SlideShare a Scribd company logo

DEVNET-1010 Using Cisco pxGrid for Security Platform Integration

Download as PPTX, PDF
Cisco DevNet, profile picture
Cisco DevNet

The document discusses Cisco's PxGrid, a security platform integration designed to facilitate context-sharing and network mitigation among various security applications and partners. It highlights the architecture, features, and use cases of PxGrid, aiming to enhance security response and policy management through improved context awareness and integration capabilities. Additionally, it provides guidance for developers on how to implement and test PxGrid functionalities within their environments.

Technology
1 of 31
Downloaded 67 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration Nancy Cam-Winget Distinguished Engineer Brian Gonsalves Product Manager Chris Ceppi CEO, Identity Over IP
Agenda • Functional and Architectural Basics of Cisco Platform Exchange Grid (pxGrid) • DevNet Partner & Cisco Security Integration Use-Cases • First-hand pxGrid Developer Perspective from DevNet partner ID/IP pxGrid SECURITY THRU INTEGRATION
Context is the Currency of the Solution Integration Realm …but it’s not easy to execute I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions I have reputation info! I need threat data… I have application info! I need location & auth-group…SIO
I have reputation info! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have application info! I need location & auth-group…SIO pxGrid Context Sharing Event Response Context is the Currency of the Solution Integration Realm …but it’s not easy to execute…but pxGrid accomplishes this I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity…
WHY CUSTOMERS CARE Cisco pxGrid – Context-Sharing & Network Mitigation Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners Cisco Provides Network Context to Customer IT Platforms Use Eco-Partner Context for Cisco Network Policy for Customers Cisco Shares User/Device & Network Context with IT Infrastructure Cisco Receives Context from Eco- Partners to Make Better Network Access Policy 1 2 3 Help Customer IT Environments Reach into the Cisco Network CISCO PLATFORM ECO-PARTNER CONTEXT CISCO PLATFORM ECO-PARTNER CONTEXT ECO-PARTNER CISCO PLATFORM CISCO NETWORK ACTION MITIGATE Puts “Who, What Device, What Access” with Events. Way Better than Just IP Addresses! Creates a Single Place for Comprehensive Network Access Policy thru Integration Decreases Time, Effort and Cost to Responding to Security and Network Events
USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy NETWORK ALERT! SRC/65.32.7.45 DST/165.1.4.9 : HTTP Is this event important? I need more info… Who is this? Is this a server? Smartphone? Is it still on the network? Where? Did this come over VPN? What’s their access level? What’s their posture? What else is on the network?
©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8 “Sensitive Asset” “Other Asset” “Sensitive Asset” 87% of data breaches involve poor access rules… we need to do this better. Verizon Data Breach Report Access Criteria:  Who: User, Group USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security
©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9 ACCESS POLICY – “Critical Data”  WHO = Exec Group Only  WHAT = No Non- Registered Mobile  WHERE = UK Only  WHEN = UK Business Hours Only  HOW = No VPN Access Vary this gent’s application access privilege based on device enrollment, geo-location and access method “Financial Reports” “Café Menus” “HR Database” ISE Context Completes the Picture – Granular Application Data Control Access Criteria  Non-Sensitive  Sensitive  Critical Data
Vulnerability Assessment Packet Capture & Forensics SIEM & Threat Defense IAM & SSO pxGrid SECURITY THRU INTEGRATION pxGrid – Industry Adoption Critical Mass as of June 2015 18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago Net/App Performance IoT Security Cisco ISE Cisco WSA Cloud Access Security ?
I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… Cisco ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query
I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query Traditional APIs have many Limitations - pxGrid addresses these issues: • Single-purpose function = need for many APIs/dev (and lots of testing) • Not configurable = too much/little info for interface systems (scale issues) • Pre-defined data exchange = wait until next release if you need a change • Polling architecture = can’t scale beyond 1 or 2 system integrations • Security can be “loose”
“1-touch” network mitigation action – from 3rd party partner console pxGrid ANC API ISE as unified policy point User/Device Quarantine Dynamic ACLs, Increase Inspection Adaptive Network Control provides the ability to: • Quarantine user devices from 3rd party products, such as SIEM systems • Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels • Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica pxGrid: Adaptive Network Control Makes Cisco Infrastructure a Unified Event Response Network
pxGrid Architecture & Components pxGrid Controller pxGrid Controller Responsible for Control Plane: • Establishing the “grid” instance • Authenticating clients on to the grid • Authorizing what clients can do on the grid • Maintaining directory of context information “topics” available on the grid pxGrid Client pxGrid Clients (Eco-Partner Platforms) Responsible for: • Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller • If sharing contextual information, publishing it to a “topic” • If consuming contextual information, subscribing to appropriate “topic” • Filtering “topics” to exclude unwanted information • Ad-hoc query to “topics” pxGrid Client
