Subscribe to the Salt blog to learn about the latest developments in API Security

Salt Security
Deployment Options

The Salt Security platform captures a mirrored copy of all your API traffic and sends it to our big data engine for analysis. Where a Salt sensor is needed, it has low CPU and memory consumption and adds no latency since it doesn't sit inline. The sensor needs to see unencrypted traffic (after SSL termination) to enable our API analysis.

Instructions by platform

The following videos and instructions provide details on the various options to deploy the Salt Security Sensor and direct traffic to the Salt Security Service for analysis.

RPM
Debian
Kubernetes
Docker
apigee
AWS
Azure
Kong
MuleSoft
F5

RPM Deployment CentOS, Red Hat Linux, etc.

Prerequisite

  • Architecture: x64
  • Python version: 2.7
  • The latest version of EPEL

Instructions

Run the following commands on a Linux server:

sudo yum install -y salt-linux-sensor-{SENSOR_VERSION}.x86_64.rpmsudo /usr/local/bin/salt-sensor start

Debian Deployment for Ubuntu, etc.

Prerequisite

  • Architecture: x64
  • Python version: 2.7
  • Current apt package index

Instructions

The following command should be run on Linux server:

sudo dpkg -i salt-linux-sensor-{SENSOR_VERSION}.deb ; sudo apt-get -f -y install

sudo /usr/local/bin/salt-sensor start

Once the Salt Security Sensor is deployed, verify the sensor status with the following command:

sudo /usr/local/bin/salt-sensor status

Kubernetes Deployment

Prerequisite

  • Ensure you have access to Docker Hub and have considered the options for permissions listed in the Salt Security Sensor Deployment Guide.

Instructions

Edit the pod YAML file and add the snippet provided by Salt Security to the “containers” section to add the sensor as a sidecar in your Kubernetes cluster.

Redeploy the Pod:

kubectl apply -f <pod name="">.yaml</pod>

Verify the sidecar by querying the Salt Security Sensor for status:

kubectl exec -c salt-sensor — salt-sensor status

Possible outcomes running the status command are:

Status

Status Text

Starting
Sensor is starting
Upstream connectivity check
Waiting for upstream connectivity (host={host}, control port={control_port}, data port = {data_port})
Network capabilities check
Discovering network capabilities
Replaying
Listening on ports {ports} and replaying to {host}
Restarting
Restarting
Stopping
Stopping
Stopped
Stopped
Unknown
Unknown Status

Docker Deployment

Prerequisite

  • Ensure you have access to Docker Hub and have considered the options for permissions listed in the Salt Security Sensor Deployment Guide.

Instructions

Download the Salt Security Sensor script for Docker. Salt Security can provide both a complete curl command as well as an https link.

$ curl -o salt-installation-docker-{SENSOR_VERSION}.sh “<salt-sensor-downloadable-link>”</salt-sensor-downloadable-link>

Edit the script and replace the placeholders with the information provided by Salt Security. Salt Security can also provide this file to you along with the proper values. By default, the sensor runs as a non-privileged container; see above for running as root.

#!/usr/bin/env bash

# Replace [[SALT_TOKEN]], [[SALT_BACKEND_HOST]]
# more environment variables are available for the sensor, see `salt-configure-options`

Possible outcomes running the status command are:

Status

Status Text

Starting
Sensor is starting
Upstream connectivity check
Waiting for upstream connectivity (host={host}, control port={control_port}, data port = {data_port})
Network capabilities check
Salt sensor is up and running

Apigee Deployment

Prerequisite

Prior to installing a new policy on Apigee, or modifying an existing one, the following items should be understood fully and addressed.

Salt Security Mirroring Policy File

Salt Security will provide two javascript files that will be imported into the Apigee proxy. This will allow Salt Security services to receive all requests and responses to the API proxy.

Salt Host and Authentication

The policies will access the Salt Security HTTP Mirroring API, which requires authentication to prevent unauthorized access. Authentication is done by the basic authentication scheme, which is sent in the request’s authorization header. For example:

Authorization: Basic {TOKEN Base64}

The token value is unique per customer, and will be provided by the Salt Security team. In addition, Salt Security will provide the proper host name.

Instructions

Prepare the policy files:

  • Place the salt-security-mirroring-policy.tar.gz file in a folder of your choice. Note that this file will be provided to you by Salt Security.
  • Unzip and untar the file. This will create a folder named salt-security-mirroring-policy with the two policy files in it.

