AWS account
Have fun!
In this task, you will learn how to prepare a sandbox environment in your AWS account. The environment consists of two types of resources:
🛡️ Defender: This VPC hosts an Amazon Elastic Compute Cloud (EC2) instance running the web server on port 80/TCP. We’re going to protect this VPC using Cisco MCD.
⚔️ Attacker: This VPC hosts an EC2 instance from which we’re going to launch simulated attacks against the Defender VPC to test threat detection capabilities.
The VPCs will be deployed in the us-east-1a availability zone of the US East (N. Virginia) us-east-1 AWS region.
Prerequisites
Deploying the Sandbox Infrastructure
Ensure that your AWS account is configured to be used by the AWS CLI.
The following command should return your account details if it is configured correctly:
aws sts get-caller-identity
Create a directory to host the Terraform code.
mkdir mcd-sandbox && cd ./mcd-sandbox
Download the Terraform code and save it into the previously created directory.
Deploy the Terraform code.
Run the following commands from the directory where the main.tf file has been downloaded:
terraform init
terraform plan
terraform apply
You should receive an “Apply complete!” message once it has successfully completed.
Take note of the resource details provided in the Terraform output.
attacker_instance_id
attacker_instance_public_ip
defender_instance_id
defender_instance_private_ip
defender_instance_public_ip
Those values will be used later during the Testing IPS and IDS task of this tutorial.
Your sandbox lab in your AWS account is ready!
Cisco MCD comes as a built-in feature within Cisco Defense Orchestrator, so you need a configured Defense Orchestrator tenant before enabling it.
Note: Please skip this setup procedure if you already have an established Defense Orchestrator tenant. Otherwise, please use the following instructions, which will allow you to enroll in a 30-day free trial of Defense Orchestrator.
Defense Orchestrator Setup Procedure
Visit http://www.getcdo.com/.
Read through the instructions.
Select the region, and click the Sign Up button.
Note: In most cases, selecting the region nearest to the region of your cloud infrastructure that you’re going to protect is the best option. The lab infrastructure is located in us-east-1 (North Virginia), so in this instance, select North America.
Log in to your existing Cisco account, or create a new one.
(Optional) Enable multifactor authentication (MFA).
Name your Defense Orchestrator tenant. Click the Create new account button.
Note: Mind the name restrictions.
Wait until the tenant becomes ready.
Note: The process can take a minute.
Read the End User Agreement, and click the Accept button.
Congratulations! Your Defense Orchestrator tenant is ready.
In this task, you will add your AWS account to Cisco MCD and enable the Traffic Visibility feature on the VPC that you’re going to protect.
Connecting Your AWS Account
Access the Defense Orchestrator home page.
Note: If your Defense Orchestrator session has timed out, visit https://defenseorchestrator.com/ and log in again.
Select Multicloud Defense from the left menu.
Note: You should see a “Welcome to Multicloud Defense!” wizard pop-up.
Go through all the instructions by clicking Next several times and then Begin.
Multicloud Defense will start initializing. This may take a couple of minutes to complete.
From the Connect a Cloud Account page, select AWS.
You will be redirected to a wizard that asks you to launch a CloudFormation template.
From a separate tab in your web browser, sign in to the AWS Management Console using your AWS account with admin permissions.
Access URL: https://us-east-1.console.aws.amazon.com/console/home?region=us-east-1#
Make sure that the N. Virginia (us-east-1) region is selected.
Switch back to the Multicloud Defense wizard, and click Launch Stack.
Read through the Cloud Cost Notice. Click Launch Stack again if you accept the AWS cloud service provider charges associated with creating the resources.
You should be redirected to the CloudFormation service page in the AWS Management Console.
Create a stack in AWS using the loaded CloudFormation template.
Note: In most cases, you can use the default values.
Adjust the S3 Bucket Name to ensure that:
Note the S3 Bucket Name value. The name will be needed in a later step.
Acknowledge the information under the Capabilities section if you accept the conditions.
Click Create stack.
Wait until the stack deployment completes.
You should get CREATE_COMPLETE status. If the stack creation fails, then try again with a changed S3 Bucket Name.
From the Outputs tab, copy and note down the following values:
AccountNumber
MCDControllerRoleArn
MCDInventoryRoleArn
These values will be required in the subsequent steps.
Navigate back to the Multicloud Defense wizard, and click Next.
Provide the account number and account name; you noted the AccountNumber value earlier during the stack deployment. Click Next.
In the Controller IAM Role and Inventory Monitor Role fields, enter the respective Amazon Resource Names (ARNs). You noted the MCDControllerRoleArn and MCDInventoryRoleArn values earlier during the stack deployment. Click Done.
Note: The External ID field doesn’t need to be changed.
Your account is now connecting to Defense Orchestrator.
Enabling Traffic Visibility
Click Enable Traffic Visibility. You will be redirected to a new wizard, from where you can enable the Traffic Visibility feature.
In the Enable Traffic Visibility wizard, define the following from the list:
Click NEXT.
After a while, you should see a “Success!” message.
You can click CLOSE to quit the wizard.
Congratulations! You have successfully configured the Traffic Visibility feature for your AWS account.
In this task, you will create an MCD Gateway with the IPS and IDS feature. The gateway will be used to detect attacks aimed at the Defender VPC, which was created as part of the sandbox lab.
Establishing an MCD Gateway
Create an EC2 key pair using the AWS CLI.
aws ec2 create-key-pair --key-name mcd-demo --query 'KeyMaterial' --output text > ~/.ssh/mcd-demo.pem
Note: The Secure Shell (SSH) key is used for accessing the MCD Gateway for troubleshooting purposes. Having the key established is required during the MCD Gateway setup, but it won’t be used during the lab exercises.
Click the Secure Account button from the Setup page. The Setup page can be accessed from the Favorites section in the left menu.
Choose Centralized, and click NEXT.
Note: In this scenario, all the network orchestration is done by Cisco MCD itself.
Provide the details of the Service VPC. The Service VPC is where the MCD Gateway is going to be deployed.
Click NEXT.
Note: If the field is empty, click the refresh icon (🔄) next to the field.
Provide the details of the MCD Gateway, and then click Next.
Click NEXT.
Note: If the field is empty, click the refresh icon (🔄) next to the field.
After a while, you should see a “Success!” message.
Now, let’s point the newly created ingress MCD Gateway to our test application residing in the Defender VPC.
From the upper menu, go to Manage > Addresses > ciscomcd-sample-backend-app. Click Edit.
In the Value field, enter defender_instance_private_ip. Click Save.
Now, it’s time to enable the IPS and IDS feature on the MCD Gateway.
Enabling IPS and IDS
From the upper menu, go to Manage > Rule Sets > ciscomcd-sample-ingress-policy-ruleset > ciscomcd-sample-ingress-allow. Click Edit.
Scroll down to Profiles, and select the Network Intrusion sample profile; it should be set to ciscomcd-sample-ips-balanced-alert. Click Save.
Click Save Changes and Save again on the Save Rules Confirmation page.
The last task is to attach Cisco MCD with IPS and IDS to our Defender VPC.
Attaching MCD to Protect the VPC
From the upper menu, go to Manage > Cloud Accounts > Inventory > VPCs/VNets. In the Defender VPC field, click Secure Now.
Define the following:
Click Save.
Confirm the default route modification by clicking Yes.
You should receive “SUCCESS!” and “Spoke VPC Updated” messages once completed, and see status “Secured” for the Defender VPC.
Congratulations! You have successfully configured the MCD Gateway for east-west and egress traffic inspection with IPS and IDS.
In this task, we are going to test whether Traffic Visibility and IPS and IDS detect and report threats. The following three items will be tested:
Finding Security Group Misconfigurations
From the upper menu, go to Discover > Inventory > Security Group. In the Defender Security Group row, click 2 in the Medium column.
You should see security findings that are specific to the affected security group.
Malicious Traffic Identification
From the upper menu, go to Discover > Traffic > Topology. Click the red-highlighted Virginia region.
You should see details on the malicious traffic, such as the attacking country.
You can further deep-dive from this point to investigate the attacks.
IPS/IDS and Shellshock Attack Simulation
From the local PC, connect to the attacker instance. The value for the target is attacker_instance_id.
aws ssm start-session --target "i-0XXXXXXXXXXXXXXXX"
Return to Cisco MCD, and from the upper menu, go to Manage > Gateways > ingress-us-east-1-gw-01. Copy the gateway endpoint next to the Defender VPC.
We’re going to run a simulated attack against that endpoint (hostname).
Launch the simulated Shellshock attack against the MCD-protected application. The Nmap tool is used for the attack simulation.
Note: Remember to adjust ciscomcd-l-xxxxxxxxxxxx-xxxxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com to match your ingress MCD Gateway endpoint.
nmap -p 443 -Pn --script=/usr/share/nmap/scripts/http-shellshock.nse ciscomcd-l-xxxxxxxxxxxx-xxxxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com
From the upper menu, go to Investigate > Network Threats.
You should see the event “OS-OTHER Bash CGI environment variable injection attempt” generated as the result of the simulated Shellshock attack.
You can click the event to investigate the attack details.
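As an added example (not part of the lab and not Cisco's signature logic), the following Python shows the condition behind the "Bash CGI environment variable injection attempt" event: an HTTP header whose value begins with a bash function definition, which a CGI handler would export into the environment of the shell it spawns. It runs over constructed sample requests, not traffic captured from the lab.

```python
import re
from typing import List, Optional, Tuple

# Unpatched bash treated an environment variable whose value starts with
# "() {" as a function definition. A CGI handler exports request headers
# (User-Agent, Referer, ...) as environment variables, so a header shaped
# this way reaches the shell. That start-of-value pattern is what the
# IPS event in the text is alerting on.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests as a proxy or IDS sees them on the wire.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: () { :; }; echo probe\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "POST /cgi-bin/form HTTP/1.1\r\nHost: app.example\r\n"
    "Referer: (){:;}; echo probe\r\n"
    "Content-Length: 0\r\n\r\n",
]


def find_shellshock_header(raw_request: str) -> Optional[str]:
    """Return the name of the first header carrying the pattern, else None."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line itself
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.match(value):
            return name.strip()
    return None


def scan_requests(requests: List[str]) -> List[Tuple[int, str]]:
    """(index, header name) for every request that would raise the alert."""
    hits = []
    for i, req in enumerate(requests):
        header = find_shellshock_header(req)
        if header is not None:
            hits.append((i, header))
    return hits
```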
Congratulations! You have successfully tested the visibility and IPS/IDS capabilities.
Once you are done with your lab, it is recommended that you clean up the lab resources to avoid incurring cloud-related charges and minimize the risk of exposing the lab environment.
Detach the Defender VPC from the MCD Inspection VPC
From the upper menu, go to Manage > Service VPCs/VNets. Check inspection-vpc, click Actions, and then click Manage Spoke VPC/VNet.
Choose the Defender VPC check box, and click Remove.
Click Yes to confirm.
Delete the MCD Gateways
From the upper menu, go to Manage > Gateways. Choose both the egress and ingress gateway check boxes, click Actions, and then click Disable.
Click Yes to confirm.
Choose both the egress and ingress gateway check boxes again, click Actions, and then click Delete.
Click Yes to confirm.
Delete the Inspection VPC
From the upper menu, go to Manage > Service VPCs/VNets. Check inspection-vpc, click Actions, and then click Delete.
Click Yes to confirm.
Detach the AWS Account from MCD
From the upper menu, go to Manage > Accounts. Check lcp-ciscou-spotlight, click Actions, and then click Delete.
Click Yes to confirm.
Delete MCD Resources in AWS
From the AWS Management Console, delete the inspection-vpc-tgw transit gateway.
Delete the VPC flow logs configuration for the Defender VPC.
Delete the query logging configuration for the Defender VPC.
Delete CloudTrail.
Empty the MCD S3 Bucket that was defined during the CloudFormation stack deployment.
Delete the mcd-resources CloudFormation stack.
Destroy the Sandbox Lab Resources
Run the following command from the directory where you deployed the lab resources in the Prepping the Sandbox task of this tutorial:
terraform destroy
Congratulations! You have successfully cleaned up your environment from MCD-related resources.
Congratulations! You have successfully completed this lab.
Learn More