Example: Evolution from REST to pxGrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues pxGrid Solution Periodic polling using REST API Publish & Subscribe notification push DB queries causing high I/O usage No DB query with published events caching Bulk download takes more than 3 hours for 200,000 endpoints using REST API • pxGrid provides XML streaming of sessions with pagination • Provides semantic filtering capability (ex: location) to download only a subset Receiving all attributes per session To only send interested attributes through syntactic filtering Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent No visibility and mechanism to authorize, control who is accessing MnT • pxGrid provides single point of authentication and authorization, allowing only authorized systems to access the MnT • pxGrid provides visibility into topics, publishers, subscribers … Other issues: • requires opening up firewall ports for reverse web services calls • no support for federation • Lacks scale with endpoints increase • XMPP protocol supports bi-directionality with tunneling • XMPP supports federation • pxGrid scaling and HA is achieved by leveraging XMPP server architecture
Cisco pxGrid SDK Components & Function Component Function Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system • Connects partner system to the pxGrid Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection to test with Sample Data Generator • Generates live session data across a pxGrid connection • Uses Cisco ISE user/device session data pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab Hosted Testing Sandbox • Enables developer to connect to an already setup test environment pxGrid Documentation: Tutorials, Development Guides, testing guides, • Complete documentation to guide the developer from concept to implementation to verification testing
A Closer Look at the pxGrid Connection Library… • Connection to pxGrid Server • Multiple pxGrid servers • Round-robin auto retries • Reports connection status • Client certificate based authentication • A root cert is installed in pxGrid server • pxGrid server verifies client certs are signed by the root cert • Capability subscription and publishing • Capability is a set of queries and notifications supported • pxGrid provides discovery of Capability • Notifications are sent to XMPP pub/sub • Queries are directly sent to Capability provider
How to Get Only the Context You Need… pxGrid Message Filtering • Allows subscriber to filter/restrict messages based on specified filter criteria. • Two kinds of filters: • Content Based Filters • Restrict messages based on the content of the message • e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet • Schema Based Filter • Allows clients to receive only a subset of attributes instead of the full message object • Not supported in this phase
How to Install and Test Using the pxGrid SDK 1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM. 2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller. 3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE. 4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS). 5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore. 6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK
Using the pxGrid Client Libraries Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below: • Query Handler: A provider must register query handler with the pxGrid client library to service a query that it needs to expose over pxGrid. • Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection. • Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability. • Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.
pxGrid Sample Scripts Currently Available in the SDK • Sample pxGrid scripts provide development partners with executable example code for how to use the API • These scripts can also be useful in demos with customers • Most commonly used pxGrid API scripts on Cisco ISE: • Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group. • Session Subscribe: pxGrid client subscribes to capability • Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE • Session Query by IP: retrieves all active session from ISE based on IP address • Session Download: downloads all active sessions from ISE • ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address • ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address • Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in this case)
pxGrid on DevNet
pxGrid Sandbox now available on DevNet • DevNet Sandbox pxGrid environment allows users to integrate with pxGrid services on Cisco ISE
• ID over IP is Venture backed Cisco Ecosystem Partner • Deep expertise in Identity and Access Management • Context Sharing Enables Enforcement of Security Policy • Two key use cases: • dot1x based Single Sign On • Device driven application security Security Integration At Work
• Use Case: Single Sign On based on dot1x Authentication • Example: Single network authentication provides secure authenticated access to cloud and web applications • Solution: Integrate Network Session with Application Sign On Security Integration At Work
• Use Case: Restrict application access based on device context • Example policy: Only employees using managed laptops can access patent research data stored in cloud application. • Solution: Integrate Network Access Control Policy and Identity and Access Management Security Integration At Work
• Technical Detail • Develop pxGrid Integration based on Session Query • Asociate Client with User Session • Leverage User Identity and Session Attributes in IAM Standards including SAML Security Integration At Work
• Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
• Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
In Summary…and How to Get Started Cisco pxGrid Enables: • Integration between development partners and the Cisco security products • Many-to-many integration scalability • The ability to integrate once to pxGrid and re- use that implementation to interface with any other pxGrid platform (even other Cisco development partners) • Integrations with the Cisco Identity Services Engine (ISE) are available today Get Started: • Cisco Identity Services Engine (ISE) integrations available today • Use user-to-IP address bindings answer “who” in your platforms • Use device identification to answer “what type of device” in your platforms • Use mitigation capabilities to take actions on users/device from your platform • Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/
Thank you

