
Automation from the physical layer to NetSecDevOps


  1. Automation from the physical layer to NetSecDevOps: introduction and vision. Raul Leite, rleite@redhat.com, Solution Architect, @sp4wnr0ot, Red Hat Brasil
  2. WHY ANSIBLE?
     SIMPLE
     • Human-readable automation
     • No special programming skills needed
     • Tasks are executed in order
     • Lets the whole team use it and contribute
     • Be productive quickly
     POWERFUL
     • Application deployment
     • Configuration management
     • Network automation
     • Lifecycle orchestration
     AGENTLESS
     • Agentless architecture
     • Uses OpenSSH, WinRM, API or Netconf
     • No agents to install, manage, or have their vulnerabilities exploited
     • Get started immediately!!
     • Greater efficiency & more security
  3. THE ANSIBLE WAY
     • CROSS-PLATFORM: agentless support for all major operating system variants and for physical, virtual, cloud and network devices.
     • HUMAN READABLE: describe and perfectly document every aspect of your application environment.
     • PERFECT APPLICATION DESCRIPTION: every change can be made through playbooks, ensuring everyone is on the same page.
     • VERSION CONTROL: playbooks are plain text. Treat them as code in your existing version control.
     • DYNAMIC INVENTORIES: capture and discover all servers 100% of the time, regardless of infrastructure, location, ...
     • ORCHESTRATION WITH OTHER PLATFORMS: every change can be made through playbooks, ensuring everyone in the organization is on the same page.
  4. WHAT CAN WE DO WITH ANSIBLE?
     Automate the deployment and management of your entire IT estate.
     Enables: orchestration, configuration management, application delivery, provisioning, continuous delivery, security and compliance.
     With: firewalls, load balancers, applications, containers, clouds, servers, infrastructure, storage, network devices, and more...
  5. ANSIBLE INCLUDES MORE THAN 1650 MODULES
     • CLOUD: AWS, Azure, CenturyLink, CloudScale, Digital Ocean, Docker, Google, Linode, OpenStack, Rackspace, and more...
     • WINDOWS: ACLs, Files, Commands, Packages, IIS, Regedits, Shell, Shares, Services, DSC, Users, Domains, and more...
     • VIRTUALIZATION AND CONTAINERS: Docker, VMware, RHV, OpenStack, OpenShift, Atomic, CloudStack, and more...
     • NETWORK: Arista, A10, Cumulus, Big Switch, Cisco, Dell, F5, Juniper, Palo Alto, OpenSwitch, and more...
     • NOTIFICATION: HipChat, IRC, Jabber, Email, RocketChat, Sendgrid, Slack, Twilio, and more...
  6. HOW ANSIBLE WORKS
     [Architecture diagram: users and a CMDB feed an Ansible playbook; Ansible's automation engine takes the inventory (hosts, network devices, public/private cloud) and drives plugins, the API and modules.]
     PLAYBOOKS
     • Written in YAML
     • Tasks are executed sequentially
     • Invokes Ansible modules
     MODULES
     • Tools in the toolkit
     • Python, PowerShell or any language
     • Extend Ansible simplicity to the entire stack
     PLUGINS
     • Gears in the engine
     • Python that plugs into the core engine
     • Adaptability for various uses & platforms
     INVENTORY (static example from the slide, followed by the dynamic sources it can come from)

```ini
[web]
webserver1.example.com
webserver2.example.com

[db]
dbserver1.example.com
```

     • CLOUD: OpenStack, VMware, EC2, Rackspace, GCE, Azure, Spacewalk, Hanlon, Cobbler
     • CUSTOM CMDB
  7. WHY IS AUTOMATION IMPORTANT?
     Applications and systems are more than just software and its configuration. They are also the result of knowledge and operating procedures, sometimes well documented, sometimes not so much... which result in a list of activities and processes needed to deliver the solution within the desired parameters for compliance, security, operations, architecture and performance...
     Ansible can do it all:
     • Provisioning
     • Application deployment
     • Configuration management
     • Multi-tier orchestration
  8. COMMUNICATION IS THE KEY TO DEVOPS
     Ansible is the first automation language that can be used across every area of IT. Ansible is the only automation engine that can automate the complete application lifecycle and the delivery pipeline, from development... to production.
     [Diagram: one Ansible playbook shared by DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and OUTSOURCERS.]
  9. PLAYBOOK EXAMPLE: LINUX

```yaml
---
- name: install and start apache
  hosts: web
  become: yes
  vars:
    http_port: 80
  tasks:
    - name: httpd package is present
      yum:
        name: httpd
        state: latest
    - name: latest index.html file is present
      copy:
        src: files/index.html
        dest: /var/www/html/
    - name: httpd is started
      service:
        name: httpd
        state: started
```
  10. PLAYBOOK EXAMPLE: WINDOWS

```yaml
- hosts: new_servers
  tasks:
    - name: ensure common OS updates are current
      win_updates:
      register: update_result
    - name: ensure domain membership
      win_domain_membership:
        dns_domain_name: contoso.corp
        domain_admin_user: '{{ domain_admin_username }}'
        domain_admin_password: '{{ domain_admin_password }}'
        state: domain
      register: domain_result
    - name: reboot and wait for host if updates or domain change require it
      win_reboot:
      when: update_result.reboot_required or domain_result.reboot_required
    - name: ensure local admin account exists
      win_user:
        name: localadmin
        password: '{{ local_admin_password }}'
        groups: Administrators
    - name: ensure common tools are installed
      win_chocolatey:
        name: '{{ item }}'
      with_items: ['sysinternals', 'googlechrome']
```
  11. ANSIBLE NETWORK AUTOMATION (ansible.com/networking): 570+ network modules, 40 network platforms
  12. NETWORK MODULES: BUILT-IN DEVICE ENABLEMENT
     ● A10
     ● Apstra AOS
     ● Arista EOS (cli, eAPI), CVP
     ● Aruba Networks
     ● AVI Networks
     ● Big Switch Networks
     ● Brocade Ironware
     ● Cisco ACI, AireOS, ASA, IOS, IOS-XR, NSO, NX-OS
     ● Citrix Netscaler
     ● Cumulus Linux
     ● Dell OS6, OS9, OS10
     ● Exoscale
     ● F5 BIG-IP
     ● Fortinet FortIOS, FMGR
     ● Huawei
     ● Illumos
     ● Infoblox NIOS
     ● Juniper Junos
     ● Lenovo CNOS, ENOS
     ● Mellanox ONYX
     ● Ordnance
     ● NETCONF
     ● Netvisor
     ● Openswitch
     ● Open vSwitch (OVS)
     ● Palo Alto PAN-OS
     ● Nokia NetAct, SR OS
     ● VyOS
  13. PLAYBOOK EXAMPLE: NETWORK AUTOMATION

```yaml
---
- name: configure ios interface
  hosts: ios01
  tasks:
    - name: collect device running-config
      ios_command:
        commands: show running-config interface GigabitEthernet0/2
        provider: "{{ cli }}"
      register: config
    - name: administratively enable interface
      ios_config:
        lines: no shutdown
        parents: interface GigabitEthernet0/2
        provider: "{{ cli }}"
      when: '"shutdown" in config.stdout[0]'
    - name: verify operational status
      ios_command:
        commands:
          - show interfaces GigabitEthernet0/2
          - show cdp neighbors GigabitEthernet0/2 detail
        waitfor:
          - result[0] contains 'line protocol is up'
          - result[1] contains 'iosxr03'
          - result[1] contains '10.0.0.42'
        provider: "{{ cli }}"
```
  14. RESOURCE MODULES

```yaml
---
- name: system node properties
  hosts: all
  tasks:
    - name: configure eos system properties
      eos_system:
        domain_name: ansible.com
        vrf: management
      when: network_os == 'eos'
    - name: configure nxos system properties
      nxos_system:
        domain_name: ansible.com
        vrf: management
      when: network_os == 'nxos'
    - name: configure ios system properties
      ios_system:
        domain_name: ansible.com
        lookup_enabled: yes
      when: network_os == 'ios'
```

     ● Per-platform implementation
     ● Declarative by design
     ● Abstracted over the connection
     ● Violates DRY principles
     ● Makes platforms happy
     ● ... Not so much for operators
  15. MINIMUM VIABLE PLATFORM AGNOSTIC (MVPA)

```yaml
- name: configure network interface
  net_interface:
    name: "{{ interface_name }}"
    description: "{{ interface_description }}"
    enabled: yes
    mtu: 9000
    state: up

- name: configure bgp neighbors
  net_bgp_neighbor:
    peers: "{{ item.peer }}"
    remote_as: "{{ item.remote_as }}"
    update_source: Loopback0
    send_community: both
    enabled: yes
    state: present
```

     The platform-agnostic net_* modules above stand in for the per-platform pairs: iosxr_interface / iosxr_bgp_neighbor, nxos_interface / nxos_bgp_neighbor, junos_interface / junos_bgp_neighbor, eos_interface / eos_bgp_neighbor, ios_interface / ios_bgp_neighbor.
  16. DECLARATIVE...

```yaml
- name: configure interface
  net_interface:
    aggregate:
      # configuration declaration
      name: GigabitEthernet0/2
      description: public interface configuration
      enabled: yes
      state: present
      # desired state
      status:
        state: connected
        tx_rate: ge(7Gbps)
        rx_rate: ge(2Gbps)
        delay: 30
        neighbors:
          - host: core-01
            port: Ethernet5/2/6
```
  17. DECLARATIVE... DECLARATIVE INTENT

```yaml
# CONFIGURATION: only performs the configuration; ignores the state of the resource on the device
- name: configure bgp neighbor
  net_bgp_neighbor:
    peer: 1.1.1.1
    remote_as: 65000
    enabled: yes

# STATE VALIDATION: only validates the state; ignores the device configuration
- name: validate bgp neighbor
  net_bgp_neighbor:
    peer: 1.1.1.1
    nbr_state: established
    pfx_rx: 16593
    pfx_tx: 132
```
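The state-validation half of declarative intent, as an added example that is not code from the deck: a small Python parser for a constructed Cisco-style "show ip bgp summary" table, plus a validator that checks the slide's intent keys (peer, nbr_state, pfx_rx) against what the device reports without touching configuration. The table text, the function names and the lower-cased state names are assumptions made here.

```python
import re

# Constructed sample of a Cisco-style "show ip bgp summary" neighbour table (not real device output).
SHOW_BGP_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4 65000   12345   12340      200    0    0 3d02h       16593
2.2.2.2         4 65001      10      12        0    0    0 never    Idle
"""

# One neighbour row: peer, BGP version 4, remote AS, five counters, uptime, then State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+4\s+(?P<remote_as>\d+)"
    r"(?:\s+\d+){5}\s+\S+\s+(?P<state>\S+)\s*$",
    re.MULTILINE,
)


def parse_bgp_summary(text):
    """Return {peer: {"remote_as": int, "nbr_state": str, "pfx_rx": int | None}}.
    A numeric State/PfxRcd column means the session is Established and shows the
    prefixes received; any other value is the session state (Idle, Active, ...)."""
    neighbors = {}
    for m in NEIGHBOR_RE.finditer(text):
        last = m.group("state")
        if last.isdigit():
            state, pfx_rx = "established", int(last)
        else:
            state, pfx_rx = last.lower(), None
        neighbors[m.group("peer")] = {
            "remote_as": int(m.group("remote_as")),
            "nbr_state": state,
            "pfx_rx": pfx_rx,
        }
    return neighbors


def validate_intent(intent, observed):
    """Check a declared intent (the slide's peer / nbr_state / pfx_rx keys) against the
    parsed state. Returns a list of deviations; an empty list means the intent holds.
    Nothing is configured: this is the validation-only half of declarative intent."""
    peer = intent["peer"]
    if peer not in observed:
        return [f"{peer}: neighbor not present"]
    found = observed[peer]
    deviations = []
    for key, want in intent.items():
        if key == "peer":
            continue
        got = found.get(key)
        if got != want:
            deviations.append(f"{peer}: {key} expected {want!r}, observed {got!r}")
    return deviations
```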
  18. Networking Pain Points
  19. EXAMPLE: MANAGING ELEMENTS IN HIGH AVAILABILITY
     Apply the same configuration to both members at the same time.
     Playbook:

```yaml
# vars: one entry per port-channel on each ToR switch
port_data:
  - { desc: "Host_A", switch: "tor1", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
  - { desc: "Host_A", switch: "tor1", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
  - { desc: "Host_B", switch: "tor2", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
  - { desc: "Host_B", switch: "tor2", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
---
# tasks
- name: Configure individual port-channel interfaces
  nxos_interface:
    provider: "{{ cli }}"
    host: "{{ item.0.switch }}"
    interface: "{{ item.1 }}"
    state: present
    description: "{{ item.0.desc | default(omit) }}"
    mode: layer2
    admin_state: up
  with_subelements:
    - "{{ port_data | default([]) }}"
    - port_list
    - skip_missing: yes

- name: Create port-channels on the ToR(s)
  nxos_portchannel:
    provider: "{{ cli }}"
    host: "{{ item.switch }}"
```
  20. MANAGE [PORTS, VLANS, {{ RESOURCES }}]: THE "UH-OH @#$!@" MOMENT

```text
$ ansible-playbook deploy-workload.yaml

PLAY [deploy application workload] *********************************

TASK [collect device running-config] *******************************
ok: [ios01]
ok: [ios02]

TASK [administratively enable interface] ***************************
ok: [ios01]
ok: [ios02]

TASK [deploy workloads ] *******************************************
ok: [app01]
ok: [app02]

PLAY RECAP *********************************************************
ios01 : ok=2 changed=0 unreachable=0 failed=0
ios02 : ok=2 changed=0 unreachable=0 failed=0
app01 : ok=1 changed=0 unreachable=0 failed=0
app02 : ok=1 changed=0 unreachable=0 failed=0
```
  21. SECURITY
     Problem:
     • Managing policies across different types of hardware and software is a complex and error-prone activity
     • Implementing security requirements (STIG, PCI...) in the infrastructure is hard to implement and maintain
     Solution:
     • Define the policy once. Apply it across multiple infrastructures (physical, virtual, cloud, network, system...)
     • Take advantage of predefined policies and guidelines to implement them across the whole infrastructure
  22. EXAMPLE: PERVASIVE SECURITY
     Problem: different devices/vendors require different ACL (rule) formats.
     Solution: apply the same abstracted rule to firewalls, routers, hosts...

```yaml
# vars: one vendor-neutral rule set
fw_rules:
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 32400, proto: tcp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 1900, proto: udp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 3005, proto: tcp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 5353, proto: udp, action: allow, comment: plex }
---
# tasks: the same rules rendered for a Cisco ASA and for a Linux host
- name: Insert ASA ACL
  asa_config:
    lines:
      # ASA syntax: access-list NAME extended permit|deny PROTO SRC_NET SRC_MASK DST_NET DST_MASK eq PORT
      # (the abstract "allow" is mapped to ASA's "permit"; network and netmask are derived from the CIDR)
      - "access-list {{ item.rule }} extended {{ 'permit' if item.action == 'allow' else 'deny' }} {{ item.proto }} {{ item.src_ip | ipaddr('network') }} {{ item.src_ip | ipaddr('netmask') }} {{ item.dst_ip | ipaddr('network') }} {{ item.dst_ip | ipaddr('netmask') }} eq {{ item.dst_port }}"
    provider: "{{ cli }}"
  with_items: "{{ fw_rules }}"

- iptables:
    chain: "{{ item.chain | default('INPUT') }}"
    source: "{{ item.src_ip | default(omit) }}"
    destination: "{{ item.dst_ip }}"
    destination_port: "{{ item.dst_port }}"
    protocol: "{{ item.proto | default('tcp') }}"
    # iptables has no DENY target; DROP is the closest equivalent
    jump: "{{ 'ACCEPT' if item.action == 'allow' else 'DROP' }}"
    comment: "{{ item.comment | default(omit) }}"
  with_items: "{{ fw_rules }}"
```
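The "define once, render per platform" idea from this slide, as an added example written for this page rather than taken from the deck: plain Python that validates the abstract fw_rules and renders each rule both as an ASA extended ACL line and as an iptables command, computing the network and netmask the way the ipaddr('network') / ipaddr('netmask') filters do. The function names and the iptables command layout are assumptions made here.

```python
import ipaddress
import shlex

# The abstract rule set from the slide (values as shown there).
FW_RULES = [
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32", "dst_port": 32400, "proto": "tcp", "action": "allow", "comment": "plex"},
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32", "dst_port": 1900, "proto": "udp", "action": "allow", "comment": "plex"},
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32", "dst_port": 3005, "proto": "tcp", "action": "allow", "comment": "plex"},
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32", "dst_port": 5353, "proto": "udp", "action": "allow", "comment": "plex"},
]

# Vendor-specific vocabulary for the one abstract action field.
ASA_ACTION = {"allow": "permit", "deny": "deny"}
IPT_TARGET = {"allow": "ACCEPT", "deny": "DROP"}


def validate(rule):
    """Reject a malformed abstract rule before it is rendered for any device."""
    if rule["action"] not in ASA_ACTION:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["proto"] not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule['proto']!r}")
    if not 1 <= int(rule["dst_port"]) <= 65535:
        raise ValueError(f"bad destination port {rule['dst_port']!r}")
    # strict=False masks off host bits, like the ipaddr('network') filter on the slide
    return (ipaddress.ip_network(rule["src_ip"], strict=False),
            ipaddress.ip_network(rule["dst_ip"], strict=False))


def to_asa(rule):
    """Cisco ASA extended ACL line: network and dotted mask for source and destination
    (what ipaddr('network') / ipaddr('netmask') produce in the slide's asa_config task)."""
    src, dst = validate(rule)
    return (f"access-list {rule['rule']} extended {ASA_ACTION[rule['action']]} {rule['proto']} "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask} "
            f"eq {rule['dst_port']}")


def to_iptables(rule, chain="INPUT"):
    """Equivalent iptables command for a Linux host; an 'any' source (0.0.0.0/0) is omitted."""
    src, dst = validate(rule)
    parts = ["iptables", "-A", chain]
    if src.prefixlen > 0:
        parts += ["-s", str(src)]
    parts += ["-d", str(dst), "-p", rule["proto"], "--dport", str(rule["dst_port"])]
    if rule.get("comment"):
        parts += ["-m", "comment", "--comment", shlex.quote(rule["comment"])]
    parts += ["-j", IPT_TARGET[rule["action"]]]
    return " ".join(parts)


def render_all(rules):
    """Render the whole abstract rule set for both targets from a single definition."""
    return {"asa": [to_asa(r) for r in rules], "iptables": [to_iptables(r) for r in rules]}
```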
  23. PRIVATE, PUBLIC OR HYBRID CLOUD
     Problem:
     • Private, public and hybrid clouds increase the number of managed resources
     • Cloud resources differ from on-premise resources, and different clouds add even more complexity
     Solution:
     • Automate tasks across multiple devices and clouds with the same workflow
     • Define the policy once and apply it to multiple infrastructures (physical, virtual, cloud, network, system...)
  24. EXAMPLE: ELASTIC CLOUD
     1. Create the VPCs (this builds the "hosts" file):
        ansible-playbook build_aws_vpc.yml
        ansible-playbook build_azure_vpc.yml
     2. Build a DMVPN overlay:
        ansible-playbook -i hosts build-dmvpn.yml
     [Diagram: a VPC host built by build_aws_vpc.yml and a resource group host built by build_azure_vpc.yml, joined by build_dmvpn.yml.]
  25. RED HAT ANSIBLE TOWER: scale + operationalization for your automation (control, knowledge, delegation). RED HAT ANSIBLE ENGINE: support for your Ansible automation (simple, powerful, agentless). Powered by an innovative open source community.
  26. AUTOMATE YOUR ENTERPRISE
     [Layered architecture diagram, bottom to top:]
     • ANSIBLE: Python codebase, open source module library, plugins; transport: SSH, WinRM, etc.
     • Managed targets: CLOUD (AWS, Google Cloud, Azure...), INFRASTRUCTURE (Linux, Windows, UNIX...), NETWORKS (Arista, Cisco, Juniper...), CONTAINERS (Docker, LXC...), SERVICES (databases, logging, source control management...)
     • USERS: admins via the Ansible CLI, CI systems, Ansible playbooks...
     • ANSIBLE TOWER: simple user interface, Tower API, role-based access control, knowledge & visibility, scheduled & centralized jobs
     • USE CASES: configuration management, app deployment, continuous delivery, security & compliance, orchestration, provisioning
  27. ANSIBLE TOWER INTEGRATIONS
     [Diagram: a client accessing Ansible Tower, which is backed by PostgreSQL and integrates with managed hosts, a domain controller and a CMDB.]
  28. ANSIBLE TOWER: JOB STATUS UPDATE
  29. ANSIBLE TOWER: ACTIVITY STREAM
  30. ANSIBLE TOWER: MULTI-PLAYBOOK WORKFLOWS
  31. ANSIBLE TOWER: SCALE-OUT CLUSTERING
  32. ANSIBLE TOWER: MANAGE AND TRACK YOUR INVENTORY
  33. ANSIBLE TOWER: SCHEDULE JOBS
  34. ANSIBLE TOWER: INTEGRATED NOTIFICATIONS
  35. ANSIBLE TOWER: SELF-SERVICE IT
  36. ANSIBLE TOWER: REMOTE COMMAND EXECUTION
  37. TOWER EXAMPLES (ARISTA)
  38. TOWER EXAMPLES (ARISTA)
  39. ANSIBLE TOWER: EXTERNAL LOGGING
  40. 1650+ Ansible modules, 28,000+ stars on GitHub, 500,000+ downloads per month
  41. PLAYBOOK EXAMPLES
     • LAMP + HAPROXY + NAGIOS: github.com/ansible/ansible-examples/tree/master/lamp_haproxy
     • WINDOWS: github.com/ansible/ansible-examples/tree/master/windows
     • SECURITY COMPLIANCE: github.com/ansible/ansible-lockdown
     • NETWORK: github.com/privateip/network-demo
     • MORE...: galaxy.ansible.com, github.com/ansible/ansible-examples
  42. AUTOMATION = ACCELERATION
  43. 10,000 ROLES AT YOUR DISPOSAL: re-usable roles and container apps that allow you to do more, faster. Built into the Ansible CLI and Tower. galaxy.ansible.com
