A session in the DevNet Zone at Cisco Live, Berlin. This session will cover: functional and architectural basics of Cisco Platform Exchange Grid (pxGrid), the new publish/subscribe/query contextual information exchange framework for creating integrations between DevNet Zone partner platforms and Cisco security products; integration use-cases such as using pxGrid to execute threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet Zone partners' analytics, forensics and reporting; and a first-hand developer perspective from DevNet Zone partner ID/IP, who used pxGrid to integrate Ping Identity and Cisco Identity Services Engine.
Using Cisco pxGrid for Security Platform Integration: a deep dive
2. DEVNET-1124
Using Cisco pxGrid for Security Platform Integration
John Eppich, Technical Marketing Engineer
David Koenig, Head of Business Development and Strategy, Situational Corp.
Ranjan Jain, Security Architect, Cisco IT
3. Agenda
• Functional and Architectural Basics of Cisco Platform Exchange Grid (pxGrid)
• DevNet Partner & Cisco Security Integration Use-Cases
• First-hand pxGrid Developer Perspective from DevNet partner Situational Corp
• Customer Deployment perspective – Cisco IT
pxGrid: Security Thru Integration
4. Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have threat data! I need reputation…
• I have location! I need identity…
• I have reputation info! I need threat data…
• I have application info! I need location & auth-group…
But the integration burden is on IT departments. We need to share context & take network actions.
5. Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute…but pxGrid accomplishes this
pxGrid: Context Sharing, Event Response (the same platforms as on slide 4, now exchanging their context through pxGrid instead of pairwise integrations)
6. WHY CUSTOMERS CARE
Cisco pxGrid – Context-Sharing & Network Mitigation
Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners
1. Cisco Provides Network Context to Customer IT Platforms: Cisco shares user/device & network context with IT infrastructure (Cisco platform and eco-partner exchange context). Puts “Who, What Device, What Access” with events. Way better than just IP addresses!
2. Use Eco-Partner Context for Cisco Network Policy for Customers: Cisco receives context from eco-partners to make better network access policy (eco-partner and Cisco platform exchange context). Creates a single place for comprehensive network access policy thru integration.
3. Help Customer IT Environments Reach into the Cisco Network: eco-partner to Cisco platform to Cisco network action (mitigate). Decreases the time, effort and cost of responding to security and network events.
7. USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy
NETWORK ALERT! SRC/65.32.7.45 DST/165.1.4.9 : HTTP
Is this event important? I need more info…
• Who is this?
• Is this a server? Smartphone?
• Is it still on the network? Where?
• Did this come over VPN?
• What’s their access level?
• What’s their posture?
• What else is on the network?
10. pxGrid – Industry Adoption Critical Mass as of June 2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
pxGrid: Security Thru Integration, with Cisco ISE and Cisco WSA at the centre
Technology areas: Vulnerability Assessment; Packet Capture & Forensics; SIEM & Threat Defense; IAM & SSO; Net/App Performance; IoT Security; Cloud Access Security; ?
11. How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners
Cisco ISE as pxGrid Controller: pxGrid Context Sharing
Steps: Authenticate, Authorize, Publish, Discover, Subscribe, Query
Flows shown in the diagram: Publish; Discover Topic; Continuous Flow (subscription); Directed Query
Partner platforms around the grid:
• I have identity & device! I need geo-location & MDM…
• I have application info! I need location & device-type…
• I have location! I need app & identity…
• I have sec events! I need identity & device…
• I have MDM info! I need location…
12. How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners (continued)
Traditional APIs have many limitations - pxGrid addresses these issues:
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”
13. pxGrid: Adaptive Network Control
Makes Cisco Infrastructure a Unified Event Response Network
“1-touch” network mitigation action from a 3rd party partner console, through the pxGrid ANC API, with ISE as the unified policy point: User/Device Quarantine; Dynamic ACLs; Increase Inspection
Adaptive Network Control provides the ability to:
• Quarantine user devices from 3rd party products, such as SIEM systems
• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels
• Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica
14. pxGrid Architecture & Components
pxGrid Controller Responsible for Control Plane:
• Establishing the “grid” instance
• Authenticating clients on to the grid
• Authorizing what clients can do on the grid
• Maintaining directory of context information “topics” available on the grid
pxGrid Clients (Eco-Partner Platforms) Responsible for:
• Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller
• If sharing contextual information, publishing it to a “topic”
• If consuming contextual information, subscribing to appropriate “topic”
• Filtering “topics” to exclude unwanted information
• Ad-hoc query to “topics”
15. Example: Evolution from REST to pxGrid
Cisco ISE User/Device Context-Sharing Example
Session context sharing from ISE MnT: issues with the REST approach and the pxGrid solution
• Issue: Periodic polling using REST API. pxGrid solution: Publish & Subscribe notification push.
• Issue: DB queries causing high I/O usage. pxGrid solution: No DB query, with published events caching.
• Issue: Bulk download takes more than 3 hours for 200,000 endpoints using REST API. pxGrid solution: pxGrid provides XML streaming of sessions with pagination, and provides semantic filtering capability (ex: location) to download only a subset.
• Issue: Receiving all attributes per session. pxGrid solution: Only send the attributes of interest, through syntactic filtering.
• Issue: Use of syslog as interim approach - all events are processed. pxGrid solution: Pub/sub notification - only relevant events will be sent.
• Issue: No visibility and no mechanism to authorize and control who is accessing MnT. pxGrid solution: pxGrid provides a single point of authentication and authorization, allowing only authorized systems to access the MnT, and provides visibility into topics, publishers, subscribers …
• Other issues: requires opening up firewall ports for reverse web services calls; no support for federation; lacks scale as endpoints increase. pxGrid solution: the XMPP protocol supports bi-directionality with tunneling; XMPP supports federation; pxGrid scaling and HA are achieved by leveraging the XMPP server architecture.
16. Cisco pxGrid SDK Components & Function
• Grid Client Library (GCL) in C and Java: software libraries for embedding in partner system; connects partner system to the pxGrid
• Sample pxGrid Data Output: sample data from Cisco ISE across a pxGrid connection to test with
• Sample Data Generator: generates live session data across a pxGrid connection; uses Cisco ISE user/device session data
• pxGrid Controller Virtual Machine for Testing: ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab
• Hosted Testing Sandbox: enables developer to connect to an already set up test environment
• pxGrid Documentation (tutorials, development guides, testing guides): complete documentation to guide the developer from concept to implementation to verification testing
17. A Closer Look at the pxGrid Connection Library…
• Connection to pxGrid Server
  • Multiple pxGrid servers
  • Round-robin auto retries
  • Reports connection status
• Client certificate based authentication
  • A root cert is installed in pxGrid server
  • pxGrid server verifies client certs are signed by the root cert
• Capability subscription and publishing
  • Capability is a set of queries and notifications supported
  • pxGrid provides discovery of Capability
  • Notifications are sent to XMPP pub/sub
  • Queries are directly sent to Capability provider
18. How to Get Only the Context You Need…
pxGrid Message Filtering
• Allows subscriber to filter/restrict messages based on specified filter criteria.
• Two kinds of filters:
  • Content Based Filters
    • Restrict messages based on the content of the message
    • e.g. an ASA device interested in receiving session information from ISE only for endpoints belonging to a subnet
  • Schema Based Filter
    • Allows clients to receive only a subset of attributes instead of the full message object
    • Not supported in this phase
19. How to Install and Test Using the pxGrid SDK
1. Install pxGrid Controller: Install the Cisco ISE 1.3 ISO on a VM.
2. Set up pxGrid Controller/Client Key-stores and Trust-stores: Import the sample certificates from the SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller.
3. Enable pxGrid Controller: Enable the pxGrid persona in Cisco ISE.
4. Set up pxGrid Test Client: Download the SDK onto the pxGrid client. This can mean installing the client libraries in your platform or hosting them on an external test client (Linux box, e.g. CentOS).
5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the Linux client, and add it to the keystore.
6. Test with SDK Scripts: Run the pxGrid sample scripts included in the SDK.
20. Using the pxGrid Client Libraries
Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below:
• Query Handler: A provider must register a query handler with the pxGrid client library to service each query that it needs to expose over pxGrid.
• Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection.
• Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability.
• Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.
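The roles described on slides 14, 18 and 20 (controller authenticating and authorizing clients and keeping the topic directory; publisher, subscriber with a content-based filter, query handler and query caller) are easier to see end-to-end in a small model. The block below is an added example written for this page, not Cisco SDK code: the real Grid Client Library is in C and Java, and every class, method and sample value here (the `Controller`, `Client`, the `SessionDirectory` topic name, the session records and the certificate-issuer check standing in for the real client-certificate verification) is invented for illustration.

```python
# Toy model of the pxGrid control plane and pub/sub/query data plane (added example,
# not Cisco SDK code; all names are invented for illustration).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


class PxGridError(Exception):
    """Raised when a client is not authenticated or not authorized for an action."""


@dataclass(frozen=True)
class Client:
    name: str
    cert_issuer: str  # stand-in for the CA that signed the client certificate


class Controller:
    """Control plane: grid instance, authentication, authorization, topic directory."""

    def __init__(self, trusted_root: str) -> None:
        self.trusted_root = trusted_root             # root cert installed on the pxGrid server
        self.connected: set = set()                  # names of authenticated clients
        self.grants: Dict[str, Dict[str, set]] = {}  # client -> {"publish": {...}, "subscribe": {...}}
        self.topics: Dict[str, str] = {}             # topic -> provider client name
        self.query_handlers: Dict[str, Callable[[dict], list]] = {}
        self.subscriptions: list = []                # (topic, client, content_filter, handler)

    def authenticate(self, client: Client) -> None:
        """Models the cert check: client certs must be signed by the installed root."""
        if client.cert_issuer != self.trusted_root:
            raise PxGridError(f"{client.name}: client cert not signed by trusted root")
        self.connected.add(client.name)

    def authorize(self, name: str, publish=(), subscribe=()) -> None:
        """Grant a client permission to publish and/or subscribe to named topics."""
        self.grants[name] = {"publish": set(publish), "subscribe": set(subscribe)}

    def _check(self, client: Client, action: str, topic: str) -> None:
        if client.name not in self.connected:
            raise PxGridError(f"{client.name}: not authenticated")
        if topic not in self.grants.get(client.name, {}).get(action, set()):
            raise PxGridError(f"{client.name}: not authorized to {action} {topic}")

    def publish_capability(self, client: Client, topic: str,
                           query_handler: Optional[Callable[[dict], list]] = None) -> None:
        """Provider registers a topic and, optionally, a handler for directed queries."""
        self._check(client, "publish", topic)
        self.topics[topic] = client.name
        if query_handler is not None:
            self.query_handlers[topic] = query_handler

    def discover(self) -> List[str]:
        return sorted(self.topics)

    def subscribe(self, client: Client, topic: str, handler: Callable[[dict], None],
                  content_filter: Optional[Callable[[dict], bool]] = None) -> None:
        """Register a notification handler; content_filter models a content-based filter."""
        self._check(client, "subscribe", topic)
        if topic not in self.topics:
            raise PxGridError(f"unknown topic {topic}")
        self.subscriptions.append((topic, client.name, content_filter, handler))

    def notify(self, client: Client, topic: str, message: dict) -> int:
        """Publisher pushes one notification; returns how many subscribers received it."""
        self._check(client, "publish", topic)
        delivered = 0
        for sub_topic, _, flt, handler in self.subscriptions:
            if sub_topic == topic and (flt is None or flt(message)):
                handler(message)
                delivered += 1
        return delivered

    def query(self, client: Client, topic: str, request: dict) -> list:
        """Directed query, routed straight to the capability provider's handler."""
        self._check(client, "subscribe", topic)
        return self.query_handlers[topic](request)


# Constructed sample session records standing in for ISE session notifications.
SESSIONS = [
    {"ip": "10.1.5.20", "user": "alice", "device": "corp-laptop"},
    {"ip": "10.1.7.33", "user": "bob", "device": "smartphone"},
    {"ip": "10.2.0.8", "user": "svc-backup", "device": "server"},
]


def run_demo() -> dict:
    grid = Controller(trusted_root="pxgrid-root-ca")
    ise, asa, siem = (Client(n, "pxgrid-root-ca") for n in ("ise-mnt", "asa-fw", "siem"))
    for c in (ise, asa, siem):
        grid.authenticate(c)
    grid.authorize("ise-mnt", publish=["SessionDirectory"])
    grid.authorize("asa-fw", subscribe=["SessionDirectory"])
    grid.authorize("siem", subscribe=["SessionDirectory"])
    grid.publish_capability(ise, "SessionDirectory",
                            query_handler=lambda req: [s for s in SESSIONS if s["ip"] == req["ip"]])
    asa_seen, siem_seen = [], []
    user_subnet = ip_network("10.1.0.0/16")   # the ASA only wants sessions from this subnet
    grid.subscribe(asa, "SessionDirectory", asa_seen.append,
                   content_filter=lambda m: ip_address(m["ip"]) in user_subnet)
    grid.subscribe(siem, "SessionDirectory", siem_seen.append)
    for s in SESSIONS:
        grid.notify(ise, "SessionDirectory", s)
    rejected = []
    for attempt in (lambda: grid.authenticate(Client("rogue", "self-signed")),   # untrusted cert
                    lambda: grid.notify(siem, "SessionDirectory", SESSIONS[0])):  # subscriber publishing
        try:
            attempt()
        except PxGridError as e:
            rejected.append(str(e))
    return {"topics": grid.discover(), "asa": [m["ip"] for m in asa_seen], "siem": len(siem_seen),
            "lookup": grid.query(siem, "SessionDirectory", {"ip": "10.1.7.33"})[0]["user"],
            "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the three properties the slides stress: the SIEM, subscribed without a filter, receives all three sessions while the ASA's content-based subnet filter drops the 10.2.0.0 session before it leaves the controller; the directed query for 10.1.7.33 is answered by the provider's registered handler rather than by a database poll; and both an unsigned client and a subscriber that tries to publish are refused by the control plane.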
21. pxGrid Sample Scripts Currently Available in the SDK
• Sample pxGrid scripts provide development partners with executable example code for how to use the API
• These scripts can also be useful in demos with customers
• Most commonly used pxGrid API scripts on Cisco ISE:
  • Register: registers the pxGrid client with the pxGrid controller in an authorized session or ANC/EPS group.
  • Session Subscribe: pxGrid client subscribes to a capability
  • Identity Group download: downloads user identity information such as the user and profiled group information from active sessions in ISE
  • Session Query by IP: retrieves all active sessions from ISE based on IP address
  • Session Download: downloads all active sessions from ISE
  • ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address
  • ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address
  • Capability: queries, under the registered pxGrid client name, the available topics provided by the publisher (ISE in this case)
25. Security Integration At Work
• Situational is a venture-backed Cisco Ecosystem Partner
• Deep expertise in Identity and Access Management
• Context Sharing Enables Enforcement of Security Policy
• Two key use cases:
  • dot1x based Single Sign On
  • Device driven application security
26. Security Integration At Work
• Use Case: Single Sign On based on dot1x Authentication
• Example: Single network authentication provides secure authenticated access to cloud and web applications
• Solution: Integrate Network Session with Application Sign On
27. Security Integration At Work
• Use Case: Restrict application access based on device context
• Example policy: Only employees using managed laptops can access patent research data stored in cloud application.
• Solution: Integrate Network Access Control Policy and Identity and Access Management
28. Security Integration At Work
• Technical Detail
  • Develop pxGrid Integration based on Session Query
  • Associate Client with User Session
  • Leverage User Identity and Session Attributes in IAM Standards including SAML
29. Security Integration At Work
• Benefits
  • Significantly lower risk of core business operations
  • Extend value of in place security components
  • Minimal operational impact
  • Rapid development cycles
32. About me
Ranjan Jain, #identity_guy
• Security Architect (IT)
• Cisco IT Identity & Access team: 12 years
  • 11 years in core Identity and Access
  • 1 year in web and cloud security
• Industry speaker at RSA, Gartner, CIS, OOW, IRM
Goal for this session: Idea exchange among peers
Questions: Interrupt as needed
33. ACCESS POLICY – “Critical Data”: Current Access Management
Access Criteria: WHO = Exec Group Only
Data classes: Sensitive, Non-Sensitive, Critical Data
Example resources: Financial Reports, Café Menus, HR Database; example user: CFO
35. ACCESS POLICY – “Critical Data”
Context Aware Security Use Cases: 1. Data sensitive access policies
Access Criteria:
• WHO = Exec Group Only
• WHAT = Registered Corp device only
• WHERE = US Only
• WHEN = US Business Hours Only
• HOW = No VPN Access
Data classes: Sensitive, Non-Sensitive, Critical Data
Example resources: Financial Reports, Café Menus, HR Database; example user: CFO
37. Identity and Device drive Access Permission
The Policy Decision Point maps device state to network access:
• Fully Compliant Trusted devices: Full access, No restrictions
• Some Trusted Device Elements: Limited Access
• Doesn’t meet Trusted Device Standard: Internet Only Access
Example users: Manager, IT Analyst, Engineer/Coder
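Slides 33, 35 and 37 describe a policy decision point that moves from a WHO-only check to WHO/WHAT/WHERE/WHEN/HOW, and that grades network access by device trust. The block below is an added example for this page, not Cisco IT's implementation: the `Context` attributes, the trust levels ("compliant", "partial", "untrusted"), the 09:00 to 17:00 reading of "US business hours" and the sample users are all assumptions made for illustration, and it treats Financial Reports and the HR Database as Critical Data and Café Menus as non-sensitive, as the slides do.

```python
# Context-aware policy decision point modelled on the WHO/WHAT/WHERE/WHEN/HOW criteria
# (added example, not Cisco IT's code; attribute names, trust levels and hours are assumed).
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Tuple

CRITICAL_DATA = {"Financial Reports", "HR Database"}   # the slides' Critical Data resources
BUSINESS_HOURS = (time(9, 0), time(17, 0))             # assumed meaning of "US business hours"


@dataclass(frozen=True)
class Context:
    """Session attributes a PDP would receive, e.g. from ISE over pxGrid (assumed shape)."""
    user: str
    groups: FrozenSet[str]
    device_registered: bool
    device_trust: str      # assumed levels: "compliant", "partial", "untrusted"
    country: str
    local_time: time
    via_vpn: bool


def legacy_decision(resource: str, ctx: Context) -> bool:
    """Slide 33 model: only WHO is checked for Critical Data."""
    return resource not in CRITICAL_DATA or "Exec" in ctx.groups


def context_aware_decision(resource: str, ctx: Context) -> Tuple[bool, List[str]]:
    """Slide 35 model: all five criteria must hold for Critical Data; returns failed ones."""
    if resource not in CRITICAL_DATA:
        return True, []
    failed = []
    if "Exec" not in ctx.groups:
        failed.append("WHO: not in Exec group")
    if not ctx.device_registered:
        failed.append("WHAT: not a registered corporate device")
    if ctx.country != "US":
        failed.append("WHERE: outside the US")
    if not BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]:
        failed.append("WHEN: outside US business hours")
    if ctx.via_vpn:
        failed.append("HOW: access over VPN")
    return not failed, failed


def network_access_level(ctx: Context) -> str:
    """Slide 37 model: device trust drives the network permission tier."""
    tiers = {"compliant": "full access", "partial": "limited access"}
    return tiers.get(ctx.device_trust, "internet only")


# Constructed sample contexts (not real users).
CFO_IN_OFFICE = Context("cfo", frozenset({"Exec"}), True, "compliant", "US", time(10, 30), False)
CFO_ON_VPN_ABROAD = Context("cfo", frozenset({"Exec"}), False, "untrusted", "FR", time(10, 30), True)
ENGINEER = Context("eng1", frozenset({"Engineering"}), True, "partial", "US", time(14, 0), False)


def run_examples() -> dict:
    return {
        "legacy_cfo_vpn": legacy_decision("Financial Reports", CFO_ON_VPN_ABROAD),
        "context_cfo_vpn": context_aware_decision("Financial Reports", CFO_ON_VPN_ABROAD),
        "context_cfo_office": context_aware_decision("Financial Reports", CFO_IN_OFFICE),
        "context_engineer_hr": context_aware_decision("HR Database", ENGINEER),
        "cafe_menus_engineer": context_aware_decision("Café Menus", ENGINEER),
        "network_tiers": [network_access_level(c) for c in (CFO_IN_OFFICE, ENGINEER, CFO_ON_VPN_ABROAD)],
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, result)
```

The contrast worth noting is the CFO on an unregistered device over VPN from abroad: the WHO-only policy of slide 33 grants access to Financial Reports because the group membership is right, while the context-aware policy denies it and reports exactly which criteria failed, which is the information an analyst wants logged alongside the decision.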
38. Key Takeaways
• Federated and Contextual security is the only secure way for Cloud and Mobility
• ISE is the glue for contextual security
• Visibility is important – into both network and endpoint
• Standards-based access management is the key
Picture credit: http://www.impulse.com/
39. In Summary…and How to Get Started
Cisco pxGrid Enables:
• Integration between development partners and the Cisco security products
• Many-to-many integration scalability
• The ability to integrate once to pxGrid and re-use that implementation to interface with any other pxGrid platform (even other Cisco development partners)
• Integrations with the Cisco Identity Services Engine (ISE) are available today
Get Started:
• Cisco Identity Services Engine (ISE) integrations available today
• Use user-to-IP address bindings to answer “who” in your platforms
• Use device identification to answer “what type of device” in your platforms
• Use mitigation capabilities to take actions on users/devices from your platform
• Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/