Embedding Security into DevOps on AWS with Automation Toolsets - SID347 - re:Invent 2017
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Slide 1
Embedding Security into DevOps on AWS with Automation Toolsets
Ivan Bojer
Jaime Franklin
Slide 2
“Automation should not require programming experience - it MUST be easy. We all have other things to do.”
Keywords on the slide: Prevention, Cloud, Orchestration, Automation, Security, Application, Visibility, Easy, APT, Next Generation, API, Seamless, Control, NGFW
Slide 3
DevOps & Security: Can’t We All Get Along?
DevOps is dynamic: VPCs are added and removed; workloads are added and removed frequently.
Security is structured: follow change-control best practices; protection of digital assets is Job 1.
Slide 4
Accelerate Secure Cloud Deployments
Slide 5
Palo Alto Networks Automation Evolution
2009: XML API
2014 (Sep): pan-python
2015 (Dec): Ansible
2016 (Mar): Pandevice
2017 (Mar): Terraform
2018+: Automation partnerships; Application Framework
Slide 6
Automate Security with Reusable Frameworks
Framework layers shown on the slide: Ansible, scripts/CFT, Terraform and Lambda; pan-python and pandevice; XML API.
Slide 7
Ansible for Automation and Orchestration

# sample.yml
- hosts: localhost
  connection: local
  tasks:
    - name: set dns and panorama
      panos_mgtconfig:
        ip_address: "10.5.172.91"
        password: "paloalto"
        dns_server_primary: "10.0.0.1"
        dns_server_secondary: "10.0.0.2"
        panorama_primary: "10.0.1.3"
        panorama_secondary: "10.0.1.4"
        commit: True

ansible-playbook sample.yml -v

Diagram on the slide: the playbook runs on localhost, and the PANW Ansible modules configure each firewall over the XML API (* limited support).
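The PANW Ansible modules on the slide are wrappers over the firewall's XML API, so the task above amounts to a key exchange, two configuration writes and a commit. The script below is an added example (not Palo Alto Networks' module code or the deck's) that builds those requests and parses the firewall's replies, using constructed sample responses so it runs offline. The `/api/` endpoint, the `type=keygen`, `type=config&action=set` and `type=commit` calls, and the `deviceconfig/system` xpath are assumptions from the XML API as I know it; check them against the PAN-OS version in use before relying on them.

```python
"""Shape of the PAN-OS XML API exchange behind a task like the playbook's
panos_mgtconfig.  Added example, not Palo Alto Networks' module code.
Assumptions: the /api/ endpoint with type=keygen, type=config&action=set and
type=commit, and the deviceconfig xpath below."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

# Assumed xpath for a single-vsys firewall's device settings.
DEVICE_XPATH = "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system"

# Constructed sample responses, shaped like the firewall's own replies.
KEYGEN_OK = ('<response status="success"><result>'
             '<key>EXAMPLEKEYnotreal</key></result></response>')
KEYGEN_BAD = ('<response status="error" code="403"><result>'
              '<msg>Invalid Credential</msg></result></response>')
SET_OK = '<response status="success" code="20"><msg>command succeeded</msg></response>'


def keygen_request(host, user, password):
    """Step 1: exchange credentials for an API key.  Credentials go in the POST
    body rather than the query string so they stay out of access logs."""
    return f"https://{host}/api/", urlencode(
        {"type": "keygen", "user": user, "password": password})


def parse_keygen_response(xml_text):
    """Pull the key out of <response status="success"><result><key>..</key>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + (root.findtext(".//msg") or "no message"))
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response carried no key")
    return key


def set_config_request(host, api_key, xpath, element_xml):
    """Step 2: type=config&action=set merges element_xml under xpath."""
    return f"https://{host}/api/", urlencode(
        {"type": "config", "action": "set", "xpath": xpath,
         "element": element_xml, "key": api_key})


def mgtconfig_requests(host, api_key, dns_primary, dns_secondary,
                       panorama_primary, panorama_secondary):
    """The two set calls that realise the playbook's DNS and Panorama settings."""
    dns = (f"<dns-setting><servers><primary>{dns_primary}</primary>"
           f"<secondary>{dns_secondary}</secondary></servers></dns-setting>")
    panorama = (f"<panorama-server>{panorama_primary}</panorama-server>"
                f"<panorama-server-2>{panorama_secondary}</panorama-server-2>")
    return [set_config_request(host, api_key, DEVICE_XPATH, dns),
            set_config_request(host, api_key, DEVICE_XPATH, panorama)]


def commit_request(host, api_key):
    """Step 3: commit: True in the playbook becomes a type=commit call."""
    return f"https://{host}/api/", urlencode(
        {"type": "commit", "cmd": "<commit></commit>", "key": api_key})


def set_succeeded(xml_text):
    """True when the firewall accepted the change; a module reports 'changed' on it."""
    return ET.fromstring(xml_text).get("status") == "success"


def decode_body(body):
    """Decode a request body back to a dict (handy for tests and request logging)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    # Offline walk-through with the constructed responses; values match sample.yml.
    url, body = keygen_request("10.5.172.91", "admin", "<password supplied from a vault>")
    key = parse_keygen_response(KEYGEN_OK)
    for url, body in mgtconfig_requests("10.5.172.91", key, "10.0.0.1", "10.0.0.2",
                                        "10.0.1.3", "10.0.1.4"):
        print(url, decode_body(body)["xpath"])
    print("commit accepted:", set_succeeded(SET_OK))
```

The playbook on the slide carries the firewall password inline; with this request shape the password is only needed once, for the keygen call, so it is the one value worth keeping in Ansible Vault or an environment variable while the API key is what the later calls use.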
Slide 8
Public Cloud Deployment Scenario
1. Deploy cloud infrastructure
2. Provision security
3. Configure firewall
Tools (Terraform, Ansible) execute these steps against the cloud APIs; the same flow applies to other public and private cloud platforms.
Slide 9
Hybrid Deployment Example

# vpn.yml
- hosts: localhost
  connection: local
  tasks:
    - name: create VPN
      panos_vpnconfig:
        ip_address: "10.5.172.91"
        password: "paloalto"
        dns_server_primary: "10.0.0.1"
        dns_server_secondary: "10.0.0.2"
        panorama_primary: "10.0.1.3"
        panorama_secondary: "10.0.1.4"
        commit: True

Diagram on the slide: the corporate network (front end, backend, main router) connects to AWS over an IPsec VPN and AWS Direct Connect.
Slide 10
Dynamically Update Firewall Policies
Slide 11
CI/CD: Automated Security for DevOps
Single declarative syntax
Infrastructure as code
Manage multi-cloud with a single tool chain/set
DevOps CI/CD workflow: Git repo exists -> Create application -> Push feature -> Run automation tool on test environment -> (Test pass, Approve change) -> Deploy to production -> Configure production
Slide 12
Automating Secure DevOps VPC Creation
Large, high-tech company moving all application dev and test onto AWS. CloudFormation templates, S3 and Jenkins enable “touchless” deployment of developer VPCs protected by the VM-Series.
Slide 13
Automated Security Building Blocks
Incredibly simple: single app-tier function
Standardized, re-usable, disposable, automated
Best practices built in; no east-west traffic
Diagram on the slide (one availability zone; other public and private cloud platforms noted): VPC 10.0.0.0/16 with a Management subnet 10.0.0.0/24 (INT-FW-Management 10.0.0.5/24, IP-FW-Management), an Untrust subnet 10.0.1.0/24 (INT-FW-Untrust 10.0.1.5/24, IP-Untrust) and a Trust subnet 10.0.2.0/24 (INT-FW-Trust 10.0.2.5/24, NLB-Trust, AS-Trust). VM-FW hosts the three interfaces; route table RT-Trust sends 0.0.0.0/0 to 10.0.2.5; workload VM-TrustX / INT-TrustX sits at 10.0.2.X/24 (App1-Web); tags drive policy.
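Because the building block is meant to be standardized and disposable, its security properties can be checked mechanically every time it is stamped out. The script below is an added example, not code from the deck or from Palo Alto Networks or AWS: it encodes the slide's block (10.0.0.0/16 VPC; Management, Untrust and Trust /24s; firewall interfaces at .5; RT-Trust default route to 10.0.2.5) as a constructed dict whose field names are this example's own, and checks the invariants the slide states. It reads "no east-west traffic" as "workloads live only in the Trust subnet, behind the firewall"; the workload address 10.0.2.11 stands in for the slide's 10.0.2.X. In practice the dict would be filled from Terraform state or the EC2 API.

```python
"""Policy-as-code check for the single-app-tier VPC building block on the slide.
Added example, not Palo Alto Networks' or AWS' code.  BLOCK is a constructed
description of the block; field names are this example's own."""
import copy
import ipaddress

BLOCK = {
    "vpc": "10.0.0.0/16",
    "subnets": {"Management": "10.0.0.0/24",
                "Untrust": "10.0.1.0/24",
                "Trust": "10.0.2.0/24"},
    "firewall_interfaces": {"INT-FW-Management": "10.0.0.5",
                            "INT-FW-Untrust": "10.0.1.5",
                            "INT-FW-Trust": "10.0.2.5"},
    # RT-Trust: 0.0.0.0/0 -> the firewall's trust interface
    "route_tables": {"RT-Trust": {"subnet": "Trust",
                                  "routes": {"0.0.0.0/0": "10.0.2.5"}}},
    # Constructed workload address standing in for the slide's 10.0.2.X
    "instances": {"App1-Web": {"subnet": "Trust", "ip": "10.0.2.11"}},
}


def check_block(block):
    """Return findings as strings; an empty list means the block matches the pattern."""
    findings = []
    vpc = ipaddress.ip_network(block["vpc"])
    subnets = {n: ipaddress.ip_network(c) for n, c in block["subnets"].items()}

    def subnet_of(ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in subnets.items() if addr in net), None)

    # 1. Subnets sit inside the VPC and do not overlap one another.
    names = list(subnets)
    for i, a in enumerate(names):
        if not subnets[a].subnet_of(vpc):
            findings.append(f"subnet {a} {subnets[a]} lies outside VPC {vpc}")
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # 2. Exactly one firewall interface per subnet, addressed inside it.
    fw_ip_in = {}
    for iface, ip in block["firewall_interfaces"].items():
        sn = subnet_of(ip)
        if sn is None:
            findings.append(f"firewall interface {iface} {ip} is in no subnet")
        elif sn in fw_ip_in:
            findings.append(f"subnet {sn} has more than one firewall interface")
        else:
            fw_ip_in[sn] = ip
    for sn in subnets:
        if sn not in fw_ip_in:
            findings.append(f"subnet {sn} has no firewall interface")

    # 3. The Trust subnet's default route must point at the firewall's trust
    #    interface, so every workload egress traverses the VM-Series.
    trust_rts = [(n, rt) for n, rt in block["route_tables"].items()
                 if rt["subnet"] == "Trust"]
    if not trust_rts:
        findings.append("Trust subnet has no route table")
    for name, rt in trust_rts:
        hop = rt["routes"].get("0.0.0.0/0")
        if hop != fw_ip_in.get("Trust"):
            findings.append(f"{name}: default route next hop {hop} is not the "
                            f"firewall trust interface {fw_ip_in.get('Trust')}")

    # 4. No east-west traffic: workloads live only in the Trust subnet.
    for inst, spec in block["instances"].items():
        if spec["subnet"] != "Trust" or subnet_of(spec["ip"]) != "Trust":
            findings.append(f"instance {inst} ({spec['ip']}) is outside the Trust subnet")
    return findings


def variant(block, default_route=None, extra_instance=None):
    """Deep-copied block with a changed Trust default route and/or an added
    instance; used to show how a drifted deployment fails the check."""
    b = copy.deepcopy(block)
    if default_route is not None:
        b["route_tables"]["RT-Trust"]["routes"]["0.0.0.0/0"] = default_route
    if extra_instance is not None:
        name, subnet, ip = extra_instance
        b["instances"][name] = {"subnet": subnet, "ip": ip}
    return b


if __name__ == "__main__":
    print("clean block:", check_block(BLOCK) or "no findings")
    # Drift: default route moved to the subnet router, so traffic bypasses the firewall
    print("bypassed firewall:", check_block(variant(BLOCK, default_route="10.0.2.1")))
```

Running the check as a pipeline stage after the Terraform apply (and again on a schedule against the live account) turns the slide's "best practices built in" into something the CI/CD workflow can fail on when a route table or instance placement drifts.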
Slide 14
Demo Setup
Diagram on the slide: AZ1b with Mgt, Web1 and DB1; firewall interfaces E1/1, E1/2, E1/3; subnets 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24; host addresses .11, .12, .99, .100, .101.
• Terraform templates to deploy a multi-tier application environment on AWS
• Ansible automates web server and VM-Series configuration
• Deployable by specifying a few parameters
• Critical apps deployed with the right security posture
• Repeatable and reproducible across cloud regions
• Simplifies app deployment with security built in
• Leverage best-practice blueprints
Slide 15
Demo Architecture
Deploy, then configure VM-Series policies.
• Terraform automates creation of AWS infrastructure
• Ansible playbooks configure VM-Series firewalls and web servers
• Automate deployment to desired regions
• Environmental requirements defined and automated
Diagram on the slide: the same AZ1b topology as the demo setup (Mgt, Web1, DB1; E1/1, E1/2, E1/3; 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24; .11, .12, .99, .100, .101) deployed by Terraform into the US-West and US-East regions, with Ansible applying the App, Network and Security requirements supplied by the App Team, Network Team and Security Team.
Slide 16
Demo (video)
Slide 17
Accelerating AWS Deployments
https://live.paloaltonetworks.com/cloudtemplate