Understanding the vGW Series IDS Module

The vGW Series includes a fully integrated IDS engine that you can use to monitor all virtual network traffic. You can also selectively monitor traffic for a subset of guest VMs or protocols used. The vGW Series matches the selected traffic to the signature database and flags any suspicious activity with high, medium, or low priority alerts.

In the vGW Security Design VM, you configure the following information to set up IDS for your environment:

The IDS engine shows attacks generated by guest VMs and attacks by physical servers against VMs. The IDS engine can identify an attack as long as at least one endpoint of the traffic is a VM. The IDS module includes the following four tabs:

Top Alerts Tab

The Top Alerts tab presents a graph of the alerts that have occurred over a specified period of time, for example 24 hours; if you specify a different time interval, alerts that occurred within that interval are displayed. The graph lets you see at a glance how frequently each alert type occurred. It includes a table that identifies the type of alert and its signature ID. See Figure 44.

Figure 44: IDS Top Alerts Tab


The alerts are organized as high, medium, and low, and the Total column sorts them from most frequent to least frequent.

For each alert, you can click the Alert Type column heading to show the details for that alert. In response, you see a description of the alert and its signature ID. If you want to know who generated the traffic that caused an alert or where that traffic was destined, click Alert Sources or Alert Targets at the top of the alert's details page. To change the priority level of an alert or to suppress it from display, use the IDS Signatures page in the Security Settings section of the Settings module.

Alert details include a description and a signature ID.

Alert Sources Tab

The Alert Sources tab shows which systems have generated traffic matching the IDS signatures in the vGW Series. These systems can be guest VMs or physical systems communicating on the virtual network. The columns show high, medium, and low alert counts and a total count. See Figure 45.

The system with the highest total count is displayed at the top of the list. You can sort the display by clicking the High, Medium, or Low columns. You can also click an alert name in the Alert Type column to get information about a specific attack including who generated the traffic or where it was destined.

Figure 45: IDS Alert Sources Tab


Alert Targets Tab

The Alert Targets tab is the same as the Alert Sources tab except that it lists the systems that have been the target of the most attacks. See Figure 46.

Figure 46: IDS Alert Targets Tab


All Alerts Tab

The All Alerts tab shows a complete list of each alert captured by the system for the configured time interval (by default, 24 hours). To show details for a specific alert, click the alert type. By default, the most recent events are displayed at the top of the screen, and older events are shown at the bottom. Alerts are sorted by the Time column. See Figure 47.

Figure 47: IDS All Alerts Tab

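The four tabs described above are different views over the same set of IDS alert records: Top Alerts groups by alert type and signature ID, Alert Sources and Alert Targets group by the two endpoints, and All Alerts is the ungrouped list sorted by time, all filtered to one time window and all subject to the per-signature priority and suppression settings from the IDS Signatures page. The following script is an added example, not vGW Series code and not Juniper's alert export format; it assumes a hypothetical alert record with time, signature ID, alert type, priority, source and target fields, and the sample alerts in it are constructed. It shows how those views relate to each other and how a priority override or suppression changes every view at once.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

PRIORITIES = ("high", "medium", "low")


@dataclass(frozen=True)
class IdsAlert:
    """Hypothetical IDS alert record; field names are an assumption, not vGW's schema."""
    time: datetime
    signature_id: int
    alert_type: str
    priority: str   # one of PRIORITIES
    source: str     # system that generated the matching traffic
    target: str     # system the traffic was destined for


# Constructed sample data: a fixed "now" and six alerts, one of them older than 24 hours.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    IdsAlert(NOW - timedelta(hours=1), 2001, "portscan-a", "high", "phys-host-1", "vm-web-1"),
    IdsAlert(NOW - timedelta(hours=2), 2001, "portscan-a", "high", "phys-host-1", "vm-db-1"),
    IdsAlert(NOW - timedelta(hours=3), 2002, "brute-b", "medium", "vm-app-1", "vm-db-1"),
    IdsAlert(NOW - timedelta(hours=4), 2003, "probe-c", "low", "vm-app-1", "vm-web-1"),
    IdsAlert(NOW - timedelta(hours=5), 2002, "brute-b", "medium", "phys-host-1", "vm-db-1"),
    IdsAlert(NOW - timedelta(hours=30), 2003, "probe-c", "low", "vm-app-2", "vm-web-1"),
]


def within_window(alerts, window, now=NOW):
    """Keep only alerts inside the configured time interval (default view: last 24 hours)."""
    cutoff = now - window
    return [a for a in alerts if a.time >= cutoff]


def apply_signature_settings(alerts, overrides):
    """Apply per-signature settings: a priority string re-labels the alert,
    None suppresses it entirely (the IDS Signatures page behaviour, modelled here)."""
    adjusted = []
    for a in alerts:
        if a.signature_id in overrides:
            new_priority = overrides[a.signature_id]
            if new_priority is None:
                continue  # suppressed signature: drop it from every view
            a = replace(a, priority=new_priority)
        adjusted.append(a)
    return adjusted


def priority_counts(alerts, key):
    """Group alerts by key(alert) into high/medium/low/total counts,
    returned as (key, counts) pairs sorted from most to least frequent."""
    table = defaultdict(lambda: dict.fromkeys(PRIORITIES + ("total",), 0))
    for a in alerts:
        row = table[key(a)]
        row[a.priority] += 1
        row["total"] += 1
    # Sort by total first; break ties by the more severe counts so the order is deterministic.
    return sorted(table.items(),
                  key=lambda kv: (-kv[1]["total"], -kv[1]["high"], -kv[1]["medium"]))


def top_alerts(alerts):
    """Top Alerts tab: one row per (alert type, signature ID)."""
    return priority_counts(alerts, lambda a: (a.alert_type, a.signature_id))


def alert_sources(alerts):
    """Alert Sources tab: one row per system that generated matching traffic."""
    return priority_counts(alerts, lambda a: a.source)


def alert_targets(alerts):
    """Alert Targets tab: one row per system the matching traffic was destined for."""
    return priority_counts(alerts, lambda a: a.target)


def all_alerts(alerts):
    """All Alerts tab: every alert in the window, most recent first."""
    return sorted(alerts, key=lambda a: a.time, reverse=True)


if __name__ == "__main__":
    window = within_window(SAMPLE_ALERTS, timedelta(hours=24))
    for name, view in (("Top Alerts", top_alerts(window)),
                       ("Alert Sources", alert_sources(window)),
                       ("Alert Targets", alert_targets(window))):
        print(name)
        for key, counts in view:
            print(f"  {key}: {counts}")
    print("All Alerts (newest first)")
    for a in all_alerts(window):
        print(f"  {a.time:%Y-%m-%d %H:%M} sid={a.signature_id} {a.alert_type} {a.priority}")
```

Running it on the constructed data shows the same source (phys-host-1) at the top of Alert Sources and a different system (vm-db-1) at the top of Alert Targets, which is the practical reason the two tabs exist side by side. Passing `{2003: None, 2002: "high"}` to `apply_signature_settings` before building the views drops the probe-c alerts and promotes brute-b, and all four views change accordingly because they are computed from the one adjusted record set.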

Related Documentation