Create the request policy:

  • Note that depending on your particular implementation, it may instead be necessary to modify an existing policy.
  • From the API-Proxy list on Apigee, select the relevant proxy, and click the Develop tab.
  • Under Proxy Endpoints, click PreFlow.
  • Above Request flow, click +Step.
  • Scroll down to select JavaScript under the Extension group.
  • Set the display name to “Salt Security Request Mirroring Policy”.
  • From the Script File option, select Import new script.
  • Click Choose File and select the “requestPolicy.js” file from the decompressed policy package.
  • When complete, click the Add button.

Creating the Response policy:

  • Under Proxy Endpoints, click PostFlow.
  • Below Response flow, click +Step.
  • Scroll down to select JavaScript under the Extension group.
  • Set the display name to “Salt Security Response Mirroring Policy”.
  • From the Script File option, select Import new script.
  • Click Choose File and select the “responsePolicy.js” file from the decompressed policy package.
  • When complete, click the Add button.

Configure the request and response policies:

This step configures the communication settings between Apigee and the Salt Security HTTP Mirroring API.

From the Policies List, select the Salt-Security-Request-Mirroring-Policy, and replace the empty <Properties/> entity with the values provided to you by Salt Security.Repeat this process for the Salt-Security-Response-Mirroring-Policy. Please note that the example below uses the response endpoint in the URL; it is otherwise identical to the example above.Be sure to click Save when all changes are complete.

Validate traffic:

  • At this point, the API Proxy is now configured to send all requests and responses to the Salt Security service (Hybrid or Saas).
  • The final step is to send traffic to Apigee and work with Salt Security to ensure that data is being received.

Connectivity Check

In order to verify connectivity between Apigee Node and Salt Mirroring APIs, use hello RESTful API. To ease connectivity checks on Hybrid environments, the Hello RESTFul API will not force authentication. However if given, the Hello RESTful API will respond with an indication of whether authentication succeeded.

CURL Example:

curl -k -X GET \
‘https://{SALT_MIRRORING_API_DOMAIN}:{SALT_MIRRORING_API_PORT}/api/vi/http/hello’ \-H ‘Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l’

Success-Response Example:

HTTP/1.1 200 OK
It Works! Welcome To Salt Security HybridAuthentication Succeeded

AWS API Gateway Deployment

Prerequisite

Make sure that you have the following permissions in AWS:

  • Create and run Cloudformation
  • Create and modify Lambda functions
  • View and modify API Gateway stages
  • Add and view Cloudwatch logs
  • View and deploy SAM applications
  • Read files from S3

Provide the following information to Salt Security:

The Salt Security SAM application is private and requires permission sharing by Salt Security. For that to happen, Salt Security requires the following information:

  • The AWS region API Gateway is operating in
  • The Organization ID or Account ID that needs to gain access to the application

Instructions

Make sure CloudWatch logging is enabled for the desired API

For Salt Security monitoring to work, INFO level CloudWatch logging needs to be enabled for the API. A retention period of one day usually is more than enough for this purpose.To achieve that, please navigate to your API page, click on “Stages,” select the “Logs/Tracing” tab and enable the following options:

  • Enable CloudWatch Logs
  • Log level: INFO
  • Log full requests/responses data

Confirm the API is active and receiving traffic

Enable CloudTrail for automatic LogGroup discovery (NOTE: Only needed if the cloud trail is not configured)

Locate the application in your AWS environment

Once you’ve supplied this information and Salt Security has confirmed that permission has been granted, you can access your AWS console. You should be able to see the salt-security-API-gateway-logs-consumer application under Serverless Application Repository -> Available applications -> Private applications.

Deploy the SAM Application

Click on the application name to go to the application page and then scroll down to enter the required parameters.

Enter values for the following parameters:

