Before you can deploy Security Analytics in Amazon Web Services (AWS), you need to:
- Understand the requirements of your enterprise.
- Know the scope of a Security Analytics deployment.
When you are ready to begin deployment:
- Make sure that you have a Security Analytics "Throughput" license.
- For packet capture in AWS, purchase the Gigamon® solution from Gigamon®. To assist you with the packet-capture implementation, Gigamon will assign a Gigamon account representative and a professional services engineer who will work closely with RSA staff.
- Use Chrome for your browser (Internet Explorer is not supported).
AWS Environment Recommendations
AWS instances provide the same functionality as the Security Analytics hardware hosts. RSA recommends that you perform the following tasks when you set up your AWS environment.
- Based on the resource requirements of each component, follow AWS best practices for sizing and using the system volume and the dedicated Elastic Block Store (EBS) storage volumes.
- Make sure that the compute capacity provides a write speed 10% greater than the required sustained capture and ingest rate for the deployment.
- Build the Concentrator index database directory on a Provisioned IOPS SSD volume.
| Term | Definition |
|---|---|
| AMI | Amazon Machine Image |
| AWS | Amazon Web Services |
| BYOL | Bring your own licensing |
| CPU | Central Processing Unit |
| Dedicated Instance | AWS Dedicated Instances run in a VPC on hardware that is dedicated to a single customer. Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. Dedicated instances may share hardware with other instances from the same AWS account that are not Dedicated instances. Refer to the AWS "Amazon EC2 Dedicated Instance" documentation (https://aws.amazon.com/ec2/purchasing-options/dedicated-instances/) for more information on dedicated instances. |
| EBS-Optimized Instance | An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. Refer to the AWS "Amazon EBS-Optimized Instances" documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html) for more information on EBS-optimized instances. |
| EBS Volume | An Elastic Block Store (EBS) volume is a highly available and reliable storage volume that you can attach to any running instance that is in the same Availability Zone. Refer to the AWS "Amazon EBS Volumes" documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) for more information on EBS volumes. |
| EC2 instance | Virtual server in AWS Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. See also Instance. |
| Enhanced Networking | Enhanced networking provides higher bandwidth, higher packet-per-second performance, and consistently lower inter-instance latencies. If your packets-per-second rate appears to have reached its ceiling, consider moving to enhanced networking, because you have likely reached the upper threshold of the virtual machine network interface (VIF) driver. Refer to the AWS "How do I enable and configure enhanced networking on my EC2 instances" documentation (https://aws.amazon.com/premiumsupport/knowledge-center/enable-configure-enhanced-networking/) for more information on enhanced networking. |
| EPS | Events Per Second |
| GB | Gigabyte. 1 GB = 1,000,000,000 bytes |
| Gb | Gigabit. 1 Gb = 1,000,000,000 bits |
| Gbps | Gigabits per second, or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| GHz | Gigahertz. 1 GHz = 1,000,000,000 Hz |
| HDD | Hard Disk Drive |
| Instance | A virtual host in AWS (that is, a virtual machine or server in the AWS infrastructure on which you run services or applications). See also EC2 instance. |
| Instance Type | Specifies the required CPU and RAM for an instance. Refer to the AWS "Amazon EC2 Instance Types" documentation (https://aws.amazon.com/ec2/instance-types/) for more information on instance types. |
| IOPS | Input/Output Operations Per Second |
| Mbps | Megabits per second, or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| On-Premise | On-premise hosts are installed and run on computers on the premises (in the building) of the organization using the hosts, rather than in AWS. |
| PPS | Packets Per Second |
| RAM | Random Access Memory (also known as memory) |
| Security Group | Set of firewall rules. Refer to Deployment: Network Architecture and Ports for a comprehensive list of the ports you must set up for all Security Analytics components. |
| Tag | A meaningful identifier for an AWS instance. |
| Tap Vendor | Network Tapping Vendor |
| vCPU | Virtual Central Processing Unit (also known as a virtual processor) |
| VPC | Virtual Private Cloud |
| vRAM | Virtual Random Access Memory (also known as virtual memory) |
AWS Deployment Scenarios
The following diagrams illustrate some common AWS deployment scenarios. In the diagrams:
- The GigaVUE Series (Gigamon® Solution), in combination with tunneling (created by the Security Analytics administrator), facilitates packet data capture in AWS.
- CloudLens™ (Ixia® Solution), through Ixia clients and the CloudLens Docker container installed on the Decoder, facilitates packet data capture in AWS.
- The Decoder collects packet data. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 through 7.
- The Log Decoder collects logs. The Log Decoder collects log events from hundreds of devices and event sources.
- The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics, while facilitating reporting and alerting.
- The Security Analytics Server hosts Incident Management, Reporting, Investigation, Live Content Management, Administration, and other aspects of the user interface.
Full Security Analytics Stack VPC Visibility (Packet Solution)
Hybrid Deployment - Decoder and Log Decoder (Packet Solution)
This diagram shows the Decoder and Log Decoder deployed in AWS with all other Security Analytics components deployed on your premises.
Hybrid Deployment - Decoder, Log Decoder, and Concentrator (Packet Solution)
This diagram shows the Decoder, Log Decoder, and the Concentrator deployed in AWS with all other Security Analytics components deployed on your premises.
You need the following items before you begin the integration process:
- Ixia account (https://login.ixiacom.com/)
- Access to the AWS console
- A routable network path (and the proper AWS Security Groups) so that the containers can transfer data to the RSA Security Analytics Suite Decoder.
RSA provides the following Security Analytics services.
- Security Analytics Server
- Event Stream Analysis
- Log Decoder
- Remote Log Collector