More Related Content

PPTX
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
PDF
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet
 
PPTX
Microsoft Azure IoT Hub (Sam Vanhoutte @TechdaysNL 2017)
Codit
 
PPTX
The user s identities
Giuliano Latini
 
PDF
MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo
Gilles Legoux
 
PDF
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
PDF
FIWARE Global Summit - FIWARE Implementation of IDS Reference Architecture Co...
FIWARE
 
PDF
Kernel Con 2022: Securing Cloud Native Workloads
Gabriel Schuyler
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
Cisco DevNet
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet
 
Microsoft Azure IoT Hub (Sam Vanhoutte @TechdaysNL 2017)
Codit
 
The user s identities
Giuliano Latini
 
MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo
Gilles Legoux
 
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
FIWARE Global Summit - FIWARE Implementation of IDS Reference Architecture Co...
FIWARE
 
Kernel Con 2022: Securing Cloud Native Workloads
Gabriel Schuyler
 

What's hot (19)

PDF
Tech Job Conference: Software Engineer @Criteo
Gilles Legoux
 
PPTX
Azure IoT Camp
Vadim Kacherov
 
PPTX
Architecting Azure IoT Solutions
GlobalLogic Ukraine
 
PDF
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE
 
PPTX
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Codit
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
PPTX
Getting started with Azure Event Grid - Webinar with Steef-Jan Wiggers
Codit
 
PDF
FIWARE Global Summit - Building Personalized FIWARE Enabled IoT Sandbox Solution
FIWARE
 
PDF
Connecting to the internet of things (IoT)
Fernando Lopez Aguilar
 
PDF
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
PPTX
Simplify Your Way To Expert Kubernetes Management
DevOps.com
 
PPTX
Windows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Microsoft Tech Community
 
PDF
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
PPTX
Introduction to Microsoft IoT Central
Codit
 
PPTX
FIWARE IoT Introduction 1
Fernando Lopez Aguilar
 
PPTX
A Complete IoT Backend Infrastructure in FIWARE
FIWARE
 
PPTX
Azure IoT hub
Basavaraj Mulaveesala
 
PDF
Microservices: A Security Nightmare?
Container Solutions
 
PPTX
Azure IoT Platform services - The modern IoT developer toolbox
Microsoft Tech Community
 
Tech Job Conference: Software Engineer @Criteo
Gilles Legoux
 
Azure IoT Camp
Vadim Kacherov
 
Architecting Azure IoT Solutions
GlobalLogic Ukraine
 
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Codit
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Getting started with Azure Event Grid - Webinar with Steef-Jan Wiggers
Codit
 
FIWARE Global Summit - Building Personalized FIWARE Enabled IoT Sandbox Solution
FIWARE
 
Connecting to the internet of things (IoT)
Fernando Lopez Aguilar
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
Simplify Your Way To Expert Kubernetes Management
DevOps.com
 
Windows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Microsoft Tech Community
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
Introduction to Microsoft IoT Central
Codit
 
FIWARE IoT Introduction 1
Fernando Lopez Aguilar
 
A Complete IoT Backend Infrastructure in FIWARE
FIWARE
 
Azure IoT hub
Basavaraj Mulaveesala
 
Microservices: A Security Nightmare?
Container Solutions
 
Azure IoT Platform services - The modern IoT developer toolbox
Microsoft Tech Community
 
Ad

Viewers also liked (11)

PDF
Building a Security Architecture
Cisco Canada
 
PPTX
Urban Health and Resilience in the Lagos Metropolis (2) ( A Presentation By E...
Dr. Ebele Mogo
 
PPTX
DEVNET-1132 Create B2B Exchanges with Cisco Connected Processes
Cisco DevNet
 
PPTX
DEVNET-1102 Introduction to the DevNet Sandbox and IVT
Cisco DevNet
 
PDF
Unveiling the gray emails: A Closer Look at Emails in the Gray Area
Jelena Isachenkova
 
