SRX Automation @ GRPN
Jon Hammer
hammer@groupon.com
Background
NetDevOps @ GRPN
Netops git commits at Groupon
2014 - 2017
The Problem
The Problem: Time/Energy
The Problem: Environmental Complexity
The Problem: Lack of Standards
The Problem: Security/Reliability
Goals
● First Milestone:
○ Address 80% of firewall request tickets
○ Achieve consistency and standardization in rules
○ Increase reliability
● Second Milestone:
○ Service based
○ Improve speed and reliability
Firewall Automation
create_firewall_rule.py
Step 1 - Getting the ACL Request
create_firewall_rule.py - step 1
Standardizing Inputs: Firewall Request Form
Getting the ticket somewhere we can use it
import netops_jira

jira = netops_jira.JiraSearch()
jira.query = 'project in (NETOPS) AND status in (OPEN) AND component in (Firewall)'
data = jira.search()
for request in data:
    ticket = netops_jira.FirewallTicketParser(request)
netops_jira.py
Jira to Python - netops_jira.py objects
In [11]: ticket.source
Out[11]: {'Group 1': ['host1.grpn', 'host2.grpn', 'host3.grpn']}
In [12]: ticket.destination
Out[12]: {'Group 1': ['otherhost11.ls', 'otherhost12.ls']}
In [13]: ticket.port
Out[13]: {'Group 1': ['2222', '80', '99-100']}
Step 2 - Determine which Devices to
Configure
create_firewall_rule.py - step 2
Where does a policy go?
Global standardization of policy flow
● Decide on a standard for directionality
● Treat VPN Concentrators like Backbone routers
● Result: FW to configure is deterministic
[Diagram: Internal Network behind the Backbone, with the Primary VPN and the BB Rtr drawn as equivalent attachment points]
Step 3 - Determining the Zones
create_firewall_rule.py - step 3
Getting the zone of a destination
● Steps:
○ Resolve the host IP
○ Connect to the determined firewall
○ Do a route lookup for the host IP
○ Find the outgoing interface for that route
○ Check the security zones table for that interface
hammer@fw> show route 8.8.8.8

inet.0: 258 destinations, 259 routes (258 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 36w5d 14:05:18
                    > to 1.2.3.4 via ge-0/0/7.0

hammer@fw> show security zones
Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/7.0
Determining Zone Step 1: Resolve the host IP
Step 1 - Resolve the host IP
Step 2 - ???
Step 3 - Profit!
● There are hidden complexities
● Why not just >show route host1.grpn ?
● Round Robin DNS
● IP used in request?
● Special cases in request?
Determining Zone Step 1a: Parsing the source/dest
● Goal - {name : address}
○ Hostname → Forward Lookup → IP → {hostname : IP}
○ IP → Reverse Lookup → Hostname → {hostname: IP}
○ Subnet → {subnet: subnet}
○ Special cases:
■ E.g., “vpn users” → {‘vpn_users’: predefined_subnet}
Determining Zone Step 2: Connecting to the FW
from device_connection import JUNOSConnection

username = "hammer"        # assumed; the slide uses the name without defining it
password = "thepassword"   # the slide hardcodes this; a real run reads it from a secret store
myconn = JUNOSConnection(username, "fw1.grpn", password)
myconn.Connect()

XML parsing
routes = myconn.get_route_information()
Determining Zone Step 3: Route lookup
Screen scraping / regex
> show route
Tables/Views Refresher - XML config
hammer@fw1> show security zones untrust | display xml
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
    <zones-information xmlns="http://xml.juniper.net/junos/12.3X48/junos-zones" junos:style="detail">
        <zones-security>
            <zones-security-zonename>untrust</zones-security-zonename>
            <zones-security-interfaces-bound>2</zones-security-interfaces-bound>
            <zones-security-interfaces>
                <zones-security-interface-name>ae0.0</zones-security-interface-name>
                <zones-security-interface-name>ae1.0</zones-security-interface-name>
            </zones-security-interfaces>
        </zones-security>
    </zones-information>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>
Tables/Views Refresher - RPCs
hammer@fw1> show security zones untrust | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
    <rpc>
        <get-zones-information>
            <get-zones-named-information>untrust</get-zones-named-information>
        </get-zones-information>
    </rpc>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>
Tables/Views Refresher - yaml definitions
SecurityZonesTable:
  rpc: get-zones-information
  args:
    detail: True
  args_key: get-zones-named-information
  item: .//zones-security
  key: zones-security-zonename
  view: SecurityZonesTableView

SecurityZonesTableView:
  fields:
    interfaces_bound: zones-security-interfaces-bound
    interfaces: zones-security-interfaces/zones-security-interface-name
Tables/Views: Refresher, part 4 - XML sucks
In [25]: zones.xpath('zones-security[zones-security-zonename]')
Out[25]:
[<Element zones-security at 0x7f10bfa8cb90>,
 <Element zones-security at 0x7f10bfa8ca70>,
 <Element zones-security at 0x7f10bfb94b90>,
 <Element zones-security at 0x7f10bfb94f80>,
 <Element zones-security at 0x7f10bfa950e0>,
 <Element zones-security at 0x7f10bfa95440>,
 <Element zones-security at 0x7f10bfa95f80>]
Determining the zone step 4: Get the zone from the interface
In [8]: zones
Out[8]: SecurityZonesTable:fw1.grpn: 8 items
In [9]: zones[1].name
Out[9]: 'trust'
In [10]: zones[1].interfaces
Out[10]: ['ae2.101', 'ae3.101']
In [82]: route_table
Out[82]: junos_route_table:fw1.grpn: 941 items
In [83]: route.destination
Out[83]: u'10.1.37.0'
In [84]: route.prefix_length
Out[84]: 24
In [85]: route.outgoing_interface
Out[85]: u'ae2.101'
Flow for getting the zone
[Flowchart: Firewall Connection Object → RPC calls for route and zone table → look up the outgoing interface in the route view and find it in the zone view → More hosts? Yes: repeat for the next host; No: close connection]
Some tickets involve hundreds of lookups, extremely resource intensive!
Optimizing, AKA be nice to your production devices
[Flowchart: Firewall Connection Object → pull entire routing and zone table → close connection → build offline queryable FW object with routing/zone tables → build radix object, tag every route with zone info → route lookup for 10.20.100.1 (e.g., zone=web) → More hosts? Yes: repeat the lookup offline]
Maximum of two calls to the FW regardless of number of hosts
Offline SRX object in action
In [18]: srx_obj = srx.BuildSRX(route_table=route_table, zone_table=zone_table)
In [19]: srx_obj.get_ip_zone('8.8.8.8')
Out[19]: 'untrust'
Radix Library
In [7]: route = fw_obj._rtree.search_best('8.8.8.8')
In [8]: route.data
Out[8]:
{'next_hop': u'10.1.1.1',
'outgoing_interface': u'ae2.0',
'zone_name': 'untrust'}
We tag zone into every route as we build the radix table
https://pypi.python.org/pypi/py-radix
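The offline lookup the two slides above describe, as an added example that is not the talk's srx.py: the zone is tagged onto every route while the table is built, and a longest-prefix match then answers any number of IP-to-zone questions without another call to the firewall. It uses only the standard library in place of py-radix; the class and function names and the route/zone rows are constructed.

```python
import ipaddress

# Constructed sample of the junos route table view, shaped like the
# route.destination / prefix_length / outgoing_interface fields above:
# (destination, prefix_length, outgoing_interface, next_hop)
ROUTE_TABLE = [
    ("0.0.0.0", 0, "ae0.0", "10.1.1.1"),
    ("10.1.37.0", 24, "ae2.101", None),
    ("10.20.100.0", 22, "ae3.200", None),
    ("10.20.100.0", 24, "ae3.201", None),      # more specific than the /22
    ("192.168.0.0", 16, "ge-0/0/9.0", None),   # interface bound to no zone
]

# Constructed sample of the SecurityZonesTable view: zone -> bound interfaces
ZONE_TABLE = {
    "untrust": ["ae0.0", "ae1.0"],
    "trust": ["ae2.101", "ae3.101"],
    "dmz": ["ae3.200"],
    "web": ["ae3.201"],
}


class OfflineSRX:
    """Queryable snapshot of one firewall's routing and zone tables.

    Built once from the two RPC pulls; every lookup afterwards is local, so
    the number of hosts in a ticket no longer drives calls to the device.
    """

    def __init__(self, route_table, zone_table):
        # Invert zone -> [interfaces] into interface -> zone once.
        self._iface_zone = {iface: zone
                            for zone, ifaces in zone_table.items()
                            for iface in ifaces}
        # Tag every route with its zone while building the table, the same
        # way the talk tags routes as it fills the radix tree.
        self._routes = []
        for dest, plen, iface, next_hop in route_table:
            net = ipaddress.ip_network(f"{dest}/{plen}")
            self._routes.append((net, {"next_hop": next_hop,
                                       "outgoing_interface": iface,
                                       "zone_name": self._iface_zone.get(iface)}))
        # Longest prefix first, so the first hit in search_best is the best route.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def search_best(self, ip):
        """Longest-prefix match; returns the tagged route data or None."""
        addr = ipaddress.ip_address(ip)
        for net, data in self._routes:
            if addr.version == net.version and addr in net:
                return data
        return None

    def get_ip_zone(self, ip):
        """Zone of the egress interface for ip; raises if it cannot be placed."""
        route = self.search_best(ip)
        if route is None or route["zone_name"] is None:
            # No route, or the egress interface is bound to no zone: refuse to
            # guess rather than put the policy into the wrong zone context.
            raise LookupError(f"no zone for {ip}")
        return route["zone_name"]


def zone_report(srx, ips):
    """Resolve every host in a request; unplaceable ones are flagged for the
    on-call engineer, mirroring the ticket flow's manual fallback."""
    report = {}
    for ip in ips:
        try:
            report[ip] = srx.get_ip_zone(ip)
        except LookupError:
            report[ip] = "UNRESOLVED: assign to oncall"
    return report
```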
Step 4 - Do we even need this rule?
create_firewall_rule.py - step 4
Preventing Configuration Bloat
Automating policy match detection
Policy Object:
In [13]: sec_pol_table[100].items()
Out[13]:
[('application_term_source_high', '0'),
('to_zone', 'trust'),
('description', None),
('application', 'tcp_8000'),
('destination', ['host1.grpn', 'host2.grpn']),
('from_zone', 'edge'),
('policy_name', 'NETOPS-5864'),
('application_term_destination_low', '8000'),
('application_term_destination_high', '9000'),
('source', ['box1.omg', 'box2.omg']),
('application_term_protocol', 'tcp'),
('destination_prefix', ['10.1.1.189/32', '10.1.1.132/32']),
('source_prefix', ['10.2.2.222/32', '10.2.2.88/32']),
('application_term_source_low', '0')]
Detail view conveniently flattens all the IPs/names! Thanks JUNOS!
Show the user
ProdOps Commandline User added a comment - 12/Sep/17 6:05 PM
Group 2: Existing policy for Group 2 matches this configured policy: NETOPS-5281
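Policy match detection as an added example (not the talk's create_firewall_rule.py): the request for one ticket group is compared against the flattened policy rows shown above, and a policy counts as a match only if it already covers both zones, the protocol, every requested port and every requested prefix on both sides. The function names and the policy rows are constructed.

```python
import ipaddress

# Constructed rows shaped like sec_pol_table[n].items() from the detail view
EXISTING_POLICIES = [
    {"policy_name": "NETOPS-5864", "from_zone": "edge", "to_zone": "trust",
     "application_term_protocol": "tcp",
     "application_term_destination_low": "8000",
     "application_term_destination_high": "9000",
     "source_prefix": ["10.2.2.222/32", "10.2.2.88/32"],
     "destination_prefix": ["10.1.1.189/32", "10.1.1.132/32"]},
    {"policy_name": "NETOPS-5281", "from_zone": "trust", "to_zone": "web",
     "application_term_protocol": "tcp",
     "application_term_destination_low": "443",
     "application_term_destination_high": "443",
     "source_prefix": ["10.1.37.0/24"],
     "destination_prefix": ["10.20.100.0/24"]},
]


def parse_ports(spec):
    """'80' -> (80, 80); '99-100' -> (99, 100), the ticket.port format above."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return low, high


def _covered(requested, existing):
    """Every requested prefix must sit inside some prefix the policy lists."""
    nets = [ipaddress.ip_network(p) for p in existing]
    for p in requested:
        req = ipaddress.ip_network(p)
        if not any(req.version == n.version and req.subnet_of(n) for n in nets):
            return False
    return True


def find_matching_policy(request, policies):
    """Name of a policy that already permits the whole request, else None.

    request: dict with from_zone, to_zone, protocol, ports (list of specs),
    source_prefix and destination_prefix (lists of CIDRs). Partial overlap
    is not a match: the new rule still has to be created.
    """
    for pol in policies:
        if (pol["from_zone"], pol["to_zone"]) != (request["from_zone"], request["to_zone"]):
            continue
        if pol["application_term_protocol"] != request["protocol"]:
            continue
        plo = int(pol["application_term_destination_low"])
        phi = int(pol["application_term_destination_high"])
        if not all(plo <= lo and hi <= phi
                   for lo, hi in map(parse_ports, request["ports"])):
            continue
        if not (_covered(request["source_prefix"], pol["source_prefix"])
                and _covered(request["destination_prefix"], pol["destination_prefix"])):
            continue
        return pol["policy_name"]
    return None


def match_comment(group, request, policies):
    """Text of the Jira comment shown above when a match is found, else None."""
    name = find_matching_policy(request, policies)
    if name is None:
        return None
    return f"{group}: Existing policy for {group} matches this configured policy: {name}"
```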
Step 5 - ACL Standardization
create_firewall_rule.py - step 5
Standardizing address-book entries: Before
webapp1 10.1.1.1/32;
web-app1.grpn 10.1.1.1/32;
web-ap__grpn 10.1.1.1/32;
dbhost_netops-1234 172.16.1.10/32;
emea_vpn_users 10.2.1.0/24;
vpn_users__emea 10.2.1.0/24;
prod_subnet_10.10.1.0 10.10.1.0/24;
address-set vpn_users {..}
address-set all_vpn_users {..}
address-set dns_servers {..}
Multiply by several thousand address-books + address-sets!
Standardizing address-book entries: After
If Host (/32): <dns-entry>, <ip>
    web-app1.grpn 10.1.1.1/32;
If RR DNS: <dns-entry> + __<n>, <ip>
    db1__1.grpn 172.16.1.10/32;
    db1__2.grpn 172.16.1.11/32;
If Subnet: <subnet> <subnet>
    10.32.100.0/24 10.32.100.0/24;

address-set src_NETOPS-1234 {
    web-app1.grpn
}
address-set dst_NETOPS-1234 {
    db1__1.grpn
    db1__2.grpn
}
Address set: src or dst + ticket number
Static exception: address-set vpn_users {..}
Standardizing Policies: Before
policy dev-hosts--to--monitoring-rw-vip-sjc {
    match {
        source-address [ devhosts dev12 prodnet_33 devhosts__new ];
        destination-address gdr-sjc1-prod-graph-ro-vip__sjc1;
        application monitoring_services;
    }
    then {
        permit;
    }
}
Standardizing Policies: After
policy NETOPS-7432__2 {
    match {
        source-address src_NETOPS-7432__2;
        destination-address dst_NETOPS-7432__2;
        application tcp_10906-10910;
    }
    then {
        permit;
    }
}
No more trying to engineer context into configurations!
Side benefit of Standardization
● Show policy
● Show source address(es) / sets
● Show destination address(es) / sets
● Show application(s)
● show configuration | match <ticket> | display set
Addressbook entry re-use
● It doesn’t exist
○ New address-book entry added
● It exists
○ SRX Ignores it
● It exists and is different:
○ Overwrite with new value
○ (Verify by admin)
Cleaning Up Legacy Stuff
Step 6 - Representing the ACL in code
create_firewall_rule.py - step 6
srx.py
In [13]: address1.ip
Out[13]: '1.1.1.1/32'
In [14]: address1.name
Out[14]: 'myhost1.grpn'
In [15]: address1.zone
Out[15]: 'trust'
In [16]: print address1.config()
security {
    zones {
        security-zone trust {
            address-book {
                address myhost1.grpn 1.1.1.1/32;
            }
        }
    }
}
Configuration logic stored outside of jinja
In [19]: app = srx.Application('foo')
In [20]: app.port = "9999"
In [21]: app.port = "9999-65535"
In [22]: app.port = "9999-65536"
---------------------------------------------------------------------------
Exception Traceback (most recent call last)
{...}
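The step 5 naming standard and the step 6 configuration objects together, as an added example that is not the talk's srx.py: address-book entries are named by the rules on the "After" slides, address sets and the policy are keyed on ticket and group, the application validates its port range on assignment (so 9999-65536 is rejected as on the slide), and the objects render to JUNOS configuration. The class and method names, the `set`-form output instead of the nested braces shown above, and the sample hosts are all assumptions.

```python
import ipaddress


class Address:
    """One address-book entry: standardized name, normalised CIDR, owning zone."""

    def __init__(self, name, ip, zone):
        self.name = name
        self.ip = str(ipaddress.ip_network(ip, strict=False))  # '1.1.1.1' -> '1.1.1.1/32'
        self.zone = zone


def build_addresses(resolved, zone_of):
    """Apply the naming standard to the step-1a parser output.

    resolved: {hostname: ip}, {hostname: [ip, ...]} for round-robin DNS, or
    {subnet: subnet}; zone_of: callable ip -> zone (the offline SRX lookup).
    """
    addrs = []
    for name, value in resolved.items():
        nets = [str(ipaddress.ip_network(v, strict=False))
                for v in (value if isinstance(value, list) else [value])]
        if len(nets) > 1:
            # Round-robin DNS: <dns-entry>__<n>, suffix ahead of the domain
            # part as on the slide (db1__1.grpn, db1__2.grpn).
            host, dot, domain = name.partition(".")
            names = [f"{host}__{n}{dot}{domain}" for n in range(1, len(nets) + 1)]
        elif nets[0].endswith("/32"):
            names = [name]            # single host: the dns entry is the name
        else:
            names = [nets[0]]         # subnet: the subnet is its own name
        addrs += [Address(n, ip, zone_of(ip)) for n, ip in zip(names, nets)]
    return addrs


def parse_port_range(spec):
    """'9999' -> (9999, 9999); '9999-65535' -> (9999, 65535); 65536 is rejected."""
    low, _, high = str(spec).partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return low, high


class Application:
    """Application named <protocol>_<ports>, with the port validated on assignment."""

    def __init__(self, protocol, port):
        self.protocol = protocol
        self.port = port                         # runs the validating setter
        self.name = f"{protocol}_{self.port}"    # e.g. tcp_10906-10910

    @property
    def port(self):
        return self._port

    @port.setter
    def port(self, spec):
        low, high = parse_port_range(spec)
        self._port = str(low) if low == high else f"{low}-{high}"

    def config(self):
        return [f"set applications application {self.name} protocol {self.protocol}",
                f"set applications application {self.name} destination-port {self.port}"]


class Policy:
    """Policy <ticket>__<group> matching src_/dst_ address sets named the same way."""

    def __init__(self, ticket, group, sources, destinations, app):
        self.suffix = f"{ticket}__{group}"
        self.sources, self.destinations, self.app = sources, destinations, app
        self.from_zone = self._single_zone(sources, "source")
        self.to_zone = self._single_zone(destinations, "destination")

    @staticmethod
    def _single_zone(addrs, side):
        zones = {a.zone for a in addrs}
        if len(zones) != 1:
            # Hosts of one group in several zones need one policy per zone
            # pair; refuse here rather than emit a policy in the wrong context.
            raise ValueError(f"{side} addresses span zones {sorted(zones)}")
        return zones.pop()

    def config(self):
        lines = []
        for prefix, addrs, zone in (("src", self.sources, self.from_zone),
                                    ("dst", self.destinations, self.to_zone)):
            book = f"set security zones security-zone {zone} address-book"
            for a in addrs:
                lines.append(f"{book} address {a.name} {a.ip}")
                lines.append(f"{book} address-set {prefix}_{self.suffix} address {a.name}")
        lines += self.app.config()
        pol = (f"set security policies from-zone {self.from_zone} "
               f"to-zone {self.to_zone} policy {self.suffix}")
        lines += [f"{pol} match source-address src_{self.suffix}",
                  f"{pol} match destination-address dst_{self.suffix}",
                  f"{pol} match application {self.app.name}",
                  f"{pol} then permit"]
        return lines
```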
Creating the configuration objects
[Diagram: Parsed Sources/Destinations, Zones from device, and Destination port(s) feed srx.py, which builds Address objects, Address-set objects, Application objects and Policy objects; create_firewall_rule.py renders them into SRX JUNOS configuration]
create_firewall_rule.py
Firewall Automation Flow, part 1
[Flowchart]
● Input to create_firewall_rule.py: Username, Ticket #
● JIRA API → parse ticket (netops_jira.py) into object, passed on as Ticket # json
○ Not parsable → assign to oncall for manual processing
● Iterate over each group in the ticket
● Parse src/dst
● Determine which FW to configure based on standard
○ Unable to determine fw → assign to oncall
● FW Connection Object: 3x RPC for routing/zone/policy tables
○ Connection fail → leave in retry queue
● Build offline SRX (close previous connection)
Firewall Automation Flow, part 2
[Flowchart]
● Offline SRX Object → get zone info for src/dst
● Build ACL objects (srx.py library)
● Verify rule doesn't already exist
○ Exists → comment + resolve ticket
○ Doesn't exist → save into per-colo dictionary
● More groups in request?
○ Yes → process other groups
○ No → for each colo, push all rules to active/backup FW
● Comment diffs to ticket + resolve
Step 7 - Ensuring the Firewalls are in Sync
Tools for firewall synchronization - sync_policies.py
Tools for firewall synchronization - fwsync_check.py
Step 7 - Optimization
Firewall Automation: The Service
● Created service code that runs periodically and finds “Approved” Firewall tickets
● The code will run create_firewall_rule.py on those tickets
● Engineers simply need to review the request for sanity/security purposes, and click approve.
● No need to run any script or open up a terminal
● Success = Comment + Resolve
● Fail = Re-assign to pagerduty API
● Only see tickets that require approval or troubleshooting
● Effective SLA: 30 minutes
Caching, AKA being nice to our Production devices
New Feature: Policy Match
Conclusion
Questions
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 

SRX Automation at Groupon

  • 1. SRX Automation @ GRPN Jon Hammer hammer@groupon.com
  • 3. NetDevOps @ GRPN Netops git commits at Groupon 2014 - 2017
  • 7. The Problem: Lack of Standards
  • 9. Goals
    ● First Milestone:
      ○ Address 80% of firewall request tickets
      ○ Achieve consistency and standardization in rules
      ○ Increase reliability
    ● Second Milestone:
      ○ Service based
      ○ Improve speed and reliability
  • 11. Step 1 - Getting the ACL Request create_firewall_rule.py - step 1
  • 13. Getting the ticket somewhere we can use it (netops_jira.py)
    jira = netops_jira.JiraSearch()
    jira.query = 'project in (NETOPS) AND status in (OPEN) AND component in (Firewall)'
    data = jira.search()
    for request in data:
        ticket = netops_jira.FirewallTicketParser(request)
  • 14. Jira to Python - netops_jira.py objects
    In [11]: ticket.source
    Out[11]: {'Group 1': ['host1.grpn', 'host2.grpn', 'host3.grpn']}
    In [12]: ticket.destination
    Out[12]: {'Group 1': ['otherhost11.ls', 'otherhost12.ls']}
    In [13]: ticket.port
    Out[13]: {'Group 1': ['2222', '80', '99-100']}
  • 15. Step 2 - Determine which Devices to Configure create_firewall_rule.py - step 2
  • 16. Where does a policy go?
  • 17. Global standardization of policy flow
    ● Decide on a standard for directionality
    ● Treat VPN Concentrators like Backbone routers
    ● Result: FW to configure is deterministic
    (diagram: Backbone, Internal Network, Primary VPN, BB Rtr)
  • 18. Step 3 - Determining the Zones create_firewall_rule.py - step 3
  • 19. Getting the zone of a destination
    ● Steps:
      ○ Resolve the host IP
      ○ Connect to the determined firewall
      ○ Do a route lookup for the host IP
      ○ Find the outgoing interface for that route
      ○ Check the security zones table for that interface

    hammer@fw> show route 8.8.8.8

    inet.0: 258 destinations, 259 routes (258 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 36w5d 14:05:18
                        > to 1.2.3.4 via ge-0/0/7.0

    hammer@fw> show security zones

    Security zone: untrust
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Screen: untrust-screen
      Interfaces bound: 1
      Interfaces:
        ge-0/0/7.0
  • 20. Determining Zone Step 1: Resolve the host IP
    Step 1 - Resolve the host IP
    Step 2 - ???
    Step 3 - Profit!
    ● There are hidden complexities
    ● Why not just >show route host1.grpn ?
    ● Round Robin DNS
    ● IP used in request?
    ● Special cases in request?
  • 21. Determining Zone Step 1a: Parsing the source/dest
    ● Goal - {name : address}
      ○ Hostname → Forward Lookup → IP → {hostname : IP}
      ○ IP → Reverse Lookup → Hostname → {hostname : IP}
      ○ Subnet → {subnet : subnet}
      ○ Special cases:
        ■ E.g., "vpn users" → {'vpn_users': predefined_subnet}
  • 22. Determining Zone Step 2: Connecting to the FW
    from device_connection import JUNOSConnection
    password = "thepassword"   # placeholder on the slide; not a literal in real use
    myconn = JUNOSConnection(username, "fw1.grpn", password)
    myconn.Connect()
  • 23. Determining Zone Step 3: Route lookup
    Screen scraping / regex:  > show route
    XML parsing:              routes = myconn.get_route_information()
  • 24. Tables/Views Refresher - XML config
    hammer@fw1> show security zones untrust | display xml
    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
        <zones-information xmlns="http://xml.juniper.net/junos/12.3X48/junos-zones" junos:style="detail">
            <zones-security>
                <zones-security-zonename>untrust</zones-security-zonename>
                <zones-security-interfaces-bound>2</zones-security-interfaces-bound>
                <zones-security-interfaces>
                    <zones-security-interface-name>ae0.0</zones-security-interface-name>
                    <zones-security-interface-name>ae1.0</zones-security-interface-name>
                </zones-security-interfaces>
            </zones-security>
        </zones-information>
        <cli>
            <banner></banner>
        </cli>
    </rpc-reply>
  • 25. Tables/Views Refresher - RPCs
    hammer@fw1> show security zones untrust | display xml rpc
    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
        <rpc>
            <get-zones-information>
                <get-zones-named-information>untrust</get-zones-named-information>
            </get-zones-information>
        </rpc>
        <cli>
            <banner></banner>
        </cli>
    </rpc-reply>
  • 26. Tables/Views Refresher - yaml definitions
    SecurityZonesTable:
      rpc: get-zones-information
      args:
        detail: True
      args_key: get-zones-named-information
      item: .//zones-security
      key: zones-security-zonename
      view: SecurityZonesTableView

    SecurityZonesTableView:
      fields:
        interfaces_bound: zones-security-interfaces-bound
        interfaces: zones-security-interfaces/zones-security-interface-name
  • 27. Tables/Views: Refresher, part 4 - XML sucks
    In [25]: zones.xpath('zones-security[zones-security-zonename]')
    Out[25]:
    [<Element zones-security at 0x7f10bfa8cb90>,
     <Element zones-security at 0x7f10bfa8ca70>,
     <Element zones-security at 0x7f10bfb94b90>,
     <Element zones-security at 0x7f10bfb94f80>,
     <Element zones-security at 0x7f10bfa950e0>,
     <Element zones-security at 0x7f10bfa95440>,
     <Element zones-security at 0x7f10bfa95f80>]
  • 28. Determining the zone step 4: Get the zone from the interface
    In [8]: zones
    Out[8]: SecurityZonesTable:fw1.grpn: 8 items
    In [9]: zones[1].name
    Out[9]: 'trust'
    In [10]: zones[1].interfaces
    Out[10]: ['ae2.101', 'ae3.101']

    In [82]: route_table
    Out[82]: junos_route_table:fw1.grpn: 941 items
    In [83]: route.destination
    Out[83]: u'10.1.37.0'
    In [84]: route.prefix_length
    Out[84]: 24
    In [85]: route.outgoing_interface
    Out[85]: u'ae2.101'
  • 29. Flow for getting the zone
    Firewall Connection Object
      → RPC calls for route table and zone table
      → Lookup outgoing interface in route view, and find it in the zone view
      → More hosts? Yes: repeat the RPC calls for the next host. No: close connection.
    Some tickets involve hundreds of lookups, extremely resource intensive!
  • 30. Optimizing, AKA be nice to your production devices
    Firewall Connection Object
      → Pull entire routing and zone table
      → Close connection
      → Build offline queryable FW object with routing/zone tables
      → Build radix object, tag every route with zone info
      → Route lookup for 10.20.100.1 (e.g., zone=web)
      → More hosts? Yes: query the offline object again, no further calls to the FW.
    Maximum of two calls to the FW regardless of number of hosts.
  • 31. Offline SRX object in action
    In [18]: srx_obj = srx.BuildSRX(route_table=route_table, zone_table=zone_table)
    In [19]: srx_obj.get_ip_zone('8.8.8.8')
    Out[19]: 'untrust'
  • 32. Radix Library (https://pypi.python.org/pypi/py-radix)
    In [7]: route = fw_obj._rtree.search_best('8.8.8.8')
    In [8]: route.data
    Out[8]: {'next_hop': u'10.1.1.1', 'outgoing_interface': u'ae2.0', 'zone_name': 'untrust'}
    We tag zone into every route as we build the radix table.
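The zone lookup procedure of slides 19 to 32 (parse the source/destination entry, pull the route and zone tables once, tag every route with the zone of its outgoing interface, then answer lookups offline by longest-prefix match), as an added example. This is not the deck's srx.py and does not use py-radix: ROUTE_TABLE, ZONE_TABLE and the DNS lookup tables passed to parse_target are constructed sample data in the shape of the PyEZ views shown on slide 28, and the longest-prefix search uses only the standard library so it runs offline. Two failure modes the slides mention are handled explicitly: an interface that is bound to no zone, and an entry that cannot be resolved.

```python
"""Offline SRX zone lookup (added example; not Groupon's srx.py)."""
import ipaddress

# Constructed sample zone table: zone name -> interfaces bound.
ZONE_TABLE = {
    "untrust": ["ae0.0", "ae1.0"],
    "trust": ["ae2.101", "ae3.101"],
    "web": ["ae2.100"],
}

# Constructed sample route table:
# (destination, prefix_length, next_hop, outgoing_interface)
ROUTE_TABLE = [
    ("0.0.0.0", 0, "1.2.3.4", "ae0.0"),                 # default route -> untrust
    ("10.1.37.0", 24, "10.1.37.1", "ae2.101"),
    ("10.20.100.0", 24, "10.20.100.1", "ae2.100"),
    ("10.20.100.128", 25, "10.20.100.129", "ae3.101"),  # more specific than the /24
    ("192.0.2.0", 24, "203.0.113.1", "xe-9/0/0.0"),     # interface bound to no zone
]


def parse_target(entry, forward, reverse, special):
    """Step 1a: normalise one source/destination entry to {name: [prefix, ...]}.

    forward/reverse are DNS lookup tables injected so this runs offline
    (assumption); special maps labels like 'vpn users' to predefined subnets.
    """
    if entry in special:
        return {entry.replace(" ", "_"): [special[entry]]}
    try:  # an IP or subnet given directly
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # a hostname: forward lookup; round-robin DNS gives >1 record
        ips = forward.get(entry)
        if not ips:
            raise LookupError("cannot resolve %s" % entry)
        return {entry: ["%s/32" % ip for ip in ips]}
    if net.prefixlen == net.max_prefixlen:  # host IP: reverse lookup for the name
        host = str(net.network_address)
        return {reverse.get(host, host): [str(net)]}
    return {str(net): [str(net)]}


class OfflineSRX:
    """Queryable copy of the firewall's routing and zone tables."""

    def __init__(self, route_table, zone_table):
        iface_zone = {i: z for z, ifs in zone_table.items() for i in ifs}
        self._routes = []
        for dest, plen, next_hop, iface in route_table:
            net = ipaddress.ip_network("%s/%s" % (dest, plen), strict=False)
            # tag every route with its zone as the table is built
            self._routes.append((net, {
                "next_hop": next_hop,
                "outgoing_interface": iface,
                "zone_name": iface_zone.get(iface),
            }))
        # most specific prefix first, so the first hit is the best match
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def search_best(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, data in self._routes:
            if addr.version == net.version and addr in net:
                return data
        return None

    def get_ip_zone(self, ip):
        route = self.search_best(ip)
        if route is None:
            raise LookupError("no route for %s" % ip)
        if route["zone_name"] is None:
            raise LookupError("%s is bound to no zone" % route["outgoing_interface"])
        return route["zone_name"]


if __name__ == "__main__":
    srx_obj = OfflineSRX(ROUTE_TABLE, ZONE_TABLE)
    print(srx_obj.get_ip_zone("8.8.8.8"))        # untrust, via the default route
    print(srx_obj.search_best("10.20.100.200"))  # the /25 wins over the /24
```

The sort-then-scan is O(routes) per lookup; for the 941-route table on slide 28 that is fine, and for larger tables py-radix's search_best gives the same answer in O(prefix length). Raising on an unzoned interface matters: a rule written with a guessed zone silently lands on the wrong zone pair and never matches traffic, so the ticket should go to the on-call engineer instead.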
  • 33. Step 4 - Do we even need this rule? create_firewall_rule.py - step 4
  • 35. Automating policy match detection
    Policy Object:
    In [13]: sec_pol_table[100].items()
    Out[13]:
    [('application_term_source_high', '0'),
     ('to_zone', 'trust'),
     ('description', None),
     ('application', 'tcp_8000'),
     ('destination', ['host1.grpn', 'host2.grpn']),
     ('from_zone', 'edge'),
     ('policy_name', 'NETOPS-5864'),
     ('application_term_destination_low', '8000'),
     ('application_term_destination_high', '9000'),
     ('source', ['box1.omg', 'box2.omg']),
     ('application_term_protocol', 'tcp'),
     ('destination_prefix', ['10.1.1.189/32', '10.1.1.132/32']),
     ('source_prefix', ['10.2.2.222/32', '10.2.2.88/32']),
     ('application_term_source_low', '0')]
    Detail view conveniently flattens all the IPs/names! Thanks JUNOS!
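The "do we even need this rule?" check of step 4, as an added example that is not the deck's code. EXISTING_POLICIES is constructed in the flattened shape of the policy table row on slide 35; the request dict format (zones, prefixes, protocol, port spec such as '8080' or '99-100') is an assumption. A request is covered when an existing policy has the same zone pair and protocol, its application term's destination port range contains the requested range, and every requested source and destination prefix lies inside one of the policy's prefixes. One caveat a practitioner should keep in mind: the table slice shown carries no action or ordering, so a match here means "an identical or wider permit exists", not "the traffic flows"; an earlier, more specific deny between the same zones would shadow it, and a production version should check action and policy order before resolving the ticket as already allowed.

```python
"""Step 4: is the requested rule already covered? (added example)"""
import ipaddress

# Constructed sample rows in the shape of slide 35's policy table.
EXISTING_POLICIES = [
    {
        "policy_name": "NETOPS-5864", "from_zone": "edge", "to_zone": "trust",
        "source_prefix": ["10.2.2.222/32", "10.2.2.88/32"],
        "destination_prefix": ["10.1.1.189/32", "10.1.1.132/32"],
        "application_term_protocol": "tcp",
        "application_term_destination_low": "8000",
        "application_term_destination_high": "9000",
    },
    {
        "policy_name": "NETOPS-5281", "from_zone": "edge", "to_zone": "trust",
        "source_prefix": ["10.2.2.0/24"],
        "destination_prefix": ["10.1.1.0/24"],
        "application_term_protocol": "tcp",
        "application_term_destination_low": "22",
        "application_term_destination_high": "22",
    },
]


def port_range(spec):
    """'80' -> (80, 80); '99-100' -> (99, 100). Rejects malformed or reversed specs."""
    low, _, high = str(spec).partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port spec %r" % spec)
    return lo, hi


def _covered(needed, have):
    """Every needed prefix lies inside at least one existing prefix."""
    have_nets = [ipaddress.ip_network(h, strict=False) for h in have]
    for n in needed:
        net = ipaddress.ip_network(n, strict=False)
        if not any(net.version == h.version and net.subnet_of(h) for h in have_nets):
            return False
    return True


def find_matching_policies(policies, request):
    """Names of existing policies whose match terms already cover the request."""
    lo, hi = port_range(request["port"])
    matches = []
    for pol in policies:
        if (pol["from_zone"], pol["to_zone"]) != (request["from_zone"], request["to_zone"]):
            continue
        if pol["application_term_protocol"] != request["protocol"]:
            continue
        plo = int(pol["application_term_destination_low"])
        phi = int(pol["application_term_destination_high"])
        if not (plo <= lo and hi <= phi):
            continue
        if (_covered(request["source_prefix"], pol["source_prefix"])
                and _covered(request["destination_prefix"], pol["destination_prefix"])):
            matches.append(pol["policy_name"])
    return matches


def match_comment(group, matches):
    """Text posted back to the ticket, in the wording of slide 36."""
    if not matches:
        return "%s: no existing policy matches; rule will be created" % group
    return "%s: Existing policy for %s matches this configured policy: %s" % (
        group, group, ", ".join(matches))


if __name__ == "__main__":
    # Constructed request: one group from the parsed ticket, zones already resolved.
    req = {"from_zone": "edge", "to_zone": "trust",
           "source_prefix": ["10.2.2.222/32"], "destination_prefix": ["10.1.1.189/32"],
           "protocol": "tcp", "port": "8080"}
    print(match_comment("Group 2", find_matching_policies(EXISTING_POLICIES, req)))
```

Note that containment is checked per requested prefix, not per policy prefix: a request for a whole /24 is not covered by a policy that lists a handful of /32s inside it, which is the case that would otherwise resolve a ticket without actually opening the access.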
  • 36. Show the user
    ProdOps Commandline User added a comment - 12/Sep/17 6:05 PM
    Group 2: Existing policy for Group 2 matches this configured policy: NETOPS-5281
  • 37. Step 5 - ACL Standardization create_firewall_rule.py - step 5
  • 38. Standardizing address-book entries: Before
    webapp1 10.1.1.1/32;
    web-app1.grpn 10.1.1.1/32;
    web-ap__grpn 10.1.1.1/32;
    dbhost_netops-1234 172.16.1.10/32;
    emea_vpn_users 10.2.1.0/24;
    vpn_users__emea 10.2.1.0/24;
    prod_subnet_10.10.1.0 10.10.1.0/24;
    address-set vpn_users {..}
    address-set all_vpn_users {..}
    address-set dns_servers {..}
    Multiply by several thousand address-books + address-sets!
  • 39. Standardizing address-book entries: After
    If Host (/32):  <dns-entry> <ip>          web-app1.grpn 10.1.1.1/32;
    If RR DNS:      <dns-entry>__<n> <ip>     db1__1.grpn 172.16.1.10/32;
                                              db1__2.grpn 172.16.1.11/32;
    If Subnet:      <subnet> <subnet>         10.32.100.0/24 10.32.100.0/24;
    Address set: src or dst + ticket number
      address-set src_NETOPS-1234 { web-app1.grpn }
      address-set dst_NETOPS-1234 { db1__1.grpn db1__2.grpn }
    Static exception: address-set vpn_users {..}
  • 40. Standardizing Policies: Before
    policy dev-hosts--to--monitoring-rw-vip-sjc {
        match {
            source-address [ devhosts dev12 prodnet_33 devhosts__new ];
            destination-address gdr-sjc1-prod-graph-ro-vip__sjc1;
            application monitoring_services;
        }
        then {
            permit;
        }
    }
  • 41. Standardizing Policies: After
    policy NETOPS-7432__2 {
        match {
            source-address src_NETOPS-7432__2;
            destination-address dst_NETOPS-7432__2;
            application tcp_10906-10910;
        }
        then {
            permit;
        }
    }
    No more trying to engineer context into configurations!
  • 42. Side benefit of Standardization
    ● Show policy
    ● Show source address(es) / sets
    ● Show destination address(es) / sets
    ● Show application(s)
    ● show configuration | match <ticket> | display set
  • 43. Addressbook entry re-use
    ● It doesn't exist
      ○ New address-book entry added
    ● It exists
      ○ SRX ignores it
    ● It exists and is different:
      ○ Overwrite with new value
      ○ (Verify by admin)
  • 45. Step 6 - Representing the ACL in code create_firewall_rule.py - step 6
  • 46. srx.py
    In [13]: address1.ip
    Out[13]: '1.1.1.1/32'
    In [14]: address1.name
    Out[14]: 'myhost1.grpn'
    In [15]: address1.zone
    Out[15]: 'trust'
    In [16]: print address1.config()
    security {
        zones {
            security-zone trust {
                address-book {
                    address myhost1.grpn 1.1.1.1/32;
                }
            }
        }
    }
  • 47. Configuration logic stored outside of jinja
    In [19]: app = srx.Application('foo')
    In [20]: app.port = "9999"
    In [21]: app.port = "9999-65535"
    In [22]: app.port = "9999-65536"
    ---------------------------------------------------------------------------
    Exception                                 Traceback (most recent call last)
    {...}
  • 48. Creating the configuration objects
    Parsed Sources / Destinations + Zones from device + Destination port(s)
      → srx.py: Address objects, Address-set objects, Application objects, Policy objects
      → SRX JUNOS configuration
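The objects of steps 5 and 6 (address-book naming per slide 39, the address-book re-use decision of slide 43, an Application whose port validation lives in the object rather than the Jinja template as on slide 47, and a Policy rendered in the slide 41 shape), as one added example in the spirit of the deck's srx.py. It is not Groupon's code: the class and function names, constructor signatures and the 'new'/'unchanged'/'conflict' return values of reconcile_address are assumptions, and all inputs are constructed. It also makes explicit the caveat behind "(Verify by admin)": overwriting an address-book entry that already exists with a different prefix changes the scope of every policy that references that name.

```python
"""srx.py-style configuration objects (added example; not Groupon's srx.py)."""
import ipaddress

MAX_PORT = 65535


def address_name(entry, ip, index=None):
    """Slide-39 naming: host /32 -> <dns-entry>; round-robin DNS -> host label
    gets __<n> (db1__1.grpn); subnet -> the subnet itself."""
    net = ipaddress.ip_network(ip, strict=False)
    if net.prefixlen != net.max_prefixlen:
        return str(net)
    if index is None:
        return entry
    label, dot, domain = entry.partition(".")
    return "%s__%d%s%s" % (label, index, dot, domain)


class Address:
    def __init__(self, name, ip, zone):
        self.name = name
        self.ip = str(ipaddress.ip_network(ip, strict=False))
        self.zone = zone

    def config(self):  # slide 46 shape
        return ("security {\n    zones {\n        security-zone %s {\n"
                "            address-book {\n                address %s %s;\n"
                "            }\n        }\n    }\n}" % (self.zone, self.name, self.ip))


def build_addresses(parsed, zone):
    """parsed is the step-1a {name: [prefix, ...]} dict; >1 prefix means RR DNS."""
    out = []
    for entry, ips in parsed.items():
        if len(ips) == 1:
            out.append(Address(address_name(entry, ips[0]), ips[0], zone))
        else:
            for n, ip in enumerate(ips, 1):
                out.append(Address(address_name(entry, ip, n), ip, zone))
    return out


def reconcile_address(book, addr):
    """Slide 43: 'new' if absent, 'unchanged' if same prefix, 'conflict' if the
    name exists with a different prefix (must be reviewed before overwriting)."""
    existing = book.get(addr.name)
    if existing is None:
        return "new"
    if ipaddress.ip_network(existing, strict=False) == ipaddress.ip_network(addr.ip):
        return "unchanged"
    return "conflict"


class Application:
    """Port validation lives here, not in the template (slide 47)."""

    def __init__(self, protocol="tcp"):
        self.protocol = protocol
        self._port = None

    @property
    def port(self):
        return self._port

    @port.setter
    def port(self, spec):
        low, _, high = str(spec).partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("invalid port spec %r" % spec)
        self._port = str(lo) if lo == hi else "%d-%d" % (lo, hi)

    @property
    def name(self):  # tcp_8000, tcp_10906-10910
        return "%s_%s" % (self.protocol, self.port)


def valid_port_spec(spec):
    try:
        Application().port = spec
    except ValueError:
        return False
    return True


class Policy:
    """Policy and its address-sets are named from the ticket and group only."""

    def __init__(self, ticket, group, from_zone, to_zone, app):
        self.name = "%s__%s" % (ticket, group)
        self.src_set, self.dst_set = "src_" + self.name, "dst_" + self.name
        self.from_zone, self.to_zone, self.app = from_zone, to_zone, app

    def config(self):  # slide 41 shape
        return ("policy %s {\n    match {\n        source-address %s;\n"
                "        destination-address %s;\n        application %s;\n"
                "    }\n    then {\n        permit;\n    }\n}"
                % (self.name, self.src_set, self.dst_set, self.app.name))
```

Keeping the range check in the Application setter means a bad ticket fails while objects are being built, before any connection is opened or any configuration is rendered, and the same rule applies no matter which template renders it.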
  • 50. Firewall Automation Flow, part 1
    Input: Username, Ticket # → create_firewall_rule.py
      → JIRA API: parse ticket (netops_jira.py) into object (json)
      → Iterate over each group in the ticket
      → Determine which FW to configure based on standard
          Unable to determine fw → Assign to oncall
      → Parse src/dst
          Parsable → continue
          Not parsable → Assign to oncall for manual processing
      → FW Connection Object: 3x RPC (routing / zone / policy tables)
          Connection fail → Leave in retry queue
      → Build offline SRX (close previous connection)
  • 51. Firewall Automation Flow, part 2
    Offline SRX Object
      → Get zone info for src/dst
      → Verify rule doesn't already exist
          Exists → Comment + Resolve ticket
          Doesn't exist → Build ACL objects (srx.py library)
      → Save into per-colo dictionary
      → More groups in request?
          Yes → Process other groups
          No → For each colo, push all rules to active/backup FW
      → Comment diffs to ticket + resolve
  • 52. Step 7 - Ensuring the Firewalls are in Sync
  • 53. Tools for firewall synchronization - sync_policies.py
  • 54. Tools for firewall synchronization - fwsync_check.py
  • 55. Step 7 - Optimization
  • 56. Firewall Automation: The Service
    ● Created service code that runs periodically and finds "Approved" Firewall tickets
    ● The code will run create_firewall_rule.py on those tickets
    ● Engineers simply need to review the request for sanity/security purposes, and click approve.
    ● No need to run any script or open up a terminal
    ● Success = Comment + Resolve
    ● Fail = Re-assign to pagerduty API
    ● Only see tickets that require approval or troubleshooting
    ● Effective SLA: 30 minutes
  • 57. Caching, AKA being nice to our Production devices
  • 61. SRX Automation @ GRPN Jon Hammer hammer@groupon.com