Phantom app: Ansible Tower

Post on 13-Jan-2017


Copyright © 2016 World Wide Technology, Inc. All rights reserved.

18 August 2016 Building And Automating The Next Generation Network

Joel W. King, Engineering and Innovations, Network Solutions

Abstract

Ansible Tower by Red Hat provides a visual dashboard (GUI) with role-based access control and inventory management for the open source Ansible orchestration and automation software. Tower provides an API that can be used to launch job templates, passing extra variables into the template in the body of the REST POST.

The Phantom app for Ansible Tower is a force multiplier for Phantom, providing a means to consume Ansible modules and playbooks without writing the module functionality as an app in Phantom.

FOR YOUR REFERENCE

Phantom app

Solution Architecture: Remote Triggered Black Hole

Phantom 2.0.67 (phantom.sandbox.wwtatc.local)

Ansible Tower 3.0 (ansible-tower.sandbox.wwtatc.local)

github.wwt.com

router bgp 65536……

ISR-2911-D.sandbox.wwtatc.local

Phantom Playbook

Job Template ID: Job template name or id number can be specified

Ansible Playbook

"ip route {{malicious_ip}} 255.255.255.255 Null0 tag 66 name BGP_RTBH"

Ansible Job Template

Select Prompt on Launch

Ansible Job

extra vars provided from Phantom when job is launched

Router Configuration after playbook has executed

[phantom@localhost ansible_tower]$ ssh admin@isr-2911-d.sandbox.wwtatc.local
Password:

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action.

WAN Edge (Outside) router

ISR-2911-D>en
Password:
ISR-2911-D#show run | inc RTBH
ip route 192.0.2.1 255.255.255.255 Null0 tag 66 name BGP_RTBH
ip route 198.200.139.176 255.255.255.255 Null0 tag 66 name BGP_RTBH
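
The launch step from the slides above, as an added example (not code from the original deck or from the ansible_tower app): it validates the address taken from event data before it can reach the router template, then builds the REST POST that passes it as extra_vars. The /api/v1/ path, the token header, the numeric template id 7 and the PROTECTED prefixes are assumptions.

```python
import ipaddress
import json
import urllib.request

# Assumptions for this sketch: Tower 3.0 serves its REST API under /api/v1/,
# token auth is in use, and PROTECTED holds prefixes that must never be
# black-holed (constructed sample values; substitute the site's own).
TOWER_HOST = "ansible-tower.sandbox.wwtatc.local"  # hostname from the slide
PROTECTED = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_rtbh_target(value, protected=PROTECTED):
    """Return a canonical IPv4 host string, or raise ValueError.

    The value is rendered into "ip route {{malicious_ip}} 255.255.255.255
    Null0 ...", so only a single dotted-quad host address may pass.
    """
    if not isinstance(value, str):
        raise ValueError(f"expected a string, got {type(value).__name__}")
    try:
        addr = ipaddress.IPv4Address(value.strip())
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 host address: {value!r}") from exc
    if (addr.is_loopback or addr.is_multicast or addr.is_unspecified
            or addr.is_link_local or addr.is_reserved):
        raise ValueError(f"refusing special-purpose address {addr}")
    for net in protected:
        if addr in net:
            raise ValueError(f"{addr} is inside protected prefix {net}")
    return str(addr)


def build_launch_request(template_id, malicious_ip, token):
    """Build (but do not send) the POST that launches the job template."""
    body = {"extra_vars": {"malicious_ip": validate_rtbh_target(malicious_ip)}}
    url = f"https://{TOWER_HOST}/api/v1/job_templates/{int(template_id)}/launch/"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Token {token}"},
    )


if __name__ == "__main__":
    req = build_launch_request(7, "198.200.139.176", "constructed-token")
    print(req.get_method(), req.full_url, req.data.decode())
```

Tower only accepts the extra_vars in this body when the job template has Prompt on Launch selected, as the Ansible Job Template slide notes.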

Solution Architecture: Incorporating ACI app

Phantom 2.0.67

Ansible Tower 3.0

github.wwt.com

router bgp 65536……

dbgacEpgToIp.yml: apply atomic counter configuration

atomic_counters.py

PhantomIngest.py

Create Incident in Phantom based on atomic counters exceeding threshold

Multiple variables can be passed to job template

Key Take-aways

Launching job templates from Phantom provides access to existing Ansible modules and playbooks.

The Phantom F5 app used a Python module written for Ansible.

Ideally, remotely triggered black hole (RTBH) should be a native Phantom app.

Challenge: BGP-speaking routers encompass a wide range of vendors and operating systems.

References

Ansible Tower: www.ansible.com/tower

Ansible Tower API Guide v3.0: docs.ansible.com/ansible-tower/latest/html/towerapi/

Source Code: github.com/joelwking/Phantom-Cyber/tree/master/ansible_tower