Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Packet Capture on AWS

8,758 views

Published on

Packet Capture on AWS. Simple explanation of why security people like to capture packets, how it can be done, potential architectures, and a POC using a WatchGuard Firebox Cloud, the CLI, a bucket, bucket policy, etc. and a lambda function to show that packet capture is possible. Next steps for an actual production solution.

Caveat: these slides were written in about one hour. Please refer to the paper for details.

Published in: Technology
  • I have always found it hard to meet the requirements of being a student. Ever since my years of high school, I really have no idea what professors are looking for to give good grades. After some google searching, I found this service ⇒ www.HelpWriting.net ⇐ who helped me write my research paper. The final result was amazing, and I highly recommend ⇒ www.HelpWriting.net ⇐ to anyone in the same mindset as me.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Ich kann eine Website empfehlen. Er hat mir wirklich geholfen. ⇒ www.WritersHilfe.com ⇐ Zufrieden und beeindruckt.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi there! I just wanted to share a list of sites that helped me a lot during my studies: .................................................................................................................................... www.EssayWrite.best - Write an essay .................................................................................................................................... www.LitReview.xyz - Summary of books .................................................................................................................................... www.Coursework.best - Online coursework .................................................................................................................................... www.Dissertations.me - proquest dissertations .................................................................................................................................... www.ReMovie.club - Movies reviews .................................................................................................................................... www.WebSlides.vip - Best powerpoint presentations .................................................................................................................................... www.WritePaper.info - Write a research paper .................................................................................................................................... www.EddyHelp.com - Homework help online .................................................................................................................................... www.MyResumeHelp.net - Professional resume writing service .................................................................................................................................. www.HelpWriting.net - Help with writing any papers ......................................................................................................................................... Save so as not to lose
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • See how I make over $7,293 a month from home doing REAL online jobs!  http://scamcb.com/ezpayjobs/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ♥♥♥ http://bit.ly/369VOVb ♥♥♥
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Packet Capture on AWS

