Network Delivery Operational Issues

• Too many changes (30,000+ per year)
• The network evolves continuously
• Network policies must be reviewed periodically and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
• Complicated and highly manual approval process
• Security compliance is usually managed separately from the change-management process
I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure

As iptables rules:

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
    COMMIT
As FortiGate configuration:

    config firewall address
        edit "B_PHPs"
            set comment "Backend PHP servers"
            set color 7
            set type iprange
            set start-ip 10.31.50.60
            set end-ip 10.31.50.99
        next
        edit "B_DBs_SQL"
            set comment "Database servers"
            set color 7
            set type iprange
            set start-ip 10.31.40.10
            set end-ip 10.31.40.39
        next
    end
    config firewall policy
        edit 1
            set srcintf "B_frontend"
            set dstintf "B_backend"
            set srcaddr "B_PHPs"
            set dstaddr "B_DBs_SQL"
            set action accept
            set service "mysql" "postgres" "oracle"
            set schedule "always"
            set logtraffic disable
            set comments "SQL databases access"
        next
    end
    config firewall service custom
        edit "mysql"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 3306
        next
        edit "postgres"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 5432
        next
        edit "oracle"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 1521
        next
    end
As Cisco ASA configuration:

    object network B_PHPs
     range 10.31.50.60 10.31.50.99
    object network B_DBs_SQL
     range 10.31.40.10 10.31.40.39
    object service mysql
     service tcp destination eq 3306
    object service postgres
     service tcp destination eq 5432
    object service oracle
     service tcp destination eq 1521
    object-group service G_586576025
     service-object object mysql
     service-object object postgres
     service-object object oracle
    access-list Intelliment_Rule_B_frontend remark SQL databases access
    access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
    !
    access-group Intelliment_Rule_B_frontend in interface B_frontend
    !

Note that both firewall policies turn logging off for the matched traffic (`set logtraffic disable` on FortiGate, `log disable` on the ASA); an accept rule for database access is normally one that detection and incident-response teams want logged, so that default deserves a review before the generated policy goes to production.
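The three configurations above all encode one intent: the backend PHP servers may reach the SQL database servers on the MySQL, PostgreSQL and Oracle ports. The following is an added example, not Intelliment's code, of what "policy as code" looks like at its simplest: the intent is written once as data and rendered by per-vendor back ends, here iptables-restore and Cisco ASA. Address ranges, interface names, ports and the rule comment are taken from the slide; the data model, the function names, the `tcp_<port>` service-object names and the ACL name are assumptions made for this example (the iptables back end writes `-p tcp` and `--dports`, which are equivalent to the slide's `-p 6` and `--destination-ports`).

```python
"""Vendor-neutral connectivity intent rendered to iptables and Cisco ASA.

Added example (not Intelliment's code). Data model, function names, the
tcp_<port> object names and the ACL name are assumptions; the addresses,
interfaces, ports and comment come from the slide.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str       # object name, reused verbatim in every vendor rendering
    iface: str      # interface / zone the endpoint sits behind
    start_ip: str   # first address of the range
    end_ip: str     # last address of the range


@dataclass(frozen=True)
class Intent:
    src: Endpoint
    dst: Endpoint
    tcp_ports: tuple        # destination TCP ports, e.g. (3306, 5432, 1521)
    comment: str
    allow: bool = True      # False renders a deny / DROP rule instead


def to_iptables(intent: Intent) -> str:
    """One FORWARD rule in iptables-restore syntax."""
    target = "ACCEPT" if intent.allow else "DROP"
    ports = ",".join(str(p) for p in intent.tcp_ports)
    return (
        f"-A FORWARD -p tcp -i {intent.src.iface} -o {intent.dst.iface}"
        f" -m iprange --src-range {intent.src.start_ip}-{intent.src.end_ip}"
        f" -m iprange --dst-range {intent.dst.start_ip}-{intent.dst.end_ip}"
        f" -m multiport --dports {ports}"
        f' -m comment --comment "{intent.comment}" -j {target}'
    )


def iptables_ruleset(intents: list[Intent]) -> str:
    """Complete filter table: stateful return traffic first, then the intents."""
    lines = ["*filter"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        lines.append(f"-A {chain} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    lines += [to_iptables(i) for i in intents]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def to_asa(intent: Intent, acl: str) -> list[str]:
    """Network objects, per-port service objects, a service group, the ACL entry
    and the interface binding for one intent (bind once per interface when
    rendering several intents into the same ACL)."""
    action = "permit" if intent.allow else "deny"
    lines: list[str] = []
    for ep in (intent.src, intent.dst):
        lines += [f"object network {ep.name}", f" range {ep.start_ip} {ep.end_ip}"]
    for p in intent.tcp_ports:
        lines += [f"object service tcp_{p}", f" service tcp destination eq {p}"]
    group = f"G_{intent.src.name}_{intent.dst.name}"
    lines.append(f"object-group service {group}")
    lines += [f" service-object object tcp_{p}" for p in intent.tcp_ports]
    lines += [
        f"access-list {acl} remark {intent.comment}",
        f"access-list {acl} extended {action} object-group {group}"
        f" object {intent.src.name} object {intent.dst.name}",
        f"access-group {acl} in interface {intent.src.iface}",
    ]
    return lines


# The slide's intent, expressed once as data.
PHPS = Endpoint("B_PHPs", "B_frontend", "10.31.50.60", "10.31.50.99")
DBS = Endpoint("B_DBs_SQL", "B_backend", "10.31.40.10", "10.31.40.39")
SQL_ACCESS = Intent(PHPS, DBS, (3306, 5432, 1521), "SQL databases access")

if __name__ == "__main__":
    print(iptables_ruleset([SQL_ACCESS]))
    print("\n".join(to_asa(SQL_ACCESS, "Rule_B_frontend")))
```

Because every vendor output is derived from the same `Intent`, a review of the change can be done on the intent (who may talk to whom, on which ports) rather than on three syntaxes, and a renamed interface or an added port is a one-line change to the data instead of three hand edits.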
... and I need ... to push these changes to the production environment (~minutes), to deploy several services on the infrastructure (~minutes), to perform live migrations across hybrid multi-cloud environments (~minutes)
I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure, to build a lab environment to test high availability against networking issues, to be able to keep working while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
Still having the same operational issues (the same list as under Network Delivery Operational Issues)
I'm involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure. Just say what you want instead of thinking about how to perform it.
• ... consume SNMP servers
• I will provide a service on tcp 443 and tcp 80
• SecOps / Security rules: the User network must have visibility to the App server
• Risk teams / Compliance: DMZ traffic to the Internet must be limited to tcp 443
• ... an AWS-based instance
• Set up predefined network-visibility configurations (ssh, ping) for GCE instances
• Deliver network visibility for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
• Perform a migration from an on-premise environment managed by Cisco, Palo Alto and Fortigate to AWS and GCE
Video: https://www.youtube.com/watch?v=7eFcgWiGprw
From Operational Issues ... to an Agile Secure Infrastructure

• ... operate the network policy as a single, consolidated entity
• Policy Portability: specify policies as vendor-neutral intents. No experts needed.
• Firewall Policy as Code: write application connectivity as code to avoid translation mistakes and clean-ups
• Continuous Preemptive Compliance: pre-approve well-known requests and pre-deny risky ones
• Automated Application Migration: identify and move the network policies associated with an application
• Policy Synchronization: sync policies across QA/Dev/Prod/Failover environments
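"Continuous Preemptive Compliance" means that a connectivity request is classified before anyone looks at it: requests that match a known-risky shape are rejected outright, requests that match a well-known allowed shape are approved without a manual ticket, and only the rest reach the approval queue. The following is an added example, not Intelliment's code, using the two constraints stated earlier in the deck (the User network must have visibility to the App server; DMZ traffic to the Internet must be limited to tcp 443). The zone names, the request format, the verdict names and the decision that the SecOps rule pre-approves only the web ports the application team declared (tcp 80 and 443) are assumptions made for this example.

```python
"""Preemptive compliance: triage connectivity requests against guardrails.

Added example (not Intelliment's code). Zone names, the Request format, the
three verdicts and the sample requests are constructed for this example; the
two constraints come from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    PRE_APPROVED = "pre-approved"   # deploy without a manual approval
    PRE_DENIED = "pre-denied"       # rejected before it reaches anyone
    REVIEW = "manual review"        # not covered by any guardrail


@dataclass(frozen=True)
class Request:
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Guardrail:
    name: str
    verdict: Verdict
    matches: Callable[[Request], bool]


def dmz_egress_not_https(r: Request) -> bool:
    """Risk/Compliance: DMZ -> Internet on anything but tcp/443 violates the limit."""
    return (r.src_zone == "DMZ" and r.dst_zone == "Internet"
            and not (r.proto == "tcp" and r.port == 443))


def user_to_app_web(r: Request) -> bool:
    """SecOps: User network -> App server on the declared service ports (assumed 80/443)."""
    return (r.src_zone == "User" and r.dst_zone == "App"
            and r.proto == "tcp" and r.port in (80, 443))


GUARDRAILS = [
    Guardrail("Compliance: DMZ egress limited to tcp/443", Verdict.PRE_DENIED, dmz_egress_not_https),
    Guardrail("SecOps: User network to App server (web)", Verdict.PRE_APPROVED, user_to_app_web),
]


def classify(req: Request, guardrails=GUARDRAILS) -> tuple[Verdict, Optional[str]]:
    """Return the verdict and the name of the guardrail that produced it.

    Deny guardrails are evaluated before approve guardrails, so a request can
    never be pre-approved by one rule while violating another. A request that
    is merely compliant (e.g. DMZ -> Internet tcp/443) is not thereby approved:
    a limit narrows what may be requested, it does not grant anything.
    """
    for verdict in (Verdict.PRE_DENIED, Verdict.PRE_APPROVED):
        for g in guardrails:
            if g.verdict is verdict and g.matches(req):
                return verdict, g.name
    return Verdict.REVIEW, None


def triage(requests: list[Request]) -> dict[Verdict, list[Request]]:
    """Bucket a batch of requests by verdict."""
    buckets: dict[Verdict, list[Request]] = {v: [] for v in Verdict}
    for r in requests:
        verdict, _ = classify(r)
        buckets[verdict].append(r)
    return buckets


# Constructed sample batch: two violations, one pre-approvable, two for review.
SAMPLE_REQUESTS = [
    Request("DMZ", "Internet", "tcp", 22),       # pre-denied
    Request("DMZ", "Internet", "udp", 53),       # pre-denied
    Request("DMZ", "Internet", "tcp", 443),      # compliant, still reviewed
    Request("User", "App", "tcp", 443),          # pre-approved
    Request("Backend", "Backend", "tcp", 3306),  # reviewed
]

if __name__ == "__main__":
    for verdict, reqs in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict.value}: {len(reqs)}")
```

Keeping the guardrails as plain predicates next to the intents makes the compliance rule part of the same reviewable change set as the connectivity it constrains, which is the point of not managing compliance separately from change management.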