In some organizations, the theme of “can’t we all just get along” accurately describes the relationship between DevOps and network security. DevOps operates at a rapid and dynamic pace, using the cloud to create and deploy. Security teams exercise industry best practices of policy change control to eliminate potential security holes. Inevitably, deployment challenges arise. The ideal solution is one where security becomes part of the DevOps fabric. In this session, Ivan Bojer, automation specialist, and Jaime Franklin, cloud architect, both of Palo Alto Networks, discuss and demonstrate how AWS customers can automate the deployment of the VM-Series next generation firewall to protect DevOps environments on AWS. The topics in this session are based on current customer examples. They include: “touchless” deployment of a fully configured firewall utilizing automation tools, such as AWS CloudFormation templates, Terraform, and Ansible; consuming AWS tags to execute commitless policy updates; using Amazon CloudWatch and Elastic Load Balancing to deliver scalability and resiliency. This session wraps up with a discussion of sample templates and scripts to get started and a video demonstration of a fully automated VM-Series deployment. Session sponsored by Palo Alto Networks

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
 E m b e d d i n g S e c u r i t y i n t o D e v O p s o n A W S w i t h
A u t o m a t i o n T o o l s e t s
 I v a n B o j e r
 J a i m e F r a n k l i n
 C L I C K T O A D D T E X T

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“Automation should not require
programming experience -
it MUST be easy.
We all have other things to do.”
PREVENTION CLOUD
Orchestration
AUTOMATION
SECURITY
Application
Visibility
EASY
APT
Next Generation
API
SEAMLESS
Control
NGFW

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
 DevOps is dynamic
 VPCs added/removed
 Frequent workload
adds/removals
 Security is structured
 Follow change control
best practices
 Protection of digital
assets is Job 1
 S e c u r i t y D e v O p s
Devops & Security: Can’t We All Get
Along?

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Accelerate Secure Cloud Deployments
+ =

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Palo Alto Networks Automation Evolution
2018+
• Automation
Partnerships
• Application
Framework
2017(Mar)
• Terraform
2016(Mar)
• Pandevice
2015(Dec)
• Ansible
2014
(Sep)
• pan-python
2009
• XML API

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automate Security with Reusable
Frameworks
ANSIBLE SCRIPTS/CFTTERRAFORM
PAN PYTHON
XML API
PAN DEVICE
LAMBDA

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ansible for Automation and
Orchestration
# sample.yml
- hosts: localhost
connection: local
tasks:
- name: set dns and panorama
panos_mgtconfig:
ip_address: "10.5.172.91"
password: "paloalto"
dns_server_primary: "10.0.0.1"
dns_server_secondary: "10.0.0.2"
panorama_primary: "10.0.1.3"
panorama_secondary: "10.0.1.4"
commit: True
ansible-playbook sample.yml -v
localhost
XML API
XML API
XML API
PANW
Ansible
Modules
* limited support

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Public Cloud Deployment Scenario
 Deploy cloud infrastructure
 Provision security
 Configure firewall
Other Public & Private
Cloud Platforms
Terraform
Ansible
Tools
Execute
Cloud
APIs
1. Deploy
2. Provision
3. Configure

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid Deployment Example
# vpn.yml
- hosts: localhost
connection: local
tasks:
- name: create VPN
panos_vpnconfig:
ip_address: "10.5.172.91"
password: "paloalto"
dns_server_primary: "10.0.0.1"
dns_server_secondary: "10.0.0.2"
panorama_primary: "10.0.1.3"
panorama_secondary: "10.0.1.4"
commit: True
CORPORATE NETWORK
BackendFront end
Main router
IPSEC VPN
AWS DIRECTCONNECT

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dynamically Update Firewall Policies

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CI/C: Automated Security for DevOps
 Single declarative syntax
 Infrastructure as code
 Manage multi cloud with single tool chain/ set
Git repo
exists
Create
application
Push feature
Run
automation
tool on test
environment
Deploy to
production
Configure
production
Approve change Test pass Deploy Configure
DevOps - CI/CD Workflow

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
 Large, high tech company
 Moving all application dev and
test on AWS
 CloudFormation Templates, S3, &
Jenkins enable “touchless”
deployment of developer VPCs
protected by the VM-Series
Automating Secure DevOps VPC
Creation

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
 Incredibly Simple
 Single App-Tier Function
 Standardized
 Re-usable
 Disposable
 Automated
 Best Practices Built-In
 No East-West Traffic
 Automated Security
Building Blocks
VPC - 10.0.0.0/16
Availability Zone
Trust - 10.0.2.0/24
AS-Trust
RT-Trust
0.0.0.0/0 > 10.0.2.5
Untrust - 10.0.1.0/24
IP-Untrust
Management - 10.0.0.0/24
IP-FW-Management
VM-TrustXINT-TrustX
10.0.2.X/24
INT-FW-Untrust
10.0.1.5/24
INT-FW-Management
10.0.0.5/24
INT-FW-Trust
10.0.2.5/24
VM-FW
NLB-Trust
App1-Web
Tags
Other Public & Private
Cloud Platforms

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AZ1b
Web1
DB1
Mgt
E1/1E1/3
E1/2
10.0.0.0/24
10.0.1.0/2410.0.2.0/24
.11
.12
.100
.99
.101
.101
• Terraform templates to deploy a multi-tier application environment on AWS
• Ansible automates web servers and VM-Series configuration
• Deployable by specifying a few parameters
• Critical apps deployed with the right security posture
• Repeatable and reproducible across cloud regions
• Simplifies app deployment with security built in
• Leverage best practice blue prints
Demo Setup

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Deploy
Configure
VM-Series
Policies
• Terraform automates creation of
AWS infrastructure
• Ansible playbooks configure VM-
Series Firewalls and web servers
• Automate deployment to desired
regions
Demo Architecture
AZ1b
Web1
DB1
Mgt
E1/1E1/3
E1/2
10.0.0.0/24
10.0.1.0/2410.0.2.0/24
.11
.12
.100
.99
.101
.101
AZ1b
Web1
DB1
Mgt
E1/1E1/3
E1/2
10.0.0.0/24
10.0.1.0/2410.0.2.0/24
.11
.12
.100
.99
.101
.101
• Environmental requirements
defined and automated
Ansible
Network Team
App Team
Security Team
US-West Region
US-East Region
Terraform
App
Network
Security

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo (video)

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Accelerating AWS Deployments
https://live.paloaltonetworks.com/cloudtemplate