Add-On Pack: NG-NDR
- 1 Introduction
- 2 Deployment
- 2.1 Overview
- 2.2 Deploy Blue Hexagon Virtual Appliance(s)
- 2.3 Configure Traffic Mirroring
- 2.3.1 Azure VTAP
- 2.3.2 IXIA CloudLens
- 2.3.3 Gigamon GigaVue
Introduction
This document describes the steps needed to deploy the Blue Hexagon for Azure solution with Azure VM Image. Blue Hexagon inspects traffic within Azure workloads collected by various means like Azure VTAP, IXIA CloudLens, or Gigamon GigaVue. This stream of traffic is inspected in real-time to uncover and respond to threats. The solution described in this document utilizes many in-built features of Azure to make the deployment easier for Azure customers. Please note: a Blue Hexagon representative can assist you to deploy the solution.Â
Deployment
Overview
Here are the steps to deploy the Blue Hexagon for Azure.Â
Customer will provide Blue Hexagon a list of regions where they intend to deploy Blue Hexagon.
Blue Hexagon will share the private Azure VM Image in a Shared Image Gallery (SIG).
Customer can then provision the Blue Hexagon virtual appliance(s) using the shared image.
Configure traffic mirroring to Blue Hexagon virtual appliance(s).
The above steps are elaborated below.
Deploy Blue Hexagon Virtual Appliance(s)
Azure CLI required
Grant customer access to the Blue Hexagon Shared Image Gallery (SIG) by requesting a sign-in using a browser. Customer replaces <customer tenant ID> with their tenant ID.
az account show --query "tenantId"
https://login.microsoftonline.com/<customer tenant ID>/oauth2/authorize?client_id=6bbf8a78-f0f1-4d28-8467-18fc0feb6ae4&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
In the Azure portal sign-in, give the app registration access to the resource group where you want to create the VM.
Select the resource group and then select
Access control (IAM)
. UnderAdd role assignment
selectAdd
.Under
Role
, typeContributor
.Under
Assign access to:
, leave this asAzure AD user, group, or service principal
.Under
Select
typeBlueHexagonGalleryApp
then select it when it shows up in the list. When you are done, select Save.
Create VM.
App Secret
and image version
to be provided
az account clear
az login --service-principal -u '6bbf8a78-f0f1-4d28-8467-18fc0feb6ae4' -p '<App Secret>' --tenant 'ed76c3e7-e39a-4202-b502-81e791454b03'
az account get-access-token
az login --service-principal -u '6bbf8a78-f0f1-4d28-8467-18fc0feb6ae4' -p '<App Secret>' --tenant '<customer tenant ID>'
az account get-access-token
az vm create \
--resource-group <customer resource group> \
--name <name for VM> \
--image "/subscriptions/cbca359b-528a-4270-8bb3-415466b74116/resourceGroups/AzureBlueHexagon/providers/Microsoft.Compute/galleries/BlueHexagonGallery/images/bh-appliance-master/versions/<image version>" \
--size Standard_D8s_v3 \
--location <region(s)> \
--admin-username ubuntu \
--ssh-key-value <ssh public key>
Configure Traffic Mirroring
The Blue Hexagon virtual appliances can receive mirrored traffic from Azure VTAP or from packet brokers such as IXIA CloudLens or Gigamon GigaVue.
Azure VTAP
For instructions on how to configure Azure VTAP, refer to https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
IXIA CloudLens
IXIA CloudLens deploys agents in the workloads that are monitored. An agent forwards copies of packets from Source Instances (i.e. workload instances) to Monitoring Tool Group Instances (i.e. Blue Hexagon Virtual Appliances). Horizontal scaling is supported for additional capacity.
Ixia CloudLens Agents send metadata about the Cloud Instances to the Ixia CloudLens Management Portal. Metadata is used to identify source and monitoring tool instances so that traffic flow can be managed from the Portal. Note that application workload packet data itself is NOT sent up to the Management portal. Rather the customer's application packet data is sent over encrypted tunnels directly from the source instances to the monitoring tool instances in Azure; thus the customer data remains under the scope of their existing cloud security controls. To mirror traffic to Blue Hexagon:
Configure and Launch the Blue Hexagon Virtual Appliance instance(s) as described previously.
Create an Ixia Project to obtain Project Key. See IXIA CloudLens documentation for more details.
Install Ixia CloudLens Agent Key on Blue Hexagon Virtual Appliance instance(s). A Blue Hexagon representative will help install the agent license Key.
Install Ixia CloudLens Agent on source workload instances. See IXIA CloudLens documentation for more details.
Route Traffic to the Blue Hexagon Virtual Appliance Instance(s) as described below.
Route Traffic to the Blue Hexagon Monitoring Tool Group
Once the Agents are installed on the systems to be monitored, you will need to logon to the CloudLens Management Portal https://ixia.cloud/login to define a Monitoring Tool Group, Source Instance Monitoring Group(s), and Connections.
To begin, double click the Project created earlier (to obtain the Project Key) and click on either the Define A Group Button or Instances on the upper right of the screen.
Create a Monitoring Tool Group
The Monitoring Tool Group will only contain the Blue Hexagon Virtual Appliance. Use the Filters to select this Instance. Filters include: Tag, Instance Id, or any other options that. The filters control the table of instances on the right side of the screen, ensure that only the Blue Hexagon Virtual Appliance is displayed, then click Save Group.
Choose Save as a Tool, give it a Name, leave the Aggregation Interface as cloudlens0 (unless you have explicitly modified this on the Blue Hexagon Virtual Appliance), then click OK.
Â
Create a Source Instance Monitoring Group
The Source Instance Monitoring Group will contain all the systems to be monitored. Follow the previous step but this time choose any or all of the Source Instances you wish to monitor. Choose the applicable filters, then click on Save Group. Choose Save as instance group, give it a Name, then click OK and Close
Connect the Instance Groups and Monitoring Tool Groups
To connect the Source and Monitoring groups, drag a connection between the Instance Group, and Tool Group. Copies of the Source Instance traffic will now be copied over to the Blue Hexagon Virtual Appliance (traffic is securely forwarded over an Encrypted Peer to Peer Tunnel established by CloudLens).
Verify and View Data in the Blue Hexagon Portal
Once Installed, you can view the Blue Hexagon Virtual Appliance findings in the Blue Hexagon UI.
Gigamon GigaVue
For instructions on how to configure Gigamon GigaVue, refer to the GigaVue documentation.
Blue Hexagon Proprietary