
Policy Usecases




Presentation Transcript


  1. Policy Usecases May 2014

  2. Usecases
     • Prestaged Policies
       • Multi-tier Cloud Access Control
       • Enterprise Access Control
         • Enterprise Access: hierarchical resource access
         • Enterprise Access: hierarchical resources, overlap
         • Enterprise Access: hierarchical resources, conflict
         • Enterprise user accessing multiple resources
         • Exclusion for one user
         • Access based on hierarchical user groups
         • Access based on overlapping user groups
         • Additional scan for high-value endpoints
       • Enterprise Access Accounting
     • On-Demand Policies
       • WAN routing optimization
       • Threat mitigation
       • Application experience: Unified Communications

  3. Usecase 1.1: Multi-tier Cloud Access Control
     Diagram: a three-tier application (Web: HTTP, App: Middleware, DB: Oracle). Each tier is a set of VMs in a VMM domain managed by vCenter, placed in a bridge domain with its subnets and reachable from an External Network.

  4. Usecase 1.1: Multi-tier Cloud Access Control: Broad Access Control Example
     The four rules on the following slides permit traffic only between adjacent tiers (Employee → PCI-User → Web → App → DB). In this whitelist model a pair of EPGs with no contract between them, for example PCI-User and PCI-DB, has no permitted traffic.

  5. Usecase 1.1: Multi-tier Cloud Access Control: Web-tier access
     Rule 1: contract PCI-Access. EPG PCI-User consumes it and EPG PCI-Web-Svr provides it; both bind through a selector with Name: PCI-Access.
     • Subject: Web
     • Filter: Web Ports
     • Action: Permit
     • Profiles: Firewall, IPS, Premium Path

  6. Usecase 1.1: Multi-tier Cloud Access Control: App-tier access
     Rule 2: contract PCI-App-Access. EPG PCI-Web-Svr consumes it and EPG PCI-App-Svr provides it; selector Name: PCI-App-Access.
     • Subject: App
     • Filter: App-ports
     • Action: Permit

  7. Usecase 1.1: Multi-tier Cloud Access Control: DB-tier access
     Rule 3: contract PCI-DB-Access. EPG PCI-App-Svr consumes it and EPG PCI-DB provides it; selector Name: PCI-DB-Access.
     • Subject: DB
     • Filter: DB-ports
     • Action: Permit

  8. Usecase 1.1: Multi-tier Cloud Access Control: User-tier access
     Rule 4: contract PCI-User-Access. EPG Employee consumes it and EPG PCI-User provides it; selector Name: PCI-User-Access.
     • Subject: non-anti-malware
     • Filter: NOT (Anti-malware (ssh, telnet, snmp, ping))
     • Action: Permit
     Open issue: Action and Filters on contracts.

  9. Usecase 1.2: Enterprise Hierarchical Resource Access
     Contract A: Subject: HTTP; consumer label / producer label; Action: e.g. low security.
     Consumers (Users): India-Emp and US-Emp endpoints, connecting either On Prem or from Outside.
     Producers: HR and Wiki web endpoints. Three dimensions on the producer side:
     • Type of site: HR, Wiki
     • Hosting: Local (on prem) or Cloud
     • Reputation: High or Low

  10. Usecase 1.2.1: Enterprise Hierarchical Resource Access
     Contract A has two subjects: HTTP_low (Action: e.g. low security) and HTTP_Hi (Action: e.g. high security). Every EP binds to it through a selector with Name="A", Match=named. Condition matchers refine the binding: on the consumer side India-Emp, US-Emp and "& On prem"; on the producer side HR, Wiki, "& Local" and "& Cloud".
     Rules:
     1. India-Emp & On prem → HR hosted Local → Subject HTTP_low
     2. India-Emp anywhere → Wiki hosted Cloud → Subject HTTP_Hi
     3. US-Emp → HR & Cloud → Subject HTTP_low

  11. Usecase 1.2.1: Enterprise Hierarchical Resource Access (continued)
     A further producer-side condition matcher, "& High Reputation", widens rule 3.
     Rules:
     1. India-Emp & On prem → HR hosted Local → Subject HTTP_low
     2. India-Emp anywhere → Wiki hosted Cloud → Subject HTTP_Hi
     3. US-Emp → HR & (Cloud || High Reputation) → Subject HTTP_low

  12. Usecase 1.2.2: Enterprise Hierarchical Resource Access: Overlap
     A broad rule 0 for all Cisco employees is added (India-Emp and US-Emp are both Cisco-Emp). Every flow rules 1 and 2 match is already matched by rule 0 with the same subject, so those rules, and Contract A as written, are redundant.
     Rules:
     0. Cisco-Emp → HR → Subject HTTP_low
     1. India-Emp & On prem → HR hosted Local → Subject HTTP_low
     2. US-Emp → HR & (Cloud || High Reputation) → Subject HTTP_low
     3. India-Emp anywhere → Wiki hosted Cloud → Subject HTTP_Hi

  13. Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict
     A rule for India employees connecting from Outside to locally hosted HR withdraws HTTP_low. Rule 0 also covers those flows but selects a different outcome, so the two conflict: under first-match evaluation the specific rule must be ordered before the broad one or it never fires.
     Rules:
     0. Cisco-Emp → HR → Subject HTTP_low
     1. India-Emp & On prem → HR hosted Local → Subject HTTP_low
     2. India-Emp & Outside → HR hosted Local → withdraw HTTP_low
     3. US-Emp → HR & (Cloud || High Reputation) → Subject HTTP_low
     4. India-Emp anywhere → Wiki hosted Cloud → Subject HTTP_Hi

  14. Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict (continued)
     The conflicting rule withdraws the low-security subject and adds the high-security one in its place; the other rules are as on slide 13.
     2. India-Emp & Outside → HR hosted Local → withdraw HTTP_low, add HTTP_Hi
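To make the overlap and conflict cases of slides 12 to 14 checkable, here is an added example (written for this page; it is not part of the deck and not any product's policy engine) that models each rule as a set of required consumer labels and producer labels plus the subject it selects, expands the Cisco-Emp / India-Emp / US-Emp group hierarchy, and reports every later rule that an earlier one covers: same subject means redundant, different subject means conflict. The group tree, the label names and the simplification of the US-Emp rule to plain Cloud hosting (dropping the "|| High Reputation" alternative) are assumptions. It also orders rules most-specific-first so that a first-match evaluation yields slide 14's outcome, HTTP_Hi, for an India employee connecting from Outside.

```python
"""Find redundant and conflicting rules in a contract (use cases 1.2.2 / 1.2.3).

Toy model written for this page, not any product's API.  A rule requires a
set of consumer labels and a set of producer labels and selects a subject.
Groups are hierarchical: an India-Emp flow also carries the Cisco-Emp label,
so rule labels are expanded through the group tree before comparison.
Rule A *covers* rule B when every flow B can match, A matches too (A's
expanded labels are subsets of B's).  With first-match and A listed first:
  * same subject      -> B is redundant (A already gives that answer);
  * different subject -> B conflicts with A and never fires unless it is
                         ordered before A (slide 14: withdraw HTTP_low, add HTTP_Hi).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Constructed group hierarchy (assumption): child -> parent.
GROUP_PARENT = {"India-Emp": "Cisco-Emp", "US-Emp": "Cisco-Emp"}


def expand(labels: Iterable[str]) -> FrozenSet[str]:
    """Add every ancestor group of the labels given."""
    out = set(labels)
    for label in labels:
        while label in GROUP_PARENT:
            label = GROUP_PARENT[label]
            out.add(label)
    return frozenset(out)


@dataclass(frozen=True)
class Rule:
    name: str
    consumer: FrozenSet[str]
    producer: FrozenSet[str]
    subject: str


def rule(name: str, consumer: Iterable[str], producer: Iterable[str], subject: str) -> Rule:
    return Rule(name, frozenset(consumer), frozenset(producer), subject)


def covers(general: Rule, specific: Rule) -> bool:
    """True if every flow matched by `specific` is also matched by `general`."""
    return (expand(general.consumer) <= expand(specific.consumer)
            and expand(general.producer) <= expand(specific.producer))


def analyse(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """(kind, earlier rule, later rule) for each later rule an earlier one covers."""
    findings = []
    for i, general in enumerate(rules):
        for specific in rules[i + 1:]:
            if covers(general, specific):
                kind = "redundant" if general.subject == specific.subject else "conflict"
                findings.append((kind, general.name, specific.name))
    return findings


def resolve(rules: List[Rule]) -> List[Rule]:
    """Order most-specific rule first.  If A covers B, A has no more expanded
    labels than B, so sorting by label count (descending, stable) guarantees
    that no covering rule precedes a rule it covers."""
    return sorted(rules, key=lambda r: -(len(expand(r.consumer)) + len(expand(r.producer))))


def first_match(rules: List[Rule], consumer: Iterable[str], producer: Iterable[str]) -> Optional[Rule]:
    """First-match evaluation of one flow against an ordered rule list."""
    c, p = expand(consumer), expand(producer)
    for r in rules:
        if expand(r.consumer) <= c and expand(r.producer) <= p:
            return r
    return None


# The rules of slides 12-14, in the order the slides list them.
RULES = [
    rule("R0", {"Cisco-Emp"}, {"HR"}, "HTTP_low"),
    rule("R1", {"India-Emp", "OnPrem"}, {"HR", "Local"}, "HTTP_low"),
    rule("R2", {"India-Emp", "Outside"}, {"HR", "Local"}, "HTTP_Hi"),
    rule("R3", {"US-Emp"}, {"HR", "Cloud"}, "HTTP_low"),   # "|| High Reputation" dropped
    rule("R4", {"India-Emp"}, {"Wiki", "Cloud"}, "HTTP_Hi"),
]

if __name__ == "__main__":
    print(analyse(RULES))
    print([r.name for r in resolve(RULES)], analyse(resolve(RULES)))
    flow = ({"India-Emp", "Outside"}, {"HR", "Local"})
    print(first_match(RULES, *flow).subject, first_match(resolve(RULES), *flow).subject)
```

Run as listed, the analysis flags R1 and R3 as redundant with R0 and R2 as conflicting with it; after `resolve` the report is empty and the India-from-Outside flow gets HTTP_Hi instead of the HTTP_low that R0 would have handed it.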

  15. Usecase 1.2.4: User on multiple projects
     • Users in Group G1 get access to resources of Project P1
     • Users in Group G2 get access to resources of Project P2
     • User U1, who is part of G1, is on loan to P2 and needs (limited) access to its resources
     Diagram: G1 → P1, G2 → P2, U1 → P2 (limited access).

  16. Usecase 1.2.4: User on multiple projects
     Contract Project-Access, bound on both sides by a selector with Name: Project-Access. G1 consumes from P1, G2 consumes from P2, and U1 consumes from P2.
     • Subject Full-Access: Filter: Any; Action: Permit
     • Subject Limited-Access: Filter: Any; Action: Permit; Profile: Limited
     Rules (first-match):
     1. U1 → P2: Limited-Access
     2. G1 → P1: Full-Access
     3. G2 → P2: Full-Access
     U1 still matches G1, so rule 2 keeps giving U1 Full-Access on P1; the Limited profile applies only to U1's traffic towards P2.

  17. Usecase 1.2.5: Exclusion for one user
     • Users in Group G1 get access to resources of Project P1
     • User U1, who is part of G1, is excluded from P1 resources

  18. Usecase 1.2.5: Exclusion for one user
     Contract Project-Access (selector Name: Project-Access on both sides); G1 consumes, P1 provides.
     • Subject Full-Access: Filter: Any; Action: Permit
     Rules (first-match):
     1. NOT(U1) → P1: Full-Access
     U1 matches no rule and therefore gets no access to P1.

  19. Use case 1.2.6: Access based on hierarchical user-groups
     • User Group1 has access to all web categories
     • Everyone else has access to only "Acceptable" web categories
     Diagram: All Users contains Group1; All Web contains Acceptable Web.

  20. Use case 1.2.6: Access based on hierarchical user-groups
     Contract Web-Access (selector Name: Web-Access). Consumer EPG All-Users, with Group1 as a consumer label; producer EPG All-Web, with producer EP label Acceptable on the acceptable categories.
     • Subject Full-Access: Filter: Any; Action: Permit
     Rules (first-match):
     1. Group1 → All-Web: Full-Access
     2. All-Users → Acceptable: Full-Access

  21. Use case 1.2.7: Access based on overlapping user-groups
     • Only PE/DE have access to all wiki
     • Everyone else has access only to the Wiki areas of their own groups
     Diagram: All Users contains Engg, Mktg and PE/DE (PE/DE overlaps both); All Wiki contains Engg Wiki and Mktg Wiki.

  22. Use case 1.2.7: Access based on overlapping user-groups
     Contract Wiki-Access (selector Name: Wiki-Access). Consumer EPG Users with consumer EP labels Engg-Users, Mktg-Users, PE/DE; producer EPG Wiki with areas Engg-Wiki and Mktg-Wiki.
     • Subject Full-Access: Filter: Wiki-Port; Action: Permit
     Rules (first-match):
     1. PE/DE → Wiki: Full-Access
     2. Engg-Users → Engg-wiki: Full-Access
     3. Mktg-Users → Mktg-wiki: Full-Access

  23. Use case 1.2.8: Additional scans for high value endpoints
     • Do additional IPS scans for traffic from these endpoints
     Diagram: All Users → Internet: Permit; High Value Endpoints (a subset of All Users) → Internet: Permit with extra IPS scans.

  24. Use case 1.2.8: Additional scans for high value endpoints. Option 1: Single Contract
     Contract Web-Access (selector Name: Web-Access). Consumer EPG Users, with consumer EP label High-Value on the high-value endpoints; producer EPG Internet.
     • Subject Normal-Access: Filter: Web; Action: Permit
     • Subject Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan
     Rules (first-match):
     1. High-Value → Internet: Access-with-Scan
     2. Users → Internet: Normal-Access

  25. Use case 1.2.8: Additional scans for high value endpoints. Option 2: Multiple Contracts
     Consumer EPG Users (consumer EP label High-Value) and producer EPG Internet both select the two contracts: Selector Name: Normal-Web-Access, Hi-Scan-Web-Access.
     • Contract Normal-Web-Access, Priority = 0. Subject Normal-Access: Filter: Web; Action: Permit. Rules (first-match): 1. Users → Internet: Normal-Access
     • Contract Hi-Scan-Web-Access, Priority = 100. Subject Access-with-Scan: Filter: Web; Action: Permit; Profile: Hi-IPS-Scan. Rules (first-match): 1. High-Value → Internet: Access-with-Scan
     The higher-priority contract is evaluated first, so high-value endpoints get the scanning subject and all other users fall through to Normal-Web-Access.

  26. Problem: Priority among Rules
     One contract with three subjects:
     • HI_Sec_HTTP: Filter: HTTP; Action: Hi-Scan
     • Low_Sec_HTTP: Filter: HTTP; Action: Low-Scan
     • Low_Sec_FTP: Filter: FTP; Action: Low-Scan
     Consumers: Cisco Usr, of which Sales Usr is a subset; producer: Wiki.
     Clauses:
     R1: Sales → Wiki: Subject HTTP + Hi-scan
     R2: Cisco → Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan
     A Sales user is also a Cisco user, so both clauses match a Sales HTTP flow and the policy must define which one wins, while Sales FTP traffic still has to reach R2.

  27. Usecase: Priority resolution with contract Hierarchy
     Split the clauses across two contracts, the restricted one layered over the wide one:
     • Contract Restricted: Subject HI_Sec_HTTP (Filter: HTTP; Action: Hi-Scan). Clauses (first-match): R1: Sales → Wiki: Subject HTTP + Hi-scan
     • Contract Wide: Subjects Low_Sec_HTTP (Filter: HTTP; Action: Low-Scan) and Low_Sec_FTP (Filter: FTP; Action: Low-Scan). Clauses (first-match): R2: Cisco → Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan

  28. Usecase: 3 level Priority resolution with contract Hierarchy
     Consumers: Cisco Usr, Sales Usr (a subset), Sales Usr at Enemy Nation (a subset of Sales); producer: Wiki.
     • Contract Further Restricted: Subject HI_Hi_Sec_HTTP (Filter: HTTP; Action: Hi-Hi-Scan). Clauses: R1: Sales & Outside → Wiki: Subject HTTP + Hi-Hi-scan
     • Contract Restricted: Subjects HI_Sec_HTTP (Filter: HTTP; Action: Hi-Scan) and HI_Sec_FTP (Filter: FTP; Action: Hi-Scan). Clauses (first-match): R1: Sales → Wiki: Subject Hi_sec_HTTP, Subject Hi_sec_FTP
     • Contract Wide: Subjects Lo_Sec_HTTP (Filter: HTTP; Action: Lo-Scan), Lo_Sec_FTP (Filter: FTP; Action: Lo-Scan), Lo_Sec_SSH (Filter: SSH; Action: Lo-Scan). Clauses (first-match): R2: Cisco → Wiki: Subject Lo_Sec_HTTP, Subject Lo_Sec_FTP, Subject Lo_Sec_SSH

  29. Usecase: 3 level Priority resolution with simple priority
     The same three levels in a single contract, most specific clause first:
     • Subject Hi_Hi_scan: Action: Hi-Hi-Scan
     • Subject Hi_scan: Action: Hi-Scan
     • Subject Lo_scan: Action: Lo-Scan
     Clauses (first-match):
     R0: Sales & Enemy Nation → Wiki, HTTP: Subject Hi_Hi_scan
     R1: Sales → Wiki, (HTTP | FTP): Subject Hi_scan
     R2: Cisco → Wiki, (HTTP | FTP | SSH): Subject Lo_scan
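The first-match rules of use cases 1.2.4 to 1.2.8 and the priority ordering of slides 26 to 29 all reduce to one evaluation loop: try the contracts bound to a consumer/producer pair in priority order, and within a contract take the first clause whose consumer matcher, producer matcher and subject filter all cover the flow. The Python below is an added example written for this page, not the deck's or any product's implementation; the Matcher/Clause/Contract classes, the label names and the rule that a clause only counts as matched when its subject filter covers the protocol are its own assumptions. It reproduces the NOT(U1) exclusion of use case 1.2.5, option 2 of use case 1.2.8 with priorities 0 and 100, and the three-level scan of slide 29, and shows what happens when the general Cisco clause is listed first.

```python
"""First-match policy evaluation with contract priorities.

Toy model of the use cases on this page (an assumption, not a product API):
  * endpoints carry label sets (consumer labels such as "High-Value",
    producer labels such as "Internet");
  * a clause = consumer matcher + producer matcher + subject name + the
    protocols the subject's filter covers;
  * a contract is an ordered clause list evaluated first-match;
  * when several contracts bind a pair, the highest priority is tried first.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Matcher:
    """Condition matcher: every label in `all_of` present, none of `none_of`."""
    all_of: FrozenSet[str] = frozenset()
    none_of: FrozenSet[str] = frozenset()

    def matches(self, labels: FrozenSet[str]) -> bool:
        return self.all_of <= labels and not (self.none_of & labels)


def m(*all_of: str, none_of: Iterable[str] = ()) -> Matcher:
    return Matcher(frozenset(all_of), frozenset(none_of))


ANY = None  # subject filter "Any"


@dataclass(frozen=True)
class Clause:
    consumer: Matcher
    producer: Matcher
    subject: str
    protocols: Optional[FrozenSet[str]] = ANY  # None = any protocol


@dataclass
class Contract:
    name: str
    clauses: List[Clause]
    priority: int = 0


def evaluate(contracts: List[Contract], consumer: Iterable[str],
             producer: Iterable[str], protocol: str) -> Optional[str]:
    """Subject applied to one flow as "contract/subject", or None (nothing permits it).

    Highest-priority contract first; inside a contract the first clause whose
    matchers and filter all cover the flow wins (first-match).
    """
    c, p = frozenset(consumer), frozenset(producer)
    for contract in sorted(contracts, key=lambda k: -k.priority):
        for cl in contract.clauses:
            if (cl.consumer.matches(c) and cl.producer.matches(p)
                    and (cl.protocols is ANY or protocol in cl.protocols)):
                return f"{contract.name}/{cl.subject}"
    return None


# Use case 1.2.5: NOT(U1) -> P1 : Full-Access
PROJECT_ACCESS = Contract("Project-Access", [
    Clause(m("G1", none_of=["U1"]), m("P1"), "Full-Access"),
])

# Use case 1.2.8, option 2: two contracts, the scanning one at priority 100
WEB = frozenset({"HTTP", "HTTPS"})
NORMAL_WEB = Contract("Normal-Web-Access", [
    Clause(m("Users"), m("Internet"), "Normal-Access", WEB)], priority=0)
HI_SCAN_WEB = Contract("Hi-Scan-Web-Access", [
    Clause(m("High-Value"), m("Internet"), "Access-with-Scan", WEB)], priority=100)

# Slide 29: three scan levels inside one contract, most specific clause first
WIKI = Contract("Wiki-Access", [
    Clause(m("Sales", "Enemy-Nation"), m("Wiki"), "Hi_Hi_scan", frozenset({"HTTP"})),
    Clause(m("Sales"), m("Wiki"), "Hi_scan", frozenset({"HTTP", "FTP"})),
    Clause(m("Cisco"), m("Wiki"), "Lo_scan", frozenset({"HTTP", "FTP", "SSH"})),
])
# Same clauses with the general Cisco rule first: the specific ones are shadowed (slide 26).
WIKI_SHADOWED = Contract("Wiki-Access", list(reversed(WIKI.clauses)))

SALES = {"Cisco", "Sales"}                 # a Sales user is also a Cisco user
SALES_ABROAD = SALES | {"Enemy-Nation"}    # constructed label for "at Enemy Nation"


def demo() -> dict:
    """Evaluate the scenarios from the slides; keys name the case, values the outcome."""
    return {
        "u1_excluded": evaluate([PROJECT_ACCESS], {"G1", "U1"}, {"P1"}, "HTTP"),
        "g1_member": evaluate([PROJECT_ACCESS], {"G1", "U2"}, {"P1"}, "HTTP"),
        "high_value": evaluate([NORMAL_WEB, HI_SCAN_WEB], {"Users", "High-Value"}, {"Internet"}, "HTTPS"),
        "plain_user": evaluate([NORMAL_WEB, HI_SCAN_WEB], {"Users"}, {"Internet"}, "HTTPS"),
        "sales_abroad_http": evaluate([WIKI], SALES_ABROAD, {"Wiki"}, "HTTP"),
        "sales_abroad_ftp": evaluate([WIKI], SALES_ABROAD, {"Wiki"}, "FTP"),
        "sales_ssh": evaluate([WIKI], SALES, {"Wiki"}, "SSH"),
        "sales_http_shadowed": evaluate([WIKI_SHADOWED], SALES_ABROAD, {"Wiki"}, "HTTP"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

Two points worth noticing in the output: a Sales user abroad sending FTP falls past R0 (HTTP only) to R1 and gets Hi_scan rather than no access, because a clause is only taken when its filter covers the protocol; and with the clauses reversed the same user's HTTP gets Lo_scan, which is exactly the ambiguity slide 26 raises and slides 27 to 29 resolve by layering contracts or ordering clauses.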

  30. Problem: Priority among Rules (dynamic contract)
     An Anomaly Detection App installs a dynamic contract for one user and one site on top of the static contracts:
     • Contract Dynamic: Subject HI_Sec_HTTP (Filter: HTTP; Action: Hi-Scan, Rate_limit). Clause: R0: Usr X → Wiki site A: Subject Hi_sec_HTTP
     • Contract Static / Static_base: Subject Low_Sec_HTTP (Filter: HTTP; Action: Low-Scan, QoS Hi; Accounting: Pkt, transaction). Clause: R0: Cisco → Wiki: Subject HTTP + Low-scan, Subject FTP + Low-scan
     Consumers: Cisco Usr, of which Usr X is one; producers: Wiki, of which Wiki site A is one. Usr X matches both contracts, so the dynamic contract needs a defined priority over the static base.

  31. Usecase 1.3: Enterprise Access Accounting
     • Account for all accesses
     Diagram: All Users (Engg, Mktg) → All Wiki (Engg Wiki, Mktg Wiki).

  32. Usecase 1.3: Enterprise Access Accounting
     Contract Wiki-Access (selector Name: Wiki-Access). Consumer EPG Users with consumer EP labels Engg-Users, Mktg-Users, PE/DE; producer EPG Wiki with Engg-Wiki and Mktg-Wiki.
     • Subject Full-Access: Filter: Wiki-Port; Action: Count Transactions, Count Pkts
     Rules (first-match):
     1. Engg-Users → Engg-wiki: Full-Access
     2. Mktg-Users → Mktg-wiki: Full-Access

  33. On Demand Usecase 2.1: IWAN Routing
     Diagram: a Policy Controller hosting Applications (Business Routing Rules, Threat Detection) over Security, Topology and Policy layers. Sites Branch-1, Branch-2, Branch-3 and a Central Site connect through border routers BR1 and BR2 to ISP1 and ISP2, with a Traffic Scrubber attached.

  34. On Demand Usecase 2.2: Threat Mitigation
     The same Controller (Applications: Business Routing Rules, Threat Detection; Topology, Security, Policy), a Data Center and a Traffic Scrubber. Steps:
     1. Traffic flows through the network.
     2. Network and security devices send telemetry to the Controller.
     3. Threat Intelligence monitors and analyzes.
     4. An attack is identified and a mitigation is determined.
     5. The administrator is sent the recommendation.
     6. Policy is distributed: drop packets from the threat source; inspect flows from the same ISP.

  35. On Demand usecase 2.3: Unified Communications
     Controller with UC Applications (Flow Quality Identification, Flow Programming) over Topology, Security and Policy.
     • The UC application monitors user calls
     • It identifies an issue with a call
     • It notifies the SDN application of the flow ID and the associated action:
       • High COS marking
       • BW reservation
