
pxGrid Fundamentals

John Eppich
Technical Marketing Engineer
Agenda
Introduction
Operation
Proof of Concept (PoC)
Cisco Security Solution & Ecosystem
Partners
Threat Centric NAC-Qualys/AMP

2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Introduction

Overview: Cisco Identity Services Engine (ISE)
Delivering the Visibility, Context and Control for Secure Network Access

[Diagram: network/user context and partner context feed the ISE context data (who, what, when, where, how), which drives a consistent secure access policy across wired, wireless and VPN.]
Cisco ISE Integration
Contextual Awareness Key to Security/Network Event Response and Policy

[Diagram: a network alert (SRC/65.32.7.45, DST/165.1.4.9 : HTTP) surrounded by the questions an analyst needs answered: Who is this? Is it still on the network? Where? Did this come over VPN? Is this event important? What's their access level? What's their posture? Is this a server? Smartphone? What else is on the network? I need more info.]
ISE Ecosystem Built Using Cisco pxGrid
The 1-2-3 Formula: ISE Integrates with IT Platforms to do 3 Things

1. ISE makes customer IT platforms user/identity, device and network aware: ISE shares user/device and network context with IT infrastructure (context flows from ISE to the eco-partner).
2. Make ISE a better network policy platform for customers: ISE receives context from eco-partners to make better network access policy (context flows from the eco-partner to ISE).
3. Help customer IT environments reach into the Cisco network: the eco-partner takes action through ISE to mitigate on the Cisco network.

Benefits
1. Puts who, what device and what access with events. Way better than just IP addresses!
2. Creates a single place for comprehensive network access policy thru integration.
3. Decreases time, effort and cost to responding to security and network events.
pxGrid: How it Works, Why It Matters
Authenticate, Authorize, Publish, Discover, Subscribe, Query
ISE as pxGrid Controller

[Diagram: Cisco ISE and partner platforms connected through pxGrid. Each platform publishes what it has and queries what it needs: "I have location!", "I have application info!", "I have sec events!", "I have identity & device!", "I have MDM info!"; "I need app & identity", "I need location & device-type", "I need identity & device", "I need geo-location & MDM", "I need location". Interaction types: Publish (continuous publish flow), Discover Topic, Directed Query, Continuous Context Sharing.]
pxGrid Industry Adoption: Critical Mass
40+ Partner Product Integrations and 12 Technology Areas in 18 Months Since Production Release

Technology areas (Security thru Integration): IAM & SSO, SIEM, UEBA, Threat Defense, Vulnerability Assessment, Net/App Performance, Packet Capture & Forensics, IoT Security, Firewall & Access Control, Cloud Access Security, DDI, Rapid Threat Containment (RTC).

pxGrid-Enabled Partners:
Cisco: WSA, FirePower, ISE, StealthWatch
RTC: Cisco FirePower, Cisco StealthWatch, Attivo, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Intelliment, Invincea, Lemonfish, LogRhythm, NetIQ, Rapid7, RedShift, SAINT, Splunk, Tenable, ThreatTrack, TrapX
Firewall: Check Point, Infoblox, Intelliment, Bayshore
DDI: Infoblox
CASB: Elastica, Netskope, SkyHigh
Net/App: Lumeta, Savvius
SIEM/TD: LogRhythm, NetIQ, Splunk
UEBA: E8, FortScale, Niara, Rapid7
IAM: NetIQ, Ping, SecureAuth, Situational
Vulnerability: Rapid7, SAINT, Tenable
IoT Security: Bayshore Networks
P-Cap/Forensics: Emulex
Summary: pxGrid Partner Use-Cases

| Use-Case | Description | Partner |
| IAM/SSO: Device/Access-Aware Application Access | ISE device, posture context to IAM to control application access. | Ping, SecureAuth, NetIQ |
| IAM/SSO: Escalated Auth & SSO via Network Auth | ISE user, group, access, device context to drive escalate auth policy. ISE auth state to SSO for network-to-application zero sign-on user experience. | Ping, SecureAuth, NetIQ |
| Vulnerability Assessment: Prioritize Endpoint Vulnerabilities | ISE identity and user role to vulnerability assessment platform to prioritize endpoint vulnerability remediation and drive Rapid Threat Containment quarantine actions via pxGrid Adaptive Network Control. | Tenable, Rapid 7, SAINT |
| P-Cap/Forensics: Simplify Packet Capture Forensics | ISE IP:user:device binding & related context to packet capture system to attribute user, device, role, etc. to packet capture. | Emulex |
| IoT Security: Network Access Policy for IoT Devices | Associate TrustSec policy with IoT devices. ISE user/device context with DLP. Rapid Threat Containment for quarantining non-compliant devices via pxGrid Adaptive Network Control. | Bayshore Networks |
| SIEM/TD: User/Device-Aware SIEM/ThreatDefense Integration | Same use-cases as existing SIEM/TD ecosystem, but utilizing pxGrid for context and Rapid Threat Containment. | NetIQ, Lancope, Splunk, LogRhythm |
Summary: pxGrid Partner Use-Cases

| Use-Case | Description | Example Partners |
| Cloud Access Monitoring: User/Device-Aware Cloud-Hosted Resource Monitoring | ISE user, group, access, device context to enhance monitoring & reporting of access to cloud services by end-users. | SkyHigh, Elastica |
| Network/App Performance Monitoring: User/device-aware network topology & performance management | ISE IP:user:device binding & related context to network data system to attribute user, device, role, etc. to visualization and performance management data. | Savvius |
| Threat Defense: User-behavior anomaly (UBA) detection | Assess typical behavior of individual and groups of users and then look for anomalous behavior. Utilizes ISE user/device context in analytics and event reporting. | FortScale, Rapid 7, E8 |
| WSA+ISE: User-aware web security policies | Web access decisions based on ISE user/device context. Enables customers to differentiate web content access policies based on real-time user and device situational awareness. | Cisco WSA |
| FirePOWER+ISE: Rapid Threat Containment actions | Utilizing FirePower mitigation module and pxGrid ANC to take Rapid Threat Containment actions on threat events via pxGrid Adaptive Network Control. | Cisco FirePOWER |
| DNS, DHCP & IP Address Management: User, Group and Device Based DDI Monitoring & Reporting | Associate users and user network privileges with DHCP leases, IP address assignments and domain name access by using ISE user/network context. | Infoblox |
Summary: pxGrid Partner Use-Cases

| Use-Case | Description | Example Partners |
| Firewall & Access Control: User/Network-Aware Firewall and Access Control Policies | ISE user, group and network privilege (role and TrustSec) context to enhance access control policies, monitoring & reporting in firewalls and other access control platforms. | Check Point, Infoblox, Bayshore |
| DNS Firewall: Mitigate Users/Devices Communicating with Suspected Botnet Servers | Visibility into what users and devices are communicating with known bad domains (e.g. C&C server). User visibility increases confidence in taking mitigation actions. Quarantine users via Rapid Threat Containment using pxGrid Adaptive Network Control. | Infoblox |
| Rapid Threat Containment | Enables a variety of security platforms (Cisco FirePower, SIEM, User-Behavior, NBAD, Vulnerability Management) to take investigation or mitigation actions on users/devices on the network using pxGrid Adaptive Network Control. | Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk and Tenable |
pxGrid Adaptive Network Control Enables Rapid Threat Containment
Network-as-an-Enforcer - Makes Cisco Infrastructure a Unified Event Response Network

Quarantine devices or spawn investigations of events from:
o Cisco FireSIGHT 5.4 and 3rd party products, such as SIEM and vulnerability management systems
Enlist other Cisco infrastructure in the network response such as dynamic ACLs on switches and ASA or increase IPS inspection levels
Who supports today: Cisco FireSIGHT 5.4, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk and Tenable

[Diagram: a network mitigation action from a 3rd party console reaches ISE through the pxGrid ANC API; ISE acts as the unified policy point and applies user/device quarantine, dynamic ACLs or increased inspection.]
Rapid Threat Containment Use Cases
Rapid Threat Containment with Ecosystem Partners and ISE

[Flow: a corporate user downloads a file; the partner platform (malware behavioral analysis, vulnerability scans, SIEM/TD) scans user activity and the file; it detects the suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious; based on the new tag, ISE enforces policy on the network; access is based on the organization's security policy.]

Benefits
- Detect threats early: ANC mitigation actions sent to ISE for real-time response
- Automate alerts: leveraging ISE ANC to alert the network of suspicious activity according to policy
- Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

ANC Mitigation Actions
- ISE EPS RESTful API
- pxGrid (EndpointProtectionService/AdaptiveNetworkControl)
- STIX, Threat Centric NAC (AMP/Qualys)
Rapid Threat Containment through pxGrid
Obtain Session Information, SGT (Security Group Tags) from ISE
Perform ANC Mitigation Actions

Cisco FirePOWER Management Center
ISE EPS quarantine rule results in ISE FMC Portal redirection

Rapid Threat Containment Ecosystem
Enabling 3rd Parties to Use pxGrid Adaptive Network Control for Network Mitigation Actions

What's new for ISE 2.0?
The pxGrid framework enables Cisco to integrate with ecosystem partners to provide customers with a solution that suits their existing infrastructure.

Rapid Threat Containment Ecosystem
Utilizing integration via pxGrid Adaptive Network Control, ISE enables security ecosystem partners from a range of technology areas to take network mitigation and investigation actions in response to security events.
A host of new partners to join our flourishing Rapid Threat Containment ecosystem.

Benefits
Simplified management: create a single place for policy management by integrating ISE with vendor solutions
Minimize costs: reduce the resources required to respond to security and network events by facilitating access to the Cisco network
Operation

pxGrid Components
Cisco Platform Exchange Grid (pxGrid)

[Diagram: the ISE Admin/MnT node acts as the pxGrid Controller and publishes topics; pxGrid clients (ISE clients and partner clients) connect to the controller as publishers or subscribers. Topics: GridControllerAdminService, Core, SessionDirectory, TrustSecMetaData, EndpointProfileMetadata, EndpointProtectionService, AdaptiveNetworkControl, IdentityGroup.]
ISE pxGrid Controller
- PAN and MnT node publish topics of information
- Authenticates and authorizes pxGrid clients

Published Nodes

Capabilities or Topics of Information in ISE 2.0/ISE 2.1

GridControllerAdminService - provides pxGrid services to the subscriber
AdaptiveNetworkControl - provides enhanced pxGrid ANC mitigation capabilities to the subscriber
Core - provides the pxGrid client with the capability to query all the registered capabilities on the ISE pxGrid node
EndpointProfileMetadata - provides pxGrid clients with the device information available from ISE
EndpointProtectionService - provides the EPS/ANC pxGrid mitigation actions compatible with ISE 1.3/1.4
TrustSecMetaData - provides pxGrid clients with the exposed security group tag (SGT) information
IdentityGroup - provides pxGrid clients with Identity Group information that may not be available via 802.1X authentications
SessionDirectory - provides pxGrid clients with ISE published session information, or available session objects

pxGrid clients
- Authenticate to the ISE pxGrid node using self-signed or CA-signed certificates
- Subscribe to topics or send directed queries
- Communicate with the ISE pxGrid node over TCP/5222

pxGrid clients

pxGrid client subscribes to capabilities or topics

Subscribes

pxGrid Client Groups
Basic - provides ISE pxGrid node connectivity. The pxGrid admin must manually move the registered pxGrid client into the other client groups, most likely the Session group, which provides access to the pxGrid session objects
Administrator - reserved for ISE published node clients
Session - provides access to pxGrid session objects
ANC - subscribes to the ANC AdaptiveNetworkControlService
EPS - subscribes to the EPS EndpointProtectionService

Cisco Architecture: pxGrid Control Flow and Data Flow
Participants: Publisher (GCL client), pxGrid Controller (XCP Server), Subscriber (GCL client)

Control flow
- Publisher authenticates; controller authenticates and allows pxGrid control communication; publisher auth status & account
- Subscriber authenticates; controller authenticates and allows pxGrid control communication; subscriber auth status & account
- Authorize publisher to topic sequence; add publisher to topic
- Authorize subscriber to topic sequence; add subscriber to topic

Data flow
- Publish message to topic; publish success
- Published message to subscriber; subscribe success
- Publisher capability & JID query; publisher JID
- XMPP: bulk download query; bulk data stream over REST API
Component & Operations Overview
Port Connectivity

[Diagram: the Primary PAN (pxGrid Controller with XCP Server) and a 3rd party subscriber or pxGrid client, connected over TLS/5222 and HTTP/443.]

pxGrid Controller listens on ports:
7400: connection from internal processes
5222: accepts connections from pxGrid clients
1521: accepts connections to the DB from XCP
694: heartbeat traffic between pxGrid nodes
Proof of Concept (PoC)

PoC
Which ecosystem partner or Cisco security solution is the customer integrating with pxGrid?
Decide on self-signed or CA-signed certificates
Is the customer using ISE 1.3, 1.4, 2.0 or 2.1?
ISE stand-alone environment

PoC
Configuring ISE 1.3/1.4 Self Signed Certificate Operation

Export the ISE identity certificate and import it into the ISE certificate store: ISE needs to trust the certificate (not required for ISE 2.0+)
PoC
Configuring ISE 1.3/1.4 Self Signed Certificate Operation

Import the ISE identity certificate into the ISE trusted system store
Enable pxGrid
PoC
Configuring ISE 1.3/1.4 Self Signed Certificate Operation

Verify that the pxGrid published nodes appear
Verify pxGrid connectivity
PoC
Configuring ISE 1.3/1.4 Self Signed Certificate Operation

Troubleshooting
- It may take a little while before the pxGrid published nodes appear
- Use show application status ise to verify that the pxGrid services are initializing
- If the pxGrid services are stuck initializing, use application stop ise to stop ISE, then application start ise to start ISE
PoC
Configuring ISE 2.0+ CA-Signed Certificate Operation

Use Admin as the certificate purpose
Allow bulk session downloads
Use the customized pxGrid template
PoC
Configuring ISE 2.0+ CA-Signed Certificate Operation

Download the CA root certificate
Upload the CA root certificate into the trusted system certificate store
PoC
Configuring ISE 2.0+ CA-Signed Certificate Operation

Bind the ISE identity certificate to the CSR request
Upload the certificate
PoC
Configuring ISE 2.0+ CA Signed Certificate Operation

Enable pxGrid
PoC
Configuring ISE 2.0+ CA Signed Certificate Operation

Verify that the published nodes appear
Enable Auto Registration
Verify that there is pxGrid connectivity
PoC
Configuring ISE 2.0+ CA Signed Certificate Operation

Troubleshooting
- Services may take a little while to appear
- Certificates need to be base64 encoded
- The signing template must contain an EKU of both client authentication and server authentication
- Use Admin as the certificate purpose
- Use show application status ise to verify that the pxGrid services are up
- If the pxGrid services are stuck initializing, use application stop ise to stop ISE, then application start ise to start ISE
Cisco Security Solution & Ecosystem Partners

Cisco Security Solutions & Ecosystem Partners
- Use certificates for authentication and registration with the ISE pxGrid node
- UI configuration for generating certificates
- Java keystores
Cisco Security Solution & Ecosystem Partners
Self-Signed Certificate Procedure

Create a private key
Generate a CSR request from the private key
Generate the self-signed certificate
Import the certificate into the ISE trusted certificate store
Import the ISE identity certificates into the ecosystem partner's trust store
Test the connection between the ecosystem partner and the ISE pxGrid node
Cisco Security Solution & Ecosystem Partners
Generating Self-Signed Certificates

Generate Private Key
openssl genrsa -out self.key 4096

Generate CSR Request
openssl req -new -key self.key -out self.csr

Generate Self Signed Certificate
openssl req -x509 -days 365 -key self.key -in self.csr -out self.cer
Cisco Security Solution & Ecosystem Partners
CA-Signed Certificates Procedure

Create a private key
Generate a CSR request from the private key
Get the CSR request signed by the CA server using the customized pxGrid template
Import the CA root certificate into the ecosystem partner's trusted store
Cisco Security Solution & Ecosystem Partners
Generating CA-Signed Certificates

Generate Private Key
openssl genrsa -out caxgrid1.key 4096

Generate CSR Request
openssl req -new -key caxgrid1.key -out caxgrid1.csr

Have the CSR request signed by the CA server using the customized pxGrid template
Cisco Security Solution & Ecosystem Partners
Java Keystores - Self Signed Certificates

Generate Private Key
openssl genrsa -out self1.key 4096

Generate CSR Request
openssl req -new -key self1.key -out self1.csr

Generate Self Signed Certificate
openssl req -x509 -days 365 -key self1.key -in self1.csr -out self1.cer

Create PKCS12 file
openssl pkcs12 -export -out self1.p12 -inkey self1.key -in self1.cer

Import PKCS12 file into the keystore
keytool -importkeystore -srckeystore self1.p12 -destkeystore self1.jks -srcstoretype PKCS12

Convert the exported ISE identity certificate PEM file to DER format
openssl x509 -outform der -in isemnt.pem -out isemnt.der
Cisco Security Solution & Ecosystem Partners
Java Keystores - Self Signed Certificates (continued)

Import the converted ISE MnT certificate in DER format into the trusted file keystore
keytool -import -alias mnt1 -keystore self1.jks -file isemnt.der

Import the pxGrid client certificate into the trusted file keystore
keytool -import -alias pxGridclient -keystore self1.jks -file self1.cer

Import the converted ISE MnT certificate in DER format into the trusted root keystore
keytool -import -alias root1 -keystore root1.jks -file isemnt.der

Copy both the self1.jks and root1.jks JKS files into the application's folder
Cisco Security Solution & Ecosystem Partners
Java Keystores - CA Signed Certificates

Generate Private Key
openssl genrsa -out caclient.key 4096

Generate CSR Request
openssl req -new -key caclient.key -out caclient.csr

Have the CSR request signed by the CA server using the customized pxGrid template (the signed certificate is caclient.cer below)

Create PKCS12 file
openssl pkcs12 -export -out caclient.p12 -inkey caclient.key -in caclient.cer -chain -CAfile ca_root.cer

Import PKCS12 file into the keystore
keytool -importkeystore -srckeystore caclient.p12 -destkeystore caclient.jks -srcstoretype PKCS12

Convert the exported ISE identity certificate PEM file to DER format
openssl x509 -outform der -in isemnt.pem -out isemnt.der
Cisco Security Solution & Ecosystem Partners
Java Keystores - CA Signed Certificates (continued)

Import the converted ISE MnT certificate in DER format into the trusted root keystore
keytool -import -alias mnt1 -keystore root1.jks -file isemnt.der

Import the pxGrid client certificate into the trusted file keystore
keytool -import -alias pxGridclient -keystore caclient.jks -file caclient.cer

Import the CA root certificate into the trusted root keystore
keytool -import -alias root1 -keystore root1.jks -file ca_root.cer

Copy both the caclient.jks and root1.jks JKS files into the application's folder
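The Self-Signed Certificate Procedure and the CA-Signed Certificates / Java Keystores slides above walk through the same openssl and keytool sequence; the script below is an added example (not from the deck) that runs that sequence end to end and then checks what the troubleshooting slides require: a base64 PEM certificate whose EKU carries both client and server authentication. It assumes openssl on the PATH, substitutes a throwaway OpenSSL CA for the Windows CA and its customized pxGrid template, runs the keytool steps only when a JDK is present, and uses constructed file names and a constructed password throughout.

```shell
#!/bin/sh
# Added example (not from the slides): build a pxGrid client identity with the
# openssl/keytool sequence the slides give, then check the two troubleshooting
# conditions: base64/PEM encoding, and an EKU of client AND server authentication.
set -eu
PASS=changeit        # constructed PKCS12/keystore password for this example
REQCNF=$(mktemp)     # minimal req config so the run does not depend on a system openssl.cnf
cat > "$REQCNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway CA standing in for the customer's CA server (constructed).
make_demo_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
      -config "$REQCNF" -keyout "$1/ca_root.key" -out "$1/ca_root.cer" 2>/dev/null
}

# make_pxgrid_identity DIR CN [CA_DIR]: self-signed without CA_DIR (self-signed
# procedure), signed by the demo CA with it (CA-signed procedure).
make_pxgrid_identity() {
  dir=$1; cn=$2; ca=${3:-}
  mkdir -p "$dir"
  # Private key and CSR as on the slides (2048 bits here for speed; slides use 4096).
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=$cn" -config "$REQCNF" \
      -out "$dir/client.csr" 2>/dev/null
  # Extension file in the role of the customized pxGrid template: both EKUs.
  printf 'extendedKeyUsage = clientAuth, serverAuth\n' > "$dir/pxgrid.ext"
  if [ -z "$ca" ]; then
    openssl x509 -req -days 365 -in "$dir/client.csr" -signkey "$dir/client.key" \
        -extfile "$dir/pxgrid.ext" -out "$dir/client.cer" 2>/dev/null
    extra=""
  else
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$ca/ca_root.cer" \
        -CAkey "$ca/ca_root.key" -CAcreateserial -extfile "$dir/pxgrid.ext" \
        -out "$dir/client.cer" 2>/dev/null
    extra="-certfile $ca/ca_root.cer"  # slides use -chain -CAfile; same bundle for one root
  fi
  # PKCS12 for the keystore import, then a DER copy (slides convert the ISE MnT cert this way).
  openssl pkcs12 -export -out "$dir/client.p12" -inkey "$dir/client.key" \
      -in "$dir/client.cer" $extra -passout "pass:$PASS"
  openssl x509 -outform der -in "$dir/client.cer" -out "$dir/client.der"
  # Java keystores as on the slides (the ISE MnT certificate would go into
  # root1.jks the same way); skipped when no JDK is on the PATH.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$dir/client.p12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$dir/client.jks" -deststorepass "$PASS" -noprompt
    keytool -import -alias pxGridclient -file "$dir/client.cer" \
        -keystore "$dir/client.jks" -storepass "$PASS" -noprompt
    [ -z "$ca" ] || keytool -import -alias root1 -file "$ca/ca_root.cer" \
        -keystore "$dir/root1.jks" -storepass "$PASS" -noprompt
  fi
}
# Prints "ok" when CERT carries both client and server authentication EKUs, else "missing".
check_eku() {
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1)
  case "$eku" in
    *"Client Authentication"*"Server Authentication"*) echo ok ;;
    *"Server Authentication"*"Client Authentication"*) echo ok ;;
    *) echo missing ;;
  esac
}
# Prints "pem" for a base64 PEM file (what ISE's trusted store expects), else "der".
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}
# Prints "ok" when CERT chains to CA_CERT (the root the partner must trust), else "fail".
check_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Stand-alone run: both variants under a temp directory, with the checks reported.
W=$(mktemp -d)
make_demo_ca "$W/ca"
make_pxgrid_identity "$W/self" pxgridclient
make_pxgrid_identity "$W/casigned" pxgridclient "$W/ca"
echo "self-signed: eku=$(check_eku "$W/self/client.cer") enc=$(cert_encoding "$W/self/client.cer")"
echo "ca-signed: eku=$(check_eku "$W/casigned/client.cer") chain=$(check_chain "$W/casigned/client.cer" "$W/ca/ca_root.cer")"
```

A certificate that reports "missing" here is the one the troubleshooting slide warns about: the pxGrid connection will not come up until the template issues both EKUs.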

Threat Centric NAC Qualys/AMP

Threat Centric NAC - Qualys
Procedures
-- Requires a Qualys Manager account with API access
-- Download & configure the Qualys VM scanner
-- Configure the IP range to scan
-- Enable CVSS scoring in Qualys reports
-- Enable the TC-NAC ISE deployment node
-- Configure the Qualys connector and provide an instance name
-- Configure an authorization profile for vulnerability scanning
-- Create an exception rule for the CVSS base score condition attribute
-- Add the authorization profile for vulnerability scanning to the Base Authenticated Access rule

Threat Centric NAC-Qualys

Threat Centric NAC-Qualys
Completed Scan Results

Threat Centric NAC-Qualys
Report Results After Finished Scan of Endpoint

Enabling Qualys Scan on ISE
Create Authorization Profile to trigger the scan

ISE Authorization Policy
User Assigned an Employee SGT and triggers Qualys Scan

ISE Authorization Policy
Endpoints with a CVSS score of 1 or higher are assigned the Vulnerable_Systems SGT

ISE RADIUS Live Logs
Vulnerable endpoint is assigned Vulnerable_Systems SGT

ISE Context Visibility for Vulnerable Endpoints

NAC Threat Containment - AMP

Threat Centric NAC- AMP
Procedures

Require a Cloud AMP Account

Create AMP Instance and Configure AMP Connector

Assign Sourcefire Group to AMP Connector

Download AMP connector to PC

Threat Centric NAC- AMP
Use Case: pwdump malware detected

Threat Centric NAC-AMP
Compromised Host Detected

Threat Centric NAC-AMP
Assign ANC Policy or invoke CoA actions

Assign the ANC policy of Quarantine to the compromised host (the screenshot lists the possible actions)
Threat Centric NAC-AMP
Assign ANC Policy or invoke COA actions

Possible ANC Policy Actions

Threat Centric NAC-AMP
Assigned Quarantine SGT to the ThreatCentric_AMP Authorization Policy

Threat Centric NAC-AMP
Manual UnQuarantine

Threat Centric NAC-AMP
UnQuarantine results in full network access for Employee SGT

References
ISE/pxGrid Design and Integration Guides:
https://communities.cisco.com/docs/DOC-64012

Customized pxGrid template

Customized pxGrid template

- Used for Certificate Authority (CA)-signed certificates for the pxGrid client and the ISE pxGrid node certificate
- Must contain an EKU of both client and server authentication
- For an MS Windows 2008 R2 CA template, please use the Windows 2003 template, otherwise it will not appear in the Certificate Template dropdown

Customized pxGrid template

Select->Administrative Tools->Certificate Authority-> + dropdown next to CA server->Right-Click on Certificate Templates->Manage
Customized pxGrid template

Right-Click and Duplicate User template->Select->Windows 2003 Enterprise->OK

Customized pxGrid template

Enter the name of the certificate template, uncheck Publish certificate in Active Directory, and provide the validity period and renewal period.
Customized pxGrid template

Click on Extensions->Add->Server Authentication->Ok->Apply

Customized pxGrid template

Click on Subject name, Enable Supply in request

Customized pxGrid template

Click on Extensions->Issuance Policies->Edit->All Issuance Policies

Customized pxGrid template

Leave the defaults for request handling

Customized pxGrid template

Right-click on Certificate Templates->Select->New Template to Issue->select pxGrid->Ok
Customized pxGrid template
You should see pxGrid template
