Cross-Network Protection

Alert Logic allows you to set up Cross-Network Protection from a manual deployment in the Alert Logic console. Cross-Network Protection creates connections across networks, in the same or different deployment, that use resources from a protecting network to protect other networks within the same account.

Cross-Network Protection allows an assigned network appliance, for Network IDS and scanning, to reside outside the protected network. This centralizes the appliances that provide protection to an account, which allows your organization to reduce infrastructure costs. Cross-Network Protection is also convenient for organizations that cannot add more appliances due to lack of address space, or due to policy concerns that prevent in-network deployment.

The following figure is an example of a network with an appliance in "Deployment A" that is protecting networks in its deployments, and other deployments in the same account:

Protecting networks and protected networks

A protecting network hosts the appliance. The network protected by the protecting network is the protected network.

Protecting networks and protected networks can be VPCs (AWS deployments), VNETs (Azure deployments), or networks (Data Center deployments), depending on your deployment type. The corresponding network type appears as such in your deployments in the Alert Logic console. For more information about deployment types, see About Deployment Types.

Protecting networks and protected networks are only in manual deployments. The Cross-Network Protection option is visible in manual deployments, and you can only configure a network that can be protected to connect to a protecting network.

Requirements for Cross-Network Protection

Before you set up Cross-Network Protection, you must configure the agents and appliances within your environment to connect with other networks. Otherwise, your appliances and protecting networks cannot communicate with other networks.

For Data Center networks that have no agents installed and are configured to SPAN or another port mirroring feature, Cross-Network Protection will not function. The SPAN configured network will continue to protect Data Center networks configured to the port mirroring feature.

Hosts in the protected network must have valid routes to the private IP address of appliances in the protecting network, using VPC peering, a VPN, or a similar network connectivity option. Appliances in the protecting network must have valid routes to the private IP addresses of protected hosts in the protected network, using VPC peering, a VPN, or a similar network connectivity option.

For information about configuring your AWS environment for AWS VPC peering, see AWS Peering Configurations. To learn how to configure your Azure environment for Azure VNET connections, see Azure VNET Connection tutorial. Configuring your Data Center environment to allow cross network connections will vary based on the technology and firewalls in use.

Protection network requirements

The following tables use the 10.0.0.0/24 CIDR block as an example for protecting a network that includes appliances, and 10.1.0.0/24 for what is being protected, including hosts and Alert Logic agents.

AWS IDS appliance

The IDS appliance is in an autoscaling group, so we strongly recommend setting the Protecting CIDR range to at least the subnet CIDR.

Network control Protecting VPC (includes an appliance) Protected VPC (includes agents) Notes
CIDR block (example) 10.0.0.0/24 10.1.0.0/24  
Route table Destination: 10.1.0.0/24 → Target: pcx-12345678 (example) Destination: 10.0.0.0/16 → Target: pcx-12345678 (example)  
NACL outbound 1024-65535 to 10.1.0.0/24 Allow TCP 7777 & 1024-65535 to 10.0.0.0/24 AWS Default 0.0.0.0/0 ANY ANY
NACL inbound Allow TCP 7777 & 1024-65535 from 10.1.0.0/24 1024-65535 from 10.0.0.0/24 AWS Default 0.0.0.0/0 ANY ANY
Security group inbound Allow TCP 7777 from 10.1.0.0/24    
Security group outbound   Allow TCP 7777 to 10.0.0.0/24  

AWS scan appliance

The scan appliance is in an autoscaling group, so we strongly recommend setting the Protecting CIDR range to at least the subnet CIDR.

Network control Protecting VPC (includes an appliance) Protected VPC (includes agents) Notes
CIDR block (example) 10.0.0.0/24 10.1.0.0/24  
Route table Destination: 10.1.0.0/24 → Target: pcx-12345678 (Example) Destination: 10.0.0.0/24 → Target: pcx-12345678 (example)  
NACL outbound Allow ANY PORT/ANY PROTO To 10.1.0.0/24 1024-65535 to 10.0.0.0/24 AWS Default 0.0.0.0/0 ANY ANY
NACL inbound 1024-65535 from 10.1.0.0/24 Allow ANY PORT/ANY PROTO from 10.0.0.0/24 AWS Default 0.0.0.0/0 ANY ANY
Security group inbound   Allow ANY PORT/ANY PROTO to 10.1.0.0/24  
Security group outbound Allow ANY PORT/ANY PROTO to 10.0.0.0/24    

Azure Network IDS and scanning requirements

For Azure environments, ensure the following are allowed:

IDS and scanner functions are performed on the same appliance in Azure; Agent TCP 7777 requirements are met with this configuration. Ensure VNets are peered (either within the same region or globally).
Network control Protecting VNET (includes an appliance) Protected VNET (includes agents and hosts)
CIDR block (example) 10.0.0.0/24 10.1.0.0/24
Network Security Group (NSGs) and/or Application Security Group (ASGs) outbound Allow ANY PORT/ANY PROTO to 10.1.0.0/24  
Network Security Group (NSGs) and/or Application Security Group (ASGs) inbound   Allow ANY PORT/ANY PROTO FROM 10.0.0.0/24

Data Center Network IDS and scanning requirements

For Data Center environments, ensure the following are allowed:

IDS and scanner functions are performed on the same appliance in Data Center deployments; Agent TCP 7777 are met with this configuration. The specifics surrounding this will vary depending on the firewall vendor
Network control Protecting network (includes an appliance) Protected network (includes agents and hosts)
CIDR block (example) 10.0.0.0/24 10.1.0.0/24
Network outbound Allow ANY PORT/ANY PROTO to 10.1.0.0/24  
Network inbound   Allow ANY PORT/ANY PROTO FROM 10.0.0.0/24

Configure Cross-Network Protection

To configure Cross-Network Protection:

  1. In the Alert Logic console, open the deployment for which you want to configure Cross-Network Protection.

    2. Only manual mode deployments have the Cross-Network Protection option.

  2. On the side navigation, click Protection, and then click Options.
  3. Click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
  4. Click the search field to search or type the name of a protecting network, and then select one.
  5. Click SAVE.

The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.

View protected networks

To view protected networks:

  1. Click the protecting network icon () to see the number of protected networks currently connected.
  2. Click the details icon () to see a slideout panel that contains protected network names.

View protecting networks

To view protecting networks, click the protected network icon ().

Remove a Cross-Network Protection

To remove a Cross-Network Protection connection:

  1. Click the protected network icon (), and then click the remove icon ().
  2. Click DELETE.

If there are any issues after you setup Cross-Network Protection, Alert Logic will create a configuration remediation that you can view in the Exposures page. To learn more about remediations, see Remediations view.