Page 1: Policy  Usecases

Policy Usecases

Sanjay Agrawal, Hari Sankar

June 2014

Cisco Confidential 2

Usecases

1. Prestaged Policies
   1. Enterprise Access Control
      1. Enterprise Access Hierarchical resources Access
      2. Enterprise Access Hierarchical resources overlap
      3. Enterprise Access Hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user-groups
      7. Access based on overlapping user groups
      8. Additional scan for high value end points
      9. Service inclusion in clause rule
      10. Priority among static and dynamic rules
      11. Enterprise Access Accounting
   2. Multi-tier Cloud Access Control
2. On-Demand Policies
   1. Threat mitigation
   2. Application experience: Unified Communication

Usecase 1.1.1: Enterprise Hierarchical Resource Access

[Diagram: consumer EPs (Users) in the subgroups India-Emp and US-Emp, each located On Prem or Outside, consume Contract A; producer EPs (Web) in the subgroups HR and Wiki, hosted Local or Cloud and rated HighReputation or LowReputation, provide it.]

Contract A
  Subject: HTTP; Filter; Action: i.e. low Security
  Clauses: (defined on the next slide)

Producer side:
  Subgroup (type of site): HR, Wiki
  Conditions:
    Hosting: Local or Cloud
    Reputation: High or Low

Consuming side:
  Subgroup: India-Emp, US-Emp
  Conditions: On Prem, Outside

Usecase 1.1.1: Enterprise Hierarchical Resource Access

[Diagram: consumer EPs (Users) in India-Emp and US-Emp, On Prem or Outside; producer EPs (Web) in HR and Wiki, hosted Local or Cloud. Every EP group carries Selector: Name = "A", Match = named, so all of them attach to Contract A.]

Condition Matchers:
  Producer side: HR; Wiki; & Local; & Cloud
  Consumer side: India-Emp; US-Emp

Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
  Clauses:
    1. India-Emp & On Prem -> HR hosted Local -> Subject HTTP_low
    2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
    3. US-Emp -> HR & Cloud -> Subject HTTP_low

Usecase 1.1.1: Enterprise Hierarchical Resource Access

[Diagram as on the previous slide; the HR producer side gains the condition HighReputation.]

Condition Matchers:
  Producer side: HR; Wiki; & Local; & Cloud; & HighReputation
  Consumer side: India-Emp; US-Emp

Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
  Clauses:
    1. India-Emp & On Prem -> HR hosted Local -> Subject HTTP_low
    2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
    3. US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low

Usecase 1.1.2: Enterprise Hierarchical Resource Access: Overlap

[Diagram as on the previous slides: consumer EPs India-Emp / US-Emp (On Prem or Outside), producer EPs HR / Wiki (Local or Cloud, HighReputation); all groups select Contract A by name.]

Condition Matchers:
  Producer side: HR; Wiki; & Local; & Cloud; & HighReputation
  Consumer side: India-Emp; US-Emp

Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
  Clauses:
    Cisco-Emp -> HR -> Subject HTTP_low
    India-Emp & On Prem -> HR & hosted Local -> Subject HTTP_low
    US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
    India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Annotation: Redundant. The Cisco-Emp -> HR clause already grants HTTP_low to India-Emp and US-Emp reaching HR, so the narrower HR clauses overlap it and add nothing.

Usecase 1.1.3: Enterprise Hierarchical Resource Access: Conflict

[Diagram as on the previous slides: consumer EPs India-Emp / US-Emp (On Prem or Outside), producer EPs HR / Wiki (Local or Cloud, HighReputation); all groups select Contract A by name.]

Condition Matchers:
  Producer side: HR; Wiki; & Local; & Cloud; & HighReputation
  Consumer side: India-Emp; US-Emp

Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
  Clauses:
    Cisco-Emp -> HR -> Subject HTTP_low
    India-Emp & On Prem -> HR hosted Local -> Subject HTTP_low
    India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low
    US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
    India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Annotation: Redundant (the narrower HR clauses granting HTTP_low are already covered by the Cisco-Emp -> HR clause).
Conflict: the Cisco-Emp -> HR clause grants HTTP_low to an India-Emp user Outside reaching a locally hosted HR site, and the withdraw clause takes it away for exactly that case.

Usecase 1.1.3: Enterprise Hierarchical Resource Access: Conflict

[Diagram as on the previous slides: consumer EPs India-Emp / US-Emp (On Prem or Outside), producer EPs HR / Wiki (Local or Cloud, HighReputation); all groups select Contract A by name.]

Condition Matchers:
  Producer side: HR; Wiki; & Local; & Cloud; & HighReputation
  Consumer side: India-Emp; US-Emp

Contract A
  Subject: HTTP_low; Action: i.e. Low Security
  Subject: HTTP_Hi; Action: i.e. High Security
  Clauses:
    0. Cisco-Emp -> HR -> Subject HTTP_low
    India-Emp & On Prem -> HR hosted Local -> Subject HTTP_low
    India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low, add HTTP_Hi
    US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
    India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Annotation: Redundant (the narrower HR clauses granting HTTP_low are already covered by clause 0).
Conflict resolution: for an India-Emp user Outside reaching a locally hosted HR site, the narrower clause withdraws the HTTP_low subject granted by clause 0 and applies HTTP_Hi instead.

Usecase 1.1.4: User on multiple projects

• Users in Group G1 get access to resources of Project P1
• Users in Group G2 get access to resources of Project P2
• User U1 who is part of G1 is on loan to P2 and needs access to its resources (with limited access)

[Diagram: G1 -> P1; G2 -> P2; U1 (member of G1) -> P2 with Limited access]

Usecase 1.1.4: User on multiple projects

[Diagram: G1, G2 and U1 consume and P1, P2 provide the contract Project-Access; every group carries Selector: Name: Project-Access]

Contract Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Subject: Limited-Access; Filter: Any; Action: Permit; Profile: Limited
  Clauses:
    1. U1 -> P2: Limited-Access
    2. G1 -> P1: Full-Access
    3. G2 -> P2: Full-Access

Usecase 1.1.5: Exclusion for one user

• Users in Group G1 get access to resources of Project P1
• User U1 who is part of G1 is excluded from P1 resources

[Diagram: G1 -> P1, with U1 (member of G1) excluded]

Usecase 1.1.5: Exclusion for one user

[Diagram: G1 (containing U1) consumes and P1 provides the contract Project-Access; both carry Selector: Name: Project-Access]

Contract Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Clauses:
    1. NOT(U1) -> P1: Full-Access

Use case 1.1.6: Access based on hierarchical user-groups

• User Group1 has access to all web categories
• Everyone else has access to only "Acceptable" web categories

[Diagram: All Users -> Acceptable Web; Group1 (a subset of All Users) -> All Web]

Use case 1.1.6: Access based on hierarchical user-groups

[Diagram: consumer groups All-Users and Group1 consume and producer group All-Web provides the contract Web-Access; every group carries Selector: Name: Web-Access. Producer EP Labels: Acceptable]

Contract Web-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Clauses:
    1. Group1 -> All-Web: Full-Access
    2. All-Users -> Acceptable: Full-Access

Use case 1.1.7: Access based on overlapping user-groups

• Only PE/DE have access to all wiki
• Everyone else has access to only Wiki areas for their own groups

[Diagram: All Users contains Engg, Mktg and PE/DE; All Wiki contains Engg Wiki and Mktg Wiki; Engg -> Engg Wiki, Mktg -> Mktg Wiki, PE/DE -> All Wiki]

Use case 1.1.7: Access based on overlapping user-groups

[Diagram: consumer group Users (Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE) and producer group Wiki (Engg-Wiki, Mktg-Wiki) attach to the contract Wiki-Access via Selector: Name: Wiki-Access]

Contract Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Permit
  Clauses:
    1. PE/DE -> Wiki: Full-Access
    2. Engg-Users -> Engg-wiki: Full-Access
    3. Mktg-Users -> Mktg-wiki: Full-Access
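The clause model behind use cases 1.1.1 through 1.1.7, as an added Python example that is not Cisco's code and not part of the deck: endpoints carry labels for their group and their conditions, each clause of a contract requires some consumer labels and some producer labels and names a subject, the most specific matching clause wins, a redundant clause is one that a broader clause with the same subject already covers, and a conflict is two equally specific clauses naming different subjects. The group hierarchy (India-Emp and US-Emp inside Cisco-Emp, U1 inside G1), the encoding of "withdraw" as a clause with no subject, the specificity ordering and the label names are assumptions made for the example; the deck only draws the groups.

```python
"""Added example, not Cisco's code: a toy evaluator for the deck's
contract/clause model (use cases 1.1.1 to 1.1.7).  Endpoints carry labels for
their group and conditions (OnPrem, Local, Cloud, ...); a clause requires some
consumer labels and some producer labels and names a subject."""
from dataclasses import dataclass
from typing import Optional

# Assumed hierarchy: the deck draws these subgroups but never spells it out.
GROUP_PARENTS = {"India-Emp": {"Cisco-Emp"}, "US-Emp": {"Cisco-Emp"},
                 "U1": {"G1"}}


def expand(labels):
    """Close a label set under GROUP_PARENTS (subgroup implies ancestors)."""
    out, todo = set(), list(labels)
    while todo:
        lbl = todo.pop()
        if lbl not in out:
            out.add(lbl)
            todo.extend(GROUP_PARENTS.get(lbl, ()))
    return frozenset(out)


@dataclass(frozen=True)
class Clause:
    consumer: frozenset               # labels the consumer EP must carry (AND)
    producer: frozenset               # labels the producer EP must carry (AND)
    subject: Optional[str]            # None encodes "withdraw": nothing applies
    exclude: frozenset = frozenset()  # consumer labels that must be absent: NOT(U1)

    def matches(self, c_labels, p_labels):
        return (self.consumer <= c_labels and self.producer <= p_labels
                and not (self.exclude & c_labels))

    def specificity(self):
        # Hierarchy-aware: India-Emp expands to two labels, Cisco-Emp to one.
        return (len(expand(self.consumer)) + len(expand(self.producer))
                + len(self.exclude))


def clause(consumer, producer, subject, exclude=()):
    return Clause(frozenset(consumer), frozenset(producer), subject,
                  frozenset(exclude))


def resolve(clauses, c_labels, p_labels):
    """Subject for one consumer->producer pair: the most specific matching
    clause wins; equally specific clauses that disagree raise (use case 1.1.3)."""
    c_labels, p_labels = expand(c_labels), expand(p_labels)
    hits = [cl for cl in clauses if cl.matches(c_labels, p_labels)]
    if not hits:
        return None                                    # no clause: no access
    best = max(cl.specificity() for cl in hits)
    winners = {cl.subject for cl in hits if cl.specificity() == best}
    if len(winners) > 1:
        raise ValueError(f"conflict between subjects {sorted(map(str, winners))}")
    return winners.pop()


def conflicts(clauses, c_labels, p_labels):
    """True when resolve() cannot pick a single subject for the pair."""
    try:
        resolve(clauses, c_labels, p_labels)
        return False
    except ValueError:
        return True


def redundant(clauses):
    """Clauses subsumed by a broader clause with the same subject (use case
    1.1.2): every pair the narrow clause matches, the broad one matches too."""
    out = []
    for narrow in clauses:
        for broad in clauses:
            if (broad is not narrow and broad.subject == narrow.subject
                    and broad.consumer <= expand(narrow.consumer)
                    and broad.producer <= expand(narrow.producer)
                    and broad.exclude <= narrow.exclude):
                out.append(narrow)
                break
    return out


# Contract A as on the conflict slide (clause 3's OR written as two clauses).
CONTRACT_A = [
    clause({"Cisco-Emp"}, {"HR"}, "HTTP_low"),                     # 0
    clause({"India-Emp", "OnPrem"}, {"HR", "Local"}, "HTTP_low"),  # 1: redundant
    clause({"India-Emp", "Outside"}, {"HR", "Local"}, "HTTP_Hi"),  # 2: overrides 0
    clause({"US-Emp"}, {"HR", "Cloud"}, "HTTP_low"),               # 3a: redundant
    clause({"US-Emp"}, {"HR", "HighReputation"}, "HTTP_low"),      # 3b: redundant
    clause({"India-Emp"}, {"Wiki", "Cloud"}, "HTTP_Hi"),           # 4
]

# Constructed: equally specific clauses that disagree, i.e. a real conflict.
CONFLICTING = [clause({"India-Emp"}, {"HR"}, "HTTP_Hi"),
               clause({"Cisco-Emp"}, {"HR", "Local"}, "HTTP_low")]

# Project-Access (use cases 1.1.4 and 1.1.5): U1 of G1 on loan to P2, excluded from P1.
PROJECT_ACCESS = [
    clause({"U1"}, {"P2"}, "Limited-Access"),
    clause({"G1"}, {"P1"}, "Full-Access", exclude={"U1"}),        # NOT(U1)
    clause({"G2"}, {"P2"}, "Full-Access"),
]
```

`redundant(CONTRACT_A)` reports clauses 1, 3a and 3b, which is the deck's "Redundant" annotation; `resolve` picks HTTP_Hi for an India-Emp user Outside reaching a local HR site because the withdraw/add clause is more specific than clause 0; and `conflicts(CONFLICTING, ...)` shows the case the most-specific rule cannot settle, which is where an explicit priority (the deck's R0/R1/R2 numbering later on) is needed.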

Use case 1.1.8: Additional scans for high value endpoints

• Do additional IPS scans for traffic from these endpoints

[Diagram: All Users -> All Internet: Permit; High Value Endpoints -> All Internet: Extra IPS scans]

Use case 1.1.8: Additional scans for high value endpoints

Option 1: Single Contract

[Diagram: consumer group Users (Consumer EP Labels: High-Value) and producer group Internet attach to the contract Web-Access via Selector: Name: Web-Access]

Contract Web-Access
  Subject: Normal-Access; Filter: Web; Action: Permit
  Subject: Access-with-Scan; Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Clauses:
    1. High-Value -> Internet: Access-with-Scan
    2. Users -> Internet: Normal-Access

Usecase 1.1.9: Service inclusion in clauses

[Diagram: consumer groups Cisco Usr and Sales Usr, producer Wiki]
  Sales Usr -> Wiki: HTTP -> Hi-Scan
  Cisco Usr -> Wiki: (HTTP | FTP) -> Low-Scan

Problem: Priority among Rules

[Diagram: consumer groups Cisco Usr and Sales Usr, producer Wiki]

Clauses:
  R1: Sales -> Wiki: Subject Hi_sec_HTTP
  R2: Cisco -> Wiki: Subject Low_sec_HTTP, Subject Low_sec_FTP

Subjects:
  Hi_Sec_HTTP: Filter: HTTP; Action: Hi-Scan
  Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan
  Low_Sec_FTP: Filter: FTP; Action: Low-Scan

Problem: a Sales user accessing FTP matches R1, whose only subject covers HTTP, so he is denied access. He should match R2.

Usecase 1.1.9: 2 level Priority resolution with clause rules matching port ranges

Recommended solution

[Diagram: consumer groups Cisco Usr and Sales Usr, producer Wiki]

Clauses:
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP): Subject Low-scan

Subjects (contract wide):
  Hi_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan

Usecase 1.1.9: 3 level Priority resolution with clause rules matching port ranges

Recommended solution

[Diagram: consumer groups Cisco Usr, Sales Usr and Sales Usr at Enemy Nation; producer Wiki]

Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject Low-scan

Subjects (contract wide):
  Hi_Hi_scan: Action: Hi-Hi-Scan
  Hi_Scan: Action: Hi-Scan
  Low Scan: Action: Low-Scan

Usecase 1.1.10: Priority among Static and Dynamic Rules

[Diagram: consumer Cisco Usr (including Usr X) and producer Wiki (including Wiki site A) attach to Contract A; an Anomaly Detection App is shown as the source of the dynamic rule]

Contract A
  Clauses:
    R0: * -> *: Subject Hi_sec_HTTP
    R1: Cisco -> Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan
  Subjects:
    Hi_Sec_HTTP: Filter: Usr X -> Wiki site A, HTTP; Action: Hi-Scan, Rate_limit
    Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
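The priority problem of the "Problem: Priority among Rules" slide, its two- and three-level resolutions (use case 1.1.9) and the static-versus-dynamic case of use case 1.1.10, as an added Python example that is not Cisco's code: a clause carries the services it covers, rules are tried in priority order, and a flow whose service no subject of the winning clause covers falls through to the next clause instead of being denied. The service table with its port numbers, the labels (given already expanded, so a Sales user carries both Sales and Cisco), the use of list order as the R0/R1/R2 priority, and treating the anomaly detector's on-demand rule as a higher tier than the static rules are all assumptions made for the example.

```python
"""Added example, not Cisco's code: clause rules that carry the service and
priority resolution in tiers (use cases 1.1.9 and 1.1.10)."""
from dataclasses import dataclass

# Named services as (protocol, low port, high port); constructed for the example.
SERVICES = {"HTTP": ("tcp", 80, 80), "FTP": ("tcp", 20, 21),
            "SSH": ("tcp", 22, 22)}

STATIC, DYNAMIC = 1, 0      # tier: lower number = higher priority (assumption)


def service_matches(name, proto, port):
    p, lo, hi = SERVICES[name]
    return proto == p and lo <= port <= hi


@dataclass(frozen=True)
class Rule:
    name: str
    consumer: frozenset     # required consumer labels ('*' = empty set)
    producer: frozenset     # required producer labels
    services: frozenset     # services the clause covers; empty = any service
    action: str
    tier: int = STATIC

    def covers(self, proto, port):
        return (not self.services
                or any(service_matches(s, proto, port) for s in self.services))


def rule(name, consumer, producer, services, action, tier=STATIC):
    return Rule(name, frozenset(consumer), frozenset(producer),
                frozenset(services), action, tier)


def decide(rules, c_labels, p_labels, proto, port, service_aware=True):
    """Action for one flow.  Rules are tried by tier, then in list order
    (R0 before R1 before R2).  With service_aware=False a clause matches on
    groups alone and the service is only checked afterwards against that
    clause's subjects, which reproduces the problem slide."""
    for r in sorted(rules, key=lambda x: x.tier):   # stable: list order kept per tier
        if not (r.consumer <= c_labels and r.producer <= p_labels):
            continue
        if r.covers(proto, port):
            return r.action
        if not service_aware:
            return "deny"   # groups matched but no subject covers the service
    return "deny"           # implicit deny: no clause matched


# Label sets used below (expanded by hand: Sales users are also Cisco users).
SALES = frozenset({"Sales", "Cisco"})
SALES_ABROAD = SALES | {"EnemyNation"}
CISCO = frozenset({"Cisco"})
WIKI = frozenset({"Wiki"})
USR_X = frozenset({"UsrX", "Cisco"})
WIKI_SITE_A = frozenset({"WikiSiteA", "Wiki"})

# Problem slide: clauses name groups only; the service lives in the subjects.
PROBLEM = [rule("R1", {"Sales"}, {"Wiki"}, {"HTTP"}, "Hi-Scan"),
           rule("R2", {"Cisco"}, {"Wiki"}, {"HTTP", "FTP"}, "Low-Scan")]

# 2 level recommended solution: the service is part of the clause match.
TWO_LEVEL = [rule("R1", {"Sales"}, {"Wiki"}, {"HTTP", "FTP"}, "Hi-Scan"),
             rule("R2", {"Cisco"}, {"Wiki"}, {"HTTP", "FTP"}, "Low-Scan")]

# 3 level: a top rule for Sales users located in an "Enemy Nation".
THREE_LEVEL = [
    rule("R0", {"Sales", "EnemyNation"}, {"Wiki"}, {"HTTP"}, "Hi-Hi-Scan"),
    rule("R1", {"Sales"}, {"Wiki"}, {"HTTP", "FTP"}, "Hi-Scan"),
    rule("R2", {"Cisco"}, {"Wiki"}, {"HTTP", "FTP", "SSH"}, "Low-Scan"),
]

# Use case 1.1.10: the anomaly-detection application pushes R0 at run time for
# one user and one site.  The deck writes it as "* -> *" with a narrow filter;
# here the filter's endpoints are modelled as labels.
WITH_DYNAMIC = [
    rule("R0", {"UsrX"}, {"WikiSiteA"}, {"HTTP"}, "Hi-Scan+Rate-limit", DYNAMIC),
    rule("R1", {"Cisco"}, {"Wiki"}, {"HTTP", "FTP"}, "Low-Scan"),
]
```

With `service_aware=False` the problem reproduces: a Sales user on FTP hits R1 by group and is denied. Once the service takes part in matching, the same flow falls through to R2, the three-level set sends Sales-at-Enemy-Nation HTTP to R0 but its FTP to R1, Sales SSH reaches R2 because R1 does not list SSH, and a port no clause covers stays at the implicit deny. Dropping the dynamic rule from `WITH_DYNAMIC` returns Usr X to the static Low-Scan treatment.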

Usecase 1.1.11: Enterprise Access Accounting

• Account for all accesses

[Diagram: All Users contains Engg and Mktg; All Wiki contains Engg Wiki and Mktg Wiki]

Use case 1.1.11: Accounting

[Diagram: consumer group Users (Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE) and producer group Wiki (Engg-Wiki, Mktg-Wiki) attach to the contract Wiki-Access via Selector: Name: Wiki-Access]

Contract Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Count Transactions, Count Pkts
  Clauses:
    1. Engg-Users -> Engg-wiki: Full-Access
    2. Mktg-Users -> Mktg-wiki: Full-Access

Usecase 1.2: Multi-tier Cloud Access Control

[Diagram: Application = External Network -> Web -> App -> DB, with HTTP, Middleware and Oracle as the tier services; each tier is a VM in a VMM Domain (vCenter) attached to a Bridge Domain with Subnets]

Usecase 1.2: Multi-tier Cloud Access Control: Broad Access Control Example

Rule | Src Group   | Dst Group   | App Group                              | Action                | Service                    | Target Network Device
-----|-------------|-------------|----------------------------------------|-----------------------|----------------------------|--------------------------
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit, Implicit Deny | Firewall, IPS, PremiumPath | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit, Implicit Deny |                            | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit, Implicit Deny |                            | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny, Implicit Permit |                            | Ent-Access-SJ

Usecase 1.2: Multi-tier Cloud Access Control: Web-tier access

Rule 1:
  PCI-User (EPg, consumes) -> PCI-Web-Svr (EPg, provides); both carry Selector: Name: PCI-Access
  Contract PCI-Access
    Subject: Web; Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path

Usecase 1.2: Multi-tier Cloud Access Control: App-tier access

Rule 2:
  PCI-Web-Svr (EPg, consumes) -> PCI-App-Svr (EPg, provides); both carry Selector: Name: PCI-App-Access
  Contract PCI-App-Access
    Subject: App; Filter: App-ports; Action: Permit

Usecase 1.2: Multi-tier Cloud Access Control: DB-tier access

Rule 3:
  PCI-App-Svr (EPg, consumes) -> PCI-DB (EPg, provides); both carry Selector: Name: PCI-DB-Access
  Contract PCI-DB-Access
    Subject: DB; Filter: DB-ports; Action: Permit

Usecase 1.2: Multi-tier Cloud Access Control: User-tier access

Rule 4:
  Employee (EPg, consumes) -> PCI-User (EPg, provides); both carry Selector: Name: PCI-User-Access
  Contract PCI-User-Access
    Subject: non-anti-malware; Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit

Open issue on Action & Filters on contracts
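The four rows of the Broad Access Control Example table as data, with a checker that answers "may this source group reach this destination group on this service?" under each row's own default (Permit with Implicit Deny, or Deny with Implicit Permit), as an added Python example that is not Cisco's code. Two assumptions are made and labelled in the code: a pair of groups with no row at all is denied, which is the whitelist model the per-pair contracts imply; and the App-ports and DB-ports filters of the contract slides, which the table leaves blank, are given concrete ports (8080 for the middleware tier, 1521 for Oracle).

```python
"""Added example, not Cisco's code: the multi-tier access-control table of
use case 1.2 and a reachability check over it."""
from dataclasses import dataclass

# App groups as sets of (protocol, low port, high port).  Port 0 stands for
# ICMP, which has no port.  App-ports and DB-ports are assumed values.
APP_GROUPS = {
    "Web": {("tcp", 80, 80), ("tcp", 443, 443)},
    "App-ports": {("tcp", 8080, 8080)},            # assumed: middleware tier
    "DB-ports": {("tcp", 1521, 1521)},             # assumed: Oracle listener
    "Anti-Malware": {("tcp", 22, 22), ("tcp", 23, 23), ("udp", 161, 161),
                     ("icmp", 0, 0)},              # ssh, telnet, snmp, ping
}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    app_group: str
    action: str            # action for flows inside the app group
    default: str           # "implicit" action for every other flow of the pair
    services: tuple = ()   # service insertion: Firewall, IPS, PremiumPath
    devices: tuple = ()    # target network devices


# The table's rows.  Rules 2 and 3 leave the app group blank; the contract
# slides name the filters App-ports and DB-ports.
TABLE = [
    Rule(1, "PCI-User", "PCI-Web-Svr", "Web", "permit", "deny",
         ("Firewall", "IPS", "PremiumPath"), ("DC-NGFW-SJ", "Branch-Rtr-NY")),
    Rule(2, "PCI-Web-Svr", "PCI-App-Svr", "App-ports", "permit", "deny",
         (), ("DC-Access-SJ",)),
    Rule(3, "PCI-App-Svr", "PCI-DB", "DB-ports", "permit", "deny",
         (), ("DC-Access-SJ",)),
    Rule(4, "Employee", "PCI-User", "Anti-Malware", "deny", "permit",
         (), ("Ent-Access-SJ",)),
]


def in_group(app_group, proto, port):
    return any(p == proto and lo <= port <= hi
               for p, lo, hi in APP_GROUPS[app_group])


def check(table, src, dst, proto, port):
    """(action, rule number or None, inserted services) for one flow.  The
    rule for the (src, dst) pair decides; a pair with no rule is denied
    (assumed whitelist model)."""
    for r in table:
        if (r.src, r.dst) == (src, dst):
            if in_group(r.app_group, proto, port):
                return r.action, r.number, r.services
            return r.default, r.number, ()
    return "deny", None, ()


def reachable_pairs(table, proto, port):
    """All (src, dst) pairs the table permits for one service; a quick way to
    confirm the tiering, e.g. that PCI-User never reaches PCI-DB directly."""
    groups = sorted({g for r in table for g in (r.src, r.dst)})
    return sorted((s, d) for s in groups for d in groups
                  if s != d and check(table, s, d, proto, port)[0] == "permit")
```

`check(TABLE, "PCI-User", "PCI-Web-Svr", "tcp", 443)` permits with the Firewall, IPS and PremiumPath insertion, the same pair on ssh falls under rule 1's implicit deny, and `reachable_pairs(TABLE, "tcp", 1521)` lists only the App-to-DB hop plus the Employee-to-PCI-User pair, the latter because rule 4's implicit permit lets every non-anti-malware service through; that is the "open issue on Action & Filters" the deck flags for rule 4.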

On Demand Usecase 2.1: Threat Mitigation

[Diagram: Data Center with a Controller (Topology, Security Policy), Applications (Business Routing Rules, Threat Detection) and a Traffic Scrubber; the numbered steps are marked on the network]

1. Traffic flows through network.
2. Network and security devices send telemetry to Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator sent recommendation.
6. Policy distributed: drop packets from threat source; inspect flows from same ISP.

On Demand usecase 2.2: Unified Communications

[Diagram: Data Center with a Controller (Topology, Security Policy) and UC Applications (Flow Programming, Flow Quality Identification); the numbered steps are marked on the network]

1. UC application monitors user calls.
2. Identifies issue with the call.
3. Notifies SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation


Thank you.