Using Cisco pxGrid for Security Platform Integration: a deep dive

DEVNET-1124

Using Cisco pxGrid for Security Platform

Integration

John EppichTechnical Marketing Engineer

David KoenigHead of Business Development and

Strategy, Situational Corp.

Ranjan JainSecurity Architect, Cisco IT

Agenda

• Functional and Architectural Basics of Cisco Platform Exchange Grid (pxGrid)

• DevNet Partner & Cisco Security Integration Use-Cases

• First-hand pxGrid Developer Perspective from DevNet partner Situational Corp

• Customer Deployment perspective –Cisco IT

pxGrid

SECURITY THRU

INTEGRATION

Context is the Currency of the Solution Integration Realm…but it’s not easy to execute

I have NBAR info!

I need identity…

I have firewall logs!

I need identity…

I have sec events!I need reputation…

I have NetFlow!

I need entitlement…

I have MDM info!

I need location…

I have app inventory info!

I need posture…

I have identity & device-type!

I need app inventory & vulnerability…

I have threat data!

I need reputation…

I have location!

I need identity…

But Integration

Burden is on IT

Departments

We Need

to Share

Context &

Take Network

Actions

I have reputation info!I need threat data…

I have application info!

I need location & auth-group…SIO

I have reputation info!I need threat data…

I have MDM info!

I need location…

I have app inventory info!

I need posture…

I have application info!

I need location & auth-group…SIO

pxGridContext Sharing

Event Response

Context is the Currency of the Solution Integration Realm…but it’s not easy to execute…but pxGrid accomplishes this

I have NBAR info!

I need identity…

I have firewall logs!

I need identity…

I have sec events!I need reputation…

I have NetFlow!

I need entitlement…

I have identity & device-type!

I need app inventory & vulnerability…

I have threat data!

I need reputation…

I have location!

I need identity…

WHY CUSTOMERS CARE

Cisco pxGrid – Context-Sharing & Network MitigationConnecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners

Cisco Provides Network

Context to Customer IT

Platforms

Use Eco-Partner Context

for Cisco Network Policy

for Customers

Cisco Shares User/Device &

Network Context with IT

Infrastructure

Cisco Receives Context from Eco-

Partners to Make Better Network

Access Policy

1 2 3Help Customer IT

Environments Reach into

the Cisco Network

CISCO PLATFORM ECO-PARTNER

CONTEXT

CISCO PLATFORM ECO-PARTNER

CONTEXT

ECO-PARTNER CISCO PLATFORM

CISCO NETWORK

ACTION

MITIGATE

Puts “Who, What Device, What

Access” with Events. Way Better

than Just IP Addresses!

Creates a Single Place for

Comprehensive Network Access

Policy thru Integration

Decreases Time, Effort and Cost

to Responding to Security and

Network Events

USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy

NETWORK ALERT!

SRC/65.32.7.45

DST/165.1.4.9 : HTTP

Is this event important?

I need more info…

Who is this?

Is this a server?

Smartphone?

Is it still on the

network? Where?Did this come over VPN?

What’s their

access level?

What’s their

posture?

What else

is on the

network?

©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8

“Sensitive Asset”

“Other Asset”

“Sensitive Asset”

87% of data breaches involve poor access rules…

we need to do this better.Verizon Data Breach Report

Access Criteria:

Who: User, Group

USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security

©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9

ACCESS POLICY –

“Critical Data”

WHO = Exec Group Only

WHAT = No Non-Registered

Mobile

WHERE = UK Only

WHEN = UK Business Hours

Only

HOW = No VPN Access

Vary this gent’s application access

privilege based on device enrollment,

geo-location and access method

“Financial Reports”

“Café Menus”

“HR Database”

ISE Context Completes the Picture – Granular Application Data Control

Access Criteria

Non-Sensitive

Sensitive

Critical Data

Vulnerability

Assessment

Packet Capture

& Forensics

SIEM &

Threat Defense

IAM & SSO

pxGrid

SECURITY THRUINTEGRATION

pxGrid – Industry Adoption Critical Mass as of June 201518 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago

Net/App

Performance

IoT

Security

Cisco ISE Cisco WSA

Cloud Access

Security

?

I have identity & device!

I need geo-location & MDM…

I have application info!

I need location & device-type

I have location!

I need app & identity…

Cisco ISE as pxGrid Controller

Publish Publish

Discover TopicDiscover Topic

Continuous Flow

Directed QuerypxGridContext

Sharing

CISCO ISE

Continuous Flow

Directed Query

I have sec events!

