DevNet Workshop-Learning Cisco platform Exchange Grid (pxgrid) Dynamic Topics

Size: px

Start display at page:

Download "DevNet Workshop-Learning Cisco platform Exchange Grid (pxgrid) Dynamic Topics"

Gregory Hoover
6 years ago
Views:

2 DevNet Workshop-Learning Cisco platform Exchange Grid (pxgrid) Dynamic Topics Syam Appala, Principal Engineer DEVNET-2433

3 Agenda Introduction to pxgrid pxgrid Operation Lab on Dynamic Topics

What Kind of Device is it? Potential Breach Event Security Event AAA Logs?? How Do I Mitigate?

4 Contextual Awareness Key to Security Event Prioritization and Response Associate User to Event Associate User to Authorization IAM Check Endpoint Posture NAC?? Where is it on the Network? What Kind of Device is it? Potential Breach Event Security Event AAA Logs?? How Do I Mitigate??? MANY SCREENS, MISSING DATA COMPLICATED MITIGATION 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 What is Cisco Platform Exchange Grid (pxgrid) It is a framework for sharing ISE contextual information with other security solutions Allows security vendors to share topic of information via Dynamic Topics Provides enforcement of an organization s security policy rules violation using Adaptive Network Control Mitigation Actions (ANC) DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 pxgrid with Context Sharing ISE as pxgrid Controller CISCO ISE I have location! I need app & identity pxgrid Context Sharing I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 6

I need location & device-type I have sec events! I need identity & device I have identity & device!

7 pxgrid with Context Sharing ISE as pxgrid Controller CISCO ISE I have location! I need app & identity pxgrid Publish Context Sharing Topics I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Operation

pxgrid Components Publisher Pusblisher - ISE Admin & MnT node publishes Topic

pxgrid Components Publisher Pusblisher - pxgrid client can publish Topics Dynamic Topics

pxgrid Components Subscriber Subscriber- Cisco Security Solution or Ecosystem Partner

12 pxgrid Components Controller Authorizes and enforces client registration Performs client management Manages Publisher/Subscriber & Topics DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 12

ISE pxgrid Controller Enforces and Autho DEVNET-2433 2017

14 Capabilities or Topics of Information Schema for context sharing with registered pxgrid clients Session Directory provides ISE contextual attributes Session={ip=[ ], Audit Session Id=0A B0AB, UserName=jeppich, ADUserDNSDomain=lab10.com, ADUserNetBIOSName=LAB10, ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare- Device, NAS IP= , NAS Port=GigabitEthernet1/0/11, RADIUSAVPairs=[ Acct-Session- Id= E], Posture Status=null, Posture Timestamp=, LastUpdateTime=Sat Jan 21 11:49:04 EST 2017, Session attributename=authorization_profiles, Session attributevalue=quarantined_systems, Providers=[None], EndpointCheckResult=none, IdentitySourceFirstPort=0, IdentitySourcePortStart=0, IdentitySourcePortEnd=0, IsMachineAuthentocation=false} DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 15

15 pxgrid Client Groups Basic provides ISE pxgrid node connectivity. The pxgrid admin, must manually move the registered pxgrid client into the other client groups, most likely the Session group, which provides access to the pxgrid session objects Administrator reserved for ISE published node clients Session- provides access to pxgrid session objects ANC- subscribes to ANC AdaptiveNetworkControlService EPS- subscribes to EPS EndpointProtectionService Publisher, Action, Subscribe Group for dynamic topics DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 16

16 Lab on Dynamic Topics

17 Dynamic Topics- Benefits Allow pxgrid client to interact with other clients and enforce a more accurate organizationalsecurity policy by including contextual information from the other security vendors Can help reduce false positives and false negatives in a security vendor s solution DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 18

21 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Publish I have application info! I need location & device-type DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 22

22 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Publish I have application info! I need location & device-type DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 23

23 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Discover Topic I have application info! I need location & device-type DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 24

24 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Discover Topic I have application info! I need location & device-type DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 25

25 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Continuous Flow Directed Query I have application info! I need location & device-type DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 26

26 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity I have application info! I need location & device-type I have identity & device! I need geo-location & MDM DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 27

27 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity I have application info! I need location & device-type I have identity & device! I need geo-location & MDM DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 28

28 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity I have application info! I need location & device-type I have identity & device! I need geo-location & MDM DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 29

29 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 30

30 pxgrid with Dynamic Topics ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Continuous Flow Directed Query I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 31

31 Workbench Lab Example Scenario: Detection Networks is a ficticious company that uses honeypots to lure intruders into false security of the companies crown jewels. - Publish BAD_HOSTS_Table - Conatins: IPAddrss, MACAddress, FQDN, Username, and EndpointDevicr information of infected host -VA Scanners subscribe to the BAD_HOSTS_Table and include the BAD_HOSTS_Table attributes in their security policy to scan for vulnerabilities DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 32

32 Dynamic Topic Workflow Publisher pxgrid Controller Subscriber Propose BAD_HOST_Table Topic Admin approves topic Publishes events to topic Publisher added to topic Publisher defines Query Action Topics Publisher, Session, Action Groups Assigned Subscriber defines what topics to subscribe to Subscriber subscribes to topic Communication Flows Directly 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

