Open mlissner opened 3 years ago
Note that AWS has a few solutions:
This looks complicated and expensive:
https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html
This we should probably set up because it's not that hard and it's probably useful and cheap:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
I'm sort of thinking that mirroring will be more expensive and complicated than we need, but the flow logs are probably a good idea.
After we have OSSEC (#1574) and canaries in place, we should implement a netflow system to capture and log our network traffic, as recommended here:
https://twitter.com/thegrugq/status/1364582988734849026
One recommendation is softflowd: https://github.com/irino/softflowd.
I also wonder if there's something we could run directly on our router. This might, officially, be overkill, but it's the kind of thing we'll want if we ever have an incident.
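The flow logs mentioned above only pay off if someone actually reads them. As an added example (not from this issue or the project), here is a small parser for AWS VPC flow log records in the default format that flags sources whose rejected flows fan out across many destination ports, the kind of signal worth a detection rule. The log lines and account/interface ids are constructed, not real.

```python
"""Summarise AWS VPC flow log records (default format) to surface noisy sources.

Added example, not from the issue. The sample records below are constructed.
Field order follows the default VPC flow log format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: one external host probing three ports (all REJECTed),
# one normal HTTPS flow, and one NODATA record (no traffic in the window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 23 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 3389 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40000 443 6 12 6840 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1620000000 1620000060 - NODATA
"""


def parse_record(line):
    """Parse one space-separated record; return None for malformed or non-OK rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA rows carry '-' in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_ports_by_source(log_text, min_ports=3):
    """Return {srcaddr: sorted distinct dstports} for sources whose REJECTed
    flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in rejected_ports_by_source(SAMPLE_LOG).items():
        print(f"{src} had rejected flows to {len(ports)} ports: {ports}")
```

Point it at records pulled from the S3 or CloudWatch destination the flow log writes to; the threshold is a starting point to tune against your own baseline, not a universal number.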