Automating Network Firewall Rule Creation using Powershell and CI/CD

•Descargar como PPTX, PDF•

1 recomendación•989 vistas

Presentation for SANS Cloud Security Summit. Topic: Network security automation Managing firewall rules is a complex task. During this talk, we'll discuss one way to automate the creation and management of those firewall rules using PowerShell and a continuous integration and deployment (CI/CD) pipeline. The basis of the presentation is an actual customer implementation of this end-to-end process. We will discuss the requirements for the solution and how this solution was developed and has grown from proof of concept to production. Although the implementation is Azure-specific, the talk will be abstracted to showcase the feasibility of this approach across multiple clouds. Demos presented during the talk will showcase the PowerShell script and then the end-to-end workflow using Azure DevOps.

Tecnología

Runner
Belgian in the US
Cloud Solution Architect @ Microsoft
• Infrastructure
• Networking
• Open Source

DDoS
protection
Identity
management
Network
security
Application
security
Encryption

All major cloud providers offer a native L3/L4 firewall capability (Security Group)
A set of network security rules to allow/deny network traffic into/out of instances
• ~Like ACLs
• Instance tagging – security groups
• Stateful
• An object
Differences
• AWS has 2 implementations: security groups and network ACL (stateless)
• Azure allows IP-based and security group based rules mixed
• Assigned to different levels: AWS is instance level, Azure is instance or subnet level, GCP is VPC level

Organic cloud
adoption 
structured
cloud adoption
Security review
Micro-
segmentation
Catalyst: new
customer-
facing
application
coming live

Human error.
What if we needed to do it all
over again?
What if this needs to
repeated for a second
region?
We only had half a day to do
this right.

We needed to decide
Highly parallel
Single API call
Source code

Automation in step 1 in a DevOps Lifecycle.
DevOps is the union of people,
process, and products to
enable continuous delivery of
value to your end users.
“
”
Build
&
Test
Continuous
Delivery
Deploy
Operate
Monitor
&
Learn
Plan
&
Track
Develop

Read CSV
input
unsorted
Creates per-
subnet rules-
hashtable
Generates
per-subnet
IaC artifact
Validates IaC
artifact

Implemented 500 firewall rules in half a day
Flexible way to adapt firewall rules afterwards
Security review built-in to process
Standard format for developers to request firewall changes
Happy customer

https://github.com/NillsF/NSG-CSV-to-ARM

Más contenido relacionado

La actualidad más candente

Karpenter

Knoldus Inc.

네트워크 가상화 발표자료-SDN/NFV/Cloud

seungdols

Automating with NX-OS: Let's Get Started!

Cisco DevNet

Autoscaling Kubernetes

craigbox

Kubernetes: Reducing Infrastructure Cost & Complexity

DevOps.com

Using the KVMhypervisor in CloudStack

ShapeBlue

While Azure provides native load balancing capabilities, our KEMP Virtual LoadMaster (VLM) significantly improves on these via advance features like application delivery and load balancing in Layer 7 of the network stack. Other features that KEMP VLM delivers for Azure based and hybrid infrastructure deployments are: - Client authentication and single sign-on (SSO) High Performance Layer 4 & Layer 7 Application Load Balancing - Intelligent Global Site Traffic Distribution - Application Health Checking - IP and Layer 7 Persistence - Content Switching - SSL Acceleration and Offload - Compression - Caching - Advanced App Gateway Services - Provide better Load Balancing over the Internal Load Balancer - Sophisticated Traffic Manager https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/ https://azure.microsoft.com/en-us/marketplace/partners/kemptech/vlm-azure/

Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure

Kemp

Aks pimarox from zero to hero

Johan Biere

Service mesh

Arnab Mitra

Productionizing Machine Learning with a Microservices Architecture

Databricks

Scalable Service-Oriented Middleware on IP (SOME/IP) is a proposal aimed at providing service-oriented communication in vehicles. SOME/IP nodes are able to dynamically discover and subscribe to available services through the SOME/IP Service Discovery protocol (SOME/IP SD). In this context, a key performance criterion to achieve the required responsiveness is the subscription latency that is the time it takes for a client to subscribe to a service. In this paper we provide a recap of SOME/SD and list a number of assumptions based on what we can foresee about the use of SOME/IP in the automotive domain. Then, we identify the factors having an effect on the subscription latency, and, by sensitivity analysis, quantify their importance regarding the worst-case service subscription latency. The analysis and experiments in this study provide practical insights into how to best configure SOME/IP SD protocol.

