DevNet Workshop - Learning Cisco Platform Exchange Grid (pxgrid) Dynamic Topics
Syam Appala, Principal Engineer
DEVNET-2433

Agenda
- Introduction to pxgrid
- pxgrid Operation
- Lab on Dynamic Topics
Contextual Awareness: Key to Security Event Prioritization and Response
Figure: the manual investigation chain for a single security event:
Security Event -> Associate User to Event (AAA Logs??) -> Associate User to Authorization (IAM) -> Check Endpoint Posture (NAC??) -> Where is it on the Network? -> What Kind of Device is it? -> Potential Breach Event -> How Do I Mitigate???
Result: MANY SCREENS, MISSING DATA, COMPLICATED MITIGATION
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What is Cisco Platform Exchange Grid (pxgrid)?
- A framework for sharing ISE contextual information with other security solutions
- Allows security vendors to share topics of information via Dynamic Topics
- Provides enforcement when an organization's security policy rules are violated, using Adaptive Network Control (ANC) mitigation actions
pxgrid with Context Sharing
Figure: ISE as pxgrid Controller (CISCO ISE) in the centre, with ecosystem clients exchanging context over pxgrid (Context Sharing):
- "I have location! I need app & identity"
- "I have application info! I need location & device-type"
- "I have sec events! I need identity & device"
- "I have identity & device! I need geo-location & MDM"
- "I have MDM info! I need location"
The next slide shows the same figure with the "Publish Context Sharing Topics" step added.
Operation
pxgrid Components: Publisher
- Publisher - ISE Admin & MnT node publishes Topic information
- Publisher - a pxgrid client can publish Topics
- Dynamic Topics introduced in ISE 2.0
pxgrid Components: Subscriber
- Subscriber - Cisco Security Solution or Ecosystem Partner subscribes to a Topic
pxgrid Components: Controller
- Authorizes and enforces client registration
- Performs client management
- Manages Publishers/Subscribers & Topics
ISE pxgrid Controller Enforces and Autho
Capabilities or Topics of Information
Schema for context sharing with registered pxgrid clients. Session Directory provides ISE contextual attributes, for example:
Session={
  ip=[192.168.1.15],
  Audit Session Id=0A000001000000170001B0AB,
  UserName=jeppich,
  ADUserDNSDomain=lab10.com,
  ADUserNetBIOSName=LAB10,
  ADUserResolvedIdentities=jeppich@lab10.com,
  ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com,
  MacAddresses=[00:50:56:86:C9:92],
  State=STARTED,
  ANCstatus=ANC_Quarantine,
  SecurityGroup=Quarantined_Systems,
  EndpointProfile=VMWare-Device,
  NAS IP=192.168.1.3,
  NAS Port=GigabitEthernet1/0/11,
  RADIUSAVPairs=[ Acct-Session-Id=0000002E],
  Posture Status=null,
  Posture Timestamp=,
  LastUpdateTime=Sat Jan 21 11:49:04 EST 2017,
  Session attributename=authorization_profiles,
  Session attributevalue=quarantined_systems,
  Providers=[None],
  EndpointCheckResult=none,
  IdentitySourceFirstPort=0,
  IdentitySourcePortStart=0,
  IdentitySourcePortEnd=0,
  IsMachineAuthentocation=false
}
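A subscriber receives the session object above as one flattened Session={...} string. The parser below is an added example (not Cisco SDK code) that splits it into a dictionary and pulls out the fields an analyst needs next to a security event: user, IP/MAC, the switch and port the endpoint is on, its Security Group, and whether ANC has already quarantined it. The sample session is constructed from the slide's values; the splitting rule (fields separated by ", " at bracket depth zero, DN components joined by a bare ",") is an assumption taken from the slide's layout.

```python
"""Parse a flattened pxgrid Session Directory object and summarize it.
Added example; the field-separator rule is inferred from the slide's sample."""
from __future__ import annotations
import re

# Constructed sample shaped like the slide's session object (subset of fields).
SAMPLE_SESSION = (
    "Session={ip=[192.168.1.15], Audit Session Id=0A000001000000170001B0AB, "
    "UserName=jeppich, ADUserDNSDomain=lab10.com, "
    "ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, "
    "MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, "
    "SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare-Device, "
    "NAS IP=192.168.1.3, NAS Port=GigabitEthernet1/0/11, "
    "RADIUSAVPairs=[ Acct-Session-Id=0000002E], Posture Status=null, "
    "LastUpdateTime=Sat Jan 21 11:49:04 EST 2017}"
)


def split_top_level(body: str) -> list[str]:
    """Split on ', ' only at bracket depth 0, so list values such as
    [a, b] stay intact. A DN like CN=x,CN=Users uses ',' without a space
    and is therefore kept as one value."""
    fields, depth, start, i = [], 0, 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0 and body.startswith(", ", i):
            fields.append(body[start:i])
            i += 2
            start = i
            continue
        i += 1
    fields.append(body[start:])
    return [f for f in fields if f]


def parse_value(raw: str):
    """Bracketed values become lists; 'null' and empty strings become None."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip() for v in raw[1:-1].split(",") if v.strip()]
    if raw in ("", "null"):
        return None
    return raw


def parse_session(text: str) -> dict:
    """Turn 'Session={k=v, k=[v1, v2], ...}' into a dict."""
    m = re.fullmatch(r"\s*Session=\{(.*)\}\s*", text, re.S)
    if not m:
        raise ValueError("not a Session={...} object")
    out = {}
    for field in split_top_level(m.group(1)):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        out[key.strip()] = parse_value(value)
    return out


def is_quarantined(session: dict) -> bool:
    """True when ANC has already placed the session in quarantine."""
    return session.get("ANCstatus") == "ANC_Quarantine"


def summarize(session: dict) -> dict:
    """The handful of attributes a responder wants alongside a security event."""
    return {
        "user": session.get("UserName"),
        "ip": (session.get("ip") or [None])[0],
        "mac": (session.get("MacAddresses") or [None])[0],
        "switch": session.get("NAS IP"),
        "port": session.get("NAS Port"),
        "security_group": session.get("SecurityGroup"),
        "quarantined": is_quarantined(session),
    }


if __name__ == "__main__":
    print(summarize(parse_session(SAMPLE_SESSION)))
```

The same split routine also handles RADIUSAVPairs, which arrives as a bracketed list of attribute=value pairs, so nothing inside the brackets is mistaken for a top-level field.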
pxgrid Client Groups
- Basic - provides ISE pxgrid node connectivity. The pxgrid admin must manually move the registered pxgrid client into the other client groups, most likely the Session group, which provides access to the pxgrid session objects
- Administrator - reserved for ISE published node clients
- Session - provides access to pxgrid session objects
- ANC - subscribes to ANC (AdaptiveNetworkControlService)
- EPS - subscribes to EPS (EndpointProtectionService)
- Publisher, Action, Subscribe - groups for dynamic topics
Lab on Dynamic Topics
Dynamic Topics - Benefits
- Allow a pxgrid client to interact with other clients and enforce a more accurate organizational security policy by including contextual information from the other security vendors
- Can help reduce false positives and false negatives in a security vendor's solution
pxgrid with Dynamic Topics
Figure (built up over slides 19-31): ISE as pxgrid Controller (CISCO ISE), with ecosystem clients joining one at a time:
1. A first client appears: "I have location! I need app & identity".
2. A second client appears: "I have application info! I need location & device-type"; the Publish step is shown.
3. The Discover Topic step is shown.
4. The two clients exchange data directly: Continuous Flow and Directed Query.
5. Further clients join the same way: "I have identity & device! I need geo-location & MDM", "I have sec events! I need identity & device", "I have MDM info! I need location".
6. Final slide: all five clients exchanging context via Continuous Flow and Directed Query, with ISE as the controller.
Workbench Lab Example
Scenario: Detection Networks is a fictitious company that uses honeypots to lure intruders into a false sense of security about the company's crown jewels.
- Publish BAD_HOSTS_Table
- Contains: IPAddress, MACAddress, FQDN, Username, and EndpointDevice information of the infected host
- VA Scanners subscribe to the BAD_HOSTS_Table and include the BAD_HOSTS_Table attributes in their security policy to scan for vulnerabilities
Dynamic Topic Workflow
Publisher:
1. Propose BAD_HOST_Table Topic
pxgrid Controller:
2. Admin approves topic
3. Publisher added to topic
4. Publisher, Session, Action Groups assigned
Publisher:
5. Publisher defines Query / Action Topics
6. Publishes events to topic
Subscriber:
7. Subscriber defines what topics to subscribe to
8. Subscriber subscribes to topic
9. Communication flows directly between Publisher and Subscriber
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
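The workflow above is really an authorization model: nothing moves until the admin approves the topic, a client in Basic can connect but not read data, only the proposer may publish, and directed queries are answered publisher-to-subscriber without the controller in the data path. The following added example (my own toy model, not the Cisco pxgrid SDK) replays the lab's steps against such a controller and records what is allowed and what is denied at each point. It assumes topic and query names are matched case-insensitively, which is suggested by the lab output (topicname=bad_hosts_table for BAD_HOSTS_Table); the client names, the response text and the `attempt` helper are constructed for the example.

```python
"""Toy model of the Dynamic Topic workflow: propose, admin approval, group
assignment, publish, subscribe, directed query. Added example, not SDK code;
names are lowercased on the assumption that matching is case-insensitive."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

Responder = Callable[[str, str], str]  # (operation, request id) -> response text


class PxGridError(Exception):
    """Raised when the controller refuses an operation."""


@dataclass
class Topic:
    name: str            # canonical (lowercased) topic name
    proposer: str        # client that owns the topic and answers its queries
    queries: set[str]    # query operation names, lowercased
    responder: Responder
    approved: bool = False


@dataclass
class Controller:
    """Authorizes clients and topics; never relays query data itself."""
    topics: dict[str, Topic] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)
    subscribers: dict[str, set[str]] = field(default_factory=dict)

    def register(self, client: str) -> None:
        # A newly registered client lands in Basic only: connectivity, no data.
        self.groups.setdefault(client, {"Basic"})

    def propose(self, client: str, name: str, queries: list[str], responder: Responder) -> str:
        key = name.lower()
        if client not in self.groups:
            raise PxGridError(f"{client} is not a registered client")
        if key in self.topics:
            raise PxGridError(f"topic {key} already exists")
        self.topics[key] = Topic(key, client, {q.lower() for q in queries}, responder)
        return key  # pending admin approval

    def admin_approve(self, key: str) -> None:
        topic = self.topics[key]
        topic.approved = True
        # Approval adds the proposer to the dynamic-topic groups.
        self.groups[topic.proposer] |= {"Publisher", "Session", "Action"}

    def admin_assign(self, client: str, group: str) -> None:
        self.groups[client].add(group)

    def _approved(self, key: str) -> Topic:
        topic = self.topics.get(key.lower())
        if topic is None or not topic.approved:
            raise PxGridError(f"topic {key} is not approved")
        return topic

    def subscribe(self, client: str, key: str) -> None:
        topic = self._approved(key)
        if "Session" not in self.groups.get(client, set()):
            raise PxGridError(f"{client} is only in Basic; admin must move it to Session")
        self.subscribers.setdefault(topic.name, set()).add(client)

    def publish(self, client: str, key: str, payload: str) -> list[str]:
        topic = self._approved(key)
        if client != topic.proposer or "Publisher" not in self.groups[client]:
            raise PxGridError(f"{client} may not publish to {topic.name}")
        return sorted(self.subscribers.get(topic.name, set()))  # recipients of payload

    def resolve_query(self, client: str, key: str, operation: str) -> Responder:
        """Authorize a directed query and hand back the publisher's handler;
        the subscriber then calls it directly (communication flows directly)."""
        topic = self._approved(key)
        if client not in self.subscribers.get(topic.name, set()):
            raise PxGridError(f"{client} is not subscribed to {topic.name}")
        if operation.lower() not in topic.queries:
            raise PxGridError(f"{operation} is not a query of {topic.name}")
        return topic.responder


def bad_hosts_responder(operation: str, request: str) -> str:
    # Constructed stand-in for the publisher's lookup, in the lab's response shape.
    return f"response[{operation}]resp-004 - for request[{request}]"


def attempt(action) -> str:
    """Run an operation and report whether the controller allowed or denied it."""
    try:
        action()
        return "allowed"
    except PxGridError:
        return "denied"


def run_lab() -> dict:
    """Replay the slide's workflow and record each outcome."""
    ctl = Controller()
    ctl.register("DetectionNetworks")
    ctl.register("VA_Scanners")
    out: dict = {}
    key = ctl.propose("DetectionNetworks", "BAD_HOSTS_Table",
                      ["ipaddress", "macaddress", "FQDN", "Username", "EndpointDevice"],
                      bad_hosts_responder)
    out["topic"] = key
    out["publish_before_approval"] = attempt(lambda: ctl.publish("DetectionNetworks", key, "pub-notif-001"))
    ctl.admin_approve(key)
    out["subscribe_from_basic"] = attempt(lambda: ctl.subscribe("VA_Scanners", key))
    ctl.admin_assign("VA_Scanners", "Session")   # the manual move the Client Groups slide describes
    ctl.subscribe("VA_Scanners", key)
    out["delivered"] = ctl.publish("DetectionNetworks", key, "pub-notif-001")
    handler = ctl.resolve_query("VA_Scanners", key, "EndpointDevice")
    out["response"] = handler("endpointdevice", "req-002")
    out["unknown_query"] = attempt(lambda: ctl.resolve_query("VA_Scanners", key, "geolocation"))
    return out


if __name__ == "__main__":
    print(run_lab())
```

The two denials in `run_lab` are the ones worth keeping in mind when a lab client "connects OK" but sees nothing: the topic has not been approved yet, or the client is still only in the Basic group.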
Propose a New Topic
./propose_capability.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseca.jks -q Cisco123 -g Session -d pxgrid
New Publisher
------- properties -------
version=1.0.4.17
hostnames=192.168.1.230
username=detectionnetworks
password=
group=basic
description=pxgrid
keystorefilename=mac22.jks
keystorepassword=cisco123
truststorefilename=rootiseca.jks
truststorepassword=cisco123
--------------------------
11:55:40.837 [Thread-1] INFO com.cisco.pxgrid.reconnectionmanager - Started Connecting...
11:55:40.856 [Thread-1] INFO com.cisco.pxgrid.configuration - Connecting to host 192.168.1.230
11:55:41.193 [Thread-1] INFO com.cisco.pxgrid.configuration - Connected OK to host 192.168.1.230
11:55:41.194 [Thread-1] INFO com.cisco.pxgrid.configuration - Client Login to host 192.168.1.230
11:55:41.461 [Thread-1] INFO com.cisco.pxgrid.configuration - Client Login OK to host 192.168.1.230
Connected
Adding BAD_HOST Topic and Query Items
New capability? (y/n): y
Enter capability name: BAD_HOSTS_Table
Enter capability version: 1.0
Enter capability description: Infected Hosts Table
Enter vendor platform: DetectionNetworks
Enter query name (<enter> to continue): ipaddress
Enter query name (<enter> to continue): macaddress
Enter query name (<enter> to continue): FQDN
Enter query name (<enter> to continue): Username
Enter query name (<enter> to continue): EndpointDevice
Enter query name (<enter> to continue):
Enter action name (<enter> to continue):
Proposing new capability...
Press <enter> to disconnect...
change=created; capability=bad_hosts_table, version=1.0
Authorization changed
Connection closed
The New Topic is Proposed
Admin Approves Topic
Topic is Created
Client Groups Added
Generic_publisher.properties
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="publisher"
GENERIC_QUERY_NAME_SET=""
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET="pub-notif-001,pub-notif-002,pub-notif-003"
GENERIC_REQUEST_DATA_SET=""
GENERIC_RESPONSE_DATA_SET="resp-001,resp-002,resp-003,resp-004"
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"
Publishing Topic
./generic_client.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseca.jks -q Cisco123 -c generic_publisher.properties
Initialized : GenericClient:
  topicname=bad_hosts_table
  clientmode=publisher
  sleepinterval=500
  iterations=20
  querynameset=[]
  actionnameset=[]
  publishdataset=[pub-notif-001, pub-notif-002, pub-notif-003]
  requestdataset=[]
  responsedataset=[resp-001, resp-002, resp-003, resp-004]
---
Publishing BAD_HOSTS_Table and Query Items
Connected
12:11:19.020 [Thread-1] INFO com.cisco.pxgrid.reconnectionmanager - Connected
Publishing notification: GenericMessage:
  messagetype=notification
  capabilityname=bad_hosts_table
  operationname=samplenotification
  body: content:
    contenttags=[notif-tag-201]
    contenttype=plain_text
    value=notification[1485105079225]pub-notif-001
Publishing notification: GenericMessage:
Publisher Successfully Registers as pxgrid Client
Generic_subscriber.properties
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="subscriber"
GENERIC_QUERY_NAME_SET="ipAddress,macaddress,FQDN,Username,EndpointDevice"
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET=""
GENERIC_REQUEST_DATA_SET="req-001,req-002,req-003"
GENERIC_RESPONSE_DATA_SET=""
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"
Subscribing to Capability
./generic_client.sh -a 192.168.1.230 -u VA_Scanners -k mac22.jks -p Cisco123 -t rootiseca.jks -c generic_subscriber.properties
Initialized : GenericClient:
  topicname=bad_hosts_table
  clientmode=subscriber
  sleepinterval=500
  iterations=20
  querynameset=[ipaddress, macaddress, FQDN, Username, EndpointDevice]
  actionnameset=[]
  publishdataset=[]
  requestdataset=[req-001, req-002, req-003]
  responsedataset=[]
Subscribing to BAD_Hosts_Table and Query Items
Sending request: GenericMessage:
  messagetype=request
  capabilityname=bad_hosts_table
  operationname=endpointdevice
  body: content:
    contenttags=[query-tag-301]
    contenttype=plain_text
    value=query[1485105417176]req-002
Received response: GenericMessage:
  messagetype=response
  capabilityname=bad_hosts_table
  operationname=endpointdevice
  body: content:
    contenttags=[resp-tag-101]
    contenttype=plain_text
    value=response[1485105417203]resp-004 - for request[query[1485105417176]req-002]
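Every directed-query response in the output above carries a back-reference to the request it answers (`- for request[query[<ts>]<id>]`). That reference is what lets a subscriber tell a genuine answer from a stray or replayed one. The added example below (my own code, not part of the lab kit) parses the GenericMessage log lines, pairs each response with its pending request on the capability and operation name, measures the round-trip from the embedded millisecond timestamps, and reports requests that never got an answer and responses that match no outstanding request. The log excerpt is constructed in the lab's format: the first two lines mirror the slide, and two further lines were added to exercise the unanswered and unsolicited cases.

```python
"""Correlate pxgrid generic_client request/response log lines.
Added example; the log excerpt is constructed in the shape of the lab output."""
from __future__ import annotations
import re

SAMPLE_LOG = """\
Sending request: GenericMessage: messagetype=request capabilityname=bad_hosts_table operationname=endpointdevice body: content: contenttags=[query-tag-301] contenttype=plain_text value=query[1485105417176]req-002
Received response: GenericMessage: messagetype=response capabilityname=bad_hosts_table operationname=endpointdevice body: content: contenttags=[resp-tag-101] contenttype=plain_text value=response[1485105417203]resp-004 - for request[query[1485105417176]req-002]
Sending request: GenericMessage: messagetype=request capabilityname=bad_hosts_table operationname=ipaddress body: content: contenttags=[query-tag-301] contenttype=plain_text value=query[1485105417700]req-003
Received response: GenericMessage: messagetype=response capabilityname=bad_hosts_table operationname=ipaddress body: content: contenttags=[resp-tag-101] contenttype=plain_text value=response[1485105418000]resp-001 - for request[query[1485105400000]req-009]
"""

# One regex covers both directions; the trailing group is only present on responses.
MSG_RE = re.compile(
    r"messagetype=(?P<type>request|response) capabilityname=(?P<cap>\S+) "
    r"operationname=(?P<op>\S+) .*?value=(?P<kind>query|response)\[(?P<ts>\d+)\](?P<id>\S+)"
    r"(?: - for request\[(?P<ref>query\[\d+\]\S+?)\])?"
)


def parse_messages(log: str) -> list[dict]:
    """Extract type, capability, operation, timestamp, id and back-reference per line."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])  # epoch milliseconds as emitted by the client
            msgs.append(d)
    return msgs


def correlate(msgs: list[dict]) -> dict:
    """Pair responses with pending requests; flag unanswered and unsolicited ones."""
    pending: dict[str, dict] = {}  # "query[ts]id" -> request message
    report = {"matched": [], "unanswered": [], "unsolicited": []}
    for m in msgs:
        if m["type"] == "request":
            pending[f"query[{m['ts']}]{m['id']}"] = m
            continue
        ref = m["ref"]
        req = pending.get(ref) if ref else None
        # A valid answer must cite an outstanding request on the same capability and operation.
        if req and req["cap"] == m["cap"] and req["op"] == m["op"]:
            del pending[ref]
            report["matched"].append((req["id"], m["id"], m["ts"] - req["ts"]))
        else:
            report["unsolicited"].append(m["id"])
    report["unanswered"] = [r["id"] for r in pending.values()]
    return report


if __name__ == "__main__":
    print(correlate(parse_messages(SAMPLE_LOG)))
```

On the constructed excerpt, req-002 is answered by resp-004 in 27 ms, req-003 stays unanswered, and resp-001 is unsolicited because it cites a request id that was never sent.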
Subscriber Consumes Topic
Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions
Q & A
Thank You