This session will cover: Functional and architectural basics of Cisco Platform Exchange Grid (pxGrid), the new publish/subscribe/query contextual information exchange framework for creating integration between DevNet partner platforms and Cisco security products; Integration use-cases such as utilizing pxGrid for executing threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet partners analytics, forensics and reporting; First-hand developer perspective from DevNet partner ID/IP who used pxGrid to integrate Ping Identity and Cisco Identity Services Engine.
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
1.
2. DEVNET-1010
Using Cisco pxGrid for
Security Platform
Integration
Nancy Cam-Winget
Distinguished Engineer
Brian Gonsalves
Product Manager
Chris Ceppi
CEO, Identity Over IP
4. Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute
I have NBAR info!
I need identity…
I have firewall logs!
I need identity…
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have identity & device-type!
I need app inventory & vulnerability…
I have threat data!
I need reputation…
I have location!
I need identity…
But Integration
Burden is on IT
Departments
We Need
to Share
Context &
Take Network
Actions
I have reputation info!
I need threat data…
I have application info!
I need location & auth-group…SIO
5. I have reputation info!
I need threat data…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have application info!
I need location & auth-group…SIO
pxGrid
Context Sharing
Event Response
Context is the Currency of the Solution Integration Realm
…but it’s not easy to execute…but pxGrid accomplishes this
I have NBAR info!
I need identity…
I have firewall logs!
I need identity…
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have identity & device-type!
I need app inventory & vulnerability…
I have threat data!
I need reputation…
I have location!
I need identity…
6. WHY CUSTOMERS CARE
Cisco pxGrid – Context-Sharing & Network Mitigation
Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners
Cisco Provides Network
Context to Customer IT
Platforms
Use Eco-Partner Context
for Cisco Network Policy
for Customers
Cisco Shares User/Device &
Network Context with IT
Infrastructure
Cisco Receives Context from Eco-
Partners to Make Better Network
Access Policy
1 2 3
Help Customer IT
Environments Reach into
the Cisco Network
CISCO PLATFORM ECO-PARTNER
CONTEXT
CISCO PLATFORM ECO-PARTNER
CONTEXT
ECO-PARTNER CISCO PLATFORM
CISCO NETWORK
ACTION
MITIGATE
Puts “Who, What Device, What
Access” with Events. Way Better
than Just IP Addresses!
Creates a Single Place for
Comprehensive Network Access
Policy thru Integration
Decreases Time, Effort and Cost
to Responding to Security and
Network Events
7. USE CASE: Contextual Awareness for Security/Network Event Prioritization,
Response and Policy
NETWORK ALERT!
SRC/65.32.7.45
DST/165.1.4.9 : HTTP
Is this event important?
I need more info…
Who is this?
Is this a server?
Smartphone?
Is it still on the
network? Where?
Did this come over VPN?
What’s their
access level?
What’s their
posture?
What else
is on the
network?
10. Vulnerability
Assessment
Packet Capture
& Forensics
SIEM &
Threat Defense
IAM & SSO
pxGrid
SECURITY THRU
INTEGRATION
pxGrid – Industry Adoption Critical Mass as of June 2015
18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago
Net/App
Performance
IoT
Security
Cisco ISE Cisco WSA
Cloud Access
Security
?
11. I have identity & device!
I need geo-location & MDM…
I have application info!
I need location & device-type
I have location!
I need app & identity…
Cisco ISE as pxGrid Controller
Publish Publish
Discover TopicDiscover Topic
Continuous Flow
Directed QuerypxGrid
Context
Sharing
CISCO ISE
Continuous Flow
Directed Query
I have sec events!
I need identity & device…
I have MDM info!
I need location…
How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate Authorize Publish Discover Subscribe Query
12. I have identity & device!
I need geo-location & MDM…
I have application info!
I need location & device-type
I have location!
I need app & identity…
ISE as pxGrid Controller
Publish Publish
Discover TopicDiscover Topic
Continuous Flow
Directed QuerypxGrid
Context
Sharing
CISCO ISE
Continuous Flow
Directed Query
I have sec events!
I need identity & device…
I have MDM info!
