Understanding the vGW Series IDS Module

vGW Series includes a fully integrated IDS engine that you can use to monitor all virtual network traffic. It takes into account IPv4 and IPv6 traffic. You can also selectively monitor traffic for a subset of VMs or protocols used. vGW Series matches the selected traffic to the signature database and flags any suspicious activity with High, Medium, or Low priority alerts.

This topic covers the IDS module Alerts pages.

Use the Settings module > Security Settings > IDS Settings page to configure IDS for your environment. See Understanding and Configuring IDS Settings.

The IDS engine shows attacks generated by VMs or by external systems. The IDS engine can identify an attack when one party involved in the attack is a VM.

This topic includes the following sections:

Managing and Sorting Displayed Alerts Information
Top Alerts Page
Alert Sources Page
Alert Targets Page
All Alerts Page

Managing and Sorting Displayed Alerts Information

By default, basic alerts information is displayed for all Alerts tabs. In basic mode, you can change the time interval to control the period for which alerts information is displayed. You can also click the column headings to sort alerts by alert type, signature ID, total number of alerts of that type, or priority.

For all Alerts tabs, advanced mode gives you the following additional capabilities:

Top Alerts Page

The Top Alerts tab presents a graph that shows the top alerts for attacks that have occurred over a specified period of time, for example 24 hours. If you specify a different time interval, alerts that have occurred within that period of time are displayed. The graph lets you see at a glance how frequently each alert type occurred. It includes a table that identifies the type of alert and its signature ID. See Figure 68.

Figure 68: IDS Top Alerts


The alerts are organized as High, Medium, and Low with the total number sorting from most frequent to least frequent in the Total column.

To display advanced mode, which gives you more options, click show advanced. Figure 69 shows the features that you can use in advanced mode, with the time interval changed to show information for 30 days.

Figure 69: IDS Top Alerts Advanced Options


Tip: To change the priority level of an alert, or to suppress it from the display, use the Settings module > IDS Signatures page > Security Settings section.

To show information about a specific attack that caused the alert, click its row in the Alert Type column. In response, you see a description of the alert and its signature ID. See Figure 70.

Figure 70: IDS Alert Description


To show additional details for that alert, beneath the alert description click show details. Figure 71 shows the result.

Figure 71: IDS Alert Details


Scroll down on the Alert Details box to see the affected systems and the attack scenarios. See Figure 72.

Figure 72: IDS Alert Details Showing Affected Systems


If you want to know who generated the traffic that caused an alert, click the Alert Sources tab. See Figure 73.

Figure 73: IDS Alert Sources


If you want to know the traffic destination, click the Alert Targets tab. See Figure 74.

Figure 74: IDS Alert Targets


Alert Sources Page

The Alert Sources window shows which systems have generated traffic matching the IDS signatures. These systems can be guest VMs or external systems communicating on the virtual network. The columns show High, Medium, and Low alert counts and a total count.

The system with the highest total count is displayed at the top of the list. You can sort the display by clicking the High, Medium, or Low columns. See Figure 73.

Alert Targets Page

The Alert Targets window shows the same information as the Alert Sources page, but from the destination side: it lists the systems that are under the greatest number of attacks. See Figure 74.

All Alerts Page

The All Alerts tab shows a complete list of alerts for attacks captured by the system for the configured time interval (by default, 24 hours). In this example, the time interval has been set to 30 days.

To show details for a specific alert, click the alert type. By default, the most recent events are displayed at the top of the page, and older events are shown at the bottom. See Figure 75.

Figure 75: IDS All Alerts


The Source and Destination columns in the All Alerts page table show machine names, not IP addresses. When you hover the mouse over a machine name, vGW Series displays its IP address. To make it clear which IP address is involved, vGW Series displays only the IP address that the alert pertains to, not all IP addresses for that machine.

Machines for which IPv6 is enabled typically have two addresses bound to each Virtual Network Interface Card (vNIC): a link-local address and a routable address. Typically the link-local address is not used by applications. A machine can have multiple vNICs, each of which might have two IP addresses. Effectively, a machine might have many IP addresses bound to it.
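The views described above (Top Alerts counted per signature and priority, Alert Sources and Alert Targets counted per system with High/Medium/Low columns, all restricted to a configurable time interval, and the distinction between an IPv6 link-local and routable address) are easier to reason about when you see how raw alert records are rolled up into them. The following is an added example, not vGW Series code and not the product's data format: the record fields, signature IDs, alert names, addresses and timestamps are all constructed for the example, and the aggregation functions are assumptions about how such views can be computed, not a description of the vGW implementation.

```python
"""Added example: rolling raw IDS alert records up into Top Alerts, Alert
Sources and Alert Targets views over a chosen time interval. Illustrative
code only; the record format and all sample data are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PRIORITIES = ("High", "Medium", "Low")

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)


def make_alert(hours_ago, signature_id, alert_type, priority, source, destination):
    """Build one constructed alert record; one row of a hypothetical alert log."""
    return {
        "time": NOW - timedelta(hours=hours_ago),
        "signature_id": signature_id,
        "alert_type": alert_type,
        "priority": priority,
        "source": source,
        "destination": destination,
    }


# Constructed sample alerts. Signature IDs and names are placeholders, not
# real vGW signatures; addresses are from documentation ranges.
SAMPLE_ALERTS = [
    make_alert(1, 1001, "EXAMPLE port scan", "Low", "10.0.0.5", "10.0.0.20"),
    make_alert(2, 1001, "EXAMPLE port scan", "Low", "10.0.0.5", "10.0.0.21"),
    make_alert(3, 1001, "EXAMPLE port scan", "Low", "10.0.0.6", "10.0.0.20"),
    make_alert(5, 2002, "EXAMPLE web exploit attempt", "High", "203.0.113.9", "10.0.0.20"),
    make_alert(100, 2002, "EXAMPLE web exploit attempt", "High", "203.0.113.9", "10.0.0.20"),
    make_alert(6, 3003, "EXAMPLE suspicious DNS", "Medium", "2001:db8::1", "10.0.0.20"),
    make_alert(12, 3003, "EXAMPLE suspicious DNS", "Medium", "fe80::1", "2001:db8::20"),
]


def within_interval(alerts, hours, now=NOW):
    """Keep only alerts that occurred within the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return [a for a in alerts if a["time"] >= cutoff]


def top_alerts(alerts):
    """Top Alerts view: one row per (signature, type, priority), most frequent first.
    Ties are broken by priority rank (High before Low), then signature ID."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["signature_id"], a["alert_type"], a["priority"])] += 1
    rank = {p: i for i, p in enumerate(PRIORITIES)}
    rows = [{"signature_id": sig, "alert_type": atype, "priority": prio, "total": n}
            for (sig, atype, prio), n in counts.items()]
    rows.sort(key=lambda r: (-r["total"], rank[r["priority"]], r["signature_id"]))
    return rows


def _count_by_host(alerts, field):
    """Per-host High/Medium/Low counts plus a total, highest total first."""
    per_host = defaultdict(lambda: {p: 0 for p in PRIORITIES})
    for a in alerts:
        per_host[a[field]][a["priority"]] += 1
    rows = [{"host": host, **c, "total": sum(c.values())} for host, c in per_host.items()]
    rows.sort(key=lambda r: (-r["total"], r["host"]))
    return rows


def alert_sources(alerts):
    """Alert Sources view: who generated the traffic that matched a signature."""
    return _count_by_host(alerts, "source")


def alert_targets(alerts):
    """Alert Targets view: which systems received the most alert-generating traffic."""
    return _count_by_host(alerts, "destination")


def classify_address(addr):
    """Distinguish an IPv6 link-local address (fe80::/10) from a routable one,
    which matters when a machine has several addresses per vNIC."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6-link-local" if ip.is_link_local else "ipv6-routable"
    return "ipv4"


if __name__ == "__main__":
    for hours in (24, 24 * 30):
        window = within_interval(SAMPLE_ALERTS, hours)
        print(f"--- last {hours} hours: {len(window)} alerts ---")
        for r in top_alerts(window):
            print(f"{r['priority']:<6} {r['signature_id']} {r['alert_type']:<30} {r['total']}")
        print("sources:", alert_sources(window)[:2])
        print("targets:", alert_targets(window)[:1])
    for addr in ("10.0.0.5", "2001:db8::1", "fe80::1"):
        print(addr, classify_address(addr))
```

Run it as a script to print the 24-hour and 30-day views side by side; note that the second web-exploit alert (100 hours old) only appears in the 30-day window, which changes the Top Alerts order exactly as widening the interval in the UI would.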
