Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Introduction

This document describes the steps needed to

Note

To complete the steps below, you must have a valid Blue Hexagon SaaS license. Please contact your Blue Hexagon representative to obtain a license. You can request a free trial license here.

Blue Hexagon Setup

GCP Security Audit Setup

The first step to protecting your cloud with Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI is to connect Blue Hexagon with your GCP project(s). Follow the steps here:

Connect GCP Account with Blue Hexagon

Blue Hexagon Network Threat Defense Setup

This following steps deploy the Blue Hexagon for GCP solution with GCP Packet Mirroring. Blue Hexagon inspects network traffic generated by GCP Compute Engine and GCP Kubernetes Engine workloads to uncover and respond to threats in real-time.

A Blue Hexagon representative can assist you to deploy the solution.

Deployment

Getting Started

Share your GCP project or Compute Engine service account email address with your Blue Hexagon representative. Blue Hexagon will in turn share a custom Compute Engine image and add the provided email address as an Image User, as described here.

Prerequisites
  • You must have a GCP project with a VPC containing at least one private subnet.

  • The VPC must be configured for Cloud NAT to allow Blue Hexagon virtual appliances deployed in the private subnet to reach out to the Blue Hexagon cloud.

  • The Blue Hexagon deployment manager template creates a 0.0.0.0/0 outbound firewall rule to allow outbound communications with the Blue Hexagon cloud - do not remove this.

  • [Preferred] The gcloud command line tool to deploy the Blue Hexagon for GCP Deployment Manager package. Follow instructions here to install. The following command may be useful.

    Code Block
    curl https://sdk.cloud.google.com | bash

GCP Security Audit Setup

Step 1: Enable API

Login to the GCP account you wish to connect with Blue Hexagon and enable (e.g. via cloud shell) the following APIs.

Code Block
gcloud services enable appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com compute.googleapis.com container.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com iam.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com recommender.googleapis.com monitoring.googleapis.com logging.googleapis.com serviceusage.googleapis.com 

Step 2: Create Service Account

Name the service account, e.g. bluehexagonsecurity

Grant the service account the following permissions:

  • Viewer

  • Security Reviewer

  • Storage Object Viewer

Step 3: Create and Export JSON Key File

...

Share the JSON key file with your Blue Hexagon representative, who will complete the registration for you.

Deploying Blue Hexagon Network Threat Defense

...

Deployment

Blue Hexagon is deployed as an autoscaling managed instance group behind an internal load balancer in a subnet in your VPC.

  1. You will receive a welcome email from Blue Hexagon with the following information:

    1. Blue Hexagon for GCP license key

    2. Password to decrypt the Blue Hexagon for GCP Deployment Manager solution package

  2. Download the Blue Hexagon for GCP Deployment Manager package here. Your welcome email should have the password to decrypt the package; if not, ask your Blue Hexagon representative for the same.

  3. Unzip the downloaded package - enter the password when prompted.

    Code Block
    $ unzip bluehexagon_gcp.zip
    Archive:  bluehexagon_gcp.zip
    [bluehexagon_gcp.zip] password: 
      inflating: bluehexagon/bluehexagon-instance-template.jinja  
      inflating: bluehexagon/README.md   
      inflating: bluehexagon/bluehexagon-instance-template.jinja.schema  
      inflating: bluehexagon/bluehexagon.jinja  
      inflating: bluehexagon/bluehexagon.jinja.schema  
  4. Deploy using the gcloud command line tool. Replace the following in the gcloud command line to suit your needs:

    1. bhdemo with the desired name of your GCP Deployment Manager stack

    2. projects/

...

    1. {project id}/global/networks/dev1 with the name of the VPC in which you want to deploy Blue Hexagon.

    2. regions/us-west2/subnetworks/private with the name of the subnet in which you want to deploy Blue Hexagon

    3. us-west2 with the region in which you want to deploy Blue Hexagon

    4. YOUR_LICENSE_KEY with the Blue Hexagon for GCP license key in your welcome email

      Code Block
      languagebash
      $ cd bluehexagon
      $ gcloud deployment-manager deployments create bhdemo
        --template bluehexagon.jinja
        --properties network:projects/

...

    1. {project id}/global/networks/{vpc network name},
        subnet:regions/us-west2/subnetworks/{private subnet name},
        region:{region},
        bluehexagonLicenseKey:{BLUE HEXAGON THREAT LICENSE},
        vmImage:projects/bh-assets-289216/global/images/bh-gcp-3-0-0-bhap-1241

An example command would look like

Code Block
$ cd bluehexagon
$ gcloud deployment-manager deployments create bhdemo
  --template bluehexagon.jinja
  --properties network:projects/{project id}/global/networks/dev1,
  subnet:regions/us-west2/subnetworks/private,
  region:us-west2,
  bluehexagonLicenseKey:{API-KEY},
  vmImage:projects/bh-assets-289216/global/images/bh-gcp-3-0-0-bhap-1241

Tip

On success, you can check to see that the internal load balancer has been created along with a healthy backend managed instance group, as shown in the screenshots below.

Image ModifiedImage Modified

Packet Mirroring Configuration

Info

The following steps describe how to configure GCP Packet Mirroring to direct traffic from your source workloads to Blue Hexagon for inspection. For more details and troubleshooting, refer to the GCP Packet Mirroring documentation.

...

  • You can choose to mirror all traffic (default and recommended) or mirror only specific protocols / IP ranges as shown below.

...

Mirror Only Internet Traffic

GCP Packet Mirroring currently does not support negative filters supporting the “not” condition, e.g. not 10.0.0.0/8. To work around this and mirror only internet traffic, specify a filter that includes public CIDR blocks and excludes 10.0.0.0/8 internal traffic. IP ranges to use:
128.0.0.0/1 , 64.0.0.0/2 , 32.0.0.0/3 , 16.0.0.0/4 , 0.0.0.0/5 , 12.0.0.0/6 , 8.0.0.0/7 , 11.0.0.0/8

NOTE: Each CIDR block needs to be added one by one for GCP to recognize it. The whole string above cannot be cut and pasted.

Image Modified

Cross-VPC Packet Mirroring

You can set up cross-VPC (and cross-project) Packet Mirroring by following the steps described in the GCP Packet Mirroring documentation.

Peering needs to be setup both ways from network1 to network2 and vice-versa

...

Shared VPC Packet Mirroring

You can set up packet mirroring in a Shared VPC setting by following the steps described in the GCP Packet Mirroring documentation.

Intranode visibility

You can setup packet mirroring to show intranode visibility (internal to containers)

https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility?hl=en

Verify Setup

If Blue Hexagon and Packet Mirroring are setup correctly, you will see observations in the Blue Hexagon portal from the gcp appliance in the Discover view as shown below.

...