Cisco pxGrid: A New Architecture for Security Platform Integration


Cisco pxGrid: A New Architecture for Security Platform Integration
Brian Gonsalves, Product Manager
#clmel

Agenda
- Cisco pxGrid in summary
- pxGrid use-cases
- How to develop using pxGrid
- Getting started

Cisco pxGrid: Context-Sharing & Network Mitigation
Connecting Partners to Cisco Security Platforms

1. Cisco provides network context to customer IT platforms: Cisco shares user/device and network context with IT infrastructure (Cisco platform -> context -> eco-partner).
2. Use eco-partner context for Cisco network policy for customers: Cisco receives context from eco-partners to make better network access policy (eco-partner -> context -> Cisco platform).
3. Help customer IT environments reach into the Cisco network: an eco-partner action is sent to the Cisco platform to mitigate on the Cisco network.

Why customers care:
- Puts who, what device and what access with events. Way better than just IP addresses!
- Creates a single place for comprehensive network access policy through integration
- Decreases the time, effort and cost of responding to security and network events

pxGrid: Partners Connecting to Cisco Security Platforms and to Other Partners

Cisco ISE as pxGrid controller: Authenticate, Authorise, Publish, Discover, Subscribe, Query

Grid operations:
- Publish: continuous publish flow
- Discover: topic discovery
- Subscribe: continuous context sharing on a topic
- Query: directed pxGrid query

Partners on the grid, each with context to offer and context it needs:
- "I have location! I need app & identity"
- "I have application info! I need location & device-type"
- "I have sec events! I need identity & device"
- "I have identity & device! I need geo-location & MDM"
- "I have MDM info! I need location"

pxGrid: Partners Connecting to Cisco Security Platforms and to Other Partners (continued)

Traditional APIs have many limitations; pxGrid addresses these issues:
- Single-purpose function = need for many APIs/dev (and lots of testing)
- Not configurable = too much/little info for interface systems (scale issues)
- Pre-defined data exchange = wait until next release if you need a change
- Polling architecture = can't scale beyond 1 or 2 system integrations
- Security can be loose

Use Case: Context from Cisco Identity Services Engine (ISE) to an Application Control System to Increase Application Security

Sensitive asset access criteria:
- Who: user, group
- Assets: other asset / sensitive asset

"87% of data breaches involve poor access rules; we need to do this better." (Verizon Data Breach Report)

2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

ISE Context Completes the Picture: Granular Application Data Control

Vary this gent's application access privilege based on device enrolment, geo-location and access method.

Access criteria by data class:
- Non-sensitive: café menus
- Sensitive: HR database
- Critical data: financial reports

Access policy for critical data:
- WHO = Exec group only
- WHAT = no non-registered mobile
- WHERE = UK only
- WHEN = UK business hours only
- HOW = no VPN access
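The critical-data policy above, evaluated in code as an added example (this is not from the slides or any Cisco product). The context field names (user_group, device_registered, country, access_method, local_time) and the reading of "UK business hours" as 09:00-17:00 Monday to Friday in UK local time are this example's own assumptions; the point is that every one of the WHO/WHAT/WHERE/WHEN/HOW attributes comes from ISE session context rather than from the IP address alone, and that the evaluator denies by default and reports each failed criterion.

```python
"""Added example: evaluate the slide's WHO/WHAT/WHERE/WHEN/HOW policy for critical data
against ISE-style session context. Field names and the 09:00-17:00 Mon-Fri business-hours
window are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class SessionContext:
    """What an ISE session contributes: who, what device, where and how they connected."""
    user: str
    user_group: str
    device_registered: bool      # enrolled / registered endpoint (MDM or ISE registration)
    device_type: str             # e.g. "Mobile", "Laptop"
    country: str                 # geo-location as an ISO-style country code
    access_method: str           # "Wired", "Wireless" or "VPN"
    local_time: datetime         # session time already expressed in UK local time (assumption)


BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)   # assumed UK business hours


def evaluate_critical_data_access(ctx: SessionContext) -> Tuple[bool, List[str]]:
    """Return (allowed, failed_criteria). Deny by default; every failed rule is reported
    so the application owner can see which context attribute blocked the request."""
    failed: List[str] = []
    if ctx.user_group != "Exec":                                   # WHO = Exec group only
        failed.append("WHO: not in Exec group")
    if ctx.device_type == "Mobile" and not ctx.device_registered:  # WHAT = no non-registered mobile
        failed.append("WHAT: non-registered mobile device")
    if ctx.country != "GB":                                        # WHERE = UK only
        failed.append("WHERE: outside UK")
    in_hours = (ctx.local_time.weekday() < 5
                and BUSINESS_START <= ctx.local_time.time() < BUSINESS_END)
    if not in_hours:                                               # WHEN = UK business hours only
        failed.append("WHEN: outside business hours")
    if ctx.access_method == "VPN":                                 # HOW = no VPN access
        failed.append("HOW: VPN access not permitted")
    return (not failed, failed)


def demo() -> List[Tuple[str, bool, List[str]]]:
    """Constructed sessions: a compliant exec, the same exec over VPN, and a staff member
    on an unregistered phone abroad after hours."""
    monday_10am = datetime(2015, 3, 16, 10, 0)   # constructed timestamp (a Monday)
    cases = [
        SessionContext("alice", "Exec", True, "Laptop", "GB", "Wired", monday_10am),
        SessionContext("alice", "Exec", True, "Laptop", "GB", "VPN", monday_10am),
        SessionContext("bob", "Staff", False, "Mobile", "FR", "Wireless",
                       monday_10am.replace(hour=20)),
    ]
    return [(c.user, *evaluate_critical_data_access(c)) for c in cases]


if __name__ == "__main__":
    for user, allowed, failed in demo():
        print(user, "ALLOW" if allowed else "DENY", failed)
```

Returning the full list of failed criteria, rather than stopping at the first, is deliberate: when the application control system logs the decision alongside the ISE session, an analyst can tell a policy-tuning problem (one criterion) from an anomalous access attempt (several).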

pxGrid Architecture and Components

pxGrid Controller, responsible for the control plane:
- Establishing the grid instance
- Authenticating clients on to the grid
- Authorising what clients can do on the grid
- Maintaining a directory of the context information topics available on the grid

pxGrid Clients (eco-partner platforms), responsible for:
- Utilising the pxGrid client libraries (in the SDK) to communicate with the pxGrid controller
- If sharing contextual information, publishing it to a topic
- If consuming contextual information, subscribing to the appropriate topic
- Filtering topics to exclude unwanted information
- Ad-hoc queries to topics

Example: Evolution from REST to pxGrid (Cisco ISE User/Device Context-Sharing Example)

Session context sharing from ISE MnT: periodic polling using the REST API
  Issues:
  - DB queries causing high I/O usage
  - Bulk download takes more than 3 hours for 200,000 endpoints using the REST API
  - Receiving all attributes per session
  pxGrid solution:
  - Publish & subscribe notification push
  - No DB query; published events are cached
  - pxGrid provides XML streaming of sessions with pagination
  - Semantic filtering capability (e.g. location) to download only a subset
  - Syntactic filtering so that only the attributes of interest are sent

Use of syslog as an interim approach
  Issue: all events are processed
  pxGrid solution: pub/sub notification, so only relevant events are sent

Other issues
  - No visibility into, or mechanism to authorise and control, who is accessing MnT
  - Requires opening up firewall ports for reverse web-services calls
  - No support for federation
  - Lacks scale as endpoints increase
  pxGrid solution:
  - pxGrid provides a single point of authentication and authorisation, allowing only authorised systems to access MnT
  - pxGrid provides visibility into topics, publishers and subscribers
  - The XMPP protocol supports bi-directionality with tunnelling
  - XMPP supports federation, which can be used for identity federation use-cases
  - pxGrid, through XMPP, can provide cluster-based scaling and HA

Cisco pxGrid SDK Components and Function

- Grid Client Library (GCL) in C and Java: software libraries for embedding in the partner system; connects the partner system to the pxGrid
- Sample pxGrid Data Output: sample data from Cisco ISE across a pxGrid connection to test with
- Sample Data Generator: generates live session data across a pxGrid connection; uses Cisco ISE user/device session data
- pxGrid Controller Virtual Machine for Testing: ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab
- Hosted Testing Sandbox: enables the developer to connect to an already set up test environment
- pxGrid Documentation (tutorials, development guides, testing guides): complete documentation to guide the developer from concept to implementation to verification testing

A Closer Look at the pxGrid Connection Library

Connection to XCP (Jabber Extensible Communications Platform):
- Multiple XCP servers
- Round-robin auto retries
- Reports connection status

Client certificate based authentication:
- A root cert is installed in XCP
- XCP verifies that client certs are signed by the root cert

Capability subscription and publishing:
- A capability is a set of queries and notifications supported
- pxGrid provides discovery of capabilities
- Notifications are sent to XCP pubsub
- Queries are sent directly to the capability provider

How to Get Only the Context You Need: pxGrid Message Filtering

Allows a subscriber to filter/restrict messages based on specified filter criteria. Two kinds of filters:
- Content-based filters: restrict messages based on the content of the message, e.g. an ASA device interested in receiving session information from ISE only for endpoints belonging to a subnet
- Schema-based filter: allows clients to receive only a subset of attributes instead of the full message object (not supported in this phase)

How to Install and Test Using the pxGrid SDK

1. Install pxGrid Controller: install the Cisco ISE 1.3 ISO on a VM.
2. Set up pxGrid Controller/Client key-stores and trust-stores: import the sample certificates from the SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller.
3. Enable pxGrid Controller: enable the pxGrid persona in Cisco ISE.
4. Set up pxGrid Test Client: download the SDK onto the pxGrid client. This can be installing the client libraries in your platform or hosting them on an external test client (Linux box, e.g. CentOS).
5. Authenticate pxGrid Client: import the ISE identity sample cert into your platform or the Linux client, and add it to the keystore.
6. Test with SDK Scripts: run the pxGrid sample scripts included in the SDK.

Using the pxGrid Client Libraries

Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below:
- Query Handler: a provider must register a query handler with the pxGrid client library to service a query that it needs to expose over pxGrid.
- Query Caller: a query caller is created by assembling a request and calling the query method on the pxGrid connection.
- Notification Handler: registers a notification handler with the pxGrid connection to receive notifications for a capability.
- Notifier: to be able to publish notifications, the developer platform must first invoke a publish capability method.
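To make the controller duties, the connection library's two delivery paths and the message filters concrete, here is a constructed, self-contained model of a pxGrid-style grid. It is an added example and not the Cisco SDK: GridController, ClientCert, GridAuthError, publish_capability and the other names are this example's own, and certificate verification is reduced to an issuer-name check against the trust store (a labelled simplification of "XCP verifies client certs are signed by the root cert"). It shows authentication and authorisation of clients, the capability directory, a content-based subnet filter and a schema-based attribute filter applied to notifications fanned out through pubsub, and a directed query routed straight to the provider's registered query handler.

```python
"""Added example: model of a pxGrid-style grid (not the Cisco SDK; all names are this
example's own). Controller control plane + filtered pubsub + direct query path."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class GridAuthError(Exception):
    """Client failed authentication or is not authorised for the requested action."""


@dataclass(frozen=True)
class ClientCert:
    subject: str   # stand-in for an X.509 client certificate: only subject and issuer
    issuer: str


@dataclass
class Subscription:
    handler: Callable[[dict], None]
    content_filter: Optional[Callable[[dict], bool]] = None  # content-based filter
    attributes: Optional[Set[str]] = None                    # schema-based filter


class GridController:
    """Control plane: trust store, per-client authorisation, capability directory, pubsub."""
    def __init__(self, trusted_root: str, authz: Dict[str, Dict[str, Set[str]]]):
        self.trusted_root = trusted_root      # the root cert "installed in XCP"
        self.authz = authz                    # subject -> action -> allowed capabilities
        self.authenticated: Set[str] = set()
        self.directory: Dict[str, str] = {}   # capability -> publishing client
        self.subs: Dict[str, List[Subscription]] = {}
        self.query_handlers: Dict[str, Callable[[dict], dict]] = {}

    def authenticate(self, cert: ClientCert) -> None:
        # Simplification: a real controller verifies the signature chain; here the
        # issuer name must equal the trusted root.
        if cert.issuer != self.trusted_root:
            raise GridAuthError(f"{cert.subject}: cert not signed by trusted root")
        self.authenticated.add(cert.subject)

    def _authorise(self, subject: str, action: str, capability: str) -> None:
        if subject not in self.authenticated:
            raise GridAuthError(f"{subject}: not authenticated")
        if capability not in self.authz.get(subject, {}).get(action, set()):
            raise GridAuthError(f"{subject}: not authorised to {action} {capability}")

    def publish_capability(self, subject, capability, query_handler=None) -> None:
        """Provider registers a capability (and optionally its query handler) in the directory."""
        self._authorise(subject, "publish", capability)
        self.directory[capability] = subject
        if query_handler is not None:
            self.query_handlers[capability] = query_handler

    def discover(self) -> Dict[str, str]:
        return dict(self.directory)

    def subscribe(self, subject, capability, handler, content_filter=None, attributes=None):
        self._authorise(subject, "subscribe", capability)
        self.subs.setdefault(capability, []).append(
            Subscription(handler, content_filter, attributes))

    def notify(self, subject: str, capability: str, message: dict) -> int:
        """Fan a notification out through pubsub, applying each subscriber's filters."""
        self._authorise(subject, "publish", capability)
        delivered = 0
        for sub in self.subs.get(capability, []):
            if sub.content_filter is not None and not sub.content_filter(message):
                continue
            payload = dict(message) if sub.attributes is None else \
                {k: v for k, v in message.items() if k in sub.attributes}
            sub.handler(payload)
            delivered += 1
        return delivered

    def query(self, subject: str, capability: str, request: dict) -> dict:
        """Directed query: routed straight to the provider's registered handler."""
        self._authorise(subject, "query", capability)
        if capability not in self.query_handlers:
            raise LookupError(f"no query handler registered for {capability}")
        return self.query_handlers[capability](request)


def run_demo() -> dict:
    """ISE publishes sessions; an ASA subscribes with subnet + schema filters; a rogue
    certificate and an unauthorised publish by the SIEM are both rejected."""
    grid = GridController("pxgrid-root-ca", {
        "ise": {"publish": {"session"}},
        "asa": {"subscribe": {"session"}, "query": {"session"}},
        "siem": {"subscribe": {"session"}},
    })
    sessions = {  # constructed sample session data
        "10.1.5.20": {"ip": "10.1.5.20", "user": "alice", "group": "Exec", "device": "Laptop"},
        "10.2.9.7": {"ip": "10.2.9.7", "user": "bob", "group": "Staff", "device": "Phone"},
    }
    for subject in ("ise", "asa", "siem"):
        grid.authenticate(ClientCert(subject, "pxgrid-root-ca"))
    grid.publish_capability("ise", "session", lambda req: sessions.get(req["ip"], {}))
    received: List[dict] = []
    in_subnet = lambda m: ipaddress.ip_address(m["ip"]) in ipaddress.ip_network("10.1.0.0/16")
    grid.subscribe("asa", "session", received.append, in_subnet, {"ip", "user"})
    delivered = [grid.notify("ise", "session", s) for s in sessions.values()]
    errors = []
    for attempt in (lambda: grid.authenticate(ClientCert("rogue", "self-signed")),
                    lambda: grid.notify("siem", "session", sessions["10.1.5.20"])):
        try:
            attempt()
        except GridAuthError as exc:
            errors.append(str(exc))
    return {"directory": grid.discover(), "delivered": delivered, "received": received,
            "query": grid.query("asa", "session", {"ip": "10.2.9.7"}), "errors": errors}
```

Two design points carry over to the real thing: authorisation is checked on every operation, not only at registration, so a client that may subscribe cannot also publish into a topic; and the schema filter is applied at the controller before delivery, so a subscriber never receives attributes it was not entitled to, which is what makes "only the context you need" a security property rather than only a bandwidth one.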

pxGrid Sample Scripts Currently Available in the SDK

Sample pxGrid scripts provide development partners with executable example code for how to use the API. These scripts can also be useful in demos with customers. The most commonly used pxGrid API scripts on Cisco ISE:
- Register: registers the pxGrid client to the pxGrid controller to an authorised session or ANC/EPS group
- Session Subscribe: the pxGrid client subscribes to a capability
- Identity Group Download: downloads user identity information, such as the user and profiled group information, from active sessions in ISE
- Session Query by IP: retrieves all active sessions from ISE based on IP address
- Session Download: downloads all active sessions from ISE
- ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address
- ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address
- Capability: queries the registered pxGrid client name for the available topics provided by the publisher (ISE in this case)
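The "Session Download" and "Session Query by IP" scripts, and the earlier REST-to-pxGrid comparison ("XML streaming of sessions with pagination", semantic filtering by location, syntactic filtering of attributes), both come down to consuming a session feed incrementally. The following added example (not Cisco code) shows that consumption pattern over a constructed XML feed; the element layout `<sessions><session ip=".." user=".." location=".." device=".." state=".."/></sessions>` is this example's own assumption, not the pxGrid wire format. It parses with `iterparse` so that memory stays flat however many sessions the feed contains, which is the property that matters at the 200,000-endpoint scale the slides mention.

```python
"""Added example (not Cisco code): incremental consumption of a paginated XML session feed
with semantic (location) and syntactic (attribute) filtering, plus a query by IP.
The XML layout below is an assumption for this example, not the pxGrid wire format."""
import io
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Optional

# Constructed sample feed standing in for active sessions from ISE MnT.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<sessions>
  <session ip="10.1.5.20" user="alice" location="London" device="Laptop" state="STARTED"/>
  <session ip="10.1.5.21" user="carol" location="London" device="Phone" state="STARTED"/>
  <session ip="10.2.9.7" user="bob" location="Sydney" device="Phone" state="STARTED"/>
  <session ip="10.2.9.8" user="dave" location="Sydney" device="Laptop" state="DISCONNECTED"/>
  <session ip="10.3.1.1" user="erin" location="London" device="Tablet" state="STARTED"/>
</sessions>"""


def stream_sessions(feed: bytes, page_size: int, location: Optional[str] = None,
                    attributes: Optional[List[str]] = None) -> Iterator[List[Dict[str, str]]]:
    """Yield pages of sessions without loading the whole document into memory.

    location   -> semantic filter: only sessions at that location are returned
    attributes -> syntactic filter: only these attributes are kept per session
    """
    page: List[Dict[str, str]] = []
    # iterparse hands us each <session> as soon as its end tag has been read.
    for _event, elem in ET.iterparse(io.BytesIO(feed), events=("end",)):
        if elem.tag != "session":
            continue
        if location is not None and elem.get("location") != location:
            elem.clear()
            continue
        record = dict(elem.attrib)
        if attributes is not None:
            record = {k: record[k] for k in attributes if k in record}
        page.append(record)
        elem.clear()   # drop the element; only the dict we built is retained
        if len(page) == page_size:
            yield page
            page = []
    if page:
        yield page


def download_sessions(feed: bytes, page_size: int = 2, location: Optional[str] = None,
                      attributes: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Collect every page: the full (filtered) session list, as a 'session download' would."""
    return [s for page in stream_sessions(feed, page_size, location, attributes) for s in page]


def session_by_ip(feed: bytes, ip: str) -> Optional[Dict[str, str]]:
    """Directed lookup: stop parsing at the first session whose ip matches."""
    for _event, elem in ET.iterparse(io.BytesIO(feed), events=("end",)):
        if elem.tag == "session" and elem.get("ip") == ip:
            return dict(elem.attrib)
    return None


if __name__ == "__main__":
    for n, page in enumerate(stream_sessions(SAMPLE_FEED, 2, "London", ["ip", "user"])):
        print(f"page {n}: {page}")
    print(session_by_ip(SAMPLE_FEED, "10.2.9.7"))
```

Against a real feed the bytes would arrive from the pxGrid connection rather than a constant, but the shape is the same: filter as you parse, emit a page as soon as it fills, and never hold more than one page plus the element being read.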

Integration Demos Cisco ISE + Tenable Nessus

In Summary and How to Get Started

Cisco pxGrid enables:
- Integration between development partners and the Cisco security products
- Many-to-many integration scalability
- The ability to integrate once to pxGrid and reuse that implementation to interface with any other pxGrid platform (even other Cisco development partners)
- Integrations with the Cisco Identity Services Engine (ISE) are available today, with other platforms to follow in 2015

Get started:
- Cisco Identity Services Engine (ISE) integrations are available today
- Use user-to-IP address bindings to answer "who" in your platforms
- Use device identification to answer "what type of device" in your platforms
- Use mitigation capabilities to take actions on users/devices from your platform
- Access the SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/

Q & A

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations:
- Directly from your mobile device on the Cisco Live Mobile App
- By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
- Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected in the World of Solutions on Friday 20 March, 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com

Coming Up Next! Enterprise IoT Development Kit: An Introduction and Deep Dive Session with Himanshu Mehra. Introducing the Enterprise IoT DevKit, discussing use cases and using the SDK and interfaces.

Thank you. Join us on DevNet at developer.cisco.com Follow DevNet on Twitter: @ciscodevnet