Architecting for IDS/IPS


Course Introduction
Course Conclusion
1m 17s
Start course

In this course, we will discuss the fundamentals of intrusion detection and prevention on Amazon Web Services. We will explore the difference between IDS and IPS, and the difference between host-based intrusion prevention, and network-based Intrusion prevention. We’ll also discuss the various AWS architectures, how do you place an IPS, how do you write rules, how do you respond to the incidents that have been detected, and finally the partner solutions available for intrusion prevention with Amazon web services.

Intended audience

  • This course is for developers or operations engineers looking to deploy security solutions applications in production AWS platform
  • People studying for the AWS Security Specialty Certification exam


  • Implementation experience with enterprise security packages
  • Familiarity with industry compliance and security standards including PCI DSS, ISO 27001, HIPAA, and NIST
  • Experience of architectures meeting industry standards such as SAS70, SOC1, FISMA, etc.
  • Fundamental understanding of TCP/IP protocols and packet analysis

Learning objectives

  • Recognize and explain the basics of Intrusion detection/prevention
  • Recognize and explain best practices in designing intrusion detection/prevention architecture
  • Recognize and explain the different types of rules that can be written
  • Recognize and explain core concepts of Incident response
  • Recognize and be able to implement how to go about writing rules
  • Gain an introduction to the various partner solutions available for IDS/IPS on AWS

This Course Includes

35 minutes of high-definition video.

What You'll Learn

  • Course Intro: What to expect from this course:
  • Fundamentals of Intrusion Detection and Preventions: In this lesson, we’ll define intrusion detection, and discuss AWS responsibility for security in the cloud, firewalls, and alerts.
  • IDS/IPS in Detail: In this lesson, we’ll dig deeper into the system architecture associated with IDS/IPS.
  • Rule Writing: In this lesson, we’ll go through rule options.
  • Responding to Incidents: In this lesson, we’ll look at how incidents are detected and the process for responding to them.
  • Architecting IDS/IPS for AWS: In this lesson, we’ll look at the various flavors of AWS architectures available and how we will architect the location and the placement of IDS and IPS devices in these architectures.
  • Administering and Managing the IDS/IPS: In this lesson, we’ll spend some time talking about some best practices in administering and managing your IDS and IPS.
  • Partner Solutions: In this lesson, we’ll look at the partners who offer IPS.
  • Conclusion: A summary and review of what you have learned.

Alright, now let's look at the various flavors of AWS architectures available and how we will architect the location and the placement of IDS and IPS devices in these architectures. Alright this is the first kind of architecture, the simplest one that we're going to look at. This is the VPC with a single public facing subnet. I'm going to assume that all of you know what a VPC is because that is outside the scope of this course.

So here we see traffic coming in to the internet gateway going to the router. Into the gateway, router, and if you see, it goes all the way and then it goes to the EC2 Instance here. It is important to place the IPS or the IDS here. I use the word IDS and IPS interchangeably because like I mentioned, in today's world, the blocking feature can be switched off, it can be used as an IDS and so it can be placed in line or it can be used as an IPS to block the traffic, so here you go, placed right there blocking the traffic and able to see the traffic that is coming from the internet or going out to the internet. Let's now look at the second type of VPC.

So here you have a VPC architecture with a public and a private subnet. I'm going to teach you how to break down these architectures and then you will be able to very logically figure out where to place the IPS, it's not all that complicated. So here you have the traffic coming in into that gateway, going to the router and as we discussed in our previous example with the public subnet, the IPS gets placed before it gets into the public subnet. Here you have a NAT gateway, so I'm placing the IPS on the other side of the NAT gateway. Why is this? Because sometimes you need to know which computer is infected.

So if you place the IPS on the other side of the NAT gateway, what will happen is you will notice traffic coming out of your subnet, but since it's been natted already, it's going to take you a little bit of work to figure out which computer is actually infected. But if you put it on the inside then you will know the IP address of the computer that's been infected even before it hits the NAT gateway. So that's one of the advantages of keeping it inside. Also keeping the IPS on the inside protects is a little bit more because natting prevents a certain amount of attacks from getting through. Now on the other side, we have a private subnet and these are the database servers.

So once again as you see, you keep it on the other side of the router so that you are able to detect the traffic going out and traffic coming in. We're right at the neck of the network. So one more flavor here on VPC architecture, single subnet connected to a VPN. So that means the traffic starts here, comes down here, gets encrypted, comes here, gets unencrypted, goes down to the router, goes up, and goes down here. This has no connection to the internet, but it is connected to the outside world through here. So once again like I always say, put it at the neck here so that you have a router to traffic coming in after the VPN. If you put it here, there's a problem because it's completely encrypted traffic, the IPS will not be able to see it. If you put it here, then right after it comes from the router, you'll be able to see it. Now just in case you were to put a NAT for whatever reason, you'll always make sure that the IPS is after the NAT.

In this particular case you don't need a NAT because it's not going out to the outside world. But if you remember one of the earlier architectures, natting removes the IP addresses and substitutes it with public IP addresses so you will not know which computer is infected, so it's very important to put the IPS behind the NAT, in this case, just put it in the neck. Alright now let's look at one more flavor of VPC architecture, the most complicated. So here you have a VPC with a private, public, and VPN axis, once again, remember what I said, break it down. So let's take with the public, go back and remember what I said about the public gateway.

So the IPS is at the entry point right after the router coming in. So all the traffic going in and out of the web service will be analyzed by the IPS. Now this can be a little bit more complicated by putting in a NAT, there's always a NAT that will be between the router and the So make sure that the IPS is on the other side, the interior side of the NAT so that you know which computer is actually infected.

Now let's talk about the private network here. Very similar to what I said earlier. Traffic coming in, but also notice that this VPN is a VPN-only subnet so unlike the previous example, it's going out, but it's going out through here. So we need to put the traffic of the IPS right here so that you look at the traffic that is coming in through the VPN as well as traffic that's going out. So again, always aim for the neck. You could put in an additional IPS here so that there's a difference in depth, so in case this IPS fails or this IPS fails, you have this. But if this IP has failed, this IPS will not help too much because the traffic for this IPS is coming from the internet gateway all the way in here and then going in here. So if you put an IPS here, then we will be able to look at the traffic that's coming in exclusively from the customer gateway.

It's important not to put the IPS here because then everything will be encrypted, you won't be able to see anything, it's important to put it here so that you will be able to see the traffic after it is unencrypted. So this is what I'm saying, you need to break down the architecture and always put it at the neck, aim for the neck is what I'd say when it comes to IPS placement of IPS's.

About the Author

Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning Automation, Security Operation Analytics and Reporting, Threat Management Life cycle, Agile/DevOps environments, SaaS/Cloud security, Business Development/Consulting, Program Management and more. Most recently Vish was the CISO at Rubicon Project, which is a SaaS based ad marketplace. Here he was responsible for securing a high performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security in DevOps, by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at or get in touch by writing to His LinkedIn page can be found at: