ASMS integration to SaaS services

For more details, see Check connectivity for the hybrid network.

Related: Enable CloudFlow to perform AWS data collection and feed the ASMS network map.

Benefits of CloudFlow - ASMS integration

CloudFlow-ASMS integration provides the following benefits:

  • Traffic Simulation Query can be run from CloudFlow towards ASMS. See Check connectivity for the hybrid network.

  • CloudFlow feeds ASMS with AWS network elements like VPC router, VPC peering, Internet Gateway, VPN Gateway, AWS Transit Gateway and Transit Gateway Peering. In the future, CloudFlow will feed more network elements to the ASMS map.

  • If you are using AWS Transit Gateway, connecting CloudFlow and ASMS enables you to see it on the map and also run TSQ through it in ASMS.

  • Enhanced risk analysis based on ASMS customizable risk profile for Azure NSG and AWS SG.

  • You can see Google Cloud risks in ASMS.

Prerequisites

Supported ASMS versions: CloudFlow can be integrated with ASMS A32.10 and above.

Note: If you are running ASMS A32.60, you need to upgrade to ASMS build version A32.60.260-94 or higher in order to have Azure Firewall and NSG support. After the upgrade, connect or reconnect CloudFlow to ASMS. For more details, see Additional steps for Azure subscriptions after upgrading your system.

Connect CloudFlow to ASMS

This procedure describes how the Admin role can create a CloudFlow trust token and enter it in ASMS, thus establishing a trust and connecting the two systems.

Note: The following steps are relevant both for existing customers of other AlgoSec SaaS solutions and for customers connecting ASMS to AlgoSec SaaS Services for the first time.

Note: ASMS-AlgoSec SaaS integration supports integrating a single ASMS host (i.e. production, testing or Beta) to each AlgoSec SaaS tenant. If you need to change the ASMS host integrated to AlgoSec SaaS, follow Offboard AlgoSec SaaS (CloudFlow, ObjectFlow, AppViz) from ASMS and then reconnect CloudFlow to ASMS. If you are also using other AlgoSec SaaS applications, reconnect as well.

Do the following:

  1. Connect to Kafka destination hosts:

    • For ASMS A32.10 (June 6 HF, build A32.10.380-180) and above: Connect to the Kafka hosts in the required region:

      Allow outgoing HTTP traffic on port 8082 towards the Kafka hosts.

      Note: If your firewall configuration restricts the usage of these FQDNs for any reason, an alternative approach is to treat the resolved IPs as static instead.

      US region:

      • kafka1.us.algocare.algosec.com

      • kafka2.us.algocare.algosec.com

      • kafka3.us.algocare.algosec.com

      EU region:

      • kafka1.eu.algocare.algosec.com

      • kafka2.eu.algocare.algosec.com

      • kafka3.eu.algocare.algosec.com

      ANZ region:

      • kafka1.anz.algocare.algosec.com

      • kafka2.anz.algocare.algosec.com

      • kafka3.anz.algocare.algosec.com

      ME region:

      • kafka1.me.algocare.algosec.com

      • kafka2.me.algocare.algosec.com

      • kafka3.me.algocare.algosec.com

    Important: In order to maintain the security of your ASMS instance, CloudFlow is barred from establishing inbound connections to the ASMS host. CloudFlow-ASMS integration communication is always initiated by ASMS.

    For more details, refer to the ASMS-AlgoSec SaaS trust and communication.

  2. Start in CloudFlow, and click the Settings icon at the bottom left of your screen.
  3. Select ASMS INTEGRATION. Click Configuration File.

    Note the downloaded file's name (AlgoSec_Cloud_trust_establish_data-{tenant ID}.zip) and location for use in Step 4, below.
  4. Upload the trust file (AlgoSec_Cloud_trust_establish_data-{tenant ID}.zip) to the ASMS upgrade directory (/root/AlgoSec_Upgrade).
  5. Log in to your ASMS machine with username root.

    Note: More details regarding the algosec_conf utility can be found in Connect to the Administration interface in the ASMS Documentation.

  6. Enter 14 to select option 14. Product and Cloud Configuration from the algosec_conf menu that is displayed.

  7. Enter 3 to select 3. Cloud Integration from the configuration items submenu.

  8. Enter 1 to select 1. Onboard AlgoSec Cloud components.

  9. When prompted for the path of the configuration file, enter: /root/AlgoSec_Upgrade/AlgoSec_Cloud_trust_establish_data-{tenant ID}.zip


    A message will indicate the success or failure of the ASMS-CloudFlow integration.
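
For the first step of the procedure above (outgoing traffic on port 8082 to the regional Kafka hosts), the following pre-check can be run from the ASMS host's shell before onboarding. It is an added example, not AlgoSec tooling; the function names are illustrative, and it assumes bash, timeout and getent are available on the host.

```bash
#!/usr/bin/env bash
# Added example: pre-check outbound reachability from the ASMS host to the
# regional Kafka hosts listed on this page (TCP 8082). Not AlgoSec tooling.

KAFKA_PORT=8082

# Print the three Kafka FQDNs for a region (us, eu, anz, me), one per line.
# Returns 1 for a region that is not listed on this page.
kafka_hosts() {
    case "$1" in
        us|eu|anz|me) ;;
        *) echo "unknown region: $1" >&2; return 1 ;;
    esac
    for n in 1 2 3; do
        echo "kafka${n}.$1.algocare.algosec.com"
    done
}

# Return 0 if a TCP connection to host:port opens within 5 seconds.
# This only shows that the firewall path is open, not that the service is healthy.
check_outbound() {
    timeout 5 bash -c ': < "/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Check every host in a region and print its status with the IPs it currently
# resolves to (needed if the firewall rule must use static IPs instead of FQDNs).
# Returns the number of unreachable hosts (255 for an unknown region).
check_region() {
    failed=0
    hosts=$(kafka_hosts "$1") || return 255
    for h in $hosts; do
        ips=$(getent hosts "$h" | awk '{print $1}' | sort -u | tr '\n' ' ')
        if check_outbound "$h" "$KAFKA_PORT"; then
            echo "OK    $h:$KAFKA_PORT  [${ips:-unresolved}]"
        else
            echo "FAIL  $h:$KAFKA_PORT  [${ips:-unresolved}]"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Runs only when a region is given on the command line, e.g.: ./kafka_check.sh eu
if [ "$#" -gt 0 ]; then
    check_region "$1"
fi
```

A FAIL line for a host that resolves correctly points at the egress firewall rule rather than DNS.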

Calculate risks from ASMS

When trust is established with ASMS, CloudFlow will by default perform risk analysis with the CloudFlow generic device risks.

Alternatively, calculate risks from ASMS:

Use the ASMS standard risk profile

Do the following:

  1. Click ASMS INTEGRATION on the left side menu. The ASMS integration page appears.

  2. Set Calculate risks from ASMS to on.

Use a custom risk profile

Do the following:

  1. On the ASMS machine, follow the steps described in Add a custom profile.

  2. In CloudFlow, click ASMS INTEGRATION on the left side menu. The ASMS integration page appears.

  3. Set Calculate risks from ASMS to on.

  4. Enter the new profile name in the Change Risk profile field (for the Standard profile, enter Standard; for a custom profile, use the file name format, for example, profile_name.xml).

  5. Click Validate and Save.

Update a risk profile

Do the following:

  1. On the ASMS machine, edit the custom profile xml.

  2. In CloudFlow, click ASMS INTEGRATION on the left side menu. The ASMS integration page appears.

  3. Click Recalculate risks.

Note: Risk recalculation may take a long time. While risks are recalculating, CloudFlow displays a message on the upper right-hand side of the Risks page.

Disable risks from ASMS

Do the following:

  1. Set Calculate risks from ASMS to off.

  2. Click Disable.

Offboard AlgoSec SaaS (CloudFlow, ObjectFlow, AppViz) from ASMS

To manually offboard (remove the trust between the subject ASMS machine and the target SaaS tenant):

Do the following:

  1. Log in via SSH to the target ASMS machine as user root.

  2. Recommended: Back up the folder: /home/afa/.fa/kafka

  3. Remove the tunnel:

    1. In the algosec_conf main menu, enter 14 Product and cloud configuration.

    2. Enter 3 Cloud Integration.

    3. Enter 2 HTTPS tunnel Configuration.

    4. Enter 2 Remove HTTPS tunnel.

    5. Confirm by entering y. The tunnel is removed.

  4. Delete the folder: /home/afa/.fa/kafka

  5. Open the file: /home/afa/.fa/config and remove the following parameters:

    1. Kafka_Tenant_Region

    2. Kafka_Tenant_Environment

    3. Cloud_Tenant_Id

    4. APPVIZCLOUD_ENABLED

    Save your changes.

  6. Run the following command:

    service ms-cloudflow-broker restart
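
The backup in step 2 and the parameter removal in step 5 can be scripted so that only the four listed parameters are touched and a copy of the original file is kept. This is an added example, not AlgoSec tooling; the function names are illustrative, and it assumes the config file holds one Name=value entry per line.

```bash
#!/usr/bin/env bash
# Added example (not AlgoSec tooling): back up a path and strip the four
# trust parameters named in step 5 from a config file.
# Assumption: the config file holds one "Name=value" entry per line.

OFFBOARD_KEYS="Kafka_Tenant_Region Kafka_Tenant_Environment Cloud_Tenant_Id APPVIZCLOUD_ENABLED"

# Copy a file or folder next to itself with a timestamp suffix and
# print the path of the copy. Returns 1 if the source does not exist.
backup_path() {
    [ -e "$1" ] || return 1
    dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$1" "$dest" && echo "$dest"
}

# Remove the listed parameters from the given config file.
# Only an exact parameter name matches, a backup is taken first, and the
# file is rewritten in place so its owner and permissions are unchanged.
strip_cloud_params() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    backup_path "$cfg" >/dev/null || return 1
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk -F= -v keys="$OFFBOARD_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) drop[k[i]] = 1 }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        !(name in drop)
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage on the ASMS host, with the paths from the steps above:
#   backup_path /home/afa/.fa/kafka
#   strip_cloud_params /home/afa/.fa/config
```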
