Are you ready to unlock the full potential of Cisco Multicloud Defense (MCD)? This tutorial will guide you step by step on how to leverage its powerful capabilities—including enhanced visibility and intrusion prevention and detection systems (IPS and IDS)—to protect your Amazon Web Services (AWS) cloud network. Get ready to take your cloud security to the next level!

Note: This tutorial is designed to complement the Secure Your AWS Infrastructure by Taking These Few Steps hands-on session at Cisco U. Spotlight 2024.

What You’ll Learn

• How to set up a Cisco MCD sandbox lab in your AWS account
• How to set up a Cisco Defense Orchestrator tenant for MCD
• How to connect your AWS account to MCD and enable the Traffic Visibility feature
• How to configure an MCD Gateway for ingress, east-west, and egress IPS and IDS traffic inspection from your virtual private cloud (VPC)
• How to test your visibility and IPS/IDS for threat detection

What You’ll Need

• AWS cloud familiarity
• An AWS account
• Install the AWS CLI
• Install the Session Manager plug-in for the AWS CLI
• Install Terraform

Have fun!

In this task, you will learn how to prepare a sandbox environment in your AWS account. The environment consists of two types of resources:

• 🛡️ Defender: This VPC hosts an Amazon Elastic Compute Cloud (EC2) instance running the web server on port 80/TCP. We’re going to protect this VPC using Cisco MCD.

• ⚔️ Attacker: This VPC hosts an EC2 instance from which we’re going to launch simulated attacks against the Defender VPC to test threat detection capabilities.

The VPCs will be deployed in the us-east-1a availability zone of the US East (N. Virginia) us-east-1 AWS region.

Prerequisites

• AWS Account
• AWS CLI
• Session Manager plug-in for the AWS CLI
• Terraform

Deploying the Sandbox Infrastructure

1. Ensure that your AWS account is configured to be used by the AWS CLI.

   The following command should return your account details if it is configured correctly:

   aws sts get-caller-identity
   

2. Create a directory to host the Terraform code.

   mkdir mcd-sandbox && cd ./mcd-sandbox
   

3. Download the Terraform code and save it into the previously created directory.

   Download link

4. Deploy the Terraform code.

   Run the following commands from the directory where the main.tf file has been downloaded:

   terraform init
   terraform plan
   terraform apply
   

   You should receive an “Apply complete!” message once it has successfully completed.

5. Take note of the resource details provided in the Terraform output.

   • attacker_instance_id
   • attacker_instance_public_ip
   • defender_instance_id
   • defender_instance_private_ip
   • defender_instance_public_ip

   Those values will be used later during the Testing IPS and IDS task of this tutorial.

Your sandbox lab in AWS account is ready!

Cisco MCD comes as a built-in feature within Cisco Defense Orchestrator, so you need a configured Defense Orchestrator tenant before enabling it.

Note: Please skip this setup procedure if you already have an established Defense Orchestrator tenant. Otherwise, please use the following instructions, which will allow you to enroll in a 30-day free trial of Defense Orchestrator.

Defense Orchestrator Setup Procedure

1. Visit http://www.getcdo.com/.

   Read through the instructions.

   

2. Select the region, and click the Sign Up button.

   Note: In most cases, selecting the region nearest to the region of your cloud infrastructure that you’re going to protect is the best option. The lab infrastructure is located in us-east-1 (North Virginia), so in this instance, select North America.

   

3. Log in to your existing Cisco account, or create a new one.

   

4. (Optional) Enable multifactor authentication (MFA).

   

5. Name your Defense Orchestrator tenant. Click the Create new account button.

   Note: Mind the name restrictions.

   

6. Wait until the tenant becomes ready.

   Note: The process can take a minute.

   

7. Read the End User Agreement, and click the Accept button.

   

8. Congratulations! Your Defense Orchestrator tenant is ready.

   • You should see Multicloud Defense in the left menu.
   • Your free trial of Defense Orchestrator is active.

