vpcshark

An open source Wireshark extcap to make ad hoc mirroring of AWS EC2 traffic easier

Tags: AWS, Open Source, Self Hosted Only
Category Network Security
GitHub Stars 15
Last Commit 1 month ago
This page updated 6 days ago
Pricing Details Open Source - Free to use
Target Audience Network engineers, AWS users, security analysts

Technical Details

vpcshark is an open-source Wireshark extcap plugin that automates VPC Traffic Mirroring in AWS so the traffic of a chosen EC2 network interface can be captured ad hoc in Wireshark.

Core Capabilities and Implementation Mechanisms

  • Traffic Mirroring Automation: The tool creates the AWS resources a mirroring session needs: an EC2 instance to receive the mirrored traffic, a traffic mirror target pointing at that instance's network interface, a traffic mirror filter, and a traffic mirror session that copies the selected source ENI's traffic to the target.
  • EC2 Instance Management: It launches a temporary EC2 instance from a user-supplied launch template and is meant to terminate that instance when the Wireshark capture is stopped; the termination is currently not fully implemented, so the receiver instance can outlive the capture.
  • Integration with Wireshark: It registers a capture interface named "AWS VPC Traffic Mirroring: awsvpc" in Wireshark, whose options let the user pick the AWS profile, VPC, source ENI, and EC2 launch template before starting the capture.
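What the receiver instance actually gets from a mirror session is the source ENI's frames wrapped in VXLAN (RFC 7348) and delivered to UDP port 4789, with the session's VirtualNetworkId in the 24-bit VNI field. The following is an added example, not vpcshark's code or its remote tool: it builds a constructed mirrored packet, strips the VXLAN header, checks the VNI against the session the capture created, and summarizes the inner frame the way a capture tool would. All packets, addresses, and MACs are constructed for the example.

```python
"""Decapsulating mirrored traffic as it arrives on the receiver (UDP 4789).

Added example, not vpcshark's code. AWS Traffic Mirroring wraps each mirrored
frame in VXLAN (RFC 7348) and sends it to UDP port 4789 on the mirror target;
the 24-bit VXLAN Network Identifier (VNI) carries the mirror session's
VirtualNetworkId. The packets built below are constructed for this example.
"""
from __future__ import annotations

import ipaddress
import struct

VXLAN_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08             # "I" bit: the VNI field is valid
VXLAN_HEADER = struct.Struct("!B3xI")   # flags, 3 reserved bytes, (VNI << 8) | reserved


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame the way the mirror source does."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return VXLAN_HEADER.pack(VXLAN_FLAG_VNI_VALID, vni << 8) + inner_frame


def parse_vxlan(udp_payload: bytes) -> tuple[int, bytes]:
    """Return (vni, inner Ethernet frame); reject malformed headers."""
    if len(udp_payload) < VXLAN_HEADER.size:
        raise ValueError("VXLAN header truncated")
    flags, word = VXLAN_HEADER.unpack_from(udp_payload)
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, udp_payload[VXLAN_HEADER.size:]


def decapsulate(udp_payload: bytes, expected_vni: int) -> bytes | None:
    """Strip VXLAN and keep only frames from our own mirror session.

    The receiver's security group admits UDP 4789 from the whole VPC CIDR, so
    any host in the VPC could send VXLAN here; the VNI check drops frames that
    did not come from the session this capture created.
    """
    vni, frame = parse_vxlan(udp_payload)
    return frame if vni == expected_vni else None


def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Constructed inner frame: Ethernet II + minimal IPv4 header + payload."""
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip + payload


def summarize_frame(frame: bytes) -> dict:
    """Pull the fields a capture tool would show first: MACs, EtherType, IPv4 endpoints."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    info = {
        "dst_mac": frame[:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] == 0x0800 and len(frame) >= 34:
        info["proto"] = frame[23]                                   # IPv4 protocol byte
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info


if __name__ == "__main__":
    frame = build_ipv4_frame("10.0.1.10", "10.0.2.20", 6, b"\x00\x50\x1f\x90")
    packet = build_vxlan(1234, frame)          # what a UDP socket on port 4789 would hand us
    print(summarize_frame(decapsulate(packet, 1234)))
    print(decapsulate(packet, 4321))           # None: another session's traffic, dropped
```

On a real receiver the bytes come from a UDP socket bound to port 4789 on the instance's private address; the VNI check is cheap and is the only thing that distinguishes the capture's own session from anything else in the VPC that can reach that port.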

Deployment Architecture and Requirements

  • AWS Resources: Requires an AWS account and credentials with permission to launch and terminate EC2 instances and to create traffic mirror targets, filters, and sessions.
  • EC2 Launch Template: The launch template must specify an Amazon Linux 2 based AMI, an instance type, a subnet in the VPC being mirrored, a security group that allows UDP port 4789 (the VXLAN port Traffic Mirroring delivers to) from the VPC CIDR and SSH only from the user's own IP, and a network interface with an auto-assigned public IP address. That public IP is what the local Wireshark host connects to, so the SSH rule is the only thing limiting who on the internet can reach the receiver.
  • Local Environment: The vpcshark binary must be built and copied into Wireshark's extcap directory. The remote tool that runs on the receiver instance must also be built and included in the vpcshark binary.

Integration Points and APIs

  • AWS APIs: The tool interacts with AWS APIs to manage EC2 instances, traffic mirrors, and other resources.
  • Wireshark Integration: It integrates directly with Wireshark through the extcap interface, providing a new capture interface within the Wireshark application.

Key Technical Features and Limitations

  • Automated Traffic Mirroring: Reduces an ad hoc capture to choosing a source ENI in Wireshark instead of creating the receiver instance, target, filter, and session by hand.
  • Resource Cleanup: Automatic destruction of the traffic mirror session is not implemented yet, so leftover resources have to be removed with the --cleanup option. A mirror session that is left behind keeps copying the source ENI's traffic to the receiver until it is deleted.
  • Dependency on EC2 Instance Types: VPC Traffic Mirroring is only available on the instance types AWS supports for it, so the source instance must be one of those; the functionality may become less useful if newer EC2 instance types without traffic mirroring support become more prevalent.

Security Controls and Mechanisms Implemented

  • Security Group Configuration: Relies on the receiver's security group to admit only what the capture needs: UDP port 4789 from the VPC CIDR (mirrored traffic arrives as VXLAN from inside the VPC) and SSH from the user's IP only. Note what this does not restrict: any host in the VPC CIDR can send to port 4789, and the mirrored packets are plaintext copies of the source's traffic, so the receiver instance should be treated as holding sensitive data for as long as it exists.
  • Access Control: Uses the selected AWS profile and whatever IAM permissions it carries (RunInstances, TerminateInstances, and the ec2:CreateTrafficMirror* and ec2:DeleteTrafficMirror* actions); the tool adds no access control of its own, so scoping those permissions is the operator's job.
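The launch template requirement and the security group point above both come down to two ingress rules and nothing else. This added check (not part of vpcshark) takes a security group in the shape EC2 DescribeSecurityGroups returns and reports every rule that is wider than the page calls for: UDP 4789 must come only from the VPC CIDR, SSH only from the operator's single IP, and no other rule should exist. The two groups, their IDs, and the addresses are constructed for the example.

```python
"""Audit a mirror-receiver security group against the two rules it should have.

Added example, not vpcshark's code. Input is a security group dict in the
DescribeSecurityGroups shape (what boto3's describe_security_groups returns
under "SecurityGroups"). Groups, IDs, and addresses below are constructed.
"""
from __future__ import annotations

import ipaddress

VXLAN_PORT = 4789
SSH_PORT = 22


def _is_port_rule(perm: dict, proto: str, port: int) -> bool:
    return (perm.get("IpProtocol") == proto
            and perm.get("FromPort") == port and perm.get("ToPort") == port)


def audit_mirror_target_sg(sg: dict, vpc_cidr: str, operator_ip: str) -> list[str]:
    """Return findings; an empty list means the group matches the required rules."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    operator_net = ipaddress.ip_network(f"{operator_ip}/32")
    findings: list[str] = []
    saw_vxlan = saw_ssh = False

    for perm in sg.get("IpPermissions", []):
        v4 = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        other = ([r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                 + [g.get("GroupId") for g in perm.get("UserIdGroupPairs", [])])
        label = f"{perm.get('IpProtocol')} {perm.get('FromPort', 'any')}-{perm.get('ToPort', 'any')}"

        if _is_port_rule(perm, "udp", VXLAN_PORT):
            saw_vxlan = True
            # Mirrored VXLAN only ever comes from inside the VPC.
            findings += [f"udp/{VXLAN_PORT} open to {n}, wider than VPC CIDR {vpc_net}"
                         for n in v4 if n.version != vpc_net.version or not n.subnet_of(vpc_net)]
            findings += [f"udp/{VXLAN_PORT} open to IPv6 or group source {s}" for s in other]
        elif _is_port_rule(perm, "tcp", SSH_PORT):
            saw_ssh = True
            # SSH is the only internet-facing path to the receiver: one /32, nothing else.
            findings += [f"tcp/{SSH_PORT} open to {n}, expected only {operator_net}"
                         for n in v4 if n != operator_net]
            findings += [f"tcp/{SSH_PORT} open to IPv6 or group source {s}" for s in other]
        else:
            findings.append(f"unexpected ingress rule {label}")

    if not saw_vxlan:
        findings.append(f"no udp/{VXLAN_PORT} ingress: mirrored traffic would be dropped at the receiver")
    if not saw_ssh:
        findings.append(f"no tcp/{SSH_PORT} ingress: the local host cannot reach the receiver")
    return findings


# Constructed inputs for the example; IDs and addresses are made up.
VPC_CIDR = "10.0.0.0/16"
OPERATOR_IP = "203.0.113.7"

STRICT_SG = {
    "GroupId": "sg-0a1b2c3d4e5f60001",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

LOOSE_SG = {
    "GroupId": "sg-0a1b2c3d4e5f60002",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # "allow everything from the VPC": common default, exposes the whole receiver
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for sg in (STRICT_SG, LOOSE_SG):
        print(sg["GroupId"], audit_mirror_target_sg(sg, VPC_CIDR, OPERATOR_IP) or "ok")
```

Run it against the group referenced by the launch template before the first capture; the same function applied to the output of describe_security_groups catches the usual drift (SSH widened to 0.0.0.0/0 "temporarily", or an allow-all-from-VPC rule inherited from a default group).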

ISO 27001:2022 Relevance

Implementation of ISO Controls

  • Network Security: Helps implement controls related to network security by providing a mechanism for monitoring and analyzing network traffic within AWS VPCs.
  • Resource Management: Assists in managing AWS resources by automating the setup of traffic mirroring (receiver instance, target, filter, and session); teardown still depends on the manual cleanup step noted above.

Evidence/Artifacts for Audits

  • Logs: Provides logs in /tmp/vpcshark.log that can be used as evidence of traffic mirroring activities.
  • AWS Resource Creation: Every AWS API call the tool makes (RunInstances, CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorSession, and the matching Delete and Terminate calls) is recorded in AWS CloudTrail, which gives an independent record of what was created or removed, when, and by which principal.

Integration Considerations for Compliance

  • Permissions and Access Control: Traffic mirroring can only be set up by principals whose IAM permissions allow it; the tool enforces nothing beyond that, so reviewing who holds those permissions is part of the control.
  • Resource Cleanup: Because teardown is manual, a documented cleanup step (running --cleanup and confirming no mirror sessions, filters, targets, or receiver instances are left behind) is needed to keep resource management policies satisfied.

Monitoring and Measurement Capabilities

  • Traffic Analysis: Enables detailed analysis of network traffic within AWS VPCs using Wireshark.
  • Resource Monitoring: While the tool does not provide built-in monitoring, the logs and AWS CloudTrail can be used to monitor and measure the effectiveness of the traffic mirroring setup.

Required Skills and Training Considerations

  • AWS Knowledge: Users need to have a good understanding of AWS services, including EC2, VPCs, and traffic mirroring.
  • Wireshark Skills: Familiarity with Wireshark and network traffic analysis is necessary to effectively use the tool.
  • Security Best Practices: Understanding of security best practices for managing AWS resources and network traffic.

Pricing & Deployment

Available Pricing Tiers and Models

  • Open Source: vpcshark is an open-source tool, meaning it is free to use and does not have any pricing tiers or models.

Free/Community vs Enterprise Features

  • Since it is open-source, there are no enterprise features or distinctions; all features are available to all users.

Deployment Options and Requirements

  • Build and Installation: Users need to build the vpcshark binary and the remote tool, then copy the vpcshark binary into the Wireshark extcap directory.
  • AWS Environment: Requires an AWS account with the necessary resources and permissions.

Support and Maintenance Details

  • Community Support: As an open-source project, support is primarily through community contributions and the project's GitHub repository.
  • Maintenance: Users are responsible for maintaining and updating the tool, although the project's author may provide updates or fixes based on community feedback.
