Breaking the Kubernetes Kill Chain: Host Path Mount
Bangalore OpenMSA DevDay - September 19, 2018
1. OPEN MSA
Network & Security Automation Made Easy
DevDay
Bengaluru, Sep 19th 2018
2. Who are we?
John Collins, VP of Engineering, Ubiqube
• John is the VP of Engineering at UBiqube, leading a global team of development, QA,
support, and R&D engineers who are building a uniquely innovative product in the
networked device management space.
• He is an experienced leader of software engineering teams, loves to work with smart
people on difficult problems, applying the latest technologies and best practices.
• He is very passionate about open source, DevOps, and all aspects of IT automation.
Naveen Kumar, Senior Solutions Architect, Ubiqube
• Naveen Kumar is passionate about solving challenges in the networking and security
domains: reducing time to market for new services and designing fully automated
orchestration solutions for legacy, virtualized and hybrid infrastructures and domains
using DevOps.
• As a Senior Solutions Architect at UBiqube, Naveen engages customers, trains
developers on MSActivator (UBiqube's DevOps orchestrator), and is actively involved
in the OpenMSA community helping contributors. Prior to joining UBiqube, Naveen
was a STB software stack developer at Cisco India.
3. Welcome!
Objectives:
○ Learn how to use Microservices and Workflows on the
OpenMSA through real-world examples
○ Empower attendees to use the OpenMSA to perform
Networking and Security automation and
orchestration
○ Connect with other people who work through similar
issues and processes
4. Some definitions
Device – any node (devices/controllers/appliances) that can be managed by the MSA.
Device adaptor – a code module that enables MSA to communicate with a specific device type.
Microservice – a set of standard methods (CREATE, DELETE, IMPORT, UPDATE etc.) that enables
MSA to manage a particular service on a device in a vendor-neutral way.
Workflow – a set of scripted processes, triggered either manually or by an alarm, that
is typically used to orchestrate and manage services in an automated way.
5. The Agenda
13:00 OpenMSA Overview & Positioning
Walkthrough of OpenMSA
14:00 Hands-on Session #1: Microservices
How to do element management by designing microservices
Typical use case: Provision security and networking rules to control traffic flow
Followed by QA
15:30 Break
16:00 Hands-on Session #2: Workflows
Automate network configurations and orchestrate security services
Typical use case: Automate the security policy configuration on multiple devices
Followed by QA
17:30 Summary
The benefits of joining the OpenMSA Community and where it is headed
18:00 Buffet Dinner
6. What should I do if I have questions during the session?
Can I submit them online?
Questions
Please raise your hand at any time to ask questions
9. The OpenMSA Community
• Open forum for networking and security automation
• Knowledge-based tools and applications to empower
developers and network engineers
• Vendor-agnostic, multi-domain solutions
• The OpenMSA is available at no charge for
community members
• Available at http://www.openmsa.co/.
• Open source development modules available on
GitHub
12. On GitHub
• Open Source Core engine
• Open Source Adaptors (developed by the Community)
• Workflow examples
• Microservice examples
https://github.com/openmsa
13. Does the OpenMSA allow for automated
provisioning and policy configuration?
14. Industrial IoT Orchestration with the OpenMSA
(Diagram: automated processes; single pane of glass; share with the GitHub community; build your own object for any vendor & domain; operator.)
17. After the AMI is deployed,
is there anything to configure?
18. Configuring the OpenMSA
• Use the public IP of the instance and access
• http://<PUBLIC_IP>:3577/config.xml (socconfig/b5ty9uvh4)
• Configure the following:
• System name
• Company information
• Management interface: Enable NAT and use the public IP assigned to the
AWS instance
• Disable: Backup, maintenance interface, etc.
More details available online:
https://www.openmsa.co/documentation/getting-started-with-the-openmsa-freeware/
24. Automation and Orchestration via Workflows
✓ Provide automation of operations
✓ Open work-flow builder
Automated operation (simplified, standardized interfaces)
Reduced time to set up and less error prone
(Diagram: the Workflow Manager runs Task1 "Get floating IP", Task2 "Create VNF", Task3 "Create device in DB" and Task4 "Push initial configuration" against OpenStack, Device A, Device B ... Device X.)
Define services by combination of processes and tasks: ① Service, ② Process, ③ Task. The work-flow consists of tasks, a reusable definition of the business logic written in simple PHP.
(Example labels on the slide: Customer Order System; VM Management; Create VNF, Update VNF, Delete VNF.)
26. The Lab: Initial Setup
(Diagram: Corporate Application Server (JIRA), Linux vFW, Fortigate vFW, Public Web Server (OpenMSA) and the Internet; corporate access to internal resources, public access to the web server, operator access for device management; no connectivity yet.)
27. The Lab: Detailed Setup
(Same lab diagram as slide 26, annotated with addresses. Public: 54.92.22.191, 54.65.133.122, 18.182.220.25. Private: 10.0.0.71, 10.0.0.104, 10.1.0.10, 10.1.0.127, 10.1.0.235, 10.1.0.236. The slide does not state which address belongs to which node.)
28. I want to create a firewall rule to enable
access to the web server. I don’t know
Fortigate CLI and I’m not a Linux expert.
How can the OpenMSA help?
30. The Lab: Microservices Configuring a NAT
(Same lab diagram as slide 26, with the Microservices layer added.)
Use a Microservice to configure a firewall policy and a NAT rule.
31. The Lab: Connectivity is Established
(Same lab diagram as slide 26, with the Microservices layer; connectivity between the Internet and the servers is now established.)
32. I want to automate the web server
access control.
How can I do that?
34. The Lab: Configuring the Policies
(Same lab diagram as slide 26, with the Workflow and Microservices layers.)
Use a Microservice and a Workflow to configure IP-based filtering on multiple network elements.
35. The Lab: Filtering Policies Configured
(Same lab diagram as slide 26, with the filtering policies in place.)
38. Use Case Overview
End-customer or MSSP (Managed Security Service Provider)
needs to be able to:
• Use a simple, multi-vendor, automated tool
• Implement basic network security policies
39. High-Level Requirements
• The operator should have the option to protect IT resources
(e.g. public or corporate servers, like ticketing systems, web
servers, etc.) with a firewall
• The firewalls should not be limited to a single vendor
• The operator should benefit from a single management pane
for all operations, from policy provisioning, to monitoring
and reporting
• Configuring the firewall should be as simple as possible
40. The Lab: Typical Infrastructure
(Same lab diagram as slide 26.)
41. Specifications for a Simple Firewall
• The user (operator or end-customer) must be able to
specify an IP address and a service (network port number)
on the OpenMSA console
• The user must be able to select a group of firewalls to
configure
• The OpenMSA will use the two parameters IP + port to
automatically configure the firewalls selected by the user
42. Detailed Design: Typical Infrastructure
(Same lab diagram as slide 26, with operator access for device management and three callouts.)
Operator enters IP + port on the OpenMSA portal
OpenMSA builds vendor-specific configuration
OpenMSA automates the configuration
43. Firewall Implementation on Linux
• Based on Linux IPtables
• Takes an IP and a port as parameters
Create a rule
sudo iptables -A INPUT -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
sudo iptables -A FORWARD -p tcp --dport <PORT TO BLOCK> -s <IP TO BLOCK> -j DROP
Get the list of rules
iptables -L INPUT -n | grep -v Chain | grep -v target
Returns
DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:
DROP tcp -- 92.103.182.20 0.0.0.0/0 tcp dpt:80
44. Firewall Implementation on Fortigate
• Based on FGT firewall policy, address and service
• Takes an IP and a port as parameters
config firewall address
    edit "123"
        set subnet <IP TO BLOCK> 255.255.255.255
    next
end
config firewall service custom
    edit "<PORT TO BLOCK>"
        set tcp-portrange <PORT TO BLOCK>:<PORT TO BLOCK>
    next
end
config firewall policy
    edit {$params.object_id}
        set name "<IP TO BLOCK>:<PORT TO BLOCK>"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "<IP TO BLOCK>"
        set dstaddr "VIP-PUB-WEB-SERVER"
        set service "<PORT TO BLOCK>"
    next
end
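The following shell script is an added example, not code from the slides or from the openmsa GitHub repositories. It shows the design of slide 42 end to end: the two vendor-neutral parameters (an IP and a port) are validated, then turned into the iptables commands of slide 43 and the Fortigate configuration of slide 44, and the `iptables -L INPUT -n` output of slide 43 is parsed back into IP/port pairs as the IMPORT command of slide 45 would need. Function names, the use of the IP as the Fortigate address-object name, the explicit `set action deny`, and the sample rule listing are all assumptions; nothing in the script talks to a firewall, it only builds and parses text, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the OpenMSA slides or the openmsa GitHub
# repositories. It shows the vendor-neutral parameters of slide 42
# (an IP and a port) turned into the vendor-specific configuration of
# slides 43 (Linux iptables) and 44 (Fortigate), plus the parsing step the
# IMPORT command needs. Function names are hypothetical; nothing here
# talks to a firewall, it only builds and parses text.

# The IP and port arrive from an operator form, so they are validated
# before being interpolated into a command line or a config template.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Slide 43: iptables commands for CREATE ($1 = create) or DELETE
# ($1 = delete); $2 = IP, $3 = port. CREATE checks with -C first so that
# re-running the microservice does not append a duplicate rule.
build_rule_cmds() {
    action=$1; ip=$2; port=$3
    valid_ipv4 "$ip" || { echo "invalid ip: $ip" >&2; return 1; }
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    for chain in INPUT FORWARD; do
        rule="$chain -p tcp --dport $port -s $ip -j DROP"
        case $action in
            create) printf 'iptables -C %s 2>/dev/null || iptables -A %s\n' "$rule" "$rule" ;;
            delete) printf 'iptables -D %s\n' "$rule" ;;
            *) echo "unknown action: $action" >&2; return 1 ;;
        esac
    done
}

# Slide 44: the Fortigate address, service and policy for the same
# parameters. $1 = policy id (the slide's {$params.object_id}), $2 = IP,
# $3 = port. Assumption: the address object is named after the IP (the
# slide's fixed "123" would collide once a second rule exists). The
# explicit "set action deny" spells out what the slide leaves to the
# FortiOS default.
render_fgt_policy() {
    object_id=$1; ip=$2; port=$3
    case "$object_id" in ''|*[!0-9]*) echo "invalid policy id: $object_id" >&2; return 1 ;; esac
    valid_ipv4 "$ip" || { echo "invalid ip: $ip" >&2; return 1; }
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cat <<EOF
config firewall address
    edit "$ip"
        set subnet $ip 255.255.255.255
    next
end
config firewall service custom
    edit "$port"
        set tcp-portrange $port:$port
    next
end
config firewall policy
    edit $object_id
        set name "$ip:$port"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "$ip"
        set dstaddr "VIP-PUB-WEB-SERVER"
        set service "$port"
        set action deny
    next
end
EOF
}

# IMPORT (slide 45, step 4): turn `iptables -L INPUT -n` output into
# "ip port" pairs, one per DROP rule, so existing rules can be listed as
# microservice instances. Header lines are skipped because $1 is not DROP;
# "6" is accepted as well as "tcp" because some iptables builds print the
# protocol number under -n.
parse_input_rules() {
    awk '$1 == "DROP" && ($2 == "tcp" || $2 == "6") {
        port = ""
        for (i = 5; i <= NF; i++) if ($i ~ /^dpt:[0-9]+$/) port = substr($i, 5)
        if (port != "") print $4, port
    }'
}

# Constructed sample, shaped like the "Returns" block on slide 43.
SAMPLE_RULES='DROP       tcp  --  92.103.182.20        0.0.0.0/0            tcp dpt:22
DROP       tcp  --  92.103.182.20        0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Demo run on the sample (no root and no iptables needed).
build_rule_cmds create 92.103.182.20 80
render_fgt_policy 7 92.103.182.20 80
printf '%s\n' "$SAMPLE_RULES" | parse_input_rules
```

The validation step matters more than it looks: both renderers splice operator-supplied strings straight into a root-level command line or a device CLI transcript, so a microservice that skips it hands every portal user a way to inject arbitrary iptables or FortiOS arguments. The `-C` check before `-A` is what makes the CREATE command safe to re-run, and the parser is what lets IMPORT reconcile what is on the device with what the OpenMSA thinks it created.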
45. Implementation of Microservices on Linux
Step 1: Create a new Microservice in the repository
Step 2: Implement the CREATE command
Step 3: Implement the DELETE command
Step 4: Implement the IMPORT command
Step 5: Test and check the Linux vFW via the Command Line
Interface
51. Implementation of Microservices on Fortigate
Step 1: Create a new Microservice in the repository
Step 2: Implement the CREATE command
Step 3: Implement the DELETE command
Step 4: Implement the IMPORT command
Step 5: Test and check the Fortigate vFW via its management GUI
59. Simple Firewall Workflow
• The user selects one or several firewalls to manage
• The user enters a new security rule (IP and port) to block
• The user selects an existing security rule and deletes it
from the firewall configuration
60. Implementation of Workflows
• Step 1: Define the parameters:
• List of firewall devices
• Rule ID / Rule IP / Rule Port
• Array of (Rule ID / Rule IP / Rule Port)
• Step 2: Implement the process to instantiate a new service
• Step 3: Implement the process to delete the service
• Step 4: Implement the process to configure a new security policy
• Step 5: Implement the process to remove existing security policies
66. Test Your Workflow I
Use the new workflow to configure simple firewall rules on
multiple devices, and verify that the access to the web servers
can be blocked
• http://54.92.22.191/jira.html
• http://54.65.133.122/openmsa.html