(Physical, Virtualized and Cloud) Security Automation – An API Example
The premise of my Commode Computing presentation was to reinforce that we desperately require automation in all aspects of “security” and should work toward leveraging APIs in stacks and products to enable not only control but also audit and compliance across physical and virtualized solutions.
There are numerous efforts underway that underscore both this need and the industry’s response to it. Platform providers (virtualization and cloud) are leading the charge, since much of their stacks rely upon automation to function, and the ecosystem of third-party solutions that add value on top of them is following suit.
Most of the work centers on ensuring that the latest virtualized versions of products/solutions are API-enabled, while the CLI/GUI-focused configuration of older products still relies, in many cases, on legacy management consoles or on intermediary automation and orchestration “middlemen” to automate.
Here’s a great example of how one might utilize (Perl) scripting and RESTful APIs against VMware’s vShield Edge solution to provision, orchestrate and even audit firewall policies using their API. It’s a fantastic write-up from Richard Park of SourceFire (h/t to Davi Ottenheimer for the pointer):
Here is an overview of how to use Perl code to work with VMware’s vShield API.
vShield App and Edge are two security products offered by VMware. vShield Edge has a broad range of functionality such as firewall, VPN, load balancing, NAT, and DHCP. vShield App is a NIC-level firewall for virtual machines.
We’ll focus today on how to use the API to programmatically make firewall rule changes. Here are some of the things you can do with the API:
- List the current firewall ruleset
- Add new rules
- Get a list of past firewall revisions
- Revert back to a previous ruleset revision
Awesome post, Richard. Very useful. Thanks!
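As an added illustration of the audit side of that workflow (example code written for this page, not from the original post or from Richard Park’s Perl write-up): the script below takes two firewall ruleset revisions as an API might return them, reports what changed between them, and flags any allow rule that is open on source, destination and port. The XML layout and the two embedded revisions are constructed stand-ins, not vShield’s actual schema or output, so it runs offline; in practice the payloads would come from the list-ruleset and list-revisions calls.

```python
"""Audit two firewall ruleset revisions as returned by a management API."""
import xml.etree.ElementTree as ET

# Constructed sample payloads standing in for two API responses.
# The element/attribute names are assumptions, not the vShield schema.
REV_1 = """<firewall revision="1">
  <rule id="1" action="allow" src="10.0.0.0/8" dst="10.1.2.3" port="443"/>
  <rule id="2" action="deny" src="any" dst="any" port="any"/>
</firewall>"""

REV_2 = """<firewall revision="2">
  <rule id="1" action="allow" src="10.0.0.0/8" dst="10.1.2.3" port="443"/>
  <rule id="3" action="allow" src="any" dst="any" port="any"/>
  <rule id="2" action="deny" src="any" dst="any" port="any"/>
</firewall>"""


def parse_rules(xml_text):
    """Return {rule_id: (action, src, dst, port)} for one revision."""
    root = ET.fromstring(xml_text)
    return {r.get("id"): (r.get("action"), r.get("src"), r.get("dst"), r.get("port"))
            for r in root.iter("rule")}


def diff_rules(old, new):
    """Rule ids added, removed, or changed between two parsed revisions."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(i for i in set(old) & set(new) if old[i] != new[i])
    return added, removed, changed


def overly_permissive(rules):
    """Ids of allow rules that are open on source, destination and port."""
    return sorted(i for i, (act, src, dst, port) in rules.items()
                  if act == "allow" and (src, dst, port) == ("any", "any", "any"))


def audit(old_xml, new_xml):
    """Summarise the change set and any permissive rules in the newer revision."""
    old, new = parse_rules(old_xml), parse_rules(new_xml)
    added, removed, changed = diff_rules(old, new)
    return {"added": added, "removed": removed, "changed": changed,
            "permissive": overly_permissive(new)}


if __name__ == "__main__":
    # A non-empty "permissive" list is the signal to revert to the prior revision.
    print(audit(REV_1, REV_2))
```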