This session will cover: Functional and architectural basics of Cisco Platform Exchange Grid (pxGrid), the new publish/subscribe/query contextual information exchange framework for creating integration between DevNet partner platforms and Cisco security products; Integration use-cases such as utilizing pxGrid for executing threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet partners analytics, forensics and reporting; First-hand developer perspective from DevNet partner ID/IP who used pxGrid to integrate Ping Identity and Cisco Identity Services Engine.

2. DEVNET-1010
Using Cisco pxGrid for
Security Platform
Integration
Nancy Cam-Winget
Distinguished Engineer
Brian Gonsalves
Product Manager
Chris Ceppi
CEO, Identity Over IP

3. Agenda
• Functional and Architectural Basics of
Cisco Platform Exchange Grid (pxGrid)
• DevNet Partner & Cisco Security
Integration Use-Cases
• First-hand pxGrid Developer
Perspective from DevNet partner ID/IP
pxGrid
SECURITY THRU
INTEGRATION

4. Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute
I have NBAR info!
I need identity…
I have firewall logs!
I need identity…
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have identity & device-type!
I need app inventory & vulnerability…
I have threat data!
I need reputation…
I have location!
I need identity…
But Integration
Burden is on IT
Departments
We Need
to Share
Context &
Take Network
Actions
I have reputation info!
I need threat data…
I have application info!
I need location & auth-group…SIO

5. I have reputation info!
I need threat data…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have application info!
I need location & auth-group…SIO
pxGrid
Context Sharing
Event Response
Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute…but pxGrid accomplishes this
I have NBAR info!
I need identity…
I have firewall logs!
I need identity…
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have identity & device-type!
I need app inventory & vulnerability…
I have threat data!
I need reputation…
I have location!
I need identity…

6. WHY CUSTOMERS CARE
Cisco pxGrid – Context-Sharing & Network Mitigation
Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners
Cisco Provides Network
Context to Customer IT
Platforms
Use Eco-Partner Context
for Cisco Network Policy
for Customers
Cisco Shares User/Device &
Network Context with IT
Infrastructure
Cisco Receives Context from Eco-
Partners to Make Better Network
Access Policy
1 2 3
Help Customer IT
Environments Reach into
the Cisco Network
CISCO PLATFORM ECO-PARTNER
CONTEXT
CISCO PLATFORM ECO-PARTNER
CONTEXT
ECO-PARTNER CISCO PLATFORM
CISCO NETWORK
ACTION
MITIGATE
Puts “Who, What Device, What
Access” with Events. Way Better
than Just IP Addresses!
Creates a Single Place for
Comprehensive Network Access
Policy thru Integration
Decreases Time, Effort and Cost
to Responding to Security and
Network Events

7. USE CASE: Contextual Awareness for Security/Network Event Prioritization,
Response and Policy
NETWORK ALERT!
SRC/65.32.7.45
DST/165.1.4.9 : HTTP
Is this event important?
I need more info…
Who is this?
Is this a server?
Smartphone?
Is it still on the
network? Where?
Did this come over VPN?
What’s their
access level?
What’s their
posture?
What else
is on the
network?

8. ©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8
“Sensitive Asset”
“Other Asset”
“Sensitive Asset”
87% of data breaches involve poor access rules…
we need to do this better.
Verizon Data Breach Report
Access Criteria:
 Who: User, Group
USE CASE: Context from Cisco Identity Services Engine (ISE)
to Application Control System to Increase Application Security

9. ©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9
ACCESS POLICY –
“Critical Data”
 WHO = Exec Group Only
 WHAT = No Non-
Registered Mobile
 WHERE = UK Only
 WHEN = UK Business
Hours Only
 HOW = No VPN Access
Vary this gent’s application access
privilege based on device enrollment,
geo-location and access method
“Financial Reports”
“Café Menus”
“HR Database”
ISE Context Completes the Picture – Granular Application
Data Control
Access Criteria
 Non-Sensitive
 Sensitive
 Critical Data

10. Vulnerability
Assessment
Packet Capture
& Forensics
SIEM &
Threat Defense
IAM & SSO
pxGrid
SECURITY THRU
INTEGRATION
pxGrid – Industry Adoption Critical Mass as of June 2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
Net/App
Performance
IoT
Security
Cisco ISE Cisco WSA
Cloud Access
Security
?

