OpenStack Summit May 2015 Vancouver

Administrators use Intrusion Detection Systems (IDS) to alert when hackers attack their systems. These tools have been very effective in traditional networks. But running an IDS "as-a-service" in OpenStack is a relatively unexplored topic and interesting questions arise:


--How does one configure an IDS within a softwae defined network?

--Do popular open source systems like Snort or Bro scale when monitoring many virtual machiness?

--And what happens to the hypervisor's performance when an IDS is busy monitoring logs and traffic?

This talk will discuss current work that engages these questions. In this instance, the IDS is run on a separate machine than the hypervisor, so processing network traffic does not degrade performance. We will show the virtual network that accomplishes this and point to future directions. We will also discuss the benefits of running a host-based IDS such as OSSEC to detect hypervisor break-ins.