Dinkar Sharma
Cisco Employee

Introduction

Cisco Secure Dynamic Attributes Connector (CSDAC) is an interface that imports attribute maps from a dynamic environment such as Azure, AWS, VMware vCenter, and NSX-T and reliably provides these dynamic feeds to FMC, which enforces access policy on them without requiring a policy deployment. This document describes the CSDAC components and demonstrates how to integrate it with FMC and VMware. It does not list the CSDAC installation steps; refer to the Cisco and Ansible documentation below for installation steps and guidelines:

 

Ansible collection install cisco.csdac 

Cisco Secure Dynamic Attributes Connector Configuration Guide

Requirements

  • Cisco FMC version 7.0 or later
  • Cisco FTD Version 7.0 or later
  • Ubuntu 18.04 or later

Note: CSDAC with FDM is not supported

What problem does CSDAC solve?

Network constructs such as IP address are not reliable in virtual, cloud and container environments due to the dynamic nature of the workloads and the inevitability of IP address overlap. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy is persistent even when the IP address or VLAN changes.

 

Also, managing policy objects in large enterprise and service provider networks involves a lot of administrative overhead. The task is more cumbersome when objects enforcing access policy come from multiple dynamic environments such as VMware and cloud providers (AWS, Azure). CSDAC solves this problem by providing a programmatic interface that integrates with external dynamic environment providers and keeps up to date with changes in them. It also lets you filter the labels with the AND (match-all) and OR (match-any) logical operators to construct different mappings for a dynamic object from the device manager.

CSDAC Components

Connector: AWS, Azure, VMware vCenter or NSX

Controller: CSDAC

Consumer: FMC

Configuration

  CSDAC Login

The CSDAC tool supports a single ‘admin’ user. The default password is ‘admin’; change it at first login.

  Connector

  • After you log in, click the ‘Connectors’ tab and add an ‘AWS’, ‘vCenter’ or ‘Azure’ connector by clicking the ‘+’ button.
  • Enter the provider credentials and certificate so the connector can read the tag attributes of the instances.
  • For vCenter, add the vCenter web server certificate so the connection is verified rather than trusted blindly.


  Adapters

  • Similarly, click the ‘Adapters’ tab and add an ‘FMC’ adapter by clicking the ‘+’ button.
  • Enter the credentials of the primary FMC (and of the secondary FMC in a High Availability pair) that will receive the filtered attribute mappings.
  • Add the FMC certificate.
  • The filtered attributes are sent to FMC as dynamic objects (using the dynamic objects REST API).


CSDAC Workflow

[Figure: CSDAC workflow diagram (Connectors -> Attribute Filter -> Adapters -> FMC -> FTD)]

1. Connectors get the attributes from the AWS, Azure and vCenter servers.

2. Attribute Filter is used to streamline the attributes using “AND” or “OR” Boolean expression.

3. Adapters then send these streamlined attributes and their IP mappings to FMC as dynamic objects.

4. FMC sends the mappings to FTD in real time (no deploy is needed for an existing policy that already uses the dynamic objects).

FMC Policy Configuration with Dynamic Objects

Once CSDAC is connected with FMC and starts sending object feed, FMC policy rules can be configured with dynamic objects.


 

Once a policy with dynamic objects is deployed, all subsequent changes to the dynamic objects (IP addresses added or removed) are pushed to the FTD without a policy push.

Use Case: Blocking IP address using dynamic object without a policy push

As noted above, once a policy whose access rules use a dynamic object has been deployed, subsequent feed updates to that object do not need a policy push. This enables another useful use case: deploy ahead of time an access rule that blocks traffic matching a dynamic object as source or destination. When one or more IP addresses later need to be blocked, simply change the dynamic attributes filter on CSDAC; CSDAC updates the dynamic object on FMC via the REST API, and FMC updates the object used in the access policy on FTD without a policy push. This is also helpful for third-party Security Policy Management frameworks such as Tufin and AlgoSec, which rely on the FMC/FTD API for policy deployment.
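The pipeline described above, modelled in Python as an added worked example (this is not CSDAC's or Cisco's code): the match-all/match-any attribute filter, the diff between a dynamic object's current and desired IP mappings, and the push of that diff to FMC. The VM inventory is constructed. The `generatetoken` login and its response headers are as documented for the FMC platform API; the `dynamicobjectmappings` path and the add/remove payload shape are assumptions taken from the FMC 7.0 API Explorer and should be checked against your FMC version. All function and class names (`select_ips`, `diff_mappings`, `FmcClient`, ...) are illustrative. The client pins the FMC certificate you uploaded to the adapter instead of disabling TLS verification, and the transport is injectable so the flow can be exercised without an FMC.

```python
import base64
import json
import ssl
import urllib.request
from ipaddress import ip_address

# Constructed VM inventory, standing in for what a vCenter/AWS/Azure connector returns.
INVENTORY = [
    {"name": "web-01",  "ip": "10.1.1.10", "tags": {"env": "prod", "role": "web"}},
    {"name": "web-02",  "ip": "10.1.1.11", "tags": {"env": "prod", "role": "web"}},
    {"name": "db-01",   "ip": "10.1.2.5",  "tags": {"env": "prod", "role": "db"}},
    {"name": "web-dev", "ip": "10.9.1.10", "tags": {"env": "dev",  "role": "web"}},
]


def select_ips(inventory, conditions, match_all=True):
    """Dynamic attributes filter: IPs of workloads whose tags satisfy `conditions`,
    a list of (key, value) pairs. match_all=True is AND (match-all), False is OR (match-any)."""
    combine = all if match_all else any
    return {vm["ip"] for vm in inventory
            if combine(vm["tags"].get(k) == v for k, v in conditions)}


def diff_mappings(current, desired):
    """Add/remove lists that move the object's mappings from `current` to `desired`;
    sorted by address so the payload is stable across runs."""
    add = sorted(desired - current, key=ip_address)
    remove = sorted(current - desired, key=ip_address)
    return add, remove


def mapping_payload(object_id, object_name, add, remove):
    """Body for POST .../object/dynamicobjectmappings.
    ASSUMPTION: shape taken from the FMC 7.0 API Explorer; verify for your version."""
    ref = {"id": object_id, "name": object_name, "type": "DynamicObject"}
    body = {}
    if add:
        body["add"] = [{"mappings": add, "dynamicObject": ref}]
    if remove:
        body["remove"] = [{"mappings": remove, "dynamicObject": ref}]
    return body


class FmcClient:
    """Minimal FMC REST client (illustrative). `transport(method, url, headers, body)`
    must return (status, headers, body); the default uses urllib with a pinned CA."""

    def __init__(self, host, user, password, ca_file=None, transport=None):
        self.base = f"https://{host}"
        self.auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = None
        self.domain = None
        self.transport = transport or self._urllib_transport(ca_file)

    @staticmethod
    def _urllib_transport(ca_file):
        # Trust only the FMC certificate uploaded to the adapter (or the system CAs if None).
        ctx = ssl.create_default_context(cafile=ca_file)

        def send(method, url, headers, body):
            req = urllib.request.Request(url, data=body, headers=headers, method=method)
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        return send

    def login(self):
        """POST generatetoken with Basic auth; FMC answers 204 and returns the token
        and the domain UUID in response headers."""
        status, headers, _ = self.transport(
            "POST", self.base + "/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": "Basic " + self.auth}, None)
        if status != 204:
            raise RuntimeError(f"FMC login failed: HTTP {status}")
        h = {k.lower(): v for k, v in headers.items()}
        self.token = h["x-auth-access-token"]
        self.domain = h["domain_uuid"]
        return self.domain

    def update_mappings(self, object_id, object_name, add, remove):
        """Push a mapping change; FTD receives it without a policy deploy.
        Returns the HTTP status, or None when there is nothing to change."""
        if not (add or remove):
            return None
        url = f"{self.base}/api/fmc_config/v1/domain/{self.domain}/object/dynamicobjectmappings"
        headers = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        body = json.dumps(mapping_payload(object_id, object_name, add, remove)).encode()
        status, _, resp = self.transport("POST", url, headers, body)
        if status not in (200, 201):
            raise RuntimeError(f"mapping update failed: HTTP {status} {resp[:200]!r}")
        return status


if __name__ == "__main__":
    # Offline demonstration of the filter and diff; the push needs a reachable FMC.
    desired = select_ips(INVENTORY, [("env", "prod"), ("role", "web")])
    add, remove = diff_mappings({"10.1.1.11", "10.1.1.99"}, desired)
    print(json.dumps(mapping_payload("obj-id", "blocked-hosts", add, remove), indent=2))
```

To use it against a real FMC, construct `FmcClient("fmc.example.net", "apiuser", password, ca_file="fmc.pem")`, call `login()`, and pass the output of `diff_mappings()` to `update_mappings()` with the dynamic object's id and name; keep the API user's role limited to object management, since the token it obtains can rewrite every dynamic object in the domain.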

 

Note: FMC can also block an IP address or a list of IP addresses by two other methods that do not require a policy push:

  • In Analysis > Connections > Events, right-click a connection and select "Add IP to Block-list". A subnet cannot be added this way.
  • FMC also lets you add an object group or a Security Intelligence list of IPs and URLs, but that list has to be updated and re-uploaded manually; there is no API to update it.