Cisco Secure Dynamic Attribute Connector
Using Dynamic Attributes in Cisco Secure Firewall Policies
Introduction
The Cisco Secure Dynamic Attributes Connector (CSDAC) is a feature of the Cisco Secure Firewall Management Center (FMC) that brings agility and intelligence into your security policy management.
CSDAC enables your firewall policy to adapt in real-time to the changes in public and private cloud workloads and business-critical SaaS applications. The Firewall Management Center and CSDAC integration simplify management through firewall policy automation by keeping the rules up-to-date without tedious manual updates and policy deployment. With CSDAC, you can centrally manage workload attribute feeds obtained from multiple public and private cloud environments, enabling firewalls to adapt to changes instantaneously to help accelerate Cisco Secure Firewall integration with your complex and dynamic environment. CSDAC provides a set of predefined connectors for importing IP prefixes of commonly used SaaS applications: Office365, GitHub, WebEx, and Zoom. You can also configure a Generic TXT connector to subscribe to IP prefix feeds in a flat text format. See the summary of supported CSDAC connectors in Figure 2.
CSDAC significantly improves network security with automatic endpoint attribute and contextual awareness propagation simultaneously, preventing the build-up of outdated firewall rules over time. With CSDAC the firewall policy becomes more dynamic, secure, and much easier to manage. As illustrated in Figure 3, the CSDAC discovers resources and IP addresses in the cloud and translates this information to dynamic network objects consumed by firewall deployment. The CSDAC keeps track of the changes on the cloud side and updates dynamic objects accordingly in near real time.
CSDAC in Action
CSDAC maps IP addresses of cloud resources to Dynamic Objects, which are then used in Access Control Policy rules. Changes in the cloud detected by CSDAC are cascaded in real-time to the FMC, and in turn, to the managed firewalls without any administrator action. CSDAC makes firewall policy dynamic, more secure, and easier to manage. Figure 4 illustrates step-by-step, how CSDAC dynamically updates firewall policy.
- The firewall protects a Workload and is configured with an Access Control Policy containing the dynamic object Workload_A representing cloud resources.
- CSDAC monitors changes to the workload constantly and detects when a new instance is spun up.
- CSDAC detects the workload change and evaluates the user-created attribute filters.
- Then CSDAC triggers a REST request to update the Workload_A dynamic attribute with the 10.0.0.5 IP address of the new server.
- The Firewall Management Center adds the new IP address to the dynamic object.
- Immediately after the Workload_A object change, the FMC pushes an update to all the managed firewalls using that object in deployed Access Control Policies. The dynamic object update happens automatically and does not require a policy deployment.
- The firewall updates the new IP address in Snort's identity memory and its policy to allow the new server access.
Architecture
Cisco Secure Dynamic Attributes Connector is a modular, containerized application comprised of three main components:
- Connectors – a connector is a software interface that interacts with a public or private cloud provider to retrieve up-to-date network information, categories, and tags. CSDAC translates information provided by the connectors to Dynamic Objects used in firewall access control policies on the FMC. Architecturally the connectors are software plug-in modules installed in CSDAC, which allows the straightforward addition of new connectors in future releases.
- Dynamic Attribute Filters – a set of conditions configured by an administrator, defining how cloud resources are mapped to Dynamic Objects. The filters are built with AND/OR boolean expressions matching attributes specific to the source Provider. For example, you can configure a Dynamic Object with VM IP addresses assigned with a particular tag in Azure or running in a specific VMWare port group.
- Adapters – represent a secure connection to an FMC configured with Dynamic Objects by CSDAC and periodically updated with changes detected via configured cloud Connectors.
Dynamic objects are the cornerstone of the solution in the Firewall Management Center introduced in the Secure Firewall 7.0 release. Dynamic objects provide a new approach to building and keeping the access control policy up to date. The dynamic objects are a special flavor of network objects that can be configured and updated on-the-fly with the Firewall Management Center’s programmatic interface. With dynamic objects, the Access Control Policy is auto-updated in real-time without policy deployment.
If you want to learn more about dynamic objects watch the Cisco Secure Firewall 7.0 Release: Identity - Dynamic Objects video on the Cisco Secure Firewall YouTube channel:
Deployment Scenarios
Cisco Secure Dynamic Attribute Connector provides flexible deployment options depending on the nature of the firewall installation. You can use CSDAC in one of the three form factors:
- Native (FMC integrated) - running as a container in Firewall Management Center.