PPTX
DEVNET-1164 Using OpenDaylight for Notification Driven Workflows
Cisco DevNet
 
PDF
DEVNET-1147 Energizing Your Career with Cloud Technologies
Cisco DevNet
 
PPTX
Vasant Vihar Homes Derabassi Plots-Brochure
propertychd
 
PPTX
Naizak presentation
Faisal Jiwani
 
PDF
DEVNET-1129 WAN Automation Engine - Develop Traffic Aware Applications Using ...
Cisco DevNet
 
PPT
Menu ppt
Lailin Luthfiana
 
Building a Security Architecture
Cisco Canada
 
Urban Health and Resilience in the Lagos Metropolis (2) ( A Presentation By E...
Dr. Ebele Mogo
 
DEVNET-1132 Create B2B Exchanges with Cisco Connected Processes
Cisco DevNet
 
DEVNET-1102 Introduction to the DevNet Sandbox and IVT
Cisco DevNet
 
Unveiling the gray emails: A Closer Look at Emails in the Gray Area
Jelena Isachenkova
 
DEVNET-1164 Using OpenDaylight for Notification Driven Workflows
Cisco DevNet
 
DEVNET-1147 Energizing Your Career with Cloud Technologies
Cisco DevNet
 
Vasant Vihar Homes Derabassi Plots-Brochure
propertychd
 
Naizak presentation
Faisal Jiwani
 
DEVNET-1129 WAN Automation Engine - Develop Traffic Aware Applications Using ...
Cisco DevNet
 
Menu ppt
Lailin Luthfiana
 
Ad

Similar to DEVNET-1010 Using Cisco pxGrid for Security Platform Integration (20)

PPTX
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
Cisco DevNet
 
PDF
ISE_FireJumper_Design.pdf---------------------------
Jarita6
 
PPTX
Sem cis ise
Lino Quivén
 
PDF
CIS14: Network-Aware IAM
CloudIDSummit
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
PDF
Application Centric Infrastructure (ACI), the policy driven data centre
Cisco Canada
 
PDF
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
 
PDF
philip_industry zero trust presentation ppt
JayLewis40
 
PPTX
ISE_2.1_BDM_v3a.pptx
Yaser330700
 
PDF
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend
 
PDF
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco Canada
 
PDF
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
PDF
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
PPTX
Cisco Security DNA
Matteo Masi
 
PDF
Brkaci 1090
almaz tt
 
PPTX
Inside Cisco IT: Secure and Simplified Cloud Services with ACI
Cisco IT
 
PDF
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
PPT
Cisco Security Technical Alliances
Cisco DevNet
 
PPTX
Enterprise Network Design and Deployment
Sandeep Yadav
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
Cisco DevNet
 
ISE_FireJumper_Design.pdf---------------------------
Jarita6
 
Sem cis ise
Lino Quivén
 
CIS14: Network-Aware IAM
CloudIDSummit
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
Veronica916344
 
Application Centric Infrastructure (ACI), the policy driven data centre
Cisco Canada
 
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
 
philip_industry zero trust presentation ppt
JayLewis40
 
ISE_2.1_BDM_v3a.pptx
Yaser330700
 
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend
 
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco Canada
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
Cisco Security DNA
Matteo Masi
 
Brkaci 1090
almaz tt
 
Inside Cisco IT: Secure and Simplified Cloud Services with ACI
Cisco IT
 
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
Cisco Security Technical Alliances
Cisco DevNet
 
Enterprise Network Design and Deployment
Sandeep Yadav
 

More from Cisco DevNet (20)

