
[Music] So I don't know about the rest of you, I don't know how long you've been in IT, but I've been in IT now about 20 years. Most of my training has been in formal training. I haven't had a lot of school experience, and I certainly didn't coming out of high school. And when I first got into computers by getting into gaming, and it was text-based games, and so you connect to the network and you would, you know, go north, go south, go, and so, and then I needed to upgrade my computer, and so then I started upgrading my computer. But one of the things that's been consistent throughout all that is that as soon as you start learning about
computers and you get interested, you have to grab every piece of equipment that came your way. If you saw somebody threw out a switch menu that was yours, and then you take it home, and then you'd have wires running all over your house, and you'd have, you know, computers sitting in every corner of the room, and so let alone the electricity and heat that they generate. But you never could really get a really good lab; you had to always put things together. So I discovered, oh, I forgot to thank our sponsors, so thank you for letting us come and do some presentations. So the thing is, if you want to learn security especially, but infrastructure
as well, that it's always changing, and we really need some way to reduce the barrier so that you don't have to buy, you know, a Cisco switch is $5,000, let's say. Well, if you don't have $5,000 to buy to Cisco switches, then you're going to have, you can't practice, you have to go somewhere that somebody else has them. And the other thing is, in security, as we've already talked about, is very likely that if you start practicing your security skills on the general internet, you're going to get in trouble, either legally or someone else will catch you and make you wish you were sorry. And then the other thing that is true is that you
also have to work on your core skills. You have to be able to do system administration in Linux, or, but you might not have that ability. You might be a student and not have access to the servers, or you might be an employee and not have access to those resources. So we really need something that basically is lower the barrier. So I'm flipping through slides because I want to focus mostly on a demo and actually show you what you can do with it. But so the cloud works perfectly for this, and the development of shareable resources and virtual resources is just exploded, and a company called Ravello, who's now been bought by Oracle, is front-end
for cloud resources. So you can do what you need, want to do, or, but you might want to do without Ravello, but Ravello has, is basically a front-end for designing patterns and labs and then deploying them quickly, and then you can do whatever you need to do: save them, run them a later time, or break them down, start them over again. It's a safe place and a great front-end to the cloud, and we'll go through the different scenarios that you can do. So you go to ravellosystems.com, in the top right corner you log in with a username and password. They have a two-week free trial without a credit card;
they actually pay for your resources for two weeks. So anybody who wants to go out and try it, you can get with me later if you want to today, or evening go home and work on it. You start with blank slate, there's no applications, but you can build and deploy those applications and they're saved. There's also a library, so if you want to load your own systems up, you can load your own ISOs or your own virtual machines into the Ravello environment, save them and use them and play around with them. The examples that we're to talk about today: there's a man-in-the-middle security playground, there's a Linux web security lab blueprint, and a lab just a straight test
Linux security, just the kernel and things like that. Once you design a blueprint, and again you'll see all this in the demo, but once you design a blueprint you can add it to your library, and then you can keep redeploying that. So you name it, and you can come back later and tweak it a little bit and have version control in your environments either. So the way most of the systems work is with SSH keys, so you'll be creating keys, and then you to log in to the public, if your application has a public access then you can log into the servers using SSH, or usually you can't log in very easily as
a username and password, so they shut that off so that it helps build your security. But you can configure it with, you know, again it's pretty configurable, but so you'll want to keep your key somewhere safe if you don't already have a good practice of keeping your key safe. And then some of the other cool features is that when you start an application it comes up and asks you how long you want to run, and you can choose network how long before you shut down. You can choose never, but it's by default it's 2 hours. So if you're being charged for resources per hour, is if you'd let it run for two hours and you don't, and you forget to
shut it down, it'll shut it down itself. That's another good feature, because in the cloud that's one of the number-one challenges, as you start something up and forget it, and then it runs for a month, and then you get billed for a month. So it does shut it down automatically. And then the help files are really comprehensive; they've built a really good system that can walk you through this.
