Using Cisco pxgrid for Security Platform Integration

Transcription

1

2 Using Cisco pxgrid for Security Platform Integration Brian Gonsalves Sr. Product Manager Nancy Cam-Winget Distinguished Engineer DEVNET-1010

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#devnet Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda Cisco pxgrid in Summary pxgrid Use-Cases How to Develop Using pxgrid Getting Started pxgrid SECURITY THRU INTEGRATION

5 Context is the Currency of the Solution Integration Realm but it s not easy to execute I have reputation info! I need threat data I have sec events! I need reputation SIO I have application info! I need location & auth-group I have NBAR info! I need identity I have NetFlow! I need entitlement I have threat data! I need reputation I have firewall logs! I need identity We Need But to Integration Share Burden Context is on & IT Take Departments Network Actions I have location! I need identity I have MDM info! I need location I have app inventory info! I need posture I have identity & device-type! I need app inventory & vulnerability DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Context is the Currency of the Solution Integration Realm but it s not easy to execute but pxgrid accomplishes this I have reputation info! I need threat data I have sec events! I need reputation SIO I have application info! I need location & auth-group I have NBAR info! I need identity I have NetFlow! I need entitlement I have threat data! I need reputation I have firewall logs! I need identity pxgrid Context Sharing Event Response I have location! I need identity I have MDM info! I need location I have app inventory info! I need posture I have identity & device-type! I need app inventory & vulnerability DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Cisco pxgrid Context-Sharing & Network Mitigation Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners 1 ISE Makes Customer IT Platforms User/Identity, Device and Network Aware 2 Make ISE a Better Network Policy Platform for Customers 3 Help Customer IT Environments Reach into the Cisco Network ISE ECO-PARTNER ISE ECO-PARTNER ECO-PARTNER ISE CONTEXT CONTEXT ACTION ISE Shares User/Device & Network Context with IT Infrastructure Puts Who, What Device, What Access with Events. Way Better than Just IP Addresses! ISE Receives Context from Eco-Partners to Make Better Network Access Policy BENEFITS Creates a Single Place for Comprehensive Network Access Policy thru Integration MITIGATE CISCO NETWORK Decreases Time, Effort and Cost to Responding to Security and Network Events DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy Is it still on the network? Is Where? this event important? I need more info Is this a server? Smartphone? Did this come over VPN? What s their access level? What s their posture? Who is this? What else is on the network? NETWORK ALERT! SRC/ DST/ : HTTP DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Application Access Controls Today Operating with Less than Half the Picture Sensitive Asset ACCESS CRITERIA: Who: User, Group Other Asset Sensitive Asset 87% of data breaches involve poor access rules we need to do this better. Verizon Data Breach Report DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Application Access Controls Today Operating with Less than Half the Picture Vary this gent s application access privilege based on device enrollment, network-location and access method Financial Reports ACCESS POLICY Critical Data WHO = Exec Group Only WHAT = No Non-Registered Mobile WHERE = US Only WHEN = US Business Hours Only HOW = No VPN Access Data from Cisco ISE Café Menus HR Database Access Criteria Non-Sensitive Sensitive Critical Data DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 pxgrid Industry Adoption Critical Mass 50 Partner