| Follow @lancinimarco | Subscribe to CloudSecList

Offensive Infrastructure with Modern Technologies

Let's be honest, so called "Security People" are usually not the best at applying DevOps concepts when talking about their own operations, and they usually end up managing their hosts manually, or via a (somehow organised) collection of scripts that try to hold everything together.

That's the reason why I decided to write this N-part blog post series, to record my "journey" and the lessons learned while building a secure, disposable, and completely automated infrastructure to be used in offensive operations.
I’m currently still in the middle of the process, so I will release the different sections as I go.

I would also like to get feedback from other professionals. Let me know if you find the information shared in this series useful, if something is missing, or if you have ideas on how to improve it.

This is the high-level outline of the different sections:

Introduction to the HashiCorp suite, and to Consul in particular.

    • The HashiCorp Stack
      1. Consul as a Service Mesh
    • The Hardware Prerequisites
    • Consul - Basic Configuration
      1. Single Node Deployment
      2. Multi Node Deployment
    • Consul - Hardened Configuration
      1. Running Consul as a Non-Privileged User
      2. Configuring Access Control Lists
      3. Enabling Gossip Encryption
      4. Enabling RPC Encryption with TLS

Step-by-step walkthrough that will allow you to automatically deploy the full HashiCorp stack with Ansible.

    • High Level Design
      1. Multi Node (Physical) Deployment
      2. Logical Deployment of the HashiStack
    • Environment Setup
      1. Code Structure
      2. Vagrant Setup
      3. Ansible Setup
    • Core Components
      1. Core Component 1: Consul (+ dnsmasq)
      2. Core Component 2: Vault
      3. Core Component 3: Nomad (+ docker)
      4. Core Component 4: Traefik
    • Sample Application

About

Hi, I'm Marco Lancini. I am a Principal Security Engineer, advisor, investor, and writer mainly interested in cloud native technologies, security, and technical leadership...  [read more] 

Buy me a coffeeBuy me a coffee

Sponsor

CloudSec* Projects

CloudSecBooks CloudSecDocs CloudSecList

Collections

Continuous Visibility into Ephemeral Cloud Environments
Cloud Security Strategies
The CloudSec Engineer - Previews
Kubernetes Primer for Security Professionals

Must Read

What to look for when reviewing a company's infrastructure
On Establishing a Cloud Security Program
Security Logging in Cloud Environments - GCP
Security Logging in Cloud Environments - AWS
Tracking Moving Clouds: How to continuously track cloud assets with Cartography
The Current State of Kubernetes Threat Modelling
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
So I Heard You Want to Learn Kubernetes

Recent Articles

Migrating Terraform state from Terraform Cloud to S3
Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel
Serverless Emails with Cloudflare Email Routing
Cyber Security Career Pathways
Serverless Ad Blocking with Cloudflare Gateway

Tags

Twitter Feed