As enterprises continue to digitally transform their business operations, they are finding themselves with increasingly hybrid — and complex — business technology environments to defend.
To protect the traffic flowing from their traditional data centers — and out into the cloud platforms and software services they’ve heavily invested in — organizations have also invested considerably into protecting inbound and outbound traffic. They’ve invested in such security defenses as:
- Cloud security brokers
- Web application gateways
- Malware analysis, and
- Intrusion detection and prevention systems.
It’s a common view that traffic originating outside of the data center is more dangerous than traffic that flows within it, and while there is some truth to that, it’s most certainly not always so. Some of the most dangerous traffic during the subsequent stages of a breach occurs internally.
Consider what attackers typically do when following the compromise of an endpoint, server, or virtualized workload. When attackers gain such access, one of the first things they do is get in place to compromise the next system they can. The goal of this lateral movement is to gain persistence within the enterprise and discover valuable data and resources.
This is one of the reasons why it’s critical that enterprises and security teams don’t neglect network traffic within the data center — because this is where attackers are going to try to dig in.
Targeting the data center
How do attackers move laterally within the data center? Typically, they will try to use credentials, either those they’ve stolen, found or can crack. Most attackers that use hacking techniques rely on credentials being used at some point during their compromise. Other ways include looking for systems that have out of date software, or perhaps those that are misconfigured — and then exploit those weakness.
With enterprises moving away from monolith applications and increasingly toward distributed applications and even a microservices architecture, intra-data center traffic has grown in both volume and importance. It’s clear that security teams must also inspect their traffic internal to the data center.
IDS/IPS: Past, present and future
One of the most common security tools to do this is intrusion detection and prevention systems (IDS/IPS). These systems monitor network traffic (or host/endpoint traffic for host-based IDS/IPS) to attempt to identify and potentially stop security incidents. When it comes to “preventing” or blocking suspicious activity, organizations can choose to block some types of attacks on certain network segments, log suspicious events, or log and notify security personnel of suspicious events.
Modern IDS/IPS systems do this by using signatures to spot known attack techniques; by learning what normal traffic patterns look like and spotting anomalies, analyzing the state of network protocol activity against known benign activity.
What are some features enterprises should seek when deploying an IDS/IPS in their data center? For starters, there should be a look toward IDS/IPS systems designed for modern enterprise architecture. With legacy IDS/IPS, the difficulty in tuning these systems, the false positives they generate, and the difficulty keeping signatures up to date, make them very labor intensive to manage, and security teams limit their use to the most sensitive network segments.
One of the most important features to seek is a distributed network traffic analysis, so that the analysis is truly integrated with the distributed nature of the modern data center. Ideally, the IDS/IPS wouldn’t force enterprises into forcing traffic back to the centralized appliance — a traffic pattern known as “hair pinning” and one that hurts traffic performance.
Other features should help organizations avoid inspection bottlenecks or single points of failure in their design; offer a wide coverage of network traffic and the ability for the security policy of virtualized workloads to travel with the workload as it moves to other locations.
Deploying IDS/IPS within the data center will help organizations to improve their overall security posture, and to comply with regulatory mandates. Many of these regulations call for monitoring covered assets to ensure data isn’t being maliciously accessed. Further, beyond regulations, it’s critical that organizations monitor their internal data center traffic so that they can protect proprietary information and their most sensitive secrets.
Companies like VMware are offering solutions to address the challenges and needs outlined above. VMware’s NSX Distributed IDS/IPS helps security teams respond more effectively to threats across their data centers with a comprehensive set of detection and prevention capabilities that focus on east-west network traffic.
With such a solution deployed, attackers who manage to compromise an endpoint, server, or virtual machine will then have a much more difficult time moving laterally should they try to do things like brute-force attack user credentials or try to employ exploits. With a properly tuned IDS/IPS, such actions can be stopped, and security teams notified.