71 Belmore Rd
Randwick NSW 2031 AU
Tel +61 2 8311 3886
info@respiro.com.au

Auto deployment of micro segmentation to Azure

Orchestration of tasks really starts to deliver when we remove human involvement. The value proposition of ServiceOrchestrate is the flexibility to build automated workflows that incorporate whatever systems are out there, and the low-code Intrexx platform makes this possible. Here we describe one such workflow that integrates different systems and is triggered by a timer, operating without any user interaction.

The goal was to capture any new virtual machines that were created in Azure, get their details into the CMDB and then automate the implementation of cyber-security controls.

Timer. An Intrexx timer schedules the start of the process.


Stage 1: Connect to Azure and identify machines not currently registered in the CMDB
Stage 2: Install the Illumio agent on the new machine(s)

Stage 3: Add labels to the host in Illumio (based on the Azure tags), implementing host controls

Stage 4: Create the new host in the Check Point management server and add the host to a group (based on Azure tags)

Stage 5: Set host flags in the CMDB to indicate cyber control commissioning is complete

Process complete

Stages

Timer

Intrexx timers are very flexible and can be configured easily for the full range of options.

The timer event handler simply reacts to the timer and initiates the next process item.

Stage 1 Identify new machines

This stage is key to ensuring you capture any new machines added to your environment. We looked at several methods, including the use of a webhook, but settled on a regular poll (triggered by the Timer) of the Azure service management API, retrieving the full list of VMs and comparing it with our current CMDB list.

INFO 2019-07-02T00:25:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
logging initialized for logfile C:\Intrexx\Logs\Process-Azure-New-HostLogFile .txt
INFO 2019-07-02T00:26:30,120Z – azure_activity[https-jsse-nio-8101-exec-8]
GET Success. VM LIST.
INFO 2019-07-02T00:26:33,120Z – azure_activity[https-jsse-nio-8101-exec-8]
New hosts list = [Host24]

Any new devices get a follow up API call to retrieve a richer set of data that is populated into the CMDB.

INFO 2019-07-02T00:28:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]

GET Success. VM DETAIL.

Vm detail = [value:[[properties:[vmId:vvvvvvvv-wwww-xxxx-yyy-zzzzzzzzzz, hardwareProfile:[vmSize:Standard_B4ms], storageProfile:[imageReference:[publisher:MicrosoftWindowsServer, offer:WindowsServer, sku:2019-Datacenter, version:latest], osDisk:[osType:Windows, name:Host24_OsDisk
_1_1111111111111, createOption:FromImage, caching:ReadWrite, managedDisk:[storageAccountType:Premium_LRS, id:/subscriptions/aaaaaa-bbbb-cccc-dddd-eeeeeeee/resourceGroups/SERVICEORCHESTRATE/providers/Microsoft.Compute/disks/Host_OsDisk_1_1111111111111], diskSizeGB:127], dataDisks:[]], osProfile:[computerName:Host24, adminUsername:host24admin, windowsConfiguration:[provisionVMAgent:true, enableAutomaticUpdates:true], secrets:[], allowExtensionOperations:true], networkProfile:[networkInterfaces:[[id:/subscriptions/aaaaaa-bbbb-cccc-dddd-eeeeeeee/resourceGroups/ServiceOrchestrate/providers/Microsoft.Network/networkInterfaces
/Host241]]], diagnosticsProfile:[bootDiagnostics:[enabled:true, storageUri:https://Host24diag.blob.core.windows.net/]], provisioningState:Succeeded], type:Microsoft.Compute/virtualMachines, location:australiaeast, tags:[app:service orchestrate, env:dev, loc:azure, rol:web], id:/subscriptions/aaaaaa-bbbb-cccc-dddd-eeeeeeee/resourceGroups/ServiceOrchestrate/providers/Microsoft.Compute/virtualMachines/Host24, name:Host24]]]
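The Stage 1 logic in Python, as an added example rather than the ServiceOrchestrate/Intrexx code from this post: the VM list is diffed against the CMDB (a host counts as registered only once its commissioning flag from Stage 5 is set), and each new host's detail response is flattened into the CMDB fields the later stages need. The two response bodies are constructed samples shaped like the log output above, with placeholder ids; the HTTP calls themselves are left out so the sample runs offline.

```python
"""Added example (not ServiceOrchestrate/Intrexx code): Stage 1 in Python.
Only the poll-result handling is shown; the two response bodies are
constructed samples shaped like the post's log output."""
import json

# Constructed sample of an Azure "list virtual machines" response body,
# trimmed to the fields the comparison uses. Subscription id is a placeholder.
AZURE_VM_LIST = json.dumps({"value": [
    {"name": "Host22", "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/ServiceOrchestrate/providers/Microsoft.Compute/virtualMachines/Host22"},
    {"name": "Host23", "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/ServiceOrchestrate/providers/Microsoft.Compute/virtualMachines/Host23"},
    {"name": "Host24", "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/ServiceOrchestrate/providers/Microsoft.Compute/virtualMachines/Host24"},
]})

# Constructed CMDB snapshot: hosts that already completed Stage 5 carry status ADDED.
CMDB_HOSTS = {
    "Host22": {"status": "ADDED"},
    "Host23": {"status": "ADDED"},
}

# Constructed sample of the per-VM detail response (same shape as the post's
# "Vm detail" log entry, rendered as JSON; ids are placeholders).
AZURE_VM_DETAIL = json.dumps({
    "name": "Host24",
    "location": "australiaeast",
    "tags": {"app": "service orchestrate", "env": "dev", "loc": "azure", "rol": "web"},
    "properties": {
        "vmId": "VMID-PLACEHOLDER",
        "hardwareProfile": {"vmSize": "Standard_B4ms"},
        "storageProfile": {"osDisk": {"osType": "Windows", "diskSizeGB": 127}},
        "osProfile": {"computerName": "Host24", "adminUsername": "host24admin"},
        "provisioningState": "Succeeded",
    },
})


def find_new_hosts(vm_list_json, cmdb_hosts):
    """Return VM names present in Azure but not yet commissioned in the CMDB."""
    azure_names = {vm["name"] for vm in json.loads(vm_list_json).get("value", [])}
    commissioned = {name for name, rec in cmdb_hosts.items() if rec.get("status") == "ADDED"}
    return sorted(azure_names - commissioned)


def cmdb_record_from_detail(detail_json):
    """Flatten the VM detail into the CMDB fields the later stages need.
    Only those fields are kept; adminUsername is left out because nothing
    downstream uses it, so the CMDB does not accumulate account data."""
    detail = json.loads(detail_json)
    props = detail["properties"]
    if props.get("provisioningState") != "Succeeded":
        # A VM still provisioning is picked up on a later timer run instead.
        return None
    return {
        "name": detail["name"],
        "vm_id": props["vmId"],
        "location": detail["location"],
        "os_type": props["storageProfile"]["osDisk"]["osType"],
        "vm_size": props["hardwareProfile"]["vmSize"],
        "tags": dict(detail.get("tags", {})),
        "status": "NEW",  # flipped to ADDED by Stage 5
    }


def stage1(vm_list_json, cmdb_hosts, detail_lookup):
    """Run the discovery step; detail_lookup(name) returns the detail JSON for a VM."""
    records = []
    for name in find_new_hosts(vm_list_json, cmdb_hosts):
        record = cmdb_record_from_detail(detail_lookup(name))
        if record is not None:
            records.append(record)
    return records


if __name__ == "__main__":
    print(stage1(AZURE_VM_LIST, CMDB_HOSTS, lambda name: AZURE_VM_DETAIL))
```

Comparing on the commissioning flag rather than on mere presence in the CMDB is what makes the timer safe to re-run: a host whose earlier run failed part way is picked up again, while a commissioned host is not.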

Stage 2 Add Illumio VEN to new machines

Once a new machine has been identified, the Illumio VEN is deployed to it. For Windows machines we achieved this through a remote PowerShell script executed via the Azure Service Management API; there is no requirement to log in to the machine or to have firewall rules configured to allow this. The PowerShell script is provided by the Illumio PCE (a Linux shell command is also available). The script pairs the VEN agent to the PCE, and the machine then appears in the PCE agents list.

INFO 2019-07-02T00:30:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
LOGIN POST Success. LOGIN: HTTP/1.1 200 OK
INFO 2019-07-02T00:31:42,120Z – azure_activity[https-jsse-nio-8101-exec-8]
GET Success. ENABLE REMOTE PS: HTTP/1.1 202 Accepted

The deployment of the VEN agent can take some time so the API call polls every 60 seconds to get an update on the progress:

INFO 2019-07-02T00:33:12,120Z – azure_activity[https-jsse-nio-8101-exec-8]
https://management.azure.com/subscriptions/fa546064-fd6c-4055-8ac4-883aacf4c08c/providers/Microsoft.Compute/locations/australiaeast/operations/832b9bee-7a82-48ec-a274-0e8f04a83e57?api-version=2017-03-30
INFO 2019-07-02T00:34:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
GET Success. ASYNC STATUS CHECK: HTTP/1.1 200 OK
InProgress
INFO 2019-07-02T01:34:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
GET Success. ASYNC STATUS CHECK: HTTP/1.1 200 OK
InProgress
INFO 2019-07-02T02:34:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
Succeeded
INFO 2019-07-02T02:36:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
{startTime=2019-07-02T00:33:12,120Z +00:00, endTime=2019-07-02T02:34:52,120Z +00:00, status=Succeeded, properties={output=[{code=ComponentStatus/StdOut/succeeded, level=Info, displayStatus=Provisioning succeeded, message=Major Minor Build Revision
----- ----- ----- --------
5 1 17763 503

}, {code=ComponentStatus/StdErr/succeeded, level=Info, displayStatus=Provisioning succeeded, message=}]}, name=832b9bee-7a82-48ec-a274-0e8f04a83e57}
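The polling loop behind the log above, as an added Python example that is not the post's Intrexx code: the operation URL from the 202 response is polled at a fixed interval until it reports a terminal state, with an overall deadline so a stuck deployment cannot hold the workflow open, and the Run Command output list is split into stdout and stderr. The status bodies are constructed (the final one mirrors the shape of the last log entry, with a placeholder operation name), and the fetch and sleep callables are injected so the sample runs offline.

```python
"""Added example (not the post's Intrexx code): Stage 2 status polling for
the Azure Run Command operation. Status bodies are constructed and the
fetch/sleep callables are injected so the sample runs offline."""
import time

TERMINAL_STATES = {"Succeeded", "Failed", "Canceled"}


def wait_for_operation(fetch_status, interval_s=60, timeout_s=3 * 3600, sleep=time.sleep):
    """Poll fetch_status() (which returns the parsed JSON body of the operation
    URL from the 202 response) until a terminal state is reached.
    Returns (status, body); raises TimeoutError once timeout_s has elapsed."""
    elapsed = 0
    while True:
        body = fetch_status()
        status = body.get("status")
        if status in TERMINAL_STATES:
            return status, body
        if elapsed >= timeout_s:
            raise TimeoutError(f"operation still {status} after {elapsed}s")
        sleep(interval_s)
        elapsed += interval_s


def run_command_result(body):
    """Pull stdout/stderr out of the Run Command output list.
    The operation can report Succeeded even when the script itself wrote to
    stderr, so ok requires both a Succeeded status and an empty stderr."""
    result = {"stdout": "", "stderr": ""}
    for item in body.get("properties", {}).get("output", []):
        code = item.get("code", "")
        if code.startswith("ComponentStatus/StdOut"):
            result["stdout"] = item.get("message", "")
        elif code.startswith("ComponentStatus/StdErr"):
            result["stderr"] = item.get("message", "")
    result["ok"] = body.get("status") == "Succeeded" and not result["stderr"].strip()
    return result


# Constructed final body, shaped like the post's last log entry (JSON form;
# the operation name is a placeholder).
FINAL_BODY = {
    "startTime": "2019-07-02T00:33:12Z",
    "endTime": "2019-07-02T02:34:52Z",
    "status": "Succeeded",
    "name": "OPERATION-ID-PLACEHOLDER",
    "properties": {"output": [
        {"code": "ComponentStatus/StdOut/succeeded", "level": "Info",
         "displayStatus": "Provisioning succeeded",
         "message": "Major  Minor  Build  Revision\n-----  -----  -----  --------\n5      1      17763  503\n"},
        {"code": "ComponentStatus/StdErr/succeeded", "level": "Info",
         "displayStatus": "Provisioning succeeded", "message": ""},
    ]},
}


def fake_fetch(bodies):
    """Return a fetch_status() that hands out the given bodies in order."""
    it = iter(bodies)
    return lambda: next(it)


def demo():
    """Two InProgress polls followed by Succeeded; sleeps are recorded, not slept."""
    slept = []
    fetch = fake_fetch([{"status": "InProgress"}, {"status": "InProgress"}, FINAL_BODY])
    status, body = wait_for_operation(fetch, interval_s=60, timeout_s=3600, sleep=slept.append)
    return status, run_command_result(body), slept


if __name__ == "__main__":
    print(demo())
```

The deadline and the stderr check are the two things worth carrying into a production workflow: without the first, a VM that never finishes pairing blocks the timer-driven run indefinitely; without the second, a pairing script that printed an error but exited cleanly would be recorded as commissioned.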

Stage 3 Configure Illumio labels

The labels applied to the machine in Illumio determine the host firewall rules that will be deployed. The first stage of this process is to retrieve the Illumio HREF (the machine reference in Illumio) and populate this value into our CMDB. This allows us to make configuration changes against the device via the Illumio API:

INFO 2019-07-02T02:46:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
Host24url is https://serviceorchestratePOC.illum.io/api/v1/orgs/50/workloads/f0604896-d06e-4fe9-a066-4a92638a4e41

We read the set of tags applied to the host (from the Azure API call that retrieves machine details) and do a look-up against a pre-populated list in ServiceOrchestrate that matches sets of tags to Illumio labels. The labels are then applied to the machine in Illumio through an API call to the Illumio PCE.

INFO 2019-07-02T02:48:52,120Z – azure_activity[https-jsse-nio-8101-exec-8]
Host24:[{"href":"/orgs/50/labels/7241"}, {"href":"/orgs/50/labels/7212"}, {"href":"/orgs/50/labels/7229"}]
INFO 2019-07-02T02:49:02,120Z – azure_activity[https-jsse-nio-8101-exec-8]
success messagesuccesful update labels

Stage 4 Add to Check Point Groups & Publish

In this scenario Illumio provides the micro-segmentation controls (East-West) and a Check Point firewall provides the macro controls. To add the Check Point control, ServiceOrchestrate makes an API call to the Check Point Policy Manager to create the host; then, similar to our Illumio tag-to-label matching, we match the tags to a Check Point group, add the host to that group in the same API call, publish the policy and push it to the firewall.

INFO 2019-07-02T02:52:12,120Z – azure_activity[https-jsse-nio-8101-exec-8]
POST Success. Check Point LOGIN: HTTP/1.1 200 OK
INFO 2019-07-02T02:54:02,120Z – azure_activity[https-jsse-nio-8101-exec-8]
POST Success. Host Created
INFO 2019-07-02T02:55:02,120Z – azure_activity[https-jsse-nio-8101-exec-8]
{name=507dbede-cf5b-4e3c-8174-c71f5e8d1cbf, members={add=SO}}
INFO 2019-07-02T02:54:22,120Z – azure_activity[https-jsse-nio-8101-exec-8]
POST Success. Set Group: HTTP/1.1 200 OK
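The tag-matching used by Stage 3 (Azure tags to Illumio labels) and Stage 4 (Azure tags to a Check Point group) is the same lookup, so one added Python example covers both; it is not the post's Intrexx code. The rule table and which tags select which label or group are assumptions; the label HREFs and the group name SO are the values visible in the logs above. The Illumio body follows the PCE workload update shape (a "labels" array of href objects) and the Check Point body follows the Management API set-group shape (group by name, host listed under members.add).

```python
"""Added example (not the post's Intrexx code): the tag-to-control lookup
behind Stages 3 and 4. The rule table and the tag-to-label/group pairing
are constructed; label HREFs and the group name come from the post's logs."""

# Constructed lookup table. A rule matches when every tag in "match" is
# present on the host with that value. A workload carries at most one label
# per label type (role, app, env, loc), so each rule supplies distinct types.
RULES = [
    {"match": {"loc": "azure"},
     "illumio_labels": ["/orgs/50/labels/7241"], "checkpoint_group": None},
    {"match": {"env": "dev"},
     "illumio_labels": ["/orgs/50/labels/7212"], "checkpoint_group": "SO"},
    {"match": {"app": "service orchestrate", "rol": "web"},
     "illumio_labels": ["/orgs/50/labels/7229"], "checkpoint_group": None},
]

# Tags from the post's VM detail for Host24.
HOST24_TAGS = {"app": "service orchestrate", "env": "dev", "loc": "azure", "rol": "web"}


def matching_rules(tags, rules=RULES):
    """Rules whose every match key/value is present on the host."""
    return [r for r in rules if all(tags.get(k) == v for k, v in r["match"].items())]


def illumio_label_payload(tags, rules=RULES):
    """Body for the PCE workload update: {"labels": [{"href": ...}, ...]}.
    Duplicate hrefs from overlapping rules are collapsed, order preserved."""
    hrefs = []
    for rule in matching_rules(tags, rules):
        for href in rule["illumio_labels"]:
            if href not in hrefs:
                hrefs.append(href)
    return {"labels": [{"href": h} for h in hrefs]}


def checkpoint_group_for(tags, rules=RULES):
    """Resolve the single Check Point group. More than one match is a rule
    table error and stops the run rather than picking one silently."""
    groups = {r["checkpoint_group"] for r in matching_rules(tags, rules) if r["checkpoint_group"]}
    if len(groups) > 1:
        raise ValueError(f"tags map to several groups: {sorted(groups)}")
    return groups.pop() if groups else None


def checkpoint_set_group_body(host_name, tags, rules=RULES):
    """Body for the Management API set-group call (group by name, host added
    to members). Returns None when no rule names a group, so Stage 4 can skip
    the group step but still publish the host object."""
    group = checkpoint_group_for(tags, rules)
    if group is None:
        return None
    return {"name": group, "members": {"add": [host_name]}}


if __name__ == "__main__":
    print(illumio_label_payload(HOST24_TAGS))
    print(checkpoint_set_group_body("Host24", HOST24_TAGS))
```

Keeping the rule table as data rather than code is what lets the same lookup drive both products; the ambiguity check matters because a host landing in two firewall groups would inherit the union of their rules, which is rarely what the tag author intended.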

Stage 5 Set status to ADDED

Finally, we update the CMDB to flag that the host has been ‘commissioned’. This ensures further checks against the CMDB recognise this machine is not a candidate for a repeat of this process.

End: Stop Process

© Copyright 2019 Respiro Pty Ltd. All Rights Reserved.