cyber ranges on aws using ravello

Post on 09-Apr-2017


On-demand Cyber Ranges on AWS using Ravello

How SimSpace built its Cyber Range

David Rocamora, Abhinav Gupta, Lee Rossey

November 2015

Today’s speakers

• David Rocamora, Solutions Architect, AWS

• Lee Rossey, Chief Technology Officer, SimSpace

• Abhinav Gupta, Director Product Marketing, Ravello Systems

Housekeeping

• Lots of great material to cover

• All attendees on mute – please use the Q&A window for questions

• Slides & recording will be shared at the end of the session

• If you are already a Ravello user, please rate/review us on AWS Marketplace

Agenda

• What are cyber ranges?

• AWS – enabler for secure workloads

• Ravello Systems – perfect platform to build cyber ranges

– Technology: nested virtualization & software defined networking overlay

– Live demo

– Benefits

• How SimSpace used Ravello to build cyber ranges on AWS

– Virtual Clone Network

– Cyber Range demo

Ravello Systems

Heritage: Founded 2011; Benny Schnaider and Rami Tamir

Expertise: Virtualization, Networking, Storage

Product: SaaS – overlay cloud on AWS that runs VMware & KVM appliances with L2 networking; GA: Jan-2014; Public & Private Cloud

Investors: [investor logos]

SimSpace

Heritage: Founded 2015; Bill Hutchison, Lee Rossey, Laura Lee

Expertise: Complex network emulations; Sophisticated modeling/assessment tools; High fidelity production network cloning

Product: SaaS/enterprise software – cyber range solutions; GA – Jan 2016; Cyber testing, training, exercises and assessments

What is a cyber range?

• Realism: Realistic presentation of the networks, infrastructure, tools and threat

• Control: Safe and controlled environment for live-fire attacks and disruptive effects

• Management: Ability to define, create, control, monitor, instrument, score and sanitize the environment

• Range: Infrastructure which supports a testing, training, exercise or mission rehearsal event

• Security: Secure and protect the customer's data

Accurately cloning a production network is non-trivial

Components must be installed and configured like the real network; fully automated build process

AWS enables customers to run secure workloads

The shared responsibility model

• Customer applications & content

• Platform, Applications, Identity & Access Management

• Operating System, Network, & Firewall Configuration

• Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection

• AWS Foundation Services: Compute, Storage, Database, Networking

• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security of the Cloud

• AWS Foundation Services: Compute, Storage, Database, Networking

• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security in the Cloud

• AWS Trusted Advisor: Best practices for performance, reliability, and security

• AWS Config Rules: Create rules that govern configuration of your resources

• Amazon Inspector: Security insights into your applications

AWS Compliance

• AWS: Security of the cloud

• Customer: Security in the cloud

Cyber ranges are extremely sophisticated environments

[Diagram: multiple interconnected hosts]

• Complex networking interconnect

• Different types of VMs & appliances mimicking real world scenarios

• Layer 2 networking

• Isolated environments

• Large scale

Ravello – a platform for building cyber ranges

• Use existing or create new multi-tier environments

• Quick-deployment – move environments to AWS ‘as-is’

• Same networking interconnect as DC

• On-demand capacity

• Global reach and scale

• Usage-based costs

Ravello’s nested virtualization platform with networking overlay enables VMware & KVM VMs / appliances to run with data-center like capabilities on AWS ‘as-is’ – without migration

Nested Virtualization + Network & Storage Overlay = Self-contained capsule with same VMs & Networking

AWS: same VMs & networking – encapsulated and isolated

Technology that powers it all - HVX

Unmodified application environment

High performance nested virtualization and overlay network

• Runs VMware & KVM VMs and provides application networking services

• Exposes a clean Layer 2 networking to ‘Guest’ VMs

[Diagram: HVX stack – guest VMs; HVX (nested virtualization engine, software defined networking, DHCP, DNS); AWS (Xen); AWS EC2; x86 hardware]

How it works – Ravello live demo

1. Upload your VMs (VMware or KVM)

2. Ravello auto-discovers the network (edit if needed)

3. Deploy to AWS

4. Spin up as many isolated copies as you need

Benefits of using Ravello

• Automation: Automated deployment of cyber ranges & other workloads through REST API support

• Scalability: Build cyber ranges and other enterprise environments to ‘real-world’ scale

• High Fidelity: ‘Drag & drop’ creation of high fidelity copies of production environments for cyber ranges, security testing & training

• On-demand: Available on-demand – bringing cost economics of public cloud to security testing & training environments

• Secure Capsule: Isolated self-contained environments – prevent leakage into cloud

Usage based pricing – no upfront fees or commitment

Total resources needed for sample 4 VM application: 8 vCPU / 16 GB RAM

Example: Each VM has 2 vCPU and 4 GB RAM

$0.56 - $0.96 per hour, includes AWS price

Varies based on complexity of application network and performance needs

SimSpace’s Cyber Range solution

AWS

SimSpace cloning technology makes the laborious simple

Operating Systems

• Windows 2008 R2

• Windows 7

• CentOS, Ubuntu, Kali

Security Tools

• Symantec SEP

• Splunk

• RSA Netwitness

• Security Onion

• ELK, Google Rapid Response

Network Instances

• 3 copies for team training

• 1 copy for new products

General

• 280 nodes

• 15 span ports

Automated setup and configuration of complex environments

SimSpace’s automated range buildout

Step 1 – Create Templates

• Infrastructure devices

• Operating Systems

• Security appliances

Step 2 – Network Definition

• Definition Files (CSV, YAML)

Step 3 – Build Automation

• Provision hosts

Step 4 – Configure Devices

• Setup rules, policies

Step 5 – Traffic Tuning

• Traffic flows

• User behaviors

Step 6 – Validation

SimSpace’s enterprise class tools for security practitioners

• Event Tracking: Control and record actions from the defenders, attackers and injects for precise logging and timing

• Network Monitoring: Monitor the network traffic, user activity and attacker actions

• Mission Impact: Visualize the impact of attacks and user actions on core systems and their effect on business functions

SimSpace Cyber Range – Live Demo

SimSpace’s Cyber Range benefits

• Traffic Generation: Sophisticated, realistic traffic generation--yet rapid

• Attack Modeling: Advanced emulation of sophisticated attackers for realistic “train as you fight” capabilities

• Assessment Tools: State-of-the-art assessment tools

• Mirrors Production Network: Simulate high-stress cyber attacks and disruptive effects on production network clone; model “what if” scenarios

• Range Automation: Easy, automated buildout of enterprise software components

Next Steps

• Identify a multi-VM environment

• Sign up for Ravello free trial (2,880 CPU hours)

• Technical call to familiarize with Ravello

• Upload VMs

• Call to check network, deploy, take a blueprint

• Start using

Time estimates (as listed): 2 mins; 30 mins; depends on VMs; 15 mins

Questions?

Abhinav Gupta, abhinav.gupta@ravellosystems.com, www.ravellosystems.com

Lee Rossey, lee@simspace.com, www.simspace.com

David Rocamora, rocamora@amazon.com, aws.amazon.com

Thank you!
