Hello all, and today we will be talking about tips for adding capacity without changing security policies. To put us into context, we're thinking of a DevOps environment. Imagine you have a web farm with multiple web servers supporting your website, and you're anticipating a need for increased capacity: perhaps the marketing department is about to launch a new campaign, you expect a lot more traffic, and you need additional servers to support this traffic. Now, since this is something that happens often, you want to have an elastic and dynamic process for adding and removing such capacity. You want to minimize any type of security review, and you want to minimize the need for making any kind of changes to security policies and filtering policies in your environment, because that would slow you down. What I would like to do is to think about ways where you could make such changes, add additional servers, with minimal changes to the security policies allowing this traffic.

So here's the setup that I want us to think about. Here's the web farm over here; there is a red firewall separating it from the Internet, and then there's an orange firewall separating the web farm from internal resources inside the network. Now we want to add another server to the web farm cluster, right over there, and we want to do this while making as few changes as we can to the red and orange filtering policies.

The first thing that comes to our help is the load balancer. In front of the web farm we have a load balancer that balances the traffic across all the members of the farm, and it uses a virtual IP address; this is the external address of the load balancer. All incoming traffic from the outside going towards the web farm uses the virtual IP address; that is the way the web farm is advertised outside. And conveniently, the red firewall that is filtering traffic from the outside is configured to allow traffic to the virtual IP address, which means that we don't need to make any changes to the red firewall if we want to add another member to the farm. So the load balancer is our friend in this north-south traffic.
What about east-west traffic? Adding this extra server over here means that we need to allow traffic from the inside network to it, for instance to allow its content to be updated from the internal databases. This is something that we need to take care of; there is no load balancer here to assist us. So how can we do this while making as few changes as we can? I'd like to offer two possible directions for doing this.

The first is to use careful IP allocation. So imagine you have, inside your web farm, all the IP addresses of all the existing cluster members in the same subnet, in this case one 7200 0/24, and you can see that the security policy in the orange firewall uses this subnet as a destination; it does not list the individual IP addresses. What this means is that as long as you add the new server and give it an address in this subnet (so it's going to be lucky 13; that IP address is still within the subnet), this rule that's already in the orange policy is already allowing the necessary traffic from the inside to that new server, and you don't need to make any changes to the security policies if you can make the IP allocation in this fashion. This has both positive and negative properties. The positive is that you don't need to make any changes to the security policy. The negative is that you have to know in advance how many IP addresses you might need in the farm. If you over-allocated IP addresses, then you're wasting IP address space. If you're under-allocating, and you only plan for having eight as the maximum number of servers in the farm, and now you need the ninth one, then you're out of luck; this won't work anymore. If that is
the situation, and you either don't want to or cannot pre-allocate IP addresses for the farm in this way, and you want to use other IP addresses, perhaps you want to associate an address that is in a completely different subnet, then you need to do something else, and in this case I suggest relying on the concept of network objects. So if your orange security policy does not refer to the addresses using a subnet but instead has an object called, let's say, "web servers", and the definition of this object is the list of all the individual servers that were in the cluster before plus the new one (now these addresses don't need to be in a contiguous subnet; they can be any IP addresses), then when you're adding a new server you don't really need to change a rule in the security policy. You only need to make a change to the object, which is a lower-impact change and requires much faster review by security teams. And in some technologies, depending on the vendors that help you build the farm and the firewall, it's even possible to completely automate this object definition, so that when you add a server to the farm this object is automatically updated through an integration between these two technologies, and no human needs to make a change to this object. If you are not using such technologies, then you need to make a change request to modify the security policy, but it's a smaller change request: it only requires making a change to an object rather than a rule.

So when you're building out your web farm and you're anticipating the need for such elasticity in the capacity, choose the direction that you want to use: either use careful IP address allocation or use network objects in your security policy. That way, if you anticipate this form of usage, you can minimize making changes when you need to move rapidly and add capacity to your environment. Thank you for your attention, and see you next time.
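As an added illustration (not from the talk): a small Python model of the orange firewall's internal-to-farm rule in both directions the speaker describes, a rule whose destination is a pre-allocated subnet versus a rule whose destination is a "web_servers" network object. The subnet, the addresses and the `add_farm_member` automation hook are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: documentation-range addresses stand in for the farm.
# A /29 leaves only six usable host addresses, so it models the "planned for
# eight, now need a ninth" situation from the talk.
FARM_SUBNET = ipaddress.ip_network("192.0.2.0/29")

@dataclass
class Rule:
    src_zone: str
    dst: object          # an IPv4Network, or the name of a network object
    action: str = "allow"

@dataclass
class Policy:
    rules: list
    objects: dict = field(default_factory=dict)  # object name -> set of addresses

    def permits(self, src_zone: str, dst_ip: str) -> bool:
        """First matching rule wins; anything unmatched is implicitly denied."""
        ip = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if rule.src_zone != src_zone:
                continue
            if isinstance(rule.dst, ipaddress.IPv4Network):
                hit = ip in rule.dst                      # subnet-based rule
            else:
                hit = ip in self.objects.get(rule.dst, set())  # object-based rule
            if hit:
                return rule.action == "allow"
        return False

def subnet_policy() -> Policy:
    """Direction 1: the rule's destination is the pre-allocated farm subnet."""
    return Policy(rules=[Rule("internal", FARM_SUBNET)])

def object_policy(members) -> Policy:
    """Direction 2: the rule's destination is the 'web_servers' object."""
    pol = Policy(rules=[Rule("internal", "web_servers")])
    pol.objects["web_servers"] = {ipaddress.ip_address(m) for m in members}
    return pol

def add_farm_member(policy: Policy, ip: str) -> bool:
    """Hypothetical automation hook: on scale-out, update only the object.
    Returns True when the rule list was left untouched, i.e. the change is
    an object change rather than a rule change."""
    before = list(policy.rules)
    policy.objects["web_servers"].add(ipaddress.ip_address(ip))
    return policy.rules == before
```

With the subnet rule, a new member outside the planned range is denied until the rule itself is edited; with the object rule, the same address is permitted as soon as the object is updated, and the rule is never touched.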