Nubeva TLS Overview

Welcome to Nubeva TLS, a complete cloud traffic visibility solution for AWS, Azure and GCP.

Traffic visibility is a crucial component of securing the business and keeping systems operational, but network monitoring has been blinded in the cloud. Not only is the infrastructure traditionally used for monitoring inaccessible in the cloud, more than 75% of cloud traffic is encrypted. Traditional decryption services cannot adapt to the ephemeral nature of cloud workloads, and the newer TLS standards enforce perfect forward secrecy through ephemeral key exchange, so traffic can no longer be decrypted out of band with a copy of the server's private key; an inline 'man in the middle' proxy, with its own cost and risk, is the only conventional alternative. IT teams are no longer able to acquire, process and distribute decrypted packet-level cloud traffic to their chosen tools. Consequently, the move to the cloud creates significant blind spots and a loss of ROI on vital tools that are powerless without access to packet-level cloud data.

Nubeva’s TLS Visibility Solution is a Software as a Service (SaaS) offering that provides complete packet visibility into any public cloud, with TLS decryption capabilities designed specifically for the cloud. Its architecture consists of three building blocks: a Nubeva Manager (console), Nubeva Sensors (or Sensors) and Nubeva Decryptors (or Decryptors). The architecture is scalable and secure, and traffic visibility is achieved without sending decrypted packets across the network. Nubeva Sensors discover TLS/SSL session keys and forward them to secure storage. Sensors can also mirror packets within a cloud instance and forward them to Nubeva Decryptors running on security and analysis tool instances. Nubeva TLS Decrypt also works with any cloud packet broker solution, including AWS VPC Traffic Mirroring. Nubeva Decryptors retrieve session keys from the secure storage, based on the session identifiers in the packet flows they receive, and present both the encrypted and the decrypted traffic on a local interface that a security tool running on the same cloud instance can read.

../_images/TLSArchAWSMirrors.png

Figure 1: TLS Visibility Solution architecture with AWS VPC Traffic Mirroring

Figure 1 depicts a sample deployment in an AWS cloud using AWS VPC Traffic Mirroring. Dotted lines represent control messages, dashed lines represent session keys, and solid lines represent mirrored traffic.

../_images/TLSArchPCAP.png

Figure 2: TLS Visibility services architecture with Nubeva Sensors discovering keys and mirroring traffic.

Note

Nubeva Decryptors handle the synchronization of keys with packet flows, ensuring that all the traffic received is matched with its session keys and is fully decrypted.
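The key-to-flow synchronization described in the architecture overview and in the note above, as an added illustration (example code written for this page, not Nubeva's software): a decryptor reads the Client Random from the ClientHello that opens each mirrored flow and looks up that session's secrets by that value. The NSS key-log format used for the store (the format Wireshark reads), the constructed ClientHello records, the flow names and the status labels are all assumptions made for the example; the page does not describe Nubeva's actual key storage format or matching logic.

```python
"""Match mirrored TLS flows to discovered session secrets by TLS Client Random.

Added example, not Nubeva's code. Assumptions: secrets are held in NSS key-log
format ("LABEL <client_random hex> <secret hex>") as a stand-in for Nubeva's secure
storage, and the "mirrored" payloads below are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message type


def parse_client_hello_random(payload: bytes) -> Optional[bytes]:
    """Return the 32-byte Random of a TLS ClientHello, or None if payload is not one.

    Layout: record header type(1) version(2) length(2), then handshake header
    type(1) length(3), then legacy_version(2) random(32) ...
    """
    if len(payload) < 5 + 4 + 2 + 32:
        return None
    content_type, _legacy_version, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != HANDSHAKE:
        return None
    body = payload[5:5 + rec_len]
    if len(body) < 4 + 2 + 32 or body[0] != CLIENT_HELLO:
        return None
    if int.from_bytes(body[1:4], "big") + 4 > len(body):  # truncated record
        return None
    return body[6:38]


def load_keylog(text: str) -> Dict[bytes, Dict[str, bytes]]:
    """Parse NSS key-log lines into {client_random: {label: secret}}.

    A TLS 1.2 session has one CLIENT_RANDOM line (the master secret); a TLS 1.3
    session has one line per traffic secret, all keyed by the same Client Random.
    """
    store: Dict[bytes, Dict[str, bytes]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue  # malformed line: skip it rather than abort the load
        if len(rand) == 32:
            store.setdefault(rand, {})[label] = secret
    return store


@dataclass(frozen=True)
class MatchResult:
    flow: str
    client_random: Optional[str]  # hex; None when the flow does not start with a ClientHello
    labels: Tuple[str, ...]       # secret labels found for this session
    status: str                   # "decryptable", "no_key" or "not_tls_hello" (labels chosen here)


def match_flows(flows: Dict[str, bytes], store: Dict[bytes, Dict[str, bytes]]) -> Tuple[MatchResult, ...]:
    """Pair each flow's first client payload with the secrets for its session.

    A flow whose Client Random is absent from the store is reported as "no_key"
    rather than silently dropped: that is the coverage gap to monitor for.
    """
    results = []
    for name, first_payload in flows.items():
        rand = parse_client_hello_random(first_payload)
        if rand is None:
            results.append(MatchResult(name, None, (), "not_tls_hello"))
            continue
        secrets = store.get(rand)
        if not secrets:
            results.append(MatchResult(name, rand.hex(), (), "no_key"))
        else:
            results.append(MatchResult(name, rand.hex(), tuple(sorted(secrets)), "decryptable"))
    return tuple(results)


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal ClientHello record around the given random (test data only)."""
    hs_body = (b"\x03\x03" + client_random + b"\x00"   # legacy_version, random, empty session id
               + b"\x00\x02\x13\x01"                    # one cipher suite
               + b"\x01\x00" + b"\x00\x00")             # null compression, no extensions
    handshake = bytes([CLIENT_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample data: randoms and secrets are sequential/repeated bytes, not real values.
RANDOM_A, RANDOM_B, RANDOM_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'11' * 48}",                    # TLS 1.2 master secret
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'22' * 32}",  # TLS 1.3 secrets
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'44' * 32}",
])
SAMPLE_FLOWS = {
    "10.0.1.5:51234->10.0.2.9:443": build_client_hello(RANDOM_A),
    "10.0.1.6:51235->10.0.2.9:443": build_client_hello(RANDOM_B),
    "10.0.1.7:51236->10.0.2.9:443": build_client_hello(RANDOM_C),  # key never discovered
    "10.0.1.8:40000->10.0.2.9:80": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",  # plaintext
}


def demo() -> Dict[str, MatchResult]:
    return {r.flow: r for r in match_flows(SAMPLE_FLOWS, load_keylog(SAMPLE_KEYLOG))}


if __name__ == "__main__":
    for r in demo().values():
        print(f"{r.flow:32} {r.status:14} {', '.join(r.labels)}")
```

Run directly, it prints one line per flow. The third flow shows the case the note does not dwell on: a session whose key was never discovered cannot be decrypted, so a deployment should track the count of unmatched sessions rather than assume full coverage. The lookup key is the Client Random, which is sent in the clear in every TLS version including 1.3, which is why it can be read from the mirrored packets before any decryption takes place.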

When an instance containing a Nubeva Sensor or a Nubeva Decryptor launches, the sensor or decryptor automatically connects to the Nubeva Manager (console), registers itself, obtains configuration updates and installs software updates when upgrades are available. Sensors and Decryptors use HTTPS to make REST API calls to the Cloud Console, and control traffic always originates at the sensors and decryptors; the console never opens connections to them. Data plane traffic (mirrored traffic) is routed according to the user’s own network configuration. Mirrored packets are never sent to the Cloud Console. The control plane does not modify, nor does it require the user to modify, network or security settings, except to allow outbound HTTPS (TCP port 443) from the subnets containing sensors or decryptors.

The following URLs and IP addresses must be reachable over outbound HTTPS for the sensors/decryptors to connect:

https://i.nuos.io/api/1.1/wf
https://rvs.nuos.io
13.248.140.181
52.183.93.152

Note

To set up AWS VPC Traffic Mirroring sessions, see Working With AWS Traffic Mirroring. Additional information is available on the AWS News Blog.