© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#PSOSEC-2064
Introduce Myself
• From the Balkans - Sarajevo
• Foreign Exchange Student - Houston
• Enjoy skiing, so studied and settled in Colorado
• 2 years in IT Services - IBM
• 11 years in Engineering - Cisco
• 7 years in Technical Marketing
Joined Cisco in 2000 (then… and now)
Agenda
• Introduction
• Cisco Security and Cisco ACI
• Security Device and Remediation Packages
• Orchestration with Stand-alone Device Package
• Summary
[Slide graphic: Security - ASAv, NGIPSv, NGFWv]
Business Drivers behind Automation and Orchestration
[Slide graphic with three columns: Applications, Infrastructure, Protections]
• Rapidly developed
• Elastic and scalable
• Highest of SLAs
• Frequently updated
• Deploy quickly with Apps
• Enable dynamic access
• NGIPS, Malware Protection
• Defend from APT
Trying to keep up in… Resiliency & Capacity; Rate of Change & Uptime [Hz, V(x)LAN, Route, TB]
Converging Skillsets into Full-Stack Engineers
The new software-defined world needs teams with multiple skill sets: provision, maintain, and monitor your network, compute, and security resources.
How do we get there:
• Adopt new strategies to enable digital transformation of your business
• Educate IT admins from each silo in automation and cross-functional skills
• Build new teams from a cross-section of IT org and design new workflows
• Begin efforts to re-write apps and re-design security services for the cloud
Automation and Orchestration
Use a well-tested framework to accelerate device installation & management:
• Day 0 – Bootstrapping security appliances, both virtual and hardware form factors
• Day 1 – Configure Policy, Operate, Monitor, and Respond
• Day 2 and beyond – Optimize policy, Update/Patch Sigs/ACLs
Must consider your product:
• Automation capabilities with CLI/APIs and provided orchestration frameworks
• Extensibility of the purpose-built GUI-based managers/controllers, plus add-on scripting
• Quality of cross-architecture integrations
Where do you stand today, and where do you want to be?
Operations | Manual (0) | Partially Orchestrated (1) | Fully Orchestrated (2)
Day 0: Bootstrapping security appliances to management connectivity
Day 1: Configure Policy, Operate, Monitor, and Respond
Day 2 and Beyond: Optimize policy, Respond, and Update/Patch Sigs/ACLs
Cisco Security and Cisco ACI
Cisco Portfolio for Software-Defined Security and Networking; Security RESTful APIs and Orchestration Packages
Cisco Advanced Security Platforms
[Slide graphic: platforms placed by segment: SOHO/Teleworker, Branch Office, Internet Edge, Campus, Data Center, Virtualization]
• ASA 5505, ASA 5506(W/H), ASA 5508-X, ASA 5512/15-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
• FPR2100, FPR4100 (FTD app cluster up to 6x), FPR9300 (FTD app cluster up to 6x SMs)
• FirePOWER 7000/8000
• Virtual: ASAv, FTDv, NGIPSv
Cisco FMC REST-API Explorer
Enabled by default. Reach the API documentation and console via a browser, e.g. https://<FMC IP>/api/api-explorer
Cisco ASA REST API Built-In Documentation
Must enable the API agent first. Reach the API documentation and console via a browser, e.g. https://<ASA IP Address>/doc
Configure ASA using the CLI, then GET the REST-API JSON representation via the console interface.
What’s New with Cisco NGFW and NGIPS
Cisco Next Generation Firewall
• Manageability: Expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using REST API
• Operational Simplicity: Easy single-hop upgrade to 6.2.3, with minimized downtime
• Performance: Unmask threats with hardware-based SSL decryption; performance upgrade of 3-5x throughput
• Shared Threat Intelligence: IBM and Cisco NGIPS collaboration
• Third-Party Recognition: Cisco NGFW and NGIPS recognized by analysts
Application Centric Infrastructure
Embrace open systems, APIs, and abstracted models to benefit any type of workload
• Robust Transport - Nexus9000 Switch Fabric
• Centralized Management - APIC
• Orchestrate networking and L4-L7 Services
• Add any hypervisor or physical workloads
Service Automation Through Device Package
[Slide diagram: Device Package = Device Specification + Device Model + Device-Specific Python Scripts; Cisco APIC – Policy Element; Cisco APIC Script Interface; Script Engine; APIC Node; Device Interface: REST/CLI; Service Device; Device Manager]
Device specification (schematic, as drawn on the slide):
<dev type="f5" ident="210.1.1.1">
  <service type="slb">
    <param name="vip" validator="ip" hidden="no" locked="yes"/>
  </service>
</dev>
• Service automation requires a vendor device package. It is a zip file containing:
  − Device specification (XML file)
  − Device scripts (Python)
• Cisco® APIC uses the device model (XML) to pass stored JSON config to the device scripts, which interface with a L4-L7 device
• Device script handlers interface with the device using its REST or CLI interface over a secure connection (SSL, SSH, etc.)
Orchestrate Cisco ASA and FTD in ACI Fabric
[Slide diagram]
• ASA Device Package: ASA5585-X (EoS), ASA5500-X (divert to SFR), ASAv10 / ASAv30 / ASAv50, FPR9300 and FPR4100/2100 running the ASA app
• FTD Device Package: FPR9300, FPR4100, FPR2100 running the FTD app; NGFWv (virtual FTD); managed through the Firepower Management Console (FMC)
• FMC Remediation Module for ACI & ISE: react to detected threats in an automated fashion
• Automation and Orchestration
Cisco ASA and FTD Device Packages for ACI
APIC configures tenant networking and service graph parameters in the ACI fabric (Nexus9k leafs/spines: shadow EPG VLANs, L3outs)
Cisco NGFW (FTD image):
• APIC configures via FMC, through the FTD Device Package: interfaces, IP addresses, VLANs, inline IPS pairs, security zones
• Security team configures via FMC: access & threat policies (URL filter, NGIPS, AMP, etc.); adding a security zone to pre-defined rules under access & threat policies
ASA with FirePOWER Services:
• APIC configures on ASA via the ASA Device Package: interfaces, VLANs, IPs, static or dynamic routes; ACLs, inspections, HA, special features
• Security team configures via FMC: ASA embedded FirePOWER Services threat policies
Legend: APIC added/validated config vs. config added manually via FMC, outside of APIC control/visibility
FTD 1.0.2 FI Device Package Posted
APIC Stores FTD Configuration Exposed via Device Package
Firepower NGFWv in ACI Orchestration Workflow
[Slide diagram: External VRF and Internal Tenant VRF; App EPG (App host) and DB EPG (DB host) joined by the app-to-db Contract; FTDv HA pair; FMC; api-client running python scripts]
Orchestrate FTDv config via APIC to secure App to DB communication
ASA PO & FI Device Package
APIC Stores ASA Configuration Exposed via Device Package
ASA Orchestration Workflow in ACI
[Slide diagram: External VRF and Internal Tenant VRF; Web EPG (Web host) and App EPG (App host) joined by the web-to-app Contract; ASA Context on HA pair; api-client running python scripts]
Step 2: Orchestrate ASA config to secure Web to App communication
FMC Remediation Module for ACI on Cisco.com
FMC to APIC Rapid Threat Containment: FMC Remediation Module for APIC
[Slide diagram: ACI Fabric with App EPG (infected App1, App2) and DB EPG; FMC]
Step 1: Infected end point launches an attack; NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks the attack
Step 2: Event is generated to FMC about the attack blocked from the infected host
Step 3: Attack event is configured to trigger the remediation module for APIC and quarantine the infected host using the APIC NB API
Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG
See demo on http://cs.co/rtc-with-apic
Shortcut to Provisioning with ACI FTD Device Package
[Slide diagram: FTD device package; Device Interface: REST/CLI; FMC (FTD Manager)]
Device Specification (python fragment from the script):
"dn": "uni/tn-%s/lDevVip-%s/vFTD-l3fw" % (tenant_name, l47_dev_name),
"name": "FTD-HA1",
"host": fmc_ip,
"virtual": virtual,
…
Device Configuration (fragment of the dictionary handed to the device script):
(0, '', 4548): {
    'dn': "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
    'transaction': 0,
    'ackedstate': 0,
    'value': {
        (4, 'SecurityZone', zone1): {
            'state': 2,
            'transaction': 0,
Device JSON configuration is recorded in the APIC debug.log under /data/devicescript/CISCO.FTD_FI.1.0/logs/
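As an added example (Python 3, my code, not from the slides or from Cisco's FTD device package), the snippet below walks a device-configuration dictionary in the shape shown above, where keys are (type, key, name) tuples and each node carries a state/transaction plus a nested value, flattens it into one record per object, and re-keys it so it can be written out as JSON the way the debug.log on the slide records it. The "dev" label for the unnamed top-level key, the "type:key:name" string key format and the zone names are my own assumptions; the dn strings are the ones on the slide.

```python
# Added example: flatten the APIC device-configuration dictionary shape shown on
# the slide and make it JSON-loggable. Not code from the presentation or device package.
import json


def build_device_dn(tenant_name, l47_dev_name):
    """The dn template the device specification fragment on the slide uses."""
    return "uni/tn-%s/lDevVip-%s/vFTD-l3fw" % (tenant_name, l47_dev_name)


def flatten_config(config, parent_path=()):
    """Walk {(type, key, name): {'state'|'ackedstate', 'transaction', 'value': {...}}}
    recursively and return one record per node, parent first, children after."""
    records = []
    for key, node in config.items():
        if not (isinstance(key, tuple) and len(key) == 3):
            raise ValueError("unexpected key %r; expected a (type, key, name) tuple" % (key,))
        type_code, key_name, name = key
        # assumption: label the unnamed device-level key 'dev'
        path = parent_path + ("%s:%s" % (key_name or "dev", name),)
        records.append({
            "path": "/".join(path),
            "type": type_code,
            # the device-level entry carries 'ackedstate' instead of 'state' on the slide
            "state": node.get("state", node.get("ackedstate")),
            "transaction": node.get("transaction", 0),
        })
        records.extend(flatten_config(node.get("value", {}), path))
    return records


def to_json_loggable(config):
    """Re-key the tuples as 'type:key:name' strings; json.dumps rejects tuple keys."""
    out = {}
    for key, node in config.items():
        node = dict(node)
        if "value" in node:
            node["value"] = to_json_loggable(node["value"])
        out[":".join(str(part) for part in key)] = node
    return out


def loggable_json(config):
    """Stable JSON text suitable for appending to a debug log."""
    return json.dumps(to_json_loggable(config), indent=2, sort_keys=True)


# Constructed sample in the slide's shape; dn copied from the slide, zone names made up.
SAMPLE_CONFIG = {
    (0, '', 4548): {
        'dn': "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
        'transaction': 0,
        'ackedstate': 0,
        'value': {
            (4, 'SecurityZone', 'app-zone'): {'state': 2, 'transaction': 0, 'value': {}},
            (4, 'SecurityZone', 'db-zone'): {'state': 2, 'transaction': 0, 'value': {}},
        },
    },
}

if __name__ == "__main__":
    for rec in flatten_config(SAMPLE_CONFIG):
        print(rec)
    print(loggable_json(SAMPLE_CONFIG))
```

Running it prints three records (the device entry and its two security zones, each with its state and transaction number) followed by the JSON text; pointing the functions at the dictionary your own script prints before calling serviceModify gives a quick way to diff what was requested against what the device package logged.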
FTD EPG-attached Integration into ACI Fabric
[Slide diagram: Internal VRF – pod(pod#)net; Web EPG (Web host, IP 10.1.0.101/16) and App EPG (App host, IP 10.1.40.102/16) in BD1 (web) with SVI/Subnet 10.1.0.2/24; DB EPG (DB host, IP 10.2.0.103) in BD2 (db); NGFWv (FTDv) in Routed Mode with EPG-attached vNICs at 10.1.0.1 and 10.2.0.1; FMC as Service Manager; api-client running python scripts]
Orchestrate FTDv configuration using python scripts and the device package. We do not use APIC in this case.
What we need before we start
1) Scripting host that you can use to program FMC (I suggest Linux)
2) Install Python interpreter, 2.7.3 or later
3) Download FTD 1.0.2 Device Package for ACI from Cisco.com (see the previous slide for the location of the package)
4) Download GitHub config and unconfig python scripts: https://github.com/cisco-security/FMC-REST-API-scripts
5) Create a manual-devpkg directory (choose the name as appropriate)
Unzip FTD Device Package in a New Directory
(In the manual-devpkg directory, unzip the FTD DevPkg and see the created ftd-fi directory)
user@api-client:~/manual-devpkg/ftd-fi$ ls -l
total 220
-r--r--r-- 1 user user 34355 2017-12-07 15:32 device_script.py
-r--r--r-- 1 user user 25110 2017-12-07 15:34 device_script.pyc
-r--r--r-- 1 user user 28600 2017-11-11 22:29 device_specification.xml
drwxrwxr-x 4 user user 4096 2017-12-07 15:34 devpkg
drwxrwxr-x 2 user user 4096 2017-12-07 15:34 fmc
drwxrwxr-x 2 user user 4096 2017-12-07 15:34 ftd
-rw-r--r-- 1 user user 108064 2017-11-29 13:58 ftd-fi-device-pkg-1.0.2.14.zip
drwxrwxr-x 2 user user 4096 2017-12-07 15:33 images
device_specification.xml: the device spec defines the model of our FTD device package
device_script.py: Python procedures written by the security BU to provision a given FTD configuration
Prepare FMC and FTD for Orchestration
• Set up FMC with the necessary licenses (use demo with evaluation mode)
• Ensure connectivity between FMC and FTD
• You can register FTD(s) via the FMC GUI, or you can use a script (see script ftd-reg.pl: https://github.com/cisco-security/FMC-REST-API-scripts)
• FTD HA must be pre-configured manually via FMC
• Pre-configure the FMC Policy and Rule(s) you want FTD interfaces to use
• Create a separate admin account for API communication (e.g. apiuser)
Copy and Modify GitHub Scripts in New Directory
user@api-client:~/manual-devpkg$ ls -l
-rw-rw-r-- 1 user user 17780 2017-12-07 17:12 config-ftdha-app-to-db.py
drwxrwxr-x 6 user user 4096 2017-12-07 15:34 ftd-fi
-rw-rw-r-- 1 user user 17768 2017-12-07 17:15 unconfig-ftdha-app-to-db.py
user@api-client:~/manual-devpkg$ egrep 'sys.|raw_input' config-ftdha-app-to-db.py
sys.path.insert(0, '/home/user/manual-devpkg/ftd-fi')
#tenant_name = raw_input("Enter Tenant name: ")
#l47_dev_name = raw_input("L4-L7 Device Name: ")
#vlan_tagged = raw_input("Tagged VLAN True/False: ")
interface1 = raw_input("Interface1 i.e. unmanaged graph is on G0/1, for no graph use G0/3: ")
interface2 = raw_input("Interface2 i.e. unmanaged graph is on G0/2, for no graph use G0/4: ")
#data_ip1 = raw_input("Interface1 IP/mask i.e. 10.1.0.1/16: ")
#data_ip2 = raw_input("Interface2 IP/mask i.e. 10.2.0.1/24: ")
#ifname1 = raw_input("Interface1 name i.e. app-nic: ")
#ifname2 = raw_input("Interface2 name i.e. db-nic: ")
#vlan1 = raw_input("Interface1 VLAN tag number i.e. 310: ")
#vlan2 = raw_input("Interface2 VLAN tag number i.e. 311: ")
#zone1 = raw_input("Zone1 name i.e. app-zone: ")
#zone2 = raw_input("Zone2 name i.e. db-zone: ")
Uncomment the parameters you’d like to enter as input on script execution. E.g., the two uncommented lines (interface1 and interface2) indicate which interfaces will be configured.
Run FTD Orchestration Script
user@api-client:~/manual-devpkg$ python config-ftdha-app-to-db.py
Interface1 i.e. unmanaged graph is on G0/1, for no graph use G0/3: g0/3
Interface2 i.e. unmanaged graph is on G0/2, for no graph use G0/4: g0/4
***** API Called: serviceModify[Device argument]
{
  "dn": "uni/tn-cl/lDevVip-ftdvha/vFTD-l3fw",
  "name": "FTD-HA1",
  "manager": {
    "hosts": {"10.0.0.30": {"port": 443}},
    "name": "fmc62",
    "creds": {"username": "apiuser", "password": "cisco"}
  },
  "virtual": true,
  "devs": {
…snip…
Python Script Execution
• Provide the customer-specific parameters for your deployment
• Prints out the JSON that it submits to the device package as the full config to apply
• Then interacts with FMC via APIs, with output similar to this:
Requesting POST from FSMC URL https://10.0.0.30:443/api/fmc_platform/v1/auth/generatetoken
Requesting FSMC for parameters login
response: <Response [204]>
Requesting GET from FSMC URL https://10.0.0.30:443/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords
Requesting FSMC for parameters ?hostName=10.0.0.51
• When it completes all API actions, it should finish with state = 0
Requesting FSMC for parameters ?expanded=true&limit=10000&name=ftd-policy
response: <Response [200]>
[Result of serviceModify]
{'state': 0}
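As an added example covering both the FMC REST API Explorer slide and the script output above (my own Python 3 code, not the slides' or the cisco-security GitHub scripts'), the client below reproduces the call sequence shown: POST to /api/fmc_platform/v1/auth/generatetoken with HTTP Basic credentials, take the X-auth-access-token and DOMAIN_UUID from the headers of the 204 reply, then GET the devicerecords collection filtered by hostName using that token. The transport is injectable so the client runs offline against a constructed fake FMC; the fake's credentials, token and device list are made up, and the domain UUID is the one printed on the slide.

```python
# Added example: minimal FMC REST client following the token flow shown on the slide.
# Not from the presentation or the cisco-security GitHub scripts.
import base64
import json
import ssl
import urllib.error
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/%s/devices/devicerecords"


def urllib_transport(verify_tls=True):
    """Return send(method, url, headers, body) -> (status, headers, body) over HTTPS."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab FMCs often run self-signed certs; disabling is an explicit opt-in
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, dict(resp.headers.items()), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers.items()), err.read()
    return send


class FmcClient:
    def __init__(self, host, username, password, send, port=443):
        self.base = "https://%s:%d" % (host, port)
        cred = ("%s:%s" % (username, password)).encode()
        self._basic = "Basic " + base64.b64encode(cred).decode()
        self._send = send  # injected transport: urllib_transport() or a fake
        self.token = None
        self.domain_uuid = None

    def login(self):
        """POST generatetoken: FMC answers 204 and returns the token in response headers."""
        status, headers, _ = self._send("POST", self.base + TOKEN_PATH,
                                        {"Authorization": self._basic}, None)
        if status != 204:
            raise RuntimeError("generatetoken failed: HTTP %s" % status)
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        self.token = lower.get("x-auth-access-token")
        self.domain_uuid = lower.get("domain_uuid")
        if not self.token or not self.domain_uuid:
            raise RuntimeError("token or DOMAIN_UUID missing from response headers")
        return self.domain_uuid

    def get_device_records(self, host_name=None):
        """GET devicerecords, optionally filtered by hostName as in the script output."""
        if self.token is None:
            self.login()
        url = self.base + DEVICES_PATH % self.domain_uuid + "?expanded=true"
        if host_name:
            url += "&hostName=" + host_name
        status, _, body = self._send("GET", url, {"X-auth-access-token": self.token}, None)
        if status != 200:
            raise RuntimeError("devicerecords query failed: HTTP %s" % status)
        return json.loads(body.decode()).get("items", [])


# ---- constructed fake FMC so the client runs offline (token and devices are made up) ----
DOMAIN_UUID = "e276abec-e0f2-11e3-8169-6d9ed49b625f"  # domain UUID as printed on the slide
_FAKE_DEVICES = [{"name": "ftd-1", "hostName": "10.0.0.51"},
                 {"name": "ftd-2", "hostName": "10.0.0.52"}]


def fake_send(method, url, headers, body):
    good_basic = "Basic " + base64.b64encode(b"apiuser:secret").decode()
    if method == "POST" and url.endswith(TOKEN_PATH):
        if headers.get("Authorization") != good_basic:
            return 401, {}, b'{"error": "bad credentials"}'
        return 204, {"X-auth-access-token": "tok123", "DOMAIN_UUID": DOMAIN_UUID}, b""
    if method == "GET" and "/devices/devicerecords" in url:
        if headers.get("X-auth-access-token") != "tok123":
            return 401, {}, b""
        items = _FAKE_DEVICES
        if "hostName=" in url:
            wanted = url.split("hostName=", 1)[1]
            items = [d for d in items if d["hostName"] == wanted]
        return 200, {"Content-Type": "application/json"}, json.dumps({"items": items}).encode()
    return 404, {}, b""


def lookup_device(host_name, send=fake_send):
    """Full flow: login, then fetch the device record(s) for host_name."""
    return FmcClient("10.0.0.30", "apiuser", "secret", send).get_device_records(host_name)


def login_ok(username, password, send=fake_send):
    """True if generatetoken succeeds for these credentials, False otherwise."""
    try:
        FmcClient("10.0.0.30", username, password, send).login()
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print(lookup_device("10.0.0.51"))  # pass send=urllib_transport() to talk to a real FMC
```

Against a real FMC, pass send=urllib_transport() and the dedicated API account from the preparation slide; keeping the transport separate from the protocol logic is what lets the login and lookup steps be checked without a live manager, and it keeps certificate verification an explicit choice rather than a silent default.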
Summary
• APIs are great…
• Having the ability to use both API and GUI managers is even better…
• But some guidance on orchestration with APIs is needed
• Security device packages for ACI provide the structure for orchestration via APIs
• GitHub scripts can be used as examples, and there will be more to come
• ACI device packages can be used without APIC and speed up provisioning
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions