dev seccon london 2016 intelliment security

Join the conversation #devseccon

By Ildefonso Montero

Writing firewall policies

in app manifests

Who am I

Writing firewall policies in app manifests

• Yet another Software Developer @imonteroperez

Who am I



This talk is NOT about

• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery

Who am I



This talk is NOT about

• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery

This talk is about

• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery

• Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)

Preliminar Infrastructure-related Buzzwords


• Automated delivery or provision

• Physical, Virtual, private and/or public clouds

• Inmutable, Scalable, Replicable, etc.

The Good parts

• Security compliance

• Firewalling security needs

• Rapid treat containment under attacks

• (Multi)vendor coupled

The “Ugly” parts

______________________________________________________

From a DevOps perspective







The Good parts






______________________________________________________

Security

Security

Security

Security Others …








The Good parts






______________________________________________________

Security

Security

Security

Security Others …


Only from DevOps perspective?

Application Delivery


ApplicationDelivery

SoftwareDelivery

Infrastructure Delivery

NetworkSecurity (policies)

Live application

ServersContainersServices



Complex communication

• Software delivery

• Infrastructure delivery (servers, containers, services)

• Network delivery (network and security)

ApplicationDelivery

SoftwareDelivery



Live application

ServersContainersServices



From www.devsecops.org/blog/2016/5/20/-security







ApplicationDelivery

SoftwareDelivery



Live applicationServers

ContainersServices







Every part of the process need to be validated and reviewed by people, generating bottlenecks

• DevOps to the rescue








• NetOps to the rescue: • Vendor APIs (Juniper PyEz, PanOs, Cisco NX-API - pycsco - , IOS-XR – pyIOSXR – Arista EOS, etc.)

• Netmiko, Paramiko• NAPALM + Ansible• SDN, OpenDaylight, NFV, flunnel, kb-proxy








• DevOps/NetOps to the rescue

Security validations and compliance of infrastructure delivery

• ¿?

Application delivery bottlenecks


ApplicationDelivery

SoftwareDelivery




ContainersServices



IT teams are currently spending 20-32% of their time dealing with misconfigurations.

Network Agility Research 2014. Dynamic Markets

Change request (portal)

Risk assessment(traffic simulation)

APP OWNER

Schedule for enforcement

Approved Validate/Review change

Implement changeDeliver changeTest change

NO

Policy clean-up(historic degradation)

RISK TEAM RISK TEAM SECOPS TEAM

SECOPS TEAMAPP OWNER

CHANGE MANAGEMENT (WORKFLOW)

Not approved

YES

SECOPS TEAM

Periodic

RISK TEAM



Node provisioning

Automated!

Node configuration

Software testing

Software provisioning

Still mostly manual!

Network provisioning

Network configuration(incl. security policy)

NO PRODUCTS YET!

Recap Problems


• Highly manual

• Involve different teams (a.k.a silos) with different ways to do things

• Live with the problem is not an option

Security validation and compliance of infrastructure delivery is:

Recap Problems


• Highly manual

• Involve different teams (a.k.a silos) with different ways to do things

• Live with the problem is not an option

Security validation and compliance of infrastructure delivery is:

What we want

MassiveAgility Gains

MassiveCost Reduction

Better Risk Controls

DevSecOps to the rescue!




• Apply “shift to the left” paradigm

• Define your network needs as code

• Application Delivery






• SecOps • Define your security rules as code






• SecOps

• Risk • Define your compliance as code

• Define your security rules as code






• SecOps

• Risk • Define your compliance as code


Firewall policies

Writing firewall policies is like …





Abstract all the things!



• SecOps

• Define your compliance as code• Risk




Just say what you want



• SecOps


I need to consume SNMP servers

I will provide a service by tcp 443 and tcp80

Firewall policies as code!







• SecOps





User network must have visibility to App server







• SecOps





User network must have visibility to App server

DMZ traffic must be limited to Internet by tcp 443 and tcp80

Firewall policies as code


• Abstraction

• Use vendor and topology neutral model

• Declarative

• Express your infrastructure security needs as user intents

• Write policies where you need

• From a DevSecOps perspective:

Apply shift left, so write on your app manifests!

Firewall policies as code pipeline


Demo overview


Demo overview


Define on

Puppet

as code

Automatically

Validate,

Deploy and

Visualize on

Intelliment

Demo overview


• Consumes: defines what visibility requirements the component needs from others.

• Provides: defines what services it exposes to others.


Demo overview

• App is a simple web application with two webservers and a database server.

• Webserver nodes are located on the frontend network.

• Database server is located on the backend network.

• They must access a dns server present on the management network.

• They must be accessed from Internet and Users and Admins networks.


Demo overview

APP VISIBILITY REQUIREMENTS

Users need HTTPS access to webservers.

Webservers need MySQL from database.

All servers should use the dns server.

System administrators need SSH access to all

servers.


Demo overviewPRE-APPROVED FLOWS

The RISK TEAM has pre-defined deny requirements to avoid

using risky services:

• Unencrypted HTTP flows from Internet or User network

to webservers are denied

Validation will make sure that no HTTP will be allowed between

these elements.


Firewall policies in app manifests

webserverwebserver2

NODES

role::app::webserver

ROLE

profile::app::webserver

PROFILE

database

NODES

role::app:::database

ROLE

profile::app::database

PROFILE

profile::server::base

PROFILE

dns-server

NODES

role::server::dnsserver

ROLE

profile::server::dnsserver

PROFILE

NODE CLASIFICATION APP DEFINITION

Provides web services

Consumes database services

Provides database services

Provides ssh services

Consumes dns services

Provides dns services


Firewall policies in app manifests

profile::app::webserver profile::server::base

APP DEFINITION



Provides ssh services

Consumes dns services

Network visibility

requirements for

Intelliment

APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET


Demo overview

APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET


Demo overview

Pre-approved flows (cannot be contradicted)


Demo overview


Demo overview

profile::app::webserver

PROFILE

APP DEFINITION



One simple change


Demo overview

Before


Change request (portal)

Risk assessment(traffic simulation)

APP OWNER


Approved Validate/Review change

Implement changeDeliver changeTest change

NO

Policy clean-up(historic degradation)




Not approved

YES

SECOPS TEAM

Periodic

RISK TEAM

After


Define manifestAutomated Risk

assessment

APP OWNER


Approved Automated Validate/Review

change

AutomatedImplement change

AutomatedDeliver change

Test change

NO




Not approved

SECOPS TEAM



ApplicationDelivery

SoftwareDelivery




ContainersServices


Conclusions

• Imposing controls is a way to reduce risks, but not at the expense of agility

• Work together. Security affect to everybody. Live with the problems is not an option

• Define your security needs as code

• Abstract all the things (and automate them)

• Reduce your workflow bottlenecks

Join the conversation #devseccon

Questions?

Thank you!http://www.intellimentsec.com

http://github.com/intelliment

[email protected]

@imonteroperez

dev seccon london 2016 intelliment security

Presentations & Public Speaking