Overview of IDS/IPS
The aim of NSX Intrusion Detection and Prevention Service (IDS/IPS) is to monitor network traffic on hosts and edges for malicious activity by comparing it against a known set of signatures.
NSX IDS/IPS monitors network traffic on a host for suspicious activity by comparing the traffic against predefined signatures. Each signature defines a pattern for a specific type of network intrusion that must be detected and reported. When traffic matches a signature, a predetermined action is triggered, such as generating an alert or blocking the traffic from reaching its intended destination.
IDS can be implemented in two ways:
- Knowledge-based (signature) detection: Known signatures describe the malicious instruction sequences to look for, and traffic is detected by matching it against those signatures. This method is therefore limited to attacks that are already known and does not cover zero-day threats.
- Behavior-based detection: In this method, detection is based on observed behavior. The resulting events, called informational or info events, pinpoint unusual activity in the network that is not itself malicious but provides useful context when investigating a breach.
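The two detection methods in the list above, shown as a small added Python example that is not NSX code and is not from the original article: a signature matcher stands in for knowledge-based detection, and a per-source baseline on distinct destination ports stands in for behavior-based detection, both run over constructed flow records. The signature ids, patterns, IP addresses, ports and payloads are all constructed placeholders. The point the code makes is that the source touching twenty ports triggers no signature at all and is surfaced only as an informational event by the behavior-based logic, which is the zero-day gap the text describes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int              # rule id (constructed, not an id from any real ruleset)
    msg: str
    pattern: re.Pattern   # byte pattern searched for in the flow payload
    action: str           # "alert" = detect only (IDS); "drop" = block (IPS)


# Constructed signatures for illustration only; not rules from a real signature set.
SIGNATURES = [
    Signature(9000001, "constructed: directory-traversal style probe",
              re.compile(rb"GET /admin/\.\./"), "alert"),
    Signature(9000002, "constructed: banner of an example tool",
              re.compile(rb"EXAMPLE-TOOL/1\.0"), "drop"),
]

# Constructed flow records: (src_ip, dst_ip, dst_port, payload).
# The trailing group is one source touching twenty different ports; no
# signature above describes that, so only behaviour-based logic can see it.
FLOWS = [
    ("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: app\r\n"),
    ("10.0.0.6", "10.0.1.10", 80, b"GET /admin/../etc HTTP/1.1\r\n"),
    ("10.0.0.7", "10.0.1.10", 80, b"User-Agent: EXAMPLE-TOOL/1.0\r\n"),
] + [("10.0.0.8", "10.0.1.10", port, b"") for port in range(20, 40)]


def signature_scan(flows, signatures=SIGNATURES):
    """Knowledge-based detection.

    Returns one (src_ip, sid, action) tuple per signature hit. Traffic that
    matches no signature produces nothing, which is exactly the zero-day gap.
    """
    hits = []
    for src, _dst, _port, payload in flows:
        for sig in signatures:
            if sig.pattern.search(payload):
                hits.append((src, sig.sid, sig.action))
    return hits


def behaviour_scan(flows, max_distinct_ports=10):
    """Behaviour-based detection.

    Builds a per-source profile (distinct destination ports touched) and
    returns the sources that exceed the baseline. These are informational
    events: the activity is unusual, not proven malicious.
    """
    ports_by_src = {}
    for src, _dst, port, _payload in flows:
        ports_by_src.setdefault(src, set()).add(port)
    return sorted(src for src, ports in ports_by_src.items()
                  if len(ports) > max_distinct_ports)


def detect(flows):
    """Run both methods and return a list of event dicts, signature hits first."""
    events = [{"kind": "signature", "src": src, "sid": sid, "action": action}
              for src, sid, action in signature_scan(flows)]
    events += [{"kind": "info", "src": src, "sid": None, "action": "alert"}
               for src in behaviour_scan(flows)]
    return events


if __name__ == "__main__":
    for event in detect(FLOWS):
        print(event)
```

Running the block prints two signature events (one alert, one drop) and one info event for 10.0.0.8; the info event carries no signature id because no rule was involved, which is why such events are context for an investigation rather than a verdict.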
Pre-requisites:
- To use IDS/IPS on NSX-T, we need a Threat Prevention license. To know more about licenses, check here.
- For IDS/IPS, we make sure the NSX Edge VM is deployed with at least the large form factor.
With the above pre-requisites in place, let's begin the configuration of IDS/IPS.
Configuring/Enabling IDS/IPS
Log in to NSX and navigate to Security –> Policy Management –> IDS/IPS & Malware Prevention.