11. I have identity & device!
I need geo-location & MDM…
I have application info!
I need location & device-type
I have location!
I need app & identity…
Cisco ISE as pxGrid Controller
Publish Publish
Discover TopicDiscover Topic
Continuous Flow
Directed QuerypxGrid
Context
Sharing
CISCO ISE
Continuous Flow
Directed Query
I have sec events!
I need identity & device…
I have MDM info!
I need location…
How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate  Authorize  Publish  Discover  Subscribe  Query

12. I have identity & device!
I need geo-location & MDM…
I have application info!
I need location & device-type
I have location!
I need app & identity…
ISE as pxGrid Controller
Publish Publish
Discover TopicDiscover Topic
Continuous Flow
Directed QuerypxGrid
Context
Sharing
CISCO ISE
Continuous Flow
Directed Query
I have sec events!
I need identity & device…
I have MDM info!
I need location…
How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate  Authorize  Publish  Discover  Subscribe  Query
Traditional APIs have many Limitations - pxGrid addresses these
issues:
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”

13. “1-touch” network mitigation action –
from 3rd party partner console
pxGrid ANC API
ISE as unified
policy point
User/Device Quarantine
Dynamic ACLs, Increase
Inspection
Adaptive Network Control provides the ability to:
• Quarantine user devices from 3rd party products, such as SIEM systems
• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA
or increase IPS inspection levels
• Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica
pxGrid: Adaptive Network Control
Makes Cisco Infrastructure a Unified Event Response Network

14. pxGrid Architecture & Components
pxGrid
Controller
pxGrid Controller Responsible for Control Plane:
• Establishing the “grid” instance
• Authenticating clients on to the grid
• Authorizing what clients can do on the grid
• Maintaining directory of context information “topics”
available on the grid
pxGrid
Client
pxGrid Clients (Eco-Partner Platforms) Responsible for:
• Utilizing pxGrid Client Libraries (in SDK) to communicate with the
pxGrid Controller
• If sharing contextual information, publishing it to a “topic”
• If consuming contextual information, subscribing to appropriate “topic”
• Filtering “topics” to exclude unwanted information
• Ad-hoc query to “topics”
pxGrid
Client

15. Example: Evolution from REST to pxGrid
Cisco ISE User/Device Context-Sharing Example
Session Context sharing from ISE MnT Issues pxGrid Solution
Periodic polling using REST API Publish & Subscribe notification push
DB queries causing high I/O usage No DB query with published events caching
Bulk download takes more than 3 hours for 200,000 endpoints
using REST API
• pxGrid provides XML streaming of sessions with pagination
• Provides semantic filtering capability (ex: location) to download
only a subset
Receiving all attributes per session To only send interested attributes through syntactic filtering
Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent
No visibility and mechanism to authorize, control who is accessing
MnT
• pxGrid provides single point of authentication and authorization,
allowing only authorized systems to access the MnT
• pxGrid provides visibility into topics, publishers, subscribers …
Other issues:
• requires opening up firewall ports for reverse web services
calls
• no support for federation
• Lacks scale with endpoints increase
• XMPP protocol supports bi-directionality with tunneling
• XMPP supports federation
• pxGrid scaling and HA is achieved by leveraging XMPP server
architecture

16. Cisco pxGrid SDK Components & Function
Component Function
Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system
• Connects partner system to the pxGrid
Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection
to test with
Sample Data Generator • Generates live session data across a pxGrid connection
• Uses Cisco ISE user/device session data
pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local
testing in your lab
Hosted Testing Sandbox • Enables developer to connect to an already setup test
environment
pxGrid Documentation: Tutorials, Development Guides,
testing guides,
• Complete documentation to guide the developer from
concept to implementation to verification testing

17. A Closer Look at the pxGrid Connection Library…
• Connection to pxGrid Server
• Multiple pxGrid servers
• Round-robin auto retries
• Reports connection status
• Client certificate based authentication
• A root cert is installed in pxGrid server
• pxGrid server verifies client certs are signed by the root cert
• Capability subscription and publishing
• Capability is a set of queries and notifications supported
• pxGrid provides discovery of Capability
• Notifications are sent to XMPP pub/sub
• Queries are directly sent to Capability provider