PPTX
How to Contribute to Ansible
Cisco DevNet
 
PPTX
Rome 2017: Building advanced voice assistants and chat bots
Cisco DevNet
 
PPTX
How to Build Advanced Voice Assistants and Chatbots
Cisco DevNet
 
PPTX
Cisco Spark and Tropo and the Programmable Web
Cisco DevNet
 
PPTX
Device Programmability with Cisco Plug-n-Play Solution
Cisco DevNet
 
PPTX
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Cisco DevNet
 
PPTX
Application Visibility and Experience through Flexible Netflow
Cisco DevNet
 
PPTX
WAN Automation Engine API Deep Dive
Cisco DevNet
 
PPTX
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco DevNet
 
PPTX
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Cisco DevNet
 
PPTX
NETCONF & YANG Enablement of Network Devices
Cisco DevNet
 
PPTX
UCS Management APIs A Technical Deep Dive
Cisco DevNet
 
PPTX
OpenStack Enabling DevOps
Cisco DevNet
 
PPTX
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Cisco DevNet
 
PPTX
Getting Started: Developing Tropo Applications
Cisco DevNet
 
PPTX
Cisco Spark & Tropo API Workshop
Cisco DevNet
 
PPTX
Coding 102 REST API Basics Using Spark
Cisco DevNet
 
PPTX
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco DevNet
 
PPTX
DevNet Express - Spark & Tropo API - Lisbon May 2016
Cisco DevNet
 
PPTX
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
Cisco DevNet
 
How to Contribute to Ansible
Cisco DevNet
 
Rome 2017: Building advanced voice assistants and chat bots
Cisco DevNet
 
How to Build Advanced Voice Assistants and Chatbots
Cisco DevNet
 
Cisco Spark and Tropo and the Programmable Web
Cisco DevNet
 
Device Programmability with Cisco Plug-n-Play Solution
Cisco DevNet
 
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Cisco DevNet
 
Application Visibility and Experience through Flexible Netflow
Cisco DevNet
 
WAN Automation Engine API Deep Dive
Cisco DevNet
 
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco DevNet
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Cisco DevNet
 
NETCONF & YANG Enablement of Network Devices
Cisco DevNet
 
UCS Management APIs A Technical Deep Dive
Cisco DevNet
 
OpenStack Enabling DevOps
Cisco DevNet
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Cisco DevNet
 
Getting Started: Developing Tropo Applications
Cisco DevNet
 
Cisco Spark & Tropo API Workshop
Cisco DevNet
 
Coding 102 REST API Basics Using Spark
Cisco DevNet
 
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco DevNet
 
DevNet Express - Spark & Tropo API - Lisbon May 2016
Cisco DevNet
 
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
Cisco DevNet
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Encapsulation theory and applications.pdf
gurumoop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 

