
Page 1: Policy Usecases

Policy Usecases

May 2014

Page 2: Policy Usecases

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Usecases

1. Prestaged Policies
   1. Multi-tier Cloud Access Control
   2. Enterprise Access Control
      1. Enterprise Access: Hierarchical resources access
      2. Enterprise Access: Hierarchical resources overlap
      3. Enterprise Access: Hierarchical resources conflict
      4. Enterprise user accessing multiple resources
      5. Exclusion for one user
      6. Access based on hierarchical user-groups
      7. Access based on overlapping user groups
      8. Additional scan for high value end points
   3. Enterprise Access Accounting
2. On-Demand Policies
   1. WAN routing optimization
   2. Threat mitigation
   3. Application experience: Unified Communication

Page 3: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control

[Diagram: a three-tier application reached from the External Network: Web -> App -> DB, each tier a VM. Middleware: HTTP, Oracle. VMM Domain: vCenter. Bridge Domain: Subnets.]

Page 4: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control: Broad Access Control Example

Rule | Src Group   | Dst Group   | App Group                              | Action                | Service                     | Target Network Device
-----|-------------|-------------|----------------------------------------|-----------------------|-----------------------------|--------------------------
1    | PCI-User    | PCI-Web-Svr | Web (80, 443)                          | Permit (implicit Deny) | Firewall, IPS, Premium Path | DC-NGFW-SJ, Branch-Rtr-NY
2    | PCI-Web-Svr | PCI-App-Svr |                                        | Permit (implicit Deny) |                             | DC-Access-SJ
3    | PCI-App-Svr | PCI-DB      |                                        | Permit (implicit Deny) |                             | DC-Access-SJ
4    | Employee    | PCI-User    | Anti-Malware (ssh, telnet, snmp, ping) | Deny (implicit Permit) |                             | Ent-Access-SJ

Page 5: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control: Web-tier access (Rule 1)

Consumer EPg: PCI-User (Selector: Name: PCI-Access)
Provider EPg: PCI-Web-Svr (Selector: Name: PCI-Access)

Contract: PCI-Access
  Subject: Web
    Filter: Web Ports
    Action: Permit
    Profiles: Firewall, IPS, Premium Path

Page 6: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control: App-tier access (Rule 2)

Consumer EPg: PCI-Web-Svr (Selector: Name: PCI-App-Access)
Provider EPg: PCI-App-Svr (Selector: Name: PCI-App-Access)

Contract: PCI-App-Access
  Subject: App
    Filter: App-ports
    Action: Permit

Page 7: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control: DB-tier access (Rule 3)

Consumer EPg: PCI-App-Svr (Selector: Name: PCI-DB-Access)
Provider EPg: PCI-DB (Selector: Name: PCI-DB-Access)

Contract: PCI-DB-Access
  Subject: DB
    Filter: DB-ports
    Action: Permit

Page 8: Policy Usecases

Usecase 1.1: Multi-tier Cloud Access Control: User-tier access (Rule 4)

Consumer EPg: Employee (Selector: Name: PCI-User-Access)
Provider EPg: PCI-User (Selector: Name: PCI-User-Access)

Contract: PCI-User-Access
  Subject: non-anti-malware
    Filter: NOT (Anti-malware (ssh, telnet, snmp, ping))
    Action: Permit

Open issue on Action & Filters on contracts.

Page 9: Policy Usecases

Usecase 1.2: Enterprise Hierarchical Resource Access

[Diagram: consumer EPs (Users): India-Emp, split into On Prem and Outside; US-Emp. Producer EPs (Web): HR and Wiki sites, each hosted Local or Cloud, each with High or Low Reputation.]

Contract A
  Subject: HTTP
  Consumer Label, Producer Label
  Action: i.e. low Security

3 Dimensions on Producer side:
- Type of site: HR, Wiki
- Hosting: Local or Cloud
- Reputation: High or Low

Page 10: Policy Usecases

Usecase 1.2.1: Enterprise Hierarchical Resource Access

[Diagram: consumer EPs (Users) India-Emp (On Prem / Outside) and US-Emp; producer EPs (Web) HR and Wiki, each hosted Local or Cloud. Every EP carries Selector: Name="A", Match=named. Condition Matchers on the consumer side: India-Emp, US-Emp; on the producer side: HR, Wiki, & Local, & Cloud.]

Contract A
  Subject: HTTP_low, Action: i.e. Low Security
  Subject: HTTP_Hi, Action: i.e. High Security

Rules:
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
3. US emp -> HR & Cloud -> Subject HTTP_low

Page 11: Policy Usecases

Usecase 1.2.1: Enterprise Hierarchical Resource Access

[Diagram: as on page 10, with an additional producer-side Condition Matcher: & HighReputation.]

Contract A
  Subject: HTTP_low, Action: i.e. Low Security
  Subject: HTTP_Hi, Action: i.e. High Security

Rules:
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi
3. US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low

Page 12: Policy Usecases

Usecase 1.2.2: Enterprise Hierarchical Resource Access: Overlap

[Diagram: as on page 11 (consumer matchers India-Emp, US-Emp; producer matchers HR, Wiki, & Local, & Cloud, & HighReputation; Selector: Name="A", Match=named on every EP).]

Contract A
  Subject: HTTP_low, Action: i.e. Low Security
  Subject: HTTP_Hi, Action: i.e. High Security

Rules:
- Cisco-Emp -> HR -> Subject HTTP_low
- India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
- US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
- India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Slide annotation: Redundant

Page 13: Policy Usecases

Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict

[Diagram: as on page 11.]

Contract A
  Subject: HTTP_low, Action: i.e. Low Security
  Subject: HTTP_Hi, Action: i.e. High Security

Rules:
- Cisco-Emp -> HR -> Subject HTTP_low
- India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
- India-Emp & Outside -> HR hosted Local -> withdraw HTTP_low
- US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
- India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Slide annotation: Redundant

Page 14: Policy Usecases

Usecase 1.2.3: Enterprise Hierarchical Resource Access: Conflict

[Diagram: as on page 11.]

Contract A
  Subject: HTTP_low, Action: i.e. Low Security
  Subject: HTTP_Hi, Action: i.e. High Security

Rules:
0. Cisco-Emp -> HR -> Subject HTTP_low
1. India-Emp & On prem -> HR hosted Local -> Subject HTTP_low
2. India-Emp & Outside -> HR hosted Local -> withdraw HTTP_low, add HTTP_Hi
3. US emp -> HR & (Cloud || High Reputation) -> Subject HTTP_low
4. India-Emp anywhere -> Wiki hosted Cloud -> Subject HTTP_Hi

Slide annotation: Redundant
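The overlap and conflict that use cases 1.2.2 and 1.2.3 illustrate can be found mechanically by enumerating every consumer/producer combination against the rules of Contract A. The following Python is an added example, not code from the deck: it models the consumer (group, location) and producer (site, hosting, reputation) dimensions from the slides, assumes that every India-Emp and US-Emp is also a Cisco-Emp, and reports which rules conflict (match the same pair with different subjects) and which are shadowed (never the first match, so redundant).

```python
from itertools import product

# Constructed endpoint universe built from the deck's labels (assumed, not from the slides):
# consumers are (group, location), producers are (site, hosting, reputation).
CONSUMERS = [(g, loc) for g in ("India-Emp", "US-Emp") for loc in ("OnPrem", "Outside")]
PRODUCERS = [(s, h, rep) for s in ("HR", "Wiki") for h in ("Local", "Cloud")
             for rep in ("High", "Low")]

# Contract A rules in slide order: (name, consumer matcher, producer matcher, subject).
# Assumption: every India-Emp and US-Emp is also a Cisco-Emp, so rule 0 matches any consumer.
RULES = [
    ("0 Cisco-Emp -> HR", lambda g, loc: True,
     lambda s, h, rep: s == "HR", "HTTP_low"),
    ("1 India-Emp & OnPrem -> HR Local", lambda g, loc: g == "India-Emp" and loc == "OnPrem",
     lambda s, h, rep: s == "HR" and h == "Local", "HTTP_low"),
    ("2 India-Emp & Outside -> HR Local", lambda g, loc: g == "India-Emp" and loc == "Outside",
     lambda s, h, rep: s == "HR" and h == "Local", "HTTP_Hi"),
    ("3 US-Emp -> HR & (Cloud || High)", lambda g, loc: g == "US-Emp",
     lambda s, h, rep: s == "HR" and (h == "Cloud" or rep == "High"), "HTTP_low"),
    ("4 India-Emp -> Wiki Cloud", lambda g, loc: g == "India-Emp",
     lambda s, h, rep: s == "Wiki" and h == "Cloud", "HTTP_Hi"),
]


def matching_rules(rules, consumer, producer):
    """All rules whose condition matchers accept this consumer/producer pair."""
    return [r for r in rules if r[1](*consumer) and r[2](*producer)]


def first_match(rules, consumer, producer):
    """Subject selected under first-match semantics, or None when nothing matches."""
    hits = matching_rules(rules, consumer, producer)
    return hits[0][3] if hits else None


def analyse(rules, consumers=CONSUMERS, producers=PRODUCERS):
    """Walk every consumer/producer pair and report
    - conflicts: pairs where matching rules select different subjects (the slide's 'Conflict')
    - shadowed: rules that are never the first match, i.e. redundant (the slide's 'Overlap')."""
    conflicts, winners = [], set()
    for c, p in product(consumers, producers):
        hits = matching_rules(rules, c, p)
        if not hits:
            continue
        winners.add(hits[0][0])
        if len({h[3] for h in hits}) > 1:
            conflicts.append((c, p, [h[0] for h in hits]))
    shadowed = [r[0] for r in rules if r[0] not in winners]
    return {"conflicts": conflicts, "shadowed": shadowed}


if __name__ == "__main__":
    report = analyse(RULES)
    for c, p, names in report["conflicts"]:
        print("conflict", c, p, names)
    print("shadowed (never first-matched):", report["shadowed"])
```

Under the Cisco-Emp assumption the check goes slightly beyond the slide's single "Redundant" mark: rule 0 shadows rules 1, 2 and 3, and rule 2's HTTP_Hi conflicts with rule 0's HTTP_low for India-Emp outside the premises reaching a locally hosted HR site.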

Page 15: Policy Usecases

Usecase 1.2.4: User on multiple projects

• Users in Group G1 get access to resources of Project P1
• Users in Group G2 get access to resources of Project P2
• User U1 who is part of G1 is on loan to P2 and needs access to its resources (with limited access)

[Diagram: G1 -> P1; G2 -> P2; U1 -> P2 with Limited access]

Page 16: Policy Usecases

Usecase 1.2.4: User on multiple projects

Consumers: G1, U1, G2 (Selector: Name: Project-Access)
Providers: P1, P2 (Selector: Name: Project-Access)

Contract: Project-Access
  Subject: Full-Access
    Filter: Any
    Action: Permit
  Subject: Limited-Access
    Filter: Any
    Action: Permit
    Profile: Limited
  Rules: (First-match)
  1. U1 P1: Limited-Access
  2. G1 P1: Full-Access
  3. G2 P2: Full-Access

Page 17: Policy Usecases

Usecase 1.2.5: Exclusion for one user

• Users in Group G1 get access to resources of Project P1
• User U1 who is part of G1 is excluded from P1 resources

[Diagram: G1 -> P1, with U1 excluded]

Page 18: Policy Usecases

Usecase 1.2.5: Exclusion for one user

Consumers: G1, U1 (Selector: Name: Project-Access)
Provider: P1 (Selector: Name: Project-Access)

Contract: Project-Access
  Subject: Full-Access
    Filter: Any
    Action: Permit
  Rules: (First-match)
  1. NOT(U1) P1: Full-Access

Page 19: Policy Usecases

Use case 1.2.6: Access based on hierarchical user-groups

• User Group1 has access to all web categories
• Everyone else has access to only "Acceptable" web categories

[Diagram: All Users -> Acceptable Web; Group1 -> All Web]

Page 20: Policy Usecases

Use case 1.2.6: Access based on hierarchical user-groups

Consumers: All-Users, Group1 (Selector: Name: Web-Access)
Provider: All-Web (Selector: Name: Web-Access); Producer EP Labels: Acceptable

Contract: Web-Access
  Subject: Full-Access
    Filter: Any
    Action: Permit
  Rules: (First-match)
  1. Group1 All-Web: Full-Access
  2. All-Users Acceptable: Full Access

Page 21: Policy Usecases

Use case 1.2.7: Access based on overlapping user-groups

• Only PE/DEs have access to all wiki
• Everyone else has access to only Wiki areas for their own groups

[Diagram: Engg -> Engg Wiki; Mktg -> Mktg Wiki; PE/DE -> All Wiki]

Page 22: Policy Usecases

Use case 1.2.7: Access based on overlapping user-groups

Consumer: Users (Selector: Name: Wiki-Access); Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
Providers: Wiki (Engg-Wiki, Mktg-Wiki) (Selector: Name: Wiki-Access)

Contract: Wiki-Access
  Subject: Full-Access
    Filter: Wiki-Port
    Action: Permit
  Rules: (First-match)
  1. PE/DE Wiki: Full-Access
  2. Engg-Users Engg-wiki: Full-Access
  3. Mktg-Users Mktg-wiki: Full-Access

Page 23: Policy Usecases

Use case 1.2.8: Additional scans for high value endpoints

• Do Additional IPS scans for traffic from these endpoints

[Diagram: All Users -> All Internet: Permit; High Value Endpoints -> All Internet: Extra IPS scans]

Page 24: Policy Usecases

Use case 1.2.8: Additional scans for high value endpoints

Option 1: Single Contract

Consumer: Users (Selector: Name: Web-Access); Consumer EP Labels: High-Value
Provider: Internet (Selector: Name: Web-Access)

Contract: Web-Access
  Subject: Normal-Access
    Filter: Web
    Action: Permit
  Subject: Access-with-Scan
    Filter: Web
    Action: Permit
    Profile: Hi-IPS-Scan
  Rules: (First-match)
  1. High-Value Internet: Access-with-Scan
  2. Users Internet: Normal-Access

Page 25: Policy Usecases

Use case 1.2.8: Additional scans for high value endpoints

Option 2: Multiple Contracts

Consumer: Users (Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access); Consumer EP Labels: High-Value
Provider: Internet (Selector: Name: Normal-Web-Access, Hi-Scan-Web-Access)

Contract: Normal-Web-Access, Priority = 0
  Subject: Normal-Access
    Filter: Web
    Action: Permit
  Rules: (First-match)
  1. Users Internet: Normal-Access

Contract: Hi-Scan-Web-Access, Priority = 100
  Subject: Access-with-Scan
    Filter: Web
    Action: Permit
    Profile: Hi-IPS-Scan
  Rules: (First-match)
  1. High-Value Internet: Access-with-Scan

Page 26: Policy Usecases

Problem: Priority among Rules

[Diagram: consumers Sales Usr and Cisco Usr; producer Wiki]

Clauses:
R1: Sales -> Wiki: Subject: HTTP + Hi-scan
R2: Cisco -> Wiki: Subject: HTTP + Low-scan, Subject: FTP + Low-scan

Subject: HI_Sec_HTTP   Filter: HTTP   Action: Hi-Scan
Subject: Low_Sec_HTTP  Filter: HTTP   Action: Low-Scan
Subject: Low_Sec_FTP   Filter: FTP    Action: Low-Scan

Page 27: Policy Usecases

Usecase: Priority resolution with contract Hierarchy

[Diagram: consumers Sales Usr and Cisco Usr; producer Wiki]

Contract wide (Cisco Usr -> Wiki)
  Clauses: (First-match)
  R2: Cisco -> Wiki: Subject: HTTP + Low-scan, Subject: FTP + Low-scan
  Subject: Low_Sec_HTTP  Filter: HTTP   Action: Low-Scan
  Subject: Low_Sec_FTP   Filter: FTP    Action: Low-Scan

Contract Restricted (Sales Usr -> Wiki)
  Clauses: (First-match)
  R1: Sales -> Wiki: Subject: HTTP + Hi-scan
  Subject: HI_Sec_HTTP   Filter: HTTP   Action: Hi-Scan

Page 28: Policy Usecases

Usecase: 3 level Priority resolution with contract Hierarchy

[Diagram: consumers Cisco Usr, Sales Usr, and Sales Usr at Enemy Nation; producer Wiki]

Contract wide (Cisco Usr -> Wiki)
  Clauses: (First-match)
  R2: Cisco -> Wiki: Subject: HTTP + No-scan, Subject: FTP + No-scan, Subject: SSH + No-scan
  Subject: Lo_Sec_HTTP   Filter: HTTP   Action: Lo-Scan
  Subject: Lo_Sec_FTP    Filter: FTP    Action: Lo-Scan
  Subject: Lo_Sec_SSH    Filter: SSH    Action: Lo-Scan

Contract Restricted (Sales Usr -> Wiki)
  Clauses: (First-match)
  R1: Sales -> Wiki: Subject: Hi_sec_HTTP, Subject: Hi_sec_FTP
  Subject: HI_Sec_HTTP   Filter: HTTP   Action: Hi-Scan
  Subject: HI_Sec_FTP    Filter: HTTP   Action: Hi-Scan

Contract Further Restricted (Sales Usr at Enemy Nation -> Wiki)
  Clauses:
  R1: Sales & Outside -> Wiki: Subject: HTTP + Hi-Hi-scan
  Subject: HI_Hi_Sec_HTTP   Filter: HTTP   Action: Hi-Hi-Scan

Page 29: Policy Usecases

Usecase: 3 level Priority resolution with simple priority

[Diagram: consumers Cisco Usr, Sales Usr, and Sales Usr at Enemy Nation; producer Wiki]

Contract wide
  Clauses:
  R0: Sales, Enemy Nation -> Wiki, HTTP: Subject: Hi_Hi_scan
  R1: Sales -> Wiki, (HTTP | FTP): Subject: Hi_scan
  R2: Cisco -> Wiki, (HTTP | FTP | SSH): Subject: Lo-scan, Subject: FTP + No-scan
  Subject: Hi_Hi_scan   Action: Hi-Hi-Scan
  Subject: HI_Scan      Action: Hi-Scan
  Subject: Low Scan
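The resolution rule behind both Option 2 on page 25 (two contracts with Priority 0 and 100) and the three-level Sales / Enemy-Nation hierarchy on pages 28 and 29 is the same: evaluate contracts from highest priority down, and within a contract take the first clause whose consumer labels and filter match. The Python below is an added example, not code from the deck; the priority numbers for the wiki contracts, the "Outside" label standing in for the deck's "Sales Usr at Enemy Nation", and Sales users also carrying the "Cisco" label are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    consumer_labels: frozenset  # every label here must be present on the consumer EP
    protocols: frozenset        # the clause's filter: protocols it covers
    subject: str
    action: str                 # action/profile the subject applies


@dataclass(frozen=True)
class Contract:
    name: str
    priority: int               # higher wins, as in the deck's Priority = 0 / 100
    clauses: tuple              # evaluated first-match, in order


def resolve(contracts, consumer_labels, protocol):
    """Highest-priority contract with a matching clause wins; inside a contract the
    first matching clause wins. Returns (contract, subject, action) or None (no policy)."""
    labels = frozenset(consumer_labels)
    for contract in sorted(contracts, key=lambda c: c.priority, reverse=True):
        for cl in contract.clauses:
            if cl.consumer_labels <= labels and protocol in cl.protocols:
                return contract.name, cl.subject, cl.action
    return None


# Option 2 on slide 25: the consumer EP labelled High-Value is steered to the scanning
# contract because its priority (100) beats Normal-Web-Access (0).
WEB = [
    Contract("Normal-Web-Access", 0, (
        Clause(frozenset({"Users"}), frozenset({"Web"}), "Normal-Access", "Permit"),)),
    Contract("Hi-Scan-Web-Access", 100, (
        Clause(frozenset({"High-Value"}), frozenset({"Web"}), "Access-with-Scan", "Hi-IPS-Scan"),)),
]

# Three-level hierarchy of slides 28-29. Priority numbers and the "Outside" label (the deck's
# "Sales Usr at Enemy Nation") are assumptions; Sales users are assumed to also carry "Cisco".
WIKI = [
    Contract("Contract-wide", 0, (
        Clause(frozenset({"Cisco"}), frozenset({"HTTP", "FTP", "SSH"}), "Lo_Sec", "Lo-Scan"),)),
    Contract("Contract-Restricted", 100, (
        Clause(frozenset({"Sales"}), frozenset({"HTTP", "FTP"}), "Hi_Sec", "Hi-Scan"),)),
    Contract("Contract-Further-Restricted", 200, (
        Clause(frozenset({"Sales", "Outside"}), frozenset({"HTTP"}), "HI_Hi_Sec_HTTP", "Hi-Hi-Scan"),)),
]


if __name__ == "__main__":
    print(resolve(WEB, {"Users", "High-Value"}, "Web"))
    print(resolve(WIKI, {"Cisco", "Sales", "Outside"}, "FTP"))  # falls through to Contract-Restricted
```

A protocol no clause covers (for example SMTP from a Cisco user) resolves to None, which is the implicit deny the contracts rely on.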

Page 30: Policy Usecases

Problem: Priority among Rules (static and dynamic contracts)

[Diagram: Cisco Usr -> Wiki under the static contract; Usr X -> Wiki site A under a dynamic contract pushed by the Anomaly Detection App]

Contract Static
  Clause: R0: Cisco -> Wiki: Subject: HTTP + Low-scan, Subject: FTP + Low-scan
  Subject: Low_Sec_HTTP   Filter: HTTP   Action: Low-Scan, QoS Hi   Accounting: Pkt, transaction

Contract Dynamic (from the Anomaly Detection App)
  Clause: R0: Usr X -> Wiki site A: Subject: Hi_sec_HTTP
  Subject: HI_Sec_HTTP   Filter: HTTP   Action: Hi-Scan, Rate_limit

Contract Static_base

Page 31: Policy Usecases

Usecase 1.3: Enterprise Access Accounting

• Account for all accesses

[Diagram: Engg -> Engg Wiki; Mktg -> Mktg Wiki; All Users -> All Wiki]

Page 32: Policy Usecases

Use case 9: Accounting

Consumer: Users (Selector: Name: Wiki-Access); Consumer EP Labels: Engg-Users, Mktg-Users, PE/DE
Providers: Wiki (Engg-Wiki, Mktg-Wiki) (Selector: Name: Wiki-Access)

Contract: Wiki-Access
  Subject: Full-Access
    Filter: Wiki-Port
    Action: Count Transactions, Count Pkts
  Rules: (First-match)
  1. Engg-Users Engg-wiki: Full-Access
  2. Mktg-Users Mktg-wiki: Full-Access

Page 33: Policy Usecases

On Demand Usecase 2.1: IWAN Routing

[Diagram: Central Site with border routers BR1 and BR2 connected through ISP1 and ISP2 to Branch-1, Branch-2 and Branch-3; a Traffic Scrubber; a Controller hosting Applications (Business Routing Rules, Threat Detection), Topology and Security Policy]

Page 34: Policy Usecases

On Demand Usecase 2.2: Threat Mitigation

1. Traffic flows through network.
2. Network and security devices send telemetry to Controller.
3. Threat Intelligence monitors and analyzes.
4. Attack is identified, mitigation is determined.
5. Administrator sent recommendation.
6. Policy distributed, drop packets from threat source. Inspect flows from same ISP.

[Diagram: Data Center and branches with steps 1 to 6 marked on the topology; Controller hosting Applications (Business Routing Rules, Threat Detection), Topology and Security Policy; Traffic Scrubber]

Page 35: Policy Usecases

On Demand usecase 2.3: Unified Communications

1. UC application monitors user calls
2. identifies issue with the call
3. Notifies SDN application of the flow ID and the associated action:
   1. High COS marking
   2. BW reservation

[Diagram: Data Center and branches with the steps marked on the topology; Controller hosting UC Applications, Flow Programming, Topology and Security Policy; Flow Quality Identification]

Page 36: Policy Usecases

Thank you.