AWS Intrusion Detection & Prevention System IDS/IPS
An Intrusion Prevention System (IPS) is an appliance that monitors and analyzes network traffic to detect malicious patterns and potentially harmful packets, and to prevent vulnerability exploits. Most IPS products also offer firewall, unified threat management and routing capabilities.
An Intrusion Detection System (IDS) is an appliance or capability that continuously monitors the environment, sends alerts when it detects malicious activity, policy violations, or network and system attacks from someone attempting to break into or compromise the system, and produces reports for analysis.
Network Tap or SPAN: The traditional approach uses a network Test Access Point (TAP) or Switch Port Analyzer (SPAN) to access and monitor all network traffic. The connection between the AWS Internet Gateway (IGW) and the Elastic Load Balancer (ELB) would be an ideal place to capture all network traffic. However, there is nowhere to plug this in between the IGW and the ELB, as there are no SPAN ports, network taps, or any concept of Layer 2 bridging.
Packet Sniffing: It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance.
Deploy a network-based IDS on every instance you deploy; the IDS workload then scales with your infrastructure.
An agent is deployed on every instance to capture and replicate traffic for centralized analysis.
Set up IDS/IPS on a proxy server/NAT through which the network traffic flows.
Implement a reverse proxy layer in front of the web servers and configure IDS/IPS agents on each reverse proxy server.
Add another tier to the application architecture in which a load balancer sends all inbound traffic to a tier of instances that performs the network analysis, e.g. a third-party solution such as Fortinet FortiGate.
Create a second VPC where the scalable virtualized IDS/IPS platform resides, and route all traffic from this second VPC to the primary application VPC.
You can use this approach to connect multiple Virtual Private Clouds (VPCs), which may be geographically dispersed and/or running in separate AWS accounts, to a common VPC that serves as a global network transit center.
This network topology simplifies network management and minimizes the number of connections that you need to set up and manage.
Even better, it is implemented virtually and does not require any physical network gear or a physical presence in a colocation transit hub. Here’s what this looks like: