In this blog, we walk through the implementation of a Python script that checks if the IP for a DNS A record has changed, then automatically updates the ISE DACL.

Understand the ISE API

As with any other automation, understanding the flow and data source requirements is useful.  In the attached diagram, I document the dataflow as well as important aspects of the scripts before writing it.  Reading through Cisco’s ISE ERS API documentation is extremely useful here.  The documentation includes enough information to get started, however,  involves some trial and error.  The “Update” PUT method allows you to update the DACL, and to my pleasure, it completely replaces the old DACL with a new one instead of simply appending lines to it. This makes life easier, as it simplifies regex substitution and insertion operations.  Now that we understand the specific call we need to make, lets review other aspects of the API call.  Some request fields are ISE version specific, such as the “ERS-Media-Type” header field. This field isn’t mandatory, however, it varies with ISE versions.

In order to get the DACL ID, you’ll first need to make a “Get-All” GET request. This will return all ACL IDs as well as their names in order to make identification easier. The PUT request is just a tad tricky and I’ll show you how to send the DACL in that request.

Get the right libraries

To make life easier, you’ll need a couple of libraries. Python’s “re”, “requests”, “json”, and “dns.resolver” libraries are needed in order to create requests, parse the JSON and finally, search through the dacl using “re”.  The “dns.resolver” library parses the IP address of the A record easily.

First Expressions Count

One of the more challenging aspects of updating a string such as the DACL is finding the item to replace.  I use remarks in the DACL to divide the larger piece into groups of IPs based on the application or server.  I use “start” and “end” in the remarks to accomplish this. For example, “remark start app1.site.com” and “remark end app1.site.com” to identify a set of IPs associated with app1.site.com.  I use regex101.com for helping parse and create expressions. The site can create expressions for a specific language which is extremely useful.  An example of an expression is r”(?<=remark start app1\.site\.com\n)([\s\S]+?)(?=remark\send\sapp1\.site\.com)”.

Wrapping it up

The great thing about dns.resolver is that it provides a class-based approach to retrieving the IP portion of an “A” record.  This saves us from using regex to search for the IP.  To start with, we search and isolate the group of IPs associated with the application.  Then, we find and replace those IPs with the ones returned by dns.resolver.  Finally, we use the UPDATE API to PUT the newly updated DACL into ISE.  The DACL goes in the payload and not the header section of the HTTP PUT, in another article, we’ll look at how we can use Postman to make our lives easier when testing out ISE APIs.

Data is everywhere within the organization, but few people know the significance of their data to the business. In this post, I discuss strategies for performing data classification.  What makes data classification complex is the sheer number of items that need classification.  Overall, the classification process should be outsourced to the document owners, this is the best approach and a strategy needs to be identified early. The information security team’s role here is to identify the data repository’s data classification capability.  Not all repositories have an easy and intuitive classification method. Let’s take a look at some possible approaches.

Identify current state

Data classification is a process by which information security and legal teams identify critical and sensitive organizational data.  In order to succeed in this endeavor, you’ll need to bite off small chunks and, work with patience and determination.  If you’re late to the game, start by identifying your repositories built-in capability to classify data.  Investigate whether you’re able to simply turn on the feature within the application. It might be offered in an enhanced version of the product that requires additional licensing or costs however data classification is important and the additional cost will be well worth it.

A data classification guide should be provided to all document owners. The classification guide should be simple to follow and understand. A typical classification system includes 3 classification levels including sensitive, secret, and unclassified, however, additional classification types might be useful depending on your specific business needs.  To begin with, classify your data directly in the document. This classification should be searchable and readable by search and regular expression engines.  This allows for a DLP solution to search the document to identify its classification level.

Fill in the gaps

Enterprise document storage solutions should have robust scripting and plugin capabilities. In-house development can help create data-classification add-ons and plugins for any document management solution that does not provide such capability.  Some collaboration suites include a marketplace that readily offers such extras, however, investigate the add-on for security issues before implementing.

Crowdsource your classification efforts

Off-course, this isn’t always possible and in that case, setting up a meeting with the document owners and walking them through the importance of the data classification program will be required.  Users are more willing to participate in mundane yet important tasks if the process is more engaging and rewarding. Identify ways in which you could gamify the process and provide rewards, provide a leaderboard and acknowledge those at the top during company meetings. Data classification is a critical process, therefore, participation should be part of everyone’s job responsibilities. Executive leadership needs to buy in and ensure that data classification is an essential part of everyone’s routine and not a burden on employee workload.