Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automating Network Firewall Rule Creation using Powershell and CI/CD

218 views

Published on

Presentation for SANS Cloud Security Summit.

Topic: Network security automation

Managing firewall rules is a complex task. During this talk, we'll discuss one way to automate the creation and management of those firewall rules using PowerShell and a continuous integration and deployment (CI/CD) pipeline. The basis of the presentation is an actual customer implementation of this end-to-end process. We will discuss the requirements for the solution and how this solution was developed and has grown from proof of concept to production. Although the implementation is Azure-specific, the talk will be abstracted to showcase the feasibility of this approach across multiple clouds. Demos presented during the talk will showcase the PowerShell script and then the end-to-end workflow using Azure DevOps.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Automating Network Firewall Rule Creation using Powershell and CI/CD

  1. 1. Runner Belgian in the US Cloud Solution Architect @ Microsoft • Infrastructure • Networking • Open Source
  2. 2. DDoS protection Identity management Network security Application security Encryption
  3. 3. All major cloud providers offer a native L3/L4 firewall capability (Security Group) A set of network security rules to allow/deny network traffic into/out of instances • ~Like ACLs • Instance tagging – security groups • Stateful • An object Differences • AWS has 2 implementations: security groups and network ACL (stateless) • Azure allows IP-based and security group based rules mixed • Assigned to different levels: AWS is instance level, Azure is instance or subnet level, GCP is VPC level
  4. 4. Organic cloud adoption  structured cloud adoption Security review Micro- segmentation Catalyst: new customer- facing application coming live
  5. 5. Human error. What if we needed to do it all over again? What if this needs to repeated for a second region? We only had half a day to do this right.
  6. 6. We needed to decide Highly parallel Single API call Source code
  7. 7. Automation in step 1 in a DevOps Lifecycle. DevOps is the union of people, process, and products to enable continuous delivery of value to your end users. “ ” Build & Test Continuous Delivery Deploy Operate Monitor & Learn Plan & Track Develop
  8. 8. Read CSV input unsorted Creates per- subnet rules- hashtable Generates per-subnet IaC artifact Validates IaC artifact
  9. 9. Implemented 500 firewall rules in half a day Flexible way to adapt firewall rules afterwards Security review built-in to process Standard format for developers to request firewall changes Happy customer
  10. 10. https://github.com/NillsF/NSG-CSV-to-ARM

×