Inspect IP packet data & Egress control (AWS)
Controlling outbound traffic from a private network (VPC) to an external network is a critical part of managing your network security. It lets you prevent workloads (EC2 instances) from downloading malware, communicating with untrusted hosts, or being compromised by attackers.
AWS also describes an outbound VPC proxy with domain whitelisting and content filtering: https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
For instance, you can use Squid, an open-source HTTP proxy, running on EC2 or AWS Fargate.

The proxy controls and monitors outbound traffic: it permits connections only to whitelisted domains and applies content filtering based on DNS names.
You can also search for ‘egress control’ in the AWS Marketplace: https://aws.amazon.com/marketplace/search/results?searchTerms=egress+control.
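The allowlist decision the proxy makes, plus the two checks a defender runs against its access log, as an added example that is not from the AWS post or from Squid. It models Squid's dstdomain semantics (a leading dot covers the domain and all subdomains, no dot means exact host) and parses Squid's native access.log layout; the allowlist, the log lines, the hosts and the `/etc/squid/whitelist.txt` path are all constructed for the example.

```python
"""Egress allowlist checks modelled on a Squid dstdomain ACL (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist in the format of a Squid "dstdomain" file: one entry per line,
# a leading dot means the domain and all its subdomains, no dot means that exact host,
# '#' starts a comment.
ALLOWLIST_TEXT = """
# constructed sample: package mirrors and AWS service endpoints
.amazonaws.com
.ubuntu.com
api.github.com
"""

# The squid.conf directives that would consume such a file (path is hypothetical):
#   acl allowed_sites dstdomain "/etc/squid/whitelist.txt"
#   http_access allow allowed_sites
#   http_access deny all


def load_allowlist(text):
    """Return the non-empty, non-comment entries, lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def host_allowed(host, allowlist):
    """dstdomain semantics: '.x.com' matches x.com and *.x.com, 'x.com' matches x.com only."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def destination_host(target):
    """Destination host from a CONNECT 'host:port' target or a full URL (IPv4/hostnames only)."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return re.sub(r":\d+$", "", target).lower()


# Constructed Squid access.log lines in the native format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1700000000.123    245 10.0.1.15 TCP_TUNNEL/200 5130 CONNECT api.github.com:443 - HIER_DIRECT/192.0.2.10 -
1700000001.456      0 10.0.1.15 TCP_DENIED/403 3900 CONNECT updates.unknown-vendor.example:443 - HIER_NONE/- text/html
1700000002.789    120 10.0.1.27 TCP_MISS/200 8800 GET http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease - HIER_DIRECT/192.0.2.11 text/plain
1700000003.001      0 10.0.1.27 TCP_DENIED/403 3900 GET http://203.0.113.9/update.bin - HIER_NONE/- text/html
1700000004.222    310 10.0.1.40 TCP_TUNNEL/200 7100 CONNECT telemetry.example.org:443 - HIER_DIRECT/192.0.2.12 -
"""


def parse_access_log(text):
    """Yield (client_ip, squid_result_code, destination_host) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        yield fields[2], fields[3], destination_host(fields[6])


def denied_by_client(text):
    """Destinations the proxy refused, grouped by client: blocked egress attempts to review."""
    out = defaultdict(list)
    for client, code, host in parse_access_log(text):
        if code.startswith("TCP_DENIED"):
            out[client].append(host)
    return dict(out)


def policy_drift(text, allowlist):
    """Hosts the proxy let through that the allowlist does not cover (config and log disagree)."""
    return sorted({host for _, code, host in parse_access_log(text)
                   if not code.startswith("TCP_DENIED") and not host_allowed(host, allowlist)})


if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_TEXT)
    print("denied:", denied_by_client(ACCESS_LOG))
    print("drift:", policy_drift(ACCESS_LOG, allow))
```

`denied_by_client` is the view the post's "monitor outbound traffic" refers to, and `policy_drift` catches the case where the running proxy configuration no longer matches the allowlist you think is deployed (in the constructed log, `telemetry.example.org` was tunnelled although no entry covers it).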

You can purchase many IDS/IPS solutions from the AWS Marketplace, either open-source (e.g. Suricata: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata) or managed (e.g. https://aws.amazon.com/marketplace/pp/prodview-xhsbijzjvrpei).

Many solutions offer different operational models for IDS and IPS (PaaS, SaaS, etc.), such as Alert Logic, MetaFlows Network IDS/IPS for AWS, Suricata for EC2 Annual Subscription, and Valtix Multi-Cloud Network Security (NGFW, WAF, IDS/IPS, DLP).

These are IDS/IPS solutions you can purchase in the AWS Marketplace. They differ in architecture and operational structure, but at a high level they share a similar design:
- You mirror the traffic to the IDS/IPS solution (how traffic mirroring works: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html).
- The IDS/IPS analyzes the mirrored traffic against pre-configured rules (basic, community and managed rule sets, AI-assisted detection, etc.).
- The service provider supplies a control center where you manage the rules and monitor the logs.
There is some debate about whether a company still needs an IDS/IPS once it has robust, multi-layered controls, encrypted traffic between nodes and outbound control. In practice, though, the SOC relies on the alerts it gets from the IDS/IPS to keep the environment safe.
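The last step in that pipeline, the SOC working through what the IDS produced, as an added example that is not code from the post or from any of the products named. It reads alert records in Suricata's EVE JSON shape (the format Suricata writes to eve.json, with severity 1 = high and 3 = low), skips non-alert and malformed lines, and groups alerts by signature so the most urgent ones come first; every record, IP address and signature below is constructed.

```python
"""Triage of IDS alerts in Suricata EVE JSON format (added example, constructed data)."""
import json
from collections import Counter, defaultdict

# Constructed EVE JSON records. The second line is a flow record, not an alert, and the
# last line is deliberately malformed: both must be ignored by the parser.
EVE_LINES = """\
{"timestamp":"2024-01-10T12:00:01.000000+0000","event_type":"alert","src_ip":"10.0.1.15","src_port":51544,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED outbound connection to listed IP","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2024-01-10T12:00:02.000000+0000","event_type":"flow","src_ip":"10.0.1.27","dest_ip":"192.0.2.11","proto":"TCP"}
{"timestamp":"2024-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"10.0.1.27","src_port":40210,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"CONSTRUCTED cleartext HTTP to external host","category":"Policy Violation","severity":3}}
{"timestamp":"2024-01-10T12:00:04.000000+0000","event_type":"alert","src_ip":"10.0.1.15","src_port":51560,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED outbound connection to listed IP","category":"Potentially Bad Traffic","severity":1}}
not json at all
"""


def parse_alerts(text):
    """Return only well-formed records whose event_type is 'alert'."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not stop the triage run
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """One row per signature with count, sources and destinations, most urgent first."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set()})
    for rec in alerts:
        sig = rec["alert"]
        group = groups[(sig["severity"], sig["signature_id"], sig["signature"])]
        group["count"] += 1
        group["sources"].add(rec["src_ip"])
        group["dests"].add(rec["dest_ip"])
    rows = []
    for (severity, sid, name), group in groups.items():
        rows.append({
            "severity": severity,
            "signature_id": sid,
            "signature": name,
            "count": group["count"],
            "sources": sorted(group["sources"]),
            "destinations": sorted(group["dests"]),
        })
    # lowest severity number is most severe; within a severity, the noisiest signature first
    rows.sort(key=lambda r: (r["severity"], -r["count"]))
    return rows


def noisy_sources(alerts, max_severity=1):
    """High-severity alert count per source IP: the hosts an analyst should look at first."""
    return Counter(rec["src_ip"] for rec in alerts if rec["alert"]["severity"] <= max_severity)


if __name__ == "__main__":
    found = parse_alerts(EVE_LINES)
    for row in summarize(found):
        print(row)
    print(noisy_sources(found))
```

Grouping by signature before grouping by host is deliberate: two alerts for the same signature from the same source (as with signature 9000001 here) are one investigation, not two, and the severity-first ordering is what keeps a low-severity but chatty policy signature from burying the high-severity one.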