How to Monitor Threat Traffic in Cloud Environment ?

How to Monitor Threat Traffic in Cloud Environment ?

março 22, 2022 | Jie Ji


The public cloud has become the hardest hit by cyberattacks. This article gives you an effective threat monitoring proposal by using VPC traffic mirror.

Traffic Mirror

In the traditional network environment, the data communications between devices are realized via cables or wireless networks. We can completely divert the traffic to the bypass monitoring device through dispersion or mirror technique, such as NSFOCUS’s Unified Threat Analysis System (UTS), which can use both signature matching technology and artificial intelligence analysis technology to accurately and efficiently detect threat traffic in the flow. However, in the cloud, all traditional devices are virtualized. How to find the threat traffic between various virtual devices? Especially in the public cloud, tenants are usually unable to obtain network traffic from underlying networks that they cannot control directly, which leads to invisibility to fundamental devices and difficulty of risk. NSFOCUS has a deep understanding of customers’ needs for public cloud services and has realized the virtualization encapsulation of the UTS. Combined with the “traffic mirroring” service of the public cloud, it can effectively solve the tenants’ requirements above on threat traffic monitoring in the public cloud. Let’s see how we do it:

Traffic mirroring is a function of Virtual Private Cloud (VPC).  As the name indicates, it is used for network traffic mirroring of virtual machines. Its implementation is not complicated. Let’s take AliCloud as an example. (Refer to AliCloud or Tencent Cloud for specific operation process)

Figure 1. Traffic mirror
  • Composition: includes mirror source and mirror destination. The mirror source is the elastic network interface of virtual machine that plans to obtain mirror traffic; The purpose of mirroring is to receive the network interface or load balancing SLB of the mirrored traffic.
  • Mirror condition (filter condition): filter network traffic to be mirrored, including inbound and outbound rules with which traffic is collected based on five tuples information.  
  • Mirroring process: after creating filtering conditions for the virtual machine, once the network traffic matches the conditions, the mirrored traffic will be obtained from the elastic network interface of the virtual machine; Then it is encapsulated by vXLAN and sent to the mirror destination, which will process it according to its purpose.

Threat Monitoring

NSFOCUS, as a network security vendor, provides the virtualized UTS as the target of to receive and analyzes traffic mirror, quick and effectively locates threat traffic with attempts at brute force, vulnerability exploitation, Web attacks, etc. In addition, consistent with the CARTA security concept proposed by Gartner, we can also send the logs processed by the UTS into NSFOCUS’s intelligent security operation platform (ISOP), a comprehensive analysis and operations platform, for threat detection, one click settle all, attack source traceback, security audit and much more.

Figure 2: UTS deployment
  • Deployment recommendations:UTS can be deployed in two ways: stand-alone and load balancing. Using the stand-alone deployment requires us to determine how many devices are needed to share the traffic load according to the traffic size while the load balancing mode is relatively simple because it uses SLB for load balancing. The downside of load balancing deployment is the SLB cost. If you want to get traffic mirror from multiple VPCs at the same time, it is recommended to deploy one UTS in each VPC, and collect all the analysis results onto a central UTS. Because there are massive mirrored traffic, the cost will be higher.
  • Cost of public cloud: The total cost includes cost of UTS (UTS bandwidth is not calculated) plus traffic mirroring cost. Among them, the traffic mirroring cost could directly refer to the example of AliCloud. In the availability zone B of the United States (Silicon Valley), five ENIs (elastic network interface) in a VPC have enabled the mirroring session. The active time of the mirroring session is 30 days, 24 hours a day. The total amount of mirrored traffic is 10 GB and the total price is CNY 360.5. When the cost of one UTS (ecs.se1.4xlarge (16 vCPU 128 GB, memory type (original exclusive) se1)) is CNY 4120.52 per month, the total cost of will be about CNY 4481 for one month.
Table 1. Cost of traffic mirror

When sending logs from the UTS to a on-premises ISOP, new costs for elastic IP and traffic may incur. In a word, as long as you use the public cloud services, you have to pay. The more you use and the longer it takes, the more you will pay.


Through the deployment modes mentioned, the network traffic in the tenant’s VPC can be mirrored and analyzed to detect and mitigate threats in the VPC that impact the customer’s business most leveraging different virtual security devices, further to improve tenants’security posture and visibility on attacks in the public cloud.