Enterprises face multiple cybersecurity threats on a daily basis, and with attackers employing more complex techniques, thwarting attacks has become a major challenge. These security incidents have to be detected and analyzed quickly so that remedial action can be taken. In order to do this, network activities need to be logged and examined constantly for any suspicious events.
To detect and contain these incidents, the various components of Virtual Private Cloud (VPC) need to be monitored and analyzed using native monitoring tools offered by Amazon Web Services like NAT Gateway Monitoring and VPC Flow Logs.
A Network Address Translation (NAT) gateway is a device that allows the instances in a private subnet to establish a connection with and send traffic to the internet or other AWS services. However, it does not allow the inbound traffic coming from the internet to reach the instance.
When the NAT gateway forwards the data sent by the instance to the internet, it replaces the private subnet IPv4 address with the NAT device address. Once a response is received, the NAT device address is replaced with the IPv4 address before forwarding the response to the instance. NAT gateways do not support IPv6 traffic.
The NAT gateway service is completely managed by Amazon and does not require any effort on the part of the administrators.
Amazon CloudWatch—a service that is used to monitor and collect data from Amazon Web Services (AWS) resources as well as applications to provide actionable insights in real time—can be used for monitoring NAT gateways.
CloudWatch first collects data present in the form of logs, events, and metrics from AWS resources, applications, and services hosted on the AWS infrastructure. It also monitors the resources and provides key information related to various metrics such as CPU utilization, latency, and disk storage.
It provides standard reports and displays information on dashboards that can be used to analyze various trends, correlate data, and monitor the performance of resources. If any issues are detected, troubleshooting can be done immediately. Users can also configure alarms to trigger actions by setting thresholds for chosen metrics and enabling notifications that will be sent to the user if there are any changes.
The metric data from NAT gateways is provided to CloudWatch at one-minute intervals. CloudWatch collects data such as active connections, bytes transmitted, and number of packets and uses it to monitor the gateways. If any issues arise, you can troubleshoot them instantly. CloudWatch metric data is recorded and retained for a period of 15 months at no extra charge, after which the data points expire and are dropped on a rolling basis as new data points come in.
A flow log collects information about the network traffic that is entering or leaving the network interfaces in a VPC. It can be created for a VPC subnet, a VPC, or a network interface. When a flow log is created for a subnet or a VPC, all the network interfaces in the subnet or the VPC will be monitored.
These VPC flow logs help security teams monitor the flow of traffic in the entire virtual network, detect anomalies, take action if there are any suspicious activities taking place, and identify excessively restrictive rules in security groups.
The different information types collected by flow logs include source and destination IP addresses, port numbers and protocols used, packets and bytes transferred, network traffic allowed and denied by security groups, network access control lists, and more. They are recorded as flow log records. Each flow log record consists of values of the various components of the IP traffic flow occurring within an aggregation interval (capture window).
The default format for the flow log record consists of the following fields in the same order:
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
The default format only records information for a subset of all the available fields of a flow log record. If you want to record information for all the available fields or for a different subset of the fields, you can choose a custom format. Custom formats will help you create flow logs as per your requirements.
Here's an example of a flow log record. In this instance, SSH traffic was allowed to enter the network interface eni-1235b8ca134556889 in the account 12456788010.
2 12456788010 eni-135b8ca1234556889 172.31.16.139 172.31.16.21 20641 22 6 20 4229 1417630010 1418530070 ACCEPT OK
These flow logs provide various insights to users, helping them not only detect abnormal activities, security and connectivity issues, and performance issues, but troubleshoot them as well. They also help in making sure that the network access rules are working as expected.
Zoho Corporation Pvt. Ltd. All rights reserved.
