Set up intrusion prevention service in your network

Intrusion prevention service monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. To enable this service on your network, you must set up multiple Cloud Next Generation Firewall components. This tutorial describes the end-to-end workflow to configure intrusion prevention service in your network.

Objectives

This tutorial shows you how to complete the following tasks:

Create a Virtual Private Cloud (VPC) network with two subnets.
Create a server virtual machine (VM) instance in the first subnet of the VPC network and install the Apache server on the VM.
Create a client VM instance in the second subnet of the VPC network.
Create a security profile and a security profile group.
Create a firewall endpoint and associate it with the VPC network.
Add a global network firewall policy with the following firewall rules:
- A firewall rule to enable Identity-Aware Proxy (IAP) access to the VM instances in the VPC network.
- A firewall rule to direct all ingress traffic for Layer 7 inspection.
Verify whether malicious traffic to the server VM instance is blocked.
Clean up the resources.

The following diagram shows the high-level architecture of the deployment setup in this tutorial. The firewall policy fw-policy-ips on VPC vpc-ips, redirects the ingress traffic to the firewall endpoint in zone asia-southeast1-a. The firewall endpoint endpoint-ips inspects the traffic for any threats. If any threat is detected, it applies the preventive actions by using the directions specified in the security profile sec-profile-ips.

Intrusion prevention service in a custom VPC network to identify and prevent any threats. — Intrusion prevention service in a custom VPC network (click to enlarge).

Costs

There is a cost associated with creating the firewall endpoints. For pricing details, see Cloud Next Generation Firewall pricing.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the Compute Engine API for your project.
Enable the Network Security API for your project.
Enable the Identity-Aware Proxy API for your project.
Have the Compute Network Admin (roles/compute.networkAdmin) IAM role on your organization.
If you prefer to work from the command line, install the Google Cloud CLI. For conceptual and installation information about the tool, see gcloud CLI overview.
Note: If you haven't run the gcloud CLI previously, first run gcloud init to initialize your gcloud CLI directory.

Create a custom VPC network with subnets

In this section, you create a custom mode VPC network with two IPv4 subnets.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click Create VPC network.
For Name, enter vpc-ips.
For Description, enter VPC network to set up intrusion prevention service.
For Subnet creation mode, select Custom.
In the New subnet section, specify the following configuration parameters for a subnet:
- Name: subnet-ips-server
- Region: asia-southeast1
- IPv4 range: 10.0.0.0/24
Click Done.
Click Add subnet and specify the following configuration parameters:
- Name: subnet-ips-client
- Region: us-central1
- IPv4 range: 192.168.10.0/24
Click Done.
Click Create.

gcloud

To create a VPC network, run the following command:

gcloud compute networks create vpc-ips \
  --subnet-mode custom \
  --description "VPC network to set up intrusion prevention service."

In the Authorize cloud shell dialog, click Authorize.

To create a subnet, run the following command:

gcloud compute networks subnets create  subnet-server-ips \
  --network vpc-ips \
  --region asia-southeast1 \
  --range 10.0.0.0/24

To create another subnet, run the following command:

gcloud compute networks subnets create subnet-client-ips \
  --network vpc-ips \
  --region us-central1 \
  --range 192.168.10.0/24

Create VM instances

In this section, you create server and client VM instances.

Create the server VM instance

In this section, you create a VM instance in the subnet subnet-server-ips and install the Apache server on it.

Console

In the Google Cloud console, go to the Create an instance page.

Go to Create an instance
For Name, enter vm-server-ips.
For Region, select asia-southeast1 (Singapore).
For Zone, select asia-southeast1-a.
In the Boot disk section, select Change, and then, for the operating system, select Debian.
Click Select.
Expand Advanced options, and then expand Networking.
In the Network interfaces section, specify the following configuration parameters:
- Network: vpc-ips
- Subnetwork: subnet-server-ips IPv4 (10.0.0.0/24)
Click Done.
Expand the Management section.

