Intrusion Detection

In addition to Cloud Microsegmentation and Zero Trust Network Security, Calico Enterprise provides another layer of security through its Intrusion detection system (IDS).

Calico Enterprise IDS identifies Advanced persistent threats (APTs) through behavior-based detection using machine learning and a rule-based engine that enables active monitoring.

Threat Feed Integration

Custom Alerts

Anomaly Detection

Configure Security


Automate Remediation

Watch Details Video

Threat Feed Integration

Calico Enterprise ingests threat feeds that identify IPs for known bad actors such as botnets. Any ingress or egress traffic to those IPs are automatically blocked and can be configured to generate alerts. In addition, traffic to VPNs and TOR exit nodes is blocked and alerted on.

Firewall often detect and block traffic associated with known bad actors, but do not have visibility into which pod is infected. Calico Enterprise can pinpoint and report on the source of malicious traffic.

Custom Alerts for Known Attacks

Calico Enterprise can alert on unauthorized changes to your cluster and security policies as well as known attack patterns such as domain generation algorithms. Alerts are available out-of-the-box and can be customized or added by your security researchers or ours.

Anomaly Detection

Calico Enterprise evaluates Network flows using machine learning to identify the baseline behavior of your microservice environment and can generate alerts when unexpected behavior is detected. This enables you to detect and protect your network against zero-day exploits.

Port scans, IP sweeps, and service byte anomalies can all be indicators that your environment has been compromised and is hosting an advanced persistent threat. Calico Enterprise detects and alerts on that activity and can quarantine those workloads.

Calico Enterprise can also detect and prevent OWASP Top 10 attacks targeting your microservices.

Configure Security for Critical Workloads

A small set of your workloads may have access to sensitive data, and you will want to put additional detection and alerting for those microservices.

Calico Enterprise provides the ability to configure policies and alerts for a subset of your environment that will detect and alert on abnormal activity, effectively utilizing a moat to protect your critical workloads.

Defining your moat is as simple as using a label and then defining detailed alerts for workloads utilizing those labels.

Calico Enterprise HoneyPods

While inspecting all the network data can enable you to detect attacks, this can cause a huge performance penalty. Calico Enterprise utilizes an elegant approach to identify traffic that warrants deeper inspection.

Calico Enterprise Honeypods are fake pods that run in your cluster. All traffic to these pods generates alerts that trigger further inspection of data.

Once any traffic hits a honeypot, Calico Enterprise inspects packets from this traffic and analyzes it for well-known malware signatures using SNORT and other tools.

Automate Remediation

Calico Enterprise Alerts can trigger automated remediation by cutting the rogue microservice off from the network and generating policy recommendations to prevent future attacks.
The quarantined workload can be left running to allow your SOC Analysts to investigate the malicious workload.

Watch Product Details Video


Interested in trying Calico Enterprise IDS for Kubernetes?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!