How to Implement HIDS in the Cloud
The proposed architecture for OSSEC leverages the utilities that many enterprises either already have in use or can easily be deployed today.
Join the DZone community and get the full member experience.Join For Free
Ensuring system security is as important as ensuring overall application security. A Host-based Intrusion Detection Systems (HIDS) provides the ability to identify, detect, and notify any unanticipated system changes that might impact the security of the system. HIDS is a powerful tool to maintain security standards implemented across IT systems. The Open Source HIDS SECurity (OSSEC) tool is one of the more popular HIDS options around.
The OSSEC tool can be implemented in multiple ways and largely depends on your infrastructure: whether you have a fixed number of servers or you have infrastructure that is frequently scaled up or down.
Traditional server-agent model:
Application Tier 1..N
The traditional server-agent model can be followed to monitor the servers with a lightweight agent installed on them, where all agents report to the central OSSEC manager (server) to analyze the events and to generate event notifications as appropriate. This model works quite well for small and large fixed setups. However, there are trade-offs:
Additional server management overhead. You need to manage the OSSEC server itself, along with its agents.
Adding or removing agent overhead. If you have a dynamic environment that involves frequent scaling of servers, then a custom solution is needed to automatically register and de-register the agents in the OSSEC server when scaling occurs.
Limited high availability of OSSEC server. There is an open feature request for making the OSSEC server highly available. Until this has been addressed, your best option is to keep a standby server with the configuration and data volumes replicated in real-time.
The OSSEC can also be installed in a local model, where each server monitors itself. The local OSSEC installation eliminates maintenance overhead for the OSSEC server. In addition, each server reports incidents and unauthorized events.
Following, you will find the steps required to install and incorporate the local model OSSEC into a dynamic infrastructure.
Read the rest of this article and a lot more in:
- Industry Research Data
- Articles Written by Industry Experts
- Cloud Architecture Infographic
- Directory of the Best Tools & Solutions
Opinions expressed by DZone contributors are their own.