Network device compliance measurement today, remediation tomorrow
Marc Petrivelli, Architect - Automation Practice, Red Hat Consulting NA
Share your automation story
1. How did you get started with Ansible?
2. How long have you been using it?
3. What's your favorite thing to do when you Ansible?
Presentation Flow
Background
● A large global bank had an urgent need to enhance compliance measurement over its network and security devices by implementing device-specific security guides
● Desire to create an automated compliance measurement and reporting framework to validate security guide requirements
● Ensure the automation approach can be operationalized for consumption across the enterprise and used in future remediation efforts
● Engaged Red Hat Consulting to deliver the solution using Ansible Engine and Ansible Tower
Compliance Measurement
● Large number of financial regulatory compliance requirements handed down from security and auditing teams as security guides
● Security guides span multiple device types and vendors including firewalls, VPN, proxy/secure gateway, AAA, load balancer and DNS/DHCP
● Roughly 230 devices in-scope for compliance measurement
● No standardized configuration of devices or source of truth
● Compliance baseline gathered manually through device UIs and ad-hoc scripting by various teams and SMEs
● No standardized reporting format for consumption by enterprise audit teams and device owners
● Compliance measurement is initial focus. Remediation is future state
Solution Goals
● Provide a fully automated approach to measure compliance across in-scope network devices
● Operationalize automation across the enterprise with appropriate role based access control
● Enable standardized reporting for all device compliance measurement
● Design a framework that can be reused outside network device compliance (infrastructure, platform, application)
● Ensure approach is extensible to support future remediation use cases
Devices and Compliance Requirements
Approach
● Financial regulatory compliance requirements drove generation of the security guides
● Security guides written to address common and device-specific security configurations
● Common security guidelines across all devices
○ SEG A10 - Minimum Password Length - The minimum password length must be at least 15 characters
● Device-specific security guidelines with varying levels of detail
○ SEG C20 - IKEv1 Encryption Level - Set the encryption level for IKEv1 to AES negotiation or higher
● Some security guidelines provided implementation detail (i.e. commands)
● Determine the exact commands necessary to collect the data needed to assess compliance
[Diagram: Requirements, Architecture]
High-level Approach
● Analyze compliance requirements for each device to determine module usage
● Develop approach for "gaps" in module coverage and usage
○ command & raw module usage for basic commands
○ custom module development for complex/parent commands
● Design generic reporting approach each device will utilize
● Build custom dynamic inventory to ingest Remedy CMDB export and provide tagging
● Implement suite of playbooks and roles for each device type
○ Identify reuse opportunities (ASA VPN/Firewall)
○ One git repository per device
● Operationalize ensuring automation is available for consumption across the enterprise
Implementation
● For security checks covered by existing configuration modules (mostly F5), run the module in check mode and evaluate its changed result: if the module would have changed the device, the device deviates from the required setting
● Majority utilize command modules to collect the required data
● Develop custom bc_command module to support command execution on the Symantec/Bluecoat proxy
● Initially string checks on output, but moved to the Ansible network-engine parser to get structured data
● Each security check performed in separate task file(s) with its status set as an Ansible fact
● Required fact structure (nested dicts) defined by the compliance-reporting role with a lookup plugin
● Compliance data passed to the compliance-reporting role and rendered as CSV by an action plugin
● Custom dynamic inventory (python) to transform CMDB data and provide grouping and hostvars
Code Structure
Device-specific roles, one git repository per device type: asa-firewall, asa-vpn, bluecoat-proxy, f5-loadbalancer, dns-automation, radius, checkpoint
Reusable roles consumed through ansible-galaxy: compliance-reporting, asa-common, network-engine
Ansible Engine Usage
● Cisco ASA
○ asa_command
● Checkpoint
○ raw
○ future: checkpoint_* modules - require the web services API (>= R80)
● Cisco ISE (AAA/Radius)
○ ios_command
● Symantec/Bluecoat ProxySG
○ bc_command - custom module based on the asa_command module; extends the network_cli connection plugin
● F5 BIG-IP
○ bigip_command, bigip_password_policy, bigip_device_ntp, bigip_device_sshd, bigip_device_httpd, bigip_device_syslog
● DNS/DHCP
○ command, shell, template
Reporting Details
● Initially considered using the Ansible Tower log aggregator integration (Splunk) or custom shipping of data to Tableau
● Compliance and audit teams already had a consumable format (CSV) from the Linux engineering team
● Status of each security guide requirement along with compliance check metadata present in the report
● Generate a report for each device type for each compliance run
● Custom action plugin generates the CSV compliance report from the gathered fact data
● Compliance report written to shared storage for consumption
● Report ingested into SQL Server through DTS; Tableau hooked into SQL Server for audit and compliance team reporting
Ansible Network Engine
● Provides a role containing action and lookup plugins to turn unstructured data into structured Ansible "native" data
● Output from a device command is passed to a "command parser"
● The command_parser action plugin allows a regex-based parser to be specified as an Ansible task file
● The parser uses pattern-matching and data-manipulation lookup plugins to create the desired data model
● Structured data is implicitly returned as fact(s) for use in verification and configuration tasks
Example of compliance check

```yaml
# roles/asa-vpn/tasks/check-ikev1-policy.yml
- name: check crypto IKEv1 settings
  asa_command:
    commands:
      - show run crypto ikev1
  register: asa_crypto_ikev1_output

- name: parse IKEv1 output
  command_parser:
    file: "parsers/asa-vpn-ikev1-policy.yml"
    content: "{{ asa_crypto_ikev1_output.stdout[0] }}"

- name: set status for IKEv1 policies
  vars:
    _encryption: "{{ asa_vpn_ikev1_policies | json_query('*.encryption') }}"
    # SEG 30.02.01.02: AES negotiation or higher
    _allowed_algos: ['aes', 'aes-192', 'aes-256']
  set_fact:
    # all_in is a custom filter from the framework: true only when every
    # configured cipher is in the allowed list
    seg_30_02_01_02_status: "{{ _encryption | all_in(_allowed_algos) }}"
    seg_30_02_01_02_status_detail: "Looking for {{ _allowed_algos }} found {{ _encryption }}"

- name: update compliance data
  block:
    - set_fact:
        compliance_data: "{{ compliance_data | combine(_curr_compliance) }}"
    # set_stats makes the result available to the Tower workflow / reporting job
    - set_stats:
        data:
          compliance_data: "{{ compliance_data | combine(_curr_compliance) }}"
  vars:
    # reporting_data is the compliance-reporting role's plugin that builds the
    # nested dict structure the report generator expects
    _curr_compliance: "{{ inventory_hostname | reporting_data('SEG 30.02.01.02', 'IKEv1 policy cipher', seg_30_02_01_02_status) }}"
```
Cisco ASA IKEv1 VPN Policy Parser

```yaml
# parsers/asa-vpn-ikev1-policy.yml (network-engine command_parser format)
- name: PARSER META DATA
  parser_metadata:
    version: 1.0
    command: "show run crypto ikev1"
    network_os: asa

# match_all + match_greedy splits the output into one section per policy,
# each section running from its 'crypto ikev1 policy N' line to the next one
- name: match ikev1 policy
  pattern_match:
    regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
    match_all: yes
    match_greedy: yes
  register: asa_vpn_ikev1_policy_group
  export: yes

- name: match policy values
  pattern_group:
    - name: match ikev1 policy
      pattern_match:
        regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_policy

    - name: match ikev1 authentication
      pattern_match:
        regex: "authentication\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_auth

    - name: match ikev1 encryption
      pattern_match:
        regex: "encryption\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_encryption

    - name: match ikev1 hash
      pattern_match:
        regex: "hash\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_hash

    - name: match ikev1 group
      pattern_match:
        regex: "group\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_group

    - name: match ikev1 lifetime
      pattern_match:
        regex: "lifetime\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_lifetime
  # one pattern_group result per policy section
  loop: "{{ asa_vpn_ikev1_policy_group }}"
  register: asa_vpn_ikev1_policy_list

- name: generate IKEv1 data
  json_template:
    template:
      - key: "{{ item.asa_vpn_ikev1_policy.matches.0 }}"
        object:
          - key: authentication
            value: "{{ item.asa_vpn_ikev1_auth.matches.0 }}"
          - key: encryption
            value: "{{ item.asa_vpn_ikev1_encryption.matches.0 }}"
          - key: hash
            value: "{{ item.asa_vpn_ikev1_hash.matches.0 }}"
          - key: group
            value: "{{ item.asa_vpn_ikev1_group.matches.0 | int }}"
          - key: lifetime
            value: "{{ item.asa_vpn_ikev1_lifetime.matches.0 | int }}"
  export_as: dict
  export: yes
  register: asa_vpn_ikev1_policies
  loop: "{{ asa_vpn_ikev1_policy_list }}"
```
Cisco ASA IKEv1 VPN Policy Parser Output

```
TASK [asa-vpn : parse IKEv1 output] ******************************************************************************
task path: test/asa-vpn/roles/asa-vpn/tasks/check-ikev1-policy.yml:3
ok: [asadev01] => {
    "ansible_facts": {
        "asa_vpn_ikev1_policies": {
            << CLIPPED >>
            "53": {
                "authentication": "pre-share",
                "encryption": "aes",
                "group": "3",
                "hash": "md5",
                "lifetime": null
            },
            "8": {
                "authentication": "pre-share",
                "encryption": "aes-256",
                "group": "3",
                "hash": "md5",
                "lifetime": "86400"
            }
        }
    },
    "changed": false,
    "included": [
        "parsers/asa-vpn-ikev1-policy.yml"
    ]
}
```

COMMAND: show run crypto ikev1

```
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
<<CLIPPED>>
```
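The parser and the SEG 30.02.01.02 check above, written as plain Python so the logic can be unit-tested outside Ansible. This is an added example, not code from the deck or from the network-engine role: the sample output is constructed from the clipped capture above, the field patterns mirror the parser file, and the allowed hash values for SEG 30.02.01.03 are an assumption, since the deck does not state them. It also handles an edge case the `all_in` filter would otherwise pass silently: a device with no IKEv1 policies at all.

```python
import re
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample modelled on the clipped `show run crypto ikev1` capture
# in the deck (not real device data).
SAMPLE_IKEV1_OUTPUT = """\
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Same patterns as the network-engine parser file: a policy header opens a new
# section (match_all + match_greedy) and the field patterns run inside it.
POLICY_RE = re.compile(r"^crypto\s+ikev1\s+policy\s+(\d+)")
FIELD_RES = {
    "authentication": re.compile(r"^\s*authentication\s+(\S+)"),
    "encryption": re.compile(r"^\s*encryption\s+(\S+)"),
    "hash": re.compile(r"^\s*hash\s+(\S+)"),
    "group": re.compile(r"^\s*group\s+(\d+)"),
    "lifetime": re.compile(r"^\s*lifetime\s+(\d+)"),
}

Policy = Dict[str, Optional[str]]


def parse_ikev1_policies(output: str) -> Dict[str, Policy]:
    """Return {policy_number: {field: value or None}}, like asa_vpn_ikev1_policies."""
    policies: Dict[str, Policy] = {}
    current: Optional[Policy] = None
    for line in output.splitlines():
        header = POLICY_RE.match(line)
        if header:
            current = {field: None for field in FIELD_RES}
            policies[header.group(1)] = current
            continue
        if current is None:
            continue  # global lines such as 'crypto ikev1 enable outside'
        for field, pattern in FIELD_RES.items():
            found = pattern.match(line)
            if found:
                current[field] = found.group(1)
    return policies


def all_in(values: Sequence[Optional[str]], allowed: Sequence[str]) -> bool:
    """Python equivalent of the deck's custom all_in filter."""
    return all(value in allowed for value in values)


def evaluate_control(policies: Dict[str, Policy], field: str,
                     allowed: Sequence[str]) -> Tuple[bool, str]:
    """Status plus the detail string the deck records next to each SEG fact.

    A device with no IKEv1 policies is reported non-compliant instead of letting
    all() pass vacuously on an empty list; a policy that omits the field (None,
    so the platform default applies) also fails rather than being assumed safe.
    """
    values = [policy[field] for policy in policies.values()]
    if not values:
        return False, f"no IKEv1 policies found; cannot assess {field}"
    return all_in(values, allowed), f"Looking for {list(allowed)} found {values}"


# SEG 30.02.01.02, IKEv1 Encryption Level: AES or higher (values as in the deck).
ALLOWED_IKEV1_ENCRYPTION = ("aes", "aes-192", "aes-256")
# SEG 30.02.01.03, IKEv1 Hash: assumption, the deck does not list the allowed hashes.
ALLOWED_IKEV1_HASH = ("sha",)


def ikev1_compliance_facts(output: str) -> Dict[str, object]:
    """Build the seg_*_status / seg_*_status_detail facts the playbook sets."""
    policies = parse_ikev1_policies(output)
    enc_status, enc_detail = evaluate_control(policies, "encryption", ALLOWED_IKEV1_ENCRYPTION)
    hash_status, hash_detail = evaluate_control(policies, "hash", ALLOWED_IKEV1_HASH)
    return {
        "seg_30_02_01_02_status": enc_status,
        "seg_30_02_01_02_status_detail": enc_detail,
        "seg_30_02_01_03_status": hash_status,
        "seg_30_02_01_03_status_detail": hash_detail,
    }


if __name__ == "__main__":
    for name, value in ikev1_compliance_facts(SAMPLE_IKEV1_OUTPUT).items():
        print(f"{name}: {value}")
```

On the constructed sample the encryption control passes (aes and aes-256 are both allowed) and the hash control fails because policy 53 uses md5, which matches the true/false pattern of the sample report further down.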
Example of compliance report generation

```yaml
# compliance check roles and tasks executed above
- name: include reporting role for report generation
  include_role:
    name: compliance-reporting
  vars:
    report_base_compliance_results: "{{ compliance_data }}"
    report_base_device_type: "vpn"
```
Job name,Date,Logical Server name,Virtual DC,Rule name,Reference number,Rules comply
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
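The report-generation step as an added Python example, not the deck's action plugin: it builds the nested compliance_data structure the playbook accumulates through reporting_data and combine, then renders it in the column order of the CSV above and reads it back the way the SQL Server loader would. The nested layout (host, then reference number, then result) and the per-host virtual DC metadata are assumptions; the real role takes them from hostvars.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List

# Assumed fact layout: host -> reference number -> {rule_name, status}
ComplianceData = Dict[str, Dict[str, Dict[str, object]]]

REPORT_COLUMNS = ["Job name", "Date", "Logical Server name", "Virtual DC",
                  "Rule name", "Reference number", "Rules comply"]

# Constructed host metadata standing in for hostvars from the dynamic inventory.
SAMPLE_META = {
    "asavpndev1": {"virtual_dc": "VIRTUAL_DC"},
    "asavpndev2": {"virtual_dc": "VIRTUAL_DC"},
}


def reporting_data(host: str, reference: str, rule_name: str, status: bool) -> ComplianceData:
    """Python version of the deck's reporting_data plugin: one check as a nested dict."""
    return {host: {reference: {"rule_name": rule_name, "status": bool(status)}}}


def combine(base: ComplianceData, new: ComplianceData) -> ComplianceData:
    """Merge one level deep so a second check for the same host does not replace
    the first (Ansible's combine filter only does this with recursive=True)."""
    merged = {host: dict(refs) for host, refs in base.items()}
    for host, refs in new.items():
        merged.setdefault(host, {}).update(refs)
    return merged


def build_sample_compliance_data() -> ComplianceData:
    """Constructed results mirroring the sample report rows in the deck."""
    data: ComplianceData = {}
    for host in ("asavpndev1", "asavpndev2"):
        data = combine(data, reporting_data(host, "SEG 30.02.01.02", "IKEv1 Encryption Level", True))
        data = combine(data, reporting_data(host, "SEG 30.02.01.03", "IKEv1 Hash", False))
    return data


def render_report(job_name: str, run_time: datetime, device_meta: Dict[str, Dict[str, str]],
                  compliance_data: ComplianceData) -> str:
    """Render compliance_data as CSV in the deck's column order.

    Rows are sorted by host and reference so two runs diff cleanly for auditors;
    booleans are written as true/false exactly as in the sample report.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(REPORT_COLUMNS)
    stamp = run_time.strftime("%d/%m/%Y %H:%M")
    for host in sorted(compliance_data):
        dc = device_meta.get(host, {}).get("virtual_dc", "")
        for reference in sorted(compliance_data[host]):
            result = compliance_data[host][reference]
            writer.writerow([job_name, stamp, host, dc, result["rule_name"], reference,
                             str(result["status"]).lower()])
    return buf.getvalue()


def parse_report(text: str) -> List[Dict[str, str]]:
    """Read a report back, as the SQL Server ingest (or a test) would."""
    return list(csv.DictReader(io.StringIO(text)))


def noncompliant_by_reference(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count failing rows per reference number: the first view an auditor wants."""
    counts: Dict[str, int] = {}
    for row in rows:
        if row["Rules comply"] != "true":
            counts[row["Reference number"]] = counts.get(row["Reference number"], 0) + 1
    return counts


if __name__ == "__main__":
    report = render_report("ansible_network_vpn", datetime(2019, 5, 13, 19, 8),
                           SAMPLE_META, build_sample_compliance_data())
    print(report)
    print(noncompliant_by_reference(parse_report(report)))
```

One caveat worth carrying back to the playbook: Ansible's combine filter is shallow by default, so if compliance_data is keyed by hostname at the top level, each check's combine would replace the previous check's entry for that host; either key the per-host fact by reference number or use combine(recursive=True).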
Operationalize the Automation
So we have a solid Ansible framework to run compliance checks but need to:
● tightly manage inventories and associated host and group metadata
● provide proper access controls to run and modify the automation
● allow for a development process to provide verified releases
● run the automation through external orchestrators or on a schedule
● target execution across data centers without direct connectivity to devices
Architecture
Manage Inventory
● CSV export of the Remedy CMDB as source of truth
● Dynamic inventory to structure the inventory and hostvars
● Master inventory containing all devices
● Smart inventories for each device type
● Device-specific automation tied to its smart inventory
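A dynamic inventory of the kind described above, as an added Python example rather than the project's own script: it reads a CMDB CSV export, builds groups by device type, vendor and data center (which is what Tower smart inventories then key on) and emits the --list / --host JSON that Ansible and Tower expect from an inventory script. The column names and the sample rows are constructed assumptions; the deck does not show the Remedy export schema.

```python
import csv
import io
import json
import re
import sys
from typing import Dict, List

# Constructed Remedy CMDB export. Column names are assumptions.
SAMPLE_CMDB_CSV = """\
hostname,device_type,vendor,virtual_dc,mgmt_ip
asavpndev1,vpn,cisco,VIRTUAL_DC,10.0.0.11
asavpndev2,vpn,cisco,VIRTUAL_DC,10.0.0.12
asafwdev1,firewall,cisco,VIRTUAL_DC,10.0.0.21
f5lbdev1,load balancer,f5,DC-EAST,10.0.1.31
proxydev1,proxy,symantec,DC-EAST,10.0.1.41
asavpndev1,vpn,cisco,VIRTUAL_DC,10.0.0.11
"""

# Group prefix -> CSV column used to derive it.
GROUPINGS = (("type", "device_type"), ("vendor", "vendor"), ("dc", "virtual_dc"))


def group_name(value: str) -> str:
    """Ansible-safe group name: lower-case, anything non-alphanumeric becomes '_'."""
    return re.sub(r"[^a-z0-9_]", "_", value.strip().lower())


def build_inventory(cmdb_csv: str) -> Dict[str, object]:
    """Turn the CMDB export into the inventory-script JSON structure."""
    hostvars: Dict[str, Dict[str, str]] = {}
    groups: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(cmdb_csv)):
        host = row["hostname"].strip()
        # CMDB exports commonly repeat a CI; keep the first row so a host is not
        # placed in a group twice and run twice.
        if not host or host in hostvars:
            continue
        hostvars[host] = {
            "ansible_host": row["mgmt_ip"].strip(),
            "device_type": row["device_type"].strip(),
            "vendor": row["vendor"].strip(),
            "virtual_dc": row["virtual_dc"].strip(),
        }
        for prefix, column in GROUPINGS:
            groups.setdefault(f"{prefix}_{group_name(row[column])}", []).append(host)
    inventory: Dict[str, object] = {
        "_meta": {"hostvars": hostvars},
        "all": {"children": sorted(groups)},
    }
    for name, hosts in groups.items():
        inventory[name] = {"hosts": sorted(hosts)}
    return inventory


def host_count(inventory: Dict[str, object]) -> int:
    """Number of hosts in scope; compare against the expected fleet size before a run."""
    return len(inventory["_meta"]["hostvars"])


def main(argv: List[str]) -> int:
    # A real script would read the export path from its configuration instead.
    inventory = build_inventory(SAMPLE_CMDB_CSV)
    if len(argv) > 1 and argv[1] == "--host":
        host = argv[2] if len(argv) > 2 else ""
        print(json.dumps(inventory["_meta"]["hostvars"].get(host, {}), indent=2))
    else:
        print(json.dumps(inventory, indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the export is the source of truth for what gets measured, a device silently missing from it drops out of compliance scope without any failed check; a guard that compares host_count() against the expected number of in-scope devices (roughly 230 here) and aborts the run on an unexpected drop is cheap protection against a truncated or tampered export.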
Role Based Access Control
● Load balancer and VPN automation shown
● Architecture org controls all inventory and permissions
● Development org/team uses inventory to build workflows
● Production org: prod admin team builds out workflows
● Prod admin team gives execute access to the netsec ops team
● Netsec ops team only has execute permissions
● Projects point to appropriate branches
Compliance Automation Workflow
Success Metrics
● Achieved ~85% implementation coverage of ~160 security guide controls
● Reduced the compliance measurement timeline for devices from weeks to hours
● Operational solution where compliance runs on a schedule and by authorized teams across the enterprise
● Ansible content structured to allow easy review by auditors and external teams
● Enabled a development and release workflow to allow for continued updates and verified releases
● Extensible Ansible automation framework to support future devices and remediation