Darktrace vSensors and Amazon VPC Mirroring

vSensor v5.1

Last Updated: April 1 2021

DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 2

Darktrace vSensors and Amazon VPC Mirroring

vSensor v5.1

Integrating vSensors with AWS VPC Mirroring 3

Considerations 3

Deploying the vSensors for AWS VPC Mirroring 4

Sizing the vSensor 4
Create a Security Group for the vSensor(s) 4
Configure the vSensor(s) 4

Configuring the AWS Network Load Balancer 6

Set up the NLB 6
Set up the Target Group 6
Review the NLB and Target Group 7
Add a Traffic Filter 7
Add a Traffic Mirror Target 8

Configuring the AWS VPC Mirror Session 9

Automating the Mirror Session Creation 9
Initial Creation of a Mirror Session 9
Apply Mirroring Session to Multiple Existing Instances 9
Configure a Lambda Function to Apply Mirroring to New Instances 10

Optional Cross-Account AWS VPC Mirroring 13

Configuring Cross-Account VPC Traffic Mirroring (if desired) 13
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 3

Integrating vSensors with AWS VPC Mirroring

Darktrace vSensors can integrate with Amazon VPC traffic mirroring to receive a copy of inter-cloud traffic without the
implementation of osSensors. With VPC Traffic Mirroring, Darktrace Cloud customers can benefit from real-time threat
detection across AWS, without relying on host-based agents, sensors, or logs.

Considerations
• All microservices configured in AWS will incur additional costs including the elements required for these
processes such as traffic mirroring sessions, network load balancers and lambda function invocations. These
costs will be proportional to the infrastructure and level of traffic mirrored.

• In VPC traffic mirroring scenarios, osSensors are required to take autonomous actions.

• This method is only compatible with new nitro generation AWS EC2 instances (c5/m5/r5 or t3) and select
older instances. Older instances like t2.micro do not allow traffic mirroring and will require osSensors for
traffic monitoring.

Please see the relevant AWS documentation for more information.

• If multiple vSensors are required, we recommend creating a new subnet in a different availability zone(s) to
allow for redundancy - e.g.,a vSensor in eu-west-1a and eu-west-1b.

• A NAT gateway must be configured for the route association for each subnet. As this is dependent on your
environment, we recommend consulting AWS documentation.

• The following steps must be performed by a user with access to the AWS Management Console and the
following permissions:

◦ Create and manage instances (EC2)

◦ Create and change Security groups and rules (EC2 - Security Groups)

◦ Create Load Balancers, filters, and Targets (EC2)

◦ Create Traffic Mirror Sessions (VPC)

◦ Create Cloudwatch events (Cloudwatch)

◦ Create Lambda functions (Lambda)

◦ Create an IAM Policy and Role (IAM)

• For configuration steps that use the AWS CLI, the describeinstances and createtrafficmirrorsession
permissions are required as a minimum.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 4

Deploying the vSensors for AWS VPC Mirroring

Sizing the vSensor
Recommended sizing for vSensor instances are as follows. Instance size is dependent on the type and volume of
ingested traffic.

T3.LARGE T3.XLARGE T3.2XLARGE M5.4XLARGE M5.8XLARGE

CPUs 2 4 8 16 32

Ram 8GB 16GB 32GB 64GB 128GB

Hard Drive 50GB 100GB 200GB 400GB 800GB

Estimated Devices 50 100 200 400 800

Traffic 100 Mbps 250 Mbps 500 Mbps 1000 Mbps 2000 Mbps

As instance size can be easily modified, it may be preferable to start on a lower spec and scale up only if needed. More
information about vSensor requirements and sizing can be found in the vSensor Setup.

Create a Security Group for the vSensor(s)

1. In the AWS Management console, select EC2 -> Security Groups -> Create Security Group.

2. Enter a name and description for your security group, and select your VPC.

3. Add the Inbound rule Custom UDP Rule, Port Range 4789, and an appropriate source. This source must allow
VXLAN traffic sent from the mirror target (in these instructions a Network Load Balancer) to reach the
vSensor(s).

The vSensor requires 4789/UDP inbound for the load balancer to send traffic on. Note that mirrored traffic on
an instance is not subject to outgoing security group evaluation, but packets dropped by incoming security
group rules, or by network ACL rules at the traffic mirror source, do not get mirrored.

