The ExtraHop system can decrypt SSL/TLS traffic on your network with forwarded session keys from your servers deployed in AWS. Session key forwarding must be enabled on each ExtraHop-managed sensor, and you must create a VPC endpoint on each VPC that includes the servers that you want to forward encrypted traffic from.
Communication between the key forwarder and the sensor is encrypted with TLS 1.2.
Learn more about SSL/TLS decryption.
Session key forwarding can be enabled when you deploy ExtraHop-managed sensors from Reveal(x) 360. You must enable session key forwarding for each sensor.
- Log in to the Reveal(x) 360 Console.
- Click System Settings and then click All Administration.
- Click Deploy Sensors. Select the Enable session key forwarding on this sensor checkbox as you complete the deployment process.
- From the Sensors page, wait for the Status column to display Enabled and the Key Forwarding Endpoint column to display the endpoint string.
- Copy the endpoint string. The string is required when you create an endpoint in your VPC.
Security groups determine which servers can forward session keys to the VPC endpoint as well as which session keys are accepted by the VPC endpoint. The following steps describe how to create the security group that permits inbound traffic to your VPC endpoint.
|Note:||Your AWS instances that are forwarding session keys must be configured with a security group that allows outbound traffic to the VPC endpoint.|
- Log in to the AWS Management Console.
- In the All services section, under Compute, click EC2.
- In the left pane under Network & Security, click Security Groups.
- Click Create Security Group.
- Type a name for the security group.
- Type a description about the security group.
- From the drop-down list, select the VPC that you want to forward traffic from. You must create a security group for each VPC that you need an endpoint for.
In the Inbound rule section, click Add
rule, and complete the following fields:
Type: Custom TCP
Port range: 4873
Source: Select Custom from the drop-down list and in the next field select one or more options, such as the CIDR block for the VPC, a CIDR block for the range of IP addresses that includes all of the servers that you want to forward secrets from, or an existing security group that is associated with both the instances and the endpoint—the security group must allow outbound traffic to TCP:4873.
- Click Create security group.
Create an endpoint for each VPC that can accept forwarded session keys from your servers and send them to the VPC Endpoint Service in the Reveal(x) 360 system.
- Return to the AWS Management Console.
- In the All services section, under Network & Content Delivery, click VPC.
- In the left pane, under Virtual Private Cloud, click Endpoints. (Do not click Endpoint Services.)
- Click Create Endpoint.
- For the Service category, select Find service by name.
- Paste the endpoint string you copied from Reveal(x) 360 into the Service Name field.
- Click Verify.
- From the VPC drop-down list, select the VPC that has the ENIs that are mirroring traffic to the sensor.
Make sure that the Enable DNS name checkbox is
Important: You must select Enable DNS hostnames and Enable DNS Support in the VPC settings.
- Select the security group you configured in the previous procedure.
- Click Create endpoint.
- Repeat these steps to create an endpoint for each target ENI that is a different VPC.
The following steps describe how to install and configure the ExtraHop session key forwarder software on supported Windows and Linux servers.
Before you begin
- Server instances must have an instance profile with an IAM role that grants permission to describe traffic mirror sessions (DescribeTrafficMirrorSessions) and traffic mirror targets (DescribeTrafficMirrorTargets). For more information about creating an instance profile, see the AWS documentation, Using an IAM role to grant permissions to applications running on Amazon EC2 instances.
- Log in to the Windows server.
- Download the latest version of the session key forwarder software.
- Double-click the ExtraHopSessionKeyForwarder.msi file and click Next.
- Select the box to accept the terms of the license agreement and then click Next.
- On the sensor hostname screen, leave the hostname field empty and then click Next.
- Accept the default TCP listen port value of 598 (recommended), or type a custom port value and then click Next.
- Click Install.
- When the installation completes, click Finish, and then click No to skip the server reboot.
- Open the Windows Registry Editor.
- In the Software section of HKEY_LOCAL_MACHINE, click ExtraHop.
- Right-click anywhere in the right pane and select .