Okay, on to the fun part. So I'm gonna stand over here and not point to the screen so much, because it's, since I'm actually going to be doing stuff, but you can stop me and ask questions if you want to look at Rai and look up as much as I can. So I've already deployed, and you can see here I've deployed two applications. One of them is running, I started it this morning, and the other one is stopped, but I'm going to go ahead and look for a new one to add. So if I look at, so again you can create your own with your own libraries, but if you look, there's the Ravello repo has lots and
lots of group blueprints, and actually how I got started with this is, you know, where I work we've switched our infrastructure from typical storage to Nutanix hyper-converged infrastructure, and so I wanted to play with Nutanix and actually get to figure out how it worked, and so I found a link that took me to this site, and Nutanix builds their community edition and puts it on here, so you can just drag and drop Nutanix on here and start learning how to use Nutanix, the commands for the CVMs and Prism and things like that. So you can just scroll through these. There's a, one of
the things that's cool is you can, there's a lab from, and you can go to, the lot of the documentation is sometimes out on other sites like lab guides, but there's also Cisco CSRs, so if you're interested in learning Cisco and learning routing and switching, routing mostly, I haven't seen a virtual switch up here yet. But there's a Puppet lab deployment that's already configured, so if you wanted to look at that blueprint you click on it and it'll tell you it's got four VMs and how they're configured and about what the cost is to run. So my security labs, I've spent, I don't think I've ever spent more than fifteen dollars a month, but that's
on the really high side, because my security lab cost me about 53 cents to run, and we'll go back to the security lab and actually look what options are there. But once you pick a blueprint, and I'm going to find a different one because I don't use Puppet that often. Oh, you can also search, I didn't, up here in the right hand side you can search for a, so I'm not gonna search because I just, I'll use this security one. So this is interesting: it's got a Kali, it's got Metasploit and WebGoat. So if we look closer at that, there are three VMs, cost about 43 cents an hour, and you just read through the different options, and then
this is, they do tell you the credentials, so if you need to log into the system with username and password. So once you decide, so I decide this is the one that I'm going to use, you add it to your library and it creates a copy.
Nope, I already called it that. And you'll see that it adds to the library and you can just click to open. So once you get in a blueprint, this is the canvas that you work on. So all these are three different VMs. You can tell what they've been configured with as far as networking by, you know, these little icons that they have. You can also come over here to the network tab and it'll show you the network layout. They'll show you that it's, you know, what subnet it's gonna pull IP addresses from, you can configure DHCP servers to do different things, or DNS, so there's again a lot of flexibility that
you can play with here. Once you've finished playing around you can actually, if you get on a server, you can actually change things like instead of two CPUs, oh, I gotta save it to my library because it's not, because it's cutting out custom, but
so you can change how many CPUs you run, how much memory, what type of platform you want to run it on. It doesn't really change what you see, but if you're trying to use this for production loads, which I don't recommend, but if you're trying to run a production load out here you can optimize it for performance, and that cost more, but it gives you more resources and dedicates more back-end processing to it. So you can also allow nested virtualization, which is kind of a new feature within ESX as well, the way you, you know, you have multiple virtual machines running inside and they're running a virtual machine environment. So
once you get the blueprint the way you want the blueprint, then you can publish the application and click create application. Now this is the actual, once I click create application, this is the application that's going to be saved and the virtual machines created. So it's not like some of the labs that you work with where you have to save everything you're doing and then save the config files out; these are virtual machines that are created and stored until you delete them. So once you get in and change configuration it's, you know, it's just like that server, so you can get in, make configuration changes, save them and reboot them, shut them down, and
they work. All of your data, all of your effort is stored. I'm just going to go into the lab that I have running already. So then it takes about five to ten minutes, depending on how many virtual machines you have set up, to start all of them and configure all the networking and do all that, so it's, you know, it takes a few minutes to get started, but once you're started they're running and you have all the resources that you need. So this particular lab I like because it's not accident there's no, the Kali Linux box doesn't have access to from the internet, so it's just one box less likely to get
hit. The WordPress vulnerabilities are exposed to the Internet, which you can again go in and change. So I use the console to log into the Kali Linux.
