
Introduction

This document describes the steps needed to deploy the Traffic Mirroring solution with the Blue Hexagon (BH) Amazon Machine Image (AMI) and to set up integrations with AWS Security Hub and AWS Lambda. The solution described in this document uses many built-in AWS features to make the deployment easier for AWS customers. For example, AWS services such as Network Load Balancer (NLB), Auto Scaling Group (ASG) and the AWS Console are used. The AWS Console, for instance, is used for setting up Traffic Mirror Targets and Traffic Mirror Sessions in a given AWS account.

Customers can, however, choose to use other solutions available from various third-party providers. Please note: a Blue Hexagon representative can assist you in deploying the solution.

Deployment Procedure

Here are the steps to deploy Blue Hexagon with Amazon Traffic Mirroring.

  • The Blue Hexagon AMI is available as a private AMI. Therefore, the customer has to provide the Blue Hexagon representative with their relevant AWS account and region information
  • Blue Hexagon will then share the BH AMI with the customer's AWS account
  • The customer can then provision the stack using the CloudFormation template (provided via S3)
  • Set up the Traffic Mirror Target in the AWS console

Step-1 Information Gathering

Provide the following information to your Blue Hexagon representative:

  • AWS Account ID
  • VPC Region where the solution will be deployed

Step-2 Provisioning of Stack

A Blue Hexagon representative can assist you with the following steps.

...

The deployment should complete within 15 minutes.

Step-3 Setting up Traffic Mirror Target

  • Once Step 2 finishes, go to the VPC Dashboard. Scroll all the way down and, in the left menu, click on "Mirror Targets"
  • To create a Target, choose "Network Load Balancer" from the "Target Type" drop-down list
  • Then choose the "Target": the Network Load Balancer named after the "Stack Name" used in Step-2.6
  • Other tag details are at your discretion
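The same Step-3 registration done through the EC2 API instead of the console, as an added example that is not Blue Hexagon's or AWS's own code. It assumes (as Step-3 implies) that the stack's NLB carries the stack name, and it takes the EC2 and ELBv2 clients as parameters so the flow can run with the constructed stand-ins at the bottom; with boto3 installed and credentials present, `boto3.client("ec2")` and `boto3.client("elbv2")` drop in unchanged. The ARN check rejects an Application Load Balancer ARN up front, since Traffic Mirroring only accepts a Network Load Balancer as this target type.

```python
import re

# Shape of a Network Load Balancer ARN: "/net/" distinguishes it from an
# Application Load Balancer's "/app/". Only an NLB is a valid target here.
NLB_ARN_RE = re.compile(
    r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/net/[^/]+/[0-9a-f]+$"
)


def is_nlb_arn(arn):
    """True when the ARN names a Network Load Balancer."""
    return bool(NLB_ARN_RE.match(arn))


def find_nlb_arn(elbv2, stack_name):
    """Return the ARN of the NLB named after the stack (assumption from Step-3)."""
    resp = elbv2.describe_load_balancers(Names=[stack_name])
    for lb in resp.get("LoadBalancers", []):
        if lb.get("Type") == "network":
            return lb["LoadBalancerArn"]
    raise LookupError(f"no Network Load Balancer named {stack_name!r}")


def create_mirror_target(ec2, nlb_arn, name):
    """Register the NLB as a Traffic Mirror Target and return its tmt-... ID."""
    if not is_nlb_arn(nlb_arn):
        raise ValueError(f"not a Network Load Balancer ARN: {nlb_arn}")
    resp = ec2.create_traffic_mirror_target(
        NetworkLoadBalancerArn=nlb_arn,
        Description=f"Blue Hexagon NLB for stack {name}",
        TagSpecifications=[{
            "ResourceType": "traffic-mirror-target",
            "Tags": [{"Key": "Name", "Value": name}],
        }],
    )
    return resp["TrafficMirrorTarget"]["TrafficMirrorTargetId"]


def setup_target(ec2, elbv2, stack_name):
    """Steps 3.2 and 3.3 in one call: find the stack's NLB, register it."""
    return create_mirror_target(ec2, find_nlb_arn(elbv2, stack_name), stack_name)


# ---- Constructed stand-ins so the flow runs without AWS credentials --------
class FakeElbv2:
    """Answers describe_load_balancers with one NLB named as requested."""
    def describe_load_balancers(self, Names):
        return {"LoadBalancers": [{
            "LoadBalancerName": Names[0],
            "Type": "network",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                               "loadbalancer/net/" + Names[0] + "/0123456789abcdef",
        }]}


class FakeEc2:
    """Records the create_traffic_mirror_target request and returns a sample ID."""
    def __init__(self):
        self.calls = []

    def create_traffic_mirror_target(self, **kwargs):
        self.calls.append(kwargs)
        return {"TrafficMirrorTarget": {"TrafficMirrorTargetId": "tmt-0a1b2c3d4e5f60718"}}


if __name__ == "__main__":
    # Real clients: ec2 = boto3.client("ec2"); elbv2 = boto3.client("elbv2")
    print(setup_target(FakeEc2(), FakeElbv2(), "bh-traffic-mirror"))
```

The target ID this returns is what the Traffic Mirror Session for each monitored ENI refers to; note that the instance profile's SecurityAudit and ViewOnlyAccess policies (listed under Reference Architecture) do not include ec2:CreateTrafficMirrorTarget, so this step runs under the operator's credentials, not the appliance's.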

...

Creating traffic mirror target

Reference Architecture

Traffic Mirroring in AWS is a virtual TAP that provides direct access to all the raw packets flowing in a VPC. This traffic is forwarded to the Blue Hexagon Virtual Appliance deployed in the customer VPC, which performs the traffic analysis.

...

  • A Network Load Balancer (NLB) is deployed in a private subnet of the VPC. The NLB is not internet-facing.
  • An Auto Scaling Group (ASG) is deployed, which is responsible for deploying and scaling the BH virtual appliance (AMI).
    • A minimum of 1 instance is deployed
    • The maximum is set at 6
    • The running instance count is increased by 1 when Average Network Bytes In exceeds 500 MB in a 10-minute window
    • The running instance count is decreased by 1 when Average Network Bytes In stays below 500 MB in a 10-minute window
    • The running instance count can never be 0
  • Instances are associated with an Instance Profile, which has the following policies attached to it:
    • arn:aws:iam::aws:policy/SecurityAudit
    • arn:aws:iam::aws:policy/ViewOnlyAccess
  • The NLB FQDN is registered as the Traffic Mirror Target.
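A simulation of the ASG scaling rule listed above, added here as an example and not code from the CloudFormation stack. It applies the stated policy (minimum 1, maximum 6, +1 when the average Network Bytes In over a 10-minute window exceeds 500 MB, -1 when it stays below) to constructed CloudWatch-style datapoints, so the expected capacity changes can be checked before relying on them. It assumes "500 MB" means 500 * 10**6 bytes and that each window is ten one-minute samples of the group's NetworkIn metric; a sample exactly on the threshold triggers neither rule.

```python
from dataclasses import dataclass

MIN_INSTANCES = 1
MAX_INSTANCES = 6
THRESHOLD_BYTES = 500 * 10**6   # 500 MB, assumed to be decimal megabytes
WINDOW_MINUTES = 10             # one scaling evaluation per 10-minute window


@dataclass
class ScaleEvent:
    window: int           # index of the evaluated 10-minute window
    avg_bytes_in: float   # average Network Bytes In over that window
    before: int           # running instances before the evaluation
    after: int            # running instances after the evaluation


def decide(current, avg_bytes_in):
    """Apply the policy once and return the new instance count (clamped to [1, 6])."""
    if avg_bytes_in > THRESHOLD_BYTES:
        return min(current + 1, MAX_INSTANCES)
    if avg_bytes_in < THRESHOLD_BYTES:
        return max(current - 1, MIN_INSTANCES)
    return current  # exactly on the threshold: neither scale-out nor scale-in fires


def simulate(windows, start=MIN_INSTANCES):
    """Run the policy over consecutive windows of per-minute NetworkIn samples (bytes)."""
    events = []
    current = start
    for i, samples in enumerate(windows):
        if len(samples) != WINDOW_MINUTES:
            raise ValueError(f"window {i} has {len(samples)} samples, expected {WINDOW_MINUTES}")
        avg = sum(samples) / len(samples)
        new = decide(current, avg)
        events.append(ScaleEvent(i, avg, current, new))
        current = new
    return events


# Constructed sample: two busy windows, then traffic drops well below the threshold.
SAMPLE_WINDOWS = [
    [600 * 10**6] * WINDOW_MINUTES,   # 1 -> 2
    [700 * 10**6] * WINDOW_MINUTES,   # 2 -> 3
    [100 * 10**6] * WINDOW_MINUTES,   # 3 -> 2
    [100 * 10**6] * WINDOW_MINUTES,   # 2 -> 1
    [100 * 10**6] * WINDOW_MINUTES,   # 1 -> 1 (floor: count can never be 0)
]


def capacity_trace(windows=SAMPLE_WINDOWS, start=MIN_INSTANCES):
    """Convenience: just the instance count after each window."""
    return [e.after for e in simulate(windows, start)]


if __name__ == "__main__":
    for e in simulate(SAMPLE_WINDOWS):
        print(f"window {e.window}: avg {e.avg_bytes_in / 10**6:.0f} MB, {e.before} -> {e.after}")
```

One property worth noticing in the trace: because the policy moves one instance per window in either direction, a sustained burst needs five consecutive windows (50 minutes) to reach the maximum of 6, and scale-in takes the same number of quiet windows to return to 1; a mirrored burst shorter than that will be handled by fewer appliances than the peak rate would warrant.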


Integrations

Blue Hexagon can be configured to publish its findings to an AWS SNS topic in your account. A finding received on the topic triggers an AWS Lambda to either:

...
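The shape of the Lambda function this Integrations section describes, added here as an example that is not Blue Hexagon's own code: SNS invokes the function, the function normalises the message into the AWS Security Finding Format (ASFF) and imports it into Security Hub with BatchImportFindings. The field names inside the SNS message (finding_id, severity, title, description, instance_id, timestamp) are a constructed assumption, since the page does not show the appliance's message layout. The Security Hub client is an optional parameter so the mapping can be exercised with the stand-in below; in Lambda it is omitted and a boto3 client is created.

```python
import json
from datetime import datetime, timezone

SEVERITY_LABELS = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}

# Constructed sample of an SNS delivery; the inner message layout is assumed.
SAMPLE_EVENT = {
    "Records": [{
        "Sns": {
            "Message": json.dumps({
                "finding_id": "bh-0001",
                "severity": "high",
                "title": "Malicious payload observed in mirrored traffic",
                "description": "Known-bad file hash seen in an HTTP response.",
                "instance_id": "i-0123456789abcdef0",
                "timestamp": "2024-01-01T12:00:00Z",
            })
        }
    }]
}


class FakeContext:
    """Stand-in for the Lambda context; only the function ARN is used."""
    invoked_function_arn = "arn:aws:lambda:us-east-1:123456789012:function:bh-to-securityhub"


class FakeSecurityHub:
    """Stand-in for boto3's securityhub client that records what was imported."""
    def __init__(self):
        self.imported = []

    def batch_import_findings(self, Findings):
        self.imported.extend(Findings)
        return {"FailedCount": 0, "SuccessCount": len(Findings), "FailedFindings": []}


def to_asff(msg, account_id, region):
    """Map one appliance message to an ASFF finding for the account's default custom product."""
    label = SEVERITY_LABELS.get(str(msg.get("severity", "")).lower(), "INFORMATIONAL")
    ts = msg.get("timestamp") or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if msg.get("instance_id"):
        resource = {"Type": "AwsEc2Instance",
                    "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{msg['instance_id']}"}
    else:
        resource = {"Type": "Other", "Id": "unknown"}   # ASFF requires at least one resource
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/bluehexagon/{msg.get('finding_id', ts)}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "bluehexagon-traffic-mirror",
        "AwsAccountId": account_id,
        "Types": ["Unusual Behaviors/Network Flow"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": label},
        "Title": str(msg.get("title", "Blue Hexagon finding"))[:256],
        "Description": str(msg.get("description", ""))[:1024] or "No description supplied.",
        "Resources": [resource],
    }


def handler(event, context, securityhub=None):
    """Lambda entry point: convert every SNS record and import the batch."""
    if securityhub is None:
        import boto3  # only needed when running inside Lambda
        securityhub = boto3.client("securityhub")
    arn_parts = context.invoked_function_arn.split(":")
    region, account_id = arn_parts[3], arn_parts[4]
    findings = []
    for record in event.get("Records", []):
        try:
            msg = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed record: skip it rather than fail the whole batch
        if isinstance(msg, dict):
            findings.append(to_asff(msg, account_id, region))
    if not findings:
        return {"imported": 0}
    resp = securityhub.batch_import_findings(Findings=findings)
    return {"imported": resp["SuccessCount"], "failed": resp["FailedCount"]}


if __name__ == "__main__":
    hub = FakeSecurityHub()
    print(handler(SAMPLE_EVENT, FakeContext(), securityhub=hub))
    print(json.dumps(hub.imported[0], indent=2))
```

The finding Id is built from the region, account and the appliance's own finding_id, so a re-delivered SNS message updates the existing Security Hub finding instead of creating a duplicate. The function's execution role needs securityhub:BatchImportFindings; the appliance's instance profile policies listed under Reference Architecture do not grant that, which is the reason the import is done from Lambda rather than from the appliance.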