Product Integrations and 12 Technology Areas in 2 Years Since Production Release Net/App Performance UEBA Firewall & Policy Management SIEM & Analytics Cisco ISE IAM & SSO Endpoint & Custom Detection? pxgrid Application Protection Vulnerability Management Forensics and IR Rapid Threat Containment (RTC) CASB EMM/MDM Deception Application Protection: Arxan SIEM and Analytics: HanSight, Hawk*, Huntsman*, LogRhythm*, Micro Focus NetIQ*, Splunk*, TripWire* CASB: Elastica*, NetSkope, Skyhigh Deception: Attivo, illusive*, TrapX* Endpoint and Custom Detection: Invincea*, Redshift*, ThreatTrack Firewall and Policy Management: Bayshore*, Check Point, InfoBlox*, Intelliment, Cisco FMC* Forensics and IR: Cisco Cognitive Threat Analytics*, Lumeta, Endace, Cisco Stealthwatch*, Lemonfish*, TripWire* IAM/SSO: Ping Identity, Secureauth*, Situational Other: Cisco WSA, Ark NSS****, Cisco ISE PIC Threat Intelligence: Infocyte* UEBA: E8*, Exabeam*, Fortscale*, Niara, Greenlight**** Vulnerability Management: Rapid 7*, SAINT*, Tenable*, Tripwire* Solutions * Rapid Threat Containment, ** Regulatory and Compliance Solution ***IoT, ****Regulatory and Compliance DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 How pxgrid Works: Partners Connecting to Cisco Security Platforms and to Other Partners Publisher: Authenticate Authorize Publish Subscriber: Authenticate Authorize Discover Subscribe Query Cisco ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Publish Continuous Publish Flow Directed pxgrid Query Discover Continuous TopicDiscover Context Flow Topic Directed Sharing Query I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 How pxgrid Works: Partners Connecting to Cisco Security Platforms and to Other Partners Publisher: Authenticate Authorize Publish Subscriber: Authenticate Authorize Discover Subscribe Query I have location! I need app & identity ISE as pxgrid Controller CISCO ISE Traditional APIs have many limitations - pxgrid addresses these issues: Single-purpose function = need for many APIs/dev (and lots of testing) I have sec events! I need identity & device Publish Continuous Publish Flow Directed pxgrid Query Discover Continuous TopicDiscover Context Flow Topic Directed Sharing Query I have application info! I need location & device-type Not configurable = too much/little info for interface systems (scale issues) Pre-defined data exchange = wait until next release if you need a change I have identity & device! I need geo-location & MDM Polling architecture = can t scale beyond 1 or 2 system integrations Security can be loose I have MDM info! I need location DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 pxgrid: Adaptive Network Control Makes Cisco Infrastructure a Unified Event Response Network Adaptive Network Control provides the ability to: Quarantine user devices from 3 rd party products, such as SIEM systems Enlist other Cisco infrastructure in the network response such as dynamic ACLs on switches and ASA or increase IPS inspection levels User/Device Quarantine 1-touch network mitigation action from 3 rd party partner console ISE as unified policy point pxgrid ANC API Dynamic ACLs, Increase Inspection DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Cisco pxgrid Framework in Summary Bi-directional data-exchange and network services integration framework Any-to-any partner platform integration designed for multiple platforms to share data and call network service functions simultaneously Take only the data you need, share only what you want make changes without software/api revisions Integrate once, re-use with any pxgrid-enabled partner Integrated authentication, privilege authorization, and data encryption Open to entire Cisco Developer community DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 How to Develop Using pxgrid

