Ansible interface to Cisco Tetration Network Policy Publisher
This solution exposes the security policy generated from Tetration Analytics Application Dependency Mapping (ADM) Network Policy Publisher to data center switches, firewalls, load balancers and other network devices supported by the Ansible network modules. Ansible playbooks can call the module tetration_network_policy to retrieve policy from the Tetration Kafka broker. The module returns the policy to the playbook as ansible_facts - which can be referenced by subsequent tasks to apply the policy to devices, write it to a file, or load it to CMDB for reference.
This repository is featured on the Cisco DevNet Code Exchange.
Cisco has featured this solution in several blog posts published in the developer section of blogs.cisco.com and in ComputerWeekly.com leading to DevNet Create 2019.
- Introducing Cisco DevNet Exchange
- Using Tetration for Application Security and Policy Enforcement
- Coders and developers: The new heroes of the network?
- Interview with DevNet Creator – Joel W. King
At devnetcreate.io this solution is part of the Tech Talk on Wednesday Apr 24, 2019 2:20pm - 2:40pm at the Computer History Museum titled Analytics for Application Security and Policy Enforcement in Cloud Managed Networks.
The presentation and session video are available at:
Development of this solution gained recognition as a DevNet Creator community contributor during the Key Note session.
There is a video interview hosted by Silvia K. Spiva, community manager DevNet with DevNet Creator Joel King.
Enabling policy migration in the Data Center with Ansible - Wednesday, April 17, 2019 - Slides
The internal World Wide Technology IT department is migrating from a traditional Nexus fabric to Application Centric Infrastructure (ACI). This talk describes how Ansible is used to migrate policy to, and automate the configuration of, the new data center fabric.
This repository is a companion to the AnsibleFest 2018 network breakout session, Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds.
The focus of the session illustrates using Ansible to facilitate installation of the software sensor on Linux hosts, how Cisco Tetration can be used as a dynamic inventory source for Ansible Playbooks and how policy generated from Tetration Application Dependency Mapping (ADM) Network Policy Publisher can be used to apply policy to a Cisco ACI fabric, Cisco ASA firewall, and other network devices.
A recap of AnsibleFest in this blog post summarizes the concepts presented in this session at the live event.
The AnsibleFest 2018 presentation slides are available on Slideshare.
On 2 November 2018, an update to the presentation was given to the WWT Network Solutions virtual team meeting, Using Tetration for application security and policy enforcement in multi-vendor environments. A recording of this session is available.
Red Hat has published the collateral from AnsibleFest Austin 2018 this session is at https://www.ansible.com/using-ansible-tower-to-implement-security-policies-telemetry-streaming.
This solution has been verified and tested using Ansible 2.8.1 running with Ansible Tower 3.5.0. The CONFIGURATION_GUIDE.md provides a reference for installing the software for the target environment. The group referenced by Ansible Tower 'projects' is at this URL: https://gitlab.com/tetration-network-policy-publisher.
To aid in validating messages are being published, library/kafka_debugger.py has been developed. The program uses Python classes and methods from library/tetration_network_policy.py to attach to the Kafka broker address and report the beginning and ending offset counters, the available topic(s), and the message offset number and length of returned messages. Refer to the CONFIGURATION_GUIDE.md.
To extend the functionality of the Network Policy Publisher, included is an Ansible Lookup Plugin tetration_scope, which uses the Tetration REST API to return one or more Scopes (or AppScopes) to enrich data from the Network Policy Publisher.
Refer to Adding modules and plugins locally to install tetration_scope on your local system. Once installed, review the documentation by referring to the documentation.
$ ansible-doc -t lookup tetration_scopeTo map Tetration cluster and Scope names to the corresponding ACI End Point Groups, included is an Ansible Filter Plugin aci_epg which can be used to translate the names used in Tetration to ACI naming conventions.
In addition to extracting policy from the Kafka broker, the Tetration API provides access to detailed application data relating to application dependency mapping.
This module returns the detailed data associated with a specified application name using the Tetration API. It provides an alternative viewpoint to the Network Policy Publisher. Refer to library/tetration_application.py for more information.
Several sample Ansible playbooks are included and are described in the following section.
This playbook retrieves network policy from the Tetration Network Policy Publisher and creates a file to view the results. It is a data visualization and debugging tool.
This playbook resides on GitLab, as view_network_policy_decrypt.yml. The GitLab repo, https://gitlab.com/tetration-network-policy-publisher/policy-stream-12-pub-vrf is an example of how to organize credentials and playbooks for multiple applications, under a single 'group', tetration-network-policy-publisher. For example, under the group, each application identifed by an Application Dependency Mapping (ADM), is identified by the topic assigned by Tetration. One example is the 'producer-tnp-12' repo in the group.
This is a public repo and the credentials are AES256 encrypted with Ansible Vault. The playbook provides an example of how to decrypt and temporarily store the credentials on Tower, execute the playbook and then delete the decrypted files at the end of the playbook.
This playbook resides on GitLab, as asa_create_acl_decrypt.yml. It illustrates how to apply policy from Tetration to a Cisco ASA firewall as an access-list. The tenant name from the policy is used as the access-list name in the ASA configuration
The network policy returned from the publisher is used to create Filters and Filter entries in an ACI fabric. The AnsibleFest presentation includes screen snapshots of this use case.
Configuring a firewall using the published network policy is the primary use case of the Cisco Tetration Analytics Network Policy Publisher. This playbook illustrates how automation can be used to implement a zero-trust policy model on a firewall for defense in depth.
This playbook demonstrates how Ansible can be used to assist in deploying the Tetration software agent on a CentOS virtual machine. Large customers may have hundereds of thousands of virtual machines which require the installation of the agent.
In Tetration release 3.1.1.x, there is a simplified software agent install, which eliminates much of the complexity of installing agents addressed by this playbook.
This Python program interfaces to the Tetration API to retrieve and create a dynamic inventory file which can be used for Ansible playbooks. One benefit of deploying the Tetration agent on workloads, is using Tetration as another source of truth for network inventory.
The file sensors.ini is used to identify the target Tetration cluster and other parameters.
Tetration publishes policy to the Kafka message buffer encoded as protocol buffers. Protobufs provide better speed and efficiency for processing large amounts of data between publisher and subscriber. The source file files/tetration_network_policy.proto is the protobuf declaration of Tetration Network Policy's data structures published to Kafka. This file is compiled and imported by the module tetration_network_policy.py.
If you have questions, concerns, bug reports, etc., please file an issue in this repository's Issue Tracker.
Joel W. King joel.king@wwt.com GitHub/GitLab: @joelwking Principal Architect at World Wide Technology