33 Propose a New Topic /propose_capability.sh -a u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseca.jks -q Cisco123 -g Session -d pxgrid New Publisher properties version= hostnames= username=detectionnetworks password= group=basic description=pxgrid keystorefilename=mac22.jks keystorepassword=cisco123 truststorefilename=rootiseca.jks truststorepassword=cisco :55: [Thread-1] INFO com.cisco.pxgrid.reconnectionmanager - Started Connecting... 11:55: [Thread-1] INFO com.cisco.pxgrid.configuration - Connecting to host :55: [Thread-1] INFO com.cisco.pxgrid.configuration - Connected OK to host :55: [Thread-1] INFO com.cisco.pxgrid.configuration - Client Login to host :55: [Thread-1] INFO com.cisco.pxgrid.configuration - Client Login OK to host Connected DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 34

34 Adding BAD_HOST Topic and Query Items New capability? (y/n): y Enter capability name: BAD_HOSTS_Table Enter capability version: 1.0 Enter capability description: Infected Hosts Table Enter vendor platform: DetectionNetworks Enter query name (<enter> to continue): ipaddress Enter query name (<enter> to continue): macaddress Enter query name (<enter> to continue): FQDN Enter query name (<enter> to continue): Username Enter query name (<enter> to continue): EndpointDevice Enter query name (<enter> to continue): Enter action name (<enter> to continue): Proposing new capability... Press <enter> to disconnect...change=created; capability=bad_hosts_table, version=1.0 Authorization changed Connection closed DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 35

Admin Approves Topic DEVNET-2433 2017 Cisco and/or

Topic is Created DEVNET-2433 2017 Cisco and/or

Client Groups Added DEVNET-2433 2017 Cisco and/or

39 Generic_publisher.properties GENERIC_TOPIC_NAME="BAD_HOSTS_Table" GENERIC_CLIENT_MODE="publisher" GENERIC_QUERY_NAME_SET="" GENERIC_ACTION_NAME_SET="" GENERIC_PUBLISH_DATA_SET="pub-notif-001,pub-notif-002,pub-notif-003" GENERIC_REQUEST_DATA_SET="" GENERIC_RESPONSE_DATA_SET="resp-001,resp-002,resp-003,resp-004" GENERIC_SLEEP_INTERVAL="500" GENERIC_ITERATIONS="20" DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 40

40 Publishing Topic /generic_client.sh -a u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseca.jks -q Cisco123 -c generic_publisher.properties Initialized : GenericClient: topicname=bad_hosts_table clientmode=publisher sleepinterval=500 iterations=20 querynameset=[] actionnameset=[] publishdataset=[pub-notif-001, pub-notif-002, pub-notif-003] requestdataset=[] responsedataset=[resp-001, resp-002, resp-003, resp-004] --- DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 41

41 Publishing BAD_HOSTS_Table and Query Items Connected 12:11: [Thread-1] INFO com.cisco.pxgrid.reconnectionmanager - Connected Publishing notification: GenericMessage: messagetype=notification capabilityname=bad_hosts_table operationname=samplenotification body: content: contenttags=[notif-tag-201] contenttype=plain_text value=notification[ ]pub-notif-001 Publishing notification: GenericMessage: DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Publisher Successfully Registers as pxgrid Client DEVNET-2433

43 Generic_subscriber.properties GENERIC_TOPIC_NAME="BAD_HOSTS_Table" GENERIC_CLIENT_MODE="subscriber" GENERIC_QUERY_NAME_SET="ipAddress,macaddress,FQDN,Username,EndpointDevice" GENERIC_ACTION_NAME_SET="" GENERIC_PUBLISH_DATA_SET="" GENERIC_REQUEST_DATA_SET="req-001,req-002,req-003" GENERIC_RESPONSE_DATA_SET="" GENERIC_SLEEP_INTERVAL="500" GENERIC_ITERATIONS="20" DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 44

44 Subscribing to Capability./generic_client.sh -a u VA_Scanners -k mac22.jks -p Cisco123 -t rootiseca.jks -c generic_subscriber.properties Initialized : GenericClient: topicname=bad_hosts_table clientmode=subscriber sleepinterval=500 iterations=20 querynameset=[ipaddress, macaddress, FQDN, Username, EndpointDevice] actionnameset=[] publishdataset=[] requestdataset=[req-001, req-002, req-003] responsedataset=[] DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 45

45 Subscribing to BAD_Hosts_Table and Query Items Sending request: GenericMessage: messagetype=request capabilityname=bad_hosts_table operationname=endpointdevice body: content: contenttags=[query-tag-301] contenttype=plain_text value=query[ ]req-002 Received response: GenericMessage: messagetype=response capabilityname=bad_hosts_table operationname=endpointdevice body: content: contenttags=[resp-tag-101] contenttype=plain_text value=response[ ]resp for request[query[ ]req-002] DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Subscriber Consumes Topic DEVNET-2433 2017 Cisco

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

47 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 48

48 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 49

49 Q & A

50 Thank You

Using Cisco pxgrid for Security Platform Integration

Using Cisco pxgrid for Security Platform Integration Brian Gonsalves Sr. Product Manager Syam Appala Principal Engineer DEVNET-1010 Agenda Cisco pxgrid in Summary pxgrid Use-Cases How to Develop Using