Phantom app: Ansible Tower

Copyright © 2016 World Wide Technology, Inc. All rights reserved. Phantom app: Ansible Tower 18 August 2016 Building And Automating The Next Generation Network Joel W. King Engineering and Innovations Network Solutions

Upload: joel-king

Post on 13-Jan-2017


TRANSCRIPT

Page 1: Phantom app:  Ansible Tower

Copyright © 2016 World Wide Technology, Inc. All rights reserved.

Phantom app: Ansible Tower

18 August 2016 Building And Automating The Next Generation Network

Joel W. King Engineering and Innovations Network Solutions

Page 2: Phantom app:  Ansible Tower

Abstract

Ansible Tower by Red Hat provides a visual dashboard (GUI) with role-based access control and inventory management for the open source Ansible orchestration and automation software. Tower provides an API which can be used to launch job templates, passing extra variables into the template in the body of the REST POST.

The Phantom app for Ansible Tower is a force multiplier for Phantom, providing a means to consume Ansible modules and playbooks without writing the module functionality as an app in Phantom.

FOR YOUR REFERENCE

Page 3: Phantom app:  Ansible Tower

Phantom app

Page 4: Phantom app:  Ansible Tower

Solution Architecture: Remote Triggered Black Hole

PHANTOM 2.0.67

ANSIBLE TOWER 3.0

ansible-tower.sandbox.wwtatc.local

phantom.sandbox.wwtatc.local

github.wwt.com

router bgp 65536……

ISR-2911-D.sandbox.wwtatc.local

Page 5: Phantom app:  Ansible Tower

Phantom Playbook

Page 6: Phantom app:  Ansible Tower

Job Template ID

Job template name or ID number can be specified

Page 7: Phantom app:  Ansible Tower

Ansible Playbook

"ip route {{malicious_ip}} 255.255.255.255 Null0 tag 66 name BGP_RTBH"

Page 8: Phantom app:  Ansible Tower

Ansible Job Template

Select Prompt on Launch

Page 9: Phantom app:  Ansible Tower

Ansible Job

extra vars provided from Phantom when job is launched
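
Because the playbook substitutes `malicious_ip` directly into a router command, the value passed to Tower as extra vars should be checked before the job is launched. The following is an added example, not code from the Phantom app or the original slides: it validates the address and builds the launch request for Tower's `/api/v1/job_templates/<id>/launch/` endpoint. The job template ID 42 and the protected ranges are assumptions; the host name is the one shown on the architecture slide.

```python
import ipaddress
import json

# Host name as shown on the architecture slide.
TOWER_HOST = "ansible-tower.sandbox.wwtatc.local"
# Assumed (constructed) ranges that must never be black-holed.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_malicious_ip(value):
    """Return the canonical dotted-quad string, or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("malicious_ip must be a string")
    # IPv4Address() accepts exactly one host address: prefixes, extra
    # tokens and embedded newlines raise a ValueError subclass.
    addr = ipaddress.IPv4Address(value.strip())
    if (addr.is_unspecified or addr.is_loopback or addr.is_multicast
            or addr.is_link_local or addr.is_reserved):
        raise ValueError("special-purpose address refused: %s" % addr)
    for net in PROTECTED_NETS:
        if addr in net:
            raise ValueError("%s is inside protected range %s" % (addr, net))
    return str(addr)


def build_launch_request(job_template_id, malicious_ip):
    """Return (url, json_body) for the job template launch POST."""
    ip = validate_malicious_ip(malicious_ip)
    url = "https://%s/api/v1/job_templates/%d/launch/" % (
        TOWER_HOST, int(job_template_id))
    body = json.dumps({"extra_vars": {"malicious_ip": ip}})
    return url, body


if __name__ == "__main__":
    # Constructed sample inputs; the last three must be rejected.
    samples = ["198.200.139.176", "10.1.1.1", "0.0.0.0/0",
               "192.0.2.1 255.255.255.255 Null0\nno ip route 0.0.0.0"]
    for sample in samples:
        try:
            print(build_launch_request(42, sample))
        except ValueError as err:
            print("rejected %r: %s" % (sample, err))
```

This example takes a numeric job template ID only; a template name would need its own lookup and validation.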

Page 10: Phantom app:  Ansible Tower

Router Configuration after playbook has executed

[phantom@localhost ansible_tower]$ ssh [email protected]:

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action.

WAN Edge (Outside) router

ISR-2911-D>en
Password:
ISR-2911-D#show run | inc RTBH
ip route 192.0.2.1 255.255.255.255 Null0 tag 66 name BGP_RTBH
ip route 198.200.139.176 255.255.255.255 Null0 tag 66 name BGP_RTBH

Page 11: Phantom app:  Ansible Tower

Solution Architecture: Incorporating ACI app

PHANTOM 2.0.67

ANSIBLE TOWER 3.0

github.wwt.com

router bgp 65536……

dbgacEpgToIp.yml: apply atomic counter configuration

atomic_counters.py

PhantomIngest.py

Create Incident in Phantom based on atomic counters exceeding threshold

Page 12: Phantom app:  Ansible Tower

Multiple variables can be passed to job template

Page 13: Phantom app:  Ansible Tower

Key Take-aways

Launching job templates from Phantom provides access to existing Ansible modules and playbooks.

The Phantom F5 app used a Python module written for Ansible.

Ideally, remotely triggered black hole (RTBH) should be a native Phantom app.

Challenge: BGP-speaking routers encompass a wide range of vendors and operating systems.

Page 14: Phantom app:  Ansible Tower

References

Ansible Tower: www.ansible.com/tower

Ansible Tower API Guide v3.0: docs.ansible.com/ansible-tower/latest/html/towerapi/

Source Code: github.com/joelwking/Phantom-Cyber/tree/master/ansible_tower
