340 likes | 433 Views
Policy Usecases. Sanjay Agrawal, Hari Sankar June 201 4. Usecases. Prestaged Policies Enterprise Access Control Enterprise Access Hierarchical resources Access Enterprise Access Hierarchical resources overlap Enterprise Access Hierarchical resources conflict
E N D
Policy Usecases Sanjay Agrawal, HariSankar June 2014
Usecases • Prestaged Policies • Enterprise Access Control • Enterprise Access Hierarchical resources Access • Enterprise Access Hierarchical resources overlap • Enterprise Access Hierarchical resources conflict • Enterprise user accessing multiple resources • Exclusion for one user • Access based on hierarchical user-groups • Access based on overlapping user groups • Additional scan for high value end points. • Service inclusion in clause rule • Priority Among static and Dynamic rules • Enterprise Access Accounting • Multi-tier Cloud Access Control • On-Demand Policies • Threat mitigation • Application experience: Unified Communication
Usecase1.1.1: Enterprise Hierarchical Resource Access Contract A Users Subject: HTTP Filter: Action: i.e. low Security India-Emp (subgroup) Local HR (subgroup) EP EP EP EP Clauses: US-Emp (subgroup) High Reputation Producer side: Subgroup Type of site: HR, Wiki Quality: -Hosting: Local or Cloud -Reputation: High or Low Consuming Side: Subgroup: India-Emp, US-Emp Conditions: On Prem, Outside EP Low Reputation Wiki (subgroup) EP EP Cloud Local Web Local On Prem Outside
Usecase1.1.1: Enterprise Hierarchical Resource Access Contract A Users Subject: HTTP_low Action: i.e. Low Security India-Emp Local HR EP EP QualityMatcher: & Cloud QualityMatcher: & Local Condition Matcher: India-Emp QualityMatcher: HR Subject: HTTP_Hi Action: i.e. High Security EP EP Clauses: 1. India-Emp & On prem HR hosted Local -> Subject HTTP_low 2. India-Emp anywhere Wiki hosted Cloud -> Subject HTTP_Hi 3. US emp to HR & Cloud -> Subject HTTP_low Selector: Name= “A”, Match= named Selector: Name= “A” Match= named US-Emp Condition Matcher: US-Emp EP Wiki QualityMatcher: Wiki QualityMatcher: & Cloud EP Selector: Name= “A” Match= named EP Selector: Name= “A” Match= named Cloud Local Web Local On Prem Outside
Usecase1.1.1: Enterprise Hierarchical Resource Access Contract A Users Subject: HTTP_low Action: i.e. Low Security India-Emp Local HR EP EP QualityMatcher: & Cloud QualityMatcher: & Local Condition Matcher: India-Emp QualityMatcher: HR Subject: HTTP_Hi Action: i.e. High Security EP Selector: Name= “A” Match= named EP Clauses: India-Emp & On prem HR hosted Local -> Subject HTTP_low India-Emp anywhere Wiki hosted Cloud -> Subject HTTP_Hi US emp to HR & (Cloud || High Reputation) -> Subject HTTP_low Selector: Name= “A”, Match= named Quality Matcher: & High Reputation US-Emp Condition Matcher: US-Emp EP Wiki QualityMatcher: Wiki Quality Matcher: & Cloud EP Selector: Name= “A” Match= named EP Selector: Name= “A” Match= named Cloud Local Web Local On Prem Outside
Usecase1.1.2: Enterprise Hierarchical Resource Access: Overlap Contract A Redundant Users Subject: HTTP_low Action: i.e. Low Security India-Emp Local HR EP EP QualityMatcher: & Cloud QualityMatcher: & Local Condition Matcher: India-Emp Condition Matcher: HR Subject: HTTP_Hi Action: i.e. High Security EP Selector: Name= “A” Match= named EP • Clauses: • Cisco-Emp -> HR • -> Subject HTTP_low • India-Emp & On prem • HR & hosted Local • -> Subject HTTP_low • US emp to HR & (Cloud || High Reputation) • -> Subject HTTP_low • India-Emp anywhere Wiki hosted Cloud • -> Subject HTTP_Hi Selector: Name= “A”, Match= named Quality Matcher: & High Reputation US-Emp Condition Matcher: US-Emp EP Wiki Condition Matcher: Wiki QualityMatcher: & Cloud EP Selector: Name= “A” Match= named EP Selector: Name= “A” Match= named Cloud Local Web Local On Prem Outside
Usecase1.1.3: Enterprise Hierarchical Resource Access: Conflict Contract A Redundant Users Subject: HTTP_low Action: i.e. Low Security India-Emp Local HR EP EP QualityMatcher: & Cloud Quality Matcher: & Local Condition Matcher: India-Emp Quality Matcher: HR Subject: HTTP_Hi Action: i.e. High Security EP Selector: Name= “A” Match= named EP • Clauses: • Cisco-Emp -> HR • -> Subject HTTP_low • India-Emp & On prem • HR hosted Local • -> Subject HTTP_low • IndiaEmp&Outside-> HR& hosted Local • -> withdraw HTTP_low • US emp to HR & Cloud || High Reputation) • -> Subject HTTP_low • India-Emp anywhere Wiki hosted Cloud • -> Subject HTTP_Hi Selector: Name= “A”, Match= named Quality Matcher: & High Reputation US-Emp Condition Matcher: US-Emp EP Wiki Quality Matcher: Wiki Quality Matcher: & Cloud EP Selector: Name= “A” Match= named EP Selector: Name= “A” Match= named Cloud Local Web Local On Prem Outside
