AWS Partner Network (APN) Blog

Trellix vIPS and AWS Gateway Load Balancer Integrate for a Next-Gen Intrusion Prevention System

By Manish Kumar, Software Architect – Trellix
By Faisal Pias, Sr. Partner Solutions Architect – AWS
By Asheesh Goja, Principal Solutions Architect – AWS

Trellix-AWS-Partners-2023
Trellix
Trellix-APN-Blog-CTA-2023

Internet-connected systems are increasingly targeted by intricate and sophisticated cyber attacks. As more businesses move their operations to the cloud, fast detection and prevention of such incidents becomes crucial. An advanced intrusion prevention system (IPS) is an important component for safeguarding against complex cyber-attacks.

Trellix’s vIPS solution provides real-time intrusion detection and prevention capabilities, utilizing advanced techniques such as behavioral analysis, north/south and east/west detection, signature-based identification, and signature-less detection, to effectively mitigate evolving cybersecurity threats.

With Trellix vIPS native integration with AWS Gateway Load Balancer, customers can enhance their overall security posture, minimize the risk of data breaches, and ensure the uninterrupted availability and integrity of their cloud-based applications.

Trellix is an AWS Specialization Partner and AWS Marketplace Seller with the Security Competency that is a global cybersecurity company creating a resilient digital world that enables trust and success.

Background

Trellix IPS has been a leading network IPS security solution for the last two decades. As Trellix customers migrate more workloads to Amazon Web Services (AWS), they have asked for a scalable way to deploy Trellix vIPS solution into their Amazon Virtual Private Clouds (VPCs).

Previously, Trellix customers used a probe-based solution within their Amazon Elastic Compute Cloud (Amazon EC2) instances. This approach required network security teams to have access to individual EC2 instances to install the vIPS probe.

In a probe-based solution, vIPS probe shares the available CPU with other processes running within the instance, and this required customers to worry about right-sizing their instances for network traffic inspection. Customers were looking for a solution where scaling IPS appliances is automated and less time-consuming.

AWS Gateway Load Balancer provides both Layer 3 gateway and Layer 4 load balancing capabilities, enabling customers to integrate third-party network traffic inspection appliances in a scalable and highly available manner. Trellix IPS now integrates with GWLB and enables customers to simplify the deployment and operation of their vIPS solution in VPCs.

Trellix vIPS supports deployment for a single VPC for north/south traffic inspection, or for many VPCs in a centralized deployment model for both north/south and east/west traffic inspection. It also offers Trellix Intelligent Virtual Execution (IVX), which is a sandbox technology for malware detection along with signature protection.

In this post, we will discuss why customers are deploying Trellix vIPS with Gateway Load Balancer and how this solution can be procured via AWS Marketplace.

Key Capabilities of Trellix vIPS

Trellix vIPS is a next-generation intrusion prevention system specifically designed for virtualized environments. It provides intelligent security that can detect and block sophisticated threats with unmatched speed, accuracy, and simplicity.

The vIPS delivers enterprise security against sophisticated attacks on virtual infrastructures, and supports deployment as a sensor to monitor both east/west and north/south traffic. Its key capabilities include:

  • Superior Detection:
    • Signatureless detection (sandbox detonation) and behavioral malware detection to catch unknown exploits
    • Real-time signature-based intrusion prevention to stop initial reconnaissance
    • Proprietary/custom signatures
    • Virtual patching capability to protect unpatched systems.
  • Reduced Operational Complexity:

    • Reduce complexity of deployment and management
    • Ease of deployment and management
    • High availability manager (MDR) and sensor (auto-scaling)
    • High-precision verdicts for reduced alert fatigue
    • Unified policies across all networks
  • High Performance:
    • Throughput of up to 1Gbps per sensor with unlimited sensors
    • Automatic scale-in and scale-out to adapt to elastic workloads

Integrating Trellix vIPS with AWS Gateway Load Balancer

The adoption of cloud computing with enterprise applications has led to increase in east/west and north/south traffic. Enterprises have been segmenting their network in the cloud and using policies to protect each segment from internal and external threat.

Under the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud but customers are responsible for security in the cloud. Intrusion prevention within your network environment is one of your organization’s responsibilities.

IPS integrated with AWS Gateway Load Balancer can auto-scale to ensure the IPS is not a bottleneck. Integration with GWLB makes it easy to deploy and manage Trellix IPS while providing high availability and scalability.

Consider the following scenarios to understand multiple ways of integrating Trellix vIPS with Gateway Load Balancer.

Scenario 1: Protect VPCs using distributed data plane (GWLBe) and centralized control plane (GWLB and Trellix vIPS)

This deployment represents VPCs that require Trellix vIPS protection; a protected VPC deploys the GWLB endpoint while Trellix vIPS is centralized. This could be shared by multiple protected VPCs which use subnet routing tables to select the traffic for inspection.

For more information, refer to Trellix vIPS product guide.

Trellix vIPS deployment scenario 1

Figure 1 – Protecting VPC using GWLBe and GWLB and Trellix vIPS.

