Automating Labs with DevOps Tools and IaC Practices (a primer)

lofileox3264
5 min read · Nov 13, 2020

TLDR: What is IaC+DevOps and why you should care.

If you’ve spent any time around the InfoSec or IT community you’ve definitely heard about the importance of home labs. Whether it be a single laptop with VirtualBox or a rack full of servers, labs provide hands-on experience from the comfort of your home. It’s relatively low risk since it’s not a production system, and even just setting up a home lab offers great knowledge on systems, hardware, virtualization, and more.

However, what happens once you’re past that initial phase of PoCs and test runs? What happens when you want to perform more extensive, in-depth research? You end up needing an environment that’s scalable and agile and suddenly the thought of manually creating VMs doesn’t look so pleasant. (Trust me as someone who’s created thousands of VMs, I know.)

So what do you do? You could invest in enterprise solutions such as VMware’s vSphere and Horizon VDI. I use it for my day job and it’s a great platform. But the costs for the hypervisor, management console, licensing, and supported hardware start to rack up a huge bill. And while it does provide more functionality such as VM pools, templates, and a scripting language, it still doesn’t completely make your environment agile.

Enter the new kids on the block: DevOps and Infrastructure as Code.

Okay, truth be told it’s not really a new concept. Scripting has been around for decades, but these practices take it to the next level. Both of these concepts work hand in hand and provide the exact type of elasticity a lab environment needs.

Amazon defines DevOps as:

“the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity..” source

While Microsoft defines Infrastructure as Code as:

“the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning as DevOps team uses for source code..” source

Putting both of them together leaves you with a rapid software development workflow for provisioning infrastructure. Let’s see how we can actually leverage them to create environments.

Traditional vs Declarative

In a typical scenario this is how VMs are provisioned:

Example of Traditional VM Creation Process
  • A virtual machine is created on a hypervisor
  • An OS is installed
  • Necessary apps and software are installed
  • VM gets turned into a template to copy new VMs from
  • (or) Process starts over to create a new VM

So far so good, right? You perform all the tasks manually, select your OS and software, install everything, and now you have a running VM. But here are some problems with this model:

  • Time consuming; Making VMs by hand gets tedious after a while.
  • Not scalable; Sure, you could provision new VMs from a template or master image but then there’s no individual customization for those VMs.
  • No configuration management; If you make changes to multiple virtual machines, how could you revert to the exact same configuration you had before?

Let’s look at another model following IaC and DevOps practices:

Example of Infrastructure as Code Provisioning
  • Infrastructure and Configuration Code is written
  • Code is uploaded to Repo for approval and change management
  • Code is pulled from Repo to Provider and Provisioning solutions to deploy VMs

This kind of workflow offers a few advantages over the traditional model:

  • Declarative instead of Imperative; You just have to define what you want and the software takes care of getting that infrastructure up instead of manually doing it yourself.
  • Scalable; If you need more VMs or more resources you just have to declare it in the file.
  • Better change management with version control; By treating your environment as code, you can have different versions of your environment and roll back or view changes easily.
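
To make the three advantages above concrete, here is an added example (not from the original article, and not how Terraform or Vagrant are implemented): a toy planner that diffs a declared lab against what is running and works out the create/update/destroy steps. The VM names, image names, and memory sizes are constructed for illustration.

```python
# Toy model of a declarative provisioner (illustrative only).
# All VM names, image names and sizes below are constructed sample values.

def plan(desired, current):
    """Diff the declared lab against the running inventory; return ordered actions."""
    actions = []
    for name in sorted(desired.keys() - current.keys()):
        actions.append(("create", name, desired[name]))
    for name in sorted(desired.keys() & current.keys()):
        if desired[name] != current[name]:
            actions.append(("update", name, desired[name]))
    for name in sorted(current.keys() - desired.keys()):
        actions.append(("destroy", name, current[name]))
    return actions

def apply_plan(actions, current):
    """Return the inventory that results from carrying out the plan."""
    result = {name: dict(spec) for name, spec in current.items()}
    for verb, name, spec in actions:
        if verb == "destroy":
            del result[name]
        else:  # create and update both converge the VM on the declared spec
            result[name] = dict(spec)
    return result

def web_lab(targets):
    """Declared lab: one attacker box plus N identical web targets."""
    lab = {"kali": {"box": "attacker-image", "memory_mb": 4096}}
    for i in range(1, targets + 1):
        lab[f"web{i}"] = {"box": "target-image", "memory_mb": 1024}
    return lab

LAB_V1 = web_lab(targets=1)          # first committed version of the lab
LAB_V2 = web_lab(targets=3)          # later commit: scale out by editing one number
LAB_V2["web1"]["memory_mb"] = 2048   # per-VM customization also lives in the file

if __name__ == "__main__":
    running = {}
    for label, spec in (("v1", LAB_V1), ("v2", LAB_V2), ("rollback to v1", LAB_V1)):
        steps = plan(spec, running)
        print(label, [(verb, name) for verb, name, _ in steps])
        running = apply_plan(steps, running)
```

Planning a second time against an unchanged declaration yields no actions, and "rolling back" is nothing more than planning against the earlier committed version of the file.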

Cool, so we’ve established the IaC+DevOps methodology from a high level overview. How do we actually get started with it?

There’s really no right answer as this is a practice and not a product. However, there are solutions directly targeting this process.

HashiCorp is one of the companies with open source solutions for IaC, DevOps, and Automation.

They offer solutions in all parts of the stack for a cloud-agnostic infrastructure. One of their most popular is Terraform, used to provision infrastructure in public and private clouds.

HashiCorp Products

Then there’s the application and configuration aspect after the VMs have been created. You could use automation software such as Ansible, Chef, or Puppet to get the proper configuration to the VMs. You could even run Bash or PowerShell scripts packed into the VM when it gets provisioned to configure your apps.

With all of this on the table, you can probably see how this leads into security labs. By making the environments agile and easier to set up, we can focus on the security tasks rather than spending hours setting up the virtual infrastructure. The prospect of creating new environments for all kinds of security: Malware, Networking, Web, Windows, Linux, suddenly doesn’t seem so daunting and time consuming.

In the next article I’ll be using HashiCorp’s Vagrant and Red Hat’s Ansible to set up a disposable environment for Web Application Security. I’ll go through the steps of installing the software and how to get started with writing infrastructure as code. (I’ll even throw the code in a public repo so you can check it out.)

Update: Next Article is out! Check it out here

What is DevOps: https://aws.amazon.com/devops/what-is-devops/

What is IaC: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code

Artwork: https://www.artstation.com/artwork/Dx95g9
