Delivering Cloud-Native network analysis using Barac and AWS
What is AWS VPC traffic monitoring?
Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for:
- Content inspection
- Threat monitoring
The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind a Network Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice.
Traffic mirroring: Concepts and Benefits
VPC Traffic Mirroring solution has three components:
- Targets: the destination of the mirrored traffic (an elastic network interface or a Network Load Balancer).
- Filters: sets of rules that define which traffic is copied in a traffic mirror session.
- Sessions: an entity that describes the mirroring of traffic from a source to a target using a filter.
Traffic Mirroring offers the following benefits:
- Simplified operation — Mirror any range of your VPC traffic without having to manage packet forwarding agents on your EC2 instances.
- Enhanced security — Capture packets at the elastic network interface, which cannot be disabled or tampered with from user space.
- Increased monitoring options — Send your mirrored traffic to any security device.
- The aim of this solution is to monitor network traffic in a VPC (Virtual Private Cloud).
- The idea is to monitor an EC2 instance's network traffic by copying all inbound/outbound traffic from its source interface to the destination interface of the monitoring instance (in this case, the ETV platform).
Preparing the environment
- The first step is to create the instances in our VPC.
To create the EC2 instance, follow these steps:
- Go to “EC2” in AWS services
- In the EC2 section, click “Launch Instance”
- Choose the AMI (Amazon Machine Image)
- Choose an instance type
- IMPORTANT: When choosing the instance type, make sure you choose an instance powered by the AWS Nitro system: (A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d)
- PS: Any instance type not in this list will not support AWS VPC Traffic Mirroring
- At the instance review screen, make sure everything is correct before clicking “Launch”
- Choose “create a new key pair”, then download the private key file to use when you SSH into the instance
- Create a second EC2 instance named “monitoring” using the previous steps.
- You should end up with two instances running in our VPC
Getting started with VPC traffic mirroring
- Let’s review the key elements of VPC Traffic Mirroring and then set it up:
- Mirror Source – An AWS network resource that exists within a VPC and that can be used as the source of traffic. VPC Traffic Mirroring supports the use of Elastic Network Interfaces (ENIs) as mirror sources.
- Mirror Target – An ENI or Network Load Balancer that serves as a destination for the mirrored traffic. The target can be in the same AWS account as the Mirror Source, or in a different account to implement a central-VPC monitoring model.
- Mirror Filter – A specification of the inbound or outbound (with respect to the source) traffic that is to be captured (accepted) or skipped (rejected). The filter can specify a protocol, ranges for the source and destination ports, and CIDR blocks for the source and destination. Rules are numbered and processed in order within the scope of a particular Mirror Session.
- Traffic Mirror Session – A connection between a mirror source and target that makes use of a filter. Sessions are numbered, evaluated in order, and the first match (accept or reject) is used to determine the fate of the packet. A given packet is sent to at most one target.
- In the case below there are already ENIs that will be used as the mirror source and destination (in a real-world deployment one would probably use an NLB as the destination)
- The MirrorTestENI_Source and MirrorTestENI_Destination ENIs are already attached to suitable EC2 instances.
- Open the VPC Console and scroll down to the Traffic Mirroring items, then click Mirror Targets
- Click “Create traffic mirror target”
- Set the target to the ENI as shown below. Enter a name and description, choose the target type Network Interface, then click “create”
- The target should now be created and ready for use:
- Now click Mirror Filters and Create traffic mirror filter. Follow these steps to create a simple filter that captures outbound/inbound traffic on three ports (22, 80, and 443)
- Set the inbound/outbound port range to ports 22, 80 and 443
- Name the filter and click “create”
- The filter should now be up and running
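The rule-ordering behaviour described above (numbered rules, first match wins, accept or reject per direction) and the three-port barac_filter, modelled as an added example; this is example code, not AWS or Barac code, and the rule numbers, CIDRs and the health-check exclusion are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of how a Traffic Mirror filter decides a packet's fate:
# rules are numbered, evaluated in ascending order for the packet's direction,
# and the first match wins (accept = copy to the target, reject = drop).
# A packet that matches no rule is not mirrored. Example code, not AWS/Barac code.

@dataclass
class Rule:
    number: int
    direction: str                          # "inbound"/"outbound" relative to the source ENI
    action: str                             # "accept" or "reject"
    protocol: Optional[int] = None          # IANA protocol number, None = any
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive (from, to), None = any

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.protocol is not None and rule.protocol != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule.src_cidr):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule.dst_cidr):
        return False
    return rule.dst_ports is None or rule.dst_ports[0] <= pkt["dport"] <= rule.dst_ports[1]

def mirror_decision(rules, direction: str, pkt: dict) -> str:
    """Return "accept", "reject" or "no-match" for one packet in one direction."""
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for rule in candidates:
        if matches(rule, pkt):
            return rule.action
    return "no-match"

# barac_filter as described in the text: TCP to ports 22, 80 and 443 in both directions.
BARAC_FILTER = [
    Rule(number, direction, "accept", protocol=6, dst_ports=(port, port))
    for direction in ("inbound", "outbound")
    for number, port in zip((100, 110, 120), (22, 80, 443))
]

# Constructed variant that keeps load-balancer health checks (assumed to come
# from 10.0.0.0/24) out of the mirror: the lower-numbered reject rule is
# evaluated first and shadows the broader accept on port 80.
HEALTHCHECK_EXCLUDED = [Rule(10, "inbound", "reject", protocol=6,
                             src_cidr="10.0.0.0/24", dst_ports=(80, 80))] + BARAC_FILTER
```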
- Click Mirror Sessions and Create traffic mirror session. Follow these steps to create a session that uses MirrorTestENI_Source, barac_mirror_target, and barac_filter, to let AWS choose the VXLAN network identifier, and to indicate that the entire packet is to be mirrored
- Set the Mirror source as shown below
- Set the Filter to the one we created earlier
- Make sure the Session is named appropriately and click “create”
- The AWS VPC traffic mirroring should now be ready to use
Tests and Validation
- Traffic from the mirror source that matches the barac_filter is encapsulated in VXLAN as specified in RFC 7348 and delivered to the mirror target. One can then use BaracCollector to collect the traffic and send it to the Barac ETV platform
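What the mirror target actually receives, as an added example that is not part of the original page or of BaracCollector: a constructed VXLAN-encapsulated copy of a TCP SYN (outer IPv4/UDP to port 4789, 8-byte VXLAN header, inner Ethernet/IPv4/TCP) and a decapsulator that validates the VNI flag and recovers the mirrored flow; the addresses, VNI and MACs are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # RFC 7348 well-known port, used by VPC Traffic Mirroring
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid identifier

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (constructed sample only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_mirrored_packet(vni, inner_src, inner_dst, inner_dport):
    """Constructed mirrored TCP SYN as delivered to the target ENI, starting at the outer IPv4 header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, inner_dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = ipv4_header(inner_src, inner_dst, 6, len(tcp)) + tcp
    inner_eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00" + inner_ip
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)   # flags, reserved, VNI (24 bits) + reserved
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner_eth), 0)
    payload = udp + vxlan + inner_eth
    return ipv4_header("10.0.1.10", "10.0.2.20", 17, len(payload)) + payload   # source ENI -> target ENI

def decapsulate(pkt):
    """Parse outer IPv4/UDP/VXLAN and return the mirrored inner flow, or None if
    the datagram is not VXLAN to port 4789, the VNI flag is clear, or the inner frame is not IPv4."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", pkt, ihl)
    if dport != VXLAN_UDP_PORT:
        return None
    flags, vni_field = struct.unpack_from("!B3xI", pkt, ihl + 8)
    if not flags & VXLAN_FLAG_VNI_VALID:
        return None
    eth = ihl + 16                                   # inner Ethernet frame follows the 8-byte VXLAN header
    if pkt[eth + 12:eth + 14] != b"\x08\x00":        # only IPv4 inner frames handled here
        return None
    ip = eth + 14
    proto = pkt[ip + 9]
    src, dst = IPv4Address(pkt[ip + 12:ip + 16]), IPv4Address(pkt[ip + 16:ip + 20])
    l4 = ip + (pkt[ip] & 0x0F) * 4
    dst_port = struct.unpack_from("!H", pkt, l4 + 2)[0] if proto in (6, 17) else None
    return {"vni": vni_field >> 8, "src": str(src), "dst": str(dst), "proto": proto, "dport": dst_port}
```

A collector that checks the VNI against the session AWS assigned, and drops anything without the I flag or not addressed to port 4789, avoids treating stray UDP sent to the target ENI as mirrored traffic.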
After following the previous steps, the Barac-AWS integration will be able to collect mirrored traffic and forward it to the Barac-ETV Platform. Please note that these steps are current as of December 2019 and are subject to change in accordance with any updates to either party.