AWS Partner Network (APN) Blog
Securing Dynamic Workloads with Arista Network Detection and Response and AWS Traffic Mirroring
By Juliano Forti and Gokul Parthasarathy, Sr. Solutions Architects – AWS
By Salman Zahid, Systems Engineering Sr. Manager – Arista
By Rudolph Araujo, Marketing Sr. Director – Arista
By Soumya Bhattacharjee, Product Manager – Arista
Arista Networks |
For organizations seeking robust cloud-based network security solutions, the combination of Arista Network Detection and Response (NDR) and traffic mirroring on Amazon Web Services (AWS) provide deep packet analysis for enhanced threat monitoring and content inspection without impacting live traffic flow.
Arista NDR is an artificial intelligence (AI)-driven network detection and response platform that analyzes network traffic to autonomously discover, profile, and classify every device, user, and workload across a variety of customer networks—perimeter, core, Internet of Things (IoT), and cloud.
This process maps out an organization’s attack surface and sets the foundation for the platform to detect threats to and from these entities. It also provides the necessary context and actionable insights for security teams to respond effectively.
The analysis begins with sensors that can be deployed on both the on-premises network and on AWS. These sensors process the full packet to perform deep packet inspection, and output security-specific context (“activity data”) into the Nucleus, which is the analytics hub of the NDR solution.
The Nucleus, which can also be deployed on AWS, uses a multi-dimensional AI approach to detect complex adversarial behaviors and connect the dots across entities, time, protocols, and attack stages. It also integrates with other IT and security solutions within the environment and can thus provide automated response and remediation.
Arista Networks is an AWS Partner and AWS Marketplace Seller that provides software-driven cloud networking solutions for large data center and high-performance computing environments.
Arista NDR Deployed on AWS
For organizations that have workloads in the cloud and want to deploy a network detection and response solution in such an environment, the cloud-based form factors of the Arista NDR sensors and the Nucleus are go-to options.
To achieve deep packet analysis in the cloud, Arista NDR sensors and AWS traffic mirroring provide an ideal combination. Leveraging the traffic mirroring feature of AWS, network traffic can be copied and forwarded to out-of-band security and monitoring appliances, including Arista NDR sensors.
Key benefits of traffic mirroring include:
- Content inspection: By providing a copy of network traffic, traffic mirroring enables robust content inspection. Organizations can thoroughly analyze data packets for potential security threats and policy violations without disrupting live traffic flow.
- Threat monitoring: The Arista NDR sensors, powered by AWS traffic mirroring, offer real-time threat monitoring capabilities. Security teams can quickly detect and respond to anomalies and potential attacks within their cloud infrastructure.
- Troubleshooting: With traffic mirroring, network administrators gain the ability to troubleshoot performance issues effectively. The captured traffic data allows them to identify and resolve network bottlenecks or misconfigurations swiftly.
Figure 1 – Arista NDR platform.
Traffic mirroring on AWS provides the flexibility to apply filters and packet truncation, allowing organizations to extract and forward only the relevant traffic for analysis. This ensures efficient utilization of resources and reduces the processing overhead.
Arista NDR sensors can be seamlessly deployed in an AWS cloud environment as individual instances or as a cluster of instances. These sensors are placed behind either a Network Load Balancer or Gateway Load Balancer, equipped with a user datagram protocol (UDP) listener to receive the mirrored traffic from AWS traffic mirroring.
Enabling Traffic Mirroring in Highly Dynamic Environments
In today’s rapidly evolving cloud landscape, the need for seamless network detection and response capabilities is paramount for organizations, especially those in the financial services sector.
To extend their on-premises NDR capabilities to their AWS footprint, customers face a unique challenge, as they want to enable traffic mirroring in a highly dynamic environment, where Amazon Elastic Compute Cloud (Amazon EC2) instances could spin up or down within minutes.
Traffic mirroring on AWS is a valuable virtual private cloud (VPC) feature that operates at the elastic network interface (ENI) level. While this feature allows for enabling or disabling traffic mirroring on instances with associated ENIs, it becomes complex to manage in highly dynamic environments with rapidly changing workloads.
To address this challenge, the Arista team collaborated closely with the AWS Solution Architecture team. Together, they explored various options to automate the process of enabling traffic mirroring at the instance level and ensure seamless monitoring of network traffic.
- Initiating traffic mirroring at the VPC level: Initially, the team considered initiating traffic mirroring at the VPC level, which would enable mirroring for all instances within that VPC as they came up. However, despite being a VPC-level feature, traffic mirroring can only be toggled on/off at the instance level, making this option unfeasible.
