How to deploy an open source network IDS/IPS in AWS
Setting up an EC2 instance as a VPC security gateway lets you monitor and protect your cloud assets. The EC2 security gateway routes IP traffic between the VPC and the Internet and therefore has complete visibility of the full-duplex traffic to and from your protected instances. A network IDS running on the gateway instance can then identify and shut down threats just as it would if it were deployed inline in a physical network.
- Launch a VPC and give it a network range (ex. 10.1.0.0/16; AWS only accepts VPC CIDR blocks between /16 and /28, so a /8 such as 10.0.0.0/8 is rejected)
- Create a private subnet (ex. 10.1.1.0/24) and a public subnet (ex. 10.1.100.0/24) inside that range
Set up the EC2 instance as the NAT/security gateway (this is your own instance, not the managed AWS NAT Gateway service):
- Launch the EC2 security gateway instance in the public subnet.
- Associate an Elastic IP (EIP) with the instance. This will be your externally routable address.
- Disable source/destination checking on the instance (or its network interface). EC2 otherwise drops forwarded packets whose source or destination address is not the instance's own, which is exactly what a NAT gateway sends.
- Configure this instance as a normal NAT device for the private subnet (the ip_forward setting below does not survive a reboot, so also add net.ipv4.ip_forward = 1 to /etc/sysctl.conf):
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
Add additional IP addresses on the public subnet (if needed):
- EC2 automatically assigns the instance one private address from the public subnet when it is launched. You can add secondary private addresses from the same subnet to the instance's network interface.
- Each of these addresses can have its own EIP associated with it. The number of addresses per interface is limited by the instance type.
Set up the routing tables:
- The public subnet's route table should have a default route (0.0.0.0/0) to the VPC's Internet Gateway (IGW).
- The private subnet's route table should have a default route (0.0.0.0/0) whose target is the instance ID of the security gateway (the MetaFlows EC2 instance), not the IGW.
- Launch the EC2 instances to be monitored in the private subnet
- Add port forwarding (DNAT) rules to iptables on the gateway for services in the private subnet that must be publicly reachable, and open the same ports in the gateway's security group. You can follow these instructions to do that https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html
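As an added example (not code from the original page or from MetaFlows), the POSIX shell script below builds the complete iptables rule set for the gateway instance described in the steps above: IP forwarding, MASQUERADE for the private subnet, a FORWARD chain with a DROP policy, and DNAT port forwarding for a service in the private subnet. The interface name eth0, the web server address 10.1.1.10 and the forwarded ports are assumptions for illustration. Run it without arguments to print the rules for review, or with `apply` as root on the gateway to install them.

```shell
#!/bin/sh
# Added example, not from the original page: generate (or apply) the NAT and
# port-forwarding rules for the EC2 security gateway described above.
# Assumed values (not from the page): the gateway's NIC is eth0, the private
# subnet is 10.1.1.0/24, and a web server at 10.1.1.10 must be reachable on
# the gateway's EIP on ports 80 and 443.
set -eu

PRIVATE_NET="${PRIVATE_NET:-10.1.1.0/24}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"

# Base NAT rules. The gateway has a single ENI: packets from the private
# subnet arrive on the same interface as Internet traffic, so the rules
# select on source/destination address rather than on -i. The flushes make
# the script safe to re-run without stacking duplicate rules.
base_rules() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -F" \
        "iptables -F FORWARD" \
        "iptables -P FORWARD DROP" \
        "iptables -t nat -A POSTROUTING -s $PRIVATE_NET ! -d $PRIVATE_NET -o $PUBLIC_IF -j MASQUERADE" \
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -s $PRIVATE_NET -m conntrack --ctstate NEW -j ACCEPT"
}

# DNAT plus the matching FORWARD rule exposing a private host's port on the
# EIP. The '! -s $PRIVATE_NET' match stops the private hosts' own outbound
# connections to that port on the Internet from being redirected by DNAT.
# usage: forward_rules <public port> <private ip> <private port> [proto]
forward_rules() {
    pub_port=$1; dst_ip=$2; dst_port=$3; proto=${4:-tcp}
    printf '%s\n' \
        "iptables -t nat -A PREROUTING ! -s $PRIVATE_NET -p $proto --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port" \
        "iptables -A FORWARD -p $proto -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Full rule set for the sample topology (assumed web server at 10.1.1.10).
gateway_rules() {
    base_rules
    forward_rules 80 10.1.1.10 80
    forward_rules 443 10.1.1.10 443
}

case "${1:-dry-run}" in
    apply) gateway_rules | sh -e ;;   # run as root on the gateway
    *)     gateway_rules ;;           # print the rule set for review
esac
```

Two things the rules alone do not cover: the gateway's security group must allow inbound traffic from 10.1.1.0/24 and on each forwarded public port, and source/destination checking must be off on the instance (`aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check`), or EC2 silently drops the forwarded packets before iptables ever sees them.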