Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

  • 1.  NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Jan 30, 2017 01:53 PM

    Teams,

     

    Please find enclosed information and details related to a new ClearPass Extension and TechNote Release – ServiceNow [SNOW] Common Management DB [CMDB] Integration. This integration leverages the ClearPass Extension Framework to allow ClearPass to utilize the device-asset database of SNOW as an authorization source. Companies are interested in knowing if devices that are connecting to the corporate network are known devices, be that BYOD or corporately issued, before they are permitted access.

     

    In this TechNote, read how to set up and configure ClearPass Policy Manager to deploy, configure and utilize the SNOW CMDB as an authZ source as part of a service-policy to ensure what is connecting should be on the network.

    You can find the document on the support site located here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=24201

    Happy reading – go fill your boots! Comments and feedback/suggestions graciously accepted.



  • 2.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Apr 12, 2017 12:23 PM

    Thanks Danny,

     

    Would it be possible to have Snow periodically update the Endpoints repository on CPPM with specific attributes gathered to utilize this data within an enforcement policy?  This would be in the case that "Snow" is hosted in the Cloud and to avoid having CPPM query the external systems.


    Regards,


    Angelo



  • 3.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Apr 12, 2017 11:43 PM

    Hi Angelo,

     

    The short answer is yes, we expose a number of REST APIs that you can use to update endpoint attributes.

     

    The challenge is getting this info into the CPPM node, normally buried on the TRUST side of corporate firewalls. If you can convince a customer to open a pin-hole to permit SNOW to POST against an exposed API, you're gold, and good to go.



  • 4.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Apr 13, 2017 11:29 AM

    Danny,

    Follow-up on Angelo’s question, just to clarify for me:

    Intent:
    We intend to have ServiceNow be the central asset repository by having its fields updated from various backends such as MI, SCCP etc. to indicate if a device is encrypted, tagged, if the user is active, etc.

    Consensus from our ServiceNow admin is that our SN implementation could not keep up with a large and sustained influx of individual pull queries from CPPM to SN and be able to respond within an acceptable time period. Seems in our environment this would require multiple recursive queries per because of how we nest our fields, as I recall. Therefore one approach being discussed is to have a separate DB get periodic pushes from SN matching the fields we need CPPM to check against. CPPM would then query the separate DB for determining if all criteria for a particular Role are met.

    Question(s):
    1. Could we use the CPPM local DB for this purpose?
    2. Could SN periodically push as a dump (or CPPM pull as a periodic dump) selective attributes, that we create and customize on SN, from various fields within SN to the CPPM local DB?
    3. Would there be a threshold we would have to be aware of where the CPPM internal DB may not be able to scale to in relation to data store or query rates?
    4. What would be a realistic refresh time for this, so we have an idea of the period that stale data may exist between refreshes?

     

    Any other caveats we would have to take into consideration?

     

    Thanks

    Chris



  • 5.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Apr 13, 2017 10:28 PM

    Chris,

     

    In theory, yes, you could potentially use the CPPM LocalDB as a datastore. We have exposed REST APIs that you could use to orchestrate adding endpoint and endpoint data into this DB; this could cater for the 'special' SN fields as described.

     

    This would need to be a SN PUSH into CPPM, but you'll have the same issue of getting that pin-hole opened in the firewall to allow inbound REST calls.

     

    What is the expected number of endpoints {API calls} you want to make?

     

    Re data freshness, how do you want to use this data?



  • 6.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Aug 11, 2020 03:35 AM

    Hi Danny,

     

    Sorry for hijacking this old thread.

     

    I would like to check if there is any kind of attribute caching that is done when we use the extension which can probably reduce the number of lookups done against ServiceNow.

     

    Given that we define the internal IP used by the extension as HTTP Auth source, there is no caching available for the same.

     

    We are in the process of integrating our ClearPass servers with ServiceNow. Given the number of devices & lookups which might need to be done, I am a bit worried about any performance issues that ServiceNow might experience.



  • 7.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Aug 11, 2020 09:11 PM

    Well, your timing is on-point. We have a major update right around the corner for SNOW Integration.

     

    We're delivering

    1. Sync CMDB down to CPPM Endpoint

    2. Sync CPPM Endpoint up to CMDB

    3. The ability to update SNOW CMDB with real-time attributes if you choose

    4. If necessary still provide a real-time check in SNOW and cache the results
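
Added example, not part of the thread and not code from the ClearPass extension: a sketch of the trade-off raised above between caching CMDB lookups and serving stale data. `CmdbAuthzCache`, its TTL values and the sample record are hypothetical; the lookup callable stands in for whatever queries ServiceNow. A positive answer is reused until its TTL ends, unknown devices get a shorter TTL, and an upstream failure is treated as "unknown" rather than answered from expired data.

```python
import time

class CmdbAuthzCache:
    """TTL cache in front of a per-MAC CMDB lookup (hypothetical helper)."""
    def __init__(self, lookup, ttl_known=300.0, ttl_unknown=30.0,
                 clock=time.monotonic):
        self._lookup = lookup            # callable(mac) -> attribute dict, or None if unknown
        self._ttl_known = ttl_known      # seconds a positive answer may be reused
        self._ttl_unknown = ttl_unknown  # shorter, so newly registered assets appear quickly
        self._clock = clock
        self._entries = {}               # mac -> (expires_at, attributes or None)
        self.upstream_calls = 0

    @staticmethod
    def normalize(mac):
        # One cache key per device, whatever separator or case is used
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError("not a MAC address: %r" % (mac,))
        return digits

    def get(self, mac):
        key = self.normalize(mac)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.upstream_calls += 1
        try:
            attrs = self._lookup(key)
        except Exception:
            # Fail closed: drop the expired entry and do not cache the failure
            self._entries.pop(key, None)
            return None
        ttl = self._ttl_known if attrs is not None else self._ttl_unknown
        self._entries[key] = (now + ttl, attrs)
        return attrs

def demo():
    cmdb = {"aabbccddeeff": {"encrypted": True}}  # constructed sample record
    t = [0.0]                                     # fake clock for a repeatable run
    cache = CmdbAuthzCache(cmdb.get, clock=lambda: t[0])
    first = cache.get("AA:BB:CC:DD:EE:FF")        # miss: one upstream lookup
    cache.get("aa-bb-cc-dd-ee-ff")                # hit: same device, no lookup
    del cmdb["aabbccddeeff"]                      # asset retired in the CMDB
    stale = cache.get("aabbccddeeff")             # still cached: stale until TTL ends
    t[0] = 301.0
    fresh = cache.get("aabbccddeeff")             # expired: re-checked, now unknown
    return first, stale, fresh, cache.upstream_calls
```

The positive TTL is the longest time a device removed from the CMDB keeps matching, so it should be chosen against the acceptable revocation delay, not only against lookup volume.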



  • 8.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Aug 12, 2020 03:39 AM

    Hi Danny,

     

    This is awesome news. Would it be possible to share any concrete timelines around when we can expect it to be available?



  • 9.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"

    Posted Aug 12, 2020 03:05 PM
    Email me jump@hpe.com and we can discuss offline


  • 10.  RE: NEW: TechNote & Extension Announcement: "ClearPass and ServiceNow CMDB Integration"
    Best Answer