Onboard CDR for AWS

After deploying a threat scanner, download the scripts from Configure > Threat Scanners.

Deploy the scripts using AWS Cloud Shell and get started with CDR easily.

You can deploy Qualys CDR as a standalone Amazon EC2 virtual machine or in high-availability autoscaling mode.

• Qualys CDR stack consists of one EC2 instance and the required Security Group and IAM role in standalone mode.

• AWS VPC Traffic Mirroring supports a maximum of ten mirror sources per EC2 instance configured as a mirroring target. You can use the high-availability load-balanced autoscaling mode for mirroring from more than ten sources to Qualys CDR.  

1. Go to your AWS Console -> Navigate to CloudShell.

2. Download the qualys_aws_cdr_terraform.zip. Upload it to CloudShell.

3. Extract qualys_aws_cdr_terraform.zip.

4. Modify the terraform.tfvars file to manage deployment variables. Terraform variables are explained in detail in the README.md file.

You can obtain the CDR Key from your deployments on the Threat Scanner tab of TotalCloud. Learn more.

Qualys has shared the latest AMI for your deployment region with your registered AWS account. You 
can find the latest Qualys CDR AMI here as well. 

5. In the deployment wizard, specify the correct AMI ID for the region. Terraform is ready to deploy the CDR in your security account's VPC once terraform.tfvars files are set.

6. Run the following commands to deploy the module to each AWS subscription as needed.   

• terraform init   

• terraform apply -auto-approve 

7. After terraform apply runs successfully and the application registers with Qualys, a CloudFormation stack should be created in the AWS account. This stack should show the resources needed to set up a traffic mirror session.

For Qualys CDR to run in high-availability mode, you must have a VPC with at least two private subnets distributed across multiple AZs (Availability Zones).

Creating Security VPC for HA Deployment  

For Qualys HA high-availability deployment, Qualys virtual appliances should be deployed within VPCs with private subnets across several AZs (Availability Zones). If you do not already have a VPC, deploy the stack below to create a VPC with two Availability Zones and a pair of public and private subnets. This stack is an adaptation of this AWS CloudFormation template. The stack deploys an internet gateway with a default route on a public subnet. Qualys appliances are also registered with the Qualys cloud through NAT gateways (one in each AZ) and default routes in the private subnets.  

Stacks in the image create only VPCs, subnets, and associated networking. As described in Deploying Qualys CDR as a Standalone EC2, the actual Qualys virtual appliances are deployed to this VPC. Qualys CDR can be deployed in high availability autoscaling mode using the Terraform module provided for two availability zones (2AZ) and three availability zones (3AZ).  Deploy the Terraform modeuls for two/three availability zones using the same steps detailed above for Standalone EC2 deployment.

VPC Traffic Mirroring is supported on network interfaces attached to EC2 and EKS instances. You can find a full list of instance types that support VPC traffic mirroring and other considerations here. AWS offers a serverless application for automating traffic mirroring based on VPCs, subnets, or tags as input. 

From the zip file you downloaded when Deploying CDR in Standalone/High-availability mode, you can launch the application using the Terraform module for traffic mirroring, which Qualys provides as an easy-to-use CloudFormation Template.

CDR monitors your network via VPC Traffic Mirroring. The region supported for traffic mirroring as of currently are mentioned here. This information will be relevant when configuring CDR for your network.

By specifying the VPCs or subnets to monitor, the serverless application will set up traffic mirroring sessions on existing instances or future instances in the selected VPCs or subnets. Also, you can specify instance tags so that the serverless application mirrors traffic across instances with matching tags (existing or future).

Terraform's traffic mirroring module simplifies deployment using AWS's in-built features.  This solution uses Network Load Balancer (NLB), Auto-Scaling Group (ASG), and AWS Console. Alternatively, you can use third-party solutions.

For help with deployment, contact your Technical Account Manager.

The Qualys Terraform module for CDR deployment also includes a module to deploy traffic mirroring stacks in traffic source accounts. With the CDR deployment module:

• You can use the mirroring Terraform module. 

• You can also create your Terraform module or use CFT or AWS console to add traffic mirror sessions.

Before configuring a traffic mirror, you must create your security connector. Both configurations are done on the same file.

A security connector is a one-time configuration for CDR onboarding for your AWS account.

Let's see how to configure your connector and traffic mirroring.