For most conventional environments, an appropriate source will be the subnet(s) that are producing the traffic
to be mirrored, or the subnets containing the NLB(s) sending traffic to the vSensor(s). However, this will
depend on your organization infrastructure.

4. 22/TCP is also required from expected IP addresses (for example, your office) for SSH access, and 443
inbound from your internal CIDR range for health checking. Either add these conditions to one rule or if
preferred, create multiple.

Configure the vSensor(s)

Set up one or more vSensors - different availability zones are recommended if using multiple vSensors - with an Ubuntu
20.04 AMI (for vSensor v4.0.8 and below, Ubuntu 16.04 LTS). If multiple vSensors, this process must be repeated for each
vSensor.

1. Navigate to EC2 -> Instances -> Launch Instance.

2. Use an Ubuntu 20.04 AMI to create the instance. Ensure you select one of the nitro generation or other
supported instances (see Considerations).

3. Apply the security group created for the vSensors and an appropriate hard drive. Darktrace vSensors of
v4.0.7 and above support Packet Mirroring, therefore a minimum of 50GB hard drive is recommended.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 5

4. Install the vSensor on the Ubuntu 20.04 instance with the following command:

bash <(wget https://packages.darktrace.com/install -O -) --updateKey yourupdatekey

yourupdateKey can be found on the “Product Updates and Documentation” page of the Darktrace Customer
Portal alongside the vSensor download. If you do not have access to the Customer Portal, the Update Key
can be supplied by your Darktrace representative or a member of Darktrace support.

Communication Mode

The vSensor must now be configured to communicate with the Master instance in an approved mode. Pull mode and Push
Token mode use an extra layer of symmetric encryption using a shared token and are appropriate for use over untrusted
networks such as the internet.

The following guide will configure Push Token Mode to a virtualized Enterprise Immune System deployment which has a
highly available public IP. Customers with on-premises Enterprise Immune System deployments may prefer to use Pull
mode as it does not require the Darktrace instance to have a public IP - alternative modes can be found in the
vSensor guide.

1. Log into the Darktrace Master instance UI and navigate to the System Config page from the main menu. Locate
the Push Probe Tokens section.

2. Enter a label for the vSensor and click Add - a token will generate in the form of [label:string] . This
token will be shown only once and must be entered into the vSensor. A unique token must be generated for
each vSensor.

The vSensor label is part of the token - to change the label, the token must be fully regenerated.

3. Return to AWS and SSH into the vSensor, run:

set_pushtoken.sh [pushtoken] [master-hostname] [proxy]

Where [push-token] is the token generated on the Darktrace Master instance, [master-hostname] is the
hostname or IP of the Darktrace Master instance (hostname required for Cloud Masters) and [proxy] is an
optional parameter available if a proxy is required for the vSensor to access the Master.

4. Ensure network connectivity has been set up for master to vSensor communication. In this example (Push
Token mode), the vSensor must be able to access the IP or hostname of the connected Darktrace instance
outbound TCP/443.

For virtualized Enterprise Immune System deployments, connections are NAT’d outbound via the relevant
regional host. A full list of regions and their associated IP addresses/hostnames is available in the
Cloud Master documentation.

Please refer to the vSensor Setup Guide if you require more information on configuring vSensors,
networking, and basic troubleshooting.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 6

Configuring the AWS Network Load Balancer

Set up the NLB
1. Navigate to EC2 -> Load Balancers -> Create Load Balancer.

2. Choose Network Load Balancer.

3. Name your balancer and set the scheme as internal for mirroring traffic within your AWS deployment.

4. Set Load Balancer Protocol as UDP and the Load balancer Port as 4789.

5. Select your VPC and tick the availability zone your vSensors are in. Where multiple zones are used for
redundancy, tick all zones.

You may wish to apply tags to your NLB at this point.

6. The NLB will not require a secure listener in the Configure Security Settings step as NLB and traffic from
instances should only be internal.

Set up the Target Group

1. Continuing the NLB configuration, for the step Configure Routing, ensure the target group has New target
group selected.

2. Name your target group.

3. Set target type to instance.

4. Set protocol to UDP, and port to 4789.

5. For the Health check section select HTTPS in the dropdown.

6. Set Path as / .

7. Click Advanced health check settings and select Override for Port. Set this to 443.

8. Leave the healthy threshold as 3, and set the interval to 30 seconds.

9. Move onto Register Targets and select your vSensors using the checklist on the screen.

When all vSensor(s) are selected, click Add to registered.

DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 7

Review the NLB and Target Group

1. Continuing the NLB configuration, for the step Review a config should be visible that resembles the example
below:

Load balancer

Name: Test-Balancer
Scheme: internal
Listeners: Port:4789 - Protocol:UDP
VPC: vpc-1111111 (My VPC)
Subnets: subnet-01aaa010 (vSensor subnet 1), subnet-0a11111aaa11a111a (vSensor subnet
1b)
Tags:

Routing

Target group: Test Target Group

Target group name: target-group
Port: 4789
Target type: instance
Protocol: UDP
Health check protocol: HTTPS
Path: /
Health check port: 443
Healthy threshold: 3
Unhealthy threshold: 3
Interval: 30
Success codes: 200-399

2. Click Confirm if everything is correct.

3. Ensure that port 443 inbound is allowed to the network load balancers, or health check will fail and no traffic
will be sent to the vSensor.

Check this by navigating to EC2 -> Target groups, selecting your target, then clicking the Targets tab in the
info pane displayed below your target group(s). The Status column will display “healthy”" if this is correctly
configured.

4. After creation, we recommend that Cross-Zone Load Balancing is enabled to ensure that packets continue to
be mirrored even if all targets in an Availability Zone are not healthy. Please note, this may incur additional
charges from AWS depending on the amount of cross zone traffic.

This can be done by going to EC2 -> Load Balancers then right clicking on your load balancer. Select Edit
Attributes, then ensure Cross-Zone Load Balancing is selected. Then click Save.

Add a Traffic Filter

A traffic mirror filter must be added to ensure that all of the traffic is mirrored to the network load balancer, and therefore
the vSensors.

1. Navigate to VPC -> Mirror Filters and click Create traffic mirror filter.

2. Name your filter and provide a brief description for it.

3. Network services such as “amazon-dns” should be left un-ticked.

4. Click Add rule in the Inbound section.

5. Set Rule action to Accept, Protocol to All protocols, Source CIDR block to “0.0.0.0/0”, Destination CIDR
block to “0.0.0.0/0”, and provide a brief description for reference.

6. Add the same rule in the Outbound rules section or vSensors will only receive unidirectional traffic.

7. Add any tags if desired.

8. Click Create.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 8

Add a Traffic Mirror Target

The traffic mirror target is the destination for a traffic mirror session (in this case a load balancer), and needs to be
configured before setting up the mirror sessions.

1. Navigate to VPC -> Mirror Targets and click Create traffic mirror target.

2. Name your target and provide a brief description.

3. Select a Target type of Network Load Balancer

4. Select the network load balancer configured earlier as the target

5. Add tags if desired.

6. Click Create

Everything should now be in place to create mirror session(s) to send traffic from your instances to the vSensor(s) via the
Network Load Balancer.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 9

Configuring the AWS VPC Mirror Session

Automating the Mirror Session Creation
A mirror session must be added for every individual instance that you wish to monitor. Darktrace Support can provide an
example bash script for setting a mirror session on existing instances using the AWS CLI.

Darktrace Support can also provide an example Lambda script to apply the mirror to newly created instances by matching
a certain tag key value pair. The script applies the mirror automatically by triggering on a cloudwatch event configured to
fire when new instances are created. The script and lambda assume a correctly configured AWS CLI is already available
and that the same key:value tag exists on every instance to be mirrored.

To run these scripts, a mirror session must first be created manually in order to gather key parameters required by the
automated scripts. This section assumes that instances to be monitored have a single interface - instances with multiple
interfaces will require further configuration.

Initial Creation of a Mirror Session

1. Navigate to VPC -> Mirror Sessions. Click Create traffic mirror session.

2. Set a name and description for your mirror session.

3. Select the interface of a desired mirror source.

To find an appropriate interface, navigate to EC2 -> Instances. Select an instance you wish to mirror, find
Network Interfaces in the details pane, click the interface (e.g.,eth0), and copy the interface ID.

4. For the Mirror target, select the target that was configured earlier as part of the Add a Traffic Mirror Target
step. Clicking in the field for this option should provide a dropdown list of previous options, including the
session configured earlier.

5. Session number can be any value between 1 and 32766 - we recommend using same value across all mirror
sessions configured here. This prevents duplicate mirrors and ensures that all traffic is prioritized in the
same manner.

