In this blog post, I'll go over StealthWatch and ISE integration with pxGrid. With this integration, ISE will share contextual information such as username and device information with StealthWatch and it adds the ability to do rapid threat containment to quarantine misbehaving endpoints. I'm going to use a CA-signed certificate in this post and later I'll add a post with self-signed certificates.
The first thing I'm going to do is upload the CA root certificate to StealthWatch. To download it from the CA's web enrollment page, navigate to https://<CA-IP-address>/certsrv
Click on Download a CA certificate, certificate chain, or CRL and download the CA certificate in Base64 format.
Open StealthWatch Management Console in your browser and navigate to Admin User>Administer Appliance>Configuration>Certificate Authority Certificates
On this screen, choose the root certificate you previously downloaded from the CA and add it to Stealthwatch.
After you have completed this, you should see the following:
Next we will need to create an SMC private key and a certificate signing request (CSR) to be signed by the CA.
To do this, SSH or console into the StealthWatch Management Console Root shell and create the private key:
openssl genrsa -out smc.key 4096
Then create the SMC CSR from that key file; this is what the CA server will sign:
openssl req -new -key smc.key -out smc.csr
Use an SCP client of your choice to copy the smc.csr and smc.key files over to your secure PC. Open the CSR in Notepad on your desktop.
Go back to your CA server in your browser and click on Request a certificate:
On the next page, click on advanced certificate request. You will be taken to the following page:
Copy and paste the contents of the CSR from Notepad into the Base-64-encoded certificate request and choose the pxGrid Certificate Template. To see instructions on how to create this template, see my previous blog post here
After the certificate has been issued, download it in Base 64 format and rename the downloaded file so that it has a .crt extension.
In SMC, navigate to Admin User>Administer Appliance>Configuration>SSL Certificates and scroll to the bottom of the page where you can upload an identity.
In previous versions of Stealthwatch, you had to replace the entire SSL certificate in order to use pxGrid. As of version 6.7.1, Stealthwatch has separated the SSL certificate functions: on this page you can upload an SSL Server Identity, and if you scroll down you can also upload an SSL Client Identity. This is where we upload the certificate we just created.
Upload the CA-signed certificate into the Target Certificate field, the CA root certificate into the Certificate Chain field, and the smc.key file into the Private Key field.
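Before uploading the identity, it is worth confirming that the three files actually belong together. The script below is an added example, not code from the original post: it reproduces the key and CSR steps above non-interactively, uses a throwaway CA created in a temporary directory as a stand-in for the Windows CA at /certsrv so it can run offline, and then checks that the certificate chains to the root, that the private key matches the certificate, and that the Extended Key Usage includes TLS Web Client Authentication, which an SSL Client Identity needs. The file names smc.key, smc.csr, smc.crt and ca.crt, the working directory, and the example subject names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the key and
# CSR steps non-interactively, signs the CSR with a throwaway CA that stands
# in for the Windows CA at /certsrv (constructed for offline use), and then
# runs the checks worth doing before the certificate is uploaded as the SMC
# SSL Client Identity. File names smc.key/smc.csr/smc.crt/ca.crt and the
# working directory are assumptions.

WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and CSR for the SMC. Same commands as the post; the
# subject is passed with -subj so no prompts appear. $1 is the SMC FQDN.
make_smc_csr() {
    openssl genrsa -out "$WORK/smc.key" 4096 2>/dev/null &&
    openssl req -new -key "$WORK/smc.key" -out "$WORK/smc.csr" \
        -subj "/CN=$1/O=Example Lab" 2>/dev/null
}

# Step 2: stand-in CA (constructed). It issues the certificate with both
# serverAuth and clientAuth, which is what a pxGrid template provides.
sign_with_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo Root CA" 2>/dev/null &&
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/ext.cnf" &&
    openssl x509 -req -in "$WORK/smc.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/ext.cnf" -out "$WORK/smc.crt" 2>/dev/null
}

# Step 3: pre-upload checks.
#   a) the certificate chains to the root uploaded under CA Certificates,
#   b) the private key belongs to the certificate (public keys identical),
#   c) the EKU includes TLS Web Client Authentication, which a client
#      identity needs when the SMC authenticates to the pxGrid node.
# Prints "identity OK" and returns 0 when all three pass.
check_identity() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/smc.crt" >/dev/null 2>&1 \
        || { echo "chain check failed: cert does not chain to ca.crt"; return 1; }
    cert_pub=$(openssl x509 -in "$WORK/smc.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$WORK/smc.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key check failed: smc.key does not match smc.crt"; return 1; }
    openssl x509 -in "$WORK/smc.crt" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication' \
        || { echo "EKU check failed: clientAuth missing"; return 1; }
    echo "identity OK"
}
```

Run `make_smc_csr smc.example.com`, then `sign_with_demo_ca` (or, in the real deployment, submit smc.csr to the CA as described above and drop the downloaded .crt and CA root into the working directory), and finally `check_identity`. A failing chain check usually means the wrong root was uploaded under Certificate Authority Certificates; a failing key check means the .crt was issued for a different CSR than the one generated from smc.key.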
In order to utilize ISE to quarantine endpoints, we need to create a Quarantine ANC policy in ISE and add it to the exception policy.
In ISE, we will need to create the dACL that will be used for our Quarantine policy. Navigate to Policy>Policy Elements>Authorization>Downloadable ACLs and click Add to create a new dACL that will be our Quarantine ACL for this policy. This dACL should limit access to the network in order to rapidly contain a threat.
One thing to note: since Cisco Wireless Controllers do not support dACLs, you would also need to create an ACL on the wireless controller and reference it by name in your Authorization Profile under the Airespace ACL Name field.
Next we will need to create the Authorization Profile. After creating your dACL, navigate to Policy>Policy Elements>Authorization>Authorization Profiles and click Add. On the Authorization Profile, choose the dACL previously created and any Airespace ACL (if applicable).
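As an added illustration (not from the original post), this is the shape of a quarantine dACL that limits access the way the step above describes: the endpoint keeps DHCP and DNS so it can still reach a remediation or portal host over HTTPS, and everything else is dropped. The addresses 10.0.0.53 (internal resolver) and 10.0.0.10 (remediation host) are placeholders. ISE dACLs use "any" as the source because the switch substitutes the authenticated endpoint's address when it applies the ACEs:

```text
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.0.53 eq domain
permit tcp any host 10.0.0.10 eq 443
deny ip any any
```

On a wireless controller the equivalent Airespace ACL must be written with explicit source and destination directions in the controller's own ACL editor, then referenced by name in the Authorization Profile.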
Create the Adaptive Network Control Policy List. In ISE, navigate to Operations>Adaptive Network Control>Policy List and click Add. Create a list with the action of Quarantine:
Create a Global Exception Policy. Under your policy in ISE, create the following Global Exception:
In the next step, we will create a remote log exporter in ISE and export certain logs to the SMC. In ISE, navigate to Administration>System>Logging>Remote Logging Targets and click Add. Create a logging target with the following:
- Name: <Name-you-would-like-to-give-this-exporter>
- IP/Host Address: <SMC-IP-Address>
- Port: 3514
- Facility Code: Local6
- Maximum Length: 1024
Click Save when completed.
Navigate to Administration>System>Logging>Logging Categories and add your new remote logging target to the following categories:
- Passed Authentications
- RADIUS Accounting
- Administrative and Operational Audit
The pxGrid ANC Mitigation capability lets the SMC register as a pxGrid client with the ISE pxGrid node and subscribe to the EndpointProtectionService capability, which invokes quarantine/unquarantine mitigation actions on ISE-authenticated endpoints. The first thing we will need to do is add ISE in the SMC. To do so, navigate to Tools>Settings>Cisco ISE Configuration in the SMC. You will have the following fields available:
This section will allow you to add ISE MnT and PSN nodes. After adding them, you should see the following pop-up to indicate that your connection to ISE was successful:
The next thing to do is to add ISE Mitigation. On this same page, there should be a button to add ISE Mitigation. After clicking on this button, there will be the following fields to fill out:
From the Certificate Selection drop-down, choose the SSL Client Identity certificate that you previously uploaded and add the ISE PAN node information. If everything is done correctly, you should see a pop-up that states that the connection to the ISE mitigation node(s) was successful.
On ISE, navigate to Administration>pxGrid Services and you should see the SMC registered. If it is not registered, ensure that the pxGrid service is enabled, that there is a pxGrid certificate configured, and that there are no pending approvals on this page. If all of this has been done correctly, you should see the following in the list:
Check the box next to the SMC on this page and click on the Group button.
Type EPS into the pop-up and click Save.
To test out the mitigation, look up an endpoint in the SMC; you should see the Quarantine and UnQuarantine buttons.
When you click on the Quarantine button, you should see a pop-up in the SMC that states that the Quarantine request was successfully sent to ISE.
Navigate to the ISE RADIUS LiveLog page to view that the endpoint has been quarantined.
To unquarantine an endpoint, go back to the host page in SMC and click on the UnQuarantine button. You should see ISE trigger a CoA request in the RADIUS LiveLog and apply the previous policy to the endpoint.
Congratulations! You have set up Lancope StealthWatch and ISE integration over pxGrid and were able to quarantine threats on your network!