Getting Started

Logging in

To get started with Nubeva Prisms, create an account and log in on the Prisms Cloud Console:

  1. Navigate to www.nubeva.com and select ‘Login’ from the main menu.
  2. First-time users will be prompted to create an account. Use one of the OAuth partners to log in.
  3. When you log in to Nubeva Prisms for the first time, you will see a helper block with links to videos, on-line guides and a form for requesting to speak with a person. You can revisit this information on the Help page.

When you log in, a ‘Default Project’ is created automatically for you. As part of creating a project, Prisms also creates a DynamoDB table to store the session keys that the Cloud Agents extract.

Tip

You should replace the default DynamoDB table with one in your own account when going to production. Instructions are provided in the next tip later in this section.

../_images/GettingStarted001.png

Nubeva Prisms TLS Decryption architecture

Decrypting a workload requires creating the five elements depicted in the figure above. This is done in five simple steps:

../_images/GettingStarted002.png

Five steps required to decrypt your workloads

The first step is to install Key Extractor Agents.

1. Installing Key Extractor Agents

As shown in figure 1 above, Key Agents mirror traffic as well as extract session keys from encrypted traffic. Key Agents are available for Linux; a Windows version will be available shortly. The Linux agent is supported on CentOS, Ubuntu, RHEL and Amazon AMI. Windows agents support Windows 10 and Server 2012 R2 or higher.

  1. Docker is a prerequisite to running containers, and the Key Agent for Linux is a container. You can skip this step if your instance is already running the required version of Docker. Please refer to Docker Installation for instructions.

Note

Nubeva supports Kubernetes versions 1.11 or greater, which you can install with kops versions 1.11 or greater.

../_images/CatapultAgent.png
  2. Click on the “Catapult” icon in the left corner of the Source Group box.
  3. This will pop up a box similar to the figure below. Select ‘Linux Agent’ from the dropdown menu. Click the button on the right to copy the installation command.
../_images/LinuxAgent.png
  4. Paste this command into a command shell on the cloud instance. The Prism container will automatically download and install.
  5. About 10-20 seconds after installation, the sensor counter in the Source Groups box will increase by 1, indicating that the sensor is active.
  6. To launch a Windows Sensor, select “Windows Agent” from the drop-down.
../_images/WindowsAgent.png
  7. Paste this command into a command shell on the cloud instance. The Prism container will automatically download and install from Docker Hub.

Note

Windows sensors with key extraction capabilities will be available soon.

The next step is to configure source groups.

2. Creating Source Groups

Source groups are policies for grouping Cloud Agents based on their metadata and custom tags. The following links provide additional information: AWS Metadata, AWS Custom Tags, Azure Metadata, Azure Custom Tags.

Note

Source group policies also determine whether the agents should extract and store session keys in a DynamoDB table.

These are the steps to create a source group:

  1. Click on the “+” icon at the top right of the “Source Group” box. This will load the Source Group editing window.
../_images/TLSSGPrivateKDB.png

Tip

Nubeva TLS supports AWS, Azure and GCP. The key database is a DynamoDB table in AWS.

This step is not required for POC but recommended when you go to production.

The source group dialog (above) indicates which DynamoDB table is being used. The figure shows that the table is in Nubeva’s account. To replace the default table with a table in your own account, click the Create Private KeyDB button in the upper left corner.

../_images/TLSCreateKeyDB.png

Select the region and click Launch DB. This will launch a CloudFormation template. The template creates the IAM resources for writing to and reading from the KeyDB. Acknowledge that you allow these roles to be created:

../_images/SSLKeyDB-002.png

When the template is done select the Outputs tab and click the URL in the field SendtoNubeva:

../_images/SSLKeyDB-003.png
  2. The ‘Enable TLS key extraction’ checkbox in the upper left corner should be checked to set a policy that instructs the agents to extract keys.
  3. Name the new source group.
  4. Click on the ‘Filter Type’ (leftmost) drop-down to select either ‘Metadata’ or ‘Custom Tags’.

Note

On AWS, permission has to be given to describe all instances, because the scope of DescribeInstances cannot be limited to a single instance. See Creating an AWS IAM role for custom tag support; the required policy statement is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}
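Because DescribeInstances has to be granted on every instance, the policy above is the whole of what the custom-tag role should carry. The following is an added example, not Nubeva's tooling: it parses an IAM policy document and reports any Allow statement whose actions exceed an allowlist, so a broader policy (for example ec2:*) pasted in by mistake is caught before the role is created. The sample policies are constructed here.

```python
"""Audit an IAM policy document for the custom-tag role.

Added example, not Nubeva's tooling: it parses a policy document like the one
above and reports any Allow statement whose actions exceed an allowlist.
"""
import fnmatch
import json

# The only action the custom-tag lookup needs, per the policy above.
ALLOWED_ACTIONS = {"ec2:DescribeInstances"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(document: str, allowed=frozenset(ALLOWED_ACTIONS)) -> list:
    """Return a list of findings; an empty list means the policy is within scope."""
    findings = []
    policy = json.loads(document)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action in allowed:
                continue
            # IAM action names are case-insensitive and may contain '*' wildcards;
            # a pattern that covers an allowed action is broader than the allowlist.
            pattern = action.lower()
            if "*" in pattern and any(fnmatch.fnmatchcase(a.lower(), pattern) for a in allowed):
                findings.append(
                    f"statement {idx}: wildcard {action!r} is broader than {sorted(allowed)}"
                )
            else:
                findings.append(f"statement {idx}: action {action!r} is not in the allowlist")
    return findings


# Constructed samples: the scoped policy from the note, and an over-broad variant.
STRICT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}],
})
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

if __name__ == "__main__":
    print(audit_policy(STRICT_POLICY))  # []
    print(audit_policy(BROAD_POLICY))   # one finding about the ec2:* wildcard
```

Run it against the policy JSON you are about to attach to the role; anything other than an empty list means the role grants more than the tag lookup needs.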
  5. Click on the Metadata category in the “Source Inclusion Policy” and choose a category. Select the condition and select the values. Then click the ‘+’ button.
  6. You can add multiple conditions.
  7. Select Save. This will return you to the dashboard.

As new agents with matching metadata and/or custom tags appear, they are automatically added to the source group. This is a very powerful adaptation to the elastic nature of cloud environments. For instance, if you routinely spin instances up and down with web scaling events, selecting filters such as AMI type, VPC, subnet, or custom tag values will ensure that any new Cloud Agents that appear are immediately added to the source group and start mirroring traffic to tools based on the connections already defined.
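To make the matching behaviour concrete, here is an added example of how an inclusion policy built from metadata and custom-tag conditions selects agents. It is not Nubeva's code: the category names, the operator set (equals, in, prefix), the AND semantics across conditions and the sample agents are all assumptions made for the illustration.

```python
"""Evaluate a source-group inclusion policy against agent metadata and tags.

Added illustration of the matching described above, not Nubeva's code.
Field names, operators and the sample agents are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Condition:
    category: str      # assumed: "metadata" or "tags"
    key: str           # e.g. "vpc_id", "subnet_id", "image_id" or a tag key
    operator: str      # assumed operator set: "equals", "in", "prefix"
    values: tuple

    def matches(self, agent: dict) -> bool:
        actual = agent.get(self.category, {}).get(self.key)
        if actual is None:
            return False            # missing attribute never matches
        if self.operator == "equals":
            return actual == self.values[0]
        if self.operator == "in":
            return actual in self.values
        if self.operator == "prefix":
            return any(actual.startswith(v) for v in self.values)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class SourceGroup:
    name: str
    extract_tls_keys: bool
    conditions: list[Condition] = field(default_factory=list)

    def includes(self, agent: dict) -> bool:
        # All conditions must hold. An empty policy matches nothing, so a
        # half-configured group cannot silently pull in every agent.
        return bool(self.conditions) and all(c.matches(agent) for c in self.conditions)

    def members(self, agents: Iterable[dict]) -> list[str]:
        return [a["instance_id"] for a in agents if self.includes(a)]


# Constructed sample agents, shaped like AWS instance metadata plus tags.
AGENTS = [
    {"instance_id": "i-web-1", "metadata": {"vpc_id": "vpc-aaa", "subnet_id": "subnet-1", "image_id": "ami-web"}, "tags": {"role": "web", "env": "prod"}},
    {"instance_id": "i-web-2", "metadata": {"vpc_id": "vpc-aaa", "subnet_id": "subnet-2", "image_id": "ami-web"}, "tags": {"role": "web", "env": "prod"}},
    {"instance_id": "i-db-1", "metadata": {"vpc_id": "vpc-aaa", "subnet_id": "subnet-3", "image_id": "ami-db"}, "tags": {"role": "db", "env": "prod"}},
    {"instance_id": "i-web-dev", "metadata": {"vpc_id": "vpc-bbb", "subnet_id": "subnet-9", "image_id": "ami-web"}, "tags": {"role": "web", "env": "dev"}},
]

# Policy: web-role instances inside one VPC, with key extraction enabled.
PROD_WEB = SourceGroup("prod-web", extract_tls_keys=True, conditions=[
    Condition("metadata", "vpc_id", "equals", ("vpc-aaa",)),
    Condition("tags", "role", "in", ("web",)),
])


def prod_web_members(agents: Iterable[dict] = AGENTS) -> list[str]:
    return PROD_WEB.members(agents)


if __name__ == "__main__":
    print(prod_web_members())  # ['i-web-1', 'i-web-2']
    # A newly scaled-up instance with the same VPC and tag joins automatically.
    new_agent = {"instance_id": "i-web-3",
                 "metadata": {"vpc_id": "vpc-aaa", "subnet_id": "subnet-1", "image_id": "ami-web"},
                 "tags": {"role": "web", "env": "prod"}}
    print(PROD_WEB.includes(new_agent))  # True
```

The dev instance and the database instance are excluded even though each satisfies one of the two conditions, which is the behaviour to check for when a group's filters are meant to narrow, not widen, which traffic gets mirrored and decrypted.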

Next, you’ll create destinations to consume the data.

3. Launching Cloud Decryptors

  1. Docker is a prerequisite to running containers. You can skip this step if your instance is already running the required version of Docker. Please refer to…
../_images/DecryptCatapult.png
  2. Click on the “Catapult” icon on the top left of the Destination Group box.
  3. This will pop up a box similar to the figure below. Select ‘Linux Rx’ from the dropdown menu. Click the button on the right to copy the installation command.
../_images/TLSRCVDialog.png
  4. Paste this command into a command shell on the destination cloud instance. The decryptor container will automatically download and install.
  5. About 10-20 seconds after installation, the decryptor counter in the Destination Groups box will increase by 1, indicating that the decryptor is active.

The final step is to define a connection between your source group and your destination.

4. Creating Destinations

There are many packet inspection and processing tools in the open source community as well as many vendor offerings. Before we create a destination in the UI, we need to have an actual tool. If you already have something running, skip ahead to the next section. Otherwise, here are some steps for setting up a few simple tools.

  1. One of the simplest tools you can use is tcpdump. This is a simple Unix command that takes all data received on an interface and displays it on the screen. You can also use it to write this traffic to a file.
  2. Create a Unix instance in your cloud provider. Connect to it and issue the command:
tcpdump -na -i eth0 port 4789
  3. This will start a tcpdump session that displays all traffic on port 4789 (the VXLAN tunnel) arriving on your default interface; the port filter keeps your own SSH session traffic out of the output.

Note

If you want a tool with a little more sizzle, look at NTOPNG. NTOP is a network traffic analysis solution that can be deployed in many forms.

These are the steps to create a destination that points to a tool:

  1. Click on the “+” icon at the top right of the “Destinations” box.
  2. The next screen allows you to define the properties of this new destination group.
../_images/image_8.png
  3. Name the destination.
  4. Choose between a single tool or a set of tools that you want to load share against. For a load share environment, insert multiple comma-separated IP addresses into the field and the traffic will be load-shared among the defined tools.

Note

If you need more advanced load-balancing, you can use the front-end IP address of a cloud load balancer as the IP and configure this LB via the cloud portals. To enable VXLAN traffic to your destination, inbound traffic should be allowed on UDP port 4789.

../_images/UDPVxlan.png
  5. Click ‘save’ when finished. This will return you to the dashboard.

5. Creating Direct Connections

At this point, you can have one or more source groups and one or more tool destinations.

../_images/AddConnection.png
  1. To connect a source group to a destination/tool, simply click on the source and drag the connection line to the required destination and drop it. This will pop up the following connection profile window, with the ‘Source Group’ and ‘Destination Group’ values preset.
../_images/image_10.png
  2. You can also click on the “+” icon on the Connections box and it will take you to the same screen, but you will have to choose the Source Group and Destination Group from their dropdowns.
../_images/image_11.png
  3. You can use VXLAN tunnel encapsulation to send traffic to the destination. The VNI ID should be a unique number for the source group.
  4. Berkeley Packet Filter (BPF) is where you enter the data filters you want to apply to this connection.
  5. Click save to return to the dashboard.
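Since each connection tags its mirrored traffic with a VNI, a destination can tell which source group a datagram came from by reading the VXLAN header. The following is an added example, not Nubeva code: it builds and decodes the 8-byte VXLAN header (RFC 7348) carried in each UDP/4789 datagram, so you can confirm that a tool is receiving the VNI assigned to a source group. The sample frame and the VNI-to-group mapping are constructed here.

```python
"""Decode the VXLAN encapsulation that carries mirrored traffic to a destination.

Added example, not Nubeva code. Builds and parses the 8-byte VXLAN header
(RFC 7348) of a UDP/4789 datagram; sample frame and mapping are constructed.
"""
from __future__ import annotations

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08  # "I" bit: the VNI field is valid


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header to an inner Ethernet frame (constructed sender side)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) reserved(3) VNI(3) reserved(1)
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def parse_vxlan(payload: bytes) -> tuple[int, bytes]:
    """Return (vni, inner_ethernet_frame) for a UDP/4789 payload, or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte VXLAN header")
    if not payload[0] & VXLAN_FLAG_I:
        # RFC 7348: without the I flag there is no valid VNI; the datagram is dropped.
        raise ValueError("VXLAN I flag not set; no valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]


def is_valid_vxlan(payload: bytes) -> bool:
    """True if the payload carries a well-formed VXLAN header."""
    try:
        parse_vxlan(payload)
        return True
    except ValueError:
        return False


# Constructed mapping from each connection's VNI to its source group.
VNI_TO_SOURCE_GROUP = {4242: "prod-web", 4343: "prod-db"}


def source_group_for(payload: bytes) -> str | None:
    """Name the source group a datagram belongs to, or None if its VNI is unknown."""
    vni, _ = parse_vxlan(payload)
    return VNI_TO_SOURCE_GROUP.get(vni)


# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), stub payload.
INNER_FRAME = bytes.fromhex("0a0000000001" "0a0000000002" "0800") + b"stub-ip-packet"
SAMPLE_DATAGRAM = build_vxlan(4242, INNER_FRAME)

if __name__ == "__main__":
    vni, inner = parse_vxlan(SAMPLE_DATAGRAM)
    print(vni, inner == INNER_FRAME)          # 4242 True
    print(source_group_for(SAMPLE_DATAGRAM))  # prod-web
```

An unknown VNI at the destination usually means the connection's VNI and the tool's expectation have drifted apart, which is worth checking before assuming that decryption itself has failed.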

If you generate encrypted traffic on your source instance:

# run some https traffic on the client
curl https://example.com

You can see the decrypted traffic on your destination by issuing the command:

tcpdump -Ani nurx0 port 80

Decrypting Amazon VPC Traffic Mirroring

To decrypt Amazon VPC traffic mirroring follow the first four steps described above:

  1. Install a Key Agent
  2. Create a source group
  3. Launch a Decryptor

Since the AWS VPC traffic mirror is generating the packet flow, there is no need to create a connection. Instead, set up an AWS VPC traffic mirroring session between your source, where the key extractor agent is running, and the destination, where you installed the decryptor.

To set up a traffic mirroring session please review Working With AWS Traffic Mirroring. Additional information is available on the AWS News Blog.