Network Device Compliance Measurement Today, Remediation Tomorrow

Transcription

Network device compliance measurement today, remediation tomorrow
Marc Petrivelli
Architect - Automation Practice
Red Hat Consulting NA

Share your automation story
1. How did you get started with Ansible?
2. How long have you been using it?
3. What's your favorite thing to do when you Ansible?

Background: Presentation Flow

Background
- Large global bank had an urgent need to enhance compliance measurement over the network and security devices to implement device specific security guides
- Desire to create an automated compliance measurement and reporting framework to validate security guide requirements
- Ensure the automation approach can be operationalized for consumption across the enterprise and used in future remediation efforts
- Looking for Red Hat Consulting to deliver the solution using Ansible Engine and Ansible Tower

Background: Compliance Measurement
- Large number of financial regulatory compliance requirements handed down from security and auditing teams as security guides
- Security guides span multiple device types and vendors including firewalls, VPN, proxy/secure gateway, AAA, load balancer and DNS/DHCP
- Roughly 230 devices in scope for compliance measurement
- No standardized configuration of devices or source of truth
- Compliance baseline gathered manually through device UIs and ad-hoc scripting by various teams and SMEs
- No standardized reporting format for consumption by enterprise audit teams and device owners
- Compliance measurement is the initial focus; remediation is the future state

Background: Solution Goals
- Provide a fully automated approach to measure compliance across in-scope network devices
- Operationalize automation across the enterprise with appropriate role based access control
- Enable standardized reporting for all device compliance measurement
- Design a framework that can be utilized outside of network device compliance: infrastructure, platform, application
- Ensure the approach is extensible to support future remediation use cases

Devices and Compliance Requirements

Approach: Requirements
- Financial regulatory compliance requirements drove generation of security guides
- Security guides written to address common and device specific security configurations
  - Common security guidelines across all devices
    - SEG A10 - Minimum Password Length - The minimum password length must be at least 15 characters
  - Device specific security guidelines with varying level of detail
    - SEG C20 - IKEv1 Encryption Level - Set the encryption level for IKEv1 to AES negotiation or higher
- Some security guidelines provided implementation detail (i.e. commands)
- Determine the exact commands necessary to collect data to assess compliance

Architecture

Approach: High-level Approach
- Analyze compliance requirements for each device to determine module usage
- Develop approach for "gaps" in module coverage and usage
  - command & raw module usage for basic commands
  - custom module development for complex/parent commands
- Design generic reporting approach each device will utilize
- Build custom dynamic inventory to ingest Remedy CMDB export and provide tagging
- Implement suite of playbooks and roles for each device type
  - Identify reuse opportunities (ASA VPN/Firewall)
  - One git repository per device
- Operationalize, ensuring automation is available for consumption across the enterprise

Approach: Implementation
- For security checks covered by modules, evaluate "changed" in check mode (mostly F5)
- Majority utilize command modules to collect required data
  - Develop custom bc_command module to support command execution on Symantec/Bluecoat proxy
- Initially string checks on output, but moved to Ansible network engine parser for structured data
- Each security check performed in separate task file(s) with status set as an Ansible fact
  - Required fact structure (nested dicts) defined by compliance reporting role with lookup plugin
- Compliance data passed to compliance reporting role, rendered as CSV by action plugin
- Custom dynamic inventory (python) to transform data and provide grouping and hostvars

Approach: Code Structure
[diagram: reusable roles consumed through the device automation repositories; labels visible: network-engine, radius, checkpoint]

Approach: Ansible Engine Usage
- Cisco ASA: asa_command
- Checkpoint: raw (future: checkpoint_* modules, which require the web services API (R80))
- Cisco ISE (AAA/Radius): ios_command
- Symantec/Bluecoat ProxySG: bc_command - custom module based on the asa_command module; extends the network_cli connection plugin
- F5 BIG-IP: bigip_command, bigip_password_policy, bigip_device_ntp, bigip_device_sshd, bigip_device_httpd, bigip_device_syslog
- DNS/DHCP: command, shell, template

Approach: Reporting Details
- Initially considered using Ansible Tower log aggregator integration (Splunk) or custom shipping of data to Tableau
- Compliance and audit team already had a consumable format (CSV) from the Linux engineering team
- Status of each security guide requirement, along with compliance check metadata, present in the report
- Generate a report for each device type for each compliance run
- Custom action plugin generates the CSV compliance report from gathered fact data
- Compliance report written to shared storage for consumption
- Report ingested into SQL Server through DTS; Tableau hooked into SQL Server for audit and compliance team reporting

Approach: Ansible Network Engine
- Provides a role containing action and lookup plugins to turn unstructured data into structured Ansible "native" data
- Output from the device command is passed to a "command parser"
  - The command_parser action plugin allows specification of a regex based parser as an Ansible task file
  - The parser utilizes pattern matching and data manipulation lookup plugins to create the desired data model
- Structured data is implicitly returned as fact(s) for use in verification and configuration tasks

Example of compliance check

  - name: check crypto IKEv1 settings
    asa_command:
      commands: show run crypto ikev1
    register: asa_crypto_ikev1_output

  - name: parse IKEv1 output
    command_parser:
      file: "parsers/asa-vpn-ikev1-policy.yml"
      content: "{{ asa_crypto_ikev1_output.stdout[0] }}"

  - name: set status for IKEv1 policies
    vars:
      encryption: "{{ asa_vpn_ikev1_policies | json_query('*.encryption') }}"
      allowed_algos: [ 'aes', 'aes-192', 'aes-256' ]
    set_fact:
      # all_in is the project's own filter (not part of Ansible core)
      seg_30_02_01_02_status: "{{ encryption | all_in(allowed_algos) }}"
      seg_30_02_01_02_status_detail: "Looking for {{ allowed_algos }} found {{ encryption }}"

  - name: update compliance data
    block:
      - set_fact:
          compliance_data: "{{ compliance_data | combine(curr_compliance) }}"
      - set_stats:
          data:
            compliance_data: "{{ compliance_data | combine(curr_compliance) }}"
    vars:
      # reporting_data is the project's own filter that builds the nested dict the reporting role expects
      curr_compliance: "{{ inventory_hostname | reporting_data('SEG 30.02.01.02', 'IKEv1 policy cipher', seg_30_02_01_02_status) }}"

Cisco ASA IKEv1 VPN Policy Parser

  - name: PARSER META DATA
    parser_metadata:
      version: 1.0
      command: "show run crypto ikev1"
      network_os: asa

  - name: match ikev1 policy
    pattern_match:
      regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
      match_all: yes
      match_greedy: yes
    register: asa_vpn_ikev1_policy_group
    export: yes

  - name: match policy values
    pattern_group:
      - name: match ikev1 policy
        pattern_match:
          regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_policy
      - name: match ikev1 authentication
        pattern_match:
          regex: "authentication\\s+(\\S+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_auth
      - name: match ikev1 encryption
        pattern_match:
          regex: "encryption\\s+(\\S+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_encryption
      - name: match ikev1 hash
        pattern_match:
          regex: "hash\\s+(\\S+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_hash
      # the group and lifetime matchers referenced by the template below were
      # clipped on the slide; restored here by analogy with the entries above
      - name: match ikev1 group
        pattern_match:
          regex: "group\\s+(\\d+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_group
      - name: match ikev1 lifetime
        pattern_match:
          regex: "lifetime\\s+(\\d+)"
          content: "{{ item }}"
        register: asa_vpn_ikev1_lifetime
    # loop/register of the pattern_group were clipped on the slide; the names follow
    # the registers used by the surrounding directives
    loop: "{{ asa_vpn_ikev1_policy_group }}"
    register: asa_vpn_ikev1_policy_list

  - name: generate IKEv1 data
    json_template:
      template:
        - key: "{{ item.asa_vpn_ikev1_policy.matches.0 }}"
          object:
            - key: authentication
              value: "{{ item.asa_vpn_ikev1_auth.matches.0 }}"
            - key: encryption
              value: "{{ item.asa_vpn_ikev1_encryption.matches.0 }}"
            - key: hash
              value: "{{ item.asa_vpn_ikev1_hash.matches.0 }}"
            - key: group
              value: "{{ item.asa_vpn_ikev1_group.matches.0 | int }}"
            - key: lifetime
              value: "{{ item.asa_vpn_ikev1_lifetime.matches.0 | int }}"
    export_as: dict
    export: yes
    register: asa_vpn_ikev1_policies
    loop: "{{ asa_vpn_ikev1_policy_list }}"

Cisco ASA IKEv1 VPN Policy Parser Output

  COMMAND: show run crypto ikev1

  crypto ikev1 enable outside
  crypto ikev1 am-disable
  crypto ikev1 policy 53
   authentication pre-share
   encryption aes
   hash md5
   group 3
  crypto ikev1 policy 8
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400

  CLIPPED

  TASK [asa-vpn : parse IKEv1 output] ***********************************
  task path: y.yml:3
  ok: [asadev01] => {
      "ansible_facts": {
          "asa_vpn_ikev1_policies": {
              CLIPPED
              "53": {
                  "authentication": "pre-share",
                  "encryption": "aes",
                  "group": "3",
                  "hash": "md5",
                  "lifetime": null
              },
              "8": {
                  "authentication": "pre-share",
                  "encryption": "aes-256",
                  "group": "3",
                  "hash": "md5",
                  "lifetime": "86400"
              }
          }
      },
      "changed": false,
      "included": ["parsers/asa-vpn-ikev1-policy.yml"]
  }

Example of compliance report generation

  # compliance check roles and tasks executed
  - name: include reporting role for report generation
    include_role:
      name: compliance-reporting
    vars:
      report_base_compliance_results: "{{ compliance_data }}"
      report_base_device_type: "vpn"

Resulting CSV report:

  Job name,Date,Logical Server name,Virtual DC,Rule name,Reference number,Rules comply
  ansible network vpn,13/05/2019 19:08,asavpndev1,VIRTUAL DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
  ansible network vpn,13/05/2019 19:08,asavpndev1,VIRTUAL DC,IKEv1 Hash,SEG 30.02.01.03,false
  ansible network vpn,13/05/2019 19:08,asavpndev2,VIRTUAL DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
  ansible network vpn,13/05/2019 19:08,asavpndev2,VIRTUAL DC,IKEv1 Hash,SEG 30.02.01.03,false
  ansible network vpn,13/05/2019 19:08,asavpndev3,VIRTUAL DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
  ansible network vpn,13/05/2019 19:08,asavpndev3,VIRTUAL DC,IKEv1 Hash,SEG 30.02.01.03,false
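The parser, the SEG 30.02.01.02 check and the sample output above, carried through in plain Python so the regex-to-structured-data step and the all_in comparison can be run offline. This is an added example, not the deck's or the project's code; the device output is constructed to match the slide, and the allowed hash list used for the SEG 30.02.01.03 style check is an assumption (the deck does not state one).

```python
import re

# Constructed sample in the shape of the 'show run crypto ikev1' output shown above.
SAMPLE_OUTPUT = """\
crypto ikev1 enable outside
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

POLICY_RE = re.compile(r"^crypto\s+ikev1\s+policy\s+(\d+)")
FIELD_RE = {  # one regex per field, as in the parser's pattern_group entries
    "authentication": re.compile(r"authentication\s+(\S+)"),
    "encryption": re.compile(r"encryption\s+(\S+)"),
    "hash": re.compile(r"hash\s+(\S+)"),
    "group": re.compile(r"group\s+(\d+)"),
    "lifetime": re.compile(r"lifetime\s+(\d+)"),
}
INT_FIELDS = {"group", "lifetime"}  # the json_template applies '| int' to these


def parse_ikev1_policies(output):
    """Per-policy blocks (pattern_match + match_greedy), one value per field (pattern_group)."""
    policies, current = {}, None
    for line in output.splitlines():
        m = POLICY_RE.match(line)
        if m:  # 'crypto ikev1 policy N' opens a new block keyed by N
            current = policies.setdefault(m.group(1), dict.fromkeys(FIELD_RE))
            continue
        if current is None:  # global lines such as 'enable outside' come first
            continue
        for field, rx in FIELD_RE.items():
            fm = rx.search(line)
            if fm:
                current[field] = int(fm.group(1)) if field in INT_FIELDS else fm.group(1)
    return policies  # a field never seen in a block stays None, like the slide's null lifetime


def check_policy_field(policies, field, allowed):
    """Mirror of the set_fact task: True only when every policy's value is in allowed (all_in)."""
    found = [p[field] for p in policies.values()]
    return all(v in allowed for v in found), f"Looking for {list(allowed)} found {found}"
```

Running check_policy_field on the sample for "encryption" with the deck's allowed_algos returns true, while a hash check against an allowlist of just "sha" returns false because policy 53 still uses md5, which is the true/false pair the CSV report above shows per device.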

Approach: Operationalize the Automation
So we have a solid Ansible framework to run compliance checks but need to:
- tightly manage inventories and associated host and group metadata
- provide proper access controls to run and modify the automation
- allow for a development process to provide verified releases
- run the automation through external orchestrators or on a schedule
- target execution across data centers without direct connectivity to devices

Architecture

Manage Inventory
- CSV export of Remedy CMDB as source of truth
- Dynamic inventory to structure inventory and hostvars
- Master inventory containing all devices
- Smart inventories for each device type
- Device specific automation tied to smart inventory
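An added example (not the bank's or the project's inventory script) of the dynamic inventory step described above: CMDB rows become a group per device type and per data center plus per-host connection variables, which is the metadata the smart inventories select on. The CSV is embedded and constructed, and its column names are an assumption rather than the real Remedy export schema.

```python
import csv
import io
import json
import sys

# Constructed CMDB export; the column names are an assumption, not the real Remedy schema.
CMDB_CSV = """\
logical_server_name,ip_address,device_type,virtual_dc,network_os
asavpndev1,10.0.0.11,vpn,VIRTUAL DC,asa
asavpndev2,10.0.0.12,vpn,VIRTUAL DC,asa
isedev1,10.0.1.21,aaa,VIRTUAL DC,ios
proxydev1,10.0.2.31,proxy,DC2,
"""


def build_inventory(csv_text):
    """Build the JSON a dynamic inventory script prints for --list: a group per
    device type and per DC (the tags smart inventories filter on) and per-host
    connection details under _meta.hostvars."""
    inv = {"_meta": {"hostvars": {}}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["logical_server_name"]
        hv = {"ansible_host": row["ip_address"], "device_type": row["device_type"],
              "virtual_dc": row["virtual_dc"]}
        if row["network_os"]:  # devices reached via network_cli (asa_command, ios_command)
            hv.update(ansible_connection="network_cli", ansible_network_os=row["network_os"])
        inv["_meta"]["hostvars"][host] = hv
        dc_group = "dc_" + row["virtual_dc"].lower().replace(" ", "_")
        for group in ("type_" + row["device_type"], dc_group):
            inv.setdefault(group, {"hosts": []})["hosts"].append(host)
    return inv


if __name__ == "__main__":
    # Ansible invokes an inventory script with --list (whole inventory) or --host <name>.
    inventory = build_inventory(CMDB_CSV)
    if len(sys.argv) > 2 and sys.argv[1] == "--host":
        print(json.dumps(inventory["_meta"]["hostvars"].get(sys.argv[2], {})))
    else:
        print(json.dumps(inventory, indent=2))
```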

Role Based Access Control
- Load balancer and VPN automation shown
- Architecture org controls all inventory and permissions
- Development org/team uses inventory to build workflows
- Production org prod admin team builds out workflows
- Prod admin gives execute access to netsec ops team
- Netsec ops team only has execute permissions
- Projects point to appropriate branches

Compliance Automation Workflow


Approach: Success Metrics
- Achieved 85% implementation for 160 security guide controls
- Reduced compliance measurement timeline for devices from weeks to hours
- Operational solution where compliance ran on a schedule and by authorized teams across the enterprise
- Ansible content structured to allow for easy review by auditors and external teams
- Enabled a development and release workflow to allow for continued updates and verified releases
- Extensible Ansible automation framework to support future devices and remediation
