DevNet Workshop-Learning Cisco platform Exchange Grid (pxGrid) Dynamic Topics
Syam Appala, Principal Engineer
DEVNET-2433
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
[Slide 4 diagram: Contextual Awareness Key to Security Event Prioritization and Response]
Triage questions raised by a PotentialBreachEvent: Associate User to Event; Check Endpoint Posture; How Do I Mitigate?; Where is it on the Network?; What Kind of Device is it?; Associate User to Authorization.
Data sources shown: Security Event, AAA Logs, IAM, NAC, and several unknown sources (??).
Pain points called out: MANY SCREENS, MISSING DATA; COMPLICATED MITIGATION.
What is Cisco Platform Exchange Grid (pxGrid)
• It is a framework for sharing ISE contextual information with other security solutions
• Allows security vendors to share topics of information via Dynamic Topics
• Provides enforcement when an organization's security policy rules are violated, using Adaptive Network Control (ANC) mitigation actions
[Slides 6 and 7 diagram: pxGrid with Context Sharing]
ISE as pxGrid Controller (CISCO ISE) sits at the centre, providing pxGrid Context Sharing between participants, each of which holds some context and needs other context:
• "I have identity & device! I need geo-location & MDM…"
• "I have application info! I need location & device-type"
• "I have location! I need app & identity…"
• "I have sec events! I need identity & device…"
• "I have MDM info! I need location…"
Slide 7 adds the "Publish Topics" step next to ISE.
pxGrid Components: Publisher
Publisher - ISE Admin & MnT node publishes Topic information
Publisher - a pxGrid client can also publish Topics
Dynamic Topics introduced in ISE 2.0
pxGrid Components: Subscriber
Subscriber - Cisco Security Solution or Ecosystem Partner subscribes to a Topic
pxGrid Components: Controller
• Authorizes and enforces client registration
• Performs client management
• Manages Publisher/Subscriber & Topics
ISE pxGrid Controller - Enforces and Autho
Capabilities or Topics of Information
• Schema for context sharing with registered pxGrid clients
Session Directory – provides ISE contextual attributes, for example:
Session={ip=[192.168.1.15], Audit Session Id=0A000001000000170001B0AB, UserName=jeppich, ADUserDNSDomain=lab10.com, ADUserNetBIOSName=LAB10, [email protected], ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare-Device, NAS IP=192.168.1.3, NAS Port=GigabitEthernet1/0/11, RADIUSAVPairs=[ Acct-Session-Id=0000002E], Posture Status=null, Posture Timestamp=, LastUpdateTime=Sat Jan 21 11:49:04 EST 2017, Session attributeName=Authorization_Profiles, Session attributeValue=Quarantined_Systems, Providers=[None], EndpointCheckResult=none, IdentitySourceFirstPort=0, IdentitySourcePortStart=0, IdentitySourcePortEnd=0, IsMachineAuthentocation=false}
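As an added illustration (not part of the deck or of the pxGrid SDK), a small Python parser for the Session Directory dump format shown above, plus a helper that answers the intro slide's triage questions (who, what device, where, already mitigated?) from one session. The sample string is constructed from the slide's values; the rules that bracketed values are lists and that ", " followed by a key separates attributes are assumptions inferred from the dump (the resolved DN contains commas of its own).

```python
import re

# Constructed sample: the slide's Session Directory dump, re-joined onto one line.
SESSION_DUMP = (
    "Session={ip=[192.168.1.15], Audit Session Id=0A000001000000170001B0AB, "
    "UserName=jeppich, ADUserDNSDomain=lab10.com, ADUserNetBIOSName=LAB10, "
    "ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, "
    "MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, "
    "SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare-Device, "
    "NAS IP=192.168.1.3, NAS Port=GigabitEthernet1/0/11, Posture Status=null, "
    "RADIUSAVPairs=[ Acct-Session-Id=0000002E], Posture Timestamp=, Providers=[None]}"
)

# A key such as 'Audit Session Id=' must follow a ', ' for it to count as a separator.
KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9 ]*=")

def split_attributes(body):
    """Split on ', ' only at bracket depth 0 and only when a new key follows."""
    parts, cur, depth, i = [], [], 0, 0
    while i < len(body):
        ch = body[i]
        depth += (ch == "[") - (ch == "]")
        if depth == 0 and body.startswith(", ", i) and KEY_RE.match(body, i + 2):
            parts.append("".join(cur))
            cur, i = [], i + 2
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_session(dump):
    """Turn 'Session={k=v, k=[a, b], ...}' into a dict; bracketed values become lists."""
    m = re.fullmatch(r"Session=\{(.*)\}", dump.strip(), re.S)
    if not m:
        raise ValueError("not a Session={...} dump")
    attrs = {}
    for part in split_attributes(m.group(1)):
        key, _, value = part.partition("=")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        attrs[key.strip()] = value
    return attrs

def event_context(attrs):
    """Answer the intro slide's triage questions: who, what device, where, mitigated?"""
    return {
        "user": attrs.get("UserName"),
        "ip": (attrs.get("ip") or [None])[0],
        "device": attrs.get("EndpointProfile"),
        "location": f"{attrs.get('NAS IP')} {attrs.get('NAS Port')}",
        "quarantined": attrs.get("ANCstatus") == "ANC_Quarantine",
    }
```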
pxGrid Client Groups
Basic – provides ISE pxGrid node connectivity. The pxGrid admin must manually move the registered pxGrid client into the other client groups, most likely the Session group, which provides access to the pxGrid session objects
Administrator – reserved for ISE published node clients
Session – provides access to pxGrid session objects
ANC – subscribes to ANC AdaptiveNetworkControlService
EPS – subscribes to EPS EndpointProtectionService
Publisher, Action, Subscribe – groups used for dynamic topics
Dynamic Topics - Benefits
• Allow a pxGrid client to interact with other clients and enforce a more accurate organizational security policy by including contextual information from the other security vendors
• Can help reduce false positives and false negatives in a security vendor's solution
[Slides 19 to 31 diagram sequence: pxGrid with Dynamic Topics]
ISE as pxGrid Controller (CISCO ISE) again sits at the centre; the same participants join one at a time ("I have location! I need app & identity…", "I have application info! I need location & device-type", "I have identity & device! I need geo-location & MDM…", "I have sec events! I need identity & device…", "I have MDM info! I need location…").
Steps labelled across the sequence: Publish (a client publishes its own topic through the controller); Discover Topic (another client discovers that topic); Continuous Flow and Directed Query (the subscriber receives the published stream and can also send directed queries to the publisher).
Workbench Lab Example Scenario:
Detection Networks is a fictitious company that uses honeypots to lure intruders into a false sense of security about the company's crown jewels.
- Publishes "BAD_HOSTS_Table"
- Contains: IPAddress, MACAddress, FQDN, Username, and EndpointDevice information of the infected host
- VA Scanners subscribe to the "BAD_HOSTS_Table" and include the BAD_HOSTS_Table attributes in their security policy to scan for vulnerabilities
Dynamic Topic Workflow (Publisher – pxGrid Controller – Subscriber)
• Publisher proposes the "BAD_HOSTS_Table" topic to the pxGrid Controller
• Admin approves the topic
• Publisher is added to the topic, with the Publisher, Session and Action groups assigned
• Publisher defines its Query/Action topics and publishes events to the topic
• Subscriber defines what topics to subscribe to and subscribes to the topic
• From then on, communication flows directly between Publisher and Subscriber
Propose a New Topic
./propose_capability.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseCA.jks -q Cisco123 -g Session -d pxgrid
(diagram label: New Publisher)
------- properties -------
version=1.0.4.17
hostnames=192.168.1.230
username=DetectionNetworks
password=
group=Basic
description=pxgrid
keystoreFilename=mac22.jks
keystorePassword=Cisco123
truststoreFilename=rootiseCA.jks
truststorePassword=Cisco123
--------------------------
11:55:40.837 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
11:55:40.856 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connecting to host 192.168.1.230
11:55:41.193 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connected OK to host 192.168.1.230
11:55:41.194 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login to host 192.168.1.230
11:55:41.461 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login OK to host 192.168.1.230
Connected
Adding BAD_HOST Topic and Query Items
New capability? (y/n): y
Enter capability name: BAD_HOSTS_Table
Enter capability version: 1.0
Enter capability description: Infected Hosts Table
Enter vendor platform: DetectionNetworks
Enter query name (<enter> to continue): ipAddress
Enter query name (<enter> to continue): macAddress
Enter query name (<enter> to continue): FQDN
Enter query name (<enter> to continue): Username
Enter query name (<enter> to continue): EndpointDevice
Enter query name (<enter> to continue):
Enter action name (<enter> to continue):
Proposing new capability...
Press <enter> to disconnect...change=CREATED; capability=BAD_HOSTS_Table, version=1.0
Authorization changed
Connection closed
ISE administration screenshots (slides 36 to 39): The New Topic is Proposed; Admin Approves Topic; Topic is Created; Client Groups Added
Generic_publisher.properties
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="publisher"
GENERIC_QUERY_NAME_SET=""
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET="pub-notif-001,pub-notif-002,pub-notif-003"
GENERIC_REQUEST_DATA_SET=""
GENERIC_RESPONSE_DATA_SET="resp-001,resp-002,resp-003,resp-004"
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"
Publishing Topic
./generic_client.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseCA.jks -q Cisco123 -c generic_publisher.properties
Initialized : GenericClient:
topicName=BAD_HOSTS_Table
clientMode=PUBLISHER
sleepInterval=500
iterations=20
queryNameSet=[]
actionNameSet=[]
publishDataSet=[pub-notif-001, pub-notif-002, pub-notif-003]
requestDataSet=[]
responseDataSet=[resp-001, resp-002, resp-003, resp-004]
---
Publishing BAD_HOSTS_Table and Query Items
Connected
12:11:19.020 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Connected
Publishing notification: GenericMessage:
messageType=NOTIFICATION
capabilityName=BAD_HOSTS_Table
operationName=sampleNotification
body:
content:
contentTags=[NOTIF-TAG-201]
contentType=PLAIN_TEXT
value=NOTIFICATION[1485105079225]pub-notif-001
Publishing notification: GenericMessage:
ISE administration screenshot (slide 43): Publisher Successfully Registers as pxGrid Client
Generic_subscriber.properties
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="subscriber"
GENERIC_QUERY_NAME_SET="ipAddress,macaddress,FQDN,Username,EndpointDevice"
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET=""
GENERIC_REQUEST_DATA_SET="req-001,req-002,req-003"
GENERIC_RESPONSE_DATA_SET=""
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"
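Added example (not from the deck or the pxGrid SDK): a Python consistency check of the two lab properties files above against the capability name and query names entered in propose_capability.sh. It assumes, from the slide output, that the sample client publishes its PUBLISH_DATA_SET values, answers directed queries from RESPONSE_DATA_SET, and that a subscriber sends REQUEST_DATA_SET values to the names in QUERY_NAME_SET; the slides do not say whether the controller matches query names case-insensitively, so the check compares them exactly and flags the lab's macaddress/macAddress difference.

```python
# Constructed from the two lab properties files on the slides (timing and action lines omitted).
PUBLISHER_PROPS = """
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="publisher"
GENERIC_QUERY_NAME_SET=""
GENERIC_PUBLISH_DATA_SET="pub-notif-001,pub-notif-002,pub-notif-003"
GENERIC_REQUEST_DATA_SET=""
GENERIC_RESPONSE_DATA_SET="resp-001,resp-002,resp-003,resp-004"
"""
SUBSCRIBER_PROPS = """
GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="subscriber"
GENERIC_QUERY_NAME_SET="ipAddress,macaddress,FQDN,Username,EndpointDevice"
GENERIC_PUBLISH_DATA_SET=""
GENERIC_REQUEST_DATA_SET="req-001,req-002,req-003"
GENERIC_RESPONSE_DATA_SET=""
"""
# Capability name and query names exactly as entered in propose_capability.sh.
CAPABILITY = "BAD_HOSTS_Table"
CAPABILITY_QUERIES = ["ipAddress", "macAddress", "FQDN", "Username", "EndpointDevice"]

def load_props(text):
    """Parse KEY="value" lines (blank lines skipped) into a dict."""
    return {k.strip(): v.strip().strip('"')
            for k, _, v in (line.partition("=") for line in text.splitlines() if line.strip())}

def items(props, key):
    return [v for v in props.get(key, "").split(",") if v]

def check_props(props, capability, queries):
    """Return the problems found; an empty list means the file matches the capability."""
    issues = []
    topic, mode = props.get("GENERIC_TOPIC_NAME"), props.get("GENERIC_CLIENT_MODE", "").lower()
    if topic != capability:
        issues.append(f"topic {topic!r} is not the proposed capability {capability!r}")
    # Assumed sample-client behaviour: what each mode must have configured to do anything.
    needed = {"publisher": ("GENERIC_PUBLISH_DATA_SET", "GENERIC_RESPONSE_DATA_SET"),
              "subscriber": ("GENERIC_REQUEST_DATA_SET", "GENERIC_QUERY_NAME_SET")}
    for key in needed.get(mode, ()):
        if not items(props, key):
            issues.append(f"{mode} needs a non-empty {key}")
    by_fold = {q.lower(): q for q in queries}
    for q in items(props, "GENERIC_QUERY_NAME_SET"):
        if q in queries:
            continue
        if q.lower() in by_fold:
            issues.append(f"query {q!r} differs in case from proposed {by_fold[q.lower()]!r}")
        else:
            issues.append(f"query {q!r} was never proposed for {capability!r}")
    return issues
```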
Subscribing to Capability
./generic_client.sh -a 192.168.1.230 -u VA_Scanners -k mac22.jks -p Cisco123 -t rootiseCA.jks -c generic_subscriber.properties
Initialized : GenericClient:
topicName=BAD_HOSTS_Table
clientMode=SUBSCRIBER
sleepInterval=500
iterations=20
queryNameSet=[ipAddress, macaddress, FQDN, Username, EndpointDevice]
actionNameSet=[]
publishDataSet=[]
requestDataSet=[req-001, req-002, req-003]
responseDataSet=[]
Subscribing to BAD_HOSTS_Table and Query Items
Sending request: GenericMessage:
messageType=REQUEST
capabilityName=BAD_HOSTS_Table
operationName=EndpointDevice
body:
content:
contentTags=[QUERY-TAG-301]
contentType=PLAIN_TEXT
value=QUERY[1485105417176]req-002
Received response: GenericMessage:
messageType=RESPONSE
capabilityName=BAD_HOSTS_Table
operationName=EndpointDevice
body:
content:
contentTags=[RESP-TAG-101]
contentType=PLAIN_TEXT
value=RESPONSE[1485105417203]resp-004 - for request[QUERY[1485105417176]req-002]
ISE administration screenshot (slide 47): Subscriber Consumes Topic
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions