metal-stack / metal-images

CI-Builds for the metal-stack OS images
MIT License

IDS #22

Open majst01 opened 4 years ago

majst01 commented 4 years ago

In order to be able to report IDS events we need to install an open source IDS system in the firewall image. We already decided to choose https://suricata-ids.org/. This IDS will be always installed and will listen on all external interfaces. Configuration will be done by:

A mechanism to update IDS patterns must be enabled to run on a regular basis.

majst01 commented 4 years ago

Simple consuming of IDS Stats is implemented in the new firewall-controller: https://github.com/metal-stack/firewall-controller/commit/879ea047855b6c8eb6f06f93463badf1f1f96c92

This will show up like: k describe networkids

Name:         networkids-sample
Namespace:    default
API Version:  firewall.metal-stack.io/v1
Kind:         NetworkIDS
Spec:
  Enabled:   true
  Interval:  10
  Statslog:  /var/log/suricata/stats.log
Status:
  ID Sstatistics:
    Stats:
      capture.errors:          0
      capture.kernel_drops:    0
      capture.kernel_packets:  2
      decoder.bytes:           432
      decoder.pkts:            2
  Last Run:                    2020-04-24T09:20:38Z
Events:                        <none>

This can probably be exposed by default to all customers even if they did not pay for IDS to have a peek preview of what they can expect once paying.

@mwindower @chbmuc
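The stats.log consumption discussed in this thread, as an added example that is not the firewall-controller's own code: a parser for the dump format Suricata writes to stats.log (the sample block below is constructed, not captured from a sensor) that keeps only the most recent dump, since Suricata appends a new block every interval, and a check on `capture.kernel_drops`, because dropped packets mean the IDS did not see part of the traffic and its events are incomplete.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in the layout of Suricata's stats.log (values are made up).
const sampleStatsLog = `--------------------------------------------------------
Date: 4/24/2020 -- 09:20:38 (uptime: 0d, 00h 00m 10s)
--------------------------------------------------------
Counter                     | TM Name  | Value
--------------------------------------------------------
capture.kernel_packets      | Total    | 2
capture.kernel_drops        | Total    | 0
capture.errors              | Total    | 0
decoder.pkts                | Total    | 2
decoder.bytes               | Total    | 432
`
// ParseStatsLog returns the date and counters of the last dump in a stats.log;
// Suricata appends a block every interval, so only the final one is current.
func ParseStatsLog(log string) (date string, stats map[string]int64, err error) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "Date:") {
			date = strings.TrimSpace(strings.TrimPrefix(line, "Date:"))
			stats = map[string]int64{} // new dump: drop the previous counters
			continue
		}
		cols := strings.Split(line, "|")
		if len(cols) != 3 || stats == nil || strings.TrimSpace(cols[0]) == "Counter" {
			continue // separator, column header, or text before the first Date
		}
		v, perr := strconv.ParseInt(strings.TrimSpace(cols[2]), 10, 64)
		if perr != nil {
			return "", nil, fmt.Errorf("bad counter line %q: %w", line, perr)
		}
		stats[strings.TrimSpace(cols[0])] = v
	}
	return date, stats, sc.Err()
}
// DroppingPackets is true when the kernel dropped packets: the IDS then saw only
// part of the traffic and its alerts are incomplete.
func DroppingPackets(stats map[string]int64) bool { return stats["capture.kernel_drops"] > 0 }

func main() { fmt.Println(ParseStatsLog(sampleStatsLog)) }
```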