Cross-Network Protection

Alert Logic allows you to set up Cross-Network Protection from a manual deployment in the Alert Logic console. Cross-Network Protection creates connections across networks, in the same or different deployments, that use resources from a protecting network to protect other networks within the same account.

Cross-Network Protection allows an assigned network appliance, for Network IDS or scanning, to reside outside the protected network. This centralizes the appliances that provide protection to an account, which allows your organization to reduce infrastructure costs. Cross-Network Protection is also convenient for organizations that cannot add more appliances due to lack of address space, or due to policy concerns that prevent in-network deployment.

Protecting networks and protected networks

A protecting network hosts the appliance. The network protected by the protecting network is the protected network.

Protecting networks and protected networks can be VPCs (AWS deployments), VNETs (Azure deployments), or networks (Data Center deployments), depending on your deployment type. The corresponding network type appears as such in your deployments in the Alert Logic console. For more information about deployment types, see Deployment types.

Protecting networks and protected networks exist only in manual deployments. The Cross-Network Protection option is visible only in manual deployments, and only a network that is eligible for protection can be connected to a protecting network.

Requirements for Cross-Network Protection

Before you set up Cross-Network Protection, you must configure the agents and appliances within your environment to connect with other networks. Otherwise, your appliances and protecting networks cannot communicate with other networks.

For Data Center networks that have no agents installed and are configured to use SPAN or another port mirroring feature, Cross-Network Protection will not function. The SPAN-configured network will continue to protect Data Center networks configured with the port mirroring feature.

Hosts in the protected network must have valid routes to the private IP address of appliances in the protecting network, using VPC peering, a VPN, or a similar network connectivity option. Appliances in the protecting network must have valid routes to the private IP addresses of protected hosts in the protected network, using VPC peering, a VPN, or a similar network connectivity option.

For information about configuring your AWS environment for AWS VPC peering, see AWS Peering Configurations. To learn how to configure your Azure environment for Azure VNET connections, see Azure VNET Connection tutorial. For an example of how you can configure your Data Center environment, see VPN between Two IOS Routers.

Network IDS protection requirements

For Network IDS protection, hosts in the protected network must be able to connect to appliances in the protecting network. Ensure the following are allowed:

| Network access control | Applies to | Direction | Source | Rule | Destination | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| AWS Security Groups, Azure Security Groups | Protected hosts | Outbound | | Permit TCP port 7777 | Addresses of appliances in protecting network | Agent to Appliance Network IDS traffic forwarding |
| AWS Network Access Control List | Subnets containing protected hosts | Outbound | | Permit TCP port 7777 | Addresses of subnets containing protecting appliances | Agent to Appliance Network IDS traffic forwarding |
| AWS Network Access Control List | Subnets containing protected hosts | Inbound | Addresses of subnets containing protecting appliances | Permit TCP port 32768-61000 | | Agent to Appliance Network IDS traffic forwarding (return traffic) |
| AWS Network Access Control List | Subnets containing protecting appliances | Inbound | Addresses of subnets containing protected hosts | Permit TCP port 7777 | | Agent to Appliance Network IDS traffic forwarding |
| AWS Network Access Control List | Subnets containing protecting appliances | Outbound | | Permit TCP port 32768-61000 | Addresses of subnets containing protected hosts | Agent to Appliance Network IDS traffic forwarding (return traffic) |
| AWS Security Groups, Azure Security Groups | Protecting appliances | Inbound | Addresses of protected hosts | Permit TCP port 7777 | | Agent to Appliance Network IDS traffic forwarding |

Scanning requirements

For scanning, appliances in the protecting network must be able to connect to protected hosts in the protected network to perform vulnerability assessment.

When you create an AWS manual mode deployment with the Alert Logic CloudFormation template, the deployment procedure creates a restrictive security group which may not allow vulnerability scans to work properly. The default outbound rules only allow the appliance from the protecting network to reach ports 53, 80, and 443 of the protected network. You must configure the security group of the appliance after you create the deployment to allow all outbound traffic from the protecting network to the protected network. For more information about AWS manual mode scanning appliances, see Deploy scanning appliances.

Ensure the following are allowed:

| Network access control | Applies to | Direction | Source | Rule | Destination | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| AWS Security Groups, Azure Security Groups | Protected hosts | Inbound | Addresses of appliances in protecting network | All ports, protocols | | Vulnerability scanning |
| AWS Network Access Control List | Subnets containing protected hosts | Inbound | Addresses of subnets containing protecting appliances | All ports, protocols | | Vulnerability scanning |
| AWS Network Access Control List | Subnets containing protected hosts | Outbound | | Permit TCP port 32768-61000 | Addresses of subnets containing protecting appliances | Vulnerability scanning (return traffic) |
| AWS Network Access Control List | Subnets containing protecting appliances | Outbound | | All ports, protocols | Addresses of subnets containing protected hosts | Vulnerability scanning |
| AWS Network Access Control List | Subnets containing protecting appliances | Inbound | Addresses of subnets containing protected hosts | Permit TCP port 32768-61000 | | Vulnerability scanning (return traffic) |
| AWS Security Groups, Azure Security Groups | Protecting appliances | Outbound | | All ports, protocols | Appliances in protecting network | Vulnerability scanning |
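The two requirement tables above (Network IDS forwarding on TCP 7777 with the 32768-61000 return range, and vulnerability scanning with all ports and protocols from the protecting appliances) are easy to get partly right, and the restrictive default security group the CloudFormation template creates is a common reason scanning silently fails. The following pre-flight check is an added example, not Alert Logic's own tooling. It models security group and NACL entries in a simplified dictionary form (an assumption for this example, not the AWS API schema), encodes each table as a list of required rules, and reports which requirements no existing rule satisfies. The CIDRs and the sample rule sets are constructed for the example; the appliance security group egress requirement follows the page's instruction to allow all outbound traffic to the protected network.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Port values taken from the page's requirement tables.
NIDS_PORT = 7777            # agent-to-appliance Network IDS traffic forwarding
EPHEMERAL = (32768, 61000)  # return-traffic range the stateless NACLs must permit
ALL = (0, 65535)            # "All ports, protocols"


@dataclass(frozen=True)
class Rule:
    """One security group or NACL entry in a simplified form assumed for this example
    (not the AWS API schema). `cidr` is the source for inbound rules and the
    destination for outbound rules. NACL rule-number ordering is not modelled."""
    direction: str          # "inbound" or "outbound"
    protocol: str           # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # NACL entries may also be "deny"


def covers(rule, direction, protocol, ports, peer):
    """True if `rule` allows `protocol` on the whole `ports` range to/from `peer`."""
    if rule.direction != direction or rule.action != "allow":
        return False
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= ports[0] and ports[1] <= rule.to_port):
        return False
    # The required peer range must sit entirely inside the rule's CIDR.
    return ip_network(peer).subnet_of(ip_network(rule.cidr))


def nids_requirements(protected_cidr, protecting_cidr):
    """Rules from the Network IDS table, keyed by the rule set they belong to."""
    nids = (NIDS_PORT, NIDS_PORT)
    return {
        "protected_hosts_sg": [("outbound", "tcp", nids, protecting_cidr)],
        "protected_subnet_nacl": [("outbound", "tcp", nids, protecting_cidr),
                                  ("inbound", "tcp", EPHEMERAL, protecting_cidr)],
        "protecting_subnet_nacl": [("inbound", "tcp", nids, protected_cidr),
                                   ("outbound", "tcp", EPHEMERAL, protected_cidr)],
        "protecting_appliance_sg": [("inbound", "tcp", nids, protected_cidr)],
    }


def scan_requirements(protected_cidr, protecting_cidr):
    """Rules from the scanning table. The appliance security group egress follows the
    page's instruction to allow all outbound traffic to the protected network."""
    return {
        "protected_hosts_sg": [("inbound", "-1", ALL, protecting_cidr)],
        "protected_subnet_nacl": [("inbound", "-1", ALL, protecting_cidr),
                                  ("outbound", "tcp", EPHEMERAL, protecting_cidr)],
        "protecting_subnet_nacl": [("outbound", "-1", ALL, protected_cidr),
                                   ("inbound", "tcp", EPHEMERAL, protected_cidr)],
        "protecting_appliance_sg": [("outbound", "-1", ALL, protected_cidr)],
    }


def find_missing(rule_sets, requirements):
    """Return the (rule set name, requirement) pairs that no rule in that set satisfies."""
    missing = []
    for name, reqs in requirements.items():
        for req in reqs:
            if not any(covers(r, *req) for r in rule_sets.get(name, [])):
                missing.append((name, req))
    return missing


# Constructed sample: a protected VPC and a protecting VPC joined by peering.
PROTECTED = "10.10.0.0/16"
PROTECTING = "10.20.0.0/16"

# Constructed model of the restrictive appliance security group the page describes:
# outbound only to ports 53, 80 and 443, plus the inbound 7777 rule for NIDS.
DEFAULT_APPLIANCE_SG = [
    Rule("outbound", "tcp", 53, 53, "0.0.0.0/0"),
    Rule("outbound", "udp", 53, 53, "0.0.0.0/0"),
    Rule("outbound", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("outbound", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("inbound", "tcp", NIDS_PORT, NIDS_PORT, PROTECTED),
]


def sample_rule_sets(appliance_sg_fixed=False):
    """Rule model for the sample environment. `appliance_sg_fixed` adds the allow-all
    egress to the protected network that the page says scanning requires."""
    appliance_sg = list(DEFAULT_APPLIANCE_SG)
    if appliance_sg_fixed:
        appliance_sg.append(Rule("outbound", "-1", 0, 65535, PROTECTED))
    return {
        "protected_hosts_sg": [Rule("outbound", "tcp", NIDS_PORT, NIDS_PORT, PROTECTING),
                               Rule("inbound", "-1", 0, 65535, PROTECTING)],
        "protected_subnet_nacl": [Rule("outbound", "tcp", NIDS_PORT, NIDS_PORT, PROTECTING),
                                  Rule("inbound", "-1", 0, 65535, PROTECTING),
                                  Rule("outbound", "tcp", 32768, 61000, PROTECTING)],
        "protecting_subnet_nacl": [Rule("inbound", "tcp", NIDS_PORT, NIDS_PORT, PROTECTED),
                                   Rule("outbound", "-1", 0, 65535, PROTECTED),
                                   Rule("inbound", "tcp", 32768, 61000, PROTECTED)],
        "protecting_appliance_sg": appliance_sg,
    }


if __name__ == "__main__":
    for label, fixed in (("default appliance SG", False), ("fixed appliance SG", True)):
        sets = sample_rule_sets(fixed)
        print(label, "NIDS missing:", find_missing(sets, nids_requirements(PROTECTED, PROTECTING)))
        print(label, "scan missing:", find_missing(sets, scan_requirements(PROTECTED, PROTECTING)))
```

With the default appliance security group the scanning check reports the single missing outbound allow-all rule to the protected network, while the Network IDS check passes; adding that rule clears the scanning report. Security groups are stateful, which is why the tables list return-traffic rules only for the stateless NACLs; the checker mirrors that and asks for the 32768-61000 range only in the NACL rule sets. The model does not evaluate NACL rule-number ordering, so a lower-numbered deny entry could still block traffic that this check reports as allowed.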

Configure Cross-Network Protection

To configure Cross-Network Protection:

  1. In the Alert Logic console, click CONFIGURATION, and then in the Deployments tab, click the deployment for which you want to configure Cross-Network Protection. Only manual mode deployments have the Cross-Network Protection option.
  2. On the side navigation, click Protection, and then click Options.
  3. Click the network or region you want to protect in the topology diagram, or in the Search Assets field, search for the network or region you want to protect.
  4. Click the search field to search or type the name of a protecting network, and then select one.
  5. Click SAVE.

The protecting network and protected network are now visible in the topology diagram with distinguishing icons. The Cross-Network Protection Breakdown, on the top left of the topology graph, provides an overview of your Cross-Network Protection connections.

View protected networks

To view protected networks:

  1. Click the protecting network icon to see the number of protected networks currently connected.
  2. Click the details icon to see a slideout panel that contains the protected network names.

View protecting networks

To view protecting networks, click the protected network icon.

Remove a Cross-Network Protection

To remove a Cross-Network Protection connection:

  1. Click the protected network icon, and then click the remove icon.
  2. Click DELETE.

If there are any issues after you set up Cross-Network Protection, Alert Logic creates a configuration remediation on the Remediations page. To learn more about remediations, see Remediations.