As an AWS Advanced Technology Partner, we recently worked with Miguel Cervantes and James Wenzel (both Partner Solutions Architects at AWS) to write an article for the AWS Partner Network. The article features details about how to use Nubeva with Amazon VPC traffic mirroring to get decrypted visibility of your network traffic. Click here to read the full post.
In summary, our blog covers the following:
Amazon VPC traffic mirroring allows you to capture and mirror network traffic for AWS Nitro System-based instances. The key benefit of Amazon VPC traffic mirroring is its relationship to the Elastic Network Interface (ENI) of the Amazon Elastic Compute Cloud (Amazon EC2) instance you want to enable a traffic mirroring session on.
These traffic mirroring sessions allow you to choose to capture all of the network traffic flowing over the ENI, or you can use traffic mirroring filters to capture the packets that are of particular interest to you. You also have the option to limit the number of bytes captured per packet.
Keeping traffic mirroring costs low is critical when companies begin to look at comprehensive monitoring solutions, such as cases where forensic analysis is required. Incident response itself has many facets.
Let’s look at a few different techniques you can execute when using Amazon VPC traffic mirroring in practice.
On-Demand - This is the traditional “something happened” button. A company’s security team identifies a potential threat inside their environment, and they start their incident response procedures.
Constant - This is similar to the option above, except the monitoring is in a constant state. Constant capture is what most security organizations do on-premises today, but it has not been possible to easily replicate this in the cloud until now.
Sampled - The on-demand use case is often too late for many organizations, while the constant approach is often too much. Because of this, many AWS customers choose sampling as a unique and effective approach to monitoring.
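As an added illustration (not code from the Nubeva post or the AWS article), the planner below turns each of the three strategies into the parameter dicts that boto3's `ec2.create_traffic_mirror_session()` accepts, with a TLS-only filter rule set and a per-packet byte cap so the plan can be reviewed before any API call is made. The hash-based sampler is an assumed approach, not one the article prescribes, and the ENI, target and filter IDs are constructed samples.

```python
import hashlib

# Filter rules to attach to a traffic mirror filter: keep only TCP/443
# in both directions, so only TLS sessions reach the decryption tool.
TLS_ONLY_RULES = [
    {"TrafficDirection": "ingress", "RuleNumber": 100, "RuleAction": "accept",
     "Protocol": 6, "DestinationPortRange": {"FromPort": 443, "ToPort": 443},
     "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"},
    {"TrafficDirection": "egress", "RuleNumber": 100, "RuleAction": "accept",
     "Protocol": 6, "SourcePortRange": {"FromPort": 443, "ToPort": 443},
     "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"},
]

def sampled(enis, percent, salt="rotation-1"):
    """Deterministically select about `percent` of the ENIs (assumed
    approach). Hashing the ENI id with a salt keeps the sample stable
    between runs; changing the salt rotates it so every instance is
    eventually observed."""
    chosen = []
    for eni in sorted(enis):
        digest = hashlib.sha256(f"{salt}:{eni}".encode()).hexdigest()
        if int(digest, 16) % 100 < percent:
            chosen.append(eni)
    return chosen

def plan_sessions(enis, strategy, target_id, filter_id,
                  packet_length=None, percent=10, flagged=()):
    """Return one create_traffic_mirror_session() kwargs dict per source
    ENI chosen by the strategy. packet_length truncates each mirrored
    packet to that many bytes, which bounds mirroring cost."""
    if strategy == "constant":          # mirror every ENI, all the time
        chosen = sorted(enis)
    elif strategy == "on-demand":       # only ENIs the responders flagged
        chosen = [e for e in sorted(enis) if e in set(flagged)]
    elif strategy == "sampled":         # a rotating subset of ENIs
        chosen = sampled(enis, percent)
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    sessions = []
    for eni in chosen:
        session = {"NetworkInterfaceId": eni,
                   "TrafficMirrorTargetId": target_id,
                   "TrafficMirrorFilterId": filter_id,
                   "SessionNumber": 1}  # one session per source ENI
        if packet_length is not None:
            session["PacketLength"] = packet_length
        sessions.append(session)
    return sessions
```

Each dict can be passed straight to `ec2.create_traffic_mirror_session(**session)` once the filter and target exist; the rules in `TLS_ONLY_RULES` are the arguments for `create_traffic_mirror_filter_rule` plus the filter id.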
More than 70 percent of all network traffic is currently encrypted. Enterprises need to monitor their applications across Amazon VPCs for security, compliance, application performance, and diagnostics reasons.
While modern encryption protocols provide the highest levels of security, they also limit visibility due to the packet’s encryption. Nubeva integrates with Amazon VPC traffic mirroring to enable decryption and visibility for mirrored encrypted packets.
Nubeva’s born-in-the-cloud architecture works great for TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), perfect forward secrecy (PFS), and pinned certificates. This allows customers to promote encryption-in-transit practices in their AWS environment, while providing a solution to securely decrypt the mirrored traffic for additional visibility.
Nubeva applies a unique out-of-band decryption approach without software or hardware man-in-the-middle (MITM) components. This architecture uses a key-extraction plane independent of the encrypted traffic plane. Nubeva stores encryption keys securely in Amazon DynamoDB tables in the customer’s own AWS account.
Nubeva’s decryption agents merge keys with encrypted traffic and send the original encrypted packet, as well as the decrypted packet, to the attached tool. This process ensures that decrypted traffic never traverses the customer’s Amazon VPC network environment.