- Cloud-Delivered (CDO embedded) - Cisco Defence Orchestrator cloud-delivered application.
- Standalone (on-prem) - an on-premises application running on a Linux server.
Firewall Management Center software release 7.4 and later highlights CSDAC deployment options when you navigate to Objects > External Attributes > Dynamic Objects as illustrated in (Figure 6). This quick-start page displays options, representing supported form factors, the required steps, and "how it works" pop-ups.
FMC displays the quick-start page presented in Figure 6 only until the first dynamic object is configured.
Native (Integrated) with Firewall Management Center
The Firewall Management Center integrated form factor provides out-of-the-box CSDAC capabilities. The CSDAC runs as a native service within the management center and allows configuring between 10-30 connectors depending on the FMC model. You can access the CSDAC in the Integration tab as illustrated in Figure 7.
The Dynamic Attributes Connector is disabled by default. Enabling CSDAC is a one time configuration.
CSDAC Internet connectivity
The Dynamic Attributes connector requires access to the internet to reach public cloud providers and download connector binaries. Remember to provide Firewall Management Center with either a direct or proxied Internet access.
The Dynamic Attributes Connector connects to your on-premises VMWare/NSX-T infrastructure and public providers using the management center's network interface (Figure 8).
The integrated Dynamic Attributes Connector runs as a containerized application on the Firewall Management Center. As the CSDAC shares resources with the hosting FMC, there are connector limits imposed depending on the management center.
Management Center Model | Maximum Dynamic Attribute Connectors |
---|---|
FMC1600, FMCv | 10 connectors |
FMC2600, FMCv300 | 20 connectors |
FMC4600 | 30 connector |
Connector count is enforced
The maximum number of connectors is enforced by software, to ensure you stay within recommended limits. Once you configure the maximum number of connectors, the new connector button is grayed out and the management center displays a warning message.
Additional memory requirements for FMCv/FMCv300
When running a virtual version of the management center (FMCv or FMCv300), remember to allocate an additional 1 GB of RAM memory for each 5 connectors configured.
You can check the status of CSDAC components running within the management center using CLI. Connect to the console of the FMC, enter expert mode, and change the directory to /usr/local/sf/csdac. Run muster-cli status command to display running core services and connector instances. In the example below you can see the list of Core Services and three connector instances in a healthy state.
Copyright 2004-2023, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Firepower Extensible Operating System (FX-OS) v2.14.0 (build 425)
Cisco Secure Firewall Management Center for VMware v7.4.0 (build 1888)
>expert
admin@fmc:~$ sudo su - root
root@fmc:~# cd /usr/local/sf/csdac/
root@fmc:/usr/local/sf/csdac# ./muster-cli status
=============================================== CORE SERVICES ===============================================
Name Command State Ports
---------------------------------------------------------------------------------------------------------
muster-bee /bin/sh -c /app/bee Up 127.0.0.1:15050->50050/tcp, 50443/tcp
muster-envoy /docker-entrypoint.sh runs ... Up 127.0.0.1:6443->8443/tcp
muster-local-fmc-adapter ./docker-entrypoint.sh run ... Up
muster-ui-backend ./docker-entrypoint.sh run ... Up 50031/tcp
muster-user-analysis ./docker-entrypoint.sh run ... Up 50070/tcp
=========================== CONNECTORS AND ADAPTERS ===========================
Name Command State Ports
-------------------------------------------------------------------------------------
muster-connector-github.4.muster ./docker-entrypoint.sh run ... Up 50070/tcp
muster-connector-webex.3.muster ./docker-entrypoint.sh run ... Up 50070/tcp
muster-connector-zoom.3.muster ./docker-entrypoint.sh run ... Up 50070/tcp
Native CSDAC Supports FMC High-Availability
The native Cisco Secure Dynamic Attributes Connector benefits from the high availability capabilities of the Firewall Management Center. When you deploy your management centers in high availability, a CSDAC standby instace runs on the secondary server, ready to pick up dynamic updates upon primary failure. You can run muster-cli status on the secondary FMC server to confirm the set of core services and connectors runs in the background.