I need location…
How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners
Authenticate Authorize Publish Discover Subscribe Query
Traditional APIs have many Limitations - pxGrid addresses these
issues:
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”
13. “1-touch” network mitigation action –
from 3rd party partner console
pxGrid ANC API
ISE as unified
policy point
User/Device Quarantine
Dynamic ACLs, Increase
Inspection
Adaptive Network Control provides the ability to:
• Quarantine user devices from 3rd party products, such as SIEM systems
• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA
or increase IPS inspection levels
• Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica
pxGrid: Adaptive Network Control
Makes Cisco Infrastructure a Unified Event Response Network
14. pxGrid Architecture & Components
pxGrid
Controller
pxGrid Controller Responsible for Control Plane:
• Establishing the “grid” instance
• Authenticating clients on to the grid
• Authorizing what clients can do on the grid
• Maintaining directory of context information “topics”
available on the grid
pxGrid
Client
pxGrid Clients (Eco-Partner Platforms) Responsible for:
• Utilizing pxGrid Client Libraries (in SDK) to communicate with the
pxGrid Controller
• If sharing contextual information, publishing it to a “topic”
• If consuming contextual information, subscribing to appropriate “topic”
• Filtering “topics” to exclude unwanted information
• Ad-hoc query to “topics”
pxGrid
Client
15. Example: Evolution from REST to pxGrid
Cisco ISE User/Device Context-Sharing Example
Session Context sharing from ISE MnT Issues pxGrid Solution
Periodic polling using REST API Publish & Subscribe notification push
DB queries causing high I/O usage No DB query with published events caching
Bulk download takes more than 3 hours for 200,000 endpoints
using REST API
• pxGrid provides XML streaming of sessions with pagination
• Provides semantic filtering capability (ex: location) to download
only a subset
Receiving all attributes per session To only send interested attributes through syntactic filtering
Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent
No visibility and mechanism to authorize, control who is accessing
MnT
• pxGrid provides single point of authentication and authorization,
allowing only authorized systems to access the MnT
• pxGrid provides visibility into topics, publishers, subscribers …
Other issues:
• requires opening up firewall ports for reverse web services
calls
• no support for federation
• Lacks scale with endpoints increase
• XMPP protocol supports bi-directionality with tunneling
• XMPP supports federation
• pxGrid scaling and HA is achieved by leveraging XMPP server
architecture
16. Cisco pxGrid SDK Components & Function
Component Function
Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system
• Connects partner system to the pxGrid
Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection
to test with
Sample Data Generator • Generates live session data across a pxGrid connection
• Uses Cisco ISE user/device session data
pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local
testing in your lab
Hosted Testing Sandbox • Enables developer to connect to an already setup test
environment
pxGrid Documentation: Tutorials, Development Guides,
testing guides,
• Complete documentation to guide the developer from
concept to implementation to verification testing
17. A Closer Look at the pxGrid Connection Library…
• Connection to pxGrid Server
• Multiple pxGrid servers
• Round-robin auto retries
• Reports connection status
• Client certificate based authentication
• A root cert is installed in pxGrid server
• pxGrid server verifies client certs are signed by the root cert
• Capability subscription and publishing
• Capability is a set of queries and notifications supported
• pxGrid provides discovery of Capability
• Notifications are sent to XMPP pub/sub
• Queries are directly sent to Capability provider
18. How to Get Only the Context You Need…
pxGrid Message Filtering
• Allows subscriber to filter/restrict messages based on specified filter
criteria.
• Two kinds of filters:
• Content Based Filters
• Restrict messages based on the content of the message
• e.g. an ASA device interested in receiving session information from ISE only for end
points belonging to a subnet
• Schema Based Filter
• Allows clients to receive only a subset of attributes instead of the full message object
• Not supported in this phase
19. How to Install and Test Using the pxGrid SDK
1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM.
2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples
certificates from SDK. These certificates will be used by the pxGrid client for mutual
authentication to the pxGrid controller.
3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE.
4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing
client libraries in your platform or hosting on an external test client (linux box, e.g.
CentOS).
5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or
the linux client, and add to keystore.
6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK
20. Using the pxGrid Client Libraries
Developer platforms interact with pxGrid by registering the appropriate query and
notification callers and handlers as detailed below:
• Query Handler: A provider must register query handler with the pxGrid client library to
service a query that it needs to expose over pxGrid.
• Query Caller: A query caller is created by assembling a request and calling the query
method on the pxGrid connection.
• Notification Handler: Registers a notification handler with the pxGrid connection to
receive notifications for a capability.
• Notifier: To be able to publish notifications, the developer platform must first invoke a
publish capability method.
21. pxGrid Sample Scripts Currently Available in the SDK
• Sample pxGrid scripts provide development partners with executable example
code for how to use the API
• These scripts can also be useful in demos with customers
• Most commonly used pxGrid API scripts on Cisco ISE:
• Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group.
