Cisco Platform Exchange Grid (pxGrid)

Captions
All right, so good morning. This session is on Cisco Platform Exchange Grid, or pxGrid for short. So how's your Cisco Live experience so far? I hope you folks are having a nice time, and I also wanted to thank you for being valued Cisco customers, because that's really important to us. So my name is Brian Gonzalez, and out here I have my distinguished colleague Nancy Cam-Winget, and today we're going to talk to you about Cisco pxGrid: why we developed it, what it can do for you, and then also go into some use cases, how to get started, and how to use DevNet to basically come on board and expand our ecosystem.

So pxGrid basically is an instantiation of Cisco Identity Services Engine today, and there are three use cases, or three reasons, why we came up with pxGrid. So the first one is that we can provide our ecosystem partners with context. See, there is a benefit of one plus one equals three when you partner with third-party vendors, and that's all a benefit to the end customer. So for the first use case, what we do is, as an example, if we have a Tenable Nessus scanner that's connected to our ecosystem, typically what would happen is that the scanner would find a vulnerability on IP address 192.128.1.1 and there's some malware going on there, but that's not really actionable. What ISE provides is that context, so now we know it's not just an IP address, but it's Brian, he's part of the marketing team, he's on a jailbroken iPad. So you've got this context that basically can help make the system even more meaningful to take action on.

The other use case: we also get benefit from third-party ecosystem players, where we can enrich our systems with more information. So a case in point is our MDM play. We have a slew of MDM partners that connect into ISE, so now we can create policies such that we learn from the MDM that John over there has an iPad but it's jailbroken, so now we can write policy in Cisco ISE saying, if an iPad is jailbroken, put them on the quarantine VLAN. So that telemetry we learned from our third-party vendors; that's the second kind of use case, and why customers care is because it's now a single place where you can have confidence of network access.

And the third, most interesting thing that we've come to find out is that we can use third-party ecosystem partners to now reach back into the Cisco network. What I mean by reaching back into the Cisco network: take for example this use case of the vulnerability scanner. You run the vulnerability scan, you find out that there is a high-risk vulnerability on an endpoint. Using our ecosystem and pxGrid, the scanner admin doesn't have to pick up a call and call his counterpart who's on the network side, but from the Nessus GUI itself can launch a quarantine request to ISE, and that in turn changes into a RADIUS change of authorization, and he can move the VLAN from the regular VLAN to a quarantine VLAN. So now we're giving the power of reaching back into the Cisco network to our third-party vendors. We call this Adaptive Network Control. So now it's not just one plus one is two, but I would say one plus one is five. So basically what happens, and the reason why people like this, is that it decreases time, and in the security space you know that time is of the essence, right? The faster you respond to threats, the better you are at containing things, and responding to security network events is what this feature enables you to do, to take mitigation actions.

So how do we do all of this? We created this concept and this technology called pxGrid, and by "we" I mean Nancy, because she is one of the chief architects, so she's here to talk to you and she'll talk to you about the details afterward. But think of pxGrid as a messaging superhighway. It's an information bus where you have third-party ecosystems connecting to this grid and sharing contextual information. So what happens is Cisco ISE, you know, it's our flagship NAC product, but it also behaves as the pxGrid controller. It's the device that sets up the whole grid, and after you set up the grid you have, say for example, I have devices that connect to the grid, say something that wants location information, there's another that has application information but does not have location. So these elements connect into the grid and ISE acts as a broker. You basically get authorized... you get authenticated first, then you get authorized, and then after you basically get authorized you can publish what you want to share with the rest of the pxGrid community. So vendor A publishes, vendor B publishes, and then what you do is you discover what is available on the grid, and then you can pick and choose what is of interest to you. What we also see is that ISE, besides being the grid controller, can also get a benefit from this, because it can act also as a consumer of this information. So in this way the grid is set up, and we've got multiple partners that can participate in this grid.

So you may ask us why we came up with this grid concept, and the thing is that traditionally you can do this with APIs, REST APIs or, you know, of that sort, but there are limitations to this. Cisco kind of stepped back and said, if you're going to have many of these API integrations, it's not going to be scalable. You've got to know vendor A's API, you need to know vendor B's API, and when vendor A and B want to talk to each other, then there will be more APIs. So what we decided to do was, when you join the grid, you basically include in your product what is called a grid control library. When you plug that in you can basically talk grid language, so if you have all partners talking the same language, it's easier to do business. Also with APIs, they are kind of static, so if you have a release of an API in one version of the code and you want to make changes, you've got to wait for the next version to make changes to that code for the APIs, whereas with pxGrid, because it's very flexible and configurable, you can change what you want to share or not just based on how we set up the whole grid infrastructure. Also, another important thing is that when you have many of these systems connecting, APIs traditionally are a polling mechanism. So you have vendor A saying, you know, I need this information, I need this information, I need this information; it keeps polling, so that has a toll on the system if you have a lot of integrations. With pxGrid you can subscribe to certain topics that are of interest to you and just wait for that alert to come in. You don't have to keep polling, so that decreases your workload and increases performance of the system. That's the reason why we chose pxGrid. Also, because we are Cisco and as far as security is concerned, pxGrid is a very secure environment. So just as we authorize and authenticate users and devices, we authorize and authenticate third-party systems onto the grid. So you first need to authenticate, you get authorized for what you can do and can't do, and also the infrastructure is secured with encryption. So those are the reasons why we chose to go down this path.

What happens is, to give an example or a use case where we kind of use pxGrid today: today we see that a lot of folks have moved to mobility and you want to access applications in the cloud, say salesforce.com, and typically what do SSO applications look at? We look at the user, and once you know who the user is, what AD group you belong to, you allow him access onto the cloud. But with mobility come challenges: is the device a corporate device, is it jailbroken, how do you kind of control that? So what we do is, with ISE and pxGrid, we are able to provide a little more context to what that user can do. So the same user who is going to connect to Salesforce from his iPad, now we basically say, you know, you can only access this if you're on the network, if you're part of, say, an exec group, as long as you're in the Europe region, as long as you're within your business hours. So we can provide granular control to cloud-based applications as well, and we do this with one of our vendors called Ping Identity. We do that, and we have more SSO vendors that are coming to the fold. So with that I'll hand the baton to you.

So Brian has kind of set up the stage. I wanted to just take a quick poll: how many of you are familiar with the ISE product? Oh, good. And security? I don't think I can count you. And other security-based products? Okay, a few. So I'm presuming you guys are mainly knowledgeable on the IT space. What we've been encountering is the need to provide you better tooling for how to get better visibility and, as Brian was explaining, through ANC, through the Adaptive Network Control, how to provide better control for you to improve operations. And especially, we're in the security group, so we're very security focused; pxGrid can allow you better control not just from a security perspective but in general of your overall framework. How we do that is through the Platform Exchange Grid, or pxGrid. So I'm going to walk you through the architecture very quickly, and I can hang around a little bit afterwards, because I'm sure I tend to ramble; if we run out of time, if you have questions, please come by and ask more.

So Brian alluded to the notion of ISE acting as the pxGrid controller. Okay, so for those of you who are familiar with ISE, ISE takes on different personas, if you will, or different roles. So one of the roles that it can now take is it can act as that control function to help facilitate the security aspects of how you share that information. So in general terms, the way I describe the controller is, it's affecting two major sets of functions. One is it's going to affect who's allowed to share what information and how they share it; so that's number one. The second one is the aspiration, and with pxGrid it is, while today we're showcasing the information, the data that gets aggregated out of ISE... so if you look at the management and troubleshooting, we're already aggregating, through that richer policy control, what I call the n-tuple, right, the who, what, when, where that is coming in through the network. As we're now partnering with companies like Splunk, NetIQ and so on, they can also do further aggregations and share that and make that visible to you, and then again through the ANC you can now be better informed and take better control of saying, hey, Nancy's doing some suspicious behavior, maybe I'd better switch her to her VLAN or terminate that session, because she really shouldn't be using that iPad, as an example, right? If you go to our station you'll see how we've integrated improved security controls, if you will, with our partners. So this slide is basically showing you the main role of the controller. What you'll get out of the DevNet zone is basically the tools that you need to function, to extract or share your own information, and that's for the pxGrid client. So next slide, please.

So if you look at the evolution, why did we do this? To me it was twofold. In ISE we already recognized the fact that we were a data aggregator; we could provide that richer information so that when you looked at your report, so for example with the partnership of Lancope, you're now not just seeing the traffic based on IP address, but now you can filter and look at it based on the different types of users, or different types of devices, or different levels of compliance. Okay, when we did this in ISE 1.0 we did it using a REST API. We very quickly found out through our partner feedback, one, we were flooding the network because of that polling mechanism, right; two, what we really needed to do was provide in some cases just the updates. So from that standpoint we needed a dynamic way to provide those updates, or allow for what I call a directed query. So if you're looking at a specific vulnerability, some suspicious behavior, you could just say, let me just query what Nancy is doing, as opposed to just tell me what's out at the edge of the network. So that's how we evolved it, and there are many other examples; we're just trying to use how we evolved the ISE 1.0 set of APIs to be much more flexible and agile using the pxGrid ecosystem. Next slide, please.

So what you will see in the DevNet zone and the toolkit is you're going to get the client library itself, and that's to help facilitate and abstract how we may be doing the pub/sub messaging, how we may be doing the query. But that abstraction is helping you get to that scalability without you having to go through the management configuration of "I know I need to get information from the ISE that's in the UK versus Italy versus the US, or from all three." So trying to abstract the knowledge of where your sources of information may be; so that's one of the components. The other component is trying to abstract, we may have different protocols in the data plane, trying to abstract that through a single API in that toolkit. Also you're going to get sample information, and I'll be repeating that a little bit, for the types of inputs and outputs to expect out of the client. Next slide, please.

Okay, so a little bit about the innards, if you're curious about how we built the pxGrid client. How many of you are familiar with Jabber? Not very many, okay. So that's one of our collaboration tools, instant messaging which has video and audio, so that lent itself to a natural architecture for how we could scale, both in the number, so if you look at our Jabber services we can support upwards of millions of users, and we expect the ecosystem to grow to that length as well, as well as the time latencies in which you may need to obtain the information, meaning as soon as a new presence comes into the network you want to know that right away; that's what I mean by real time. So from all of that, the Jabber architecture was constructed based on an open-source set of protocols called XMPP. The XMPP architecture and code base is instantiated using the XCP as the control server, and then XMPP is the actual protocol. One of the biggest features in the XMPP architecture and the XCP is the notion of using flexible but strong mutual authentication. Okay, so through that mechanism, in the first release you see that we are attempting, not attempting, but we are enforcing that if an ISE wants to share, for instance, information with a Lancope solution, they both have to use certificates to mutually authenticate to the controller. All right. Second is trying to abstract and give you the agility and option of, do you want dynamic notifications or do you want directed queries, or both? And so from that capability we needed to provide the agility in allowing both functionalities from a time-sensitivity standpoint. It's like this, okay.

So basically what you're going to see in the toolkit is the ability to help you connect into this ecosystem securely and share the information. Now from a policy perspective, as I mentioned earlier, the controller is really being that agent that's monitoring who's allowed to do what and how. Okay, the how is the different ways in which we may be filtering the data. So the filtering could be done by content or it could be done by schema. So within the content, it could be that a Lancope could only get information from an ISE but perhaps not from a Nessus; that's the content. The schema would be, if you think about a regulatory, right, it may be that you want to extract the who, what, when, where and how out of ISE, but for privacy reasons we may not be authorized to disclose the who. Okay, so this is what you're going to see in the toolkit and in the DevNet zone when you load up. I'm not going to belabor and read all the points, but this is basically what to expect, and we're trying to make it as easy as possible. The advantage with DevNet: if you don't have an ISE, or you don't want to try it within your particular installation, right, pxGrid was released as part of the ISE 1.3 release, so if you're not quite ready to do that, the DevNet zone has already instantiated a test environment that includes the ISE, the pxGrid controller, so all you have to focus on is the work that you need to do. So this is how you go about getting access to the toolkit through the DevNet zone. Next slide, please.

This is how you may expect to use it, in high-level terms. I've already mentioned you can do directed queries; if you know that you have that ISE information you might just say, I'm curious to find out all of the users that are running MacBook Pros, for example. Okay, so that could be a type of directed query. You may actually want to do continuous monitoring, so you may want to register and say, tell me and notify me as soon as a new presence comes into the network. Okay, so two different ways of obtaining the data with different time latencies involved. Next slide, please. All of how you connect into the grid, how you do the directed queries, how you register to get the dynamic notifications, are also provided to you as scripts, or depending on whether... I'm still a C and assembly programmer, that's how old I am, but the toolkit provides you both C and Java interfaces. There's both sample scripts and code and schemas to show you the examples for how you might go about getting this level of work done. Next slide, please.

From a very high-level perspective, what we're trying to do is facilitate, and again recognizing that ISE already gives you that richness of that n-tuple, we're beginning with that as the first start of, we want to be able to share that so that you can get better visibility, better reporting, whether it's for security or asset management or configuration, okay, to do that in a scalable way. Okay, so from a security perspective you may be working with different security vendors, Nessus, Mandiant, pick your, you know, compliance, vulnerability, the different dimensions in security. So we know that there's going to be an ecosystem where it's not just you coming into one, but it may be a many-to-many connection. Okay, so we're trying to enable all of this in as easy a way as possible. From the Cisco perspective we're providing the framework and the toolkits to allow you to do that. The partners have already started to harvest that information and improve upon their solutions; that's number one. Number two, if you're not there and ready to do that development, there are partners, for instance like Identity over IP, who are already helping build those modules, if you will, and portals and GUIs to help you get where you need to be. I can maybe take one or two questions if you guys have any, please.

"But I only have Lancope in one location. Can I use this information to share it with the other countries, for example?"

If you could repeat the question for everyone. Yes, so her question was: she has ISE distributed basically in a clustered environment globally, but she only has one Lancope instantiation, so can you use the pxGrid ecosystem to allow for that sharing? And that is the perfect example for what we mean by the many-to-many and building the abstraction. So if you're building a Lancope application, for example, right, Lancope doesn't need to know that there are many instances of ISE; the controller would know that. Okay, so the Lancope application could just say, I just want to know, from my enterprise, all of the users across my enterprise; the controller would handle the brokering and the knowledge that there are multiple ISEs there. Okay, do we have time for one more question? Yeah? Nope. All right, thank you. [Applause]
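The controller role the talk describes (authenticate, then authorize per topic, then broker publish/subscribe and directed queries with content- and schema-based filtering, including the "don't disclose the who" privacy case and the scanner's ANC reach-back) is modelled below as an added, stand-alone example. It is not the pxGrid client library or any Cisco code; every client name, topic, field and policy value is constructed for illustration, and the trust store stands in for the certificate-based mutual authentication the talk mentions.

```python
"""Toy model of the pxGrid controller role: a client must authenticate, is then
authorized per topic, and the controller filters what each subscriber receives by
publisher (content) or by field (schema). All names and values are constructed."""
from collections import defaultdict


class GridController:
    def __init__(self, trusted_clients):
        self.trusted = set(trusted_clients)  # stand-in for mutual certificate auth
        self.policy = {}                     # client -> {"publish": set, "subscribe": set}
        self.subs = defaultdict(list)        # topic -> [(client, publishers, fields)]
        self.inbox = defaultdict(list)       # client -> records delivered to it
        self.retained = defaultdict(list)    # topic -> records, served to directed queries

    def connect(self, client, publish=(), subscribe=()):
        """Authenticate first, then record what the client may publish and subscribe to."""
        if client not in self.trusted:
            raise PermissionError(f"{client}: authentication failed")
        self.policy[client] = {"publish": set(publish), "subscribe": set(subscribe)}

    def _authorize(self, client, action, topic):
        if topic not in self.policy.get(client, {}).get(action, ()):
            raise PermissionError(f"{client}: not authorized to {action} {topic}")

    def subscribe(self, client, topic, publishers=None, fields=None):
        """publishers: content filter (None = any source); fields: schema filter (None = all)."""
        self._authorize(client, "subscribe", topic)
        self.subs[topic].append((client, publishers, fields))

    def publish(self, client, topic, record):
        """Push a record to every authorized subscriber whose filters admit it."""
        self._authorize(client, "publish", topic)
        stamped = dict(record, publisher=client)
        self.retained[topic].append(stamped)
        for sub, publishers, fields in self.subs[topic]:
            if publishers is not None and client not in publishers:
                continue  # content filter: this subscriber may not see this source
            view = stamped if fields is None else {k: v for k, v in stamped.items() if k in fields}
            self.inbox[sub].append(view)

    def query(self, client, topic, **match):
        """Directed query: retained records on a topic whose fields equal the given values."""
        self._authorize(client, "subscribe", topic)
        return [r for r in self.retained[topic] if all(r.get(k) == v for k, v in match.items())]


def demo():
    grid = GridController(["ise", "flow-collector", "vuln-scanner", "report-tool"])
    grid.connect("ise", publish=["session"], subscribe=["anc"])
    grid.connect("flow-collector", subscribe=["session"])
    grid.connect("vuln-scanner", publish=["anc"], subscribe=["session"])
    grid.connect("report-tool", subscribe=["session"])
    grid.subscribe("flow-collector", "session")
    grid.subscribe("vuln-scanner", "session", publishers={"ise"})
    grid.subscribe("report-tool", "session", fields={"ip", "device", "posture"})  # no "who"
    grid.subscribe("ise", "anc")
    grid.publish("ise", "session", {"user": "brian", "ip": "192.0.2.11", "device": "iPad", "posture": "jailbroken"})
    grid.publish("ise", "session", {"user": "nancy", "ip": "192.0.2.12", "device": "MacBook Pro", "posture": "compliant"})
    grid.publish("vuln-scanner", "anc", {"ip": "192.0.2.11", "action": "quarantine"})  # reach-back
    return grid
```

Running `demo()` shows the flow collector receiving full session records, the reporting tool receiving the same events with the user identity stripped, and the scanner's quarantine request reaching only ISE; a client that was never trusted, or one publishing on a topic it was not authorized for, is rejected before anything is delivered.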
Info
Channel: Cisco DevNet
Views: 5,099
Rating: 4.75 out of 5
Id: 1qOaBaiO3xI
Length: 25min 0sec (1500 seconds)
Published: Mon Mar 09 2015