vinagend
Cisco Employee

DevOps practices and tools increase an organization’s ability to deliver reliable applications and services at speed and scale while supplying built-in security controls and compliance. This article explores “GitOps and Infrastructure as Code”.

GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD tooling, and applies them to infrastructure automation.


Let’s say you are going to deploy an application on AWS using a couple of EC2 instances and a VPC with a public subnet. The first EC2 instance acts as an edge firewall, and the others are EKS worker nodes on which microservices can be set up with Kubernetes. You will use Jenkins and GitHub as the pipeline tools, and for most of the infrastructure as code you will use Terraform, which is very popular for configuration management. We’ll deploy the following application stack using the tools mentioned below:

  • Security Analytics and Threat Detection
      • Secure Cloud Analytics
      • Secure Cloud Insights
  • Workload Protection
      • Secure Workload
  • Cloud Native Application Protection
      • Panoptica “The Secure Application Cloud”
  • Application Security
      • Secure Application (AppD)

 


To set up the development environment you need a source code repository, a CI/CD pipeline and infrastructure as code. The tools we are going to use are listed below.

  • Source Code Repository
      • GitHub: Source Code Management and Version Control
  • CI/CD Pipeline
      • Jenkins Multibranch Pipeline Project: Jenkins automates and orchestrates the build and deployment of the environment
      • Jenkinsfile (aka Pipeline as Code): select the Cloud Native Security pipeline

This Cloud Native Security job is a multibranch pipeline into which all the branches are pulled.

 

If we click on the Configure button, we can see the GitHub repo URL.

If you scroll down, you can also see the scan interval, which has been set to 1 minute.
  • Infrastructure as Code
      • Terraform Modules to provision infrastructure

Inside the infrastructure module you have VPC, FTD and EKS modules, each Terraform module doing one small thing. The idea is to have Terraform create the EC2 instance and install the image on it, then link it to the subnet and VPC network we have. That’s the Day-0 deployment.

Walking through the code, you can see the environment setup.

If you navigate to the main.tf file, you can see a number of modules. The idea is to pass all the variables into the modules.

Scrolling down, you can see the provider details.
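As an added illustration (not the repository’s own main.tf), this is how such a root module can compose the VPC, FTD and EKS modules, pin the provider and pass the variables down. The module paths, input names and outputs (vpc_id, public_subnet_ids) are assumptions; the state bucket and lock table are placeholders.

```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  # Remote state with locking: two Jenkins branch builds cannot apply at once.
  backend "s3" {
    bucket         = "REPLACE-WITH-STATE-BUCKET" # placeholder
    key            = "cloud-native-security/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "REPLACE-WITH-LOCK-TABLE" # placeholder
    encrypt        = true
  }
}

# No static access keys in the repo: the Jenkins agent's IAM role is used.
provider "aws" {
  region = "us-east-1" # assumption
}

variable "cluster_name" {
  type    = string
  default = "cloud-native-security"
}

# Every value the child modules need is passed in from this root module.
module "vpc" {
  source       = "./modules/vpc" # assumed path
  cluster_name = var.cluster_name
  cidr_block   = "10.0.0.0/16"
}

module "ftd" {
  source    = "./modules/ftd" # assumed path: the edge firewall EC2 instance
  vpc_id    = module.vpc.vpc_id
  subnet_id = module.vpc.public_subnet_ids[0]
}

module "eks" {
  source       = "./modules/eks" # assumed path
  cluster_name = var.cluster_name
  vpc_id       = module.vpc.vpc_id
  subnet_ids   = module.vpc.public_subnet_ids
}
```

The backend block is what lets several pipeline branches share one state safely; `terraform plan` output from the pipeline is the review artifact before any apply.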

We also have a file “ftdv_ansible_deply.tf” which checks that the Firepower device is talking to the management interface. If it’s a new deployment, it runs all the initial setup.

  • Ansible Playbooks and Docker Image to configure Policy

If you navigate to Open Blue Ocean in Jenkins,

a window as shown below will open.

Once you click on Cloud Native Security, you can see a pipeline named Infrastructure.

If you click and drill down into it, you can see a build in which 48 resources are created to build the infrastructure.

Now that the infrastructure is ready, let’s look at Security Analytics and Threat Detection.

Secure Cloud Insights gives complete visibility into cloud security posture while continually monitoring, detecting policy violations and mapping relationships between all assets to understand the entire attack surface. What you are going to do is:

  • Deploy Cloud Native Application
  • Deploy Cisco Secure Cloud Analytics
  • Dive into visibility, threat detection and alerting

Let’s dive into an already built microservice application named Yelb. Yelb lets users vote on a set of alternatives (restaurants) and dynamically updates pie charts based on the number of votes received.

You can deploy the application using the kubectl command.

When you deploy an application then you need to consider the following:

  • Identify all assets in cloud and on-prem
  • Visibility into all flows and connections
  • Baseline normal activity
  • Alert based on anomalies
  • Respond to threats quickly
  • Deployed using Terraform

All the tools needed for the above tasks are installed on a Kubernetes cluster.

Here we are going agentless, which uses the service mesh. Similar to the deployment done for the infrastructure, we are going to do the same for Secure Cloud Analytics.

Here you are using the Kubernetes provider and loading the modules mentioned below: Service Account, Cluster Role Binding, and DaemonSet, which installs the agent on each worker node.
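As an added example, not the module from the repository, these are the three objects named above declared with the Kubernetes provider. The kubeconfig path, namespace, RBAC verbs and sensor image are assumptions; the image is a placeholder.

```hcl
provider "kubernetes" {
  config_path = "~/.kube/config" # assumption: kubeconfig written by the EKS stage
}

resource "kubernetes_service_account" "sensor" {
  metadata { name = "sensor" } # default namespace, an assumption
}

# Least privilege: a read-only ClusterRole instead of binding cluster-admin.
resource "kubernetes_cluster_role" "sensor_read" {
  metadata { name = "sensor-read" }
  rule {
    api_groups = [""]
    resources  = ["pods", "nodes", "services", "namespaces"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_cluster_role_binding" "sensor_read" {
  metadata { name = "sensor-read" }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.sensor_read.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.sensor.metadata[0].name
    namespace = "default"
  }
}

# A DaemonSet schedules exactly one sensor pod on every worker node.
resource "kubernetes_daemonset" "sensor" {
  metadata { name = "sensor" }
  spec {
    selector { match_labels = { app = "sensor" } }
    template {
      metadata { labels = { app = "sensor" } }
      spec {
        service_account_name = kubernetes_service_account.sensor.metadata[0].name
        container {
          name  = "sensor"
          image = "REPLACE-WITH-SENSOR-IMAGE:tag" # placeholder, not a real image
        }
      }
    }
  }
}
```

Binding the ServiceAccount to a read-only ClusterRole rather than cluster-admin limits what a compromised sensor pod or node could do with the token mounted into it.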

Once the code is merged, you can see another pipeline named secure_cloud_analytics on Jenkins.

Once you click on the pipeline secure_cloud_analytics, the following page opens.

Once the Terraform deployment is done, open the Secure Cloud Analytics dashboard.

It provides all the visibility needed as you scroll down the screen.

On scrolling down, select Session Traffic.

It will give the information about the cluster, as shown below.

It also provides alerts with some monitoring tactics to analyze what happened based on the triggers that have been set.

If we click on Internal Connection Watchlist Hit, it opens a window as shown below.

Once you have visibility, the next step is to load workload protection using a DaemonSet and provide micro-segmentation between the pods of the microservice application. To achieve this, you deploy policy as code, which means a unified policy across host, network and cloud.

The AWS connector consolidates VPC flow log ingestion, context gathering (AWS tags and labels), AWS cloud-managed Kubernetes orchestration (Kubernetes object labels and annotations), and agentless enforcement, which enforces segmentation using AWS security groups.

In Cisco Secure Workload, under Manage -> Agents, we can see the EC2 instance on which an agent is deployed.

Also, if you click on Connectors, you can see the options shown below.

When you select AWS as the connector, you pull in all VPC and EKS instances, where all labels come from Kubernetes.

Your next step is to find policies for those labels. But before that, navigate to the code of the Secure Workload module.

Navigate to the file secure_workload.tf under the secure_workload module.

You can see how policy as code works. In Cisco Secure Workload everything is a scope. For example, you can see how the Yelb App scope has been set up. The code is written as a simple query so that, whatever the cluster name is, a label is created for it.

The code provides full micro-segmentation in the cloud environment. Once the code is merged, you will see the pipeline on Jenkins.

Next you will explore the Kubernetes environment, where you need Cloud Native Application Protection to secure Kubernetes, containers, pods and APIs. The steps to accomplish this are listed below.

  • Deploy Panoptica
      • Terraform – Istio Service Mesh and Secure App Cloud Controller
  • CI/CD Plugins
      • CI – Jenkins
      • CD – Terraform
  • Runtime Policies
      • Deployment, Connection, Event, and API
  • Risk Assessment
      • K8Shield – Mapping to MITRE

In the code walkthrough you can see that first you have to deploy the cluster in which the connection rules are coded.

If you navigate to the Panoptica interface, you will see:

Navigate to Runtime to see the vulnerabilities related to the Yelb app by checking the Workloads, Connections, Events and Workspaces menus.

Then, under the Policies menu, you can see the rules which the Policy Advisor recommends.

Last but not least, deploy Cisco Secure Application (AppD) to secure applications at runtime:

Application Performance Monitoring (APM) on the Java Virtual Machine (JVM)

  • Security Visibility in Application Native Context
      • Full map of Application
  • Vulnerability Assessment and Remediation
      • Vulnerable libraries and Remediation versions
      • Policy rules to dynamically patch
  • Attack Detection and Protection
      • Attack types, Event triggers, Commands and Stack Traces

Cisco Secure Application

If you think of security up the stack, Cisco has a cloud native platform with all the pieces in place, and all you have to do is bring them together, using the features and tools listed below.

  • Built cloud native infrastructure using GitOps
      • DevOps tools – Jenkins, GitHub, Terraform, Ansible, kubectl, AWS CLI
  • Security Analytics and Threat Detection
      • Cisco Secure Cloud Analytics – Visibility, detection and alerting
  • Workload Protection
      • Cisco Secure Workload – Micro-segmentation and visibility
  • Kubernetes and Container Security
      • Cisco Secure Application Cloud – CI/CD integration, container and API policies
  • Application Security
      • Cisco Secure Application (AppD) – App visibility, vulnerabilities, attacks and events

Resources

GitHub URL: https://github.com/emcnicholas/BRKSEC-2353_Deploying_Cisco_Secure_Cloud_Native_Security_using_GitOps

 
