AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Filter by Custom Post Type
Posts

DevOpsifying network connectivity with the AlgoSec SDK for Python

by

In my previous blog posts, I described how the DevOps process is broken as soon as it comes to some network security changes, and how you can use AlgoSec to close this gap and live the DevOps dream to its fullest. I also gave a detailed example on how to make network security DevOps-able using the AlgoSec role for Ansible.

But what if you don’t use Ansible? What if you use another orchestration and configuration management framework, or perhaps even some home-grown automation scripts…?

The answer is simple – just follow the same concepts, utilizing AlgoSec’s rich API set.
Feeling a bit lazy about reading the API guides and writing all that “glue” code yourself? As a recovering software developer myself, I can obviously relate. That’s why we created the AlgoSec Python package.

AlgoSec for Python is an open-source Python SDK, wrapping AlgoSec’s official APIs, and providing exactly the functionality you need for the DevOps use case I described, easily usable in any Python integration script.

All you need to do is install the AlgoSec Python package (e.g. using pip), and script away (obviously you need AlgoSec BusinessFlow and AlgoSec FireFlow too)

You can use the same logic as per the Ansible role – it actually uses that same open-source SDK too. What you need to do:

  1. Decide on a format for the application’s connectivity flows inventory. This is typically a json or a YAML file containing a list of flows. Each flow has a name, source, destination and service (either names or IP addresses/subnets/ports). You can optionally define network applications (if using a layer 7 next generation firewall), and even add a comment describing the flow. The file can describe a single application or multiple applications – whatever makes more sense in your DevOps environment.

Something like this:

{  “applications”: [

{

“app_name”: “Billing”,

“app_flows”: {

“flow1”: {

“sources”: [“HR Payroll server”, “192.168.0.0/16”],

“destinations”: [“16.47.71.62”],

“services”: [“HTTPS”]

},

“flow2”: {

“sources”: [“10.0.0.1”],

“destinations”: [“10.0.0.2”],

“services”: [“udp/501”]

},

“flow3”: {

“sources”: [“1.2.3.4”],

“destinations”: [“3.4.5.6”],

“services”: [“SSH”]

}

}

},

{

“app_name”: “Payroll”,

“app_flows”: {

“new-flow”: {

“sources”: [“1.2.3.4”],

“destinations”: [“3.4.5.6”],

“services”: [“SSH”]

}

}

}

]

}

Then, write some Python code to read that file into Python as a list (you can check out the AlgoSec Ansible role code as a reference).

Don’t forget to specify the connectivity requirements in all environments (dev/test/prod) – either in the same application or as separate applications. That way there won’t be any surprises when deploying in production.

  1. Use the AlgoSec BusinessFlow API methods in the SDK to check if the required connectivity is already up to date in AlgoSec BusinessFlow, or it needs to be updated, and If needed, update it using the relevant methods. Again, the Ansible role open-source code can serve as an excellent reference for implementing this logic using the SDK. If an update is required – AlgoSec BusinessFlow will automatically open a FireFlow change request (if needed), and then detect the exact path in the network the new flow needs to go through, will verify no security risks will be created by this change, plan the best way to implement it, and then go ahead and push the changes to all firewalls, cloud security groups, or SDN solutions, as needed. Automatically.
  2. Last, it’s a good idea to also verify that the connectivity described in the json file is actually allowed by the different security devices (even if no change was made just now). If all is good – return SUCCESS to the DevOps pipeline.

That’s it. You’re done. You have now successfully leveraged AlgoSec to DevOpsify network connectivity, using the AlgoSec Python SDK.

Feel free to share, with me at  or with the world) your implementation! We’d love to see your variants, and hopefully get some great ideas to further improve the existing capabilities and integrations.

Subscribe to Blog

Receive notifications of new posts by email.