- Type EDAHostedPlatform in the name field.
- Double-click EDAHostedPlatform to edit the string value.
Type aws in the Value data
field and then click OK.
The registry should appear similar to the following figure.
- Reboot the server.
- Log in to your Debian or Ubuntu Linux server.
- Download the latest version of the ExtraHop session key forwarder software.
Open a terminal application and run the following command.
sudo dpkg --install <path to installer file>
- Select hosted.
- Select Ok, and then press ENTER.
Type the following command to ensure that the
extrahop-key-forwarder service started:
sudo service extrahop-key-forwarder statusThe following output should appear:
Extrahop-key-forwarder.service - ExtraHop Session Key Forwarder Daemon Loaded: loaded (/etc/rc.d/init.d/extrahop-key-forwarder; enabled; vendor preset: enabled) Active: active (running) since Wed 2021-02-03 10:55:47 PDT; 5s ago
If the service is not active, start it by running this command:
sudo service extrahop-key-forwarder start
- Log in to your RPM-based Linux server.
- Download the latest version of the ExtraHop session key forwarder software.
Open a terminal application and run the following command:
sudo EXTRAHOP_CONNECTION_MODE=hosted rpm --install <path to installer file>
Type the following command to ensure the extrahop-key-forwarder service
sudo service extrahop-key-forwarder status
|EXTRAHOP_CONNECTION_MODE||Specifies the connection mode to the session key receiver. Options are direct for self-managed sensors and hosted for ExtraHop-managed sensors.||sudo EXTRAHOP_CONNECTION_MODE=hosted rpm --install extrahop-key-forwarder.x86_64.rpm|
|EXTRAHOP_EDA_HOSTNAME||Specifies the fully qualified domain name of the self-managed sensor.||sudo EXTRAHOP_CONNECTION_MODE=direct EXTRAHOP_EDA_HOSTNAME=host.example.com dpkg --install extrahop-key-forwarder_amd64.deb|
|EXTRAHOP_LOCAL_LISTENER_PORT||The key forwarder receives session keys locally from the Java environment through a TCP listener on localhost (127.0.0.1) and the port specified in the LOCAL_LISTENER_PORT field. We recommended that this port remain set to the default of 598. If you change the port number, you must modify the -javaagent argument to account for the new port.||sudo EXTRAHOP_CONNECTION_MODE=direct EXTRAHOP_EDA_HOSTNAME=host.example.com EXTRAHOP_LOCAL_LISTENER_PORT=900 rpm --install extrahop-key-forwarder.x86_64.rpm|
|EXTRAHOP_SYSLOG||Specifies the facility, or machine process, that created the syslog event. The default facility is local3, which is system daemon processes.||sudo EXTRAHOP_CONNECTION_MODE=direct EXTRAHOP_EDA_HOSTNAME=host.example.com EXTRAHOP_SYSLOG=local1 dpkg --install extrahop-key-forwarder_amd64.deb|
|EXTRAHOP_ADDITIONAL_ARGS||Specifies additional key forwarder options.||sudo EXTRAHOP_CONNECTION_MODE=hosted EXTRAHOP_ADDITIONAL_ARGS="-v=true -libcrypto=/some/path/libcrypto.so libcrypto=/some/other/path/libcrypto.so" rpm --install extrahop-key-forwarder.x86_64.rpm|
To validate that the ExtraHop system is able to receive forwarded keys, create a dashboard that identifies messages successfully received.
- Create a new dashboard.
- Click the chart widget to add the metric source.
- Click Add Source.
- In the Sources field, type Discover in the search field and then select Discover Appliance.
- In the Metrics field, type received messages in the search field and then select Key Receiver System Health - Received Messages Containing Keys.
- Click Save.
The ExtraHop system provides metrics that you can add to a dashboard to monitor session key forwarder health and functionality.
To view a list of available metrics, click the System Settings icon and then click Metric Catalog. Type key receiver in the filter field to display all available key receiver metrics.
Learn how to Create a dashboard.