Cisco Tetration - Hands-On Lab

Module15: Policy Creation - ADM and Clusters - OpenCart

In this module we will create an Application Workspace for the OpenCart application which consists of a Linux server running Apache web server as the front end talking to a Linux server running MySQL for the back-end database. We will run ADM, change the cluster queries, and tune the discovered policies as needed. We will also accept any Policy Requests made from the OpenCart application workspace to the Common Policy workspace.


Click here to view a video of the tasks necessary to set up a Workspace, run ADM, configure Clusters, and customize the security Policy for the Linux-based app called OpenCart.


Steps for this Module

Step 001 - Create a new App Workspace
Step 002 - Configure the OpenCart Workspace
Step 003 - Begin ADM run
Step 004 - Set the ADM time range
Step 005 - Examine Member Workloads
Step 006 - Set External Dependencies
Step 007 - Set Cluster Granularity to Very Fine
Step 008 - View ADM run results
Step 009 - View discovered clusters
Step 010 - Edit the MySQL cluster
Step 011 - Rename the cluster and define new query
Step 012 - Edit the Apache cluster
Step 013 - Rename the cluster and define new query
Step 014 - Promote App cluster to Inventory Filter
Step 015 - Promote to Inventory Filter details
Step 016 - Promote DB cluster to Inventory Filter
Step 017 - Promote to Inventory Filter details
Step 018 - Delete rules for outbound access
Step 019 - Change Root Scope to Any
Step 020 - Verify Root Scope changed to Any
Step 021 - Delete TCP 8080 from the inbound web services
Step 022 - Switch to the Common Policy workspace
Step 023 - Approve the Policy Request
Step 024 - View the new rule created by the approved Policy Request


Step 001

Navigate to Applications and create a new workspace.

Step 002

Name the new Application Workspace OpenCart and select the OpenCart scope.

Step 003

Click Automatically Discover Policies to begin the ADM run process.

Step 004

Configure the time range to consider the last 6 hours of traffic.

Step 005

Click Show to reveal the member workloads. The IP addresses of the Apache web server and the MySQL database server should be shown.

Step 006

Expand External Dependencies and set Common Apps and the Root scope to Fine.

Step 007

Set Cluster Granularity to Very Fine and then submit the ADM run.

Step 008

When the ADM run completes, select the ADM results available link.

Step 009

Expand the discovered clusters to see the cluster members. There should be two clusters, one containing the Apache web server and the other containing the MySQL database server.

Step 010

Click on Clusters, select the cluster that displays the IP address of the MySQL database server and edit the cluster.

Step 011

Rename the cluster OpenCart-DB and change its query as shown in the image below.

Step 012

Select the cluster containing the IP address of the Apache web server and edit the cluster.

Step 013

Rename the cluster OpenCart-App and change its query as shown in the image below.

Step 014

Highlight the OpenCart-App cluster and select the rocket ship icon to promote the cluster to an Inventory Filter.

Step 015

Leave the default settings here and click Promote Cluster.

Step 016

Select the OpenCart-DB cluster and promote it to an Inventory Filter.

Step 017

Keep the default settings here and select Promote Cluster.

Step 018

Delete the two rules which provide outbound access from the OpenCart-DB and OpenCart-App clusters to the Root scope on TCP ports 80 and 443 and UDP port 123. This outbound traffic is already permitted by the Global Services Absolute policies, so the rules are redundant here and the traffic will still be allowed after they are removed.

Step 019

Modify the rule that allows the Root scope as Consumer to reach OpenCart-App as Provider on TCP 80, 443 and 8080. Click to edit the rule and change the Consumer from the Root scope to Any, so that hosts outside the scope (the outside world) can reach the web front end.

Step 020

The rule should now say Consumer Any to OpenCart-App on TCP 80, 443, and 8080.

Step 021

Recall that in Module10 on Forensics, the attacker came from the outside against port 8080. Since we know that the software is vulnerable and can be easily exploited, we want to make sure not to allow access to the app on port 8080 from the outside world. Click the trash can to delete port 8080 from the rule.

Since the Catch-all is set to Deny, anything not explicitly permitted will be denied. A Catch-all of Deny is the default on all application workspaces and works just like the implicit deny at the end of an access-list or firewall rule set. By removing port 8080 from the rule, we cause that traffic to fall through to the Catch-all and be dropped. An explicit Deny rule for port 8080 could also be configured if desired.

Step 022

Switch to the Common Policy Application Workspace.

Step 023

Click on the Provided Services tab, click Policy Requests and accept the pending policy request from OpenCart-DB on UDP port 53.

Step 024

Click on the Policies tab and notice the new rule that has been created from OpenCart-DB to Common-GC-DC-DNS with UDP 53 as the service.
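To check what the edited policy set actually does without the GUI, here is an added example (not code from the lab or from Cisco) that models Tetration's first-match evaluation of Absolute rules, Default rules and the Catch-all, and encodes the policy as it stands after Step 024: the redundant outbound rules removed in Step 018, the Any consumer from Step 019, port 8080 dropped in Step 021 and the DNS rule approved in Step 023. Everything not on the page is an assumption and is marked as such in the code: the IP addresses are constructed, MySQL is assumed to listen on TCP 3306, the shape of the Global Services Absolute rules is assumed, and the evaluation order is simplified to Absolute rules first, then Default rules, then the application workspace's Catch-all.

```python
"""Added example, not code from the lab or from Cisco: a small first-match
model of Tetration policy evaluation used to check the outcome of Steps
018-024 offline.  Assumptions not taken from the page: the IP addresses are
constructed, MySQL is assumed to listen on TCP 3306, the shape of the Global
Services Absolute rules is assumed, and the evaluation order is simplified
to Absolute rules, then Default rules, then the app workspace's Catch-all."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed inventory (hypothetical addresses): the attributes that an
# inventory filter query would match on.
INVENTORY = {
    "10.10.10.10": {"hostname": "opencart-app", "app": "opencart", "tier": "app"},
    "10.10.10.20": {"hostname": "opencart-db", "app": "opencart", "tier": "db"},
    "10.10.1.53": {"hostname": "gc-dc-dns", "app": "common", "tier": "dns"},
}
APP, DB, DNS = "10.10.10.10", "10.10.10.20", "10.10.1.53"
OUTSIDE = "203.0.113.5"  # constructed external address (the "outside world")

Filter = Callable[[str], bool]


def attr_filter(**wanted) -> Filter:
    """Inventory filter: workloads whose attributes equal every key in wanted."""
    return lambda ip: ip in INVENTORY and all(
        INVENTORY[ip].get(k) == v for k, v in wanted.items())


def any_host(ip: str) -> bool:    # "Any": every address, inside or outside
    return True


def root_scope(ip: str) -> bool:  # "Root scope": only workloads in the inventory
    return ip in INVENTORY


OPENCART_APP = attr_filter(app="opencart", tier="app")
OPENCART_DB = attr_filter(app="opencart", tier="db")
COMMON_DNS = attr_filter(app="common", tier="dns")


@dataclass(frozen=True)
class Rule:
    name: str
    consumer: Filter
    provider: Filter
    proto: str
    ports: frozenset
    action: str = "ALLOW"


@dataclass
class Workspace:
    name: str
    absolute: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)
    catch_all: str = "DENY"  # the lab's Catch-all: implicit deny


def evaluate(workspaces: List[Workspace], src: str, dst: str,
             proto: str, port: int) -> Tuple[str, str]:
    """First match wins: every workspace's Absolute rules, then the Default
    rules, then the Catch-all of the last (application) workspace."""
    for stage in ("absolute", "default"):
        for ws in workspaces:
            for r in getattr(ws, stage):
                if (r.consumer(src) and r.provider(dst)
                        and r.proto == proto and port in r.ports):
                    return r.action, f"{ws.name}/{r.name}"
    app_ws = workspaces[-1]
    return app_ws.catch_all, f"{app_ws.name}/Catch-all"


def build_policy(inbound_consumer: Filter = any_host) -> List[Workspace]:
    """Policy as it stands after Step 024.  Pass inbound_consumer=root_scope
    to see the state before Step 019 changed the consumer to Any."""
    common = Workspace(
        "Common Policy",
        absolute=[  # Global Services Absolute policies (assumed shape): why the
                    # outbound lines deleted in Step 018 were redundant
            Rule("outbound-web", root_scope, any_host, "TCP", frozenset({80, 443})),
            Rule("ntp", root_scope, any_host, "UDP", frozenset({123})),
        ],
        default=[   # created by approving the Policy Request in Step 023
            Rule("OpenCart-DB->Common-GC-DC-DNS", OPENCART_DB, COMMON_DNS,
                 "UDP", frozenset({53})),
        ])
    opencart = Workspace(
        "OpenCart",
        default=[   # Steps 019-021: consumer Any, port 8080 removed
            Rule("inbound-web", inbound_consumer, OPENCART_APP, "TCP", frozenset({80, 443})),
            Rule("app->db", OPENCART_APP, OPENCART_DB, "TCP", frozenset({3306})),  # assumed port
        ],
        catch_all="DENY")
    return [common, opencart]


if __name__ == "__main__":
    ws = build_policy()
    for flow in [(OUTSIDE, APP, "TCP", 443), (OUTSIDE, APP, "TCP", 8080),
                 (DB, APP, "TCP", 8080), (APP, OUTSIDE, "TCP", 443),
                 (DB, DNS, "UDP", 53), (DB, DNS, "TCP", 53)]:
        print(flow, "->", evaluate(ws, *flow))
```

Running the script shows the outcome the lab is after: TCP 443 from the outside address reaches OpenCart-App through the inbound-web rule, TCP 8080 from anywhere falls through to the OpenCart Catch-all and is denied, outbound TCP 443 and UDP 123 from the app are still allowed by the Common Policy Absolute rules even though the workspace's own outbound rules were deleted, and the DB server's DNS is allowed on UDP 53 only. Calling build_policy(root_scope) reproduces the state before Step 019, where the same outside host is denied on 443 because it is not part of the Root scope.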

YOU HAVE COMPLETED THIS MODULE
