Agile and compliant firewall ACL
configuration management for DevOps
Ildefonso Montero <imontero@intellimentsec.com>
Who am I:
Ildefonso Montero
Backend Software Developer (+10 years)
Last 3 years working on DevOps and Network Automation
at Intelliment Security
Let’s talk about
DevOps, Security, and Network Automation
Application Delivery
I’m involved in the development of an application and I need ...
● to push these changes to the production environment (~minutes)
● to deploy several services on the infrastructure (~minutes)
● to perform live migrations on hybrid multi-cloud environments (~minutes)
● to have network visibility across services inside and outside the infrastructure (~hours, ~days)
● to build a lab environment to test the high availability of my services under networking issues (~days, ~weeks)
● to be able to work while the infrastructure team performs changes on our network infrastructure (~weeks, ~months)
Network Delivery O.P.E.R.A.T.I.O.N.A.L Issues
● Delivery takes too long (~25 days avg)
● Too many changes (30,000+ per year)
● The network keeps evolving continuously
● Network policies must be reviewed periodically, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
● Complicated and highly manual approval process
● Security compliance is usually managed separately from the change management process
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
COMMIT
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
(the same flow as a FortiGate configuration)
config firewall address
edit "B_PHPs"
set comment "Backend PHP servers"
set color 7
set type iprange
set start-ip 10.31.50.60
set end-ip 10.31.50.99
next
edit "B_DBs_SQL"
set comment "Database servers"
set color 7
set type iprange
set start-ip 10.31.40.10
set end-ip 10.31.40.39
next
end
config firewall policy
edit 1
set srcintf "B_frontend"
set dstintf "B_backend"
set srcaddr "B_PHPs"
set dstaddr "B_DBs_SQL"
set action accept
set service "mysql" "postgres" "oracle"
set schedule "always"
set logtraffic disable
set comments "SQL databases access"
next
end
config firewall service custom
edit "mysql"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 3306
next
edit "postgres"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 5432
next
edit "oracle"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 1521
next
end
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
(the same flow as a Check Point dbedit script)
create tcp_service mysql
modify services mysql color orange
modify services mysql port 3306
modify services mysql comments ''
modify services mysql include_in_any false
update services mysql
create tcp_service postgres
modify services postgres color orange
modify services postgres port 5432
modify services postgres comments ''
modify services postgres include_in_any false
update services postgres
create tcp_service oracle
modify services oracle color orange
modify services oracle port 1521
modify services oracle comments ''
modify services oracle include_in_any false
update services oracle
create address_range B_PHPs
modify network_objects B_PHPs color orange
modify network_objects B_PHPs ipaddr_first 10.31.50.60
modify network_objects B_PHPs ipaddr_last 10.31.50.99
modify network_objects B_PHPs comments ''
modify network_objects B_PHPs add_adtr_rule false
update network_objects B_PHPs
create address_range B_DBs_SQL
modify network_objects B_DBs_SQL color orange
modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
modify network_objects B_DBs_SQL comments ''
modify network_objects B_DBs_SQL add_adtr_rule false
update network_objects B_DBs_SQL
create policies_collection IS_rb_SiteB_FG
update policies_collections IS_rb_SiteB_FG
create firewall_policy ##IS_rb_SiteB_FG
modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
update fw_policies ##IS_rb_SiteB_FG
addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
update fw_policies ##IS_rb_SiteB_FG
update_all
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
(the same flow as a PAN-OS XML configuration)
<entry name="localhost.localdomain">
<vsys>
<entry name="vsys1">
<service>
<entry name="mysql">
<protocol>
<tcp>
<port>3306</port>
</tcp>
</protocol>
</entry>
<entry name="postgres">
<protocol>
<tcp>
<port>5432</port>
</tcp>
</protocol>
</entry>
<entry name="oracle">
<protocol>
<tcp>
<port>1521</port>
</tcp>
</protocol>
</entry>
</service>
<service-group/>
<address>
<entry name="B_PHPs">
<ip-range>10.31.50.60-10.31.50.99</ip-range>
</entry>
<entry name="B_DBs_SQL">
<ip-range>10.31.40.10-10.31.40.39</ip-range>
</entry>
</address>
<address-group/>
<application/>
<zone/>
<rulebase>
<security>
<rules>
<entry name="IS_rule">
<action>allow</action>
<from>
<member>any</member>
</from>
<to>
<member>any</member>
</to>
<source>
<member>B_PHPs</member>
</source>
<destination>
<member>B_DBs_SQL</member>
</destination>
<service>
<member>mysql</member>
<member>postgres</member>
<member>oracle</member>
</service>
<application>
<member>any</member>
</application>
<description>SQL databases access</description>
<log-start>no</log-start>
<log-end>no</log-end>
</entry>
</rules>
</security>
</rulebase>
</entry>
</vsys>
</entry>
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
(the same flow as a Cisco ASA configuration)
object network B_PHPs
range 10.31.50.60 10.31.50.99
object network B_DBs_SQL
range 10.31.40.10 10.31.40.39
object service mysql
service tcp destination eq 3306
object service postgres
service tcp destination eq 5432
object service oracle
service tcp destination eq 1521
object-group service G_586576025
service-object object mysql
service-object object postgres
service-object object oracle
access-list Intelliment_Rule_B_frontend remark SQL databases access
access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
!
access-group Intelliment_Rule_B_frontend in interface B_frontend
!
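Every configuration above encodes one and the same request: the backend PHP servers may reach the SQL databases on 3306, 5432 and 1521. The following is an added example (not the slides' or Intelliment's code) of keeping that request as a single vendor-neutral intent and rendering it to iptables, Cisco ASA and an AWS security group. The address, interface and port values are the ones from the slides; the Intent model, the ACL_<interface> and G_<name> naming and the AWS rendering are assumptions of this example.

```python
"""Firewall policy as code: one vendor-neutral intent rendered to several vendor
syntaxes. Added example, not Intelliment's code. Object, interface and port
values are the ones from the slides; the Intent model and the ACL/group
naming scheme (ACL_<interface>, G_<intent name>) are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AddressRange:
    name: str
    first: str
    last: str


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Intent:
    name: str
    comment: str
    src_zone: str  # ingress interface / zone
    dst_zone: str  # egress interface / zone
    src: AddressRange
    dst: AddressRange
    services: List[Service]
    action: str = "accept"  # "accept" or "deny"


def render_iptables(i: Intent) -> str:
    """Single FORWARD rule in the shape of the iptables-save line on the slide."""
    if any(s.proto != "tcp" for s in i.services):
        raise ValueError("multiport rendering here only covers TCP services")
    ports = ",".join(str(s.port) for s in i.services)
    target = "ACCEPT" if i.action == "accept" else "DROP"
    return (f"-A FORWARD -p tcp -i {i.src_zone} -o {i.dst_zone} -m tcp "
            f"-m iprange --src-range {i.src.first}-{i.src.last} "
            f"-m iprange --dst-range {i.dst.first}-{i.dst.last} "
            f"-m multiport --destination-ports {ports} "
            f'-m comment --comment "{i.comment}" -j {target}')


def render_asa(i: Intent) -> List[str]:
    """Cisco ASA objects, service group, ACL and binding to the ingress interface."""
    lines = []
    for a in (i.src, i.dst):
        lines += [f"object network {a.name}", f" range {a.first} {a.last}"]
    for s in i.services:
        lines += [f"object service {s.name}", f" service {s.proto} destination eq {s.port}"]
    group = f"G_{i.name}"
    lines.append(f"object-group service {group}")
    lines += [f" service-object object {s.name}" for s in i.services]
    acl = f"ACL_{i.src_zone}"
    verb = "permit" if i.action == "accept" else "deny"
    lines += [f"access-list {acl} remark {i.comment}",
              f"access-list {acl} extended {verb} object-group {group} "
              f"object {i.src.name} object {i.dst.name} log disable",
              f"access-group {acl} in interface {i.src_zone}"]
    return lines


def render_aws_sg_ingress(i: Intent) -> List[dict]:
    """IpPermissions for an EC2 security group attached to the destination hosts.
    Two things the on-prem syntaxes hide: security groups only allow (no deny)
    and take CIDRs, not arbitrary ranges, so the source range is summarised."""
    if i.action != "accept":
        raise ValueError("security groups cannot express a deny; keep it as a NACL")
    cidrs = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(i.src.first), ipaddress.ip_address(i.src.last))]
    return [{"IpProtocol": s.proto, "FromPort": s.port, "ToPort": s.port,
             "IpRanges": [{"CidrIp": c, "Description": i.comment} for c in cidrs]}
            for s in i.services]


# The slide's intent: backend PHP servers may reach the SQL databases.
SQL_INTENT = Intent(
    name="SQL_DB_ACCESS", comment="SQL databases access",
    src_zone="B_frontend", dst_zone="B_backend",
    src=AddressRange("B_PHPs", "10.31.50.60", "10.31.50.99"),
    dst=AddressRange("B_DBs_SQL", "10.31.40.10", "10.31.40.39"),
    services=[Service("mysql", 3306), Service("postgres", 5432), Service("oracle", 1521)],
)

if __name__ == "__main__":
    print(render_iptables(SQL_INTENT))
    print("\n".join(render_asa(SQL_INTENT)))
    for perm in render_aws_sg_ingress(SQL_INTENT):
        print(perm)
```

The point of the intent object is that a change review diffs the intent, not four vendor syntaxes. The AWS rendering also shows what an automated on-premise-to-cloud migration has to handle explicitly: a security group has no deny action, and the slide's range 10.31.50.60-10.31.50.99 is not a single CIDR, so it becomes three CIDR entries.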
Automation
I’m involved in the development of an application and I need ...
● to push these changes to the production environment (~minutes)
● to deploy several services on the infrastructure (~minutes)
● to perform live migrations on hybrid multi-cloud environments (~minutes)
Network Automation
Why Network Automation Matters, and What You Can Do
About It – Rick Sherman at PuppetConf 2016
(https://www.youtube.com/watch?v=GZs2rXSEXoY)
Network Automation
Juniper PyEZ, PanOS, Cisco NX-API - pycsco, IOS-XR - pyIOSXR …
NetConf, YANG, Openconfig, IETF Operational Model Structure …
Netmiko, Paramiko, Napalm …
Software Defined Networks, Opendaylight, NFV, flannel, kube-proxy …
Project Calico, Romana, Fugue …
ansible, puppet-modules, chef inspec …
Network Automation
I’m involved in the development of an application and I need ...
● to have network visibility across services inside and outside the infrastructure
● to build a lab environment to test high availability under networking issues
● to be able to work while the infrastructure team performs changes on our network
(~days, ~weeks, ~months)
still having the same O.P.E.R.A.T.I.O.N.A.L issues
Agility by abstraction
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
Just say what you want instead of thinking about how to perform it
App Owners - Dev/Ops / Network needs
I need to consume SNMP servers
I will provide a service by tcp 443 and tcp 80
SecOps / Security Rules
User network must have visibility to App server
Risk teams / Compliance
DMZ traffic must be limited to Internet by tcp 443
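The three intents on this slide come from three different roles, and the compliance ones are what lets a change be pre-approved or pre-denied before anybody opens a ticket. The following is an added example (not the slides' or Intelliment's code) of evaluating a requested change against the two compliance statements above. The statements are the slide's; the zone names (DMZ, Internet, Users, AppServers, DBs), the Flow model and the three-way verdict are assumptions of this example.

```python
"""Continuous preemptive compliance: classify requested flows against compliance
intents before a change ticket is opened, so well-known requests are pre-approved
and risky ones pre-denied. Added example, not Intelliment's code. The two
compliance statements come from the slide; the zone names (DMZ, Internet, Users,
AppServers, DBs), the Flow model and the three-way verdict are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass(frozen=True)
class CompliancePolicy:
    name: str
    verdict: str                    # "pre-approved" or "pre-denied"
    matches: Callable[[Flow], bool]


def limited_to(src: str, dst: str, allowed: Set[Tuple[str, int]]) -> List[CompliancePolicy]:
    """'<src> traffic must be limited to <dst> by <ports>': the listed ports are
    pre-approved, every other flow between the two zones is pre-denied."""
    def between(f: Flow) -> bool:
        return f.src_zone == src and f.dst_zone == dst
    ports = ", ".join(f"{p}/{n}" for p, n in sorted(allowed))
    return [
        CompliancePolicy(f"{src} to {dst} outside {ports}", "pre-denied",
                         lambda f: between(f) and (f.proto, f.port) not in allowed),
        CompliancePolicy(f"{src} to {dst} on {ports}", "pre-approved",
                         lambda f: between(f) and (f.proto, f.port) in allowed),
    ]


def must_reach(src: str, dst: str) -> List[CompliancePolicy]:
    """'<src> must have visibility to <dst>': any flow between the zones is pre-approved."""
    return [CompliancePolicy(f"{src} must reach {dst}", "pre-approved",
                             lambda f: f.src_zone == src and f.dst_zone == dst)]


# Risk team: "DMZ traffic must be limited to Internet by tcp 443"
# SecOps:    "User network must have visibility to App server"
COMPLIANCE = limited_to("DMZ", "Internet", {("tcp", 443)}) + must_reach("Users", "AppServers")


def evaluate_flow(flow: Flow, policies: List[CompliancePolicy] = COMPLIANCE) -> Tuple[str, str]:
    """Verdict for one flow. Pre-deny policies are checked first, so a flow that
    violates a risk constraint is never pre-approved by a broader allow intent."""
    for p in policies:
        if p.verdict == "pre-denied" and p.matches(flow):
            return "pre-denied", p.name
    for p in policies:
        if p.verdict == "pre-approved" and p.matches(flow):
            return "pre-approved", p.name
    return "review", "no compliance intent covers this flow"


def evaluate_change(flows: List[Flow], policies: List[CompliancePolicy] = COMPLIANCE):
    """Verdict for a whole change request: one pre-denied flow blocks it, a request
    made only of pre-approved flows can be deployed without manual approval, and
    anything else goes to the usual review queue."""
    details = [(f, *evaluate_flow(f, policies)) for f in flows]
    verdicts = {v for _, v, _ in details}
    if "pre-denied" in verdicts:
        overall = "pre-denied"
    elif verdicts == {"pre-approved"}:
        overall = "pre-approved"
    else:
        overall = "review"
    return overall, details


if __name__ == "__main__":
    # App owner: "I will provide a service by tcp 443 and tcp 80" to the users.
    request = [Flow("Users", "AppServers", "tcp", 443), Flow("Users", "AppServers", "tcp", 80)]
    print(evaluate_change(request)[0])  # pre-approved
    risky = request + [Flow("DMZ", "Internet", "tcp", 22)]
    for flow, verdict, reason in evaluate_change(risky)[1]:
        print(verdict, flow, "->", reason)
```

The ordering in evaluate_flow is the security-relevant choice: a "limited to" statement from the risk team is a constraint, so it is tested before any pre-approval, and a flow nobody has said anything about lands in review rather than being silently allowed or refused.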
Network Abstraction Layer
The abstraction layer sits between the people who express intents and the network they run on:
● App Owner / DevOps specifies app connectivity
● Network Engineer specifies quality
● Security Consultant specifies compliance
● Security Engineer specifies threat response
Below it: Network Infrastructure, Data Ingestion, …
On top of it: API / UI
Query and Operate the Network In Code
Network Security Policies Orchestration Controller Features
● Security Policies Inventory
● Visualization
● Line of Sight
● Automatic Migration
● Orchestrated deployment
● Multivendor
● Change Simulation
● Validations
● Change Traceability
● Pre-approved Flows / Policies
● Application Delivery
● Automatic Change Implementation
What is Intelliment?
A Network Security Policies Orchestration Controller Implementation
● Abstracts network topology and network security policies
● Security policies are expressed as user intents
● Maintains a network security policies knowledge base
● Orchestrates, diagnoses and deploys change requests
● No vendor lock-in
● Agentless
● Hybrid Network Infrastructure (physical, virtual, cloud, SDN)
● Third-party integrations ready
● RESTful API
What is Intelliment?
A Network Security Policies Orchestration Controller Implementation
● Java, Akka, OSGi, Eclipse MDA Tools
● Hazelcast, CQEngine, MongoDB, MySQL
● Intelliment Security Policy Automation: HTML5, CSS3, ExtJs
● Integrations: puppet, Cisco ISE, Opendaylight SDN, etc.
Let’s see Intelliment working
● to have network visibility across services inside and outside the infrastructure
● to build a lab environment to test high availability under networking issues
● to be able to work while the infrastructure team performs changes on our network
Demo Use Cases
● Visualise which network visibilities are defined for an AWS-based instance
● Set up predefined network visibility configurations (ssh, ping) for GCE instances
● Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
● Perform a migration from an on-premise environment managed by Cisco, Palo Alto and Fortigate to AWS and GCE
Let’s recap
● to have network visibility across services inside and outside the infrastructure
● to build a lab environment to test high availability under networking issues
● to be able to work while the infrastructure team performs changes on our network
from (~days, ~weeks, ~months) down to (~minutes)
... from these O.P.E.R.A.T.I.O.N.A.L issues (the Network Delivery issues listed above) ...
Let’s recap
● Consolidated Operations: Visualize, query and operate the network policy
as a single and consolidated entity
● Policy Portability: Specify policies as vendor-neutral intents. No
experts needed.
● Firewall Policy as Code: Write app connectivity as code to avoid translation
mistakes and clean-ups
● Continuous Preemptive Compliance: Pre-approve well known requests and
pre-deny risky ones
● Automated Application Migration: Identify and move network policies
associated with applications
● Policy Synchronization: Sync policies across QA/Dev/Prod/Failover
environments
Questions?
Thank you!
@imonteroperez
imontero@intellimentsec.com

 
Pushing it to the edge in IoT
Pushing it to the edge in IoTPushing it to the edge in IoT
Pushing it to the edge in IoTJ On The Beach
 
Drinking from the firehose, with virtual streams and virtual actors
Drinking from the firehose, with virtual streams and virtual actorsDrinking from the firehose, with virtual streams and virtual actors
Drinking from the firehose, with virtual streams and virtual actorsJ On The Beach
 
How do we deploy? From Punched cards to Immutable server pattern
How do we deploy? From Punched cards to Immutable server patternHow do we deploy? From Punched cards to Immutable server pattern
How do we deploy? From Punched cards to Immutable server patternJ On The Beach
 
When Cloud Native meets the Financial Sector
When Cloud Native meets the Financial SectorWhen Cloud Native meets the Financial Sector
When Cloud Native meets the Financial SectorJ On The Beach
 
The big data Universe. Literally.
The big data Universe. Literally.The big data Universe. Literally.
The big data Universe. Literally.J On The Beach
 
Streaming to a New Jakarta EE
Streaming to a New Jakarta EEStreaming to a New Jakarta EE
Streaming to a New Jakarta EEJ On The Beach
 
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...J On The Beach
 
Pushing AI to the Client with WebAssembly and Blazor
Pushing AI to the Client with WebAssembly and BlazorPushing AI to the Client with WebAssembly and Blazor
Pushing AI to the Client with WebAssembly and BlazorJ On The Beach
 
Axon Server went RAFTing
Axon Server went RAFTingAxon Server went RAFTing
Axon Server went RAFTingJ On The Beach
 
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...J On The Beach
 
Madaari : Ordering For The Monkeys
Madaari : Ordering For The MonkeysMadaari : Ordering For The Monkeys
Madaari : Ordering For The MonkeysJ On The Beach
 
Servers are doomed to fail
Servers are doomed to failServers are doomed to fail
Servers are doomed to failJ On The Beach
 
Interaction Protocols: It's all about good manners
Interaction Protocols: It's all about good mannersInteraction Protocols: It's all about good manners
Interaction Protocols: It's all about good mannersJ On The Beach
 
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...J On The Beach
 
Leadership at every level
Leadership at every levelLeadership at every level
Leadership at every levelJ On The Beach
 
Machine Learning: The Bare Math Behind Libraries
Machine Learning: The Bare Math Behind LibrariesMachine Learning: The Bare Math Behind Libraries
Machine Learning: The Bare Math Behind LibrariesJ On The Beach
 

Plus de J On The Beach (20)

Massively scalable ETL in real world applications: the hard way
Massively scalable ETL in real world applications: the hard wayMassively scalable ETL in real world applications: the hard way
Massively scalable ETL in real world applications: the hard way
 
Big Data On Data You Don’t Have
Big Data On Data You Don’t HaveBig Data On Data You Don’t Have
Big Data On Data You Don’t Have
 
Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...
Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...
Acoustic Time Series in Industry 4.0: Improved Reliability and Cyber-Security...
 
Pushing it to the edge in IoT
Pushing it to the edge in IoTPushing it to the edge in IoT
Pushing it to the edge in IoT
 
Drinking from the firehose, with virtual streams and virtual actors
Drinking from the firehose, with virtual streams and virtual actorsDrinking from the firehose, with virtual streams and virtual actors
Drinking from the firehose, with virtual streams and virtual actors
 
How do we deploy? From Punched cards to Immutable server pattern
How do we deploy? From Punched cards to Immutable server patternHow do we deploy? From Punched cards to Immutable server pattern
How do we deploy? From Punched cards to Immutable server pattern
 
Java, Turbocharged
Java, TurbochargedJava, Turbocharged
Java, Turbocharged
 
When Cloud Native meets the Financial Sector
When Cloud Native meets the Financial SectorWhen Cloud Native meets the Financial Sector
When Cloud Native meets the Financial Sector
 
The big data Universe. Literally.
The big data Universe. Literally.The big data Universe. Literally.
The big data Universe. Literally.
 
Streaming to a New Jakarta EE
Streaming to a New Jakarta EEStreaming to a New Jakarta EE
Streaming to a New Jakarta EE
 
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
The TIPPSS Imperative for IoT - Ensuring Trust, Identity, Privacy, Protection...
 
Pushing AI to the Client with WebAssembly and Blazor
Pushing AI to the Client with WebAssembly and BlazorPushing AI to the Client with WebAssembly and Blazor
Pushing AI to the Client with WebAssembly and Blazor
 
Axon Server went RAFTing
Axon Server went RAFTingAxon Server went RAFTing
Axon Server went RAFTing
 
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
The Six Pitfalls of building a Microservices Architecture (and how to avoid t...
 
Madaari : Ordering For The Monkeys
Madaari : Ordering For The MonkeysMadaari : Ordering For The Monkeys
Madaari : Ordering For The Monkeys
 
Servers are doomed to fail
Servers are doomed to failServers are doomed to fail
Servers are doomed to fail
 
Interaction Protocols: It's all about good manners
Interaction Protocols: It's all about good mannersInteraction Protocols: It's all about good manners
Interaction Protocols: It's all about good manners
 
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
A race of two compilers: GraalVM JIT versus HotSpot JIT C2. Which one offers ...
 
Leadership at every level
Leadership at every levelLeadership at every level
Leadership at every level
 
Machine Learning: The Bare Math Behind Libraries
Machine Learning: The Bare Math Behind LibrariesMachine Learning: The Bare Math Behind Libraries
Machine Learning: The Bare Math Behind Libraries
 

Dernier

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Agile and compliant firewall ACL configuration management for DevOps

  • 1. Agile and compliant firewall ACL configuration management for DevOps
    Ildefonso Montero <imontero@intellimentsec.com>
  • 2. Who am I:
    Ildefonso Montero, Backend Software Developer (+10 years). Last 3 years working on DevOps and Network Automation at Intelliment Security
  • 3. Let’s talk about DevOps, Security, and Network Automation
  • 4. Application Delivery
    I’m involved in the development of an application and I need ... to push these changes to the production environment (~minutes)
  • 5. Application Delivery
    I’m involved in the development of an application and I need ... to deploy several services on the infrastructure (~minutes)
  • 6. Application Delivery
    I’m involved in the development of an application and I need ... to perform live migrations on hybrid multi-cloud environments (~minutes)
  • 7. Application Delivery
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure (~hours, ~days)
  • 8. Application Delivery
    I’m involved in the development of an application and I need ... to build a lab environment to test the high availability of my services under networking issues (~days, ~weeks)
  • 9. Application Delivery
    I’m involved in the development of an application and I need ... to be able to keep working while the infrastructure team performs changes on our network infrastructure (~weeks, ~months)
  • 10. Network Delivery O.P.E.R.A.T.I.O.N.A.L Issues
    ● Delivery takes too long (~25 days avg)
    ● Too many changes (+30.000 per year)
    ● The network may be evolving continuously
    ● Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
    ● Complicated and highly manual approval process
    ● Security compliance is usually managed separately from the change management process
  • 11. (iptables)
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
    COMMIT
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 12. (FortiGate)
    config firewall address
        edit "B_PHPs"
            set comment "Backend PHP servers"
            set color 7
            set type iprange
            set start-ip 10.31.50.60
            set end-ip 10.31.50.99
        next
        edit "B_DBs_SQL"
            set comment "Database servers"
            set color 7
            set type iprange
            set start-ip 10.31.40.10
            set end-ip 10.31.40.39
        next
    end
    config firewall policy
        edit 1
            set srcintf "B_frontend"
            set dstintf "B_backend"
            set srcaddr "B_PHPs"
            set dstaddr "B_DBs_SQL"
            set action accept
            set service "mysql" "postgres" "oracle"
            set schedule "always"
            set logtraffic disable
            set comments "SQL databases access"
        next
    end
    config firewall service custom
        edit "mysql"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 3306
        next
        edit "postgres"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 5432
        next
        edit "oracle"
            set color 7
            set protocol TCP/UDP/SCTP
            set tcp-portrange 1521
        next
    end
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 13. (Check Point dbedit)
    create tcp_service mysql
    modify services mysql color orange
    modify services mysql port 3306
    modify services mysql comments ''
    modify services mysql include_in_any false
    update services mysql
    create tcp_service postgres
    modify services postgres color orange
    modify services postgres port 5432
    modify services postgres comments ''
    modify services postgres include_in_any false
    update services postgres
    create tcp_service oracle
    modify services oracle color orange
    modify services oracle port 1521
    modify services oracle comments ''
    modify services oracle include_in_any false
    update services oracle
    create address_range B_PHPs
    modify network_objects B_PHPs color orange
    modify network_objects B_PHPs ipaddr_first 10.31.50.60
    modify network_objects B_PHPs ipaddr_last 10.31.50.99
    modify network_objects B_PHPs comments ''
    modify network_objects B_PHPs add_adtr_rule false
    update network_objects B_PHPs
    create address_range B_DBs_SQL
    modify network_objects B_DBs_SQL color orange
    modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
    modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
    modify network_objects B_DBs_SQL comments ''
    modify network_objects B_DBs_SQL add_adtr_rule false
    update network_objects B_DBs_SQL
    create policies_collection IS_rb_SiteB_FG
    update policies_collections IS_rb_SiteB_FG
    create firewall_policy ##IS_rb_SiteB_FG
    modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
    update fw_policies ##IS_rb_SiteB_FG
    addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
    modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
    modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
    modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
    addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
    update fw_policies ##IS_rb_SiteB_FG
    update_all
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 14. (PAN-OS)
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <service>
            <entry name="mysql">
              <protocol>
                <tcp>
                  <port>3306</port>
                </tcp>
              </protocol>
            </entry>
            <entry name="postgres">
              <protocol>
                <tcp>
                  <port>5432</port>
                </tcp>
              </protocol>
            </entry>
            <entry name="oracle">
              <protocol>
                <tcp>
                  <port>1521</port>
                </tcp>
              </protocol>
            </entry>
          </service>
          <service-group/>
          <address>
            <entry name="B_PHPs">
              <ip-range>10.31.50.60-10.31.50.99</ip-range>
            </entry>
            <entry name="B_DBs_SQL">
              <ip-range>10.31.40.10-10.31.40.39</ip-range>
            </entry>
          </address>
          <address-group/>
          <application/>
          <zone/>
          <rulebase>
            <security>
              <rules>
                <entry name="IS_rule">
                  <action>allow</action>
                  <from>
                    <member>any</member>
                  </from>
                  <to>
                    <member>any</member>
                  </to>
                  <source>
                    <member>B_PHPs</member>
                  </source>
                  <destination>
                    <member>B_DBs_SQL</member>
                  </destination>
                  <service>
                    <member>mysql</member>
                    <member>postgres</member>
                    <member>oracle</member>
                  </service>
                  <application>
                    <member>any</member>
                  </application>
                  <description>SQL databases access</description>
                  <log-start>no</log-start>
                  <log-end>no</log-end>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 15. (Cisco ASA)
    object network B_PHPs
     range 10.31.50.60 10.31.50.99
    object network B_DBs_SQL
     range 10.31.40.10 10.31.40.39
    object service mysql
     service tcp destination eq 3306
    object service postgres
     service tcp destination eq 5432
    object service oracle
     service tcp destination eq 1521
    object-group service G_586576025
     service-object object mysql
     service-object object postgres
     service-object object oracle
    access-list Intelliment_Rule_B_frontend remark SQL databases access
    access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
    !
    access-group Intelliment_Rule_B_frontend in interface B_frontend
    !
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 16. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 17. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 18. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 19. I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
  • 20. Automation
    I’m involved in the development of an application and I need ... to push these changes to the production environment (~minutes); to deploy several services on the infrastructure (~minutes); to perform live migrations on hybrid multi-cloud environments (~minutes)
  • 21. Network Automation
    Why Network Automation Matters, and What You Can Do About It – Rick Sherman at PuppetConf 2016 (https://www.youtube.com/watch?v=GZs2rXSEXoY)
  • 22. Network Automation
    Juniper PyEZ, PanOS, Cisco NX-API - pycsco, IOS-XR - pyIOSXR …
    NetConf, YANG, OpenConfig, IETF Operational Model Structure …
    Netmiko, Paramiko, Napalm …
    Software Defined Networks, OpenDaylight, NFV, flannel, kube-proxy …
    Project Calico, Romana, Fugue …
    ansible, puppet-modules, chef inspec …
  • 23. Network Automation
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability under networking issues; to be able to keep working while the infrastructure team performs changes on our network
  • 24. Network Automation
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure; to build a lab environment to test high availability under networking issues; to be able to keep working while the infrastructure team performs changes on our network (~days, ~weeks, ~months)
  • 25. still having the same O.P.E.R.A.T.I.O.N.A.L issues
    ● Delivery takes too long (~25 days avg)
    ● Too many changes (+30.000 per year)
    ● The network may be evolving continuously
    ● Network policies shall be periodically reviewed, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
    ● Complicated and highly manual approval process
    ● Security compliance is usually managed separately from the change management process
  • 26. Agility by abstraction
    I’m involved in the development of an application and I need ... to have network visibility across services inside and outside the infrastructure
    Just say what you want instead of thinking about how to perform it
  • 27. App Owners - Dev/Ops / Network needs: "I need to consume SNMP servers"; "I will provide a service on tcp 443 and tcp 80"
    SecOps / Security Rules: "User network must have visibility to App server"
    Risk teams / Compliance: "DMZ traffic must be limited to Internet by tcp 443"
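Slides 11 to 15 show one connectivity intent rendered five times by hand, and slides 26 and 27 argue for stating the intent once and checking it against a compliance rule before it is rendered. The following is an added example written for this page, not Intelliment's code: a vendor-neutral intent object, a compliance check modelled on the slide 27 rule "DMZ traffic must be limited to Internet by tcp 443", and renderers for two of the dialects on the slides (iptables and Cisco ASA). The DMZ address range, the second intent and the ASA object-group naming scheme are constructed for the example.

```python
"""Intent -> compliance check -> vendor config. Added example, not Intelliment's code."""
from __future__ import annotations

import ipaddress
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Intent:
    """What the app owner asks for: 'src may reach dst on these TCP services'."""
    name: str                              # rule / ACL name
    comment: str                           # human-readable justification
    src_name: str
    src_range: tuple[str, str]             # first and last IPv4 address
    dst_name: str
    dst_range: tuple[str, str]
    src_iface: str                         # ingress interface / zone
    dst_iface: str
    services: tuple[tuple[str, int], ...]  # (service name, TCP port)


@dataclass(frozen=True)
class EgressLimit:
    """'Traffic from <zone> to the Internet is limited to <ports>' (slide 27)."""
    zone_name: str
    zone_range: tuple[str, str]
    allowed_ports: frozenset[int]


# For this example "Internet" means anything outside RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _overlaps(a: tuple[str, str], b: tuple[str, str]) -> bool:
    a0, a1 = (int(ipaddress.ip_address(x)) for x in a)
    b0, b1 = (int(ipaddress.ip_address(x)) for x in b)
    return a0 <= b1 and b0 <= a1


def _reaches_internet(rng: tuple[str, str]) -> bool:
    first, last = (ipaddress.ip_address(x) for x in rng)
    # summarize_address_range splits an arbitrary range into aligned networks
    for net in ipaddress.summarize_address_range(first, last):
        if not any(net.subnet_of(p) for p in RFC1918):
            return True
    return False


def check_compliance(intent: Intent, limits: list[EgressLimit]) -> list[str]:
    """Return human-readable violations; an empty list means the intent may be deployed."""
    violations: list[str] = []
    if not _reaches_internet(intent.dst_range):
        return violations                  # internal traffic is not covered by egress limits
    for lim in limits:
        if not _overlaps(intent.src_range, lim.zone_range):
            continue
        bad = sorted(p for _, p in intent.services if p not in lim.allowed_ports)
        if bad:
            violations.append(f"{intent.name}: {lim.zone_name} to Internet on tcp {bad} "
                              f"not allowed (only {sorted(lim.allowed_ports)})")
    return violations


def render_iptables(i: Intent) -> str:
    """Same shape as slide 11: default DROP, conntrack, one FORWARD accept rule."""
    ports = ",".join(str(p) for _, p in i.services)
    rule = (f"-A FORWARD -p 6 -i {i.src_iface} -o {i.dst_iface} -m tcp"
            f" -m iprange --src-range {i.src_range[0]}-{i.src_range[1]}"
            f" -m iprange --dst-range {i.dst_range[0]}-{i.dst_range[1]}"
            f" -m multiport --destination-ports {ports}"
            f' -m comment --comment "{i.comment}" -j ACCEPT')
    chains = ("INPUT", "FORWARD", "OUTPUT")
    return "\n".join(["*filter", *(f":{c} DROP [0:0]" for c in chains),
                      *(f"-A {c} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" for c in chains),
                      rule, "COMMIT"])


def render_asa(i: Intent) -> str:
    """Same shape as slide 15. Group name derived from service names (assumption)."""
    lines = [f"object network {i.src_name}", f" range {i.src_range[0]} {i.src_range[1]}",
             f"object network {i.dst_name}", f" range {i.dst_range[0]} {i.dst_range[1]}"]
    for name, port in i.services:
        lines += [f"object service {name}", f" service tcp destination eq {port}"]
    group = "G_" + str(zlib.crc32("".join(n for n, _ in i.services).encode()))
    lines.append(f"object-group service {group}")
    lines += [f" service-object object {name}" for name, _ in i.services]
    lines += [f"access-list {i.name} remark {i.comment}",
              f"access-list {i.name} extended permit object-group {group} "
              f"object {i.src_name} object {i.dst_name} log disable",
              "!", f"access-group {i.name} in interface {i.src_iface}", "!"]
    return "\n".join(lines)


def deploy(intent: Intent, limits: list[EgressLimit]) -> dict[str, str]:
    """Gate rendering on compliance so a non-compliant intent never reaches a device."""
    violations = check_compliance(intent, limits)
    if violations:
        raise ValueError("; ".join(violations))
    return {"iptables": render_iptables(intent), "asa": render_asa(intent)}


# The intent behind slides 11-15 (values taken from the slides).
SQL_ACCESS = Intent(name="Intelliment_Rule_B_frontend", comment="SQL databases access",
                    src_name="B_PHPs", src_range=("10.31.50.60", "10.31.50.99"),
                    dst_name="B_DBs_SQL", dst_range=("10.31.40.10", "10.31.40.39"),
                    src_iface="B_frontend", dst_iface="B_backend",
                    services=(("mysql", 3306), ("postgres", 5432), ("oracle", 1521)))
# Constructed DMZ range for the slide 27 compliance rule.
DMZ_LIMIT = EgressLimit("DMZ", ("10.31.60.0", "10.31.60.255"), frozenset({443}))

if __name__ == "__main__":
    for vendor, cfg in deploy(SQL_ACCESS, [DMZ_LIMIT]).items():
        print(f"# {vendor}\n{cfg}\n")
```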
  • 28. Network Abstraction Layer App Owner / DevOps specifies app connectivity Network Engineer specifies quality Security Consultant specifies compliance Security Engineer specifies threat response Network Infrastructure Data Ingestion …
  • 29. Network Abstraction Layer App Owner / DevOps specifies app connectivity Network Engineer specifies quality Security Consultant specifies compliance Security Engineer specifies threat response Network Infrastructure Data Ingestion … API / UI Query and Operate the Network In Code Network Security Policies Orchestration Controller
  • 30. Security Policies Inventory Visualization Line of Sight Automatic Migration Orchestrated deployment Multivendor Change Simulation Validations Change Traceability Pre-approved Flows / Policies Application Delivery Automatic Change Implementation Network Security Policies Orchestration Controller Features
  • 31. What is Intelliment? A Network Security Policies Orchestration Controller Implementation
  • 32. What is Intelliment? A Network Security Policies Orchestration Controller Implementation ● Abstracts network topology and network security policies ● Security policies are expressed as user intents ● Maintains a network security policies knowledge base ● Orchestrates, Diagnoses and Deploy change requests ● No vendor lock-in ● Agentless ● Hybrid Network Infrastructure (physical, virtual, cloud, SDN) ● Third-party integrations ready ● RESTful API
  • 33. What is Intelliment? A Network Security Policies Orchestration Controller Implementation
    ● Java, Akka, OSGi, Eclipse MDA Tools
    ● Hazelcast, CQEngine, MongoDB, MySQL
    ● Intelliment Security Policy Automation: HTML5, CSS3, ExtJs
    ● Integrations: puppet, Cisco ISE, Opendaylight SDN, etc.
  • 34. Let’s see Intelliment working
    ● to have network visibility across services inside and outside the infrastructure
    ● to build a lab environment to test high availability on networking issues
    ● to be able to work while the infrastructure team performs changes on our network
  • 35–38. Demo Use Cases
    ● Visualise which network visibilities are defined for an AWS-based instance
    ● Set up predefined network visibility configurations (ssh, ping) for GCE instances
    ● Deliver network visibilities for an application inside an infrastructure whose configuration is managed via Puppet, evaluating compliance settings
    ● Perform a migration from an on-premise environment managed by Cisco, Palo Alto and Fortigate to AWS and GCE
  • 39. Let’s recap
    ● to have network visibility across services inside and outside the infrastructure
    ● to build a lab environment to test high availability on networking issues
    ● to be able to work while the infrastructure team performs changes on our network
    (~days, ~weeks, ~months)
  • 40. Let’s recap
    ● to have network visibility across services inside and outside the infrastructure
    ● to build a lab environment to test high availability on networking issues
    ● to be able to work while the infrastructure team performs changes on our network
    (~minutes)
  • 41. Let’s recap: from these O.P.E.R.A.T.I.O.N.A.L issues ...
    ● Delivery takes too long (~25 days avg)
    ● Too many changes (+30,000 per year)
    ● The network is evolving continuously
    ● Network policies must be reviewed periodically, and unused rules removed, to prevent rule degradation and tech debt (~thousands of lines per config)
    ● Complicated and highly manual approval process
    ● Security compliance is usually managed separately from the change management process
  • 42. Let’s recap
    ● Consolidated Operations: Visualize, query and operate the network policy as a single, consolidated entity
    ● Policy Portability: Specify policies as vendor-neutral intents. No experts needed.
    ● Firewall Policy as Code: Write app connectivity as code to avoid translation mistakes and clean-ups
    ● Continuous Preemptive Compliance: Pre-approve well-known requests and pre-deny risky ones
    ● Automated Application Migration: Identify and move network policies associated with applications
    ● Policy Synchronization: Sync policies across QA/Dev/Prod/Failover environments
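Slides 27 and 42 describe the idea in the abstract: app owners state connectivity as intents, compliance constraints pre-deny risky requests and pre-approve well-known ones before anything touches a firewall, and the accepted intents are rendered as vendor-specific rules. The block below is an added example written for this page; it is not Intelliment's code, API or intent syntax. The zone names and address ranges, the `Intent` and `Constraint` classes, the `mgmt` zone for the SNMP servers and the pre-approved set (ssh and ping, taken from the demo slides) are all constructed assumptions, and the output is rendered in the iptables `*filter` layout shown earlier in the deck.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed zone inventory for this example (assumption; not Intelliment's data model).
ZONES = {
    "users": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/24"),
    "mgmt": ip_network("10.30.0.0/24"),   # where the SNMP servers live (constructed)
    "dmz": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Intent:
    """A connectivity intent: 'src zone may reach dst zone on proto/port'."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Constraint:
    """Compliance constraint: traffic from src to dst may only use the listed services."""
    src: str
    dst: str
    allowed: frozenset          # of (proto, port) tuples


# Well-known flows that need no manual approval (ssh, ping, as in the demo slides).
PREAPPROVED = frozenset({("tcp", 22), ("icmp", None)})


def classify(intent: Intent, constraints, preapproved=PREAPPROVED) -> str:
    """Return 'denied', 'pre-approved' or 'review' for one intent.

    A constraint on the same src/dst pair that does not list the requested
    service pre-denies the intent before it can reach any device."""
    for c in constraints:
        if (c.src, c.dst) == (intent.src, intent.dst) and (intent.proto, intent.port) not in c.allowed:
            return "denied"
    if (intent.proto, intent.port) in preapproved:
        return "pre-approved"
    return "review"


def to_iptables(intent: Intent) -> str:
    """Render one intent as an iptables FORWARD rule (one possible vendor backend)."""
    if intent.src not in ZONES or intent.dst not in ZONES:
        raise ValueError(f"unknown zone in intent {intent}")
    rule = f"-A FORWARD -s {ZONES[intent.src]} -d {ZONES[intent.dst]} -p {intent.proto}"
    if intent.port is not None:
        rule += f" --dport {intent.port}"
    return rule + " -j ACCEPT"


def plan(intents, constraints):
    """Split intents into deployable rules, pre-denied intents and intents needing review.

    Denied intents never become rules. Pre-approved and review intents are
    both compiled, but the review list is returned so a change request can be
    raised for them before the plan is pushed."""
    rules, denied, review = [], [], []
    for intent in intents:
        verdict = classify(intent, constraints)
        if verdict == "denied":
            denied.append(intent)
            continue
        rules.append(to_iptables(intent))
        if verdict == "review":
            review.append(intent)
    return rules, denied, review


def render_filter_table(rules) -> str:
    """Wrap the generated rules in a default-drop *filter table, as on the earlier slide."""
    header = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]
    return "\n".join(header + list(rules) + ["COMMIT"])


# Constructed sample: the requests from slide 27 plus one that breaks the DMZ constraint.
CONSTRAINTS = [Constraint("dmz", "internet", frozenset({("tcp", 443)}))]
INTENTS = [
    Intent("app", "mgmt", "udp", 161),      # "I need to consume SNMP servers"
    Intent("users", "app", "tcp", 443),     # "I will provide a service by tcp 443 and tcp 80"
    Intent("users", "app", "tcp", 80),      # "User network must have visibility to App server"
    Intent("dmz", "internet", "tcp", 443),  # allowed by the compliance constraint
    Intent("dmz", "internet", "tcp", 80),   # pre-denied: DMZ to Internet is tcp 443 only
    Intent("users", "app", "tcp", 22),      # ssh: pre-approved, no manual review
]

if __name__ == "__main__":
    rules, denied, review = plan(INTENTS, CONSTRAINTS)
    print(render_filter_table(rules))
    print("denied:", denied)
    print("needs review:", review)
```

Because every generated rule is an ACCEPT under a default-drop FORWARD chain, rule order does not change the outcome here; a backend that also emits explicit DROP rules would need ordering logic, which is exactly the kind of translation detail slide 42 argues should live in the controller rather than be repeated by hand per vendor.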