AWS IDS solution

Fellow security peeps,

What are you using for your AWS (N)IDS solution?

We're currently using Suricata on our most business-critical applications (EC2 instances, about 1200 total). The company is moving towards Kubernetes/EKS/microservices. TLS is used to encrypt most of our traffic, with a lot of internal traffic being encrypted with rotating self-signed certificates. This makes decryption a pain in the ass to manage, and therefore an IDS is less effective on traffic over SSL (unless we find a way to MITM and manage all the keys for decryption).

I'm looking to re-architect our IDS solution since it's proving difficult to manage and update rulesets across all of our applications (we have to build a new AMI to update rulesets), TLS is starting to pose a problem, and we don't have strong visibility into our container traffic at the moment (also over SSL — we can potentially use sidecars to mitigate this).

Any suggestions as I venture forth on this journey?

What's your AWS environment like and what are you using for network traffic analysis?

A bit stuck at the moment so any advice is most appreciated. Was looking at going the VPC traffic mirroring route to a load-balanced Suricata ASG, but still the issue with TLS remains — perhaps we can propose to standardize the certs we're using.
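One way to wire up the traffic-mirroring design mentioned at the end of the post, as an added example that is not from the original post or from any vendor: Terraform (aws provider) resources that mirror one ENI to an internal NLB fronting the Suricata Auto Scaling group. The variable names, the SSH health-check port, and the one-session-per-ENI layout are assumptions.

```hcl
# Added example, not from the original post: VPC Traffic Mirroring from one
# monitored ENI to an internal NLB fronting a Suricata ASG. Names are placeholders.
variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) }
variable "monitored_eni_id" { type = string } # ENI on a Nitro-based instance
# Mirrored packets arrive VXLAN-encapsulated on UDP/4789; sensors need
# `decoder: vxlan: enabled: true` in suricata.yaml to inspect the inner flows.
resource "aws_lb" "mirror" {
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}
resource "aws_lb_target_group" "suricata" {
  port     = 4789
  protocol = "UDP"
  vpc_id   = var.vpc_id
  health_check { # UDP targets need a TCP/HTTP check; assumption: SSH on 22
    protocol = "TCP"
    port     = "22"
  }
}
resource "aws_lb_listener" "vxlan" {
  load_balancer_arn = aws_lb.mirror.arn
  port              = 4789
  protocol          = "UDP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.suricata.arn
  }
}
resource "aws_ec2_traffic_mirror_target" "suricata" {
  network_load_balancer_arn = aws_lb.mirror.arn
}
# Accept both directions; TLS payload stays opaque, but SNI, JA3 (if enabled)
# and certificate fields still surface in Suricata's tls log and rule keywords.
resource "aws_ec2_traffic_mirror_filter" "all" {}
resource "aws_ec2_traffic_mirror_filter_rule" "all" {
  for_each                 = toset(["ingress", "egress"])
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_direction        = each.key
  rule_number              = 100
  rule_action              = "accept"
  destination_cidr_block   = "0.0.0.0/0"
  source_cidr_block        = "0.0.0.0/0"
}
resource "aws_ec2_traffic_mirror_session" "app" {
  network_interface_id     = var.monitored_eni_id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.suricata.id
  session_number           = 1
}
```

The Suricata ASG still has to be attached to the target group (an aws_autoscaling_attachment), and each source ENI needs its own mirror session, so the session is the piece to stamp out per instance. Traffic Mirroring only supports Nitro-based instances as sources, which is worth checking against the fleet before committing to this route.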