  1. 1. Packet Capture on AWS Teri Radichel | @teriradichel https://www.sans.org/reading-room/whitepapers/detection/packet-capture-aws-37905 (A SANS Gold Paper)
  2. 2. Largest Security Training Organization in World… SANS.org
  3. 3. What’s a packet? • Data is split into packets or small pieces to send over the network • Follows a protocol – the devices on both ends must understand • Packets are reassembled at the destination, if protocol requires • Some protocols resend failed packets (TCP) others do not (UDP) Source DestinationNetwork
  4. 4. What Is Packet Capture? • Capture the details about packets as they traverse the network. • For example, if you have tcpdump installed can run this on mac/linux: sudo tcpdump –x -n • You’ll get a number of packets rolling by on your screen like this: 23:56:50.183837 ARP, Reply 192.168.1.95 is-at f4:5c:89:b6:7b:7f, length 28 0x0000: 1491 829a 0b62 f45c 89b6 7b7f 0806 0001 0x0010: 0800 0604 0002 f45c 89b6 7b7f c0a8 015f 0x0020: 1491 829a 0b62 c0a8 0101 • That’s a packet displayed in hex format (-x), and with IPs instead of domain names (-n) • http://www.tcpdump.org/tcpdump_man.html
  5. 5. Network Layers and Headers • OSI or TCP model – network layers • Different headers for each layer • Example – IPv4 header • Devices at source wrap the packet in a headers • Devices at the destination unwrap the headers http://websitenotebook.blogspot.com/2014/05/decoding-ip-header-example.html
  6. 6. Decoding Packets • Packets are sent over the network in hex • Decoding a packet header: http://websitenotebook.blogspot.com/2014/05/decoding-ip-header- example.html • Hex to Binary Cheat Sheet: • http://websitenotebook.blogspot.com/2014/05/hexadecimal-to- binary-to-decimal-cheat.html • Note that on AWS there are some AWS specific headers you don’t see • https://www.youtube.com/watch?v=St3SE4LWhKo
  7. 7. Why do we care about packets? • VPC Flow Logs only capture source, destination, protocol, timestamp and a few other things; Web traffic logs only capture certain details pertaining to web requests. • A full packet has much more data that a other types of network logs • Sometimes the full packet is required to resolve network issues • Attackers obfuscate packet data to pass through security appliances undetected – some of these attacks are only visible at packet level • Data hidden in unused packet fields can exfiltrate data on channels in undetected manner only visible when looking at raw packets
  8. 8. Captured packets can be stored and analyzed • Many programs store packets in a format call “pcap” files • Programs such as Wireshark can read these files and help security professionals analyze the data • An IDS/IPS can alert on or block packets that match nefarious patterns (Snort, Bro, Suricata) • Yara files can be used to match packet capture patterns and alert or block malicious traffic • Some devices like a WatchGuard Firebox with security services provide this service so you don’t have to do it yourself
  9. 9. Typical Way to Capture Packets • Span port on switch “mirrors” the data • Send packets to IDS/IPS and/or logs • So…how do we do this on AWS? • Can’t plug into the switch… https://wiki.wireshark.org/CaptureSetup/Ethernet
  10. 10. Tcpdump on every machine <  instances bucket
  11. 11. A better way… • Route All the Packets Through Packet Capture Host(s) • Capture host(s) must be able to receive the traffic, log it, and forward the traffic to the destination • Network configuration must force all packets through the capture host(s) • Any extraneous routes let packets bypass capture host(s)
  12. 12. AWS NAT Example http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html Note that the web server traffic would not pass through the NAT instance and this is typically only for outbound traffic. We want to capture all traffic…
  13. 13. NAT Architecture Security groups and route tables can force all traffic through the NAT. NAT instance can be modified to handle all traffic, in and out.
  14. 14. Proxy Architecture with Load Balancing This shows architecture for Squid proxy. Squid proxy would only handle layer 7 traffic but we could modify these instances to capture all traffic. Load balancing provides scaling. Would need to handle inbound and outbound. https://aws.amazon.com/articles/6463473546098546
  15. 15. Proxy Architecture – Peered VPCs Instances can only talk to other instances in a directly peered VPC. A proxy will allow traffic to pass through one VPC to another. This can be used for nefarious purposes but in our case we can leverage this to capture as it crosses network boundaries, which could be useful. More on that in an upcoming slide.
  16. 16. Packet Capture Via Security Appliance A security appliance designed to capture and pass through network traffic after analyzing it might be a good way to capture packets as they traverse network boundaries. Noticed the network design which separates the packet capture functionality and storage from the rest of the network.
  17. 17. Transit VPC We could use a transit VPC to capture all traffic coming into and leaving AWS, or traversing the network from one account to another. This is a very interesting idea because not only does it make managing connections between different networks easier, it provides a way to ensure all packets must pass through our packet capture architecture. https://aws.amazon.com/blogs/aws/aws-solution-transit-vpc/
  18. 18. POC – Capture Packets in Lambda Function https://github.com/tradichel/PacketCaptureAWS Here’s the POC using WatchGuard Firebox Cloud’s CLI command to capture packets. Clone the code, execute the run file and it will ask a couple questions. You will get this… Note the protection of the key in S3 with stringent bucket policy. Could make it even more stringent by creating the key on the fly in AWS with no access to it outside the AWS network.
  19. 19. Packets! Please read the paper for details. Must have packets flowing when you run the lambda to capture.
  20. 20. What Next? Suggestions? • This was a POC Only! • Lambda is short lived – would want a source that stays online • Need to test performance over time of this solution and others • Scalability • Storage • Potentially set up an open source IDS/IPS to analyze packets • Store as PCAP • Or store to CloudWatch and use some other type of parser to pull the data out into PCAP or desired format
  21. 21. Teri Radichel |@teriradichel https://secplicity.org

×