We're changing the way we handle licencing. Previously, we supplied access to our software by means of a licence file which was installed alongside the software and had to be applied manually. We're changing to a new type of licence manager. This enhanced functionality will automate licence key provision and provide us with metrics about current usage and active users, which will in turn allow us to concentrate our efforts on making our products the best they can be. The new licence manager will also give greater insight into how customers are using the dashboard.
These instructions are written from a cloud perspective, primarily Amazon Web Services (AWS), however some of the principals translate to an on premise deployment, chiefly proxy. At a very basic level, we need traffic to be able to communicate on port 443 with our Application Programming Interface (API) which is located at https://customers-v1.panintelligence.cloud/dashboard_callback. If you do not already have outbound communication capability from your application server, we’ve listed below a few ways that you could achieve this, and also included some pros and cons for each method.
Egress only internet gateway
Egress gateways can only be used with local resources that have an Internet Protocol version 6 (IPv6) address. Since these are globally available, an egress only gateway prevents traffic from initiating an inbound connection. Traffic is controlled using Network Access Control Lists (NACLs). Security groups cannot reference egress gateways.
Pros
ensures your publicly available Internet Protocol version 6 (IPv6) devices are secure
Cons
Network Access Control Lists (NACLs) usually need to be set quite broad to be of any use. (leading to inability)
Network Access Control Lists (NACLs) are stateless, so leaves connections open.
Nat Gateway
A network address translation (NAT) gateway translates local network traffic and routes it via a single device on the edge of your local network thereby permitting devices to have a route to the Wide Area Network (WAN). Requests are stateful and inbound requests are filtered by the Network Address Translation (NAT) gateway, thus securing your private resources.
Pros
private resources can talk to the web without the web initiating the connection to the private resource
because outbound traffic is routed via this one device, it becomes easier to monitor traffic and spot nefarious requests.
Cons
they cost money, both in terms of device hours and for bytes over the device and leaving your Virtual Private Cloud (VPC)
they do not support Internet Protocol version 6 (IPv6) routing
they are incredibly complex to set up and maintain
they are not cost effective for single workloads
Attaching private subnet to IGW
Each Virtual Private Cloud (VPC) which contains a Panintelligence instance should also have a route to the internet to permit internet traffic to your instance. Normally, to prevent inbound connections, a private subnet does not feature in the same route table as the Internet Gateway (IGW). Network security on Amazon Web Services (AWS) is built up using a combination of 5 factors:
security groups
Network Access Control Lists (NACLs)
Route tables
Web Application Firewall (WAF)
Flow log monitoring
by placing the subnet in the same route table as the Internet Gateway (IGW), we're peeling back one of these layers.
Pros
Very simple to configure
Very cheap
Cons
over reliant on security groups and Network Access Control Lists (NACLs) to secure instances from mis-configuration or malicious access
Self managed proxy
Since Network Address Translation (NAT) gateway is a managed service, we're paying an overhead cost for maintenance of that service in the form of setup cost and bytes transferred over the device (costs available on Amazon Web Services (AWS) documentation). If we deployed our own Network Address Translation (NAT) device, we could return some of those costs, especially if we're deploying a low fault tolerant system.
Pros
could be cheaper than Network Address Translation (NAT)
more control of the traffic across the device
Cons
patching, maintenance, scaling, availability become your concern
need devices deploying in all availability zones, which will quickly negate cost savings
Next gen firewall
Pros
the ultimate in protection
intelligent intrusion detection
Cons
VERY expensive
difficult to configure
will require specialist skills
If you’re interested in the new Licence Manager, please reach out to your Customer Success Manager who will be able to provide you with more information. |