Transcript of Policy Usecases
Policy Usecases
Sanjay Agrawal, Hari Sankar
June 2014
Cisco Confidential 2
Usecases
1. Prestaged Policies
   1. Enterprise Access Control
      1. Enterprise Access: Hierarchical resources access
      2. Enterprise Access: Hierarchical resources overlap
      3. Enterprise Access: Hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user-groups
      7. Access based on overlapping user groups
      8. Additional scan for high value end points
      9. Service inclusion in clause rule
      10. Priority among static and dynamic rules
      11. Enterprise Access Accounting
   2. Multi-tier Cloud Access Control
2. On-Demand Policies
   1. Threat mitigation
   2. Application experience: Unified Communication
Usecase 1.1.1: Enterprise Hierarchical Resource Access
[Figure: Web resources in subgroups HR and Wiki, each hosted Local or Cloud and tagged HighReputation or LowReputation, consumed by Users in subgroups India-Emp and US-Emp located On Prem or Outside]
Contract A: Subject: HTTP Filter; Action: i.e. Low Security
Producer side: Subgroup: type of site (HR, Wiki); Quality: Hosting (Local or Cloud), Reputation (High or Low)
Consuming side: Subgroup: India-Emp, US-Emp; Conditions: On Prem, Outside
Clauses:
Usecase 1.1.1: Enterprise Hierarchical Resource Access
[Figure: Contract A between Web (producer: HR and Wiki endpoints, hosted Local or Cloud) and Users (consumer: India-Emp and US-Emp endpoints, On Prem or Outside). Each side attaches Selector: Name = “A”, Match = named. Producer side Quality Matchers: HR, Wiki, & Local, & Cloud. Consumer side Condition Matchers: India-Emp, US-Emp.]
Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
Clauses:
  1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
  3. US emp to HR & Cloud -> Subject HTTP_low
Usecase 1.1.1: Enterprise Hierarchical Resource Access
[Figure: same Contract A layout as the previous slide. Producer side Quality Matchers: HR, Wiki, & Local, & Cloud, & HighReputation. Consumer side Condition Matchers: India-Emp, US-Emp. Selector: Name = “A”, Match = named on each side.]
Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
Clauses:
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
Usecase 1.1.2: Enterprise Hierarchical Resource Access: Overlap
[Figure: same Contract A layout. Producer side matchers: HR, Wiki, & Local, & Cloud, & HighReputation. Consumer side Condition Matchers: India-Emp, US-Emp. Selector: Name = “A”, Match = named on each side.]
Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
Clauses:
  Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR & hosted Local -> Subject HTTP_low
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide annotation: Redundant
Usecase 1.1.3: Enterprise Hierarchical Resource Access: Conflict
[Figure: same Contract A layout. Producer side Quality Matchers: HR, Wiki, & Local, & Cloud, & HighReputation. Consumer side Condition Matchers: India-Emp, US-Emp. Selector: Name = “A”, Match = named on each side.]
Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
Clauses:
  Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide annotation: Redundant
Usecase 1.1.3: Enterprise Hierarchical Access: Conflict Action
[Figure: same Contract A layout. Producer side matchers: HR, Wiki, & Local, & Cloud, & HighReputation. Consumer side Condition Matchers: India-Emp, US-Emp. Selector: Name = “A”, Match = named on each side.]
Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
Clauses:
  0. Cisco-Emp -> HR -> Subject HTTP_low
  India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
  India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low, add HTTP_Hi
  US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low
  India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
Slide annotation: Redundant
Usecase 1.1.4: User on multiple projects
• Users in Group G1 get access to resources of Project P1
• Users in Group G2 get access to resources of Project P2
• User U1 who is part of G1 is on loan to P2 and needs access to its resources (with limited access)
[Figure: G1 -> P1; G2 -> P2; U1 -> P2 with limited access]
Usecase 1.1.4: User on multiple projects
[Figure: G1 and U1 consume, P1 and P2 provide, contract Project-Access; Selector: Name: Project-Access on each side]
Contract Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Subject: Limited-Access; Filter: Any; Action: Permit; Profile: Limited
Clauses:
  1. U1 P2: Limited-Access
  2. G1 P1: Full-Access
  3. G2 P2: Full-Access
Usecase 1.1.5: Exclusion for one user
• Users in Group G1 get access to resources of Project P1
• User U1 who is part of G1 is excluded from P1 resources
[Figure: G1 -> P1, with U1 excluded]
Usecase 1.1.5: Exclusion for one user
[Figure: G1 (containing U1) consumes, P1 provides, contract Project-Access; Selector: Name: Project-Access on each side]
Contract Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
Clauses:
  1. NOT(U1) P1: Full-Access
Use case 1.1.6: Access based on hierarchical user-groups
• User Group1 has access to all web categories
• Everyone else has access to only “Acceptable” web categories
[Figure: All Users (containing Group1) -> All Web (containing Acceptable Web); Group1 reaches All Web, All Users reach only Acceptable Web]
Use case 1.1.6: Access based on hierarchical user-groups
[Figure: All-Users (containing Group1) consume, All-Web provides, contract Web-Access; Selector: Name: Web-Access on each side; Producer EP Labels: Acceptable]
Contract Web-Access
  Subject: Full-Access; Filter: Any; Action: Permit
Clauses:
  1. Group1 All-Web: Full-Access
  2. All-Users Acceptable: Full Access
Use case 1.1.7: Access based on overlapping user-groups
• Only PE/DEs have access to all wiki
• Everyone else has access to only Wiki areas for their own groups
[Figure: All Users (Engg, Mktg, PE/DE) -> All Wiki (Engg Wiki, Mktg Wiki); Engg -> Engg Wiki, Mktg -> Mktg Wiki, PE/DE -> All Wiki]
Use case 1.1.7: Access based on overlapping user-groups
[Figure: Users consume, Wiki provides, contract Wiki-Access; Selector: Name: Wiki-Access on each side; Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE; Producer EPs: Engg-Wiki, Mktg-Wiki]
Contract Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Permit
Clauses:
  1. PE/DE Wiki: Full-Access
  2. Engg-Users Engg-wiki: Full-Access
  3. Mktg-Users Mktg-wiki: Full-Access
Use case 1.1.8: Additional scans for high value endpoints
• Do additional IPS scans for traffic from these endpoints
[Figure: All Users (with a High Value Endpoints subset) -> All Internet; All Users: Permit; High Value Endpoints: Extra IPS scans]
Use case 1.1.8: Additional scans for high value endpoints
Option 1: Single Contract
[Figure: Users consume, Internet provides, contract Web-Access; Selector: Name: Web-Access on each side; Consumer EP Labels: High-Value]
Contract Web-Access
  Subject: Normal-Access; Filter: Web; Action: Permit
  Subject: Access-with-Scan; Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
Clauses:
  1. High-Value Internet: Access-with-Scan
  2. Users Internet: Normal-Access
Usecase 1.1.9: Service inclusion in clauses
[Figure: Cisco Usr -> Wiki with (HTTP | FTP) -> Low-Scan; Sales Usr -> Wiki with HTTP -> Hi-Scan]
Problem: Priority among Rules
[Figure: Cisco Usr and Sales Usr -> Wiki]
Subjects:
  HI_Sec_HTTP: Filter: HTTP; Action: Hi-Scan
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan
  Low_Sec_FTP: Filter: FTP; Action: Low-Scan
Clauses:
  R1: Sales -> Wiki: Subject: Hi_sec_HTTP
  R2: Cisco -> Wiki: Subject: Low_sec_HTTP, Subject: Low_sec_FTP
Problem: If a Sales user is accessing FTP he would match R1, which will deny him access. He should match R2.
Usecase 1.1.9: 2 level priority resolution with clause rules matching port ranges (Recommended solution)
[Figure: Cisco Usr and Sales Usr -> Wiki]
Subjects (contract wide):
  HI_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan
Clauses:
  R1: Sales -> Wiki, (HTTP | FTP): Subject: Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP): Subject: Low-scan
Usecase 1.1.9: 3 level priority resolution with clause rules matching port ranges (Recommended solution)
[Figure: Cisco Usr, Sales Usr and Sales Usr at Enemy Nation -> Wiki]
Subjects (contract wide):
  Hi_Hi_scan: Action: Hi-Hi-Scan
  HI_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan
Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject: Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject: Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject: Low-scan
Usecase 1.1.10: Priority among Static and Dynamic Rules
[Figure: Cisco Usr -> Wiki under Contract A; an Anomaly Detection App injects a rule for Usr X -> Wiki site A]
Subjects:
  HI_Sec_HTTP: Filter: Usr X -> Wiki site A, HTTP; Action: Hi-Scan, Rate_limit
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
Clauses:
  R0: * -> *: Subject: Hi_sec_HTTP
  R1: Cisco -> Wiki: Subject: HTTP + Low-scan, Subject: FTP + Low-scan
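The problem of use case 1.1.9, its recommended solution, and the dynamic rule of use case 1.1.10 can be checked with the following Python model. It is an added example, not code from this deck or from any Cisco product. The first evaluator reproduces the slide 21 behaviour, where a clause is selected by consumer and producer groups alone and the flow is then denied if none of that clause's subject filters covers it. The second evaluator implements the recommended form, where each clause rule also carries its condition and its port ranges and rules are tried in priority order (R0, R1, R2); the dynamic rule of 1.1.10 is simply prepended to that order. The port ranges for HTTP, FTP and SSH, the "Enemy Nation" location value, the site label "Site A" and the users' group label sets (a Sales user is also a Cisco user) are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Service name -> TCP port range; well-known ports, constructed for this example.
SERVICES = {"HTTP": (80, 80), "FTP": (20, 21), "SSH": (22, 22)}


def in_service(service: str, port: int) -> bool:
    lo, hi = SERVICES[service]
    return lo <= port <= hi


@dataclass(frozen=True)
class Flow:
    consumer: FrozenSet[str]   # groups the user belongs to
    provider: FrozenSet[str]   # labels of the site being accessed
    port: int                  # destination port
    location: str = "Office"   # condition; "Enemy Nation" is the slide's example value


# --- Slide 21 model: a clause selects subjects by groups only -----------------
@dataclass(frozen=True)
class Subject:
    name: str
    service: str   # the subject's filter
    action: str


@dataclass(frozen=True)
class SubjectClause:
    consumer: str
    provider: str
    subjects: Tuple[Subject, ...]


def evaluate_first_match(clauses: List[SubjectClause], flow: Flow) -> Optional[str]:
    """First clause whose groups match wins; the flow is then denied (None)
    unless one of that clause's subject filters covers the port."""
    for cl in clauses:
        if cl.consumer in flow.consumer and cl.provider in flow.provider:
            for s in cl.subjects:
                if in_service(s.service, flow.port):
                    return s.action
            return None
    return None


PROBLEM_CLAUSES = [
    SubjectClause("Sales", "Wiki", (Subject("Hi_sec_HTTP", "HTTP", "Hi-Scan"),)),
    SubjectClause("Cisco", "Wiki", (Subject("Low_sec_HTTP", "HTTP", "Low-Scan"),
                                    Subject("Low_sec_FTP", "FTP", "Low-Scan"))),
]


# --- Slides 22-24 model: rule carries condition + port ranges, priority order ---
@dataclass(frozen=True)
class Rule:
    consumer: str
    provider: str
    services: FrozenSet[str]
    action: str
    condition: Optional[str] = None   # required location, if any

    def matches(self, flow: Flow) -> bool:
        if self.consumer not in flow.consumer or self.provider not in flow.provider:
            return False
        if self.condition is not None and flow.location != self.condition:
            return False
        return any(in_service(s, flow.port) for s in self.services)


def evaluate_priority(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Rules are listed in priority order (R0 first); the first full match wins."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return None


STATIC_RULES = [
    Rule("Sales", "Wiki", frozenset({"HTTP"}), "Hi-Hi-Scan", condition="Enemy Nation"),  # R0
    Rule("Sales", "Wiki", frozenset({"HTTP", "FTP"}), "Hi-Scan"),                        # R1
    Rule("Cisco", "Wiki", frozenset({"HTTP", "FTP", "SSH"}), "Low-Scan"),                # R2
]

# Use case 1.1.10: the anomaly detection app's rule for one user/site pair is
# placed in front of the static rules (labels "Usr X" / "Site A" constructed).
DYNAMIC_RULE = Rule("Usr X", "Site A", frozenset({"HTTP"}), "Hi-Scan, Rate_limit")


def with_dynamic(rules: List[Rule], dynamic: Rule) -> List[Rule]:
    return [dynamic] + rules


if __name__ == "__main__":
    sales_ftp = Flow(frozenset({"Sales", "Cisco"}), frozenset({"Wiki"}), 21)
    print("slide 21 model:", evaluate_first_match(PROBLEM_CLAUSES, sales_ftp))
    print("recommended   :", evaluate_priority(STATIC_RULES, sales_ftp))
```

In the slide 21 model the Sales user's FTP flow returns None (denied) because R1 captured it on group membership alone; in the recommended model R1 matches only if the port is in its (HTTP | FTP) set, and a Sales SSH flow falls through R0 and R1 to R2 because a Sales user is also a Cisco user.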
Usecase 1.1.11: Enterprise Access Accounting
• Account for all accesses
[Figure: All Users (Engg, Mktg) -> All Wiki (Engg Wiki, Mktg Wiki)]
Use case 1.1.11: Accounting
[Figure: Users consume, Wiki provides, contract Wiki-Access; Selector: Name: Wiki-Access on each side; Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE; Producer EPs: Engg-Wiki, Mktg-Wiki]
Contract Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Count Transactions, Count Pkts
Clauses:
  1. Engg-Users Engg-wiki: Full-Access
  2. Mktg-Users Mktg-wiki: Full-Access
Usecase 1.2: Multi-tier Cloud Access Control
[Figure: Application tiers External Network -> Web -> App -> DB (Middleware: HTTP, Oracle); each tier is a set of VMs in a VMM Domain (vCenter) and a Bridge Domain with Subnets]
Usecase 1.2: Multi-tier Cloud Access Control: Broad Access Control Example

Rule | Src Group   | Dst Group   | App Group                              | Action                 | Service                     | Target Network Device
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit (implicit Deny) | Firewall, IPS, Premium Path | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit (implicit Deny) |                             | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit (implicit Deny) |                             | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny (implicit Permit) |                             | Ent-Access-SJ
Usecase 1.2: Multi-tier Cloud Access Control: Web-tier access
Rule 1:
[Figure: EPg PCI-User consumes, EPg PCI-Web-Svr provides, contract PCI-Access; Selector: Name: PCI-Access on each side]
Contract PCI-Access
  Subject: Web; Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path
Usecase 1.2: Multi-tier Cloud Access Control: App-tier access
Rule 2:
[Figure: EPg PCI-Web-Svr consumes, EPg PCI-App-Svr provides, contract PCI-App-Access; Selector: Name: PCI-App-Access on each side]
Contract PCI-App-Access
  Subject: App; Filter: App-ports; Action: Permit
Usecase 1.2: Multi-tier Cloud Access Control: DB-tier access
Rule 3:
[Figure: EPg PCI-App-Svr consumes, EPg PCI-DB provides, contract PCI-DB-Access; Selector: Name: PCI-DB-Access on each side]
Contract PCI-DB-Access
  Subject: DB; Filter: DB-ports; Action: Permit
Usecase 1.2: Multi-tier Cloud Access Control: User-tier access
Rule 4 (open issue on Action & Filters on contracts):
[Figure: EPg Employee consumes, EPg PCI-User provides, contract PCI-User-Access; Selector: Name: PCI-User-Access on each side]
Contract PCI-User-Access
  Subject: non-anti-malware; Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit
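The slide 28 table gives each rule an explicit action for its app group and an implicit action for all other traffic between the same pair of groups, while the Rule 4 contract above expresses the same intent as Permit with a NOT(Anti-malware) filter. The following Python model is an added example, not code from this deck or from any Cisco product: it evaluates such a table for a single flow and shows that the two forms of rule 4 decide identically. The Web and Anti-Malware port sets come from the table; the port numbers for the App-ports and DB-ports filters are constructed placeholders (the deck does not give them), and the default for a pair of groups with no rule at all is assumed to be Deny. The Service and Target Network Device columns are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Service = Tuple[str, int]   # (protocol, port); port 0 for icmp

# App groups of the slide 28 table. Web and Anti-Malware are given on the
# slide; App-ports and DB-ports are named on the contract slides without
# numbers, so the numbers below are constructed placeholders.
APP_GROUPS: Dict[str, FrozenSet[Service]] = {
    "Web": frozenset({("tcp", 80), ("tcp", 443)}),
    "Anti-Malware": frozenset({("tcp", 22), ("tcp", 23), ("udp", 161), ("icmp", 0)}),
    "App-ports": frozenset({("tcp", 8080)}),
    "DB-ports": frozenset({("tcp", 1521)}),
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    app_group: str                   # key of APP_GROUPS
    action: str                      # action for flows inside the app group
    implicit: str                    # action for every other flow between src and dst
    profiles: Tuple[str, ...] = ()   # service chain applied to permitted flows
    negate: bool = False             # True: the filter is NOT(app_group), as in the Rule 4 contract

    def covers(self, flow: Service) -> bool:
        return (flow in APP_GROUPS[self.app_group]) != self.negate


# Rows 1-4 of the slide 28 table.
RULES: List[Rule] = [
    Rule("PCI-User", "PCI-Web-Svr", "Web", "Permit", "Deny", ("Firewall", "IPS", "Premium Path")),
    Rule("PCI-Web-Svr", "PCI-App-Svr", "App-ports", "Permit", "Deny"),
    Rule("PCI-App-Svr", "PCI-DB", "DB-ports", "Permit", "Deny"),
    Rule("Employee", "PCI-User", "Anti-Malware", "Deny", "Permit"),
]


def decide(rules: List[Rule], src: str, dst: str, flow: Service) -> Tuple[str, Tuple[str, ...]]:
    """Action and profiles for one flow. The first rule for the (src, dst) pair
    decides; a pair with no rule at all is denied (assumption of this example).
    Profiles are only meaningful on a Permit, so they are returned only then."""
    for r in rules:
        if r.src == src and r.dst == dst:
            action = r.action if r.covers(flow) else r.implicit
            return action, (r.profiles if action == "Permit" else ())
    return "Deny", ()


def as_negated_filter(rule: Rule) -> Rule:
    """Rewrite 'action X on group, implicit Y' as 'action Y on NOT(group),
    implicit X'. Applied to rule 4 this yields the Permit NOT(Anti-malware)
    form of the PCI-User-Access contract."""
    return Rule(rule.src, rule.dst, rule.app_group, rule.implicit, rule.action,
                rule.profiles, not rule.negate)


if __name__ == "__main__":
    print(decide(RULES, "PCI-User", "PCI-Web-Svr", ("tcp", 443)))   # permitted with profiles
    print(decide(RULES, "PCI-User", "PCI-DB", ("tcp", 1521)))       # no rule for this pair
    print(decide(RULES, "Employee", "PCI-User", ("tcp", 22)))       # ssh to PCI users denied
```

Note that the PCI-User to PCI-DB flow is denied only because of the assumed default for pairs without a rule; the table itself says nothing about that pair, which is the kind of gap a per-pair implicit action does not close.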
On Demand Usecase 2.1: Threat Mitigation
[Figure: Controller (Topology, Security Policy) with Applications (Business Routing Rules, Threat Detection) above it, a Data Center and a Traffic Scrubber, with numbered arrows 1 to 6 between them]
1. Traffic flows through network.
2. Network and security devices send telemetry to Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator is sent a recommendation.
6. Policy distributed, drop packets from threat source. Inspect flows from same ISP.
On Demand usecase 2.2: Unified Communications
[Figure: Controller (Topology, Security Policy) with UC Applications (Flow Programming, Flow Quality Identification) above it and a Data Center, with numbered arrows 1 to 6 between them]
1. UC application monitors user calls
2. Identifies issue with the call
3. Notifies SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation
Thank you.