Usecase1.1.3: Enterprise Hierarchical Access: Conflict Action Contract A Redundant Users Subject: HTTP_low Action: i.e. Low Security India-Emp Local HR EP EP Quality Matcher: & Cloud Quality Matcher: & Local Condition Matcher: India-Emp Quality Matcher: HR Subject: HTTP_Hi Action: i.e. High Security EP Selector: Name= “A” Match= named EP • Clauses: • 0. Cisco-Emp -> HR • -> Subject HTTP_low • India-Emp & On prem • HR hosted Local • -> Subject HTTP_low • IndiaEmp&Outside-> HR& hosted Local • -> withdraw • HTTP_low • add HTTP_Hi • US emp to HR & Cloud || High Reputation) • -> Subject HTTP_low • India-Emp anywhere Wiki hosted Cloud • -> Subject HTTP_Hi Selector: Name= “A”, Match= named Condition Matcher: & High Reputation US-Emp Condition Matcher: US-Emp EP Wiki Quality Matcher: Wiki Quality Matcher: & Cloud EP Selector: Name= “A” Match= named EP Selector: Name= “A” Match= named Cloud Local Web Local On Prem Outside
Usecase1.1.4: User on multiple projects • Users in Group G1 get access to resources of Project P1 • Users in Group G2 get access to resources of Project P2 • User U1 who is part of G1 is on loan to P2 and needs access to its resources (with limited access) G1 P1 U1 Limited access P2 G2
Usecase1.1.4: User on multiple projects Project-Access G1 P1 Selector: Name: Project-Access Subject: Full-Access Selector: Name: Project-Access Filter: Any Action: Permit Consumes Provides Subject: Limited-Access Filter: Any Action: Permit Profile: Limited U1 P2 G2 Clauses: 1. U1 P2: Limited-Access 2. G1 P1 : Full-Access 3. G2 P2: Full-Access Selector: Name: Project-Access Provides Consumes Selector: Name: Project-Access
Usecase1.1.5: Exclusion for one user • Users in Group G1 get access to resources of Project P1 • User U1 who is part of G1 is excluded from P1 resources G1 P1 U1
Usecase1.1.5: Exclusion for one user Project-Access G1 P1 Selector: Name: Project-Access Subject: Full-Access Selector: Name: Project-Access Filter: Any Action: Permit Consumes Provides Clauses: 1. NOT(U1) P1: Full-Access U1
Use case 1.1.6: Access based on hierarchical user-groups • User Group1 has access to all web categories • Everyone else has access to only “Acceptable” web categories All Web Acceptable Web All Users Group1
Use case 1.1.6: Access based on hierarchical user-groups Web-Access All-Users All-Web Selector: Name: Web-Access Subject: Full-Access Selector: Name: Web-Access Filter: Any Action: Permit Consumes Provides Clauses: Group1 All-Web: Full-Access All-Users Acceptable: Full Access Group1 Producer EP Labels: Acceptable
Use case 1.1.7: Access based on overlapping user-groups • Only PE/Des have access to all wiki • Everyone else has access to only Wiki areas for their own groups All Wiki Engg Wiki All Users PE/DE Engg MktgWiki Mktg
Use case 1.1.7: Access based on overlapping user-groups Wiki-Access Users Wiki Selector: Name: Wiki-Access Subject: Full-Access Selector: Name: Wiki-Access Filter: Wiki-Port Action: Permit Consumes Provides Engg-Wiki Clauses: 1. PE/DE Wiki: Full-Access 2. Engg-Users Engg-wiki : Full-Access 3. Mktg-Users Mktg-wiki : Full-Access Mktg-Wiki Consumer EP Labels: Engg-Users Mktg-Users PE/DE
Use case 1.1.8: Additional scans for high value endpoints • Do Additional IPS scans for traffic from these endpoints All Internet All Users Extra IPS scans High Value Endpoints Permit
Use case 1.1.8: Additional scans for high value endpoints Web-Access Users internet Selector: Name: Web-Access Subject: Normal-Access Selector: Name: Web-Access Filter: Web Action: Permit Consumes Provides Subject: Access-with-Scan Filter: Web Action: Permit Profile: Hi-IPS-Scan Clauses: 1. High-Value Internet : Access-with-Scan 2. Users Internet : Normal-Access Consumer EP Labels: High-Value Option 1: Single Contract
Usecase 1.1.9: Service inclusion in clauses Wiki Cisco Usr Sales Usr HTTP Hi-Scan (HTTP| FTP) -> Low-Scan
