
Policy Usecases

Sanjay Agrawal, Hari Sankar. June 2014.


Presentation Transcript


  1. Policy Usecases. Sanjay Agrawal, Hari Sankar. June 2014

  2. Usecases
     • Prestaged Policies
       • Enterprise Access Control
         • Enterprise Access: Hierarchical resources access
         • Enterprise Access: Hierarchical resources overlap
         • Enterprise Access: Hierarchical resources conflict
         • Enterprise user accessing multiple resources
         • Exclusion for one user
         • Access based on hierarchical user-groups
         • Access based on overlapping user-groups
         • Additional scan for high value end points
         • Service inclusion in clause rule
         • Priority among static and dynamic rules
         • Enterprise Access Accounting
       • Multi-tier Cloud Access Control
     • On-Demand Policies
       • Threat mitigation
       • Application experience: Unified Communication

  3. Usecase 1.1.1: Enterprise Hierarchical Resource Access
     Contract A
     • Subject: HTTP; Action: i.e. low security
     • Producer side (resources): subgroup / type of site: HR, Wiki; quality: hosting Local or Cloud, reputation High or Low
     • Consuming side (users): subgroup: India-Emp, US-Emp; conditions: On Prem, Outside
     • Clauses: see the following slides
     [Diagram: user subgroups India-Emp and US-Emp on the consuming side, connecting from On Prem or Outside; HR and Wiki endpoints on the producer side, each hosted Local or Cloud with High or Low reputation]

  4. Usecase 1.1.1: Enterprise Hierarchical Resource Access
     Contract A
     • Subject: HTTP_low; Action: i.e. Low Security
     • Subject: HTTP_Hi; Action: i.e. High Security
     • Selector on each endpoint group: Name = "A", Match = named
     • Condition Matchers (consumer side): India-Emp, US-Emp
     • Quality Matchers (producer side): HR, Wiki, & Local, & Cloud
     • Clauses:
       1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
       2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
       3. US-Emp -> HR & Cloud -> Subject HTTP_low
     [Diagram: as on slide 3, with the matchers attached to the India-Emp, US-Emp, HR and Wiki endpoint groups]

  5. Usecase 1.1.1: Enterprise Hierarchical Resource Access
     Contract A
     • Subject: HTTP_low; Action: i.e. Low Security
     • Subject: HTTP_Hi; Action: i.e. High Security
     • Selector on each endpoint group: Name = "A", Match = named
     • Condition Matchers (consumer side): India-Emp, US-Emp
     • Quality Matchers (producer side): HR, Wiki, & Local, & Cloud, & High Reputation
     • Clauses:
       1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
       2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
       3. US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
     [Diagram: as on slide 4]

  6. Usecase 1.1.2: Enterprise Hierarchical Resource Access: Overlap
     Contract A (with a redundant clause)
     • Subject: HTTP_low; Action: i.e. Low Security
     • Subject: HTTP_Hi; Action: i.e. High Security
     • Selector on each endpoint group: Name = "A", Match = named
     • Condition Matchers (consumer side): India-Emp, US-Emp
     • Quality Matchers (producer side): HR, Wiki, & Local, & Cloud, & High Reputation
     • Clauses:
       0. Cisco-Emp -> HR -> Subject HTTP_low (the "Redundant" clause: it overlaps the more specific clauses below)
       1. India-Emp & On prem -> HR & hosted Local -> Subject HTTP_low
       2. US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
       3. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
     [Diagram: as on slide 4]

  7. Usecase 1.1.3: Enterprise Hierarchical Resource Access: Conflict
     Contract A (with a redundant clause)
     • Subject: HTTP_low; Action: i.e. Low Security
     • Subject: HTTP_Hi; Action: i.e. High Security
     • Selector on each endpoint group: Name = "A", Match = named
     • Condition Matchers (consumer side): India-Emp, US-Emp
     • Quality Matchers (producer side): HR, Wiki, & Local, & Cloud, & High Reputation
     • Clauses:
       0. Cisco-Emp -> HR -> Subject HTTP_low
       1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
       2. India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low
       3. US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
       4. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
     [Diagram: as on slide 4]

  8. Usecase 1.1.3: Enterprise Hierarchical Access: Conflict Action
     Contract A (with a redundant clause)
     • Subject: HTTP_low; Action: i.e. Low Security
     • Subject: HTTP_Hi; Action: i.e. High Security
     • Selector on each endpoint group: Name = "A", Match = named
     • Condition Matchers (consumer side): India-Emp, US-Emp, & High Reputation
     • Quality Matchers (producer side): HR, Wiki, & Local, & Cloud
     • Clauses:
       0. Cisco-Emp -> HR -> Subject HTTP_low
       1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
       2. India-Emp & Outside -> HR & hosted Local -> withdraw HTTP_low, add HTTP_Hi
       3. US-Emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
       4. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
     [Diagram: as on slide 4]
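The clause semantics of use cases 1.1.1 to 1.1.3 (hierarchical resources, overlap, conflict) can be exercised with a small evaluator. The Python below is an added example, not code from the deck or from any product it describes. It assumes that group membership is flattened into endpoint labels (an India-Emp endpoint also carries Cisco-Emp), that sibling labels such as On Prem / Outside, Local / Cloud and India-Emp / US-Emp are mutually exclusive, and that a withdraw of a subject overrides any add of the same subject. The clause names c0 to c5 and the label spellings are the example's own.

```python
"""Added example, not from the deck: evaluator for the label-based contract
clauses of use cases 1.1.1-1.1.3 (hierarchy, overlap, conflict).
Assumptions: group membership is flattened into labels, sibling labels are
mutually exclusive, and a 'withdraw' of a subject overrides any 'add'."""
from dataclasses import dataclass
from itertools import combinations

# Hypothetical group hierarchy and mutually exclusive label families.
PARENT = {"India-Emp": "Cisco-Emp", "US-Emp": "Cisco-Emp"}
EXCLUSIVE = [{"India-Emp", "US-Emp"}, {"OnPrem", "Outside"},
             {"Local", "Cloud"}, {"HighRep", "LowRep"}, {"HR", "Wiki"}]


def expand(labels):
    """Add every ancestor group, so subset tests respect the hierarchy."""
    out = set(labels)
    for label in labels:
        while label in PARENT:
            label = PARENT[label]
            out.add(label)
    return frozenset(out)


@dataclass(frozen=True)
class Clause:
    name: str
    consumer: frozenset   # labels the consuming endpoint must carry
    producer: frozenset   # labels the producing endpoint must carry
    add: frozenset        # subjects granted when the clause matches
    withdraw: frozenset   # subjects removed when the clause matches

    def matches(self, consumer_labels, producer_labels):
        return (self.consumer <= expand(consumer_labels)
                and self.producer <= frozenset(producer_labels))

    def subsumes(self, other):
        """True if this (broader) clause matches every pair `other` matches."""
        return self.consumer <= other.consumer and self.producer <= other.producer


def clause(name, consumer, producer, add=(), withdraw=()):
    return Clause(name, expand(consumer), frozenset(producer),
                  frozenset(add), frozenset(withdraw))


def can_overlap(a, b):
    """Two clauses can match one endpoint pair unless, on either side, their
    combined requirements demand two labels of the same exclusive family."""
    for side in ((a.consumer | b.consumer), (a.producer | b.producer)):
        if any(len(side & family) > 1 for family in EXCLUSIVE):
            return False
    return True


def resolve(clauses, consumer_labels, producer_labels):
    """Union the subjects of all matching clauses, then drop withdrawn ones.
    An empty result means the contract grants this pair nothing."""
    granted, withdrawn = set(), set()
    for c in clauses:
        if c.matches(consumer_labels, producer_labels):
            granted |= c.add
            withdrawn |= c.withdraw
    return frozenset(granted - withdrawn)


def analyse(clauses):
    """Report redundant clauses (a broader clause already grants the same
    subject) and conflicts (one clause withdraws what another adds, on a
    pair both can match).  Returns (redundant, conflicts) as name pairs."""
    redundant, conflicts = [], []
    for a, b in combinations(clauses, 2):
        for broad, narrow in ((a, b), (b, a)):
            if (broad.subsumes(narrow) and narrow.add
                    and narrow.add <= broad.add and not narrow.withdraw):
                redundant.append((narrow.name, broad.name))
                break
        if can_overlap(a, b) and ((a.add & b.withdraw) or (b.add & a.withdraw)):
            conflicts.append((a.name, b.name))
    return redundant, conflicts


# Contract A as on slide 8, with the (Cloud || High Reputation) clause of
# slide 5 split into two clauses.  Names and labels are constructed here.
CONTRACT_A = [
    clause("c0", {"Cisco-Emp"}, {"HR"}, add={"HTTP_low"}),
    clause("c1", {"India-Emp", "OnPrem"}, {"HR", "Local"}, add={"HTTP_low"}),
    clause("c2", {"India-Emp", "Outside"}, {"HR", "Local"},
           withdraw={"HTTP_low"}, add={"HTTP_Hi"}),
    clause("c3", {"US-Emp"}, {"HR", "Cloud"}, add={"HTTP_low"}),
    clause("c4", {"US-Emp"}, {"HR", "HighRep"}, add={"HTTP_low"}),
    clause("c5", {"India-Emp"}, {"Wiki", "Cloud"}, add={"HTTP_Hi"}),
]

if __name__ == "__main__":
    hr_local = {"HR", "Local", "HighRep"}
    print(resolve(CONTRACT_A, {"India-Emp", "OnPrem"}, hr_local))   # HTTP_low
    print(resolve(CONTRACT_A, {"India-Emp", "Outside"}, hr_local))  # HTTP_Hi
    print(analyse(CONTRACT_A))
```

resolve() unions the subjects of every matching clause, so the overlap of slide 6 changes nothing at evaluation time but analyse() flags clauses c1, c3 and c4 as redundant against the broad Cisco-Emp clause. For the conflict of slide 7 the same analysis shows that the withdraw in c2 collides with c0, not with the On prem clause c1, which can never match an Outside consumer; without the add HTTP_Hi of slide 8 an India employee working from outside would be left with no subject at all, i.e. implicitly denied.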

  9. Usecase 1.1.4: User on multiple projects
     • Users in Group G1 get access to resources of Project P1
     • Users in Group G2 get access to resources of Project P2
     • User U1, who is part of G1, is on loan to P2 and needs access to its resources (with limited access)
     [Diagram: G1 -> P1; G2 -> P2; U1 -> P2 with limited access]

  10. Usecase 1.1.4: User on multiple projects
     Contract Project-Access (G1, G2 and U1 consume; P1 and P2 provide)
     • Selector on each endpoint group: Name: Project-Access
     • Subject: Full-Access; Filter: Any; Action: Permit
     • Subject: Limited-Access; Filter: Any; Action: Permit; Profile: Limited
     • Clauses:
       1. U1 -> P2: Limited-Access
       2. G1 -> P1: Full-Access
       3. G2 -> P2: Full-Access

  11. Usecase 1.1.5: Exclusion for one user
     • Users in Group G1 get access to resources of Project P1
     • User U1, who is part of G1, is excluded from P1 resources
     [Diagram: G1 -> P1, with U1 inside G1 excluded]

  12. Usecase 1.1.5: Exclusion for one user
     Contract Project-Access (G1 consumes; P1 provides; U1 is a member of G1)
     • Selector on each endpoint group: Name: Project-Access
     • Subject: Full-Access; Filter: Any; Action: Permit
     • Clauses:
       1. NOT(U1) -> P1: Full-Access

  13. Use case 1.1.6: Access based on hierarchical user-groups
     • User Group1 has access to all web categories
     • Everyone else has access to only "Acceptable" web categories
     [Diagram: All Users (containing Group1) -> All Web (containing Acceptable Web)]

  14. Use case 1.1.6: Access based on hierarchical user-groups
     Contract Web-Access (All-Users and Group1 consume; All-Web provides)
     • Selector on each endpoint group: Name: Web-Access
     • Subject: Full-Access; Filter: Any; Action: Permit
     • Producer EP labels: Acceptable
     • Clauses:
       1. Group1 -> All-Web: Full-Access
       2. All-Users -> Acceptable: Full-Access

  15. Use case 1.1.7: Access based on overlapping user-groups
     • Only PE/DEs have access to all wikis
     • Everyone else has access only to the Wiki areas of their own groups
     [Diagram: All Users (containing PE/DE, Engg, Mktg) -> All Wiki (containing Engg Wiki, Mktg Wiki)]

  16. Use case 1.1.7: Access based on overlapping user-groups
     Contract Wiki-Access (Users consume; Wiki, Engg-Wiki and Mktg-Wiki provide)
     • Selector on each endpoint group: Name: Wiki-Access
     • Subject: Full-Access; Filter: Wiki-Port; Action: Permit
     • Consumer EP labels: Engg-Users, Mktg-Users, PE/DE
     • Clauses:
       1. PE/DE -> Wiki: Full-Access
       2. Engg-Users -> Engg-Wiki: Full-Access
       3. Mktg-Users -> Mktg-Wiki: Full-Access

  17. Use case 1.1.8: Additional scans for high value endpoints
     • Do additional IPS scans for traffic from these endpoints
     [Diagram: All Users -> Internet: Permit; High Value Endpoints -> Internet: extra IPS scans]

  18. Use case 1.1.8: Additional scans for high value endpoints
     Option 1: Single Contract
     Contract Web-Access (Users consume; Internet provides)
     • Selector on each endpoint group: Name: Web-Access
     • Subject: Normal-Access; Filter: Web; Action: Permit
     • Subject: Access-with-Scan; Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
     • Consumer EP labels: High-Value
     • Clauses:
       1. High-Value -> Internet: Access-with-Scan
       2. Users -> Internet: Normal-Access
     Note: clause 1 must take priority over clause 2, since a High-Value endpoint is also one of the Users; how such priority is resolved is the subject of use case 1.1.9.

  19. Usecase 1.1.9: Service inclusion in clauses
     [Diagram: Cisco Usr and Sales Usr consuming Wiki; HTTP -> Hi-Scan; (HTTP | FTP) -> Low-Scan]

  20. Problem: Priority among Rules
     • Subject: Hi_Sec_HTTP; Filter: HTTP; Action: Hi-Scan
     • Subject: Low_Sec_HTTP; Filter: HTTP; Action: Low-Scan
     • Subject: Low_Sec_FTP; Filter: FTP; Action: Low-Scan
     • Clauses:
       R1: Sales -> Wiki: Subject Hi_Sec_HTTP
       R2: Cisco -> Wiki: Subject Low_Sec_HTTP, Subject Low_Sec_FTP
     Problem: if a Sales user accesses FTP, he matches R1 (the more specific clause), which carries no FTP subject and therefore denies him access. He should match R2.

  21. Usecase 1.1.9: 2-level priority resolution with clause rules matching port ranges (recommended solution)
     Contract-wide subjects:
     • Subject: Hi_Scan; Action: Hi-Scan
     • Subject: Low_Scan; Action: Low-Scan
     • Clauses:
       R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_Scan
       R2: Cisco -> Wiki, (HTTP | FTP): Subject Low_Scan

  22. Usecase 1.1.9: 3-level priority resolution with clause rules matching port ranges (recommended solution)
     Contract-wide subjects:
     • Subject: Hi_Hi_Scan; Action: Hi-Hi-Scan
     • Subject: Hi_Scan; Action: Hi-Scan
     • Subject: Low_Scan; Action: Low-Scan
     • Clauses:
       R0: Sales at Enemy Nation -> Wiki, HTTP: Subject Hi_Hi_Scan
       R1: Sales -> Wiki, (HTTP | FTP): Subject Hi_Scan
       R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject Low_Scan

  23. Usecase 1.1.10: Priority among Static and Dynamic Rules
     Contract A
     • Subject: Hi_Sec_HTTP; Filter: Usr X -> Wiki site A, HTTP; Action: Hi-Scan, Rate_limit
     • Subject: Low_Sec_HTTP; Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction
     • Clauses:
       R0 (dynamic, flow-specific): * -> *: Subject Hi_Sec_HTTP
       R1 (static): Cisco -> Wiki: Subject HTTP + Low-Scan, Subject FTP + Low-Scan
     [Diagram: Anomaly Detection App; Cisco Usr and Usr X consuming Wiki and Wiki site A]
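To make the priority discussion on slides 20 to 23 concrete, here is an added Python example (not code from the deck or any product it describes). It resolves one flow to a subject under the two-stage semantics that cause the slide 20 problem (pick the most specific clause by endpoint labels, then look for a subject inside it) and under the ordered, port-range semantics of the recommended solution, and shows a dynamic rule of the slide 23 kind being evaluated ahead of the static rules. Port sets, rule names, the EnemyNation, UsrX and SiteA labels, and the flattened group labels (a Sales endpoint also carries Cisco) are the example's own assumptions; a flow that matches no subject is denied.

```python
"""Added example, not from the deck: flow-to-subject resolution under the
two-stage semantics of slide 20 and the ordered, port-range semantics of
slides 21-23.  Labels, ports, rule names and the dynamic rule are
constructed for the example; group membership is flattened into labels."""
from dataclasses import dataclass

HTTP, FTP, SSH = {80, 443}, {20, 21}, {22}       # service = set of TCP ports


@dataclass(frozen=True)
class Clause:
    priority: int          # lower number wins (R0 before R1 before R2)
    name: str
    consumer: frozenset    # labels the consuming endpoint must carry
    producer: frozenset    # labels the producing endpoint must carry
    subjects: tuple        # ((ports, subject_name), ...) in order

    def endpoints_match(self, consumer, producer):
        return self.consumer <= consumer and self.producer <= producer

    def specificity(self):
        return len(self.consumer) + len(self.producer)


def clause(priority, name, consumer, producer, *subjects):
    return Clause(priority, name, frozenset(consumer), frozenset(producer),
                  tuple((frozenset(p), s) for p, s in subjects))


def resolve_two_stage(clauses, consumer, producer, port):
    """Slide 20 semantics: pick the most specific clause by endpoint labels,
    then search for a subject inside that clause only.  Returns None (deny)
    when the chosen clause has no subject covering the port."""
    hits = [c for c in clauses if c.endpoints_match(consumer, producer)]
    if not hits:
        return None
    best = max(hits, key=Clause.specificity)
    return next((s for ports, s in best.subjects if port in ports), None)


def resolve_ordered(clauses, consumer, producer, port):
    """Slides 21-23 semantics: walk clauses in priority order and take the
    first one whose endpoints AND port range match; later clauses act as a
    fallback instead of being shadowed by a more specific clause."""
    for c in sorted(clauses, key=lambda c: c.priority):
        if c.endpoints_match(consumer, producer):
            for ports, subject in c.subjects:
                if port in ports:
                    return subject
    return None


# Slide 20: per-clause subjects carrying their own filters.  The Sales
# subgroup is written with its parent label so it is the more specific clause.
PROBLEM = [
    clause(1, "R1", {"Cisco", "Sales"}, {"Wiki"}, (HTTP, "Hi_Sec_HTTP")),
    clause(2, "R2", {"Cisco"}, {"Wiki"},
           (HTTP, "Low_Sec_HTTP"), (FTP, "Low_Sec_FTP")),
]

# Slide 22: contract-wide subjects, clauses match port ranges, three levels.
RECOMMENDED = [
    clause(0, "R0", {"Cisco", "Sales", "EnemyNation"}, {"Wiki"}, (HTTP, "Hi_Hi_Scan")),
    clause(1, "R1", {"Cisco", "Sales"}, {"Wiki"}, (HTTP | FTP, "Hi_Scan")),
    clause(2, "R2", {"Cisco"}, {"Wiki"}, (HTTP | FTP | SSH, "Low_Scan")),
]

# Slide 23: a flow-specific rule pushed at run time (e.g. by an anomaly
# detection application) and placed ahead of every static rule.
DYNAMIC = clause(-1, "R-dyn", {"UsrX"}, {"Wiki", "SiteA"}, (HTTP, "Hi_Sec_HTTP"))

SALES = frozenset({"Cisco", "Sales"})
WIKI = frozenset({"Wiki"})

if __name__ == "__main__":
    print(resolve_two_stage(PROBLEM, SALES, WIKI, 21))        # None: denied
    print(resolve_ordered(PROBLEM, SALES, WIKI, 21))          # Low_Sec_FTP
    print(resolve_ordered(RECOMMENDED, SALES, WIKI, 21))      # Hi_Scan
    print(resolve_ordered(RECOMMENDED + [DYNAMIC],
                          frozenset({"Cisco", "UsrX"}),
                          frozenset({"Wiki", "SiteA"}), 80))  # Hi_Sec_HTTP
```

The two resolvers differ only in whether the port is part of the match: once the port range is a clause-level matcher, a Sales FTP flow falls through R1 to R2 (slide 20's intended result) or, with the contract-wide subjects of slides 21 and 22, is caught by R1's (HTTP | FTP) range and gets Hi_Scan. A flow on a port no clause lists (here SMTP on 25) resolves to None in both models, which is the safe default.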

  24. Usecase 1.1.11: Enterprise Access Accounting
     • Account for all accesses
     [Diagram: All Users (containing Engg, Mktg) -> All Wiki (containing Engg Wiki, Mktg Wiki)]

  25. Use case 1.1.11: Accounting
     Contract Wiki-Access (Users consume; Wiki, Engg-Wiki and Mktg-Wiki provide)
     • Selector on each endpoint group: Name: Wiki-Access
     • Subject: Full-Access; Filter: Wiki-Port; Action: Count Transactions, Count Pkts
     • Consumer EP labels: Engg-Users, Mktg-Users, PE/DE
     • Clauses:
       1. Engg-Users -> Engg-Wiki: Full-Access
       2. Mktg-Users -> Mktg-Wiki: Full-Access

  26. Usecase 1.2: Multi-tier Cloud Access Control
     [Diagram: vCenter VMM Domain with a Bridge Domain and Subnets; an Application with Web (HTTP), App (Middleware) and DB (Oracle) tiers, one VM each; an External Network]

  27. Usecase 1.2: Multi-tier Cloud Access Control: Broad Access Control Example

  28. Usecase 1.2: Multi-tier Cloud Access Control: Web-tier access
     Contract Rule 1: PCI-User (EPG, consumes) -> PCI-Web-Svr (EPG, provides)
     • Selector on both EPGs: Name: PCI-Access
     • Subject: Web; Filter: Web Ports; Action: Permit; Profiles: Firewall, IPS, Premium Path

  29. Usecase 1.2: Multi-tier Cloud Access Control: App-tier access
     Contract Rule 2: PCI-Web-Svr (EPG, consumes) -> PCI-App-Svr (EPG, provides)
     • Selector on both EPGs: Name: PCI-App-Access
     • Subject: App; Filter: App-ports; Action: Permit

  30. Usecase 1.2: Multi-tier Cloud Access Control: DB-tier access
     Contract Rule 3: PCI-App-Svr (EPG, consumes) -> PCI-DB (EPG, provides)
     • Selector on both EPGs: Name: PCI-DB-Access
     • Subject: DB; Filter: DB-ports; Action: Permit

  31. Usecase 1.2: Multi-tier Cloud Access Control: User-tier access
     Contract Rule 4: Employee (EPG, consumes) -> PCI-User (EPG, provides)
     • Selector on both EPGs: Name: PCI-User-Access
     • Subject: non-anti-malware; Filter: NOT (Anti-malware (ssh, telnet, snmp, ping)); Action: Permit
     Open issue on Action & Filters on contracts.

  32. On Demand Usecase 2.1: Threat Mitigation
     [Diagram: Controller (Topology, Security Policy) with Applications (Business Routing Rules, Threat Detection) above it; Data Center and Traffic Scrubber below; steps 1-6 marked on the flows]
     1. Traffic flows through the network.
     2. Network and security devices send telemetry to the Controller.
     3. Threat Intelligence monitors and analyzes.
     4. Attack is identified, mitigation is determined.
     5. Recommendation is sent to the Administrator.
     6. Policy is distributed: drop packets from the threat source; inspect flows from the same ISP.

  33. On Demand Usecase 2.2: Unified Communications
     [Diagram: Controller (Topology, Security Policy) with UC Applications, Flow Quality Identification and Flow Programming above it; Data Center below; steps marked on the flows]
     • UC application monitors user calls
     • identifies an issue with the call
     • notifies the SDN application of the flow ID and the associated action:
       • High COS marking
       • BW reservation
