
Upload: truongthu

Post on 06-Mar-2018


DevNet Workshop-Learning Cisco platform Exchange Grid (pxGrid) Dynamic Topics

Syam Appala, Principal Engineer

DEVNET-2433

Agenda

• Introduction to pxGrid

• pxGrid Operation

• Lab on Dynamic Topics

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Contextual Awareness Key to Security Event Prioritization and Response

[Slide diagram: a PotentialBreachEvent raises a Security Event. To act on it the analyst must Associate User to Event, Check Endpoint Posture, Associate User to Authorization, and answer Where is it on the Network?, What Kind of Device is it? and How Do I Mitigate?, pulling each answer from a separate source (AAA Logs, IAM, NAC and others marked ??). Result: MANY SCREENS, MISSING DATA and COMPLICATED MITIGATION.]

What is Cisco Platform Exchange Grid (pxGrid)

• A framework for sharing ISE contextual information (identity, device, location, posture, security group) with other security solutions

• Allows security vendors to share their own topics of information via Dynamic Topics

• Provides enforcement when an endpoint violates the organization's security policy, using Adaptive Network Control (ANC) mitigation actions

pxGrid with Context Sharing

[Slide diagram: ISE as pxGrid Controller, with pxGrid Context Sharing between partner solutions. Each participant holds some context and needs more: CISCO ISE "I have identity & device! I need geo-location & MDM…"; "I have application info! I need location & device-type"; "I have location! I need app & identity…"; "I have sec events! I need identity & device…"; "I have MDM info! I need location…". Partners Publish Topics through the controller and subscribe to the ones they need.]

Operation

pxGrid Components – Publisher

Publisher – ISE Admin & MnT node publishes Topic information

Publisher – a pxGrid client can also publish Topics (Dynamic Topics, introduced in ISE 2.0)

pxGrid Components – Subscriber

Subscriber – Cisco Security Solution or Ecosystem Partner subscribes to a Topic

pxGrid Components – Controller

• Authorizes and enforces client registration

• Performs client management

• Manages Publisher/Subscriber & Topics

ISE pxGrid Controller Enforces and Authorizes client registration (slide screenshot)

Capabilities or Topics of Information

• Schema for context sharing with registered pxGrid clients

Session Directory – provides ISE contextual attributes, for example one session object as logged by a pxGrid client:

Session={ip=[192.168.1.15], Audit Session Id=0A000001000000170001B0AB, UserName=jeppich, ADUserDNSDomain=lab10.com, ADUserNetBIOSName=LAB10, [email protected], ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare-Device, NAS IP=192.168.1.3, NAS Port=GigabitEthernet1/0/11, RADIUSAVPairs=[ Acct-Session-Id=0000002E], Posture Status=null, Posture Timestamp=, LastUpdateTime=Sat Jan 21 11:49:04 EST 2017, Session attributeName=Authorization_Profiles, Session attributeValue=Quarantined_Systems, Providers=[None], EndpointCheckResult=none, IdentitySourceFirstPort=0, IdentitySourcePortStart=0, IdentitySourcePortEnd=0, IsMachineAuthentication=false}
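The session object above is what turns the "many screens" problem of the earlier slide into a single lookup. The following is an added example, written for this page and not taken from the slides or the Cisco pxGrid SDK: it parses the Session Directory record in the logged "key=value, key=value" form shown above (the separator rules are an assumption derived from that one record), then joins a constructed IDS alert to it by source IP to answer who the user is, what the device is, where it sits on the network, and whether an ANC quarantine is already in force. The one attribute whose name was lost in the page extraction is left out of the sample record.

```python
"""Added example (editor's, not Cisco's): join an alert to ISE session context.

Parses the Session Directory record as the slide shows it (the "key=value,
key=value" text a pxGrid client logs) and answers the slide-4 questions for
one alert: which user, which device, where on the network, and whether ISE
has already quarantined it. The alert below is constructed for the example.
"""
import re

# Session record from the slide, joined onto one string. One attribute whose
# name was lost in the page extraction is omitted.
SAMPLE_SESSION = (
    "Session={ip=[192.168.1.15], Audit Session Id=0A000001000000170001B0AB, "
    "UserName=jeppich, ADUserDNSDomain=lab10.com, ADUserNetBIOSName=LAB10, "
    "ADUserResolvedDNs=CN=John Eppich,CN=Users,DC=lab10,DC=com, "
    "MacAddresses=[00:50:56:86:C9:92], State=STARTED, ANCstatus=ANC_Quarantine, "
    "SecurityGroup=Quarantined_Systems, EndpointProfile=VMWare-Device, "
    "NAS IP=192.168.1.3, NAS Port=GigabitEthernet1/0/11, "
    "RADIUSAVPairs=[ Acct-Session-Id=0000002E], Posture Status=null, "
    "Posture Timestamp=, LastUpdateTime=Sat Jan 21 11:49:04 EST 2017, "
    "Session attributeName=Authorization_Profiles, "
    "Session attributeValue=Quarantined_Systems, Providers=[None], "
    "EndpointCheckResult=none, IdentitySourceFirstPort=0, "
    "IdentitySourcePortStart=0, IdentitySourcePortEnd=0, "
    "IsMachineAuthentication=false}"
)

def _split_top_level(body):
    """Split on ', ' at bracket depth 0 only.

    Assumed format (matches the slide): attributes are separated by a comma
    plus space, list values sit in [...], and the commas inside a DN value
    (CN=...,DC=...) are not followed by a space.
    """
    parts, cur, depth, i = [], [], 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0 and body[i + 1:i + 2] == " ":
            parts.append("".join(cur))
            cur, i = [], i + 2
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_session(text):
    """Parse 'Session={k=v, k=[a,b], ...}' into a dict.

    Only the first '=' separates key from value, so a DN keeps its own '='s;
    [...] values become lists and an empty value becomes None.
    """
    m = re.fullmatch(r"\s*Session=\{(.*)\}\s*", text, re.S)
    if not m:
        raise ValueError("not a Session record")
    session = {}
    for part in _split_top_level(m.group(1)):
        key, _, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            inner = value[1:-1].strip()
            value = [v.strip() for v in inner.split(",")] if inner else []
        elif value == "":
            value = None
        session[key] = value
    return session

def index_by_ip(sessions):
    """IP -> session lookup; a session may carry more than one address."""
    return {ip: s for s in sessions for ip in (s.get("ip") or [])}

def enrich_event(event, ip_index):
    """Attach who/what/where context to an alert keyed by source IP.

    Also reports whether an ANC quarantine is already in force, so the
    responder does not re-apply a mitigation ISE has already taken.
    """
    s = ip_index.get(event["src_ip"])
    if s is None:
        return dict(event, context="none", action="investigate-unmanaged-host")
    anc = s.get("ANCstatus") or ""
    quarantined = anc.startswith("ANC_Quarantine")
    macs = s.get("MacAddresses") or []
    return dict(
        event,
        context="ise-session",
        user=s.get("UserName"),
        domain=s.get("ADUserDNSDomain"),
        mac=macs[0] if macs else None,
        endpoint_profile=s.get("EndpointProfile"),
        security_group=s.get("SecurityGroup"),
        location=f"{s.get('NAS IP')} {s.get('NAS Port')}",
        machine_auth=s.get("IsMachineAuthentication") == "true",
        already_quarantined=quarantined,
        action="already-quarantined" if quarantined else "quarantine-via-anc",
    )

# Constructed alert (not from the slides): an IDS hit reported by source IP.
SAMPLE_EVENT = {"src_ip": "192.168.1.15", "signature": "PotentialBreachEvent"}

if __name__ == "__main__":
    print(enrich_event(SAMPLE_EVENT, index_by_ip([parse_session(SAMPLE_SESSION)])))
```

The bracket-depth split is what keeps the RADIUSAVPairs list and the DN value intact; a naive split on "," would break both. In practice the session arrives as structured objects from the SDK rather than as this logged string, but the join by IP and the check of ANCstatus before deciding on a mitigation are the same.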


pxGrid Client Groups

Basic – provides ISE pxGrid node connectivity only. The pxGrid admin must manually move the registered pxGrid client into the other client groups, most likely the Session group, which provides access to the pxGrid session objects

Administrator – reserved for the ISE nodes that publish (Admin & MnT)

Session – provides access to pxGrid session objects

ANC – subscribes to the ANC AdaptiveNetworkControlService

EPS – subscribes to the EPS EndpointProtectionService

Publisher, Action, Subscribe – groups for dynamic topics

Lab on Dynamic Topics

Dynamic Topics – Benefits

• Allow a pxGrid client to interact with other clients and enforce a more accurate organizational security policy by including contextual information from other security vendors

• Can help reduce false positives and false negatives in a security vendor's solution

pxGrid with Dynamic Topics

[Slide sequence: ISE acts as pxGrid Controller. A partner with location context ("I have location! I need app & identity…") and a partner with application context ("I have application info! I need location & device-type") each Publish their own topic through the controller; the other clients Discover Topic; once the subscription is authorized the data is exchanged client-to-client, either as a Continuous Flow (subscription notifications) or as a Directed Query (request/response). The same exchange is then shown with all participants: CISCO ISE ("I have identity & device! I need geo-location & MDM…"), the security-event source ("I have sec events! I need identity & device…") and the MDM ("I have MDM info! I need location…").]

Workbench Lab Example Scenario:

Detection Networks is a fictitious company that uses honeypots to lure intruders into a false sense of security about the company's crown jewels.

- Publishes “BAD_HOSTS_Table”

- Contains: IPAddress, MACAddress, FQDN, Username, and EndpointDevice information of the infected host

- VA Scanners subscribe to the “BAD_HOSTS_Table” and include the BAD_HOSTS_Table attributes in their security policy to scan those hosts for vulnerabilities

Dynamic Topic Workflow

[Slide diagram, Publisher / pxGrid Controller / Subscriber:]

- Publisher proposes the “BAD_HOSTS_Table” Topic
- Admin approves the topic
- Publisher is added to the topic; Publisher, Session and Action groups are assigned
- Publisher defines Query and Action Topics
- Publisher publishes events to the topic
- Subscriber defines what topics to subscribe to
- Subscriber subscribes to the topic
- Communication flows directly between Publisher and Subscriber
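The workflow above and the client-group slide earlier describe an authorization model: the controller gates who may publish, whose proposal becomes a topic, and who may subscribe, and only then do messages flow between clients. The following is an added example, written for this page and not Cisco's code nor the pxGrid SDK, that replays the lab workflow against an in-memory model of that controller state so the refusals are visible: a subscribe before the topic exists, a subscribe by a client still in the Basic group, and a directed query for an operation the publisher never declared. The class, method, group name "Subscribe" and error strings are this example's own assumptions; the message dict mirrors the GenericMessage fields shown later in the lab output.

```python
"""Added example (editor's, not Cisco's): the dynamic-topic workflow as a
controller state machine.

Models what the controller and client-group slides describe: a client
registers into the Basic group only, an admin moves it into other groups,
a publisher's proposed capability stays pending until an admin approves it,
and only approved topics can be subscribed to or queried, and only by a
client the admin has placed in the subscribing group. Class, method, group
and error names here are this example's own, not pxGrid SDK names.
"""
PENDING, CREATED = "PENDING", "CREATED"

class AuthorizationError(Exception):
    """Raised where the real controller would refuse the operation."""

class Controller:
    """In-memory stand-in for the ISE pxGrid controller's authorization state."""

    def __init__(self):
        self.groups = {}        # client name -> set of group names
        self.capabilities = {}  # topic name -> {"state", "version", "publisher", "queries"}

    def register(self, client):
        """New clients land in Basic only; the admin must add anything else."""
        self.groups[client] = {"Basic"}

    def admin_add_group(self, client, group):
        if client not in self.groups:
            raise AuthorizationError(f"{client} is not a registered client")
        self.groups[client].add(group)

    def propose_capability(self, client, name, version, queries):
        """A proposal is recorded but unusable until an admin approves it."""
        if client not in self.groups:
            raise AuthorizationError(f"{client} is not a registered client")
        self.capabilities[name] = {"state": PENDING, "version": version,
                                   "publisher": client, "queries": set(queries)}
        return f"change=PROPOSED; capability={name}, version={version}"

    def admin_approve(self, name):
        """Approval creates the topic and puts the proposer in the Publisher group."""
        cap = self.capabilities[name]
        cap["state"] = CREATED
        self.groups[cap["publisher"]].add("Publisher")
        return f"change={CREATED}; capability={name}, version={cap['version']}"

    def _authorize_subscriber(self, client, name):
        cap = self.capabilities.get(name)
        if cap is None or cap["state"] != CREATED:
            raise AuthorizationError(f"capability {name} is not approved")
        if "Subscribe" not in self.groups.get(client, set()):
            raise AuthorizationError(f"{client} is not in the Subscribe group")
        return cap

    def subscribe(self, client, name):
        """Controller authorizes; notifications then flow publisher to subscriber."""
        cap = self._authorize_subscriber(client, name)
        return {"subscriber": client, "topic": name, "publisher": cap["publisher"]}

    def route_query(self, client, name, operation, payload):
        """A directed query is forwarded only for a query the publisher declared."""
        cap = self._authorize_subscriber(client, name)
        if operation not in cap["queries"]:
            raise AuthorizationError(f"{name} has no query {operation}")
        return {"messageType": "REQUEST", "capabilityName": name,
                "operationName": operation, "to": cap["publisher"], "value": payload}

def run_lab_workflow():
    """Replays the lab workflow; returns each step's result and every refusal."""
    c = Controller()
    c.register("DetectionNetworks")
    c.register("VA_Scanners")
    denied = []
    try:  # nothing to subscribe to yet: the topic has not been proposed
        c.subscribe("VA_Scanners", "BAD_HOSTS_Table")
    except AuthorizationError as e:
        denied.append(str(e))
    proposed = c.propose_capability(
        "DetectionNetworks", "BAD_HOSTS_Table", "1.0",
        ["ipAddress", "macAddress", "FQDN", "Username", "EndpointDevice"])
    c.admin_approve("BAD_HOSTS_Table")
    try:  # approved, but VA_Scanners is still Basic-only
        c.subscribe("VA_Scanners", "BAD_HOSTS_Table")
    except AuthorizationError as e:
        denied.append(str(e))
    c.admin_add_group("VA_Scanners", "Subscribe")
    sub = c.subscribe("VA_Scanners", "BAD_HOSTS_Table")
    query = c.route_query("VA_Scanners", "BAD_HOSTS_Table", "EndpointDevice", "req-002")
    try:  # a query the publisher never declared is refused
        c.route_query("VA_Scanners", "BAD_HOSTS_Table", "Password", "req-003")
    except AuthorizationError as e:
        denied.append(str(e))
    return {"proposed": proposed, "subscription": sub, "query": query, "denied": denied}

if __name__ == "__main__":
    for step, result in run_lab_workflow().items():
        print(step, result)
```

The point of the model is the order of checks: topic approval is checked before group membership, and the declared query set is checked before anything is routed, so a client with a valid certificate but no admin-granted group cannot pull data from a partner topic.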

Propose a New Topic (New Publisher)

./propose_capability.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseCA.jks -q Cisco123 -g Session -d pxgrid

------- properties -------
version=1.0.4.17
hostnames=192.168.1.230
username=DetectionNetworks
password=
group=Basic
description=pxgrid
keystoreFilename=mac22.jks
keystorePassword=Cisco123
truststoreFilename=rootiseCA.jks
truststorePassword=Cisco123
--------------------------
11:55:40.837 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
11:55:40.856 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connecting to host 192.168.1.230
11:55:41.193 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connected OK to host 192.168.1.230
11:55:41.194 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login to host 192.168.1.230
11:55:41.461 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login OK to host 192.168.1.230
Connected

Note that the keystore (-p) and truststore (-q) passwords are passed on the command line and echoed back in the properties dump. That is acceptable in a lab; on a shared host they would be visible in the process list and shell history.

Adding BAD_HOST Topic and Query Items

New capability? (y/n): y
Enter capability name: BAD_HOSTS_Table
Enter capability version: 1.0
Enter capability description: Infected Hosts Table
Enter vendor platform: DetectionNetworks
Enter query name (<enter> to continue): ipAddress
Enter query name (<enter> to continue): macAddress
Enter query name (<enter> to continue): FQDN
Enter query name (<enter> to continue): Username
Enter query name (<enter> to continue): EndpointDevice
Enter query name (<enter> to continue):
Enter action name (<enter> to continue):
Proposing new capability...
Press <enter> to disconnect...
change=CREATED; capability=BAD_HOSTS_Table, version=1.0
Authorization changed
Connection closed

The New Topic is Proposed (slide screenshot)

Admin Approves Topic (slide screenshot)

Topic is Created (slide screenshot)

Client Groups Added (slide screenshot)

Generic_publisher.properties

GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="publisher"
GENERIC_QUERY_NAME_SET=""
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET="pub-notif-001,pub-notif-002,pub-notif-003"
GENERIC_REQUEST_DATA_SET=""
GENERIC_RESPONSE_DATA_SET="resp-001,resp-002,resp-003,resp-004"
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"

Publishing Topic

./generic_client.sh -a 192.168.1.230 -u DetectionNetworks -k mac22.jks -p Cisco123 -t rootiseCA.jks -q Cisco123 -c generic_publisher.properties

Initialized : GenericClient:
topicName=BAD_HOSTS_Table
clientMode=PUBLISHER
sleepInterval=500
iterations=20
queryNameSet=[]
actionNameSet=[]
publishDataSet=[pub-notif-001, pub-notif-002, pub-notif-003]
requestDataSet=[]
responseDataSet=[resp-001, resp-002, resp-003, resp-004]
---

Publishing BAD_HOSTS_Table and Query Items

Connected
12:11:19.020 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Connected
Publishing notification: GenericMessage:
messageType=NOTIFICATION
capabilityName=BAD_HOSTS_Table
operationName=sampleNotification
body:
content:
contentTags=[NOTIF-TAG-201]
contentType=PLAIN_TEXT
value=NOTIFICATION[1485105079225]pub-notif-001
Publishing notification: GenericMessage:

Publisher Successfully Registers as pxGrid Client


Generic_subscriber.properties

GENERIC_TOPIC_NAME="BAD_HOSTS_Table"
GENERIC_CLIENT_MODE="subscriber"
GENERIC_QUERY_NAME_SET="ipAddress,macaddress,FQDN,Username,EndpointDevice"
GENERIC_ACTION_NAME_SET=""
GENERIC_PUBLISH_DATA_SET=""
GENERIC_REQUEST_DATA_SET="req-001,req-002,req-003"
GENERIC_RESPONSE_DATA_SET=""
GENERIC_SLEEP_INTERVAL="500"
GENERIC_ITERATIONS="20"

Subscribing to Capability

./generic_client.sh -a 192.168.1.230 -u VA_Scanners -k mac22.jks -p Cisco123 -t rootiseCA.jks -c generic_subscriber.properties

Initialized : GenericClient:
topicName=BAD_HOSTS_Table
clientMode=SUBSCRIBER
sleepInterval=500
iterations=20
queryNameSet=[ipAddress, macaddress, FQDN, Username, EndpointDevice]
actionNameSet=[]
publishDataSet=[]
requestDataSet=[req-001, req-002, req-003]
responseDataSet=[]

Subscribing to BAD_HOSTS_Table and Query Items

Sending request: GenericMessage:
messageType=REQUEST
capabilityName=BAD_HOSTS_Table
operationName=EndpointDevice
body:
content:
contentTags=[QUERY-TAG-301]
contentType=PLAIN_TEXT
value=QUERY[1485105417176]req-002

Received response: GenericMessage:
messageType=RESPONSE
capabilityName=BAD_HOSTS_Table
operationName=EndpointDevice
body:
content:
contentTags=[RESP-TAG-101]
contentType=PLAIN_TEXT
value=RESPONSE[1485105417203]resp-004 - for request[QUERY[1485105417176]req-002]

Subscriber Consumes Topic


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Q & A

Thank You