   

In this task, you will add your AWS account to Cisco MCD and enable the Traffic Visibility feature on the VPC that you’re going to protect.

Connecting Your AWS Account

1. Access the Defense Orchestrator home page.

   Note: If your Defense Orchestrator session has timed out, visit https://defenseorchestrator.com/ and log in again.

2. Select Multicloud Defense from the left menu.

   Note: You should see a “Welcome to Multicloud Defense!” wizard pop-up.

   

3. Go through all the instructions by clicking Next several times and then Begin.

   

   Multicloud Defense will start initializing. This may take a couple of minutes to complete.

   

4. From the Connect a Cloud Account page, select AWS.

   

   You will be redirected to a wizard that asks you to launch a CloudFormation template.

   

5. From a separate tab in your web browser, sign in to the AWS Management Console using your AWS account with admin permissions.

   • Access URL: https://us-east-1.console.aws.amazon.com/console/home?region=us-east-1#

   • Make sure that the N. Virginia (us-east-1) region is selected.

   

6. Switch back to the Multicloud Defense wizard, and click Launch Stack.

   Read through the Cloud Cost Notice. Click Launch Stack again if you accept the AWS cloud service provider charges associated with creating the resources.

   

   You should be redirected to the CloudFormation service page in the AWS Management Console.

7. Create a stack in AWS using the loaded CloudFormation template.

   Note: In most cases, you can use the default values.

   

   Adjust the S3 Bucket Name to ensure that:

   • All underscore (or other forbidden) characters have been removed.
   • The name is globally unique.

   Note the S3 Bucket Name value. The name will be needed in a later step.

   

   Acknowledge the information under the Capabilities section if you accept the conditions.

   

   Click Create stack.

   

   Wait until the stack deployment completes.

   You should get CREATE_COMPLETE status. If the stack creation fails, then try again with a changed S3 Bucket Name.

   

   From the Outputs tab, copy and note down the following values:

   • AccountNumber
   • MCDControllerRoleArn
   • MCDInventoryRoleArn

   

   These values will be required in the subsequent steps.

8. Navigate back to the Multicloud Defense wizard, and click Next.

   

9. Provide the account number and account name; you noted the AccountNumber value earlier during the stack deployment. Click Next.

   

10. In the Controller IAM Role and Inventory Monitor Role fields, enter the respective Amazon Resource Names (ARNs). You noted the MCDControllerRoleArn and MCDInventoryRoleArn values earlier during the stack deployment. Click Done.

    Note: The External ID field doesn’t need to be changed.

    

Your account is now connecting to Defense Orchestrator.

Enabling Traffic Visibility

11. Click Enable Traffic Visibility. You will be redirected to a new wizard, from where you can enable the Traffic Visibility feature.

    

12. In the Enable Traffic Visibility wizard, define the following from the list:

    • CSP Account: Set to the name of your AWS account where the CloudFormation stack and the sandbox lab have been deployed.
    • Region: Set to US East (N. Virginia) us-east-1.
    • VPCs: Set to Defender VPC.
    • S3 Bucket: Match the name of the bucket that you defined during the CloudFormation stack deployment.

    Click NEXT.

    

13. After a while, you should see a “Success!” message.

    

    You can click CLOSE to quit the wizard.

Congratulations! You have successfully configured the Traffic Visibility feature for your AWS account.

In this task, you will create an MCD Gateway with IPS and IDS feature. The gateway will be used to detect attacks aimed at the Defender VPC, which was created as part of the sandbox lab.

Establishing an MCD Gateway

1. Create an EC2 key pair using the AWS CLI.

   aws ec2 create-key-pair --key-name mcd-demo --query 'KeyMaterial' --output text > ~/.ssh/mcd-demo.pem
   

   Note: The Secure Shell (SSH) key is used for accessing the MCD Gateway for troubleshooting purposes. Having the key established is required during the MCD Gateway setup, but it won’t be used during the lab exercises.