In the Automation section, add the following startup script:

  #! /bin/bash
  apt update
  apt -y install apache2
  cat <<EOF > /var/www/html/index.html
  <html><body><p>Hello world.</p></body></html>
  EOF

Click Create.
Make a note of the External IP address of the server VM after it is created.

gcloud

To create the server VM, run the following command:

gcloud compute instances create vm-server-ips \
    --network vpc-ips \
    --zone asia-southeast1-a \
    --subnet subnet-server-ips \
    --stack-type IPV4_ONLY \
    --image-project debian-cloud \
    --image-family debian-11 \
    --metadata=startup-script='#! /bin/bash
     apt update
     apt -y install apache2
     cat <<EOF > /var/www/html/index.html
     <html><body><p>Hello World.</p></body></html>
     EOF'

Make a note of the external IP address of the VM in the returned status.

Create the client VM instance

In this section, you create a VM instance in the subnet subnet-client-ips.

Console

In the Google Cloud console, go to the Create an instance page.

Go to Create an instance
For Name, enter vm-client-ips.
For Region, select us-central1.
For Zone, select us-central1-a.
Expand Advanced options, and then expand Networking.
In the Network interfaces section, specify the following configuration parameters:
- Network: vpc-ips
- Subnetwork: subnet-client-ips IPv4 (192.168.10.0/24)
Click Done.
Click Create.

gcloud

To create the client VM, run the following command:

gcloud compute instances create vm-client-ips \
    --network vpc-ips \
    --zone us-central1-a \
    --subnet subnet-client-ips \
    --stack-type IPV4_ONLY

Create a security profile

In this section, you create a security profile of type threat-prevention in your organization. To view the permissions required to create a security profile, see Permissions required for this task.

Console

In the Google Cloud console, go to the Security profiles page.

Go to Security profiles
In the project selector menu, select your organization.
Select the Security profiles tab.
Click Create profile.
For Name, enter sec-profile-ips.
For Description, enter Security profile to set up intrusion prevention service.
Click Continue.
Click Create.

gcloud

To create a security profile, run the following command:

gcloud network-security security-profiles \
    threat-prevention \
    create sec-profile-ips \
    --organization ORGANIZATION_ID \
    --location global \
    --project PROJECT_ID \
    --description "Security profile to set up intrusion prevention service."

Replace the following:

ORGANIZATION_ID: the organization where the security profile is created.
PROJECT_ID: a project ID to use for quotas and access restrictions on the security profile.

Create a security profile group

In this section, you create a security profile group to include the security profile that you created in the preceding section. To view the permissions required to create a security profile group, see Permissions required for this task.

Console

In the Google Cloud console, go to the Security profiles page.

Go to Security profiles
In the project selector menu, select your organization.
Select the Security profile groups tab.
Click Create profile group.
For Name, enter sec-profile-group-ips.
For Description, enter Security profile group to set up intrusion prevention service.
In the Threat prevention profile list, select sec-profile-ips.
Click Create.

gcloud

To create a security profile group, run the following command:

gcloud network-security security-profile-groups \
    create sec-profile-group-ips \
    --organization ORGANIZATION_ID \
    --location global \
    --project PROJECT_ID \
    --threat-prevention-profile  \
    organizations/ORGANIZATION_ID/locations/global/securityProfiles/sec-profile-ips \
    --description "Security profile group to set up intrusion prevention service."

Replace the following:

ORGANIZATION_ID: the organization where the security profile group is created.
PROJECT_ID: a project ID to use for quotas and access restrictions on the security profile group.

Create a firewall endpoint

In this section you create a firewall endpoint in a specific zone. To view the permissions required to create a firewall endpoint, see Permissions required for this task.

Note: When you create a firewall endpoint, the state of the firewall endpoint is set to Creating. After the firewall endpoint is ready, the state changes to Active.

