My team of SOC analysts is looking at captured internet traffic to provide cyber defense on behalf of several of our enterprise clients. Each client has a non-intrusive tap (usually a Gigamon or something similar). The Gigamon is situated outside the enterprise perimeter router, just before the enterprise's public demarc. Therefore the tap passes through all inbound and outbound WAN traffic. To the analysts, the tap is sending a copy of the traffic (some filtered, as in NetFlow or IPFIX, and some as full PCAP) for monitoring and analysis. If the enterprise is connected directly to the internet via an ISP, the analysis is relatively easy, as the analysts are looking directly at the internet traffic for behaviors and signatures that would indicate an attack or malware of some kind. This first situation is shown here (the downstream feed from the Gigamon to the SOC is not shown):
Enterprise LAN<----->Perimeter Router<------>Gigamon tap<-------public demarc<----->ISP<------>INTERNET
NOW THE QUESTION:
The question arises when a client is not directly connected to the internet via an ISP, but rather is connected through another provider before it gets to the internet.
This second situation is shown here where the enterprise access to the outside world is through another provider before actually hitting the internet. This makes the monitoring of internet traffic more complicated because there is extra encapsulation. Here is that scenario:
Enterprise LAN<----->Perimeter Router<------>Gigamon tap<-------public demarc<----->Service Provider (MPLS, VXLAN, SDWAN, cloud provider)<------>INTERNET
I'd like to get some detail as to how the tapped downstream data that is going to the analysts would be different. Four different cases here: 1. cloud provider (AWS, Azure, etc.); 2. SDWAN provider; 3. VXLAN provider; 4. MPLS provider. For all four cases the traffic is encapsulated with the service provider's headers.
Questions for all four cases:
1. How does the analyst know the traffic is going through a service provider, and how can they identify which kind (is it AWS? is it SDWAN? is it VXLAN? etc.)?
2. With that, is the analyst still able to identify/analyze the raw user traffic as if they were looking at the actual internet traffic?
Hope I explained this right.
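Added example, not part of the question above: a minimal Python classifier for the two encapsulations in the list whose headers are in the clear, MPLS and VXLAN. It answers both questions for a tapped frame by identifying the provider encapsulation from the outer headers (EtherType 0x8847 for MPLS, UDP destination port 4789 for VXLAN) and then stripping it to recover the user's own IPv4 packet for normal analysis. All frames, addresses, the MPLS label and the VNI are constructed sample values, and only IPv4 inner traffic is handled.

```python
import struct
from ipaddress import IPv4Address
ETH_IPV4, ETH_MPLS, VXLAN_PORT = 0x0800, 0x8847, 4789  # 0x8847 = MPLS unicast EtherType

def ipv4_header(src, dst, proto, payload_len):  # 20-byte header, checksum 0 (constructed)
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)
def ethernet(etype, payload):  # Ethernet II frame with placeholder MACs
    return b'\x02' * 6 + b'\x04' * 6 + struct.pack('!H', etype) + payload

def classify(frame):
    """Identify provider encapsulation on one tapped frame and strip it. Returns
    (kind, meta, inner_ip): kind is 'mpls', 'vxlan' or 'none'; inner_ip is the
    user's own IPv4 packet, i.e. what a direct ISP link would have shown."""
    etype = struct.unpack('!H', frame[12:14])[0]
    body = frame[14:]
    if etype == ETH_MPLS:                            # MPLS: 4-byte label stack entries
        labels = []
        while True:
            entry = struct.unpack('!I', body[:4])[0]
            labels.append(entry >> 12)               # top 20 bits are the label
            body = body[4:]
            if entry & 0x100:                        # bottom-of-stack bit ends the stack
                break
        if body[0] >> 4 != 4:                        # no EtherType under MPLS: sniff IP version
            raise ValueError('payload under MPLS is not IPv4')
        return 'mpls', {'labels': labels}, body
    if etype == ETH_IPV4:
        ihl = (body[0] & 0x0F) * 4
        if body[9] == 17:                            # UDP: VXLAN rides on dst port 4789
            dport = struct.unpack('!H', body[ihl + 2:ihl + 4])[0]
            if dport == VXLAN_PORT:
                vx = body[ihl + 8:ihl + 16]          # 8-byte VXLAN header: flags, VNI
                if not vx[0] & 0x08:
                    raise ValueError('VXLAN I flag not set')
                inner = body[ihl + 16:]              # inner Ethernet frame follows
                if struct.unpack('!H', inner[12:14])[0] != ETH_IPV4:
                    raise ValueError('inner frame is not IPv4')
                meta = {'vni': int.from_bytes(vx[4:7], 'big'),
                        'vtep_src': str(IPv4Address(body[12:16]))}
                return 'vxlan', meta, inner[14:]
        return 'none', {}, body                      # plain IPv4, as on a direct ISP link
    raise ValueError(f'unhandled EtherType {etype:#06x}')

# Constructed samples: one user packet 10.1.1.5 -> 203.0.113.9 (TCP, empty payload), carried
# once under MPLS (label 16001) and once inside VXLAN (VNI 5001) between two VTEPs.
USER_PKT = ipv4_header('10.1.1.5', '203.0.113.9', 6, 0)
MPLS_FRAME = ethernet(ETH_MPLS, struct.pack('!I', (16001 << 12) | 0x100 | 64) + USER_PKT)
VX_PAYLOAD = (struct.pack('!HHHH', 49152, VXLAN_PORT, 16 + 14 + len(USER_PKT), 0)
              + bytes([0x08, 0, 0, 0]) + (5001).to_bytes(3, 'big') + b'\x00'
              + ethernet(ETH_IPV4, USER_PKT))
VXLAN_FRAME = ethernet(ETH_IPV4, ipv4_header('192.0.2.1', '192.0.2.2', 17, len(VX_PAYLOAD)) + VX_PAYLOAD)
```

Encrypted overlays (for example IPsec ESP, IP protocol 50, which SD-WAN and cloud VPN paths commonly use) can be identified the same way from their outer headers, but the inner user traffic is not recoverable at the tap without the tunnel keys, so for those cases the feed must come from inside the tunnel endpoint.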