- Automating instance-level traffic mirroring: Given the limitations of VPC-level implementation, the team focused on automating traffic mirroring at the instance level. The goal was to devise a solution that dynamically toggled traffic mirroring when EC2 instances spun up or down, eliminating the need for manual intervention.
VPC Traffic Mirroring Source Automation Application
After careful consideration, the team found that automating the traffic mirroring toggle when Amazon EC2 instances came up or went down was the most logical and viable solution. Leveraging Arista NDR’s capabilities and collaborating with AWS services, the team decided on a robust automation system that seamlessly handles traffic mirroring in the highly dynamic AWS environment.
The team deployed a serverless application that automates the setup of traffic mirroring based on VPCs, subnets, and tags as input. This application, based on the AWS Serverless Application Model (SAM) framework, uses AWS CloudFormation to set up the infrastructure and supported three key use cases:
- Set up traffic mirroring on existing EC2 instances.
- Set up traffic mirroring on newly-launched EC2 instances.
- Set up traffic mirroring on EC2 instances which trigger an Amazon GuardDuty event.
Each of these can be configured independently or in combinations using parameter-overrides while deploying the CloudFormation stack using the AWS SAM command line interface (CLI). Based on the parameters provided during deployment, CloudFormation spins up the following infrastructure to run the application.
Figure 2 – VPC traffic mirroring source automation application.
The application infrastructure consists of three different AWS Lambda functions:
- BackfillInitiator: This Lambda function and its associated resources are created to automate the backfilling of existing EC2 instances based on user-defined configuration. This function is invoked at the time of stack creation with the help of a custom CloudFormation resource and sends an Amazon Simple Notification Service (SNS) message to the TrafficMirroringBackfill Lambda function that initiates the backfill.
- TrafficMirroringBackfill: This Lambda function is responsible for describing EC2 instances in the account and matching the attributes of the EC2 instances to the user-defined configuration based on VPCs, subnets, or tags. If a match is found, the function proceeds to set up traffic mirroring. AWS users often have thousands of EC2 instances in their accounts. However, Lambda functions are limited by a specific execution timeout, so you need to optimize. This function, therefore, describes a page of 200 instances at a time and then sends an SNS message with the next token of the describe-instances call. The SNS message is consumed by another invocation of the same Lambda function, and it continues backfilling until it has processed all the existing EC2 instances in the account.
- CloudWatchEventHandler: This Lambda function is responsible for listening to Amazon CloudWatch events for either Amazon GuardDuty findings or EC2 instance launch events. When an event of interest occurs, the function gets the attributes of the EC2 instances and similar to the function above uses a user-defined configuration to set up traffic mirroring.
Once the application gets the attributes of an EC2 instance (existing or new instances), the applicable Lambda function loads the user-defined configuration to determine if the instance involved in the event should be configured with traffic mirroring.
Next, the application configures the primary ENI of the instance as the source and traffic mirror target defined in the user-defined configuration as the destination of the traffic mirroring. If a target is not defined, the Lambda function creates and reuses traffic mirror targets as needed.
The TrafficMirroringBackfill Lambda function is the most appropriate to meet the challenge to enable traffic mirroring in a highly dynamic environment, where EC2 instances could spin up or down within minutes.
However, the TrafficMirroringBackfill Lambda function does not automatically trigger the clean-up of terminated instances. To overcome this limitation, another Lambda function has to be deployed to terminate EC2 instances by setting a utilization threshold.
Benefits of the Automated Solution
- Always-on protection: With the automated traffic mirroring toggle, the financial services customer could ensure that instances had network detection and response capabilities immediately upon spinning up, enabling real-time threat monitoring and rapid response.
- Reduced manual overhead: The automated solution eliminates the need for manual tracking and enabling/disabling of traffic mirroring, saving valuable time and effort for the customer’s IT and security teams.
- Seamless scalability: As the customer’s AWS footprint expanded and contracted based on dynamic workloads, the automated system effortlessly adjusted traffic mirroring, ensuring continuous network security coverage.
Summary
The collaborative efforts of Arista Network Detection and Response (NDR) and AWS resulted in a cutting-edge solution for automating traffic mirroring in highly dynamic environments.
By streamlining traffic mirroring at the instance level, financial services customers can achieve enhanced network detection and response capabilities within their AWS infrastructure. This successful collaboration showcases the power of innovation and cooperation in solving complex challenges in the ever-evolving cloud ecosystem.
With automated traffic mirroring, organizations can confidently embrace the benefits of dynamic cloud environments while maintaining robust network security.
Arista Networks – AWS Partner Spotlight
Arista Networks is an AWS Partner that provides software-driven cloud networking solutions for large data center and high-performance computing environments.