Toolbox Quarantine

Quarantine your security concerns with this Halo Toolbox function

shaane syed / 02.28.17

Guest Post by Richard Huffaker, http://www.richardsomething.com/about

Cloud infrastructure and agile application delivery have been an incredible boon for many organizations, greatly increasing the speed of their deployment cycles and IT delivery processes. With this increase in speed, though, also comes an increase in server workloads, adding exponentially more potential points of entry that must be kept secure from potential attackers.

This growing need for extra security can be tackled either by hiring loads more high-level IT staff, since even low-level security tasks need to be handled by someone with an in-depth knowledge of the system, or through automation. Only one of these two solutions is likely to both fit into the security budget and not be annoyed when their beeper goes off every thirty minutes as they’re trying to sleep. In other words, the more you can automate cloud workload security, the happier everyone is going to be.

That’s why the Halo Toolbox function we’re featuring today – Quarantine – works with our Halo Firewall to automatically quarantine (it’s right in the name) any workloads that encounter potential anomalies you’ve told it to look out for, restricting network traffic in and out of those workloads to help ensure any such anomalies can do no harm.

How does it do this?

Quarantine runs in the background, scanning the Halo API endpoint (where events are published) in order to look for specific event types. If it should happen to match one of these event types, the associated workload is moved to the quarantine group within Halo for closer inspection.
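The poll, match and move cycle described above, as an added illustration rather than the Quarantine tool's own code: the event field names, the format of the target-events file and the callback used in place of the Halo API call are all assumptions, so the logic runs offline against a constructed batch of events.

```python
from typing import Callable, Iterable, List, Optional

# Constructed stand-in for the target-events file: one event type per line, '#' comments.
# The real file's format is an assumption made for this example.
TARGET_EVENTS_TEXT = """
# event types that should send a workload to quarantine
fim_target_integrity_changed
server_firewall_modified
"""

# Constructed sample of one poll of the events endpoint (field names are assumed).
SAMPLE_EVENTS = [
    {"created_at": "2017-02-28T10:00:00Z", "type": "server_login_success", "server_id": "srv-a"},
    {"created_at": "2017-02-28T10:00:09Z", "type": "server_firewall_modified", "server_id": "srv-b"},
    {"created_at": "2017-02-28T10:00:05Z", "type": "fim_target_integrity_changed", "server_id": "srv-b"},
    {"created_at": "2017-02-28T10:00:12Z", "type": "fim_target_integrity_changed", "server_id": "srv-c"},
    {"created_at": "2017-02-28T10:00:15Z", "type": "policy_change", "server_id": None},
]

def load_target_events(text: str) -> set:
    """Parse the target-events file, ignoring blank lines and '#' comments."""
    types = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            types.add(line)
    return types

class Quarantiner:
    """One poll cycle of the background loop: match event types, move each workload once."""

    def __init__(self, target_types: set, move_to_quarantine: Callable[[str], None]):
        self.target_types = target_types
        self.move = move_to_quarantine    # in the real tool this would be the Halo API call
        self.quarantined: set = set()     # avoids re-moving a server that fires several events
        self.since: Optional[str] = None  # newest timestamp seen; passed to the next poll

    def process(self, events: Iterable[dict]) -> List[str]:
        moved = []
        for ev in sorted(events, key=lambda e: e["created_at"]):  # feed order is not guaranteed
            self.since = max(self.since or "", ev["created_at"])
            sid = ev.get("server_id")
            if ev["type"] in self.target_types and sid and sid not in self.quarantined:
                self.move(sid)
                self.quarantined.add(sid)
                moved.append(sid)
        return moved

def run_once(events=SAMPLE_EVENTS, targets_text=TARGET_EVENTS_TEXT):
    """Run one cycle with a recording callback instead of a live API; returns (moved, cursor)."""
    calls: List[str] = []
    q = Quarantiner(load_target_events(targets_text), calls.append)
    return q.process(events), q.since
```

Events without a server id (account-level events) are skipped, and a server that trips several target events in one batch is moved only once.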

How can you use it?

You’ll need Docker, a Git client, and, of course, a Halo account. Your Halo account should have an R+W API key and a configured quarantine group with firewall policies that restrict access to security operators who’ll be investigating potential problems. Without any such rules, it’s less like a quarantine and more like a house party where half the guests have recently been bitten by zombies.

If you’re unfamiliar with setting up a quarantine group, here’s how to do it:

  1. Clone the repository.
  2. Go to the target-events file and specify what an anomaly looks like for you.
  3. Build the container.
  4. Run the container.
  5. Start monitoring output.

Done! Take a look at our video walkthrough to learn more:

And please note that we consider Quarantine to be a community-supported tool. That means you should only use it in production if you understand it well enough to support it on your own. Should you discover any problems while using it, feel free to open an issue in the GitHub project. Guidelines for contributing are included in the CONTRIBUTING.md file, found in the GitHub repository.