2. Click the Secure Account button from the Setup page. The Setup page can be accessed from the Favorites section in the left menu.

   

3. Choose Centralized, and click NEXT.

   Note: In this scenario, all the network orchestration is done by Cisco MCD itself.

   

4. Provide the details of the Service VPC. The Service VPC is where the MCD Gateway is going to be deployed.

   • Name: Use the name indicating the purpose of that VPC—for example, inspection-vpc.
   • CSP Account: Select the AWS account that you earlier attached to Cisco MCD.
   • Region: Select US East (N. Virginia) us-east-1.
   • CIDR Block: Select any available private Classless Inter-Domain Routing (CIDR) range.
   • Availability Zones: Select us-east-1a.
   • Transit Gateway: Select create-new.
   • Transit Gateway Name: Leave as suggested.
   • Auto accept shared attachments: Leave unchecked.
   • Use NAT Gateway: Leave unchecked.

   Click NEXT.

   

   

   Note: If the field is empty, click the refresh icon (🔄) next to the field.

5. Provide the details of the MCD Gateway, and then click Next

   • Account: Select the AWS account that you earlier attached to Cisco MCD.
   • Service VPC/VNet: Select the name that was defined in the preceding step.
   • Instance Type: Select AWS_M5_LARGE.
   • Multicloud Defense Gateways: Check both Ingress and East-West & Egress.
   • Ingress Gateway Name: Use the proposed name.
   • Ingress Gateway Policy Ruleset: Choose ciscomcd-sample-ingress-policy-ruleset.
   • East-West & Egress Gateway Name: Use the proposed name.
   • East-West & Egress Gateway Policy Ruleset: Choose ciscomcd-sample-egress-policy-ruleset.
   • Gateway IAM Role Name: Choose mcd-gateway-role.
   • SSH Key Pair: Choose the key that was defined in the first step.

   Click NEXT.

   

   

   Note: If the field is empty, click the refresh icon (🔄) next to the field.

6. After a while, you should see a “Success!” message.

Now, let’s point the newly created ingress MCD Gateway to our test application residing in the Defender VPC.

7. From the upper menu, go to Manage > Addresses > ciscomcd-sample-backend-app. Click Edit.

   

8. In the Value field, enter defender_instance_private_ip. Click Save.

   

Now, it’s time to enable the IPS and IDS feature on the MCD Gateway.

Enabling IPS and IDS

9. From the upper menu, go to Manage > Rule Sets > ciscomcd-sample-ingress-policy-ruleset > ciscomcd-sample-ingress-allow. Click Edit.

   

10. Scroll down to Profiles, and select the Network Intrusion sample profile; it should be set to ciscomcd-sample-ips-balanced-alert. Click Save.

    

11. Click Save Changes and Save again on the Save Rules Confirmation page.

    

The last task is to attach Cisco MCD with IPS and IDS to our Defender VPC.

Attaching MCD to Protect the VPC

12. From the upper menu, go to Manage > Cloud Accounts > Inventory > VPCs/VNets. In the Defender VPC field, click Secure Now.

    

13. Define the following:

    • Service VPC: Set to inspection-vpc.
    • Route Table: All are checked.

    Click Save.

    

14. Confirm the default route modification by clicking Yes.

    

    You should receive “SUCCESS!” and “Spoke VPC Updated” messages once completed, and see status “Secured” for the Defender VPC.

    

Congratulations! You have successfully configured the MCD Gateway for east-west and egress traffic inspection with IPS and IDS.

In this task, we are going to test whether visibility and IPS and IDS are detecting and informing on threats. The following three items will be tested:

• Security group misconfigurations (visibility)
• Malicious traffic identification (visibility)
• Detection of Shellshock (CVE-2014-6271 and CVE-2014-7169) vulnerability exploitation (IPS and IDS)

Finding Security Group Misconfigurations

1. From the upper menu, go to Discover > Inventory > Security Group. In the Defender Security Group row, click 2 in the Medium column.

