDS or IPS are the deployed signatures and the network traffic that flows through it. The network traffic needs to be of interest and relevant to the deployed signatures (why inspect traffic for a known WordPress attack if that service does not exist within the network?). This means the placement of the device is critical. Should the device cover (internet) perimeter or internal subnet-to-subnet traffic for instance?

Traditionally it has been common to place at least one device directly behind the (internet) perimeter firewall (with a broad signature set) and several others between different internal DMZ or LAN segments (with only a narrow, custom signature set to cover potential lateral movement).
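To make the alert-versus-block distinction and the placement argument concrete, here is an added example (not code from the original post or from any IDS product) of a minimal signature-matching engine run over a few constructed flow records. It assumes a simplified flow format and two hypothetical rulesets: a broad "perimeter" set and a narrow "internal" set tuned for lateral movement, as described above.

```python
import re
from dataclasses import dataclass

# Constructed flow records for the example: (src, dst, dst_port, payload).
# The first two represent internet-to-DMZ web traffic, the last two internal
# subnet-to-subnet traffic.
FLOWS = [
    ("203.0.113.5", "10.0.1.10", 80, "GET /wp-login.php HTTP/1.1"),
    ("203.0.113.5", "10.0.1.10", 80, "GET /index.html HTTP/1.1"),
    ("10.0.2.20", "10.0.3.30", 445, "SMB2 TREE_CONNECT \\\\10.0.3.30\\ADMIN$"),
    ("10.0.2.20", "10.0.3.30", 443, "TLS ClientHello"),
]

@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dst_port: int
    pattern: str   # regex matched against the payload
    action: str    # "alert" or "drop"; "drop" is only honoured in IPS mode

# Hypothetical broad perimeter set versus narrow internal set.
PERIMETER_RULES = [
    Signature(1001, "WordPress login probe", 80, r"/wp-login\.php", "alert"),
    Signature(1002, "phpMyAdmin path scan", 80, r"/phpmyadmin", "alert"),
]
INTERNAL_RULES = [
    Signature(2001, "Admin share access (lateral movement)", 445, r"\\ADMIN\$", "drop"),
]

def inspect(flows, rules, mode="ids"):
    """Match every flow against the ruleset.

    Returns (alerts, forwarded). alerts is a list of (sid, msg, src, dst);
    forwarded is the list of flows that continue on. A passive IDS (mode="ids")
    forwards everything because it only sees a copy of the traffic; an in-line
    IPS (mode="ips") drops a flow when a matching rule's action is "drop".
    """
    alerts, forwarded = [], []
    for src, dst, port, payload in flows:
        blocked = False
        for rule in rules:
            if rule.dst_port == port and re.search(rule.pattern, payload):
                alerts.append((rule.sid, rule.msg, src, dst))
                if mode == "ips" and rule.action == "drop":
                    blocked = True
        if not blocked:
            forwarded.append((src, dst, port, payload))
    return alerts, forwarded
```

Running the perimeter ruleset over the internal flows produces no alerts at all, which is the placement point: a signature set only pays off where the traffic it describes can actually occur.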

A full or hybrid cloud deployment will also require (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Frank Siemons. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/vkI7dCt-tjg/