• Session Subscribe: pxGrid client subscribes to capability
• Identity Group download: Downloads user identity information such as the user and profiled group
information from active sessions in ISE
• Session Query by IP: retrieves all active session from ISE based on IP address
• Session Download: downloads all active sessions from ISE
• ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given
IP address
• ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address
• Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in
this case)
23. pxGrid Sandbox now available on DevNet
• DevNet Sandbox pxGrid
environment allows users
to integrate with pxGrid
services on Cisco ISE
24. • ID over IP is Venture backed Cisco Ecosystem Partner
• Deep expertise in Identity and Access Management
• Context Sharing Enables Enforcement of Security Policy
• Two key use cases:
• dot1x based Single Sign On
• Device driven application security
Security Integration At Work
25. • Use Case: Single Sign On based on dot1x Authentication
• Example: Single network authentication provides secure authenticated
access to cloud and web applications
• Solution: Integrate Network Session with Application Sign On
Security Integration At Work
26. • Use Case: Restrict application access based on device context
• Example policy: Only employees using managed laptops can access
patent research data stored in cloud application.
• Solution: Integrate Network Access Control Policy and Identity and
Access Management
Security Integration At Work
27. • Technical Detail
• Develop pxGrid Integration based on Session Query
• Asociate Client with User Session
• Leverage User Identity and Session Attributes in IAM Standards including
SAML
Security Integration At Work
28. • Benefits
• Significantly lower risk of core business operations
• Extend value of in place security components
• Minimal operational impact
• Rapid development cycles
Security Integration At Work
29. • Benefits
• Significantly lower risk of core business operations
• Extend value of in place security components
• Minimal operational impact
• Rapid development cycles
Security Integration At Work
30. In Summary…and How to Get Started
Cisco pxGrid Enables:
• Integration between development partners and
the Cisco security products
• Many-to-many integration scalability
• The ability to integrate once to pxGrid and re-
use that implementation to interface with any
other pxGrid platform (even other Cisco
development partners)
• Integrations with the Cisco Identity Services
Engine (ISE) are available today
Get Started:
• Cisco Identity Services Engine (ISE)
integrations available today
• Use user-to-IP address bindings answer “who”
in your platforms
• Use device identification to answer “what type
of device” in your platforms
• Use mitigation capabilities to take actions on
users/device from your platform
• Access SDK, client libraries and tutorials at:
https://developer.cisco.com/site/pxgrid/
ISE integrates with many networking & IT platforms to do 3 things:
Make customer IT platforms user/identity, device and network aware
How: Share ISE context with ecosystem partner products/platforms
Why this matters to customers: Answers “who, what authz group, what device, what type of access, where” associated with events. Enables use of all of those in policies and analytics. Way better than just using IP addresses and ports!
Make ISE a better network policy platform for customers
How: Ecosystem platforms share their context with ISE so ISE can use it in network policy
Why this matters to customers: Creates a single place for comprehensive network policy. ISE will never natively have all policy elements needed for this, but it can source them through ecosystem integrations.
Help customer IT environments integrate and reach into the Cisco network
How: Ecosystem platforms leverage ISE to take network actions on users and device (e.g. quarantine a device)
Why this matters to customers: Decreases time, effort and cost to responding to security and network events
This is an analogy slide to get the audience grasping the concept of ISE as a widely-applicable ecosystem context & control platform.
Build 1: Air traffic control tower, or any sort of command center, is in charge of knowing what is going on and helping a variety of systems stay coordinated by providing the right information and right instructions at the right time. They know everybody and every system in their “network” and how to get them the info and instructions they need to stay coordinated and take the right action at the appropriate time…in real-time…based on the applicable information.
Build 2: IT networks can benefit from this same concept…a control tower of sorts supplying them applicable information to help them make good decisions and also giving them specific instructions when applicable. This sort of coordination keeps the network running and operating optimally. A good example of this is when dealing with network events. Most IT systems only deliver the part of the picture they can see…and it’s rarely enough to really understand what the event means.
Rest of builds: These are typical pieces of contextual information needed to figure out what is going on in the network. Having a unified, accurate, real-time source of this contextual information is useful to pretty much any system in an IT infrastructure. Every system operates better and can serve more use-cases when they know “who, what, where, when, how”.
Applications are where the data theft jewels are
Application access only operates on “who”
So much of how data is compromised can be safe-guarded by extending application access with the right controls
We’re woefully unprepared for mobility, BYOD and cloud
Also state that you could use this same criteria to do escalated auth