Workflow of this lab

The demo is split into 3 classes and 9 steps :

  1. Deploy modern application with modern tools

    1. Deploy and publish Arcadia Finance application in Kubernetes

    2. Publish Arcadia app with an NGNIX Plus Ingress Controller

  2. Protect Arcadia with NGINX App Protect in Docker

    1. Build your first NAP (NGINX App Protect) docker image

    2. Update this image with the latest WAF signatures

    3. Check logs in Kibana

    4. Customize the WAF policy

    5. Deploy NAP with a CI/CD a toolchain

  3. Protect Arcadia with NGINX App Protect in Linux host

    1. Install the NGINX Plus and App Protect packages manually

    2. Deploy App Protect via CI/CD pipeline


Step 1 - Deploy and publish Arcadia Finance application in Kubernetes

Note

Goal is to deploy Arcadia Application in Kubernetes

Tasks:

  1. Run a Kubernetes command (kubectl) that will download Arcadia containers from an external public repo (Gitlab.com), and run them

  2. Check in Kubernetes Dashboard if Arcadia is deployed and runnning


Step 2 - Publish Arcadia app with a NGINX Plus Ingress Controller

Note

Goal is to publish Arcadia application outside the Kubernetes cluster and use NGINX Plus Ingress Controller for that

Tasks:

  1. Run a Kubernetes command (kubectl) that will download and run an NGINX Plus Ingress Controller image from a private repo (Gitlab.com)

  2. Check how this NIC (NGINX Ingress Controller) is set in order to route packets to the right Arcadia container (pod)


Step 3 - Build your first NAP (NGINX App Protect) docker image

Note

Goal is to build your first NAP docker image and run it

Tasks:

  1. Run a docker build command using a Dockerfile

  2. Run a docker run command to start this docker container in front of Arcadia application

  3. Check the signature package included in this image

  4. Check that Aracadia is protected


Step 4 - Update this image with the latest WAF signature

Note

Goal is to create a new NAP image with the latest Signature package.

Task:

  1. Run the same Docker build command but with a new Dockerfile containing the new repo with the signatures

  2. Destroy the previous NAP container and run a new one from this new image

  3. Check the signature date


Step 5 - Update the Docker image with the Threat Campaign package

Note

Goal is to create a new NAP image with the latest Threat Campaign package ruleset.

Task:

  1. Run the same Docker build command but with a new Dockerfile containing the new package to install

  2. Destroy the previous NAP container and run a new one from this new image

  3. Check the Threat Campaign ruleset date


Step 6 - Check logs in Kibana

Note

Goal is to check logs in ELK (Elastic, Logstash, Kibana)

Task:

  1. Connect to Kibana and check logs


Step 7 - Customize the WAF policy

Note

Goal is to customize the WAF policy in front of Arcadia application. By default, a base policy is deployed.

Task:

  1. Run NAP container with a new nginx.conf file refering to the new policies


Step 8 - Deploy NAP with a CI/CD toolchain

Note

Goal is to deploy NAP in a real environment with a CI/CD toolchain in place.

Task:

  1. Upload a new signature package into the local repo (gitlab) or ask for an update

  2. GitLab CI build a new version of the NAP image with this new signature package

  3. Deploy and run this new version of the NAP image in front of Arcadia

  4. Check the signature package date


Step 9 - Install the NGINX Plus and App Protect packages manually

Note

Goal is to deploy NAP and NGINX Plus in a CentOS linux host.

Task:

  1. Install NGINX Plus r20

  2. Install NGINX App Protect

  3. Install NGINX App Protect Signature Package


Step 10 - Deploy App Protect via CI/CD pipeline

Note

Goal is to deploy NAP by using a CI/CD pipeline with automation toolchain packages provided by F5.

Task:

  1. Use CI/CD toolchain in order to deploy NAP automatically with the latest signature package.

Step 11 - Deploy a new version of the NGINX Plus Ingress Controller

Note

Goal is to deploy NAP in the Kubernetes Ingress Controller. Since NAP v1.3, NAP can be deployed in a KIC with NGINX+

Task:

  1. Pull NGINX+ KIC image from my private Gitlab repo

  2. Deploy a new Ingress configuration with NAP annotations and configuration

Step 12 - API Security with OpenAPI file import

Note

Goal is to deploy NAP in Centos to protect an API

Tasks:

  1. Push OpenAPI file to a repo (swaggerhub in this lab)

  2. Create a new NAP policy based on this OAS file