Ansible Tower for Implementing Security Policy
Take a look back on WWT Principal Architect Joel King’s Network Automation presentation at AnsibleFest 2018.
How to view network as a system with Ansible Tower automating security policy configuration
WWT was a proud champion sponsor of AnsibleFest 2018, held on October 2-3 in in Austin, Texas. The event showcased a comprehensive agenda for the Ansible community and Red Hat Ansible Automation users, whether they are just getting started or experts in “automating all the things.”
AnsibleFest now supports multiple tracts of content: best practices, community and culture, tech deep dives, business solutions, Ansible integrations and network automation. My talk was cataloged in the network automation track, and the core message is to view the network as a software system, using Ansible Tower to automate the configuration of security policies on the individual network components.
An exciting time to be a network engineer
Today’s network engineer can work with, and influence, a broad range of technologies enabling the digital business model. Compute resources (or workloads) are expanding to the three major cloud providers, AWS, Azure and the Google Cloud platform, augmenting the traditional internal data center. This shift is both a challenge and opportunity for the network engineer.
Managing these workloads, extended across four environments, requires enabling telemetry streaming on both the compute resources and network components. This function is one of the three use cases I covered: how to use Ansible Tower to simplify the installation of agents on servers to enable telemetry streaming to a central database.
Network engineers with an interest in Linux administration, DevOps, the ability to code and think like a computer scientist, along with a familiarity with big data and analytics platforms, will be a valuable resource and important to the success of the business.
Inventory is foundational
The role of analytics in the security landscape is to help answer three simple questions: what’s on my network, what is it doing, and should it be doing that? To answer those questions, we first must address foundational issues. Can you name the assets you are defending? To answer this question, you must have an accurate inventory.
Our second use case is enabling dynamic inventory by leveraging meta data about the agents streaming telemetry to the central database. To supplement my presentation, I included some sample code which generates a dynamic inventory for Ansible Tower. From this dynamic, accurate inventory, along with the associated asset tags, the network engineer and Linux administrators can more effectively manage the compute resources in their multicloud network.
Using automation to implement policy
The central database is Cisco Tetration Analytics. There are two means of enforcing a security policy derived from analysis of the telemetry data: using the agents installed on the workloads and using network resources, firewalls, routers, switches and load balancers. Tetration has a new feature called Network Policy Publisher, which “publishes” network policy to a message bus, allowing northbound applications to subscribe to, and retrieve, the published policies.
I provided sample code which can be initiated using Ansible Tower to retrieve these messages and inject them into automation playbooks. Once the policy is exposed to an Ansible playbook, Ansible modules can be invoked to configure the policy on a broad range of networking devices.
The goal of this presentation is to understand how Ansible Tower can be used as a tool to implement a security policy on network devices while envisioning the network and compute resources as one software system.
The three Ansible Tower use case examples are:
- Using playbooks to be more efficient in deploying telemetry agents on workloads in multicloud environments.
- Capitalizing on the meta data of the sources of the telemetry data as a dynamic and accurate inventory of the enterprise assets.
- Consuming the published network policy to provide security in depth by configuring network to augment the security posture of the workloads.