DevSecCon London 2016, Intelliment Security
1. Writing firewall policies in app manifests
By Ildefonso Montero
Join the conversation #devseccon
2-4. Who am I
• Yet another Software Developer @imonteroperez
This talk is NOT about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied to software delivery
This talk is about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied to infrastructure delivery
• Infrastructure: servers, databases, microservices, containers, networks, firewalls, etc.
5-7. Preliminary infrastructure-related buzzwords
From a DevOps perspective:
The good parts
• Automated delivery or provisioning
• Physical, virtual, private and/or public clouds
• Immutable, scalable, replicable, etc.
The "ugly" parts (security, security, security... and others)
• Security compliance
• Firewalling security needs
• Rapid threat containment under attack
• (Multi)vendor coupling
Only from a DevOps perspective?
11-14. Application Delivery
Application delivery is a complex communication between three deliveries:
• Software delivery (the live application)
• Infrastructure delivery (servers, containers, services)
• Network delivery (network and security policies)
Every part of the process needs to be validated and reviewed by people, generating bottlenecks.
• DevOps to the rescue
• NetOps to the rescue:
• Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API - pycsco -, IOS-XR - pyIOSXR -, Arista EOS, etc.)
• Netmiko, Paramiko
• NAPALM + Ansible
• SDN, OpenDaylight, NFV, flannel, kube-proxy
Security validation and compliance of infrastructure delivery:
• ¿? (still an open question)
16. Application delivery bottlenecks
"IT teams are currently spending 20-32% of their time dealing with misconfigurations." (Network Agility Research 2014, Dynamic Markets)
Change management workflow today:
1. App owner: submits a change request (portal).
2. Risk team: risk assessment (traffic simulation). Not approved: back to the app owner. Approved: schedule for enforcement.
3. SecOps team: validate/review the change. NO: back to the app owner. YES: implement the change, deliver the change, test the change.
4. Risk team, periodically: policy clean-up (historic degradation).
18-19. Recap: problems
Security validation and compliance of infrastructure delivery is:
• Highly manual
• Involves different teams (a.k.a. silos) with different ways of doing things
• Living with the problem is not an option
What we want: massive agility gains, massive cost reduction, better risk controls.
20-24. DevSecOps to the rescue!
• Apply the "shift to the left" paradigm
• Application delivery: define your network needs as code
• SecOps: define your security rules as code
• Risk: define your compliance as code
All three are expressed as firewall policies.
26-29. Abstract all the things! Just say what you want
• Apply the "shift to the left" paradigm
• Application delivery: define your network needs as code
• SecOps: define your security rules as code
• Risk: define your compliance as code
Firewall policies as code! Examples of intents:
• "I need to consume SNMP servers"
• "I will provide a service on tcp 443 and tcp 80"
• "The User network must have visibility to the App server"
• "DMZ traffic to the Internet must be limited to tcp 443 and tcp 80"
30. Firewall policies as code
• Abstraction: use a vendor- and topology-neutral model
• Declarative: express your infrastructure security needs as user intents
• Write policies where you need them. From a DevSecOps perspective: apply shift left, so write them in your app manifests!
33. Demo overview
Define on Puppet as code; automatically validate, deploy and visualize on Intelliment.
34-35. Demo overview
Two keywords in the manifest:
• Consumes: defines what visibility requirements the component needs from others.
• Provides: defines what services it exposes to others.
36. Demo overview
• The app is a simple web application with two webservers and a database server.
• Webserver nodes are located on the frontend network.
• The database server is located on the backend network.
• They must access a DNS server on the management network.
• They must be accessed from the Internet, Users and Admins networks.
37. Demo overview
APP VISIBILITY REQUIREMENTS
• Users need HTTPS access to the webservers.
• Webservers need MySQL from the database.
• All servers should use the DNS server.
• System administrators need SSH access to all servers.
38. Demo overview
PRE-APPROVED FLOWS
The RISK TEAM has pre-defined deny requirements to avoid using risky services:
• Unencrypted HTTP flows from the Internet or the User network to the webservers are denied.
Validation will make sure that no HTTP is allowed between these elements.
39. Firewall policies in app manifests
NODE CLASSIFICATION and APP DEFINITION
• Nodes webserver, webserver2 → role role::app::webserver → profile profile::app::webserver: provides web services, consumes database services
• Node database → role role::app::database → profile profile::app::database: provides database services
• Node dns-server → role role::server::dnsserver → profile profile::server::dnsserver: provides dns services
• Every role also includes profile profile::server::base: provides ssh services, consumes dns services
40. Firewall policies in app manifests
APP DEFINITION for a webserver node = profile::app::webserver + profile::server::base:
• Provides web services
• Consumes database services
• Provides ssh services
• Consumes dns services
These are the network visibility requirements handed to Intelliment.
41-42. App network visibility requirements retrieval from Puppet
Demo: Intelliment retrieves the provides/consumes intents from Puppet and checks them against the pre-approved flows (which cannot be contradicted).
47. Before
The manual change management workflow of slide 16: change request, risk assessment, validate/review, implement, deliver and test, plus periodic policy clean-up.
48. After
Change management workflow with firewall policies in app manifests:
1. App owner: defines the manifest.
2. Risk team: automated risk assessment. Not approved: back to the app owner. Approved: schedule for enforcement.
3. SecOps team: automated validate/review of the change. NO: back to the app owner. Otherwise: automated implement change, automated deliver change, test change.
50. Conclusions
• Imposing controls is a way to reduce risks, but not at the expense of agility
• Work together. Security affects everybody. Living with the problems is not an option
• Define your security needs as code
• Abstract all the things (and automate them)
• Reduce your workflow bottlenecks