Intrusion Detection and Prevention System for Scalable VPC Security

Implementing an Intrusion Detection and Prevention System for Scalable VPC Security

Prev Question Next Question

Question

A web company is looking to implement an intrusion detection and prevention system into their deployed VPC.

This platform should have the ability to scale to thousands of instances running inside of the VPC.

How should they architect their solution to achieve these goals?

Answers

A. Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VP.

B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.

C. Configure servers running in the VPC using the host-based ‘route’ commands to send all traffic through the platform to a scalable virtualized IDS/IPS.

D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - D.

Promiscuous mode is not supported in aws hence the options of A is out.

Please find the below developer forums thread on the same.

https://forums.aws.amazon.com/thread.jspa?threadID=35683

Option B would just add an overhead to the infrastructure.

Between Option C and D, an agent would do a better job than the route command.

Please find the below url to a good slide deck from AWS for getting IDS in place.

https://awsmedia.s3.amazonaws.com/SEC402.pdf

The correct answer for this scenario is B - Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.

An intrusion detection and prevention system (IDS/IPS) is a security solution that monitors network traffic for malicious activity and can block or alert on any suspicious traffic. To implement such a system in a VPC, the web company needs to consider scalability and flexibility.

Option A suggests configuring an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VPC. This approach may work for small-scale environments, but it would not scale to thousands of instances, as it would require too much overhead to monitor all traffic across the VPC.

Option C suggests configuring servers running in the VPC using the host-based ‘route' commands to send all traffic through the platform to a scalable virtualized IDS/IPS. This approach would also require significant configuration changes to all servers in the VPC and would not scale well as the number of servers increases.

Option D suggests configuring each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection. This approach may work, but it would require significant overhead to manage and maintain the agents on each host.

Option B, on the other hand, suggests creating a second VPC and routing all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides. This approach allows for scalability and flexibility because it separates the security solution from the primary application VPC and allows the IDS/IPS platform to be scaled independently. This approach also allows for easier management and maintenance of the security solution, as all traffic is routed through the second VPC.

In summary, creating a second VPC and routing all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides is the best approach to implement an intrusion detection and prevention system into a VPC that needs to scale to thousands of instances.

Prev Question Next Question