Vladimir Ilibman
CISSP, CCSP
Cisco Identity Services Engine
Evolution of the network security model
Evolution of access: the era of borderless networks
[Figure: access topology with these labels: campus network, data center, internal resources, branch, Internet, employee workstations, employees, VPN, workstations of external services, contractors, guests, IP camera, partner connections, VPN, mobile employees, employees with WiFi devices, security systems, printers, ATMs.]
Cisco ISE and AnyConnect
ACCESS POLICY: WHO, WHAT, HOW, WHEN, WHERE, HEALTH, THREATS
Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks.
Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MAC Security, network visibility and more.
CVSS Partner Eco System (pxGrid & APIs): SIEM, MDM, NBA, IPS, IPAM, etc.
WIRED | WIRELESS | VPN
Role-based Access Control | Guest Access | BYOD | Secure Access
FOR ENDPOINTS | FOR NETWORK
Managing policy based on ‘Trust’
[Figure: trust matrix of subjects (Trusted User, Trusted Asset, Partners) against Trusted and Non-Trusted Apps/Services, for Cloud (Cloud App A, Cloud App B) and On Prem (Server A, Server B) destinations; each cell is a ✓ or ✕ access decision.]
Improved Visibility and Decision: Software-Defined Segmentation, Service Access & Entitlement, Location-Free App/Service Access.
Policy inputs: Vulnerability, Threats, Posture, Behavior, Time, Location, User-Groups, Device-type.
CISCO IDENTITY SERVICES ENGINE
Connecting Trusted Users and Devices to Trusted Services
Rapid Threat
Containment
Always-on Policy
Compliance
Guest Access
Simplified Firewall Rule
management with TrustSec
Risk Level Policy
Enforcement
Visibility
ISE Use Cases: the competitive advantages are built-in!
• Visibility: showing customers who and what is on their network, and sharing it with FMC and Stealthwatch for better threat and behavioral clarity
• Rapid Threat Containment: when there is a security outbreak, customers have one button to push to activate different policies network-wide, using software-defined segmentation
• Simplified Firewall Rule management with TrustSec: the number and complication of firewall rules can be reduced by up to 80%, which reduces errors and costs
• Always-on Policy Compliance: assurance that your network, devices and their behaviors are compliant with company and regulatory compliance requirements
• Stop threats anywhere in the network from one console
• TrustSec Software-Defined Segmentation: easily create segments on the network and NGFW to increase protection and reduce malware proliferation
• Ecosystem Integration: one framework to integrate different security products, share intel, see threats faster and take an action from the customer’s preferred product, such as FMC or Splunk
• Next Gen Access Control: control access to network and resources based on context for more accurate access policy options and enforcement
Security starts with ‘Visibility’
Visibility
ISE can collect contextual information from the network; the contextual information can then be shared with other systems.
ISE Dashboard: Summary
Visibility: discover the network for devices and users with the ISE Visibility Setup Wizard
• Discover network assets and endpoints in minutes using a wizard
• Connect to identity stores (e.g. join an Active Directory)
Context Visibility
• Context tabs
• Interactive charts
• Action bar for endpoints
• Breadcrumbs for filters
• Dynamically updated table based on filter
Visibility
How does ISE get all that information? Cisco ISE Profiling
Feed Service (online / offline)
Active probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP
Device Sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
• 1.5 million devices, with ‘50’ attributes each, can be stored
• 550+ high-level canned profiles, plus periodic feeds
• 250+ medical device profiles
Visibility
Application visibility using ISE: ISE Posture
Continuous data monitoring on apps: ISE will collect and monitor data from the user’s device every 5 (can be set to 1 min for demo purposes).
AnyConnect will report a complete list of running applications and installed applications.
Visibility
Application ‘Visibility’ via AnyConnect: AnyConnect as a collector using NVM
[Figure: Cisco AnyConnect with the ‘Network Visibility’ module exporting IPFIX/NetFlow to a collector from corporate and public networks.]
• Visibility into process, process hash, URLs, and more
• Context for Network Behavioral Analysis
• Control of run-time applications via ‘Posture Policies’
Visibility
Role-based policy for access to network resources
[Figure: Traditional TrustSec role-based access (BYOD Access, Secure Access, Guest Access, Role-based Access) fed by identity, profiling and posture context (Who, What, When, Where, How, Compliant); enforced at the network door (physical or VM), with context shared through the ISE pxGrid controller.]
Next Gen Access Control in action: ISE automatically applies policy to identity context to control access
• Passive Identity: MAC Authentication Bypass, Easy Connect®
• Active Identity: IEEE 802.1X (native supplicants / Cisco AnyConnect), Web Authentication (Central WebAuth, Local WebAuth)
• External Identity Stores (AD / LDAP / SQL): Active Directory, LDAP servers, SQL Server; passwords / tokens
• Also: ASP (Auto Smart Port), built-in CA
• Scale: 500,000 concurrent sessions; up to 100K network devices; up to 50 distinct AD join points supported; 300K internal users
Next Gen Access Control: authentications and authorizations
Authentication methods:
• Passive identity: MAC Authentication Bypass, Easy Connect®
• Active identity: IEEE 802.1X (native supplicants / Cisco AnyConnect), Web Authentication (Central WebAuth, Local WebAuth)
• External identity stores (AD / LDAP / SQL): Active Directory, LDAP servers, SQL Server; passwords / tokens; up to 50 distinct AD domains supported
• SAML IdPs (Single Sign-On), APIs
• Certificate Authorities (SCEP / CRL): certificate based auth
Authorization options:
• Downloadable / Named ACL
• Airespace ACL
• VLAN assignment
• Security Group Tags
• URL-Redirection
• Port configuration (ASP)
Next Gen Access
Control
White Listing Devices: MAC Authentication Bypass (MAB)
Endpoints without a supplicant will fail 802.1X authentication!
[Figure: on the LAN the network device asks the endpoint “What’s your Id?”; with no 802.1X reply, any packet from the machine reveals its MAC (00-10-23-AA-1F-38); the network device sends it to Cisco ISE and receives ACCESS-ACCEPT for a “known” MAC address.]
MAB requires a MAC database | ISE can build this database dynamically
Bypassing “Known” MAC Addresses
Next Gen Access
Control
Quickly see value with ‘Easy Connect’
[Figure: employee DOMAIN\bob on an endpoint with no 802.1X connects through SWITCH-1 to the enterprise network; the endpoint first receives LIMITED ACCESS (DHCP, DNS, NTP and AD reachable); when Bob logs in to the domain controller, ISE retrieves the user-ID and the user’s AD membership and sends a CoA that changes the session from Limited Access to FULL ACCESS.]
• Increased visibility into active network sessions
• Flexible deployment, co-operates with other auth methods
• Immediate value, leverages existing infrastructure
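The Easy Connect sequence above, as an added example that is not Cisco's implementation: a passive-identity service receives a domain logon event, correlates its source IP with an existing limited-access session, looks up the user's AD group, and issues a CoA to the switch that holds the session. The event format, the session table, the group lookup and the profile names are constructed assumptions; a logon event whose IP has no active session is ignored rather than trusted.

```python
"""Added example, not Cisco's Easy Connect code: correlate a domain logon
event with an active session and issue a CoA from limited to full access.
Event format, session table, AD groups and profile names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    mac: str
    ip: str
    nad: str                       # network access device holding the session
    profile: str = "Limited_Access"
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)


# Constructed AD group membership the passive-identity service would look up.
AD_GROUPS: Dict[str, List[str]] = {
    "DOMAIN\\bob": ["Domain Users", "Employees"],
    "DOMAIN\\alice": ["Domain Users", "Contractors"],
}

# Constructed authorization rules: first matching group wins.
GROUP_PROFILES = [("Employees", "Full_Access"), ("Contractors", "Contractor_Access")]


class PassiveIdentity:
    def __init__(self, sessions: Dict[str, Session]):
        self.sessions = sessions          # keyed by endpoint IP
        self.coa_sent: List[dict] = []    # CoA messages "sent" to the NADs

    def on_logon_event(self, event: dict) -> Optional[dict]:
        """event is a constructed stand-in for a Windows logon event read from
        the domain controller: {'user': ..., 'ip': ..., 'source': ...}.
        Returns the CoA issued, or None when no session change is needed."""
        session = self.sessions.get(event["ip"])
        if session is None:
            return None                   # no active session: nothing to upgrade
        user = event["user"]
        groups = AD_GROUPS.get(user, [])
        profile = next((p for g, p in GROUP_PROFILES if g in groups), "Limited_Access")
        session.user, session.groups = user, groups   # identity learned passively
        if profile == session.profile:
            return None                   # already authorized at this level
        session.profile = profile
        coa = {"nad": session.nad, "mac": session.mac, "user": user, "profile": profile}
        self.coa_sent.append(coa)
        return coa
```

The CoA is addressed to the NAD recorded in the session, not to the endpoint, which is why the session table has to be authoritative before any logon event is acted on.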
Next Gen Access
Control
Authorization: 3 major authorization options for ‘access control’
1. DACL or Named ACL: Downloadable ACL (wired) or Named ACL (wired + wireless)
   Contractor: deny ip host <protected>; permit ip any any
   Employee: permit ip any any
2. VLANs: dynamic VLAN assignments, per port / per domain / per MAC
   Employees: VLAN 3; Guest: VLAN 4; Remediation VLAN
3. Security Group Tags: 16-bit SGT assignment and SGT-based access control (TrustSec Software-Defined Segmentation)
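The MAB slide and the three authorization options above, combined in one added example that is not ISE code: a policy server receives a MAB request, normalizes the MAC (access devices spell it several ways), looks it up in an endpoint database and answers with a dACL, a VLAN and an SGT. The endpoint database, identity groups and profiles are constructed; the assumption that MAB requests carry Service-Type Call-Check with the MAC in User-Name is how Cisco switches behave but is stated here as an assumption; the only value taken from the page is the sample MAC.

```python
"""Added example, not ISE code: MAB lookup plus dACL / VLAN / SGT authorization.
Endpoint database, groups, profiles and attribute spellings are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def normalize_mac(raw: str) -> str:
    """Canonical 'xx:xx:xx:xx:xx:xx'.  Access devices present the MAC in the
    RADIUS User-Name as 00-10-23-AA-1F-38, 0010.23aa.1f38 or 001023AA1F38;
    a database lookup that skips this step rejects known endpoints."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class AuthzProfile:
    name: str
    dacl: List[str] = field(default_factory=list)   # downloadable ACL lines
    vlan: Optional[int] = None                      # dynamic VLAN assignment
    sgt: Optional[int] = None                       # 16-bit security group tag


# Constructed endpoint database (MAC -> identity group), as profiling would build it.
ENDPOINT_DB: Dict[str, str] = {
    normalize_mac("00-10-23-AA-1F-38"): "Printers",
    normalize_mac("0010.23bb.2c44"): "IP-Cameras",
}

# Constructed authorization profiles per identity group.
PROFILES: Dict[str, AuthzProfile] = {
    "Printers": AuthzProfile("Printer_Access", vlan=30, sgt=20,
                             dacl=["permit tcp any any eq 9100", "deny ip any any"]),
    "IP-Cameras": AuthzProfile("Camera_Access", vlan=31, sgt=21,
                               dacl=["permit ip any host 10.0.0.5", "deny ip any any"]),
}


def mab_authorize(request: Dict[str, str]) -> Dict[str, object]:
    """Decide one MAB Access-Request.  Assumption: MAB requests carry
    Service-Type Call-Check and the MAC in User-Name; anything else is not
    a MAB request and is rejected by this function."""
    if request.get("Service-Type") != "Call-Check":
        return {"code": "Access-Reject", "reason": "not a MAB request"}
    try:
        mac = normalize_mac(request.get("User-Name", ""))
    except ValueError as exc:
        return {"code": "Access-Reject", "reason": str(exc)}
    group = ENDPOINT_DB.get(mac)
    if group is None:
        # The slide's failure mode: no supplicant and no database entry.
        return {"code": "Access-Reject", "reason": f"unknown MAC {mac}"}
    profile = PROFILES[group]
    attrs: Dict[str, object] = {"Identity-Group": group, "Profile": profile.name}
    if profile.dacl:
        attrs["dACL"] = profile.dacl
    if profile.vlan is not None:
        # VLAN assignment travels in the standard RFC 2868 tunnel attribute.
        attrs["Tunnel-Private-Group-Id"] = str(profile.vlan)
    if profile.sgt is not None:
        attrs["SGT"] = profile.sgt
    return {"code": "Access-Accept", "attributes": attrs}
```

An unknown MAC is rejected here; a deployment that profiles new endpoints would instead place it in a restricted profile while the probes collect attributes, which is the dynamic database building the slide refers to.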
Next Gen Access
Control
Software-Defined Segmentation: easily classify endpoint devices and use group-based policies in NGFWs and the network
[Figure: endpoints grouped by SGT: SGT_Guest (Guest 1 to 4), SGT_Employee (Employee 1 to 4), SGT_Printers (Printer 1, Printer 2), SGT_FinanceServer (Fin 1, Fin 2), SGT_Building Management (Temperature Device 1 and 2, Surveillance Device 1 and 2).]
Software-Defined Segmentation: simplifying segmentation with TrustSec
Traditional segmentation: security policy based on topology, with high cost and complex maintenance. The access layer and aggregation layer carry one VLAN per role (Voice VLAN, Data VLAN for Employee, Supplier VLAN, Guest VLAN, BYOD VLAN, Non-Compliant Quarantine VLAN) into the enterprise backbone; each VLAN brings its own address space, DHCP scope, redundancy, routing, static ACL and VACL.
TrustSec software-defined segmentation: use the existing topology and automate security policy to reduce OpEx. Voice and Data VLANs stay as they are; Employee, Supplier, BYOD and Non-Compliant become tags (Employee Tag, Supplier Tag, Non-Compliant Tag) assigned by ISE, and policy is enforced from the access layer through the enterprise backbone to the DC firewall / switch and DC servers.
• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation
Segmentation Management
[Figure: TrustSec policy matrix with sources (Guest, Employee BYOD, Building Mgmt., Employee) against destinations (Company Database, Public Cloud, External Partner, Internet); each “Define Access” cell resolves to Permit, Deny or an application-specific rule such as “Deny Web Apps”.]
• Simplify role creation: define access policies using plain language instead of complex ACLs and firewall rules
• Maintain and scale dynamically: defining policies with logical tags means that rules don’t depend on individual IP addresses and can be dynamically and transparently changed no matter the group size
• Apply rules automatically: define segmentation based on logical groupings that are applied automatically
• Maintain agility with simple, dynamic policy updates
Software-Defined Segmentation: a range of deployment scenarios
• Data center segmentation
• Campus and branch segmentation
• User to data center & cloud access control
Campus / Branch / DC Segmentation
• Segment traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Micro-segmentation / host isolation in LAN and DC with a single policy (segment devices even in the same VLAN or same security group)
[Figure: campus VLANs Data-1 and Data-2 carrying Voice, Employee, Supplier and Non-Compliant endpoints; ISE assigns Employee Tag, Supplier Tag and Non-Compliant Tag; data center application servers and shared services carry Application Servers Tag and Shared Services Tag.]
Software-Defined Segmentation
TrustSec Policy Matrix (SGACL)
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
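The policy matrix and the SGACL above, as an added example that is not Cisco code: a parser for the SGACL syntax printed on the slide and an evaluator that looks up the (source SGT, destination SGT) cell and walks the ACEs first-match-wins. The SGACL text is the one above; Servers carry SGT 10 as on the slide, while the other tag numbers, the matrix cells and the sample flows are constructed. The evaluator treats a cell with no matching ACE as deny; that catch-all is an assumption of this example, not a TrustSec default.

```python
"""Added example, not Cisco code: parse and evaluate the slide's SGACL through
a small SGT matrix.  Tag numbers other than 10, cells and flows are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    port_lo: Optional[int]    # destination port bounds; None means any port
    port_hi: Optional[int]
    log: bool


_ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)"
    r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?"
    r"(\s+log)?\s*$")


def parse_sgacl(text: str) -> List[Ace]:
    """One ACE per line.  Unknown syntax raises instead of being skipped:
    a silently dropped deny line is a hole in the policy."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, eq, lo, hi, log = m.groups()
        if eq is not None:
            lo = hi = int(eq)
        elif lo is not None:
            lo, hi = int(lo), int(hi)
        aces.append(Ace(action, proto, lo, hi, log is not None))
    return aces


# The SGACL from the slide, verbatim.
COLLAB_SGACL = parse_sgacl("""
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
""")
DENY_ALL = parse_sgacl("deny ip log")


def evaluate(aces: List[Ace], proto: str, dst_port: Optional[int]) -> Tuple[str, bool]:
    """First matching ACE wins.  'ip' matches any protocol; a port clause
    only constrains tcp/udp flows.  No match: deny (assumption, see lead-in)."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.port_lo is not None:
            if dst_port is None or not (ace.port_lo <= dst_port <= ace.port_hi):
                continue
        return ace.action, ace.log
    return "deny", False


# Constructed matrix: (source SGT, destination SGT) -> SGACL.  Servers = SGT 10
# as on the slide; Employee = 5 and Guest = 6 are made-up tag numbers.
MATRIX: Dict[Tuple[int, int], List[Ace]] = {(5, 10): COLLAB_SGACL, (6, 10): DENY_ALL}


def decide(src_sgt: int, dst_sgt: int, proto: str, dst_port: Optional[int]) -> str:
    """Policy lookup by tag pair: the endpoint's IP never enters the decision,
    which is why a re-addressed server needs no rule change."""
    action, _ = evaluate(MATRIX.get((src_sgt, dst_sgt), DENY_ALL), proto, dst_port)
    return action
```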
[Figure: enforcement toward Servers (SGT: 10), contrasting the short SGACL above with a traditional IP-based access-list 102 of several dozen entries of the form “access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384”, each tied to specific addresses, masks and port ranges.]
Simplified rule management:
• Define protected assets by their role, not IP address
• Works across TrustSec and ACI environments
• Avoids complexity and add/move/change effort
• Leads to a much simpler and smaller rule-base
• Consistent, clear, simple rules
Simplifying Firewall Rule Management with TrustSec
Simplified Firewall Rules Management: FTD policies based on ISE attributes & security groups. ISE shares context over pxGrid with NGIPS / ASA + Firepower, whose access control policies are based on ISE attributes (SGT, device-type and endpoint location).
ASA with Firepower Services: inspect based on SGTs
[Figure: ASA with FirePOWER between the enterprise backbone and the data center (Customer DB), with Partners, Employee and Suppliers as sources; enforcement toward Servers with SGT: 10.]
Simplified Firewall Rules Management: Multiple TrustSec Matrices
Segmentation policy sets based on risk
Global Risk Level use case: policy sets 1 to 5; apply local policy sets for high-risk locations and compliance-critical environments, e.g.:
1. London DCs
2. High Risk Sites
3. PCI Zones
4. Development locations
5. NY Data Centers
Apply different TrustSec policy sets for different environments or risk conditions: create different policy sets and apply different policies to different business environments; easily change policies.
• Threat response: by applying risk-based, predefined policies
• Simplified operations: allow policy changes to be applied to different operational zones with centralized management
• Segmentation flexibility: enables customers to differentiate their segmentation to sites based on business role
Benefits
• Mitigates threats by changing applied policy sets
• Pre-determined segmentation policies enable error-free changes
• Allows distinct policy sets to be applied to different environments
• Flexible policy setup for multiple operational use cases
Capabilities
• Risk Level Policy Sets
• Restrict all lateral movement
• Multiple levels of policy sets, applied globally
• DEFCON policy enforcement
Posture defines the state of compliance with the company’s security policy
Posture flow:
1. AUTHENTICATE USER/DEVICE: posture Unknown / Non-Compliant?
2. QUARANTINE: limited access via VLAN / dACL / SGTs
3. POSTURE ASSESSMENT: check hotfix, AV, PIN lock, USB device, etc. (e.g. Anti-Virus? Antivirus update)
4. REMEDIATION: WSUS, launch app, scripts, MDM, etc.
5. AUTHORIZATION CHANGE: full access via VLAN / dACL / SGTs
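The five-step posture flow, as an added example that is not Cisco's posture engine: a session starts in quarantine, an assessment over the endpoint's reported facts either moves it to full access via CoA or leaves it in remediation with the failed conditions listed, and a posture lease lets the endpoint reconnect without re-assessment until the lease expires (the "Posture Lease" behaviour described further down). The conditions, endpoint facts, profile names, remediation actions, lease length and the hotfix identifier are constructed assumptions.

```python
"""Added example, not Cisco code: the posture flow as a small state machine
with a posture lease.  Conditions, facts, names and the lease are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed posture conditions: name -> (check over endpoint facts, remediation action).
CONDITIONS: Dict[str, Tuple[Callable[[dict], bool], str]] = {
    "AV installed and definitions current":
        (lambda e: e["av_installed"] and e["av_definitions_age_days"] <= 7, "Antivirus update"),
    "Disk encryption enabled": (lambda e: e["disk_encrypted"], "Launch encryption app"),
    "Required hotfix present": (lambda e: "KB-PLACEHOLDER" in e["hotfixes"], "WSUS"),
    "No unauthorized USB storage": (lambda e: not e["usb_storage_present"], "USB remediation"),
}
LEASE = timedelta(hours=8)   # constructed lease length

# Constructed endpoint reports, as an agent would deliver them.
OK_FACTS = {"av_installed": True, "av_definitions_age_days": 1, "disk_encrypted": True,
            "hotfixes": ["KB-PLACEHOLDER"], "usb_storage_present": False}
BAD_FACTS = dict(OK_FACTS, disk_encrypted=False)


@dataclass
class Session:
    mac: str
    posture: str = "Unknown"        # Unknown -> Compliant | Non-Compliant
    profile: str = "Quarantine"     # limited access (VLAN / dACL / SGT) until compliant
    lease_until: Optional[datetime] = None
    failed: List[str] = field(default_factory=list)
    coa: List[str] = field(default_factory=list)


def assess(facts: dict) -> List[str]:
    """Names of failed conditions; an empty list means compliant."""
    return [name for name, (check, _) in CONDITIONS.items() if not check(facts)]


def remediation_plan(failed: List[str]) -> List[str]:
    return [CONDITIONS[name][1] for name in failed]


def connect(session: Session, facts: Optional[dict], now: datetime) -> Session:
    """One (re)connection.  Step 1: authenticated, posture Unknown, so the
    session lands in Quarantine (step 2).  A valid lease skips the assessment;
    otherwise steps 3 to 5 run on the reported facts."""
    if session.lease_until is not None and now < session.lease_until:
        session.profile = "Full_Access"          # lease valid: no re-posture
        return session
    session.posture, session.profile = "Unknown", "Quarantine"
    if facts is None:
        return session                           # agent not reporting yet: stay limited
    session.failed = assess(facts)               # step 3
    if session.failed:
        session.posture = "Non-Compliant"        # step 4: remediate, access stays limited
        return session
    session.posture = "Compliant"
    session.profile = "Full_Access"              # step 5: CoA to full access
    session.lease_until = now + LEASE
    session.coa.append(f"{now.isoformat()} CoA -> Full_Access")
    return session


def demo() -> List[Tuple[str, str]]:
    """Trace (posture, profile) over four connections of one endpoint."""
    t0 = datetime(2017, 1, 1, 9, 0)
    s = Session("00:10:23:aa:1f:38")
    trace = []
    for facts, minutes in [(BAD_FACTS, 0), (OK_FACTS, 10), (BAD_FACTS, 120), (BAD_FACTS, 540)]:
        connect(s, facts, t0 + timedelta(minutes=minutes))
        trace.append((s.posture, s.profile))
    return trace
```

The third connection in `demo()` shows the lease's trade-off: the endpoint reconnects non-compliant but keeps full access because the lease has not expired, which is why periodic reassessment (PRA, mentioned in the posture tables below) exists alongside the lease.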
Always-on Policy Compliance: ISE posture policies
Flexible deployment options (employee and contractor endpoints):
• Cisco AnyConnect standard mode
• Cisco AnyConnect stealth mode (AnyConnect with no UI)
• Cisco NAC Web Agent (non-persistent)
Threat Protection: Cisco AnyConnect
AnyConnect: way more than VPN
• Basic VPN and advanced VPN
• Endpoint compliance
• Enterprise access
• Inspection service
• Network visibility
AnyConnect features and integration with other Cisco solutions: Identity Services Engine (ISE); ISR / ASR / CSR, switches and wireless controllers; Cloud Web Security services (CWS + WSA); Adaptive Security Appliance (ASA); NetFlow collectors; Advanced Malware Protection; roaming protection (ODNS plugin).
Always-on Policy Compliance
Posture conditions explained (ISE 2.0 with AnyConnect 4.2; ISE 2.1 with AnyConnect 4.3). For your reference.
• File Check Enhancements: enhanced OS X file checks, SHA 256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”
• OS X Daemon Check: user agent check, user-based process check
• Disk Encryption Check: checks can be based on installation, location and disk encryption state
• Reporting: report based on condition name and condition state
• USB Condition and Remediation: “dynamic”, i.e. enforced in real time; configured at the initial posture check or at Passive Reassessment checks (PRA)
• AnyConnect 4.3 enforces the Disk Encryption Policy
• Native Patch Management: patch management supported via OPSWAT {Install, Enable, Up-To-Date}
• AMP Enabler Profile: download and provisioning of the AMP client module
• Posture Lease (from ISE 1.3): once postured compliant, the user may disconnect/reconnect multiple times before re-posture
• Anti-Malware Checks: combination of the antispyware and antivirus conditions; supported by the OESIS version 4.x or later compliance module
Posture capabilities (ISE 2.2 with AnyConnect 4.4). For your reference.
• Enhanced Posture Discovery and Client Provisioning: ability to on-board endpoints using an off-premises portal; users are protected 100% of the time (on-prem or off-prem); posture on 3rd party devices (non-URL-redirect agent to ISE communication)
• AnyConnect Headless: AnyConnect agent with no UI for both Windows / OS X (no UI module)
• Application Visibility, Control and Enforcement: continuous data monitoring on installed and running applications; ISE will collect and monitor data from the user’s device every 5 (can be set to 1 min for demo purposes)
• Firewall enabled checks and remediation: check if a firewall is running or installed, with the ability to launch the firewall if it is not running
• AnyConnect Profile Provisioning using JSON: OpenDNS Umbrella provisioning support
• UDID context sharing: seamless posture experience when switching between wired and wireless, and exposure in Context Directory
• Common certificates and HTTP ports for posture: avoiding the unknown-certificate errors
• Apex enforcement (posture admin UI shuts down)
Client Provisioning Overview
Cisco ISE looks at various elements when classifying the type of login session through which users access the internal network:
• Operating system and version
• Browser type and version
• User group membership
• Condition evaluation results (based on dictionary attributes)
Client provisioning resources (e.g. MacOsXAgent download): client provisioning functions in Cisco ISE allow you to download client provisioning resources and configure agent profiles for Windows and Mac OS X clients, and native supplicant profiles for your own personal mobile devices. Client provisioning resources consist of compliance and posture agents for desktops, and native supplicant profiles for phones and tablets.
Always-on Policy Compliance: Authorization Policy
Simple authorization policy: Posture Compliant = Full Access | Posture Non-Compliant = Access limited to the remediation network
Patch Management Remediation
• Remediation type: same as AV and AS remediation.
• Operating system: Windows only supported.
• Vendor name: the list is loaded from the OPSWAT update.
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.
Always-on Policy Compliance
ISE and SCCM integration overview
ISE 2.1 integrates with SCCM to retrieve the compliance status of Windows managed endpoints. This integration uses MDM flows: ISE communicates with the SCCM server using WMI to retrieve the current attributes for a device. Microsoft SCCM acts as an external MDM server for Cisco ISE.
Status checks (via WMI): patch and software management; posture status. Managed asset states: Registered; Registered + Non-Compliant; Registered + Compliant.
Always-on Policy Compliance
Threat Centric NAC explained: reduce vulnerabilities, contain threats
Compromised endpoints spread malware by exploiting known vulnerabilities in the network:
1. Malware infection
2. Malware scans for vulnerable endpoints
3. Vulnerability detected
4. Infection spread
Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)
Flag compromised and vulnerable hosts and limit access to a remediation segment: Cisco AMP reports “Threat detected” (IOC), a vulnerability scan reports CVSS for a vulnerable host, and ISE quarantines and remediates. Most endpoint AMP is deployed in ‘visibility only’ mode.
What is Threat Centric NAC?
Inputs shared between AMP, vulnerability scanners (e.g. Qualys), CTA and Cisco ISE: STIX, threat events, CVSS, IOC, vulnerability assessments, threat notifications.
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
• Complements posture: vulnerability data tells the endpoint’s posture from the outside
• Expanded control: driven by threat intelligence and vulnerability assessment data
• Faster response: with automated, real-time policy updates based on vulnerability data and threat metrics
Network Access Policy: create ISE authorization policies based on the threat and vulnerability attributes alongside Who, What, When, Where, How and Posture. STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC). Available from ISE 2.2.
Always-on Policy Compliance: mobile device posture assessment
MDM policy checks: device registration status, device compliance status, disk encryption status, PIN lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.
Posture compliance assessment for mobile devices (employee personal device):
1. Register with ISE
2. Internet access
3. Register with MDM
4. Comply with MDM policy
5. Allow corporate access
Always-on Policy Compliance
Rapid Threat Containment (RTC) with Firesight Management Center (FMC) and ISE: protect critical data by stopping attacks faster, based on real-time threat intelligence.
PROBLEM: initial compromise, infection spread, data hoarding, data exfiltration, monetize theft. Time To Detection (TTD): 100 to 200 days (http://bit.ly/cisco-asr-2016).
SOLUTION: after the initial compromise, a sensor (AMP / NGIPS / ASA with FirePOWER) detects it and reports to FMC; FMC requests EPS quarantine over pxGrid; ISE issues a CoA and TrustSec segmentation contains the endpoint within minutes.
Rapid Threat Containment
Cisco Platform Exchange Grid (PxGrid)Enable Unified Threat Response by Sharing Contextual Data
When
Where
Who
How
What
Cisco and Partner
Ecosystem
ISE
pxGrid
Controller
Context
32
1
45
Cisco® ISE collects
contextual data from network1
Context is shared via
pxGrid technology2
Partners use context to
improve visibility to
detect threats3
Partners can direct ISE to
rapidly contain threats4
ISE uses partner data to
update context and
refine access policy5
Cisco Network
https://datatracker.ietf.org/doc/draft-appala-mile-xmpp-grid/
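The five-step pxGrid loop, the RTC quarantine path and the Threat Centric NAC decision (CVSS and IOC attributes feeding authorization), brought together in one added example that is not Cisco's pxGrid, ISE or AMP code: an in-process publish/subscribe grid stands in for the controller, an ISE stand-in publishes session context and consumes partner requests, and a sensor that only knows IP addresses enriches its events with identity from the shared context and asks for containment. Topic names, attribute names, the partner, the CVSS threshold and the sample sessions, IOC and vulnerability reports are constructed; the vulnerability identifiers are placeholders.

```python
"""Added example, not Cisco code: pxGrid-style context sharing with an RTC
quarantine path and a CVSS-driven TC-NAC decision.  Everything here is a
constructed stand-in: topics, attributes, partner, threshold and sample data."""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class Grid:
    """Stand-in for the pxGrid controller: topics with subscribers."""
    def __init__(self) -> None:
        self._subs: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self._subs[topic].append(handler)

    def publish(self, topic: str, msg: dict) -> None:
        for handler in list(self._subs[topic]):
            handler(msg)


class IseStandIn:
    """Publishes session context (steps 1-2), consumes partner requests (step 4)
    and refines policy by re-tagging the session and issuing a CoA (step 5)."""
    CVSS_QUARANTINE = 7.0    # constructed policy threshold on the CVSS attribute

    def __init__(self, grid: Grid) -> None:
        self.grid = grid
        self.sessions: Dict[str, dict] = {}     # ip -> session context
        self.coa_log: List[dict] = []           # CoA messages "sent" to the NADs
        grid.subscribe("eps/quarantine", self.on_quarantine_request)
        grid.subscribe("vuln/report", self.on_vulnerability)

    def session_start(self, ip: str, mac: str, user: str, sgt: str, nad: str) -> None:
        ctx = {"ip": ip, "mac": mac, "user": user, "sgt": sgt, "nad": nad, "cvss": 0.0}
        self.sessions[ip] = ctx
        self.grid.publish("session/context", dict(ctx))

    def _contain(self, ip: str, reason: str) -> bool:
        ctx = self.sessions.get(ip)
        if ctx is None:
            return False                        # unknown IP: nothing to act on
        if ctx["sgt"] == "Quarantine":
            return True                         # idempotent: no duplicate CoA
        ctx["sgt"] = "Quarantine"
        self.coa_log.append({"nad": ctx["nad"], "mac": ctx["mac"],
                             "new_sgt": "Quarantine", "reason": reason})
        self.grid.publish("session/context", dict(ctx))   # refined context goes back out
        return True

    def on_quarantine_request(self, msg: dict) -> None:
        self._contain(msg["ip"], f"partner {msg['partner']}: {msg['ioc']}")

    def on_vulnerability(self, msg: dict) -> None:
        ctx = self.sessions.get(msg["ip"])
        if ctx is None:
            return
        ctx["cvss"] = max(ctx["cvss"], msg["cvss"])   # keep the worst known score
        if ctx["cvss"] >= self.CVSS_QUARANTINE:
            self._contain(msg["ip"], f"CVSS {msg['cvss']} ({msg['id']})")


class SensorPartner:
    """A sensor that sees only IPs: it caches shared context to put 'who' and
    'what device' on its events (step 3) and asks ISE to contain (step 4)."""
    def __init__(self, grid: Grid, name: str) -> None:
        self.grid, self.name = grid, name
        self.context: Dict[str, dict] = {}
        self.enriched: List[dict] = []
        grid.subscribe("session/context", lambda m: self.context.__setitem__(m["ip"], m))

    def threat_detected(self, ip: str, ioc: str) -> dict:
        who = self.context.get(ip, {})
        event = {"ip": ip, "ioc": ioc, "user": who.get("user"), "mac": who.get("mac")}
        self.enriched.append(event)
        self.grid.publish("eps/quarantine", {"partner": self.name, "ip": ip, "ioc": ioc})
        return event


def demo() -> Tuple[IseStandIn, SensorPartner, dict]:
    """Two constructed sessions: one contained on an IOC, one on a CVSS report."""
    grid = Grid()
    ise = IseStandIn(grid)
    sensor = SensorPartner(grid, "sensor-standin")
    ise.session_start("10.1.1.50", "00:11:22:33:44:55", "DOMAIN\\bob", "Employee", "switch-1")
    ise.session_start("10.1.1.51", "00:11:22:33:44:66", "DOMAIN\\eve", "Employee", "switch-1")
    event = sensor.threat_detected("10.1.1.50", "constructed-ioc: dropper.exe")
    grid.publish("vuln/report", {"ip": "10.1.1.51", "id": "CVE-PLACEHOLDER-1", "cvss": 9.8})
    grid.publish("vuln/report", {"ip": "10.1.1.51", "id": "CVE-PLACEHOLDER-2", "cvss": 4.0})
    return ise, sensor, event
```

The second vulnerability report in `demo()` lands on an already-quarantined session and produces no second CoA; a containment path that is not idempotent floods the access device with changes every time a partner republishes the same finding.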
Ecosystem Integration
Integrating the traditional way: the problem
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…
SIO: proprietary APIs aren’t the solution. We need to share data.
TRADITIONAL APIs – One Integration at a Time
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”
Ecosystem Integration
Solving the integration problem with a Grid
INFRASTRUCTURE FOR A ROBUST ECOSYSTEM
• Single framework – develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner
SIO: single, scalable framework; direct, secured interfaces; pxGrid context sharing
Ecosystem Integration
3 things you can do with ecosystems: benefits
1. ISE makes customer IT platforms user / identity, device and network aware: ISE shares user/device & network context with IT infrastructure (ISE to eco-partner: context). Puts “who, what device, what access” with events. Way better than just IP addresses!
2. Make ISE a better network policy platform for customers: ISE receives context from eco-partners to make better network access policy (eco-partner to ISE: context). Creates a single place for comprehensive network access policy through integration.
3. Help customer IT environments reach into the Cisco network: eco-partner to ISE to Cisco network (action, mitigate). Decreases the time, effort and cost of responding to security and network events.
Ecosystem Integration
pxGrid: industry adoption critical mass. 40+ partner product integrations and 12 technology areas in the first year of release.
Technology areas around Cisco pxGrid (security through integration): Vulnerability Assessment; Packet Capture & Forensics; SIEM & Threat Defense; IAM & SSO; Net/App Performance; IoT Security; Cloud Access Security; Firewall & Access Control; Rapid Threat Containment (RTC); DDI; Cisco ISE; Cisco WSA; Cisco FirePOWER.
pxGrid-enabled ISE partners:
• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable
• Firewall: Check Point, Infoblox, Bayshore
• DDI: Infoblox
• Cloud: Elastica, SkyHigh Networks
• Net/App: Savvius
• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7
• IAM: Ping, NetIQ, SecureAuth
• Vulnerability: Rapid7, Tenable, SAINT
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, Firesight, Firepower, ISE
Other ISE partners:
• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute
Ecosystem Integration
Same ISE for ‘Network Device’ Administration
TACACS+ Device Administration
Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Benefits
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center (separate TACACS+ work centers for the security admin team and the network admin team)
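Command level authorization with an audit record per decision, the TACACS+ capability listed above, as an added example that is not ISE's TACACS+ implementation: each role maps to a command set in which deny patterns are evaluated before permit patterns, anything unmatched is denied, and every decision (permits included) is appended to an audit log. The roles, command sets, device names and sample commands are constructed assumptions.

```python
"""Added example, not ISE's TACACS+ code: per-command authorization with
deny-overrides-permit command sets and an audit record per decision.
Roles, command sets and sample commands are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CommandSet:
    name: str
    permit: List[str]                               # regexes over the whole command line
    deny: List[str] = field(default_factory=list)    # evaluated first; deny wins


# Constructed role -> command set mapping.
COMMAND_SETS: Dict[str, CommandSet] = {
    "NetOps-ReadOnly": CommandSet(
        "ReadOnly",
        permit=[r"^show(\s|$)", r"^ping(\s|$)", r"^traceroute(\s|$)"],
        # the configuration holds secrets; read-only operators do not need it
        deny=[r"^show\s+(running-config|startup-config)"]),
    "NetOps-Admin": CommandSet(
        "Admin",
        permit=[r".*"],
        # even full administrators are kept away from destructive one-liners
        deny=[r"^(reload|write\s+erase|erase\s|format\s)"]),
}


@dataclass
class Decision:
    user: str
    role: str
    device: str
    command: str
    result: str            # "PERMIT" or "DENY"
    reason: str


AUDIT_LOG: List[Decision] = []


def normalize(command: str) -> str:
    """Collapse whitespace and lower-case so 'SHOW   ip route' and
    'show ip route' are the same command to the policy."""
    return " ".join(command.split()).lower()


def authorize_command(user: str, role: str, device: str, command: str) -> Decision:
    cmd = normalize(command)
    cs = COMMAND_SETS.get(role)
    if cs is None:
        d = Decision(user, role, device, cmd, "DENY", "no command set for role")
    elif any(re.search(p, cmd) for p in cs.deny):
        d = Decision(user, role, device, cmd, "DENY", f"matched deny in {cs.name}")
    elif any(re.search(p, cmd) for p in cs.permit):
        d = Decision(user, role, device, cmd, "PERMIT", f"matched permit in {cs.name}")
    else:
        d = Decision(user, role, device, cmd, "DENY", f"no permit in {cs.name} (implicit deny)")
    AUDIT_LOG.append(d)        # every decision is recorded, permits included
    return d


if __name__ == "__main__":
    for u, r, c in [("bob", "NetOps-ReadOnly", "show ip route"),
                    ("bob", "NetOps-ReadOnly", "configure terminal"),
                    ("alice", "NetOps-Admin", "reload")]:
        d = authorize_command(u, r, "switch-1", c)
        print(f"{d.user}@{d.device}: {d.command!r} -> {d.result} ({d.reason})")
```

Matching on the normalized command line rather than on the first word is what keeps `show running-config` deniable while `show ip route` stays permitted for the same role.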
Deploying ISE
• pxGrid Controller: facilitates sharing of context
• Policy Services Node (PSN): makes policy decisions; RADIUS / TACACS+ servers
• Policy Administration Node (PAN): single pane of glass for ISE admin; replication hub for all database config changes
• Monitoring and Troubleshooting Node (MnT): reporting and logging node; syslog collector from ISE nodes
STANDALONE ISE: single node (virtual / appliance), up to 20,000 concurrent endpoints
MULTI-NODE ISE: multiple nodes (virtual / appliance), up to 500,000 concurrent endpoints
Scaling ISE: one management interface for 1 to 500K endpoints
• 1 to 20,000 endpoints: standalone deployment
• 50,000 / 100,000 / 250,000 / 500,000 endpoints: multi-node deployments of 2 PANs + 2 MnTs + 4 / 12 / 25 / 50 PSNs respectively
- Applies to both physical and virtual deployment
- Compatible with load balancers
- HA configuration with a minimum of 6 redundant nodes
ISE Deployment Assistant (IDA): to simplify Cisco ‘Network Device’ configurations
• ISE service
• Per-device actionable information
• Network assessment
• Configuration of NADs (Network Access Devices)
• Ability to troubleshoot failed authentications
ISE Licensing
• EVALUATION (temp, 90 days): full Cisco ISE functionality for 100 endpoints
• BASE (perpetual): basic network access: AAA, IEEE 802.1X; guest management; Easy Connect (Passive ID); TrustSec (SGT, SGACL, ACI integration); ISE application programming interfaces
• PLUS (subscription: 1, 3, or 5 years): BYOD with built-in Certificate Authority services; profiling and feed services; Endpoint Protection Service (EPS); Cisco pxGrid; third party Mobile Device Management (MDM)
• APEX (subscription: 1, 3, or 5 years): posture compliance; Threat Centric NAC (TC-NAC)
ADDITIONAL OPTIONS
• DEVICE ADMIN (perpetual): Cisco ISE requires a Device Administration license to use the TACACS+ service on top of an existing Base or Mobility license.
• MOBILITY (subscription: 1, 3, or 5 years): combination of Base, Plus, and Apex for wireless and VPN endpoints
• MOBILITY UPGRADE (subscription: 1, 3, or 5 years): provides wired support to a Mobility license
Licenses are uploaded to the Primary Administration node and propagated to the other Cisco ISE nodes in the cluster.
The Base license is fundamental for use of Plus / Apex services.
Mobility licenses cannot coexist on a Cisco Administration node with Base, Plus, or Apex licenses.
ACS to ISE migration
• ACS is no longer being sold after August 30, 2017
ACS Version | End of Sale | End of Life | End of Support (including vulnerability fix) | Status
5.8 | Aug 30, 2017 | Aug 30, 2018 | Aug 31, 2020 | EoS/L
5.7 | May 2, 2016 | May 2, 2017 | May 31, 2019 | EoS/L
5.6 | Feb 16, 2016 | Feb 15, 2017 | February 28, 2019 | EoS/L
5.5 | April 15, 2015 | April 14, 2016 | April 30, 2018 | EoS/L
4.2 | October 27, 2011 | October 26, 2012 | October 31, 2014 | EoS/L
3.3 | August 29, 2006 | August 29, 2007 | August 28, 2009 | EoS/L
• ACS to ISE Migration Guide
Cisco ISE delivers
1. Simplified access delivery across wired, wireless, and VPN connections
2. Visibility into who and what is on your network, shared across security and network solutions
3. Reduced risk and threat containment by dynamically controlling network access
ISE lets you see it all and secure it now
Don’t just take it from us
“Cisco ISE unifies and automates access control to proactively enforce role-based access to
enterprise networks and resources.”
— SC Company 2016
Recognized as a LEADER, four years in a row
— Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011
A CHAMPION in Info-Tech Vendor Landscape for NAC
— Info-Tech Research Group, 2014
Recipient of the 2016 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform
while adding features and functionality. Cisco has gone a long way toward achieving
these objectives.”
— Frost & Sullivan, 2016
ISE Resources
http://bit.ly/ise-design-guides
Design guides focusing on ISE
• Deployment Strategy
• ISE Configuration
• Network Access Device Configuration
• Guest and Web Authentication
• Mobile Device Management (MDM)
• Cisco pxGrid
• Third-Party Integration
• etc.