A common scenario that network engineers and security professionals are taught to avoid is a network with some degree of edge security, such as strong firewalls and ACLs, but poor to non-existent internal visibility and enforcement, which increases the risk of lateral movement.
These networks typically lack appropriate security measures such as an intrusion detection/prevention system (IDS/IPS), and the increased visibility provided by a complementary security information and event management (SIEM) or similar syslog monitoring solution.
Today, this perspective is just as relevant in the cloud. Amazon Web Services (AWS) provides some traditional tools and techniques to harden network security (Security Groups, Network Access Control Lists [NACLs], and least-privilege permissions) together with increased visibility (Amazon CloudWatch, AWS CloudTrail, Amazon GuardDuty, etc.). These products are a good starting point for your security strategy, but with increasingly sophisticated threats native to the cloud, customers need a more dynamic and responsive cloud-native IPS to monitor and secure internal AWS network loads and infrastructure.
The solution: Look-aside inspection
Trend Micro Cloud One™ – Network Security solves this problem by using the look-aside inspection architecture. Leveraging the hub-and-spoke network model of AWS Transit Gateway, Network Security provides greatly increased visibility and enforcement by “looking aside” to the Network Security virtual appliance (NSVA), attached to the transit gateway, to inspect lateral and outbound network loads. Let’s review some examples of this architecture and how Network Security can integrate with AWS Transit Gateway to enhance security.
1. Look-aside inspection with attached public VPC
In this scenario, Network Security inspects all lateral and outbound network loads, providing excellent visibility and protection for private workloads, both between private VPCs and outbound to the internet. This naturally complements a centralized egress architecture, providing increased visibility and enforcement for all outbound network loads, as well as reduced costs due to less infrastructure (such as multiple NAT gateways in multiple public VPCs).
This deployment also requires very little infrastructure change. In fact, after deploying the security VPC and attaching it to the transit gateway, all that is required is a single static route added to the Transit Gateway route tables. This single route sends all network loads to the security VPC for inspection before they are routed to their destination, whether that is your internal AWS infrastructure or the internet.
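As an added example (not code from this post or from Trend Micro), this Terraform fragment shows the Transit Gateway route tables for the scenario above: the spoke route table carries the single static default route to the security VPC attachment, and the security route table learns the spoke CIDRs by propagation. All VPC and subnet IDs are placeholders, and enabling appliance mode on the security attachment is an assumption about the deployment, not something the post states.

```hcl
# Added example, not code from the post: Transit Gateway routing for look-aside inspection.
# All vpc-/subnet- IDs are placeholders.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "hub for look-aside inspection"
  default_route_table_association = "disable" # no implicit any-to-any path that skips the NSVA
  default_route_table_propagation = "disable"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = { app = "vpc-PLACEHOLDER-app", db = "vpc-PLACEHOLDER-db" }
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value
  subnet_ids         = ["subnet-PLACEHOLDER-${each.key}"]
}
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = "vpc-PLACEHOLDER-security"
  subnet_ids             = ["subnet-PLACEHOLDER-sec-a", "subnet-PLACEHOLDER-sec-b"]
  appliance_mode_support = "enable" # assumption: keep both directions of a flow on one AZ/appliance
}
# Spoke route table: the single static default route sends everything to the security VPC.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
# Security route table: learns spoke CIDRs by propagation so inspected traffic reaches its destination.
resource "aws_ec2_transit_gateway_route_table" "security" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "security" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_security" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}
```

Because the spoke route table holds no spoke-to-spoke routes, lateral traffic can only reach another VPC by passing through the security VPC; the security VPC's own subnet route tables (NSVA and NAT gateway for internet egress) are outside this fragment.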
2. Look-aside inspection with third-party decrypt and/or proxy support
Network Security can also reside downstream of third-party solutions such as load balancers, VPN endpoints, and proxy servers, providing complementary layers of security and management. Residing downstream allows all network loads, including normally encrypted remote-user traffic or load-balanced traffic, to be inspected in-line and in the clear, without out-of-sequence packets or encrypted data.
3. Virtual Private Cloud ingress routing and look-aside inspection architecture
When this architecture is combined with the VPC ingress routing feature, you can inspect inbound traffic destined for public-facing resources and use Network Security features such as geolocation filtering and fully qualified domain name (FQDN) filtering to block attacks from outside your region or to block outbound traffic to inappropriate sites and locations.
Conclusion
By leveraging the look-aside inspection model on AWS Transit Gateway, Network Security improves your AWS infrastructure’s security posture and dramatically increases visibility. Network Security can also provide protection for many other AWS services, giving you the flexibility to tailor your architectures as needed without compromising security.
Try Network Security free for 30 days to see how it can seamlessly integrate with your AWS infrastructure.