DEVNET-1010 Using Cisco pxGrid for Security Platform Integration

  • 2. DEVNET-1010 Using Cisco pxGrid for Security Platform Integration Nancy Cam-Winget Distinguished Engineer Brian Gonsalves Product Manager Chris Ceppi CEO, Identity Over IP
  • 3. Agenda • Functional and Architectural Basics of Cisco Platform Exchange Grid (pxGrid) • DevNet Partner & Cisco Security Integration Use-Cases • First-hand pxGrid Developer Perspective from DevNet partner ID/IP pxGrid SECURITY THRU INTEGRATION
  • 4. Context is the Currency of the Solution Integration Realm …but it’s not easy to execute I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions I have reputation info! I need threat data… I have application info! I need location & auth-group…SIO
  • 5. I have reputation info! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have application info! I need location & auth-group…SIO pxGrid Context Sharing Event Response Context is the Currency of the Solution Integration Realm …but it’s not easy to execute…but pxGrid accomplishes this I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity…
  • 6. WHY CUSTOMERS CARE Cisco pxGrid – Context-Sharing & Network Mitigation Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners Cisco Provides Network Context to Customer IT Platforms Use Eco-Partner Context for Cisco Network Policy for Customers Cisco Shares User/Device & Network Context with IT Infrastructure Cisco Receives Context from Eco- Partners to Make Better Network Access Policy 1 2 3 Help Customer IT Environments Reach into the Cisco Network CISCO PLATFORM ECO-PARTNER CONTEXT CISCO PLATFORM ECO-PARTNER CONTEXT ECO-PARTNER CISCO PLATFORM CISCO NETWORK ACTION MITIGATE Puts “Who, What Device, What Access” with Events. Way Better than Just IP Addresses! Creates a Single Place for Comprehensive Network Access Policy thru Integration Decreases Time, Effort and Cost to Responding to Security and Network Events
  • 7. USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy NETWORK ALERT! SRC/65.32.7.45 DST/165.1.4.9 : HTTP Is this event important? I need more info… Who is this? Is this a server? Smartphone? Is it still on the network? Where? Did this come over VPN? What’s their access level? What’s their posture? What else is on the network?
  • 8. ©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8 “Sensitive Asset” “Other Asset” “Sensitive Asset” 87% of data breaches involve poor access rules… we need to do this better. Verizon Data Breach Report Access Criteria:  Who: User, Group USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security
  • 9. ©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9 ACCESS POLICY – “Critical Data”  WHO = Exec Group Only  WHAT = No Non- Registered Mobile  WHERE = UK Only  WHEN = UK Business Hours Only  HOW = No VPN Access Vary this gent’s application access privilege based on device enrollment, geo-location and access method “Financial Reports” “Café Menus” “HR Database” ISE Context Completes the Picture – Granular Application Data Control Access Criteria  Non-Sensitive  Sensitive  Critical Data
  • 10. Vulnerability Assessment Packet Capture & Forensics SIEM & Threat Defense IAM & SSO pxGrid SECURITY THRU INTEGRATION pxGrid – Industry Adoption Critical Mass as of June 2015 18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago Net/App Performance IoT Security Cisco ISE Cisco WSA Cloud Access Security ?
  • 11. I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… Cisco ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query
  • 12. I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query Traditional APIs have many Limitations - pxGrid addresses these issues: • Single-purpose function = need for many APIs/dev (and lots of testing) • Not configurable = too much/little info for interface systems (scale issues) • Pre-defined data exchange = wait until next release if you need a change • Polling architecture = can’t scale beyond 1 or 2 system integrations • Security can be “loose”
  • 13. “1-touch” network mitigation action – from 3rd party partner console pxGrid ANC API ISE as unified policy point User/Device Quarantine Dynamic ACLs, Increase Inspection Adaptive Network Control provides the ability to: • Quarantine user devices from 3rd party products, such as SIEM systems • Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels • Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica pxGrid: Adaptive Network Control Makes Cisco Infrastructure a Unified Event Response Network
  • 14. pxGrid Architecture & Components pxGrid Controller pxGrid Controller Responsible for Control Plane: • Establishing the “grid” instance • Authenticating clients on to the grid • Authorizing what clients can do on the grid • Maintaining directory of context information “topics” available on the grid pxGrid Client pxGrid Clients (Eco-Partner Platforms) Responsible for: • Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller • If sharing contextual information, publishing it to a “topic” • If consuming contextual information, subscribing to appropriate “topic” • Filtering “topics” to exclude unwanted information • Ad-hoc query to “topics” pxGrid Client
  • 15. Example: Evolution from REST to pxGrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues pxGrid Solution Periodic polling using REST API Publish & Subscribe notification push DB queries causing high I/O usage No DB query with published events caching Bulk download takes more than 3 hours for 200,000 endpoints using REST API • pxGrid provides XML streaming of sessions with pagination • Provides semantic filtering capability (ex: location) to download only a subset Receiving all attributes per session To only send interested attributes through syntactic filtering Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent No visibility and mechanism to authorize, control who is accessing MnT • pxGrid provides single point of authentication and authorization, allowing only authorized systems to access the MnT • pxGrid provides visibility into topics, publishers, subscribers … Other issues: • requires opening up firewall ports for reverse web services calls • no support for federation • Lacks scale with endpoints increase • XMPP protocol supports bi-directionality with tunneling • XMPP supports federation • pxGrid scaling and HA is achieved by leveraging XMPP server architecture
  • 16. Cisco pxGrid SDK Components & Function Component Function Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system • Connects partner system to the pxGrid Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection to test with Sample Data Generator • Generates live session data across a pxGrid connection • Uses Cisco ISE user/device session data pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab Hosted Testing Sandbox • Enables developer to connect to an already setup test environment pxGrid Documentation: Tutorials, Development Guides, testing guides, • Complete documentation to guide the developer from concept to implementation to verification testing
  • 17. A Closer Look at the pxGrid Connection Library… • Connection to pxGrid Server • Multiple pxGrid servers • Round-robin auto retries • Reports connection status • Client certificate based authentication • A root cert is installed in pxGrid server • pxGrid server verifies client certs are signed by the root cert • Capability subscription and publishing • Capability is a set of queries and notifications supported • pxGrid provides discovery of Capability • Notifications are sent to XMPP pub/sub • Queries are directly sent to Capability provider
  • 18. How to Get Only the Context You Need… pxGrid Message Filtering • Allows subscriber to filter/restrict messages based on specified filter criteria. • Two kinds of filters: • Content Based Filters • Restrict messages based on the content of the message • e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet • Schema Based Filter • Allows clients to receive only a subset of attributes instead of the full message object • Not supported in this phase
  • 19. How to Install and Test Using the pxGrid SDK 1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM. 2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller. 3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE. 4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS). 5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore. 6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK
  • 20. Using the pxGrid Client Libraries Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below: • Query Handler: A provider must register query handler with the pxGrid client library to service a query that it needs to expose over pxGrid. • Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection. • Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability. • Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.
  • 21. pxGrid Sample Scripts Currently Available in the SDK • Sample pxGrid scripts provide development partners with executable example code for how to use the API • These scripts can also be useful in demos with customers • Most commonly used pxGrid API scripts on Cisco ISE: • Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group. • Session Subscribe: pxGrid client subscribes to capability • Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE • Session Query by IP: retrieves all active session from ISE based on IP address • Session Download: downloads all active sessions from ISE • ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address • ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address • Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in this case)
  • 23. pxGrid Sandbox now available on DevNet • DevNet Sandbox pxGrid environment allows users to integrate with pxGrid services on Cisco ISE
  • 24. • ID over IP is Venture backed Cisco Ecosystem Partner • Deep expertise in Identity and Access Management • Context Sharing Enables Enforcement of Security Policy • Two key use cases: • dot1x based Single Sign On • Device driven application security Security Integration At Work
  • 25. • Use Case: Single Sign On based on dot1x Authentication • Example: Single network authentication provides secure authenticated access to cloud and web applications • Solution: Integrate Network Session with Application Sign On Security Integration At Work
  • 26. • Use Case: Restrict application access based on device context • Example policy: Only employees using managed laptops can access patent research data stored in cloud application. • Solution: Integrate Network Access Control Policy and Identity and Access Management Security Integration At Work
  • 27. • Technical Detail • Develop pxGrid Integration based on Session Query • Asociate Client with User Session • Leverage User Identity and Session Attributes in IAM Standards including SAML Security Integration At Work
  • 28. • Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
  • 29. • Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
  • 30. In Summary…and How to Get Started Cisco pxGrid Enables: • Integration between development partners and the Cisco security products • Many-to-many integration scalability • The ability to integrate once to pxGrid and re- use that implementation to interface with any other pxGrid platform (even other Cisco development partners) • Integrations with the Cisco Identity Services Engine (ISE) are available today Get Started: • Cisco Identity Services Engine (ISE) integrations available today • Use user-to-IP address bindings answer “who” in your platforms • Use device identification to answer “what type of device” in your platforms • Use mitigation capabilities to take actions on users/device from your platform • Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/

