
Snort 3 Anywhere

We are proud to announce that Snort 3 is officially available in a container form factor (called “Snort 3 Anywhere”) on AWS Marketplace, to be consumed in your Kubernetes cluster running either on AWS or on-prem. It’s yet another way that we are fulfilling our vision to simplify security for networks, workloads, and applications across your multi-cloud world.

I am pretty sure you know about Snort, Cisco’s very own piglet. Snort has a long history: it is the most recommended, de facto intrusion prevention engine in the industry, and it sits in the hall of fame of the greatest open-source software of all time. Snort is widely used in several of our own products, including Cisco Secure Firewall, Cisco Umbrella and Meraki MX, and by other industry partners. It is also available as a stand-alone open-source package.

The time has come to send Snorty, our pig mascot, on another journey to secure the container revolution…

The Container Revolution

Over the past couple of years there has been a tremendous increase in demand for container technologies, and in the need to consume capabilities in a containerized form factor. This has fueled the evolution of Cloud Native architectures both on-prem and in the cloud.

As a natural reaction, everyone in the market has started to deliver container-based solutions to satisfy customer needs. Some of the most popular solutions leverage Docker and Kubernetes technologies.

A short clarification here if you’re lost: Docker itself is an open-source technology (and container file format) which provides a way to containerize applications. It allows you to build and run containers while you develop them. When you have so many containers that you can’t handle them, that’s where Kubernetes becomes effective. It provides an ecosystem to deal with scaling, complexity, self-healing, deploying, and orchestrating your containers across multiple servers.

One more technology worth mentioning is called Helm. It plays a key role in the solution described below. Quoting from Helm’s site: “Helm is a tool for managing Kubernetes packages called charts.” In essence, you can use Helm charts to bundle all the information required for Kubernetes to instantiate containers. (Think about bootstrap parameters, dependency management, release metadata for lifecycle management.)

The Challenge

Recently, the growth of distribution channels for containers has made it challenging for customers to consume these products from a single secure and trusted catalogue. If you have hybrid-cloud (a mix of on-prem and cloud) environments – the challenge is even greater.

In more technical terms, there are many different “Artifact Registries” that customers can use in their Kubernetes deployments to access/consume/deploy different solutions provided in a container form factor.

This creates multiple challenges for procurement, security, compliance, and finance teams, who have to manage all the relationships and contracts, certify container applications, and release them for consumption in production environments. The pain this challenge creates will only worsen over time if not addressed.

The Solution

With the latest addition to AWS Marketplace, which is called “Containers Anywhere” – AWS took a bold step to offer a solution for the above-mentioned challenges customers face.

With the help of AWS Marketplace Containers Anywhere, customers can browse, subscribe to, and deploy third-party Kubernetes applications through the marketplace. This eases security constraints, simplifies relationship management with different vendors, and lets you monitor utilization and billing. The containers offered in the marketplace are vetted by AWS to ensure safety and security.

How does our little Snorty piglet come into play here?

The new offer, called “Snort 3 Anywhere”, is delivered via a Helm chart on the AWS Marketplace and can be easily deployed and used both in AWS and in on-prem Kubernetes clusters.

The “Snort 3 Anywhere” offer includes a 1-year Business Subscription for the proprietary Snort rules, hence the price tag. (Snort 3 itself is open-source and free to use under GPLv2, so you essentially pay for the business rule subscription.)

Use Cases

Now a little bit about the specifics…

Use cases supported by this offer in AWS Container environments:

Snort has been enhanced with a new data acquisition module (DAQ) that handles the Geneve-encapsulated packets coming out of an AWS Gateway Load Balancer (GWLB).

This design lets you inspect packets in either inline or passive mode, transparently to your environment, leveraging the power of Snort to secure your resources in Amazon ECS, EKS or EKS Anywhere environments. In passive mode the Snort instance still forwards traffic, but it only generates “would have been blocked” events; forwarding is required because the inspected traffic has to be re-encapsulated with Geneve and sent back on the wire towards the GWLB.
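To make the GWLB use case concrete, here is an added example (not the Snort DAQ code, and not from Cisco or AWS) that decodes an RFC 8926 Geneve header, reaches the inner IPv4 packet, applies a constructed toy rule in place of a real Snort ruleset, and then shows the inline/passive difference: in passive mode every packet is re-encapsulated with its original header and options and returned, and a block verdict only produces a “would have been blocked” event. The sample packet, the Geneve option class and types labelled as GWLB-style, and the assumption that the inner payload is a bare IPv4 packet are all constructed for this example.

```python
# Added example (not Snort's DAQ code): parse GWLB-style Geneve encapsulation,
# inspect the inner IPv4 packet with a toy rule, and contrast inline with
# passive handling, where every packet must be returned to the load balancer.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800  # Geneve Protocol Type when the inner packet is IPv4

@dataclass
class GeneveOption:
    opt_class: int   # 16-bit option class
    opt_type: int    # 8-bit option type
    data: bytes      # multiple of 4 bytes, at most 124

@dataclass
class GenevePacket:
    oam: bool
    critical: bool
    protocol: int
    vni: int
    options: List[GeneveOption]
    payload: bytes   # the inner packet, untouched

def parse_geneve(buf: bytes) -> GenevePacket:
    """Decode an RFC 8926 Geneve header (version 0) and its TLV options."""
    if len(buf) < 8:
        raise ValueError("truncated Geneve base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported Geneve version {b0 >> 6}")
    end = 8 + (b0 & 0x3F) * 4          # Opt Len is counted in 4-byte words
    if len(buf) < end:
        raise ValueError("truncated Geneve options")
    options, off = [], 8
    while off < end:
        if end - off < 4:
            raise ValueError("malformed option header")
        opt_class, opt_type, len_byte = struct.unpack("!HBB", buf[off:off + 4])
        data_len = (len_byte & 0x1F) * 4  # low 5 bits, in 4-byte words
        off += 4
        if off + data_len > end:
            raise ValueError("option data overruns option area")
        options.append(GeneveOption(opt_class, opt_type, buf[off:off + data_len]))
        off += data_len
    return GenevePacket(bool(b1 & 0x80), bool(b1 & 0x40), proto,
                        vni_rsvd >> 8, options, buf[end:])

def build_geneve(pkt: GenevePacket) -> bytes:
    """Re-encode a GenevePacket; parse_geneve(build_geneve(p)) round-trips."""
    opts = b""
    for o in pkt.options:
        if len(o.data) % 4 or len(o.data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, max 124")
        opts += struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
    if len(opts) > 252:
        raise ValueError("options exceed 252 bytes")
    b1 = (0x80 if pkt.oam else 0) | (0x40 if pkt.critical else 0)
    return struct.pack("!BBHI", len(opts) // 4, b1, pkt.protocol, pkt.vni << 8) + opts + pkt.payload

BLOCKED_TCP_PORTS = {23}  # constructed toy rule standing in for a Snort ruleset

def inspect_ipv4(pkt: bytes) -> Tuple[str, str]:
    """Toy inspection of an inner IPv4 packet; returns (verdict, reason)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "pass", "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6 and len(pkt) >= ihl + 4:          # IP protocol 6 = TCP
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport in BLOCKED_TCP_PORTS:
            return "block", f"tcp dst port {dport} matches toy rule"
    return "pass", "no rule matched"

def process(outer: bytes, mode: str) -> Tuple[Optional[bytes], List[str]]:
    """Inline: a block verdict drops the packet. Passive: every packet is
    re-encapsulated and returned; a block verdict only raises an event."""
    g = parse_geneve(outer)
    verdict, reason = (inspect_ipv4(g.payload) if g.protocol == ETHERTYPE_IPV4
                       else ("pass", "non-IPv4 inner packet"))
    events: List[str] = []
    if verdict == "block":
        if mode == "inline":
            return None, [f"blocked: {reason}"]
        events.append(f"would have been blocked: {reason}")
    # Echo the original header and options unchanged so the load balancer can
    # correlate the returned packet with the flow it handed to us.
    return build_geneve(g), events

def make_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed 40-byte IPv4+TCP SYN with zero checksums (test input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp

# Assumption: GWLB-style option class/types (an ENI identifier and a flow
# cookie). The values are illustrative and not verified against AWS here.
SAMPLE_OPTIONS = [GeneveOption(0x0108, 1, bytes.fromhex("0000000000000001")),
                  GeneveOption(0x0108, 3, bytes.fromhex("deadbeef"))]

def sample_outer(dport: int) -> bytes:
    """Constructed Geneve packet wrapping a SYN to the given destination port."""
    inner = make_ipv4_tcp("10.0.1.10", "10.0.2.20", 40000, dport)
    return build_geneve(GenevePacket(False, False, ETHERTYPE_IPV4, 0x42, SAMPLE_OPTIONS, inner))

if __name__ == "__main__":
    for mode in ("inline", "passive"):
        for dport in (443, 23):
            out, ev = process(sample_outer(dport), mode)
            print(f"{mode:7} dport={dport:<3} {'forwarded' if out else 'dropped':9} {ev}")
```

Running it prints one line per mode and port: both modes forward the port 443 packet with no events, inline drops the port 23 packet, and passive forwards the port 23 packet byte-for-byte identical to what came in while raising the “would have been blocked” event. The strict length checks in parse_geneve matter for a DAQ sitting on the GWLB path, since malformed option lengths are exactly what an inspection engine must refuse to trust.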

The use cases supported by this offer in an On-prem Kubernetes environment:

  • Inline mode deployment
  • Passive mode deployment

In an on-prem environment, both inline and passive modes use the well-known afpacket DAQ module.

The DAQ configuration needs to be edited depending on whether you will use Snort in an AWS or an on-prem Kubernetes environment. You can find the daq parameter under the snort3 section of the “values.yaml” file, which is part of the Helm chart. Set it to “gwlb” for AWS or “afpacket” for on-prem. In this file you can also configure custom interfaces and switch Snort from inline to passive mode. The rest of the Snort parameters and other configuration can be accessed under this link.

As you can see, with the help of the Snort 3 Anywhere solution you can harness the power of Snort in both on-prem and AWS Kubernetes environments, and you can build and customize it to your needs.

If you need a more robust cloud native security solution that is orchestrated by Kubernetes and provides REST API support, please check out our Cisco Secure Firewall Cloud Native product.

Further resources


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
