Before you can deploy RSA NetWitness® Platform in Amazon Web Services (AWS), you need to:
- Understand the requirements of your enterprise.
- Know the scope of a NetWitness Platform deployment.
When you are ready to begin deployment:
- Make sure that you have a NetWitness Platform "Throughput" license.
For packet capture in AWS, you can purchase either of the following third-party solutions. If you engage one of these third parties, they will assign an account representative and a professional services engineer who will work closely with RSA Support.
AWS Environment Recommendations
AWS instances have the same functionality as the NetWitness Platform hardware hosts. RSA recommends that you perform the following tasks when you set up your AWS environment.
- Based on the resource requirements of the different components, follow best practices to use the system and dedicated storage Elastic Block Store (EBS) Volumes appropriately.
- Make sure that compute capacity provides a write speed 10% greater than the required sustained capture and ingest rate for the deployment.
- Build the Concentrator directory for the index database on Provisioned IOPS SSD.
AWS Deployment Scenarios
The following diagrams illustrate some common AWS deployment scenarios.
Full NetWitness Platform Stack VPC Visibility
This diagram shows all NetWitness Platform components (full stack) deployed in AWS.
Hybrid Deployment - Decoder and Log Decoder
This diagram shows the Decoder and Log Decoder deployed in AWS with all other NetWitness Platform components deployed on your premises.
Hybrid Deployment - Decoder, Log Decoder, and Concentrator
This diagram shows the Decoder, Log Decoder, and the Concentrator deployed in AWS with all other NetWitness Platform components deployed on your premises.
In the diagrams, the:
- GigaVUE Series (Gigamon® Solution) is an agent-based solution that uses Tunneling (implemented by the NetWitness Platform administrator) to facilitate packet data capture in AWS.
- BIG-IP (f5® Solution) is a load balancing solution that uses a Network Decoder acting as a sniffer (customized by the NetWitness Platform administrator) to facilitate packet capture in AWS.
- Decoder collects packet data. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 – 7.
- Log Decoder collects logs. The Log Decoder collects log events from hundreds of devices and event sources.
- Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while facilitating reporting and alerting.
- Endpoint Hybrid collects endpoint data. The Endpoint Hybrid comprises Endpoint Server, Log Decoder, and Concentrator. For more information, see the NetWitness Endpoint Insights Configuration Guide.
- NetWitness Server hosts Respond, Reporting, Investigate, RSA Live Content Management, Administration, Endpoint Hybrid/Log Hybrid and other aspects of the user interface.
- User Entity and Behavior Analytics (UEBA) provides comprehensive user and entity behavioral analytics to better detect, investigate, and respond to advanced internal attacks and identity-based anomalies.
You need the following before you begin the integration process:
- Access to AWS console
- Network routability (and proper AWS Security Groups) for the containers to transfer data to the NetWitness Platform Decoder.
RSA provides the following NetWitness Platform services.
- NetWitness Server
- Admin Server
- Config Server
- Event Stream Analysis
- Investigate Server
- Orchestration Server
- Reporting Engine
- Respond Server
- Security Server
- Log Decoder
- Remote Log Collector
- Endpoint Server
- User and Entity Behavior Analytics (UEBA)