Cisco pxgrid: A New Architecture for Security Platform Integration

Transcription

1

2 Cisco pxgrid: A New Architecture for Security Platform Integration Brian Gonsalves Product Manager #clmel

3 Agenda Cisco pxgrid in Summary pxgrid Use-Cases How to Develop Using pxgrid Getting Started

4 Cisco pxgrid Context-Sharing & Network Mitigation Connecting Partners to Cisco Security Platforms Cisco Provides Network Context to Customer IT Platforms Use Eco-Partner Context for Cisco Network Policy for Customers Help Customer IT Environments Reach into the Cisco Network CISCO PLATFORM CONTEXT ECO-PARTNER CISCO PLATFORM CONTEXT ECO-PARTNER ECO-PARTNER ACTION CISCO PLATFORM Cisco Shares User/Device & Network Context with IT Infrastructure Cisco Receives Context from Eco- Partners to Make Better Network Access Policy MITIGATE CISCO NETWORK WHY CUSTOMERS CARE Puts Who, What Device, What Access with Events. Way Better than Just IP Addresses! Creates a Single Place for Comprehensive Network Access Policy thru Integration Decreases Time, Effort and Cost to Responding to Security and Network Events

5 pxgrid: Partners Connecting to Cisco Security Platforms and to Other Partners Authenticate Authorise Publish Discover Subscribe Query Cisco ISE as pxgrid Controller CISCO ISE I have location! I need app & identity Publish Continuous Publish Flow Directed pxgrid Query Discover Continuous TopicDiscover Context Flow Topic Directed Sharing Query I have application info! I need location & device-type I have sec events! I need identity & device I have identity & device! I need geo-location & MDM I have MDM info! I need location

6 pxgrid: Partners Connecting to Cisco Security Platforms and to Other Partners Authenticate Authorise Publish Discover Subscribe Query I have location! I need app & identity ISE as pxgrid Controller CISCO ISE Traditional APIs have many Limitations - pxgrid addresses these issues: Single-purpose function = need for many APIs/dev (and lots of testing) I have sec events! I need identity & device Publish Continuous Publish Flow Directed pxgrid Query Discover Continuous TopicDiscover Context Flow Topic Directed Sharing Query I have application info! I need location & device-type Not configurable = too much/little info for interface systems (scale issues) Pre-defined data exchange = wait until next release if you need a change I have identity & device! I need geo-location & MDM Polling architecture = can t scale beyond 1 or 2 system integrations Security can be loose I have MDM info! I need location

7 USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security Sensitive Asset Access Criteria: Who: User, Group Other Asset Sensitive Asset 87% of data breaches involve poor access rules we need to do this better. Verison Data Breach Report 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

8 ISE Context Completes the Picture Granular Application Data Control Vary this gent s application access privilege based on device enrollment, geo-location and access method Financial Reports ACCESS POLICY Critical Data WHO = Exec Group Only WHAT = No Non- Registered Mobile WHERE = UK Only WHEN = UK Business Hours Only HOW = No VPN Access Café Menus HR Database Access Criteria Non-Sensitive Sensitive Critical Data 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

9 pxgrid Architecture and Components pxgrid Controller pxgrid Controller Responsible for Control Plane: Establishing the grid instance Authenticating clients on to the grid Authorising what clients can do on the grid Maintaining directory of context information topics available on the grid pxgrid Client pxgrid Client pxgrid Clients (Eco-Partner Platforms) Responsible for: Utilising pxgrid Client Libraries (in SDK) to communicate with the pxgrid Controller If sharing contextual information, publishing it to a topic If consuming contextual information, subscribing to appropriate topic Filtering topics to exclude unwanted information Ad-hoc query to topics

10 Example: Evolution from REST to pxgrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues pxgrid Solution Periodic polling using REST API Publish & Subscribe notification push DB queries causing high I/O usage Bulk download takes more than 3 hours for 200,000 endpoints using REST API Receiving all attributes per session Use of syslog as interim approach - All events are processed No DB query with published events caching pxgrid provides XML streaming of sessions with pagination Provides semantic filtering capability (ex: location) to download only a subset To only send interested attributes through syntactic filtering Pubsub notification - only relevant events will be sent No visibility and mechanism to authorise, control who is accessing MnT Other issues: requires opening up firewall ports for reverse web services calls no support for federation Lacks scale with endpoints increase pxgrid provides single point of authentication and authorisation, allowing only authorised systems to access the MnT pxgrid provides visibility into topics, publishers, subscribers XMPP protocol supports bi-directionality with tunnelilng XMPP supports federation which can be used for identify federation use-cases pxgrid, through XMPP, can provide cluster-based scaling and HA

