InSpec goes networking

Recently we announced the release of InSpec for cloud platforms like AWS, Azure, and VMware. It demonstrates InSpec’s evolution in going from operating systems compliance to platforms and APIs compliance. During the keynote at ChefConf 2017, Christoph Hartmann highlighted another part of this evolution: InSpec’s support for network management APIs.

In this vein, we collaborated with Intelliment Security to bring InSpec closer to their network automation suite. This allows users to verify configuration of an heterogenous network equipment environment in a consistent manner. By combining Intelliment’s ability to define and read active network policies with InSpec’s ability to verify and report infrastructure, users are enabled to verify their network infrastructure continuously.

Intelliment Security Dashboard

One example is to ensure that no internet connections are allowed in a DMZ. The following InSpec rule will use Intelliment’s API to retrieve internet connections from a DMZ network segment. InSpec can then apply checks to determine if the rule is in the expected state (no connections, or the connection table is empty).

control 'nw03' do
 title 'All internet connections must be terminated in the DMZ'
 describe(internet_connections.where { destination['network']['name'] !~ /dmz/i }) do
 it { should be_empty }
InSpec Report

The state of this test will be visible in your InSpec report, as shown above. As with all of our new API integrations, you can leverage all of the InSpec features such as attributes, profiles and reporting. Since InSpec is embeddable in CI/CD pipelines we bring the same “shift-left” experience that we provide for server environments into the networking world. Network testing is no longer a point in time action, rather an ongoing quality gate in your Continuous Automation strategy.

Dominik Richter

Dominik is an Engineering Manager on the Core Engineering team at Chef.