Scenario 2: Protect VPCs using centralized data and control plane (GWLBe, GWLB, and Trellix vIPS)

You can use this type of deployment for scaling or inspecting either north/south or east/west traffic. AWS Gateway Load Balancer and GWLB endpoints make appliance fleets easier to deploy and scale. You can protect your workload VPCs in AWS by combining with other networking services such as AWS Transit Gateway.

For more information, refer to Trellix vIPS Product Guide.

Trellix vIPS deployment scenario 2

Figure 2 – Protecting VPCs using GWLBe, GWLB, and Trellix vIPS.

Scenario 3: Inspect inbound traffic using distributed data plane (GWLBe) and centralized control plane (GWLB and Trellix vIPS)

This deployment can be used to scale Trellix virtual appliances horizontally to inspect traffic to and from the VPC. Application Load Balancer (ALB) operates at Layer 7 and enables you to offload Transport Layer Security (TLS). Decrypted HTTP traffic is sent to backend application targets which could be in a different AWS Availability Zone (AZ), enabling HTTP header and payload inspection.

For more information, refer to Trellix vIPS product guide.

Trellix vIPS deployment scenario 3

Figure 3 – Inspecting inbound traffic from the internet using GWLBe, GWLB, and Trellix vIPS.

Intrusion Prevention in Action

Trellix IPS Manager software has a web-based user interface (UI) for configuring and managing Trellix IPS. The Manager functions are configured and managed through a graphical user interface (GUI) application, which includes complementary interfaces for device configuration, alert generation, policy management, and others. All interfaces are logically parts of the Manager program.

The Manager UI include five tabs: Dashboard, Analysis, Policy, Devices, and Manager. This section includes a few illustrations to educate the role of each tab in the Manager.

Devices Tab

The vIPS Cluster tab allows you to configure a cluster, which is a collection of virtual IPS sensors that protect a group of instances. The Clusters tab allows you to configure clusters and the corresponding protected groups.

vIPS Clusters detail in Trellix Device Manager

Figure 4 – vIPS clusters detail in Device Manager.

Policy Tab

To protect virtual machines (VMs), each one needs to be part of a protected VM group. For every account you wish to secure, Trellix recommends you create a separate protected group for different accounts. In the event of an attack, this will help in identifying the account that was attacked.

vIPS Protected Groups detail in Trellix Policy Manager

Figure 5 – vIPS protected groups detail in Policy Manager.

Analysis Tab

The Attack Log lists attacks with most recent being listed first. It contains alerts that are raised whenever there’s a discrepancy in the traffic flowing through the network.

The sensors parsing the traffic detect any attack and raise an alert. Attack details are presented using multiple columns known as attributes, which represent packet fields such as source and destination IP address, as well as sensor analysis fields such as attack severity.

Attack Log details in Analysis tab of Trellix IPS Manager

Figure 6 – Attack Log details in Analysis Tab.

Dashboard Tab

The Dashboard tab is the central interface from which all Manager interface components are available. Data viewed on the dashboard can be customized according to your time preference using the Custom Time Period option from the refresh drop-down.

In addition, you can add monitors of your choice and drag and drop these monitors on the Dashboard tab.

Dashboard tab in Trellix IPS Manager

Figure 7 – Dashboard details.

AWS Marketplace Deployment

The steps for deploying Trellix vIPS via AWS Marketplace are:

  • Go to AWS Marketplace and subscribe to Trellix Intrusion Prevention System Manager. Select the latest software version available to deploy the IPS Manager instance, and configure security group for external and internal communication.
  • Access the IPS Manager using a web browser and configure sensor clusters and policies for protected groups.
  • From AWS Marketplace, subscribe to Trellix Virtual IPS Sensor and select the latest software version available to deploy the vIPS Sensor instance with auto-scaling if needed. Provide IPS Manager and configured sensor cluster details in the instance user data to associate the vIPS Sensor with IPS Manager.
  • Associate the vIPS Sensor with AWS Gateway Load Balancer for traffic inspection. Refer to the Trellix vIPS product guide for configuring Trellix vIPS with GWLB.

Summary

In this post, you learned about the key capabilities of the Trellix vIPS solution, which provides a next-generation intrusion prevention system specifically designed for virtualized environments.

By integrating with AWS Gateway Load Balancer, Trellix vIPS offers real-time intrusion detection and prevention capabilities through a scalable and highly available architecture. Utilizing advanced techniques such as behavioral analysis, north/south and east/west detection, signature-based identification, and signature-less detection, Trellix vIPS enables you to protect your VPC from evolving threats.

Trellix’s vIPS solution is a comprehensive solution for IPS requirements that offers superior detection, high performance, and reduced operational complexity.

.
Trellix-APN-Blog-Connect-2023
.

Trellix – AWS Partner Spotlight

Trellix is an AWS Specialization Partner and global cybersecurity company that’s creating a resilient digital world enabling trust and success.

Contact Trellix | Partner Overview | AWS Marketplace