AWS Firewall: je ne sais quoi

in Cloud

Table of Contents

Description

Last week I got asked by a customer what I think about the AWS Firewall and if it would be wise for him to implement it in his environment.
I browsed fast through the various tech documents about it, got initially confused and realised that this is not one of those topics that I was going to understand fast and move on.

I invested more time into it, started reading about rule groups, stateless, statefull rules and … I needed a break. There was surely no quick answer in sight.

Going into the topic even deeper I reached the proverbial French saying “je ne sais quoi”.

Would I implement this firewall in my own environment ?

Maybe
Then again I’m a perfectionist, always afraid of failing…

I tend to find limitations, restrictions, imperfections and get easily disappointed.

If you want to learn I invite you to join me in this journey :)

Continue reading

Burp: When Terraform just does not cut it

in Linux

Table of Contents

Description

Each time I visit a potentially new customer, there’s always that moment after a sip of coffee, after a few whiteboarding events and heated technical discussions when the following question pops up:


“How do you manage this Multicloud environment ?”
“Isn’t this complex for my Operations Team ?"


If you had asked me this 5-6 years ago…I would have probably said yes.
I was there jumping into action, incidents in the middle of the night, pager alarms and zombie eyes after 4-5h of sleep and the rollercoaster just kept going.

The daily struggle to reduce configuration and administration headaches was something real. I used Bash scripts, Python, Ruby, a mix of various vendor tools and still lost a lot of time investigating each time what went wrong.


This is where in the last few years Terraform has come to the rescue and has provided a consistent way of defining infrastructure while at the same time making tracking of changes easy

(hint: Github/Gitlab + a CI/CD pipeline).


Sounds like a dream come true, right ? Not if you're restless like me and always want to see what's under the hood...

Continue reading

SSL Certs: Create own CA + cert for S2S VPN auth - RSA and ECDSA

in Linux

Table of Contents

Description

I recently had to configure Strongswan with Certificate Authentication to a Checkpoint GW and got lost a bit in all the articles I could find about the openssl utility and how to generate a CA, CSRs, sign a certificate and so on.
I will summarize here the steps required for generating the CA/cert so that everything is in a single place.

I give an example with RSA and one with ECDSA.

The changes are minimal.

On the Checkpoint side I only had to import the CA from Strongswan side and configure it under the Public Key auth pertaining to the Network Interoperable Device (representation of 3rd party device Checkpoint wise).

Continue reading

MongoDB: Upgrade to 4.x breaks mmapv1 storage type

in Linux

Table of Contents

Description

I was using a custom solution running MongoDB in the Backend on Ubuntu 18.04 and recently decided to try out an

apt-get update
apt-get dist-upgrade

I got quickly reminded why doing such operations require a bit more planning ahead instead of the just do it way of thinking.

systemctl status mongod
● mongod.service loaded failed failed MongoDB Database Server

cat /var/log/mongodb/mongod.log

“ctx”:“initandlisten”,“msg”:“Storage engine to use detected by data files”,“attr”:{“dbpath”:"/var/lib/mongodb", Functions"storageEngine":“mmapv1”}}

Cannot start server with an unknown storage engine: mmapv1"}}

Luckily in IT, there’s always a solution for everything and a chance to reverse engineer what happened…

Continue reading

GCP: Functions - Connectivity, Security, Visibility with Aviatrix

in Cloud

Table of Contents

Description

A customer recently asked me about extending his existing Aviatrix environment from Azure to GCP.
This came with a small caveat.

In GCP he is using Functions.
One of those functions needs to:

  • reach a backend in Azure
  • be accessed from the Internet
  • be accessed by customers landing over Site2Cloud connections on Spokes

My initial lab setup for this scenario looked similar to this

Can you see the challenge here?
Wherever I would deploy a GCP function, it would just live outside the VPC by default.
I would NOT be able to control where traffic flows.
NOT able to easily apply various layers of security to it.
Have NO straightforward and consistent way to monitor what happens in real time and take measures in case I need to troubleshoot and fix its functionality.
I would be walking blind in the dark and get annoyed with the whole process.

For any challenge there is a solution :)
That’s the reason I chose to be a techie.

Continue reading

Azure: Ingress via Firenet with Palo

in Cloud

Table of Contents

Description

This will NOT be a 5 min reading article.
It will require more time but it will cover all areas of interest :)
Most importantly, at the end, your Setup will WORK.

Kudos to Adam, my colleague, who first tested this in his lab.
It served as a basis for both me and the customer later on.

To start things off, a little while back someone asked me how he can have:
Incoming Traffic from Outside -> Azure Aviatrix Environment with FW Inspection -> Spoke with his Application
and also Preserve the source IP address when it hits the FW Rules.

Why this ?

He wanted to use the real source IP for logging and filtering purposes on Aviatrix FireNet attached FWs.
Pretty understandable and reasonable.

He read our article from here:
Spoke Ingress with Application Gateway
He saw the Diagram:

but noticed that the Azure Application Gateway does SNAT and as such his Firenet Firewalls are not seeing the original User IP of the request.

One could argue that the X-Forwarded-For header added by the Azure Application Gateway can be used to preserve the original IP…

Do you see a corner case here ?
I for one did not at the beginning. I always rush through things.

What if your Application is NOT a WebApp and as such there is NO HTTP Header where to add the X-Forwarded-For to?

Continue reading

Aviatrix alerting, easy with Microsoft Teams

in Cloud

Welcome to my first post since I joined Aviatrix.
What is Aviatrix for the first time reader?

In very simple words:

  • Cisco/Juniper = the foundation for On-Prem solutions and traditional Datacenters.
  • Aviatrix steps in when it comes to the world of Multicloud.
    Connectivity, Visibility, Security in the datapath, Cloud born and IaaS powered (Terraform).

Spoiler Alert - Security on top
Log4J Detect & Block with Aviatrix inside your Cloud Environment

Coming back on topic…
Any system you deploy comes with its own alerting capabilities.
Most alerting capabilities offer first the functionality of sending emails to a noc or operations list where the Engineer On Duty usually monitors the events and takes action.
Simple, right?
Not when you’re growing and you have multiple different departments and solutions running in your company…each one sending you emails for each event that takes place.

A “normal” day in the life of an engineer can easily turn into this (yes, that is my very own mailbox):

I’ve been through this, especially when coming back after a bank holiday and it has always been painful to figure out what is still DOWN.
It was also challenging not to skip some alerts while rushing through emails and then be called later in the day to be asked why connectivity between some application components still does not work => Headache moment…

What if there was a different way of doing it ?
What about the Chatops model ?
MS Teams, Slack, Webex and the list goes on.

A pop-up you can never easily ignore :)

Scroll down to see how you can both personalise your Aviatrix alerts as well as have them delivered on an MS Teams chat channel.

Continue reading

Author's picture

Mihai Tanasescu

All Rounder and Jack of all trades (master of none? :) ).
Sailing the Cloud world with my fantastic team@Aviatrix, former Network, Systems Engineer (Cisco, Juniper, Linux, Openshift, Openstack).
A flavor of Security added to the mix (Offensive Security OSCE).
If there’s anything new and cool, then I like to learn about it. I’m also a fan of deep diving under the hood of a product to see what makes it tick as well as what breaks it.

Solutions Architect @ Aviatrix

Switzerland