I haven't got this one configured very far, so I still have to log in as root, which we all know is a bad practice, but in Kali it can be your friend, because all the tools run under root, so otherwise you're sitting a lot.
So one of the things that you can do in here, in the security lab, is you can, the nice thing about the Kali distro is that you can go into these applications and they're grouped together by the type of tool that they are, so if you're learning and you want to see what's on the network
Hey, having trouble moving the mouse, but that's probably because I'm just not patient enough. So you can see here the infamous Nmap, which we've already heard about today, recon, I just use that discover the other day
and so walks you through, you know, what you need to do
and you can see on this subnet that the Kali Linux has access to, it can see the other hosts that are available. So then you can open up Iceweasel, or at this point you would use, you know, Nmap to start actually scanning the host and determining what kind of host it is and what you need to access, but you can see they've already provisioned WordPress.
Oh, I didn't turn on the, hold on a second. So I have already configured this to do web application analysis, so it's configured for a proxy server.
Now I think it should run
and there's a network penetration testing blog set up on WordPress. So you can actually see in the background that Paris is capturing the data, and you can scroll through and actually look at that information that's coming back. But so that's the security lab. Once you're done with it you can come back to it, you can individually shut down the machines, you can stop and restart them, you can grant, so this has the feature for corporations or large organizations: you can create sub users and then you can grant users access to the specific libraries or applications that you want them to have access to, so it is more flexible for that way. I haven't
used any of those features, so I can't testify to how well they work, but you can see also that you can create disk images and virtual machines, you can import them, and once you get them imported you can basically start configuring them and running them around. One example is I keep an Ubuntu server up-to-date, so I just keep it up-to-date and then publish it, and I can rapidly deploy Ubuntu server and put more stuff on it, whatever I want to. They can connect to the internet outbound, so you can get the repositories and start testing and playing around from their virtual environment. They can connect outbound, yeah, yeah. And then lastly, once
you're done you just need to shut down everything. You can actually shut down the application and it'll shut down all of your VMs as well. You can also save it as a blueprint, so you can read, again, you make changes, save it, then go back in version control. But it's a really cheap, relatively cheap anyway, tool that lets you build your labs in the cloud. You can build your, I don't, this isn't to preclude you from, if you want to build ads in Amazon Web secure or Amazon Web Services you can go out there, they have a trial for basically you can get a year of free access if you use t2.micro
instances, and you can create instances till you're, you know, blue in the face and do all the networking there. And Azure has a two hundred dollar credit, but that goes pretty fast, so haven't had as much experience with Azure. And then Google, Google's public cloud, I haven't had a lot of luck getting that to do, just to do quick access. If you want to migrate workloads there they have a lot of APIs and things that you can call and move entire workloads back and forth, but it's not as easy that it uses a kind of this front-end. So I guess I talk fast, but that's about all I have. Now let's open it up for questions.
Although now that should I do, no, you can, it'll run x86 as well. You just have to, when you upload the image or find an image that's XA that's 32-bit or sixty, and you just select that as an option in this CPU.
Yeah, yes, yeah, yeah, and you can also do inbound, yeah, 22. In the security lab I deliberately leave it, it can self contain, so that I'm not encouraging people to hit me, so it's up to you how you want to use it. But it's again a major leap forward in innovation, because, you know, I used to have to collect equipment and have 100 computers in my house, and now I don't have to have any. I'm running it on my wife's computer to be able to get on and do my lab work. So anything else? Cool, yeah. So I haven't looked for, I would assume so. You would, if you upload an ISO you could, I mean an
image, you could, so you could create your own image of Windows, you'd have to license it yourself, and then upload the virtual machine. I haven't seen any Windows environment labs yet, so I don't know if they're just not out there or if people are deliberately avoiding putting them on Ravello for licensing. In Amazon you can load Windows boxes, so they've got licensing worked out, so it's certainly possible, it's just I don't know if they've ever addressed that question. Yeah, for sure, that's what I use a lot of is the 1980 day licenses for Windows boxes. Thanks for your time.
[Music]