This guide details the steps involved in deploying the Cequence Sensor virtual appliance on the Amazon Web Services (AWS) platform. The Sensor operates as a passive component within the broader Cequence Unified API Protection (UAP) platform, safeguarding your APIs from various threats.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific deployment instructions.
- Enable Traffic Filters on the Cequence UAP platform: Make sure all traffic filters are enabled by following the guide Enable Traffic Filters.
- AWS Permissions: You must possess the necessary permissions to launch EC2 instances from the AWS Marketplace.
- AWS Marketplace Visibility: Ensure Cequence AMIs are visible within your AWS account. Create a ticket with Cequence if they are not, referencing your AWS Account ID. Create a New Ticket: Enable AWS Marketplace AMI
- Recommended Instance Types: Choose an instance type with sufficient resources, such as t2.medium or better.
- Recommended Storage Types: Utilize gp2 or gp3 storage types for optimal performance.
- Cequence Product Visibility: Submit a request to Cequence to enable visibility of their products within the AWS Marketplace for your account.
Deployment Procedure
Launch Sensor EC2 Instance:
- Access the Amazon EC2 console: https://console.aws.amazon.com/ec2/.
- Click "Launch Instance" on the dashboard.
- Under "Choose an Amazon Machine Image (AMI)," select the "AWS Marketplace" category.
- Search for "Cequence Sensor." If not found, refer to the prerequisites for enabling limited visibility.
- Click "Select" on the desired AMI.
- Review the AMI details and click "Continue."
Configure instance details:
- Enter a descriptive name under "Name and tags."
- Choose the appropriate VPC, subnet, and Availability Zone under "Networking."
- Select an existing security group or create a new one using Cequence defaults under "Security Groups."
- Review all configuration settings and click "Launch Instance."
Sensor Setup
Client ID and Secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management.
The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
The new client dialog box appears.
- Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up, and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use. For security reasons, this value will not be shown again in the UI.
SSH to the virtual machine
SSH to the virtual machine using the username ubuntu and the SSH private key selected during launch.
Sensor Config Setup
- Collect and note down the following and set them as environment variables for future reference:
- cqai.yourdomain.com: your subdomain used in the DNS for the Cequence UAP platform
- client-id: "Client Name" created in the previous step
- client-secret: "Client Secret" created in the previous step
- interface-id: The network interface on the sensor box that receives traffic passively (e.g. eth0)
UAP_SUBDOMAIN=<cqai.yourdomain.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
INTERFACE_ID=<network-interface>
- Test connectivity with the Cequence UAP platform: a successful curl returns an HTTP 200 OK response.
curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
Note that -k skips TLS certificate verification for this check only; once the platform certificate is trusted by the sensor host, the same request should also succeed without -k.
- Run the setup command with the same parameters:
/opt/cequence/bin/setup.sh \
  ${UAP_SUBDOMAIN} \
  ${CLIENT_ID} \
  ${CLIENT_SECRET} \
  ${INTERFACE_ID}
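A pre-flight wrapper for the steps above, added here as an example and not code from the Cequence guide: it rejects variables that are empty or still contain an unreplaced <placeholder>, checks the token endpoint by HTTP status code instead of reading verbose curl output, and only then calls setup.sh. It assumes the same auth endpoint and setup.sh path as the steps above and leaves TLS verification on.

```shell
#!/bin/sh
# Added pre-flight helper (not part of the Cequence guide): validates the four
# variables the setup step expects, then verifies the OAuth client-credentials
# request before /opt/cequence/bin/setup.sh is run.

# Reject an empty value or a value left as a "<placeholder>" from the guide.
check_var() {
  name="$1"
  eval "value=\"\${$name}\""
  case "$value" in
    "") echo "ERROR: $name is not set" >&2; return 1 ;;
    *"<"*|*">"*) echo "ERROR: $name still contains a <placeholder>" >&2; return 1 ;;
  esac
  return 0
}

# Check every variable the guide asks for; non-zero if any one is unusable.
validate_sensor_env() {
  ok=0
  for v in UAP_SUBDOMAIN CLIENT_ID CLIENT_SECRET INTERFACE_ID; do
    check_var "$v" || ok=1
  done
  return $ok
}

# Same token request as the guide's curl, but it prints only the HTTP status
# code and keeps certificate verification enabled (no -k).
uap_token_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "grant_type=client_credentials"
}

# 200 means the client ID/secret were accepted; anything else blocks setup.
token_status_ok() {
  case "$1" in
    200) return 0 ;;
    401) echo "ERROR: UAP rejected the client credentials (401)" >&2; return 1 ;;
    *)   echo "ERROR: unexpected HTTP status '$1' from the auth endpoint" >&2; return 1 ;;
  esac
}

# Run the whole sequence: validate, authenticate, then configure the sensor.
preflight_and_setup() {
  validate_sensor_env || return 1
  token_status_ok "$(uap_token_status)" || return 1
  /opt/cequence/bin/setup.sh "$UAP_SUBDOMAIN" "$CLIENT_ID" "$CLIENT_SECRET" "$INTERFACE_ID"
}
```

Source this file on the sensor host after setting the four variables and call preflight_and_setup; a non-zero exit with a message on stderr tells you which input to fix before setup.sh is ever invoked.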
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.