AWS VPC Traffic Mirroring for Secrets, Visibility, and Security Management

VPC Traffic Mirroring: An overview

Unlock deep insights into your AWS infrastructure with VPC Traffic Mirroring. This feature enables seamless network traffic capture and analysis within your Virtual Private Cloud (VPC). By mirroring data from Elastic Network Interfaces to dedicated monitoring instances, you gain unparalleled visibility for troubleshooting, security monitoring, and performance optimization. Elevate your AWS experience by harnessing the power of VPC Traffic Mirroring for a robust and secure cloud environment.

Network monitoring tools that work with VPC Traffic Mirroring

In conjunction with AWS VPC Traffic Mirroring, leveraging open-source monitoring tools like Zeek and Suricata elevates network analysis and security. Zeek excels in protocol analysis, extracting essential metadata, while Suricata, with its powerful rule-based engine, enhances intrusion detection capabilities. This combination empowers AWS users to monitor, analyze, and secure network traffic. It provides a robust open-source solution for optimizing the AWS VPC environment with comprehensive insights and threat detection.

Key Concepts of VPC Traffic Mirroring

AWS Traffic Mirroring is a pivotal feature in AWS that facilitates detailed analysis and monitoring of the network traffic in the Virtual Private Cloud (VPC). Here are key concepts to grasp:

1. Mirror Source: This is the network resource (like an Elastic Network Interface) whose inbound and outbound traffic is duplicated for analysis. Mirroring can be applied at the instance or subnet level.
2. Mirror Target: The instance to which mirrored traffic is sent for analysis. It runs monitoring tools, allowing you to inspect, analyze, or store the duplicated traffic.
3. Filtering: AWS VPC Traffic Mirroring supports filters to selectively mirror specific traffic based on defined criteria like IP addresses, protocols, and ports, providing flexibility in capturing relevant data.
4. Session: A configuration defining the flow of mirrored traffic. It includes the source, target, and filter configurations.
5. Analyzer: The instance running monitoring tools (e.g., Zeek, Suricata) to analyze mirrored traffic for troubleshooting, security analysis, and performance monitoring.

Steps to implement VPC Traffic Mirroring Policy

Now follow the steps to implement VPC Traffic Mirroring using the open-source tool Suricata.

1. Log in to the AWS Console and access the target EC2 instance terminal (in my demo, I am using a Linux instance), where you want to install the Suricata tool.
2. Now execute the commands below in the EC2 instance to install Suricata. (Works with Amazon Linux2)You capture and check the path “/var/log/suricata/fast.log”
3. Now, create the Mirror Target. Open VPC Console, then from the left pane under the Traffic Mirroring option, select ‘Mirror targets’, click the ‘Create traffic mirror target’ button, configure as shown in the figure below, and click ‘Create.’
4. The next step is to create a Mirror Filter. From the same VPC console again, Go to the left pane; under the option, Traffic Mirroring, select ‘Mirror filters’ and then click ‘Create traffic mirror filter.’ Then, configure and create a filter for inbound traffic, as shown in the figure below, and click ‘Create.’
5. The final step is to create the Mirror Session. In the VPC console, from the left pane under Traffic Mirroring, select the option ‘Mirror sessions’ and then click ‘Create traffic mirror session.’ now configure and create the mirror session as shown in the figure below and then click ‘Create.’

   This step will create the Mirror session, and all the TCP and ICMP traffic gets mirrored from the source instance network interface to the target instance network interface, where it is monitored using the open-source tool Suricata or by monitoring port 4789.

   Important that ingress UDP traffic (port 4789) should be allowed in the security groups for source and target instances.

Tests and Results

Let us do some testing and see the results.

 The screenshot below is for the Client machine and Web Server.

Test-1

Now, let’s curl the Server IP address from the Client machine and check the mirroring of the packets on the monitoring instance. The figure below shows the curl command execution and the mirror target instance output. Run the below command before curling from the client machine.

sudo tcpdump -nnni eth0 udp port 4789

Test-2

Now, you will ping the Web Server from the Client machine and check the packets captured on the Target or Monitoring instance. The below figure shows the same.

You can also view the logs that are generated for the above Tests from the target instance within “/var/log/suricata/fast.log”

Conclusion

AWS VPC Traffic Mirroring emerges as a game-changer, providing unparalleled insights into network activities. Its robust features, seamless integration with open-source tools, and a focus on enhanced security empower users to navigate the cloud confidently, optimize performance, troubleshoot efficiently, and fortify network defenses.

Reference links

https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-getting-started.html

About CloudThat