I need identity & device…

I have MDM info!

I need location…

How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other PartnersAuthenticate Authorize Publish Discover Subscribe Query

I have identity & device!

I need geo-location & MDM…

I have application info!

I need location & device-type

I have location!

I need app & identity…

ISE as pxGrid Controller

Publish Publish

Discover TopicDiscover Topic

Continuous Flow

Directed QuerypxGridContext

Sharing

CISCO ISE

Continuous Flow

Directed Query

I have sec events!

I need identity & device…

I have MDM info!

I need location…

How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other PartnersAuthenticate Authorize Publish Discover Subscribe Query

Traditional APIs have many limitations - pxGrid addresses these issues:

•Single-purpose function = need for many APIs/dev (and lots of testing)

•Not configurable = too much/little info for interface systems (scale issues)

•Pre-defined data exchange = wait until next release if you need a change

•Polling architecture = can’t scale beyond 1 or 2 system integrations

•Security can be “loose”

“1-touch” network mitigation action –

from 3rd party partner console

pxGrid ANC API

ISE as unified

policy point

User/Device Quarantine

Dynamic ACLs, Increase

Inspection

Adaptive Network Control provides the ability to:

•Quarantine user devices from 3rd party products, such as SIEM systems

•Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels

•Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica

pxGrid: Adaptive Network ControlMakes Cisco Infrastructure a Unified Event Response Network

pxGrid Architecture & Components

pxGrid

Controller

pxGrid Controller Responsible for Control Plane:•Establishing the “grid” instance•Authenticating clients on to the grid•Authorizing what clients can do on the grid•Maintaining directory of context information “topics” available on the grid

pxGrid

Client

pxGrid Clients (Eco-Partner Platforms) Responsible for:•Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller•If sharing contextual information, publishing it to a “topic”•If consuming contextual information, subscribing to appropriate “topic”•Filtering “topics” to exclude unwanted information•Ad-hoc query to “topics”

pxGrid

Client

Example: Evolution from REST to pxGridCisco ISE User/Device Context-Sharing Example

Session Context sharing from ISE MnT Issues pxGrid Solution

Periodic polling using REST API Publish & Subscribe notification push

DB queries causing high I/O usage No DB query with published events caching

Bulk download takes more than 3 hours for 200,000 endpoints

using REST API

• pxGrid provides XML streaming of sessions with pagination

• Provides semantic filtering capability (ex: location) to download

only a subset

Receiving all attributes per session To only send interested attributes through syntactic filtering

Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent

No visibility and mechanism to authorize, control who is accessing

MnT

• pxGrid provides single point of authentication and authorization,

allowing only authorized systems to access the MnT

• pxGrid provides visibility into topics, publishers, subscribers …

Other issues:

•requires opening up firewall ports for reverse web services calls

•no support for federation

•Lacks scale with endpoints increase

• XMPP protocol supports bi-directionality with tunneling

• XMPP supports federation

• pxGrid scaling and HA is achieved by leveraging XMPP server

architecture

Cisco pxGrid SDK Components & Function

Component Function

Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system

• Connects partner system to the pxGrid

Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection

to test with

Sample Data Generator • Generates live session data across a pxGrid connection

• Uses Cisco ISE user/device session data

pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local

testing in your lab

Hosted Testing Sandbox • Enables developer to connect to an already setup test

environment

pxGrid Documentation: Tutorials, Development Guides,

testing guides,

• Complete documentation to guide the developer from

concept to implementation to verification testing

A Closer Look at the pxGrid Connection Library…

• Connection to pxGrid Server

• Multiple pxGrid servers

• Round-robin auto retries

• Reports connection status

• Client certificate based authentication

• A root cert is installed in pxGrid server

• pxGrid server verifies client certs are signed by the root cert

• Capability subscription and publishing

• Capability is a set of queries and notifications supported

• pxGrid provides discovery of Capability

• Notifications are sent to XMPP pub/sub

• Queries are directly sent to Capability provider

How to Get Only the Context You Need…pxGrid Message Filtering

• Allows subscriber to filter/restrict messages based on specified filter criteria.

• Two kinds of filters:

• Content Based Filters• Restrict messages based on the content of the message

• e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet

• Schema Based Filter• Allows clients to receive only a subset of attributes instead of the full message object

• Not supported in this phase

How to Install and Test Using the pxGrid SDK

1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM.

2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller.

3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE.

4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS).

5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore.

6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK

Using the pxGrid Client Libraries

Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below:

• Query Handler: A provider must register query handler with the pxGrid client library to service a query that it needs to expose over pxGrid.

• Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection.

• Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability.

• Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.

pxGrid Sample Scripts Currently Available in the SDK• Sample pxGrid scripts provide development partners with executable example

code for how to use the API

• These scripts can also be useful in demos with customers

• Most commonly used pxGrid API scripts on Cisco ISE:• Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group.

• Session Subscribe: pxGrid client subscribes to capability

• Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE

• Session Query by IP: retrieves all active session from ISE based on IP address

• Session Download: downloads all active sessions from ISE

• ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address

• ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address

• Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in this case)

pxGrid on DevNet

pxGrid Sandbox now available on DevNet

• DevNet Sandbox pxGrid environment allows users to integrate with pxGrid services on Cisco ISE

Developer perspective –Situational Corp.

• Situational is Venture backed Cisco Ecosystem Partner

• Deep expertise in Identity and Access Management

• Context Sharing Enables Enforcement of Security Policy

• Two key use cases:

• dot1x based Single Sign On

• Device driven application security

Security Integration At Work

• Use Case: Single Sign On based on dot1x Authentication

• Example: Single network authentication provides secure authenticated access to cloud and web applications

• Solution: Integrate Network Session with Application Sign On

Security Integration At Work

• Use Case: Restrict application access based on device context

• Example policy: Only employees using managed laptops can access patent research data stored in cloud application.

• Solution: Integrate Network Access Control Policy and Identity and Access Management

Security Integration At Work

• Technical Detail

• Develop pxGrid Integration based on Session Query

• Associate Client with User Session

• Leverage User Identity and Session Attributes in IAM Standards including SAML

Security Integration At Work

• Benefits

• Significantly lower risk of core business operations

• Extend value of in place security components

• Minimal operational impact

• Rapid development cycles

Security Integration At Work

• Benefits

• Significantly lower risk of core business operations

• Extend value of in place security components

• Minimal operational impact

• Rapid development cycles

Security Integration At Work

Customer Deployment Perspective – Cisco IT

About me

32

• Security Architect (IT)

• Cisco IT Identity & Access team : 12 years• 11 years in core Identity and Access

• 1 year in web and cloud security

• Industry speaker at RSA, Gartner, CIS, OOW, IRM

Goal for this session: Idea exchange among peers

Questions: Interrupt as needed

Ranjan Jain #identity_guy

ACCESS POLICY – “Critical Data”

WHO = Exec Group Only

Financial Reports

Café Menus

HR Database

CFO

Current Access Management

Access Criteria

Sensitive

Non-Sensitive

Critical Data

Who?

When?

Where?

How?

What?

Employee Customer/Partner Guest

Personal DeviceCompany

Asset

Wired Wireless VPN

@ Starbucks Headquarters

Weekends (8:00am – 5:00pm) PST

Context Aware Security: Classification Attributes

Kiosk

Extranet

Context Aware Security

ACCESS POLICY – “Critical Data”

WHO = Exec Group Only

WHAT = Registered Corp device only

WHERE = US Only

WHEN = US Business Hours Only

HOW = No VPN Access

Access Criteria

Sensitive

Non-Sensitive

Critical Data

1. Data sensitive access

policies

Financial Reports

Café Menus

HR Database

Context Aware Security Use Cases

CFO

2. Portable Assurance Level for

Cloud Apps

Context Aware Security Use Cases

Internet Only

Access

Full access

No

restrictions

Limited Access

Fully Compliant

Trusted devices

Manager

Doesn’t meet

Trusted Device

Standard

IT Analyst

Engineer/Coder

Some Trusted

Device ElementsPolicy

Decision

Point

Identity and Device drive Access Permission

Key Takeaways

• Federated and Contextual security is the only secure way for Cloud and Mobility

• ISE is the glue for contextual security

• Visibility is important – into both network and endpoint

• Standard based access management is the key

Picture credit: http://www.impulse.com/

In Summary…and How to Get Started

Cisco pxGrid Enables:

• Integration between development partners and the Cisco security products

• Many-to-many integration scalability

• The ability to integrate once to pxGrid and re-use that implementation to interface with any other pxGrid platform (even other Cisco development partners)

• Integrations with the Cisco Identity Services Engine (ISE) are available today

Get Started:

•Cisco Identity Services Engine (ISE) integrations available today

•Use user-to-IP address bindings answer “who” in your platforms

•Use device identification to answer “what type of device” in your platforms

•Use mitigation capabilities to take actions on users/device from your platform

•Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/

Thank you