AWS Deploy: Configure Packet Capture

Document created by RSA Information Design and Development on Feb 6, 2018. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 5

You can integrate either of the following third-party solutions with the Network Decoder to capture packets in the AWS cloud: Gigamon GigaVUE or f5® BIG-IP.

Integrate Gigamon GigaVUE with the Network Decoder

There are two main tasks to configure the Gigamon® third-party tap packet capture solution:

Task 1. Integrate the Gigamon Solution

Gigamon® Visibility Platform on AWS is available through the AWS Marketplace and activated by a BYOL license. A thirty-day free trial is also available.

For more information on the Gigamon® solution refer to the "Gigamon® Visibility Platform for AWS Data Sheet" (https://www.gigamon.com/sites/default/files/resources/datasheet/ds-gigamon-visibility-platform-for-aws-4095.pdf ).

For deployment details, see the "Gigamon® Visibility Platform for AWS Getting Started Guide" (https://www.gigamon.com/sites/default/files/resources/deployment-guide/dg-visibility-platform-for-aws-getting-started-guide-4111.pdf).

After the “Monitoring Session” is deployed within the Gigamon GigaVUE-FM, you can configure the Network Decoder Tunnel.

Task 2. Configure Tunnel on the Network Decoder

  1. SSH to the Decoder.
  2. Enter the following commands.

    $ sudo ip link add tun0 type gretap local any remote <ip_address_of_VSERIES_NODE_TUNNEL_INTERFACE> ttl 255
    $ sudo ip link set tun0 up mtu <MTU-SIZE>

    Verify that the tunnel interface tun0 now appears in the list of interfaces:

    $ sudo ifconfig

    Verify that the following kernel modules are loaded:

    $ sudo lsmod | grep gre
    ip_gre 18245 0
    ip_tunnel 25216 1

    If they are not loaded, run the following commands to load them:

    $ sudo modprobe act_mirred
    $ sudo modprobe ip_gre

  3. Create a firewall rule on the Network Decoder to allow traffic through the tunnel.
    1. Open the iptables file.
      vi /etc/sysconfig/iptables
    2. Add the line -A INPUT -p gre -j ACCEPT before the COMMIT line.
    3. Restart iptables by executing the following command.
      service iptables restart
  4. Set the capture interface in the Network Decoder.
    1. Log in to NetWitness Platform and select the decoder/config node in Explorer view for the Network Decoder service.
    2. Set capture.selected = packet_mmap_,tun0.

  5. (Conditional) If you have multiple tunnels on the Network Decoder:
    1. Restart the Decoder service after you create the tunnels on the Network Decoder.
    2. Log in to NetWitness Platform, select the decoder/config node in Explorer view for the Network Decoder service, and set the following parameters.

      capture.device.params = interfaces=tun0,tun1,tun2

      capture.selected = packet_mmap_,All


  6. Restart the Decoder service.
    $ sudo restart nwdecoder
    The Decoder is now ready to capture network traffic through the tunnel.
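The following POSIX shell helpers are an added example, not RSA's own tooling, that automate steps 2 and 3 of the tunnel procedure: checking that the GRE modules are loaded, creating the gretap tunnel, and inserting the iptables rule before the COMMIT of the *filter table so that re-running does not duplicate it. The function names, the --apply flag, and the sample addresses are assumptions; the remote address and MTU must be supplied by the operator.

```shell
#!/bin/sh
# Added example, not RSA's own tooling: helpers for the tunnel procedure above.
# Assumptions: when applying, the script runs on the Network Decoder as root,
# the firewall file is /etc/sysconfig/iptables, and the remote address and
# MTU are passed in by the operator (the values in comments are placeholders).

# gre_modules_loaded: exit 0 when both ip_gre and ip_tunnel appear in
# lsmod-style text on stdin (first column is the module name).
gre_modules_loaded() {
    awk '$1 == "ip_gre" { g = 1 } $1 == "ip_tunnel" { t = 1 }
         END { exit !(g && t) }'
}

# add_gre_accept_rule FILE: insert "-A INPUT -p gre -j ACCEPT" immediately
# before the COMMIT line of the *filter table, only if it is not already
# present, so the function is safe to re-run. A *nat table's COMMIT is skipped.
add_gre_accept_rule() {
    f=$1
    rule='-A INPUT -p gre -j ACCEPT'
    if grep -qxF -- "$rule" "$f"; then
        return 0
    fi
    awk -v rule="$rule" '
        /^\*/ { table = $0 }
        /^COMMIT$/ && table == "*filter" && !done { print rule; done = 1 }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# create_tunnel REMOTE_IP MTU [DEV]: steps 2 and 3 of the procedure (needs root).
create_tunnel() {
    remote=$1; mtu=$2; dev=${3:-tun0}
    if ! lsmod | gre_modules_loaded; then
        modprobe act_mirred
        modprobe ip_gre
    fi
    ip link add "$dev" type gretap local any remote "$remote" ttl 255
    ip link set "$dev" up mtu "$mtu"
    ip link show "$dev"                      # verify the tunnel interface exists
    add_gre_accept_rule /etc/sysconfig/iptables
    service iptables restart
}

# Apply only when explicitly asked, e.g. ./tunnel.sh --apply 10.0.0.5 1500
# (placeholder address and MTU; steps 4 to 6 are still done in NetWitness Platform).
if [ "${1-}" = "--apply" ]; then
    create_tunnel "$2" "$3"
fi
```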


Integrate f5® BIG-IP with the Network Decoder

BIG-IP Virtual Edition (VE) is an inline virtual server and load balancer. A common use case is for the f5® appliance to act as a virtual web server that presents a single IP address and host name and distributes requests to a pool of web servers in the cloud.

All traffic to RSA NetWitness® Platform flows through the f5® BIG-IP VE virtual server.

The BIG-IP virtual server clones all traffic to a designated host by rewriting MAC addresses and sending the copies onto a subnet shared with the destination sniffer. This section describes how to set up the Decoder as that sniffer.

f5® BIG-IP VE Deployment Information

f5® BIG-IP VE on AWS is available through the AWS Marketplace and activated by a BYOL license. A thirty-day free trial is also available.

For more information on this solution refer to the f5® BIG-IP DNS Data Sheet (https://www.f5.com/pdf/products/big-ip-dns-datasheet.pdf).

Task 1: Set Up a BIG-IP VE Virtual Server Instance

Set up a BIG-IP VE Virtual Server Instance according to the instructions in the "BIG-IP Virtual Edition 12.1.0 and Amazon Web Services: Multi-NIC Manual" (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-multi-nic-setup-amazon-ec2-12-1-0.html). Complete all the steps up to and including the last step, "Creating a virtual server."

This virtual server performs packet capture. Depending on your traffic volume, you may need to create multiple virtual servers.

As part of creating the virtual server, you must have at least one server in your NetWitness Platform domain to handle the traffic routed by the virtual server (for example, you can create another instance in AWS to host the internal server).

Task 2: Create a Clone Pool

  1. Make sure that your Decoder has a network interface on the same subnet as one of the network interfaces on the BIG-IP VE instance.
    The clone pool sends packets to the Decoder by rewriting MAC addresses and sending them out a network interface. MAC address rewriting can be used to route packets to another subnet.
  2. Set up the clone pool within the BIG-IP VE virtual server according to the instructions in "K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 13.x)" article (https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13392.html).
    This document explains how to create the clone pool, and how to make an existing virtual server copy traffic to the clone pool. In this case, we will place the Decoder instance in the clone pool.

Guidelines

The following guidelines help you to configure packet capture correctly using BIG-IP VE.

  • The Decoder instance must have its own IP address on one of the same subnets as BIG-IP VE. BIG-IP uses that IP address to identify the Decoder as being part of the clone pool.
  • When adding the Decoder instance to the clone pool, BIG-IP asks for a port number in addition to the IP address. This port number does not matter for the cloned traffic. The Decoder will receive all the cloned traffic, regardless of what port number was used here.
  • By default, the AWS subnet shared by the Decoder and BIG-IP VE does not allow the cloned traffic to travel from the BIG-IP VE interface to the Decoder interface. You must disable the source/destination check on both the Decoder and BIG-IP VE network interfaces in AWS.
  • The Decoder instance must have a single network interface, eth0, by default. The Decoder captures traffic on this interface, but it may also receive administrative traffic on this interface. RSA recommends using network rules to filter out ssh and nwdecoder traffic from the capture stream. These are ports 22 (ssh) and 50004/56004 (nwdecoder).

Troubleshooting Tips

Check the following areas if packets are not being received by the Decoder.

  • Make sure that the BIG-IP VE is sending the packets out of the correct interface.
    The BIG-IP VE instance contains tcpdump. Use it to verify the cloned packets are being sent out the expected interface. If they are not, there is a problem in the setup of the clone pool or the virtual server.
  • Make sure that the Decoder is receiving packets.
    The Decoder has tcpdump installed on it. Use it to verify that the Decoder is receiving packets. If the Decoder is not capturing packets, make sure that:
    • The AWS source/destination check is turned off.
    • The Decoder is on the same subnet as the interface the BIG-IP VE is using to clone packets.