dev seccon london 2016 intelliment security

Post on 16-Apr-2017

TRANSCRIPT

Join the conversation #devseccon

Writing firewall policies in app manifests

By Ildefonso Montero

Who am I

• Yet another Software Developer @imonteroperez

This talk is NOT about

• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery

This talk is about

• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery

• Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)

Preliminary infrastructure-related buzzwords (from a DevOps perspective)

The Good parts

• Automated delivery or provisioning

• Physical, virtual, private and/or public clouds

• Immutable, scalable, replicable, etc.

The "Ugly" parts

• Security compliance

• Firewalling security needs

• Rapid threat containment under attacks

• (Multi)vendor coupled

[Slide graphic: the "ugly" parts are tagged Security, Security, Security, Security, Others …]

Only from a DevOps perspective?

Application Delivery

[Slide diagram: Application Delivery = Software Delivery + Infrastructure Delivery (servers, containers, services) + Network Security (policies) → Live application]

From www.devsecops.org/blog/2016/5/20/-security

Complex communication

• Software delivery

• Infrastructure delivery (servers, containers, services)

• Network delivery (network and security)

Every part of the process needs to be validated and reviewed by people, generating bottlenecks

• DevOps to the rescue

• NetOps to the rescue:

• Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API - pycsco -, IOS-XR - pyIOSXR -, Arista EOS, etc.)

• Netmiko, Paramiko

• NAPALM + Ansible

• SDN, OpenDaylight, NFV, flannel, kube-proxy

Security validations and compliance of infrastructure delivery

• ¿?

Application delivery bottlenecks

[Slide diagram: Application Delivery = Software Delivery + Infrastructure Delivery (servers, containers, services) + Network Security (policies) → Live application]

IT teams are currently spending 20-32% of their time dealing with misconfigurations.

Network Agility Research 2014. Dynamic Markets

CHANGE MANAGEMENT (WORKFLOW)

• APP OWNER: Change request (portal)

• RISK TEAM: Risk assessment (traffic simulation) → Approved? NO → Not approved / YES → continue

• RISK TEAM: Validate/Review change

• SECOPS TEAM: Schedule for enforcement

• SECOPS TEAM: Implement change → Deliver change

• APP OWNER: Test change

• RISK TEAM / SECOPS TEAM, periodic: Policy clean-up (historic degradation)

Automation status per delivery step

• Automated!: Node provisioning, Node configuration, Software testing, Software provisioning

• Still mostly manual!: Network provisioning

• NO PRODUCTS YET!: Network configuration (incl. security policy)

Recap Problems

Security validation and compliance of infrastructure delivery is:

• Highly manual

• Involves different teams (a.k.a. silos) with different ways of doing things

• Living with the problem is not an option

What we want

• Massive agility gains

• Massive cost reduction

• Better risk controls

DevSecOps to the rescue!

• Apply the "shift to the left" paradigm

• Application Delivery: define your network needs as code

• SecOps: define your security rules as code

• Risk: define your compliance as code

Firewall policies

Writing firewall policies is like …

Abstract all the things!

Just say what you want

• I need to consume SNMP servers

• I will provide a service by tcp 443 and tcp 80

• User network must have visibility to App server

• DMZ traffic must be limited to Internet by tcp 443 and tcp 80

Firewall policies as code!

Firewall policies as code

• Abstraction: use a vendor- and topology-neutral model

• Declarative: express your infrastructure security needs as user intents

• Write policies where you need them. From a DevSecOps perspective: apply shift left, so write them in your app manifests!

Firewall policies as code pipeline

Demo overview

• Define on Puppet, as code

• Automatically validate, deploy and visualize on Intelliment

• Consumes: defines what visibility requirements the component needs from others.

• Provides: defines what services it exposes to others.

Demo overview

• App is a simple web application with two webservers and a database server.

• Webserver nodes are located on the frontend network.

• The database server is located on the backend network.

• They must access a DNS server present on the management network.

• They must be accessed from the Internet, Users and Admins networks.

APP VISIBILITY REQUIREMENTS

• Users need HTTPS access to webservers.

• Webservers need MySQL from the database.

• All servers should use the DNS server.

• System administrators need SSH access to all servers.

PRE-APPROVED FLOWS

The RISK TEAM has pre-defined deny requirements to avoid using risky services:

• Unencrypted HTTP flows from the Internet or User network to webservers are denied

Validation will make sure that no HTTP will be allowed between these elements.

Firewall policies in app manifests

NODE CLASSIFICATION → APP DEFINITION

• Nodes webserver, webserver2 → ROLE role::app::webserver → PROFILE profile::app::webserver (Provides web services; Consumes database services) + profile::server::base (Provides ssh services; Consumes dns services)

• Node database → ROLE role::app::database → PROFILE profile::app::database (Provides database services) + profile::server::base (Provides ssh services; Consumes dns services)

• Node dns-server → ROLE role::server::dnsserver → PROFILE profile::server::dnsserver (Provides dns services) + profile::server::base (Provides ssh services; Consumes dns services)

profile::server::base is the profile shared by all roles.

profile::app::webserver + profile::server::base → APP DEFINITION: Provides web services, Consumes database services, Provides ssh services, Consumes dns services → Network visibility requirements for Intelliment

APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET

Demo overview

Pre-approved flows (cannot be contradicted)

Demo overview: one simple change

• PROFILE profile::app::webserver → APP DEFINITION: Provides web services; Consumes database services
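Added example, not code from the talk, from Intelliment or from its Puppet module: the Provides/Consumes intents of the demo app, compiled into topology-neutral flows, checked against the risk team's pre-approved deny flow, and rendered into network-level permit lines. Only the app layout, the visibility requirements, the role/profile names and the "no unencrypted HTTP from Internet or Users to webservers" rule come from the slides above. The Python data model, the service catalogue (MySQL on tcp/3306, DNS on udp/53, and so on), the network names for the Users, Internet and Admins zones, and the `with_plain_http` change used to stand in for the "one simple change" (the slides do not say which change the demo makes) are assumptions made for illustration.

```python
# Firewall policies as code: Provides/Consumes intents -> flows -> validation -> rules.
# Added example, not Intelliment's or the talk's code. The demo app layout, its visibility
# requirements and the pre-approved deny flow come from the slides; the Python data model,
# the service catalogue (ports) and the external network names are assumptions.
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set

SERVICES = {"web": ("tcp", 443), "http": ("tcp", 80), "database": ("tcp", 3306),
            "ssh": ("tcp", 22), "dns": ("udp", 53)}  # assumed: logical name -> (proto, port)

@dataclass
class Profile:
    """Visibility intents carried by a Puppet-style profile class."""
    provides: Set[str] = field(default_factory=set)  # services exposed to others
    consumes: Set[str] = field(default_factory=set)  # services needed from others

@dataclass
class Component:
    """A role (composed of profiles) or an external zone (direct intents) on a network."""
    network: str
    profiles: List[Profile] = field(default_factory=list)
    consumes: Set[str] = field(default_factory=set)  # zones such as Users declare intents directly

    def all_provides(self) -> Set[str]:
        return set().union(*(p.provides for p in self.profiles))

    def all_consumes(self) -> Set[str]:
        return self.consumes.union(*(p.consumes for p in self.profiles))

@dataclass(frozen=True, order=True)
class Flow:
    src: str
    dst: str
    service: str

# Pre-approved deny flows (sources, destination, service); app intents may not contradict them.
PRE_APPROVED_DENY = [({"Internet", "Users"}, "webserver", "http")]

def compile_flows(components: Dict[str, Component]):
    """Match every consumer of a service with every component that provides it."""
    providers: Dict[str, Set[str]] = {}
    for name, comp in components.items():
        for svc in comp.all_provides():
            providers.setdefault(svc, set()).add(name)
    flows, dangling = set(), []
    for name, comp in components.items():
        for svc in comp.all_consumes():
            if svc not in providers:
                dangling.append((name, svc))  # an intent nobody satisfies is a modelling error
            for provider in providers.get(svc, ()):
                if provider != name:  # a node reaching its own service is not a network flow
                    flows.add(Flow(name, provider, svc))
    return flows, dangling

def validate(flows: Set[Flow], deny_rules=PRE_APPROVED_DENY) -> List[Flow]:
    """Return the compiled flows that contradict a pre-approved deny rule."""
    return sorted(f for f in flows if any(
        f.src in srcs and f.dst == dst and f.service == svc for srcs, dst, svc in deny_rules))

def render(flows: Set[Flow], components: Dict[str, Component]) -> List[str]:
    """Topology-neutral flows -> network-level permit lines for a vendor driver to translate."""
    return sorted(f"permit {SERVICES[f.service][0]}/{SERVICES[f.service][1]} "
                  f"{components[f.src].network} -> {components[f.dst].network}"
                  f"  # {f.src} consumes {f.service} from {f.dst}" for f in flows)

def demo_components() -> Dict[str, Component]:
    """The talk's demo app: webservers, database and DNS server plus three external networks."""
    base = Profile(provides={"ssh"}, consumes={"dns"})      # profile::server::base (all roles)
    web = Profile(provides={"web"}, consumes={"database"})  # profile::app::webserver
    db = Profile(provides={"database"})                     # profile::app::database
    dns = Profile(provides={"dns"})                         # profile::server::dnsserver
    return {
        "webserver": Component("frontend", [web, base]),     # role::app::webserver (webserver, webserver2)
        "database": Component("backend", [db, base]),        # role::app::database
        "dns-server": Component("management", [dns, base]),  # role::server::dnsserver
        "Users": Component("users", consumes={"web"}),       # external zones; network names assumed
        "Internet": Component("internet", consumes={"web"}),
        "Admins": Component("admins", consumes={"ssh"}),
    }

def check(components: Dict[str, Component]) -> dict:
    """The automated risk-assessment step: compile, then validate against pre-approved flows."""
    flows, dangling = compile_flows(components)
    return {"flows": flows, "dangling": dangling, "violations": validate(flows)}

def with_plain_http(components: Dict[str, Component]) -> Dict[str, Component]:
    """Hypothetical 'one simple change': the webserver also exposes plain HTTP to the Users zone."""
    changed = copy.deepcopy(components)
    changed["webserver"].profiles[0].provides.add("http")
    changed["Users"].consumes.add("http")
    return changed

if __name__ == "__main__":
    print("\n".join(render(check(demo_components())["flows"], demo_components())))
    print("violations after change:", check(with_plain_http(demo_components()))["violations"])
```

Run stand-alone, the block prints the eight permit lines the demo's intents compile to (HTTPS from Users and Internet to the frontend, MySQL from frontend to backend, DNS from both to management, SSH from Admins to all three) and then the single violation the plain-HTTP change produces, Users → webserver on tcp/80. In a pipeline that violation is where the automated risk-assessment step fails the build, so the contradiction is caught in the manifest review rather than on a firewall; a dangling intent (a service consumed that nobody provides) is reported separately so a typo in a service name is not silently compiled into nothing.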

Before

CHANGE MANAGEMENT (WORKFLOW)

• APP OWNER: Change request (portal)

• RISK TEAM: Risk assessment (traffic simulation) → Approved? NO → Not approved / YES → continue

• RISK TEAM: Validate/Review change

• SECOPS TEAM: Schedule for enforcement

• SECOPS TEAM: Implement change → Deliver change

• APP OWNER: Test change

• RISK TEAM / SECOPS TEAM, periodic: Policy clean-up (historic degradation)

After

CHANGE MANAGEMENT (WORKFLOW)

• APP OWNER: Define manifest

• RISK TEAM: Automated risk assessment → Approved? NO → Not approved / YES → continue

• RISK TEAM: Automated validate/review change

• SECOPS TEAM: Schedule for enforcement

• SECOPS TEAM: Automated implement change → Automated deliver change

• APP OWNER: Test change

Application delivery bottlenecks

[Slide diagram: Application Delivery = Software Delivery + Infrastructure Delivery (servers, containers, services) + Network Security (policies) → Live application]

Conclusions

• Imposing controls is a way to reduce risks, but not at the expense of agility

• Work together. Security affects everybody. Living with the problems is not an option

• Define your security needs as code

• Abstract all the things (and automate them)

• Reduce your workflow bottlenecks

Join the conversation #devseccon

Questions?

Thank you!

http://www.intellimentsec.com

http://github.com/intelliment

imontero@intellimentsec.com

@imonteroperez