automating cloud security with ansible & palo alto …

AUTOMATING CLOUD SECURITY WITH ANSIBLE & PALO ALTO NETWORKS

Richard HenshallProduct Manager for Cloud, Ansible, Red Hat

Brian Torres-GilDirector, Developer Relations, Palo Alto Networks

Garfield FreemanSolutions Engineer, Developer Relations, Palo Alto Networks

SIMPLE AGENTLESSPOWERFUL

o No extra code to manage

o Uses OpenSSH

o No agents to exploit or update

o More efficient & more secure

o Human readable automation

o No special coding skills needed

o Tasks executed in order

o Get productive quickly

o App deployment

o Configuration management

o Workflow orchestration

o Orchestrate the app lifecycle

DEV NETWORK IT OPERATIONSBUSINESS

ANSIBLE IS THE UNIVERSAL LANGUAGE

Automating Cloud Security with Ansible and Palo Alto Networks

Brian Torres-GilDirector, Developer Relations - Palo Alto Networks

Garfield FreemanSolutions Engineer - Palo Alto Networks

“Because of the consistency and high percentage of true positives we get from

the Palo Alto Networks platform, we have the confidence now to automate.”

Joel Pfeifer, principal security analyst HealthPartners

“

”

LEADERSHIP IN CYBERSECURITY

63% of the Global 2Kare Palo Alto Networks customers

28% year over yearrevenue growth*

85of Fortune 100

rely on Palo Alto Networks

48%CAGR

FY12–FY17

48,000+customers

in 150+ countries

Revenue trend

FY12 FY13 FY14 FY15 FY16 FY17

* Q2FY2018. Fiscal year ends July 31.

3 | © 2018, Palo Alto Networks. All Rights Reserved.

• The firewall is the right place to enforce policy control

• Sees all traffic• Defines trust boundary• Enables access via positive

control

• BUT…applications have changed• Ports ≠ Applications• IP Addresses ≠ Users• Packets ≠ Content

Need to restore visibility and control in the firewall

SECURITY STARTS WITH THE FIREWALL


PALO ALTO NETWORKS APPROACH FOR PREVENTING ATTACKS

• Network & endpoint (different views)

• All applications, inc.cloud & SaaS

• All users & devices, inc. all locations

• Encrypted traffic

Complete visibility Reduce attack surface area

• Enable business apps• Block “bad” apps• Limit app functions• Limit high risk

websites and content• Require multi-factor

authentication

Prevent all known threats

• Exploits• Malware• Command & control• Malicious & phishing

websites• Bad domains

• Unknown malware• Zero-day exploits• Custom attack

behavior

Detect & prevent new threats


Automated | Repeatable

CUSTOMER DEPLOYMENT TRENDS

Large Scale Multi Cloud


PALO ALTO NETWORKS SECURITY OPERATING PLATFORM

PREVENT SUCCESSFUL

CYBERATTACKS

FOCUS ON WHAT MATTERS

CONSUME INNOVATIONS

QUICKLYPalo Alto Networks, 3rd party,

and customer deliveredOperate with ease using

best practicesAutomate tasks using context and analytics

BUILT FOR AUTOMATION


ANSIBLE MODULES: AT A GLANCE


Origin: Jan 2015 Contributors: 10 Modules: ~20

Run any command

Define security policy

Configure NAT

Provision interfaces

Manage administrator accounts

Audit, verify, and commit security configuration

Deploy and scale in the cloud

Leverage Dynamic Address Groups


ANSIBLE MODULES: THE BENEFIT


as

ANSIBLE DEMO

CI/CD: A QUICK PRIMER


Notification Automation

ANSIBLE DEMO: CI/CD DEMO WORKFLOW


User updates

the application

GitHub WebHook[push] sent

Application code is checked

out

Build Ansible

playbooks

Invoke Ansible

playbooks

GitHub

CI/CD DEMO

ANSIBLE RESOURCES

• Ansible Moduleshttp://docs.ansible.com/ansible/list_of_network_modules.html#panos

• Ansible Galaxyhttps://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks/

• GitHub repositoryhttps://github.com/PaloAltoNetworks/ansible-pan

• Communityhttps://live.paloaltonetworks.com/ansible


http://docs.ansible.com/ansible/list_of_network_modules.html

https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks/

https://github.com/PaloAltoNetworks/ansible-pan

https://live.paloaltonetworks.com/ansible

THANK YOU

More information: https://live.paloaltonetworks.com/ansible

automating cloud security with ansible & palo alto …

Documents