
Virtual Private Cloud:Use traffic mirroring to perform security audit on VPC traffic

Last Updated:Oct 31, 2024

Network security is often a primary concern when users deploy key business operations on the cloud. You can use the traffic mirroring feature in virtual private clouds (VPCs) to monitor and analyze the network traffic security in real time.

Scenario

A company deploys its core business on the cloud. While keeping its cloud services running, the company requires efficient, non-intrusive monitoring of ECS instance traffic to identify and record potential threats for security audits.

In this example, traffic mirroring is utilized to copy the network traffic from one ECS instance to another that is equipped with a threat detection system. This allows you to monitor the mirrored traffic in real time after configuring security rules.

  • Traffic mirroring: Duplicates network traffic from the elastic network interface (ENI) of the source Elastic Compute Service (ECS) instance and forwards it to the designated ENI. This feature is commonly used in content inspection, threat monitoring, and troubleshooting.

  • Traffic audit: Suricata is used in this example to receive the mirrored packets and detect anomalies. It offers features such as VXLAN encapsulation and decapsulation, intrusion detection service (IDS), intrusion prevention service (IPS), and network security monitoring. Suricata identifies malicious traffic patterns and integrates seamlessly with the visual analytics system Elasticsearch. You can also choose other security analysis tools from Alibaba Cloud Marketplace.

  • Log processing and storage: After Filebeat collects Suricata logs, the logs are stored in Elasticsearch by indexes and visualized in Kibana, where you can query, analyze, and view the logs.

  • Index file storage: Store the indexed traffic records in Alibaba Cloud Object Storage Service (OSS) after you configure Elasticsearch. This ensures data is securely stored and accessible over the long term.

Prerequisites

  • Two VPCs are created with one ECS instance in each.

    • An elastic IP address (EIP) can be associated with ECS1 for Internet access if necessary.

    • An EIP is assigned to ECS2, the traffic mirror destination, for Internet access and Suricata deployment.

    • The servers run Alibaba Cloud Linux 3.2104 LTS 64-bit as the operating system in this example.

    • The security group for ECS2 allows inbound traffic on UDP port 4789, so that the VXLAN-encapsulated UDP packets carrying the mirrored traffic from ECS1 can reach ECS2.

  • Enable the traffic mirroring feature as prompted if you have not activated it.

  • The two VPCs must be connected if the traffic mirror source and destination are in different VPCs. In this example, the two VPCs are connected through a VPC peering connection.

  • An Elasticsearch instance is created with Kibana Public Network Access enabled. Add the public IP address that will access Kibana to the Kibana whitelist.

Procedures

Step 1: Configure Suricata

You need to deploy Suricata on ECS2 to receive network traffic and conduct security audits.

  1. Log on to ECS2 and run the following commands to install Suricata.

    # Install dependencies
    sudo dnf install -y gcc libpcap-devel pcre-devel libyaml-devel file-devel \
                         zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel
    
    # Install suricata
    sudo dnf install suricata -y
    
    # Ensure suricata starts automatically
    sudo systemctl enable suricata
    sudo systemctl start suricata
  2. Configure Suricata.

    The configuration of Suricata is in /etc/suricata/suricata.yaml. You can stick with the default settings.

  3. Update the security rules.

    Run suricata-update to refresh the rule files, which are stored in /var/lib/suricata/rules/suricata.rules by default.

  4. Run sudo service suricata restart to restart Suricata.

Step 2: Configure traffic mirroring

  1. Set up a filter.

    1. Log on to the VPC console. In the left navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.

    2. On the Filter page, click Create Filter. In the Rule Configuration section, click the Outbound Rules tab and choose Create Rule. Keep the default settings so that all traffic is captured. Click Save.

  2. Create and activate a traffic mirror session.

    1. In the left navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

    2. On the Traffic Mirror Session page, click Create Traffic Mirror Session. Keep the default Basic Configuration. For Associate Filter, select the filter created in Step 1. Then, choose the ENI of ECS1 as the Traffic Mirror Source and the ENI of ECS2 as the Traffic Mirror Destination.

    3. On the Traffic Mirror Session page, find the session you just configured and click Start in the Actions column.

  3. After traffic mirroring is configured and Suricata is running properly, the following log files are generated in the /var/log/suricata/ directory.

    /var/log/suricata/
    ├── certs
    ├── core
    ├── eve.json            ## All captured flow, alert, stats, and HTTP logs in JSON format
    ├── fast.log            ## Alert logs from detection and analysis
    ├── files
    ├── stats.log           ## Detailed statistics on captured and processed packets
    ├── suricata.log        ## Detailed runtime logs
    └── suricata-start.log  ## Detailed startup logs

Step 3: Collect and store Suricata logs

You can use Filebeat to transfer Suricata logs to Elasticsearch for indexing and storage and utilize Kibana for log visualization.

  1. Log on to ECS2 and run the following command to install Filebeat.

    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-x86_64.rpm
    sudo rpm -vi filebeat-7.10.0-x86_64.rpm
  2. Adjust the Filebeat Suricata module configuration to specify the traffic log files to be collected.

    1. Enable the Suricata module by running sudo filebeat modules enable suricata.

    2. Edit the Suricata module configuration by running sudo vim /etc/filebeat/modules.d/suricata.yml.

      - module: suricata
        # Specify traffic log files for collection
        eve:
          enabled: true
          var.paths: ["/var/log/suricata/eve.json"]
    3. Press Esc, type :wq, and press Enter to save changes and exit.

  3. Configure the filebeat.yml file by running sudo vim /etc/filebeat/filebeat.yml and complete the connection settings.

    1. Modify the configuration of Filebeat modules.

      filebeat.config.modules:
        # Globally load configuration files
        path: /etc/filebeat/modules.d/suricata.yml
      
        # Enable dynamic reloading and application of new configurations
        reload.enabled: true
      
        # Check for configuration changes at the specified interval
        reload.period: 1s
    2. Modify the Kibana configuration.

      setup.kibana:
        host: "https://es-cn-8l**********2r7ln-kibana.cn-hangzhou.elasticsearch.aliyuncs.com:5601"

      host: This is the address for Kibana with a format of <Kibana public address>:5601. For more information, see Kibana configuration.

    3. Adjust the Elasticsearch output settings.

      output.elasticsearch:
        # Specify the Elasticsearch instance for log storage
        hosts: ["http://es-cn-8ly**********r7ln.elasticsearch.aliyuncs.com:9200"]
        username: "elastic"
        password: "<your_password>"

      host: The address for Elasticsearch with a format of <private or public address of the instance>:9200. For more information, view the basic information of a cluster.

      username: The default username for Elasticsearch is elastic.

      password: The password that is set in instance creation. If you forget the password, you can reset the access password for an Elasticsearch cluster.

    4. Press Esc, type :wq, and press Enter to save the changes and exit.

    5. Run the following commands to load resources such as the dashboards into Elasticsearch and Kibana, and then start Filebeat.

      sudo filebeat setup
      sudo service filebeat start

Step 4: Visualize VPC traffic

  1. Log on to the Kibana console of the Elasticsearch instance. In the left navigation pane, click Kibana > Discover and change the Index Pattern to filebeat.

  2. Add the alert filter and select a time range in the upper-right corner to view potential threats in VPC traffic during the specified period.

Step 5: Verify alerts

  1. Log on to ECS1 and run curl http://testmynids.org/uid/index.html to simulate the output of the id command and trigger an alert.

    Note

    The Suricata rule set includes the following rule, which drops the packet and generates an alert when a packet contains the string uid=0|28|root|29| (that is, uid=0(root)) and classifies the traffic as bad-unknown.

    alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
  2. In the Kibana interface, apply the GPL filter to view the alerts that correspond to the Suricata IDS signature rule GPL ATTACK_RESPONSE id check returned root.
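    The Kibana filters in Step 4 and Step 5 can be reproduced offline against eve.json, which is useful when checking the pipeline before Filebeat ships anything. The following is an added example, not code from the Alibaba Cloud page or from Suricata; the eve.json lines it reads are constructed to match the EVE alert format, and the non-GPL signature ID 9000001 is a placeholder.

```python
"""Summarize Suricata alert events from eve.json the way the Kibana 'alert' and
'GPL' filters do, but offline. Added example; not part of the original page.
The log lines below are constructed to mirror Suricata's EVE JSON alert format."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of /var/log/suricata/eve.json (one JSON event per line).
# 203.0.113.7 is a documentation address standing in for the test web server.
SAMPLE_EVE = """\
{"timestamp":"2024-10-31T10:00:01.000000+0800","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"203.0.113.7","proto":"TCP"}
{"timestamp":"2024-10-31T10:00:02.000000+0800","event_type":"alert","src_ip":"203.0.113.7","src_port":80,"dest_ip":"192.168.1.10","dest_port":40222,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-10-31T10:00:03.000000+0800","event_type":"alert","src_ip":"192.168.1.10","src_port":40223,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL TEST non-GPL alert (constructed)","category":"Misc activity","severity":3}}
{"timestamp":"2024-10-31T10:00:04.000000+0800","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2024-10-31T10:00:05.000000+0800","event_type":"alert","src_ip":"203.0.113.7","src_port":80,"dest_ip":"192.168.1.10","dest_port":40224,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
this line is not JSON and must be skipped
"""


def iter_alerts(lines: Iterable[str]) -> Iterable[dict]:
    """Yield only alert events (the Kibana 'alert' filter); skip flow/stats
    events and lines that are not valid JSON, e.g. a partially written line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def count_by_signature(lines: Iterable[str], prefix: str = "") -> Dict[Tuple[int, str], int]:
    """Count alerts per (sid, signature). 'prefix' plays the role of the free-text
    'GPL' filter applied in Kibana: only signatures starting with it are kept."""
    counts: Counter = Counter()
    for event in iter_alerts(lines):
        alert = event["alert"]
        if alert["signature"].startswith(prefix):
            counts[(alert["signature_id"], alert["signature"])] += 1
    return dict(counts)


def talkers_for_sid(lines: Iterable[str], sid: int) -> List[Tuple[str, str]]:
    """Distinct (src_ip, dest_ip) pairs for one sid, e.g. which server answered
    with uid=0(root) and which mirrored ECS instance received it."""
    return sorted({(e["src_ip"], e["dest_ip"]) for e in iter_alerts(lines)
                   if e["alert"]["signature_id"] == sid})
```

Run it against the real file with open("/var/log/suricata/eve.json") in place of SAMPLE_EVE.splitlines(); the sid 2100498 entry is the one the Kibana GPL filter surfaces.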

What to do next: Data backup

You can back up the Elasticsearch index files to secure the data and maintain long-term access to it. Automatic backup is enabled for Elasticsearch by default. You can store the automatic backup snapshots in an Alibaba Cloud OSS repository.

FAQ

  1. How do I make changes to the Filebeat configuration take effect?

    Restart the service after modifying the configuration file. You can run the following command to restart Filebeat.

    sudo systemctl restart filebeat
  2. How do I verify that traffic is forwarded to the traffic mirror destination after configuring traffic mirroring?

    Log on to ECS2, the traffic mirror destination, and run the following command to verify whether the mirrored packets are received.

    tcpdump -i eth0 udp port 4789 -nne

    The identifier vni 1 in the output indicates that the destination receives VXLAN-encapsulated packets and the traffic mirror session is working.
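    To see what arrives on UDP port 4789 beyond tcpdump's one-line summary, the following added example (not code from the Alibaba Cloud page) decodes the VXLAN header and the inner Ethernet/IPv4 headers of a mirrored packet, which is the view Suricata has after decapsulation. The sample bytes are constructed; the MAC and IP addresses in them are placeholders.

```python
"""Decode VXLAN-encapsulated mirrored traffic as received on UDP port 4789.
Added example; not part of the original page. Input is the UDP payload, i.e.
the bytes after the outer IP/UDP headers that tcpdump summarises as 'vni N'."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

VXLAN_PORT = 4789            # IANA port for VXLAN; the one opened in the security group
VXLAN_FLAG_VNI_VALID = 0x08  # the 'I' flag: VNI field is valid


@dataclass
class MirroredPacket:
    vni: int
    inner_src_mac: str
    inner_dst_mac: str
    ethertype: int
    inner_src_ip: Optional[str]
    inner_dst_ip: Optional[str]
    ip_proto: Optional[int]


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(udp_payload: bytes) -> MirroredPacket:
    """Parse the 8-byte VXLAN header, then the inner Ethernet and (if IPv4) IP header."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("payload too short for VXLAN + inner Ethernet header")
    # VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)
    flags, vni_raw = struct.unpack("!B3x3sx", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; not a valid VXLAN frame")
    vni = int.from_bytes(vni_raw, "big")
    inner = udp_payload[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    src_ip = dst_ip = proto = None
    if ethertype == 0x0800 and len(inner) >= 14 + 20:  # IPv4 with full 20-byte header
        ip = inner[14:]
        proto = ip[9]                       # 6 = TCP, 17 = UDP, 1 = ICMP
        src_ip = str(ip_address(ip[12:16]))
        dst_ip = str(ip_address(ip[16:20]))
    return MirroredPacket(vni, _mac(src_mac), _mac(dst_mac), ethertype, src_ip, dst_ip, proto)


def build_sample(vni: int = 1) -> bytes:
    """Constructed sample payload: VXLAN header + inner Ethernet + minimal IPv4 (TCP)."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0])  # ver/IHL, len=40, DF, ttl=64, proto=TCP
    ip += bytes([192, 168, 1, 10]) + bytes([10, 0, 0, 5])   # placeholder src -> dst
    return vxlan + eth + ip
```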