Exam SAP-C01
Question 4

A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC.

How should they architect their solution to achieve these goals?

    Correct Answer: B

    To implement an intrusion detection and prevention system that can scale to thousands of instances running inside a VPC, the best approach is to create a second VPC and route all traffic from the primary application VPC through this second VPC where the scalable virtualized IDS/IPS platform resides. This solution allows for centralized monitoring and control of incoming and outgoing traffic, ensuring that all traffic is inspected before reaching the servers. Additionally, this architecture supports scalability by utilizing a separate, dedicated VPC for the IDS/IPS platform, making it more manageable and efficient for large-scale deployments.
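The explanation above hinges on one property: no application subnet may have a default route that sends traffic straight to an internet gateway, because that traffic would never cross the inspection VPC where the IDS/IPS lives. The following script is an added example, not part of the exam page or of any AWS tooling; it models the JSON shape returned by `aws ec2 describe-route-tables` with constructed data and checks that every subnet in the application VPC sends its default route (0.0.0.0/0 or ::/0) toward the inspection path. It assumes the inspection VPC is reached through a Gateway Load Balancer endpoint (`VpcEndpointId`) or a transit gateway (`TransitGatewayId`); the VPC, subnet, route table and endpoint IDs in the sample are placeholders, and subnets without an explicit association are resolved to the VPC's main route table, which is the usual place a bypass hides.

```python
"""Audit that application-VPC subnets default-route through the inspection VPC.

Added example (not from the exam page or AWS). Input mirrors the structure of
`aws ec2 describe-route-tables` output; all IDs below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import json

# Next-hop attributes that carry traffic toward the IDS/IPS VPC in this design
# (assumption: a GWLB endpoint or a transit gateway attachment).
INSPECTION_TARGET_KEYS = ("VpcEndpointId", "TransitGatewayId")
# Next-hop attributes that would let a default route bypass inspection.
BYPASS_TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId")

# Constructed sample: the main table still points 0.0.0.0/0 at an internet gateway,
# while the explicitly associated private table goes through the GWLB endpoint.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-app-main-placeholder", "VpcId": "vpc-app-placeholder",
      "Associations": [{"Main": true, "RouteTableId": "rtb-app-main-placeholder"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-app-private-placeholder", "VpcId": "vpc-app-placeholder",
      "Associations": [
        {"Main": false, "RouteTableId": "rtb-app-private-placeholder", "SubnetId": "subnet-a"},
        {"Main": false, "RouteTableId": "rtb-app-private-placeholder", "SubnetId": "subnet-b"}
      ],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-gwlb-placeholder", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-inspection-placeholder", "VpcId": "vpc-inspection-placeholder",
      "Associations": [{"Main": true, "RouteTableId": "rtb-inspection-placeholder"}],
      "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}]
    }
  ]
}
""")["RouteTables"]


def is_default_route(route: dict) -> bool:
    """True when the destination is the IPv4 or IPv6 default prefix (prefix length 0)."""
    cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    if not cidr:
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def route_target(route: dict) -> tuple[str, str] | None:
    """Return (attribute, id) of the route's next hop, or None if no known target is set."""
    for key in INSPECTION_TARGET_KEYS + BYPASS_TARGET_KEYS:
        if route.get(key):
            return key, route[key]
    return None


def subnet_to_route_table(route_tables: list[dict], vpc_id: str, subnet_ids: list[str]) -> dict[str, dict]:
    """Resolve each subnet to its effective table: explicit association, else the VPC main table."""
    main, explicit = None, {}
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt
    return {s: explicit.get(s, main) for s in subnet_ids if explicit.get(s, main) is not None}


def audit_default_routes(route_tables: list[dict], vpc_id: str, subnet_ids: list[str]) -> list[dict]:
    """One finding per subnet: 'inspected', 'bypass' (direct exit), or 'no-default-route'."""
    findings = []
    for subnet, rt in subnet_to_route_table(route_tables, vpc_id, subnet_ids).items():
        defaults = [r for r in rt.get("Routes", []) if is_default_route(r) and r.get("State") == "active"]
        targets = [route_target(r) for r in defaults]
        if not defaults:
            status = "no-default-route"
        elif any(t is None or t[0] in BYPASS_TARGET_KEYS for t in targets):
            status = "bypass"  # at least one default route skips the inspection VPC
        else:
            status = "inspected"
        findings.append({"subnet": subnet, "route_table": rt["RouteTableId"],
                         "status": status, "targets": [t for t in targets if t]})
    return findings


if __name__ == "__main__":
    for f in audit_default_routes(SAMPLE_ROUTE_TABLES, "vpc-app-placeholder",
                                  ["subnet-a", "subnet-b", "subnet-c"]):
        print(f)
```

Run against live data by replacing `SAMPLE_ROUTE_TABLES` with the parsed output of `aws ec2 describe-route-tables` and the subnet list with the VPC's real subnets; any `bypass` finding marks a subnet whose outbound traffic never reaches the IDS/IPS, and `no-default-route` is worth a second look because such subnets may instead be reaching the internet through a more specific route the check does not model.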

Discussion
ReggieR2

So I googled and found this on A Cloud Guru site: B is the correct answer. The key line of the question is "thousands of instances running in the VPC". Option C does not confirm that the incoming traffic is passed through the IDS/IPS before reaching the host, which is one of the primary features/requirements of any IDS/IPS. The traffic will need to pass through the IDS so that any vulnerability could be assessed. Moreover, in Option C you cannot expect to manage thousands and thousands of servers through host-based routing. Option A is invalid as promiscuous mode is not supported in AWS. Option D does not meet the IPS requirement and, moreover, although it can perform IDS activities, again it is not a scalable solution. SO, OPTION B is the correct ANSWER.

JAWS1600

I found the same; Cloud Guru / Jayendra Patil is wrong. B is the right answer.

skywalker

I will go for "B" as this is how IDS/IPS are being deployed. "D" is not possible as this will create additional CPU workload, which should be prevented.

nitinz

D is the correct answer. You can scale IDS/IPS depending on the volume.

skywalker

B... The security team needs a clean room or network for IDS/IPS. A separate VPC is the answer.

bkrish

D --> This architecture is better suited for HIPAA compliance customers, where they make use of the Gateway Load Balancer. Cisco NGFW integration with Gateway Load Balancer is a classic example for this type of scenario.

bkrish

Typo with the above option. It's B.

orwolfstein

https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/ AWS mentions this as a use case on the GLB web page. This is definitely the correct approach.

Narendragpt

It says within a VPC, so the best option is D. Configuring each host with an agent that collects and sends network traffic to a centralized IDS/IPS platform (option D) is the best approach for achieving scalable and effective intrusion detection and prevention in a VPC.

Bereket

Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Andy85

Answer: B

autobahn
Option: B

It has to be 'B'

Tarila79
Option: B

By creating a second VPC and routing all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides. By separating the IDS/IPS platform into its own VPC, you can control the network traffic flow and apply security measures effectively. This architecture allows for scalability by handling the traffic from the primary application VPC through the dedicated IDS/IPS VPC, where the virtualized IDS/IPS platform can analyze and monitor the traffic.

zmfly
Option: B

B is correct

TigerInTheCloud
Option: B

A: Not scalable. B: Doable. C: Traffic reaches the hosts before IDS/IPS processing; IDS may be okay but not IPS. D: The same issue as C, and scalability is not mentioned. So my choice is C.

Snip

Only B can be the right answer; IDS/IPS must analyze traffic BEFORE the traffic reaches the instance.

aandc

B, Gateway Load Balancer is needed: https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html

[Removed]

B. There was a similar question and its answer was B.

HellGate
Option: D

There's the same question on the official exam from AWS.

jj22222
Option: D

D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

cannottellname

Routing traffic from one VPC to another is the older method. I work in an organization and we use agent-based monitoring only. D seems correct.