
Agile management of secure web infrastructures during software development and delivery cycles

Talk for the Master in Cybersecurity at the University of Cádiz (http://esingenieria.uca.es/docencia/master-en-ciberseguridad-datos-informacion/)

Ildefonso Montero

December 05, 2017
Transcript

  1. Who am I: Ildefonso Montero, Backend Software Developer (+10 years). Last 3 years working on DevOps and Network Automation at Intelliment Security.
  2. “ Application Delivery: I’m involved in the development of an application and I need ... to push these changes to the production environment (~minutes)
  3. “ Application Delivery: I’m involved in the development of an application and I need ... to deploy several services on the infrastructure (~minutes)
  4. “ Application Delivery: I’m involved in the development of an application and I need ... to perform live migrations across hybrid multi-cloud environments (~minutes)
  5. “ Application Delivery: I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (~hours, ~days)
  6. “ Application Delivery: I’m involved in the development of an application and I need ... to build a lab environment to test the high availability of my services under networking issues (~days, ~weeks)
  7. “ Application Delivery: I’m involved in the development of an application and I need ... to be able to keep working while the infrastructure team performs changes on our network infrastructure (~weeks, ~months)
  8. Network Delivery Operational Issues
     • Too long time to delivery (~25 days on average)
     • Too many changes (+30,000 per year)
     • The network may be evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per configuration)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  9. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (Linux iptables, iptables-save format)

     *filter
     :INPUT DROP [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT DROP [0:0]
     -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
     COMMIT
  10. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (Fortinet FortiGate CLI)

     config firewall address
         edit "B_PHPs"
             set comment "Backend PHP servers"
             set color 7
             set type iprange
             set start-ip 10.31.50.60
             set end-ip 10.31.50.99
         next
         edit "B_DBs_SQL"
             set comment "Database servers"
             set color 7
             set type iprange
             set start-ip 10.31.40.10
             set end-ip 10.31.40.39
         next
     end
     config firewall policy
         edit 1
             set srcintf "B_frontend"
             set dstintf "B_backend"
             set srcaddr "B_PHPs"
             set dstaddr "B_DBs_SQL"
             set action accept
             set service "mysql" "postgres" "oracle"
             set schedule "always"
             set logtraffic disable
             set comments "SQL databases access"
         next
     end
     config firewall service custom
         edit "mysql"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 3306
         next
         edit "postgres"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 5432
         next
         edit "oracle"
             set color 7
             set protocol TCP/UDP/SCTP
             set tcp-portrange 1521
         next
     end
  11. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (Palo Alto PAN-OS XML configuration)

     <entry name="localhost.localdomain">
       <vsys>
         <entry name="vsys1">
           <service>
             <entry name="mysql"><protocol><tcp><port>3306</port></tcp></protocol></entry>
             <entry name="postgres"><protocol><tcp><port>5432</port></tcp></protocol></entry>
             <entry name="oracle"><protocol><tcp><port>1521</port></tcp></protocol></entry>
           </service>
           <service-group/>
           <address>
             <entry name="B_PHPs"><ip-range>10.31.50.60-10.31.50.99</ip-range></entry>
             <entry name="B_DBs_SQL"><ip-range>10.31.40.10-10.31.40.39</ip-range></entry>
           </address>
           <address-group/>
           <application/>
           <zone/>
           <rulebase>
             <security>
               <rules>
                 <entry name="IS_rule">
                   <action>allow</action>
                   <from><member>any</member></from>
                   <to><member>any</member></to>
                   <source><member>B_PHPs</member></source>
                   <destination><member>B_DBs_SQL</member></destination>
                   <service>
                     <member>mysql</member>
                     <member>postgres</member>
                     <member>oracle</member>
                   </service>
                   <application><member>any</member></application>
                   <description>SQL databases access</description>
                   <log-start>no</log-start>
                   <log-end>no</log-end>
                 </entry>
               </rules>
             </security>
           </rulebase>
         </entry>
       </vsys>
     </entry>
  12. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (Cisco ASA)

