Policy Use Cases
Sanjay Agrawal, Hari Sankar
June 2014
Cisco Confidential

Outline
1. Prestaged Policies
   1. Enterprise Access Control
      1. Enterprise access: hierarchical resources access
      2. Enterprise access: hierarchical resources overlap
      3. Enterprise access: hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user groups
      7. Access based on overlapping user groups
      8. Additional scan for high-value endpoints
      9. Service inclusion in clause rule
      10. Priority among static and dynamic rules
      11. Enterprise access accounting
   2. Multi-tier Cloud Access Control
2. On-Demand Policies
   1. Threat mitigation
   2. Application experience: Unified Communication
Slide 3 (diagram; labels recovered from the figure)
Producer side: subgroup / type of site: HR, Wiki. Quality: hosting (Local or Cloud), reputation (High or Low).
Consuming side: subgroup: India-Emp, US-Emp. Conditions: On Prem, Outside.
Contract A: Subject: HTTP; Filter; Action (i.e. low security). Clauses: (none listed yet).
Slide 4
Contract A (Selector: Name="A", Match=named)
  Subject HTTP_low: Action: i.e. Low Security
  Subject HTTP_Hi: Action: i.e. High Security
  Clauses:
  1. India-Emp & On prem, HR hosted Local -> Subject HTTP_low
  2. India-Emp anywhere, Wiki hosted Cloud -> Subject HTTP_Hi
  3. US-Emp to HR & Cloud -> Subject HTTP_low
Diagram labels: Quality Matchers: HR, Wiki, & Local, & Cloud; Condition Matchers: India-Emp, US-Emp; endpoints (EP) under HR, Wiki, India-Emp (On Prem, Outside), US-Emp.
Slide 5
Contract A (Selector: Name="A", Match=named)
  Subject HTTP_low: Action: i.e. Low Security
  Subject HTTP_Hi: Action: i.e. High Security
  Clauses:
  1. India-Emp & On prem, HR hosted Local -> Subject HTTP_low
  2. India-Emp anywhere, Wiki hosted Cloud -> Subject HTTP_Hi
  3. US-Emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
Diagram labels: Quality Matchers: HR, Wiki, & Local, & Cloud, & High Reputation; Condition Matchers: India-Emp, US-Emp.
Slide 6
Contract A (Selector: Name="A", Match=named)
  Subject HTTP_low: Action: i.e. Low Security
  Subject HTTP_Hi: Action: i.e. High Security
  Clauses:
  - Cisco-Emp -> HR -> Subject HTTP_low
  - India-Emp & On prem, HR & hosted Local -> Subject HTTP_low
  - US-Emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  - India-Emp anywhere, Wiki hosted Cloud -> Subject HTTP_Hi
Diagram labels: Quality Matchers: & Local, & Cloud, & High Reputation; Condition Matchers: HR, Wiki, India-Emp, US-Emp. Annotation: Redundant.
Slide 7
Contract A (Selector: Name="A", Match=named)
  Subject HTTP_low: Action: i.e. Low Security
  Subject HTTP_Hi: Action: i.e. High Security
  Clauses:
  - Cisco-Emp -> HR -> Subject HTTP_low
  - India-Emp & On prem, HR hosted Local -> Subject HTTP_low
  - India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low
  - US-Emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  - India-Emp anywhere, Wiki hosted Cloud -> Subject HTTP_Hi
Diagram labels: Quality Matchers: HR, Wiki, & Local, & Cloud, & High Reputation; Condition Matchers: India-Emp, US-Emp. Annotation: Redundant.
Slide 8
Contract A (Selector: Name="A", Match=named)
  Subject HTTP_low: Action: i.e. Low Security
  Subject HTTP_Hi: Action: i.e. High Security
  Clauses:
  0. Cisco-Emp -> HR -> Subject HTTP_low
  - India-Emp & On prem, HR hosted Local -> Subject HTTP_low
  - India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low, add HTTP_Hi
  - US-Emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  - India-Emp anywhere, Wiki hosted Cloud -> Subject HTTP_Hi
Diagram labels: Quality Matchers: HR, Wiki, & Local, & Cloud; Condition Matchers: & High Reputation, India-Emp, US-Emp. Annotation: Redundant.
Slide 9
Users in group G1 get access to resources of project P1.
Users in group G2 get access to resources of project P2.
User U1, who is part of G1, is on loan to P2 and needs access to its resources (with limited access).
Diagram: G1 -> P1; G2 -> P2; U1 -> P2 (limited access).
Slide 10
Contract Project-Access (Selector: Name: Project-Access). Consumes: G1, U1, G2. Provides: P1, P2.
  Subject Full-Access: Filter: Any; Action: Permit
  Subject Limited-Access: Filter: Any; Action: Permit; Profile: Limited
  Clauses:
  1. U1 -> P2: Limited-Access
  2. G1 -> P1: Full-Access
  3. G2 -> P2: Full-Access
Slide 11
Users in group G1 get access to resources of project P1.
User U1, who is part of G1, is excluded from P1 resources.
Diagram: G1 -> P1; U1 excluded.
Slide 12
Contract Project-Access (Selector: Name: Project-Access). Consumes: G1, U1. Provides: P1.
  Subject Full-Access: Filter: Any; Action: Permit
  Clauses:
  1. NOT(U1) -> P1: Full-Access
Slide 13
User Group1 has access to all web categories.
Everyone else has access to only "Acceptable" web categories.
Diagram: All Users (Group1) -> All Web (Acceptable Web).
Slide 14
Contract Web-Access (Selector: Name: Web-Access). Consumes: All-Users, Group1. Provides: All-Web.
  Subject Full-Access: Filter: Any; Action: Permit
  Clauses:
  1. Group1 -> All-Web: Full-Access
  2. All-Users -> Acceptable: Full-Access
Producer EP Labels: Acceptable
Slide 15
Only PE/DE have access to all wiki.
Everyone else has access to only the wiki areas for their own groups.
Diagram: All Users (Engg, Mktg, PE/DE) -> All Wiki (Engg Wiki, Mktg Wiki).
Slide 16
Contract Wiki-Access (Selector: Name: Wiki-Access). Consumes: Users. Provides: Wiki.
  Subject Full-Access: Filter: Wiki-Port; Action: Permit
  Clauses:
  1. PE/DE -> Wiki: Full-Access
  2. Engg-Users -> Engg-Wiki: Full-Access
  3. Mktg-Users -> Mktg-Wiki: Full-Access
Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE. Provider EP Labels: Engg-Wiki, Mktg-Wiki.
Slide 17
Do additional IPS scans for traffic from high-value endpoints.
Diagram: All Users -> All Internet (Permit); High Value Endpoints -> All Internet (Extra IPS scans).
Slide 18: Option 1: Single Contract
Contract Web-Access (Selector: Name: Web-Access). Consumes: Users. Provides: Internet.
  Subject Normal-Access: Filter: Web; Action: Permit
  Subject Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Clauses:
  1. High-Value -> Internet: Access-with-Scan
  2. Users -> Internet: Normal-Access
Consumer EP Labels: High-Value
Slide 19: Option 2: Multiple Contracts
Contract Normal-Web-Access (Priority = 0). Consumes: Users. Provides: Internet.
  Subject Normal-Access: Filter: Web; Action: Permit
  Rules (first-match):
  1. Users -> Internet: Normal-Access
Contract Hi-Scan-Web-Access (Priority = 100). Consumes: Users. Provides: Internet.
  Subject Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Clauses:
  1. High-Value -> Internet: Access-with-Scan
Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access. Consumer EP Labels: High-Value.
Slide 20 (diagram)
Wiki; Cisco Usr; Sales Usr. Sales Usr: HTTP -> Hi-Scan. (HTTP | FTP) -> Low-Scan.
Slide 21 (Wiki; Cisco Usr; Sales Usr)
Clauses:
  R1: Sales -> Wiki: Subject Hi_sec_HTTP
  R2: Cisco -> Wiki: Subject Low_sec_HTTP, Subject Low_sec_FTP
Subjects:
  Hi_Sec_HTTP: Filter: HTTP; Action: Hi-Scan
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan
  Low_Sec_FTP: Filter: FTP; Action: Low-Scan
Problem: if a Sales user accesses FTP, he matches R1, which will deny him access. He should match R2.
Slide 22: Recommended solution (Wiki; Cisco Usr; Sales Usr)
Clauses:
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP): Subject Low-scan
Contract-wide subjects:
  Hi_Scan: Action: Hi-Scan
  Low_Scan: Action: Low-Scan
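A small Python model of the two clause layouts on slides 21 and 22, added here as an illustration and not part of the original deck. It assumes, as the slides suggest, that a clause is selected by consumer group, provider and any filter placed on the clause itself, that subject filters are only consulted after a clause has been selected, and that a Sales user is also a member of the Cisco group; the dataclass names and the `evaluate` function are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    action: str
    protocols: frozenset = frozenset()   # subject filter; empty = contract-wide (any protocol)

@dataclass(frozen=True)
class Clause:
    consumer: str
    provider: str
    subjects: tuple
    protocols: frozenset = frozenset()   # clause filter; empty = any protocol

def evaluate(clauses, user_groups, resource, protocol):
    """First-match over clauses (assumed semantics): a clause is selected when the
    user is in its consumer group, the resource is its provider, and its own filter
    (if any) covers the protocol. Once selected, the first subject whose filter
    covers the protocol supplies the action; if none does, the flow is denied."""
    for c in clauses:
        if c.consumer not in user_groups or c.provider != resource:
            continue
        if c.protocols and protocol not in c.protocols:
            continue                      # clause filter lets the flow fall through
        for s in c.subjects:
            if not s.protocols or protocol in s.protocols:
                return s.action
        return "deny"                     # clause matched, no subject covers the protocol
    return "deny"

# Slide 21 layout: the protocol filter sits on the subjects, not on the clauses.
hi_sec_http = Subject("Hi_sec_HTTP", "Hi-Scan", frozenset({"HTTP"}))
low_sec_http = Subject("Low_sec_HTTP", "Low-Scan", frozenset({"HTTP"}))
low_sec_ftp = Subject("Low_sec_FTP", "Low-Scan", frozenset({"FTP"}))
SLIDE21 = (
    Clause("Sales", "Wiki", (hi_sec_http,)),                 # R1
    Clause("Cisco", "Wiki", (low_sec_http, low_sec_ftp)),    # R2
)

# Slide 22 layout: the filter moves onto the clause and the subjects are contract-wide.
hi_scan = Subject("Hi_scan", "Hi-Scan")
low_scan = Subject("Low_scan", "Low-Scan")
SLIDE22 = (
    Clause("Sales", "Wiki", (hi_scan,), frozenset({"HTTP", "FTP"})),   # R1
    Clause("Cisco", "Wiki", (low_scan,), frozenset({"HTTP", "FTP"})),  # R2
)

SALES_USER = frozenset({"Sales", "Cisco"})   # constructed: Sales is a subgroup of Cisco users
CISCO_USER = frozenset({"Cisco"})
```

Running `evaluate(SLIDE21, SALES_USER, "Wiki", "FTP")` reproduces the slide-21 problem (the flow is denied), while the same call against `SLIDE22` yields Hi-Scan; a protocol not named in any clause filter, such as SSH before slide 23 adds it, still falls through to deny.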
Slide 23: Recommended solution (Wiki; Cisco Usr; Sales Usr; Sales Usr at Enemy Nation)
Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject Low-scan
Contract-wide subjects:
  Hi_Hi_scan: Action: Hi-Hi-Scan
  Hi_Scan: Action: Hi-Scan
  Low_Scan: Action: Low-Scan
Slide 24 (Contract A; Wiki site A; Cisco Usr; Usr X; Anomaly Detection App)
Clauses:
  R0: * -> *: Subject Hi_sec_HTTP
  R1: Cisco -> Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan
Subjects:
  HI_Sec_HTTP: Filter: Usr X -> Wiki site A, HTTP; Action: Hi-Scan, Rate_limit
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
Slide 25
Account for all accesses.
Diagram: All Users (Engg, Mktg) -> All Wiki (Engg Wiki, Mktg Wiki).
Slide 26
Contract Wiki-Access (Selector: Name: Wiki-Access). Consumes: Users. Provides: Wiki.
  Subject Full-Access: Filter: Wiki-Port; Action: Count Transactions, Count Pkts
  Clauses:
  1. Engg-Users -> Engg-Wiki: Full-Access
  2. Mktg-Users -> Mktg-Wiki: Full-Access
Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE. Provider EP Labels: Engg-Wiki, Mktg-Wiki.
Slide 27 (diagram)
Application: External Network -> Web App (HTTP) -> Middleware (Oracle) -> DB. VMM Domain: vCenter; Bridge Domain; Subnets; VM.
Slide 28

Rule | Src Group   | Dst Group   | App Group                              | Action                | Service                     | Target Network Device
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit, Implicit Deny | Firewall, IPS, Premium Path | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit, Implicit Deny |                             | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit, Implicit Deny |                             | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny, Implicit Permit |                             | Ent-Access-SJ
Slide 29: Rule 1
Contract PCI-Access (EPg Selector: Name: PCI-Access). Consumes: PCI-User. Provides: PCI-Web-Svr.
  Subject Web: Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path
Slide 30: Rule 2
Contract PCI-App-Access (EPg Selector: Name: PCI-App-Access). Consumes: PCI-Web-Svr. Provides: PCI-App-Svr.
  Subject App: Filter: App-ports; Action: Permit
Slide 31: Rule 3
Contract PCI-DB-Access (EPg Selector: Name: PCI-DB-Access). Consumes: PCI-App-Svr. Provides: PCI-DB.
  Subject DB: Filter: DB-ports; Action: Permit
Slide 32: Rule 4
Contract PCI-User-Access (EPg Selector: Name: PCI-User-Access). Consumes: Employee. Provides: PCI-User.
  Subject non-anti-malware: Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit
Open issue on Action & Filters on contracts.
Slide 33: Threat mitigation (Data Center)
1. Traffic flows through the network.
2. Network and security devices send telemetry to the Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator is sent the recommendation.
6. Policy is distributed: drop packets from the threat source; inspect flows from the same ISP.
Diagram: Applications (Business Routing Rules, Threat Detection); Controller (Topology, Security Policy); Traffic Scrubber.
Slide 34: Application experience: Unified Communication (Data Center)
1. UC application monitors user calls.
2. Identifies an issue with the call.
3. Notifies the SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation
Diagram: UC Applications; Flow Programming; Controller (Topology, Security Policy); Flow Quality Identification.
Thank you.