Security domain

Security Domain is a separate project that holds the set of tools the IRT (incident response team) needs to perform incident analysis and cloud forensics. Once a security issue is discovered in one of the project networks, you can switch the traffic of the compromised network, or of the whole project, from the Internet to the Security Domain in order to contain and investigate the incident.

Security Domain may contain, among others, the following components:

Security Domain components

Network IDPS
  Provides deep packet inspection and extraction of malicious files from the North-South traffic traveling through the DMZ. You can also run multiple virtual instances of the network IDPS as a VNF to scan East-West traffic inside your SDN.

Network monitor
  Records traffic for investigation and forensics purposes, for example, tcpdump or Wireshark.

Antivirus
  Scans the files extracted from the North-South network traffic.

Sandbox
  Analyzes discovered malware or suspicious documents in PDF, SWF, or DOC format that may carry exploits, for example, attachments found in email traffic.

Forensic tools
  Collect digital evidence suitable for use in court.

Storage
  Storage allocated specifically for forensic purposes; it holds collected digital evidence such as infected VM images, seized illegal data, network traffic dumps, logs, and so on.

Proxy server
  Redirects the traffic of the compromised network to the Internet through the Security Domain network, where the IRT can perform deep packet inspection and covert monitoring of the ongoing attack.