
[Applause] [Music]

[Sponsor announcements, partly inaudible: Trend Micro, Digital Defense, ... Institute; Silver level sponsors, the National Security Agency, ...; Titanium level, ...]

Hi, and thank you so much. You can hear me in the back? That's great. How's everybody doing today? All right. Now that I've got a new beer, how's everybody doing today? I want to hear it. Welcome to Virtualization Automation with Ansible. I am Alexander Couple and I'm here to talk to you guys today. I am a graduate of the University of Texas at San Antonio. I have a Bachelor of Business Administration in Cybersecurity and a BBA in Information Systems. I was on the Collegiate Cyber Defense Competition teams; I ran the competition team my senior year. I was a member, then treasurer, then president of our computer security association, and that's what really ignited my passion for security. Now I work at Booz Allen Hamilton, a federal defense contractor. I serve as the cyber SME and [inaudible] on my team, and as the intern liaison, so managing a small army of people that are a lot smarter than you sometimes can be a little scary. Hi Josh.

All right, so what we're going to talk about today is building your own cyber range and the best way to go about that. But in order to do that we have to first talk about what a cyber range is and why you would want one, how do you make one, and if there are better ways to do it. We'll talk about some virtualization and the differences between different types of virtualization, and how making it seems really, really hard, and then we'll automate all of the difficult stuff and make it super, super easy. Everybody on board? All right.

So what is a cyber range? You can think of it as a digital playground, a shooting range, or a bit of both. It can be a classroom, it can be a malware lab, it can be anything that you would want a bunch of computers connected together to do. It can contain a mix of server platforms, regular workstation platforms, networking gear, anything your heart desires. You can simulate your own network operations center or security operations center. You can set it up for red as in offensive versus blue as in defensive head-to-head training exercises.

Why would I want a cyber range? The short answer is practice. Why would you want to practice? Because the bad guys are, so you should too. You can also perform learning, and assessment of learning, through monitored cyber ranges: you're able to receive real-time feedback on what people are doing within your cyber range, the things they're learning, the things they're not learning. And you can test out new ideas and techniques without breaking your production environment. So here's [slide] something broken in production; this is why you don't want to do that.

All right, cyber ranges: who really needs a cyber range? Professionals like myself, to hone their own craft. Organizations like the one that I work for, for evaluating their techniques. Educators, such as your professors, your teachers, or if you're providing mentorship to anyone, so that you can give students a place to learn. And students themselves, to learn without consequences. I'm a firm believer that if you're not learning something new every single day in this field you're falling behind, so building yourself a cyber range will give you the means to be able to do so. All right, have I convinced you guys on wanting a cyber range?

[Audience] I'll be convinced.
All right, so there's two real good ways to go about this: a physical lab and a virtual lab. Physical lab... just kidding, it's not always that much of a dumpster fire, sometimes it's like this. Drawbacks to having a physical lab include the equipment costs of having all of your workstations, all of your laptops, all of your cables, all of your networking gear, all of this, all of that. Everything is just all over the place, you gotta find a place to store it, it just takes up way too much room, and it needs constant maintenance. One thing breaks, you swap it out with a spare; your spare breaks, you swap it out with your spare spare; eventually you run out of spares, and you run out of time to fix things because you're too busy playing in your brand-new cyber range.

So let's go the easy way: let's virtualize our lab. It's a much more cost-effective solution because you can narrow it down to a single server; you don't need a bunch of things networked together to have a decent-sized cyber range. You can change it dynamically: you're able to create snapshots and go back in time and just fiddle around with it without the worries and woes of breaking expensive equipment. It also makes a much smaller physical footprint. I would rather carry a single server on the road, as much as I would hate to, instead of 30 to 50 laptops.

There are some things that we need to talk about before we can talk about virtualization as a whole. What is virtualization? Is anybody in the room not familiar with virtualization? All right, too bad, I'm going to explain it anyway. Virtualization is technology that allows you to run a computer on another computer; it's useful for running resources that are traditionally bound to hardware. So take your computer, squash it down, run it on another computer using a hypervisor. A hyper-what, you would say if you weren't familiar with virtualization. That's the software that lets your computer run another computer. It's divided into the host operating system and guest operating systems, and there are two types of hypervisors, unless you're a hypervisor snob and think there's only really one. The easiest distinction between them is type 1 and type 2: running on bare metal, or on my super-powerful gaming laptop.

OK, so that is a neat little graphic that I stole that talks about the two different types of hypervisors. Here we have a type 1 hypervisor: it runs the actual operating system that runs your virtualized operating systems on the bare metal, and then you have your guest operating systems, which are your virtual machines. There's also a type 2 hypervisor, so this host OS would be like your Windows, your Mac, your Linux, and then you run hypervisor software on top of that, like VirtualBox or VMware Workstation, and then you're able to run your guests.

So how would I go about doing this, you might ask. Well, type 2 is easiest at home if you don't already have this sort of equipment: you can download VirtualBox for free, VMware Player also for free, or VMware Workstation, which is definitely worth the extra money. If you've got extra hardware just lying around, my recommendation would be to go for a type 1 hypervisor. I myself am very partial to VMware's ESXi platform, but Microsoft also has their own virtualization platform called Hyper-V; it's included with Windows Server and also Windows 10 if you wanted to try that out. And you can also use OpenStack. Now some of you may say, wait a minute, OpenStack isn't really a hypervisor. Anybody in that camp? No? OK, well, I was gonna say, if it walks like a duck and it talks like a duck, what is it? Yes.

All right, so why would you choose ESXi? It's expensive? Not if you get the free version. Because it's what I grew up with: I used it in college, I use it at home in my own personal home lab, I use it at work. It has a very versatile API, so you're able to make all sorts of calls to it with something like integrated DevOps tools, like this weird Ansible
thing I've been hearing a little bit about lately. And I've got the hardware, so why not use it.

So, making a versatile range manually. It can be time-consuming, it can be painstaking, it can make you cry; it's done that to me. You click through some prompts, you make your virtual machine, and you repeat it over and over and over until you have the range you want. So let's see how we go about making one virtual machine. First things first, you click on the Create New Virtual Machine button. It's big, it's bold, it's beautiful, and that's why I didn't highlight it in the slide. Before this is the important stuff: once you get to the create a virtual machine prompt, you just create a new virtual machine, you're going to click Next, you're going to name your virtual machine in this box, you're going to select your guest OS (if you remember back to the slide, the graphic that I shamelessly stole, that's the operating system that you're running as a virtual machine), and you're going to tell it the specific version that you want to be running. You're going to select your storage; I happen to have a bunch of hard drives sitting in my server. And if we go to the next slide, this is where you would configure all of the sorts of hardware-based things that you would be used to if you were going to, say, PCPartPicker and building your own desktop.

Always, always, always, always, unless you have another good reason: under the part where it says Hard Disk, click on this blue arrow here and thin provision. Thin provision. Does anyone want to take a crack at why you would want to thin provision instead of just thick provision? Does anybody know the difference?

[Audience] Performance, because I don't have 50 terabytes of storage. Storage space problems. Because thick provisioning already zeroes out the disk ahead of time, and thin does it as you go, so it's a lot more efficient. Disk efficiency.

All right, yes, all of those are very valid. If I ever run into you and I find out that you're thick provisioning on purpose and you don't have, like, a 500-word essay as to why...

After you've thin provisioned, like you absolutely should, you're going to go down and select your CD/DVD drive, click the little drop-down here, and then you're going to go through your folder paths to your beautiful ISO image so that you're able to actually install your operating system. That means you're done with your VM, right? No. Now we need to actually configure it and install the operating system, just like you would on regular hardware. So you're going to want to turn on the VM: either click the console button, Enter, or this big play button. I don't know why they're so close if they do the exact same thing; someone needs a new UX/UI designer. So you've clicked Console, and it brings up in your web browser a nice representation of what you would see if you were sitting in front of an actual computer. So you go ahead and install it, set it up the way that you want, install maybe some applications like your favorite web browser. Now you would have to do this over and over and over for each new machine you would want on your range, unless you're paying for the professional version of ESXi, or for vSphere, which is their larger suite of tools that lets you manage multiple individual ESXi hosts with. So after you've made your virtual machine, click on Actions and Install VMware Tools, because that's very, very important for what we're about to do: it allows you to actually interface with the network cards and everything it runs under the hood.

[Audience] Wait a minute, I thought this was a talk about Ansible. So where is it?

All right, I'm sorry, we're getting there. All right, so let's get Ansible. Has anybody here used Ansible? All right, a lot less than I thought. It's a great tool, great tool. It can totally reduce your workload, and it's agentless. So how many of you are familiar with Chef? OK, how many of you are familiar with Puppet? OK, so you don't have to install the Puppet agent on, like, every machine you want to manage with it. Take that, remove having to install the
agent, and you get Ansible. If you're able to ping it and you have appropriate credentials, you can manage it. You're able to take these long and difficult tasks, like installing software or deploying virtual machines, and turn them into repeatable playbooks. It gives you everything that you need with just the push of a button, and you can distribute that to teams to have in your lab, replicated in other avenues. Thank you so much to Red Hat for making this tool free and open source; you can find out more at ansible.com and you can find it on GitHub under ansible.

All right, so the installation as it is in my personal home environment: on the Windows guy, my handle is Bill Gates, I just like his mug shot. So I'm using Windows 10 and Ubuntu through the Windows Subsystem for Linux. So if you don't want to go out and buy another computer just to run Ansible, you're able to do that as well. Once you've got WSL set up you can run these commands: you want to update everything, you want to add the repository for Ansible, and then install Ansible itself. All right, so where's my range? I've been expecting it, right? You need some more software. So you need pip, and to also interact with ESXi you will need this installed through pip: it's pyvmomi. I don't know what the "vmomi" stands for, but I bet you all know what the VM stands for.

All right, so once you've got everything set up in your beautiful, beautiful Ansible installation, you'll want to check your Ansible hosts file. It's stored under /etc/ansible/hosts, and this is where we'll tell Ansible what machines we want to have created. I know what it is that I'm building, so my hosts file has one of the headers set to windows7, so that I'm able to know whenever I look at it: oh, which machines are running Windows 7? Well, it's the ones that have these IP addresses. Ansible uses playbooks where Chef would use recipes; think of these, in terms of this talk, as the guides to building your VMs. They'll control what it is that's happening within your environment. It uses the hosts file as the list of things that it wants to target. And if you use Ansible the normal way, don't hate me that I am constantly changing the hosts file and not keeping it static to a regular environment. I'm sort of using it backwards from the way that it's intended to be: instead of changing playbooks, I'm changing the hosts file and then running playbooks against that.

Ansible playbooks are written in the YAML format, so it's really easy to read, it's really easy to write. You're able to declare variables, and prompts for variables so that you don't have to leave your password in plain text, which is great. This is how you would go about using those variables. So we have the vsphere_guest Ansible module, which comes already installed with every Ansible; you don't have to go and configure it a certain way or download other packages, you download Ansible and you get all of it. You would use the variables here with the curly braces, the inventory hostname. Now here is the VMware-specific stuff: thin provisioning, the datastore that you want to deploy it to, the VM network (if you have multiple networks on your virtualized switch you would pick one here). I'm declaring their IP addresses based on their hostname in the inventory file, so the VMs that are created would have an IP address of 192.168.1.2, a hostname of 192.168.1.2, and the actual virtual machine name is "guest".
All right, now notice the template [slide]. What are we gonna use for a template? Well, you remember that virtual machine that I walked us through making, clicking and picking things? We're just going to use that. So instead of remaking it over and over and over, we're going to let Ansible do the heavy lifting for us. So you just run the playbook, super, super easy: ansible-playbook and the name of your playbook. It asks for the vSphere password, which is hidden whenever you actually type it out, which is great. It then prompts you for VM names; the default, from what I've defined in the Ansible playbook, is "deployed with ansible". Here I decided to say this is for BSides SATX 2019, because this is for BSides SATX 2019. It then asks you for the source VM to deploy. Back a few slides, however, make sure you name your VM; I didn't have the name in the slide, but it is bsides_satx. It goes and actually starts cloning that virtual machine template that you asked it to and deploys it onto your range. So Ansible gives you this nice little summary of the things that it did: OK, you told me to go look at these IP addresses, these are the things that changed. OK, well, what changed? It's not exactly super intuitive on the command line to tell you what it is that has and has not changed; however, you wrote the playbook, you should know what it is that is changing on your part. So here is my new beautiful range, just like we declared in the hosts file.

Other use cases for Ansible include deploying software. You can use Ansible to connect to things like apt or, if you're on Windows, Chocolatey, to install software across both your cyber range and your own enterprise network. If you have custom applications that you've written that you want to test in your range, you're able to do that as well. It's a little bit outside the scope of the talk that I have prepared, but I realized I'm talking really, really, really fast, so there will definitely be time for lots of questions; I hope you guys have some.

Here are some useful links. We have the VMware Evaluation Center so that you can grab your free copy of ESXi. They have the download for the VMware vCenter Server Appliance, which is that thing that lets you manage multiple ESXi instances. Ansible is actually written in Python, so that's super handy if you're already familiar with it. And I listed the Ansible docs as useful, but not really: this is an actual screenshot of their documentation in regards to the VMware modules. There's nothing; I was just playing with the module and seeing what worked. Of course I'm only here to show the successes; I'm not going to show you everything that I did that didn't work.

All right, so I know I'm super, super, super under time, so I have plenty of time for questions. The playbook that I used for deploying my range will be available on my GitHub, and I'll post that link on my Twitter. Feel free to give that a look, follow me or anything, but if you enjoy it and you want to see more of this sort of stuff, just let me know, and feel free to send me a connection on LinkedIn and say, hey, I saw your talk at BSides, could you help me with blah blah blah, and I'll see what I can do. But as of right now I'm here to take questions; I want this to be a little more interactive. Really, no questions?

[Audience question, partly inaudible] ...developing separate third-party installers... given a list of these installers, go through, run the script and install those?

So the question was, if I have, like, a list of applications that need to be unzipped and installed, can I do that with Ansible? The answer is yes, absolutely, you can do that. So not only are you able to utilize existing repositories like apt or
Chocolatey if you're on Windows; if you have a custom application, like something I've written, let's say a hello_world.exe, I could put that up on, like, a local web server and have Ansible say, hey, on 192.168.1.2 I want you to look at this web server URL, pull this package and install it. OK, so yes, you are able to do that, both with publicly available repositories and a repository that you make, but that's a little bit outside the scope of what we're doing here.

[Audience] Why change the IP addresses in the hosts file and not in the recipe, in the playbook?

So why use the hosts file instead of the playbook to declare your range? Because I'm lazy, the module wasn't working, and whenever you [Music] whenever you have documentation like this, you find something that works and you stick to your guns, and it doesn't matter if it's wrong to everyone else, you stick to your guns because it works.

[Music]

[Audience] Yes, but Chocolatey has deployment capabilities. So how big is your environment?

Not personal, it's a work environment. Yeah, so, if you're... the question is... I'm sorry, no, it is, yeah: the question was, well, why would I run Ansible to run Chocolatey if I could just run Chocolatey? Scalability. I am so sorry.

[Audience, partly inaudible] ...install Arch with Ansible?

I actually have a serious answer for that: do it once manually, then do everything that I just presented on and deploy it to your range.

[Audience] So you mentioned every OS; what about Windows XP?

Yes, you could manage XP, very little though, because you're able to still run Windows shell commands through Ansible.

[Audience, partly inaudible] ...communication, what does it work over?

So Ansible interfaces with Linux machines over SSH. There's no SSH on Windows XP; however, there is Windows Remote Management, so using WinRM you're able to then remotely manage your machines at scale with Ansible.

[Audience] Have you done this in practice?

Yes, yes.

[Audience] Is it ever in production?

Yes.

[Audience, partly inaudible] ...if you set up, instead of making it via cloning, could you set it up with, I'm going to use the word, an answer file, if I didn't have it, just in case?

Yes sir, sort of. So the question was, correct me if I'm wrong, could I use Ansible to create, like, a VMware answer file which would be just pre-configured at the end whenever it's being loaded? I haven't seen a way to do that. I'd love to see it, because it would save me about half the time, because whenever you run things through Ansible it's almost like you're running through it all across the network at once, so it has to actually go through and set the IP addresses instead of just having them set up at boot. That would be a very interesting thing to see, and not something that I considered, so thank you.

[Audience, partly inaudible] ...Salt?

So I have not used Salt, so my comparison is, well, I've had chocolate but I've never had strawberry; I can't tell you which is better.
[Audience] Is there a scalable format for pseudo-random VMs? So if I have username and password lists that I want to scatter across the different teams, I don't want them to be the same across the board.

Yes, thank you so much for asking; that's something that I meant to actually include in these slides. There is a with_random_choice variable that is available (let's go back to... that is available) that you can actually set: you can say with_random_choice username and you can provide a list of usernames, with_random_choice password and provide a list of passwords, and it'll randomly generate these virtual machines and set them up with that username and password.

[Audience] Can you do that with software packages as well? Dependencies?

Yes. I'm sorry, could you ask that one more time?

[Audience, partly inaudible] If I've got my packages laid out with vulnerable services, obviously it's not gonna work across different flavors, but I need those other flavors in the environment; can it find the dependencies?

Yes. [Music]

[Audience] It won't try to support them if something doesn't work?

Right. So the question was, can I do that with software packages too? The answer is yes. You are able to randomly select: if you had a repository of vulnerable services, you can select from that list at random and have it also install the dependencies, so long as you have defined them appropriately in your playbook. And if you use with_random_choice, it will go through like, oh, I need to install Apache version 0.0.1 and all of its dependencies, and you can do it randomly, which is really beautiful if you want to, say, create a mock penetration test sort of lab environment.

All right, well, I don't think there are any more questions, and I totally blew through my slides. Thank you guys. [Applause] And I'll put up the playbooks that I used for deploying this range on my GitHub, and I'll post it out on Twitter again this evening to show you with_random_choice.
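The deployment playbook the speaker describes (a prompt for the vSphere password, one clone of the hand-built template per host in the windows7 inventory group, thin provisioning, a datastore and VM network, the guest IP taken from the inventory hostname), with the with_random_choice credential trick from the last question folded in, as an added example that is not the speaker's published playbook. The talk names the legacy vsphere_guest module, which Ansible has since deprecated and removed, so this uses its replacement community.vmware.vmware_guest; the host, datastore, network, template and account names are assumed placeholders.

```yaml
# Added example, not the speaker's playbook. Placeholders you must replace:
# esxi.lab.local, datastore1, "VM Network", the template name bsides_satx.
# ha-datacenter is the datacenter name a standalone ESXi host reports.
#
# Constructed /etc/ansible/hosts, driven the way the talk drives it:
#   [windows7]
#   192.168.1.2
#   192.168.1.3
---
- name: Clone the hand-built template once per host in the inventory group
  hosts: windows7
  gather_facts: no           # the guests do not exist yet, nothing to gather
  connection: local          # the module talks to the vSphere API, not the VM

  vars_prompt:
    - name: vsphere_password
      prompt: vSphere password
      private: yes           # hidden while typing, never stored in the file
    - name: vm_prefix
      prompt: VM name prefix
      default: deployed_with_ansible
      private: no
    - name: template_name
      prompt: Source template to clone
      default: bsides_satx
      private: no

  vars:
    vsphere_host: esxi.lab.local

  tasks:
    - name: Pick this guest's local credential pair at random
      set_fact:
        guest_user: "{{ item.user }}"   # for an account task once the guest boots
        guest_pass: "{{ item.pass }}"
      with_random_choice:              # the loop keyword from the Q&A
        - { user: student1, pass: "Constructed-Pass-1" }
        - { user: student2, pass: "Constructed-Pass-2" }
        - { user: student3, pass: "Constructed-Pass-3" }
      no_log: yes                      # keep the chosen secret out of the run log

    - name: Clone the template, thin-provisioned, onto the chosen datastore
      community.vmware.vmware_guest:
        hostname: "{{ vsphere_host }}"
        username: root
        password: "{{ vsphere_password }}"
        validate_certs: no             # lab ESXi usually has a self-signed cert
        datacenter: ha-datacenter
        folder: /ha-datacenter/vm      # assumption: default VM folder on ESXi
        name: "{{ vm_prefix }}_{{ inventory_hostname }}"
        template: "{{ template_name }}"
        datastore: datastore1
        disk:
          - size_gb: 40                # must not be smaller than the template disk
            type: thin                 # thin, not thick, as the talk insists
            datastore: datastore1
        networks:
          - name: VM Network
            ip: "{{ inventory_hostname }}"   # 192.168.1.2 gets 192.168.1.2
            netmask: 255.255.255.0
        customization:                 # needs vCenter plus VMware Tools in the template
          hostname: "host-{{ inventory_hostname | replace('.', '-') }}"
          password: "{{ guest_pass }}"
        state: poweredon
        wait_for_ip_address: yes
```

Setting the address through networks/customization needs vCenter and VMware Tools inside the template; against a standalone ESXi host the clone still works if you drop the ip, netmask and customization keys and configure addresses inside the guest.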