
Agile and Compliant Firewall ACL Configuration Management for DevOps - J on the Beach 2017

Slides for my talk at J on the Beach 2017. Demo video available at: https://www.youtube.com/watch?v=7eFcgWiGprw


Ildefonso Montero

May 18, 2017

Transcript

  1. Who am I: Ildefonso Montero, Backend Software Developer (10+ years).
     Last 3 years working on DevOps and Network Automation at Intelliment Security.
  2. Application Delivery: I'm involved in the development of an application
     and I need ... to push these changes to the production environment (~minutes)
  3. Application Delivery: I'm involved in the development of an application
     and I need ... to deploy several services on the infrastructure (~minutes)
  4. Application Delivery: I'm involved in the development of an application
     and I need ... to perform live migrations in hybrid multi-cloud environments (~minutes)
  5. Application Delivery: I'm involved in the development of an application
     and I need ... to have network visibility across services inside and outside the infrastructure (~hours, ~days)
  6. Application Delivery: I'm involved in the development of an application
     and I need ... to build a lab environment to test the high availability of my services under networking issues (~days, ~weeks)
  7. Application Delivery: I'm involved in the development of an application
     and I need ... to be able to keep working while the infrastructure team performs changes on our network infrastructure (~weeks, ~months)
  8. Network Delivery: O.P.E.R.A.T.I.O.N.A.L issues
     • Delivery takes too long (~25 days avg)
     • Too many changes (30,000+ per year)
     • The network is evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  9. iptables (iptables-restore format):
     *filter
     :INPUT DROP [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT DROP [0:0]
     -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
     COMMIT
     I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  10. FortiGate (services are defined before the policy that references them, as FortiOS requires):
     config firewall address
         edit "B_PHPs"
             set comment "Backend PHP servers"
             set color 7
             set type iprange
             set start-ip 10.31.50.60
             set end-ip 10.31.50.99
         next
         edit "B_DBs_SQL"
             set comment "Database servers"
             set color 7
             set type iprange
             set start-ip 10.31.40.10
             set end-ip 10.31.40.39
         next
     end
     config firewall service custom
         edit "mysql"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 3306
         next
         edit "postgres"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 5432
         next
         edit "oracle"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 1521
         next
     end
     config firewall policy
         edit 1
             set srcintf "B_frontend"
             set dstintf "B_backend"
             set srcaddr "B_PHPs"
             set dstaddr "B_DBs_SQL"
             set action accept
             set service "mysql" "postgres" "oracle"
             set schedule "always"
             set logtraffic disable
             set comments "SQL databases access"
         next
     end
     I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  11. Check Point (dbedit):
     create tcp_service mysql
     modify services mysql color orange
     modify services mysql port 3306
     modify services mysql comments ''
     modify services mysql include_in_any false
     update services mysql
     create tcp_service postgres
     modify services postgres color orange
     modify services postgres port 5432
     modify services postgres comments ''
     modify services postgres include_in_any false
     update services postgres
     create tcp_service oracle
     modify services oracle color orange
     modify services oracle port 1521
     modify services oracle comments ''
     modify services oracle include_in_any false
     update services oracle
     create address_range B_PHPs
     modify network_objects B_PHPs color orange
     modify network_objects B_PHPs ipaddr_first 10.31.50.60
     modify network_objects B_PHPs ipaddr_last 10.31.50.99
     modify network_objects B_PHPs comments ''
     modify network_objects B_PHPs add_adtr_rule false
     update network_objects B_PHPs
     create address_range B_DBs_SQL
     modify network_objects B_DBs_SQL color orange
     modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
     modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
     modify network_objects B_DBs_SQL comments ''
     modify network_objects B_DBs_SQL add_adtr_rule false
     update network_objects B_DBs_SQL
     create policies_collection IS_rb_SiteB_FG
     update policies_collections IS_rb_SiteB_FG
     create firewall_policy ##IS_rb_SiteB_FG
     modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
     update fw_policies ##IS_rb_SiteB_FG
     addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
     modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
     modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
     modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
     addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
     update fw_policies ##IS_rb_SiteB_FG
     update_all
     I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  12. Palo Alto PAN-OS (XML configuration):
     <entry name="localhost.localdomain">
       <vsys>
         <entry name="vsys1">
           <service>
             <entry name="mysql"><protocol><tcp><port>3306</port></tcp></protocol></entry>
             <entry name="postgres"><protocol><tcp><port>5432</port></tcp></protocol></entry>
             <entry name="oracle"><protocol><tcp><port>1521</port></tcp></protocol></entry>
           </service>
           <service-group/>
           <address>
             <entry name="B_PHPs"><ip-range>10.31.50.60-10.31.50.99</ip-range></entry>
             <entry name="B_DBs_SQL"><ip-range>10.31.40.10-10.31.40.39</ip-range></entry>
           </address>
           <address-group/>
           <application/>
           <zone/>
           <rulebase>
             <security>
               <rules>
                 <entry name="IS_rule">
                   <action>allow</action>
                   <from><member>any</member></from>
                   <to><member>any</member></to>
                   <source><member>B_PHPs</member></source>
                   <destination><member>B_DBs_SQL</member></destination>
                   <service>
                     <member>mysql</member>
                     <member>postgres</member>
                     <member>oracle</member>
                   </service>
                   <application><member>any</member></application>
                   <description>SQL databases access</description>
                   <log-start>no</log-start>
                   <log-end>no</log-end>
                 </entry>
               </rules>
             </security>
           </rulebase>
         </entry>
       </vsys>
     </entry>
     I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  13. Cisco ASA:
     object network B_PHPs
      range 10.31.50.60 10.31.50.99
     object network B_DBs_SQL
      range 10.31.40.10 10.31.40.39
     object service mysql
      service tcp destination eq 3306
     object service postgres
      service tcp destination eq 5432
     object service oracle
      service tcp destination eq 1521
     object-group service G_586576025
      service-object object mysql
      service-object object postgres
      service-object object oracle
     access-list Intelliment_Rule_B_frontend remark SQL databases access
     access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
     !
     access-group Intelliment_Rule_B_frontend in interface B_frontend
     !
     I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
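The five listings above are a single intent (the backend PHP range to the SQL database range on tcp 3306, 5432 and 1521) written in five vendor dialects. As an added example that is not Intelliment's code, the script below keeps that intent in a vendor-neutral model, validates it, and renders it to iptables-restore and Cisco ASA syntax; the Intent and IpRange classes, the `tcp_<port>` service-object names and the `Rule_<interface>` ACL name are assumptions made here. One thing worth noticing in the listings: the iptables, FortiGate, PAN-OS and ASA renderings all leave the rule unlogged (no LOG target, `set logtraffic disable`, `<log-end>no</log-end>`, `log disable`), so this model defaults logging on and only emits the vendor's disable form when the intent explicitly asks for it.

```python
"""Added example (not Intelliment's code): one vendor-neutral connectivity
intent rendered to iptables-restore and Cisco ASA syntax. The Intent/IpRange
model, service-object names and ACL name are assumptions for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class IpRange:
    name: str
    first: str
    last: str


@dataclass(frozen=True)
class Intent:
    src: IpRange
    dst: IpRange
    src_if: str            # ingress interface / zone
    dst_if: str            # egress interface / zone
    tcp_ports: Tuple[int, ...]
    comment: str
    log: bool = True       # the slide listings disable logging; default it on


def validate(i: Intent) -> None:
    """Reject intents that would render into syntactically valid but wrong rules."""
    for r in (i.src, i.dst):
        a, b = ipaddress.ip_address(r.first), ipaddress.ip_address(r.last)
        if a.version != b.version or a > b:
            raise ValueError(f"bad range {r.name}: {r.first}-{r.last}")
    if not i.tcp_ports or any(not 0 < p < 65536 for p in i.tcp_ports):
        raise ValueError(f"bad port list {i.tcp_ports}")
    if '"' in i.comment:
        raise ValueError("comment must not contain double quotes")


def render_iptables(i: Intent) -> str:
    validate(i)
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        lines.append(f"-A {chain} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    ports = ",".join(str(p) for p in i.tcp_ports)
    match = (f"-A FORWARD -p tcp -i {i.src_if} -o {i.dst_if} "
             f"-m iprange --src-range {i.src.first}-{i.src.last} "
             f"-m iprange --dst-range {i.dst.first}-{i.dst.last} "
             f"-m multiport --dports {ports} -m comment --comment \"{i.comment}\"")
    if i.log:
        # Log new connections before accepting them; the LOG prefix is capped at 29 chars.
        lines.append(f"{match} -m conntrack --ctstate NEW -j LOG --log-prefix \"{i.comment[:27]}: \"")
    lines.append(f"{match} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def render_asa(i: Intent) -> str:
    validate(i)
    out = []
    for r in (i.src, i.dst):
        out += [f"object network {r.name}", f" range {r.first} {r.last}"]
    svc = []
    for p in i.tcp_ports:
        svc.append(f"tcp_{p}")
        out += [f"object service tcp_{p}", f" service tcp destination eq {p}"]
    grp = "G_" + "_".join(svc)                 # assumed naming scheme for the service group
    out.append(f"object-group service {grp}")
    out += [f" service-object object {s}" for s in svc]
    acl = f"Rule_{i.src_if}"                   # assumed ACL naming scheme
    out.append(f"access-list {acl} remark {i.comment}")
    out.append(f"access-list {acl} extended permit object-group {grp} "
               f"object {i.src.name} object {i.dst.name}" + ("" if i.log else " log disable"))
    out += ["!", f"access-group {acl} in interface {i.src_if}", "!"]
    return "\n".join(out) + "\n"


def sql_access_intent(log: bool = True) -> Intent:
    """The flow from the slides: backend PHP servers to the SQL database servers."""
    return Intent(
        src=IpRange("B_PHPs", "10.31.50.60", "10.31.50.99"),
        dst=IpRange("B_DBs_SQL", "10.31.40.10", "10.31.40.39"),
        src_if="B_frontend", dst_if="B_backend",
        tcp_ports=(3306, 5432, 1521),
        comment="SQL databases access",
        log=log,
    )


if __name__ == "__main__":
    print(render_iptables(sql_access_intent()))
    print(render_asa(sql_access_intent()))
```

The validation step is the part a generator is most tempted to skip: a reversed range or a quote inside the comment would still produce text the vendor CLI accepts, just not the rule that was meant.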
  14. I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  15. I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  16. I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  17. I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  18. Automation: I'm involved in the development of an application and I need ...
     to push these changes to the production environment (~minutes)
     to deploy several services on the infrastructure (~minutes)
     to perform live migrations in hybrid multi-cloud environments (~minutes)
  19. Network Automation: "Why Network Automation Matters, and What You Can Do About It", Rick Sherman at PuppetConf 2016 (https://www.youtube.com/watch?v=GZs2rXSEXoY)
  20. Network Automation:
     Juniper PyEZ, PAN-OS, Cisco NX-API (pycsco), IOS-XR (pyIOSXR) …
     NETCONF, YANG, OpenConfig, IETF operational model structure …
     Netmiko, Paramiko, NAPALM …
     Software Defined Networks, OpenDaylight, NFV, flannel, kube-proxy …
     Project Calico, Romana, Fugue …
     Ansible, Puppet modules, Chef InSpec …
  21. Network Automation: I'm involved in the development of an application and I need ...
     to have network visibility across services inside and outside the infrastructure
     to build a lab environment to test high availability under networking issues
     to be able to keep working while the infrastructure team performs changes on our network
  22. Network Automation: I'm involved in the development of an application and I need ...
     to have network visibility across services inside and outside the infrastructure
     to build a lab environment to test high availability under networking issues
     to be able to keep working while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  23. ... still having the same O.P.E.R.A.T.I.O.N.A.L issues
     • Delivery takes too long (~25 days avg)
     • Too many changes (30,000+ per year)
     • The network is evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  24. Agility by abstraction: I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure.
     Just say what you want instead of thinking about how to perform it.
  25. App Owners (Dev/Ops) / Network needs: "I need to consume SNMP servers"; "I will provide a service on tcp 443 and tcp 80"
     SecOps / Security Rules: "The user network must have visibility to the App server"
     Risk teams / Compliance: "DMZ traffic to the Internet must be limited to tcp 443"
  26. Network Abstraction Layer: App Owner / DevOps specifies app connectivity; Network Engineer specifies quality; Security Consultant specifies compliance; Security Engineer specifies threat response; Network Infrastructure: Data Ingestion …
  27. Network Abstraction Layer: App Owner / DevOps specifies app connectivity; Network Engineer specifies quality; Security Consultant specifies compliance; Security Engineer specifies threat response; Network Infrastructure: Data Ingestion …
     API / UI: Query and Operate the Network In Code. Network Security Policies Orchestration Controller.
  28. Network Security Policies Orchestration Controller Features: Security Policies Inventory; Visualization; Line of Sight; Automatic Migration; Orchestrated deployment; Multivendor; Change Simulation; Validations; Change Traceability; Pre-approved Flows / Policies; Application Delivery; Automatic Change Implementation
  29. What is Intelliment? A Network Security Policies Orchestration Controller implementation
     • Abstracts network topology and network security policies
     • Security policies are expressed as user intents
     • Maintains a network security policies knowledge base
     • Orchestrates, diagnoses and deploys change requests
     • No vendor lock-in
     • Agentless
     • Hybrid network infrastructure (physical, virtual, cloud, SDN)
     • Third-party integrations ready
     • RESTful API
  30. What is Intelliment? A Network Security Policies Orchestration Controller implementation
     • Java, Akka, OSGi, Eclipse MDA Tools
     • Hazelcast, CQEngine, MongoDB, MySQL
     • Intelliment Security Policy Automation: HTML5, CSS3, ExtJS
     • Integrations: Puppet, Cisco ISE, OpenDaylight SDN, etc.
  31. Let's see Intelliment working ...
     to have network visibility across services inside and outside the infrastructure
     to build a lab environment to test high availability under networking issues
     to be able to keep working while the infrastructure team performs changes on our network
  32. Demo Use Cases:
     Visualise which network visibilities are defined for an AWS-based instance
     Set up predefined network visibility configurations (ssh, ping) for GCE instances
  33. Demo Use Cases:
     Visualise which network visibilities are defined for an AWS-based instance
     Set up predefined network visibility configurations (ssh, ping) for GCE instances
     Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
  34. Demo Use Cases:
     Visualise which network visibilities are defined for an AWS-based instance
     Set up predefined network visibility configurations (ssh, ping) for GCE instances
     Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
     Perform a migration from an on-premise environment managed by Cisco, Palo Alto and FortiGate to AWS and GCE
  35. Let's recap ...
     to have network visibility across services inside and outside the infrastructure
     to build a lab environment to test high availability under networking issues
     to be able to keep working while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  36. Let's recap ...
     to have network visibility across services inside and outside the infrastructure
     to build a lab environment to test high availability under networking issues
     to be able to keep working while the infrastructure team performs changes on our network (~minutes)
  37. Let's recap ... from these O.P.E.R.A.T.I.O.N.A.L issues:
     • Delivery takes too long (~25 days avg)
     • Too many changes (30,000+ per year)
     • The network is evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  38. Let's recap ... to:
     • Consolidated Operations: visualize, query and operate the network policy as a single, consolidated entity
     • Policy Portability: specify policies as vendor-neutral intents. No experts needed.
     • Firewall Policy as Code: write app connectivity as code to avoid translation mistakes and clean-ups
     • Continuous Preemptive Compliance: pre-approve well-known requests and pre-deny risky ones
     • Automated Application Migration: identify and move the network policies associated with applications
     • Policy Synchronization: sync policies across QA/Dev/Prod/Failover environments
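Slide 25 states three roles' requirements in plain language and slide 38 names the mechanism ("pre-approve well-known requests and pre-deny risky ones"). As an added example that is not Intelliment's code, the script below shows what that preemptive check looks like when written down: requests are mapped to zones, any request that touches a restricted zone pair on a service the Risk team has not allowed is pre-denied, requests that sit entirely inside a SecOps pre-approved pair are pre-approved, and everything else goes to the normal approval process. The zone prefixes, the Request model and the verdict names are assumptions made for this example; the constraints themselves come from the slide. It deliberately handles the awkward case of a request whose prefix spans several zones (a supernet or 0.0.0.0/0), which a naive "which zone is this address in" lookup would either misfile or wave through.

```python
"""Added example (not Intelliment's code): preemptive compliance triage of
connectivity requests before deployment. Zone prefixes, the Request model and
the verdict names are assumptions made for this example."""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed zone map (assumed addressing: RFC 1918 and documentation prefixes).
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "users": [ipaddress.ip_network("10.10.0.0/16")],
    "app":   [ipaddress.ip_network("10.31.50.0/24")],
    "dmz":   [ipaddress.ip_network("192.0.2.0/24")],
}
INTERNET = "internet"   # anything outside every named zone

Service = Tuple[str, int]   # (protocol, port); port 0 for icmp

# Risk team / Compliance statement: DMZ traffic to the Internet is limited to tcp 443.
RESTRICTIONS: Dict[Tuple[str, str], Set[Service]] = {
    ("dmz", INTERNET): {("tcp", 443)},
}
# SecOps + App Owner statements: the user network reaches the app on the ports it publishes.
PREAPPROVED: Dict[Tuple[str, str], Set[Service]] = {
    ("users", "app"): {("tcp", 443), ("tcp", 80)},
}


@dataclass(frozen=True)
class Request:
    src: str        # host address or CIDR
    dst: str
    proto: str
    port: int = 0


def zones_touched(addr: str) -> Set[str]:
    """Every zone the prefix overlaps. A supernet spanning several zones touches all
    of them, and any part lying outside every named zone counts as the Internet."""
    net = ipaddress.ip_network(addr, strict=False)
    hit = {name for name, prefixes in ZONES.items()
           if any(net.overlaps(p) for p in prefixes)}
    contained = any(net.subnet_of(p) for prefixes in ZONES.values() for p in prefixes)
    if not contained:
        hit.add(INTERNET)
    return hit


def evaluate(r: Request) -> str:
    """'pre-denied' if any zone pair the request touches violates a restriction;
    'pre-approved' only if the request lies entirely within one pre-approved pair;
    otherwise 'review' (normal approval process)."""
    svc = (r.proto.lower(), r.port)
    srcs, dsts = zones_touched(r.src), zones_touched(r.dst)
    # Deny first: overlapping a restricted pair on a non-allowed service is enough.
    for pair in itertools.product(srcs, dsts):
        if pair in RESTRICTIONS and svc not in RESTRICTIONS[pair]:
            return "pre-denied"
    # Approve only when both ends map to exactly one zone each.
    if len(srcs) == 1 and len(dsts) == 1:
        if svc in PREAPPROVED.get((next(iter(srcs)), next(iter(dsts))), set()):
            return "pre-approved"
    return "review"


def triage(requests: List[Request]) -> Dict[Request, str]:
    return {r: evaluate(r) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests for the example.
    for req, verdict in triage([
        Request("10.10.4.7", "10.31.50.60", "tcp", 443),     # users -> app, https
        Request("192.0.2.10", "203.0.113.5", "tcp", 22),     # dmz -> internet, ssh
        Request("192.0.2.10", "203.0.113.5", "tcp", 443),    # dmz -> internet, https
        Request("10.31.50.60", "10.10.9.9", "udp", 161),     # app -> users, snmp
        Request("192.0.0.0/16", "0.0.0.0/0", "tcp", 22),     # supernet spanning the DMZ
    ]).items():
        print(f"{verdict:12} {req.src} -> {req.dst} {req.proto}/{req.port}")
```

The asymmetry is intentional: denial is evaluated on overlap, approval on containment. A request that merely brushes a restricted zone must not slip through because most of its prefix is elsewhere, and a request that spans zones must not be auto-approved on the strength of the one zone it happens to match.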