1174 Views | 3 Helpful | 6 Replies

TC NAC and Qualys

rroulhac
Cisco Employee

All,

With TC NAC does Qualys communicate CVSS Scores to ISE via pxGrid or via a private API?

In this doc we see pxGrid Mentioned:

Cisco Rapid Threat Containment - Cisco

"Threat-Centric NAC technologies: You can use the standard expressions of the Structured Threat Information Expression (STIX) for threats and the Common Vulnerability Scoring System (CVSS) for vulnerabilities to help ensure consistent categorization and responses. Qualys is integrated with pxGrid for vulnerabilities and Cisco AMP for threats."

In the Admin guide we see:

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Configure Threat Centric NAC Service [Cisco Identity…

"Qualys Vulnerability Assessment Flow:

  1. The endpoint sends a request to the NAD.
  2. The NAD sends an authentication request to Cisco ISE.
  3. The endpoint gets authenticated, and is granted access to the network.
  4. The VA Service (process that runs on Cisco ISE) sends a request to Qualys to scan the endpoint. Based on the Qualys adapter instance configuration in Cisco ISE, Qualys does one of the following:
     1. Scans the endpoint.
     2. Fetches the last scan results from its database based on the endpoint IP address. Optionally, you can use the MAC address of the endpoint when using the last scan results.
  5. Qualys returns a CVSS score to Cisco ISE.
  6. Based on the CVSS score returned by Qualys and the policies that you have configured in Cisco ISE, the TC-NAC Core Engine Container (process that runs on Cisco ISE) can issue a Change of Authorization (CoA) to grant full, limited, or no access to the endpoint."

Not really clear as to whether it uses pxGrid to send the CVSS Score or not.

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455

Accepted Solution

Jason Kunst
Cisco Employee

Each vendor has their own special API

6 Replies

Jason Kunst
Cisco Employee

Each vendor has their own special API

rroulhac
Cisco Employee

So Jason where does pxGrid come in if each vendor still has to have their own special API?

--

Grace and Peace,

Robert E Roulhac Jr

pxGrid is used for other types of integration not associated with TC-NAC.

Here is an overview of pxGrid: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728420.pdf

Hi Robert,

APIs are an interim solution until our technology partners adopt pxGrid (more from a time-to-market perspective). That mention of pxGrid for the Qualys and ISE integration is a doc bug IMO. Brian (bgonsalv) / John (jeppich) should have clarity on the future developments in this regard.

cheers!

-Hari

Thanks Hari!

This is good to know and clarifies a lot.

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455

imbashir
Cisco Employee

Hello Robert

TC-NAC integration in ISE has 2 major offerings:

VA -- Vulnerability Assessment (Qualys, Rapid7 and Tenable)

  • The integration is based on REST APIs (consuming the VA vendors' public APIs).
  • ISE pulls the VA information from the vendors at a configured interval.
  • APIs are not exposed for public consumption (once the information is in ISE, ISE does not expose APIs for public consumption).

TC-NAC Threat based (AMP, CTA)

  • Vendor-specific APIs (consuming the vendor's public APIs) which are not generic, e.g. AMP leverages APIs which are based on AMQP (message-oriented middleware).
  • Once this information is in ISE, it is not meant for public consumption, e.g. ISE does not expose APIs publicly.
  • In the case of AMP (threat), the AMP cloud pushes information into ISE.
  • In the case of CTA, ISE pulls information from CTA for an endpoint by using APIs which are available from CTA.

Hope this helps address the questions

Thanks

Imran.
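The admin-guide flow quoted in the original post (VA service asks the scanner for a result, receives a CVSS score, policy maps the score to a CoA) and Imran's description of ISE pulling VA data over the vendor's REST API at an interval are easier to reason about as code. The following is an added example written for this thread, not Cisco's or Qualys's code: the scanner client, its record layout, the freshness window and the policy thresholds are all assumptions for illustration (the real adapter speaks the vendor's own REST API). It focuses on the "fetch last scan results" mode and the optional MAC check, showing why that check matters when DHCP has reassigned an IP to a different host.

```python
"""Simulated ISE TC-NAC vulnerability-assessment (VA) adapter.

Added example, not Cisco/Qualys code. Models: fetch last scan result by IP
(optionally checked against the endpoint MAC), fall back to a fresh scan,
reduce findings to one CVSS score, map the score to a CoA decision.
Scanner client, record layout and thresholds are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ScanResult:
    ip: str
    mac: Optional[str]            # the scanner may not know the MAC
    cvss_base_scores: List[float]
    scanned_at: datetime

    @property
    def max_cvss(self) -> float:
        # Policy matches on one score per endpoint; use the worst finding.
        return max(self.cvss_base_scores, default=0.0)


class FakeScannerClient:
    """Stands in for the vendor's REST API; records are constructed sample data."""

    def __init__(self, records: Dict[str, ScanResult]):
        self._by_ip = records

    def last_scan(self, ip: str) -> Optional[ScanResult]:
        return self._by_ip.get(ip)

    def scan_now(self, ip: str, mac: str, now: datetime) -> ScanResult:
        # A fresh scan; the single medium finding is made up for illustration.
        return ScanResult(ip, mac, [4.3], now)


@dataclass
class AdapterConfig:
    use_last_results: bool = True          # "fetch last scan results" mode
    check_mac: bool = True                 # the optional MAC check from the guide
    max_age: timedelta = timedelta(days=7)  # hypothetical freshness window


@dataclass
class CoaDecision:
    action: str      # "full", "limited" or "no_access"
    reason: str
    cvss: float


# Hypothetical policy thresholds on the highest CVSS base score.
LIMITED_AT = 7.0
NO_ACCESS_AT = 9.0


def assess(client: FakeScannerClient, cfg: AdapterConfig,
           ip: str, mac: str, now: datetime) -> CoaDecision:
    result = None
    source = "fresh scan"
    if cfg.use_last_results:
        stored = client.last_scan(ip)
        if stored is None:
            pass
        elif cfg.check_mac and stored.mac and stored.mac.lower() != mac.lower():
            # IP reused by another host: the stored result is not this endpoint's.
            source = "fresh scan (stored result belonged to another MAC)"
        elif now - stored.scanned_at > cfg.max_age:
            source = "fresh scan (stored result too old)"
        else:
            result, source = stored, "last scan results"
    if result is None:
        result = client.scan_now(ip, mac, now)
    score = result.max_cvss
    action = "no_access" if score >= NO_ACCESS_AT else "limited" if score >= LIMITED_AT else "full"
    return CoaDecision(action, source, score)


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed scanner database keyed by IP, as the adapter would query it.
SAMPLE_DB = {
    "10.0.0.5": ScanResult("10.0.0.5", "aa:bb:cc:00:00:05", [9.8, 5.0], NOW - timedelta(days=1)),
    "10.0.0.6": ScanResult("10.0.0.6", "aa:bb:cc:00:00:99", [9.8], NOW - timedelta(days=1)),
    "10.0.0.7": ScanResult("10.0.0.7", "aa:bb:cc:00:00:07", [7.5], NOW - timedelta(days=30)),
    "10.0.0.8": ScanResult("10.0.0.8", None, [7.5], NOW - timedelta(hours=2)),
}


def run_demo(check_mac: bool = True) -> Dict[str, CoaDecision]:
    client = FakeScannerClient(SAMPLE_DB)
    cfg = AdapterConfig(check_mac=check_mac)
    endpoints = {                       # IP -> MAC seen by ISE at authentication
        "10.0.0.5": "aa:bb:cc:00:00:05",  # stored result matches -> no access
        "10.0.0.6": "aa:bb:cc:00:00:06",  # IP now on another host -> rescan
        "10.0.0.7": "aa:bb:cc:00:00:07",  # stored result stale -> rescan
        "10.0.0.8": "aa:bb:cc:00:00:08",  # scanner has no MAC -> accept by IP
    }
    return {ip: assess(client, cfg, ip, mac, NOW) for ip, mac in endpoints.items()}


if __name__ == "__main__":
    for ip, d in run_demo().items():
        print(f"{ip}: {d.action:9} cvss={d.cvss} ({d.reason})")
```

Running `run_demo(check_mac=False)` shows the failure mode: 10.0.0.6 inherits the 9.8 finding of whatever host previously held that IP and is quarantined on another machine's vulnerabilities. With the MAC check on, the mismatch forces a fresh scan instead.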