Demo Lab: Using Cisco Cyber Vision to provide dynamic micro-segmentation using Cisco ISE

Captions
Hello. In this video I wanted to show you how you can integrate Cisco Cyber Vision with Cisco Identity Services Engine using the pxGrid interface. This interface will pass attribute information that is discovered by Cisco Cyber Vision from operational domain assets into the policy engine of the Identity Services Engine, which can then profile and provide TrustSec segmentation capabilities to industrial switches that are connected to ISE. So let's have a quick look at the agenda for this demonstration. We're going to investigate the pxGrid interface and how it's configured on both platforms, and then we'll have a quick look at how I've built a profile and an authorization policy to trigger on changes that can be passed across this interface from Cisco Cyber Vision. Then we'll have a look at a demo where I actually make some changes, and we'll look at the implication of that, how it's visualized on Cisco ISE and how it manifests itself from an endpoint perspective. Finally we can look at the CLI changes on the IE4000 and how this TrustSec capability manifests itself at the switch level.

A quick examination of the lab setup for this demonstration. You can see from a platform perspective I've got Cisco Cyber Vision 3.2 connected over the pxGrid interface to Identity Services Engine 3.0. The Cyber Vision platform is collecting SPAN data from an IC3000 sensor, which is connected into a port on the IE4000. The IE4000 is RADIUS connected, for the TrustSec segmentation component, into Identity Services Engine, and then I have three subtended devices that are acting as though they are really a manufacturing cell: one is a Schneider PLC, the second is a Unity Pro programming workstation, and the third is a Modbus client, which is collecting data from the Schneider M340 PLC.

So the starting position is that I've defined some groupings within Cyber Vision. These are virtual groupings that allow devices to be compartmentalized, and they're compartmentalized such that the information that goes across the pxGrid interface will indicate to Identity Services Engine exactly where those devices reside, such that policy can be built based upon some profiling. The default state is that all endpoints are in cell one, and you can see I have this hierarchy where I've got a main plant group and a cell one grouping inside that. So in the first part of the demo we'll have a quick look at the profiling around that and how it looks within ISE. Let's move forward and take a look at how we're going to do some segmentation. I have a second grouping defined called cell 2, which is in this main plant, and what we'll do is take the Modbus client endpoint and move it from cell one into cell two. That will correspond to a change in a dynamic attribute that Cyber Vision will send across once we make that grouping change, and it'll send that attribute across to ISE, which in turn will affect the authorization that is enabled against that endpoint. That will then be assigned a different SGT, SGT 18, that will be indicated down to the IE4000, and we'll see that there's actually a TrustSec matrix step that doesn't allow any connections between cell 1 and cell 2.

So first let's take a look at Cyber Vision in a small lab network. Let's look at the pxGrid interface and show how it's possible to configure the connection between Cyber Vision and another device like Identity Services Engine, and then we'll take a look at that side and see what the configuration looks like. We'll then take a look at the way the attributes are passed across for the devices that are discovered. The pxGrid interface is configured under Administration, and if we click this we'll drill down and see that there's actually a menu item for pxGrid. Very simply, you add in a certificate from the pxGrid side; you generate a certificate locally here, which you download locally to upload into the Identity Services Engine or another platform. You need to have a node name that appears on ISE as the service registration, then you can see you need the host name, and you absolutely do need to have name resolution working between these components, and then you've got the address of the ISE server. Something that's unique about this integration is the fact that we're able to translate asset information for an operational domain, that is, values that would typically not be seen or understood by an IT-level management platform. We can pass those attributes across a link, and effectively Identity Services Engine will be able to profile upon those attributes. We'll be able to use that profile in policy to generate policy decisions that can take effect in a very dynamic way.

So let's take a look at what's actually running in this small lab and drill into the data that's actually being provided. If we do an explore on the data that's there, you can see I've already done some pre-filtering by defining the preset called cell one, and if I drill into that you'll see there's a much reduced number of devices. If we look at the component list for this, you'll see there are really only three devices in this particular grouping that are enabled for Modbus: one is a Schneider M340 PLC, the second is a PC running Unity Pro for programming, which is the Cisco SCH device, and then I've got a client that's actually pulling data from the Modicon controller. Those devices I've arranged into a kind of grouping, so let's have a look at the way I've arranged them into groupings by looking at a map view of the same data. I've created some groupings to subtend these devices into: I have a main plant grouping, and under that I've got a cell one grouping, and you can do this nested grouping in version 3.2 of Cyber Vision. Each of these devices, when they're discovered, contains a number of attributes, so if I click on any of these devices or links I'm going to get more data about the device. As you can see this is a Windows 7 machine; if I click on the technical data sheet you'll see more information, such as what the NetBIOS name is, and we have the ability to pass quite a lot of this attribute information across to actually do the profiling and then ultimately build policy.

So let's move across and take a look at Identity Services Engine. This is actually running version three, the latest version of ISE, released in 2020, and you can see that I've actually got some endpoints discovered. These endpoints are the same endpoints that we're discovering with Cyber Vision. In this case these devices have been authenticated into ISE already from a Cisco IE4000 using MAB, so they're already discovered, and what I'm going to do is overlay information that's now discovered on top of that, based upon attribute values that are provided by Cyber Vision simply when you're defining the pxGrid interface. Let me just drill quickly into that: if I go to Administration, pxGrid Services, you have client management, and you will see within the clients CV32, which if you remember is the name that I'd configured in the pxGrid interface on Cyber Vision to enable the interface between the two devices, by generating a certificate which I then populated back in Cyber Vision, as well as importing a client certificate from that side into the trusted certificates that existed already on Identity Services Engine in the certificate store. So if I just jump to Certificates, Trusted Certificates, you'll see this Cyber Vision entry is the certificate I imported from an export from the Cyber Vision platform.

So if we look at the PLC first, which I know is this 10076 address, and we drill into the attributes that ISE knows about it, let me just slide down to the bottom of this list. At the bottom of the list you'll see a number of these values that start with asset: asset device type, controller. These are all attributes that are passed across that pxGrid interface. So you can see first of all the device type, controller; you can see the protocols it's using, specifically Modbus and UMAS; and you can actually see the software revision of this particular PLC controller. All this information can be used in ISE to profile the endpoint and ultimately to build policy decisions. In addition to these attributes, at the bottom of the list there are some extended attributes. These are values that are being added to the data dictionary specifically to support Cyber Vision, and at the top you can see values that have come across the interface like the ones at the bottom, but you can see some interesting extra information here. First of all you can see an asset group, cell 1, and you can actually see a group path, which is basically a tree of groupings. We can use these values, and we're going to go back and look at this in a sec, to do dynamic changes of policy over on ISE based upon changes that we make in Cyber Vision to where devices reside, that is, which particular groupings they're in.

So let's take a look at how we've built a very simple policy based upon the attributes that Cyber Vision is providing. Here, if we go back in ISE and take a look at the active endpoints, you'll now see that there's a profile associated with this. So how did that process work, so that we can then use that value as an active enabler to allow connectivity or not within a TrustSec-enabled switch? On the dashboard, if we go and take a look at the profiles, you see I have a couple of profiles that I've defined at the top, and the important value here is to look at the rules. A simple rule set in this profile would make the profile active if it was true, and effectively what you can see I have is a custom attribute called asset group, and if it equals cell one, this is the profiler policy name. Now you'll recall that this actual value comes across as a dynamic attribute in the custom attributes; you see it at the top of the endpoint attribute list. So if we take that value and then go and look at the policy that's associated with this in the policy set, if I move to the authorization policy section in the policy, you'll see that if my endpoint profile equals 1-Cell1, permit access and apply the security group to it; conversely, if it equals 1-Cell2, apply a different security group to it. If we look at how they're actually being used within the TrustSec matrix within the platform, first of all I've got a couple of security groups defined here; you can see Modbus cell one and Modbus cell two, and those are the values that are passed down, in this case to an IE4000 switch. If I actually look at the matrix that's defined for this particular policy, I built a mini section, and you can see that I'm saying if the traffic is from Modbus cell one to cell one then permit it, and I have a simple deny statement if it's between one and two and two and one. So effectively, if I move things into something called cell 2 then I would expect traffic to stop.

So if we do an explore on the system, you'll see that I've got a preset defined called cell one. Within the preset, if I click on it and we look at maybe a map, you'll see that I have a main plant grouping and then the subtended group called cell one, and all these devices are in cell one. This reflects absolutely what you see in ISE: if I switch quickly to ISE, the profile is based upon the cell, and if you recall, the endpoint attributes showed those values. So let's move back to Cyber Vision now. Let me take one of these devices; in the background I've actually got traffic running, so here we have the actual PC. You can see attribute values changing as I'm dragging Modbus values from the PLC; I'm also pinging out from this device to the Unity Pro PC, that's the programming workstation, and when we make some policy changes we should see the data on this screen stop, as we're in a kind of block situation. If I take this PC, which is the same one that we're looking at, and I click on it, I've got this option here to manage groups, so I can take this device and move it into a completely different group. Now I've already got a grouping called cell 2 defined; as soon as I click OK you'll see the different grouping called cell 2 that the device is in, but that has made a dynamic change across the interface towards ISE that you will see as a knock-on effect impacting the policy decision engine. So let's take a look at the live session logs, which are always good to look at in this particular case, and hopefully, here we go, you can see that now the profile has changed to 1-Cell2 for this endpoint, which is the device I've moved. We have a different policy, and actually it's now been allocated into a completely different security group tag. So if we look at the actual endpoint itself, you will find now that the Modbus program has stopped and pings have stopped, because we've actually done a dynamic change that has now segmented the device from the other devices. Let's reverse the action: let us move the device back into cell one and that should restore service. We'll do it again and we'll take a look at what the switch sees from a CLI perspective.

So if I move here, I click on this device and I change its group, and I move its group back to cell one. What that should do is restore the connectivity between the devices, and a good place to always look for this kind of thing is in the live sessions log, which will take a few seconds to catch up. OK, now you can see it's completed on the endpoint; it's back in that security group, and I would hope that we have now restored service, and you can see the pings have started and I can restart the reads for Modbus. Let's go back and take a look at what the switch sees. If we look at Cyber Vision, everything is in the same virtual container as well, cell one. So here we have an IE4K and all the endpoints are on the same actual switch, and they've all been MAB authenticated in the first instance, so these three devices are on these three ports and you can see they're all MAB. So what we can do is take a look at some of the TrustSec configuration. From a dynamic push perspective, I guess most people realize that we're using RADIUS from the switch to ISE to pass this information down; that's how the switch is able to do the segmentation piece. But you can see that that particular rule set that we saw in policy has been pushed down to this particular switch, and it has those endpoints to protect, so it's very well aware of what it needs to segment and how to segment if changes should happen. If we look at the SGT map for the switch, you'll see that all the devices are in the same SGT; this corresponds with the SGT values in the ISE engine. So now go back and we'll move this device again into a different grouping; we'll move it to cell 2, and this is what kicks off that whole process effectively. So let's now go across to the switch and see what impact we had when we made those changes. As you can see, it's obviously stopped the traffic, so if we look at the SGT map we'll now see a difference. You can see that this endpoint, which is the one that we're actually sitting on here, has had a different SGT pushed to it, and we know the effect of that. We'll also see a change in the way the policies have been applied, and this is all in line with what you'd expect to see.

So ultimately what I'm trying to show you is how Cyber Vision's integration with things like ISE can really help various levels of segmentation. This is effectively micro-segmentation, but it could be used on a much more macro scale. It was to give you a kind of lab example of how that integration works.
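The decision chain walked through in the demo (a Cyber Vision asset attribute arriving over pxGrid, an ISE profiler policy matching on that attribute, the authorization policy mapping the profile to an SGT, and the TrustSec matrix deciding between two SGTs), as an added Python simulation that is not Cyber Vision or ISE code. The attribute keys assetGroup and assetGroupPath, the SGT value 17 for cell 1, the rule format and the MAC addresses are assumptions; SGT 18 for cell 2 and the matrix permit/deny entries are the ones described in the video.

```python
"""Simulation of attribute-driven TrustSec segmentation (constructed example).

Flow modelled:
  pxGrid attribute update -> profiler policy -> authorization (SGT) -> SGACL matrix
Assumed values: attribute keys 'assetGroup'/'assetGroupPath', SGT 17 for cell 1,
the MAC addresses and the matrix default. SGT 18 for cell 2 and the permit/deny
cells follow the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Profiler policies: profile name -> (custom attribute, value that must match).
PROFILER_POLICIES = {
    "1-Cell1": ("assetGroup", "Cell 1"),
    "1-Cell2": ("assetGroup", "Cell 2"),
}

# Authorization policy: endpoint profile -> SGT pushed to the IE4000 via RADIUS.
AUTHORIZATION = {"1-Cell1": 17, "1-Cell2": 18}  # 17 is assumed, 18 from the demo

# TrustSec matrix: (source SGT, destination SGT) -> SGACL verdict.
# Unlisted cells fall back to the matrix default, assumed here to be permit.
TRUSTSEC_MATRIX = {
    (17, 17): "permit",
    (17, 18): "deny",
    (18, 17): "deny",
}
MATRIX_DEFAULT = "permit"


@dataclass
class Endpoint:
    name: str
    mac: str
    attributes: dict = field(default_factory=dict)  # attributes learned over pxGrid
    profile: str | None = None
    sgt: int | None = None


def profile_endpoint(attrs: dict) -> str | None:
    """Return the first profiler policy whose attribute rule matches."""
    for profile, (key, wanted) in PROFILER_POLICIES.items():
        if attrs.get(key) == wanted:
            return profile
    return None


def authorize(endpoint: Endpoint) -> Endpoint:
    """Re-profile and re-authorize, as ISE does when a pxGrid attribute changes."""
    endpoint.profile = profile_endpoint(endpoint.attributes)
    endpoint.sgt = AUTHORIZATION.get(endpoint.profile)
    return endpoint


def sgacl_verdict(src: Endpoint, dst: Endpoint) -> str:
    """Look up the TrustSec matrix for the source/destination SGT pair."""
    if src.sgt is None or dst.sgt is None:
        return "deny"  # assumption: an endpoint with no SGT is treated as blocked
    return TRUSTSEC_MATRIX.get((src.sgt, dst.sgt), MATRIX_DEFAULT)


def pxgrid_group_update(endpoint: Endpoint, group: str) -> Endpoint:
    """Simulate 'Manage groups' in Cyber Vision: the new group arrives as an attribute."""
    endpoint.attributes["assetGroup"] = group
    endpoint.attributes["assetGroupPath"] = f"Main Plant/{group}"
    return authorize(endpoint)


def build_lab() -> dict[str, Endpoint]:
    """Constructed starting state: the three lab endpoints, all in Cell 1."""
    lab = {
        "plc": Endpoint("Schneider M340 PLC", "00:00:5e:00:53:01",
                        {"assetDeviceType": "Controller", "assetProtocol": "Modbus,UMAS"}),
        "unity": Endpoint("Unity Pro workstation", "00:00:5e:00:53:02"),
        "client": Endpoint("Modbus client", "00:00:5e:00:53:03"),
    }
    for ep in lab.values():
        pxgrid_group_update(ep, "Cell 1")
    return lab


def modbus_allowed(lab: dict[str, Endpoint]) -> bool:
    """True when the Modbus client may reach the PLC under the current matrix."""
    return sgacl_verdict(lab["client"], lab["plc"]) == "permit"


if __name__ == "__main__":
    lab = build_lab()
    print("all in Cell 1:", modbus_allowed(lab))
    pxgrid_group_update(lab["client"], "Cell 2")
    print("client moved to Cell 2 (SGT %s):" % lab["client"].sgt, modbus_allowed(lab))
    pxgrid_group_update(lab["client"], "Cell 1")
    print("client back in Cell 1:", modbus_allowed(lab))
```

Moving the client to Cell 2 changes only one attribute, yet the verdict flips from permit to deny because each stage re-derives its output from the previous one; that is the property the live sessions log and the switch SGT map were showing.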
Info
Channel: Steve Matthews
Views: 677
Rating: 5 out of 5
Id: mlEc0NgO8gI
Length: 17min 39sec (1059 seconds)
Published: Wed Dec 09 2020