Group Based Policy IDS

asked 2015-08-30 16:48:06 -0500

Bo102010

updated 2015-08-31 21:30:09 -0500

Cisco's [Group-Based Policy for OpenStack](http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.html) describes one use case for GBP networking:

Policy layering: ...layering allows application owners to specify the policy pertaining to an application, while infrastructure owners can prescribe security requirements __such as redirection of traffic to a chain of firewall and intrusion-detection system (IDS) solutions before the traffic is sent to the application.__

One of the accompanying images illustrates this idea:

http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-733126.doc/_jcr_content/renditions/white-paper-c11-733126_3.jpg (image description)

My question is: how does one actually configure an IDS to receive network traffic with GBP? The diagram suggests that there should be a "copy" action, but the [GBP docs](http://gbp.readthedocs.org/en/latest/usage.html#the-gbp-model) show that there are only "allow" and "redirect" actions.

If the feature has simply not yet been implemented, what is a recommended way to forward application traffic to an IDS?
