BRKCOC-2006


#CiscoLive

Inside Cisco IT
A GITOps Approach to Managing Firepower Firewall ACLs

Ben Kelly – Network Architect


Agenda
• Introduction and Background
• GIT as Access-List SSOT
• GITOps Process
• GITOps Automation Pipelines
• GITOps Supporting Software
• Conclusion

#CiscoLive BRKCOC-2006 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
DC Security Zones

Security Zones in the DC (figure: web and app servers placed across the DMZ, Secured and Internal zones)

Security Zones in the DC (figure: DMZ Network and Internal Network, with the DMZ, Secured and Internal zones)
Firepower Firewalls

Controller First Strategy (figure: MAS and Firepower Mgmt Center)
ACL Management Status Quo
• DC Firewalls: Firepower
• Linux RCS
• Custom CLI scripts

! 06 JUL 2016 | ANILVARG | APPROVED | CRQ800000045188
permit tcp 64.100.244.16/28 any eq 8600
permit tcp 64.100.244.16/28 any eq 9090
permit tcp any 64.100.244.160/28 eq 443
permit tcp any 64.100.244.160/28 eq 9000
permit tcp 64.101.214.224/27 any eq 9090
permit tcp 64.101.217.224/27 any eq 9090
! 22 JUL 2016 | ANILVARG | APPROVED | CRQ800000048981
permit ip 10.226.108.137/32 any
! July26 CRQ800000049550 anilvarg
permit ip 64.101.214.224/27 any
permit ip 64.100.244.16/28 any
permit ip 64.101.217.224/27 any
permit ip 64.100.244.160/28 any
GITOps: GIT as the Single Source of Truth

Access Control List Management
• Text file
• Linux RCS
• No validation
• No process automation
Goals
• Modern version control solution
  - Officially IT supported platform
  - Programmatic access
  - Support for client side editors/IDEs
• Simplification & Re-use
• Path to process automation
• Device/solution agnostic
Enhanced Access Control List Management (Atlassian Bitbucket)

Before                  After
Text file               YAML file
Linux RCS               GIT VCS
No validation           Validation
No process automation   Process Pipelines
ACL Format

ACL Format – Network Objects

network-objects:
  - name: dns_all.bsh-devstage-autofs.esl.cisco.com
    hosts:
      - 10.115.62.195
      - 10.226.85.6
      - 10.31.64.5
      - 173.36.154.142
      - 64.103.211.40
  - name: dns_rtpnbu1
    hosts:
      - 64.102.102.127
      - 2001:420:adef:0b32::1
  - name: dns_rtpnbu1ms1
    hosts:
      - 64.102.102.126
  - name: rfc1918
    networks:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  - name: local_backup
    hosts:
      - 10.120.43.128/25
      - 2001:420:16fe:9ba0::/64
  - name: dns_firedrill.cisco.com
    hosts:
      - 171.70.139.30
ACL Format – Access Rules

access-list:
  - action: trust
    source:
      zones:
        - protected
    destination:
      objects:
        - dns_all.bsh-devstage-autofs.esl.cisco.com
    name: 4b6f3b_f4aa5a200ab89076
  - action: trust
    protocol: tcp
    source:
      zones:
        - protected
    destination:
      ports:
        - '1556'
        - '13782'
        - '13783'
        - '13724'
        - '13722'
      objects:
        - dns_rtpnbu1
        - dns_rtpnbu1ms1
        - dns_rtpnbu
        - dns_rtpnbu2ms1
    name: 4b6f3b_276a4eed4844b5b2
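The structure on the two ACL Format slides is what makes the deck's "Validation" column possible: every rule names objects, zones and ports that a script can cross-check before the change is committed. The checker below is an added example written for this page, not Cisco IT's aclmgr code. It embeds the slides' network objects and rules as the structure a YAML loader would return (so it runs without PyYAML); the second rule references dns_rtpnbu and dns_rtpnbu2ms1, which the excerpt never defines, so the checker has something to report. The action and protocol vocabularies are assumptions rather than values taken from the slides.

```python
"""Validate an aclmgr-style ACL document the way a commit-triggered
validation stage would. Added example, not Cisco IT's aclmgr code."""
import ipaddress

ALLOWED_ACTIONS = {"allow", "trust", "monitor", "block"}   # assumed vocabulary
L4_PROTOCOLS = {"tcp", "udp"}                               # protocols that carry ports

ACL_DOC = {  # constructed from the ACL Format slides
    "network-objects": [
        {"name": "dns_all.bsh-devstage-autofs.esl.cisco.com",
         "hosts": ["10.115.62.195", "10.226.85.6", "10.31.64.5",
                   "173.36.154.142", "64.103.211.40"]},
        {"name": "dns_rtpnbu1", "hosts": ["64.102.102.127", "2001:420:adef:0b32::1"]},
        {"name": "dns_rtpnbu1ms1", "hosts": ["64.102.102.126"]},
        {"name": "rfc1918", "networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
        {"name": "local_backup", "hosts": ["10.120.43.128/25", "2001:420:16fe:9ba0::/64"]},
        {"name": "dns_firedrill.cisco.com", "hosts": ["171.70.139.30"]},
    ],
    "access-list": [
        {"action": "trust", "source": {"zones": ["protected"]},
         "destination": {"objects": ["dns_all.bsh-devstage-autofs.esl.cisco.com"]},
         "name": "4b6f3b_f4aa5a200ab89076"},
        {"action": "trust", "protocol": "tcp", "source": {"zones": ["protected"]},
         "destination": {"ports": ["1556", "13782", "13783", "13724", "13722"],
                         "objects": ["dns_rtpnbu1", "dns_rtpnbu1ms1",
                                     "dns_rtpnbu", "dns_rtpnbu2ms1"]},   # last two undefined
         "name": "4b6f3b_276a4eed4844b5b2"},
    ],
}


def check_objects(objects):
    """Return (defined names, findings) for the network-objects section."""
    names, findings = set(), []
    for obj in objects:
        name = obj.get("name")
        if not name:
            findings.append("error: network object without a name")
            continue
        if name in names:
            findings.append(f"error: duplicate network object '{name}'")
        names.add(name)
        if not obj.get("hosts") and not obj.get("networks"):
            findings.append(f"error: {name}: neither hosts nor networks given")
        for host in obj.get("hosts", []):
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                findings.append(f"error: {name}: host '{host}' is not an IP address")
                continue
            if net.num_addresses != 1:   # a prefix hiding in the hosts list
                findings.append(f"warning: {name}: '{host}' is a prefix, list it under networks")
        for network in obj.get("networks", []):
            try:
                ipaddress.ip_network(network, strict=True)   # strict: host bits must be zero
            except ValueError:
                findings.append(f"error: {name}: '{network}' is not a valid network prefix")
    return names, findings


def check_rules(rules, object_names):
    """Check each access rule against the defined objects and basic sanity limits."""
    findings, seen = [], set()
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if name in seen:
            findings.append(f"error: duplicate rule name '{name}'")
        seen.add(name)
        if rule.get("action") not in ALLOWED_ACTIONS:
            findings.append(f"error: {name}: unknown action '{rule.get('action')}'")
        for side in ("source", "destination"):
            spec = rule.get(side) or {}
            for obj in spec.get("objects", []):
                if obj not in object_names:
                    findings.append(f"error: {name}: {side} references undefined object '{obj}'")
            for port in spec.get("ports", []):
                if not (str(port).isdigit() and 1 <= int(port) <= 65535):
                    findings.append(f"error: {name}: bad {side} port '{port}'")
            if spec.get("ports") and rule.get("protocol") not in L4_PROTOCOLS:
                findings.append(f"error: {name}: {side} ports given without a tcp/udp protocol")
            if not spec.get("objects") and not spec.get("zones"):
                findings.append(f"warning: {name}: {side} is unrestricted (no zones or objects)")
    return findings


def validate(doc):
    """Full document check; any 'error:' finding should fail the pipeline."""
    names, findings = check_objects(doc.get("network-objects", []))
    return findings + check_rules(doc.get("access-list", []), names)


if __name__ == "__main__":
    for finding in validate(ACL_DOC):
        print(finding)
```

Run validate() from the validation stage and fail the build on any "error:" finding while surfacing "warning:" findings as review comments. On the slide data it reports the two undefined objects as errors, and the two prefixes that local_backup lists under hosts as warnings, since a host entry that silently covers 128 addresses is the kind of thing a pull request reviewer wants pointed out.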
ACL Format - Modularization

Repository files:
  global-repo/global-rules.yaml
  global-repo/site-local-rules.yaml
  global-repo/dc-firewall-1.yaml
  client-1/rules.yaml
  client-2/rules.yaml
  client-3/rules.yaml

Composition through include entries:

access-list:
  - include: global-repo/global-rules.yaml
  - include: global-repo/site-local-rules.yaml
  - include: client-1/rules.yaml
  - include: client-2/rules.yaml
  - include: client-3/rules.yaml
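Before the rules can be validated or deployed, the include entries have to be flattened into one ordered access-list. The resolver below is an added example for this page, not Cisco IT's aclmgr code. It models the repository as an in-memory mapping from path to parsed document (the structure a YAML loader returns) so it runs offline, and its semantics are assumptions: an entry with an `include` key stands for the access-list of that file, includes may nest, a file reached twice is expanded only once, and cycles or missing files are reported as errors instead of raised.

```python
"""Flatten aclmgr-style include entries into a single access-list.
Added example, not Cisco IT's aclmgr code."""

REPO = {  # constructed repo mirroring the modularization slide; rules carry only name/action
    "global-repo/global-rules.yaml": {"access-list": [{"name": "g1", "action": "block"}]},
    "global-repo/site-local-rules.yaml": {"access-list": [{"name": "s1", "action": "allow"}]},
    "client-1/rules.yaml": {"access-list": [{"name": "c1", "action": "trust"}]},
    "client-2/rules.yaml": {"access-list": [{"name": "c2", "action": "allow"},
                                            {"include": "client-3/rules.yaml"}]},  # nested include
    "client-3/rules.yaml": {"access-list": [{"name": "c3", "action": "allow"}]},
    "global-repo/dc-firewall-1.yaml": {"access-list": [
        {"include": "global-repo/global-rules.yaml"},
        {"include": "global-repo/site-local-rules.yaml"},
        {"include": "client-1/rules.yaml"},
        {"include": "client-2/rules.yaml"},
        {"include": "client-3/rules.yaml"},   # already pulled in via client-2, expanded once
    ]},
}


def flatten(repo, path, _stack=(), _seen=None, _errors=None):
    """Return (rules, errors): rules in include order, each tagged with its origin file."""
    seen = _seen if _seen is not None else set()
    errors = _errors if _errors is not None else []
    if path in _stack:                       # include chain loops back on itself
        errors.append("include cycle: " + " -> ".join((*_stack, path)))
        return [], errors
    if path not in repo:
        parent = _stack[-1] if _stack else "<root>"
        errors.append(f"{parent}: included file not found: {path}")
        return [], errors
    if path in seen:                         # reached through another include already
        return [], errors
    seen.add(path)
    rules = []
    for entry in repo[path].get("access-list", []):
        if "include" in entry:
            sub, _ = flatten(repo, entry["include"], (*_stack, path), seen, errors)
            rules.extend(sub)
        else:
            rules.append({**entry, "origin": path})   # keep provenance for review output
    return rules, errors


def duplicate_names(rules):
    """Map every rule name used more than once to the files that define it."""
    by_name = {}
    for rule in rules:
        by_name.setdefault(rule.get("name"), []).append(rule["origin"])
    return {name: files for name, files in by_name.items() if len(files) > 1}


if __name__ == "__main__":
    merged, problems = flatten(REPO, "global-repo/dc-firewall-1.yaml")
    for rule in merged:
        print(rule["origin"], rule["name"], rule["action"])
    print("errors:", problems, "duplicates:", duplicate_names(merged))
```

Because rule order decides which rule matches first, the resolver preserves include order and expands nested includes in place; tagging each rule with its origin file lets the pipeline report a duplicate or failing rule against the client repo that introduced it rather than the merged result.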
GITOps: ACL Update Process
Change Audit Trail: GIT commit history

GIT Commit History answers: Who? When? What?
ACL Update Process: Approval
1. Create branch from master
2. Edit and commit
3. Create pull request
4. Pull request approval by Infosec or Network Lead
5. Merge branch to master

GIT Pull Request - Approvals (screenshot)
GITOps: Pipelines

ACL Change Process: CI/CD Pipeline
1. Create branch from master
2. Edit and commit (commit triggers the ACL validation pipeline)
3. Create pull request
4. Pull request approval by Infosec or Network Lead
5. Merge branch to master (merge to master branch triggers the check, test, deploy pipeline)
Change Triggered Jenkins Pipeline
Change in repository (Atlassian Bitbucket) triggers Stage-1, Stage-2, Stage-3

Pipelines (screenshot)

Validation Pipeline (screenshots)
ACL Manager Software

ACL Manager Software Suite: User Install
• aclmgr
• ACL stored in modular repos/files
• Simplifies GIT interactions
• Firepower Threat Defence deployment via Firepower Mgmt Center

ACL Manager Container
• Container Repository
• Event Triggered Automation
• Time Triggered Automation
• Cisco IT Container Platform
Lessons Learnt: Not Everyone is Familiar with Software Practices

For the network engineer as the user:
1. User focused documentation
2. Easy install/setup
3. Wrap GIT functions
Deliver in phases
Wrap GIT Functions

Simple Interactive CLI
“I want to edit an ACL”            aclmgr edit-policy
“I want to commit my changes”      aclmgr commit
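The two commands above wrap the branch, edit, commit, pull request flow from the ACL Update Process slides so that an engineer never has to remember the git sequence, and so that the process guards (work on a branch, never commit straight to master, validate before committing) are enforced by the tool rather than by memory. The wrapper below is an added example for this page, not Cisco IT's aclmgr. Git commands are built by the wrapper and handed to a runner callable: run_git() executes real git, while the recording runner lets the flow be exercised without a repository. The integration branch is master as on the slides; the acl/<change id> branch naming and the validator hook are assumptions.

```python
"""aclmgr-style wrapper for the branch -> edit -> commit -> pull request flow.
Added example, not Cisco IT's aclmgr."""
import re
import subprocess

# Assumed naming: change branches are acl/<change id>; ids are limited to safe characters
BRANCH_RE = re.compile(r"^acl/[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def run_git(args, cwd):
    """Real runner: execute git in cwd and return its stdout (raises on non-zero exit)."""
    proc = subprocess.run(["git", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


class RecordingRunner:
    """Fake runner: records every git command and answers rev-parse with a fixed branch."""
    def __init__(self, current_branch):
        self.current_branch = current_branch
        self.calls = []

    def __call__(self, args, cwd):
        self.calls.append(list(args))
        if args[:2] == ["rev-parse", "--abbrev-ref"]:
            return self.current_branch + "\n"
        return ""


class AclManager:
    """Each command returns (exit status, message) the way a CLI would report it."""
    def __init__(self, repo_dir, runner=run_git, validator=lambda files: [], base="master"):
        self.repo_dir, self.runner, self.validator, self.base = repo_dir, runner, validator, base

    def git(self, *args):
        return self.runner(list(args), self.repo_dir)

    def edit_policy(self, change_id):
        """'I want to edit an ACL': start a change branch from the latest master."""
        branch = f"acl/{change_id}"
        if not BRANCH_RE.match(branch):
            return 1, f"invalid change id '{change_id}'"
        self.git("fetch", "origin")
        self.git("checkout", "-b", branch, f"origin/{self.base}")
        return 0, f"created {branch}; edit the YAML files, then run commit"

    def commit(self, message, files):
        """'I want to commit my changes': validate, commit and push the change branch."""
        branch = self.git("rev-parse", "--abbrev-ref", "HEAD").strip()
        if branch == self.base or not BRANCH_RE.match(branch):
            return 1, f"refusing to commit on '{branch}': changes go through a branch and pull request"
        errors = [f for f in self.validator(files) if f.startswith("error")]
        if errors:                       # same gate the validation pipeline applies later
            return 1, "validation failed:\n" + "\n".join(errors)
        self.git("add", "--", *files)
        self.git("commit", "-m", message)
        self.git("push", "-u", "origin", branch)
        return 0, f"pushed {branch}; open a pull request against {self.base}"


if __name__ == "__main__":
    demo = AclManager("/tmp/acl-repo", runner=RecordingRunner("acl/CRQ800000049550"))
    print(demo.edit_policy("CRQ800000049550"))
    print(demo.commit("CRQ800000049550: update client-1 rules", ["client-1/rules.yaml"]))
```

The validator argument takes any callable that returns finding strings, so the same checker used by the validation pipeline can run locally before the commit, catching mistakes before they reach a reviewer; refusing to commit on master keeps the audit trail and approval gate on the pull request intact.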
Agile Methodology: Development & Deployment
• Two week sprints
• Regular demos to key stakeholders
• Start with small deployment scope
• You don’t get a second chance at first impressions!
Conclusion

Thank you

#CiscoLive