   

   You should see security findings that are specific to the affected security group.

   

Malicious Traffic Identification

2. From the upper menu, go to Discover > Traffic > Topology. Click the red-highlighted Virginia region.

   

   You should see details on the malicious traffic, such as the attacking country.

   

   You can further deep-dive from this point to investigate the attacks.

IPS/IDS and Shellshock Attack Simulation

3. From the local PC, connect to the attacker instance. The value for the target is attacker_instance_id.

   aws ssm start-session --target "i-0XXXXXXXXXXXXXXXX"
   

4. Return to Cisco MCD, and from the upper menu, go to Manage > Gateways > ingress-us-east-1-gw-01. Copy the gateway endpoint next to the Defender VPC.

   

   We’re going to run a simulated attack against that endpoint (hostname).

5. Launch the simulated Shellshock attack against the MCD-protected application. The Nmap tool is used for the attack simulation.

   Note: Remember to adjust ciscomcd-l-xxxxxxxxxxxx-xxxxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com to match your ingress MCD Gateway endpoint.

   nmap -p 443 -Pn --script=/usr/share/nmap/scripts/http-shellshock.nse ciscomcd-l-xxxxxxxxxxxx-xxxxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com
   

6. From the upper menu, go to Investigate > Network Threats.

   You should see the event “OS-OTHER Bash CGI environment variable injection attempt” generated as the result of the simulated Shellshock attack.

   

   You can click the event to investigate the attack details.

   

Congratulations! You have successfully tested the visibility and IPS/IDS capabilities.

Once you are done with your lab, it is recommended that you clean up the lab resources to avoid incurring cloud-related charges and minimize the risk of exposing the lab environment.

Detach the Defender VPC from the MCD Inspection VPC

1. From the upper menu, go to Manage > Service VPCs/VNets. Check inspection-vpc, click Actions, and then click Manage Spoke VPC/VNet.

   

2. Choose the Defender VPC check box, and click Remove.

   

3. Click Yes to confirm.

   

Delete the MCD Gateways

4. From the upper menu, go to Manage > Gateways. Choose both the egress and ingress gateway check boxes, click Actions, and then click Disable.

   

5. Click Yes to confirm.

   

6. Choose both the egress and ingress gateway check boxes again, click Actions, and then click Delete.

   

7. Click Yes to confirm.

   

Delete the Inspection VPC

8. From the upper menu, go to Manage > Service VPCs/VNets. Check inspection-vpc, click Actions, and then click Delete.

   

9. Click Yes to confirm.

   

Detach the AWS Account from MCD

10. From the upper menu, go to Manage > Accounts. Check lcp-ciscou-spotlight, click Actions, and then click Delete.

    

11. Click Yes to confirm.

    .

Delete MCD Resources in AWS

12. From the AWS Management Console, delete the inspection-vpc-tgw transit gateway.

    

    

13. Delete the VPC flow logs configuration for the Defender VPC.

    

    

14. Delete the query logging configuration for the Defender VPC.

    

    

15. Delete CloudTrail.

    

    

16. Empty the MCD S3 Bucket that was defined during the CloudFormation stack deployment.

    

17. Delete the mcd-resources CloudFormation stack.

    

    

Destroy the Sandbox Lab Resources

18. Run the following command from the directory where you deployed the lab resources in the Prepping the Sandbox task of this tutorial:

    terraform destroy
    

Congratulations! You have successfully cleaned up your environment from MCD-related resources.

Congratulations! You have successfully completed this lab.

Learn More

• Designing and Implementing Secure Cloud Access for Users and Endpoints | SCAZT
• Implementing and Operating Cisco Security Core Technologies | SCOR
• Understanding Cisco Cybersecurity Operations Fundamentals | CBROPS