Problem: Priority among Rules Subject: HI_Sec_HTTP Filter: HTTP Action: Hi-Scan Problem: If Sales guy is accessing FTP he would match R1 that will deny him access. He should match R2. Subject: Low_Sec_HTTP Filter: HTTP Action: Low-Scan Subject: Low_Sec_FTP Wiki Cisco Usr Filter: FTP Action: Low-Scan Sales Usr Clause: R1: Sales->Wiki: Subject: Hi_sec_HTTP R2: Cisco ->Wiki: Subject: Low_sec_HTTPSubject: Low_sec_FTP
Usecase 1.1.9: 2 level Priority resolution with clause rules matching port ranges Recommended solution Subject: HI_Scan Action: Hi-Scan Subject: Low Scan Wiki Cisco Usr Action: Low-Scan Sales Usr Clauses: R1: Sales, -> Wiki, (HTTP | FTP) Subject: Hi_scan R2: Cisco ->Wiki, (HTTP | FTP): Subject: Low-scan Contract wide
Usecase 1.1.9: 3 level Priority resolution with clause rules matching port ranges Recommended solution Subject: Hi_Hi_scan Action: Hi-Hi-Scan Subject: HI_Scan Action: Hi-Scan Subject: Low Scan Wiki Cisco Usr Action: Low-Scan Sales Usr Sales Usrat Enemy Nation Clauses: R0: Sales, Enemy Nation -> Wiki, HTTP Subject: Hi_Hi_scan R1: Sales, -> Wiki, (HTTP | FTP) Subject: Hi_scan R2: Cisco ->Wiki, (HTTP | FTP|SSH): Subject: Low-scan Contract wide
Usecase 1.1.10: Priority among Static and Dynamic Rules Subject: HI_Sec_HTTP Filter: Usr X ->Wiki site A, HTTP Action: Hi-Scan, Rate_limit Anomaly Detection App Wiki Wiki site A Cisco Usr Usr X Subject: Low_Sec_HTTP Filter: HTTP Action: Low-Scan, QoS Hi Accounting: Pkt, transaction Clause: R0: * -> *Subject: Hi_sec_HTTP R1: Cisco ->Wiki: Subject: HTTP + Low-scanSubject: FTP + Low-scan Contract A
Usecase 1.1.11: Enterprise Access Accounting • Account for all accesses All Wiki Engg Wiki All Users Engg MktgWiki Mktg
Use case 1.1.11: Accounting Wiki-Access Users Wiki Selector: Name: Wiki-Access Subject: Full-Access Selector: Name: Wiki-Access Filter: Wiki-Port Action: Count Transactions Count Pkts Consumes Provides Engg-Wiki Clauses: 1. Engg-Users Engg-wiki : Full-Access 2. Mktg-Users Mktg-wiki : Full-Access Mktg-Wiki Consumer EP Labels: Engg-Users Mktg-Users PE/DE
Usecase 1.2: Multi-tier Cloud Access Control VMM Domain Bridge Domain vCenter Subnets Application External Network Web App DB Middleware Oracle HTTP VM VM VM
Usecase1.2: Multi-tier Cloud Access Control: Broad Access Control Example
Usecase1.2: Multi-tier Cloud Access Control: Web-tier access PCI-Access PCI-User PCI-Web-Svr Selector: Name: PCI-Access Subject: Web Consumes Provides Selector: Name: PCI-Access Filter: Web Ports Action: Permit Profiles: Firewall, IPS, Premium Path EPg EPg Contract Rule 1:
Usecase1.2: Multi-tier Cloud Access Control: App-tier access PCI-App-Access PCI-Web-Svr PCI-App-Svr Selector: Name: PCI-App-Access • Subject: App Consumes Provides Selector: Name: PCI-App-Access Filter: App-ports Action: Permit EPg EPg Contract Rule 2
Usecase1.2: Multi-tier Cloud Access Control: DB-tier access PCI-DB-Access PCI-App-Svr PCI-DB Selector: Name: PCI-DB-Access Subject: DB Consumes Provides Selector: Name: PCI-DB-Access Filter: DB-ports Action: Permit EPg EPg Contract Rule 3
Usecase1.2: Multi-tier Cloud Access Control: User-tier access PCI-User-Access Employee PCI-User Selector: Name: PCI—User-Access Subject: non-anti-malware Consumes Provides Selector: Name: PCI-User-Access Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)) Action: Permit EPg EPg Contract Rule 4 Open issue on Action & Filters on contracts
On Demand Usecase 2.1: Threat Mitigation Applications Business Routing Rules Threat Detection Topology Security Policy 4 Controller 2 Traffic flows through network. Network and security devices send telemetry to Controller Threat Intelligence monitors and analyzes. Attack is identified, mitigation is determined. Administrator sent recommendation. Policy distributed, drop packets from threat source. Inspect flows from same ISP. Data Center 2 6 5 6 6 6 6 TrafficScrubber 1
On Demand usecase 2.2: Unified Communications UC Applications Flow Quality Identification Flow Programming Topology Security Policy 4 Controller 2 • UC application moniters user calls • identifies issue with the call • Notifies SDN application of the flow ID and the associated action: • High COS marking • BW reservation Data Center 2 6 5 6 6 6 6 1