Ravello and SimSpace: Security in the cloud

Ravello and SimSpace’s On-Demand Cyber Ranges

Last year, many of us were introduced to Ravello Systems and their nested virtualization product. Their hypervisor, HVX, and their network and storage overlay technologies allow you to run any VM from your enterprise on a cloud – specifically Amazon AWS and Google Compute Engine. You can sign up for a free trial and migrate your VMs into the cloud instantly.

Many in the #vExpert community have used Ravello to augment or replace their home lab. We’ve also seen some pretty interesting uses of Ravello over the last year – AutoLab in the cloud, Ravello/vCloud Air DR setups and numerous blueprints (pre-defined multi-node system designs) such as Puppet and OpenStack on AWS.

Yesterday, I had the pleasure of speaking with SimSpace Corporation, a security company focused on cyber assessments, training, and testing. SimSpace has a history of working with and testing next generation cyber-security tools and helping their clients to rapidly build network models, called Cyber Ranges, using these tools at scale. Today, SimSpace and Ravello announced a partnership to expand this functionality and allow users to create their own cyber ranges in the cloud in a product called SimSpace VCN (press release). A VCN is a virtual clone network that is self-contained and isolated from the internet. VCN instances can be spun up and down on demand. This is a pretty awesome use of Ravello that goes a bit beyond what I’ve seen before.

Virtual Clone Networks and Use Cases

Each VCN starts as a blueprint and multiple instances can be deployed using Ravello’s hypervisor in the target cloud. You can deploy multiple DMZs, layer on additional networking like VLANs and port mirroring, and add just about anything else you want to replicate from your production environment. The network will contain not only the server OS VMs but a plethora of network and security devices from vendors such as Cisco, Checkpoint, Fortinet, and Palo Alto Networks. Existing policy settings (firewall, threat, etc.) can then be deployed on the appropriate VCN components. Each instance is completely isolated, allowing the user to treat each VCN as if it were production, but without the negative side effects if something goes wrong. SimSpace’s traditional clientele would then run cyber defense simulations in the VCN to identify faults, train new users, and test the behavior of modifications such as replacing a firewall of one type with another or modifying policies. SimSpace’s product has an attack framework with the ability to inject common network attacks and even simulate “zero day” attacks.

I see a number of other use cases for SimSpace’s VCN product. The ability to replace a blueprint node or set of nodes can be used to test how different vendors’ products behave and whether they are suitable for the environment. Even in a virtualized data center, lab testing is often not representative of production behavior, but making the change in production is highly risky and expensive. Testing in a VCN can help provide similar scale to production that a lab cannot, and at greatly reduced cost and risk.

Another potential use case is disaster recovery’s awkward sibling, business continuity (BC). Disaster recovery typically involves an online site where some portion of the system is always hot, at least to receive data replication from the primary environment. Business continuity, on the other hand, tends to involve cold and sometimes non-existent datacenters that are built from scratch to provide a minimum level of service during crisis times. Most BC exercises involve numerous runbooks and often end with some level of failure, as runbooks tend to get out of date quickly. A VCN, however, can be generated rapidly from production documentation and deployed in less than an hour (more details below), without the expense of standby hardware or a business continuity contract.

Finally, auditing for compliance is always tricky. For example, the latest version of the PCI-DSS standard requires penetration testing, which introduces the risk that some tests could cause outages or destroy data. Giving the auditor access to the VCN replica of production allows you and the auditor to map out the likely impact of penetration testing in a controlled manner with zero risk, enumerating the most likely outage scenarios and avoiding surprises. When the real penetration testing occurs in production, the risk can be reduced to an acceptable level for the business.

Product Offerings

SimSpace’s product will be offered in two flavors. A number of pre-defined blueprints exist that can be taken advantage of by users whose production environments closely match or who do not need a higher level of fidelity. These users can be up and running with their first VCN in about an hour, including signup time.

Customers who desire a higher level of fidelity or whose environments do not match the pre-defined blueprints can engage SimSpace about a customized VCN blueprint. SimSpace has a number of tools they are developing, the most promising of which works with Visio-like network diagrams that can be exported as a blueprint. The tool aims to be as simple as adding some metadata (IP, hostname, OS, etc.) to an existing diagram which should result in rapid turnarounds. If the VCN’s blueprint is updated, only the changes need to be deployed to the instance so deployment times remain low.

How It Works

SimSpace has shared some under-the-covers details with me. Each VM has at least two vNICs, one connected to a management network. All the management traffic is segregated from the production network to ensure management has no effect on the security testing results. Puppet is used to manage much of the node configuration, including networking and any user-provided software deployments. Just upload your software to the provided repository and assign the correct version to each node; Puppet does the rest. (I mention this for no particular reason of course!) Spinning up a VCN instance with ~40 nodes takes less than 10 minutes for Ravello to deploy and 10 minutes for SimSpace to populate and configure, or about 20 minutes for an average configuration. The minimum network size is about 20 nodes and the current maximum is around 80 nodes. Their developers are pushing that to 150 nodes in tests now and will continue to increase that number.

In addition to replicating your production environment, SimSpace has an “internet bubble” component that can be added to any blueprint to provide a fake internet. A few VMs with thousands of IPs are able to replicate some level of core routing, root DNS, and fake versions of Facebook, Google, and other popular websites, to help simulate the isolated VCN communicating with the greater internet. I imagine this is helpful if you want to test some watering hole exploits or DNS amplification attacks.

There is currently no provided cost for the service. The target model is a monthly subscription service with additional fees for cloud usage and commercial licenses used in the VCN. Commercial licenses for products in each VCN instance will be handled by SimSpace, so there’s no need for users to worry about vendor management with SimSpace VCN. An early access program will be starting in the next week or two and general availability is expected in the 4th quarter of 2015. If you’re interested in the early access program, you can contact SimSpace directly.

All in all, I am very excited about SimSpace VCN. The amount of functionality it enables and the risk it reduces should have value to many individuals and businesses, and the reduction in cost of test environments is nearly limitless. Technologically, it’s also a really novel and powerful use of Ravello’s nested virtualization technology. I cannot wait to see SimSpace VCN in action and see its promise realized.

PHP Unit Testing

I recently needed to investigate unit testing in PHP. I’m familiar with but not very well versed in PHP, and I’m certainly not a PHP aficionado, but a quick Google search turned me on to PHPUnit by Sebastian Bergmann. The docs appear very complete and there’s a nice Getting Started guide to keep it simple. Using this tutorial and the accompanying GitHub repo, you can be up and running in a few minutes. Unfortunately, I ran into some problems because I am using PHP 5.3.3 (CentOS EL 6) and I was trying a literal copy and paste instead of using the provided repo. Don’t copy and paste, just use the repo. However, I managed to learn something by doing this.

PHP Versions

The simpler issue is PHP 5.3.3. I installed phpunit per the directions in the Getting Started guide. Here’s what happens when I clone the Money repo and run phpunit:

[rnelson0@build01 money:master]$ git remote -v
origin  git@github.com:sebastianbergmann/money.git (fetch)
origin  git@github.com:sebastianbergmann/money.git (push)
[rnelson0@build01 money:master]$ phpunit --bootstrap src/autoload.php tests/MoneyTest.php
PHP Parse error:  syntax error, unexpected T_CLASS, expecting T_STRING or T_VARIABLE or '$' in /home/rnelson0/php/money/tests/MoneyTest.php on line 55

The current version requires PHP 5.5. It’s okay, there’s an older version we can use in the 1.5 branch. Check it out, run phpunit again, and everything works.

[rnelson0@build01 money:master]$ git branch -a
  1.5
  1.6
* master
  remotes/origin/1.5
  remotes/origin/1.6
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
  remotes/origin/php-7
[rnelson0@build01 money:master]$ git checkout 1.5
Switched to branch '1.5'
[rnelson0@build01 money:1.5]$ phpunit --bootstrap src/autoload.php tests/MoneyTest.php
PHPUnit 4.8.2 by Sebastian Bergmann and contributors.

..............................S

Time: 665 ms, Memory: 18.75Mb

OK, but incomplete, skipped, or risky tests!
Tests: 31, Assertions: 50, Skipped: 1.

To Autoload, or not to Autoload

The second issue, where I copied the test code directly from the tutorial, was a little trickier. You are supposed to use the file src/autoload.php, but the tutorial does not provide it. You can see the full file in the repo, here’s an important snippet:

spl_autoload_register(
    function($class) {
        static $classes = null;
        if ($classes === null) {
            $classes = array(
                //...
                'sebastianbergmann\\money\\currency' => '/Currency.php',
                'sebastianbergmann\\money\\currencymismatchexception' => '/exceptions/CurrencyMismatchException.php',
                //...
                'sebastianbergmann\\money\\money' => '/Money.php',
                //...
            );
        }
        // The map keys are lowercased, so the lookup is case-insensitive;
        // the matching file is required relative to the directory of autoload.php.
        $cn = strtolower($class);
        if (isset($classes[$cn])) {
            require __DIR__ . $classes[$cn];
        }
    }
);

This function maps the namespaced classes to the files they are located in. I have not gone through the PHPUnit docs in great detail yet, but I haven’t seen instructions on generating this dynamically or crafting it manually. It’s certainly not part of the tutorial, so I decided to see if I could get around this with brute force. First, I generated a simple namespace and class, NewProject\Base.

<?php

namespace NewProject;

class Base {
  /**
   * @var integer
   */
  private $counter;

  /**
   * @param integer $counter
   */
  public function __construct($counter) {
    if (!is_int($counter)) {
      throw new \InvalidArgumentException('$counter must be an Integer');
    }
    $this->counter = $counter;
  }

  /**
   * Return the current counter value
   *
   * @return integer
   */
  public function getCount() {
    return $this->counter;
  }

  /**
   * Increase the counter and return its current value
   *
   * @return integer
   */
  public function increaseCount() {
    $this->counter++;

    return $this->counter;
  }
}

?>

The comments are there for PHPUnit. I think I’m doing it right, but I’m still new to this so it may not be accurate. This is also a very contrived class that exists just to do some testing, but for that purpose it’s great! Next, we need a class to do the testing. The name of the class is <Class>Test and it extends the PHPUnit_Framework_TestCase (there are others, but we’re starting small). Here’s the first draft:

<?php
namespace NewProject;

class BaseTest extends \PHPUnit_Framework_TestCase {
  /**
   * @covers NewProject\Base::__construct
   */
  public function testConstructor() {
    new Base(0);
  }

  public function testShouldFail() {
    new Base('string');
  }
}
?>

With unit tests, you want everything to pass, but I put the last one in because I wanted to make sure that an actual failure would be detected as a failure, not as a syntax error or something else that would bomb out the entire test suite. Here’s what happens when you run phpunit against that without an autoload file:

[rnelson0@build01 NewProject]$ phpunit tests
PHPUnit 4.8.2 by Sebastian Bergmann and contributors.

PHP Fatal error:  Class 'NewProject\Base' not found in /home/rnelson0/php/NewProject/tests/BaseTest.php on line 9

Well, shoot. It’s not loading the underlying class that it needs to test, and I don’t know how to generate an autoload file yet. Since it can’t find the class, I tried to see if I could force it to load that by adding a require() statement (emphasis on the additional line):

[rnelson0@build01 NewProject]$ cat tests/BaseTest.php
<?php
namespace NewProject;

require ('src/Base.php');

class BaseTest extends \PHPUnit_Framework_TestCase {
  /**
   * @covers NewProject\Base::__construct
   */
  public function testConstructor() {
    new Base(0);
  }

  public function testShouldFail() {
    new Base('string');
  }
}
?>
[rnelson0@build01 NewProject]$ phpunit tests
PHPUnit 4.8.2 by Sebastian Bergmann and contributors.

.E

Time: 221 ms, Memory: 18.25Mb

There was 1 error:

1) NewProject\BaseTest::testShouldFail
InvalidArgumentException: $counter must be an Integer

/home/rnelson0/php/NewProject/src/Base.php:16
/home/rnelson0/php/NewProject/tests/BaseTest.php:15

FAILURES!
Tests: 2, Assertions: 0, Errors: 1.

Lo and behold, that works! I’m sure at some point I’ll figure out how to generate the autoload, but this is good enough for now.
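A hand-written autoloader for the NewProject namespace, added here as an example (it is not from the original post, the PHPUnit tutorial or the Money repo). It assumes it is saved as src/autoload.php beside Base.php, and that any further classes follow the NewProject\Sub\Name to src/Sub/Name.php convention:

```php
<?php
// src/autoload.php -- example autoloader for the NewProject namespace (assumed layout:
// this file sits in src/ next to Base.php, so NewProject\Base resolves to src/Base.php).
spl_autoload_register(function ($class) {
    $prefix  = 'NewProject\\';
    $baseDir = __DIR__ . '/';

    // Only handle classes in our namespace; anything else is left to other
    // autoloaders (such as PHPUnit's own), which is what keeps them from colliding.
    if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
        return;
    }

    // NewProject\Sub\Name  ->  src/Sub/Name.php
    $relative = substr($class, strlen($prefix));
    $file     = $baseDir . str_replace('\\', '/', $relative) . '.php';

    // Guard with is_file() so a typo in a class name yields PHP's normal
    // "Class not found" fatal error rather than a confusing require() warning.
    if (is_file($file)) {
        require $file;
    }
});
```

With this in place, run phpunit --bootstrap src/autoload.php tests (the same form used for the Money repo above) and the require('src/Base.php') line in BaseTest.php can be dropped.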

Summary

I’m well on my way to unit testing with PHP, thanks to Sebastian’s awesome framework. Thank you, Sebastian, you have taken much of the suck out of PHP!

You can find my test repo on GitHub.