Cloud-Delivered (CDO Embedded) CSDAC Deployment
The SaaS form factor provides the benefits of dynamic attribute updates without having to deploy and maintain a Linux server hosting the CSDAC application in your environment. The CSDAC application is available in Cisco Defense Orchestrator in the Tool & Services section.
The cloud-delivered CSDAC runs within Cisco Defence Orchestrator and can provide dynamic updates to both on-premises and cloud-delivered Firewall Management Center deployments. In the latter scenario, the communication between CSDAC and the cloud-delivered FMC is provided natively by the CDO's infrastructure as illustrated in Figure 10.
The communication between cloud-delivered CSDAC and the on-premises FMC, is established through a lightweight connector application, Secure Device Connector or SecureX as illustrated on Figure 11.
In order to use the cloud-delivered CSDAC with an on-premises firewall deployment, you need to add your Firewall Management Center to the Cisco Defence Orchestrator's (CDO) inventory. CDO supports two connection methods with on-premises Firewall Management Centers:
- SecureX based connection (SecureX on-boarding procedure)
- Secure Device Connector based connection (Credentials on-boarding procedure)
Figure 12 provides a screenshot of the initial step of the on-premises Firewall Management Center onboarding wizard in the Cisco Defense Orchestrator.
Cloud-delivered CSDAC can support on-premises and cloud-delivered Firewall Management Center adapters at the same time.
The following video provides an overview of the cloud-delivered CSDAC along with a demo covering integration with both on-premises and cloud-delivered FMC.
Standalone (On-premises) CSDAC Deployment
The on-premises CSDAC application can be installed on the following Linux distributions:
- Ubuntu 18.04 to 22.04.02
- Red Hat Enterprise Linux (RHEL) 7 or 8
- CentOS 7 Linux
The install and upgrade process is automated with Ansible Galaxy 2.9 or later and requires Python 3.6.x. The minimum requirements for the system are 4 CPUs, 8GB RAM, and 100 GB of available disk space.
Best Practice
Depending on your deployment scale and the number of the connectors consider following sizing recommendation for the CSDAC host system:
Max. Connectors
Avg. Number of Filters per Connector
Number of Workloads
Recommended System Setup 50
5
20 000
4 CPUs; 8GB RAM; 100 GB disk 125
5
50 000
8 CPUs; 16GB RAM; 100 GB disk
The on-premises CSDAC is typically deployed in a Data Center in close network proximity to the Firewall Management Center as illustrated in Figure 13. Depending on the providers you want to monitor, ensure the CSDAC has network connectivity to the programmatic interfaces on the Internet or locally in your Data Center. Use the on-premises CSDAC to provide dynamic objects to on-premises and cloud-delivered Firewall Management Centers.
If you are integrating an on-premises CSDAC with a cloud-delivered FMC, ensure you allow outbound network access towards Cisco Defense Orchestrator on your firewalls (Figure 6). To find the your cloud-delivered Firewall Management Center's URL, open the CDO console and navigate to "Tools & Services > Firewall Management Center" and select the desired FMC instance.
The CSDAC Ansible collection and detailed installation instructions are available on the Ansible Galaxy space and in the video below.
Configuration
Connectors
The connectors are the modules that interface with the public and private cloud providers to retrieve information about workload resources over a secure connection. CSDAC supports the import of mappings from the following:
- Microsoft Azure user-defined tags (Azure Connector YouTube Demo)
- Microsoft Azure service-tags public feed (Azure Service Tags Connector YouTube Demo)
- Amazon Web Services (AWS) user-defined tags (AWS Integration YouTube Demo)
- Amazon Web Services (AWS) service-tags public feed
- Amazon Web Services (AWS) Security-Group based objects
- Google Cloud Platform (GCP) labels and network tags (GCP Connector Setup YouTube Demo)
- Office 365 public feed (Office 365 Connector YouTube Demo)
- GitHub public feed (GitHub Connector Setup YouTube Demo)
- VMware categories and tags are managed by vCenter and NSX-T (VMWare Integration YouTube Demo)
- Zoom public feed (Zoom Connector Setup YouTube Demo)
- Webex public feed (Webex Connector Setup YouTube Demo)
- Generic TXT - generic connector for a flat public or private feed (Generic Text Connector Setup YouTube Demo)
- Cisco Cyber Vision - OT device groups (Cyber Vision Connector Setup YouTube Demo)
The new connectors are being added to CSDAC on a regular basis. Refer to Table 2 for the breakdown of supported connectors per CSDAC version and form factor.
