OPEN MSA
Network & Security Automation Made Easy
DevDay
Bengaluru, Sep 19th 2018
Who are we?
John Collins, VP of Engineering, UBiqube
• John is the VP of Engineering at UBiqube, leading a global team of development, QA, support, and R&D engineers who are building a uniquely innovative product in the networked device management space.
• He is an experienced leader of software engineering teams who loves to work with smart people on difficult problems, applying the latest technologies and best practices.
• He is very passionate about open source, DevOps, and all aspects of IT automation.
Naveen Kumar, Senior Solutions Architect, UBiqube
• Naveen Kumar is passionate about solving challenges in the networking and security domains: reducing time to market for new services and designing fully automated orchestration solutions for legacy, virtualized and hybrid infrastructures and domains using DevOps.
• As a Senior Solutions Architect at UBiqube, Naveen engages customers, trains developers on MSActivator, UBiqube's DevOps orchestrator, and is actively involved in the OpenMSA community helping contributors. Prior to joining UBiqube, Naveen was a STB software stack developer at Cisco India.
Welcome!
Objectives:
○ Learn how to use Microservices and Workflows on the
OpenMSA through real-world examples
○ Empower attendees to use the OpenMSA to perform
Networking and Security automation and
orchestration
○ Connect with other people who work through similar
issues and processes
Some definitions
Device – any node (device, controller or appliance) that can be managed by the MSA.
Device adaptor – a code module that enables the MSA to communicate with a specific device type.
Microservice – a set of standard methods (CREATE, DELETE, IMPORT, UPDATE, etc.) that enables the MSA to manage a particular service on a device in a vendor-neutral way.
Workflow – a set of scripted processes, triggered either manually or by an alarm, that are typically used to orchestrate and manage services in an automated way.
The Agenda
13:00 OpenMSA Overview & Positioning
Walkthrough of OpenMSA
14:00 Hands-on Session #1: Microservices
How to do element management by designing microservices
Typical use case: Provision security and networking rules to control traffic flow
Followed by Q&A
15:30 Break
16:00 Hands-on Session #2: Workflows
Automate network configurations and orchestrate security services
Typical use case: Automate the security policy configuration on multiple devices
Followed by Q&A
17:30 Summary
The benefits of joining the OpenMSA Community and where it is headed
18:00 Buffet Dinner
What should I do if I have questions during the session?
Can I submit them online?
Questions
Please raise your hand at any time to ask questions
Why use the OpenMSA?
What differentiates it?
The OpenMSA Community
• Open forum for networking and security automation
• Knowledge-based tools and applications to empower
developers and network engineers
• Vendor-agnostic, multi-domain solutions
• The OpenMSA is available at no charge for
community members
• Available at http://www.openmsa.co/.
• Open source development modules available on
GitHub
Community Overview
What’s on GitHub?
Is it free?
On GitHub
• Open Source Core engine
• Open Source Adaptors (developed by the Community)
• Workflow examples
• Microservice examples
https://github.com/openmsa
Does the OpenMSA allow for automated provisioning and policy configuration?
Orchestration with the OpenMSA
[Diagram: the operator drives automated processes from a single pane of glass, builds their own objects for any vendor and domain (industrial, IoT, ...), and shares them with the GitHub community.]
Can I deploy and use the OpenMSA on AWS?
OpenMSA on AWS
After the AMI is deployed, is there anything to configure?
Configuring the OpenMSA
• Use the public IP of the instance and access http://<PUBLIC_IP>:3577/config.xml (socconfig/b5ty9uvh4)
• Configure the following:
• System name
• Company information
• Management interface: enable NAT and use the public IP assigned to the AWS instance
• Disable: backup, maintenance interface, etc.
More details available online: https://www.openmsa.co/documentation/getting-started-with-the-openmsa-freeware/
How do I install modules from GitHub?
OpenMSA: The DevOps Way
GitHub.com/openmsa/Workflows-Microservices
# git clone https://github.com/openmsa/Workflows-Microservices.git OpenMSA
[root@DEV-OPENMSA]# ll /opt/fmc_repository/CommandDefinition/
total 60
drwxr----- 4 ncuser ncuser 4096 Nov 15 11:22 LINUX
lrwxrwxrwx 1 ncuser ncuser 25 Feb 23 10:37 OpenMSA -> ../OpenMSA/MICROSERVICES/
drwxr----- 16 ncuser ncuser 4096 Apr 12 14:28 Reference
(Clone the repository, then point a symlink in CommandDefinition at the MICROSERVICES directory of the cloned OpenMSA repository.)
Is the OpenMSA multi-tenant?
What kind of entities / objects does the OpenMSA have?
OpenMSA Multi-Tenancy
Advanced Product Demo
Create a customer and manage a Fortigate and a Linux firewall
Automation and Orchestration via Workflows
✓ Provide automation of operations
✓ Open work-flow builder
Automated operation (simplified standardized interfaces); reduced time to set up and less error prone.
[Diagram: the Workflow Manager runs Task1 "Get floating IP", Task2 "Create VNF", Task3 "Create device in DB" and Task4 "Push initial configuration" against OpenStack and Device A, Device B, ... Device X.]
Define services by combination of processes and tasks: the work-flow consists of tasks, and the business logic is a reusable definition written in simple PHP.
[Diagram: ① Service (e.g. VM Management, triggered from a Customer Order System) → ② Process (Create VNF, Update VNF, Delete VNF) → ③ Task.]
Advanced Product Demo
How to provide secure access to a web server
The Lab: Initial Setup
[Diagram: Corporate Application Server (JIRA), Linux vFW, Fortigate vFW and Public Web Server (OpenMSA), all attached to the Internet. Flows shown: corporate access to internal resources, public access to the web server, operator access for device management. Initial state: No Connectivity.]
The Lab: Detailed Setup
[Diagram: the same lab topology (Corporate Application Server (JIRA), Linux vFW, Fortigate vFW, Public Web Server (OpenMSA), Internet; corporate, public and operator access flows; No Connectivity), with each node annotated with its lab IP address.]
I want to create a firewall rule to enable access to the web server. I don’t know Fortigate CLI and I’m not a Linux expert. How can the OpenMSA help?
Design & Abstraction
[Diagram: the lab topology, with Microservices used to configure a firewall policy and a NAT rule.]
The Lab: Microservices Configuring a NAT
The Lab: Connectivity is Established
[Diagram: the lab topology, now with connectivity established through the Microservices.]
I want to automate the web server access control. How can I do that?
Design & Abstraction
The Lab: Configuring the Policies
[Diagram: the lab topology, with a Workflow driving Microservices to configure IP-based filtering on multiple network elements.]
The Lab: Filtering Policies Configured
[Diagram: the lab topology with the filtering policies in place.]
Part 2: coding
Up Next
Coding Exercises #1:
Microservices
Use Case Overview
End-customer or MSSP (Managed Security Service Provider) needs to be able to:
• Use a simple, multi-vendor, automated tool
• Implement basic network security policies
High-Level Requirements
• The operator should have the option to protect IT resources
(e.g. public or corporate servers, like ticketing systems, web
servers, etc.) with a firewall
• The firewalls should not be limited to a single vendor
• The operator should benefit from a single management pane
for all operations, from policy provisioning, to monitoring
and reporting
• Configuring the firewall should be as simple as possible
The Lab: Typical Infrastructure
[Diagram: the lab topology (Corporate Application Server (JIRA), Linux vFW, Fortigate vFW, Public Web Server (OpenMSA), Internet) with corporate, public and operator access flows.]
Specifications for a Simple Firewall
• The user (operator or end-customer) must be able to
specify an IP address and a service (network port number)
on the OpenMSA console
• The user must be able to select a group of firewalls to
configure
• The OpenMSA will use the two parameters IP + port to
automatically configure the firewalls selected by the user
Detailed Design: Typical Infrastructure
[Diagram: the lab topology with operator access for device management. Steps: the operator enters IP + port on the OpenMSA portal; the OpenMSA builds the vendor-specific configuration; the OpenMSA automates the configuration.]
Firewall Implementation on Linux
• Based on Linux iptables
• Takes an IP and a port as parameters
Create a rule:
sudo iptables -A INPUT -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
sudo iptables -A FORWARD -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
Get the list of rules:
iptables -L INPUT -n | grep -v Chain | grep -v target
Returns:
DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:
DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:80
Firewall Implementation on Fortigate
• Based on FGT firewall policy, address and service objects
• Takes an IP and a port as parameters
config firewall address
    edit "<IP TO BLOCK>"
        set subnet <IP TO BLOCK> 255.255.255.255
    next
end
config firewall service custom
    edit "<PORT TO BLOCK>"
        set tcp-portrange <PORT TO BLOCK>:<PORT TO BLOCK>
    next
end
config firewall policy
    edit {$params.object_id}
        set name "<IP TO BLOCK>:<PORT TO BLOCK>"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "<IP TO BLOCK>"
        set dstaddr "VIP-PUB-WEB-SERVER"
        set service "<PORT TO BLOCK>"
    next
end
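As an added example (not code from the slides or from the OpenMSA project), the two vendor implementations above in Python: validation of the operator's IP + port, CREATE/DELETE rendering for the Linux and Fortigate vFWs, and the IMPORT step that parses `iptables -L INPUT -n` output back into rules. The address object name, the `set schedule` / `set action` lines, the delete ordering and the sample listing are assumptions of this example, not from the slides.

```python
"""Vendor-neutral "block IP + port" rule rendered for the two lab firewalls,
plus the IMPORT step.  Added example, not OpenMSA / UBiqube code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRule:
    """The two parameters the operator enters on the OpenMSA portal."""
    ip: str
    port: int


def validate_rule(ip: str, port) -> BlockRule:
    """Accept only a bare IPv4 literal and a TCP port number.

    Both values are interpolated into shell and FortiOS command text, so
    strict validation is what stops an operator-entered string from turning
    into extra commands on the device."""
    addr = ipaddress.ip_address(ip)            # ValueError on anything else
    if addr.version != 4:
        raise ValueError("these templates only handle IPv4 addresses")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return BlockRule(str(addr), port)


# --- Linux vFW: CREATE appends (-A), DELETE removes the matching rule (-D) ---
def linux_commands(rule: BlockRule, action: str = "CREATE") -> list[str]:
    flag = {"CREATE": "-A", "DELETE": "-D"}[action]
    return [
        f"sudo iptables {flag} {chain} -p tcp --dport {rule.port} -s {rule.ip} -j DROP"
        for chain in ("INPUT", "FORWARD")
    ]


# One line of `iptables -L INPUT -n` output (after the slide's grep filters).
IPTABLES_DROP = re.compile(
    r"^DROP\s+tcp\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+tcp\s+dpt:(?P<port>\d+)$"
)

# Constructed sample of that output (TEST-NET addresses, not the lab's).
SAMPLE_LISTING = """\
DROP       tcp  --  192.0.2.10           0.0.0.0/0            tcp dpt:22
DROP       tcp  --  192.0.2.10           0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3577
"""


def linux_import(listing: str) -> list[BlockRule]:
    """IMPORT: rebuild the rule set from the device's running configuration.

    Lines that are not our own DROP-by-source-and-port rules (ACCEPT rules,
    headers, rules with a narrower destination) are skipped, not mis-parsed."""
    rules = []
    for line in listing.splitlines():
        m = IPTABLES_DROP.match(line.strip())
        if m and m.group("dst") == "0.0.0.0/0":
            rules.append(BlockRule(m.group("src"), int(m.group("port"))))
    return rules


# --- Fortigate vFW: address + service + policy objects, as on the slide ---
def fortigate_create(rule: BlockRule, object_id: int) -> str:
    # Assumptions beyond the slide: the address object is named after the IP
    # so the policy's `set srcaddr` resolves, and `schedule` / `action` are
    # stated explicitly (FortiOS requires a schedule; deny is the default).
    return "\n".join([
        "config firewall address",
        f'    edit "{rule.ip}"',
        f"        set subnet {rule.ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall service custom",
        f'    edit "{rule.port}"',
        f"        set tcp-portrange {rule.port}:{rule.port}",
        "    next",
        "end",
        "config firewall policy",
        f"    edit {object_id}",
        f'        set name "{rule.ip}:{rule.port}"',
        '        set srcintf "port1"',
        '        set dstintf "port2"',
        f'        set srcaddr "{rule.ip}"',
        '        set dstaddr "VIP-PUB-WEB-SERVER"',
        f'        set service "{rule.port}"',
        '        set schedule "always"',
        "        set action deny",
        "    next",
        "end",
    ])


def fortigate_delete(rule: BlockRule, object_id: int) -> str:
    # Order matters: FortiOS refuses to delete an address or service object
    # while a policy still references it, so the policy goes first.
    return "\n".join([
        "config firewall policy", f"    delete {object_id}", "end",
        "config firewall service custom", f'    delete "{rule.port}"', "end",
        "config firewall address", f'    delete "{rule.ip}"', "end",
    ])
```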
Implementation of Microservices on Linux
Step 1: Create a new Microservice in the repository
Step 2: Implement the CREATE command
Step 3: Implement the DELETE command
Step 4: Implement the IMPORT command
Step 5: Test and check the Linux vFW via the Command Line Interface
Implementation of Microservices on Linux I
Step 1: Create a new Microservice in the repository
Implementation of Microservices on Linux II
Step 2: Implement the CREATE command
Implementation of Microservices on Linux III
Step 3: Implement the DELETE command
Implementation of Microservices on Linux IV
Step 4: Implement the IMPORT command
Implementation of Microservices on Linux V
Step 5:
Test and check the Linux vFW via the Command Line Interface
Implementation of Microservices on Fortigate
Step 1: Create a new Microservice in the repository
Step 2: Implement the CREATE command
Step 3: Implement the DELETE command
Step 4: Implement the IMPORT command
Step 5: Test and check the Fortigate vFW via its management GUI
Implementation of Microservices on Fortigate I
Step 1: create a new Microservice in the repository
Implementation of Microservices on Fortigate II
Step 2: Implement the CREATE command
Implementation of Microservices on Fortigate III
Step 3: Implement the DELETE command
Implementation of Microservices on Fortigate IV
Step 4: Implement the IMPORT command
Implementation of Microservices on Fortigate V
Step 5: Test and check the Fortigate vFW via its management GUI
Q&A
Up Next
Coding Exercises #2:
Workflow
Simple Firewall Workflow
• The user selects one or several firewalls to manage
• The user enters a new security rule (IP and port) to block
• The user selects an existing security rule and deletes it
from the firewall configuration
Implementation of Workflows
• Step 1: Define the parameters:
• List of firewall devices
• Rule ID / Rule IP / Rule Port
• Array of (Rule ID / Rule IP / Rule Port)
• Step 2: Implement the process to instantiate a new service
• Step 3: Implement the process to delete the service
• Step 4: Implement the process to configure a new security policy
• Step 5: Implement the process to remove existing security policies
Implementation of Workflows I
Step 1: Define the parameters
Implementation of Workflows II
Step 2: Implement the process to instantiate a new service
Implementation of Workflows III
Step 3: Implement the process to delete the service
Implementation of Workflows IV
Step 4: Implement the process to configure a new security policy
Implementation of Workflows V
Step 5: Implement the process to remove existing security policies
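An added example (not code from the slides or from MSActivator, whose workflows are written in PHP) that walks the five workflow steps above in Python: the context holding the device list and the rules array, and the instantiate / delete / configure / remove processes run against stub adaptors that only record the CREATE and DELETE microservice calls. The StubAdaptor, the per-device "applied" bookkeeping and the device names are assumptions of this example.

```python
"""Simple Firewall Workflow: parameters, processes and per-device state.
Added example, not OpenMSA / UBiqube code."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: int
    ip: str
    port: int


class StubAdaptor:
    """Hypothetical stand-in for a device adaptor; the real one would run the
    Linux or Fortigate microservice.  reachable=False simulates a failed push."""
    def __init__(self, device_id: str, reachable: bool = True):
        self.device_id, self.reachable, self.calls = device_id, reachable, []

    def run(self, command: str, rule: Rule) -> bool:
        self.calls.append((command, rule.ip, rule.port))
        return self.reachable


@dataclass
class WorkflowContext:
    """Step 1: the workflow parameters."""
    devices: list[str]                                   # firewalls the user selected
    rules: list[Rule] = field(default_factory=list)      # array of (ID, IP, port)
    applied: dict[int, set[str]] = field(default_factory=dict)  # rule_id -> devices that confirmed
    next_id: int = 1


def instantiate_service(selected_devices: list[str]) -> WorkflowContext:
    """Step 2: a new service instance for one group of firewalls (deduplicated)."""
    if not selected_devices:
        raise ValueError("select at least one firewall")
    return WorkflowContext(devices=list(dict.fromkeys(selected_devices)))


def configure_policy(ctx: WorkflowContext, adaptors: dict[str, StubAdaptor],
                     ip: str, port: int) -> Rule:
    """Step 4: push a new IP + port block to every selected device.

    A rule is recorded per device only when that device acknowledged it, so a
    later DELETE never targets a rule that was never installed and the
    operator can see which firewalls are out of sync."""
    rule = Rule(ctx.next_id, ip, port)
    ctx.next_id += 1
    ctx.rules.append(rule)
    ctx.applied[rule.rule_id] = {d for d in ctx.devices if adaptors[d].run("CREATE", rule)}
    return rule


def remove_policy(ctx: WorkflowContext, adaptors: dict[str, StubAdaptor],
                  rule_id: int) -> set[str]:
    """Step 5: delete an existing rule; returns the devices where removal failed."""
    matches = [r for r in ctx.rules if r.rule_id == rule_id]
    if not matches:
        raise KeyError(f"unknown rule id {rule_id}")
    rule = matches[0]
    still_present = {d for d in ctx.applied[rule_id] if not adaptors[d].run("DELETE", rule)}
    ctx.applied[rule_id] = still_present
    if not still_present:                 # only forget the rule once no device has it
        ctx.rules.remove(rule)
        del ctx.applied[rule_id]
    return still_present


def delete_service(ctx: WorkflowContext, adaptors: dict[str, StubAdaptor]) -> bool:
    """Step 3: tear the service down, removing every policy it owns first.
    Returns True only if nothing was left behind on any device."""
    for rule in list(ctx.rules):
        remove_policy(ctx, adaptors, rule.rule_id)
    return not ctx.rules


def out_of_sync(ctx: WorkflowContext) -> dict[int, set[str]]:
    """Rules that some selected device should carry but did not confirm
    (input for the monitoring / reporting pane)."""
    return {r.rule_id: set(ctx.devices) - ctx.applied[r.rule_id]
            for r in ctx.rules if set(ctx.devices) - ctx.applied[r.rule_id]}
```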
Test Your Workflow I
Use the new workflow to configure simple firewall rules on multiple devices, and verify that access to the web servers can be blocked:
• http://54.92.22.191/jira.html
• http://54.65.133.122/openmsa.html
Thank You
For Attending

Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Bangalore OpenMSA DevDay - September 19, 2018

  • 5. The Agenda 13:00 OpenMSA Overview & Positioning Walkthrough of OpenMSA 14:00 Hands-on Session #1: Microservices How to do element management by designing microservices Typical use case: Provision security and networking rules to control traffic flow Followed by QA 15:30 Break 16:00 Hands-on Session #2: Workflows Automate network configurations and orchestrate security services Typical use case: Automate the security policy configuration on multiple devices Followed by QA 17:30 Summary The benefits of joining the OpenMSA Community and where it is headed 18:00 Buffet Dinner 5
  • 6. What should I do if I have questions during the session? Can I submit them online? Questions Please raise your hand at any time to ask questions
  • 7. Why use the OpenMSA? What differentiates it?
  • 8.
  • 9. The OpenMSA Community 9 • Open forum for networking and security automation • Knowledge-based tools and applications to empower developers and network engineers • Vendor-agnostic, multi-domain solutions • The OpenMSA is available at no charge for community members • Available at http://www.openmsa.co/. • Open source development modules available on GitHub
  • 12. On GitHub 12 • Open Source Core engine • Open Source Adaptors (developed by the Community) • Workflow examples • Microservice examples https://github.com/openmsa
  • 13. Does the OpenMSA allow for automated provisioning and policy configuration?
  • 14. Industrial IoT Orchestration with the OpenMSA AUTOMATED PROCESSES SINGLE PANE OF GLASS SHARE WITH GITHUB COMMUNITY BUILD YOUR OWN OBJECT FOR ANY VENDOR & DOMAIN OPERATOR
  • 15. Can I deploy and use the OpenMSA on AWS?
  • 17. After the AMI is deployed, is there anything to configure?
  • 18. Configuring the OpenMSA 18 • Use the public IP of the instance and access • http://<PUBLIC_IP>:3577/config.xml (socconfig/b5ty9uvh4) • Configure the following: • System name • Company information • Management interface: Enable NAT and use the public IP assigned to the AWS instance • Disable: Backup, maintenance interface, etc. More details available online: https://www.openmsa.co/documentation/getting-started-with-the-openmsa-freeware/
  • 19. How do I install modules from GitHub?
  • 20. OpenMSA: The DevOps Way GitHub.com/openmsa/ openmsa/Workflows-Microservices
    # git clone https://github.com/openmsa/Workflows-Microservices.git
    OpenMSA [root@DEV-OPENMSA]# ll /opt/fmc_repository/CommandDefinition/
    total 60
    drwxr----- 4 ncuser ncuser 4096 Nov 15 11:22 LINUX
    lrwxrwxrwx 1 ncuser ncuser 25 Feb 23 10:37 OpenMSA -> ../OpenMSA/MICROSERVICES/
    drwxr----- 16 ncuser ncuser 4096 Apr 12 14:28 Reference
    (clone, then symlink to the OpenMSA repository)
  • 21. Is the OpenMSA multi-tenant? What kind of entities / objects does the OpenMSA have?
  • 23. Advanced Product Demo Create a customer and manage a Fortigate and a Linux firewall
  • 24. Automation and Orchestration via Workflows ✓ Provide automation of operations ✓ Open work-flow builder Automated operation (simplified standardized interfaces) Reduced time to setup and less error prone Workflow Manager Task1 Get floating IP Task2 Create VNF Task3 Create device in DB Task4 Push initial configuration Openstack Device A Device B Device X・・・ Define services by combination of processes and tasks The work-flow consisting of tasks Reusable definition of the business-logic written in simple PHP ① Service ② Process ③ TaskCustomer Order System VM Management Create VNF Update VNF Delete VNF
  • 25. Advanced Product Demo How to provide secure access to a web server
  • 26. The Lab: Initial Setup Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet No Connectivity
  • 27. The Lab: Detailed Setup Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet No Connectivity 54.92.22.191 54.65.133.122 10.1.0.127 10.1.0.235 10.0.0.104 10.0.0.71 10.1.0.10 18.182.220.25 10.1.0.236
  • 28. I want to create a firewall rule to enable access to the web server. I don’t know Fortigate CLI and I’m not a Linux expert. How can the OpenMSA help?
  • 30. Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet Microservices Use Microservice to configure a firewall policy and a NAT rule The Lab: Microservices Configuring a NAT
  • 31. The Lab: Connectivity is Established Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet Microservices
  • 32. I want to automate the web server access control. How can I do that?
  • 34. The Lab: Configuring the Policies Workflow Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet Microservices Use Microservice and Workflow to configure IP based filtering on multiple network elements
  • 35. The Lab: Filtering Policies Configured Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet
  • 37. Up Next Coding Exercises #1: Microservices
  • 38. Use Case Overview End-customer or MSSP (Managed Security Service Provider) needs to be able to: • Use a simple, multi-vendor, automated tool • Implement basic network security policies
  • 39. High-Level Requirements • The operator should have the option to protect IT resources (e.g. public or corporate servers, like ticketing systems, web servers, etc.) with a firewall • The firewalls should not be limited to a single vendor • The operator should benefit from a single management pane for all operations, from policy provisioning, to monitoring and reporting • Configuring the firewall should be as simple as possible
  • 40. The Lab: Typical Infrastructure Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Internet Corporate access to internal resources Public access to web server Operator access for device management Internet Internet
  • 41. Specifications for a Simple Firewall • The user (operator or end-customer) must be able to specify an IP address and a service (network port number) on the OpenMSA console • The user must be able to select a group of firewalls to configure • The OpenMSA will use the two parameters IP + port to automatically configure the firewalls selected by the user
  • 42. Detailed Design: Typical Infrastructure Corporate Application Server (JIRA) Linux vFW Fortigate vFW Public Web Server (OpenMSA) Operator access for device management Internet OpenMSA builds vendor-specific configuration Operator enters IP + port on the OpenMSA portal OpenMSA automates the configuration
  • 43. Firewall Implementation on Linux • Based on Linux IPtables • Takes an IP and a port as parameters
    Create a rule:
      sudo iptables -A INPUT -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
      sudo iptables -A FORWARD -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
    Get the list of rules:
      iptables -L INPUT -n | grep -v Chain | grep -v target
    Returns:
      DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:
      DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:80
  • 44. Firewall Implementation on Fortigate • Based on FGT firewall policy, address and service • Takes an IP and a port as parameters
    config firewall address
      edit "123"
        set subnet <IP TO BLOCK> 255.255.255.255
      next
    end
    config firewall service custom
      edit "<PORT TO BLOCK>"
        set tcp-portrange <PORT TO BLOCK>:<PORT TO BLOCK>
      next
    end
    config firewall policy
      edit {$params.object_id}
        set name "<IP TO BLOCK>:<PORT TO BLOCK>"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "<IP TO BLOCK>"
        set dstaddr "VIP-PUB-WEB-SERVER"
        set service "<PORT TO BLOCK>"
      next
    end
  • 45. Implementation of Microservices on Linux Step 1: Create a new Microservice in the repository Step 2: Implement the CREATE command Step 3: Implement the DELETE command Step 4: Implement the IMPORT command Step 5: Test and check the Linux vFW via the Command Line Interface
  • 46. Implementation of Microservices on Linux I Step 1: Create a new Microservice in the repository
  • 47. Implementation of Microservices on Linux II Step 2: Implement the CREATE command
  • 48. Implementation of Microservices on Linux III Step 3: Implement the DELETE command
  • 49. Implementation of Microservices on Linux IV Step 4: Implement the IMPORT command
  • 50. Implementation of Microservices on Linux V Step 5: Test and check the Linux vFW via the Command Line Interface
  • 51. Implementation of Microservices on Fortigate Step 1: Create a new Microservice in the repository Step 2: Implement the CREATE command Step 3: Implement the DELETE command Step 4: Implement the IMPORT command Step 5: Test and check the Fortigate vFW via its management GUI
  • 52. Implementation of Microservices on Fortigate I Step 1: create a new Microservice in the repository
  • 53. Implementation of Microservices on Fortigate II Step 2: Implement the CREATE command
  • 54. Implementation of Microservices on Fortigate III Step 3: Implement the DELETE command
  • 55. Implementation of Microservices on Fortigate IV Step 4: Implement the IMPORT command
  • 56. Implementation of Microservices on Fortigate V Step 5: Test and check the Fortigate vFW via its management GUI
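An added example, written in Python and not OpenMSA's own microservice code (the deck shows those as CLI templates), of what the CREATE, DELETE and IMPORT commands of slides 43 to 56 have to do for the Linux and Fortigate vFWs: render the vendor-specific configuration from the two operator-entered parameters, validate those parameters before they are substituted into a device CLI, and parse the iptables listing back into rule objects. The listing is constructed; the Fortigate address-object name and the `object_id` value are assumptions.

```python
import ipaddress
import re

# Constructed sample of the Linux vFW listing used by IMPORT on slide 43:
#   iptables -L INPUT -n | grep -v Chain | grep -v target
SAMPLE_LISTING = """\
DROP       tcp  --  92.103.182.20        0.0.0.0/0            tcp dpt:22
DROP       tcp  --  92.103.182.20        0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  10.1.0.0/24          0.0.0.0/0
"""

def validate_params(ip, port):
    """The IP and port are typed on the OpenMSA console and substituted into
    device CLI templates, so accept only a plain IPv4 address and a TCP port."""
    addr = ipaddress.IPv4Address(ip)           # ValueError on anything else
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(addr), port

def linux_rule(action, ip, port):
    """CREATE (action='-A') or DELETE (action='-D') on the Linux vFW:
    the INPUT and FORWARD iptables lines of slide 43."""
    ip, port = validate_params(ip, port)
    return [f"sudo iptables {action} {chain} -p tcp --dport {port} -s {ip} -j DROP"
            for chain in ("INPUT", "FORWARD")]

def fortigate_create(object_id, ip, port):
    """CREATE on the Fortigate vFW (slide 44). Assumption: the address
    object is named after the IP so that 'set srcaddr' can reference it."""
    ip, port = validate_params(ip, port)
    return "\n".join([
        f'config firewall address\nedit "{ip}"\n'
        f'set subnet {ip} 255.255.255.255\nnext\nend',
        f'config firewall service custom\nedit "{port}"\n'
        f'set tcp-portrange {port}:{port}\nnext\nend',
        f'config firewall policy\nedit {object_id}\nset name "{ip}:{port}"\n'
        f'set srcintf "port1"\nset dstintf "port2"\nset srcaddr "{ip}"\n'
        f'set dstaddr "VIP-PUB-WEB-SERVER"\nset service "{port}"\nnext\nend',
    ])

# One DROP line of the listing: target proto -- source destination 'tcp dpt:N'
RULE_RE = re.compile(r"^DROP\s+tcp\s+--\s+(\S+)\s+\S+\s+tcp dpt:(\d+)\s*$")

def linux_import(listing):
    """IMPORT on the Linux vFW: turn the listing into rule objects keyed
    by 'ip:port'; lines that are not our DROP rules are ignored."""
    rules = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            rules[f"{ip}:{port}"] = {"ip": ip, "port": port}
    return rules
```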
  • 57. Q&A
  • 58. Up Next Coding Exercises #2: Workflow
  • 59. Simple Firewall Workflow • The user selects one or several firewalls to manage • The user enters a new security rule (IP and port) to block • The user selects an existing security rule and deletes it from the firewall configuration
  • 60. Implementation of Workflows • Step 1: Define the parameters: • List of firewall devices • Rule ID / Rule IP / Rule Port • Array of (Rule ID / Rule IP / Rule Port) • Step 2: Implement the process to instantiate a new service • Step 3: Implement the process to delete the service • Step 4: Implement the process to configure a new security policy • Step 5: Implement the process to remove existing security policies
  • 61. Implementation of Workflows I Step 1: Define the parameters
  • 62. Implementation of Workflows II Step 2: Implement the process to instantiate a new service
  • 63. Implementation of Workflows III Step 3: Implement the process to delete the service
  • 64. Implementation of Workflows IV Step 4: Implement the process to configure a new security policy
  • 65. Implementation of Workflows V Step 5: Implement the process to remove existing security policies
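An added example of the five workflow steps above, written in Python rather than the PHP of a real OpenMSA workflow: a service instance holding the firewall list and the rule array, with the policy process fanning out to every selected firewall and recording exactly where each rule took effect. The device objects are constructed stand-ins for the Linux and Fortigate microservices; one is made unreachable to show the partial-failure case.

```python
import itertools

class FakeFirewall:
    """Constructed stand-in for a managed device: it records the rules its
    CREATE/DELETE microservice applied instead of talking to a real vFW."""
    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.rules = name, reachable, set()
    def create(self, ip, port):
        if not self.reachable:
            raise RuntimeError(f"{self.name}: device unreachable")
        self.rules.add((ip, port))
    def delete(self, ip, port):
        self.rules.discard((ip, port))

class SimpleFirewallService:
    """One service instance: the firewall list and the rule array (Step 1)."""
    def __init__(self, firewalls):                  # Step 2: instantiate
        self.firewalls = list(firewalls)
        self.rules = {}                             # rule_id -> {ip, port, applied_on}
        self._ids = itertools.count(1)

    def add_policy(self, ip, port):                 # Step 4: new security policy
        """Push the rule to every selected firewall. A device that fails is
        reported and the rule records only where it is actually in force,
        so the operator sees a partial result rather than a false success."""
        rule_id = next(self._ids)
        applied, errors = [], {}
        for fw in self.firewalls:
            try:
                fw.create(ip, port)
                applied.append(fw.name)
            except RuntimeError as exc:
                errors[fw.name] = str(exc)
        self.rules[rule_id] = {"ip": ip, "port": port, "applied_on": applied}
        return rule_id, errors

    def remove_policy(self, rule_id):               # Step 5: remove a policy
        """Delete the rule only from the devices where it was applied."""
        rule = self.rules.pop(rule_id)
        for fw in self.firewalls:
            if fw.name in rule["applied_on"]:
                fw.delete(rule["ip"], rule["port"])
        return rule

    def delete_service(self):                       # Step 3: delete the service
        """Remove every policy still held before the instance goes away,
        so no orphaned DROP rules stay behind on the firewalls."""
        for rule_id in list(self.rules):
            self.remove_policy(rule_id)
        return not self.rules
```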
  • 66. Test Your Workflow I Use the new workflow to configure simple firewall rules on multiple devices, and verify that the access to the web servers can be blocked • http://54.92.22.191/jira.html • http://54.65.133.122/openmsa.html