Security automation encompasses a wide variety of products and services designed to prevent loss or damage to data, applications, IT systems, and networks and to protect devices from malicious or unintended activities. Developers can use the Red Hat Ansible Automation Platform to pull together different security vendors and processes to speed up deployment and reduce errors from performing repetitive manual tasks.
This article explores five common security use cases that Ansible can automate:
- Enterprise firewalls
- Intrusion detection and prevention systems (IDPS)
- Security information and event management (SIEM) systems
- Privileged access management (PAM) tools
- Endpoint protection platforms (EPP)
Enterprise firewalls
Firewalls control the traffic allowed to traverse networks, protecting line-of-business applications exposed to the internet or intranet. With Ansible automation, developers can manipulate policies and log configurations to speed up investigation and remediation processes.
For example, the following Ansible play blocks specific traffic on a Check Point Next Generation Firewall (NGFW):
- hosts: checkpoint
  connection: httpapi            # talks to the Check Point management API rather than over SSH
  tasks:
    - name: Create blocked IP
      include_role:
        name: acl_manager        # role that wraps the firewall's access-control tasks
        tasks_from: block_ip
      vars:
        source_ip: "{{ attacker_ip }}"        # both addresses are supplied at run time, e.g. from an alert
        destination_ip: "{{ target_ip }}"
        ansible_network_os: checkpoint
Intrusion detection and prevention systems
An intrusion detection and prevention system (IDPS) monitors network traffic for suspicious activity, issues alerts, and even blocks attacks when an attack pattern is discovered. Ansible simplifies rule and log management, making security operations more efficient.
Let's take a look at how automation works with a Snort IDPS:
- hosts: snort                   # host group assumed; the original snippet omits the play header
  vars:
    ids_provider: snort
    protocol: tcp
    source_port: any
    source_ip: any
    dest_port: any
    dest_ip: any
  tasks:
    - name: Add snort password attack rule
      include_role:
        name: "ids_rule"
      vars:
        # the rule text is assembled from the play variables above
        ids_rule: 'alert {{ protocol }} {{ source_ip }} {{ source_port }} -> {{ dest_ip }} {{ dest_port }}
          (msg:"Attempted DDoS Attack"; uricontent:"/ddos_simulation"; classtype:successful-dos;
          sid:99000010; priority:1; rev:1;)'
        ids_rules_file: '/etc/snort/rules/local.rules'
        ids_rules_state: present   # add the rule if missing; the role keeps the file idempotent
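The ids_rule role hides what "state: present" actually has to do to a rules file. As an added illustration that is not code from the article, Red Hat or the Ansible security collections, the following Python builds the same rule from the play's variables and applies it idempotently to a constructed local.rules sample: it refuses duplicate sids and bumps rev when a rule with an existing sid changes body. The sample file contents, the sid 99000012 and all function names are assumptions.

```python
import re

# Constructed sample of an existing /etc/snort/rules/local.rules (not taken from the article).
LOCAL_RULES = """alert tcp any any -> any any (msg:"Old DoS probe"; uricontent:"/ddos_simulation"; classtype:successful-dos; sid:99000010; priority:1; rev:1;)
alert tcp any any -> any 22 (msg:"SSH brute force"; classtype:attempted-admin; sid:99000011; rev:1;)
"""
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def build_rule(protocol, source_ip, source_port, dest_ip, dest_port, msg, uricontent, classtype, sid, priority=1, rev=1):
    """Render a Snort rule from the same variables the play hands to the ids_rule role."""
    return (f"alert {protocol} {source_ip} {source_port} -> {dest_ip} {dest_port} "
            f'(msg:"{msg}"; uricontent:"{uricontent}"; classtype:{classtype}; '
            f"sid:{sid}; priority:{priority}; rev:{rev};)")

def rule_options(line):
    """Return a Snort rule's option dict (msg, sid, rev, ...), or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return {k: v.strip().strip('"') for k, v in OPTION_RE.findall(m.group(2))}

def rules_by_sid(text):
    """Index a rules file by sid; two rules sharing one sid is a configuration error."""
    by_sid = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        options = rule_options(line)
        if options is None or "sid" not in options:
            raise ValueError(f"unparseable rule: {line}")
        sid = int(options["sid"])
        if sid in by_sid:
            raise ValueError(f"duplicate sid {sid}")
        by_sid[sid] = line
    return by_sid

def ensure_rule(text, rule):
    """Idempotent 'state: present': returns (new_text, 'added' | 'unchanged' | 'updated')."""
    without_rev = lambda r: re.sub(r"\s*rev:\d+;", "", r)
    sid = int(rule_options(rule)["sid"])
    existing = rules_by_sid(text)
    if sid not in existing:
        return text.rstrip("\n") + "\n" + rule + "\n", "added"
    if without_rev(existing[sid]) == without_rev(rule):
        return text, "unchanged"  # same body: leave the file alone, no needless sensor reload
    # Same sid but a different body: bump rev so the two versions stay distinguishable.
    new_rev = int(rule_options(existing[sid]).get("rev", "1")) + 1
    return text.replace(existing[sid], re.sub(r"rev:\d+;", f"rev:{new_rev};", rule)), "updated"
```

Running ensure_rule twice with the same rule returns "updated" and then "unchanged", which is the behaviour a role with ids_rules_state: present must reproduce so repeated playbook runs do not keep rewriting the file.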
Security information and event management
Security information and event management (SIEM) systems collect and analyze security events to detect and respond to threats. Ansible provides developers programmatic access to various data sources, giving security analysts as much data as possible to assess situations.
Take a look at automation for IBM QRadar XDR:
- name: Create a QRadar Log Source and Enable Offense Rule
  hosts: qradar
  collections:
    - ibm.qradar
  tasks:
    - name: Create QRadar Log Source - Checkpoint
      qradar_log_source_management:
        name: "CheckPoint LogSource: {{ chkpnt_ip_addr }}"
        type_name: "Check Point FireWall-1"
        state: present
        description: Automated Creation of CheckPoint LS
        identifier: "{{ chkpnt_ip_addr }}"   # the firewall address QRadar matches incoming events against
Privileged access management
Privileged access management (PAM) tools monitor and manage privileged accounts and access, provide single sign-on (SSO), and supersede hardcoded passwords for services and applications. Ansible allows developers to streamline the rotation and management of privileged credentials and automate the prevention and remediation of high-risk activities.
For more details about how to automate PAM with Ansible and CyberArk, check out the article, Automating Security with CyberArk and Red Hat Ansible Automation Platform.
Endpoint protection platform (EPP)
An endpoint protection platform (EPP) detects, investigates, and remediates malicious activities on endpoint devices—the most numerous and vulnerable elements of an IT infrastructure. Ansible integrates EPP tools into larger security processes, providing event-driven detection, quarantining, and remediation.
For more details about how to automate EPP with Ansible and Trend Micro DeepSecurity, read Automating Endpoint Protection with Ansible.
Ansible Automation Platform is the common language between security tools
Automation plays a crucial role in identifying and analyzing security events, and Ansible can orchestrate each of the security tools described above. Learn more about security automation by downloading our ebook, Simplify your Security Operations Center. Get started with the Ansible Automation Platform by exploring interactive labs. For more documentation, please visit our Security Automation with Red Hat Ansible Automation Platform page.
Last updated: August 14, 2023