Insights on the configuration and performances of SOME/IP Service Discovery

Nicolas Navet

Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core

Vietnam Open Infrastructure User Group

Kubernetes internals (Kubernetes 해부하기)

DongHyeon Kim

building microservices

Cisco DevNet

Azure kubernetes service (aks)

Akash Agrawal

Introduction to OpenFlow

Joel W. King

IBM WebSphere MQ Introduction

ejlp12

The RabbitMQ Message Broker

Martin Toshev

02 api gateway

Janani Velmurugan

CCNAv5 - S3: Chapter1 Introduction to Scaling Networks

Vuz Dở Hơi

La actualidad más candente (20)

Karpenter

네트워크 가상화 발표자료-SDN/NFV/Cloud

Automating with NX-OS: Let's Get Started!

Autoscaling Kubernetes

Kubernetes: Reducing Infrastructure Cost & Complexity

Using the KVMhypervisor in CloudStack

Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure

Aks pimarox from zero to hero

Service mesh

Productionizing Machine Learning with a Microservices Architecture

Insights on the configuration and performances of SOME/IP Service Discovery

Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core

Kubernetes internals (Kubernetes 해부하기)

building microservices

Azure kubernetes service (aks)

Introduction to OpenFlow

IBM WebSphere MQ Introduction

The RabbitMQ Message Broker

02 api gateway

CCNAv5 - S3: Chapter1 Introduction to Scaling Networks

Similar a Automating Network Firewall Rule Creation using Powershell and CI/CD

Netflix Cloud Architecture and Open Source

aspyker

Regulated Reactive - Security Considerations for Building Reactive Systems in...

Ryan Hodgin

Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data. Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.

Azure 101: Shared responsibility in the Azure Cloud

Paulo Renato

How we think about and architect network security has stayed fairly constant for quite some time. Until we moved to the cloud. Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing and hybrid networks requires a different mindset, different tools, and a new approach. Hybrid networks complicate management, both in your data center and in the cloud. Each side uses a different basic configuration and security controls, so the challenge is to maintain consistency across both, even though the tools you use – such as your nifty next generation firewall – might not work the same (if at all) in both environments. Presented by AlgoSec and Rich Mogull, Analyst and CEO at Securosis, this webinar explains how cloud network security is different, and how to pragmatically manage it for both pure cloud and hybrid cloud networks. We will start with some background material and Cloud Networking 101, then move into cloud network security controls, and specific recommendations on how to use and manage them in a hybrid environment.

A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment

AlgoSec

AWS Security Architecture - Overview

Sai Kesavamatham

Getting Started With AWS Security

Amazon Web Services

Microservices with Azure Service Fabric

Davide Benvegnù

http://www.secludit.com We integrated Elastic Detector, which is SecludIT's product, with OSSIM in order to detect side-channel attacks occurring in cloud infrastructures. Elastic Detector takes care of solving the cloud elasticity issue, collecting security-relevant logs and forwarding (rsyslog) them to OSSIM where the correlation takes place (thanks to our plugin). DEMO showed at the RaSIEM workshop (ARES conference) in Regensburg, Germany.

How to detect side channel attacks in cloud infrastructures

Pasquale Puzio

AWS, Azure and Google Cloud have disrupted the traditional infrastructure market. After realizing that security is a major roadblock to cloud adoption, they are putting money and effort to built-in security features. But hybrid setups remain a challenge for companies and there is a learning curve for security teams to be proficient on cloud. Find out how to choose the best toolset to secure your data in the cloud.

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...

Outpost24

Managed Threat Detection and Response

Alert Logic

Managed Threat Detection & Response for AWS Applications

Alert Logic

Service fabric and azure service fabric mesh

Mikkel Mørk Hegnhøj

Hybrid - Seguridad en Contenedores v3.pptx

HansFarroCastillo1

A hybrid Architecture is one of the easiest ways to securely address new application requirements and cloud-first development initiatives. This approach allows you to start small and expand as your requirements change while maintaining a strong security posture. In this session, you will learn the 5 key steps to building a hybrid architecture using the VM-Series next-generation firewall. Speaker: Bisham Kishnani, Consulting Engineer (APJC) – DataCenter & Virtualization, Palo Alto Networks

5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...

Amazon Web Services

[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking

OpenStack Korea Community

Security in the cloud Workshop HSTC 2014

Akash Mahajan

OpenStack - Security Professionals Information Exchange

Cybera Inc.

