Visibility for NetOps and SecOps with cPacket and VPC Traffic Mirroring

Introduction to network visibility for NetOps and SecOps

The Rising Need for NetOps

Over the past year, organizations have responded to a massive shift towards digital transformation as consumers and businesses rely heavily on digital first services. These growing online transactions have created an unprecedented amount of data. This increased demand and immense volume of data has added new challenges to the workloads of IT teams and exposed organizations that are not equipped to quickly adapt and thrive in the cloud.

The mandate of the IT network operations (NetOps) team is to keep the business network running reliably and with a high level of performance for applications and end user experience. Today’s NetOps team uses comprehensive network visibility to maintain a reliable and secure network. This requires high resolution and accurate system monitoring that can inspect every single packet at any node, thus enabling network operators with access to the right data from increasingly complex hybrid and cloud networks to quickly identify an incident and resolve it.

The Rising Need for SecOps

Securing the modern enterprise means getting full visibility into a complex web of workloads consisting of distributed services, applications, and data spread across edge, core, and multi-cloud deployments. Organizations are now understanding the true value that SecOps teams can bring to a business success by improving the overall security posture and reducing the risk of breaches, gaining visibility in the cloud, and providing advanced security analytics to enable decision makers to make confident decisions in order to reduce risks. 

Introduction to cPacket’s cCloud product 

cPacket’s cCloud® solution provides a complete cloud-native and hybrid-cloud visibility suite that creates consistent visibility for application experience and security. Fully integrated with AWS, the cCloud solution enhances cloud-native services by adding packet data management, delivery, replication, and provides feeds for stateful and real-time security analysis.

Product overview diagram: cCloud and VPC Traffic Mirroring for NetOps

Referring to the above diagram, cCloud provides three virtual appliances that are deployed to the customer’s AWS account and leverage the Amazon VPC Traffic Mirroring capability. AWS recently expanded support for VPC Traffic Mirroring to more compute instances.

  1. A packet brokering appliance – cVu-V – which handles receiving packets from the infrastructure and then replicating them to multiple downstream tools
  2. A packet storage and analytics appliance – cStor-V – which receives packets from either a packet broker (i.e. cVu-V) or directly from the infrastructure. cStor-V stores both raw packets and meta-data from real time protocol analysis
  3. A management and analytics appliance – cClear-V – which provides a single pane of glass for managing cPacket’s appliances and visualizing network analysis in customizable dashboards

How it works: NetOps with cPacket’s cCloud and Amazon VPC Traffic Mirroring

Solution Diagram: cCloud and VPC Traffic Mirroring for NetOps

cPacket Networks and Amazon Web Services (AWS) together provide visibility into cloud workloads running in Amazon Virtual Private Cloud (VPC) environments. Amazon VPC Traffic Mirroring forwards a copy of network traffic from each Elastic Network Interface (ENI) attached to an Elastic Compute Cloud (EC2) VM to a virtual appliance which can then be used for content inspection, performance monitoring, and troubleshooting.  

In the diagram above, we’ve connected cPacket’s cStor-V appliances to a topology that leverages AWS Network Load Balancer as a traffic mirroring target. This allows us to create a cluster of cStor-V’s behind the load balancer to handle increased traffic loads and support NetOps use cases for analyzing connections between nodes. 

Our goal in the NetOps scenarios here is to monitor performance and find where problems exist between nodes that have traffic mirroring enabled. 

For NetOps, cPacket’s cCloud extends Amazon VPC traffic mirroring in the following ways:

  • Provides real time network analysis – with TCP timing data and granularity that is not available through other means (ex. VPC Flow Logs). This is helpful in understanding where bottlenecks may exist; be they network resources or VM/Application level resources.
  • Provides the ability to search through raw packets – across large raw packet data sets – creating aggregated packet captures that are reduced to the search criteria. This is useful for in depth analysis of failure for cases where having a full packet capture is required. For instance, a full packet capture of a web request that has traversed a complex topology from a public front end, through reverse proxies and finally to a custom RESTful web service.

Revisit the diagram for more information on cCloud appliances

cStor-V: Storage, Forensic Analysis, and Compliance Platform

Packets flow from the VPC Traffic Mirroring session via the load balancer to a cluster of cStor-V appliances. Each cStor-V appliance both stores the raw packets and also performs real time analysis on packets for various protocols (ex. TCP). The analysis output is then saved and made available via APIs to other applications, specifically cClear-V.

cClear-V: Analytics and Visualization Platform

cClear-V defines a set of network monitors each with their own search criteria and target cStor-V appliances. Analytics data is then pulled from cStor-Vs and made available to dashboards for query and visualization. Dashboards can be created to visualize timing data for a specific set of nodes or present higher level “speeds & feeds” style information from across the network. 

Screenshot: Timing information extracted from real-time analytics done on cStor-V and visualized in cClear-V

Screenshot: Dashboard customization – the operator can customize dashboards with queries to focus on specific areas of interest in the network topology

How it works: SecOps with cPacket’s cCloud and Amazon VPC Traffic Mirroring

Diagram: cCloud and VPC Traffic Mirroring for SecOps

For SecOps, cPacket’s cCloud extends Amazon VPC Traffic Mirroring in the following ways:

  • Provides the ability to replicate traffic to multiple downstream tools – each having its own objectives in terms of analyzing raw network traffic. Downstream tools examples include products from companies such as Vectra, Corelight, and Fortinet
  • Provides the ability to search through raw packets, across large raw packet data sets, creating aggregated packet captures that are reduced to the search criteria
  • Provides real time network analysis – this allows security tools to work with analyzed data vs raw packet data 

Referring to the diagram above, the cVu-V packet broker is configured to receive packets from VPC Traffic Mirroring. It then consolidates, processes, and replicates these packets to multiple downstream tools for the threat analysis. In this scenario, the security tools have the ability to process packets in real time, and therefore detect threats as they appear on the network. In addition, we’ve added a cStor-V to store and analyze packets. This allows security tools to access a historical window of both the raw packet data and analytics meta data for threat detection. For instance, a security tool may be updated to be aware of newly discovered threats and then go analyze historical data from the cStor-V cluster to determine how long those threats have existed on the infrastructure.

cVu-V also provides advanced processing features such as filtering to further narrow the flow of packets that are of more interest, thereby, reducing bandwidth and maximizing traffic mirroring investment.

cClear-V, in the SecOps scenario, provides the ability to access analytics output in a query able form. This can be ideal for security analysis that does not require raw packets.

Diagram: Packets brokered by cCloud for real time threat detection by Vectra’s Cognito Platform

Host Dashboard

Host Detail

Summary 

Amazon VPC Traffic Mirroring creates the essential packet mirroring source required to monitor virtual machines running in AWS. cPacket’s cCloud solution extends this to provide organizations with a scalable and highly available cloud visibility solution that provides critical real-time analytics, network data search platform, and access to historical data for NetOps and SecOps workflows. All are critical to ensure that IT teams can ensure excellent application level experiences and ensure threats to their businesses are detected and prevented.