     object network B_PHPs
      range 10.31.50.60 10.31.50.99
     object network B_DBs_SQL
      range 10.31.40.10 10.31.40.39
     object service mysql
      service tcp destination eq 3306
     object service postgres
      service tcp destination eq 5432
     object service oracle
      service tcp destination eq 1521
     object-group service G_586576025
      service-object object mysql
      service-object object postgres
      service-object object oracle
     access-list Intelliment_Rule_B_frontend remark SQL databases access
     access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
     !
     access-group Intelliment_Rule_B_frontend in interface B_frontend
     !
  13.–16. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (four slides carrying only this title; no further transcribed content)
  17. “ Automation: I’m involved in the development of an application and I need ... to push these changes to the production environment (~minutes); to deploy several services on the infrastructure (~minutes); to perform live migrations across hybrid multi-cloud environments (~minutes)
  18. “ Network Automation: Why Network Automation Matters, and What You Can Do About It – Rick Sherman at PuppetConf 2016 (https://www.youtube.com/watch?v=GZs2rXSEXoY)
  19. “ Network Automation: Juniper PyEZ, PAN-OS, Cisco NX-API (pycsco), IOS-XR (pyIOSXR) … NETCONF, YANG, OpenConfig, IETF operational model structure … Netmiko, Paramiko, NAPALM … Software Defined Networks, OpenDaylight, NFV, flannel, kube-proxy … Project Calico, Romana, Fugue … Ansible, Puppet modules, Chef InSpec …
  20. “ Network Automation: I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability under networking issues; to be able to keep working while the infrastructure team performs changes on our network
  21. “ Network Automation: I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability under networking issues; to be able to keep working while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  22. Still having the same operational issues
     • Too long time to delivery (~25 days on average)
     • Too many changes (+30,000 per year)
     • The network may be evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per configuration)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  23. Agility by abstraction: I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure. Just say what you want instead of thinking about how to perform it.
  24. Who asks for what
     • App Owners - Dev/Ops / Network needs: “I need to consume SNMP servers”, “I will provide a service by tcp 443 and tcp 80”
     • SecOps / Security Rules: “User network must have visibility to App server”
     • Risk teams / Compliance: “DMZ traffic must be limited to Internet by tcp 443”
  25. Network Abstraction Layer: App Owner / DevOps specifies app connectivity; Network Engineer specifies quality; Security Consultant specifies compliance; Security Engineer specifies threat response; Network Infrastructure; Data Ingestion …
  26. Network Abstraction Layer: App Owner / DevOps specifies app connectivity; Network Engineer specifies quality; Security Consultant specifies compliance; Security Engineer specifies threat response; Network Infrastructure; Data Ingestion … API / UI: Query and Operate the Network In Code. Network Security Policies Orchestration Controller.
  27. Network Security Policies Orchestration Controller Features: Security Policies Inventory; Visualization; Line of Sight; Automatic Migration; Orchestrated Deployment; Multivendor; Change Simulation; Validations; Change Traceability; Pre-approved Flows / Policies; Application Delivery; Automatic Change Implementation
  28. What is Intelliment? A Network Security Policies Orchestration Controller implementation
     • Abstracts network topology and network security policies
     • Security policies are expressed as user intents
     • Maintains a network security policies knowledge base
     • Orchestrates, diagnoses and deploys change requests
     • No vendor lock-in
     • Agentless
     • Hybrid network infrastructure (physical, virtual, cloud, SDN)
     • Third-party integrations ready
     • RESTful API
  29. What is Intelliment? A Network Security Policies Orchestration Controller implementation
     • Java, Akka, OSGi, Eclipse MDA Tools
     • Hazelcast, CQEngine, MongoDB, MySQL
     • Intelliment Security Policy Automation: HTML5, CSS3, ExtJS
     • Integrations: Puppet, Cisco ISE, OpenDaylight SDN, etc.
  30. Demo Use Cases
     • Visualise which network visibilities are defined for an AWS-based instance
     • Set up predefined network visibility configurations (ssh, ping) for GCE instances
     • Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
     • Perform a migration from an on-premise environment managed by Cisco, Palo Alto and FortiGate to AWS and GCE
     https://www.youtube.com/watch?v=7eFcgWiGprw
  31. From Operational Issues ...
     • Too long time to delivery (~25 days on average)
     • Too many changes (+30,000 per year)
     • The network may be evolving continuously
     • Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per configuration)
     • Complicated and highly manual approval process
     • Security compliance is usually managed separately from the change management process
  32. ... To Agile Secure Infrastructure
     • Consolidated Operations: visualize, query and operate the network policy as a single, consolidated entity
     • Policy Portability: specify policies as vendor-neutral intents. No experts needed.
     • Firewall Policy as Code: write app connectivity as code to avoid translation mistakes and clean-ups
     • Continuous Preemptive Compliance: pre-approve well-known requests and pre-deny risky ones
     • Automated Application Migration: identify and move the network policies associated with applications
     • Policy Synchronization: sync policies across QA/Dev/Prod/Failover environments