Joel W. King Engineering and Innovations - Network Solutions, World Wide Technology, Inc. [email protected]

$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki


2016 Phantom Cyber, Proprietary and Confidential,

Goal

How we got here?

Focus on ‘Why’ rather than ‘What’

Data Ingest

F5 App

Meraki App

Key Take-aways


whoami

Past Experience

NetApp: Digital Video Surveillance | Big Data | E-Series

Cisco: Enterprise Systems Engineering (ESE) Cisco Validated Designs (CVDs)

AMP Incorporated: Network Architect | CCIE No. 1846 (retired)

Joel W. King

[email protected]

@joel_w_king

github.com/joelwking

www.linkedin.com/in/programmablenetworks


World Wide Technology

Headquartered in St. Louis, Missouri

2015 revenue: $7.4 billion

Integration labs in the U.S. and Europe

2 million+ square feet of warehousing, distribution and integration space

3,000+ professionals

500+ engineers and technical resources

Business classification: Minority Business Enterprise (MBE)

Ownership: Privately held


Why the Interest in Automation?

feature nx-api

Nexus 3000 | 9000

Nexus 9000 ACI

APIC-EM


Why Start with Ingesting Data via REST API?

Prior experience with REST API calls

Provided a means to begin learning the architecture and Lexicon

Container

Artifact

Playbooks

Asset

Owners

CEF

Test data for apps and Playbooks


IP Phone Metadata collection

REST Ingest to Phantom

VoIPRemoteAddr

REST API Phantom Server

REST API

SOHO – RTP NC

Advanced Technology Center

>python meta_data_collection.py
Usage:
  python meta_data_collection.py <phone_ip_address> <token>

>python meta_data_collection.py 192.168.0.4 JWa4redactedRG2g=
Created container: 7 and artifact: 4


PhantomIngest.py

Class and methods to abstract creating a container and artifacts

https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest

import PhantomIngest as ingest
from basic_test_constants import *
#
# Initialize class
#
p = ingest.PhantomIngest(params['host'], params['token'])
#
# Create container
#
kontainer = {"name": "Cras_scelerisque", "description": "characters bear no relation to living persons"}
container_id = p.add_container(**kontainer)
#
# Create artifact
#
art_i_fact = {"name": "Lorem Ipsum", "source_data_identifier": "IR_3458575"}
cef = {'sourceAddress': '192.0.2.1', 'sourcePort': '6553'}
meta_data = {"mock content": "Nunc in a velit eu, risus fusce leo ligula"}
artifact_id = p.add_artifact(container_id, cef, meta_data, **art_i_fact)
#
# Show the result of the last REST call
#
print("%s \n%s \n%s" % (p.message, p.status_code, p.content))


Why develop an F5 app?

There wasn’t one!

WWT is an F5 Platinum Partner and 2016 Unity™ U.S. Partner of the Year.

Actively developing automation solutions for deploying F5 using Ansible.

DC 2

DC 1

F5 iControl – REST API

F5 Auto Config Sync

F5 Config.csv


F5 App shares F5 iControl code base


F5 Network Firewall Policies


Why a Cisco Meraki app?

Meraki is Cloud Controlled WiFi, Routing and Security targeted at branch offices.

User interface primarily a GUI, provisioning APIs in Beta, now released.

Wireless APs, security (firewall) appliance, Ethernet switch.

Commonly deployed for both employee and guest access.

Goal: Demonstration of Meraki API, return output to the Phantom playbook.


Meraki “locate device”

Organization

Network

Device

Client(s)

Meraki dashboard provides a top down view of the topology

App walks the tree and locates device based on a match in MAC or Description
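
The tree walk described above, as an added example that is not the Meraki app's own code: it searches a constructed Organization > Network > Device > Client(s) inventory for a client by MAC address (in any common notation) or by description substring. The inventory layout, the field names and the functions `normalize_mac` and `locate_device` are assumptions made for illustration, not Meraki API output.

```python
import re

# Constructed sample inventory (not real Meraki API output); the nesting mirrors
# the slide: Organization > Network > Device > Client(s).
INVENTORY = [
    {"name": "Example Org", "networks": [
        {"name": "Branch-RTP", "devices": [
            {"name": "AP-Lobby", "mac": "00:18:0a:aa:bb:01", "clients": [
                {"description": "Guest-iPhone", "mac": "f4:5c:89:11:22:33"},
                {"description": "Lobby-Kiosk", "mac": "3c:07:54:de:ad:01"},
            ]},
            {"name": "MX-Edge", "mac": "00:18:0a:aa:bb:02", "clients": [
                {"description": "finance-laptop", "mac": "a4:5e:60:c0:ff:ee"},
            ]},
        ]},
    ]},
]


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def locate_device(inventory, search):
    """Walk the tree; match clients on exact MAC or on description substring."""
    wanted_mac = normalize_mac(search)
    needle = search.strip().lower()
    hits = []
    for org in inventory:
        for net in org.get("networks", []):
            for dev in net.get("devices", []):
                for client in dev.get("clients", []):
                    desc = client.get("description") or ""
                    if wanted_mac:
                        matched = normalize_mac(client.get("mac", "")) == wanted_mac
                    else:
                        matched = bool(needle) and needle in desc.lower()
                    if matched:
                        hits.append({"organization": org["name"], "network": net["name"],
                                     "device": dev["name"], "client": desc,
                                     "mac": client.get("mac")})
    return hits


if __name__ == "__main__":
    for hit in locate_device(INVENTORY, "A45E.60C0.FFEE"):
        print(hit)
```

Each hit carries the full path down the tree, which is what a playbook needs in order to act on the right network and device.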


Key Take-aways

A community edition, extensible architecture is the ideal software delivery model in a Software-Defined world.

…select technologies that embrace open standards for ingesting data and enriching it.*

* https://blog.phantom.us/2016/07/14/series-defining-security-automation-orchestration-automatic-ingestion-enrichment-of-data/

Exploit regularity to create patterns, automate the patterns.

… Dinesh Dutt, Chief Scientist at Cumulus Networks


References

github.com/joelwking/Phantom-Cyber


Thank You