EDITORIAL UPDATE: During her keynote address on April 24, Cisco’s Susie Wee presented Joel with the DevNet Creator award for his contributions to DevNet Code Exchange (discussed below). Congrats, Joel!
On April 24 and 25, World Wide Technology (WWT) will be contributing to Cisco DevNet Create 2019 at the Computer History Museum in Mountain View, CA. WWT has sponsored and contributed tech talks to this conference since its inception in 2017. As one of many Session Speakers, I will be presenting a talk titled “Analytics for Application Security and Policy Enforcement in Cloud Managed Networks.”
This article provides some backstory on the genesis of my presentation.
If you are familiar with the DevNet Zone at Cisco Live, you know that DevNet Create is more about software and DevOps and less about hardware. DevNet Create’s focus is enabling developers, infrastructure and DevOps engineers to write software that integrates with the application programming interfaces (APIs) of Cisco products. The conference is really about building a community of infrastructure engineers and software developers to integrate disparate systems through a combination of open-source software projects and closed-source hardware and software.
To promote the work of the open source community, Cisco created DevNet Code Exchange—a curated clearinghouse for software which integrates with Cisco products. Fostering this type of community (which I belong to) indicates that Cisco is indeed moving toward a software-based future.
DevNet Code Exchange
A recent ComputerWeekly.com article, “Coders and Developers: The New Heroes of the Network?”, featured an interview with Susie Wee, founder, executive VP and CTO of Cisco’s DevNet. In the article, Wee explains how coders have adapted to open-source resources like DevNet Code Exchange to share ideas and code. Her prime example highlighted one of my own DevNet Code Exchange contributions titled “Ansible Interface to the Tetration Network Policy Publisher.”
The project of mine Wee highlighted actually began last summer. My goal was to demonstrate how Ansible can be used to enhance security postures by implementing a policy to create a whitelist-based segmentation and zero-trust model. I presented this use case at AnsibleFest Austin 2018 in my talk “Using Ansible Tower to Implement Security Policies and Telemetry Streaming for Hybrid Clouds.”
My initial development foray into this solution provided a learning exercise on Kafka, Protocol Buffers and the schema used by the Network Policy Publisher of the Tetration Analytics platform, which is designed to scale. The software architecture uses two open-source initiatives: Kafka (developed by LinkedIn) and Protocol Buffers (developed by Google). Protocol Buffers are used for most machine-to-machine communication at Google.
The Tetration platform gathers telemetry from servers and the network in a data center or cloud and analyzes the communication between applications. The network and security administrators enable Tetration to “publish” the results of the data analysis to the Kafka message bus. Protocol Buffers are a means of serializing that structured data. The code I developed periodically connects to the message bus, retrieves the network policy and returns structured data to the calling Ansible playbook as a variable. The playbook can then iterate over the variable and apply the policy using Ansible modules for Cisco ACI or ASA firewalls, as well as other network devices or load balancers.
This use case aligns with the design goal of the Tetration Network Policy Publisher—namely, defense in depth by applying the same policy in the data center or cloud to supporting network devices.
From Demo to Production at WWT
When WWT’s internal IT department recently embarked on a project to migrate applications to Cisco ACI, I had the opportunity to support their effort. We used the code I published on DevNet Code Exchange, downloaded the security certificates from the IT production Tetration cluster, successfully connected to Kafka and retrieved the network policy supporting the migration. Only one change was required when going from demonstration to production: we modified the calling playbook to randomly select one of the three Kafka broker IP addresses rather than use the single address offered by the Tetration-M (small form factor deployment option) in WWT’s Advanced Technology Center.
As someone who enjoys coding, you gain a great deal of satisfaction when what you develop in the lab is valuable to those supporting production applications. Here, the number of policy entries was too large to migrate manually, so we provided the network engineer with a programmatic means to do their job.
To Learn More
For a preview of DevNet Create 2019, check out WWT’s Tec17 Podcast:
Or if you’re near the Research Triangle in North Carolina this week, come see me at Red Hat’s Ansible Durham Meetup on April 17, where I’ll be presenting a companion talk called “Enabling Policy Migration in the Data Center with Ansible.”