
Orchestration with Security Appliances - Cisco Live


Orchestration with Security Appliances

Goran Saradzic – Security TME Manager

PSOSEC-2064

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How: cs.co/ciscolivebot#PSOSEC-2064


Introduce Myself

• From the Balkans - Sarajevo

• Foreign Exchange Student - Houston

• Enjoy skiing, so studied and settled in Colorado

• 2 years in IT Services - IBM

• 11 years in Engineering - Cisco

• 7 years in Technical Marketing

Joined Cisco in 2000 (photos: then… …and now)

Agenda

• Introduction

• Cisco Security and Cisco ACI

• Security Device and Remediation Packages

• Orchestration with Stand-alone Device Package

• Summary

(Figure: Security – ASAv, NGIPSv, NGFWv)

Introduction

Business Drivers for Automation and Orchestration; Converging Skillsets

Business Drivers behind Automation and Orchestration

(Figure, three columns: Applications, Infrastructure, Protections; caption: "Trying to keep up in… Resiliency & Capacity, Rate of Change & Uptime [Hz, V(x)LAN, Route, TB]")

• Applications: rapidly developed, elastic and scalable, highest of SLAs

• Infrastructure: frequently updated, deploy quickly with apps, enable dynamic access

• Protections: NGIPS, malware protection, defend from APT

Converging Skillsets into Full-Stack Engineers

The new software-defined world needs teams with multiple skill sets: provision, maintain, and monitor your network, compute, and security resources.

How do we get there:

• Adopt new strategies to enable digital transformation of your business

• Educate IT admins from each silo in automation and cross-functional skills

• Build new teams from a cross-section of IT org and design new workflows

• Begin efforts to re-write apps and re-design security services for the cloud


Automation and Orchestration

Use a well-tested framework to accelerate device installation & management:

• Day 0 – Bootstrapping security appliances, both virtual and hardware form factors

• Day 1 – Configure policy, operate, monitor, and respond

• Day 2 and beyond – Optimize policy, update/patch signatures/ACLs

Must consider your product:

• Automation capabilities with CLI/APIs and provided orchestration frameworks

• Extensibility of the purpose-built GUI-based managers/controllers, plus add-on scripting

• Quality of cross-architecture integrations


Where do you stand today, and where do you want to be?

Rate each operation from 0 (Manual) through 1 (Partially Orchestrated) to 2 (Fully Orchestrated):

• Day 0 – Bootstrapping security appliances to management connectivity

• Day 1 – Configure policy, operate, monitor, and respond

• Day 2 and beyond – Optimize policy, respond, and update/patch signatures/ACLs

Cisco Security and Cisco ACI

Cisco Portfolio for Software-Defined Security and Networking; Security RESTful APIs and Orchestration Packages

Cisco Advanced Security Platforms

(Figure, platforms placed by deployment: SOHO/Teleworker, Branch Office, Internet Edge, Campus, Data Center, Virtualization)

• Hardware: ASA 5505, ASA 5506(W/H), ASA 5508-X, ASA 5512/15-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, FPR2100, FPR4100 (FTD app cluster up to 6x), FPR9300 (FTD app cluster up to 6x SMs), FirePOWER 7000/8000

• Virtual: ASAv, FTDv, NGIPSv

Cisco FMC REST-API Explorer

Enabled by default. Reach the API documentation and console via browser, e.g. https://<FMC IP>/api/api-explorer

Cisco ASA REST API Built-In Documentation

Must enable the API agent first (the "rest-api image" and "rest-api agent" commands on the ASA CLI). Reach the API documentation and console via browser, e.g. https://<ASA IP Address>/doc

Configure the ASA using the CLI, then GET the equivalent REST-API JSON via the console interface.

What’s New with Cisco NGFW and NGIPS

Cisco Next Generation Firewall, in five areas:

• Manageability: expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using the REST API

• Operational Simplicity: easy single-hop upgrade to 6.2.3, with minimized downtime

• Performance: unmask threats with hardware-based SSL decryption; performance upgrade of 3-5x throughput

• Shared Threat Intelligence: IBM and Cisco NGIPS collaboration

• Third-Party Recognition: Cisco NGFW and NGIPS recognized by analysts

Application Centric Infrastructure

Embrace open systems, APIs, and abstracted models to benefit any type of workload

• Robust transport: Nexus 9000 switch fabric

• Centralized management: APIC orchestrates networking and L4-L7 services

• Add any hypervisor or physical workloads

Service Automation Through Device Package

(Figure: Device Package → Device Specification → Cisco APIC Policy Element → Device Model → Device-Specific Python Scripts → Cisco APIC Script Interface → Script Engine on the APIC Node → Device Interface: REST/CLI → Service Device / Device Manager)

Device specification fragment as drawn on the slide:

<dev type="f5">
<service type="slb">
<param name="vip">
<dev ident="210.1.1.1"
validator="ip"
hidden="no"
locked="yes"

• Service automation requires a vendor device package. It is a zip file containing:

− Device specification (XML file)

− Device scripts (Python)

• Cisco® APIC uses the device model (XML) to pass the stored JSON config to the device scripts, which interface with an L4-L7 device

• Device script handlers interface with the device using its REST or CLI interface over a secure connection (SSL, SSH, etc.)

Orchestrate Cisco ASA and FTD in ACI Fabric

(Figure) Automation and orchestration targets:

• ASA Device Package: ASA5585-X (EoS), ASA5500-X (divert to SFR), ASAv10/ASAv30/ASAv50, and FPR9300/FPR4100/FPR2100 running the ASA app

• FTD Device Package: FPR9300, FPR4100 and FPR2100 running the FTD app, and NGFWv (virtual FTD), all managed through Firepower Management Center (FMC)

• FMC Remediation Module for ACI & ISE: react to detected threats in an automated fashion

Cisco ASA and FTD Device Packages for ACI

APIC configures tenant networking and service graph parameters in the ACI fabric (Nexus 9000 leafs/spines: shadow EPG VLANs, L3Outs).

Cisco NGFW (FTD image):

• APIC configures via FMC, through the FTD Device Package: interfaces, IP addresses, VLANs, inline IPS pairs, security zones

• Security team configures via FMC: access & threat policies (URL filtering, NGIPS, AMP, etc.)

ASA with FirePOWER Services:

• APIC configures on the ASA via the ASA Device Package: interfaces, VLANs, IPs, static or dynamic routes, ACLs, inspections, HA, special features

• Security team configures via FMC: ASA embedded FirePOWER Services threat policies

Legend: APIC-added/validated config versus config added manually via FMC, outside of APIC control/visibility (for example, adding a security zone to pre-defined rules under access & threat policies).

FTD 1.0.2 FI Device Package Posted (screenshot: download location on Cisco.com)

APIC Stores FTD Configuration Exposed via Device Package (screenshot)

Firepower NGFWv in ACI Orchestration Workflow

(Figure) External VRF and internal tenant VRF; App EPG (App host) and DB EPG (DB host) joined by an app-to-db contract whose service graph runs through an FTDv HA pair managed by FMC. An api-client running Python scripts orchestrates the FTDv configuration via APIC to secure App-to-DB communication.

ASA PO & FI Device Package (screenshot)

APIC Stores ASA Configuration Exposed via Device Package (screenshot)

ASA Orchestration Workflow in ACI

(Figure) External VRF and internal tenant VRF; Web EPG (Web host) and App EPG (App host) joined by a web-to-app contract whose service graph runs through an ASA context on an HA pair. Step 2: an api-client running Python scripts orchestrates the ASA configuration to secure Web-to-App communication.

FMC Remediation Module for ACI on Cisco.com (screenshot)

FMC to APIC Rapid Threat Containment: FMC Remediation Module for APIC

(Figure: ACI fabric with App EPG (infected App1, App2) and DB EPG; FMC)

Step 1: An infected endpoint launches an attack that NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks

Step 2: An event is generated to FMC about the attack blocked from the infected host

Step 3: The attack event is configured to trigger the remediation module for APIC, which quarantines the infected host using the APIC northbound API

Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG

See demo on http://cs.co/rtc-with-apic
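Steps 3 and 4 carried through in code, as an added example that is not Cisco's FMC remediation module: a constructed event record (not the real FMC event format) is checked against the tenant's own subnets and, if it qualifies, a uSeg EPG carrying an IP attribute for the host is posted to APIC. The fvAEPg/fvCrtrn/fvIpAttr object model and the /api/mo/{dn}.json path are ACI's as I know them and should be confirmed against your APIC API reference; tenant pod3, application profile app-ap, bridge domain BD1 and the quarantine EPG name are sample values, the 10.1.40.102 host reuses the App host address from a later slide, and the APIC POST is injected and stubbed so the block runs offline.

```python
"""Turn a blocked-attack event into an APIC uSeg quarantine request."""
import ipaddress
import json

# Constructed stand-in for the fields a remediation module receives from
# an FMC intrusion event; not a real FMC event record.
SAMPLE_EVENT = {
    "src_ip": "10.1.40.102",
    "dst_ip": "10.2.0.103",
    "classification": "Attempted Administrator Privilege Gain",
    "blocked": True,
}


def should_quarantine(event, fabric_subnets):
    """Quarantine only blocked attacks from hosts the fabric actually owns
    (an external scanner's address must never end up in a tenant EPG)."""
    if not event.get("blocked"):
        return False
    try:
        src = ipaddress.ip_address(event["src_ip"])
    except (KeyError, ValueError):
        return False
    return any(src in ipaddress.ip_network(n) for n in fabric_subnets)


def quarantine_epg_dn(tenant, app_profile, epg_name):
    return "uni/tn-%s/ap-%s/epg-%s" % (tenant, app_profile, epg_name)


def quarantine_payload(tenant, app_profile, epg_name, bridge_domain, host_ip):
    """Attribute-based (uSeg) EPG that claims host_ip. It carries no contracts,
    so a host matched by the IP attribute is isolated from the other EPGs."""
    ip = str(ipaddress.ip_address(host_ip))  # reject anything that is not an address
    return {"fvAEPg": {
        "attributes": {"dn": quarantine_epg_dn(tenant, app_profile, epg_name),
                       "name": epg_name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bridge_domain}}},
            {"fvCrtrn": {"attributes": {"name": "default"}, "children": [
                {"fvIpAttr": {"attributes": {
                    "name": "ip-" + ip.replace(".", "-"), "ip": ip}}}]}}]}}


class Remediator:
    """Event -> APIC POST, deduplicated per host so a noisy attacker does not
    cause one controller write per blocked packet."""

    def __init__(self, post, tenant, app_profile, bridge_domain, fabric_subnets,
                 epg_name="quarantine"):
        self.post = post  # post(path, json_body) -> HTTP status; injected
        self.tenant, self.ap, self.bd = tenant, app_profile, bridge_domain
        self.subnets = fabric_subnets
        self.epg = epg_name
        self.quarantined = set()

    def handle(self, event):
        if not should_quarantine(event, self.subnets):
            return "ignored"
        ip = event["src_ip"]
        if ip in self.quarantined:
            return "already-quarantined"
        body = quarantine_payload(self.tenant, self.ap, self.epg, self.bd, ip)
        path = "/api/mo/%s.json" % quarantine_epg_dn(self.tenant, self.ap, self.epg)
        status = self.post(path, body)
        if status != 200:
            return "apic-error-%s" % status
        self.quarantined.add(ip)
        return "quarantined"


def fake_apic_post(path, body):
    """Constructed stub in place of an authenticated APIC session."""
    return 200 if path.startswith("/api/mo/uni/tn-") and "fvAEPg" in body else 400


if __name__ == "__main__":
    r = Remediator(fake_apic_post, "pod3", "app-ap", "BD1", ["10.1.0.0/16", "10.2.0.0/24"])
    print(r.handle(SAMPLE_EVENT))
    print(json.dumps(quarantine_payload("pod3", "app-ap", "quarantine", "BD1",
                                        "10.1.40.102"), indent=1))
```

Authentication to APIC (aaaLogin) and the HTTP call itself are left to the injected post function; the point of the block is the two checks a remediation action needs before it touches the fabric: that the address really belongs to a managed workload, and that the same host is not re-quarantined on every repeated event.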

Orchestrating FTD Configuration Using ACI Device Package and JSON

Shortcut to Provisioning with ACI FTD Device Package

(Figure: FTD device package → Device Interface: REST/CLI → FMC (FTD Manager))

Device Specification (fragment of the Device argument the script builds):

    "dn": "uni/tn-%s/lDevVip-%s/vFTD-l3fw" % (tenant_name, l47_dev_name),
    "name": "FTD-HA1",
    "host": fmc_ip,
    "virtual": virtual,

Device Configuration (fragment of the stored configuration dictionary):

    (0, '', 4548): {
        'dn': "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
        'transaction': 0,
        'ackedstate': 0,
        'value': {
            (4, 'SecurityZone', zone1): {
                'state': 2,
                'transaction': 0,

The device JSON configuration is recorded in the APIC debug.log under /data/devicescript/CISCO.FTD_FI.1.0/logs/. That JSON includes the FMC credentials carried in the Device argument, so treat the log directory as sensitive.

FTD EPG-attached Integration into ACI Fabric

(Figure) Internal VRF pod(pod#)net with Web EPG, App EPG and DB EPG. Web host 10.1.0.101/16 and App host 10.1.40.102/16 sit on BD1 (web), with SVI/subnet 10.1.0.2/24; DB host 10.2.0.103 sits on BD2 (db). NGFWv (FTDv) in routed mode with EPG-attached vNICs at 10.1.0.1 and 10.2.0.1, managed by FMC as the service manager. An api-client running Python scripts orchestrates the FTDv configuration.

Orchestrate the FTDv configuration using Python scripts and the device package. We do not use APIC in this case.

What we need before we start

1) A scripting host that you can use to program FMC (I suggest Linux)

2) Install a Python interpreter, 2.7.3 or later (the scripts use raw_input, so they are Python 2 scripts)

3) Download the FTD 1.0.2 Device Package for ACI from Cisco.com (see the previous slide for the location of the package)

4) Download the GitHub config and unconfig Python scripts: https://github.com/cisco-security/FMC-REST-API-scripts

5) Create a manual-devpkg directory (choose the name as appropriate)

Unzip FTD Device Package in a New Directory

(In the manual-devpkg directory, unzip the FTD DevPkg and see the created ftd-fi directory)

user@api-client:~/manual-devpkg/ftd-fi$ ls -l
total 220
-r--r--r-- 1 user user  34355 2017-12-07 15:32 device_script.py
-r--r--r-- 1 user user  25110 2017-12-07 15:34 device_script.pyc
-r--r--r-- 1 user user  28600 2017-11-11 22:29 device_specification.xml
drwxrwxr-x 4 user user   4096 2017-12-07 15:34 devpkg
drwxrwxr-x 2 user user   4096 2017-12-07 15:34 fmc
drwxrwxr-x 2 user user   4096 2017-12-07 15:34 ftd
-rw-r--r-- 1 user user 108064 2017-11-29 13:58 ftd-fi-device-pkg-1.0.2.14.zip
drwxrwxr-x 2 user user   4096 2017-12-07 15:33 images

The device spec (device_specification.xml) defines the model of our FTD device package.

device_script.py holds the Python procedures written by the security BU to provision a given FTD configuration.
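Because the package's Python is executed, whether by APIC's script engine or by a scripting host that puts ftd-fi on sys.path as the next slides do, it is worth checking what was downloaded before loading it. The following is an added example, not Cisco's device package tooling, written in Python 3: it builds a constructed stand-in zip with the two mandatory members (the spec XML is invented in the style of the f5/slb fragment earlier, not the real FTD specification), verifies a pinned SHA-256 digest, rejects member paths that would escape the extraction directory, and summarizes the device type, services and parameters the specification declares.

```python
"""Integrity-check and summarize an ACI L4-L7 device package zip."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# A device package is a zip holding the device model and the handlers
# that the APIC script engine (or our scripting host) will execute.
REQUIRED_MEMBERS = ("device_specification.xml", "device_script.py")

# Constructed spec in the spirit of the slide's f5/slb fragment; the real
# FTD device_specification.xml is larger and differs in detail.
SPEC_XML = b"""<?xml version="1.0"?>
<dev type="ftd" version="1.0.2">
  <service type="l3fw">
    <param name="SecurityZone" validator="string" hidden="no" locked="no"/>
    <param name="Interface" validator="string" hidden="no" locked="yes"/>
  </service>
</dev>
"""
SCRIPT_PY = b"def serviceModify(device, config):\n    return {'state': 0}\n"


def build_sample_package(extra_member=None):
    """Return the bytes of a constructed package zip (not Cisco's)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("device_specification.xml", SPEC_XML)
        zf.writestr("device_script.py", SCRIPT_PY)
        zf.writestr("images/ftd.png", b"")
        if extra_member:
            zf.writestr(extra_member, b"")
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def inspect_package(package_bytes, expected_sha256=None):
    """Validate the zip and summarize the device model it declares.

    Raises ValueError on a digest mismatch, a missing mandatory member,
    or a member path that would escape the extraction directory.
    """
    digest = sha256_hex(package_bytes)
    if expected_sha256 is not None and digest != expected_sha256.lower():
        raise ValueError("package digest mismatch: %s" % digest)

    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("/") or ".." in name.replace("\\", "/").split("/"):
                raise ValueError("unsafe member path: %s" % name)
        missing = [m for m in REQUIRED_MEMBERS if m not in names]
        if missing:
            raise ValueError("package is missing %s" % ", ".join(missing))
        root = ET.fromstring(zf.read("device_specification.xml"))

    services = []
    for svc in root.findall("service"):
        params = [{"name": p.get("name"), "validator": p.get("validator"),
                   "hidden": p.get("hidden") == "yes",
                   "locked": p.get("locked") == "yes"}
                  for p in svc.findall("param")]
        services.append({"type": svc.get("type"), "params": params})

    return {"sha256": digest, "dev_type": root.get("type"),
            "version": root.get("version"), "members": sorted(names),
            "services": services}


if __name__ == "__main__":
    pkg = build_sample_package()
    # In practice the pinned digest comes from the download page or a
    # checksum recorded when the package was first vetted.
    print(inspect_package(pkg, expected_sha256=sha256_hex(pkg)))
```

The digest check is the part that matters for a real download: compare against the value recorded when the package was vetted rather than one computed from the same file you are about to trust.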

Prepare FMC and FTD for Orchestration

• Set up FMC with the necessary licenses (for a demo, use evaluation mode)

• Ensure connectivity between FMC and FTD

• You can register FTD(s) via the FMC GUI, or you can use a script (see ftd-reg.pl at https://github.com/cisco-security/FMC-REST-API-scripts)

• FTD HA must be pre-configured manually via FMC

• Pre-configure the FMC policy and rule(s) you want the FTD interfaces to use

• Create a separate admin account for API communication (e.g. apiuser)

Copy and Modify GitHub Scripts in New Directory

user@api-client:~/manual-devpkg$ ls -l
-rw-rw-r-- 1 user user 17780 2017-12-07 17:12 config-ftdha-app-to-db.py
drwxrwxr-x 6 user user  4096 2017-12-07 15:34 ftd-fi
-rw-rw-r-- 1 user user 17768 2017-12-07 17:15 unconfig-ftdha-app-to-db.py

user@api-client:~/manual-devpkg$ egrep 'sys.|raw_input' config-ftdha-app-to-db.py
sys.path.insert(0, '/home/user/manual-devpkg/ftd-fi')
#tenant_name = raw_input("Enter Tenant name: ")
#l47_dev_name = raw_input("L4-L7 Device Name: ")
#vlan_tagged = raw_input("Tagged VLAN True/False: ")
interface1 = raw_input("Interface1 i.e. unmanaged graph is on G0/1, for no graph use G0/3: ")
interface2 = raw_input("Interface2 i.e. unmanaged graph is on G0/2, for no graph use G0/4: ")
#data_ip1 = raw_input("Interface1 IP/mask i.e. 10.1.0.1/16: ")
#data_ip2 = raw_input("Interface2 IP/mask i.e. 10.2.0.1/24: ")
#ifname1 = raw_input("Interface1 name i.e. app-nic: ")
#ifname2 = raw_input("Interface2 name i.e. db-nic: ")
#vlan1 = raw_input("Interface1 VLAN tag number i.e. 310: ")
#vlan2 = raw_input("Interface2 VLAN tag number i.e. 311: ")
#zone1 = raw_input("Zone1 name i.e. app-zone: ")
#zone2 = raw_input("Zone2 name i.e. db-zone: ")

Uncomment the parameters you’d like to enter as input on script execution. For example, the two uncommented lines above indicate which interfaces will be configured; the commented ones keep the defaults set in the script.

Run FTD Orchestration Script

user@api-client:~/manual-devpkg$ python config-ftdha-app-to-db.py
Interface1 i.e. unmanaged graph is on G0/1, for no graph use G0/3: g0/3
Interface2 i.e. unmanaged graph is on G0/2, for no graph use G0/4: g0/4

***** API Called: serviceModify
[Device argument]
{
  "dn": "uni/tn-cl/lDevVip-ftdvha/vFTD-l3fw",
  "name": "FTD-HA1",
  "manager": {
    "hosts": {
      "10.0.0.30": {
        "port": 443
      }
    },
    "name": "fmc62",
    "creds": {
      "username": "apiuser",
      "password": "cisco"
    }
  },
  "virtual": true,
  "devs": {
…snip…

Note that the Device argument carries the FMC API account's password in clear text and is echoed to the terminal, so treat this output (and any log that captures it) as sensitive, and give the API account only the access the scripts need.

Python Script Execution

• Provide custom parameters for your deployment

• Prints out the JSON that it submits to the device package as the full config to apply

• Then interacts with FMC via APIs, with output similar to this:

Requesting POST from FSMC URL https://10.0.0.30:443/api/fmc_platform/v1/auth/generatetoken
Requesting FSMC for parameters login
response: <Response [204]>
Requesting GET from FSMC URL https://10.0.0.30:443/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords
Requesting FSMC for parameters ?hostName=10.0.0.51

• When it completes all API actions, it should finish with state = 0

Requesting FSMC for parameters ?expanded=true&limit=10000&name=ftd-policy
response: <Response [200]>
[Result of serviceModify]
{'state': 0}
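The FMC exchange in that output (a POST to generatetoken answered with 204 and the token and domain UUID in response headers, then GETs under /api/fmc_config/v1/domain/{uuid}/ that send the X-auth-access-token header) as a small client, written here as an added example that is neither the session's nor the cisco-security GitHub scripts' code, in Python 3. The HTTP transport is injected and a constructed stub stands in for FMC so the block runs offline; the /policy/accesspolicies path is FMC's access policy collection as I know it (confirm it in your FMC's api-explorer), and FTD-HA1, ftd-policy, 10.0.0.30, 10.0.0.51 and the domain UUID are reused from the slides as sample values. redact_creds is there because the serviceModify Device argument on the previous slide prints the password in clear.

```python
"""Token-based FMC REST API session, exercised offline against a stub."""
import base64
import json
from urllib.parse import urlencode


class FMCError(Exception):
    pass


class FMCClient:
    """transport(method, url, headers, body) -> (status, headers, body_bytes)."""

    def __init__(self, host, username, password, transport, port=443):
        self.base = "https://%s:%d" % (host, port)
        cred = ("%s:%s" % (username, password)).encode()
        self._basic = "Basic " + base64.b64encode(cred).decode()
        self.transport = transport
        self.token = None
        self.domain_uuid = None

    def login(self):
        # generatetoken answers 204 with the token and domain in headers, no body.
        status, headers, _ = self.transport(
            "POST", self.base + "/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": self._basic}, None)
        if status != 204:
            raise FMCError("generatetoken failed with HTTP %s" % status)
        self.token = headers["X-auth-access-token"]
        self.domain_uuid = headers["DOMAIN_UUID"]
        return self.domain_uuid

    def _get(self, path, params):
        if self.token is None:
            raise FMCError("login() first")
        url = "%s/api/fmc_config/v1/domain/%s/%s?%s" % (
            self.base, self.domain_uuid, path, urlencode(params))
        status, _, body = self.transport(
            "GET", url, {"X-auth-access-token": self.token}, None)
        if status != 200:
            raise FMCError("GET %s failed with HTTP %s" % (path, status))
        return json.loads(body)

    def device_by_host(self, host_name):
        items = self._get("devices/devicerecords", {"hostName": host_name}).get("items", [])
        return items[0] if items else None

    def access_policy_by_name(self, name):
        # Insist on an exact name match rather than trusting the server-side filter.
        items = self._get("policy/accesspolicies",
                          {"expanded": "true", "limit": 10000, "name": name}).get("items", [])
        return next((p for p in items if p.get("name") == name), None)


def redact_creds(obj):
    """Copy of a JSON-like structure with every 'password' value masked; use before logging."""
    if isinstance(obj, dict):
        return {k: ("***" if k == "password" else redact_creds(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_creds(v) for v in obj]
    return obj


# Constructed stub standing in for FMC; values are illustrative only.
DOMAIN_UUID = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
STUB_DEVICES = {"10.0.0.51": {"id": "dev-1", "name": "FTD-HA1", "hostName": "10.0.0.51"}}
STUB_POLICIES = [{"id": "pol-1", "name": "ftd-policy"}, {"id": "pol-2", "name": "ftd-policy-old"}]


def fake_transport(method, url, headers, body):
    if method == "POST" and url.endswith("/auth/generatetoken"):
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, {}, b""
        return 204, {"X-auth-access-token": "tok-1", "DOMAIN_UUID": DOMAIN_UUID}, b""
    if headers.get("X-auth-access-token") != "tok-1":
        return 401, {}, b""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if path.endswith("/devices/devicerecords"):
        dev = STUB_DEVICES.get(params.get("hostName"))
        return 200, {}, json.dumps({"items": [dev] if dev else []}).encode()
    if path.endswith("/policy/accesspolicies"):
        wanted = params.get("name", "")  # stub mimics a prefix match on name
        hits = [p for p in STUB_POLICIES if p["name"].startswith(wanted)]
        return 200, {}, json.dumps({"items": hits}).encode()
    return 404, {}, b""


if __name__ == "__main__":
    fmc = FMCClient("10.0.0.30", "apiuser", "cisco", fake_transport)
    print(fmc.login())
    print(fmc.device_by_host("10.0.0.51"))
    print(fmc.access_policy_by_name("ftd-policy"))
    print(redact_creds({"manager": {"creds": {"username": "apiuser", "password": "cisco"}}}))
```

To run it against a real FMC, supply a transport built on a real HTTP library that verifies the FMC certificate; the token expires, so a long-running script should re-run login() on a 401 rather than keep the first token forever.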

Demo

Summary

• APIs are great…

• Having the ability to use both API and GUI managers is even better…

• But some guidance on orchestration with APIs is needed

• Security device packages for ACI provide the structure for orchestration via APIs

• GitHub scripts can be used as examples, and there will be more to come

• ACI device packages can be used without APIC and speed up provisioning


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you