DevSecCon London 2016, Intelliment Security
TRANSCRIPT
![Page 1: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/1.jpg)
Join the conversation #devseccon
Writing firewall policies in app manifests
By Ildefonso Montero
![Page 4: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/4.jpg)
Who am I
• Yet another Software Developer @imonteroperez
This talk is NOT about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied to software delivery
This talk is about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied to infrastructure delivery
• Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)
![Page 5: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/5.jpg)
Preliminary infrastructure-related buzzwords
The good parts
• Automated delivery or provisioning
• Physical, virtual, private and/or public clouds
• Immutable, scalable, replicable, etc.
The "ugly" parts
• Security compliance
• Firewalling security needs
• Rapid threat containment under attack
• (Multi)vendor coupling
(Figure labels: Security, Security, Security, Security, Others …)
From a DevOps perspective. Only from a DevOps perspective?
![Page 8: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/8.jpg)
Application Delivery
(Figure: application delivery = software delivery + infrastructure delivery (servers, containers, services) + network security (policies) → live application)
Complex communication
• Software delivery
• Infrastructure delivery (servers, containers, services)
• Network delivery (network and security)
(Figure from www.devsecops.org/blog/2016/5/20/-security)
Every part of the process needs to be validated and reviewed by people, generating bottlenecks
• DevOps to the rescue
• NetOps to the rescue:
  • Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API via pycsco, IOS-XR via pyIOSXR, Arista EOS, etc.)
  • Netmiko, Paramiko
  • NAPALM + Ansible
  • SDN, OpenDaylight, NFV, flannel, kube-proxy
Security validation and compliance of infrastructure delivery
• ¿?
![Page 16: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/16.jpg)
Application delivery bottlenecks
IT teams are currently spending 20-32% of their time dealing with misconfigurations.
Network Agility Research 2014, Dynamic Markets
Change management (workflow):
• Change request (portal), by the app owner
• Risk assessment (traffic simulation), by the risk team
• Approved? NO: not approved. YES: validate/review change → schedule for enforcement → implement change → deliver change → test change (risk team, SecOps team, app owner)
• Periodic: policy clean-up (historic degradation), by the risk team
![Page 17: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/17.jpg)
Application delivery bottlenecks
Node provisioning
Automated!
Node configuration
Software testing
Software provisioning
Still mostly manual!
Network provisioning
Network configuration(incl. security policy)
NO PRODUCTS YET!
Recap: problems
Security validation and compliance of infrastructure delivery is:
• Highly manual
• Involving different teams (a.k.a. silos) with different ways of doing things
• Living with the problem is not an option
What we want
• Massive agility gains
• Massive cost reduction
• Better risk controls
![Page 24: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/24.jpg)
DevSecOps to the rescue!
• Apply the "shift to the left" paradigm
• Application Delivery: define your network needs as code
• SecOps: define your security rules as code
• Risk: define your compliance as code
Firewall policies
![Page 25: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/25.jpg)
Writing firewall policies is like …
![Page 26: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/26.jpg)
Abstract all the things!
Just say what you want: firewall policies as code!
• I need to consume SNMP servers
• I will provide a service on tcp 443 and tcp 80
• User network must have visibility to App server
• DMZ traffic must be limited to Internet by tcp 443 and tcp 80
![Page 30: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/30.jpg)
Firewall policies as code
• Abstraction: use a vendor- and topology-neutral model
• Declarative: express your infrastructure security needs as user intents
• Write policies where you need them. From a DevSecOps perspective: apply shift left, so write them in your app manifests!
![Page 31: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/31.jpg)
Firewall policies as code pipeline
![Page 32: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/32.jpg)
Demo overview
![Page 33: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/33.jpg)
Demo overview
• Define as code on Puppet
• Automatically validate, deploy and visualize on Intelliment
![Page 34: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/34.jpg)
Demo overview
• Consumes: defines what visibility requirements the component needs from others.
• Provides: defines what services it exposes to others.
![Page 36: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/36.jpg)
Demo overview
• The app is a simple web application with two webservers and a database server.
• Webserver nodes are located on the frontend network.
• The database server is located on the backend network.
• They must access a DNS server on the management network.
• They must be accessible from the Internet, Users and Admins networks.
![Page 37: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/37.jpg)
Demo overview
APP VISIBILITY REQUIREMENTS
• Users need HTTPS access to the webservers.
• Webservers need MySQL from the database.
• All servers should use the DNS server.
• System administrators need SSH access to all servers.
![Page 38: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/38.jpg)
Demo overview
PRE-APPROVED FLOWS
The RISK TEAM has pre-defined deny requirements to avoid using risky services:
• Unencrypted HTTP flows from the Internet or User network to the webservers are denied
Validation will make sure that no HTTP is allowed between these elements.
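What the provides/consumes declarations, the flows derived from them, and the check against the risk team's pre-approved denies can look like in code, as an added example in Python. It is not Intelliment's product code nor the talk's Puppet demo; the service catalogue, addresses, network names (users, admins, internet) and the iptables rendering are assumptions made for illustration, and the demo app (two webservers, a database, a DNS server) is constructed to match the slides above.

```python
"""Added example (not Intelliment's product code nor the talk's Puppet demo):
a minimal 'firewall policies as code' model.  Components declare what they
PROVIDE (to whom) and what they CONSUME (from whom), the two verbs used in the
slides; the risk team's pre-approved deny flows are checked against the
derived flows and cannot be contradicted.  Component names, networks,
addresses and ports below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed service catalogue: abstract service name -> (protocol, port).
SERVICES = {"https": ("tcp", 443), "http": ("tcp", 80), "mysql": ("tcp", 3306),
            "dns": ("udp", 53), "ssh": ("tcp", 22)}

# Constructed addressing, used only by the iptables back end (assumption).
ADDRESSES = {"webserver": "10.0.1.10", "webserver2": "10.0.1.11",
             "database": "10.0.2.10", "dns-server": "10.0.3.10",
             "users": "10.10.0.0/16", "admins": "10.20.0.0/24",
             "internet": "0.0.0.0/0"}


@dataclass(frozen=True, order=True)
class Flow:
    """Vendor- and topology-neutral intent: src may reach dst on service."""
    src: str
    dst: str
    service: str


@dataclass
class Component:
    """One manifest entry.  provides: service -> consumers;
    consumes: service -> providers (names of components or networks)."""
    name: str
    provides: Dict[str, Set[str]] = field(default_factory=dict)
    consumes: Dict[str, Set[str]] = field(default_factory=dict)


def derive_flows(components: List[Component]) -> Set[Flow]:
    """Expand provides/consumes into the flows they imply.  A flow declared
    from both sides (webserver consumes mysql, database provides mysql to
    webserver) collapses into one entry because Flow is hashable."""
    flows: Set[Flow] = set()
    for c in components:
        for service, consumers in c.provides.items():
            flows.update(Flow(src, c.name, service) for src in consumers)
        for service, providers in c.consumes.items():
            flows.update(Flow(c.name, dst, service) for dst in providers)
    return flows


def validate(flows: Set[Flow], denied: Set[Flow]) -> List[Flow]:
    """Return the flows that contradict a pre-approved deny; [] means
    compliant.  Unknown service names fail loudly rather than silently."""
    unknown = sorted(f.service for f in flows if f.service not in SERVICES)
    if unknown:
        raise ValueError(f"unknown services: {unknown}")
    return sorted(flows & denied)


def render_iptables(node: str, flows: Set[Flow]) -> List[str]:
    """One possible back end: the flows terminating at `node` as a default-deny
    host firewall.  The model above does not depend on this rendering."""
    rules = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in sorted(flows):
        if f.dst == node:
            proto, port = SERVICES[f.service]
            rules.append(f"-A INPUT -s {ADDRESSES[f.src]} -p {proto} "
                         f"--dport {port} -j ACCEPT")
    return rules


def diff_flows(before: Set[Flow], after: Set[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """(added, removed) between two manifest versions: the automated
    validate/review step only has to look at this delta."""
    return sorted(after - before), sorted(before - after)


def demo_manifests(webserver_ssh: bool = True) -> List[Component]:
    """The demo app (constructed): two webservers, a database and a DNS server.
    webserver_ssh=False models a 'simple change' to the webserver profile that
    drops the ssh service it provided to admins."""
    base = {"ssh": {"admins"}}  # stands in for profile::server::base

    def web(name: str) -> Component:
        provides = {"https": {"users", "internet"}, **(base if webserver_ssh else {})}
        return Component(name, provides, {"mysql": {"database"}, "dns": {"dns-server"}})

    return [web("webserver"), web("webserver2"),
            Component("database", {"mysql": {"webserver", "webserver2"}, **base},
                      {"dns": {"dns-server"}}),
            Component("dns-server",
                      {"dns": {"webserver", "webserver2", "database"}, **base})]


# Risk team's pre-approved flows: no cleartext HTTP to the webservers from the
# Internet or the user network, whatever the app manifest says.
DENIED = {Flow(src, dst, "http") for src in ("internet", "users")
          for dst in ("webserver", "webserver2")}

if __name__ == "__main__":
    flows = derive_flows(demo_manifests())
    print("violations:", validate(flows, DENIED))            # []
    bad = demo_manifests()
    bad[0].provides["http"] = {"internet"}                   # a developer adds HTTP
    print("violations:", validate(derive_flows(bad), DENIED))
    print(*render_iptables("database", flows), sep="\n")
    print("delta:", diff_flows(flows, derive_flows(demo_manifests(False))))
```

Two points the code makes that the slides only state: the same flow declared from both sides (a consumes on the webserver, a provides on the database) is one intent, not two rules, and the deny list is applied to the derived flows, so a manifest cannot route around it by declaring the service under a different verb. In a real pipeline `render_iptables` would be replaced by a push to the vendor APIs listed earlier, and `diff_flows` is what the automated review step would show the SecOps team for a change.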
![Page 39: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/39.jpg)
Firewall policies in app manifests
Node classification and app definition:
• Nodes webserver, webserver2 → role::app::webserver → profile::app::webserver: provides web services, consumes database services
• Node database → role::app::database → profile::app::database: provides database services
• Node dns-server → role::server::dnsserver → profile::server::dnsserver: provides dns services
• profile::server::base (shared by the profiles above): provides ssh services, consumes dns services
![Page 40: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/40.jpg)
Firewall policies in app manifests
App definition for a webserver node (profile::app::webserver + profile::server::base):
• Provides web services
• Consumes database services
• Provides ssh services
• Consumes dns services
These are the network visibility requirements handed to Intelliment.
![Page 41: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/41.jpg)
Demo overview
APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET
![Page 42: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/42.jpg)
Demo overview
APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET
Pre-approved flows (cannot be contradicted)
![Page 43: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/43.jpg)
Demo overview
![Page 44: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/44.jpg)
Demo overview
![Page 45: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/45.jpg)
Demo overview
One simple change to the profile::app::webserver PROFILE (app definition: provides web services, consumes database services)
![Page 46: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/46.jpg)
Demo overview
![Page 47: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/47.jpg)
Before: change management (workflow)
• Change request (portal), by the app owner
• Risk assessment (traffic simulation), by the risk team
• Approved? NO: not approved. YES: validate/review change → schedule for enforcement → implement change → deliver change → test change (risk team, SecOps team, app owner)
• Periodic: policy clean-up (historic degradation), by the risk team
![Page 48: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/48.jpg)
After: change management (workflow)
• Define manifest, by the app owner
• Automated risk assessment, by the risk team
• Approved? NO: not approved. YES: automated validate/review change → schedule for enforcement → automated implement change → automated deliver change → test change (risk team, SecOps team, app owner)
![Page 49: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/49.jpg)
Application delivery bottlenecks
(Figure: application delivery = software delivery + infrastructure delivery (servers, containers, services) + network security (policies) → live application)
![Page 50: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/50.jpg)
Conclusions
• Imposing controls is a way to reduce risk, but not at the expense of agility
• Work together. Security affects everybody. Living with the problems is not an option
• Define your security needs as code
• Abstract all the things (and automate them)
• Reduce your workflow bottlenecks
![Page 51: Dev seccon london 2016 intelliment security](https://reader031.vdocument.in/reader031/viewer/2022030317/58714e121a28ab55588b737b/html5/thumbnails/51.jpg)
Join the conversation #devseccon
Questions?
Thank you!
http://www.intellimentsec.com
http://github.com/intelliment
@imonteroperez