Enabling ASM for GCP Service Extensions

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.
ASM Service Extensions is in Preview

To try the preview of ASM Service Extensions for GCP, follow the setup instructions below.

You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog Application Security Management (ASM) Service Extensions integration has support for threat detection and blocking.

Prerequisites

  • The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.

  • Configure the Agent with Remote Configuration to block attackers using the Datadog UI.

  • In your GCP project, verify that you have either the project owner or editor role, or the relevant Compute Engine IAM roles: compute.instanceAdmin.v1 (to spin up instances) and compute.networkAdmin (to set up load balancing).

  • A GCP project with a Cloud Load Balancer configured with your services. Your Cloud Load Balancer must be one of the Application Load Balancers that supports Traffic Callouts.

  • Ensure that the Compute Engine API and Network Services API are enabled:

    gcloud services enable compute.googleapis.com networkservices.googleapis.com

Enabling threat detection

Get started

On your GCP project, multiple steps are needed to fully create a Service Extension. Google Cloud provides guides to create a callout backend service and create a Service Extension as a traffic extension.

To integrate a Service Extension with ASM, do the following:

  1. Create a new VM Compute instance using the Datadog Service Extensions Docker image. The image is available on the Datadog Go tracer GitHub Registry.

    The Docker image exposes some settings:

    Environment variableDefault valueDescription
    DD_SERVICE_EXTENSION_HOST0.0.0.0gRPC server listening address.
    DD_SERVICE_EXTENSION_PORT443gRPC server port.
    DD_SERVICE_EXTENSION_HEALTHCHECK_PORT80HTTP server port for health checks.

    Configure the Datadog Agent to receive traces from the integration using the following environment variables:

    Environment variableDefault valueDescription
    DD_AGENT_HOSTlocalhostHostname where your Datadog Agent is running.
    DD_TRACE_AGENT_PORT8126Port of the Datadog Agent for trace collection.

  2. Add the VM to an unmanaged instance group.

    Specify http:80 and grpc:443 (or any other previously configured values) for the port mappings of the instance group.

  3. Update the load balancer by creating a backend service and adding a backend.

    Create a callout backend service that uses the HTTP/2 protocol and has an HTTP health check:

    • Protocol: HTTP2
    • Port name: grpc
    • Region: us-west1
    • Health check port number: 80 (or any other previously configured value)

    1. Add the instance group with the extension server as a backend to the backend service.

    2. Create a Traffic Service Extension callout.

      1. In the Google Cloud console, go to Service Extensions and create a new Service Extension.
      2. Select your load balancer type.
      3. Select Traffic extensions as the type.
      4. Select your forwarding rules.

    3. When creating a new Extension Chain, do the following:

      1. To send all traffic to the extension, insert true in the Match condition.
      2. For Programability type, select Callouts.
      3. Select the backend service you created in the previous step.
      4. Select all Events from the list where you want ASM to run detection.

        이 구성을 완료하면 라이브러리가 애플리케이션에서 보안 데이터를 수집해 에이전트로 전송하고, 이 데이터는 다시 Datadog로 전송됩니다. 그러면 기본 감지 규칙에 기반해 공격자 기술과 잠재 구성 오류가 플래그되며, 이를 기반으로 문제 해결 단계를 진행할 수 있습니다.

  4. 애플리케이션 보안 관리에서 감지 활동을 잘 하고 있는지 확인하려면 알려진 공격 패턴을 애플리케이션으로 보내세요. 예를 들어 다음 curl 스크립트가 포함된 파일을 실행해 보안 스캐너 감지됨 규칙을 트리거할 수 있습니다.

    for ((i=1;i<=250;i++)); 
    do
    # Target existing service’s routes
    curl https://your-application-url/existing-route -A dd-test-scanner-log;
    # Target non existing service’s routes
    curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
    done

    참고: dd-test-scanner-log 값은 최신 릴리스에서 지원됩니다.

    애플리케이션을 활성화하고 실행한 몇 분 후 Application Signals Explorer에서 위협 정보가 표시되고 Vulnerability Explorer에 취약 정보가 표시됩니다.

Datadog Go tracer and GCP Service Extensions

Note: The GCP Service Extensions integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.

The GCP Service Extensions integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and ASM Library Configuration.

Limitations

The available functionality for GCP Service Extensions version 1.71.0 has the following important limitations:

  • The request body is not inspected, regardless of its content type.

Further Reading

추가 유용한 문서, 링크 및 기사:

ASM Service Extension's source codeSOURCE CODE more more Google Cloud Service Extensions overviewDOCUMENTATION more more OOTB Application Security Management RulesDOCUMENTATION more more Troubleshooting Application Security ManagementDOCUMENTATION more more