Console

In the Google Cloud console, go to the Firewall endpoints page.

Go to Firewall endpoints
In the project selector menu, select your organization.
Click Create.
In the Region list, select asia-southeast1 (Singapore).
In the Zone list, select asia-southeast1-a.
For Name, enter endpoint-ips.
Click Create.

gcloud

To create a firewall endpoint, run the following command:

gcloud network-security firewall-endpoints \
    create endpoint-ips \
    --organization ORGANIZATION_ID \
    --zone asia-southeast1-a \
    --billing-project PROJECT_ID

Replace the following:

ORGANIZATION_ID: the organization where the firewall endpoint is created.
PROJECT_ID: a project ID to use for the billing of the firewall endpoint.

Create a firewall endpoint association

In this section, you associate the firewall endpoint to the VPC network that you created in the preceding step.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the vpc-ips network to show its VPC network details page.
Select the Firewall endpoint tab.
Click Add endpoint association.
In the Region list, select asia-southeast1.
In the Zone list, select asia-southeast1-a.
In the Firewall endpoint list, select endpoint-ips.
Click Create.

gcloud

To create a firewall endpoint association, run the following command:

gcloud network-security firewall-endpoint-associations \
    create endpoint-association-ips \
    --endpoint  organizations/ORGANIZATION_ID/locations/asia-southeast1-a/firewallEndpoints/endpoint-ips \
    --network vpc-ips \
    --zone asia-southeast1-a \
    --project PROJECT_ID

Replace the following:

ORGANIZATION_ID: the organization where the firewall endpoint is created.
PROJECT_ID: a project ID where the association is created.

Create a global network firewall policy

In this section, you create a global network firewall policy that contains the following two firewall rules:

An ingress firewall rule with priority 100 to allow TCP traffic to ports 3389 and 22. This rule enables IAP access to the VM instances in the VPC network.
An ingress firewall rule with priority 200 to perform Layer 7 inspection on the incoming traffic to the server VM in a specific zone.

Console

In the Google Cloud console, go to the Firewall policies page.

Go to Firewall policies
In the project selector list, select your project within your organization.
Click Create firewall policy.
For Name, enter fw-policy-ips.
For Deployment scope, select Global.
Click Continue, and then click Add rule.
In the Priority field, enter 100.
For Logs, select On.
For Direction of traffic, select Ingress.
For Action on match, select Allow.
For the Source filter, select IPv4, and then in the IP range field enter 35.235.240.0/20.
In the Protocols and ports section, select Specified protocols and ports.
Select TCP, and for Ports, enter 22,3389.
Click Create.
Click Add rule.
In the Priority field, enter 200.
For Logs, select On.
For Direction of traffic, select Ingress.
For Action on match, select Proceed to L7 inspection.
In the Security profile group list, select sec-profile-group-ips.
In the Destination filter, select IPv4, and then in the IP range field enter the external IP address of the server VM that you created in the Create the server VM instances section.
Click Create.
Click Continue.
Click Associate policy with VPC networks.
Select vpc-ips network.
Click Associate.
Click Create.

gcloud

To create a global network firewall policy, run the following command:
```
gcloud compute network-firewall-policies \
  create fw-policy-ips \
  --global \
  --project PROJECT_ID
```
Replace the following:
- PROJECT_ID: a project ID where the global network firewall policy is created.

To add the firewall rule to enable IAP access, run the following command:

gcloud compute network-firewall-policies rules create 100 \
  --firewall-policy fw-policy-ips \
  --direction INGRESS \
  --action ALLOW \
  --src-ip-ranges 35.235.240.0/20 \
  --layer4-configs tcp:22, tcp:3389 \
  --global-firewall-policy \
  --enable-logging

To add the firewall rule to enable Layer 7 inspection for threat prevention and detection, run the following command:

gcloud compute network-firewall-policies rules create 200 \
  --direction INGRESS \
  --firewall-policy fw-policy-ips \
  --action apply_security_profile_group \
  --dest-ip-ranges SERVER_VM_IP \
  --layer4-configs tcp:0-65535 \
  --global-firewall-policy \
  --security-profile-group \
  //networksecurity.googleapis.com/organizations/ORGANIZATION_ID \
  /locations/global/securityProfileGroups/sec-profile-group-ips \
  --enable-logging

Replace the following:

SERVER_VM_IP: the external IP address of the server VM that you created in the Create the server VM instances section.
ORGANIZATION_ID: the organization where the secure profile group is created.

