Dev seccon london 2016 intelliment security
Transcript of Dev seccon london 2016 intelliment security
Join the conversation #devseccon
By Ildefonso Montero
Writing firewall policies in app manifests
Who am I
• Yet another Software Developer @imonteroperez

This talk is NOT about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery

This talk is about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery
• Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)
Preliminary infrastructure-related buzzwords
• Automated delivery or provision
• Physical, virtual, private and/or public clouds
• Immutable, scalable, replicable, etc.

The Good parts
• Security compliance
• Firewalling security needs
• Rapid threat containment under attacks

The “Ugly” parts
• (Multi)vendor coupled
[Diagram: the security pieces shown next to the “others”, from a DevOps perspective]

Only from a DevOps perspective?
Application Delivery
[Diagram: Application delivery = Software delivery + Infrastructure delivery (servers, containers, services) + Network security (policies) → live application]
Complex communication
• Software delivery
• Infrastructure delivery (servers, containers, services)
• Network delivery (network and security)
From www.devsecops.org/blog/2016/5/20/-security
Every part of the process needs to be validated and reviewed by people, generating bottlenecks
• DevOps to the rescue
• NetOps to the rescue:
  • Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API (pycsco), IOS-XR (pyIOSXR), Arista EOS, etc.)
  • Netmiko, Paramiko
  • NAPALM + Ansible
  • SDN, OpenDaylight, NFV, flannel, kube-proxy
• DevOps/NetOps to the rescue
Security validations and compliance of infrastructure delivery
• ¿?
Application delivery bottlenecks
[Diagram: the application delivery chain from above]
IT teams are currently spending 20-32% of their time dealing with misconfigurations.
(Network Agility Research 2014, Dynamic Markets)

CHANGE MANAGEMENT (WORKFLOW), as it is today:
APP OWNER: change request (portal) → RISK TEAM: risk assessment (traffic simulation) → approved? NO: not approved / YES → SECOPS TEAM: validate/review change → schedule for enforcement → implement change → deliver change → APP OWNER: test change
Periodic: RISK TEAM: policy clean-up (historic degradation)

[Diagram: automation status of the delivery steps]
Node provisioning: Automated!
Node configuration
Software testing
Software provisioning: Still mostly manual!
Network provisioning
Network configuration (incl. security policy): NO PRODUCTS YET!
Recap: problems
Security validation and compliance of infrastructure delivery is:
• Highly manual
• Involves different teams (a.k.a. silos) with different ways to do things
• Living with the problem is not an option

What we want
• Massive agility gains
• Massive cost reduction
• Better risk controls
DevSecOps to the rescue!
• Apply the “shift to the left” paradigm
• Application Delivery: define your network needs as code
• SecOps: define your security rules as code
• Risk: define your compliance as code
Firewall policies
Writing firewall policies is like …

Abstract all the things!

Just say what you want
• I need to consume SNMP servers
• I will provide a service by tcp 443 and tcp 80
• User network must have visibility to App server
• DMZ traffic must be limited to Internet by tcp 443 and tcp 80
Firewall policies as code!
Firewall policies as code
• Abstraction: use a vendor and topology neutral model
• Declarative: express your infrastructure security needs as user intents
• Write policies where you need them. From a DevSecOps perspective: apply shift left, so write them in your app manifests!

Firewall policies as code pipeline
[Pipeline diagram]
Demo overview
Define on Puppet as code → automatically validate, deploy and visualize on Intelliment
• Consumes: defines what visibility requirements the component needs from others.
• Provides: defines what services it exposes to others.
• App is a simple web application with two webservers and a database server.
• Webserver nodes are located on the frontend network.
• Database server is located on the backend network.
• They must access a dns server present on the management network.
• They must be accessed from Internet and Users and Admins networks.
APP VISIBILITY REQUIREMENTS
• Users need HTTPS access to webservers.
• Webservers need MySQL from database.
• All servers should use the dns server.
• System administrators need SSH access to all servers.

PRE-APPROVED FLOWS
The RISK TEAM has pre-defined deny requirements to avoid using risky services:
• Unencrypted HTTP flows from Internet or User network to webservers are denied
Validation will make sure that no HTTP will be allowed between these elements.
Firewall policies in app manifests
NODE CLASSIFICATION → APP DEFINITION
• Nodes webserver, webserver2 → role::app::webserver → profile::app::webserver: provides web services, consumes database services
• Node database → role::app::database → profile::app::database: provides database services
• Shared base profile profile::server::base: provides ssh services, consumes dns services
• Node dns-server → role::server::dnsserver → profile::server::dnsserver: provides dns services

Combining profile::app::webserver with profile::server::base gives the app definition of a webserver node (provides web services, consumes database services, provides ssh services, consumes dns services), and that is what Intelliment reads as the node's network visibility requirements.
APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET
[Demo screenshots: app network visibility requirements retrieved from Puppet; pre-approved flows (cannot be contradicted)]
One simple change
profile::app::webserver (PROFILE) → APP DEFINITION: provides web services, consumes database services
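As an added illustration (not code from the talk, from Intelliment or from Puppet), the following Python sketches the validation step the demo describes: node profiles declare what they provide and consume, concrete flows are derived from those intents, and the risk team's pre-approved deny flows are checked against them, including the "one simple change" case in which the webserver profile starts providing plain HTTP. The node, network and service names are constructed to mirror the demo; the data layout and function names are assumptions of this example.

```python
from itertools import product

# Node classification, constructed to mirror the demo's Puppet profiles:
# network placement plus the services each node provides and consumes.
NODES = {
    "webserver":  {"net": "frontend",   "provides": ["https", "ssh"], "consumes": ["mysql", "dns"]},
    "webserver2": {"net": "frontend",   "provides": ["https", "ssh"], "consumes": ["mysql", "dns"]},
    "database":   {"net": "backend",    "provides": ["mysql", "ssh"], "consumes": ["dns"]},
    "dns-server": {"net": "management", "provides": ["dns", "ssh"],   "consumes": []},
}
# External networks and the services they intend to consume from the app.
CLIENT_NETS = {"internet": ["http", "https"], "users": ["http", "https"], "admins": ["ssh"]}
# Risk team's pre-approved deny flows: (source network, service, destination network).
DENY_FLOWS = {("internet", "http", "frontend"), ("users", "http", "frontend")}


def derive_flows(nodes, client_nets):
    """Intersect consumes/provides intents into concrete (src, service, dst) flows."""
    flows = set()
    for (src, s), (dst, d) in product(nodes.items(), repeat=2):
        if src != dst:
            for svc in set(s["consumes"]) & set(d["provides"]):
                flows.add((src, svc, dst))
    for net, wanted in client_nets.items():
        for dst, d in nodes.items():
            for svc in set(wanted) & set(d["provides"]):
                flows.add((net, svc, dst))
    return flows


def validate(flows, nodes, deny_flows):
    """Return the flows that contradict a pre-approved deny requirement (empty = OK)."""
    def net_of(name):  # nodes map to their network; external networks stand as-is
        return nodes[name]["net"] if name in nodes else name
    return sorted(f for f in flows if (net_of(f[0]), f[1], net_of(f[2])) in deny_flows)


def change_profile(nodes, node, add_provides):
    """The 'one simple change' from the demo: a profile starts providing a new service."""
    changed = {n: dict(v, provides=list(v["provides"])) for n, v in nodes.items()}
    changed[node]["provides"].extend(add_provides)
    return changed


if __name__ == "__main__":
    base = derive_flows(NODES, CLIENT_NETS)
    print("baseline violations:", validate(base, NODES, DENY_FLOWS))  # []
    risky = change_profile(NODES, "webserver", ["http"])
    print("after change:", validate(derive_flows(risky, CLIENT_NETS), risky, DENY_FLOWS))
```

The baseline passes because no node exposes HTTP; the moment the webserver profile adds it, the Internet and User network flows hit the deny requirement and the change would be rejected before any firewall is touched.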
Before (CHANGE MANAGEMENT WORKFLOW)
APP OWNER: change request (portal) → RISK TEAM: risk assessment (traffic simulation) → approved? NO: not approved / YES → SECOPS TEAM: validate/review change → schedule for enforcement → implement change → deliver change → APP OWNER: test change
Periodic: RISK TEAM: policy clean-up (historic degradation)

After (CHANGE MANAGEMENT WORKFLOW)
APP OWNER: define manifest → RISK TEAM: automated risk assessment → approved? NO: not approved / YES → SECOPS TEAM: automated validate/review change → schedule for enforcement → automated implement change → automated deliver change → APP OWNER: test change

Application delivery bottlenecks
[Diagram: the application delivery chain from above, revisited]
Conclusions
• Imposing controls is a way to reduce risks, but not at the expense of agility
• Work together. Security affects everybody. Living with the problems is not an option
• Define your security needs as code
• Abstract all the things (and automate them)
• Reduce your workflow bottlenecks

Join the conversation #devseccon
Questions?
Thank you!
http://www.intellimentsec.com
http://github.com/intelliment
@imonteroperez