
Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds


Network analytics provides insight into the traffic flow between applications and endpoints. Telemetry data is streamed in real time from software sensors and network devices to big-data clusters. Implementing the policy to create a whitelist-based segmentation and zero-trust model requires automation when dealing with tens of thousands of workloads and complex rules.

This session examines how Cisco Tetration Analytics provides an accurate inventory of devices, software packages and version information to detect software vulnerabilities and implement a zero-trust policy model on network fabrics, firewalls and application delivery controllers.



  1. AUSTIN 2018: Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds
  2. Network analytics provides insight into the traffic flow between applications and endpoints. Telemetry data is streamed in real time from software sensors and network devices to big-data clusters. Implementing the policy to create a whitelist-based segmentation and zero-trust model requires automation when dealing with tens of thousands of workloads and complex rules. This session examines how Cisco Tetration Analytics provides an accurate inventory of devices, software packages and version information to detect software vulnerabilities and implement a zero-trust policy model on network fabrics, firewalls and application delivery controllers.
  3. o How did I get started using Ansible? Wrote NX-API module for Cisco Nexus switches
     o How long? Since January 2015
     o Favorite thing to do with Ansible? Mentor network engineers on infrastructure programmability
  4. o Joel W. King, Principal Architect, World Wide Technology, Research Triangle Park, NC
     o Experience: AMP Incorporated, Network Architect; Cisco, Cisco Validated Designs (CVDs); NetApp, Big Data: Video Surveillance Storage
     o Facts and Contact Info: CCIE 1846 (ret.); 2016 Phantom Cyber Hall of Fame; linkedin.com/in/programmablenetworks; @joelwking; joel.king@wwt.com
     DevNet Create 2018
  5. Agenda: Deploy Sensors | Dynamic Inventory | Tetration Network Policy Publisher | Resources
  6. [figure labels, top to bottom, each with its question]
     SHARE: Can you collaborate with trusted partners to disrupt adversary campaigns?
     ACT: Can you deploy proven countermeasures to evict and recover?
     TRACE: During an intrusion, can you observe adversary activity in real time?
     HUNT: Can you detect an adversary that is already embedded?
     BEHAVIORS: Can you detect adversary activity within your environment?
     THREATS: Who are your adversaries? What are their capabilities?
     TRIAGE: Can you accurately classify detection results?
     DETECTION: Can you detect unauthorized activity?
     TELEMETRY: Do you have visibility across your assets?
     INVENTORY: Can you name the assets you are defending?
     What is it doing? Should it? What's on my network?
  7. Automated whitelist policy | Zero-trust, application segmentation | Cisco Tetration Analytics, Illumio, VMware vRNI
  8. [figure] 1 telemetry agent installation | 2 inventory | 3 policy enforcement (iptables | firewall; publisher: kafka) | INVENTORY | NETWORK DEVICES
  9. [figure] Data Collection Layer: Cisco Tetration Analytics™ | NETWORKING [TELEMETRY ONLY] | Data Consumption Layer: REST API, KAFKA MESSAGE BUS
  10. o Deploy Software Sensors: setup_tetration_sensor.yml
      o Dynamic Inventory: inventory/sensors.py
      o Network Policy Publisher: library/tetration_network_policy.py
      [figure] PLUGINS | MODULES | ANSIBLE PLAYBOOK | DATA | REST API
      https://github.com/joelwking/ansible-tetration
  11. Deploy Sensors
  12. [figure] Data Collection Layer: Cisco Tetration Analytics™ 39-RU | 8-RU | SaaS (25,000 | 5,000 | 1,000); NETWORK INFRASTRUCTURE: NetFlow | ERSPAN; COMPUTE: VM Appliance or virtual appliance
  13. o Extensive matrix of Windows | Unix | Linux
      o Package and version dependencies, e.g. rpm (even in Ubuntu/Debian)
      o Different agent RPMs for …
      o Agent type, e.g. enforcement, visibility
      o Target system, e.g. CentOS 6.0 vs 7.0
      o Latest version covers 34 RPMs
      o Agent downloaded from GUI
  14. o Rather than PDF …
      o ./setup_tetration_sensor.yml
      [administrator@centos-ansible-1 ~]$ uname
      Linux
      [administrator@centos-ansible-1 ~]$ -r
      -bash: -r: command not found
      [administrator@centos-ansible-1 ~]$ uname -r
      3.10.0-862.el7.x86_64
      command: uname -r            value: 3.10.0-862.el7.x86_64
      command: cat /etc/shells     value: /bin/sh
      command: dmidecode -V        value: 3.0
      command: openssl version -a  value: OpenSSL 1.0.2k-fips
      command: cpio --version      value: cpio (GNU cpio) 2.11
      command: sed --version       value: sed (GNU sed) 4.2.2
      command: awk --version       value: GNU Awk 4.0.2
      command: flock -V            value: flock from util-linux 2.23.2
      command: iptables --version  value: iptables v1.4.21
      command: ipset --version     value: ipset v6.29
      ansible-tetration/setup_tetration_sensor.yml
  15. Dynamic Inventory
  16. [figure] ANSIBLE AUTOMATION ENGINE | CMDB | INVENTORY | HOSTS | NETWORK DEVICES | PLUGINS | CLI | MODULES | PUBLIC / PRIVATE CLOUD | CORE NETWORK | COMMUNITY | ANSIBLE PLAYBOOK
  17. [same figure, adding inventory plugins] NOW.PY | EC2.PY | VMWARE_FACTS
  18. [same figure, adding] Cisco Tetration Analytics™ SENSORS.PY: ansible-tetration/inventory/sensors.py
  19. $ ansible-inventory --host centos-ansible-1 -i ./inventory/sensors.py
      {
        "agent_type": "ENFORCER",
        "auto_upgrade_opt_out": false,
        "cpu_quota_mode": 1,
        "cpu_quota_usec": 30000,
        "current_sw_version": "2.3.1.41-1-enforcer",
        "data_plane_disabled": false,
        "enable_forensics": false,
        "enable_pid_lookup": false,
        "host_name": "centos-ansible-1",
        "interfaces": [
          {
            "family_type": "IPV4",
            "ip": "10.255.40.139",
            "mac": "00:50:56:b9:62:58",
            "name": "ens160",
            "netmask": "255.255.255.0",
            "vrf": "Default",
            "vrf_id": 1
          },
          [snip]
        ],
        "last_config_fetch_at": 1537905092,
        "last_software_update_at": 1535054507,
        "platform": "CentOS-7.5",
        "uuid": "965e77504bf605d62c575231fa3d56463aed38bf"
      }
  20. Tetration Network Policy Publisher
  21. [figure] 3 policy enforcement (iptables | firewall; publisher: kafka) | NETWORK DEVICES | INFRASTRUCTURE
  22. DevNet Create 2018: Export whitelist policy | GUI | SAVE AS [ JSON, XML or YAML ] | No SQL | ANSIBLE PLAYBOOK (python) | CISCO ACI NETWORK MODULES
      https://github.com/joelwking/ansible-aci/blob/master/aci_contracts_filters.yml
  23. Network Policy Publisher: ANSIBLE PLAYBOOK aci_create_filters.yml | BROKER (message publisher, policy subscription) | MODULES tetration_network_policy.py
      Alerts every minute for enforcement. Released in 2.3.1.41, April 2018.
  24. - name: Tetration Network Policy
        tetration_network_policy:
          broker: "192.0.2.1:9093"
          topic: "Tnp-2"
          cert_directory: "{{ playbook_dir }}/files/certificates/producer-tnp-2.cert/"
      https://github.com/joelwking/ansible-tetration/blob/master/aci_create_filters.yml 226
  25. Tetration Network Policy Kafka message(s): topic | partition | offset | key | value
      Message types: UPDATE_START | UPDATE | UPDATE_END
      value: Google Protocol Buffer (Network Policy); len( value ) == 8
  26. o AnsibleFest 2018: Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds https://github.com/joelwking/ansible-tetration
      o DevNetCreate 2018: Applying a whitelist policy generated by Cisco Tetration to an ACI network fabric. https://www.wwt.com/all-blog/devnet-create-2018/
      o Cisco Tetration Light-board: Cloud Workload Protection https://youtu.be/Hd56GVVr_AE
      o WWT AnsibleFest https://www.wwt.com/event/ansiblefest/
  27. David Goeckeler, EVP / GM of Cisco's Networking and Security: "… turning the whole network into essentially a big software system where you define your policy in one place … That policy gets translated into what you want the network to do, and then you have an automation layer that activates all of those changes across your network fabric." https://www.networkworld.com/article/3280959/lan-wan/cisco-s-david-goeckeler-talks-security-networking-software-and-sd-wan-outlook.html
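Slides 18 and 19 show the sensors.py dynamic inventory and the host variables it returns for one sensor. The script below is an added example in the same shape, not the ansible-tetration project's own code: the Tetration REST call is replaced by a constructed sensor list (an assumption) carrying the fields visible on slide 19, and it also builds groups that flag sensors whose data plane is disabled or that opted out of automatic upgrades, which is the inventory view a defender wants before pushing enforcement policy.

```python
import json
import re
import sys
# Constructed sample standing in for the Tetration sensors API response
# (assumption: only fields shown on slide 19 are modelled).
SENSORS = [
    {"host_name": "centos-ansible-1", "agent_type": "ENFORCER", "platform": "CentOS-7.5",
     "current_sw_version": "2.3.1.41-1-enforcer", "data_plane_disabled": False,
     "auto_upgrade_opt_out": False,
     "interfaces": [{"family_type": "IPV4", "ip": "10.255.40.139", "name": "ens160"}]},
    {"host_name": "web-2", "agent_type": "SENSOR", "platform": "Ubuntu-16.04",
     "current_sw_version": "2.3.1.41-1-sensor", "data_plane_disabled": True,
     "auto_upgrade_opt_out": True,
     "interfaces": [{"family_type": "IPV4", "ip": "10.255.40.140", "name": "eth0"}]},
]

def group_name(label):
    """Ansible group names: letters, digits and underscore only."""
    return re.sub(r"[^0-9A-Za-z_]", "_", label).lower()

def hostvars(sensor):
    """Variables a playbook sees for the host; ansible_host is the first IPv4."""
    v4 = [i["ip"] for i in sensor["interfaces"] if i["family_type"] == "IPV4"]
    return dict(sensor, ansible_host=v4[0] if v4 else sensor["host_name"])

def build_inventory(sensors):
    """Group sensors by agent type and platform, and flag those whose data plane
    is disabled (policy not enforced) or that opted out of automatic upgrades."""
    inv = {"_meta": {"hostvars": {}}}
    def add(group, host):
        inv.setdefault(group, {"hosts": []})["hosts"].append(host)
    for s in sensors:
        name = s["host_name"]
        inv["_meta"]["hostvars"][name] = hostvars(s)
        add(group_name("agent_" + s["agent_type"]), name)
        add(group_name("platform_" + s["platform"]), name)
        if s["data_plane_disabled"]:
            add("enforcement_disabled", name)
        if s["auto_upgrade_opt_out"]:
            add("upgrade_opt_out", name)
    return inv

def main(argv):  # the two calls Ansible makes: --list and --host <name>
    inv = build_inventory(SENSORS)
    if len(argv) > 2 and argv[1] == "--host":
        print(json.dumps(inv["_meta"]["hostvars"].get(argv[2], {}), indent=2))
    else:
        print(json.dumps(inv, indent=2))
if __name__ == "__main__":
    main(sys.argv)
```

Run it as `ansible-inventory -i ./this_script.py --list` (or `--host web-2`) to see the same JSON shape the slide shows; targeting `enforcement_disabled` in a playbook is one way to review hosts before a policy push.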