To associate the firewall policy with the VPC network, run the following command:

gcloud compute network-firewall-policies associations create \
 --firewall-policy fw-policy-ips \
 --network vpc-ips \
 --name fw-pol-association-ips \
 --global-firewall-policy \
 --project PROJECT_ID

Replace the following:

PROJECT_ID: the project ID where the VPC association is created.

Test the setup

In this section, you generate the traffic that is intercepted by the endpoint, and the global network firewall policy is applied to perform Layer 7 inspection.

Console

In the Google Cloud console, go to the VM instances page.

Go to VM instances
From the External IP column of the vm-server-ips VM, copy the external IP address of the VM.
In the Connect column of the vm-client-ips VM, click SSH.
In the SSH-in-browser dialog, click Authorize and wait for the connection to establish.
To verify whether a non-threat request isn't blocked, run the following command:
```
curl EXTERNAL_IP -m 2
```
Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

The expected response message is as follows:

<!doctype html><html><body><h1>Hello World!</h1></body></html>
To verify that a malicious request is blocked, run the following command. This command sends a request to access the password file, which is forbidden.
```
curl -m 2 EXTERNAL_IP:80/cgi-bin/../../../../bin/cat%20/etc/passwd/
```
Replace EXTERNAL_IP with the external IP of vm-server-ips VM.

A Connection timed out message is expected because the firewall endpoint detects the threat in the request and blocks the packet.
Close the SSH-in-browser dialog.

gcloud

To connect to the vm-client-ips VM, run the following command:
```
gcloud compute ssh vm-client-ips \
   --zone=us-central1-a \
   --tunnel-through-iap
```
When prompted, press Y to confirm, and then press Enter.

Note: While the SSH to the vm-client-ips VM is connected, ignore any warning messages that you see.
To verify whether a non-threat request isn't blocked, run the following command:
```
curl EXTERNAL_IP -m 2
```
Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

The expected response message is as follows:

<!doctype html><html><body><h1>Hello World!</h1></body></html>
To verify that a malicious request is blocked, run the following command:
```
curl -m 2 EXTERNAL_IP:80/cgi-bin/../../../../bin/cat%20/etc/passwd/
```
Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

A Connection timed out message is expected because the firewall endpoint detects the threat in the request and blocks the packet.
To close the SSH-in-browser, enter exit.

View the threat logs

In the Google Cloud console, go to the Threats page.

Go to Threats
If necessary, select your Google Cloud project.
In the Threat section, you can see the logs entry for the threat detected on your vpc-ips network.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

In this section, you delete the resources created in this tutorial.

Delete the firewall endpoint association

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the vpc-ips network to show its VPC network details page.
Select the Firewall endpoint tab. The tab shows a list of configured firewall endpoint associations.
Select the checkbox next to endpoint-ips, and then click Delete.
Click Delete again to confirm.

gcloud

To delete the firewall endpoint association, run the following command: yes,

gcloud network-security firewall-endpoint-association 

    delete endpoint-ips 

    --zone asia-southeast1-a

Delete the firewall endpoint

Console

In the Google Cloud console, go to the Firewall endpoints page.

Go to Firewall endpoints
Select endpoint-ips, and then click Delete.
Click Delete again to confirm.

gcloud

To delete the firewall endpoint, run the following commands:

gcloud network-security firewall-endpoints delete endpoint-ips \
    --organization ORGANIZATION_ID \
    --zone asia-southeast1-a

Replace the following:

ORGANIZATION_ID: the organization where the endpoint is created.

