Royal Holloway: Security evaluation of network traffic mirroring in public cloud
This article in our Royal Holloway security series examines the network monitoring technique called network traffic mirroring, demonstrating how the technique is being implemented in public cloud and the challenges the technique faces due to the inherent characteristics of the public cloud – security challenges that, if not addressed, can be detrimental to the security posture of an enterprise.
Table Of Contents
- To evaluate the security and determine the reliability of network traffic mirroring, an experiment was carried out on two public cloud environments.
- The experiment examined the weaknesses of the techniques used in public cloud to carry out network traffic mirroring.
- The experiment focused on the three most commonly used protocols (ICMP, HTTP and DNS) and was carried out in three separate scenarios.
- The main observations made and potential weaknesses discovered in the experiment were an inability to mirror DNS traffic; challenges with autoscaling of the mirror source node; and challenges with the addition of a new virtual network interface.
- The experiment found that network traffic mirroring in public cloud is a relatively new technology and while it offers various advantages for analysing and monitoring network traffic, it is not yet a mature technology and has some major flaws, including the inability to mirror DNS traffic.
- In the experiment this flaw was exploited to carry out data exfiltration, highlighting this serious security drawback. We also suggested ways in which this situation can be addressed; however, they come with some restrictions and need to be evaluated against individual requirements.
- Further improvements in the design and implementation of network traffic mirroring in public cloud are required to ensure that the mirroring technique mirrors all required network data reliably.
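The findings above amount to a practical rule for defenders: do not assume the mirror target sees everything the source sends, and verify coverage per protocol after every change to the source (an autoscaling event, a new virtual network interface). The following is an added example, not code from the article or from either cloud provider, showing the shape of such a coverage check. It compares a list of probe flows generated on the mirror source against the flows that actually appeared in the capture at the mirror target, and reports which protocols were never mirrored. The capture format, the flow tuples and the sample records are all constructed for this example; the sample reproduces the article's observation that ICMP and HTTP arrive while DNS does not.

```python
"""Mirror-coverage check (added example; assumptions are marked below)."""
from collections import Counter

# Constructed: probes generated on the mirror source, as (proto, dst_ip, dst_port).
# ICMP has no port, so it carries None.
PROBES_SENT = [
    ("icmp", "10.0.2.10", None),
    ("tcp", "10.0.2.10", 80),    # HTTP
    ("udp", "10.0.0.2", 53),     # DNS query to the resolver
    ("udp", "10.0.0.2", 53),     # second DNS query
]

# Constructed: one flow per line from the capture on the mirror target.
# Assumed line format: "<timestamp> <proto> <src[:port]> -> <dst[:port]>".
CAPTURE_TEXT = """\
2024-01-01T00:00:01Z icmp 10.0.1.5 -> 10.0.2.10
2024-01-01T00:00:02Z tcp 10.0.1.5:51234 -> 10.0.2.10:80
"""

# Map well-known (proto, port) pairs to a readable label; anything else is
# reported as "proto/port" so unexpected traffic is still visible.
KNOWN_SERVICES = {("tcp", 80): "http", ("tcp", 443): "https",
                  ("udp", 53): "dns", ("tcp", 53): "dns"}


def label(flow):
    """Turn a (proto, dst_ip, dst_port) tuple into a protocol label."""
    proto, _ip, port = flow
    if proto == "icmp":
        return "icmp"
    return KNOWN_SERVICES.get((proto, port), f"{proto}/{port}")


def parse_capture(text):
    """Parse capture lines in the assumed format into (proto, dst_ip, dst_port)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue                      # skip blank or malformed lines
        _ts, proto, _src, _arrow, dst = parts
        if proto == "icmp":
            flows.append((proto, dst, None))
        else:
            ip, port = dst.rsplit(":", 1)
            flows.append((proto, ip, int(port)))
    return flows


def coverage(sent, seen):
    """Per-protocol counts: {label: (probes_sent, flows_seen_in_mirror)}.

    Counting is per label rather than per exact flow so that a mirror that
    rewrites source ports still gets credit for the traffic it delivered.
    """
    sent_counts = Counter(label(f) for f in sent)
    seen_counts = Counter(label(f) for f in seen)
    return {lbl: (sent_counts[lbl], seen_counts[lbl]) for lbl in sent_counts}


def missing_protocols(sent, seen):
    """Labels that were probed but never appeared in the mirrored capture."""
    return sorted(lbl for lbl, (_s, got) in coverage(sent, seen).items() if got == 0)


if __name__ == "__main__":
    captured = parse_capture(CAPTURE_TEXT)
    for lbl, (s, g) in coverage(PROBES_SENT, captured).items():
        print(f"{lbl:8s} sent={s} mirrored={g}")
    gaps = missing_protocols(PROBES_SENT, captured)
    print("not mirrored:", ", ".join(gaps) if gaps else "none")
```

Run the probes from the source instance, pull the capture from the mirror target, and feed both to the check; a non-empty "not mirrored" list is the signal that monitoring built on the mirror has a blind spot. Because the article also reports problems after autoscaling and after attaching a new virtual network interface, the check is only meaningful if it is re-run after each of those events rather than once at deployment time.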