Security Domain is a separate project with a set of tools needed for IRT to perform incident analysis and cloud forensics. Once a security issue is discovered in one of the project networks, you can switch traffic from the compromised network or the whole project from the Internet to the Security Domain to contain and investigate an incident.
Security Domain may contain the following components but not limited to:
| Component | Description |
|---|---|
| Network IDPS | Provides deep packet inspection and exfiltration of malicious files from the North-South traffic traveling through DMZ. You can create numerous virtual instances of network IDPS as a VNF to scan East-West traffic in your SDN as well. |
| Network monitor | Records the traffic for investigation and forensics purposes. For example, tcpdump or Wireshark. |
| Antivirus | Scans the files extracted from the network N-S traffic. |
| Sandbox | Analyzes discovered malware or suspicious documents in PDF, SWF, DOC formats that may have exploits on board, for example, in email traffic. |
| Forensic tools | Collect digital evidence for the court. |
| Storage | Specially allocated for forensic purposes stores collected digital evidence such as infected VM images, stored illegal data, dumps of network traffic, logs, and so on. |
| Proxy server | Redirects traffic of the compromised network to the Internet through the Security Domain network, where IRT can perform deep packet inspection and hidden monitoring of the ongoing attack. |