Has anyone deployed the network sensor in a cloud environment like AWS/Azure/GCP to act as an IDS? Aside from cost associated with traffic mirroring or the VM itself, I’m wondering if there are any gotchas or risks that might present with this sort of scenario.
Hi,
Not with NSM, but with Suricata a few years back in AWS. What I noticed is that if a WAF is enabled and properly configured, the amount of “bad” traffic is pretty low.
Price, in my opinion, is the biggest gotcha here. You can get around that by duplicating the traffic with nftables or something similar.
Good luck!
It is possible to deploy sensors in AWS and GCP.
It is not possible to deploy sensors in Azure at the moment as their VTAP is on hold. They do list third party packet brokers but these introduce complexity and expense.
The main gotcha is around expense. Focus on only monitoring important instances.
Can’t wait until Azure has this ability. It’s been available in AWS for a while. We’ve been asking for it for years, but it seems to be an issue with MSFT.