Parameter Name

Parameter Value

Parameter Description

ApplicationName
<applicationname>-<api_id>
mycompany-12345
The stack name of this application created via AWS CloudFormation
NOTE: Must be unique, or the previous application deployment will be overwritten
SaltSecurityServiceUrl
Fully qualified domain name provided by Salt Security when sending to the Salt Security SaaS service
The format is:<companyname>.dnssf.com
or
Hostname or IP of the Salt Security Hybrid Server when in use.
The target URL to which the policy will transmit the incoming requests and responses
SaltSecurityServicePort
443 when connecting to the Salt Security SaaS service
31443 when connecting to the Salt Security Hybrid Server
The port number which should be used for sending the mirrored traffic to Salt Security
SaltSecurityToken
64 characters long string, encoded as base64. Provided by Salt Security
A token used for authentication of the policy
FilterApiIds
The Rest API ID from the GW
ad797avuqc, ba843plkmj
(Optional) Specify a comma-separated list of API IDs to filter log groups by
FilterApiIdsMode
Include/Exclude
(Optional) Controls include/exclude of log groups by API ID filtering
Allowed Values: “include” / “exclude”
NOTE: If an ApiId is provided, then this setting will take precedence on any subsequent filter modes
SubscribeNewAuto
True/False
(Optional) Create an Auto-subscriber lambda that will subscribe to new log groups to the Salt Security Service
NOTE: this requires the use of CloudTrail.  CloudTrail creates events when new LogGroups are created
SubscribeExistingList
Name of the API CloudWatch log group
(Optional) Specify a comma-separated list of the log group names from the API Gateways being monitored
SubscribeExistingAuto
True/False
(Optional) Subscribe existing log groups to Salt Security Service. (Log Groups parameter will be ignored)
Stages
Prod, dev, uat
API-Gateway-Execution-Logs_ad797avuqc/prod
The suffix can also include
ad797avuqc/prod
(Optional) Specify a comma-separated list of stages to filter log groups by
If the ApiId ad797avuqc is included in the ApiId, then that filter mode takes precedence
StagesFilterMode
Include/Exclude
(Optional) Controls if to include/exclude log groups by stages filtering
NOTE: you cannot exclude or include an API that is matched by the ApiId filter
Tags
Matches key-value pairs or just the key
tag=prod
Or if the key is prod, then:
prod
(Optional) Specify a comma-separated list of tags to include/exclude log groups with (e.g. ‘tag1=value1,tag2,tag3’) Which can test for the existence of a tag (e.g. ‘tag2’), and can also test the value of the tag too (e.g. ‘tag1=value1’)
TagsFilterMode
Include/Exclude
(Optional) Controls if to include/exclude log groups by tag filtering

Once the required values have been entered click “Deploy” to deploy the application.

Azure API Management Deployment

Prerequisite

Authentication

Accessing the Salt Security HTTP mirroring API requires authentication to prevent unauthorized access. Authentication is done by a basic authentication scheme, which is sent via the request’s authorization header. Credentials information:

  • Authorization: Basic {TOKEN Base64} (Salt Security will provide)

NOTE: The TOKEN value is unique per customer, and shall be provided by the Salt Security team.

Azure Firewall Considerations

Option 1: Mirroring from Azure API Management services → Salt Security Hybrid Server

In your private network firewalls/security settings, make sure traffic is allowed to the Salt Security Hybrid Server. Below is the list of ports required for communication from the Azure API Management services to the Salt Security Hybrid Server (NOTE: this is only required if traffic is being sent to the Salt Security Hybrid Server):

URL

IP Address

Outbound Ports

Description

<hybrid url/ip>
<hybrid url/ip>
31443 (TCP/TLS)
Sensor Data path

Option 2: Mirroring from Azure API Management services → Salt Cloud Service

URL

Static IP

Port

Description

<companyname>.dnssf.com
169.47.178.236
443 (TLS/TCP)
Sensor Data path

Instructions

Salt Security APIM integration is done by defining an APIM policy which includes inbound and outbound statements to mirror any given request and response. The policy definition can be applied at the endpoint, API, product, or global levels. Once defined, the policy will capture any incoming request and response handled by the APIM, and mirror it to Salt Security, by using Salt Security’s RESTFul API, over a secure HTTPS connection.

Policy Configuration

In order to operate, Salt Security APIM requires the appropriate environment variables to be set.The environment variables can be set in the API Management -> Named values Menu in the APIM dashboard.

Add the following two Named Values and their corresponding values:

Parameter Name

Parameter Value

Parameter Description

SaltSecurityServiceUrl
Fully qualified domain name. Provided by Salt Security
The target URL to which the policy will transmit the incoming requests and responses
(e.g. company.dnssf.com)
SaltSecurityToken
64 characters long string, encoded as  base64. Provided by Salt Security
A token used for authentication of the policy

Policy Deployment

To deploy the Salt Security APIM policy, select the appropriate policy to deploy. Policies can be configured globally or at the scope of a Product, API, or Operation. To begin configuring a policy, you must first select the scope at which the policy should apply.

Policy scopes are evaluated in the following order:

  • Global scope
  • Product scope
  • API scope
  • Operation scope

NOTE: Salt Security Should be Deployed at the Product or ALL API Scope.

Select the Correct Policy Placement

Next, select Policies from the Policies menu and paste the Salt Security APIM Mirroring Policy under the product’s Policies tab.

NOTE: The Salt Security APIM Policy is provided by Salt Security and consists of a Send-One-Way-Request statement which is designed to transmit the inbound and outbound messages over a secured HTTPS RESTFul API.

Kong Deployment

Prerequisite

Authentication

Accessing the Salt Security HTTP mirroring API requires authentication to prevent unauthorized access. Authentication is done by a basic authentication scheme, which is sent via the request’s authorization header (base64-encoded):

  • Authorization: Basic {TOKEN}

NOTE: The TOKEN value is unique per customer, and shall be provided by the Salt Security team.

