Royal Holloway: Security evaluation of network traffic mirroring in public cloud

Table Of Contents

• To evaluate security and to determine the reliability of network traffic mirroring an experiment was carried out on two public cloud environments.
• The experiment involved looking at the weaknesses of the techniques used on public cloud to carry our network traffic mirroring.
• The experiment focused on three most used protocols (ICMP, HTTP and DNS) and was carried out in three separate scenarios.
• The main observations made and potential weaknesses discovered in the experiment were an inability to mirror DNS traffic; challenges with autoscaling of the mirror source node; and challenges with the addition of a new virtual network interface.
• The experiment found that network traffic mirroring in public cloud is a relatively new technology and while it offers various advantages for analysing and monitoring network traffic, it is not yet a mature technology and has some major flaws, including the inability to mirror DNS traffic.
• In the experiment this flaw was exploited to carry out data exfiltration thus highlighting this serious security drawback. We also suggested ways in which this situation can be addressed. However, they come with some restrictions and needs to be evaluated based on individual requirement.
• Further improvements in the design and implementation of network traffic mirroring in public cloud are required to ensure that mirroring technique mirrors all required network data reliably.