Cisco Identity Services Engine: Cisco ISE and AnyConnect (slide deck transcript)

Date posted: 10-Mar-2020

Page 1

Владимир Илибман (Vladimir Ilibman), CISSP, CCSP

Cisco Identity Services Engine

Page 2

Evolution of the network security model

Page 3

Evolution of access: the era of borderless networks

[Figure: the campus network and data center with internal resources, branch offices and the Internet, and the kinds of endpoints now connecting to them: employee workstations, employees over VPN, workstations of external services, contractors, guests, IP cameras, partner connections over VPN, mobile employees, employees with Wi-Fi devices, security systems, printers and ATMs.]

Page 4

Cisco ISE and AnyConnect

[Figure: an access policy is built from WHO, WHAT, HOW, WHEN, WHERE, HEALTH and THREATS. Cisco ISE sits at the centre, exchanging context with the partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.) over pxGrid and APIs, and enforcing on wired, wireless and VPN access.]

Cisco ISE (for the network): context-aware policy service to control access and threats across wired, wireless and VPN networks. Role-based access control | guest access | BYOD | secure access.

Cisco AnyConnect (for endpoints): supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MAC Security (MACsec), network visibility and more.

Page 5

Managing policy based on 'Trust'

[Figure: a trust matrix. Sources (Trusted Asset, Trusted User, Partners) are checked against destinations in the cloud (Cloud App A, Cloud App B) and on premises (Server A, Server B), each classed as a trusted or a non-trusted app/service. The check-mark rows as extracted, column order not recoverable: ✕ ✕ ✓ ✓ ✕ ✕ / ✕ ✓ ✓ ✓ ✓ ✕ / ✓ ✕ ✓ ✓ ✓ ✓. Decision inputs: vulnerability, threats, posture, behavior, time, location, user groups, device type.]

Improved visibility and decision. Software-defined segmentation, service access and entitlement. Location-free app/service access.

CISCO IDENTITY SERVICES ENGINE: connecting trusted users and devices to trusted services.

Page 6

ISE use cases: the competitive advantages are built in

Visibility: showing customers who and what is on their network, and sharing it with FMC and Stealthwatch for better threat and behavioral clarity.

Next Gen Access Control: control access to the network and resources based on context, for more accurate access policy options and enforcement.

Guest Access.

Always-on Policy Compliance: assurance that your network, devices and their behaviors meet company and regulatory compliance requirements.

TrustSec Software-Defined Segmentation: easily create segments on the network and NGFW to increase protection and reduce malware proliferation.

Simplified Firewall Rule management with TrustSec: the number and complexity of firewall rules can be reduced by up to 80% (the slide's figure), which reduces errors and costs.

Risk Level Policy Enforcement: when there is a security outbreak, customers have one button to push to activate different policies network-wide, using software-defined segmentation.

Rapid Threat Containment: stop threats anywhere in the network from one console.

Ecosystem Integration: one framework to integrate different security products, share intel, see threats faster and take action from the customer's preferred product, such as FMC or Splunk.

Page 7 (Visibility)

Security starts with 'Visibility'

ISE can collect contextual information from the network; that contextual information can then be shared with other systems.

Page 8 (Visibility)

ISE Dashboard: Summary

Page 9 (Visibility)

Discover the network for devices and users: ISE Visibility Setup Wizard

Discover network assets and endpoints in minutes using a wizard. Connect to identity stores (e.g. join an Active Directory domain).

Page 10 (Visibility)

Context Visibility

• Context tabs
• Interactive charts
• Action bar for endpoints
• Breadcrumbs for filters
• Table dynamically updated based on the filter

Page 12 (Visibility)

How does ISE get all that information? Cisco ISE Profiling

Active probes (run by ISE): NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP.

Device Sensor (collected by the Cisco network device): CDP, LLDP, DHCP, HTTP, H.323, SIP, mDNS.

Feed Service (online/offline): 550+ high-level canned profiles plus periodic feeds; 250+ medical device profiles.

Scale: 1.5 million devices with 50 attributes each can be stored.
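The profiler matches the attributes gathered by the probes above against profile conditions, each of which contributes a certainty factor; a profile applies once the summed certainty reaches its minimum. The following is an added illustration of that mechanism, not code from the slides or from Cisco ISE: the profile names, attribute names, certainty values and the three sample endpoints are constructed for the demonstration.

```python
"""Toy ISE-style endpoint profiler: conditions with certainty factors.

Added example, not code from the slides or from Cisco. Profile definitions,
certainty values and the sample endpoints are constructed assumptions; real
ISE ships hundreds of vendor profiles via the feed service.
"""
from dataclasses import dataclass, field


@dataclass
class Condition:
    attribute: str   # attribute a probe collected (oui, dhcp-class-identifier, user-agent, ...)
    op: str          # "equals", "startswith" or "contains"
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        actual, want = actual.lower(), self.value.lower()
        if self.op == "equals":
            return actual == want
        if self.op == "startswith":
            return actual.startswith(want)
        if self.op == "contains":
            return want in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Profile:
    name: str
    min_certainty: int                 # total needed before the profile applies
    conditions: list = field(default_factory=list)

    def score(self, attrs: dict) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(attrs))


# Constructed profiles; names, strings and certainty values are assumptions
PROFILES = [
    Profile("Cisco-IP-Phone", 20, [
        Condition("oui", "equals", "Cisco Systems, Inc", 10),
        Condition("dhcp-class-identifier", "contains", "Cisco Systems, Inc. IP Phone", 20),
        Condition("cdpCachePlatform", "contains", "Cisco IP Phone", 20),
    ]),
    Profile("Windows-Workstation", 20, [
        Condition("dhcp-class-identifier", "startswith", "MSFT", 10),
        Condition("user-agent", "contains", "Windows NT", 10),
    ]),
    Profile("Printer", 20, [
        Condition("oui", "contains", "Hewlett Packard", 10),
        Condition("dhcp-class-identifier", "contains", "Hewlett-Packard JetDirect", 10),
    ]),
]


def profile_endpoint(attrs: dict, profiles=PROFILES):
    """Return (profile name, score) of the best qualifying profile, or ("Unknown", 0)."""
    best = ("Unknown", 0)
    for p in profiles:
        s = p.score(attrs)
        if s >= p.min_certainty and s > best[1]:
            best = (p.name, s)
    return best


# Constructed endpoint observations, as the profiler would assemble them from probes
PHONE = {"oui": "Cisco Systems, Inc",
         "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-8841"}
LAPTOP = {"dhcp-class-identifier": "MSFT 5.0",
          "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
MYSTERY = {"oui": "Hewlett Packard"}   # a single weak hint stays below minimum certainty

if __name__ == "__main__":
    for label, ep in [("phone", PHONE), ("laptop", LAPTOP), ("mystery", MYSTERY)]:
        print(label, profile_endpoint(ep))
```

Two of the attributes used here (the DHCP class identifier and the HTTP User-Agent) are supplied by the endpoint itself and can be forged, which is why a profiled identity on its own should only unlock the narrow authorization that device class needs.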

Page 13 (Visibility)

Application visibility using ISE Posture

Continuous data monitoring of applications: ISE collects and monitors data from the user's device every 5 minutes (can be set to 1 minute for demo purposes). AnyConnect reports a complete list of running applications and installed applications.

Page 14 (Visibility)

Application 'visibility' via AnyConnect: AnyConnect as a collector using NVM

[Figure: Cisco AnyConnect with the Network Visibility Module exports IPFIX/NetFlow records from corporate and public networks to a collector.]

Visibility into process, process hash, URLs and more. Context for network behavioral analysis. Control of run-time applications via posture policies.

Page 15 (Next Gen Access Control)

Next Gen Access Control in action: ISE automatically applies policy to identity context to control access

[Figure: context (who, what, when, where, how, compliant) gathered by identity, profiling and posture is evaluated by the ISE pxGrid controller, which opens the "network door" (physical or VM) to network resources under role-based access policy. Use cases: traditional TrustSec, BYOD access, secure access, guest access, role-based access.]

Page 16 (Next Gen Access Control)

Access Control

Passive identity: Easy Connect. Active identity: MAC Authentication Bypass, IEEE 802.1X (native supplicants / Cisco AnyConnect), Web Authentication (Central WebAuth, Local WebAuth).

External identity stores: Active Directory, LDAP servers, SQL Server; passwords and tokens; built-in CA. ASP: Auto Smart Port.

Scale: 500,000 concurrent sessions; up to 100K network devices; up to 50 distinct AD join points; 300K internal users.

Page 17 (Next Gen Access Control)

Authentications and Authorizations

Authentication methods: passive identity (Easy Connect); active identity: MAC Authentication Bypass, IEEE 802.1X (native supplicants / Cisco AnyConnect), Web Authentication (Central WebAuth, Local WebAuth); certificate-based authentication; Single Sign-On via SAML IdPs.

Identity and certificate sources: external identity stores (Active Directory, LDAP servers, SQL Server; passwords and tokens), certificate authorities (SCEP / CRL), APIs. Up to 50 distinct AD domains supported.

Authorization options: downloadable / named ACL, Airespace ACL, VLAN assignment, Security Group Tags, URL redirection, port configuration (ASP).

Page 18 (Next Gen Access Control)

White-listing devices: MAC Authentication Bypass (MAB)

Endpoints without a supplicant will fail 802.1X authentication. With MAB the network device instead asks "what's your ID?" and takes the source MAC of any packet from the machine (here 00-10-23-AA-1F-38) as its identity; ISE answers ACCESS-ACCEPT for a "known" MAC address.

MAB requires a MAC database; ISE can build this database dynamically. Note that the MAC address is asserted, not proven: a host that spoofs a whitelisted MAC is admitted just the same, so MAB entries should receive the narrowest authorization (dACL, VLAN or SGT) the device actually needs rather than full access.

Page 19 (Next Gen Access Control)

Quickly see value with 'Easy Connect'

[Figure: an employee PC with no 802.1X connects through SWITCH-1 to the enterprise network and initially gets LIMITED ACCESS (DHCP, DNS, NTP, AD). When DOMAIN\bob logs in against the domain controller, ISE retrieves the user ID and the user's AD membership and issues a CoA: FULL ACCESS.]

Increased visibility into active network sessions. Flexible deployment that co-operates with other auth methods. Immediate value: leverage existing infrastructure.

Page 20 (Next Gen Access Control)

Authorization: 3 major authorization options for 'access control'

DACL or Named ACL: Downloadable ACL (wired) or Named ACL (wired + wireless). Example: a Contractor receives

deny ip host <protected>
permit ip any any

while an Employee receives

permit ip any any

VLANs: dynamic VLAN assignment, e.g. Employees to VLAN 3, Guest to VLAN 4, a Remediation VLAN; per port / per domain / per MAC.

Security Group Tags: 16-bit SGT assignment and SGT-based access control (TrustSec Software-Defined Segmentation).
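All three authorization options above reach the switch inside the RADIUS Access-Accept that ISE returns: the VLAN as the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, the dACL entries and the SGT as Cisco `cisco-av-pair` vendor-specific attributes. The following added example (not code from the slides or from Cisco ISE) encodes such a packet, computes the Response Authenticator that the switch uses to reject a forged or tampered reply, and decodes the authorization back out. The shared secret, request authenticator, identifier, VLAN number, ACL text and SGT value are constructed.

```python
"""Encode/decode the RADIUS authorization ISE returns in an Access-Accept:
VLAN (Tunnel-* attributes, RFC 2868), dACL and SGT (Cisco cisco-av-pair VSAs).

Added example, not code from the slides or from Cisco ISE. Secret, request
authenticator, identifier, VLAN, ACL lines and SGT are constructed inputs.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIV_GROUP = 64, 65, 81
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # cisco-av-pair sub-attribute type
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    # Tunnel-Type / Tunnel-Medium-Type carry a 1-byte tag and a 3-byte integer
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def cisco_avpair(text: str) -> bytes:
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        vlan: int, dacl: list, sgt: int) -> bytes:
    tag = 1
    attrs = (
        tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(ATTR_TUNNEL_MEDIUM, tag, TUNNEL_MEDIUM_802)
        + attr(ATTR_TUNNEL_PRIV_GROUP, bytes([tag]) + str(vlan).encode())
        + b"".join(cisco_avpair(f"ip:inacl#{i}={ace}") for i, ace in enumerate(dacl, 1))
        # SGT the way ISE emits it: four hex digits of the tag, hyphen, generation id
        + cisco_avpair(f"cts:security-group-tag={sgt:04x}-00")
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch (RADIUS client) checks before trusting the authorization."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[4:20] == expected


def parse_authorization(pkt: bytes) -> dict:
    """Pull VLAN, dACL entries and SGT back out of a raw Access-Accept."""
    out = {"vlan": None, "dacl": [], "sgt": None}
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_TUNNEL_PRIV_GROUP:
            # a leading byte <= 0x1F is a tag; otherwise it is part of the string
            out["vlan"] = int(value[1:] if value[0] <= 0x1F else value)
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            text = value[6:].decode()        # skip vendor id, sub-type and sub-length
            if text.startswith("ip:inacl#"):
                out["dacl"].append(text.split("=", 1)[1])
            elif text.startswith("cts:security-group-tag="):
                out["sgt"] = int(text.split("=")[1].split("-")[0], 16)
    return out


# Constructed inputs; in practice the switch chooses identifier and request authenticator
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PACKET = build_access_accept(0x2A, REQUEST_AUTH, SECRET, vlan=3,
                             dacl=["deny ip any host 10.0.0.5", "permit ip any any"],
                             sgt=10)

if __name__ == "__main__":
    print(verify_response(PACKET, REQUEST_AUTH, SECRET), parse_authorization(PACKET))
```

The Response Authenticator is the only integrity check a plain RADIUS/UDP exchange has, and it is an MD5 keyed by the shared secret; a weak or shared-everywhere secret lets an attacker on the path answer Access-Accept with any VLAN, dACL or SGT, which is the usual argument for RADIUS over DTLS/TLS or an isolated management path between switches and ISE.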

Page 21 (Software-Defined Segmentation)

Software-Defined Segmentation: easily classify endpoint devices and use group-based policies in NGFWs and the network

[Figure: endpoints classified into security groups: SGT_Guest (Guest 1-4), SGT_Employee (Employee 1-4), SGT_Printers (Printer 1-2), SGT_FinanceServer (Fin 1-2), SGT_BuildingManagement (Temperature Device 1-2 reading 50°, Surveillance Device 1-2).]

Page 22 (Software-Defined Segmentation)

Simplifying Segmentation with TrustSec

Traditional segmentation: security policy based on topology, with high cost and complex maintenance. At the access layer each role (Voice, Employee, Supplier, Guest, BYOD, Non-Compliant) needs its own VLAN (Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN) carried through the aggregation layer to the enterprise backbone, and every VLAN brings an address range, a DHCP scope, redundancy, routing, static ACLs and VACLs.

TrustSec: use the existing topology and automate security policy to reduce OpEx. Endpoints keep their Voice and Data VLANs; ISE assigns tags (Employee Tag, Supplier Tag, Non-Compliant Tag) that the access layer, the enterprise backbone and the DC firewall/switch in front of the DC servers enforce. No VLAN change, no topology change, central policy provisioning, micro/macro segmentation.

Page 23 (Software-Defined Segmentation)

Segmentation Management

[Figure: a policy matrix with sources (Guest, Employee BYOD, Building Mgmt., Employee) against destinations (Company Database, Public Cloud, External Partner, Internet). Each cell starts as "Define Access" and is filled in with Permit, Deny or "Deny Web Apps".]

Simplify role creation: define access policies using plain language instead of complex ACLs and firewall rules.

Maintain and scale dynamically: defining policies with logical tags means that rules don't depend on individual IP addresses and can be dynamically and transparently changed no matter the group size.

Apply rules automatically: define segmentation based on logical groupings that are applied automatically.

Maintain agility with simple, dynamic policy updates.

Page 24 (Software-Defined Segmentation)

A range of deployment scenarios: data center segmentation; campus and branch segmentation; user to data center and cloud access control.

Page 25 (Software-Defined Segmentation)

Campus / Branch / DC Segmentation

Segment traffic based on the classified group (SGT), not on topology (VLAN, IP subnet). Micro-segmentation / host isolation in LAN and DC with a single policy (segment devices even in the same VLAN or the same security group).

[Figure: VLAN Data-1 and VLAN Data-2 each carry Voice, Employee, Supplier and Non-Compliant endpoints; ISE assigns the Employee, Supplier, Non-Compliant, Application Servers and Shared Services tags that separate them from the data center application servers and shared services.]

Page 26 (Software-Defined Segmentation)

TrustSec Policy Matrix (SGACL)

The matrix cell for traffic to Servers (SGT: 10), enforced on the device in front of them:

permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log

Page 27 (Simplified Firewall Rules Management)

Simplifying Firewall Rule Management with TrustSec

[Figure: a wall of conventional address-based entries, for example

access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

and dozens more lines of the same shape, illustrating what a rule base looks like when every rule is keyed on IP addresses and ports.]

• Simplified rule management:
• Define protected assets by their role, not IP address
• Works across TrustSec and ACI environments
• Avoids complexity and add/move/change effort
• Leads to a much simpler and smaller rule base
• Consistent, clear, simple rules
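The difference between the SGACL cell on Page 26 and the address-based list on Page 27 is what the policy is keyed on: an SGACL never mentions an address, so a server that moves subnet or a user that changes VLAN keeps the same rule. The following added example (not code from the slides or from Cisco) parses the SGACL syntax as printed on Page 26 and evaluates flows against a small matrix. Servers = SGT 10 comes from the slides; the Employee and Guest SGT values, the group pairs and the sample flows are constructed, as is the explicit default for matrix cells with no entry (in ISE the matrix default is configurable).

```python
"""Evaluate TrustSec SGACL matrix cells against flows.

Added example, not code from the slides or from Cisco. Servers=10 is from
the deck; the other SGT values, the matrix entries and the flows are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def parse_sgacl(text: str):
    """Parse 'permit|deny <proto> [dst eq N | dst range A B] [log]' lines
    into (action, proto, low_port, high_port, log) tuples."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        log = parts[-1] == "log"
        body = parts[2:-1] if log else parts[2:]
        lo = hi = None
        if body[:2] == ["dst", "eq"]:
            lo = hi = int(body[2])
        elif body[:2] == ["dst", "range"]:
            lo, hi = int(body[2]), int(body[3])
        elif body:
            raise ValueError(f"unsupported clause in {line!r}")
        rules.append((action, proto, lo, hi, log))
    return rules


def evaluate(rules, flow: Flow) -> str:
    """First matching ACE wins; falls through to a constructed deny."""
    for action, proto, lo, hi, _log in rules:
        if proto != "ip" and proto != flow.proto:
            continue
        if lo is not None and (flow.dport is None or not lo <= flow.dport <= hi):
            continue
        return action
    return "deny"


# The Page 26 cell (any source -> Servers, SGT 10), abbreviated to a few of its lines
SERVERS_CELL = """
permit tcp dst eq 6970 log
permit tcp dst eq 443 log
permit tcp dst eq 5060 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
"""
SGT_EMPLOYEE, SGT_GUEST, SGT_SERVERS = 4, 6, 10   # Employee and Guest values constructed

MATRIX = {   # (src SGT, dst SGT) -> SGACL text; unlisted pairs use the default below
    (SGT_EMPLOYEE, SGT_SERVERS): SERVERS_CELL,
    (SGT_GUEST, SGT_SERVERS): "deny ip log",
}


def decide(flow: Flow, matrix=MATRIX, default_rule="deny ip") -> str:
    """Look up the cell for (src, dst) and evaluate the flow; no addresses involved."""
    cell = matrix.get((flow.src_sgt, flow.dst_sgt), default_rule)
    return evaluate(parse_sgacl(cell), flow)


if __name__ == "__main__":
    for f in [Flow(SGT_EMPLOYEE, SGT_SERVERS, "tcp", 443),
              Flow(SGT_EMPLOYEE, SGT_SERVERS, "tcp", 22),
              Flow(SGT_GUEST, SGT_SERVERS, "tcp", 443)]:
        print(f, "->", decide(f))
```

The enforcement point only sees tags, so the whole scheme is as strong as the classification (ISE authorization) and the tag propagation (inline tagging or SXP) feeding it; a mis-classified endpoint inherits every permit of the group it was placed in.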

Page 28 (Simplified Firewall Rules Management)

FTD policies based on ISE attributes and security groups: NGIPS / ASA + Firepower learn identity context from ISE over pxGrid, so access control policies can be based on ISE attributes (SGT, device type and endpoint location).

Page 29 (Simplified Firewall Rules Management)

ASA with Firepower Services: inspect based on SGTs

[Figure: Partners, Employee and Suppliers reach the data center (Customer DB; Servers, SGT: 10) across the enterprise backbone through an ASA with FirePOWER, which enforces policy on the SGTs.]

Page 30

Multiple TrustSec Matrices: segmentation policy sets based on risk

Global risk level use case: policy sets 1 to 5, applied network-wide according to the current risk level.

Local policy sets for high-risk locations and compliance-critical environments, e.g. 1. London DCs, 2. High-risk sites, 3. PCI zones, 4. Development locations, 5. NY data centers.

Capabilities: apply different TrustSec policy sets for different environments or risk conditions; create different policy sets and apply different policies to different business environments; easily change policies.

Threat response: by applying risk-based, predefined policies. Simplified operations: policy changes can be applied to different operational zones with centralized management. Segmentation flexibility: lets customers differentiate their segmentation by site based on business role.

Benefits:
• Mitigates threats by changing the applied policy sets
• Pre-determined segmentation policies enable error-free changes
• Allows distinct policy sets to be applied to different environments
• Flexible policy setup for multiple operational use cases

Page 31

Risk Level Policy Sets: DEFCON policy enforcement. Multiple levels of policy sets, applied globally; the most restrictive level restricts all lateral movement.

Page 32 (Always-on Policy Compliance)

Posture defines the state of compliance with the company's security policy

Posture flow:
1. Authenticate user/device. Posture: Unknown / Non-Compliant?
2. Quarantine: limited access via VLAN / dACL / SGTs.
3. Posture assessment: check hotfix, AV, PIN lock, USB device, etc. (e.g. is anti-virus present and updated?)
4. Remediation: WSUS, launch app, scripts, MDM, etc.
5. Authorization change: full access via VLAN / dACL / SGTs.

Page 33 (Always-on Policy Compliance)

ISE posture policies: flexible deployment options

Employee: Cisco AnyConnect standard mode; Cisco AnyConnect stealth mode (AnyConnect with no UI).

Contractor: Cisco NAC Web Agent (non-persistent).

Page 34 (Always-on Policy Compliance)

Cisco AnyConnect: way more than VPN

Threat protection. AnyConnect features: basic VPN, advanced VPN, endpoint compliance, enterprise access, inspection service, network visibility, Advanced Malware Protection, roaming protection (OpenDNS plugin).

Integration with other Cisco solutions: Identity Services Engine (ISE); ASR / CSR, switches and wireless controllers; Cloud Web Security services (CWS + WSA); ISR, Adaptive Security Appliance (ASA); NetFlow collectors.

Page 35 (for your reference)

Posture conditions explained: the same highlights as the table on the next slide (file check enhancements, OS X daemon check, disk encryption check, reporting, USB condition and remediation, native patch management, AMP Enabler profile, posture lease).

Page 36 (for your reference)

Posture capabilities: ISE 2.0 with AnyConnect 4.2, ISE 2.1 with AnyConnect 4.3

File check enhancements: enhanced OS X file checks, SHA-256, plist on OS X, Windows user directories such as "Desktop" and "User Profile".

OS X daemon check: user agent check, user-based process check.

Disk encryption check: checks can be based on installation, location and disk encryption state. AnyConnect 4.3 enforces the disk encryption policy.

Reporting: report based on condition name and condition state.

Native patch management: patch management supported via OPSWAT {Install, Enable, Up-To-Date}.

AMP Enabler profile: download and provisioning of the AMP client module.

Posture lease (from ISE 1.3): once postured compliant, the user may disconnect/reconnect multiple times before re-posture.

Anti-malware checks: combination of the antispyware and antivirus conditions; supported by the OESIS version 4.x or later compliance module.

USB condition and remediation: "dynamic", i.e. enforced in real time; configured at the initial posture check or at passive reassessment checks (PRA).

Page 37 (for your reference)

Posture capabilities: ISE 2.2 with AnyConnect 4.4

Enhanced posture discovery and client provisioning: ability to on-board endpoints using an off-premises portal, so users are protected 100% of the time (on-prem or off-prem); posture on 3rd-party devices (agent-to-ISE communication without URL redirect).

AnyConnect headless: AnyConnect agent with no UI for both Windows and OS X (no UI module).

Application visibility, control and enforcement: continuous data monitoring of installed and running applications; ISE collects and monitors data from the user's device every 5 minutes (can be set to 1 minute for demo purposes).

Firewall-enabled checks and remediation: check whether a firewall is installed or running, with the ability to launch the firewall if it is not running.

AnyConnect profile provisioning using JSON: OpenDNS Umbrella provisioning support.

UDID context sharing: seamless posture experience when switching between wired and wireless, and exposure in the Context Directory.

Common certificates and HTTP ports for posture: avoiding unknown-certificate errors.

Apex enforcement (posture admin UI shuts down).

Page 38 (Always-on Policy Compliance)

Client Provisioning Overview

Client provisioning functions in Cisco ISE allow you to download client provisioning resources and configure agent profiles for Windows and Mac OS X clients, and native supplicant profiles for your own personal mobile devices. Client provisioning resources consist of compliance and posture agents for desktops (e.g. the MacOsXAgent download) and native supplicant profiles for phones and tablets.

Cisco ISE looks at various elements when classifying the type of login session through which users access the internal network: operating system and version; browser type and version; user group membership; condition evaluation results (based on dictionary attributes).

Page 39 (Always-on Policy Compliance)

Simple authorization policy: Posture Compliant = full access; Posture Non-Compliant = access limited to the remediation network.

Page 40 (Always-on Policy Compliance)

Patch Management Remediation

• Remediation type: same as AV and AS remediation.
• Operating system: Windows only is supported.
• Vendor name: the list is loaded from the OPSWAT update.
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI.
• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.

Page 41 (Always-on Policy Compliance)

ISE and SCCM integration overview: Microsoft SCCM as an external MDM server for Cisco ISE

ISE 2.1 integrates with SCCM to retrieve the compliance status of Windows managed endpoints. The integration uses MDM flows: ISE communicates with the SCCM server using WMI to retrieve the current attributes for a managed asset (patch and software management, posture status). Status checks: Registered; Registered + Non-Compliant; Registered + Compliant.

Page 42 (Always-on Policy Compliance)

Threat Centric NAC explained: reduce vulnerabilities, contain threats

Compromised endpoints spread malware by exploiting known vulnerabilities in the network: 1. malware infection; 2. malware scans for vulnerable endpoints; 3. vulnerability detected; 4. infection spread.

Flag compromised and vulnerable hosts and limit their access to a remediation segment: Cisco AMP reports "threat detected" (IOC), a vulnerability scan reports a CVSS score for a vulnerable host, and ISE quarantines and remediates it. Inputs: Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP). Most endpoint AMP is deployed in 'visibility only' mode.

Page 43

What is Threat Centric NAC?

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.

• Complements Posture: vulnerability data tells the endpoint's posture from the outside.
• Expanded control, driven by threat intelligence and vulnerability assessment data.
• Faster response, with automated, real-time policy updates based on vulnerability data and threat metrics.

Diagram: AMP, Cisco ISE and the endpoints exchange STIX, threat events, CVSS, IOC, vulnerability assessments and threat notifications. Formats: STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC). Sources shown: Qualys, CTA (ISE 2.2).

Network Access Policy: create ISE authorization policies based on the threat and vulnerability attributes (Threat, Vulnerability) alongside Who, What, When, Where, How and Posture.

Page 44

Mobile Device Posture assessment

MDM Policy Checks: device registration status, device compliance status, disk encryption status, PIN lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.

Posture compliance assessment for mobile devices (an employee on a personal device; diagram shows Cisco ISE, the MDM, the Internet and the corporate network):
1. Register with ISE
2. Internet access
3. Register with MDM
4. Comply with MDM policy
5. Allow corporate access
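The two slides above describe authorization driven by attributes: the MDM posture checks and registration steps here, and the threat and vulnerability attributes (CVSS, IOC) of the Threat Centric NAC slide. The following is an added example, not code from the deck or from Cisco, of a first-match policy that combines both kinds of attributes and re-evaluates a session when a partner pushes new context; attribute names, the 7.0 CVSS threshold and the result labels are assumptions.

```python
"""Added example, not from the deck: a first-match authorization policy in the style
of ISE, combining the MDM posture attributes of page 44 with the threat-centric NAC
attributes of page 43 (highest CVSS score from a vulnerability scan, IOC/threat
events).  Attribute names, the 7.0 threshold and the result labels are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Session:
    mac: str
    mdm_registered: bool = False
    mdm_compliant: bool = False
    disk_encrypted: bool = False
    pin_lock: bool = False
    jailbroken: bool = False
    cvss_max: float = 0.0                    # highest CVSS base score reported by the scanner
    threat_events: list = field(default_factory=list)  # IOCs such as "Threat detected" from AMP
    result: str = "Deny"                     # authorization result currently enforced on the NAD

# (rule name, condition, authorization result): evaluated top-down, first match wins
POLICY = [
    ("Threat-IOC",         lambda s: bool(s.threat_events), "Quarantine"),
    ("Vuln-CVSS-High",     lambda s: s.cvss_max >= 7.0,     "Remediation-Segment"),
    ("MDM-Unregistered",   lambda s: not s.mdm_registered,  "Internet-Only+MDM-Redirect"),
    ("MDM-Noncompliant",   lambda s: not (s.mdm_compliant and s.disk_encrypted
                                          and s.pin_lock and not s.jailbroken), "Internet-Only"),
    ("Compliant-Employee", lambda s: True,                  "Corporate-Access"),
]

def evaluate(session):
    """Return (matched rule, result) for the session's current attributes."""
    for name, cond, result in POLICY:
        if cond(session):
            return name, result
    return "Default", "Deny"

def apply_context_update(session, **attrs):
    """Apply attributes pushed by a partner (MDM, scanner, AMP) and re-evaluate.
    Returns (new_result, coa_needed): a changed result is what would make ISE send
    a RADIUS CoA so the endpoint moves segment without waiting for re-authentication."""
    for key, value in attrs.items():
        if key == "threat_events":
            session.threat_events = session.threat_events + list(value)
        else:
            setattr(session, key, value)
    _, new_result = evaluate(session)
    coa_needed = new_result != session.result
    session.result = new_result
    return new_result, coa_needed

if __name__ == "__main__":
    s = Session(mac="00:11:22:33:44:55")  # constructed sample session
    print(evaluate(s))                     # ('MDM-Unregistered', 'Internet-Only+MDM-Redirect')
    print(apply_context_update(s, cvss_max=9.8))  # ('Remediation-Segment', True)
```

Rule order is the security-relevant part: the threat and vulnerability rules sit above the MDM rules, so a compliant device that later shows an IOC is still moved out of the corporate segment.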

Page 45

Rapid Threat Containment (RTC) with Firesight Management Center (FMC) and ISE

Protect critical data by stopping attacks faster, based on real-time threat intelligence.

PROBLEM: an attacker moves from the Internet into the enterprise network: initial compromise, infection spread, data hoarding, data exfiltration, monetize theft. Time To Detection (TTD): 100-200 days (http://bit.ly/cisco-asr-2016), so detection comes 100 – 200 days after the initial compromise.

SOLUTION: sensors in the enterprise network (AMP / NGIPS / ASA with FirePOWER) report to FMC; FMC sends an EPS quarantine to ISE over pxGrid; ISE issues a CoA and TrustSec segmentation contains the endpoint. Containment follows the initial compromise within minutes.

Rapid Threat Containment

Page 46

Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data

Context (When, Where, Who, How, What) flows between the Cisco network, ISE with its pxGrid controller, and the Cisco and partner ecosystem:
1. Cisco® ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy

https://datatracker.ietf.org/doc/draft-appala-mile-xmpp-grid/

Ecosystem Integration
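The five steps above, together with the RTC flow on the previous slide, as an added in-memory simulation; this is not Cisco or pxGrid code. Topic names, message fields and the sample session are assumptions, and the real controller's client authentication and XMPP/REST transport are left out.

```python
"""Added example, not Cisco code: an in-memory simulation of the five pxGrid steps
(collect context, share it, partner detects, partner asks ISE to contain, ISE refines
policy) and of the FMC -> ISE quarantine flow of the RTC slide.  Topic names and
message fields are assumptions; authentication and transport are omitted."""
from collections import defaultdict

class Grid:
    """Minimal controller: partners subscribe to topics, publishers push messages."""
    def __init__(self):
        self.subscribers = defaultdict(list)
        self.log = []                      # every message that crossed the grid
    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)
    def publish(self, topic, msg):
        self.log.append((topic, msg))
        for cb in self.subscribers[topic]:
            cb(msg)

class ISE:
    """Step 1: collect session context; step 2: share it; steps 4/5: act on partner requests."""
    def __init__(self, grid):
        self.grid, self.sessions, self.coa_sent = grid, {}, []
        grid.subscribe("EndpointProtectionService", self.on_eps_request)   # step 4
    def new_session(self, ip, mac, user, sgt):
        ctx = {"ip": ip, "mac": mac, "user": user, "sgt": sgt, "state": "STARTED"}
        self.sessions[ip] = ctx
        self.grid.publish("SessionDirectory", dict(ctx))        # step 2
    def on_eps_request(self, req):
        ctx = self.sessions.get(req["ip"])
        if ctx is None or req["action"] != "quarantine":
            return                                              # unknown host or no-op
        ctx.update(sgt="Quarantine", state="QUARANTINED")       # step 5: refine policy
        self.coa_sent.append(req["ip"])                         # RADIUS CoA towards the NAD
        self.grid.publish("SessionDirectory", dict(ctx))        # updated context to partners

class FMC:
    """Partner sensor manager (step 3): enriches IP-only events with ISE context,
    then asks ISE to contain the host instead of just reporting an IP address."""
    def __init__(self, grid):
        self.grid, self.context = grid, {}
        grid.subscribe("SessionDirectory", lambda ctx: self.context.__setitem__(ctx["ip"], ctx))
    def on_intrusion_event(self, src_ip, signature):
        ctx = self.context.get(src_ip)
        who = ctx["user"] if ctx else "unknown"                # identity, not only an IP
        self.grid.publish("EndpointProtectionService",
                          {"ip": src_ip, "action": "quarantine", "reason": signature, "user": who})
        return who

def demo():
    grid = Grid(); ise = ISE(grid); fmc = FMC(grid)
    ise.new_session("10.1.1.7", "00:11:22:33:44:55", "alice", "Employees")  # constructed sample
    who = fmc.on_intrusion_event("10.1.1.7", "constructed-IPS-signature")    # constructed event
    return who, ise.sessions["10.1.1.7"]["sgt"], ise.coa_sent   # -> ('alice', 'Quarantine', ['10.1.1.7'])
```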

Page 47

Integrating the traditional way

Each system (SIO included) holds one piece of context and needs another:
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…

Proprietary APIs aren't the solution. We need to share data.

Page 48

The problem (the same picture as on the previous slide: every system has one piece of context and needs another; proprietary APIs aren't the solution, we need to share data)

TRADITIONAL APIs – One Integration at a Time
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until the next release if you need a change
• Polling architecture = can't scale beyond 1 or 2 system integrations
• Security can be "loose"

Page 49

Solving the integration problem with a Grid

INFRASTRUCTURE FOR A ROBUST ECOSYSTEM
• Single framework – develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner

pxGrid context sharing: a single, scalable framework with direct, secured interfaces (diagram also shows SIO).

Page 50

3 things you can do with Ecosystems

BENEFITS
1. ISE makes customer IT platforms user/identity, device and network aware: ISE shares user/device and network context with the IT infrastructure (ISE → eco-partner: context). Puts "who, what device, what access" with events. Way better than just IP addresses!
2. Make ISE a better network policy platform for customers: ISE receives context from eco-partners to make better network access policy (eco-partner → ISE: context). Creates a single place for comprehensive network access policy through integration.
3. Help customer IT environments reach into the Cisco network: eco-partner → ISE → Cisco network (action: mitigate). Decreases the time, effort and cost of responding to security and network events.

Page 51

pxGrid – Industry Adoption Critical Mass: 40+ partner product integrations and 12 technology areas in the first year of release

Technology areas around Cisco pxGrid (security through integration): Vulnerability Assessment; Packet Capture & Forensics; SIEM & Threat Defense; IAM & SSO; Net/App Performance; IoT Security; Cloud Access Security; Firewall & Access Control; Rapid Threat Containment (RTC); DDI; Cisco ISE; Cisco WSA; Cisco FirePOWER.

pxGrid-Enabled ISE Partners:
• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable
• Firewall: Check Point, Infoblox, Bayshore
• DDI: Infoblox
• Cloud: Elastica, SkyHigh Networks
• Net/App: Savvius
• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7
• IAM: Ping, NetIQ, SecureAuth
• Vulnerability: Rapid7, Tenable, SAINT
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, Firesight, Firepower, ISE

Other ISE Partners:
• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute

Page 52

Same ISE for 'Network Device' Administration

TACACS+ Device Administration

Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Capabilities:
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features

Benefits:
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

Diagram: the Security Admin Team and the Network Admin Team each work in the TACACS+ Work Center.
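Command level authorization with an audit log, the capability listed above, as an added example that is not ISE's code: a first-match evaluation of per-role command sets with a record of every decision. The roles, rules and commands are constructed; the "permit unmatched" flag is modelled on the option an ISE command set has to permit any command not listed (an assumption about the model, not a copy of it).

```python
"""Added example, not ISE code: first-match evaluation of TACACS+ command sets in
the style of ISE device administration, with an audit record per decision.  Roles,
rules, device names and commands are constructed; permit_unmatched mirrors the
'permit any command that is not listed' option of an ISE command set (assumption)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CommandRule:
    grant: str          # "permit" or "deny"
    command: str        # command name (first token), e.g. "show"
    arguments: str      # regex matched against the rest of the line; "" means any

@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unmatched: bool = False   # False = anything not listed is denied

COMMAND_SETS = {
    "HelpdeskReadOnly": CommandSet("HelpdeskReadOnly", [
        CommandRule("deny",   "show", r"running-config.*"),   # keeps config secrets out of reach
        CommandRule("permit", "show", ""),
        CommandRule("permit", "ping", ""),
    ]),
    "NetAdminFull": CommandSet("NetAdminFull", [
        CommandRule("deny", "reload", ""),     # even admins may not reload from the CLI
    ], permit_unmatched=True),
}

AUDIT_LOG = []   # one entry per authorization request, like the per-command TACACS+ logs

def authorize_command(user, role, device, line):
    """Return True (permit) or False (deny) for one command line; the first matching
    rule wins, and the decision is appended to AUDIT_LOG for auditing."""
    parts = line.strip().split(None, 1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    cs = COMMAND_SETS[role]
    decision, matched = None, "unmatched"
    for rule in cs.rules:
        if rule.command == cmd and re.fullmatch(rule.arguments or r".*", args):
            decision = rule.grant == "permit"
            matched = f"{rule.grant} {rule.command} {rule.arguments}".strip()
            break
    if decision is None:
        decision = cs.permit_unmatched
    AUDIT_LOG.append({"user": user, "device": device, "command": line.strip(),
                      "result": "PASSED" if decision else "FAILED", "rule": matched})
    return decision

if __name__ == "__main__":
    print(authorize_command("bob", "HelpdeskReadOnly", "sw1", "show ip interface brief"))  # True
    print(authorize_command("bob", "HelpdeskReadOnly", "sw1", "show running-config"))      # False
    print(authorize_command("alice", "NetAdminFull", "sw1", "reload"), AUDIT_LOG[-1])       # False
```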

Page 53

Deploying ISE

ISE node personas:
• pxGrid Controller: facilitates sharing of context
• Policy Services Node (PSN): makes policy decisions; RADIUS / TACACS+ servers
• Policy Administration Node (PAN): single pane of glass for ISE admin; replication hub for all database config changes
• Monitoring and Troubleshooting Node (MnT): reporting and logging node; syslog collector from ISE nodes

STANDALONE ISE: a single node (virtual / appliance), up to 20,000 concurrent endpoints.
MULTI-NODE ISE: multiple nodes (virtual / appliance) serving the network, up to 500,000 concurrent endpoints.

Page 54

Scaling ISE: one management interface for 1 – 500K endpoints

Endpoints      Deployment              Nodes (as drawn on the slide, in ascending order)
1 – 20,000     Standalone deployment   1 node
50,000         Multi-Node deployment   4 PSNs, 2 MnTs, 2 PANs
100,000        Multi-Node deployment   12 PSNs, 2 MnTs, 2 PANs
250,000        Multi-Node deployment   25 PSNs, 2 MnTs, 2 PANs
500,000        Multi-Node deployment   50 PSNs, 2 MnTs, 2 PANs

- Applies to both physical and virtual deployment
- Compatible with load balancers

HA configuration with a minimum of 6 redundant nodes

Page 55

ISE Deployment Assistant (IDA) to simplify Cisco 'Network Device' configurations

ISE Service:
• Per device actionable information
• Network assessment
• Configuration of NADs (Network Access Devices)
• Ability to troubleshoot failed authentications

Next Gen Access Control

Page 56

ISE Licensing

License      Term                              Functionality
EVALUATION   Temp (90 days)                    Full Cisco ISE functionality for 100 endpoints.
BASE         Perpetual                         Basic network access: AAA, IEEE 802.1X; Guest management; Easy Connect (Passive ID); TrustSec (SGT, SGACL, ACI Integration); ISE Application Programming Interfaces
PLUS         Subscription (1, 3, or 5 years)   BYOD with built-in Certificate Authority Services; Profiling and Feed Services; Endpoint Protection Service (EPS); Cisco pxGrid
APEX         Subscription (1, 3, or 5 years)   Third Party Mobile Device Management (MDM); Posture Compliance; Threat Centric NAC (TC-NAC)

ADDITIONAL OPTIONS
• DEVICE ADMIN (Perpetual): Cisco ISE requires a Device Administration license to use the TACACS+ service on top of an existing Base or Mobility license.
• MOBILITY (Subscription, 1, 3, or 5 years): combination of Base, Plus, and Apex for wireless and VPN endpoints.
• MOBILITY UPGRADE (Subscription, 1, 3, or 5 years): provides wired support to the Mobility license.

Licenses are uploaded to the Primary Administration node and propagated to the other Cisco ISE nodes in the cluster.
The Base license is fundamental for use of Plus / Apex services.
Mobility licenses cannot coexist on a Cisco Administration node with Base, Plus, or Apex licenses.

Page 57

ACS to ISE migration

• ACS is no longer being sold after August 30, 2017

ACS Version   End of Sale        End of Life        End of Support (including vulnerability fix)   EoS status
5.8           Aug 30, 2017       Aug 30, 2018       Aug 31, 2020                                   EoS/L
5.7           May 2, 2016        May 2, 2017        May 31, 2019                                   EoS/L
5.6           Feb 16, 2016       Feb 15, 2017       February 28, 2019                              EoS/L
5.5           April 15, 2015     April 14, 2016     April 30, 2018                                 EoS/L
4.2           October 27, 2011   October 26, 2012   October 31, 2014                               EoS/L
3.3           August 29, 2006    August 29, 2007    August 28, 2009                                EoS/L

• ACS to ISE Migration Guide

Page 58

Cisco ISE delivers

1. Simplified access delivery across wired, wireless, and VPN connections
2. Visibility into who and what is on your network, shared across security and network solutions
3. Reduced risk and threat containment by dynamically controlling network access

Cisco ISE allows you to see it all and secure it now.

Page 59

Don't just take it from us

“Cisco ISE unifies and automates access control to proactively enforce role-based access to enterprise networks and resources.”
— SC Company 2016

Recognized as a LEADER, four years in a row
— Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011

A CHAMPION in Info-Tech Vendor Landscape for NAC
— Info-Tech Research Group, 2014

Recipient of the 2016 Frost & Sullivan Global NAC Market Leadership Award

“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
— Frost & Sullivan, 2016

Page 60

ISE Resources

http://bit.ly/ise-design-guides

Design guides focusing on ISE:
• Deployment Strategy
• ISE Configuration
• Network Access Device Configuration
• Guest and Web Authentication
• Mobile Device Management (MDM)
• Cisco pxGrid
• Third-Party Integration
• etc.

Page 61

Recommended