Editor's Notes

  • #7: ISE integrates with many networking & IT platforms to do 3 things: Make customer IT platforms user/identity, device and network aware How: Share ISE context with ecosystem partner products/platforms Why this matters to customers: Answers “who, what authz group, what device, what type of access, where” associated with events. Enables use of all of those in policies and analytics. Way better than just using IP addresses and ports! Make ISE a better network policy platform for customers How: Ecosystem platforms share their context with ISE so ISE can use it in network policy Why this matters to customers: Creates a single place for comprehensive network policy. ISE will never natively have all policy elements needed for this, but it can source them through ecosystem integrations. Help customer IT environments integrate and reach into the Cisco network How: Ecosystem platforms leverage ISE to take network actions on users and device (e.g. quarantine a device) Why this matters to customers: Decreases time, effort and cost to responding to security and network events
  • #8: This is an analogy slide to get the audience grasping the concept of ISE as a widely-applicable ecosystem context & control platform. Build 1: Air traffic control tower, or any sort of command center, is in charge of knowing what is going on and helping a variety of systems stay coordinated by providing the right information and right instructions at the right time. They know everybody and every system in their “network” and how to get them the info and instructions they need to stay coordinated and take the right action at the appropriate time…in real-time…based on the applicable information. Build 2: IT networks can benefit from this same concept…a control tower of sorts supplying them applicable information to help them make good decisions and also giving them specific instructions when applicable. This sort of coordination keeps the network running and operating optimally. A good example of this is when dealing with network events. Most IT systems only deliver the part of the picture they can see…and it’s rarely enough to really understand what the event means. Rest of builds: These are typical pieces of contextual information needed to figure out what is going on in the network. Having a unified, accurate, real-time source of this contextual information is useful to pretty much any system in an IT infrastructure. Every system operates better and can serve more use-cases when they know “who, what, where, when, how”.
  • #9: Applications are where the data theft jewels are Application access only operates on “who” So much of how data is compromised can be safe-guarded by extending application access with the right controls We’re woefully unprepared for mobility, BYOD and cloud
  • #10: Also state that you could use this same criteria to do escalated auth
  • #22: Adaptive Network Control new term for (EPS),