For the following examples we will use 10.

6. The VNI and Packet length fields can be left blank.

7. For Filter select the mirror filter created above that allows all traffic.

8. Optionally apply any tags for the mirror session.

9. Click Create.

Apply Mirroring Session to Multiple Existing Instances

Now that a mirror session has been manually created, we can re-use the parameters with a bash script to apply the mirror
session to all required instances.

1. Ensure your AWS CLI is updated (with sudo pip install --upgrade awscli for example).

2. Run aws ec2 describe-traffic-mirror-sessions and find the mirror session created above.

3. Record the following parameters - TrafficMirrorTargetId , SessionNumber , TrafficMirrorFilterId ,

VirtualNetworkId .

4. Edit the example mirror-adder.sh script provided by Darktrace Support to include these values.

In the config section , replace the corresponding <value> with the parameter recorded in step 3.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 10

5. Specify a key:value pair in the script to use as an identifier for mirroring. Add the key as the
keytag='<value>' and the value as valuetag='<value>' in the config section of the script.

If this method is not suitable for your environment, modify the filtering as you see fit by editing the code.
Ensure each variable uses the same filter.

The mirror sessions will have the description mirror session for ${name-of-instance}, and will have the name
of the instance that it was generated for.

6. Run the command in the listofinstances variable to ensure that the instances you wish to create mirror
sessions for are returned correctly. Ensure you specify the tag key and tag value set in the config.

aws ec2 describe-instances --filters 'Name=tag:<Key>,Values=<value>' --query

'Reservations[*].Instances[*].[Tags[?Key==`Name`].Value]' | sed 's/[],"[]//g' | sed '/
^[[:space:]]*$/d' | sed -e 's/^[ \t]*//'

If this returns as expected, run the bash script to apply mirroring to the desired instances.

Configure a Lambda Function to Apply Mirroring to New Instances

Create an IAM Role for the Lambda Function

1. Navigate to IAM -> Policies.

2. Click Create policy.

3. Switch to the JSON tab. Paste in the following to provide the permissions required for the lambda role.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:CreateTags",
"ec2:CreateTrafficMirrorSession",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}

4. Click Review Policy and give the policy a name and description. We recommend something descriptive like
“Mirror-Lambda-Minimal-Permissions”.

Click Create Policy.

5. Navigate to IAM -> Roles.

6. Click Create Role.

7. Select Lambda, click Next to go to Permissions.

8. In the policies, search for the policy just created (here, “Mirror-Lambda-Minimal-Permissions”) and apply the
role by selecting the check box.

9. Click Next and optionally add tags.

10. Click Next to go to the review stage where this role can be assigned a name. We recommend something
descriptive like “Mirror-Lambda-Permissions-Role”.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 11

Create the Lambda Function

1. Navigate to Lambda, click Create function. Select Author from scratch.

2. Name your function, and select Node.js 10x in the Runtime dropdown.

3. Expand the Permissions section by clicking Choose or create an execution role, select Use an existing role
for the Execution role, then select the role created earlier (here, “Mirror-Lambda-Permissions-Role”).

4. Do not configure a trigger - this will be done later.

5. Click the lambda function in the designer pane (above the Layers button)

6. Scroll down to the Function code section.

7. Select Upload a .zip file in the Code entry type dropdown. Ensure that the runtime is Node.js 10.x and the
Handler is “ index.handler ”.

8. Click Upload under the Function package text and select the “mirror-function.zip” provided by Darktrace
Support.

Click Save in the top right.

9. If you wish to review or modify the script, the zip file must be uncompressed before editing. If any changes
are made, the files must be re-zipped and uploaded as above.

The zip and upload to lambda can be performed on the command line by running the following from within the
folder, after changing the "--function-name" parameter to the name given to the function.

zip -q -r9 ../mirror-function.zip index.js node_modules package.json && aws lambda update-
function-code --function-name <Function-name> --zip-file "fileb://../mirror-function.zip"

10. Enter the following environment variable Keys and the corresponding values - these values should
correspond to the values acquired earlier for the bash script.

SESSION_NUMBER

TAG_KEY

TAG_VALUE

TRAFFIC_MIRROR_FILTER_ID

TRAFFIC_MIRROR_TARGET_ID

VIRTUAL_NETWORK_ID

The TAG_KEY variable should be the key of the tag pair to apply a mirroring session to, and the TAG_VALUE
should be the value.