Delete the global network firewall endpoint policy

Console

In the Google Cloud console, go to the Firewall policies page.

Go to Firewall policies
In the project selector menu, select your project that contains the policy.
Click fw-policy-ips.
Click the Associations tab.
Select all associations.
Click Remove Associations.
After all associations are removed, click Delete.

gcloud

To remove the association between firewall policy and VPC network, run the following command:
```
gcloud compute network-firewall-policies associations delete \
  --name fw-pol-association-ips \
  --firewall-policy fw-policy-ips \
  --global-firewall-policy
```
Note: If you set up the association between the firewall policy and the VPC network through Google Cloud console, don't use the gcloud CLI command to remove the association. If you can't remember how you created the association or get the The network firewall policy does not have an association with pol-association-fw-rules error when you run the command, use the Google Cloud console to remove the association.
Delete the firewall policy.
```
gcloud compute network-firewall-policies delete fw-policy-ips --global
```
When prompted, press Y to confirm, and then press Enter.

Delete the security profile group

Console

In the Google Cloud console, go to the Security profiles page.

Go to Security profiles
Select the Security profile groups tab.
Select sec-profile-group-ips, and then click Delete.
Click Delete again to confirm.

gcloud

To delete the security profile group, run the following command:

gcloud network-security security-profile-groups \
    delete sec-profile-group-ips \
    --organization ORGANIZATION_ID \
    --location global

Replace the following:

ORGANIZATION_ID: the organization where the security profile group is created.

Delete the security profile

Console

In the Google Cloud console, go to the Security profiles page.

Go to Security profiles
Select the Security profiles tab. The tab shows a list of configured security profiles.
Select sec-profile-ips, and then click Delete.
Click Delete again to confirm.

gcloud

To delete the security profile, run the following command:

gcloud network-security security-profiles threat-prevention \
    delete sec-profile-ips \
    --organization ORGANIZATION_ID \
    --location global

Replace the following:

ORGANIZATION_ID: the organization where the security profile is created.

Delete the VMs

Console

In the Google Cloud console, go to the VM instances page.

Go to VM instances
Select the checkboxes of both the vm-client-ips and vm-server-ips VMs.
Click Delete.
In the Delete 2 instances? dialog, click Delete.

gcloud

To delete the vm-client-ips VM, run the following command:
```
gcloud compute instances delete vm-client-ips \
  --zone us-central1-a
```
When prompted, press Y to confirm, and then press Enter.
To delete the vm-server-ips VM, run the following command:
```
gcloud compute instances delete vm-server-ips \
  --zone asia-southeast1-a
```
When prompted, press Y to confirm, and then press Enter.

Delete the VPC network and its subnets

Console

In the Google Cloud console, go to the VPC networks page.

Go to VM instances
In the Name column, click vpc-ips.
Click Delete VPC network.
In the Delete a network dialog, click Delete.

When you delete a VPC, its subnets are also deleted.

gcloud

To delete the subnet subnet-ips-client of the vpc-ips VPC network, run the following command:
```
gcloud compute networks subnets delete subnet-ips-client \
    --region us-central1
```
When prompted, press Y to confirm, and then press Enter.
To delete the subnet subnet-ips-server of the vpc-ips VPC network, run the following command:
```
gcloud compute networks subnets delete subnet-ips-server \
    --region=asia-southeast1
```
When prompted, press Y to confirm, and then press Enter.
To delete the vpc-ips VPC network, run the following command:
```
gcloud compute networks delete vpc-ips
```

What's next

For conceptual information about intrusion prevention service, see Intrusion prevention service overview.
For conceptual information about firewall policies, see Firewall policies.
For conceptual information about firewall policy rules, see Firewall policy rules.
To determine costs, see Cloud NGFW pricing.