Cisco Defense Orchestrator
Network Layer Security Policies
Network layer security policies are composed of rules for handling inbound and outbound traffic. Rules are structured as (permit | deny) <protocols> traffic from <sources> to <destinations>, where values wrapped in <> are either primitive values or references to user-defined variables. Variables are either named primitive values or a named collection of other variables with compatible types.
Policies for Cisco ASA and ISR security appliances are defined as access groups. Rules are defined as access lists. Variables are defined as either object-groups or objects.
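As an added illustration of the rule structure described above (example code, not from CDO or Cisco), the following Python models variables as objects (named primitives) and object-groups (named collections that may nest), resolves references recursively, and evaluates a flow against an access list in first-match order with the implicit final deny. All names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample variables: objects are named primitives, object-groups
# are named collections whose members are objects or other object-groups.
OBJECTS = {
    "web-server": "10.0.1.10/32",
    "dns-server": "10.0.1.53/32",
    "office-lan": "192.168.10.0/24",
    "any": "0.0.0.0/0",
}
OBJECT_GROUPS = {
    "dmz-servers": ["web-server", "dns-server"],
    "internal-hosts": ["office-lan"],
    "all-known": ["dmz-servers", "internal-hosts"],  # groups may nest groups
}

def resolve(name, seen=frozenset()):
    """Expand a variable name (object or object-group) or a literal network."""
    if name in seen:
        raise ValueError(f"cyclic object-group reference via {name!r}")
    seen = seen | {name}
    if name in OBJECTS:
        return [ip_network(OBJECTS[name])]
    if name in OBJECT_GROUPS:
        return [n for m in OBJECT_GROUPS[name] for n in resolve(m, seen)]
    try:
        return [ip_network(name)]  # primitive written inline, e.g. "10.0.0.0/8"
    except ValueError:
        raise ValueError(f"undefined variable {name!r}") from None

@dataclass
class Rule:
    action: str        # "permit" | "deny"
    protocols: set     # e.g. {"tcp", "udp"}; "ip" matches every protocol
    sources: str       # variable name or literal network
    destinations: str

def _matches(networks, addr):
    return any(ip_address(addr) in net for net in networks)

def evaluate(rules, proto, src, dst):
    """First matching rule wins; an access list ends with an implicit deny."""
    for r in rules:
        if (("ip" in r.protocols or proto in r.protocols)
                and _matches(resolve(r.sources), src)
                and _matches(resolve(r.destinations), dst)):
            return r.action
    return "deny"

ACCESS_LIST = [  # order matters: the specific deny shadows the broader permit
    Rule("deny", {"tcp"}, "office-lan", "dns-server"),
    Rule("permit", {"tcp", "udp"}, "internal-hosts", "dmz-servers"),
    Rule("permit", {"ip"}, "dmz-servers", "any"),
]
```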
Managing Network Layer Security Policies with CDO
Traditionally, network layer security policies were redefined for every security appliance within a customer's network. There was no single source of truth, no central governance, and no easy way to deploy policy changes consistently across all devices.
With CDO, policies are centrally managed. Whenever a user modifies a policy, the changes are automatically staged to all affected security appliances by default. This ensures a consistent policy across the entire network, something nearly impossible to achieve before CDO.
Selectively Staging Changes
Policy changes are often staged and deployed to a single security appliance before being rolled out to all devices. This use case prompted the need for a user to be able to selectively choose the devices to which the changes should be applied.
Originally, the user was presented with a read-only list of the devices, access-groups, and object-groups that would be affected when modifying a policy.
Our solution builds on this model by allowing the user to select those affected devices on which the change should be staged.