Delivering Cloud-Native network analysis using Barac and AWS


What is AWS VPC traffic monitoring?

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for:

  • Content inspection
  • Threat monitoring
  • Troubleshooting

The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind a Network Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice.

Traffic mirroring: Concepts and Benefits

Concepts:

VPC Traffic Mirroring solution has three components:

  • Targets: The destination of the mirrored traffic (an elastic network interface or a Network Load Balancer).
  • Filters: Sets of rules that define which traffic is copied in a traffic mirror session.
  • Sessions: An entity that describes traffic mirroring from a source to a target using a filter.

Benefits:

Traffic Mirroring offers the following benefits:

  • Simplified operation — Mirror any range of your VPC traffic without having to manage packet forwarding agents on your EC2 instances.
  • Enhanced security — Capture packets at the elastic network interface, which cannot be disabled or tampered with from user space on the instance.
  • Increased monitoring options — Send your mirrored traffic to any security device.

Architecture

  • The aim of this solution is to monitor network traffic in a VPC (Virtual Private Cloud).
  • The idea is to monitor an EC2 instance's network traffic by copying all inbound/outbound traffic from the source interface to the destination interface of the monitoring instance (which, in this case, is the ETV platform).

Preparing the environment

  • The first step is to create the instances in our VPC.
  • To create an EC2 instance, follow these steps:
    • Go to “EC2” in AWS services
[Screenshot: EC2 in the AWS services list]
  • In the EC2 section, click “Launch Instance”
[Screenshot: the “Launch Instance” button]
  • Choose this AMI (Amazon Machine Image)
[Screenshot: AMI selection]
  • Choose an instance type
  • IMPORTANT: When choosing the instance type, make sure you choose an instance powered by the AWS Nitro system (A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d)
    • PS: Any other type not in this list will not support AWS VPC Traffic Mirroring
  • At the instance review screen, make sure everything is correct before clicking “Launch”
  • Choose “create a new key pair”, then download the private key file; you will need it to SSH into the instance
[Screenshot: key pair creation dialog]
  • Create a second EC2 instance named “monitoring” using the previous steps.
    • You should end up with two instances running in your VPC
[Screenshot: the two running instances]

Getting started with VPC traffic mirroring

  • Let’s review the key elements of VPC Traffic Mirroring and then set it up:
    • Mirror Source – An AWS network resource that exists within a VPC and that can be used as the source of traffic. VPC Traffic Mirroring supports the use of Elastic Network Interfaces (ENIs) as mirror sources.
    • Mirror Target – An ENI or Network Load Balancer that serves as a destination for the mirrored traffic. The target can be in the same AWS account as the Mirror Source, or in a different account for implementation of the central-VPC model that was mentioned above.
    • Mirror Filter – A specification of the inbound or outbound (with respect to the source) traffic that is to be captured (accepted) or skipped (rejected). The filter can specify a protocol, ranges for the source and destination ports, and CIDR blocks for the source and destination. Rules are numbered and processed in order within the scope of a particular Mirror Session.
    • Traffic Mirror Session – A connection between a mirror source and target that makes use of a filter. Sessions are numbered, evaluated in order, and the first match (accept or reject) is used to determine the fate of the packet. A given packet is sent to at most one target.
  • In the case below there are already two ENIs that will be used as the mirror source and destination (in a real-world use case one would probably use an NLB as the destination)
[Screenshot: the source and destination ENIs]
  • The MirrorTestENI_Source and MirrorTestENI_Destination ENIs are already attached to suitable EC2 instances.

Configuration

Create Target

  • Open the VPC Console and scroll down to the Traffic Mirroring items, then click Mirror Targets
[Screenshot: Traffic Mirroring section of the VPC console]
  • Click “Create traffic mirror target”
[Screenshot: “Create traffic mirror target” button]
  • Set the target to the destination ENI as shown below. Enter a name and description. Choose the target type: Network Interface. Then click “create”
[Screenshot: mirror target settings]
  • The target should now be created and ready for use:

Create Filter

  • Now click Mirror Filters and Create traffic mirror filter. Follow these steps to create a simple filter that captures outbound/inbound traffic on three ports (22, 80, and 443)
[Screenshot: “Create traffic mirror filter”]
  • Set the inbound/outbound port range to ports 22, 80 and 443
  • Name the filter and click “create”
[Screenshot: filter rules for ports 22, 80 and 443]
  • The filter should now be up and running
[Screenshot: the created filter]

Create Session

  • Click Mirror Sessions and Create traffic mirror session. Follow these steps to create a session that uses MirrorTestENI_Source, barac_mirror_target, and barac_filter, lets AWS choose the VXLAN network identifier, and indicates that the entire packet is to be mirrored
[Screenshot: “Create traffic mirror session”]
  • Set the Mirror source as shown below
  • Set the Filter to the one we created earlier
  • Make sure the Session is named appropriately and click “create”
[Screenshot: mirror session settings]
  • The AWS VPC traffic mirroring should now be ready to use
[Screenshot: the active mirror session]
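The ordering rules described under “Getting started” (filter rules numbered and processed in order; sessions numbered and evaluated in order; the first accept or reject match decides; a packet reaches at most one target) are easy to get wrong when several sessions share a source ENI. The model below is an added example, not code from this article or from AWS; it reproduces those rules and builds the 22/80/443 filter from the “Create Filter” section. Rule numbers, the choice to match each port both as destination port (connection setup) and as source port (replies), and the sample packets are this example's own assumptions.

```python
"""
Model of Traffic Mirroring filter and session evaluation.

Added example (not the article's or AWS's code). It mirrors the semantics the
article states: rules are tried by number, sessions are tried by number, the
first accept/reject match settles the packet, and traffic matching no rule in
any session is not mirrored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive (low, high); None means any port


@dataclass(frozen=True)
class FilterRule:
    number: int                 # lower numbers are evaluated first
    direction: str              # "inbound" or "outbound", relative to the mirror source
    action: str                 # "accept" (mirror) or "reject" (do not mirror)
    protocol: Optional[int]     # IANA protocol number (6 = TCP, 17 = UDP); None means any
    src_ports: PortRange = None
    dst_ports: PortRange = None
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Session:
    number: int                 # lower session numbers are evaluated first
    target: str                 # name of the mirror target (hypothetical names below)
    rules: Tuple[FilterRule, ...]


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    return (
        rule.direction == pkt.direction
        and (rule.protocol is None or rule.protocol == pkt.protocol)
        and _in_range(pkt.src_port, rule.src_ports)
        and _in_range(pkt.dst_port, rule.dst_ports)
        and ip_address(pkt.src_ip) in ip_network(rule.src_cidr)
        and ip_address(pkt.dst_ip) in ip_network(rule.dst_cidr)
    )


def evaluate_filter(rules: Iterable[FilterRule], pkt: Packet) -> Optional[str]:
    """First matching rule by number decides: 'accept', 'reject', or None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return None


def choose_target(sessions: Iterable[Session], pkt: Packet) -> Optional[str]:
    """Try sessions by number; the first accept/reject match settles the packet.

    Returns the target that receives the mirrored copy, or None if it is not mirrored.
    """
    for session in sorted(sessions, key=lambda s: s.number):
        verdict = evaluate_filter(session.rules, pkt)
        if verdict == "accept":
            return session.target
        if verdict == "reject":
            return None
    return None   # matched no rule in any session: not mirrored


def build_port_filter(ports, protocol=6, start=100, step=10) -> Tuple[FilterRule, ...]:
    """Accept both directions on the given ports, matched as destination port and as source port.

    This is the article's 22/80/443 filter generalised to any port list; matching the
    source port as well (so replies are mirrored) is this example's assumption.
    """
    rules = []
    number = start
    for direction in ("inbound", "outbound"):
        for port in ports:
            rules.append(FilterRule(number, direction, "accept", protocol, dst_ports=(port, port)))
            number += step
            rules.append(FilterRule(number, direction, "accept", protocol, src_ports=(port, port)))
            number += step
    return tuple(rules)


BARAC_FILTER = build_port_filter([22, 80, 443])


if __name__ == "__main__":
    sessions = [Session(1, "barac_mirror_target", BARAC_FILTER)]
    https = Packet("inbound", 6, "203.0.113.5", "10.0.1.10", 51000, 443)   # constructed sample
    dns = Packet("outbound", 17, "10.0.1.10", "10.0.0.2", 40000, 53)       # constructed sample
    print(choose_target(sessions, https))   # barac_mirror_target
    print(choose_target(sessions, dns))     # None: no rule matches, so it is not mirrored
```

The point worth keeping in mind from this model is the asymmetry between “reject” and “no match”: a reject rule that matches stops evaluation for every later session, while a packet that matches nothing simply falls through to the next session. When a second session is added to the same source, its filter is only consulted for packets the first session's filter did not decide.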

Tests and Validation

  • Traffic from the mirror source that matches the barac_filter is encapsulated in VXLAN as specified in RFC 7348 and delivered to the mirror target. One can then use BaracCollector to collect the traffic and send it to the Barac ETV platform
[Screenshot: mirrored traffic arriving at the target]
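Whatever collector runs on the target has to undo the RFC 7348 encapsulation before it can see the mirrored packet, and it should check the VXLAN network identifier (VNI) so that frames from a different session are not mixed into the same capture. The code below is an added example, not part of this article and not BaracCollector's code: it strips the 8-byte VXLAN header, verifies the VNI against the session's, and decodes the inner Ethernet/IPv4/TCP headers. The sample packet is constructed in the block, and its checksums are left as zero because the example does not validate them.

```python
"""
Decapsulating mirrored frames at the target (VXLAN, RFC 7348).

Added example, not article or BaracCollector code. The UDP payload received on
port 4789 is: 8-byte VXLAN header, then the copied Ethernet frame.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

VXLAN_UDP_PORT = 4789        # UDP port the mirror target listens on
VXLAN_HEADER_LEN = 8
VXLAN_FLAG_I = 0x08          # "I" flag in the first byte: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800


@dataclass
class InnerFrame:
    vni: int
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def vxlan_vni(payload: bytes) -> int:
    """Return the 24-bit VNI (bytes 4..6 of the header); raise if the header is invalid."""
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    return int.from_bytes(payload[4:7], "big")


def is_for_session(payload: bytes, session_vni: int) -> bool:
    """True when the frame carries the VNI of the mirror session we collect for."""
    try:
        return vxlan_vni(payload) == session_vni
    except ValueError:
        return False


def decapsulate(payload: bytes, session_vni: int) -> InnerFrame:
    """Strip VXLAN and decode the inner frame; frames from other sessions are rejected."""
    vni = vxlan_vni(payload)
    if vni != session_vni:
        raise ValueError(f"VNI {vni} does not belong to session VNI {session_vni}")
    eth = payload[VXLAN_HEADER_LEN:]
    if len(eth) < 14:
        raise ValueError("inner Ethernet header truncated")
    frame = InnerFrame(
        vni=vni,
        dst_mac=eth[0:6].hex(":"),
        src_mac=eth[6:12].hex(":"),
        ethertype=struct.unpack("!H", eth[12:14])[0],
    )
    if frame.ethertype != ETHERTYPE_IPV4:
        return frame                            # not IPv4: leave the L3/L4 fields empty
    ip = eth[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner IPv4 header truncated or not IPv4")
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
    frame.protocol = ip[9]
    frame.src_ip = str(IPv4Address(ip[12:16]))
    frame.dst_ip = str(IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    if frame.protocol in (6, 17) and len(l4) >= 4:   # TCP/UDP: ports are the first 4 bytes
        frame.src_port, frame.dst_port = struct.unpack("!HH", l4[:4])
    return frame


def build_sample_packet(vni: int) -> bytes:
    """Construct a VXLAN-wrapped TCP SYN to port 443 (sample input made for this example)."""
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("021122334455") + bytes.fromhex("02aabbccddee") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: src 51000, dst 443, seq 1, ack 0, data offset 5 words, SYN, window, checksum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL 0x45, TOS 0, total length, id, DF flag, TTL 64, proto 6, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("10.0.1.10").packed, IPv4Address("10.0.2.20").packed)
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    sample = build_sample_packet(vni=4242)
    print(decapsulate(sample, session_vni=4242))
```

If the session was created with a VXLAN network identifier chosen by AWS, as in the steps above, read the assigned value from the session in the VPC console and pass it as `session_vni`; dropping frames whose VNI differs is what keeps a target that is shared by several sessions from mixing their captures.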

Conclusion

After following the previous steps, the Barac-AWS integration will be able to collect mirrored traffic and forward it to the Barac-ETV Platform. Please note that these steps are current as of December 2019 and are subject to change in accordance with any updates to either party.