11. Click Save in the top right after entering the variables.

Create a Cloudwatch Event for the New Instances Lambda Function to Fire On

1. Navigate to CloudWatch -> Rules (under Events).

2. Click Create rule.

3. Select Event Pattern for the Event Source.

DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 12

4. Click Edit to the right of Event Pattern Preview and paste in the following:

{
"source": [
"aws.ec2"
],
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"running"
]
}
}

5. Click Save.

6. Expand Show sample event(s), copy this to use later for testing.

7. In the Targets section select the Lambda function created earlier.

8. Click Configure Details, name the rule and add a description.

Leave Enabled ticked to enable the trigger for the Lambda event firing.

Testing the Lambda Function

1. Navigate to Lambda -> Functions -> the name of your function.

2. Click Select a test event to open the dropdown and click configure test events.

3. Paste in the sample event acquired earlier and name the test event.

4. In both the resources section and the Instance ID section, replace the instance ID with the ID of an
existing instance where this lambda task would run if the instance were newly created now.

Optionally, try other instance IDs that would not expect this to run on to verify the lambda task it is working as
expected.

5. Once configured, click test.

If no mirror session exists, it will return success and create the mirror session.

If a mirror session already exists, it will fail with the error

"SessionNumber xx already in use for eni-xxxxxxxxxxxxxx by tms-xxxxxxxxxxxxx" .

If the instance is not tagged appropriately the execution result will be Succeeded but the result returned will
start Not configuring mirror session and no mirroring session will be applied.
DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 13

Optional Cross-Account AWS VPC Mirroring

Configuring Cross-Account VPC Traffic Mirroring (if desired)
Mirror sessions can be configured to be sent to another AWS account as long as certain pre-requisites are met. This
requires:

• Peered VPCs

• Appropriate subnet connectivity

• Appropriate route tables

• Appropriate security rules

AWS traffic mirroring is sent on the UDP port 4789 as VXLAN packets and will appear to originate from the interface that
sent the original traffic. Using a network load balancer as a target is recommended.

Peered VPCs

The following explanation will use the example Account A (the recipient of the mirroring) and Account B (the mirrored
traffic) for ease of explanation.

The VPC that the mirror target (Account A) is in and the VPC of the mirror session (Account B) must be peered. This
requires non-overlapping CIDR ranges for each VPC. It also requires route table changes so that packets from Account B
VPC can reach Account A’s VPC through the VPC peering connection.

VPCs can be peered in the AWS management console by navigating to VPC -> Peering connections. This will also
require the account receiving the request to also approve it in Peering connections.

Route tables for the example peered VPCs are shown below.

Account A

DESTINATION TARGET STATUS PROPAGATED

172.30.0.0/16 local active No

0.0.0.0/0 igw-05527135654 active No

172.31.0.0/16 pcx-0cae6d87981e9a374 active No

Account B

DESTINATION TARGET STATUS PROPAGATED

172.31.0.0/16 local active No

0.0.0.0/0 igw-98234567928 active No

172.30.0.0/16 pcx-0cae6d87981e9a374 active No

Where:

• Account A (target receiving account)

• Account B (where mirroring occurs)

• igw- the internet gateway

• pcx- the peered subnet

DARKTRACE VSENSORS AND AMAZON VPC MIRRORING 14

• Account A VPC CIDR range is 172.30.0.0/16, Account B VPC CIDR range is 172.31.0.0/16

If VPCs are peered then Account A (the account receiving the traffic mirror) can create a mirror target on their account,
and share it with Account B.

Example Setup Process

1. Create a mirror target by navigating to VPC -> Traffic mirror targets. This can be configured to send to an
interface or a network load balancer within Account A.

2. Share this mirror target with Account B by navigating to Resource Access Manager -> Resource shares ->
create resource share.

Select resource type traffic mirror targets

Select the configured mirror target

3. Check Allow external accounts, and add the account number of account B that you wish to share the target
with.

Once configured, click Create resource share

4. Account B can accept this resource share by navigating to Resource Access Manager and accepting the
request in Shared with me -> Resource shares

5. Once this configuration is complete, Account B can set up any traffic mirror sessions as required and select
the mirror target shared by Account A. This will result in mirrored traffic being sent to the traffic mirror target
on Account A, as long as the requirements stated above are met.
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 [email protected] darktrace.com