Last updated on: 2018-12-06
Authored by: Nick Shobe
Rackspace Proactive Detection & Response (PDR) on Amazon Web Services® (AWS) has two main components that need to be implemented in your AWS environment: the Network-based Intrusion Detection (NIDS) appliance infrastructure must be set up, and select vendor agents must be deployed.
To enable visibility of your AWS network, we deploy NIDS appliances to each Amazon Virtual Private Cloud® (VPC) where you have Amazon Elastic Compute Cloud® (EC2) instances being monitored by our Rackspace PDR teams.
Rackspace PDR uses either Amazon CloudFormation® or HashiCorp® Terraform® to deploy NIDS appliances in AWS. Our current NIDS appliances are provided by the Alert Logic® Threat Manager™ offering.
Our PDR teams deploy, manage, and monitor your NIDS Threat Manager appliances. Rackspace PDR has the following platform requirements:
Work with your AWS support team to implement the standards in the following outline. Ensure that ingress and egress requirements pass through any security WAFs or AWS gateway devices that sit in front of 0.0.0.0/0.
The CloudFormation or Terraform templates that you are provided create and manage the IAM roles, security groups, and related resources that help you set up and configure the following network configuration outline. You might need to implement some additional network rules where it makes sense for your environment.
In a default environment, our AWS team uses our deployment tools to create and manage the security groups needed to deploy your platform. Customers implementing custom routing or application firewalls should see Rackspace PDR Threat Manager Network Requirements to ensure that your AWS platform conforms to our specifications.
Many applications terminate Secure Sockets Layer (SSL) and Transport Layer Security (TLS) at the network edge with a load balancer or web application firewall. If your application uses end-to-end encryption, see the Rackspace PDR SSL Decryption Guide.
Individual PDR agents are deployed and maintained by the Rackspace PDR team. However, we do have base requirements that must be met to ensure that our automated deployment system and PDR support team can access your instances to deploy or troubleshoot agents and systems.
Following these steps helps to ensure successful agent deployments:
Because we rely on several vendors to provide the necessary telemetry to our systems, it is important that you select operating systems and kernel versions that are compatible with the vendor agents. For more information, see the Rackspace PDR System Requirements.
It is important that images taken from hosts that have Rackspace PDR agents deployed be prepared for deployment before you use them as base images. Follow the Rackspace PDR Imaging Hosts guide to ensure that golden images are properly prepared.
The current requirement for all AWS environments is to have the SSM agent installed and configured on all Rackspace PDR monitored instances. This enables our select vendor agent deployment platform as well as our security operations team to perform necessary actions against your infrastructure. For more information, see Install AWS Systems Manager Agent (SSM Agent).
The agents used to provide telemetry to our Security Operations Center (SOC) have specific networking requirements that must be implemented. Use the Rackspace PDR Agent Network Requirements guide to correctly implement network ACLs and firewall rules for your platform.
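One way to check the SSM requirement above before agent deployment, as an added example (not Rackspace tooling): it compares EC2 inventory against the SSM managed-instance inventory and lists running instances in monitored VPCs that SSM cannot reach. The instance IDs, VPC IDs, and the `monitored_vpcs` parameter are constructed for illustration; the JSON is trimmed to the fields used and follows the shape returned by `aws ec2 describe-instances` and `aws ssm describe-instance-information`.

```python
import json

# Constructed sample, shaped like `aws ec2 describe-instances` output.
EC2_JSON = """{"Reservations": [{"Instances": [
  {"InstanceId": "i-0a1", "VpcId": "vpc-aaa", "State": {"Name": "running"}},
  {"InstanceId": "i-0b2", "VpcId": "vpc-aaa", "State": {"Name": "running"}},
  {"InstanceId": "i-0c3", "VpcId": "vpc-aaa", "State": {"Name": "running"}},
  {"InstanceId": "i-0d4", "VpcId": "vpc-aaa", "State": {"Name": "stopped"}},
  {"InstanceId": "i-0e5", "VpcId": "vpc-bbb", "State": {"Name": "running"}}
]}]}"""

# Constructed sample, shaped like `aws ssm describe-instance-information` output.
SSM_JSON = """{"InstanceInformationList": [
  {"InstanceId": "i-0a1", "PingStatus": "Online"},
  {"InstanceId": "i-0c3", "PingStatus": "ConnectionLost"}
]}"""


def ssm_coverage_gaps(ec2_doc, ssm_doc, monitored_vpcs):
    """Return {instance_id: reason} for running instances in the
    monitored VPCs that are not reachable through SSM."""
    managed = {i["InstanceId"]: i
               for i in ssm_doc.get("InstanceInformationList", [])}
    gaps = {}
    for reservation in ec2_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("VpcId") not in monitored_vpcs:
                continue  # VPC is outside the monitored scope
            if inst.get("State", {}).get("Name") != "running":
                continue  # a stopped instance cannot report to SSM
            info = managed.get(inst["InstanceId"])
            if info is None:
                # Agent missing, no instance profile, or no route to SSM
                gaps[inst["InstanceId"]] = "not registered with SSM"
            elif info.get("PingStatus") != "Online":
                gaps[inst["InstanceId"]] = "SSM agent " + info.get(
                    "PingStatus", "unknown")
    return gaps


if __name__ == "__main__":
    result = ssm_coverage_gaps(json.loads(EC2_JSON), json.loads(SSM_JSON),
                               monitored_vpcs={"vpc-aaa"})
    for instance_id, reason in sorted(result.items()):
        print(instance_id, reason)
```

An instance that is running but absent from the SSM inventory usually points to a missing agent, a missing instance profile, or blocked egress to the SSM endpoints, so the gap list is also a quick check on the network rules described earlier.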
For more information on the Threat Manager offering, see the Alert Logic upstream vendor documentation.