CSDAC Version/Platform | AWS | AWS Security Groups | AWS Service Tags | Azure | Azure Service Tags | Cisco Cyber Vision | GCP | Generic TXT | GitHub | Office365 | VMWare | Webex | Zoom |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Version 1.1 (on-premises) | YES | - | - | YES | YES | - | - | - | - | YES | YES | - | - |
Version 2.0 (on-premises) | YES | - | - | YES | YES | - | YES | - | YES | YES | YES | - | - |
Version 2.2 (Standalone) | YES | - | - | YES | YES | - | YES | - | YES | YES | YES | - | - |
Version 2.3 (Standalone) | YES | - | - | YES | YES | - | YES | - | YES | YES | YES | YES | YES |
Version 3.0 (Standalone) | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES |
Cloud-Delivered (CDO) | YES | - | - | YES | YES | - | YES | YES | YES | YES | -* | YES | YES |
Native FMC 7.4 | YES | - | - | YES | YES | - | YES | YES | YES | YES | YES | YES | YES |
Native FMC 7.6 | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES | YES |
* - in CDO deployments, you can use an on-premises CSDAC instance to provide VMWare sourced dynamic objects to your cloud-delivered Firewall Management Center as illustrated in **Figure 14**.
In Figure 15 below, you can see an example of a Google Cloud Platform Connector setup. The name uniquely identifies the connector instance and refers to the Dynamic Attribute Filters configuration to specify the provider for individual Dynamic Objects.
The pull interval value determines the frequency at which the CSDAC reaches out to the provider for the latest list of resources. This timer directly influences how quickly your firewalls pick up changes to the Dynamic Objects used in enforcing policies. The lower the pull interval, the quicker the firewall policy gets updated.
Warning
Some providers impose limits on the number of API calls in a unit of time and may throttle CSDAC requests if the pull interval is set to a low value.
Best Practice
When configuring the pull interval, ensure you find the right balance between the desired dynamic object update delay and the rate of requests supported by your providers. The CSDAC generates warnings messages when a provider throttles the requests. In such instances, gradually increase the pull interval timer to an acceptable value.
The attributes required to configure a connector are specific to the provider. Depending on the connector you are setting up, you may need a set the region where your services are deployed, as well as the API access credentials or username/password. Once you configure the required fields, you can run a connectivity test to confirm your setup is complete, and the CSDAC can reach the provider.
The Cisco Secure Dynamic Attributes Connector Configuration Guide gives a helping hand with provider-specific application account setup. In the documentation, you will find a set of step-by-step procedures for each provider supported by the CSDAC. The table below provides a list of quick links for your convenience.
Provider | Procedure for setting up an application account for CSDAC access |
---|---|
AWS and AWS Security Group Connector | Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector |
AWS Service Tags | No credentials required - CSDAC downloads IP ranges from a public Amazon URL. |
Azure and Azure Service Tags | Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector |
Cisco Cyber Vision | Configure an API key in the Cyber Vision management console |
GCP | Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector |
Generic TXT | No credentials required - CSDAC downloads IP addresses and rages from a custom HTTP/HTTPs feed. |
GitHub | No credentials required - CSDAC downloads IP ranges of GitHub content, webhooks, and actions from a public GitHub's API URL. |
Office365 | No credentials required - CSDAC downloads IP ranges of Skype for Business, Sharepoint, Exchange and Common Services from a public Microsoft's API URL. |
VMWare | vCenter Connector—About User Permissions and Imported Data |
Webex | No credentials required - CSDAC downloads IP ranges of Webex Meetings&Messaging and Calling from a public Webex Service Prefix Feed |
Zoom | No credentials required - CSDAC downloads IP ranges of Zoom components from public IP Ranges TXT Files |
Once you set up a connector you can review the configuration details as well as the current status. The Connectors tab provides a list of all provider instances configured in your CSDAC as illustrated in Figure 16.
Note
You can configure multiple connectors for each type AWS, Azure, GCP, and VMWare, should you have multiple public or private cloud instances of the same type.
