Presentation for SANS Cloud Security Summit.
Topic: Network security automation
Managing firewall rules is a complex task. During this talk, we'll discuss one way to automate the creation and management of those firewall rules using PowerShell and a continuous integration and deployment (CI/CD) pipeline. The basis of the presentation is an actual customer implementation of this end-to-end process. We will discuss the requirements for the solution and how this solution was developed and has grown from proof of concept to production. Although the implementation is Azure-specific, the talk will be abstracted to showcase the feasibility of this approach across multiple clouds. Demos presented during the talk will showcase the PowerShell script and then the end-to-end workflow using Azure DevOps.
4. All major cloud providers offer a native L3/L4 firewall capability (security group)
A set of network security rules to allow/deny network traffic into/out of instances
• Roughly like ACLs: ordered allow/deny rules keyed on source/destination address and port
• Attached by instance or NIC membership (tags/groups) rather than by IP address alone
• Stateful: return traffic for an allowed flow is permitted automatically
• A first-class API object, so it can be created, inspected and versioned like any other resource
Differences
• AWS has two implementations: security groups (stateful) and network ACLs (stateless, subnet level)
• Azure network security groups allow IP/CIDR-based rules, service tags and application security group based rules to be mixed in one rule set
• Assigned at different levels: AWS at the instance (network interface) level, Azure at the NIC or subnet level, GCP at the VPC network level (targeted by network tag or service account)
6. Human error.
What if we needed to do it all over again?
What if this needs to be repeated for a second region?
We only had half a day to do this right.
7. We needed to decide
• Highly parallel
• Single API call
• Source code
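As an added example (not the talk's own script) of the "source code" plus "single API call" approach: the rule set lives in version control as a CSV, each row is turned into an NSG rule object locally, and the whole NSG is then pushed with one Set-AzNetworkSecurityGroup call instead of one API round-trip per rule. It assumes the Az.Network module and an authenticated Az session (Connect-AzAccount); the CSV rows, resource group name and NSG name are constructed for the example.

```powershell
# Added example, not the speaker's script. Assumes Az.Network is installed and
# Connect-AzAccount has already been run. The CSV rows, resource group and NSG
# names below are constructed for illustration.

# Rule definitions as they would be committed to the repo: one row per NSG rule.
$ruleCsv = @'
Name,Priority,Direction,Access,Protocol,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Description
allow-https-in,100,Inbound,Allow,Tcp,Internet,*,10.0.1.0/24,443,Public HTTPS to web tier
allow-sql-from-web,110,Inbound,Allow,Tcp,10.0.1.0/24,*,10.0.2.0/24,1433,Web tier to SQL tier
deny-all-in,4000,Inbound,Deny,*,*,*,*,*,Explicit default deny ahead of the platform defaults
'@

function ConvertTo-NsgRuleConfig {
    # Turn each CSV row into a PSSecurityRule object. Nothing is sent to Azure here.
    param([Parameter(Mandatory)][string]$Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        New-AzNetworkSecurityRuleConfig `
            -Name $row.Name `
            -Description $row.Description `
            -Priority ([int]$row.Priority) `
            -Direction $row.Direction `
            -Access $row.Access `
            -Protocol $row.Protocol `
            -SourceAddressPrefix $row.SourceAddressPrefix `
            -SourcePortRange $row.SourcePortRange `
            -DestinationAddressPrefix $row.DestinationAddressPrefix `
            -DestinationPortRange $row.DestinationPortRange
    }
}

function Publish-NsgRules {
    # Replace the NSG's rule set with the committed one and push it in a single
    # API call. Rules that were deleted from the CSV disappear from Azure as well,
    # so the repository stays the source of truth.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName,
        [Parameter(Mandatory)][object[]]$Rules
    )
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    if ($null -eq $nsg.SecurityRules) {
        $nsg.SecurityRules = [System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.PSSecurityRule]]::new()
    } else {
        $nsg.SecurityRules.Clear()
    }
    foreach ($rule in $Rules) { $nsg.SecurityRules.Add($rule) }
    # Set-AzNetworkSecurityGroup issues one PUT of the whole object; Azure validates
    # the complete rule set (unique priorities, ranges) in that single request.
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

$rules = ConvertTo-NsgRuleConfig -Csv $ruleCsv
Publish-NsgRules -ResourceGroupName 'rg-web-prod' -NsgName 'nsg-web-tier' -Rules $rules
```

The wholesale replace is deliberate: adding rules one at a time with Add-AzNetworkSecurityRuleConfig would leave stale rules in place when a row is removed from the CSV, and a loop of per-rule updates is both slower and can leave the NSG half-updated if one call fails. Because the pipeline identity that runs this needs write access to the NSG, scope its role assignment to the network resource group rather than the subscription.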
8. Automation is step 1 in a DevOps lifecycle.
"DevOps is the union of people, process, and products to enable continuous delivery of value to your end users."
[DevOps lifecycle diagram: Plan & Track, Develop, Build & Test, Deploy, Operate, Monitor & Learn, arranged as a loop around Continuous Delivery]
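Added example (not from the talk) of what the Build & Test phase of that lifecycle can do for firewall rules once they are source code: an offline policy check the pipeline runs against the committed rule CSV before any deployment, so a rule request that fails review never reaches Azure. The policy thresholds (admin port list, naming convention) and the sample rows, one of which deliberately violates several checks, are constructed for this example; no Azure module is needed to run it.

```powershell
# Added example, not the speaker's script. Runs offline; no Az module required.
# Policy values and the sample CSV below are constructed for illustration.

$AdminPorts = @('22', '3389', '5985', '5986')          # SSH, RDP, WinRM
$AnySources = @('*', 'Internet', '0.0.0.0/0')          # "from anywhere" spellings

function Test-NsgRuleSet {
    # Returns one finding string per policy violation; an empty result means the
    # rule set passed and the pipeline may proceed to deployment.
    param([Parameter(Mandatory)][object[]]$Rules)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Azure rejects duplicate priorities within one direction at deploy time;
    # catching it here fails the build instead of the release.
    $dupes = $Rules | Group-Object Direction, Priority | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        $findings.Add("Duplicate priority $($d.Name) used by: $($d.Group.Name -join ', ')")
    }

    foreach ($r in $Rules) {
        if ($r.Name -notmatch '^[a-z0-9-]{3,64}$') {
            $findings.Add("$($r.Name): name must be lowercase kebab-case, 3-64 characters")
        }
        if ([string]::IsNullOrWhiteSpace($r.Description)) {
            $findings.Add("$($r.Name): description (change justification) is required")
        }
        $prio = [int]$r.Priority
        if ($prio -lt 100 -or $prio -gt 4096) {
            $findings.Add("$($r.Name): priority $prio is outside the Azure NSG range 100-4096")
        }
        # Management ports must never be allowed inbound from any/Internet sources.
        if ($r.Direction -eq 'Inbound' -and $r.Access -eq 'Allow' -and
            $AnySources -contains $r.SourceAddressPrefix) {
            $ports = $r.DestinationPortRange -split ','
            $exposed = $ports | Where-Object { $_ -eq '*' -or $AdminPorts -contains $_ }
            if ($exposed) {
                $findings.Add("$($r.Name): admin port(s) $($exposed -join ',') open to $($r.SourceAddressPrefix)")
            }
        }
    }
    return $findings.ToArray()
}

# Constructed sample: row 2 has no justification, exposes RDP to the Internet and
# reuses priority 110; rows 1 and 3 are compliant.
$sample = @'
Name,Priority,Direction,Access,Protocol,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Description
allow-https-in,100,Inbound,Allow,Tcp,Internet,*,10.0.1.0/24,443,Public HTTPS to web tier
allow-rdp-in,110,Inbound,Allow,Tcp,Internet,*,10.0.1.0/24,3389,
allow-ssh-bastion,110,Inbound,Allow,Tcp,10.0.0.0/24,*,10.0.1.0/24,22,Bastion to app tier
'@ | ConvertFrom-Csv

$findings = Test-NsgRuleSet -Rules $sample
foreach ($f in $findings) { Write-Host "FAIL: $f" }
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit fails the pipeline stage
```

Running the script against the sample produces three findings for allow-rdp-in (duplicate priority, missing description, RDP open to the Internet) and exits 1. Wiring this into a pull-request build means the security review is enforced by the pipeline rather than relying on a reviewer noticing the problem in a CSV diff; the reviewer can then concentrate on the business justification in the Description column.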
12. Implemented 500 firewall rules in half a day
• Flexible way to adapt firewall rules afterwards
• Security review built into the process
• Standard format for developers to request firewall changes
• Happy customer