kentoh - Fotolia

How security teams benefit from traffic mirroring in the cloud

Enterprises with the resources to deploy traffic mirroring are gaining security benefits. Frank Siemons explains how traffic mirroring has adapted to new and evolving cyber-risks.

Network and security engineers will inevitably run into the concept of traffic monitoring during their professional career. Traffic mirroring enables a single source of traffic to be sent to multiple destinations in real time.

There are numerous reasons why organizations would want to mirror traffic as it traverses certain parts of their networks. The ability to debug, analyze and enable specific security controls are the primary use cases. In the case of hard-to-find outages, mirrored traffic that is captured to disk or analyzed in real time can be used to pinpoint the reason for the outage, such as a bad firewall block rule or an issue with routing protocols.

The main benefit of traffic mirroring in the cloud is its ability to be analyzed without interfering with the flow itself. Companies often cannot afford the hardware and licenses that real-time traffic throughput requires for a sandbox or intrusion detection system (IDS), and they potentially risk delays in the traffic flows. A mirrored traffic stream resolves these issues. It also adds the ability to test controls without affecting production traffic. Finally, security professionals can use packet capture technology for security analysis and to meet compliance regulations. This is accomplished by writing network traffic to a disk, which requires a point to tap into the network traffic and to listen in on.

How traffic mirroring adapted to changing demands

Many primarily hardware-based options are available to create a mirrored traffic feed within a network. Options range from small devices for copper or fiber -- literally, a mirror -- all the way up to dedicated switch ports using the Switched Port Analyzer feature and hardware devices. It is also possible to use the Linux OS to dedicate a network interface card to effectively create a mirrored port.

This worked fine in the past when organizations still had full control over their networks and their hardware. With the migration to the cloud, however, many vendors were not too excited to give this physical layer access to their often shared virtual infrastructure. Not only were there technical challenges to overcome -- VM agents were often needed -- security and privacy concerns were raised as well.

To help, Microsoft created Azure Network Watcher, which enabled data to be captured to files. Though it was a step in the right direction, this technology was hard to use for large-scale, continuous security monitoring, like those used in IDSes. Customers simply needed more flexibility.

Amazon VPC traffic mirroring features

Amazon Virtual Private Cloud (VPC) is widely used by companies that want to be completely flexible within their own cloud instance. Network resources and connectivity can be designed and scaled as required. In June, Amazon officially launched VPC Traffic Mirroring as a new feature. Traffic flowing through network resources can be mirrored and redirected to elastic network interfaces or a network load balancer. Filters can be applied to capture only the traffic of interest. For example, customers can ignore all encrypted HTTPS traffic. This keeps storage and throughput costs under control.

The VPC platform not only enables custom-built packet capture and security monitoring solutions; it also opens up a broad range of new vendor products ready to be deployed within the environment.

The VPC platform not only enables custom-built packet capture and security monitoring solutions; it also opens up a broad range of new vendor products ready to be deployed within the environment.

Third-party products on the market

New vendors have had access to a prelaunch version of the VPC Traffic Mirroring service. They used this time to provide feedback and to develop compatible virtual applications and devices. They include Cisco Stealthwatch Cloud, Palo Alto VM-Series Virtualized Next-Generation Firewall and ExtraHop Reveal(x) Cloud, as well as the deep learning-powered Blue Hexagon Threat Protection.

Many vendors have adapted existing products or built new products using this new traffic mirroring feature, and it is likely many more will follow. These product developments make it possible for customers to use the new functionality immediately.

How the competition stacks up

Microsoft launched its virtual network Terminal Access Point this year as well. Its flexibility and associated products are quite similar to what Amazon offers, but most other cloud service providers (CSPs) still hang on to the need to deploy local agents. This shows that it is difficult -- and costly -- to develop a better approach, or maybe it's just that their customer base doesn't need the option that badly. Most customers are likely committed to a certain platform by the time they get to the more advanced features, such as traffic mirroring in the cloud. Alternatively, customers who need traffic mirroring features may already be committed to a different platform or have already chosen larger CSPs for other desired features.

Another benefit of traffic mirroring in the cloud is that it often can be used to ensure organizational compliance. Packet capture techniques provide a treasure trove of security and compliance information, but packet capture poses certain challenges. For example, roadblocks may include the need for large amounts of reasonably fast storage, the ability to capture large amounts of data during business hours -- but scale this back during quiet times -- and the development of a reliable system to do so.

The good news is that a cloud platform can provide all of these prerequisites, as long as the budget allows. Coupled with the deployment of these flexible port mirroring options, nothing will stand in the way to rolling out this technology.

Dig Deeper on Network security