Firewall Considerations

Option 1: Mirroring from Kong server → Salt Security Hybrid Server

In your private network firewalls/security settings, make sure traffic is allowed to the Salt Security Hybrid Server. Below is the list of ports required for communication from your Kong server to the Salt Security Hybrid Server.

NOTE: this is only required if traffic is being sent to the Salt Security Hybrid Server

URL

IP Address

Outbound Ports

Description

<hybrid url/ip>
<hybrid url/ip>
31443 (TCP/TLS)
Sensor Data path

Option 2: Mirroring from Kong server → Salt Cloud Service

URL

Static IP

Port

Description

Traffic-receiver-i.dnssf.com
169.47.178.236
443 (TLS/TCP)
Sensor Data path

Instructions

Extract the Salt Security Sensor for Kong

tar -xzf kong-plugin-salt-sensor.tar.gz

Install the Salt Security Sensor

luarocks install kong-plugin-salt-sensor-1.0.0-1.all.rock

Edit the Kong configuration and add the path to the sensor

Restart Kong

kong restart -c kong.conf

Enable the Salt Security Sensor

curl -i -X POST \
–url http://:/services//plugins/ \
–data-urlencode ‘name=salt-sensor’ \
–data-urlencode ‘config.salt_domain=’ \
–data-urlencode ‘config.salt_backend_port=’ \
–data-urlencode ‘config.salt_token=’

Where possible return codes are:

Return Value

Description

0
Sensor is up & running
1
Sensor is up & running
2
Sensor is up & running

MuleSoft Deployment

Prerequisite

Mule version 4.1.1 and later is required

Authentication

Accessing the Salt Security HTTP mirroring API requires authentication to prevent unauthorized access. Authentication is done by a basic authentication scheme, which is sent via the request’s authorization header:

  • Authorization: Basic {TOKEN}

NOTE: The TOKEN value is unique per customer, and shall be provided by the Salt Security team.

MuleSoft Firewall Considerations

Option 1: Mirroring from MuleSoft → Salt Security Hybrid Server

In your private network firewalls/security settings, make sure traffic is allowed to the Salt Security Hybrid Server. Below is the list of ports required for communication from your MuleSoft to the Salt Security Hybrid Server (NOTE: this is only required if traffic is being sent to the Salt Security Hybrid Server):

URL

IP Address

Outbound Ports

Description

<hybrid url/ip>
<hybrid url/ip>
31443 (TCP/TLS)
Sensor Data path

Option 2: Mirroring from MuleSoft → Salt Cloud Service

URL

Static IP

Port

Description

Traffic-receiver-i.dnssf.com
169.47.178.236
443 (TLS/TCP)
Sensor Data path

Instructions

The Policy

Salt Security Mirroring Policy consists of a maven package, which results in a deployable JAR file that contains the policy implementation.

The package contains:

  • Salt-mirroring-policy.yaml – A configuration File, where the policy parameters and metadata are defined
  • pom.xml – Defines policy dependencies
  • template.xml – An XML file which contains the implementation of the policy using Mule’s XML schema language

Applying the Policy

See the official MuleSoft guide covering how to upload the policy to the exchange server: https://docs.mulesoft.com/api-manager
/2.x/custom-policy-uploading-to-exchange

In the Anypoint Platform, search your organization’s ID to use in the following steps:

  • Go to Access Management > Organization, click the name of your organization. Copy the UUID from the browser address.
  • Update the settings.xml file in your Maven .m2 directory with your Exchange credentials.
  • In the pom.xml perform the following steps:
    a. Replace the groupId with the organization ID from the previous step.
    b. Replace the {orgId} in the exchange URL with the organization ID:
  • Upload the policy to the organization exchange account by running the mvn deploy command from the policy directory.
  • From API Manager go to Automated Policies, and click on “Apply new Automated Policy”. Choose Salt Mirroring Policy, and update it with the address of the Mirroring API address and the authentication token. NOTE: Target URL should contain domain names only.
  • After clicking on the “Apply” button, the policy will be added to the Automated Policies list.

F5 Deployment

Prerequisite

Works with any Big IP version that supports clone pools.

The Salt Security virtual machine must receive unencrypted cloned traffic from the BIG-IP.

Instructions

Create a new Pool with the sensor Host’s IP as the pool member.

create /ltm pool SALT_POOL members add { SALT_VIRTUAL_MACHINE_IP:80 }

To add the application server to the clone pool:

tmsh modify /ltm virtual <VIRTUAL_NAME_OF_APP_SERVER> clone-pools add { SALT_POOL }