A
on AWS and what I hope isn't a plan to screw partners:
On the 7th of February AWS edited their documentation to include a limit on Traffic Mirror Sessions that wasn't, until then, ever mentioned.

EC2 instances that are not dedicated have a limit of 10 sessions per target. Dedicated hardware has 100.
This is a problem because AWS is effectively imposing a limit that shouldn't exist on the hardware level. At least, not like this.
The capacity of a target was, and should be, limited to its bandwidth. It'd be up to the software and resources (CPU/RAM) of the target instance to make sure that bandwidth was being used correctly (traffic not being dropped and software not losing visibility over traffic).
With the inclusion of these new limits we'll have targets that might have 10 network interfaces with only 1% of bandwidth usage on each, as instances are not constantly generating traffic.
Why have the 10 interfaces to begin with, then? We're missing out on the opportunities offered by a virtual environment by imposing limits that are only true in the physical world (my appliances have 10 NICs, and that's it).
This is hard to maintain, increases the cost of something that wasn't cheap to begin with, and makes for something that was relatively easy to scale a big problem.
Only reasoning I see here: more charges for anyone doing NSM or NIDS in AWS.
We're currently considering adding additional functionalities to 3CS AutoMirror (https://github.com/3CORESec/AWS-AutoMirror) to minimize this problem, but it's impossible to fix without the help from AWS.
We're waiting on feedback from AWS to know what the hard limit is, as 10 is a soft limit. That being said, I wouldn't be surprised if they tried everything in order to push people over to an NLB, which, again, is overkill and doesn't make sense for all deployments.
There's a big gap between whatever the hard limit is (let's say 20) and 100, and an expensive NLB or 8 interface cards (if that even fixes the problem) is NOT the right way to do it.
As this is not something that cannot be discussed with APN, I'd love to talk more about this, and why this will hurt customers and service providers.
Ping: @AWSSupport @AWSSecurityInfo Anything I can do? Somewhere/someone I can reach out to?
Thank you!
To further add to this nonsense:
A c5n.9xlarge, a machine with 36 vCPUs and 96GB! of RAM can have up to 8 network interfaces, which adds to 80 allowed mirrored sessions between them.
8 NICs on a machine that costs 900USD/month.
We're not paying 900USD because we need the machine. We're paying because of a limit that I'd love to know what reason, other than financial, justifies it.
Does anyone else see the push to NLB becoming clearer?

NSM in AWS was, IMHO, one of the most rewarding security practices you could have in a non-native cloud environment. These changes greatly reduce its effectiveness.
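As an added example that is not from the thread or from the 3CS AutoMirror project: a small Python audit that takes records in the shape of the EC2 DescribeTrafficMirrorSessions response (sample data constructed inline, with made-up target and session IDs), counts sessions per target against the 10-per-target limit the thread describes, and estimates how many extra target ENIs a new batch of mirror sources would need. The `limit` values and the boto3 call mentioned in the comment are assumptions for a real deployment.

```python
from collections import Counter
from math import ceil

# Per-target session limits as described in the thread: 10 on shared-tenancy
# EC2 targets, 100 on dedicated hardware (treated here as configurable inputs).
SESSION_LIMIT_SHARED = 10
SESSION_LIMIT_DEDICATED = 100

# Constructed sample in the shape of DescribeTrafficMirrorSessions output (only
# the fields used here). In a real account this list would come from
# boto3.client("ec2").describe_traffic_mirror_sessions()["TrafficMirrorSessions"].
SAMPLE_SESSIONS = [
    {"TrafficMirrorSessionId": f"tms-{i:04d}", "TrafficMirrorTargetId": "tmt-aaaa",
     "NetworkInterfaceId": f"eni-src{i:04d}", "SessionNumber": 1}
    for i in range(10)  # target A: already at the 10-session soft limit
] + [
    {"TrafficMirrorSessionId": f"tms-{i:04d}", "TrafficMirrorTargetId": "tmt-bbbb",
     "NetworkInterfaceId": f"eni-src{i:04d}", "SessionNumber": 1}
    for i in range(10, 12)  # target B: two sessions, eight slots free
]


def sessions_per_target(sessions):
    """Count mirror sessions attached to each mirror target."""
    return Counter(s["TrafficMirrorTargetId"] for s in sessions)


def audit_targets(sessions, limit=SESSION_LIMIT_SHARED):
    """Per target: session count, free slots, and whether it is saturated."""
    report = {}
    for target, count in sessions_per_target(sessions).items():
        report[target] = {"sessions": count,
                          "headroom": max(limit - count, 0),
                          "saturated": count >= limit}
    return report


def extra_targets_needed(sessions, new_sources, limit=SESSION_LIMIT_SHARED):
    """Additional target ENIs required to mirror `new_sources` more sources
    after the free slots on existing targets are used up."""
    free = sum(r["headroom"] for r in audit_targets(sessions, limit).values())
    remaining = max(new_sources - free, 0)
    return ceil(remaining / limit)


if __name__ == "__main__":
    for target, r in audit_targets(SAMPLE_SESSIONS).items():
        print(f"{target}: {r['sessions']} sessions, headroom {r['headroom']}, "
              f"{'SATURATED' if r['saturated'] else 'ok'}")
    print("extra targets for 25 new sources:", extra_targets_needed(SAMPLE_SESSIONS, 25))
```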
