Policy Usecases

May 2014

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Usecases

1. Prestaged Policies
   1. Multi-tier Cloud Access Control
   2. Enterprise Access Control
      1. Enterprise Access: Hierarchical resources access
      2. Enterprise Access: Hierarchical resources overlap
      3. Enterprise Access: Hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user-groups
      7. Access based on overlapping user groups
      8. Additional scan for high value end points
   3. Enterprise Access Accounting
2. On-Demand Policies
   1. WAN routing optimization
   2. Threat Mitigation
   3. Application experience: Unified Communication


Usecase 1.1: Multi-tier Cloud Access Control

Figure: a three-tier Application (External Network -> Web -> App -> DB), built from HTTP, Middleware and Oracle VMs, placed in a VMM Domain (vCenter), a Bridge Domain and Subnets.


Usecase 1.1: Multi-tier Cloud Access Control: Broad Access Control Example

Rule | Src Group   | Dst Group   | App Group                              | Action                 | Service                     | Target Network Device
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit (Implicit Deny) | Firewall, IPS, Premium Path | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit (Implicit Deny) |                             | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit (Implicit Deny) |                             | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny (Implicit Permit) |                             | Ent-Access-SJ


Usecase 1.1: Multi-tier Cloud Access Control: Web-tier access (Rule 1)

• Consumer EPG: PCI-User (Selector: Name: PCI-Access)
• Provider EPG: PCI-Web-Svr (Selector: Name: PCI-Access)
• Contract: PCI-Access
  Subject: Web
  Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path


Usecase 1.1: Multi-tier Cloud Access Control: App-tier access (Rule 2)

• Consumer EPG: PCI-Web-Svr (Selector: Name: PCI-App-Access)
• Provider EPG: PCI-App-Svr (Selector: Name: PCI-App-Access)
• Contract: PCI-App-Access
  Subject: App
  Filter: App-ports; Action: Permit


Usecase 1.1: Multi-tier Cloud Access Control: DB-tier access (Rule 3)

• Consumer EPG: PCI-App-Svr (Selector: Name: PCI-DB-Access)
• Provider EPG: PCI-DB (Selector: Name: PCI-DB-Access)
• Contract: PCI-DB-Access
  Subject: DB
  Filter: DB-ports; Action: Permit


Usecase 1.1: Multi-tier Cloud Access Control: User-tier access (Rule 4)

• Consumer EPG: Employee (Selector: Name: PCI-User-Access)
• Provider EPG: PCI-User (Selector: Name: PCI-User-Access)
• Contract: PCI-User-Access
  Subject: non-anti-malware
  Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit
• Open issue on Action & Filters on contracts
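The consume/provide pattern of use case 1.1 as a small executable model. This is an added example, not code from the deck or from any Cisco product: service names (http, ssh, ...) stand in for the port-based filters on the slides, "app" and "oracle" are assumed names for the App-ports and DB-ports filters, and the two forms of rule 4 (the table's "Deny anti-malware, implicit Permit" and the contract's "Permit NOT(anti-malware)") are compared to show that the open issue on actions and filters does not change the decisions for this rule.

```python
"""Added example, not from the Cisco slides: a small model of the
consume/provide contract pattern of use case 1.1, evaluated against
constructed flows.  Service names stand in for the port-based filters;
"app" and "oracle" are assumed names for the App-ports and DB-ports filters."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """Matches a flow's service name; negate=True is the NOT(...) filter of rule 4."""
    name: str
    services: frozenset
    negate: bool = False

    def matches(self, service: str) -> bool:
        hit = service in self.services
        return not hit if self.negate else hit


@dataclass(frozen=True)
class Subject:
    name: str
    filter: Filter
    action: str           # "Permit" or "Deny"
    profiles: tuple = ()  # service chain applied on Permit (Firewall, IPS, ...)


@dataclass(frozen=True)
class Contract:
    name: str
    subjects: tuple
    default: str          # implicit action when no subject's filter matches


ANTI_MALWARE = frozenset({"ssh", "telnet", "snmp", "ping"})

CONTRACTS = {
    # Rule 1: web tier, with the Firewall / IPS / Premium Path profiles
    "PCI-Access": Contract("PCI-Access", (
        Subject("Web", Filter("Web Ports", frozenset({"http", "https"})),
                "Permit", ("Firewall", "IPS", "Premium Path")),), "Deny"),
    # Rules 2 and 3: app and DB tiers (service names assumed)
    "PCI-App-Access": Contract("PCI-App-Access", (
        Subject("App", Filter("App-ports", frozenset({"app"})), "Permit"),), "Deny"),
    "PCI-DB-Access": Contract("PCI-DB-Access", (
        Subject("DB", Filter("DB-ports", frozenset({"oracle"})), "Permit"),), "Deny"),
    # Rule 4 as written on the contract slide: Permit NOT(anti-malware)
    "PCI-User-Access": Contract("PCI-User-Access", (
        Subject("non-anti-malware", Filter("NOT Anti-malware", ANTI_MALWARE, negate=True),
                "Permit"),), "Deny"),
}

# Rule 4 as written in the rule table: Deny anti-malware, implicit Permit.
RULE4_TABLE_FORM = Contract("PCI-User-Access", (
    Subject("Anti-Malware", Filter("Anti-malware", ANTI_MALWARE), "Deny"),), "Permit")

# EPG -> contracts it consumes / provides (the "Selector: Name: <contract>" boxes)
CONSUMES = {"PCI-User": {"PCI-Access"}, "PCI-Web-Svr": {"PCI-App-Access"},
            "PCI-App-Svr": {"PCI-DB-Access"}, "Employee": {"PCI-User-Access"}}
PROVIDES = {"PCI-Web-Svr": {"PCI-Access"}, "PCI-App-Svr": {"PCI-App-Access"},
            "PCI-DB": {"PCI-DB-Access"}, "PCI-User": {"PCI-User-Access"}}


def apply_contract(contract: Contract, service: str):
    """First matching subject decides; otherwise the contract's implicit action."""
    for subject in contract.subjects:
        if subject.filter.matches(service):
            return subject.action, subject.profiles
    return contract.default, ()


def decide(src_epg: str, dst_epg: str, service: str):
    """Decision for a flow src -> dst.  With no shared contract there is no
    connectivity at all (e.g. PCI-User straight to PCI-App-Svr)."""
    shared = CONSUMES.get(src_epg, set()) & PROVIDES.get(dst_epg, set())
    if not shared:
        return "Deny", ()
    (name,) = tuple(shared)  # this model assumes one contract per EPG pair
    return apply_contract(CONTRACTS[name], service)


def same_decisions(a: Contract, b: Contract, services) -> bool:
    """Do two contract forms give the same action for every service?  Used to
    check that the table form and the NOT-filter form of rule 4 agree."""
    return all(apply_contract(a, s)[0] == apply_contract(b, s)[0] for s in services)


if __name__ == "__main__":
    for flow in [("PCI-User", "PCI-Web-Svr", "https"), ("PCI-User", "PCI-App-Svr", "app"),
                 ("Employee", "PCI-User", "ssh"), ("Employee", "PCI-User", "http")]:
        print(flow, "->", decide(*flow))
```

The point of the second flow is that the absence of a contract between PCI-User and PCI-App-Svr is itself the policy: the web tier cannot be bypassed, because the model has no implicit permit between EPGs that share no contract.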


Usecase 1.2: Enterprise Hierarchical Resource Access

Figure: Users (consumer side): India-Emp EPs, On Prem or Outside; US-Emp EPs. Web (producer side): HR and Wiki EPs, hosted Local or Cloud, with High or Low Reputation. Contract A: Subject: HTTP; Consumer Label, Producer Label; Action: i.e. low Security.

• 3 dimensions on the producer side:
  - Type of site: HR, Wiki
  - Hosting: Local or Cloud
  - Reputation: High or Low


Usecase 1.2.1: Enterprise Hierarchical Resource Access

Figure: Users: India-Emp EPs (On Prem or Outside) and US-Emp EPs, each with Selector: Name = "A", Match = named and Condition Matchers India-Emp / US-Emp. Web: HR and Wiki EPs hosted Local or Cloud, with Condition Matchers HR, Wiki, & Local, & Cloud. Contract A: Subject: HTTP_low, Action: i.e. Low Security; Subject: HTTP_Hi, Action: i.e. High Security.

Rules:
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
3. US emp -> HR & Cloud -> Subject HTTP_low


Usecase 1.2.1: Enterprise Hierarchical Resource Access

Figure: Users: India-Emp EPs (On Prem or Outside) and US-Emp EPs, each with Selector: Name = "A", Match = named and Condition Matchers India-Emp / US-Emp. Web: HR and Wiki EPs hosted Local or Cloud, with Condition Matchers HR, Wiki, & Local, & Cloud, & HighReputation. Contract A: Subject: HTTP_low, Action: i.e. Low Security; Subject: HTTP_Hi, Action: i.e. High Security.

Rules:
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
3. US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low


Usecase 1.2.2: Enterprise Hierarchical Resource Access: Overlap

Figure: Users: India-Emp EPs (On Prem or Outside) and US-Emp EPs, each with Selector: Name = "A", Match = named and Condition Matchers India-Emp / US-Emp. Web: HR and Wiki EPs hosted Local or Cloud, with Condition Matchers HR, Wiki, & Local, & Cloud, & HighReputation. Contract A: Subject: HTTP_low, Action: i.e. Low Security; Subject: HTTP_Hi, Action: i.e. High Security.

Rules:
• Cisco-Emp -> HR -> Subject HTTP_low
• India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
• US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
• India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

One of the rules is marked "Redundant" in the figure.


Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict

Figure: Users: India-Emp EPs (On Prem or Outside) and US-Emp EPs, each with Selector: Name = "A", Match = named and Condition Matchers India-Emp / US-Emp. Web: HR and Wiki EPs hosted Local or Cloud, with Condition Matchers HR, Wiki, & Local, & Cloud, & HighReputation. Contract A: Subject: HTTP_low, Action: i.e. Low Security; Subject: HTTP_Hi, Action: i.e. High Security.

Rules:
• Cisco-Emp -> HR -> Subject HTTP_low
• India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
• India-Emp & Outside -> HR hosted Local -> withdraw HTTP_low
• US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
• India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

One of the rules is marked "Redundant" in the figure.


Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict

Figure: Users: India-Emp EPs (On Prem or Outside) and US-Emp EPs, each with Selector: Name = "A", Match = named and Condition Matchers India-Emp / US-Emp. Web: HR and Wiki EPs hosted Local or Cloud, with Condition Matchers HR, Wiki, & Local, & Cloud, & HighReputation. Contract A: Subject: HTTP_low, Action: i.e. Low Security; Subject: HTTP_Hi, Action: i.e. High Security.

Rules:
0. Cisco-Emp -> HR -> Subject HTTP_low
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp & Outside -> HR hosted Local -> withdraw HTTP_low, add HTTP_Hi
3. US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
4. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

One of the rules is marked "Redundant" in the figure.
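The condition-matcher rules of use cases 1.2.1 through 1.2.3 evaluated mechanically, as an added example that is not part of the deck. The consumer and producer attribute spaces are the ones the slides name (user group and location; site type, hosting and reputation), so they are finite and a policy checker can simply enumerate them: a rule is redundant if dropping it changes the outcome of no flow, and two rules conflict if, on some flow, the later one withdraws a subject the earlier one added. Two things are assumptions of this example rather than statements of the deck: Cisco-Emp is taken to be the parent group of India-Emp and US-Emp, and rules are applied in listed order with "withdraw" removing a previously added subject.

```python
"""Added example, not from the Cisco slides: the condition-matcher rules of
use cases 1.2.1-1.2.3 evaluated over the finite attribute space the slides
describe, plus checks for the "Redundant" and "Conflict" situations.
Assumed: Cisco-Emp is the parent group of India-Emp and US-Emp, and a later
rule's "withdraw" removes a subject an earlier rule added."""
from dataclasses import dataclass
from itertools import product
from typing import Callable

GROUPS = {"Cisco-Emp": {"India-Emp", "US-Emp"}}  # parent -> child groups (assumed)


@dataclass(frozen=True)
class Consumer:
    group: str       # India-Emp or US-Emp
    location: str    # On-Prem or Outside


@dataclass(frozen=True)
class Producer:
    site: str        # HR or Wiki
    hosting: str     # Local or Cloud
    reputation: str  # High or Low


def in_group(c: Consumer, name: str) -> bool:
    """Membership including the assumed parent group."""
    return c.group == name or c.group in GROUPS.get(name, set())


@dataclass(frozen=True)
class Rule:
    name: str
    cond: Callable                       # (Consumer, Producer) -> bool
    add: frozenset = frozenset()         # subjects this rule selects
    withdraw: frozenset = frozenset()    # subjects this rule removes


RULES = [
    Rule("0 Cisco-Emp -> HR",
         lambda c, p: in_group(c, "Cisco-Emp") and p.site == "HR",
         add=frozenset({"HTTP_low"})),
    Rule("1 India-Emp & On-Prem -> HR hosted Local",
         lambda c, p: c.group == "India-Emp" and c.location == "On-Prem"
         and p.site == "HR" and p.hosting == "Local",
         add=frozenset({"HTTP_low"})),
    Rule("2 India-Emp & Outside -> HR hosted Local",
         lambda c, p: c.group == "India-Emp" and c.location == "Outside"
         and p.site == "HR" and p.hosting == "Local",
         withdraw=frozenset({"HTTP_low"}), add=frozenset({"HTTP_Hi"})),
    Rule("3 US-Emp -> HR & (Cloud || High Reputation)",
         lambda c, p: c.group == "US-Emp" and p.site == "HR"
         and (p.hosting == "Cloud" or p.reputation == "High"),
         add=frozenset({"HTTP_low"})),
    Rule("4 India-Emp anywhere -> Wiki hosted Cloud",
         lambda c, p: c.group == "India-Emp" and p.site == "Wiki" and p.hosting == "Cloud",
         add=frozenset({"HTTP_Hi"})),
]


def subjects(rules, c: Consumer, p: Producer) -> frozenset:
    """Subjects of Contract A selected for one consumer/producer pair."""
    out = set()
    for r in rules:
        if r.cond(c, p):
            out -= r.withdraw
            out |= r.add
    return frozenset(out)


def all_flows():
    """Every combination of the attribute values the slides name."""
    for g, loc, site, host, rep in product(("India-Emp", "US-Emp"), ("On-Prem", "Outside"),
                                           ("HR", "Wiki"), ("Local", "Cloud"), ("High", "Low")):
        yield Consumer(g, loc), Producer(site, host, rep)


def redundant(rules, i: int) -> bool:
    """A rule is redundant when dropping it changes the subjects of no flow."""
    without = rules[:i] + rules[i + 1:]
    return all(subjects(rules, c, p) == subjects(without, c, p) for c, p in all_flows())


def conflicts(rules):
    """Pairs (i, j), i < j, where on some flow rule j withdraws a subject rule i adds."""
    found = set()
    for c, p in all_flows():
        hits = [k for k, r in enumerate(rules) if r.cond(c, p)]
        for a in range(len(hits)):
            for b in range(a + 1, len(hits)):
                if rules[hits[a]].add & rules[hits[b]].withdraw:
                    found.add((hits[a], hits[b]))
    return sorted(found)


if __name__ == "__main__":
    print("redundant:", [r.name for i, r in enumerate(RULES) if redundant(RULES, i)])
    print("conflicts:", [(RULES[i].name, RULES[j].name) for i, j in conflicts(RULES)])
```

With the parent-group assumption, enumeration reports rule 1 and rule 3 as redundant (rule 0 already gives HTTP_low to every HR access by a Cisco employee) and rule 2 as the one conflict, since it withdraws what rule 0 added for India employees reaching a locally hosted HR site from outside.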


Usecase 1.2.4: User on multiple projects

• Users in Group G1 get access to resources of Project P1
• Users in Group G2 get access to resources of Project P2
• User U1 who is part of G1 is on loan to P2 and needs access to its resources (with limited access)

Figure: G1 -> P1, G2 -> P2, U1 -> Limited access.


Usecase 1.2.4: User on multiple projects

• Consumers: G1, U1, G2 (Selector: Name: Project-Access)
• Providers: P1, P2 (Selector: Name: Project-Access)
• Contract: Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Subject: Limited-Access; Filter: Any; Action: Permit; Profile: Limited
  Rules (First-match):
  1. U1 -> P1: Limited-Access
  2. G1 -> P1: Full-Access
  3. G2 -> P2: Full-Access


Usecase 1.2.5: Exclusion for one user

• Users in Group G1 get access to resources of Project P1
• User U1 who is part of G1 is excluded from P1 resources

Figure: G1 -> P1, with U1 excluded.


Usecase 1.2.5: Exclusion for one user

• Consumers: G1, U1 (Selector: Name: Project-Access)
• Provider: P1 (Selector: Name: Project-Access)
• Contract: Project-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Rules (First-match):
  1. NOT(U1) -> P1: Full-Access


Use case 1.2.6: Access based on hierarchical user-groups

• User Group1 has access to all web categories
• Everyone else has access to only "Acceptable" web categories

Figure: All Users (containing Group1) -> All Web (containing Acceptable Web).


Use case 1.2.6: Access based on hierarchical user-groups

• Consumers: All-Users, Group1 (Selector: Name: Web-Access)
• Provider: All-Web (Selector: Name: Web-Access); Producer EP Labels: Acceptable
• Contract: Web-Access
  Subject: Full-Access; Filter: Any; Action: Permit
  Rules (First-match):
  1. Group1 -> All-Web: Full-Access
  2. All-Users -> Acceptable: Full Access


Use case 1.2.7: Access based on overlapping user-groups

• Only PE/DEs have access to all wiki
• Everyone else has access to only Wiki areas for their own groups

Figure: All Users (Engg, Mktg, PE/DE) -> All Wiki (Engg Wiki, Mktg Wiki).


Use case 1.2.7: Access based on overlapping user-groups

• Consumers: Users (Selector: Name: Wiki-Access); Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
• Providers: Wiki (Selector: Name: Wiki-Access): Engg-Wiki, Mktg-Wiki
• Contract: Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Permit
  Rules (First-match):
  1. PE/DE -> Wiki: Full-Access
  2. Engg-Users -> Engg-wiki: Full-Access
  3. Mktg-Users -> Mktg-wiki: Full-Access


Use case 1.2.8: Additional scans for high value endpoints

• Do additional IPS scans for traffic from these endpoints

Figure: All Users (including High Value Endpoints) -> All Internet: Permit, with Extra IPS scans for the high value endpoints.


Use case 1.2.8: Additional scans for high value endpoints: Option 1: Single Contract

• Consumers: Users (Selector: Name: Web-Access); Consumer EP Labels: High-Value
• Provider: Internet (Selector: Name: Web-Access)
• Contract: Web-Access
  Subject: Normal-Access; Filter: Web; Action: Permit
  Subject: Access-with-Scan; Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Rules (First-match):
  1. High-Value -> Internet: Access-with-Scan
  2. Users -> Internet: Normal-Access


Use case 1.2.8: Additional scans for high value endpoints: Option 2: Multiple Contracts

• Consumers: Users (Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access); Consumer EP Labels: High-Value
• Provider: Internet (Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access)
• Contract: Normal-Web-Access, Priority = 0
  Subject: Normal-Access; Filter: Web; Action: Permit
  Rules (First-match):
  1. Users -> Internet: Normal-Access
• Contract: Hi-Scan-Web-Access, Priority = 100
  Subject: Access-with-Scan; Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
  Rules (First-match):
  1. High-Value -> Internet: Access-with-Scan
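The first-match rule lists of use cases 1.2.5 through 1.2.8 (Option 1) share one mechanism: endpoints carry labels, each rule names a consumer label and a producer label (optionally with a NOT(...) exclusion), and the first rule that matches both sides picks the subject. The following is an added example of that mechanism, not code from the deck; it assumes an implicit Deny when no rule matches, and it expresses the slide's "NOT(U1) -> P1" as "G1 except U1", G1 being the group that consumes the contract. The last function reverses a contract's rule order to show why the order matters for the high-value scan.

```python
"""Added example, not from the Cisco slides: label-based first-match rules
for use cases 1.2.5 (exclusion), 1.2.7 (overlapping groups) and 1.2.8
Option 1 (extra scan for high-value endpoints).  Implicit Deny when no rule
matches is an assumption of this model."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    """Endpoint matcher: a required label (None = any endpoint) minus excluded labels."""
    label: Optional[str] = None
    exclude: frozenset = frozenset()

    def ok(self, labels) -> bool:
        return (self.label is None or self.label in labels) and not (self.exclude & labels)


@dataclass(frozen=True)
class Rule:
    consumer: Match
    producer: Match
    subject: str


@dataclass(frozen=True)
class Contract:
    name: str
    rules: tuple        # evaluated first-match
    subjects: dict      # subject name -> (action, profile)


# 1.2.5: G1 reaches P1, except for user U1 (written NOT(U1) on the slide)
PROJECT_ACCESS = Contract("Project-Access", (
    Rule(Match("G1", frozenset({"U1"})), Match("P1"), "Full-Access"),
), {"Full-Access": ("Permit", None)})

# 1.2.7: PE/DE reach the whole wiki, other groups only their own area
WIKI_ACCESS = Contract("Wiki-Access", (
    Rule(Match("PE/DE"), Match("Wiki"), "Full-Access"),
    Rule(Match("Engg-Users"), Match("Engg-Wiki"), "Full-Access"),
    Rule(Match("Mktg-Users"), Match("Mktg-Wiki"), "Full-Access"),
), {"Full-Access": ("Permit", None)})

# 1.2.8 Option 1: the high-value rule must come first or it is never reached
WEB_ACCESS = Contract("Web-Access", (
    Rule(Match("High-Value"), Match("Internet"), "Access-with-Scan"),
    Rule(Match("Users"), Match("Internet"), "Normal-Access"),
), {"Access-with-Scan": ("Permit", "Hi-IPS-Scan"), "Normal-Access": ("Permit", None)})


def first_match(contract: Contract, consumer_labels, producer_labels) -> Optional[str]:
    """Subject chosen by the first rule matching both endpoints, or None."""
    for rule in contract.rules:
        if rule.consumer.ok(consumer_labels) and rule.producer.ok(producer_labels):
            return rule.subject
    return None


def decide(contract: Contract, consumer_labels, producer_labels):
    """(action, profile) for the flow; no matching rule means Deny (assumed)."""
    subject = first_match(contract, consumer_labels, producer_labels)
    if subject is None:
        return "Deny", None
    return contract.subjects[subject]


def with_rules_reversed(contract: Contract) -> Contract:
    """Same contract with the rule list reversed, to show the effect of order."""
    return Contract(contract.name, tuple(reversed(contract.rules)), contract.subjects)


if __name__ == "__main__":
    # Constructed endpoints: labels are the group / EPG names from the slides
    print("u1 -> P1:", decide(PROJECT_ACCESS, {"G1", "U1"}, {"P1"}))
    print("engineer -> Mktg wiki:", decide(WIKI_ACCESS, {"Engg-Users"}, {"Wiki", "Mktg-Wiki"}))
    print("high-value -> Internet:", decide(WEB_ACCESS, {"Users", "High-Value"}, {"Internet"}))
    print("same, rules reversed:",
          decide(with_rules_reversed(WEB_ACCESS), {"Users", "High-Value"}, {"Internet"}))
```

The reversed Web-Access contract still permits the high-value endpoint, but the Hi-IPS-Scan profile silently disappears: a first-match list fails open on ordering mistakes, which is the motivation for Option 2's explicit contract priorities.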


Problem: Priority among Rules

Figure: consumers Cisco Usr and Sales Usr, producer Wiki.

• Clause R1: Sales -> Wiki: Subject: HTTP + Hi-scan
• Clause R2: Cisco -> Wiki: Subject: HTTP + Low-scan; Subject: FTP + Low-scan
• Subject: HI_Sec_HTTP; Filter: HTTP; Action: Hi-Scan
• Subject: Low_Sec_HTTP; Filter: HTTP; Action: Low-Scan
• Subject: Low_Sec_FTP; Filter: FTP; Action: Low-Scan


Usecase: Priority resolution with contract Hierarchy

Figure: consumers Cisco Usr and Sales Usr, producer Wiki.

• Contract wide (Cisco Usr -> Wiki), Clauses (First-match):
  R2: Cisco -> Wiki: Subject: HTTP + Low-scan; Subject: FTP + Low-scan
  Subject: Low_Sec_HTTP; Filter: HTTP; Action: Low-Scan
  Subject: Low_Sec_FTP; Filter: FTP; Action: Low-Scan
• Contract Restricted (Sales Usr -> Wiki), Clauses (First-match):
  R1: Sales -> Wiki: Subject: HTTP + Hi-scan
  Subject: HI_Sec_HTTP; Filter: HTTP; Action: Hi-Scan


Usecase: 3 level Priority resolution with contract Hierarchy

Figure: consumers Cisco Usr, Sales Usr and Sales Usr at Enemy Nation, producer Wiki.

• Contract wide (Cisco Usr -> Wiki), Clauses (First-match):
  R2: Cisco -> Wiki: Subject: HTTP + No-scan; Subject: FTP + No-scan; Subject: SSH + No-scan
  Subject: Lo_Sec_HTTP; Filter: HTTP; Action: Lo-Scan
  Subject: Lo_Sec_FTP; Filter: FTP; Action: Lo-Scan
  Subject: Lo_Sec_SSH; Filter: SSH; Action: Lo-Scan
• Contract Restricted (Sales Usr -> Wiki), Clauses (First-match):
  R1: Sales -> Wiki: Subject: Hi_sec_HTTP; Subject: Hi_sec_FTP
  Subject: HI_Sec_HTTP; Filter: HTTP; Action: Hi-Scan
  Subject: HI_Sec_FTP; Filter: HTTP; Action: Hi-Scan
• Contract Further Restricted (Sales Usr at Enemy Nation -> Wiki), Clauses:
  R1: Sales & Outside -> Wiki: Subject: HTTP + Hi-Hi-scan
  Subject: HI_Hi_Sec_HTTP; Filter: HTTP; Action: Hi-Hi-Scan


Usecase: 3 level Priority resolution with simple priority

Figure: consumers Cisco Usr, Sales Usr and Sales Usr at Enemy Nation, producer Wiki.

• Contract wide, Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject: Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject: Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject: Lo-scan; Subject: FTP + No-scan
• Subject: Low Scan; Action: Hi-Scan
• Subject: Hi_Hi_scan; Action: Hi-Hi-Scan
• Subject: HI_Scan; Action: Hi-Scan
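The "Priority among Rules" problem and its two resolutions (a contract hierarchy, or one flat list with explicit priorities, as in Option 2 of use case 1.2.8) come down to one question: when several clauses match the same flow, which one wins? The following added example, not code from the deck, models clauses R0, R1 and R2 as contracts with numeric priorities and resolves a flow to the highest-priority match; it also reports when the top two matches tie, which is exactly the ambiguity of the "Problem" slide. Assumed for the example: consumer labels "Cisco", "Sales" and "Outside" (the slide's "Enemy Nation"), and priorities 0, 100 and 200 (the deck gives only 0 and 100).

```python
"""Added example, not from the Cisco slides: priority resolution among
contracts that match the same flow (clauses R0/R1/R2 of the 'simple priority'
slide).  Labels and the priority values 0/100/200 are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    name: str
    priority: int         # higher wins; ties are the unresolved "Problem" case
    consumer: frozenset   # labels the consumer endpoint must all carry
    producer: str
    services: frozenset   # filters the contract's subjects cover
    action: str           # scan level applied


# R2 is contract wide, R1 restricted to Sales, R0 further restricted to Sales
# reaching the wiki from outside ("Enemy Nation" on the slide).
CONTRACTS = [
    Contract("R2", 0, frozenset({"Cisco"}), "Wiki", frozenset({"HTTP", "FTP", "SSH"}), "Lo-Scan"),
    Contract("R1", 100, frozenset({"Cisco", "Sales"}), "Wiki", frozenset({"HTTP", "FTP"}), "Hi-Scan"),
    Contract("R0", 200, frozenset({"Cisco", "Sales", "Outside"}), "Wiki", frozenset({"HTTP"}), "Hi-Hi-Scan"),
]

# The same clauses with no priorities at all: the situation on the "Problem" slide.
FLAT = [Contract(c.name, 0, c.consumer, c.producer, c.services, c.action) for c in CONTRACTS]


def matches(c: Contract, labels, producer: str, service: str) -> bool:
    return c.consumer <= labels and c.producer == producer and service in c.services


def candidates(contracts, labels, producer, service):
    """All matching contracts, highest priority first (definition order on ties)."""
    return sorted((c for c in contracts if matches(c, labels, producer, service)),
                  key=lambda c: -c.priority)


def resolve(contracts, labels, producer, service):
    """Action of the winning contract, or None when nothing covers the flow."""
    cands = candidates(contracts, labels, producer, service)
    return cands[0].action if cands else None


def ambiguous(contracts, labels, producer, service) -> bool:
    """True when two matching contracts share the top priority, so the
    answer depends on evaluation order rather than on policy."""
    cands = candidates(contracts, labels, producer, service)
    return len(cands) >= 2 and cands[0].priority == cands[1].priority


if __name__ == "__main__":
    # Constructed endpoints: label sets stand for Cisco Usr, Sales Usr, Sales Usr at Enemy Nation
    for labels, service in [({"Cisco"}, "HTTP"), ({"Cisco", "Sales"}, "FTP"),
                            ({"Cisco", "Sales"}, "SSH"), ({"Cisco", "Sales", "Outside"}, "HTTP")]:
        print(sorted(labels), service, "->", resolve(CONTRACTS, labels, "Wiki", service),
              "(ambiguous without priorities:", ambiguous(FLAT, labels, "Wiki", service), ")")
```

Note what the more specific contracts do not cover: a Sales user's SSH session falls through R0 and R1 to the contract-wide R2, and a Sales user outside the company gets Hi-Hi-Scan only for HTTP, FTP staying at R1's Hi-Scan. Those gaps are policy decisions that the priority scheme makes explicit rather than hiding in list order.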


Problem: Priority among Rules

Figure: consumer Cisco Usr, producer Wiki; consumer Usr X, producer Wiki site A.

• Contract Static (Cisco Usr -> Wiki):
  Clause R0: Cisco -> Wiki: Subject: HTTP + Low-scan; Subject: FTP + Low-scan
  Subject: HI_Sec_HTTP; Filter: HTTP; Action: Hi-Scan, Rate_limit
  Subject: Low_Sec_HTTP; Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
• Contract Dynamic (from the Anomaly Detection App):
  Clause R0: Usr X -> Wiki site A: Subject: Hi_sec_HTTP
• Contract Static_base


Usecase 1.3: Enterprise Access Accounting

• Account for all accesses

Figure: All Users (Engg, Mktg) -> All Wiki (Engg Wiki, Mktg Wiki).


Use case 9: Accounting

• Consumers: Users (Selector: Name: Wiki-Access); Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
• Providers: Wiki (Selector: Name: Wiki-Access): Engg-Wiki, Mktg-Wiki
• Contract: Wiki-Access
  Subject: Full-Access; Filter: Wiki-Port; Action: Count Transactions, Count Pkts
  Rules (First-match):
  1. Engg-Users -> Engg-wiki: Full-Access
  2. Mktg-Users -> Mktg-wiki: Full-Access


On Demand Usecase 2.1: IWAN Routing

Figure: a Central Site with border routers BR1 and BR2 connected through ISP1 and ISP2 to Branch-1, Branch-2 and Branch-3, with a Traffic Scrubber. The Controller holds Topology and Security Policy and hosts the Applications: Business Routing Rules and Threat Detection.


On Demand Usecase 2.2: Threat Mitigation

Figure: Data Center with Traffic Scrubber; Controller with Topology, Security Policy and the Applications (Business Routing Rules, Threat Detection); steps 1 to 6 placed on the topology.

1. Traffic flows through network.
2. Network and security devices send telemetry to Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator sent recommendation.
6. Policy distributed, drop packets from threat source. Inspect flows from same ISP.
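Step 6 of the threat-mitigation flow, as an added example that is not part of the deck: from an identified threat source the controller derives two policy entries (drop the source, inspect everything else arriving through the same ISP) and the network applies them most-specific-match first. The ISP prefix table, the flow records and the threat address are all constructed for the example; the controller's real topology data and policy format are not described on the slide.

```python
"""Added example, not from the Cisco slides: step 6 of use case 2.2 expressed
as policy entries derived from an identified threat source and applied to
constructed flow records.  The ISP prefix table, the flows and the threat
address are constructed sample data (documentation ranges)."""
import ipaddress

# Constructed: which upstream prefixes belong to which ISP (topology the
# controller is assumed to know for the two ISPs on the IWAN slide)
ISP_PREFIXES = {
    "ISP1": [ipaddress.ip_network("198.51.100.0/24")],
    "ISP2": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed telemetry: flows seen after the attack was identified
SAMPLE_FLOWS = [
    {"src": "198.51.100.77", "dst": "10.0.0.5"},   # the identified threat source
    {"src": "198.51.100.9", "dst": "10.0.0.5"},    # another host behind the same ISP
    {"src": "203.0.113.5", "dst": "10.0.0.7"},     # traffic through the other ISP
]


def isp_of(src: str):
    """ISP through which an address reaches us, or None if it is not an upstream prefix."""
    addr = ipaddress.ip_address(src)
    for isp, nets in ISP_PREFIXES.items():
        if any(addr in net for net in nets):
            return isp
    return None


def mitigation_policy(threat_src: str):
    """Entries the controller distributes: drop the threat source, then
    inspect (not drop) the rest of the ISP it arrived through."""
    entries = [{"match": {"src": f"{threat_src}/32"}, "action": "drop",
                "reason": "threat source"}]
    isp = isp_of(threat_src)
    if isp is not None:
        for net in ISP_PREFIXES[isp]:
            entries.append({"match": {"src": str(net)}, "action": "inspect",
                            "reason": f"same ISP ({isp})"})
    return entries


def apply_policy(policy, flows):
    """Longest-prefix match over the policy entries; unmatched flows are forwarded."""
    results = []
    for flow in flows:
        addr = ipaddress.ip_address(flow["src"])
        best = None  # (prefix length, action)
        for entry in policy:
            net = ipaddress.ip_network(entry["match"]["src"])
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, entry["action"])
        results.append((flow["src"], flow["dst"], best[1] if best else "forward"))
    return results


if __name__ == "__main__":
    policy = mitigation_policy("198.51.100.77")
    for entry in policy:
        print(entry)
    for src, dst, action in apply_policy(policy, SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {action}")
```

Longest-prefix ordering is what keeps the two entries from interfering: the /32 drop for the source takes precedence over the /24 inspect entry that covers it, while the other ISP's traffic is untouched. A threat source outside any known upstream prefix yields only the drop entry, since there is no ISP to widen the inspection to.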


On Demand usecase 2.3: Unified Communications

Figure: Data Center; Controller with Topology, Security Policy, Flow Programming and the UC Applications (Flow Quality Identification); steps placed on the topology.

1. UC application monitors user calls
2. Identifies issue with the call
3. Notifies SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation

Thank you.