18. How to Get Only the Context You Need…
pxGrid Message Filtering
• Allows subscriber to filter/restrict messages based on specified filter
criteria.
• Two kinds of filters:
• Content Based Filters
• Restrict messages based on the content of the message
• e.g. an ASA device interested in receiving session information from ISE only for end
points belonging to a subnet
• Schema Based Filter
• Allows clients to receive only a subset of attributes instead of the full message object
• Not supported in this phase

19. How to Install and Test Using the pxGrid SDK
1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM.
2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples
certificates from SDK. These certificates will be used by the pxGrid client for mutual
authentication to the pxGrid controller.
3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE.
4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing
client libraries in your platform or hosting on an external test client (linux box, e.g.
CentOS).
5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or
the linux client, and add to keystore.
6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK

20. Using the pxGrid Client Libraries
Developer platforms interact with pxGrid by registering the appropriate query and
notification callers and handlers as detailed below:
• Query Handler: A provider must register query handler with the pxGrid client library to
service a query that it needs to expose over pxGrid.
• Query Caller: A query caller is created by assembling a request and calling the query
method on the pxGrid connection.
• Notification Handler: Registers a notification handler with the pxGrid connection to
receive notifications for a capability.
• Notifier: To be able to publish notifications, the developer platform must first invoke a
publish capability method.

21. pxGrid Sample Scripts Currently Available in the SDK
• Sample pxGrid scripts provide development partners with executable example
code for how to use the API
• These scripts can also be useful in demos with customers
• Most commonly used pxGrid API scripts on Cisco ISE:
• Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group.
• Session Subscribe: pxGrid client subscribes to capability
• Identity Group download: Downloads user identity information such as the user and profiled group
information from active sessions in ISE
• Session Query by IP: retrieves all active session from ISE based on IP address
• Session Download: downloads all active sessions from ISE
• ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given
IP address
• ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address
• Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in
this case)

22. pxGrid on DevNet

23. pxGrid Sandbox now available on DevNet
• DevNet Sandbox pxGrid
environment allows users
to integrate with pxGrid
services on Cisco ISE

24. • ID over IP is Venture backed Cisco Ecosystem Partner
• Deep expertise in Identity and Access Management
• Context Sharing Enables Enforcement of Security Policy
• Two key use cases:
• dot1x based Single Sign On
• Device driven application security
Security Integration At Work

25. • Use Case: Single Sign On based on dot1x Authentication
• Example: Single network authentication provides secure authenticated
access to cloud and web applications
• Solution: Integrate Network Session with Application Sign On
Security Integration At Work

26. • Use Case: Restrict application access based on device context
• Example policy: Only employees using managed laptops can access
patent research data stored in cloud application.
• Solution: Integrate Network Access Control Policy and Identity and
Access Management
Security Integration At Work

27. • Technical Detail
• Develop pxGrid Integration based on Session Query
• Asociate Client with User Session
• Leverage User Identity and Session Attributes in IAM Standards including
SAML
Security Integration At Work

28. • Benefits
• Significantly lower risk of core business operations
• Extend value of in place security components
• Minimal operational impact
• Rapid development cycles
Security Integration At Work

29. • Benefits
• Significantly lower risk of core business operations
• Extend value of in place security components
• Minimal operational impact
• Rapid development cycles
Security Integration At Work

30. In Summary…and How to Get Started
Cisco pxGrid Enables:
• Integration between development partners and
the Cisco security products
• Many-to-many integration scalability
• The ability to integrate once to pxGrid and re-
use that implementation to interface with any
other pxGrid platform (even other Cisco
development partners)
• Integrations with the Cisco Identity Services
Engine (ISE) are available today
Get Started:
• Cisco Identity Services Engine (ISE)
integrations available today
• Use user-to-IP address bindings answer “who”
in your platforms
• Use device identification to answer “what type
of device” in your platforms
• Use mitigation capabilities to take actions on
users/device from your platform
• Access SDK, client libraries and tutorials at:
https://developer.cisco.com/site/pxgrid/

31. Thank you