
Introduction

This document describes the steps needed to deploy the Blue Hexagon for GCP solution with GCP Packet Mirroring. Blue Hexagon inspects network traffic generated by GCP Compute Engine and GCP Kubernetes Engine workloads to uncover and respond to threats in real-time.

A Blue Hexagon representative can assist you to deploy the solution.

Deployment

Getting Started

Share your GCP project or Compute Engine service account email address with your Blue Hexagon representative. Blue Hexagon will in turn share a custom Compute Engine image and add the provided email address as an Image User, as described here.

Prerequisites

  • You must have a GCP project with a VPC containing at least one private subnet.

  • The VPC must be configured for Cloud NAT to allow Blue Hexagon virtual appliances deployed in the private subnet to reach out to the Blue Hexagon cloud.

  • The Blue Hexagon deployment manager template creates a 0.0.0.0/0 outbound firewall rule to allow outbound communications with the Blue Hexagon cloud - do not remove this.

  • [Preferred] The gcloud command line tool to deploy the Blue Hexagon for GCP Deployment Manager package. Follow instructions here to install. The following command may be useful.

    curl https://sdk.cloud.google.com | bash

GCP Security Audit Setup

Step 1: Enable API

Log in to the GCP account you wish to connect with Blue Hexagon and enable the following APIs (e.g. via Cloud Shell):

gcloud services enable appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com compute.googleapis.com container.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com iam.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com recommender.googleapis.com monitoring.googleapis.com logging.googleapis.com serviceusage.googleapis.com 

Step 2: Create Service Account

Name the service account, e.g. bluehexagonsecurity.

Grant the service account the following permissions:

  • Viewer

  • Security Reviewer

  • Storage Object Viewer

Step 3: Create and Export JSON Key File

Step 4: Register JSON Key File with Blue Hexagon

  • Download the Blue Hexagon for GCP Deployment Manager package here.

  • Your welcome email should have the password to decrypt the package; if not, ask your Blue Hexagon representative for the same. Unzip the package using unzip or equivalent.

  • Run the following command (requires python3; use GCP Cloud Shell if necessary):

    cd bluehexagon
    ./bh_gcp_registration.py -l <YOUR-BLUEHEX-SAAS-LICENSE> -k <PATH-TO-DOWNLOADED-JSON-KEYFILE>

If you are unable to complete the above steps, you can alternatively share the JSON key file with your Blue Hexagon representative, who will complete the registration for you.

Deploying Blue Hexagon Network Threat Defense

Blue Hexagon is deployed as an autoscaling managed instance group behind an internal load balancer in a subnet in your VPC.

  1. You will receive a welcome email from Blue Hexagon with the following information:

    1. Blue Hexagon for GCP license key

    2. Password to decrypt the Blue Hexagon for GCP Deployment Manager solution package

  2. Download the Blue Hexagon for GCP Deployment Manager package here. Your welcome email should have the password to decrypt the package; if not, ask your Blue Hexagon representative for the same.

  3. Unzip the downloaded package - enter the password when prompted.

    $ unzip bluehexagon_gcp.zip
    Archive:  bluehexagon_gcp.zip
    [bluehexagon_gcp.zip] password: 
      inflating: bluehexagon/bluehexagon-instance-template.jinja  
      inflating: bluehexagon/README.md   
      inflating: bluehexagon/bluehexagon-instance-template.jinja.schema  
      inflating: bluehexagon/bluehexagon.jinja  
      inflating: bluehexagon/bluehexagon.jinja.schema  

  4. Deploy using the gcloud command line tool. Replace the following in the gcloud command line to suit your needs:

    1. bhdemo with the desired name of your GCP Deployment Manager stack

    2. projects/foo-bar/global/networks/dev1 with the name of the VPC in which you want to deploy Blue Hexagon

    3. regions/us-west2/subnetworks/private with the name of the subnet in which you want to deploy Blue Hexagon

    4. us-west2 with the region in which you want to deploy Blue Hexagon

    5. YOUR_LICENSE_KEY with the Blue Hexagon for GCP license key in your welcome email

      $ cd bluehexagon
      $ gcloud deployment-manager deployments create bhdemo \
          --template bluehexagon.jinja \
          --properties network:projects/foo-bar/global/networks/dev1,subnet:regions/us-west2/subnetworks/private,region:us-west2,bluehexagonLicenseKey:YOUR_LICENSE_KEY,vmImage:projects/bh-assets-289216/global/images/bh-gcp-3-0-0-bhap-1241

On success, you can check to see that the internal load balancer has been created along with a healthy backend managed instance group, as shown in the screenshots below.

Packet Mirroring Configuration

The following steps describe how to configure GCP Packet Mirroring in the GCP console to direct traffic from your source workloads in GCP Compute Engine and GCP Kubernetes Engine to the Blue Hexagon collector deployed in the previous steps. For more details and troubleshooting, refer to the GCP Packet Mirroring documentation.

  • Go to VPC network > Packet mirroring.

  • Create a new Packet Mirroring policy.

  • Define policy overview.

  • Select VPC network containing workloads to mirror.

The VPC containing workloads to mirror may be different from the VPC in which the Blue Hexagon collector is deployed. If so, set up VPC peering between the mirrored source and collector VPCs.

  • Specify the traffic source that will be mirrored. You can specify the source by selecting:

    • one or more subnets (as shown in this example),

    • instances with matching tags, or

    • individual instances (VMs).

  • Select the newly created internal load balancer (forwarding rule) as the destination of packet mirroring.

  • You can choose to mirror all traffic (default and recommended) or mirror only specific protocols / IP ranges as shown below.

Mirror Only Internet Traffic

GCP Packet Mirroring currently does not support negative filters, i.e. a "not" condition such as not 10.0.0.0/8. To work around this and mirror only internet traffic, specify a filter whose CIDR blocks together cover every address outside the 10.0.0.0/8 internal range. IP ranges to use:

128.0.0.0/1, 64.0.0.0/2, 32.0.0.0/3, 16.0.0.0/4, 0.0.0.0/5, 12.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8
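As an added worked example (not part of the original page or of the Blue Hexagon package), the script below computes the CIDR list that tiles IPv4 without 10.0.0.0/8, checks that it matches the ranges above, and generalizes the same workaround to excluding all three RFC 1918 ranges; it also assembles the equivalent gcloud packet-mirrorings create command line using the documented --filter-cidr-ranges flag. The policy, region, network, subnet and forwarding-rule names passed to it are placeholders.

```python
import ipaddress

# The page's workaround list for "everything except 10.0.0.0/8".
PAGE_RANGES = ["128.0.0.0/1", "64.0.0.0/2", "32.0.0.0/3", "16.0.0.0/4",
               "0.0.0.0/5", "12.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def complement(excludes):
    """Smallest set of CIDR blocks covering all of IPv4 except `excludes`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e) for e in excludes):
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):          # fully inside an excluded range: drop
                continue
            if ex.subnet_of(net):          # carve the excluded range out of this block
                nxt.extend(net.address_exclude(ex))
            else:                          # disjoint CIDR blocks: keep unchanged
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def covers_exactly(ranges, excludes):
    """True if `ranges` tile IPv4 exactly once, leaving out only `excludes`."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    exs = [ipaddress.ip_network(e) for e in excludes]
    if any(n.overlaps(e) for n in nets for e in exs):
        return False                       # an excluded range would still be mirrored
    total = sum(n.num_addresses for n in nets)
    if total != sum(n.num_addresses for n in ipaddress.collapse_addresses(nets)):
        return False                       # ranges overlap each other
    excluded = sum(e.num_addresses for e in ipaddress.collapse_addresses(exs))
    return total == 2 ** 32 - excluded

def is_mirrored(ranges, cidr):
    """Would traffic to/from `cidr` match a policy filtered on `ranges`?"""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(ipaddress.ip_network(r)) for r in ranges)

def packet_mirroring_cmd(name, region, network, subnet, collector_ilb, ranges):
    """gcloud argv for a policy using the computed filter (all names are placeholders)."""
    return ["gcloud", "compute", "packet-mirrorings", "create", name,
            f"--region={region}", f"--network={network}",
            f"--mirrored-subnets={subnet}", f"--collector-ilb={collector_ilb}",
            f"--filter-cidr-ranges={','.join(ranges)}"]

if __name__ == "__main__":
    print(" ".join(packet_mirroring_cmd("bh-internet-only", "us-west2", "dev1",
                                        "private", "bhdemo-ilb", complement(["10.0.0.0/8"]))))
```

Note that the page's eight ranges still mirror 172.16.0.0/12 and 192.168.0.0/16; passing RFC1918 to complement() yields the list to use when all three private ranges should stay unmirrored.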

Cross-VPC Packet Mirroring

You can set up cross-VPC (and cross-project) Packet Mirroring by following the steps described in the GCP Packet Mirroring documentation.

Shared VPC Packet Mirroring

You can set up packet mirroring in a Shared VPC setting by following the steps described in the GCP Packet Mirroring documentation.

Intranode visibility

You can also set up packet mirroring with GKE intranode visibility enabled, so that traffic between containers on the same node is mirrored as well; see:

https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility?hl=en

Verify Setup

If Blue Hexagon and Packet Mirroring are set up correctly, you will see observations from the GCP appliance in the Discover view of the Blue Hexagon portal, as shown below.

To delete the stack, assuming you named it bhdemo, run the following command:

gcloud deployment-manager deployments delete bhdemo
