The document discusses network automation and security policy orchestration. It introduces Intelliment, a network security policies orchestration controller that abstracts network topology and policies. Intelliment allows users to specify connectivity and compliance needs without considering underlying infrastructure details. It then orchestrates change requests, maintains an inventory of policies, and deploys configurations across hybrid cloud environments while ensuring compliance. A demo shows visualizing network visibility policies and migrating environments using Intelliment.
4. Application Delivery
I’m involved in the development of an application and I need ...
to push these changes to the production environment (~minutes)
5. Application Delivery
I’m involved in the development of an application and I need ...
to deploy several services on the infrastructure (~minutes)
6. Application Delivery
I’m involved in the development of an application and I need ...
to perform live migrations across hybrid multi-cloud
environments (~minutes)
7. Application Delivery
I’m involved in the development of an application and I need ...
to have network visibility across services inside and
outside the infrastructure (~hours, ~days)
8. Application Delivery
I’m involved in the development of an application and I need ...
to build a lab environment to test the high availability of my
services under networking failures (~days, ~weeks)
9. Application Delivery
I’m involved in the development of an application and I need ...
to be able to keep working while the infrastructure team performs
changes on our network infrastructure
(~weeks, ~months)
10. Network Delivery O.P.E.R.A.T.I.O.N.A.L Issues
● Delivery takes too long (~25 days on average)
● Too many changes (30,000+ per year)
● The network evolves continuously
● Network policies must be reviewed periodically and unused rules
removed to prevent rule-base degradation and tech debt
(~thousands of lines per config)
● Complicated and highly manual approval process
● Security compliance is usually managed separately from the change
management process
11. *filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p 6 -i B_frontend -o B_backend -m tcp -m iprange --src-range 10.31.50.60-10.31.50.99 -m iprange --dst-range 10.31.40.10-10.31.40.39 -m multiport --destination-ports 3306,5432,1521 -m comment --comment "SQL databases access" -j ACCEPT
COMMIT
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside
the infrastructure
12. config firewall address
edit "B_PHPs"
set comment "Backend PHP servers"
set color 7
set type iprange
set start-ip 10.31.50.60
set end-ip 10.31.50.99
next
edit "B_DBs_SQL"
set comment "Database servers"
set color 7
set type iprange
set start-ip 10.31.40.10
set end-ip 10.31.40.39
next
end
config firewall policy
edit 1
set srcintf "B_frontend"
set dstintf "B_backend"
set srcaddr "B_PHPs"
set dstaddr "B_DBs_SQL"
set action accept
set service "mysql" "postgres" "oracle"
set schedule "always"
set logtraffic disable
set comments "SQL databases access"
next
end
config firewall service custom
edit "mysql"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 3306
next
edit "postgres"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 5432
next
edit "oracle"
set color 7
set protocol TCP/UDP/SCTP
set tcp-portrange 1521
next
end
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside
the infrastructure
13. create tcp_service mysql
modify services mysql color orange
modify services mysql port 3306
modify services mysql comments ''
modify services mysql include_in_any false
update services mysql
create tcp_service postgres
modify services postgres color orange
modify services postgres port 5432
modify services postgres comments ''
modify services postgres include_in_any false
update services postgres
create tcp_service oracle
modify services oracle color orange
modify services oracle port 1521
modify services oracle comments ''
modify services oracle include_in_any false
update services oracle
create address_range B_PHPs
modify network_objects B_PHPs color orange
modify network_objects B_PHPs ipaddr_first 10.31.50.60
modify network_objects B_PHPs ipaddr_last 10.31.50.99
modify network_objects B_PHPs comments ''
modify network_objects B_PHPs add_adtr_rule false
update network_objects B_PHPs
create address_range B_DBs_SQL
modify network_objects B_DBs_SQL color orange
modify network_objects B_DBs_SQL ipaddr_first 10.31.40.10
modify network_objects B_DBs_SQL ipaddr_last 10.31.40.39
modify network_objects B_DBs_SQL comments ''
modify network_objects B_DBs_SQL add_adtr_rule false
update network_objects B_DBs_SQL
create policies_collection IS_rb_SiteB_FG
update policies_collections IS_rb_SiteB_FG
create firewall_policy ##IS_rb_SiteB_FG
modify fw_policies ##IS_rb_SiteB_FG collection policies_collections:IS_rb_SiteB_FG
update fw_policies ##IS_rb_SiteB_FG
addelement fw_policies ##IS_rb_SiteB_FG rule security_rule
modify fw_policies ##IS_rb_SiteB_FG rule:0:name 'IS_rule'
modify fw_policies ##IS_rb_SiteB_FG rule:0:comments 'SQL databases access'
modify fw_policies ##IS_rb_SiteB_FG rule:0:disabled false
addelement fw_policies ##IS_rb_SiteB_FG rule:0:action accept_action:accept
addelement fw_policies ##IS_rb_SiteB_FG rule:0:src:'' network_objects:B_PHPs
addelement fw_policies ##IS_rb_SiteB_FG rule:0:dst:'' network_objects:B_DBs_SQL
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:mysql
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:postgres
addelement fw_policies ##IS_rb_SiteB_FG rule:0:services:'' services:oracle
update fw_policies ##IS_rb_SiteB_FG
update_all
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside
the infrastructure
14. <entry name="localhost.localdomain">
<vsys>
<entry name="vsys1">
<service>
<entry name="mysql">
<protocol>
<tcp>
<port>3306</port>
</tcp>
</protocol>
</entry>
<entry name="postgres">
<protocol>
<tcp>
<port>5432</port>
</tcp>
</protocol>
</entry>
<entry name="oracle">
<protocol>
<tcp>
<port>1521</port>
</tcp>
</protocol>
</entry>
</service>
<service-group/>
<address>
<entry name="B_PHPs">
<ip-range>10.31.50.60-10.31.50.99</ip-range>
</entry>
<entry name="B_DBs_SQL">
<ip-range>10.31.40.10-10.31.40.39</ip-range>
</entry>
</address>
<address-group/>
<application/>
<zone/>
<rulebase>
<security>
<rules>
<entry name="IS_rule">
<action>allow</action>
<from>
<member>any</member>
</from>
<to>
<member>any</member>
</to>
<source>
<member>B_PHPs</member>
</source>
<destination>
<member>B_DBs_SQL</member>
</destination>
<service>
<member>mysql</member>
<member>postgres</member>
<member>oracle</member>
</service>
<application>
<member>any</member>
</application>
<description>SQL databases access</description>
<log-start>no</log-start>
<log-end>no</log-end>
</entry>
</rules>
</security>
</rulebase>
</entry>
</vsys>
</entry>
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside
the infrastructure
15. object network B_PHPs
range 10.31.50.60 10.31.50.99
object network B_DBs_SQL
range 10.31.40.10 10.31.40.39
object service mysql
service tcp destination eq 3306
object service postgres
service tcp destination eq 5432
object service oracle
service tcp destination eq 1521
object-group service G_586576025
service-object object mysql
service-object object postgres
service-object object oracle
access-list Intelliment_Rule_B_frontend remark SQL databases access
access-list Intelliment_Rule_B_frontend extended permit object-group G_586576025 object B_PHPs object B_DBs_SQL log disable
!
access-group Intelliment_Rule_B_frontend in interface B_frontend
!
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside
the infrastructure
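Slides 11 to 15 render one intent (the B_PHPs front-end range may reach B_DBs_SQL on the MySQL, PostgreSQL and Oracle ports) in five vendor dialects, and the hand-written renderings already drift from each other: iptables, FortiOS and ASA bind the rule to the B_frontend/B_backend interfaces, while the PAN-OS rule matches zone "any" to "any", and every one of them switches logging off on an accept rule, so the database access the rule exists to permit leaves no trace. The script below is an added example and is not Intelliment's code or any vendor's tooling: it keeps the intent in one place, renders iptables, FortiOS and Cisco ASA configuration from it, logs by default, and cross-checks that each rendering still carries the intent's address ranges, ports and ingress interface. Object, interface and address names are the ones on the slides; the Intent model, validate/render_all/check_consistent functions and the ACL/group naming scheme are assumptions made for the example.

```python
# Added example, not Intelliment code: one intent rendered into several firewall dialects.
# Object, interface and address names are the slides'; the model and names here are assumed.
import ipaddress
import re
from dataclasses import dataclass

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass(frozen=True)
class Intent:
    """Hosts in src_range, entering on src_intf, may reach dst_range on the listed TCP ports."""
    name: str
    comment: str
    src_name: str
    src_range: tuple   # (first_ip, last_ip)
    src_intf: str
    dst_name: str
    dst_range: tuple
    dst_intf: str
    services: tuple    # ((service_name, tcp_port), ...)
    log: bool = True   # the slides disable logging; keep an audit trail by default

def validate(i: Intent) -> Intent:
    """Reject intents that no renderer should ever turn into a rule."""
    for first, last in (i.src_range, i.dst_range):
        if ipaddress.ip_address(first) > ipaddress.ip_address(last):
            raise ValueError(f"inverted range {first}-{last}")
    if not i.services or any(not 0 < p < 65536 for _, p in i.services):
        raise ValueError("intent needs one or more valid TCP ports")
    return i

def render_iptables(i: Intent) -> str:
    ports = ",".join(str(p) for _, p in i.services)
    match = (f"-A FORWARD -p tcp -i {i.src_intf} -o {i.dst_intf}"
             f" -m iprange --src-range {i.src_range[0]}-{i.src_range[1]}"
             f" -m iprange --dst-range {i.dst_range[0]}-{i.dst_range[1]}"
             f' -m multiport --dports {ports} -m comment --comment "{i.comment}"')
    # iptables cannot log and accept in one target: emit a LOG rule first, then ACCEPT.
    log = [f'{match} -j LOG --log-prefix "{i.name}: "'] if i.log else []
    return "\n".join(log + [f"{match} -j ACCEPT"])

def render_fortios(i: Intent) -> str:
    out = ["config firewall address"]
    for name, (first, last) in ((i.src_name, i.src_range), (i.dst_name, i.dst_range)):
        out += [f'    edit "{name}"', "        set type iprange",
                f"        set start-ip {first}", f"        set end-ip {last}", "    next"]
    out += ["end", "config firewall service custom"]
    for svc, port in i.services:
        out += [f'    edit "{svc}"', "        set protocol TCP/UDP/SCTP",
                f"        set tcp-portrange {port}", "    next"]
    services = " ".join(f'"{svc}"' for svc, _ in i.services)
    out += ["end", "config firewall policy", "    edit 0",  # 0: FortiOS allocates the next free ID
            f'        set srcintf "{i.src_intf}"', f'        set dstintf "{i.dst_intf}"',
            f'        set srcaddr "{i.src_name}"', f'        set dstaddr "{i.dst_name}"',
            "        set action accept", f"        set service {services}",
            f"        set logtraffic {'all' if i.log else 'disable'}",
            f'        set comments "{i.comment}"', "    next", "end"]
    return "\n".join(out)

def render_asa(i: Intent) -> str:
    out = [f"object network {i.src_name}", f" range {i.src_range[0]} {i.src_range[1]}",
           f"object network {i.dst_name}", f" range {i.dst_range[0]} {i.dst_range[1]}"]
    for svc, port in i.services:
        out += [f"object service {svc}", f" service tcp destination eq {port}"]
    grp, acl = f"G_{i.name}", f"ACL_{i.src_intf}"   # assumed naming scheme
    out += [f"object-group service {grp}"] + [f" service-object object {s}" for s, _ in i.services]
    out += [f"access-list {acl} remark {i.comment}",
            f"access-list {acl} extended permit object-group {grp} object {i.src_name}"
            f" object {i.dst_name}" + ("" if i.log else " log disable"),
            f"access-group {acl} in interface {i.src_intf}"]
    return "\n".join(out)

RENDERERS = {"iptables": render_iptables, "fortios": render_fortios, "asa": render_asa}

def render_all(i: Intent) -> dict:
    """Validate once, then render the same intent for every vendor."""
    i = validate(i)
    return {vendor: fn(i) for vendor, fn in RENDERERS.items()}

def check_consistent(i: Intent, renderings: dict) -> list:
    """Cross-check every rendering against the intent; an empty list means no drift."""
    want_ips = set(i.src_range) | set(i.dst_range)
    problems = []
    for vendor, text in renderings.items():
        if set(IP_RE.findall(text)) != want_ips:
            problems.append(f"{vendor}: address objects drifted from the intent")
        problems += [f"{vendor}: port {p} ({s}) missing" for s, p in i.services
                     if not re.search(rf"\b{p}\b", text)]
        if i.src_intf not in text:
            problems.append(f"{vendor}: ingress interface binding lost")
    return problems

# Constructed from the objects on slides 11-15.
SQL_ACCESS = Intent(
    name="IS_rule", comment="SQL databases access",
    src_name="B_PHPs", src_range=("10.31.50.60", "10.31.50.99"), src_intf="B_frontend",
    dst_name="B_DBs_SQL", dst_range=("10.31.40.10", "10.31.40.39"), dst_intf="B_backend",
    services=(("mysql", 3306), ("postgres", 5432), ("oracle", 1521)),
)

if __name__ == "__main__":
    for vendor, cfg in render_all(SQL_ACCESS).items():
        print(f"### {vendor}\n{cfg}\n")
```

The check is deliberately dumb: it only confirms that the addresses, ports and ingress interface the intent names survive into each dialect. A real pipeline would go further and parse each rendering back into the intent model, but even this level of check catches the kind of copy-and-paste drift visible across the five hand-written slides.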
20. Automation
I’m involved in the development of an application and I need ...
to push these changes to the production environment (~minutes)
to deploy several services on the infrastructure (~minutes)
to perform live migrations across hybrid multi-cloud
environments (~minutes)
21. Network Automation
Why Network Automation Matters, and What You Can Do
About It – Rick Sherman at PuppetConf 2016
(https://www.youtube.com/watch?v=GZs2rXSEXoY)
23. Network Automation
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking failures
to be able to keep working while the infrastructure team performs changes on our network
24. Network Automation
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking failures
to be able to keep working while the infrastructure team performs changes on our network
(~days, ~weeks, ~months)
25. still having the same O.P.E.R.A.T.I.O.N.A.L issues
● Delivery takes too long (~25 days on average)
● Too many changes (30,000+ per year)
● The network evolves continuously
● Network policies must be reviewed periodically and unused rules
removed to prevent rule-base degradation and tech debt
(~thousands of lines per config)
● Complicated and highly manual approval process
● Security compliance is usually managed separately from the change
management process
26. Agility by abstraction
I’m involved in the development of an application and I need ...
to have network visibility across services inside and outside the
infrastructure
Just say what you want instead of thinking about how to
perform it
27. App Owners / DevOps: network needs
I need to consume SNMP servers
I will provide a service on tcp 443 and tcp 80
SecOps: security rules
The user network must have visibility to the app server
Risk teams: compliance
DMZ traffic to the Internet must be limited to tcp 443
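Slide 27 lists three kinds of statement (an app owner's connectivity needs, a SecOps visibility rule, a risk team's compliance limit), and the recap on slide 42 calls the resulting triage "continuous preemptive compliance": pre-approve well-known requests, pre-deny risky ones. The script below is an added example of that triage and is not Intelliment's engine: it maps the requester's addresses to zones, pre-denies any request that breaks the risk team's "DMZ to Internet only on tcp 443" limit (including a port range that merely contains 443), pre-approves requests already covered by a SecOps rule, and sends everything else, such as the SNMP request for which nobody has written a rule, to human review. The three statements come from slide 27; the zone model, addresses, Request/Rule/Verdict names and the evaluate/triage functions are assumptions made for the example.

```python
# Added example, not Intelliment code: pre-approve, pre-deny or queue a request
# before it is deployed. Zone model and addresses below are assumptions.
import ipaddress
from dataclasses import dataclass
from enum import Enum

# Assumed zone model; the most specific prefix wins, so 0.0.0.0/0 is the catch-all.
ZONES = {
    "Users": ipaddress.ip_network("10.20.0.0/16"),
    "App": ipaddress.ip_network("10.31.40.0/24"),
    "DMZ": ipaddress.ip_network("10.31.50.0/24"),
    "Mgmt": ipaddress.ip_network("10.31.10.0/24"),
    "Internet": ipaddress.ip_network("0.0.0.0/0"),
}

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    hits = [z for z, net in ZONES.items() if addr in net]
    return max(hits, key=lambda z: ZONES[z].prefixlen)

class Verdict(Enum):
    PRE_APPROVED = "pre-approved"
    PRE_DENIED = "pre-denied"
    REVIEW = "needs manual review"

@dataclass(frozen=True)
class Request:
    """A connectivity intent as an app owner would file it (destination ports lo..hi)."""
    requester: str
    src_ip: str
    dst_ip: str
    proto: str
    lo: int
    hi: int

@dataclass(frozen=True)
class Rule:
    """Zone-level statement: src_zone -> dst_zone on proto, destination ports lo..hi."""
    src_zone: str
    dst_zone: str
    proto: str
    lo: int
    hi: int

    def covers(self, req: Request) -> bool:
        """True only if the whole requested port range sits inside this rule."""
        return (zone_of(req.src_ip) == self.src_zone
                and zone_of(req.dst_ip) == self.dst_zone
                and req.proto == self.proto
                and self.lo <= req.lo <= req.hi <= self.hi)

# SecOps rules (slide 27): requests already covered here need no ticket.
PRE_APPROVED = (
    Rule("Users", "App", "tcp", 443, 443),   # "user network must have visibility to app server"
    Rule("Users", "App", "tcp", 80, 80),
    Rule("DMZ", "Internet", "tcp", 443, 443),
)

# Risk/compliance limits (slide 27): for these zone pairs, anything outside the
# listed flows is pre-denied. "DMZ traffic to the Internet must be limited to tcp 443".
LIMITS = {
    ("DMZ", "Internet"): (Rule("DMZ", "Internet", "tcp", 443, 443),),
}

def evaluate(req: Request) -> tuple:
    """Return (Verdict, reason). Limits run first, so a pre-approval never overrides one."""
    pair = (zone_of(req.src_ip), zone_of(req.dst_ip))
    flow = f"{pair[0]}->{pair[1]} {req.proto}/{req.lo}-{req.hi}"
    if pair in LIMITS and not any(r.covers(req) for r in LIMITS[pair]):
        allowed = ", ".join(f"{r.proto}/{r.lo}-{r.hi}" for r in LIMITS[pair])
        return Verdict.PRE_DENIED, f"{flow} breaks compliance limit: only {allowed} permitted"
    if any(r.covers(req) for r in PRE_APPROVED):
        return Verdict.PRE_APPROVED, f"{flow} matches a pre-approved rule"
    return Verdict.REVIEW, f"{flow} has no matching rule"

# Constructed requests mirroring slide 27 (addresses are assumptions).
REQUESTS = (
    Request("app-owner", "10.31.40.15", "10.31.10.5", "udp", 161, 161),    # consume SNMP servers
    Request("app-owner", "10.20.3.7", "10.31.40.15", "tcp", 443, 443),     # provide a service on tcp 443
    Request("app-owner", "10.20.3.7", "10.31.40.15", "tcp", 80, 80),       # ... and on tcp 80
    Request("dmz-owner", "10.31.50.70", "203.0.113.10", "tcp", 443, 443),  # DMZ egress on 443
    Request("dmz-owner", "10.31.50.70", "203.0.113.10", "tcp", 80, 80),    # DMZ egress on 80
    Request("dmz-owner", "10.31.50.70", "203.0.113.10", "tcp", 440, 445),  # range that merely contains 443
)

def triage(requests=REQUESTS) -> dict:
    """Verdict per request; this is what a change-management hook would consume."""
    return {req: evaluate(req) for req in requests}

if __name__ == "__main__":
    for req, (verdict, why) in triage().items():
        print(f"{verdict.value:20} {req.requester:10} {why}")
```

The ordering in evaluate is the security-relevant choice: compliance limits are checked before pre-approvals, so adding a generous SecOps rule later cannot silently reopen a flow the risk team has closed, and a request that only partially overlaps an allowed flow is denied rather than trimmed.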
31. What is Intelliment?
A Network Security Policies Orchestration Controller Implementation
32. What is Intelliment?
A Network Security Policies Orchestration Controller Implementation
● Abstracts network topology and network security policies
● Security policies are expressed as user intents
● Maintains a network security policy knowledge base
● Orchestrates, diagnoses and deploys change requests
● No vendor lock-in
● Agentless
● Hybrid network infrastructure (physical, virtual, cloud, SDN)
● Ready for third-party integrations
● RESTful API
33. What is Intelliment?
A Network Security Policies Orchestration Controller Implementation
● Java, Akka, OSGi, Eclipse MDA Tools
● Hazelcast, CQEngine, MongoDB, MySQL
● Intelliment Security Policy Automation: HTML5, CSS3, ExtJs
● Integrations: Puppet, Cisco ISE, OpenDaylight SDN, etc.
34. Let’s see Intelliment working
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking failures
to be able to keep working while the infrastructure team performs changes on our network
36. Demo Use Cases
Visualise which network visibilities are defined for an AWS-based instance
Set up predefined network visibility configurations (ssh, ping) for GCE instances
37. Demo Use Cases
Visualise which network visibilities are defined for an AWS-based instance
Set up predefined network visibility configurations (ssh, ping) for GCE instances
Deliver network visibilities for an application inside an infrastructure whose
configuration is managed via Puppet, evaluating compliance settings
38. Demo Use Cases
Visualise which network visibilities are defined for an AWS-based instance
Set up predefined network visibility configurations (ssh, ping) for GCE instances
Deliver network visibilities for an application inside an infrastructure whose
configuration is managed via Puppet, evaluating compliance settings
Perform a migration from an on-premises environment managed by Cisco, Palo Alto
and FortiGate firewalls to AWS and GCE
39. Let’s recap
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking failures
to be able to keep working while the infrastructure team performs changes on our network
(~days, ~weeks, ~months)
40. Let’s recap
to have network visibility across services inside and outside the infrastructure
to build a lab environment to test high availability under networking failures
to be able to keep working while the infrastructure team performs changes on our network
(~minutes)
41. Let’s recap
from these O.P.E.R.A.T.I.O.N.A.L issues ...
● Delivery takes too long (~25 days on average)
● Too many changes (30,000+ per year)
● The network evolves continuously
● Network policies must be reviewed periodically and unused rules
removed to prevent rule-base degradation and tech debt
(~thousands of lines per config)
● Complicated and highly manual approval process
● Security compliance is usually managed separately from the change
management process
42. Let’s recap
● Consolidated Operations: visualize, query and operate the network policy
as a single, consolidated entity
● Policy Portability: specify policies as vendor-neutral intents; no
vendor experts needed
● Firewall Policy as Code: write application connectivity as code to avoid
translation mistakes and clean-ups
● Continuous Preemptive Compliance: pre-approve well-known requests and
pre-deny risky ones
● Automated Application Migration: identify and move the network policies
associated with an application
● Policy Synchronization: sync policies across QA/Dev/Prod/Failover
environments