17 pxgrid Architecture & Components pxgrid Controller pxgrid Controller Responsible for Control Plane: Establishing the grid instance Authenticating clients on to the grid Authorizing what clients can do on the grid Maintaining directory of context information topics available on the grid pxgrid Client pxgrid Client pxgrid Clients (Eco-Partner Platforms) Responsible for: Utilizing pxgrid Client Libraries (in SDK) to communicate with the pxgrid Controller If sharing contextual information, publishing it to a topic If consuming contextual information, subscribing to appropriate topic Filtering topics to exclude unwanted information Ad-hoc query to topics DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Example: Evolution from REST to pxgrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues Periodic polling using REST API pxgrid Solution Publish & Subscribe notification push DB queries causing high I/O usage No DB query with published events caching Bulk download takes more than 3 hours for 200,000 endpoints using REST API Receiving all attributes per session Use of syslog as interim approach - All events are processed No visibility and mechanism to authorize, control who is accessing MnT Other issues: requires opening up firewall ports for reverse web services calls no support for federation Lacks scale with endpoints increase pxgrid provides XML streaming of sessions with pagination Provides semantic filtering capability (ex: location) to download only a subset To only send interested attributes through syntactic filtering Pubsub notification - only relevant events will be sent pxgrid provides single point of authentication and authorization, allowing only authorized systems to access the MnT pxgrid provides visibility into topics, publishers, subscribers XMPP protocol supports bi-directionality with tunneling XMPP supports federation pxgrid scaling and HA is achieved by leveraging XMPP server architecture DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Cisco pxgrid SDK Components & Function Component Function Grid Client Library (GCL) in C and Java Software libraries for embedding in partner system Connects partner system to the pxgrid Sample pxgrid Data Output Sample data from Cisco ISE across a pxgrid connection to test with Sample Data Generator pxgrid Controller Virtual Machine for Testing Hosted Testing Sandbox pxgrid Documentation: Tutorials, Development Guides, testing guides, Generates live session data across a pxgrid connection Uses Cisco ISE user/device session data ISO of bundled Cisco ISE and pxgrid Controller for local testing in your lab Enables developer to connect to an already setup test environment Complete documentation to guide the developer from concept to implementation to verification testing DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 A Closer Look at the pxgrid Connection Library Connection to pxgrid Server Multiple pxgrid servers Round-robin auto retries Reports connection status Client certificate based authentication A root cert is installed in pxgrid server pxgrid server verifies client certs are signed by the root cert Added Pre-Shared Key (PSK) authentication in ISE 2.1 Capability subscription and publishing Capability is a set of queries and notifications supported pxgrid provides discovery of Capability Notifications are sent to XMPP pub/sub Queries are directly sent to Capability provider DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 How to Get Only the Context You Need pxgrid Message Filtering Allows subscriber to filter/restrict messages based on filter criteria specified by the Publisher Two kinds of filters: Content Based Filters Restrict messages based on the content of the message e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet Schema Based Filter Allows clients to receive only a subset of attributes instead of the full message object Not supported in this phase DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Topic Extensibility with Dynamic Topics PxGrid Topic Extensibility feature allows a pxgrid client to programmatically setup a topic for sharing information and providing actions as part of the service. This allows a partner system to become of producer of context. Setting up the topic In order for the grid clients to participate in a service, the topic needs to be setup with appropriate operations and authorizations. Any pxgrid client can send a request to the pxgrid controller to setup a topic by giving the metadata that describes the service. The Administrator (ISE) will approve / deny the request As the Administrator takes an action (approves / denies), a topic status change notification will be sent to the grid clients with appropriate status. DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Topic Extensibility with Dynamic Topics Once the topic is approved, three authorization groups will be available for the Administrator to assign the privileges for the clients whether they will be allowed for publish, subscribe / query and send action requests. dynamictopic_publish Gives permission for publishing messages dynamictopic_subscribe Gives permission to subscribe to the events and send query requests dynamictopic_action Gives permission to send action requests Once the topic is created and Administrator assigns the subscriber group to a client, it can send query requests and subscribe to the topic. DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 How to Install and Test Using the pxgrid SDK 1. Install pxgrid Controller: Install Cisco ISE 2.x ISO on a VM. 2. Setup pxgrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxgrid client for mutual authentication to the pxgrid controller 3. Enable pxgrid Controller: Enable pxgrid persona in Cisco ISE 4. Setup pxgrid Test Client: Download SDK onto pxgrid client. This can be installing client libraries in your platform or hosting on an external test client (Linux box, e.g. CentOS) 5. Authenticate pxgrid Client: Import the ISE identity sample cert into your platform or the Linux client, and add to key store 6. Test with SDK Scripts: Run pxgrid sample scripts included in the SDK DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 pxgrid Sample Scripts Currently Available in the SDK Sample pxgrid scripts provide development partners with executable example code for how to use the API These scripts can also be useful in demos with customers Most commonly used pxgrid API scripts on Cisco ISE: Register: registers pxgrid client to the pxgrid controller to an authorized session or ANC/EPS group. Session Subscribe: pxgrid client subscribes to capability Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE Session Query by IP: retrieves all active session from ISE based on IP address Session Download: downloads all active sessions from ISE ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address Capability: queries the registered pxgrid client name for available topic provided by the publisher (ISE in this case) DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 26

26 Getting Started

27 pxgrid on Cisco DevNet Access to Documentation, tutorials, SDKs Developer focused Video series DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 28

28 pxgrid Sandbox Available on Cisco DevNet DevNet Sandbox pxgrid environment allows users to integrate with pxgrid services on Cisco ISE DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 29

29 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

30 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions DEVNET Cisco and/or its affiliates. All rights reserved. Cisco Public 31

31 Q & A

32 Thank you

33