Date post: 26-Jul-2020
Network device compliance measurement today, remediation tomorrow Marc Petrivelli Architect - Automation Practice Red Hat Consulting NA
Transcript
Page 1: today, remediation tomorrow Network device compliance ... ATL... · services API (>= R80) Cisco ISE (AAA/Radius) ios_command Symantec/Bluecoat ProxySG bc_command - custom module based

Network device compliance measurement today, remediation tomorrow

Marc Petrivelli, Architect - Automation Practice, Red Hat Consulting NA

Page 2

Share your automation story

1. How did you get started with Ansible?
2. How long have you been using it?
3. What's your favorite thing to do when you Ansible?

Page 3

Presentation Flow

Background

Page 4

Background

● A large global bank had an urgent need to enhance compliance measurement of its network and security devices by implementing device-specific security guides
● Desire to create an automated compliance measurement and reporting framework to validate security guide requirements
● Ensure the automation approach can be operationalized for consumption across the enterprise and reused in future remediation efforts
● Looked to Red Hat Consulting to deliver the solution using Ansible Engine and Ansible Tower

Page 5

Background: Compliance Measurement

● A large number of financial regulatory compliance requirements handed down from the security and auditing teams as security guides
● Security guides span multiple device types and vendors, including firewall, VPN, proxy/secure gateway, AAA, load balancer and DNS/DHCP
● Roughly 230 devices in scope for compliance measurement
● No standardized device configuration and no source of truth
● Compliance baseline gathered manually through device UIs and ad-hoc scripting by various teams and SMEs
● No standardized reporting format for consumption by enterprise audit teams and device owners
● Compliance measurement is the initial focus; remediation is the future state

Page 6

Background: Solution Goals

● Provide a fully automated approach to measuring compliance across the in-scope network devices
● Operationalize the automation across the enterprise with appropriate role-based access control
● Enable standardized reporting for all device compliance measurements
● Design a framework that can be used beyond network device compliance: infrastructure, platform, application
● Ensure the approach is extensible to support future remediation use cases

Page 7

Devices and Compliance Requirements

Page 8

Approach: Requirements

● Financial regulatory compliance requirements drove the generation of the security guides
● Security guides were written to address common and device-specific security configurations
● Common security guidelines across all devices
  ○ SEG A10 - Minimum Password Length - The minimum password length must be at least 15 characters
● Device-specific security guidelines with varying levels of detail
  ○ SEG C20 - IKEv1 Encryption Level - Set the encryption level for IKEv1 to AES negotiation or higher
● Some security guidelines provided implementation detail (i.e. the commands)
● Determine the exact commands necessary to collect the data needed to assess compliance

Page 9

Architecture

Page 10

Approach: High-level Approach

● Analyze the compliance requirements for each device to determine module usage
● Develop an approach for "gaps" in module coverage
  ○ command and raw module usage for basic commands
  ○ custom module development for complex/parent commands
● Design a generic reporting approach that every device type will use
● Build a custom dynamic inventory to ingest the Remedy CMDB export and provide tagging
● Implement a suite of playbooks and roles for each device type
  ○ Identify reuse opportunities (ASA VPN/firewall)
  ○ One git repository per device type
● Operationalize, ensuring the automation is available for consumption across the enterprise

Page 11

Approach: Implementation

● For security checks covered by modules, run the module in check mode and evaluate changed (mostly F5): a check-mode task that reports changed means the device does not already match the required setting
● The majority use command modules to collect the required data
● Developed a custom bc_command module to support command execution on the Symantec/Bluecoat proxy
● Initially string checks on the output, but moved to the Ansible network-engine parser for structured data
● Each security check is performed in a separate task file, with its status set as an Ansible fact
● The required fact structure (nested dicts) is defined by the compliance-reporting role via a lookup plugin
● Compliance data is passed to the compliance-reporting role and rendered as CSV by an action plugin
● Custom dynamic inventory (Python) transforms the CMDB data and provides grouping and hostvars

Page 12

Approach: Code Structure

Reusable roles, consumed through ansible-galaxy:
  compliance-reporting
  asa-common
  network-engine

Device-type repositories that consume the reusable roles:
  asa-firewall  asa-vpn  bluecoat-proxy  f5-loadbalancer  dns-automation  radius  checkpoint

Page 13

Approach: Ansible Engine Usage

● Cisco ASA
  ○ asa_command
● Checkpoint
  ○ raw
  ○ future: checkpoint_* modules - require the web services API (>= R80)
● Cisco ISE (AAA/RADIUS)
  ○ ios_command
● Symantec/Bluecoat ProxySG
  ○ bc_command - custom module based on the asa_command module; extends the network_cli connection plugin
● F5 BIG-IP
  ○ bigip_command, bigip_password_policy, bigip_device_ntp, bigip_device_sshd, bigip_device_httpd, bigip_device_syslog
● DNS/DHCP
  ○ command, shell, template

Page 14

Approach: Reporting Details

● Initially considered the Ansible Tower log aggregator integration (Splunk) or custom shipping of data to Tableau
● The compliance and audit team already consumed a format (CSV) produced by the Linux engineering team
● The status of each security guide requirement, along with compliance check metadata, is present in the report
● Generate a report per device type for each compliance run
● A custom action plugin generates the CSV compliance report from the gathered fact data
● The compliance report is written to shared storage for consumption
● The report is ingested into SQL Server through DTS; Tableau is hooked into SQL Server for audit and compliance team reporting

Page 15

Approach: Ansible Network Engine

● Provides a role containing action and lookup plugins that turn unstructured data into structured Ansible "native" data
● Output from a device command is passed to a "command parser"
● The command_parser action plugin allows a regex-based parser to be specified as an Ansible task file
● The parser uses pattern matching and data manipulation lookup plugins to create the desired data model
● Structured data is implicitly returned as fact(s) for use in verification and configuration tasks

Page 16

Example of compliance check

- name: check crypto IKEv1 settings
  asa_command:
    commands:
      - show run crypto ikev1
  register: asa_crypto_ikev1_output

- name: parse IKEv1 output
  command_parser:
    file: "parsers/asa-vpn-ikev1-policy.yml"
    content: "{{ asa_crypto_ikev1_output.stdout[0] }}"

- name: set status for IKEv1 policies
  vars:
    _encryption: "{{ asa_vpn_ikev1_policies | json_query('*.encryption') }}"
    _allowed_algos: ['aes', 'aes-192', 'aes-256']
  set_fact:
    # all_in is the project's custom filter: true only if every value in
    # _encryption is one of _allowed_algos
    seg_30_02_01_02_status: "{{ _encryption | all_in(_allowed_algos) }}"
    seg_30_02_01_02_status_detail: "Looking for {{ _allowed_algos }} found {{ _encryption }}"

- name: update compliance data block
  vars:
    # reporting_data comes from the compliance-reporting role and builds the
    # nested dict the report expects for this host and guide item
    _curr_compliance: "{{ inventory_hostname | reporting_data('SEG 30.02.01.02', 'IKEv1 policy cipher', seg_30_02_01_02_status) }}"
  set_fact:
    compliance_data: "{{ compliance_data | combine(_curr_compliance) }}"

# set_stats is a separate task: one task cannot carry two modules
- name: publish compliance data to the Tower workflow
  set_stats:
    data:
      compliance_data: "{{ compliance_data }}"

Page 17

Cisco ASA IKEv1 VPN Policy Parser (parsers/asa-vpn-ikev1-policy.yml)

- name: PARSER META DATA
  parser_metadata:
    version: 1.0
    command: "show run crypto ikev1"
    network_os: asa

- name: match ikev1 policy
  pattern_match:
    regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
    match_all: yes
    match_greedy: yes
  register: asa_vpn_ikev1_policy_group
  export: yes

- name: match policy values
  pattern_group:
    - name: match ikev1 policy
      pattern_match:
        regex: "^crypto\\s+ikev1\\s+policy\\s+(\\d+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_policy

    - name: match ikev1 authentication
      pattern_match:
        regex: "authentication\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_auth

    - name: match ikev1 encryption
      pattern_match:
        regex: "encryption\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_encryption

    - name: match ikev1 hash
      pattern_match:
        regex: "hash\\s+(\\S+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_hash

    # the group and lifetime matches are cut off on the slide; they are
    # reconstructed here from the json_template below, which references both
    - name: match ikev1 group
      pattern_match:
        regex: "group\\s+(\\d+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_group

    - name: match ikev1 lifetime
      pattern_match:
        regex: "lifetime\\s+(\\d+)"
        content: "{{ item }}"
      register: asa_vpn_ikev1_lifetime
  # one iteration per policy block matched above
  loop: "{{ asa_vpn_ikev1_policy_group }}"
  register: asa_vpn_ikev1_policy_list

- name: generate IKEv1 data
  json_template:
    template:
      - key: "{{ item.asa_vpn_ikev1_policy.matches.0 }}"
        object:
          - key: authentication
            value: "{{ item.asa_vpn_ikev1_auth.matches.0 }}"
          - key: encryption
            value: "{{ item.asa_vpn_ikev1_encryption.matches.0 }}"
          - key: hash
            value: "{{ item.asa_vpn_ikev1_hash.matches.0 }}"
          - key: group
            value: "{{ item.asa_vpn_ikev1_group.matches.0 | int }}"
          - key: lifetime
            value: "{{ item.asa_vpn_ikev1_lifetime.matches.0 | int }}"
  loop: "{{ asa_vpn_ikev1_policy_list }}"
  export: yes
  export_as: dict
  register: asa_vpn_ikev1_policies

Page 18

Cisco ASA IKEv1 VPN Policy Parser Output

TASK [asa-vpn : parse IKEv1 output] ******************************************************************************
task path: test/asa-vpn/roles/asa-vpn/tasks/check-ikev1-policy.yml:3
ok: [asadev01] => {
    "ansible_facts": {
        "asa_vpn_ikev1_policies": {
            << CLIPPED >>
            "53": {
                "authentication": "pre-share",
                "encryption": "aes",
                "group": "3",
                "hash": "md5",
                "lifetime": null
            },
            "8": {
                "authentication": "pre-share",
                "encryption": "aes-256",
                "group": "3",
                "hash": "md5",
                "lifetime": "86400"
            }
        }
    },
    "changed": false,
    "included": [
        "parsers/asa-vpn-ikev1-policy.yml"
    ]
}

COMMAND: show run crypto ikev1

crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
<<CLIPPED>>

Page 19

Example of compliance report generation

# compliance check roles and tasks executed first

- name: include reporting role for report generation
  include_role:
    name: compliance-reporting
  vars:
    report_base_compliance_results: "{{ compliance_data }}"
    report_base_device_type: "vpn"

Job name,Date,Logical Server name,Virtual DC,Rule name,Reference number,Rules comply
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev1,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev2,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Encryption Level,SEG 30.02.01.02,true
ansible_network_vpn,13/05/2019 19:08,asavpndev3,VIRTUAL_DC,IKEv1 Hash,SEG 30.02.01.03,false
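The following is an added example, not code from the presentation or from the project it describes. It reproduces in plain Python what pages 16 to 19 do with the network-engine parser, the custom all_in filter and the reporting action plugin: parse "show run crypto ikev1" into the same per-policy dict, evaluate the two guide items, and render one row per item in the report's CSV columns. The sample config is constructed here (policies 53 and 8 follow the slide, policy 10 is added as a fully compliant one); the md5-rejecting rule for SEG 30.02.01.03 and the exact column mapping are assumptions, since the slides do not state the hash rule or the plugin internals.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of "show run crypto ikev1" output: policies 53 and 8
# follow the slide; policy 10 is added here as a fully compliant policy.
SAMPLE_SHOW_RUN = """\
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 53
 authentication pre-share
 encryption aes
 hash md5
 group 3
crypto ikev1 policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 14
 lifetime 3600
"""
SAMPLE_RUN_TIME = datetime(2019, 5, 13, 19, 8)  # constructed run timestamp

POLICY_RE = re.compile(r"^crypto\s+ikev1\s+policy\s+(\d+)")
ATTR_RE = {  # same patterns as the slide's parser, plus group/lifetime
    "authentication": re.compile(r"authentication\s+(\S+)"),
    "encryption": re.compile(r"encryption\s+(\S+)"),
    "hash": re.compile(r"hash\s+(\S+)"),
    "group": re.compile(r"group\s+(\d+)"),
    "lifetime": re.compile(r"lifetime\s+(\d+)"),
}
ALLOWED_ENCRYPTION = ["aes", "aes-192", "aes-256"]  # the slide's _allowed_algos
WEAK_HASHES = ["md5"]  # assumption: SEG 30.02.01.03 rejects md5
REPORT_COLUMNS = ["Job name", "Date", "Logical Server name", "Virtual DC",
                  "Rule name", "Reference number", "Rules comply"]


def parse_ikev1_policies(text):
    """{policy_number: {attribute: value}}, like the network-engine parser output.

    Each 'crypto ikev1 policy N' line opens a block that runs to the next one
    (the slide's match_all/match_greedy). Attributes absent from a block are
    None; on the device the platform default then applies, so each check must
    decide about None explicitly rather than silently treating it as a pass.
    """
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = dict.fromkeys(ATTR_RE)
            continue
        if current is None:
            continue  # "enable"/"am-disable" lines precede any policy block
        for key, rx in ATTR_RE.items():
            m = rx.search(line)
            if m:
                policies[current][key] = int(m.group(1)) if key in ("group", "lifetime") else m.group(1)
    return policies


def all_in(values, allowed):
    """Semantics of the slide's custom all_in filter: every value is allowed.
    None (cipher not configured) is never in `allowed`, so it fails the check."""
    return all(v in allowed for v in values)


def evaluate_checks(policies):
    """{reference: (rule name, compliant, detail)} for the two IKEv1 guide items."""
    encryption = [p["encryption"] for p in policies.values()]
    hashes = [p["hash"] for p in policies.values()]  # None = platform default hash
    return {
        "SEG 30.02.01.02": ("IKEv1 Encryption Level", all_in(encryption, ALLOWED_ENCRYPTION),
                            f"Looking for {ALLOWED_ENCRYPTION} found {encryption}"),
        "SEG 30.02.01.03": ("IKEv1 Hash", not any(h in WEAK_HASHES for h in hashes),
                            f"Rejecting {WEAK_HASHES} found {hashes}"),
    }


def build_report(show_run, host, job_name, run_time, virtual_dc="VIRTUAL_DC"):
    """Parse, check and render one CSV row per guide item in the slide's columns."""
    results = evaluate_checks(parse_ikev1_policies(show_run))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REPORT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for ref, (rule, compliant, _detail) in results.items():
        writer.writerow({
            "Job name": job_name,
            "Date": run_time.strftime("%d/%m/%Y %H:%M"),
            "Logical Server name": host,
            "Virtual DC": virtual_dc,
            "Rule name": rule,
            "Reference number": ref,
            "Rules comply": "true" if compliant else "false",
        })
    return buf.getvalue()


if __name__ == "__main__":
    print(build_report(SAMPLE_SHOW_RUN, "asavpndev1", "ansible_network_vpn", SAMPLE_RUN_TIME))
```

Note the asymmetry in how a missing line is treated: a policy with no encryption line yields None, which all_in rejects, so the device is reported non-compliant instead of passing because nothing matched. The hash check lets None through because only an explicit md5 is being rejected. Whichever way each guide item should go, decide it in the check rather than leaving it to the parser's null.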

Page 20

Approach: Operationalize the Automation

So we have a solid Ansible framework to run compliance checks, but still need to:

● tightly manage inventories and the associated host and group metadata
● provide proper access controls for running and modifying the automation
● allow for a development process that produces verified releases
● run the automation through external orchestrators or on a schedule
● target execution across data centers without direct connectivity to the devices

Page 21

Architecture

Page 22

Manage Inventory

● CSV export of the Remedy CMDB as the source of truth
● Dynamic inventory to structure the inventory and hostvars
● Master inventory containing all devices
● Smart inventories for each device type
● Device-specific automation tied to its smart inventory
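An added example of the custom dynamic inventory described on pages 10, 11 and 22; it is not the project's own script. It reads a CMDB CSV export and emits the JSON that Ansible and Tower expect from an inventory script: every host in a master all group, hostvars carrying the CMDB attributes (the tagging the smart inventories select on), and one group per attribute value. The column names and the sample rows are constructed assumptions, since the slides do not show the Remedy export format.

```python
import csv
import io
import json
import sys

# Constructed sample of a Remedy CMDB CSV export. The column names are
# assumptions; the slides only say the export is the source of truth. The
# duplicate asavpndev2 row is deliberate: CMDB exports commonly carry them.
SAMPLE_CMDB_CSV = """\
hostname,ip,device_type,vendor,site,environment
asavpndev1,10.0.1.10,vpn,cisco,VIRTUAL_DC,dev
asavpndev2,10.0.1.11,vpn,cisco,VIRTUAL_DC,dev
asavpndev2,10.0.1.11,vpn,cisco,VIRTUAL_DC,dev
asafwprod1,10.0.2.10,firewall,cisco,DC1,prod
bigipprod1,10.0.3.10,loadbalancer,f5,DC1,prod
proxyprod1,10.0.4.10,proxy,bluecoat,DC2,prod
"""

# CMDB columns that become inventory groups (device_type_vpn, vendor_f5, ...).
GROUP_COLUMNS = ("device_type", "vendor", "site", "environment")


def group_name(column, value):
    """Ansible-safe group name: lowercase, anything non-alphanumeric folded to '_'."""
    raw = f"{column}_{value}".lower()
    return "".join(c if c.isalnum() else "_" for c in raw)


def build_inventory(csv_text):
    """Turn the CMDB export into the JSON an inventory script returns for --list."""
    inventory = {"_meta": {"hostvars": {}}, "all": {"hosts": []}}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row.get("hostname") or "").strip()
        if not host or host in seen:
            continue  # blank or duplicate export rows would otherwise create bogus hosts
        seen.add(host)
        inventory["all"]["hosts"].append(host)
        # hostvars double as the tags the per-device-type smart inventories filter on
        inventory["_meta"]["hostvars"][host] = {
            "ansible_host": row["ip"].strip(),
            **{col: row[col].strip() for col in GROUP_COLUMNS},
        }
        for col in GROUP_COLUMNS:
            inventory.setdefault(group_name(col, row[col]), {"hosts": []})["hosts"].append(host)
    return inventory


def host_vars(inventory, host):
    """What the script returns for --host <name>."""
    return inventory["_meta"]["hostvars"].get(host, {})


if __name__ == "__main__":
    # A real script would read the export path from an environment variable or
    # argument; the constructed sample is used here so it runs stand-alone.
    inv = build_inventory(SAMPLE_CMDB_CSV)
    if len(sys.argv) > 2 and sys.argv[1] == "--host":
        print(json.dumps(host_vars(inv, sys.argv[2]), indent=2))
    else:
        print(json.dumps(inv, indent=2))
```

Run it as ansible-inventory -i cmdb_inventory.py --list to see the generated groups. Skipping duplicate and blank hostnames matters in practice: a CMDB export that repeats a device would otherwise produce two inventory entries, and a blank row becomes an empty host name that every smart inventory filter silently ignores.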

Page 23

Role Based Access Control

● Load balancer and VPN automation shown
● The Architecture org controls all inventory and permissions
● The Development org/team uses the inventory to build workflows
● In the Production org, the prod admin team builds out the workflows
● Prod admins grant execute access to the netsec ops team
● The netsec ops team has execute permissions only
● Projects point to the appropriate branches

Page 24

Compliance Automation Workflow

Page 25

Compliance Automation Workflow

Page 26

Approach: Success Metrics

● Achieved ~85% implementation of the ~160 security guide controls
● Reduced the compliance measurement timeline for devices from weeks to hours
● Operational solution where compliance runs on a schedule and by authorized teams across the enterprise
● Ansible content structured to allow easy review by auditors and external teams
● Enabled a development and release workflow that allows continued updates and verified releases
● Extensible Ansible automation framework to support future devices and remediation
