IBM Security QRadar

VXLAN support for Network Interface traffic is a great new feature in QRadar 7.3.2 Patch 3. This feature allows deep visibility into your Azure and AWS environments, with Azure vTap and AWS VPC Network Mirroring. Leveraging these integrations allows you to detect and stop advanced threats in the cloud – with unparalleled visibility into the raw traffic going to and from your instances, without the need to deploy additional hardware. This article discusses the steps required to configure Azure vTap and AWS VPC Traffic Mirroring, and then perform threat hunting in your cloud traffic using QRadar.

Azure vTap and VPC Traffic Mirroring are the first native network TAP functionalities available in the public cloud. Each of these solutions do a deep copy of the inbound and outbound VM network traffic. This traffic can then be mirrored to any QRadar endpoint with flow processing capabilities, such as a Data Gateway or All-In-One console.

This deep visibility allows you to write rules and generate offenses on any traffic coming and going from your cloud instance. You now have the ability to detect a whole range of previously invisible threat vectors – such as APT beaconing, network scans, port scans, DDoS attacks, large file transfers and more.

Configuring vTap in Azure:

Below is an example deployment making use of a QRadar Data Gateway and leveraging this capability in Azure:

In order to enable Azure vTap preview functionality, you will first need to request access to the preview feature by following the instructions at the Microsoft Azure website: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview. Once receiving confirmation from Azure, you will need to follow the following instructions to enable the virtual network TAP: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-tap-virtual-network-cli. At step 4, ensure that the configured virtual network interface is that of your QRadar console or data gateway endpoint.

 

 

Configuring VPC Traffic Mirroring in AWS:

 

Below is an alternative example deployment where QRadar has been deployed in AWS and has VPC Traffic Mirroring configured:

To configure VPC Traffic Mirroring, follow the instructions here: https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/. If you are not inspecting the full packet in your deployment (i.e. you are not sending the mirrored traffic to QNI) you may opt to save bandwidth and specify a packet length to mirror. In this case, you should set this to match the "Maximum Data Capture/Packet" setting for the respective host in QRadar.

 

Configuring QRadar:

 

You will then need to configure a flow source in QRadar to process this mirrored traffic. Access the Flow Sources admin tool and click Add. Select the “Network Interface” flow source type and select the correct Flow Interface. Click Save and then deploy your changes.

Heading over to the Network Activity screen you can now see all of the inbound and outbound traffic from your Azure or AWS instance within QRadar. This mirrored traffic can easily be identified by searching for the matching Flow Source/Interface field you specified above. As both Azure vTap and VPC Traffic Mirroring export this traffic using VXLAN, you can also see this VXLAN Network Identifier has been extracted from all of these flows and appears as a new flow field “VXLAN Network Identifier”. What's more, you even have access to the traffic payload, which is used to do advanced application determination and can be used in your Custom Flow Properties and rule sets.

You can query, write rules and create offenses with this traffic, and utilise all the usual QRadar functionality. For example, you could write a rule to detect when a user is accessing assets outside of normal working hours, or when your instances are experiencing a DDoS attack.

As an analyst, you now have the power to perform advanced threat hunting in the cloud, securing your applications running in Azure or AWS through the power of deep network analysis.