Licence Manager

Overview

We're changing the way we handle licencing. Previously, we supplied access to our software by means of a licence file which was installed alongside the software and had to be applied manually. We're changing to a new type of licence manager. This enhanced functionality will automate licence key provision and provide us with metrics about current usage and active users, which will in turn allow us to concentrate our efforts on making our products the best they can be. The new licence manager will also give greater insight into how customers are using the dashboard.

Allowing traffic to leave your private subnets

These instructions are written from a cloud perspective, primarily Amazon Web Services (AWS); however, some of the principles translate to an on-premises deployment, chiefly the proxy option. At a very basic level, your application server needs to be able to make outbound connections on port 443 (HTTPS) to our Application Programming Interface (API), which is located at https://customers-v1.panintelligence.cloud/dashboard_callback. If you do not already have outbound communication capability from your application server, we've listed below a few ways that you could achieve this, and also included some pros and cons for each method.

Egress only internet gateway

Egress-only internet gateways can only be used with local resources that have an Internet Protocol version 6 (IPv6) address. Because IPv6 addresses are globally routable, the egress-only gateway is what prevents the internet from initiating an inbound connection to those resources. Traffic is controlled using Network Access Control Lists (NACLs). Security groups cannot reference egress-only gateways.

Pros

  • keeps your publicly addressable Internet Protocol version 6 (IPv6) devices from accepting inbound connections

Cons

  • Network Access Control List (NACL) rules usually need to be set quite broad to be of any use. (leading to inability)

  • Network Access Control Lists (NACLs) are stateless, so they leave connections open: the return half of every outbound connection must be allowed inbound explicitly.
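To make the two cons above concrete, here is an added example (not code from the original page or from Panintelligence) that models stateless NACL evaluation in Python. The rule numbers, the client's ephemeral port and the 1024-65535 return range are assumptions chosen for illustration; it shows that mirroring the outbound port-443 rule inbound breaks the licence manager call, and that the rule which fixes it also admits unsolicited traffic.

```python
# Added example: a minimal model of stateless NACL evaluation, showing why
# the reply half of the licence manager's HTTPS call needs its own broad
# inbound rule. Rule numbers, ports and the ephemeral range are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # AWS evaluates rules in ascending order; first match wins
    action: str       # "allow" or "deny"
    port_from: int    # inclusive destination-port range the rule covers
    port_to: int


def nacl_permits(rules: list[NaclRule], dst_port: int) -> bool:
    """Stateless check of one packet's destination port against a rule list.

    Nothing is remembered between calls: the NACL cannot know that an
    inbound packet is the reply to a request the subnet sent a moment ago.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to:
            return rule.action == "allow"
    return False  # the implicit final '*' deny rule


# Outbound: only the HTTPS call to the licence manager API is allowed.
OUTBOUND = [NaclRule(100, "allow", 443, 443)]

# Inbound, attempt 1: mirror the outbound rule. Looks tight, but the API's
# reply is addressed to the client's ephemeral source port, not to 443.
INBOUND_MIRRORED = [NaclRule(100, "allow", 443, 443)]

# Inbound, attempt 2: a broad ephemeral range for return traffic (assumed
# here; the client's ephemeral range depends on its operating system).
INBOUND_EPHEMERAL = [NaclRule(100, "allow", 1024, 65535)]


def licence_call_succeeds(inbound: list[NaclRule], outbound: list[NaclRule],
                          client_port: int = 51234, api_port: int = 443) -> bool:
    """Both halves of the TCP exchange must pass: request out, reply back in."""
    request_ok = nacl_permits(outbound, api_port)    # subnet:51234 -> API:443
    reply_ok = nacl_permits(inbound, client_port)    # API:443 -> subnet:51234
    return request_ok and reply_ok


if __name__ == "__main__":
    print("mirrored rules work:", licence_call_succeeds(INBOUND_MIRRORED, OUTBOUND))
    print("ephemeral range works:", licence_call_succeeds(INBOUND_EPHEMERAL, OUTBOUND))
    # The price of the working configuration: an unsolicited packet to port
    # 8443 also clears the NACL, so the security group must do the filtering.
    print("unsolicited 8443 passes NACL:", nacl_permits(INBOUND_EPHEMERAL, 8443))
```

A lower-numbered deny rule still wins over the broad allow, which is the only tool the NACL itself offers for narrowing that range.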

NAT Gateway

A network address translation (NAT) gateway translates the addresses of local network traffic and routes it via a single device at the edge of your local network, thereby giving private devices a route to the Wide Area Network (WAN). Connections are stateful, and unsolicited inbound requests are filtered out by the NAT gateway, thus securing your private resources.

Pros

  • private resources can talk to the web without the web initiating the connection to the private resource

  • because all outbound traffic is routed via this one device, it becomes easier to monitor traffic and spot nefarious requests

Cons

  • they cost money, both in terms of device hours and for bytes over the device and leaving your Virtual Private Cloud (VPC)

  • they do not support Internet Protocol version 6 (IPv6) routing

  • they are incredibly complex to set up and maintain

  • they are not cost effective for single workloads

Attaching private subnet to IGW

Each Virtual Private Cloud (VPC) which contains a Panintelligence instance should also have a route to the internet to permit internet traffic to reach your instance. Normally, to prevent inbound connections, a private subnet does not share a route table with the Internet Gateway (IGW). Network security on Amazon Web Services (AWS) is built up using a combination of 5 factors:

  • security groups

  • Network Access Control Lists (NACLs)

  • Route tables

  • Web Application Firewall (WAF)

  • Flow log monitoring

By placing the private subnet in the same route table as the Internet Gateway (IGW), we're peeling back one of these layers.

Pros

  • Very simple to configure

  • Very cheap

Cons

  • over-reliant on security groups and Network Access Control Lists (NACLs) to protect instances from misconfiguration or malicious access

Self managed proxy

Since the Network Address Translation (NAT) gateway is a managed service, we're paying an overhead for the maintenance of that service in the form of setup cost and bytes transferred over the device (costs are available in the Amazon Web Services (AWS) documentation). If we deployed our own Network Address Translation (NAT) device, we could recover some of those costs, especially if we're deploying a system with low fault-tolerance requirements.

Pros

  • could be cheaper than the managed Network Address Translation (NAT) gateway

  • more control of the traffic across the device

Cons

  • patching, maintenance, scaling, availability become your concern

  • devices need deploying in every availability zone, which will quickly negate the cost savings

Next-gen firewall

Pros

  • the ultimate in protection

  • intelligent intrusion detection

Cons

  • VERY expensive

  • difficult to configure

  • will require specialist skills

If you’re interested in the new Licence Manager, please reach out to your Customer Success Manager who will be able to provide you with more information.