Alert Logic® requires good visibility into customers’ environments in order to provide the best security value possible. This article is intended as a guideline for managing configuration options within your environment to help Alert Logic gain the best possible visibility.
Note: The following information applies only to customers with Cloud Defender and Threat Manager entitlements.
Blockers to Environment Visibility
The following examples are blockers to Alert Logic visibility into your environment:
Potential Subnets and Monitoring Policy
In order to have visibility of traffic from the network within your environment, the hosts and subnets that make up your network must be included within the monitoring policy.
A monitoring policy is a set of instructions allowing the appliance to know which networks to monitor. It can be created and modified to include hosts and subnets within the Alert Logic console at Configuration > Network IDS > Policies > Monitoring.
Agents and Assignment Policies
Agents can be placed on specific hosts; they bind to the network interface of the host and send copies of network traffic to the Threat Manager appliance. This configuration is a protected host, which can be viewed in the Alert Logic Console at Configuration > All Deployments > Networks and Protected Hosts > Protected Hosts.
In order to have visibility of traffic to and from a protected host, the protected host must be assigned to an assignment policy. This is a set of instructions for an agent, so that it knows which Threat Manager appliance to report and send traffic to.
Assignment policies are created and modified within the Alert Logic console at Configuration > Network IDS > Policies > Assignment. Once created, assignment policies can then be assigned in Configuration > All Deployments > Networks and Protected Hosts > Protected Hosts.
Agent Health Status
Agents have several statuses to indicate their health and ability to collect and send traffic to the Alert Logic Threat Manager appliance. Check that your agent status shows ‘OK’; this confirms that the agent is able to transport data from the host to the appliance.
SSL Certificates and Encrypted Traffic
If there are no certificates installed on the appliance, Alert Logic will be unable to decrypt and monitor any SSL traffic that is received. To resolve this, confirm that your certificates are up-to-date and that you have provided the most recent certificates to Alert Logic. Upload and manage certificates in the Alert Logic console or terminate SSL before it reaches the appliance.
Due to the nature of Diffie-Hellman, where the session key is a shared secret derived by the client and server for that connection rather than from the server certificate's private key, Alert Logic cannot decrypt this traffic even with your certificate uploaded. Thus, we cannot effectively monitor this traffic.
For full visibility, Alert Logic suggests utilizing a different cipher suite, such as RSA, with in-date certificates uploaded. There are a few solutions if you wish to continue utilizing Diffie-Hellman:
- SSL bridging. This is a process in which a device, usually located at the edge of a network, decrypts SSL traffic and then re-encrypts it before sending it on to the web server.
For this to work, SSL bridging would have to be implemented at a load balancer that is situated before the intrusion detection system (IDS). Traffic would still be encrypted before the load balancer; it is then decrypted and sent through the IDS as decrypted traffic. After it has passed through the IDS, it is re-encrypted with another certificate.
- SSL offloading. This is the process of removing the SSL-based encryption from incoming traffic that a web server receives to relieve it from decryption of data. This option, like SSL bridging, would have to be implemented at a load balancer situated before the IDS. This option decrypts Diffie-Hellman, and no re-encryption takes place after.
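As an added check (example code written for this article, not part of Alert Logic's tooling), the following Python script reports which key exchange a server negotiates, so that hosts whose traffic the appliance cannot decrypt can be identified before choosing between a different cipher suite, SSL bridging or SSL offloading. The probe function needs network access to the host you name; key_exchange works offline on cipher-suite names recorded from an inventory or a packet capture.

```python
import socket
import ssl

# Key-exchange tokens that mean some form of Diffie-Hellman was used. The
# session key is then a per-connection shared secret, so a passive appliance
# holding only the server certificate's private key cannot decrypt the stream.
DH_TOKENS = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH"}


def key_exchange(cipher_name: str, tls_version: str = "") -> str:
    """Classify a cipher suite as 'rsa-kx' (RSA key transport, decryptable
    with the server key) or 'dh-kx' (any Diffie-Hellman variant, not
    decryptable). Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256,
    AES128-GCM-SHA256) and IANA names (TLS_RSA_WITH_AES_128_CBC_SHA)."""
    if tls_version == "TLSv1.3":
        return "dh-kx"                      # TLS 1.3 always runs (EC)DHE
    name = cipher_name.upper().replace("_", "-")
    if name.startswith("TLS-") and "-WITH-" not in name:
        return "dh-kx"                      # TLS 1.3 suite names carry no kx
    # IANA form: everything before -WITH- is the key exchange / auth part;
    # OpenSSL form: the kx prefix is simply the leading tokens, if any.
    kx_part = name.split("-WITH-")[0].replace("TLS-", "")
    if any(tok in DH_TOKENS for tok in kx_part.split("-")):
        return "dh-kx"
    return "rsa-kx"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect once with default settings to see what the server prefers,
    then once offering only RSA key-transport suites (OpenSSL keyword kRSA)
    to learn whether the server could be moved to a decryptable suite."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _ = tls.cipher()
    report = {"host": host, "default_cipher": name, "tls_version": version,
              "default_kx": key_exchange(name, version), "rsa_kx_supported": False}
    rsa_ctx = ssl.create_default_context()
    rsa_ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # RSA kx does not exist in 1.3
    try:
        rsa_ctx.set_ciphers("kRSA")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with rsa_ctx.wrap_socket(raw, server_hostname=host):
                report["rsa_kx_supported"] = True
    except (ssl.SSLError, OSError):
        pass   # handshake refused (or certificate error): treat as unsupported
    return report
```

A host reporting default_kx of dh-kx and rsa_kx_supported False is one where only bridging or offloading at a load balancer in front of the IDS will restore visibility.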
Web Applications Over Non-Standard Ports
The standard HTTP ports that Alert Logic appliances have coverage for are 80, 81, 8000, and 8080 (and 443 for HTTPS). Any of your web applications that are not utilizing these ports will not have the best coverage that Alert Logic can provide. This is because certain signatures have been created to fire on malicious traffic going over these specific ports.
If you do utilize non-standard ports for HTTP/HTTPS, Alert Logic recommends changing them to be in line with the standardized ports above. If this is not possible, please open a ticket with Support.