AUTOMATING CLOUD SECURITY WITH ANSIBLE & PALO ALTO NETWORKS
Richard Henshall, Product Manager for Cloud, Ansible, Red Hat
Brian Torres-Gil, Director, Developer Relations, Palo Alto Networks
Garfield Freeman, Solutions Engineer, Developer Relations, Palo Alto Networks
SIMPLE
o Human readable automation
o No special coding skills needed
o Tasks executed in order
o Get productive quickly
POWERFUL
o App deployment
o Configuration management
o Workflow orchestration
o Orchestrate the app lifecycle
AGENTLESS
o No extra code to manage
o Uses OpenSSH
o No agents to exploit or update
o More efficient & more secure
DEV | NETWORK | IT OPERATIONS | BUSINESS
ANSIBLE IS THE UNIVERSAL LANGUAGE
Automating Cloud Security with Ansible and Palo Alto Networks
Brian Torres-Gil, Director, Developer Relations - Palo Alto Networks
Garfield Freeman, Solutions Engineer - Palo Alto Networks
“Because of the consistency and high percentage of true positives we get from
the Palo Alto Networks platform, we have the confidence now to automate.”
Joel Pfeifer, principal security analyst, HealthPartners
LEADERSHIP IN CYBERSECURITY
• 63% of the Global 2K are Palo Alto Networks customers
• 28% year over year revenue growth*
• 85 of Fortune 100 rely on Palo Alto Networks
• 48% CAGR, FY12–FY17
• 48,000+ customers in 150+ countries
[Chart: Revenue trend, FY12–FY17]
* Q2FY2018. Fiscal year ends July 31.
3 | © 2018, Palo Alto Networks. All Rights Reserved.
SECURITY STARTS WITH THE FIREWALL
• The firewall is the right place to enforce policy control
  • Sees all traffic
  • Defines trust boundary
  • Enables access via positive control
• BUT… applications have changed
  • Ports ≠ Applications
  • IP Addresses ≠ Users
  • Packets ≠ Content
Need to restore visibility and control in the firewall
PALO ALTO NETWORKS APPROACH FOR PREVENTING ATTACKS
Complete visibility
• Network & endpoint (different views)
• All applications, inc. cloud & SaaS
• All users & devices, inc. all locations
• Encrypted traffic
Reduce attack surface area
• Enable business apps
• Block “bad” apps
• Limit app functions
• Limit high risk websites and content
• Require multi-factor authentication
Prevent all known threats
• Exploits
• Malware
• Command & control
• Malicious & phishing websites
• Bad domains
Detect & prevent new threats
• Unknown malware
• Zero-day exploits
• Custom attack behavior
CUSTOMER DEPLOYMENT TRENDS
Large Scale Multi Cloud
Automated | Repeatable
PALO ALTO NETWORKS SECURITY OPERATING PLATFORM
• PREVENT SUCCESSFUL CYBERATTACKS: Operate with ease using best practices
• FOCUS ON WHAT MATTERS: Automate tasks using context and analytics
• CONSUME INNOVATIONS QUICKLY: Palo Alto Networks, 3rd party, and customer delivered
BUILT FOR AUTOMATION
ANSIBLE MODULES: AT A GLANCE
Origin: Jan 2015 | Contributors: 10 | Modules: ~20
• Run any command
• Define security policy
• Configure NAT
• Provision interfaces
• Manage administrator accounts
• Audit, verify, and commit security configuration
• Deploy and scale in the cloud
• Leverage Dynamic Address Groups
ANSIBLE MODULES: THE BENEFIT
ANSIBLE DEMO
CI/CD: A QUICK PRIMER
Notification Automation
ANSIBLE DEMO: CI/CD DEMO WORKFLOW
• User updates the application
• GitHub WebHook [push] sent
• Application code is checked out
• Build Ansible playbooks
• Invoke Ansible playbooks
GitHub
CI/CD DEMO
ANSIBLE RESOURCES
• Ansible Modules: http://docs.ansible.com/ansible/list_of_network_modules.html#panos
• Ansible Galaxy: https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks/
• GitHub repository: https://github.com/PaloAltoNetworks/ansible-pan
• Community: https://live.paloaltonetworks.com/ansible
THANK YOU
More information: https://live.paloaltonetworks.com/ansible