11 Cisco pxgrid SDK Components and Function Component Function Grid Client Library (GCL) in C and Java Sample pxgrid Data Output Sample Data Generator pxgrid Controller Virtual Machine for Testing Hosted Testing Sandbox pxgrid Documentation: Tutorials, Development Guides, testing guides, Software libraries for embedding in partner system Connects partner system to the pxgrid Sample data from Cisco ISE across a pxgrid connection to test with Generates live session data across a pxgrid connection Uses Cisco ISE user/device session data ISO of bundled Cisco ISE and pxgrid Controller for local testing in your lab Enables developer to connect to an already setup test environment Complete documentation to guide the developer from concept to implementation to verification testing

12 A Closer Look at the pxgrid Connection Library Connection to XCP (Jabber Extensible Communications Platform) Multiple XCP servers Round-robin auto retries Reports connection status Client certificate based authentication A root cert is installed in XCP XCP verifies client certs are signed by the root cert Capability subscription and publishing Capability is a set of queries and notifications supported pxgrid provides discovery of Capability Notifications are sent to XCP pubsub Queries are directly sent to Capability provider

13 How to Get Only the Context You Need pxgrid Message Filtering Allows subscriber to filter/restrict messages based on specified filter criteria. Two kinds of filters: Content Based Filters Restrict messages based on the content of the message e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet Schema Based Filter Allows clients to receive only a subset of attributes instead of the full message object Not supported in this phase

14 How to Install and Test Using the pxgrid SDK 1. Install pxgrid Controller: Install Cisco ISE 1.3 ISO on a VM. 2. Setup pxgrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxgrid client for mutual authentication to the pxgrid controller. 3. Enable pxgrid Controller: Enable pxgrid persona in Cisco ISE. 4. Setup pxgrid Test Client: Download SDK onto pxgrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS). 5. Authenticate pxgrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore. 6. Test with SDK Scripts: Run pxgrid sample scripts included in the SDK

15 Using the pxgrid Client Libraries Developer platforms interact with pxgrid by registering the appropriate query and notification callers and handlers as detailed below: Query Handler: A provider must register query handler with the pxgrid client library to service a query that it needs to expose over pxgrid. Query Caller: A query caller is created by assembling a request and calling the query method on the pxgrid connection. Notification Handler: Registers a notification handler with the pxgrid connection to receive notifications for a capability. Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.

16 pxgrid Sample Scripts Currently Available in the SDK Sample pxgrid scripts provide development partners with executable example code for how to use the API These scripts can also be useful in demos with customers Most commonly used pxgrid API scripts on Cisco ISE: Register: registers pxgrid client to the pxgrid controller to an authorised session or ANC/EPS group. Session Subscribe: pxgrid client subscribes to capability Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE Session Query by IP: retrieves all active session from ISE based on IP address Session Download: downloads all active sessions from ISE ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address Capability: queries the registered pxgrid client name for available topic provided by the publisher (ISE in this case)

17 Integration Demos Cisco ISE + Tenable Nessus

18 In Summary and How to Get Started Cisco pxgrid Enables: Integration between development partners and the Cisco security products Many-to-many integration scalability The ability to integrate once to pxgrid and reuse that implementation to interface with any other pxgrid platform (even other Cisco development partners) Integrations with the Cisco Identity Services Engine (ISE) are available today, with other platforms to follow in 2015 Get Started: Cisco Identity Services Engine (ISE) integrations available today Use user-to-ip address bindings answer who in your platforms Use device identification to answer what type of device in your platforms Use mitigation capabilities to take actions on users/device from your platform Access SDK, client libraries and tutorials at:

19 Q & A

20 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

21 Coming Up Next! Enterprise IOT Development Kit An Introduction and Deep Dive Session With Himanshu Mehra Introducing the Enterprise IOT DevKit, discussing use cases and using the SDK and interfaces.

22 Thank you. Join us on DevNet at developer.cisco.com Follow DevNet on

23