1. Go to the AWS Console > Navigate to CloudShell

2. Go to the unified directory in the CDR deployment module you uploaded earlier to CloudShell.

3. Modify the terraform.tfvars file to manage deployment variables. Terraform variables are explained in detail in the README.md file

As this is your first time setting up CDR, you must create a security connector. The terraform.tfvars file variables are displayed as follows.

Provide the QualysAWSSaaSRegistrationKey. The registration key can be obtained from the Threat Scanner tab of TotalCloud. Refer to Deploy Threat Scanners.

Set EnableSecurityConnector to true. This is a one-time action. Once you have provided the registration key and enabled the connector, it automatically applies to future deployments.

You can set Remediate to Yes or No to discover remediation techniques for the discovered threat updates.

Once the security connector configuration is done, we return to the Traffic Mirror configuration.

The CDR deployment module, as described here, creates traffic mirror targets and filters.  You must use the module output to set the variables shown in the diagram above. 

4. Run the following commands to deploy the module to each AWS subscription as needed.

• terraform init   

• terraform apply-auto-approve 

5. After terraform apply runs successfully and creates the stack, it will add resources to listen to events for workload activation. It will also add functions to update the traffic mirror session. 

You can also follow these steps to configure traffic mirroring sessions with customized options like mirroring only internet traffic, setting filter rules, and cross-account traffic mirroring.

Mirroring Only Internet Traffic

If you wish to mirror only internet traffic or “North-South” traffic and not internal “East-West” traffic, you can either:

• update the Qualys CDR CloudFormation template with the below traffic mirror filter rules, or

• instantiate the template and update the VPC Traffic Mirroring Filter created via the AWS Console

The traffic mirror filter rules below should be updated to include or exclude your "internal" VPC CIDR blocks (e.g., 172.16.0.0/12, 192.168.0.0/16). NATed public load balancer traffic, DNS traffic (to an internal server), etc., can also be included with appropriate rules. For more information, contact your TAM.

QCDRTrafficMirrorFilterRuleIngressRejectLocal:
    Type: "AWS::EC2::TrafficMirrorFilterRule"
    Properties:
      Description: "Qualys Traffic Mirror Filter Rule"
      TrafficMirrorFilterId: !Ref QCDRTrafficMirrorFilter
      TrafficDirection: "ingress"
      RuleNumber: 10
      DestinationCidrBlock: "10.0.0.0/8"
      SourceCidrBlock: "10.0.0.0/8"
      RuleAction: "reject"
QCDRTrafficMirrorFilterRuleEgressRejectLocal:
    Type: "AWS::EC2::TrafficMirrorFilterRule"
    Properties:
      Description: “Qualys Traffic Mirror Filter Rule"
      TrafficMirrorFilterId: !Ref QCDRTrafficMirrorFilter
      TrafficDirection: "egress"
      RuleNumber: 10
      DestinationCidrBlock: "10.0.0.0/8"
      SourceCidrBlock: "10.0.0.0/8"
      RuleAction: "reject"
QCDRTrafficMirrorFilterRuleIngress:
    Type: "AWS::EC2::TrafficMirrorFilterRule"
    Properties:
      Description: "Qualys Traffic Mirror Filter Rule"
      TrafficMirrorFilterId: !Ref QCDRTrafficMirrorFilter
      TrafficDirection: "ingress"
      RuleNumber: 20
      DestinationCidrBlock: "0.0.0.0/0"
      SourceCidrBlock: "0.0.0.0/0"
      RuleAction: "accept"
QCDRTrafficMirrorFilterRuleEgress:
    Type: "AWS::EC2::TrafficMirrorFilterRule"
    Properties:
      Description: "Qualys Traffic Mirror Filter Rule"
      TrafficMirrorFilterId: !Ref QCDRTrafficMirrorFilter
      TrafficDirection: "egress"
      RuleNumber: 20
      DestinationCidrBlock: "0.0.0.0/0"
      SourceCidrBlock: "0.0.0.0/0"
      RuleAction: "accept"

Cross-Account Traffic Mirroring 

Cross-Account traffic mirroring lets you mirror traffic from VPC B in Account B to a (Qualys) traffic mirror target in VPC A in Account A (that was created using Deploying CDR steps detailed above):

1. Utilize AWS Resource Access Manager (RAM) to share the Qualys traffic mirror target.

2. Configure a VPC Peering or Transit Gateway to route traffic between VPCs B and A.

3. Ensure the AllowCIDR parameter in the Qualys CDR template includes the CIDR address block of VPC. 

   1. This is so that packets are delivered to the Qualys CDR instances without being blocked by the 
      respective security groups.