
Security automation encompasses a wide variety of products and services designed to prevent loss or damage to data, applications, IT systems, and networks and to protect devices from malicious or unintended activities. Developers can use the Red Hat Ansible Automation Platform to pull together different security vendors and processes to speed up deployment and reduce errors from performing repetitive manual tasks.

This article explores five common security use cases that Ansible can automate:

  1. Enterprise firewalls
  2. Intrusion detection and prevention systems (IDPS)
  3. Security information and event management (SIEM) systems
  4. Privileged access management (PAM) tools
  5. Endpoint protection platforms (EPP)

Enterprise firewalls

Firewalls control the traffic allowed to traverse networks, protecting line-of-business applications exposed to the internet or intranet. With Ansible automation, developers can manipulate policies and log configurations to speed up investigation and remediation processes.

For example, the following play blocks traffic from one source address to one destination address on a Check Point Next Generation Firewall (NGFW) by calling the block_ip task file of the acl_manager role, with both addresses supplied as variables:

- hosts: checkpoint
  # Talk to the Check Point management API rather than over SSH
  connection: httpapi
  tasks:
    - name: Create blocked IP
      include_role:
        name: acl_manager
        tasks_from: block_ip
      vars:
        # attacker_ip and target_ip are passed in at run time (extra vars or a
        # preceding task); the role builds and publishes the access rule
        source_ip: "{{ attacker_ip }}"
        destination_ip: "{{ target_ip }}"
        # With the check_point.mgmt collection use the fully qualified name,
        # ansible_network_os: check_point.mgmt.checkpoint
        ansible_network_os: checkpoint
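As an added example (not from the article or from the acl_manager role itself), the play below wraps the same block operation in the guardrails a responder wants before an alert is allowed to drive a firewall change: the address is checked to be a single IPv4 host, it may not be one of a constructed list of protected addresses that a spoofed alert could name, and the same play reverses the block when the incident is closed. It assumes the acl_manager role shown above (including its unblock_ip task file), an inventory group named checkpoint, and the extra variables attacker_ip, target_ip, and acl_action.

```yaml
# Added example, not the article's code. Assumes the acl_manager role with its
# block_ip and unblock_ip task files, an inventory group "checkpoint", and the
# extra vars attacker_ip, target_ip and (optionally) acl_action.
- name: Block or unblock an attacker on the perimeter firewall
  hosts: checkpoint
  connection: httpapi
  gather_facts: false
  vars:
    ansible_network_os: checkpoint
    # "block" while the incident is open, "unblock" once it is closed
    acl_action: block
    # Constructed list of addresses this play must never block, whatever an
    # alert claims: default gateway, internal DNS, the SIEM collector
    protected_ips:
      - 10.0.0.1
      - 10.0.0.53
      - 10.0.0.100
  tasks:
    - name: Refuse to act on anything that is not a single IPv4 host address
      ansible.builtin.assert:
        that:
          - attacker_ip is defined and target_ip is defined
          - acl_action in ['block', 'unblock']
          # A CIDR, a hostname or an empty string would silently widen the rule
          - "attacker_ip is match('^([0-9]{1,3}\\.){3}[0-9]{1,3}$')"
          - attacker_ip not in protected_ips
        fail_msg: "Refusing to {{ acl_action }} {{ attacker_ip | default('undefined') }}: not a single, non-protected IPv4 host"

    - name: Apply the block or unblock rule through the acl_manager role
      ansible.builtin.include_role:
        name: acl_manager
        # Resolves to block_ip or unblock_ip
        tasks_from: "{{ acl_action }}_ip"
      vars:
        source_ip: "{{ attacker_ip }}"
        destination_ip: "{{ target_ip }}"
```

Run it as `ansible-playbook block_ip.yml -e attacker_ip=203.0.113.7 -e target_ip=192.0.2.10` to block, and add `-e acl_action=unblock` with the same addresses to reverse it. The assert runs before any change reaches the firewall, so a malformed or spoofed value fails the play instead of producing a rule that is broader than intended.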

Intrusion detection and prevention systems

An intrusion detection and prevention system (IDPS) monitors network traffic for suspicious activity, issues alerts, and even blocks attacks when an attack pattern is discovered. Ansible simplifies rule and log management, making security operations more efficient.

Let's take a look at how automation works with a Snort IDPS:

- hosts: snort  # inventory group running the Snort sensor (not shown in the original fragment)
  vars:
    ids_provider: snort
    # Rule header fields; "any" matches all ports and addresses
    protocol: tcp
    source_port: any
    source_ip: any
    dest_port: any
    dest_ip: any
  tasks:
    - name: Add snort DDoS simulation rule
      include_role:
        name: "ids_rule"
      vars:
        # Alert on any HTTP request whose URI contains /ddos_simulation
        ids_rule: 'alert {{ protocol }} {{ source_ip }} {{ source_port }} -> {{ dest_ip }} {{ dest_port }} (msg:"Attempted DDoS Attack"; uricontent:"/ddos_simulation"; classtype:successful-dos; sid:99000010; priority:1; rev:1;)'
        ids_rules_file: '/etc/snort/rules/local.rules'
        ids_rule_state: present
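A rule with a syntax error is the failure mode to plan for here: the role reloads Snort after writing the file, and a reload that fails leaves the sensor blind until someone notices. The play below, added as an example and not taken from the article or the ids_rule role, adds the rule, asks Snort to parse its full configuration in test mode, and removes the rule again if either step fails. It assumes an inventory group named snort, the ids_rule role shown above, and Snort 2 with its main configuration at /etc/snort/snort.conf.

```yaml
# Added example, not the article's code. Assumes the ids_rule role, an
# inventory group "snort", and Snort 2 configured at /etc/snort/snort.conf.
- name: Add a Snort rule and roll it back if the configuration no longer parses
  hosts: snort
  become: true
  vars:
    ids_provider: snort
    ids_rules_file: /etc/snort/rules/local.rules
    snort_conf: /etc/snort/snort.conf   # assumed path
    # Constructed rule. Keep sid at or above 1000000: that range is reserved
    # for local rules, so it cannot collide with a distributed rule set.
    new_rule: 'alert tcp any any -> any any (msg:"Attempted DDoS Attack"; uricontent:"/ddos_simulation"; classtype:successful-dos; sid:99000010; priority:1; rev:1;)'
  tasks:
    - name: Add the rule, validate, and roll back on failure
      block:
        - name: Write the rule and let the role reload Snort
          ansible.builtin.include_role:
            name: ids_rule
          vars:
            ids_rule: "{{ new_rule }}"
            ids_rule_state: present

        - name: Parse the full configuration in test mode (-T exits without sniffing)
          ansible.builtin.command: snort -T -c {{ snort_conf }}
          changed_when: false
      rescue:
        - name: Remove the rule so the sensor comes back with its last good rule set
          ansible.builtin.include_role:
            name: ids_rule
          vars:
            ids_rule: "{{ new_rule }}"
            ids_rule_state: absent

        - name: Surface the failure after the rollback
          ansible.builtin.fail:
            msg: "Rule sid:99000010 was rejected by Snort and has been removed; see the failed task above"
```

The rescue section runs whether the role's own reload fails or the later `snort -T` check does, so the sensor is never left with an unparseable local.rules. Because the rule text lives in one variable, the rollback removes exactly the line that was added.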

Security information and event management

Security information and event management (SIEM) systems collect and analyze security events to detect and respond to threats. Ansible provides developers programmatic access to various data sources, giving security analysts as much data as possible to assess situations.

Take a look at automation for IBM QRadar XDR:

- name: Create a QRadar log source for the Check Point firewall
  hosts: qradar
  collections:
    - ibm.qradar
  tasks:
    - name: Create QRadar Log Source - Checkpoint
      qradar_log_source_management:
        name: "CheckPoint LogSource: {{ chkpnt_ip_addr }}"
        # Device Support Module that tells QRadar how to parse the events
        type_name: "Check Point FireWall-1"
        state: present
        description: Automated Creation of CheckPoint LS
        # Must match the source address QRadar sees on the incoming events
        identifier: "{{ chkpnt_ip_addr }}"
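Creating the log source is only half of the pipeline; nothing arrives in QRadar until the device is also told to send its events there. The two plays below, added as an example and not taken from the article, do both ends for the Snort sensor from the previous section: the first registers the sensor in QRadar, the second configures the sensor's syslog forwarding through the ansible-security log_manager role. They assume inventory groups named qradar and snort with a private_ip host variable on each, the ibm.qradar collection, and the log_manager role with its forward_logs_to_siem task file.

```yaml
# Added example, not the article's code. Assumes inventory groups "qradar" and
# "snort" (each with a private_ip host variable), the ibm.qradar collection,
# and the log_manager role from the ansible-security project.
- name: Register the Snort sensor as a QRadar log source
  hosts: qradar
  gather_facts: false
  collections:
    - ibm.qradar
  vars:
    snort_ip: "{{ hostvars[groups['snort'][0]]['private_ip'] }}"
  tasks:
    - name: Create QRadar log source for Snort
      qradar_log_source_management:
        name: "Snort rsyslog source - {{ snort_ip }}"
        type_name: "Snort Open Source IDS"
        state: present
        description: Automated creation of the Snort log source
        # The identifier is matched against the source of the syslog messages.
        # If NAT sits between sensor and SIEM, use the post-NAT address here,
        # otherwise the events land in an autodetected source with no DSM.
        identifier: "{{ snort_ip }}"

- name: Forward Snort alerts to QRadar over syslog
  hosts: snort
  become: true
  vars:
    ids_provider: snort
    qradar_ip: "{{ hostvars[groups['qradar'][0]]['private_ip'] }}"
  tasks:
    - name: Point the sensor's rsyslog at the SIEM
      ansible.builtin.include_role:
        name: log_manager
        tasks_from: forward_logs_to_siem
      vars:
        syslog_server: "{{ qradar_ip }}"
        syslog_server_port: 514
```

After the run, trigger the test rule (for example by requesting /ddos_simulation on a monitored host) and confirm the event appears under the new log source in QRadar's Log Activity view rather than under an autodetected one. Plain syslog on UDP 514 carries the alerts unauthenticated and in the clear, so on any network you do not fully control, move the forwarding to TCP with TLS if your collector supports it.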

Privileged access management

Privileged access management (PAM) tools monitor and manage privileged accounts and access, provide single sign-on (SSO), and replace hardcoded passwords in services and applications with credentials fetched from a vault at run time. Ansible allows developers to streamline the rotation and management of privileged credentials and to automate the prevention and remediation of high-risk activities.

For more details about how to automate PAM with Ansible and CyberArk, check out the article, Automating Security with CyberArk and Red Hat Ansible Automation Platform.

Endpoint protection platform

An endpoint protection platform (EPP) detects, investigates, and remediates malicious activities on endpoint devices—the most numerous and vulnerable elements of an IT infrastructure. Ansible integrates EPP tools into larger security processes, providing event-driven detection, quarantining, and remediation.

For more details about how to automate EPP with Ansible and Trend Micro Deep Security, read Automating Endpoint Protection with Ansible.

Ansible Automation Platform is the common language between security tools

Automation plays a crucial role in identifying and analyzing security events, and the plays above show the same pattern applied across firewalls, IDPS, SIEM, PAM, and EPP tools from a single automation platform. Learn more about security automation by downloading our ebook, Simplify your Security Operations Center. Get started with the Ansible Automation Platform by exploring interactive labs. For more documentation, please visit our Security Automation with Red Hat Ansible Automation Platform page.

Last updated: August 14, 2023