Enabling ASM for Envoy

문서 > Datadog 보안 > 애플리케이션 보안 관리 > 애플리케이션 위협 관리 > Threat Management Setup > Enabling ASM Threat Detection using Datadog Tracing Libraries > Enabling ASM for Envoy

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

ASM for Envoy is in Preview

To try the preview of ASM for Envoy, follow the setup instructions below.

You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking.

Prerequisites

The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
Configure the Agent with Remote Configuration to block attackers using the Datadog UI.

Enabling threat detection

Get started

The ASM Envoy integration uses the Envoy external processing filter.

Configure Envoy to use the external processing filter. For example:

http_filters:
  # ... other filters
  - name: envoy.filters.http.ext_proc
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
      config:
        grpc_service:
          envoy_grpc:
            cluster_name: datadog_ext_proc_cluster
            timeout: 1s

clusters:
    # ... other clusters
    - name: datadog_ext_proc_cluster
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      http2_protocol_options: {}
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      load_assignment:
        cluster_name: datadog_ext_proc_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: Your Datadog image host from step 2
                      port_value: 443

Note: you need to replace Your Datadog image host from step 2 in the above example with the host where the Datadog Envoy docker image is running. You will configure this host next.

You can find more configuration options available in the Envoy external processor documentation.

Run a new container with the Datadog Envoy Docker image. The image is available on the Datadog GitHub Registry.

The Docker image exposes some settings specifically for the Envoy integration:

Environment variable	Default value	Description
`DD_SERVICE_EXTENSION_HOST`	`0.0.0.0`	gRPC server listening address.
`DD_SERVICE_EXTENSION_PORT`	`443`	gRPC server port.
`DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`	`80`	HTTP server port for health checks.

Configure the Datadog Agent to receive traces from the integration using the following environment variables:

Environment variable	Default value	Description
`DD_AGENT_HOST`	`localhost`	Hostname where your Datadog Agent is running.
`DD_TRACE_AGENT_PORT`	`8126`	Port of the Datadog Agent for trace collection.

이 구성을 완료하면 라이브러리가 애플리케이션에서 보안 데이터를 수집해 에이전트로 전송하고, 이 데이터는 다시 Datadog로 전송됩니다. 그러면 기본 감지 규칙에 기반해 공격자 기술과 잠재 구성 오류가 플래그되며, 이를 기반으로 문제 해결 단계를 진행할 수 있습니다.

애플리케이션 보안 관리에서 감지 활동을 잘 하고 있는지 확인하려면 알려진 공격 패턴을 애플리케이션으로 보내세요. 예를 들어 다음 curl 스크립트가 포함된 파일을 실행해 보안 스캐너 감지됨 규칙을 트리거할 수 있습니다.
```
for ((i=1;i<=250;i++)); 
do
# Target existing service’s routes
curl https://your-application-url/existing-route -A dd-test-scanner-log;
# Target non existing service’s routes
curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
done
```
참고: dd-test-scanner-log 값은 최신 릴리스에서 지원됩니다.
애플리케이션을 활성화하고 실행한 몇 분 후 Application Signals Explorer에서 위협 정보가 표시되고 Vulnerability Explorer에 취약 정보가 표시됩니다.

Datadog Go Tracer and Envoy integration

Note: The ASM Envoy integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.

The Envoy integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and ASM Library Configuration.