Agile and compliant firewall ACL
configuration management for DevOps
Ildefonso Montero <imontero@intellimentsec.com>
Who am I:
Ildefonso Montero
Backend Software Developer (10+ years)
Last 3 years working on DevOps and Network Automation at Intelliment Security
Let’s talk about
DevOps, Security, and Network Automation
Application Delivery
I'm involved in the development of an application and I need ...
to push these changes to the production environment (~minutes)
to deploy several services on the infrastructure (~minutes)
to perform live migrations on hybrid multi-cloud environments (~minutes)
to have network visibility across services inside and outside the infrastructure (~hours, ~days)
to build a lab environment to test the high availability of my services under networking issues (~days, ~weeks)
to be able to keep working while the infrastructure team performs changes on our network infrastructure (~weeks, ~months)
Network Delivery O.P.E.R.A.T.I.O.N.A.L Issues
● Delivery takes too long (~25 days on average)
● Too many changes (30,000+ per year)
● The network keeps evolving continuously
● Network policies must be periodically reviewed, and unused rules removed, to prevent rule-base degradation and tech debt (~thousands of lines per configuration)
● Complicated and highly manual approval process
● Security compliance is usually managed separately from the change management process
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
COMMIT
Above: the "network visibility across services" need, rendered as an iptables-save rule set for a Linux gateway. All three default policies are DROP, replies to established connections are allowed back, and a single FORWARD rule lets the frontend address range reach the backend range on the three SQL ports (-p 6 is IP protocol 6, TCP). The rule is pinned to the interface pair B_frontend/B_backend, so a packet with the right addresses arriving on the wrong interface is still dropped.
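Reviewing a rule base "of thousands of lines" for unused rules is the bullet above that rarely gets done by hand. As an added example (not from the deck and not Intelliment's code), the following Python reads an iptables-save -c dump, in which every rule is prefixed with [packets:bytes] counters, and reports two kinds of removal candidates: rules that have matched nothing, and rules fully shadowed by an earlier rule on the same interface, address and protocol path. The dump is constructed for the example: it is the deck's FORWARD rule plus two stale ones.

```python
"""Stale-rule audit over an `iptables-save -c` dump (added example)."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample (not from the deck): the deck's FORWARD rule plus two
# stale rules. `iptables-save -c` prefixes each rule with [packets:bytes].
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [12:960]
:OUTPUT DROP [0:0]
[1043:88710] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3420] -A FORWARD -p tcp -i B_frontend -o B_backend -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --dports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
[0:0] -A FORWARD -p tcp -i B_frontend -o B_backend -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --dports 3306 -m comment --comment "legacy mysql" -j ACCEPT
[0:0] -A FORWARD -p tcp -i B_frontend -o B_backend -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.60.10-10.31.60.39 -m multiport --dports 6379 -m comment --comment "redis cache" -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
# Single-argument options that describe *where* a rule applies.
FLAGS = {"-p": "proto", "-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
         "--src-range": "src", "--dst-range": "dst"}


@dataclass
class Rule:
    line_no: int
    chain: str
    packets: int
    target: str = ""
    comment: str = ""
    proto: str = "any"
    in_if: str = "any"
    out_if: str = "any"
    src: str = "any"
    dst: str = "any"
    dports: frozenset = frozenset()   # empty = any port
    extra: tuple = ()                  # unparsed matches such as --ctstate

    def path(self):
        """Everything that must be identical for one rule to shadow another."""
        return (self.chain, self.proto, self.in_if, self.out_if,
                self.src, self.dst, self.extra)

    def label(self):
        return self.comment or f"line {self.line_no}"


def parse_rule(line_no, chain, packets, spec):
    r = Rule(line_no, chain, int(packets))
    toks, i = shlex.split(spec), 0
    while i < len(toks):
        t = toks[i]
        if t in FLAGS:
            setattr(r, FLAGS[t], toks[i + 1]); i += 2
        elif t in ("--dports", "--destination-ports"):
            r.dports = frozenset(int(p) for p in toks[i + 1].split(",")); i += 2
        elif t == "-j":
            r.target = toks[i + 1]; i += 2
        elif t == "--comment":
            r.comment = toks[i + 1]; i += 2
        elif t == "-m":
            i += 2                      # match module name; its options follow
        elif t.startswith("--"):
            r.extra += ((t, toks[i + 1]),); i += 2   # unknown match: keep it in the key
        else:
            i += 1
    return r


def covers(earlier, later):
    """True when every packet `later` could match is already decided by `earlier`."""
    if earlier.path() != later.path():
        return False
    return not earlier.dports or (bool(later.dports) and later.dports <= earlier.dports)


def audit(dump):
    """Return zero-hit rules and (shadowed, shadowing) rule pairs, by comment or line."""
    rules = []
    for n, line in enumerate(dump.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            rules.append(parse_rule(n, m.group(3), m.group(1), m.group(4)))
    zero_hit = [r.label() for r in rules if r.packets == 0]
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.label(), earlier.label()))
                break
    return {"zero_hit": zero_hit, "shadowed": shadowed}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_DUMP).items():
        print(kind, items)
```

Two caveats a practitioner should carry along: the counters restart at boot or on iptables -Z, so a zero means "unused since the last reset", not "unused"; and the shadow test is exact, recognising only the subset-of-ports case on an otherwise identical match, not arbitrary address-range overlaps.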
config firewall address
edit "B_PHPs"
set comment "Backend PHP servers"
set color 7
set type iprange
set start-ip 10.31.50.60
set end-ip 10.31.50.99
next
edit "B_DBs_SQL"
set comment "Database servers"
set color 7
set type iprange
set start-ip 10.31.40.10
set end-ip 10.31.40.39
next
end
config firewall policy
edit 1
set srcintf "B_frontend"
set dstintf "B_backend"
set srcaddr "B_PHPs"
set dstaddr "B_DBs_SQL"
set action accept
set service "mysql" "postgres" "oracle"
set schedule "always"
set logtraffic disable
set comments "SQL databases access"
next
end
config firewall service custom
edit "mysql"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 3306
next
edit "postgres"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 5432
next
edit "oracle"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 1521
next
end
Above: the same need as FortiOS CLI on a FortiGate: two iprange address objects, three custom TCP services, and one accept policy bound to srcintf B_frontend and dstintf B_backend. Note set logtraffic disable: database connections permitted by this policy leave no traffic log, which is exactly the setting a compliance check would want to flag.
create tcp_service mysql
modify services mysql color orange
modify services mysql port 3306
modify services mysql comments ''
modify services mysql include_in_any false
update services mysql
create tcp_service postgres
modify services postgres color orange
modify services postgres port 5432
modify services postgres comments ''
modify services postgres include_in_any false
update services postgres
create tcp_service oracle
modify services oracle color orange
modify services oracle port 1521
modify services oracle comments ''
modify services oracle include_in_any false
update services oracle
create address_range B_PHPs
modify network_objects B_PHPs color orange
modify network_objects B_PHPs ipaddr_first 10.31.50.60
modify network_objects B_PHPs ipaddr_last 10.31.50.99
modify network_objects B_PHPs comments ''
modify network_objects B_PHPs add_adtr_rule false
update network_objects B_PHPs
create address_range B_DBs_SQL
modify network_objects B_DBs_SQL color orange
modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
modify network_objects B_DBs_SQL comments ''
modify network_objects B_DBs_SQL add_adtr_rule false
update network_objects B_DBs_SQL
create policies_collection IS_rb_SiteB_FG
update policies_collections IS_rb_SiteB_FG
create firewall_policy ##IS_rb_SiteB_FG
modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
update fw_policies ##IS_rb_SiteB_FG
addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
update fw_policies ##IS_rb_SiteB_FG
update_all
Above: the same need as Check Point dbedit commands: three tcp_service objects (with include_in_any false, so they are not folded into the Any service), two address_range network objects, and a policy collection holding one accept rule. The object comments are left empty; the only trace of the original request is the rule comment.
<entry name="localhost.localdomain">
<vsys>
<entry name="vsys1">
<service>
<entry name="mysql">
<protocol>
<tcp>
<port>3306</port>
</tcp>
</protocol>
</entry>
<entry name="postgres">
<protocol>
<tcp>
<port>5432</port>
</tcp>
</protocol>
</entry>
<entry name="oracle">
<protocol>
<tcp>
<port>1521</port>
</tcp>
</protocol>
</entry>
</service>
<service-group/>
<address>
<entry name="B_PHPs">
<ip-range>10.31.50.60-10.31.50.99</ip-range>
</entry>
<entry name="B_DBs_SQL">
<ip-range>10.31.40.10-10.31.40.39</ip-range>
</entry>
</address>
<address-group/>
<application/>
<zone/>
<rulebase>
<security>
<rules>
<entry name="IS_rule">
<action>allow</action>
<from>
<member>any</member>
</from>
<to>
<member>any</member>
</to>
<source>
<member>B_PHPs</member>
</source>
<destination>
<member>B_DBs_SQL</member>
</destination>
<service>
<member>mysql</member>
<member>postgres</member>
<member>oracle</member>
</service>
<application>
<member>any</member>
</application>
<description>SQL databases access</description>
<log-start>no</log-start>
<log-end>no</log-end>
</entry>
</rules>
</security>
</rulebase>
</entry>
</vsys>
</entry>
Above: the same need as a PAN-OS XML configuration fragment for a Palo Alto firewall: services, address objects and one security rule under vsys1. Two things were lost in this translation: the from and to zones are any, so the frontend-to-backend binding that the iptables and FortiGate versions carry is gone, and log-start/log-end are no, so matches are not logged.
object network B_PHPs
range 10.31.50.60 10.31.50.99
object network B_DBs_SQL
range 10.31.40.10 10.31.40.39
object service mysql
service tcp destination eq 3306
object service postgres
service tcp destination eq 5432
object service oracle
service tcp destination eq 1521
object-group service G_586576025
service-object object mysql
service-object object postgres
service-object object oracle
access-list Intelliment_Rule_B_frontend remark SQL databases access
access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
!
access-group Intelliment_Rule_B_frontend in interface B_frontend
!
Above: the same need as Cisco ASA configuration: two network objects, three service objects collected in object-group G_586576025, and one extended ACE (with log disable) applied inbound on interface B_frontend. Five syntaxes and five object models for one request; each hand translation is an opportunity to get a range, a port or the logging wrong, and nothing checks the five against each other.
Automation
I'm involved in the development of an application and I need ...
to push these changes to the production environment (~minutes)
to deploy several services on the infrastructure (~minutes)
to perform live migrations on hybrid multi-cloud environments (~minutes)
Network Automation
Why Network Automation Matters, and What You Can Do
About It – Rick Sherman at PuppetConf 2016
(https://www.youtube.com/watch?v=GZs2rXSEXoY)
Network Automation
Juniper PyEZ, PanOS, Cisco NX-API - pycsco, IOS-XR - pyIOSXR …
NetConf, YANG, Openconfig, IETF Operational Model Structure …
Netmiko, Paramiko, Napalm …
Software Defined Networks, OpenDaylight, NFV, flannel, kube-proxy …
Project Calico, Romana, Fugue …
ansible, puppet-modules, chef inspec …
Network Automation
I'm involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking issues
to be able to keep working while the infrastructure team performs changes on our network
(~days, ~weeks, ~months)
... still with the same O.P.E.R.A.T.I.O.N.A.L issues: slow delivery, tens of thousands of changes a year, a continuously evolving network, rule-base degradation, manual approvals, and compliance handled outside change management.
Agility by abstraction
I'm involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
Just say what you want instead of thinking about how to perform it
App Owners / DevOps - network needs:
I need to consume SNMP servers
I will provide a service on tcp 443 and tcp 80
SecOps - security rules:
User network must have visibility to the app server
Risk teams - compliance:
DMZ traffic to the Internet must be limited to tcp 443
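Here is what "just say what you want" looks like as code. The following Python is an added example written for this page, not Intelliment's product or API; the zone-to-CIDR map, the zone names and the SQL-exposure rule are assumptions made for the example, while the DMZ and user-network statements are the two compliance examples above. An Intent records who may reach whom on which TCP ports; classify() pre-denies or pre-approves it against those statements; deliver() renders an allowed intent into iptables and Cisco ASA syntax from the same object, so ranges and ports cannot drift between vendors the way they can in the five hand-written configurations earlier in the deck.

```python
"""Intent-based firewall policy as code (added example, not Intelliment's code)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical zone model for the example (not from the deck): zone -> CIDR.
# Addresses outside every zone are treated as "internet".
ZONES = {
    "users":    ip_network("10.10.0.0/16"),
    "dmz":      ip_network("10.31.10.0/24"),
    "frontend": ip_network("10.31.50.0/24"),
    "backend":  ip_network("10.31.40.0/24"),
}
SQL_PORTS = {3306, 5432, 1521}


@dataclass(frozen=True)
class Intent:
    """What the app owner states: who may reach whom on which TCP ports."""
    name: str
    src: str        # CIDR of the consumer
    dst: str        # CIDR of the provider
    ports: tuple    # TCP destination ports
    comment: str = ""


def zone_of(cidr):
    net = ip_network(cidr)
    return next((z for z, n in ZONES.items() if net.subnet_of(n)), "internet")


def classify(intent):
    """Pre-deny risky requests, pre-approve well-known ones, queue the rest for review.
    The DMZ and user-network statements are the deck's compliance/security examples;
    the SQL-exposure rule is this example's own assumption."""
    src, dst, ports = zone_of(intent.src), zone_of(intent.dst), set(intent.ports)
    findings = []
    if src == "dmz" and dst == "internet" and ports - {443}:
        findings.append("DMZ traffic to the Internet must be limited to tcp 443")
    if ports & SQL_PORTS and src != "frontend":
        findings.append("SQL ports are reachable from the frontend tier only")
    if findings:
        return "pre-denied", findings
    if src == "users" and dst == "frontend" and ports <= {80, 443}:
        return "pre-approved", ["user network must have visibility to the app server"]
    return "needs-review", []


def to_iptables(intent):
    """One FORWARD rule in iptables-save syntax, same shape as the deck's."""
    ports = ",".join(str(p) for p in sorted(intent.ports))
    return (f'-A FORWARD -p tcp -s {intent.src} -d {intent.dst} -m multiport '
            f'--dports {ports} -m comment --comment "{intent.comment or intent.name}" -j ACCEPT')


def to_asa(intent, acl="B_frontend_in"):
    """Cisco ASA network objects plus one ACE per port (plain eq, no object-group)."""
    def obj(name, cidr):
        n = ip_network(cidr)
        return f"object network {name}\n subnet {n.network_address} {n.netmask}"
    src, dst = f"{intent.name}_src", f"{intent.name}_dst"
    lines = [obj(src, intent.src), obj(dst, intent.dst),
             f"access-list {acl} remark {intent.comment or intent.name}"]
    lines += [f"access-list {acl} extended permit tcp object {src} object {dst} eq {p}"
              for p in sorted(intent.ports)]
    return "\n".join(lines)


def deliver(intent):
    """The change-management step: compliance first, rendering only if allowed."""
    status, findings = classify(intent)
    result = {"status": status, "findings": findings, "iptables": None, "asa": None}
    if status != "pre-denied":
        result["iptables"] = to_iptables(intent)
        result["asa"] = to_asa(intent)
    return result


if __name__ == "__main__":
    requests = [
        Intent("sql_access", "10.31.50.64/26", "10.31.40.0/27", (3306, 5432, 1521), "SQL databases access"),
        Intent("web_users", "10.10.0.0/16", "10.31.50.64/26", (443, 80), "users to app"),
        Intent("dmz_egress", "10.31.10.0/24", "0.0.0.0/0", (443, 22), "DMZ to Internet"),
    ]
    for it in requests:
        r = deliver(it)
        print(f"{it.name}: {r['status']} {r['findings']}")
        if r["iptables"]:
            print(r["iptables"])
            print(r["asa"])
```

Run it and the SQL intent from the slides comes out as needs-review with both renderings, the users-to-app request is pre-approved, and a DMZ egress request that includes tcp 22 is pre-denied before any configuration is produced. The ASA rendering uses one ACE per port rather than the object-group of the earlier slide; that is a deliberate simplification, and a FortiOS or PAN-OS renderer would be another function of the same shape over the same Intent.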
Network Abstraction Layer
● App Owner / DevOps specifies app connectivity
● Network Engineer specifies quality
● Security Consultant specifies compliance
● Security Engineer specifies threat response
● Network Infrastructure: data ingestion, …
● API / UI: query and operate the network in code
Network Security Policies Orchestration Controller Features
● Security Policies Inventory
● Visualization
● Line of Sight
● Automatic Migration
● Orchestrated deployment
● Multivendor
● Change Simulation
● Validations
● Change Traceability
● Pre-approved Flows / Policies
● Application Delivery
● Automatic Change Implementation
What is Intelliment?
A Network Security Policies Orchestration Controller implementation
● Abstracts network topology and network security policies
● Security policies are expressed as user intents
● Maintains a network security policies knowledge base
● Orchestrates, diagnoses and deploys change requests
● No vendor lock-in
● Agentless
● Hybrid network infrastructure (physical, virtual, cloud, SDN)
● Ready for third-party integrations
● RESTful API
Built with:
● Java, Akka, OSGi, Eclipse MDA Tools
● Hazelcast, CQEngine, MongoDB, MySQL
● Intelliment Security Policy Automation UI: HTML5, CSS3, ExtJs
● Integrations: Puppet, Cisco ISE, OpenDaylight SDN, etc.
Let's see Intelliment working
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking issues
to be able to keep working while the infrastructure team performs changes on our network
Demo Use Cases
● Visualise which network visibilities are defined for an AWS-based instance
● Set up predefined network visibility configurations (ssh, ping) for GCE instances
● Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
● Perform a migration from an on-premise environment managed by Cisco, Palo Alto and Fortigate to AWS and GCE
Let's recap
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking issues
to be able to keep working while the infrastructure team performs changes on our network
from (~days, ~weeks, ~months) to (~minutes)
from these O.P.E.R.A.T.I.O.N.A.L issues (slow delivery, tens of thousands of changes a year, rule-base degradation, manual approvals, compliance handled outside change management) ...
Let's recap
● Consolidated Operations: visualize, query and operate the network policy as a single, consolidated entity
● Policy Portability: specify policies as vendor-neutral intents. No experts needed.
● Firewall Policy as Code: write app connectivity as code to avoid translation mistakes and clean-ups
● Continuous Preemptive Compliance: pre-approve well-known requests and pre-deny risky ones
● Automated Application Migration: identify and move the network policies associated with applications
● Policy Synchronization: sync policies across QA/Dev/Prod/Failover environments
Questions?
Thank you!
@imonteroperez
imontero@intellimentsec.com

More Related Content

What's hot (20)

PDF
Behavior-Driven Development (BDD) Testing with Apache Spark with Aaron Colcor...
Databricks
 
PDF
Introducing log analysis to your organization
Sematext Group, Inc.
 
PPTX
AWS Lambda, Step Functions & MongoDB Atlas Tutorial
MongoDB
 
PPTX
Monitoring and scaling postgres at datadog
Seth Rosenblum
 
PPTX
Microservices, Continuous Delivery, and Elasticsearch at Capital One
Noriaki Tatsumi
 
PDF
Flink Forward Berlin 2017: Aris Kyriakos Koliopoulos - Drivetribe's Kappa Arc...
Flink Forward
 
PDF
Using SparkML to Power a DSaaS (Data Science as a Service): Spark Summit East...
Spark Summit
 
PDF
Spark Operator—Deploy, Manage and Monitor Spark clusters on Kubernetes
Databricks
 
PPTX
MongoDB World 2016: NOW TV and Linear Streaming: Scaling MongoDB for High Loa...
MongoDB
 
PDF
Architecture at Scale
Elasticsearch
 
PDF
GumGum: Multi-Region Cassandra in AWS
DataStax Academy
 
PPTX
MongoDB Ops Manager and Kubernetes - James Broadhead
MongoDB
 
PDF
Best Practices for ETL with Apache NiFi on Kubernetes - Albert Lewandowski, G...
GetInData
 
PDF
Scalable and Reliable Logging at Pinterest
Krishna Gade
 
PPTX
In-Memory Computing Essentials for Software Engineers
Denis Magda
 
PDF
Monitoring MySQL at scale
Ovais Tariq
 
PDF
Novinky v Oracle Database 18c
MarketingArrowECS_CZ
 
PPTX
RedisConf17 - IoT Backend with Redis and Node.js
Redis Labs
 
PDF
Modeling Catastrophic Events in Spark: Spark Summit East Talk by Georg Hofman...
Spark Summit
 
PDF
MongoDB .local Bengaluru 2019: The Journey of Migration from Oracle to MongoD...
MongoDB
 
Behavior-Driven Development (BDD) Testing with Apache Spark with Aaron Colcor...
Databricks
 
Introducing log analysis to your organization
Sematext Group, Inc.
 
AWS Lambda, Step Functions & MongoDB Atlas Tutorial
MongoDB
 
Monitoring and scaling postgres at datadog
Seth Rosenblum
 
Microservices, Continuous Delivery, and Elasticsearch at Capital One
Noriaki Tatsumi
 
Flink Forward Berlin 2017: Aris Kyriakos Koliopoulos - Drivetribe's Kappa Arc...
Flink Forward
 
Using SparkML to Power a DSaaS (Data Science as a Service): Spark Summit East...
Spark Summit
 
Spark Operator—Deploy, Manage and Monitor Spark clusters on Kubernetes
Databricks
 
MongoDB World 2016: NOW TV and Linear Streaming: Scaling MongoDB for High Loa...
MongoDB
 
Architecture at Scale
Elasticsearch
 
GumGum: Multi-Region Cassandra in AWS
DataStax Academy
 
MongoDB Ops Manager and Kubernetes - James Broadhead
MongoDB
 
Best Practices for ETL with Apache NiFi on Kubernetes - Albert Lewandowski, G...
GetInData
 
Scalable and Reliable Logging at Pinterest
Krishna Gade
 
In-Memory Computing Essentials for Software Engineers
Denis Magda
 
Monitoring MySQL at scale
Ovais Tariq
 
Novinky v Oracle Database 18c
MarketingArrowECS_CZ
 
RedisConf17 - IoT Backend with Redis and Node.js
Redis Labs
 
Modeling Catastrophic Events in Spark: Spark Summit East Talk by Georg Hofman...
Spark Summit
 
MongoDB .local Bengaluru 2019: The Journey of Migration from Oracle to MongoD...
MongoDB
 

Similar to Agile and compliant firewall ACL configuration management for DevOps (20)

PDF
Chicago Docker Meetup Presentation - Mediafly
Mediafly
 
PPTX
Open stack gbp final sn-4-slideshare
Sumit Naiksatam
 
DOCX
01-01-2017 This section will lay out the implementation plan o.docx
honey725342
 
PDF
Managing Your Cisco Datacenter Network with Ansible
fmaccioni
 
PDF
AnsibleFest London 2016 - managing your cisco datacenter network with ansible
fmaccioni
 
PDF
Zero-downtime deployment of Micro-services with Kubernetes
Wojciech Barczyński
 
PPTX
Cloud Computing for Business - The Road to IT-as-a-Service
James Urquhart
 
PDF
Cisco Automation with Puppet and onePK - PuppetConf 2013
Puppet
 
PDF
En35793797
IJERA Editor
 
PDF
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Bruno Teixeira
 
PDF
Weave Your Microservices with Istio
All Things Open
 
PDF
All Things Open 2019 weave-services-istio
Lin Sun
 
PDF
Ato2019 weave-services-istio
Lin Sun
 
PDF
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB
 
PDF
MongoDB.local DC 2018: MongoDB Ops Manager + Kubernetes
MongoDB
 
PPTX
Openshift Presentation ppt compare with VM
shubhamage1
 
PDF
Cisco project ideas
VIT University
 
PDF
Eng.Abd Elrhman.pdf
INOGHOST
 
PDF
Cilium:: Application-Aware Microservices via BPF
Cynthia Thomas
 
PDF
Scalable TensorFlow Deep Learning as a Service with Docker, OpenPOWER, and GPUs
Indrajit Poddar
 
Chicago Docker Meetup Presentation - Mediafly
Mediafly
 
Open stack gbp final sn-4-slideshare
Sumit Naiksatam
 
01-01-2017 This section will lay out the implementation plan o.docx
honey725342
 
Managing Your Cisco Datacenter Network with Ansible
fmaccioni
 
AnsibleFest London 2016 - managing your cisco datacenter network with ansible
fmaccioni
 
Zero-downtime deployment of Micro-services with Kubernetes
Wojciech Barczyński
 
Cloud Computing for Business - The Road to IT-as-a-Service
James Urquhart
 
Cisco Automation with Puppet and onePK - PuppetConf 2013
Puppet
 
En35793797
IJERA Editor
 
Introduction to SDN and Network Programmability - BRKRST-1014 | 2017/Las Vegas
Bruno Teixeira
 
Weave Your Microservices with Istio
All Things Open
 
All Things Open 2019 weave-services-istio
Lin Sun
 
Ato2019 weave-services-istio
Lin Sun
 
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB
 
MongoDB.local DC 2018: MongoDB Ops Manager + Kubernetes
MongoDB
 
Openshift Presentation ppt compare with VM
shubhamage1
 
Cisco project ideas
VIT University
 
Eng.Abd Elrhman.pdf
INOGHOST
 
Cilium:: Application-Aware Microservices via BPF
Cynthia Thomas
 
Scalable TensorFlow Deep Learning as a Service with Docker, OpenPOWER, and GPUs
Indrajit Poddar
 
Ad

More from J On The Beach (20)

PDF
Massively scalable ETL in real world applications: the hard way
J On The Beach
 
PPTX
Big Data On Data You Don’t Have
J On The Beach
 
PPTX
Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...
J On The Beach
 
PDF
Pushing it to the edge in IoT
J On The Beach
 
PDF
Drinking from the firehose, with virtual streams and virtual actors
J On The Beach
 
PDF
How do we deploy? From Punched cards to Immutable server pattern
J On The Beach
 
PDF
Java, Turbocharged
J On The Beach
 
PDF
When Cloud Native meets the Financial Sector
J On The Beach
 
PDF
The big data Universe. Literally.
J On The Beach
 
PDF
Streaming to a New Jakarta EE
J On The Beach
 
PDF
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
J On The Beach
 
PDF
Pushing AI to the Client with WebAssembly and Blazor
J On The Beach
 
PDF
Axon Server went RAFTing
J On The Beach
 
PDF
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
J On The Beach
 
PDF
Madaari : Ordering For The Monkeys
J On The Beach
 
PDF
Servers are doomed to fail
J On The Beach
 
PDF
Interaction Protocols: It's all about good manners
J On The Beach
 
PDF
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
J On The Beach
 
PDF
Leadership at every level
J On The Beach
 
PDF
Machine Learning: The Bare Math Behind Libraries
J On The Beach
 
Massively scalable ETL in real world applications: the hard way
J On The Beach
 
Big Data On Data You Don’t Have
J On The Beach
 
Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...
J On The Beach
 
Pushing it to the edge in IoT
J On The Beach
 
Drinking from the firehose, with virtual streams and virtual actors
J On The Beach
 
How do we deploy? From Punched cards to Immutable server pattern
J On The Beach
 
Java, Turbocharged
J On The Beach
 
When Cloud Native meets the Financial Sector
J On The Beach
 
The big data Universe. Literally.
J On The Beach
 
Streaming to a New Jakarta EE
J On The Beach
 
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
J On The Beach
 
Pushing AI to the Client with WebAssembly and Blazor
J On The Beach
 
Axon Server went RAFTing
J On The Beach
 
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
J On The Beach
 
Madaari : Ordering For The Monkeys
J On The Beach
 
Servers are doomed to fail
J On The Beach
 
Interaction Protocols: It's all about good manners
J On The Beach
 
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
J On The Beach
 
Leadership at every level
J On The Beach
 
Machine Learning: The Bare Math Behind Libraries
J On The Beach
 
Ad

Recently uploaded (20)

PDF
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
PDF
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
PDF
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
PDF
“Voice Interfaces on a Budget: Building Real-time Speech Recognition on Low-c...
Edge AI and Vision Alliance
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PPTX
Designing_the_Future_AI_Driven_Product_Experiences_Across_Devices.pptx
presentifyai
 
PPTX
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
PDF
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
PDF
UPDF - AI PDF Editor & Converter Key Features
DealFuel
 
PPTX
Digital Circuits, important subject in CS
contactparinay1
 
PDF
Transcript: Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
PPTX
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
PDF
How do you fast track Agentic automation use cases discovery?
DianaGray10
 
PDF
SIZING YOUR AIR CONDITIONER---A PRACTICAL GUIDE.pdf
Muhammad Rizwan Akram
 
PDF
Staying Human in a Machine- Accelerated World
Catalin Jora
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
“Squinting Vision Pipelines: Detecting and Correcting Errors in Vision Models...
Edge AI and Vision Alliance
 
DOCX
Python coding for beginners !! Start now!#
Rajni Bhardwaj Grover
 
PPTX
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
“Voice Interfaces on a Budget: Building Real-time Speech Recognition on Low-c...
Edge AI and Vision Alliance
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
Designing_the_Future_AI_Driven_Product_Experiences_Across_Devices.pptx
presentifyai
 
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
UPDF - AI PDF Editor & Converter Key Features
DealFuel
 
Digital Circuits, important subject in CS
contactparinay1
 
Transcript: Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
How do you fast track Agentic automation use cases discovery?
DianaGray10
 
SIZING YOUR AIR CONDITIONER---A PRACTICAL GUIDE.pdf
Muhammad Rizwan Akram
 
Staying Human in a Machine- Accelerated World
Catalin Jora
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
“Squinting Vision Pipelines: Detecting and Correcting Errors in Vision Models...
Edge AI and Vision Alliance
 
Python coding for beginners !! Start now!#
Rajni Bhardwaj Grover
 
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 

Agile and compliant firewall ACL configuration management for DevOps

  • 1. Agile and compliant firewall ACL configuration management for DevOps Ildefonso Montero <[email protected]>
  • 2. Who am I: Ildefonso Montero Backend Software Developer (+10 years) Last 3 years working on DevOps and Network Automation at Intelliment Security
  • 3. Let’s talk about DevOps, Security, and Network Automation
  • 4. Application Delivery I’m involved on the development of an application and I need ... to push this changes on production env (~minutes)
  • 5. Application Delivery I’m involved on the development of an application and I need ... to deploy several services on infrastructure (~minutes)
  • 6. Application Delivery I’m involved on the development of an application and I need ... to perform live migrations on hybrid multi cloud environments (~minutes)
  • 7. Application Delivery I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (~hours, ~days)
  • 8. Application Delivery I’m involved on the development of an application and I need ... to build a lab environment to test high availability of my services on networking issues (~days, ~weeks)
  • 9. Application Delivery I’m involved on the development of an application and I need ... to being able to work while infrastructure team perform changes on our network infrastructure (~weeks, ~months)
  • 10. Network Delivery O.P.E.R.A.T.I.O.N.A.L Issues ● Too long time to delivery (~25 days avg) ● Too many changes (+30.000 per year) ● Network could be evolving continuously ● Network Policies shall be periodically reviewed, and unused rules removed to prevent rules degradation and tech debt (~thousands of lines/conf) ● Complicated and highly manual approval process ● Security Compliance is usually managed separately from change management process
  • 11. *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT COMMIT I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 12. config firewall address edit "B_PHPs" set comment "Backend PHP servers" set color 7 set type iprange set start-ip 10.31.50.60 set end-ip 10.31.50.99 next edit "B_DBs_SQL" set comment "Database servers" set color 7 set type iprange set start-ip 10.31.40.10 set end-ip 10.31.40.39 next end config firewall policy edit 1 set srcintf "B_frontend" set dstintf "B_backend" set srcaddr "B_PHPs" set dstaddr "B_DBs_SQL" set action accept set service "mysql" "postgres" "oracle" set schedule "always" set logtraffic disable set comments "SQL databases access" next end config firewall service custom edit "mysql" set color 7 set protocol TCP/UDP/SCTP set tcp-portrange 3306 next edit "postgres" set color 7 set protocol TCP/UDP/SCTP set tcp-portrange 5432 next edit "oracle" set color 7 set protocol TCP/UDP/SCTP set tcp-portrange 1521 next end I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 13. The same rule in Check Point dbedit syntax:
    create tcp_service mysql
    modify services mysql color orange
    modify services mysql port 3306
    modify services mysql comments ''
    modify services mysql include_in_any false
    update services mysql
    create tcp_service postgres
    modify services postgres color orange
    modify services postgres port 5432
    modify services postgres comments ''
    modify services postgres include_in_any false
    update services postgres
    create tcp_service oracle
    modify services oracle color orange
    modify services oracle port 1521
    modify services oracle comments ''
    modify services oracle include_in_any false
    update services oracle
    create address_range B_PHPs
    modify network_objects B_PHPs color orange
    modify network_objects B_PHPs ipaddr_first 10.31.50.60
    modify network_objects B_PHPs ipaddr_last 10.31.50.99
    modify network_objects B_PHPs comments ''
    modify network_objects B_PHPs add_adtr_rule false
    update network_objects B_PHPs
    create address_range B_DBs_SQL
    modify network_objects B_DBs_SQL color orange
    modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
    modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
    modify network_objects B_DBs_SQL comments ''
    modify network_objects B_DBs_SQL add_adtr_rule false
    update network_objects B_DBs_SQL
    create policies_collection IS_rb_SiteB_FG
    update policies_collections IS_rb_SiteB_FG
    create firewall_policy ##IS_rb_SiteB_FG
    modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
    update fw_policies ##IS_rb_SiteB_FG
    addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
    modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
    modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
    modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
    update fw_policies ##IS_rb_SiteB_FG
    update_all
  • 14. The same rule as Palo Alto PAN-OS XML configuration:
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <service>
            <entry name="mysql">
              <protocol><tcp><port>3306</port></tcp></protocol>
            </entry>
            <entry name="postgres">
              <protocol><tcp><port>5432</port></tcp></protocol>
            </entry>
            <entry name="oracle">
              <protocol><tcp><port>1521</port></tcp></protocol>
            </entry>
          </service>
          <service-group/>
          <address>
            <entry name="B_PHPs">
              <ip-range>10.31.50.60-10.31.50.99</ip-range>
            </entry>
            <entry name="B_DBs_SQL">
              <ip-range>10.31.40.10-10.31.40.39</ip-range>
            </entry>
          </address>
          <address-group/>
          <application/>
          <zone/>
          <rulebase>
            <security>
              <rules>
                <entry name="IS_rule">
                  <action>allow</action>
                  <from><member>any</member></from>
                  <to><member>any</member></to>
                  <source><member>B_PHPs</member></source>
                  <destination><member>B_DBs_SQL</member></destination>
                  <service>
                    <member>mysql</member>
                    <member>postgres</member>
                    <member>oracle</member>
                  </service>
                  <application><member>any</member></application>
                  <description>SQL databases access</description>
                  <log-start>no</log-start>
                  <log-end>no</log-end>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  • 15. The same rule in Cisco ASA syntax:
    object network B_PHPs
     range 10.31.50.60 10.31.50.99
    object network B_DBs_SQL
     range 10.31.40.10 10.31.40.39
    object service mysql
     service tcp destination eq 3306
    object service postgres
     service tcp destination eq 5432
    object service oracle
     service tcp destination eq 1521
    object-group service G_586576025
     service-object object mysql
     service-object object postgres
     service-object object oracle
    access-list Intelliment_Rule_B_frontend remark SQL databases access
    access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
    !
    access-group Intelliment_Rule_B_frontend in interface B_frontend
    !
  • 20. Automation. I’m involved on the development of an application and I need ... to push these changes to the production env (~minutes); to deploy several services on infrastructure (~minutes); to perform live migrations on hybrid multi cloud environments (~minutes)
  • 21. Network Automation. Why Network Automation Matters, and What You Can Do About It – Rick Sherman at PuppetConf 2016 (https://www.youtube.com/watch?v=GZs2rXSEXoY)
  • 22. Network Automation. Juniper PyEZ, PanOS, Cisco NX-API - pycsco, IOS-XR - pyIOSXR … NetConf, YANG, Openconfig, IETF Operational Model Structure … Netmiko, Paramiko, Napalm … Software Defined Networks, Opendaylight, NFV, flannel, kube-proxy … Project Calico, Romana, Fugue … ansible, puppet-modules, chef inspec …
  • 23. Network Automation. I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability on networking issues; to be able to work while the infrastructure team performs changes on our network
  • 24. Network Automation. I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability on networking issues; to be able to work while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  • 25. Still having the same O.P.E.R.A.T.I.O.N.A.L issues
    ● Too long time to deliver (~25 days avg)
    ● Too many changes (+30.000 per year)
    ● The network keeps evolving continuously
    ● Network policies shall be periodically reviewed, and unused rules removed to prevent rule degradation and tech debt (~thousands of lines/conf)
    ● Complicated and highly manual approval process
    ● Security compliance is usually managed separately from the change management process
  • 26. Agility by abstraction. I’m involved on the development of an application and I need ... to have network visibility across services inside and outside the infrastructure. Just say what you want instead of thinking about how to perform it.
  • 27. App Owners - Dev/Ops / Network needs: "I need to consume SNMP servers", "I will provide a service on tcp 443 and tcp 80". SecOps / Security Rules: "User network must have visibility to App server". Risk teams / Compliance: "DMZ traffic must be limited to Internet on tcp 443".
  • 28. Network Abstraction Layer App Owner / DevOps specifies app connectivity Network Engineer specifies quality Security Consultant specifies compliance Security Engineer specifies threat response Network Infrastructure Data Ingestion …
  • 29. Network Abstraction Layer App Owner / DevOps specifies app connectivity Network Engineer specifies quality Security Consultant specifies compliance Security Engineer specifies threat response Network Infrastructure Data Ingestion … API / UI Query and Operate the Network In Code Network Security Policies Orchestration Controller
  • 30. Security Policies Inventory Visualization Line of Sight Automatic Migration Orchestrated deployment Multivendor Change Simulation Validations Change Traceability Pre-approved Flows / Policies Application Delivery Automatic Change Implementation Network Security Policies Orchestration Controller Features
  • 31. What is Intelliment? A Network Security Policies Orchestration Controller Implementation
  • 32. What is Intelliment? A Network Security Policies Orchestration Controller Implementation
    ● Abstracts network topology and network security policies
    ● Security policies are expressed as user intents
    ● Maintains a network security policies knowledge base
    ● Orchestrates, diagnoses and deploys change requests
    ● No vendor lock-in
    ● Agentless
    ● Hybrid network infrastructure (physical, virtual, cloud, SDN)
    ● Third-party integrations ready
    ● RESTful API
  • 33. What is Intelliment? A Network Security Policies Orchestration Controller Implementation ● Java, Akka, OSGi, Eclipse MDA Tools ● Hazelcast, CQEngine, MongoDB, MySQL ● Intelliment Security Policy Automation: HTML5, CSS3, ExtJs ● Integrations: puppet, Cisco ISE, Opendaylight SDN, etc.
  • 34. Let’s see Intelliment working: to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability on networking issues; to be able to work while the infrastructure team performs changes on our network
  • 35. Demo Use Cases Visualise which network visibilities are defined for an AWS-based instance
  • 36. Demo Use Cases Visualise which network visibilities are defined for an AWS-based instance Setup predefined network visibilities configurations (ssh, ping) for GCE instances
  • 37. Demo Use Cases. Visualise which network visibilities are defined for an AWS-based instance. Set up predefined network visibility configurations (ssh, ping) for GCE instances. Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings.
  • 38. Demo Use Cases. Visualise which network visibilities are defined for an AWS-based instance. Set up predefined network visibility configurations (ssh, ping) for GCE instances. Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings. Perform a migration from an on-premise environment managed by Cisco, Palo Alto and Fortigate to AWS and GCE.
  • 39. Let’s recap: to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability on networking issues; to be able to work while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  • 40. Let’s recap: to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability on networking issues; to be able to work while the infrastructure team performs changes on our network (~minutes)
  • 41. Let’s recap: from these O.P.E.R.A.T.I.O.N.A.L issues ...
    ● Too long time to deliver (~25 days avg)
    ● Too many changes (+30.000 per year)
    ● The network keeps evolving continuously
    ● Network policies shall be periodically reviewed, and unused rules removed to prevent rule degradation and tech debt (~thousands of lines/conf)
    ● Complicated and highly manual approval process
    ● Security compliance is usually managed separately from the change management process
  • 42. Let’s recap
    ● Consolidated Operations: Visualize, query and operate the network policy as a single, consolidated entity
    ● Policy Portability: Specify policies as vendor-neutral intents. No experts needed.
    ● Firewall Policy as Code: Write app connectivity as code to avoid translation mistakes and clean-ups
    ● Continuous Preemptive Compliance: Pre-approve well-known requests and pre-deny risky ones
    ● Automated Application Migration: Identify and move network policies associated with applications
    ● Policy Synchronization: Sync policies across QA/Dev/Prod/Failover environments
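A small illustration of the "intents in, vendor syntax out" idea behind slides 26-28 and the "policy as code" and "preemptive compliance" points above. This is an added example written for this page, not Intelliment's code: the address ranges, service ports and ACL names are the ones on slides 12-15, while the DMZ/internal networks and the compliance rule are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Added example, not Intelliment's code: an app-connectivity intent is checked
# against a risk-team rule ("pre-deny risky ones") before it is rendered into
# the Cisco ASA object/ACL syntax of slide 15.
Range = namedtuple("Range", "name first last")             # first/last: dotted strings
Intent = namedtuple("Intent", "src dst services comment")  # services: name -> TCP port

# Constructed rule in the spirit of slide 27: DMZ hosts may reach addresses
# outside the internal space only on tcp 443 (both networks are assumptions).
DMZ = IPv4Network("10.31.60.0/24")
INTERNAL = IPv4Network("10.0.0.0/8")

def inside(rng, net):
    return IPv4Address(rng.first) in net and IPv4Address(rng.last) in net

def violations(intent):
    """Compliance findings; an empty list means the intent is pre-approved."""
    if not inside(intent.src, DMZ) or inside(intent.dst, INTERNAL):
        return []
    return [f"DMZ to Internet on tcp {p} ({s}) is not permitted"
            for s, p in intent.services.items() if p != 443]

def render_asa(intent, group, acl, iface):
    """Translate a pre-approved intent into ASA lines (same shape as slide 15)."""
    if violations(intent):
        raise ValueError("refusing to render a non-compliant intent")
    out = []
    for r in (intent.src, intent.dst):
        out += [f"object network {r.name}", f" range {r.first} {r.last}"]
    for s, p in intent.services.items():
        out += [f"object service {s}", f" service tcp destination eq {p}"]
    out.append(f"object-group service {group}")
    out += [f" service-object object {s}" for s in intent.services]
    out += [f"access-list {acl} remark {intent.comment}",
            f"access-list {acl} extended permit object-group {group} "
            f"object {intent.src.name} object {intent.dst.name} log disable",
            "!", f"access-group {acl} in interface {iface}", "!"]
    return "\n".join(out)

# The rule of slides 12-15: PHP backends reach the SQL servers on 3306/5432/1521.
SQL_ACCESS = Intent(Range("B_PHPs", "10.31.50.60", "10.31.50.99"),
                    Range("B_DBs_SQL", "10.31.40.10", "10.31.40.39"),
                    {"mysql": 3306, "postgres": 5432, "oracle": 1521},
                    "SQL databases access")

if __name__ == "__main__":
    print(render_asa(SQL_ACCESS, "G_586576025", "Intelliment_Rule_B_frontend", "B_frontend"))
```

A second renderer per vendor (FortiGate, Check Point, PAN-OS) would take the same `Intent`, which is the point: the compliance check runs once on the intent, not once per firewall syntax.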