
Policy Usecases Sanjay Agrawal, Hari Sankar June 2014.


1 Policy Usecases Sanjay Agrawal, Hari Sankar June 2014

2 Cisco Confidential
1. Prestaged Policies
   1. Enterprise Access Control
      1. Enterprise Access: hierarchical resources access
      2. Enterprise Access: hierarchical resources overlap
      3. Enterprise Access: hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user groups
      7. Access based on overlapping user groups
      8. Additional scan for high-value endpoints
      9. Service inclusion in clause rule
      10. Priority among static and dynamic rules
      11. Enterprise Access Accounting
   2. Multi-tier Cloud Access Control
2. On-Demand Policies
   1. Threat mitigation
   2. Application experience: Unified Communication

3 Contract A
Diagram: Users are split into the subgroups India-Emp and US-Emp, each with endpoints On Prem and Outside; resources are split into the subgroups HR and Wiki, each with endpoints hosted Local or Cloud and of High or Low reputation.
Producer side:
  Subgroup (type of site): HR, Wiki
  Quality:
    - Hosting: Local or Cloud
    - Reputation: High or Low
Consuming side:
  Subgroup: India-Emp, US-Emp
  Conditions: On Prem, Outside
Contract A:
  Subject: HTTP; Filter: Web; Action: i.e. low security
  Clauses: (filled in on the following slides)

4 Contract A
Consumer side: India-Emp (endpoints On Prem and Outside) and US-Emp, each with Selector: Name = "A", Match = named; Condition Matchers: India-Emp, US-Emp.
Provider side: HR and Wiki, each with Selector: Name = "A", Match = named; Quality Matchers: HR, Wiki, & Local, & Cloud.
Subjects:
  HTTP_low: Filter: Web; Action: i.e. low security
  HTTP_Hi: Filter: Web; Action: i.e. high security
Clauses:
  1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
  3. US emp to HR & Cloud -> Subject HTTP_low

5 Contract A
Consumer side: India-Emp (endpoints On Prem and Outside) and US-Emp, each with Selector: Name = "A", Match = named; Condition Matchers: India-Emp, US-Emp.
Provider side: HR and Wiki, each with Selector: Name = "A", Match = named; Quality Matchers: HR, Wiki, & Local, & Cloud, & High Reputation.
Subjects:
  HTTP_low: Filter: Web; Action: i.e. low security
  HTTP_Hi: Filter: Web; Action: i.e. high security
Clauses:
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low

6 Contract A
Consumer side: India-Emp (endpoints On Prem and Outside) and US-Emp, each with Selector: Name = "A", Match = named; Condition Matchers: India-Emp, US-Emp.
Provider side: HR and Wiki, each with Selector: Name = "A", Match = named; Quality Matchers: & Local, & Cloud, & High Reputation; Condition Matchers: HR, Wiki.
Subjects:
  HTTP_low: Filter: Web; Action: i.e. low security
  HTTP_Hi: Filter: Web; Action: i.e. high security
Clauses:
  Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR & hosted Local -> Subject HTTP_low
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide label: Redundant

7 Contract A
Consumer side: India-Emp (endpoints On Prem and Outside) and US-Emp, each with Selector: Name = "A", Match = named; Condition Matchers: India-Emp, US-Emp.
Provider side: HR and Wiki, each with Selector: Name = "A", Match = named; Quality Matchers: HR, Wiki, & Local, & Cloud, & High Reputation.
Subjects:
  HTTP_low: Filter: Web; Action: i.e. low security
  HTTP_Hi: Filter: Web; Action: i.e. high security
Clauses:
  Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide label: Redundant

8 Contract A
Consumer side: India-Emp (endpoints On Prem and Outside) and US-Emp, each with Selector: Name = "A", Match = named; Condition Matchers: India-Emp, US-Emp.
Provider side: HR and Wiki, each with Selector: Name = "A", Match = named; Quality Matchers: HR, Wiki, & Local, & Cloud; Condition Matcher: & High Reputation.
Subjects:
  HTTP_low: Filter: Web; Action: i.e. low security
  HTTP_Hi: Filter: Web; Action: i.e. high security
Clauses:
  0. Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low, add HTTP_Hi
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide label: Redundant
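The Contract A slides above build the clause list up step by step and end with one clause that withdraws a subject and adds another, plus a "Redundant" label. The Python below is an added example (not code from the deck or from Cisco) that resolves the final clause list for a consumer/provider pair and then checks which clauses are redundant over the whole attribute space the slides describe. Group and quality names and the clause effects are taken from the slides; the in-order add/withdraw evaluation and the redundancy check are assumptions made here.

```python
"""Clause resolution for Contract A as it stands on the last Contract A slide.

Added example, not code from the deck.  Consumer endpoints carry group labels
(India-Emp and US-Emp are both Cisco-Emp) and a condition (On Prem or
Outside); provider endpoints carry qualities (site type, hosting, reputation).
Clauses are walked in slide order and each matching clause adds or withdraws
subjects.  The evaluation order and the redundancy check are assumptions.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, FrozenSet, List, Set


@dataclass(frozen=True)
class Consumer:
    groups: FrozenSet[str]   # e.g. {"Cisco-Emp", "India-Emp"}
    condition: str           # "On Prem" or "Outside"


@dataclass(frozen=True)
class Provider:
    site: str                # "HR" or "Wiki"
    hosting: str             # "Local" or "Cloud"
    reputation: str          # "High" or "Low"


@dataclass
class Clause:
    name: str
    consumer: Callable[[Consumer], bool]   # condition matcher
    provider: Callable[[Provider], bool]   # quality matcher
    add: Set[str] = field(default_factory=set)
    withdraw: Set[str] = field(default_factory=set)


# Slide 8 clause list, in slide order.
CONTRACT_A: List[Clause] = [
    Clause("0 Cisco-Emp -> HR",
           lambda c: "Cisco-Emp" in c.groups,
           lambda p: p.site == "HR",
           add={"HTTP_low"}),
    Clause("1 India-Emp & On prem -> HR hosted Local",
           lambda c: "India-Emp" in c.groups and c.condition == "On Prem",
           lambda p: p.site == "HR" and p.hosting == "Local",
           add={"HTTP_low"}),
    Clause("2 India-Emp & Outside -> HR hosted Local",
           lambda c: "India-Emp" in c.groups and c.condition == "Outside",
           lambda p: p.site == "HR" and p.hosting == "Local",
           withdraw={"HTTP_low"}, add={"HTTP_Hi"}),
    Clause("3 US emp -> HR & (Cloud || High Reputation)",
           lambda c: "US-Emp" in c.groups,
           lambda p: p.site == "HR" and (p.hosting == "Cloud" or p.reputation == "High"),
           add={"HTTP_low"}),
    Clause("4 India-Emp anywhere -> Wiki hosted Cloud",
           lambda c: "India-Emp" in c.groups,
           lambda p: p.site == "Wiki" and p.hosting == "Cloud",
           add={"HTTP_Hi"}),
]


def resolve(clauses: List[Clause], consumer: Consumer, provider: Provider) -> FrozenSet[str]:
    """Subjects in force between one consumer EP and one provider EP."""
    subjects: Set[str] = set()
    for cl in clauses:
        if cl.consumer(consumer) and cl.provider(provider):
            subjects -= cl.withdraw   # withdraw first so one clause can swap subjects
            subjects |= cl.add
    return frozenset(subjects)


def all_pairs():
    """Every consumer/provider combination in the slides' attribute space."""
    for sub, cond, site, host, rep in product(
            ("India-Emp", "US-Emp"), ("On Prem", "Outside"),
            ("HR", "Wiki"), ("Local", "Cloud"), ("High", "Low")):
        yield Consumer(frozenset({"Cisco-Emp", sub}), cond), Provider(site, host, rep)


def redundant_clauses(clauses: List[Clause]) -> List[str]:
    """Names of clauses whose removal changes no outcome over the whole space."""
    pairs = list(all_pairs())
    baseline = [resolve(clauses, c, p) for c, p in pairs]
    redundant = []
    for i, cl in enumerate(clauses):
        trimmed = clauses[:i] + clauses[i + 1:]
        if all(resolve(trimmed, c, p) == b for (c, p), b in zip(pairs, baseline)):
            redundant.append(cl.name)
    return redundant


if __name__ == "__main__":
    india_outside = Consumer(frozenset({"Cisco-Emp", "India-Emp"}), "Outside")
    print(resolve(CONTRACT_A, india_outside, Provider("HR", "Local", "Low")))  # frozenset({'HTTP_Hi'})
    print(redundant_clauses(CONTRACT_A))  # the two HR clauses already covered by clause 0
```

The redundancy check is the kind of review a practitioner wants before shipping a contract: once the broad Cisco-Emp -> HR clause exists, the narrower India-Emp on-prem and US-Emp clauses no longer change any outcome, whereas the withdraw/add clause for India-Emp outside does and must stay.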

9 Users in Group G1 get access to resources of Project P1.
Users in Group G2 get access to resources of Project P2.
User U1, who is part of G1, is on loan to P2 and needs access to its resources (with limited access).
Diagram: G1 -> P1; G2 -> P2; U1 -> P2 (limited access).

10 Contract Project-Access (G1, U1 and G2 consume; P1 and P2 provide; Selector: Name: Project-Access)
Subjects:
  Full-Access: Filter: Any; Action: Permit
  Limited-Access: Filter: Any; Action: Permit; Profile: Limited
Clauses:
  1. U1 -> P2: Limited-Access
  2. G1 -> P1: Full-Access
  3. G2 -> P2: Full-Access

11 Users in Group G1 get access to resources of Project P1.
User U1, who is part of G1, is excluded from P1 resources.
Diagram: G1 -> P1, with U1 excluded.

12 Contract Project-Access (G1 and U1 consume; P1 provides; Selector: Name: Project-Access)
Subject Full-Access: Filter: Any; Action: Permit
Clauses:
  1. NOT(U1) -> P1: Full-Access

13 User Group1 has access to all web categories.
Everyone else has access to only "Acceptable" web categories.
Diagram: All Users (containing Group1) -> All Web (containing Acceptable Web).

14 Contract Web-Access (Group1 and All-Users consume; All-Web provides; Selector: Name: Web-Access)
Producer EP Labels: Acceptable
Subject Full-Access: Filter: Any; Action: Permit
Clauses:
  1. Group1 -> All-Web: Full-Access
  2. All-Users -> Acceptable: Full-Access

15 Only PE/DEs have access to all wiki.
Everyone else has access to only Wiki areas for their own groups.
Diagram: All Users (Engg, Mktg, PE/DE) -> All Wiki (Engg Wiki, Mktg Wiki).

16 Contract Wiki-Access (Users consume; Wiki provides; Selector: Name: Wiki-Access)
Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
Provider EP Labels: Engg-Wiki, Mktg-Wiki
Subject Full-Access: Filter: Wiki-Port; Action: Permit
Clauses:
  1. PE/DE -> Wiki: Full-Access
  2. Engg-Users -> Engg-wiki: Full-Access
  3. Mktg-Users -> Mktg-wiki: Full-Access
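Slides 9 to 16 all rely on endpoint labels: a user on loan, a NOT(U1) exclusion, a web category nested inside "all web", and wiki areas nested inside "all wiki". The Python below is an added example (not code from the deck or from Cisco) that encodes those four contracts with label sets, expands a label to its parents so hierarchy falls out of set containment, and reports the subjects in force for a pair. Label names come from the slides; the parent map and the matching semantics (every matching clause contributes its subject) are assumptions made here.

```python
"""Label-based clause matching for the group and user use cases on slides 9-16.

Added example, not code from the deck.  Every endpoint carries a set of
labels: a group (G1), a single user (U1), a project (P1) or a web category
(Acceptable).  Hierarchy is expressed by expanding a label to its parents, so
an Acceptable site also carries All-Web and an Engg-Wiki page also carries
Wiki.  NOT(label) on the consumer side expresses the one-user exclusion.
The parent map and the matching semantics are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Clause:
    consumer: FrozenSet[str]      # labels the consumer EP must carry
    provider: FrozenSet[str]      # labels the provider EP must carry
    subject: str
    consumer_not: FrozenSet[str]  # NOT(...) labels that exclude the consumer


def clause(consumer: Iterable[str], provider: Iterable[str], subject: str,
           consumer_not: Iterable[str] = ()) -> Clause:
    return Clause(frozenset(consumer), frozenset(provider), subject, frozenset(consumer_not))


# Assumed parent map for the hierarchies drawn on the slides.
PARENTS: Dict[str, str] = {
    "U1": "G1",                # U1 is part of G1 (slides 9 and 11)
    "Group1": "All-Users",     # slide 13
    "Acceptable": "All-Web",   # slide 13
    "Engg-Wiki": "Wiki",       # slide 15
    "Mktg-Wiki": "Wiki",
}


def expand(labels: Iterable[str], parents: Dict[str, str] = PARENTS) -> FrozenSet[str]:
    """Close a label set under the parent relation (walks up every chain)."""
    out = set(labels)
    stack = list(labels)
    while stack:
        parent = parents.get(stack.pop())
        if parent and parent not in out:
            out.add(parent)
            stack.append(parent)
    return frozenset(out)


def matches(cl: Clause, consumer: FrozenSet[str], provider: FrozenSet[str]) -> bool:
    return (cl.consumer <= consumer
            and cl.provider <= provider
            and not (cl.consumer_not & consumer))


def subjects_for(clauses: List[Clause], consumer: Iterable[str],
                 provider: Iterable[str]) -> FrozenSet[str]:
    """Subjects in force for the pair; an empty set means no access at all."""
    c, p = expand(consumer), expand(provider)
    return frozenset(cl.subject for cl in clauses if matches(cl, c, p))


# Slide 10: G1 -> P1, G2 -> P2, and U1 on loan to P2 with limited access.
PROJECT_ACCESS = [
    clause(["U1"], ["P2"], "Limited-Access"),
    clause(["G1"], ["P1"], "Full-Access"),
    clause(["G2"], ["P2"], "Full-Access"),
]
# Slide 12: U1 excluded from P1 even though U1 is part of G1.
PROJECT_ACCESS_EXCL = [clause(["G1"], ["P1"], "Full-Access", consumer_not=["U1"])]
# Slide 14: Group1 reaches all web, everyone else only Acceptable categories.
WEB_ACCESS = [
    clause(["Group1"], ["All-Web"], "Full-Access"),
    clause(["All-Users"], ["Acceptable"], "Full-Access"),
]
# Slide 16: PE/DE reach every wiki, other groups only their own wiki area.
WIKI_ACCESS = [
    clause(["PE/DE"], ["Wiki"], "Full-Access"),
    clause(["Engg-Users"], ["Engg-Wiki"], "Full-Access"),
    clause(["Mktg-Users"], ["Mktg-Wiki"], "Full-Access"),
]
```

Because U1 expands to {U1, G1}, the on-loan user keeps Full-Access to P1 while getting only Limited-Access to P2, and the NOT(U1) clause removes U1 from P1 without touching the rest of G1; a Mktg user reaching Engg-Wiki gets the empty set, i.e. no clause and no access.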

17 Do additional IPS scans for traffic from these endpoints (High Value Endpoints).
Diagram: All Users -> All Internet: Permit; High Value Endpoints -> All Internet: Extra IPS scans.

18 Option 1: Single Contract
Contract Web-Access (Users consume; Internet provides; Selector: Name: Web-Access)
Consumer EP Labels: High-Value
Subjects:
  Normal-Access: Filter: Web; Action: Permit
  Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
Clauses:
  1. High-Value -> Internet: Access-with-Scan
  2. Users -> Internet: Normal-Access

19 Option 2: Multiple Contracts
Contract Normal-Web-Access, Priority = 0 (Users consume; Internet provides)
  Subject Normal-Access: Filter: Web; Action: Permit
  Rules (first-match):
    1. Users -> Internet: Normal-Access
Contract Hi-Scan-Web-Access, Priority = 100 (Users consume; Internet provides)
  Subject Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Clauses:
    1. High-Value -> Internet: Access-with-Scan
Consumer EP Labels: High-Value
Provider Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access

20 Diagram: Cisco Usr and Sales Usr access Wiki.
  Sales Usr -> Wiki: HTTP -> Hi-Scan
  Cisco Usr -> Wiki: (HTTP | FTP) -> Low-Scan

21 Diagram: Cisco Usr and Sales Usr access Wiki.
Subjects:
  Hi_Sec_HTTP: Filter: HTTP; Action: Hi-Scan
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan
  Low_Sec_FTP: Filter: FTP; Action: Low-Scan
Clauses:
  R1: Sales -> Wiki: Subject Hi_sec_HTTP
  R2: Cisco -> Wiki: Subject Low_sec_HTTP, Subject Low_sec_FTP
Problem: If a Sales user is accessing FTP he would match R1, which will deny him access. He should match R2.

22 Recommended solution
Diagram: Cisco Usr and Sales Usr access Wiki.
Clauses:
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP): Subject Low-scan
Contract-wide subjects:
  HI_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan

23 Recommended solution
Diagram: Cisco Usr, Sales Usr and Sales Usr at Enemy Nation access Wiki.
Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject Low-scan
Contract-wide subjects:
  Hi_Hi_scan: Action: Hi-Hi-Scan
  HI_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan

24 Contract A, with a rule injected by the Anomaly Detection App for Usr X -> Wiki site A
Diagram: Cisco Usr (including Usr X) accesses Wiki (including Wiki site A); Anomaly Detection App feeds Contract A.
Clauses:
  R0: * -> *: Subject Hi_sec_HTTP
  R1: Cisco -> Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan
Subjects:
  Hi_Sec_HTTP: Filter: Usr X -> Wiki site A, HTTP; Action: Hi-Scan, Rate_limit
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
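Slides 20 to 24 make two points that are easy to get wrong in an implementation: selecting a clause by group alone and only then applying the subject's filter denies a Sales user's FTP (the "Problem" slide), while naming the service in the clause lets the flow fall through to the next clause (the "Recommended solution" slides); and a rule injected by an anomaly detection application must outrank the static rules. The Python below is an added example (not code from the deck or from Cisco) that implements both resolvers over the same rule type and runs the dynamic rule at a higher priority. Rule, subject and action names are from the slides; the priority scheme (higher value wins, ties in clause order), the per-user narrowing of the dynamic rule expressed as a consumer/provider match, and the flow representation are assumptions made here.

```python
"""Service-aware clause matching and static/dynamic rule priority (slides 20-24).

Added example, not code from the deck.  resolve_group_first picks a rule by
consumer/provider groups alone and then applies the subject filter (the
problem on the Sales-user-doing-FTP slide); resolve_with_service includes the
service in the rule match (the recommended solution).  A dynamic rule from the
anomaly detection app is given a priority above every static rule.  The
priority scheme and flow representation are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # wildcard for consumer, provider or service


@dataclass(frozen=True)
class Subject:
    name: str
    services: Optional[FrozenSet[str]]  # the subject's filter; ANY = every service
    actions: Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    name: str
    consumer: Optional[FrozenSet[str]]  # labels required on the consumer EP; ANY = *
    provider: Optional[FrozenSet[str]]
    services: Optional[FrozenSet[str]]  # services named in the clause; ANY = none named
    subjects: Tuple[Subject, ...]
    priority: int = 0                   # static rules are 0, dynamic rules higher


@dataclass(frozen=True)
class Flow:
    consumer: FrozenSet[str]
    provider: FrozenSet[str]
    service: str


def _labels_ok(required: Optional[FrozenSet[str]], present: FrozenSet[str]) -> bool:
    return required is ANY or required <= present


def _groups_match(r: Rule, f: Flow) -> bool:
    return _labels_ok(r.consumer, f.consumer) and _labels_ok(r.provider, f.provider)


def ordered(rules: List[Rule]) -> List[Rule]:
    """Highest priority first; sorted() is stable, so ties keep clause order."""
    return sorted(rules, key=lambda r: -r.priority)


def resolve_group_first(rules: List[Rule], flow: Flow) -> Tuple[str, ...]:
    """Problem model: the first rule whose groups match is final, and a flow
    whose service matches none of that rule's subject filters is denied."""
    for r in ordered(rules):
        if _groups_match(r, flow):
            for s in r.subjects:
                if s.services is ANY or flow.service in s.services:
                    return s.actions
            return ("deny",)
    return ("deny",)


def resolve_with_service(rules: List[Rule], flow: Flow) -> Tuple[str, ...]:
    """Recommended model: the service is part of the match, so a rule that does
    not name the flow's service is skipped and a later rule can apply."""
    for r in ordered(rules):
        if _groups_match(r, flow) and (r.services is ANY or flow.service in r.services):
            return r.subjects[0].actions
    return ("deny",)


# Slide 21: per-service subjects, groups-only clauses.
HI_SEC_HTTP = Subject("Hi_sec_HTTP", frozenset({"HTTP"}), ("Hi-Scan",))
LOW_SEC_HTTP = Subject("Low_sec_HTTP", frozenset({"HTTP"}), ("Low-Scan",))
LOW_SEC_FTP = Subject("Low_sec_FTP", frozenset({"FTP"}), ("Low-Scan",))
PROBLEM_RULES = [
    Rule("R1", frozenset({"Sales"}), frozenset({"Wiki"}), ANY, (HI_SEC_HTTP,)),
    Rule("R2", frozenset({"Cisco"}), frozenset({"Wiki"}), ANY, (LOW_SEC_HTTP, LOW_SEC_FTP)),
]

# Slide 23: contract-wide subjects, services named in the clause.
HI_HI_SCAN = Subject("Hi_Hi_scan", ANY, ("Hi-Hi-Scan",))
HI_SCAN = Subject("Hi_scan", ANY, ("Hi-Scan",))
LOW_SCAN = Subject("Low_scan", ANY, ("Low-Scan",))
RECOMMENDED_RULES = [
    Rule("R0", frozenset({"Sales", "Enemy Nation"}), frozenset({"Wiki"}),
         frozenset({"HTTP"}), (HI_HI_SCAN,)),
    Rule("R1", frozenset({"Sales"}), frozenset({"Wiki"}),
         frozenset({"HTTP", "FTP"}), (HI_SCAN,)),
    Rule("R2", frozenset({"Cisco"}), frozenset({"Wiki"}),
         frozenset({"HTTP", "FTP", "SSH"}), (LOW_SCAN,)),
]

# Slide 24: rule pushed by the anomaly detection app for one user and one site,
# at a priority above every static rule (the priority value is assumed).
DYNAMIC_RULE = Rule("R0-dynamic", frozenset({"Usr X"}), frozenset({"Wiki site A"}),
                    frozenset({"HTTP"}),
                    (Subject("Hi_sec_HTTP", ANY, ("Hi-Scan", "Rate_limit")),),
                    priority=100)
```

A Sales user (who is also a Cisco user) doing FTP gets deny from the first resolver and Hi-Scan from the second; the same user doing SSH is skipped by R1 and lands on R2's Low-Scan, and only Usr X's HTTP to Wiki site A picks up the rate-limited dynamic rule.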

25 Account for all accesses.
Diagram: All Users (Engg, Mktg) -> All Wiki (Engg Wiki, Mktg Wiki).

26 Contract Wiki-Access (Users consume; Wiki provides; Selector: Name: Wiki-Access)
Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
Provider EP Labels: Engg-Wiki, Mktg-Wiki
Subject Full-Access: Filter: Wiki-Port; Action: Count Transactions, Count Pkts
Clauses:
  1. Engg-Users -> Engg-wiki: Full-Access
  2. Mktg-Users -> Mktg-wiki: Full-Access

27 Diagram labels: Application, External Network, Web App, DB, VMM Domain, vCenter, Bridge Domain, Subnets, Middleware, Oracle, HTTP, VM

28
Rule | Src Group   | Dst Group   | App Group                              | Action                | Service                     | Target Network Device
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit, Implicit Deny | Firewall, IPS, Premium Path | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit, Implicit Deny |                             | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit, Implicit Deny |                             | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny, Implicit Permit |                             | Ent-Access-SJ

29 Rule 1: Contract PCI-Access (PCI-User consumes; PCI-Web-Svr provides; EPg Selector: Name: PCI-Access)
Subject Web: Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path

30 Rule 2: Contract PCI-App-Access (PCI-Web-Svr consumes; PCI-App-Svr provides; EPg Selector: Name: PCI-App-Access)
Subject App: Filter: App-ports; Action: Permit

31 Rule 3: Contract PCI-DB-Access (PCI-App-Svr consumes; PCI-DB provides; EPg Selector: Name: PCI-DB-Access)
Subject DB: Filter: DB-ports; Action: Permit

32 Rule 4: Contract PCI-User-Access (Employee consumes; PCI-User provides; EPg Selector: Name: PCI-User-Access)
Subject non-anti-malware: Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit
Open issue on Action & Filters on contracts
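The rule table on slide 28 carries an explicit action plus an implicit default per row, while the contracts on slides 29 to 32 only carry a filter and a Permit action, which is why Rule 4 had to be rewritten as NOT(Anti-malware) -> Permit and why the last slide flags an open issue. The Python below is an added example (not code from the deck or from Cisco) that evaluates the table directly, converts each row into the permit-only contract form, and checks that both forms agree on every service for every group pair. Group, service-group and device names are from the table; the concrete service names inside each service group and the flow representation are assumptions made here.

```python
"""Rule table to contract mapping for the multi-tier PCI use case (slides 28-32).

Added example, not code from the deck.  A table row has an explicit action
for its listed services and an implicit default for everything else between
the same groups.  A contract subject only carries a filter and Permit, so a
Deny/Implicit-Permit row becomes NOT(services) -> Permit.  The service names
inside each service group are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed membership of the service groups named in the table.
SERVICE_GROUPS: Dict[str, FrozenSet[str]] = {
    "Web": frozenset({"http", "https"}),                 # Web (80, 443)
    "App-ports": frozenset({"app"}),                     # placeholder service
    "DB-ports": frozenset({"db"}),                       # placeholder service
    "Anti-Malware": frozenset({"ssh", "telnet", "snmp", "ping"}),
}
# "smtp" is a constructed extra service that no row lists, to exercise the implicit default.
ALL_SERVICES = frozenset().union(*SERVICE_GROUPS.values()) | {"smtp"}


@dataclass(frozen=True)
class TableRule:
    number: int
    src: str
    dst: str
    app_group: str       # key into SERVICE_GROUPS
    action: str          # "Permit" or "Deny" for services in app_group
    implicit: str        # default for every other service
    profiles: Tuple[str, ...] = ()
    targets: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str
    provider: str
    filter_services: FrozenSet[str]   # permit-only filter
    negated: bool                     # True means NOT(filter_services)
    profiles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    action: str
    profiles: Tuple[str, ...] = ()
    targets: Tuple[str, ...] = ()


PCI_TABLE: List[TableRule] = [
    TableRule(1, "PCI-User", "PCI-Web-Svr", "Web", "Permit", "Deny",
              ("Firewall", "IPS", "Premium Path"), ("DC-NGFW-SJ", "Branch-Rtr-NY")),
    TableRule(2, "PCI-Web-Svr", "PCI-App-Svr", "App-ports", "Permit", "Deny", (), ("DC-Access-SJ",)),
    TableRule(3, "PCI-App-Svr", "PCI-DB", "DB-ports", "Permit", "Deny", (), ("DC-Access-SJ",)),
    TableRule(4, "Employee", "PCI-User", "Anti-Malware", "Deny", "Permit", (), ("Ent-Access-SJ",)),
]


def evaluate_table(rules: List[TableRule], src: str, dst: str, service: str) -> Optional[Decision]:
    """Decision of the first row whose groups match, or None when no row does."""
    for r in rules:
        if r.src == src and r.dst == dst:
            listed = service in SERVICE_GROUPS[r.app_group]
            action = r.action if listed else r.implicit
            profiles = r.profiles if (listed and action == "Permit") else ()
            return Decision(action, profiles, r.targets)
    return None


def to_contract(r: TableRule) -> Contract:
    """Rewrite a row as a permit-only contract subject (Rule 1 -> Web, Permit;
    Rule 4 -> NOT(Anti-Malware), Permit)."""
    services = SERVICE_GROUPS[r.app_group]
    if r.action == "Permit" and r.implicit == "Deny":
        return Contract(f"PCI-Rule{r.number}", r.src, r.dst, services, False, r.profiles)
    if r.action == "Deny" and r.implicit == "Permit":
        return Contract(f"PCI-Rule{r.number}", r.src, r.dst, services, True, r.profiles)
    raise ValueError(f"row {r.number}: permit-only contracts cannot express {r.action}/{r.implicit}")


def evaluate_contracts(contracts: List[Contract], src: str, dst: str, service: str) -> str:
    """Permit if any contract between the groups admits the service, else Deny."""
    for c in contracts:
        if c.consumer == src and c.provider == dst:
            in_filter = service in c.filter_services
            if in_filter != c.negated:   # plain filter: in it; NOT filter: outside it
                return "Permit"
    return "Deny"


def check_equivalent(rules: List[TableRule]) -> bool:
    """Both forms give the same permit/deny answer for every row's group pair and service."""
    contracts = [to_contract(r) for r in rules]
    for r in rules:
        for svc in ALL_SERVICES:
            table = evaluate_table(rules, r.src, r.dst, svc)
            if table is None or table.action != evaluate_contracts(contracts, r.src, r.dst, svc):
                return False
    return True
```

The equivalence check is what closes the open issue for these four rows: as long as a row is either Permit/Implicit Deny or Deny/Implicit Permit it has a faithful permit-only contract, and the converter refuses any row (for example Deny with Implicit Deny) that the permit-only form cannot express.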

33 Diagram: Data Center, with steps 1 to 6 marked on the network.
1. Traffic flows through network.
2. Network and security devices send telemetry to Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator sent recommendation.
6. Policy distributed, drop packets from threat source. Inspect flows from same ISP.
Applications: Business Routing Rules, Threat Detection. Controller: Topology, Security Policy. Traffic Scrubber.

34 Diagram: Data Center, with steps marked on the network.
1. UC application monitors user calls.
2. Identifies issue with the call.
3. Notifies SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation
Applications: UC Applications, Flow Programming. Controller: Topology, Security Policy, Flow Quality Identification.

35 Thank you.

