

Building an intrusion detection and prevention system for the cloud

An intrusion detection and prevention system for cloud services is an important part of an enterprise's security stature. Expert Frank Siemons discusses IDS/IPS in the cloud.

Defense in depth is the practice of creating a multilayered defense system within a network. Each layer should be covered by one or more different security controls. This builds a more secure environment, without leaving gaps that an attacker could leverage to compromise a targeted network.

A well-configured and properly placed intrusion detection system (IDS) or intrusion prevention system (IPS) should not be missing from the array of security controls. These security products operate by listening passively (intrusion detection) or in-line (intrusion prevention) to network traffic and matching this traffic to a rule set covering suspicious and malicious traffic signatures. An intrusion detection system can alert you when a match occurs; an intrusion prevention system can also block the traffic, hence the P, for prevention.

Listening to network traffic is somewhat more complex within a third-party cloud network. Several options, however, make this possible and therefore still allow intrusion detection and intrusion prevention controls to be used within the cloud environment.

Device placement in an intrusion detection and prevention system

The two main contributors to the successful deployment and operation of an intrusion detection and prevention system are the deployed signatures and the network traffic that flows through them. The network traffic needs to be of interest and relevant to the deployed signatures. Why inspect traffic for a known WordPress attack if that service does not exist within the network? This means the placement of the device is critical. For instance, should the device cover internet perimeter or internal subnet-to-subnet traffic?

Traditionally, it has been common to place at least one device directly behind the internet perimeter firewall with a broad signature set and to place several others between different internal DMZ or LAN segments, with only a narrow, custom signature set to cover potential lateral movement.

A full or hybrid cloud deployment will also require correct device placement to make sure all the relevant traffic, including intracloud communications, will still be covered.

Third-party cloud service provider services

Most large cloud service providers, such as Microsoft and Amazon, offer their own security services as add-ons to their cloud platform products. This often includes services such as intrusion detection and prevention systems on preconfigured virtual appliances. The network architecture can be quite flexible, and has the added benefit of using a cloud-aware intrusion detection and prevention device, so this could be a good option for enterprises.

Of course, it is also possible to move further towards outsourcing with offerings like security information and event management (SIEM) as a service or a full third-party security operations center.

On the other hand, if a different, more traditional product or more control is required, it is also possible to place a customer-owned device in the public cloud and to control that with SSH or HTTPS via a management system.

Customer-managed devices

Within a hybrid cloud environment, customer-managed intrusion detection and prevention system devices are still required to cover local network traffic and traffic between noncloud WAN sites.

The most important location, however, is a gateway between the local and the cloud network termination points. This will allow for the inspection of all local traffic to and from the cloud infrastructure, usually containing communications pertaining to many critical services. It is also advised to inspect traffic between local network segments and VPN or WAN sites to detect and prevent lateral movement by an attacker.

Finally, local internet traffic is usually routed directly out, instead of being routed via a cloud environment, so a well-configured intrusion detection and prevention system device on that perimeter is essential.

Log and SIEM

Every rule that matches monitored traffic will create a security event. Within a busy network and at busy network egress and ingress points, an intrusion detection and prevention system will generate a lot of data. That data will need to be stored and fed into a system that can be used for analysis, such as a SIEM.
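As an added illustration (not from the article), a small Python model of the points made above: each sensor loads only the signatures relevant to the services in the segment it covers, an IDS-mode sensor alerts while an IPS-mode sensor also drops, and every rule match becomes one event for the SIEM. All rule ids, sensor names and traffic samples are constructed.

```python
"""Toy model of the article's argument: per-placement signature scoping, IDS alert vs IPS drop, one SIEM event per match."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    sid: int
    msg: str
    dport: int
    content: bytes     # byte pattern the signature looks for in the payload
    service: str = ""  # service the signature is about; "" = relevant on any segment

@dataclass
class Sensor:
    name: str
    mode: str               # "ids" alerts only; "ips" alerts and drops
    services_present: set   # services actually reachable in the segment this sensor covers
    rules: list = field(default_factory=list)
    def load(self, ruleset):
        # Keep only signatures relevant to this placement: no WordPress rules where there is no WordPress.
        self.rules = [r for r in ruleset if not r.service or r.service in self.services_present]
    def inspect(self, flow):
        """Return (verdict, events); every matching rule yields one event for the SIEM."""
        events = [{"sensor": self.name, "sid": r.sid, "msg": r.msg, "src": flow["src"]}
                  for r in self.rules if flow["dport"] == r.dport and r.content in flow["payload"]]
        verdict = "drop" if events and self.mode == "ips" else "pass"
        return verdict, events

RULESET = [  # constructed rule set; sids in the local 1000000+ range, not real vendor signatures
    Rule(1000001, "WordPress login brute force", 80, b"/wp-login.php", "wordpress"),
    Rule(1000002, "SMB admin share access (lateral movement)", 445, b"ADMIN$", "smb"),
    Rule(1000003, "HTTP directory traversal", 80, b"../../etc/passwd"),
]

def run_demo():
    """Push constructed flows through two sensors; return per-flow verdicts and the SIEM event feed."""
    perimeter = Sensor("perimeter", "ids", {"wordpress"})  # broad set behind the internet firewall
    gateway = Sensor("cloud-gateway", "ips", {"smb"})      # narrow set on the local-to-cloud link
    for sensor in (perimeter, gateway):
        sensor.load(RULESET)
    flows = [  # constructed sample traffic: (sensor that sees it, flow record)
        (perimeter, {"src": "203.0.113.5", "dport": 80, "payload": b"POST /wp-login.php HTTP/1.1"}),
        (perimeter, {"src": "203.0.113.9", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"}),
        (gateway, {"src": "10.0.1.20", "dport": 445, "payload": b"\\\\fileserver\\ADMIN$"}),
        (gateway, {"src": "10.0.1.20", "dport": 80, "payload": b"POST /wp-login.php HTTP/1.1"}),
    ]
    verdicts, siem = [], []
    for sensor, flow in flows:
        verdict, events = sensor.inspect(flow)
        verdicts.append((sensor.name, verdict))
        siem.extend(events)
    return verdicts, siem
```

The fourth flow shows the scoping effect: the same WordPress login attempt that raises an event at the perimeter is ignored at the cloud gateway, where no WordPress rule was loaded.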

Depending on the network layout, that data collection and storage point could be in the cloud or on-premises, inside the customer's own data center. Deciding on the most efficient location is a matter of weighing where performance is most important and looking at the pricing model of the cloud platform provider. In any case, it is important to keep in mind that getting this data out of and into the cloud platform will consume significant bandwidth.


It is not too difficult to design an intrusion detection and prevention system that is compatible with both a cloud environment and an on-premises network. As mentioned, a well-defined signature set and well-thought-out sensor placement are key to making an implementation like this work.

Probably one of the first decisions to be made, however, is how much of this system should be outsourced to the cloud service provider and how much of it will be the customer's responsibility. This is a matter of weighing costs and looking at compliance requirements and regulations. That process is no different from any other service that will be or already has been migrated to a cloud platform.