Adapters
Adapters are secure connections to the Firewall Management Center that CSDAC uses to configure and update dynamic objects. When configuring the adapter on your on-premises CSDAC (see an example in Figure 17) you need to provide the IP address, username, and password, as well as, your FMC's trusted certificate chain.
It is strongly recommended to create a dedicated user on the FMC for the CSDAC REST API access.
When running native CSDAC, adapter configuration is not available. The hosting Firewall Management Center is implicitly configured to injest dynamic objects configured in the on-board CSDAC.
Starting from the on-premises CSDAC release 2.0, you can configure an adapter connecting to the cloud-delivered FMC. The adapter setup requires a base URL and the API token, which are available in your Cisco Defense Orchestrator tenant. The step-by-step procedure is available in the CSDAC Configuration Guide in the Get Your Base URL and API Token section.
In the cloud-delivered CSDAC, you simply select the on-premises FMC from your inventory or the cloud-delivered FMC. You don't have to specify access credentials as the connection is already secured by the Cisco Defense Orchestrator management channel.
Dynamic Attributes Filters
The Dynamic Attribute Filters are conditions used to map public and private cloud resources to Dynamic Objects. Each filter contains:
- The Dynamic Object name to be programmed on the Firewall Management Center
- The source connector provides information about the workload
- A query string defining the matching criteria for VMs and instances in which IP addresses will be dynamically added to the objects pushed to the firewalls
CSDAC pulls the list of resources using configured connectors with provider-specific meta-data. The information is made available to the administrator within the Dynamic Attribute Filter configuration in the form of Key/Value pairs. The Keys are the attributes associated with a VM or an instance running in a cloud, such as user-defined tags in AWS/Azure/GCP, network, power status, or VM name on vCenter.
In the sample condition depicted in Figure 21, the CSDAC provides a drop-down of available Keys that one can use for the vCenter connector.
After selecting a Key, CSDAC displays the available set of Values an administrator can use as the matching criteria. In Figure 22, after selecting "os" key, CSDAC provides the list of operating systems running in the VMware infrastructure.
You can use Equals and Contains operands, as well as, select multiple values with ANY/ALL matching logic.
CSDAC gives you the flexibility to configure a query with multiple conditions to match many Key/Value pairs at the same time.
Once your query is complete you can observe the list of IP addresses in the preview that match the conditions.
Note
You cannot configure dynamic attributes filters for GitHub, Office 365, WebEx, Zoom, Azure Service Tags nor Generic TXT connectors. For these public feeds connectors, the CSDAC creates automatic filters, organizing IP prefixes into dynamic objects as per categories provided within the feeds.
Using CSDAC-Provided Objects in the Firewall Rules
CSDAC polls the cloud providers periodically for a list of available VMs/instances and their attributes. When a change in a workload is detected, CSDAC sends an update to the FMC. You can review the list of IP addresses assigned to dynamic objects in the Firewall Management Center in Objects > Object Management > External Attributes > Dynamic Object.
You can use Dynamic objects in the firewall rules in your Access Control Policy as both source and destination matching criteria.
The Firewall Management Center distributes the change to the managed firewalls seamlessly, without deploying the policy or performing a Snort reload. This way, the firewall policy remains up-to-date, without any action from the administrator and with no interruption to traffic. The updates to dynamic objects propagate to the firewall in near real time.
📚Additional Resources
Cisco Blogs:
Documentation and Configuration guides:
- Cisco Secure Dynamic Attributes Connector Configuration Guide
- Managing the Cisco Secure Dynamic Attributes Connector with the Cisco Defense Orchestrator
- Ansible CSDAC Collection
CSDAC videos on Cisco Secure Firewall YouTube channel:
- New integration between Cisco Secure Firewall and Cisco Cyber Vision
- Firewall Management Center with integrated Cisco Secure Dynamic Attributes Connector
- Cisco Secure Firewall 7.2 Release - Cloud Delivered Dynamic Attributes Connector
- Cisco Secure Firewall 7.1 Release - Dynamic Attributes Connector Update
- Cisco Secure Firewall 7.0 Release - Deployment of CSDAC
- Cisco Secure Firewall 7.0 Release - Dynamic Attributes Connector Integration with AWS
- Cisco Secure Dynamic Attributes Connector - VMware vCenter Integration
- Cisco Secure Firewall 7.0 Release: Identity - Dynamic Objects
Cisco Live! Security Sessions:
Updated 2 months ago