Embedding Security into DevOps on AWS with Automation Toolsets - SID347 - re:Invent 2017

In some organizations, the theme of “can’t we all just get along” accurately describes the relationship between DevOps and network security. DevOps operates at a rapid and dynamic pace, using the cloud to create and deploy. Security teams exercise industry best practices of policy change control to eliminate potential security holes. Inevitably, deployment challenges arise. The ideal solution is one where security becomes part of the DevOps fabric. In this session, Ivan Bojer, automation specialist, and Jaime Franklin, cloud architect, both of Palo Alto Networks, discuss and demonstrate how AWS customers can automate the deployment of the VM-Series next generation firewall to protect DevOps environments on AWS. The topics in this session are based on current customer examples. They include: “touchless” deployment of a fully configured firewall utilizing automation tools, such as AWS CloudFormation templates, Terraform, and Ansible; consuming AWS tags to execute commitless policy updates; using Amazon CloudWatch and Elastic Load Balancing to deliver scalability and resiliency. This session wraps up with a discussion of sample templates and scripts to get started and a video demonstration of a fully automated VM-Series deployment.
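As an added illustration of the tag-driven, commitless policy updates the abstract mentions (example code written for this page, not Palo Alto Networks' or the session's own tooling): it turns constructed EC2 instance descriptions into the PAN-OS User-ID register/unregister message that feeds Dynamic Address Groups, so membership changes without a configuration commit. The `aws-tag.Key.Value` tag naming and the sample instances are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of describe_instances() output, trimmed to the fields used here.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.2.11", "State": {"Name": "running"},
     "Tags": [{"Key": "Role", "Value": "web"}, {"Key": "Env", "Value": "prod"}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.2.12", "State": {"Name": "running"},
     "Tags": [{"Key": "Role", "Value": "db"}, {"Key": "Env", "Value": "prod"}]},
    {"InstanceId": "i-0ccc", "PrivateIpAddress": "10.0.2.13", "State": {"Name": "terminated"},
     "Tags": [{"Key": "Role", "Value": "web"}]},
]

def instance_tags(instance, prefix="aws-tag"):
    """Firewall tag strings for one instance; 'prefix.Key.Value' is this example's assumed naming."""
    return [f"{prefix}.{t['Key']}.{t['Value']}" for t in instance.get("Tags", [])]

def split_by_state(instances, prefix="aws-tag"):
    """(register, unregister) as {ip: [tags]}: non-running instances are unregistered so stale IPs leave policy."""
    register, unregister = {}, {}
    for inst in instances:
        ip = inst.get("PrivateIpAddress")
        if not ip:
            continue
        bucket = register if inst["State"]["Name"] == "running" else unregister
        bucket[ip] = instance_tags(inst, prefix)
    return register, unregister

def build_uid_message(instances, prefix="aws-tag"):
    """XML body for the PAN-OS XML API type=user-id call that registers IP-to-tag mappings."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in zip(("register", "unregister"), split_by_state(instances, prefix)):
        if not mapping:
            continue  # omit empty sections rather than sending an empty <register/>
        section = ET.SubElement(payload, action)
        for ip, tags in mapping.items():
            tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
            for t in tags:
                ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")

def dag_members(instances, required_tags, prefix="aws-tag"):
    """IPs a Dynamic Address Group matching all of required_tags resolves to after the update."""
    register, _ = split_by_state(instances, prefix)
    return sorted(ip for ip, tags in register.items() if set(required_tags) <= set(tags))
```

The returned string is what goes in the `cmd` parameter of a `type=user-id` XML API request to the firewall; the mapping is live as soon as the call succeeds.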

Session sponsored by Palo Alto Networks

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. Embedding Security into DevOps on AWS with Automation Toolsets. Ivan Bojer, Jaime Franklin.
  2. “Automation should not require programming experience - it MUST be easy. We all have other things to do.” (Word cloud: prevention, cloud, orchestration, automation, security, application visibility, easy, APT, next generation, API, seamless, control, NGFW.)
  3. DevOps & Security: Can’t We All Get Along?
     DevOps is dynamic: VPCs added/removed; frequent workload adds/removals.
     Security is structured: follow change control best practices; protection of digital assets is Job 1.
  4. Accelerate Secure Cloud Deployments (diagram).
  5. Palo Alto Networks Automation Evolution (timeline):
     2009 - XML API
     2014 (Sep) - pan-python
     2015 (Dec) - Ansible
     2016 (Mar) - Pandevice
     2017 (Mar) - Terraform
     2018+ - Automation Partnerships, Application Framework
  6. Automate Security with Reusable Frameworks (diagram: Ansible, scripts/CFT, Terraform and Lambda built on pan-python, pandevice and the XML API).
  7. Ansible for Automation and Orchestration. The playbook runs from localhost, and the PANW Ansible modules (* limited support) drive the firewall over the XML API:
       # sample.yml
       - hosts: localhost
         connection: local
         tasks:
           - name: set dns and panorama
             panos_mgtconfig:
               ip_address: "10.5.172.91"
               password: "paloalto"
               dns_server_primary: "10.0.0.1"
               dns_server_secondary: "10.0.0.2"
               panorama_primary: "10.0.1.3"
               panorama_secondary: "10.0.1.4"
               commit: True
     Run with: ansible-playbook sample.yml -v
  8. Public Cloud Deployment Scenario: 1. Deploy cloud infrastructure; 2. Provision security; 3. Configure firewall. Tools such as Terraform and Ansible execute the cloud APIs; the same flow applies to other public and private cloud platforms.
  9. Hybrid Deployment Example (diagram: corporate network with front end, back end and main router connected to AWS over IPsec VPN and AWS Direct Connect):
       # vpn.yml
       - hosts: localhost
         connection: local
         tasks:
           - name: create VPN
             panos_vpnconfig:
               ip_address: "10.5.172.91"
               password: "paloalto"
               dns_server_primary: "10.0.0.1"
               dns_server_secondary: "10.0.0.2"
               panorama_primary: "10.0.1.3"
               panorama_secondary: "10.0.1.4"
               commit: True
  10. Dynamically Update Firewall Policies.
  11. CI/CD: Automated Security for DevOps. Single declarative syntax; infrastructure as code; manage multi-cloud with a single tool chain/set. DevOps CI/CD workflow: Git repo exists > create application > push feature > run automation tool on test environment > test pass > approve change > deploy to production > configure production (deploy, configure).
  12. Automating Secure DevOps VPC Creation: a large, high-tech company moving all application dev and test onto AWS; CloudFormation templates, S3 and Jenkins enable “touchless” deployment of developer VPCs protected by the VM-Series.
  13. Automated Security Building Blocks: incredibly simple; single app-tier function; standardized; re-usable; disposable; automated; best practices built in; no east-west traffic. Diagram (VPC 10.0.0.0/16, one Availability Zone): Management subnet 10.0.0.0/24 with INT-FW-Management 10.0.0.5/24 and IP-FW-Management; Untrust subnet 10.0.1.0/24 with INT-FW-Untrust 10.0.1.5/24 and IP-Untrust; Trust subnet 10.0.2.0/24 with INT-FW-Trust 10.0.2.5/24, NLB-Trust, AS-Trust, VM-TrustX (INT-TrustX 10.0.2.X/24) and route table RT-Trust 0.0.0.0/0 > 10.0.2.5; VM-FW; App1-Web tags. Other public and private cloud platforms.
  14. Demo Setup: Terraform templates to deploy a multi-tier application environment on AWS; Ansible automates web servers and VM-Series configuration; deployable by specifying a few parameters; critical apps deployed with the right security posture; repeatable and reproducible across cloud regions; simplifies app deployment with security built in; leverages best-practice blueprints. Diagram: AZ1b with subnets 10.0.0.0/24 (Mgt), 10.0.1.0/24 and 10.0.2.0/24, VM-Series interfaces E1/1, E1/2 and E1/3, and Web1 and DB1 hosts (addresses .11, .12, .99, .100 and .101 shown).
  15. Demo Architecture: Deploy > Configure VM-Series > Policies. Terraform automates creation of AWS infrastructure; Ansible playbooks configure VM-Series firewalls and web servers; automate deployment to desired regions; environmental requirements defined and automated. Diagram: the slide-14 environment repeated in the US-West and US-East regions; Terraform covers app, network and security, with the Network Team, App Team and Security Team each contributing their piece via Ansible.
  16. Demo (video).
  17. Accelerating AWS Deployments: https://live.paloaltonetworks.com/cloudtemplate
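The trust-subnet default route on slides 13 and 14 (RT-Trust 0.0.0.0/0 > 10.0.2.5) is the security invariant of the building block. The added Python check below, written for this page rather than taken from the session's templates, models that layout as constructed data and flags a route table that sends trust traffic straight to an internet gateway, bypassing the VM-Series; the "igw" target label and the dictionary layout are assumptions.

```python
import copy
import ipaddress

# Constructed model of the slide-13 building block: one AZ, three /24 subnets carved from the VPC.
BUILDING_BLOCK = {
    "vpc": "10.0.0.0/16",
    "subnets": {"management": "10.0.0.0/24", "untrust": "10.0.1.0/24", "trust": "10.0.2.0/24"},
    "firewall": {"management": "10.0.0.5", "untrust": "10.0.1.5", "trust": "10.0.2.5"},
    # Per-subnet route table as (destination, target); target is a next-hop IP (firewall ENI) or "igw".
    "routes": {"trust": [("0.0.0.0/0", "10.0.2.5")], "untrust": [("0.0.0.0/0", "igw")]},
}

def aws_usable(ip, subnet):
    """True if ip is assignable in an AWS subnet: inside it, not one of the first four, not the last."""
    return (ip in subnet and int(ip) - int(subnet.network_address) >= 4
            and ip != subnet.broadcast_address)

def validate(block):
    """Return a list of findings; an empty list means the block keeps its security invariants."""
    findings = []
    vpc = ipaddress.ip_network(block["vpc"])
    subnets = {n: ipaddress.ip_network(c) for n, c in block["subnets"].items()}
    names = list(subnets)
    for i, a in enumerate(names):
        if not subnets[a].subnet_of(vpc):
            findings.append(f"{a} subnet {subnets[a]} is outside VPC {vpc}")
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    for zone, ip in block["firewall"].items():
        if not aws_usable(ipaddress.ip_address(ip), subnets[zone]):
            findings.append(f"firewall {zone} interface {ip} is not a usable address in {subnets[zone]}")
    # The trust default route must hand traffic to the firewall's trust interface; any other
    # target (an IGW in particular) means workloads reach the internet without inspection.
    trust_default = [t for d, t in block["routes"].get("trust", []) if d == "0.0.0.0/0"]
    if trust_default != [block["firewall"]["trust"]]:
        findings.append(f"trust default route targets {trust_default or 'nothing'}, expected firewall trust interface")
    for d, t in block["routes"].get("trust", []):
        if t == "igw":
            findings.append(f"trust route {d} -> igw bypasses the firewall")
    return findings

def trust_default_to(block, target):
    """Copy of block with the trust subnet's default route pointed at target (for what-if checks)."""
    variant = copy.deepcopy(block)
    variant["routes"]["trust"] = [(d, target if d == "0.0.0.0/0" else t) for d, t in variant["routes"]["trust"]]
    return variant
```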