NDR: Deploying a Virtual Sensor in AWS

Description

Notice

  • This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.
  • Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.
  • Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.


AWS Modular Sensor Deployment

CAUTION: The examples below are intended to serve as general guidelines. Your platform or software version may differ, resulting in variations in images, screens, options, or other elements.

Preparing

You must have:

  • One IP address with access to a default gateway
  • A Stellar Cyber license that can be applied to the sensor

To prepare for the installation:

  1. Open firewall ports for log ingestion.
  2. Open firewall ports for Network Traffic, Sandbox, and IDS features, as necessary.
  3. Reply to your NDR integration ticket for access to the AMI. You must provide:
    1. AWS account name
    2. AWS account number
    3. AWS region for the sensor

Launching the AMI

To configure and launch the AMI:

Use our example as a guideline, as you might be using a different software version.

  1. Log in to your EC2 Dashboard.

image-20240513-151633.png

  2. Click AMIs, under Images. A list of existing AMIs appears.

image-20240513-151641.png

  3. If you don't see any products, click the drop-down next to the search bar and choose Private images.

image-20240513-151705.png

  4. If you still don't see any products, make sure your region setting is correct. The AMI is shared only into the region you gave on the integration ticket.
  5. If you still don't see any products, contact technical support.

AMI Names for Stellar Cyber Images

For reference, the AMI names for the Stellar Cyber AMIs are as follows:

  • Modular Sensor – ModularSensor-5-x-y

In all cases, x-y refers to the minor version numbers of the sensor software (for example, ModularSensor-5-1-1).

  6. Click the check-box to the left of the AMI. The Launch button activates and the details appear.

image-20240513-151734.png

  7. Click Launch. The Choose an Instance Type page appears.

image-20240513-151738.png

  8. Choose a t2.2xlarge or higher type. Smaller instance types are not supported.
  9. Click Next: Configure Instance Details. The Configure Instance Details page appears. We recommend keeping the default settings.
  10. Click Next: Add Storage. The Add Storage page appears. We recommend keeping the default settings.

image-20240513-151802.png

  11. As an option, you can encrypt your storage volume as follows:

image-20240513-151809.png

    1. Click the Advanced button in the Configure Storage panel.
    2. Set the Encrypted dropdown in the EBS Volumes settings to Encrypted.
    3. You can also convert an existing sensor's unencrypted storage volume to use encryption.
  12. Click Next: Add Tags. The Add Tags page appears. Stellar Cyber does not use tags.
  13. Click Next: Configure Security Group. The Configure Security Group page appears.

image-20240513-151834.png

    Security groups define which local ports can be reached on the sensor and from which remote hosts. The wizard proposes an SSH rule by default, and the warning at the bottom of the page appears because that proposed rule allows SSH from any address (0.0.0.0/0). The warning does not block the launch, but do not leave the rule as proposed: restrict the SSH source to your administrative addresses.
  14. Enter the Security group name.
  15. Click Add Rule. A new row appears. Configure inbound rules for the log-ingestion and feature ports you opened while preparing, and allow your sensor to communicate with the DP.
    1. If you already added rules on a prior installation, you can choose Select an existing security group to see a list of the existing groups.
  16. Click Review and Launch. Make changes if necessary.

image-20240513-151841.png

  17. Click Launch. The Select an existing key pair screen appears. The Stellar Cyber image is configured with a user name and password, so it does not need a key pair.
  18. Choose Proceed without a key pair.
  19. Click the check-box to acknowledge.

image-20240513-151847.png

  20. Click Launch Instance.
    1. You can launch the image but you cannot copy it. This means that the VM must be deployed in the AWS region where the image was authorized.
  21. The VM is now running in the AWS cloud.
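The whole launch procedure above, as an added example written in Terraform (this is not Stellar Cyber's code or the page's own): the AMI lookup by the documented ModularSensor-5-x-y name pattern in the one region the image was shared into, the t2.2xlarge instance-type floor enforced at plan time, the encrypted root volume, no key pair, and a security group whose SSH rule is limited to administrative addresses instead of the wizard's open default. The variable names, the account ID that shared the AMI, and the log-ingestion port list are assumptions; take the real values from your integration ticket. It goes one step beyond the page by requiring IMDSv2 on the instance.

```hcl
# Added example, not Stellar Cyber's code. Variable names, the AMI-sharing
# account and the port list are assumptions; fill them from your ticket.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = var.region # the region the AMI was shared into; it cannot be copied elsewhere
}

variable "region" { type = string }
variable "vpc_id" { type = string }
variable "subnet_id" { type = string }          # subnet with a route to a default gateway
variable "ami_owner_account" { type = string }  # assumption: account ID that shared the AMI
variable "admin_cidrs" { type = list(string) }  # SSH sources; keep 0.0.0.0/0 out of this list
variable "log_source_cidrs" { type = list(string) }
variable "log_ingest_ports" {                   # assumption: ports from your ticket
  type = list(object({ proto = string, from = number, to = number }))
}
variable "kms_key_arn" {
  type    = string
  default = null # null selects the AWS-managed aws/ebs key
}
variable "instance_type" {
  type    = string
  default = "t2.2xlarge"
  validation {
    condition     = !contains(["t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large", "t2.xlarge"], var.instance_type)
    error_message = "Smaller instance types are not supported; use t2.2xlarge or larger."
  }
}

# Same lookup as Images > AMIs > Private images, by the documented name pattern.
data "aws_ami" "modular_sensor" {
  most_recent = true
  owners      = [var.ami_owner_account]
  filter {
    name   = "name"
    values = ["ModularSensor-5-*"]
  }
}

resource "aws_security_group" "sensor" {
  name        = "stellar-modular-sensor"
  description = "Stellar Cyber modular sensor"
  vpc_id      = var.vpc_id
}

# SSH only from administrative addresses; this is what the wizard's 0.0.0.0/0 warning is about.
resource "aws_vpc_security_group_ingress_rule" "ssh" {
  for_each          = toset(var.admin_cidrs)
  security_group_id = aws_security_group.sensor.id
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# One ingress rule per (source CIDR, port range) pair for log ingestion.
locals {
  ingest = { for p in setproduct(var.log_source_cidrs, var.log_ingest_ports) :
    "${p[0]}/${p[1].proto}/${p[1].from}-${p[1].to}" => { cidr = p[0], rule = p[1] } }
}
resource "aws_vpc_security_group_ingress_rule" "ingest" {
  for_each          = local.ingest
  security_group_id = aws_security_group.sensor.id
  cidr_ipv4         = each.value.cidr
  ip_protocol       = each.value.rule.proto
  from_port         = each.value.rule.from
  to_port           = each.value.rule.to
}

# Outbound stays open so the sensor can reach the DP, DNS and NTP.
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.sensor.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_instance" "sensor" {
  ami                    = data.aws_ami.modular_sensor.id
  instance_type          = var.instance_type
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.sensor.id]
  # No key_name: the image ships with a username/password login.
  root_block_device {
    encrypted  = true # the optional Encrypted setting from the Add Storage step
    kms_key_id = var.kms_key_arn
  }
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
}

output "sensor_private_ip" { value = aws_instance.sensor.private_ip }
```

Run `terraform init` and `terraform plan -var-file=sensor.tfvars` with the region set to the one on your ticket; the plan fails early if the AMI is not visible in that region or if a sub-t2.2xlarge type is requested, which is cheaper than discovering either after launch.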
