By Randy Chou, CEO at Nubeva Technologies
By Miguel Cervantes, Partner Solutions Architect at AWS
By James Wenzel, Partner Solutions Architect at AWS
Amazon Web Services (AWS) has added a new feature to Amazon Virtual Private Cloud (Amazon VPC) called traffic mirroring. You can think of Amazon VPC traffic mirroring as a virtual network tap that gives you direct access to the network packets flowing through your Amazon VPC.
Customers rely on network taps and mirroring for testing, troubleshooting, network analysis, security, and compliance requirements, to name a few. They are already taking advantage of this cloud-native network tapping capability, which brings network and security visibility that is commonplace in the data center to Amazon VPC.
Customers who have moved to AWS gain many benefits, but they also face the challenge of gaining visibility into the network traffic flowing over their Amazon VPC.
Amazon VPC Flow Logs show the network flows (the IP addresses, ports, protocol, and byte counts of each connection), but not the packet payload, so the application-level context was missing. This left many security teams building complex monitoring solutions that came with undifferentiated heavy lifting.
With Amazon VPC traffic mirroring now available, customers can meet their security teams' requirements and gain packet-level visibility into their network.
In this post, we will explore how Nubeva Technologies, an AWS Partner Network (APN) Advanced Technology Partner, built a solution that directly integrates with Amazon VPC traffic mirroring to provide an out-of-band decryption solution for AWS customers.
This joint solution with Nubeva’s product and Amazon VPC traffic mirroring gives customers a surgical approach to capture and analyze network traffic on the AWS Cloud.
What is Amazon VPC Traffic Mirroring?
Amazon VPC traffic mirroring allows you to capture and mirror network traffic from AWS Nitro System-based instances. The key point is that a traffic mirroring session is attached to the Elastic Network Interface (ENI) of the Amazon Elastic Compute Cloud (Amazon EC2) instance you want to observe: the copy is taken at the ENI, not by software running on the instance.
These traffic mirroring sessions let you capture all of the network traffic flowing over the ENI, or use traffic mirroring filters to capture only the packets that are of interest to you. You can also limit the number of bytes captured per packet.
You can use VPC traffic mirroring in a multi-account AWS environment, capturing traffic from Amazon VPCs spread across many AWS accounts, and then routing it to monitoring instances, using Amazon VPC peering or AWS Transit Gateway, in a central Amazon VPC for inspection.
A traffic mirroring session can be created and orchestrated using an AWS Software Development Kit (SDK) or the AWS Command Line Interface (CLI). As you create new workloads, enabling Amazon VPC traffic mirroring at launch time is just a few additional commands in your build scripts; the steps are described in the Amazon VPC traffic mirroring documentation.
What Customers Did Before Amazon VPC Traffic Mirroring
A challenge for network and security monitoring in any environment is traffic gathering and acquisition. In the on-premises world, a number of methods were created to solve this issue, such as SPAN (Switched Port Analyzer) sessions on physical network switches, or putting inline hardware on physical network connections to gain visibility into the traffic flowing over the network.
As your environment continues to grow on AWS, it becomes critical to keep an ever-watchful eye out for unusual traffic patterns or content that could signify a network intrusion, a compromised instance, or some other anomaly.
Solutions for network traffic monitoring on AWS have historically been limited to whatever can be installed on an Amazon EC2 instance, usually a software agent, or to what can be extracted from Amazon VPC Flow Logs. The cost and complexity of those traditional solutions, in particular the need to deploy and maintain host-based agents on every instance, has held back the adoption of packet-level monitoring in the cloud.
Amazon VPC traffic mirroring cuts through this problem. You can enable a traffic mirroring session on an individual ENI without touching the resources of the underlying workload.
Then you can direct all of the mirrored traffic, or a subset filtered on fields such as protocol, source/destination IP address, and port, to tools such as the open source Zeek, Suricata, and Moloch, to name a few, or any other monitoring solution. No inline appliance or per-host agent is required.
Amazon VPC traffic mirroring enables customers to detect network and security anomalies, gain operational insights, implement compliance and security controls, and, not least, troubleshoot network issues.
Amazon VPC Traffic Mirroring Use Cases
Keeping traffic mirroring costs low is critical as companies look at comprehensive monitoring solutions, for example where forensic analysis is required. Incident response itself has many facets, and each calls for a different capture pattern.
Let’s look at a few different techniques you can execute when using Amazon VPC traffic mirroring in practice.
On-Demand Capture
This is the traditional “something happened” button. A company's security team identifies a potential threat inside their environment and starts their incident response procedures. Amazon VPC traffic mirroring can immediately be enabled on the Amazon EC2 instances in the identified Amazon VPCs. Traffic is then sent, in real time, to the security tools in your AWS environment.
Further automation is possible here: traffic mirroring can be enabled on the fly for Amazon EC2 instances that meet criteria defined by your organization, for example a finding from a threat detection service or a specific tag. Like everything on AWS, enabling Amazon VPC traffic mirroring is an API call away.
Constant Capture
This is similar to the option above, except that monitoring is always on. This means you capture all inbound and outbound communication on an Amazon EC2 instance for the duration of its uptime. Constant capture is what most security organizations do on-premises today, but it has not been easy to replicate in the cloud until now.
You can store packet captures in Amazon Simple Storage Service (Amazon S3) using monitoring tools for long-term archival and ready to analyze when needed. Amazon VPC traffic mirroring allows you to instrument everything and have a forensic record of your network traffic.
Sampling
The on-demand use case is often too late for many organizations, while the constant approach is often too much. Because of this, many AWS customers choose sampling as an effective middle ground. The automation and orchestration capabilities of Amazon VPC traffic mirroring allow you to monitor one or more groups of Amazon VPC resources for a short period and then shift to another set of resources.
If any of these monitored groups show any irregularities, they can be tagged and immediately set to be monitored by another set of tools for further analysis, while the packet captures continue to sample traffic from the workloads, looking for threats and anomalies.
Filtering Packet Captures on Amazon VPC Traffic Mirroring Sessions
The best thing about packet captures is that you get all the data. The worst thing about packet captures is that you get all the data. The key to any packet capture strategy is making sure each tool receives exactly what it needs, while still preserving the remainder of the data for later analysis as needed. Amazon VPC traffic mirroring lets you be surgical and expansive at the same time, with the same data.
Amazon VPC traffic mirroring allows multiple sessions on one source ENI, so different types of traffic can be mirrored to different tools. For instance, all HTTP/HTTPS traffic is sent to an application performance tool for deeper review. At the same time, SMTP traffic is sent to a specialized tool for data loss prevention. Finally, the remainder of the traffic is sent to an IDS solution for further analysis. Each session has a session number; a packet is mirrored once, by the lowest-numbered session whose filter accepts it, so the catch-all session feeding the IDS must carry the highest number.
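The session and filter mechanics above (filter rules per direction, truncation with PacketLength, several sessions on one source ENI ordered by session number) can be scripted against the EC2 API. The following is an added example written for this post, not code from AWS or Nubeva: it plans the three-tool fan-out described in the previous paragraph (HTTP/HTTPS to an APM tool, SMTP to a DLP tool, the rest to an IDS), emulates the evaluation order so you can check which tool a given packet lands on, and creates the resources through an injected client. The ENI IDs are placeholders, and `RecordingEC2` is an offline stub that only records the calls; pass `boto3.client("ec2")` instead to apply the plan for real.

```python
"""Fan out one source ENI's traffic to three tools with VPC Traffic Mirroring.

Added example, not code from the post or from Nubeva. ENI IDs are placeholders.
The EC2 client is injected so the planning/evaluation logic runs offline; pass
boto3.client("ec2") to create the resources for real.
"""

ANY_CIDR = "0.0.0.0/0"
TCP = 6


def port_rules(ports, protocol=TCP):
    """Accept rules for a server-side ENI: inbound packets *to* the listening
    ports and outbound packets *from* them (the reply half of each flow).
    Within a filter, rules are evaluated per direction by ascending RuleNumber."""
    rules = []
    for i, port in enumerate(ports):
        prange = {"FromPort": port, "ToPort": port}
        base = {"RuleNumber": 100 + i, "RuleAction": "accept", "Protocol": protocol,
                "SourceCidrBlock": ANY_CIDR, "DestinationCidrBlock": ANY_CIDR}
        rules.append({**base, "TrafficDirection": "ingress", "DestinationPortRange": prange})
        rules.append({**base, "TrafficDirection": "egress", "SourcePortRange": prange})
    return rules


def catch_all_rules():
    """Accept every packet in both directions (no protocol or port constraint)."""
    return [{"TrafficDirection": d, "RuleNumber": 100, "RuleAction": "accept",
             "SourceCidrBlock": ANY_CIDR, "DestinationCidrBlock": ANY_CIDR}
            for d in ("ingress", "egress")]


def plan_sessions(targets):
    """One session per tool on the same source ENI. A packet is mirrored once, by
    the lowest SessionNumber whose filter accepts it, so the IDS catch-all gets
    the highest number. VirtualNetworkId is the VXLAN VNI the target sees."""
    return [
        {"name": "apm", "session": 1, "vni": 101, "target_eni": targets["apm"],
         "rules": port_rules([80, 443])},
        {"name": "dlp", "session": 2, "vni": 102, "target_eni": targets["dlp"],
         "rules": port_rules([25, 465, 587])},
        {"name": "ids", "session": 3, "vni": 103, "target_eni": targets["ids"],
         "rules": catch_all_rules()},
    ]


def _rule_matches(rule, direction, protocol, src_port, dst_port):
    if rule["TrafficDirection"] != direction:
        return False
    if "Protocol" in rule and rule["Protocol"] != protocol:
        return False
    for key, port in (("SourcePortRange", src_port), ("DestinationPortRange", dst_port)):
        rng = rule.get(key)
        if rng and not rng["FromPort"] <= port <= rng["ToPort"]:
            return False
    return True


def mirrored_to(plan, direction, protocol, src_port, dst_port):
    """Emulate evaluation order (sessions by SessionNumber, rules by RuleNumber)
    for a plan that uses only accept rules. Returns the tool name or None."""
    for sess in sorted(plan, key=lambda s: s["session"]):
        for rule in sorted(sess["rules"], key=lambda r: r["RuleNumber"]):
            if _rule_matches(rule, direction, protocol, src_port, dst_port):
                return sess["name"]
    return None


def apply_plan(ec2, source_eni, plan, packet_length=None):
    """Create target, filter, rules and session per entry using the EC2 API
    (boto3 method names and parameters). Returns {tool: TrafficMirrorSessionId}."""
    ids = {}
    for sess in plan:
        t = ec2.create_traffic_mirror_target(NetworkInterfaceId=sess["target_eni"],
                                             Description=f"{sess['name']} tool")
        f = ec2.create_traffic_mirror_filter(Description=f"{sess['name']} filter")
        filter_id = f["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
        for rule in sess["rules"]:
            ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)
        kwargs = dict(NetworkInterfaceId=source_eni,
                      TrafficMirrorTargetId=t["TrafficMirrorTarget"]["TrafficMirrorTargetId"],
                      TrafficMirrorFilterId=filter_id, SessionNumber=sess["session"],
                      VirtualNetworkId=sess["vni"], Description=sess["name"])
        if packet_length is not None:  # e.g. 128: headers only, less mirrored bandwidth
            kwargs["PacketLength"] = packet_length
        s = ec2.create_traffic_mirror_session(**kwargs)
        ids[sess["name"]] = s["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return ids


class RecordingEC2:
    """Offline stand-in for boto3.client("ec2"): records each call and returns a
    synthetic ID in the real response shape. Not a real AWS client."""
    _SHAPES = {
        "create_traffic_mirror_target": ("TrafficMirrorTarget", "TrafficMirrorTargetId", "tmt"),
        "create_traffic_mirror_filter": ("TrafficMirrorFilter", "TrafficMirrorFilterId", "tmf"),
        "create_traffic_mirror_filter_rule": ("TrafficMirrorFilterRule", "TrafficMirrorFilterRuleId", "tmfr"),
        "create_traffic_mirror_session": ("TrafficMirrorSession", "TrafficMirrorSessionId", "tms"),
    }

    def __init__(self):
        self.calls = {}

    def __getattr__(self, op):
        if op not in self._SHAPES:
            raise AttributeError(op)
        outer, key, prefix = self._SHAPES[op]

        def call(**kw):
            self.calls.setdefault(op, []).append(kw)
            return {outer: {key: f"{prefix}-{len(self.calls[op])}"}}
        return call


if __name__ == "__main__":
    plan = plan_sessions({"apm": "eni-apm", "dlp": "eni-dlp", "ids": "eni-ids"})
    print(apply_plan(RecordingEC2(), "eni-webserver", plan, packet_length=128))
    print(mirrored_to(plan, "ingress", TCP, 51000, 443))
```

Two operational points worth checking before relying on this: mirrored packets arrive at the target encapsulated in VXLAN (UDP 4789), so the target ENI's security group must allow UDP 4789 from the source ENIs or the copies are silently dropped; and a small PacketLength keeps the mirrored bandwidth down but truncates payloads, which defeats any tool (including a TLS decryption step) that needs the full record.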
TLS/SSL Decryption with Nubeva and Amazon VPC Traffic Mirroring
Nubeva's TLS Decrypt is an out-of-band solution that decrypts SSL/TLS traffic, enabling security and application teams to inspect and monitor their data in motion.
Nubeva's born-in-the-cloud architecture works with TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, perfect forward secrecy (PFS), and pinned certificates. This lets customers keep strong encryption in transit in their AWS environment, while providing a way to decrypt the mirrored traffic for additional visibility.
More than 70 percent of all network traffic is currently encrypted. Enterprises need to monitor their applications across Amazon VPCs for both security, compliance, application performance and diagnostics reasons.
Figure 1 – Challenges with visibility of encrypted network traffic.
While modern encryption protocols provide strong security, they also limit visibility because the packet payload is encrypted. Nubeva integrates with Amazon VPC traffic mirroring to enable decryption of, and visibility into, mirrored encrypted packets.
Nubeva applies an out-of-band decryption approach without software or hardware man-in-the-middle (MITM) components. The architecture uses a key-extraction plane that is independent of the encrypted-traffic plane: TLS session keys are collected separately from the packet stream and stored in Amazon DynamoDB tables in the customer's own AWS account.
Nubeva's decryption agents merge those keys with the mirrored encrypted traffic and send both the original encrypted packet and the decrypted packet to the attached tool. Because decryption happens at the tool, decrypted traffic never traverses the customer's Amazon VPC network.
Figure 2 – Nubeva Decrypt solution overview.
Customer Success: Financial Services
For one Fortune 500 financial services company, the implication of this capability is significant: it unblocks one of the more problematic projects for their security team. One of their top five projects for 2019 was sending decrypted packets to open source tools in the cloud.
In their on-premises data centers, the SOC decrypted all traffic to their web and app tiers using standard MITM approaches. With the move to the cloud and the shift to TLS 1.2 with PFS cipher suites and TLS 1.3, the MITM approaches were no longer feasible.
With Nubeva's decryption capabilities, this customer project has new life. It is now possible to decrypt traffic that a passive tap holding only the server's static private key cannot recover, and to do so without an inline proxy that would break certificate pinning.
Nubeva's decryption lets customers send Amazon VPC traffic mirroring data to a centralized Amazon VPC for infosec tooling, which might host Zeek or Moloch, for example, alongside other solutions. Each of these tools then queries the key database for the applicable session keys and gains visibility into the decrypted traffic.
Amazon VPC traffic mirroring and Nubeva are better together. The introduction of Amazon VPC traffic mirroring has increased network visibility possibilities for AWS customers, whether you’re looking to do captures on-demand, constantly, or sample the traffic.
For customers that need the ability to execute even deeper inspection of Amazon VPC network traffic, Nubeva’s TLS decryption works great with Amazon VPC traffic mirroring to decrypt mirrored traffic on the destination for deeper analysis.
Together, this combined solution lets customers adopt strong encryption across their environment, while giving IT teams the right level of visibility into their cloud network traffic.
Nubeva Technologies – APN Partner Spotlight
Nubeva is an APN Advanced Technology Partner that gives organizations visibility into decrypted packet traffic on the AWS Cloud. Nubeva merges TLS keys with packet feeds for multiple tools and services, both in the cloud and on-premises.
from AWS Partner Network (APN) Blog