Network device compliance measurement today, remediation tomorrow
Marc Petrivelli, Architect - Automation Practice, Red Hat Consulting NA
Share your automation story
1. How did you get started with Ansible?
2. How long have you been using it?
3. What's your favorite thing to do when you Ansible?
Presentation Flow
Background
Background
● Large global bank had urgent need to enhance compliance measurement over the network and security devices to implement device specific security guides
● Desire to create automated compliance measurement and reporting framework to validate security guide requirements
● Ensure automation approach can be operationalized for consumption across enterprise and used in future remediation efforts
● Looking for Red Hat Consulting to deliver a solution using Ansible Engine and Ansible Tower
Compliance Measurement
● Large number of financial regulatory compliance requirements handed down from security and auditing teams as security guides
● Security guides span multiple device types and vendors, including firewalls, VPN, proxy/secure gateway, AAA, load balancer and DNS/DHCP
● Roughly 230 devices in-scope for compliance measurement
● No standardized configuration of devices or source of truth
● Compliance baseline gathered manually through device UIs and ad-hoc scripting by various teams and SMEs
● No standardized reporting format for consumption by enterprise audit teams and device owners
● Compliance measurement is initial focus. Remediation is future state
Solution Goals
● Provide a fully automated approach to measure compliance across in-scope network devices
● Operationalize automation across the enterprise with appropriate role based access control
● Enable standardized reporting for all device compliance measurement
● Design a framework that can be used outside of network device compliance: infrastructure, platform, application
● Ensure approach is extensible to support future remediation use cases
Devices and Compliance Requirements
Approach
Requirements
● Financial regulatory compliance requirements drove generation of security guides
● Security guides written to address common and device-specific security configurations
● Common security guidelines across all devices
  ○ SEG A10 - Minimum Password Length - The minimum password length must be at least 15 characters
● Device-specific security guidelines with varying levels of detail
  ○ SEG C20 - IKEv1 Encryption Level - Set the encryption level for IKEv1 to AES negotiation or higher
● Some security guidelines provided implementation detail (i.e. commands)
● Determine the exact commands necessary to collect data to assess compliance
Architecture
Approach
High-level Approach
● Analyze compliance requirements for each device to determine module usage
● Develop approach for "gaps" in module coverage and usage
  ○ command & raw module usage for basic commands
  ○ custom module development for complex/parent commands
● Design a generic reporting approach each device will utilize
● Build custom dynamic inventory to ingest Remedy CMDB export and provide tagging
● Implement suite of playbooks and roles for each device type
  ○ Identify reuse opportunities (ASA VPN/Firewall)
  ○ One git repository per device
● Operationalize, ensuring automation is available for consumption across the enterprise
Approach
Implementation
● For security checks covered by modules, evaluate the changed result in check mode (mostly F5)
● Majority utilize command modules to collect required data
● Develop custom bc_command module to support command execution on Symantec/Bluecoat proxy
● Initially string checks on output, but moved to the Ansible network-engine parser for structured data
● Each security check performed in separate task file(s) with status set as an Ansible fact
● Required fact structure (nested dicts) defined by compliance reporting role with lookup plugin
● Compliance data passed to compliance reporting role, rendered as CSV by an action plugin
● Custom dynamic inventory (Python) to transform data and provide grouping and hostvars
Approach
Code Structure
compliance-reporting
asa-common
asa-firewall, asa-vpn, bluecoat-proxy, f5-loadbalancer, dns-automation, radius, checkpoint
network-engine
Reusable roles consumed through ansible-galaxy
Approach
Ansible Engine Usage
● Cisco ASA
  ○ asa_command
● Checkpoint
  ○ raw
  ○ future checkpoint_* - requires web services API (>= R80)
● Cisco ISE (AAA/Radius)
  ○ ios_command
● Symantec/Bluecoat ProxySG
  ○ bc_command - custom module based on the asa_command module; extends the network_cli connection plugin
● F5 BIG-IP
  ○ bigip_command, bigip_password_policy, bigip_device_ntp, bigip_device_sshd, bigip_device_httpd, bigip_device_syslog
● DNS/DHCP
  ○ command, shell, template
Approach
Reporting Details
● Initially considered using Ansible Tower log aggregator integration (Splunk) or custom shipping of data to Tableau
● Compliance and audit team already had a consumable format (CSV) from the Linux engineering team
● Status of each security guide requirement, along with compliance check metadata, present in the report
● Generate a report for each device type for each compliance run
● Custom action plugin generates the CSV compliance report from the gathered fact data
● Compliance report written to shared storage for consumption
● Report ingested into SQL Server through DTS; Tableau hooked into SQL Server for audit and compliance team reporting
Approach
Ansible Network Engine
● Provides a role containing action and lookup plugins to turn unstructured data into structured Ansible "native" data
● Output from the device command is passed to a "command parser"
● The command_parser action plugin allows a regex-based parser to be specified as an Ansible task file
● The parser utilizes pattern matching and data manipulation lookup plugins to create the desired data model
● Structured data is implicitly returned as fact(s) for use in verification and configuration tasks
Example of compliance check

```yaml
# Collect the running IKEv1 configuration from the ASA
- name: check crypto IKEv1 settings
  asa_command:
    commands: show run crypto ikev1
  register: asa_crypto_ikev1_output

# Turn the raw CLI output into the asa_vpn_ikev1_policies fact (nested dict) via network-engine
- name: parse IKEv1 output
  command_parser:
    file: "parsers/asa-vpn-ikev1-policy.yml"
    content: "{{ asa_crypto_ikev1_output.stdout[0] }}"

# SEG 30.02.01.02: every policy's encryption must be one of the allowed AES variants
- name: set status for IKEv1 policies
  vars:
    _encryption: "{{ asa_vpn_ikev1_policies | json_query('*.encryption') }}"
    _allowed_algos: ['aes', 'aes-192', 'aes-256']
  set_fact:
    seg_30_02_01_02_status: "{{ _encryption | all_in(_allowed_algos) }}"
    seg_30_02_01_02_status_detail: "Looking for {{ _allowed_algos }} found {{ _encryption }}"

# Merge this check's result into the compliance_data structure expected by the reporting role
- name: update compliance data
  block:
    - set_fact:
        compliance_data: "{{ compliance_data | combine(_curr_compliance) }}"
    - set_stats:
        data:
          compliance_data: "{{ compliance_data | combine(_curr_compliance) }}"
  vars:
    _curr_compliance: |
      {{ inventory_hostname | reporting_data('SEG 30.02.01.02', 'IKEv1 policy cipher', seg_30_02_01_02_status) }}
```
Cisco ASA IKEv1 VPN Policy Parser

```yaml
- name: PARSER META DATA
  parser_metadata:
    version: 1.0
    command: "show run crypto ikev1"
    network_os: asa

# Split the output into one text block per "crypto ikev1 policy N" section
- name: match ikev1 policy
  pattern_match:
    regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
    match_all: yes
    match_greedy: yes
  register: asa_vpn_ikev1_policy_group
  export: yes

# Pull the individual settings out of each policy block
- name: match policy values
  pattern_group:
    - name: match ikev1 policy
      pattern_match:
        regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_policy

    - name: match ikev1 authentication
      pattern_match:
        regex: "authentication\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_auth

    - name: match ikev1 encryption
      pattern_match:
        regex: "encryption\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_encryption

    - name: match ikev1 hash
      pattern_match:
        regex: "hash\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_hash

    # The group and lifetime matches are referenced by the template below but were
    # clipped from the slide; reconstructed here following the same pattern
    - name: match ikev1 group
      pattern_match:
        regex: "group\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_group

    - name: match ikev1 lifetime
      pattern_match:
        regex: "lifetime\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_lifetime
  # Iterate over the policy blocks; the registered list feeds the template (loop/register clipped from the slide)
  loop: "{{ asa_vpn_ikev1_policy_group }}"
  register: asa_vpn_ikev1_policy_list

# Build the policy-number-keyed dict that is exported as the asa_vpn_ikev1_policies fact
- name: generate IKEv1 data
  json_template:
    template:
      - key: "{{ item.asa_vpn_ikev1_policy.matches.0 }}"
        object:
          - key: authentication
            value: "{{ item.asa_vpn_ikev1_auth.matches.0 }}"
          - key: encryption
            value: "{{ item.asa_vpn_ikev1_encryption.matches.0 }}"
          - key: hash
            value: "{{ item.asa_vpn_ikev1_hash.matches.0 }}"
          - key: group
            value: "{{ item.asa_vpn_ikev1_group.matches.0 | int }}"
          - key: lifetime
            value: "{{ item.asa_vpn_ikev1_lifetime.matches.0 | int }}"
  export_as: dict
  export: yes
  register: asa_vpn_ikev1_policies
  loop: "{{ asa_vpn_ikev1_policy_list }}"
```
Cisco ASA IKEv1 VPN Policy Parser Output

```
TASK [asa-vpn : parse IKEv1 output] ******************************************************************************
task path: test/asa-vpn/roles/asa-vpn/tasks/check-ikev1-policy.yml:3
ok: [asadev01] => {
    "ansible_facts": {
        "asa_vpn_ikev1_policies": {
            << CLIPPED >>
            "53": {
                "authentication": "pre-share",
                "encryption": "aes",
                "group": "3",
                "hash": "md5",
                "lifetime": null
            },
            "8": {
                "authentication": "pre-share",
                "encryption": "aes-256",
                "group": "3",
                "hash": "md5",
                "lifetime": "86400"
            }
        }
    },
    "changed": false,
    "included": [
        "parsers/asa-vpn-ikev1-policy.yml"
    ]
}
```

COMMAND: show run crypto ikev1

```
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
<<CLIPPED>>
```
Example of compliance report generation

```yaml
# compliance check roles and tasks executed

- name: include reporting role for report generation
  include_role:
    name: compliance-reporting
  vars:
    report_base_compliance_results: "{{ compliance_data }}"
    report_base_device_type: "vpn"
```

```csv
Job name,Date,Logical Server name,Virtual DC,Rule name,Reference number,Rules comply
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
```
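The parser, the SEG 30.02.01.02 check and one row of the CSV report above, re-implemented in plain Python so the logic can be exercised offline. This is an added example, not code from the deck or the engagement: the show run output is constructed from the clipped slide, and the hypothetical all_in, seg_30_02_01_02 and report_row functions stand in for the custom all_in filter, the set_fact task and the reporting action plugin.

```python
import csv
import io
import re

# Constructed "show run crypto ikev1" output, modelled on the deck's clipped sample.
SAMPLE_SHOW_RUN = """\
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

POLICY_START = re.compile(r"^crypto\s+ikev1\s+policy\s+(\d+)", re.M)
FIELDS = ["authentication", "encryption", "hash", "group", "lifetime"]


def _field(block, name):
    """First "<name> <value>" inside one policy block, or None if absent."""
    m = re.search(rf"{name}\s+(\S+)", block)
    return m.group(1) if m else None


def parse_ikev1_policies(text):
    """Build {policy_id: {field: value}}, the shape of the asa_vpn_ikev1_policies fact.
    Like the parser's match_all/match_greedy step, the text is cut into one block per
    "crypto ikev1 policy N" line; a field missing from a block (lifetime on 53) is None."""
    starts = list(POLICY_START.finditer(text))
    policies = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        policies[m.group(1)] = {f: _field(block, f) for f in FIELDS}
    return policies


def all_in(values, allowed):
    """Equivalent of the deck's custom all_in filter: every value is in allowed."""
    return all(v in allowed for v in values)


def seg_30_02_01_02(policies, allowed=("aes", "aes-192", "aes-256")):
    """IKEv1 Encryption Level check; returns (status, detail) like the set_fact task."""
    encryption = [p["encryption"] for p in policies.values()]
    status = all_in(encryption, allowed)
    return status, f"Looking for {list(allowed)} found {encryption}"


def report_row(job, date, host, vdc, rule, reference, status):
    """One line in the CSV layout shown on the reporting slide."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([job, date, host, vdc, rule, reference, str(status).lower()])
    return buf.getvalue().rstrip("\n")
```

Running `seg_30_02_01_02(parse_ikev1_policies(SAMPLE_SHOW_RUN))` returns `True` for the sample because both policies use an AES variant; a single policy with `3des` flips the row to `false`.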
Approach
Operationalize the Automation
So we have a solid Ansible framework to run compliance checks, but need to:
● tightly manage inventories and associated host and group metadata
● provide proper access controls to run and modify the automation
● allow for a development process to provide verified releases
● run the automation through external orchestrators or on a schedule
● target execution across data centers without direct connectivity to devices
Architecture
Manage Inventory
● CSV export of Remedy CMDB as source of truth
● Dynamic inventory to structure inventory and hostvars
● Master inventory containing all devices
● Smart inventories for each device type
● Device specific automation tied to smart inventory
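An added example of the dynamic inventory idea above (not the engagement's own inventory script): a CMDB CSV export is turned into Ansible inventory JSON with one group per device type and per datacenter, so smart inventories can be carved out per device type, and each CMDB row is exposed as hostvars. The export columns, the constructed rows and the PLATFORM_VARS connection settings are assumptions.

```python
import csv
import io
import json
import sys

# Constructed stand-in for the Remedy CMDB CSV export; the column names are an assumption.
CMDB_EXPORT = """\
hostname,ip_address,device_type,datacenter,owner
asavpndev1,10.0.0.1,asa-vpn,VIRTUAL_DC,netsec
asavpndev2,10.0.0.2,asa-vpn,VIRTUAL_DC,netsec
asafwdev1,10.0.0.9,asa-firewall,DC_EAST,netsec
f5lbdev1,10.0.1.1,f5-loadbalancer,DC_EAST,lb-team
"""

# Per-device-type connection hostvars (assumed mapping; asa_command runs over network_cli).
PLATFORM_VARS = {
    "asa-vpn": {"ansible_network_os": "asa", "ansible_connection": "network_cli"},
    "asa-firewall": {"ansible_network_os": "asa", "ansible_connection": "network_cli"},
}


def group_name(value):
    """Normalise a CMDB value into a valid Ansible group name (asa-vpn -> asa_vpn)."""
    return value.strip().lower().replace("-", "_").replace(" ", "_")


def build_inventory(csv_text):
    """Return the --list structure: one group per device type and per datacenter,
    every group listed as a child of 'all', and the CMDB row exposed as hostvars."""
    inv = {"_meta": {"hostvars": {}}, "all": {"children": []}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip()
        hostvars = {
            "ansible_host": row["ip_address"],
            "device_type": row["device_type"],
            "virtual_dc": row["datacenter"],  # feeds the report's "Virtual DC" column
            "owner": row["owner"],
        }
        hostvars.update(PLATFORM_VARS.get(row["device_type"], {}))
        inv["_meta"]["hostvars"][host] = hostvars
        for group in (group_name(row["device_type"]), group_name(row["datacenter"])):
            inv.setdefault(group, {"hosts": []})["hosts"].append(host)
            if group not in inv["all"]["children"]:
                inv["all"]["children"].append(group)
    return inv


def main(argv):
    """Dynamic inventory contract: --list dumps everything, --host <name> dumps one host's vars."""
    inv = build_inventory(CMDB_EXPORT)
    if "--host" in argv:
        print(json.dumps(inv["_meta"]["hostvars"].get(argv[argv.index("--host") + 1], {})))
    else:
        print(json.dumps(inv, indent=2))


if __name__ == "__main__":
    main(sys.argv[1:])
```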
Role Based Access Control
● Load balancer and VPN automation shown
● Architecture org controls all inventory and permissions
● Development org/team uses inventory to build workflows
● Production org prod admin team builds out workflows
● Prod admins give execute access to the netsec ops team
● Netsec ops team only has execute permissions
● Projects point to appropriate branches
Compliance Automation Workflow
Approach
Success Metrics
● Achieved ~85% implementation for ~160 security guide controls
● Reduced compliance measurement timeline for devices from weeks to hours
● Operational solution where compliance ran on a schedule and by authorized teams across the enterprise
● Ansible content structured to allow for easy review by auditors and external teams
● Enabled a development and release workflow to allow for continued updates and verified releases
● Extensible Ansible automation framework to support future devices and remediation