Cisco ACI for the Microsoft Cloud Platform

Shashi Kiran

Discuss following: What does it really take to make sure your application is production ready? With new privacy regulations being added, many aspects need to be taken into account when deciding when to deliver your final application is ready for production. Can your application handle multiple users with different levels of access? Can you extend your application to use existing authentication and authorization platforms? Have you invested in using Mutual TLS for communication between components? How do you manage the certificates and passwords used within your product? Is CICD your friend or your enemy when it comes to delivering your product? Have you considered the availability and scalability of the application?

From Containerized Application to Secure and Scaling With Kubernetes

Shikha Srivastava

BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx

JasonOstrom1

Similar a Automating Network Firewall Rule Creation using Powershell and CI/CD (20)

Netflix Cloud Architecture and Open Source

Regulated Reactive - Security Considerations for Building Reactive Systems in...

Azure 101: Shared responsibility in the Azure Cloud

A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment

AWS Security Architecture - Overview

Getting Started With AWS Security

Microservices with Azure Service Fabric

How to detect side channel attacks in cloud infrastructures

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...

Managed Threat Detection and Response

Managed Threat Detection & Response for AWS Applications

Service fabric and azure service fabric mesh

Hybrid - Seguridad en Contenedores v3.pptx

5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...

[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking

Security in the cloud Workshop HSTC 2014

OpenStack - Security Professionals Information Exchange

Cisco ACI for the Microsoft Cloud Platform

From Containerized Application to Secure and Scaling With Kubernetes

BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx

Más de Nills Franssens

Gentle introduction to containers and kubernetes

Nills Franssens

Automation - Azure training day Cloud security and governance

Nills Franssens

Containers and Kubernetes

Nills Franssens

Nodeless and serverless kubernetes

Nills Franssens

Bay Area Azure Meetup - Ignite update session

Nills Franssens

Making sense of containers, docker and Kubernetes on Azure.

Nills Franssens

The container ecosystem @ MicrosoftA story of developer productivity

Nills Franssens

My most complex ARM template - Story from the trenches

Nills Franssens

Más de Nills Franssens (8)

Gentle introduction to containers and kubernetes

Automation - Azure training day Cloud security and governance

Containers and Kubernetes

Nodeless and serverless kubernetes

Bay Area Azure Meetup - Ignite update session

Making sense of containers, docker and Kubernetes on Azure.

The container ecosystem @ MicrosoftA story of developer productivity

My most complex ARM template - Story from the trenches

Último

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Real Time Object Detection Using Open CV

Khem

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

MINDCTI Revenue Release Quarter One 2024

MIND CTI

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

Automating Network Firewall Rule Creation using Powershell and CI/CD

2. Runner Belgian in the US Cloud Solution Architect @ Microsoft • Infrastructure • Networking • Open Source

3. DDoS protection Identity management Network security Application security Encryption

4. All major cloud providers offer a native L3/L4 firewall capability (Security Group) A set of network security rules to allow/deny network traffic into/out of instances • ~Like ACLs • Instance tagging – security groups • Stateful • An object Differences • AWS has 2 implementations: security groups and network ACL (stateless) • Azure allows IP-based and security group based rules mixed • Assigned to different levels: AWS is instance level, Azure is instance or subnet level, GCP is VPC level

5. Organic cloud adoption  structured cloud adoption Security review Micro- segmentation Catalyst: new customer- facing application coming live

6. Human error. What if we needed to do it all over again? What if this needs to repeated for a second region? We only had half a day to do this right.

7. We needed to decide Highly parallel Single API call Source code

8. Automation in step 1 in a DevOps Lifecycle. DevOps is the union of people, process, and products to enable continuous delivery of value to your end users. “ ” Build & Test Continuous Delivery Deploy Operate Monitor & Learn Plan & Track Develop

10. Read CSV input unsorted Creates per- subnet rules- hashtable Generates per-subnet IaC artifact Validates IaC artifact

11.

12. Implemented 500 firewall rules in half a day Flexible way to adapt firewall rules afterwards Security review built-in to process Standard format for developers to request firewall changes Happy customer

13. https://github.com/NillsF/NSG-CSV-to-ARM

Notas del editor

DevOps is the union of people, process and products to enable the continuous delivery of value to your end customers

Automating Network Firewall Rule Creation using Powershell and CI/CD

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Automating Network Firewall Rule Creation using Powershell and CI/CD

Similar a Automating Network Firewall Rule Creation using Powershell and CI/CD (20)

Más de Nills Franssens

Más de Nills Franssens (8)

Último

Último (20)

Automating Network Firewall Rule Creation using Powershell and CI/CD

Notas del editor