Inside Cisco IT: How Cisco Deployed ISE and...

Date post: 22-Mar-2018
Page 1: Inside Cisco IT: How Cisco Deployed ISE and …d2zmdbbm9feqrf.cloudfront.net/2017/eur/pdf/BRKCOC-2255.pdfHow Cisco Deployed ISE and TrustSec, globally ... Management Active Directory
Page 2

Inside Cisco IT: How Cisco Deployed ISE and TrustSec, globally

Simon Finn

BRKCOC-2255

Page 3

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

ISE is a journey

Page 4

Agenda

• Introduction
• Foundation Deployment
• Network Deployment
• Network Policy
• Integration
• Where to next?
• Q&A

Page 5

Defending Cisco: What We Must Protect

• 122K Workforce
• 170 Countries
• ~3M IP Addresses
• 215K Infra Devices
• 275K Total Hosts
• 2500+ IT Applications
• 27K Remote Office Connections via Cisco Virtual Office
• 16 major Internet connections
• ~47 TB bandwidth used daily
• 1350 Labs
• 180+ Acquisitions
• 300 partner extranet connections
• 500 Cloud ASPs
• WebEx, Meraki, Umbrella and Growing Portfolio of Offers

Page 6

A centralized security solution that automates context-aware access to network resources and shares contextual data.

[Diagram: access policy for network resources, Traditional vs. Cisco TrustSec®. Use cases: BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture. Context dimensions: Who, What, When, Where, How, Compliant. Elements: Network Door (Physical or VM), Context, ISE pxGrid Controller.]

Page 7

ISE And The Cisco Security Solutions

[Diagram: ISE (Who, What, Where, When, How) at the centre of the Before / During / After model, alongside NetFlow, NGIPS, Cisco StealthWatch, AMP, AMP Threat Grid, FireSIGHT™ Console, CWS, WSA, ESA and FirePOWER™ Services.]

Page 8

Seamless Connectivity and Integrated Security

[Diagram: Identity Services Engine connected to Wireless Devices, AnyConnect VPN (All Mobile), Wired Network Devices, Home Access (CVO), Adaptive Security Appliance, Cisco Core Network, Device Management, WSA / ESA / AMP, StealthWatch and AMP Threat-Grid.]

Page 9

Cisco IT Network Security Requirements

Requirement: Secure Guest Network; ION (Internet Only Network)
  Major Technical Outcome: Simplified single secure platform (reduce server footprint from 28 to 8)
  Major Business Outcome:
  • High availability
  • Secure, scalable, and flexible offering for guests, partners, and employees

Requirement: 802.1x Auth: WLAN, CVO*, LAN; VPN + AnyConnect
  Major Technical Outcome: Complete visibility and control of devices connecting to the network
  Major Business Outcome:
  • One scalable policy enforcement environment
  • Network segmentation
  • Productivity on the go

Requirement: Consistent Assured Network Access
  Major Technical Outcome: Scalable enterprise secure network
  Major Business Outcome:
  • Enhanced Risk Management
  • Consistent User Experience
  • Improved Operations

*CVO is Cisco Virtual Office, for small office/home office

Page 10

Business Outcomes - High Level Dependency

[Diagram: dependency stack, top to bottom: Trusted Enterprise; Trusted Device, Trusted Service, Trusted Cloud, Monitoring and Visibility; Dynamic Device Policy and Dynamic User Policy (areas: IOT, Posture, Acquisitions, Vendors, Guest, Quarantine); TrustSec; Wireless, Wired, VPN. Arrow labelled "Depends on". Status labels shown: Complete, Complete, ~85%, Complete.]

Page 11

Foundations

Page 12

Single Global ISE Deployment (WLAN, CVO, LAN, VPN)

[Map: 24 ISE Nodes; 20 PSNs; 8 DC (Node Groups) at AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL. Legend: Primary ISE PAN/M&T, Secondary ISE PAN/M&T, ISE PSN.]

Page 13

Cisco IT ISE Global Deployment (WLAN, VPN, LAN)

[Map. Legend: ISE PSNs Data Center (8); Network Devices (sites/cities); Auth traffic to ISE PSNs.]

Page 14

Cisco IT ISE Global Deployment (All Network Devices)

[Map]

Page 15

Guestnet (ION) Deployment

[Diagram: Geo Proximity Based NAD & GSS Configuration.
• Primary (MTV): PAN, MnT and PSNs behind ION LB VIPs, reachable as ion-mtv-guest and ion-mtv-sponsor; NADs in AMER send Guest Portal Auth (wireless and wired access) here.
• Secondary (AER): PAN, MnT and PSNs behind ION LB VIPs, reachable as ion-aer-guest and ion-aer-sponsor; NADs in EMEA/APJC send Guest Portal Auth (wireless and wired access) here.
• Sponsor Portal reached through GSS (internet.cisco.com) via a PPAN alias; Guest Account Creation by Lobby Ambassadors and through the VMS Tool.]

Page 16

ISE Deployment Architecture

[Diagram: PPAN and SPAN (Primary & Secondary ADMIN Nodes) and PMnT and SMnT (Primary & Secondary Monitoring Nodes), with Automatic Failover, Replication and Logging between them; PAN/MnT at MTV and ALN. ISE Policy Service Nodes: 20 PSNs, 8 Data Centers. Primary ISE VIP and Secondary ISE VIPs per site: ISE-MTV-VIP, ISE-ALN-VIP, ISE-RTP-VIP (US Sites); ISE-AER-VIP (EMEAR Site); ISE-BGL-VIP, ISE-HKG-VIP, ISE-TYO-VIP, ISE-SNG-VIP (APAC Sites). Network Devices at MTV, AER and BGL point at their local VIP. Per-service VIPs at a site, e.g. ISE-AER-WLAN, ISE-AER-LAN, ISE-AER-VPN, ISE-AER-CVO.]

Page 17

Why Use Load Balancers?

• Ease of global configuration
• Overcome device limits for AAA servers
• Ease of migration, cluster split. No need to change thousands of network devices

[Diagram: request for service at the single host 'psn-cluster'.
1. The access device sends a DNS request to resolve the psn-cluster FQDN: DNS Lookup = psn-cluster.company.com, DNS Response = 10.1.98.10.
2. The request is sent to the Virtual IP Address (VIP) 10.1.98.10 on the ACE LB (PSN-CLUSTER, VLAN 98, 10.1.98.0/24).
3. The response is received from the real server ise-psn-3 @ 10.1.99.7; the pool behind the VIP is ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3 at 10.1.99.5, 10.1.99.6 and 10.1.99.7 (VLAN 99, 10.1.99.0/24).]

Page 18

Considerations when using Load Balancers

• CoA traffic has to be NAT'ed from PSN to client by the load balancer
• Be careful what other traffic sits on udp/1700 you may catch
• Your LB may not behave as you expect…test

[Diagram: ISE-PSN-1/2/3 at 10.1.99.5/6/7 behind the ACE LB at 10.1.98.10. Before: CoA SRC=10.1.99.5 (each PSN's real address). After: CoA SRC=10.1.98.10 (the VIP, once the LB NATs the CoA).]

Before (one dynamic-author client entry per PSN on every network device):

aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>

After (a single entry for the VIP):

aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123

Page 19

ISE Deployment Ecosystem: Building Blocks

[Diagram of layers:
• ISE (Logical Layer): User Provisioning, Mobile Device Management, Network Device Provisioning, ISE Policy Management, Active Directory, Call Manager, Data Analysis (Syslog), Quality
• ISE (Physical Layer): ISE Appliance OR VM (Fabric, Compute, Storage)
• Network: DNS, NTP, SFTP, Load Balancers
• Network Access Devices
• Endpoints: Devices, Users & Supplicants
• Enterprise Monitoring: HTTP(S), RADIUS, PEAP, EAP-FAST, EAP-TLS
Operating cycle: MAP, Monitor, Act, Prevent.]

Page 20

Active Directory Dedicated Infra For ISE

Before:
• Highly recommended by the BU
• Highly avoided by the teams
• Highly costly, causing few outages

After:
• Better fine-tuning to suit ISE requirements
• Better – and faster – troubleshooting
• Better monitoring for preventative measures

[Diagram: a dedicated Active Directory alongside ISE (Logical Layer), Network Access Devices and Endpoints: Devices, Users & Supplicants.]

Page 21

ISE AD : Physical Architecture

[Diagram:
• MTV VIPs & PSNs: Isemtv-prd-05/06/08 behind isemtv-prd-wlan, isemtv-prd-lan, isemtv-prd-cvo
• ALLN VIPs & PSNs: iseallne-prd-02/03 behind isealln-prd-wlan, isealln-prd-lan, isealln-prd-cvo
• RTP VIPs & PSNs: isertp-prd-02/03/04 behind isertp-prd-wlan, isertp-prd-lan, isertp-prd-cvo
• AER VIPs & PSNs: iseaer-prd-01/03 behind iseaer-prd-wlan, iseaer-prd-lan, iseaer-prd-cvo
• MTV Primary Admin & MnT (PPAN, PMnT): isemtv-prd-22, isemtv-prd-32
• ALLN Secondary Admin & MnT (SPAN, SMnT): isealln-prd-21, Iseallne-prd-31
• APAC Sites [BGL, HKG, SNG, TYO]
• AD DCs at each site; Replication and Logging between primary and secondary; AD Primary Config and AD Secondary Config; Cisco.com AD (Port 389).]

Page 22

Wireless Users/Endpoints by Node Group

[Bar chart: Users and Endpoints/MAC per node group (AER, ALLN, BGL, HKG, MTV, RTP, SNG, TYO); y-axis 0 to 70,000. Avg. 33K Endpoints.]

Page 23

Testing High Availability When 1 DC Fails

[Chart]

Page 24

Cisco IT Deployment Strategy

• Avoid the “Big Bang”
  • Too many new capabilities and features to enable in a single deployment.
• “ISE Deployment Bundle” model
  • Capabilities have been grouped into bundles to enable targeted & manageable deployments
• Multiple clusters consolidated
  • Pros and cons of single vs. distributed: ISE Limits, Scalability, # EP, Auth, Latency, AD…
  • “Start with one cluster and add more if necessary”
• Global Infrastructure Foundation
  • Minimize Network Device configuration where possible: Use different Virtual IPs by service (e.g., WLAN, LAN, CVO, VPN) for better manageability and ease/speed of control
  • Build a parallel production infra for testing, readiness to scale, and easier upgrade
• Build a cross-functional team from the start
  • Everybody is an equal partner; extend to the BU

Page 25

Program Governance

Steering Committee: Director level representation across all relevant areas of IT and security. Responsible for approving high level policy and direction.

Core team: Senior technical and PM members across all relevant areas of IT and Security. Responsible for setting strategic technical direction.

Tracks (Foundation, Wired Auth, Etc…): Execution and delivery tracks. Includes implementation engineers. Overseen by a subset of the core team.

Page 26

Sample ISE Basic Deployment Roadmap

[Roadmap chart with columns Phase 1, Phase 2, Phase 3, Phase 4, Phase 5 and Completion, and rows for the tracks Infra, Network, Guest, Wireless, VPN, Wired and Advanced Capabilities. Milestones shown: Foundation ISE 1.2 Install; ISE 1.3 Upgrade; ISE 1.4 Upgrade; ISE 2.1 Upgrade; Apply patches; Design, Proof of Concepts, Data Analysis; Monitor; Endpoint Analysis: Wired dot1x MM & Profiling; Guest Access; Wireless (WLAN) Auth Deployment; CVO (Home Office) Wireless Auth; VPN Auth; CVO Wired Auth; Limited Sites Wired Auth; Wired 802.1X Monitor Mode Deployment; Global Wired Auth Enforcement; 802.1x Authentication; Quarantine/Remediation; Posture Enforcement (ISE); Posture Assessment (DM); Security Group Tagging (SGT); PxGrid Integration; Fine tune; Optimize.]

Page 27

Deployment Readiness

Design Engineer Personal Lab → Solution Verification Lab → Stage & Pilot → Deploy!

Page 28

ISE Deployment : Monitoring & Troubleshooting

Deployment Health Monitoring:
• Basic Reporting: ISE Out-of-Box Dashboard, Alarms & Alerts
• Dependency Monitoring: ISE, AD, DNS, Filer
• ISE Infra Monitors: VMs, LB VIPs, Resource Utilization
• ISE Protocol Monitors: Radius, HTTPS, PEAP, EAP
• Enterprise Monitors: SNMP Based, Integrated monitoring
• Event Correlation: ISE, NADs, DM, AD
• Early-detection of potential issues: Pattern analysis, Benchmark comparative analysis
• Enhanced Reporting: Splunk Data Analytics, Pro-active alerting
• Drill-down troubleshooting: Transaction focused, Step-by-step breakdown

Page 29

Cisco IT ISE Production Deployment Metrics

Internet Only (CWA, Central Web Auth): ISE 1.2, 8 VMs, 2 DCs; ~14K Guest/Week

Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs
• Over a million active profiled “Endpoints”
• Max ~200K Concurrent “Endpoints”
• 27K CVO; ~60K EP
• 580 WLC; ~200K EP
• 70 ASA; ~90K EP
• 2K SW; ~200K EP
• 8 Sites; ~8K EP

Also shown: 98 Countries, 580 Offices, 130K Stakeholders, 27K Home Offices

Page 30

Network Deployment

TrustSec; Wireless, Wired, VPN

Page 31

How prepared is your network?

• The deployment of TrustSec has proven to be the biggest compliance effort ever undertaken by Cisco IT.
• Despite numerous systems deployed for managing the network, exceptions were numerous, and they were not accounted for in network scripting initially.
• Use monitor mode and analytics for visibility
• Be prepared to adapt to your business
  • Customer facing
  • Special circumstances
  • Physical limitations
  • Different usage (e.g. demos, testbeds)
• Plan for exceptions, automate where possible

Page 32

Timing is important…

Page 33

What can be connected, will be connected

Some legacy systems: UPS, Building Management Systems, Lighting and power management
Some newer: Connected workspaces, Sensors…

How tight are your current controls?
What is the business culture like?
Do you have processes to deal with it?

Page 34

Exceptions

Page 35

Cisco IT ISE Guest Network – Wireless

[Chart: Top 4 cities by number of guest authentications over a 7-day period: 6,379; 3,583; 2,232; 2,107.]

Page 36

Internet Only Network: An important ‘default’ capability

• The Internet Only Network is a natural evolution of Guest networking, but for more generic purposes
• Important segmentation to not only enable the business but protect the business
• Wired and wireless

Some questions we had to ask:
• What is considered acceptable minimum access?
• User attribution for legal events?

Page 37

VPN Migration

• Came after wireless (and ISE 1.2)
• Requires ASA 9.3.1 for CoA
• Part of the network…

Page 38

Changing Business Logic Stores: VPN issue

Summary: The enforcement of policy for VPN authentication/authorization uncovered a gap in exceptions on-boarding. Legacy approval systems placed people in different groups on ACS, which forced a specific tunnel-group. Migration caused some issues. Restricted users with undocumented exceptions lost the ability to connect to Production VPN hubs.

[Flow diagram, with the User Store holding the CRDC group:
• Users with Corp Prod VPN Profile → Connect to Prod Hub → Auth with ISE: Not in CRDC – access OK!
• Users with Restricted VPN Profile → Connect to restricted Hub → Auth with ISE: in restricted group – access OK! (Apply ISE policy)
• Users in restricted auth group → Connect to Prod Hub → Auth with ISE: in restricted group – Stop! → Temp Policy change to allow access]

Page 39

AnyConnect

AnyConnect is core to our strategy
• NVM + NAM
• Umbrella integration
• Posture services…

Page 40

Platform Compatibility*

Platform            Min. Acceptable Code    Preferred Code (if appropriate)
C3750X              15.2(1)E                15.2(2)E3
C3850               3.3.1 (15.0(1)EZ1)      3.6.5E
C4510R+E/Sup7E      3.6.1E                  3.6.5E
C4510R+E/Sup8E      3.6.1E                  3.6.5E
C6k/Sup32           12.2(33)SXJ6            15.1(2)SY4A
WLCs                8.0                     8.0.135.0
C881W (CVO)         15.4(1)T
ISR 4451            IOS-XE 3.15.01S
ASR1K               IOS-XE 3.11S

*based upon Cisco IT Routing & Switching roadmap

Page 41

Attribution

• Some questions your incident response teams need to know the answer to:
  • What was using the IP at [date:time]?
  • Who owns the machine(s) in question?
  • What was the machine in question (UUID, OS)?
• This can be directly integrated or shared/imported via syslog
• Analytics can benefit greatly from the addition of this information and we have found incidents from this.
• Monitor mode has no impact*, yet big rewards
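The first attribution question ("what was using the IP at [date:time]?") is answered from ISE's RADIUS accounting records. The following is an added example, not Cisco IT's tooling: it folds constructed accounting lines (a simplified key=value layout in the spirit of ISE's CISE_RADIUS_Accounting syslog, not the exact format) into sessions and resolves an IP at a point in time, treating a session with no Stop record as still open and flagging overlapping sessions as ambiguous. Usernames, MACs, IPs and session ids are constructed.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed sample lines (not real logs). Real ISE syslog carries many more
# fields and may split one record across several messages; the parsing idea is the same.
SAMPLE_SYSLOG = """\
2017-02-20 08:00:12 ise-psn-1 CISE_RADIUS_Accounting Acct-Status-Type=Start, Acct-Session-Id=A1, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, Framed-IP-Address=10.20.30.40, NAS-IP-Address=10.1.1.1
2017-02-20 09:30:00 ise-psn-1 CISE_RADIUS_Accounting Acct-Status-Type=Stop, Acct-Session-Id=A1, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, Framed-IP-Address=10.20.30.40, NAS-IP-Address=10.1.1.1
2017-02-20 09:45:03 ise-psn-2 CISE_RADIUS_Accounting Acct-Status-Type=Start, Acct-Session-Id=B7, UserName=bob, Calling-Station-ID=66-77-88-99-AA-BB, Framed-IP-Address=10.20.30.40, NAS-IP-Address=10.1.1.1
2017-02-20 09:50:00 ise-psn-2 CISE_RADIUS_Accounting Acct-Status-Type=Start, Acct-Session-Id=C3, UserName=carol, Calling-Station-ID=CC-DD-EE-FF-00-11, Framed-IP-Address=10.20.30.41, NAS-IP-Address=10.1.1.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CISE_RADIUS_Accounting (?P<kv>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_sessions(text: str) -> Dict[str, dict]:
    """Fold Start / Interim-Update / Stop records into one session per Acct-Session-Id."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not an accounting record
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        attrs = dict(kv.split("=", 1) for kv in m.group("kv").split(", "))
        s = sessions.setdefault(attrs["Acct-Session-Id"], {"start": None, "stop": None})
        s.update(user=attrs["UserName"], mac=attrs["Calling-Station-ID"],
                 ip=attrs["Framed-IP-Address"], nas=attrs["NAS-IP-Address"])
        if attrs["Acct-Status-Type"] == "Start":
            s["start"] = ts
        elif attrs["Acct-Status-Type"] == "Stop":
            s["stop"] = ts
    return sessions


def who_had_ip(sessions: Dict[str, dict], ip: str, at: str) -> Optional[dict]:
    """Answer 'what was using the IP at [date:time]?' for `at` in YYYY-MM-DD HH:MM:SS.
    A session with no Stop record yet is open-ended. If several sessions overlap
    (e.g. a lost Stop), the most recently started one wins and is flagged ambiguous."""
    when = datetime.strptime(at, TS_FMT)
    hits = [(sid, s) for sid, s in sessions.items()
            if s["ip"] == ip and s["start"] is not None and s["start"] <= when
            and (s["stop"] is None or when < s["stop"])]
    if not hits:
        return None
    hits.sort(key=lambda item: item[1]["start"], reverse=True)
    sid, s = hits[0]
    return {"session": sid, "user": s["user"], "mac": s["mac"], "nas": s["nas"],
            "ambiguous": len(hits) > 1}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SYSLOG)
    print(who_had_ip(sessions, "10.20.30.40", "2017-02-20 10:00:00"))
```

Note that the same address answers to alice before 09:30 and to bob after 09:45, so an IP alone is only meaningful together with the time; the MAC and NAS address in the result are what lead to the machine and the port.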

Page 42

IBNS 2.0 Features In Use

• Concurrent Authentication
• Service Templates
• Critical ACL/VLAN
• RADIUS Probe-On

Page 43

EEM script – “Fail open” assurance

• Full synthetic authentication transaction.

If failure:
• Inserts "deny ip any any" to prevent traffic being redirected
• Changes the policy-map governing the switch port dot1x behavior, calling the service-template ‘AUTH OUTAGE’ ("permit ip any any" acl) - fail open for connections started after the server is identified as not responding
• Maintains and logs a database of interfaces that were “failed open”

Upon restore:
• Restores the initial service-template and policy-map, and forces users to authenticate once the authentication server is responding.
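The slide describes the logic but not its safety properties, so here is an added model of that fail-open controller (example code, not Cisco IT's EEM script): it only fails open after a run of consecutive synthetic-auth failures, never re-applies the outage template to a port already opened, keeps the database of failed-open interfaces, and on restore touches exactly those ports. Port names and the threshold are constructed; AUTH_OUTAGE stands for the slide's ‘AUTH OUTAGE’ service-template.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FailOpenController:
    ports: List[str]                  # dot1x access ports the script governs
    threshold: int = 3                # consecutive probe failures before failing open
    failures: int = 0
    server_down: bool = False
    failed_open: Dict[str, int] = field(default_factory=dict)  # port -> tick it was opened at
    audit: List[str] = field(default_factory=list)            # every change applied, in order
    tick: int = 0

    def probe(self, auth_ok: bool) -> List[str]:
        """Feed one synthetic authentication result; return the changes applied this tick."""
        self.tick += 1
        if auth_ok:
            self.failures = 0
            applied = self._restore() if self.server_down else []
        else:
            self.failures += 1
            trip = not self.server_down and self.failures >= self.threshold
            applied = self._fail_open() if trip else []
        self.audit.extend(f"t={self.tick} {a}" for a in applied)
        return applied

    def _fail_open(self) -> List[str]:
        self.server_down = True
        applied = ["redirect ACL: insert 'deny ip any any' (stop web-auth redirects)"]
        for port in self.ports:
            if port not in self.failed_open:            # never re-apply to an open port
                self.failed_open[port] = self.tick
                applied.append(f"{port}: policy-map -> service-template AUTH_OUTAGE "
                               f"(permit ip any any)")
        return applied

    def _restore(self) -> List[str]:
        self.server_down = False
        applied = ["redirect ACL: remove 'deny ip any any'"]
        for port, opened_at in sorted(self.failed_open.items()):   # only ports we opened
            applied.append(f"{port}: restore original service-template and policy-map; "
                           f"clear authentication sessions (failed open since t={opened_at})")
        self.failed_open.clear()
        return applied


if __name__ == "__main__":
    ctl = FailOpenController(["Gi1/0/1", "Gi1/0/2"], threshold=2)  # constructed ports
    for result in (False, False, False, True):
        for change in ctl.probe(result):
            print(change)
```

The threshold is the hysteresis the slide's "identified as not responding" implies: one lost probe on a busy PSN must not open every port on the switch.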

Page 44

Wired Default Networking

Failed-auth ACL – What services are needed by default? Default access including:
• Laptop builds
• AD
• Support pages

Redirect ACL – What traffic do you want to catch (or not want to)? Deny tcp/80+443 to:
• Laptop builds
• Support pages
• ISE Servers

Pre-auth ACL – What services are needed before auth?

[Diagram: Failed Auth → Failed Auth ACL; Web-Auth-Redirect → Redirect ACL → Permit Access; Guest Access – Guest VLAN; Employee Credentials – Data.]
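The "deny tcp/80+443" entries only make sense once you remember that in a web-auth redirect ACL "permit" means "send to the portal" and "deny" means "leave alone", the opposite of the failed-auth ACL, where "permit" means "forward". This added example (not from the deck) evaluates both ACLs over sample flows with those semantics; all addresses are constructed stand-ins for the slide's laptop-build servers, support pages, AD and ISE servers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any)
    dst: str                      # destination in CIDR form
    dport: Optional[int] = None   # destination port, None = any


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dport: int


def first_match(acl: List[Ace], flow: Flow) -> Optional[str]:
    """Action of the first matching ACE, or None for the implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return None


def redirect_decision(redirect_acl: List[Ace], flow: Flow) -> str:
    """Redirect-ACL semantics: permit = send to the ISE portal, deny/no match = pass untouched."""
    return "redirect" if first_match(redirect_acl, flow) == "permit" else "pass"


def failed_auth_decision(failed_auth_acl: List[Ace], flow: Flow) -> str:
    """Ordinary port-ACL semantics: permit = forward, deny/no match = drop."""
    return "allow" if first_match(failed_auth_acl, flow) == "permit" else "drop"


# Constructed addresses (not Cisco IT's): build servers, support pages, AD, an ISE PSN VIP.
BUILD, SUPPORT, AD, ISE_VIP = "10.100.1.0/24", "10.100.2.0/24", "10.100.3.0/24", "10.1.98.10/32"

REDIRECT_ACL = [          # deny = do NOT redirect these destinations; permit = catch the rest
    Ace("deny", "tcp", BUILD, 80), Ace("deny", "tcp", BUILD, 443),
    Ace("deny", "tcp", SUPPORT, 80), Ace("deny", "tcp", SUPPORT, 443),
    Ace("deny", "tcp", ISE_VIP, 80), Ace("deny", "tcp", ISE_VIP, 443),
    Ace("permit", "tcp", "0.0.0.0/0", 80), Ace("permit", "tcp", "0.0.0.0/0", 443),
]

FAILED_AUTH_ACL = [       # default access for a host whose authentication failed
    Ace("permit", "ip", BUILD), Ace("permit", "ip", AD),
    Ace("permit", "tcp", SUPPORT, 80), Ace("permit", "tcp", SUPPORT, 443),
]


def evaluate_samples() -> Dict[str, Dict[str, str]]:
    """Run constructed flows through both ACLs; 198.51.100.7 is a TEST-NET-2 placeholder."""
    flows = {
        "http to support page": Flow("tcp", "10.100.2.5", 80),
        "https to ISE portal": Flow("tcp", "10.1.98.10", 443),
        "http to internet host": Flow("tcp", "198.51.100.7", 80),
        "https to internet host": Flow("tcp", "198.51.100.7", 443),
        "ldap to AD": Flow("tcp", "10.100.3.10", 389),
    }
    return {
        "redirect state": {n: redirect_decision(REDIRECT_ACL, f) for n, f in flows.items()},
        "failed-auth state": {n: failed_auth_decision(FAILED_AUTH_ACL, f) for n, f in flows.items()},
    }


if __name__ == "__main__":
    for state, results in evaluate_samples().items():
        print(state, results)
```

If the ISE deny lines were missing, the portal's own HTTPS would be redirected back to the portal; a build server reachable only over web traffic would likewise be caught unless its deny precedes the catch-all permits.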

Page 45

Wired Auth 802.1x Learning

First: Communicate!
Second: Automate!
Last: Regulate!

Start slow and small…then accelerate

Page 46

Example: Windows Laptop Builds

[Diagram: services the build depends on: DNS/NTP/DHCP, TFTP, File shares, AD/SCCM]

1. Basic IP/BOOTP
2. Download WinPE
3. WinPE Build, AD registration, new logon

Page 47

Ecosystem Issue Example: New Hires

• New hires are required to change their password upon first login (AD setting)
• Windows PE does not provide an interactive prompt for password
• Net result: Building the Windows laptop cannot be the first login a user does
• New hire process including badging system leveraged to work around this, but also to make a smarter on-boarding experience.

Page 48

Device Identification In Policy

Conditions and permissions depending on the “identity” of the device:
• OUI: Vendor + other attributes
• Profiling attributes and/or DNS
• Profile based policy caveats
• Device sensor
• Probes
• Consistent configuration

Page 49

Collaboration Device Landscape

[Diagram]

Page 50

Network Policy

Dynamic Device Policy; Dynamic User Policy. Areas: IOT, Posture, Acquisitions, Vendors, Guest, Quarantine

Page 51

Quarantine Key Lessons

Quarantine: Time to detect – Time to contain = Exposure window

To lower exposure, we need tools to contain rogue endpoints, whilst minimising business impact.
• Infrastructure configured for CoA
• Policy must be understood by the network device.

Page 52

Device Quarantine Process

[Diagram: CSIRT → Policy Admin node → Policy Service Node → network device (Wired, Wireless, VPN) → Endpoint]

1. CSIRT adds the MAC address to the ‘Quarantine Endpoint’ Identity Group via API
2. Policy change for endpoint sent to policy service node
3. Change of authorization sent to the network device, and the new policy applied (quarantine)

Note: this method is extensible to any business case for changing endpoint policy in real time
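Step 1 is the only part CSIRT's tooling performs; steps 2 and 3 are ISE and the NAD reacting. The following is an added example, not Cisco IT's code, of that step against ISE's ERS REST API, which the deck does not name (it only says "via API"): the resource paths, the `filter=<attr>.EQ.<value>` query syntax and the `ERSEndPoint` body with `groupId` / `staticGroupAssignment` follow the ERS documentation as I know it and should be checked against your ISE version with ERS enabled on port 9060. The HTTP transport is injected so the flow runs offline against the in-memory FakeIse; group and endpoint ids, MACs and the ticket string are constructed.

```python
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import quote, unquote

# A sender is (method, path, json-body) -> (http status, json-body). Injecting it keeps the
# flow testable offline; requests_sender() below is the real ERS transport.
Sender = Callable[[str, str, Any], Tuple[int, Any]]


def normalize_mac(mac: str) -> str:
    """ERS expects AA:BB:CC:DD:EE:FF; also accept 0011.2233.4455 and 00-11-22-33-44-55."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _lookup_id(send: Sender, path: str, filt: str) -> Optional[str]:
    """GET <path>?filter=<attr>.EQ.<value> and return the single matching resource id."""
    status, body = send("GET", f"{path}?filter={quote(filt)}", None)
    if status != 200:
        raise RuntimeError(f"GET {path} failed: HTTP {status}")
    resources = body.get("SearchResult", {}).get("resources", [])
    if len(resources) > 1:
        raise RuntimeError(f"filter {filt!r} matched {len(resources)} resources")
    return resources[0]["id"] if resources else None


def quarantine_mac(send: Sender, mac: str, group_name: str = "Quarantine Endpoint",
                   ticket: str = "") -> Dict[str, str]:
    """Slide step 1: statically assign the endpoint to the quarantine identity group,
    creating the endpoint record if ISE has never profiled it."""
    mac = normalize_mac(mac)
    group_id = _lookup_id(send, "/ers/config/endpointgroup", f"name.EQ.{group_name}")
    if group_id is None:
        raise RuntimeError(f"identity group {group_name!r} does not exist")
    record = {"ERSEndPoint": {"mac": mac, "groupId": group_id, "staticGroupAssignment": True,
                              "description": f"CSIRT quarantine {ticket}".strip()}}
    endpoint_id = _lookup_id(send, "/ers/config/endpoint", f"mac.EQ.{mac}")
    if endpoint_id is None:
        status, _ = send("POST", "/ers/config/endpoint", record)
        action, expected = "created", 201
    else:
        record["ERSEndPoint"]["id"] = endpoint_id
        status, _ = send("PUT", f"/ers/config/endpoint/{endpoint_id}", record)
        action, expected = "updated", 200
    if status != expected:
        raise RuntimeError(f"endpoint {action} failed: HTTP {status}")
    return {"mac": mac, "groupId": group_id, "action": action}


def requests_sender(base_url: str, user: str, password: str, ca_bundle: str) -> Sender:
    """Real transport, e.g. base_url='https://ise-pan.example:9060' (hypothetical host)."""
    import requests  # imported lazily so the offline demo has no third-party dependency
    headers = {"Accept": "application/json", "Content-Type": "application/json"}

    def send(method: str, path: str, body: Any) -> Tuple[int, Any]:
        r = requests.request(method, base_url + path, json=body, headers=headers,
                             auth=(user, password), verify=ca_bundle, timeout=15)
        return r.status_code, (r.json() if r.content else {})
    return send


class FakeIse:
    """In-memory stand-in for the three ERS calls above, so the flow can run offline."""
    def __init__(self) -> None:
        self.groups = {"g-quarantine": "Quarantine Endpoint", "g-unknown": "Unknown"}
        self.endpoints = {"ep-1": {"mac": "00:11:22:33:44:55", "groupId": "g-unknown",
                                   "staticGroupAssignment": False}}      # constructed
        self.calls = []

    def __call__(self, method: str, path: str, body: Any) -> Tuple[int, Any]:
        self.calls.append((method, path))
        if method == "GET" and "?filter=" in path:
            _attr, value = unquote(path.split("?filter=", 1)[1]).split(".EQ.", 1)
            table = self.groups if path.startswith("/ers/config/endpointgroup") else self.endpoints
            res = [{"id": k, "name": value} for k, v in table.items()
                   if (v if isinstance(v, str) else v["mac"]) == value]
            return 200, {"SearchResult": {"total": len(res), "resources": res}}
        if method == "PUT" and path.startswith("/ers/config/endpoint/"):
            eid = path.rsplit("/", 1)[1]
            if eid not in self.endpoints:
                return 404, {}
            self.endpoints[eid].update(body["ERSEndPoint"])
            return 200, {}
        if method == "POST" and path == "/ers/config/endpoint":
            self.endpoints[f"ep-{len(self.endpoints) + 1}"] = dict(body["ERSEndPoint"])
            return 201, {}
        return 404, {}
```

Steps 2 and 3 then depend on what the slide's Key Lessons list: an authorization rule that references the quarantine group, and NADs configured to accept CoA from the PSNs (or the VIP, as on the load-balancer slide).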

Page 53

“GreyWare”

• Real security incidents from ’low impact’ malware
  • Change system settings
  • Ad injection
  • Break A/V
  • Host control
  • User tracking
  • Exfiltration
• Goal: low business impact mechanism to get rid of greyware.

Page 54

End goal : Secure the network

Create device access policies based on risk/assurance criteria, your level of control, and risk tolerance:
• Public areas
• Vendor/Partner managed devices
• BYOD (OS dependent: iOS, Android, Windows Mobile, Linux, Samsung, etc.)
• Printers, Cameras, Badge Readers, Coffee machines, etc.
• IoE/IoT devices

[Chart: axes ACCESS, ASSURANCE and RISK, each labelled LOW and HIGH; e.g. IoE/IoT devices at the low-assurance end, Company managed devices at the high-assurance end, BYOD and Vendor/Partner managed devices in between, and a “?” for cases not yet classified.]

Page 55: Basic Segmentation: Static Network Policy

Diagram: Guest, Building, IOT, IOT Internet and Prod VLANs behind a DC FW, NGFW and VPN, reaching the Internet, Cloud Services and Internal Systems.

• Proliferation of VLANs

• IP address space management

• Regional firewalls

• Complex policy

• Individual port management

• High touch provisioning

• Complex network topology based policy

• Human error prone, often ineffectual

Page 56: Some Dynamic Segmentation

Diagram: Building, Internet and Prod VLANs behind a DC FW, NGFW and VPN, reaching the Internet, Cloud Services and Internal Systems, with the Prime Services Catalog alongside.

• VLANs and firewalls reduced

• Provisioning times reduced

• Policy largely simplified

• Dynamic policy for some user and device groups, manual for others

• Some legacy static configuration due to risk

• Some context based policy

• Policy management in ISE, DC, etc.

Page 57: Dynamic Segmentation (with IOT)

Diagram: Internet and Prod VLANs behind a DC FW, NGFW and VPN, reaching the Internet, Cloud Services and Internal Systems, with a MUD Service, Policy Mgmt and the Prime Services Catalog alongside.

• VLANs collapsed to minimum

• All endpoints authenticated and/or policy applied

• Full policy automation, MUD to assist with IOT and approval workflows

Page 58: Dynamic User Policy Use Case: Divestiture Security Challenges

Business Requirement: Operational continuity after Business Unit divestiture to Technicolor

• Cisco campus with multiple buildings – one building is sold to acquiring company

• Divestiture requires continued access by former Cisco and existing Technicolor employees to resources that are on Cisco’s network or physically inside Cisco buildings.

Challenge: Protect Cisco networks and applications while allowing Technicolor employees physical access to Cisco buildings and logical access to required network resources during the transition period.

Diagram: Lawrenceville Campus, with one building sold and employees consolidated.

Page 59: Business Expectations

• Cisco continues to own the existing LAN in the Technicolor building until Technicolor builds their LAN/WAN

• All users must be identified at the network access layer – either wired or wireless

• Based on user identification, access to Cisco network should be either open (Cisco users) or very limited (TCH users)

• Technicolor users need to have access to Cisco resources whether physically in Technicolor building or other Cisco buildings

• User experience is critical – minimal user impact is expected by BU

• TCH users must have continued access to required network resources

• Cisco users should not have any access limitations that they wouldn’t normally have

IT/InfoSec Requirements

Page 60: Technology Solution

• InfoSec Architecture Requirement: Provide identity-based differentiated access on both the wired and wireless networks at the divestiture sites with ongoing physical access by divested employees.

• Proposed Solution: Authenticate users with 802.1x and leverage ISE via AD group membership with TrustSec SGA/SGT enforcement.

• Referred to as Dynamic User Policy (DUP), logically segments access so Technicolor employees only have access to resources they require, whether they’re physically sitting in a Cisco or a Technicolor building

Access Policy | Wired | Wireless
Cisco User | Open | Open
TCH User | SG Tag + ACL | SG Tag + ACL

Diagram: Identity Services Engine; 802.1x on wired and wireless access; TCHSGT assigned on both; SG ACL; WWW.

Page 61: VPN Use Case

Problem

• Different VPN solutions for different user communities

• Overhead of hardware and management

Solution

• Use consolidated VPN clusters

• Tag traffic and apply SGACLs as needed

• Allows greater resiliency and availability for all services

Before SGT: separate VPN clusters for Employee, Diverse BU, Vendor and Other.

After SGT: Employee, Vendor and Diverse BU on a single cluster.

Page 62: 802.1x wired rollout – CAM exhaustion

Problem

• Unauthorized users must have limited access

• Limited access is enforced by an ACL

• ACLs on a per port basis can cause exhaustion of switch TCAM resources

Solution

• Use Security Group Tags for pre-auth

• Most switches support L2 enforcement, ensuring unauthenticated access

• Single instance of ACL means saved TCAM

Also solves IPv6 scale

Page 63: Lab Use Case

Problem

• Labs are uncontrolled/unauthenticated

• Labs are a source of network issues

• Need to be able to control lab traffic and drop for certain data center resources

Solution

• Tag all traffic leaving labs

• Drop lab tagged traffic for sensitive applications

• Rate limit/control lab traffic

Diagram: traffic tagged at the Lab Edge is dropped at the DC Edge.
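The three TrustSec use cases on slides 60, 62 and 63 (TCH users limited by an SG tag plus ACL, a pre-auth tag instead of per-port ACLs, and lab-tagged traffic dropped at the DC edge) are all instances of one mechanism: a source tag, a destination tag derived for servers from an IP-to-SGT mapping, and an SGACL looked up in a matrix. The model below is an added example, not Cisco IT code, showing that lookup end to end; the tag numbers, subnets and permitted ports are constructed sample values, and in production ISE assigns the tags and holds the matrix while the switch or firewall does the lookup in hardware.

```python
"""Model of TrustSec group-based enforcement (SGT + SGACL).

Added example (not Cisco IT code). All tag numbers, prefixes and ports are
constructed; they stand in for values that would live in ISE.
"""
import ipaddress
from collections import namedtuple

# Constructed SGT values. Real tags are 16-bit numbers chosen in ISE.
SGT_UNKNOWN = 0         # destination not covered by any IP-to-SGT mapping
SGT_PREAUTH = 5         # tag applied before 802.1x completes (slide 62)
SGT_EMPLOYEE = 10       # Cisco users: open access (slide 60)
SGT_TCH = 20            # divested-BU users: very limited access (slide 60)
SGT_LAB = 30            # traffic tagged at the lab edge (slide 63)
SGT_DC_GENERAL = 40
SGT_DC_SENSITIVE = 41   # sensitive applications that must drop lab traffic

# Servers never authenticate, so their tag comes from an IP-to-SGT mapping
# (what `cts role-based sgt-map` or SXP provides on IOS). Longest prefix wins.
IP_SGT_MAP = {
    ipaddress.ip_network("10.10.0.0/16"): SGT_DC_GENERAL,
    ipaddress.ip_network("10.10.200.0/24"): SGT_DC_SENSITIVE,
}

ANY = None
Ace = namedtuple("Ace", "action proto dport")     # proto/dport ANY = wildcard
Flow = namedtuple("Flow", "src_sgt dst_ip proto dport")

PERMIT_ALL = [Ace("permit", ANY, ANY)]
DENY_ALL = [Ace("deny", ANY, ANY)]

# SGACL matrix: (source SGT, destination SGT) -> ordered ACEs, first match wins.
# A (src, ANY) entry covers every destination tag that has no explicit cell.
POLICY = {
    (SGT_EMPLOYEE, ANY): PERMIT_ALL,
    (SGT_TCH, SGT_DC_GENERAL): [Ace("permit", "tcp", 443), Ace("deny", ANY, ANY)],
    (SGT_TCH, ANY): DENY_ALL,
    (SGT_LAB, SGT_DC_SENSITIVE): DENY_ALL,
    (SGT_LAB, ANY): PERMIT_ALL,
    (SGT_PREAUTH, ANY): [Ace("permit", "udp", 53), Ace("permit", "udp", 67),
                         Ace("deny", ANY, ANY)],
}
DEFAULT_ACTION = "deny"   # cells with no SGACL at all (constructed choice)


def sgt_for_ip(ip):
    """Destination tag by longest-prefix match over the IP-to-SGT mappings."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in IP_SGT_MAP.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else SGT_UNKNOWN


def lookup_sgacl(src_sgt, dst_sgt):
    """Exact cell first, then the source's catch-all row, then the matrix default."""
    for key in ((src_sgt, dst_sgt), (src_sgt, ANY)):
        if key in POLICY:
            return POLICY[key]
    return [Ace(DEFAULT_ACTION, ANY, ANY)]


def evaluate(flow):
    """Return 'permit' or 'deny' for one flow, as the enforcement point would."""
    dst_sgt = sgt_for_ip(flow.dst_ip)
    for ace in lookup_sgacl(flow.src_sgt, dst_sgt):
        if ace.proto in (ANY, flow.proto) and ace.dport in (ANY, flow.dport):
            return ace.action
    return DEFAULT_ACTION


def ace_count(policy=POLICY):
    """ACEs the enforcement point holds: one copy per matrix cell, not one per
    switch port, which is the TCAM saving behind slide 62."""
    return sum(len(aces) for aces in policy.values())


if __name__ == "__main__":
    samples = [   # constructed flows
        Flow(SGT_EMPLOYEE, "10.10.200.5", "tcp", 22),
        Flow(SGT_TCH, "10.10.1.5", "tcp", 443),
        Flow(SGT_TCH, "10.10.200.5", "tcp", 443),
        Flow(SGT_LAB, "10.10.200.5", "tcp", 443),
        Flow(SGT_PREAUTH, "10.10.1.53", "udp", 53),
        Flow(SGT_PREAUTH, "10.10.1.53", "tcp", 80),
    ]
    for flow in samples:
        print(flow, "->", evaluate(flow))
    print("ACEs in matrix:", ace_count())
```

The point to take from the model is in `lookup_sgacl`: the decision depends only on the two tags, so the same policy applies whether the TCH user is in the Technicolor building or a Cisco one, and whether the enforcement point is a campus switch, the DC edge or a VPN cluster. Moving a destination between tags (adding a prefix to `IP_SGT_MAP`) changes its protection without touching a single port ACL.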

Page 64: Many devices are not capable of protecting themselves - the network is needed.

Chart: ability of device to protect itself against log(time), from 1 year to 10 years, with Android, your refrigerator, your car and Network Protection plotted.

Page 65: Planning to secure more, faster

Your business will digitize; monitors, sensors, probes, distributed computing, all need connecting …and securing

Page 66: Integration

Page 67: Service Oriented Orchestration

 | ACI | TrustSec | IOS
Service Grouping | EPG | SGT | Object Group
Access Control | Contract | SGACL | ACL

Diagram: the IPv4 and IPv6 hosts of a service sit beneath each service grouping.

• Change IPv4/6 hosts once

• Change service port information once

Page 68: TrustSec and ACI Integration

Page 69: Add User and Device Information into Services

Cisco WSA: user policy based upon tags, users in logs

Lancope: user and device information in console

Page 70: Rapid Threat Containment

• Improve threat visibility and detection effectiveness so that IT security can detect new and stealthy malware throughout the network

• Speed time to containment so that infected endpoints are quickly and automatically removed as threats

• Lower operational overhead and malware-related costs while supporting the use of already-deployed Cisco networking devices for enforcement

Diagram: FireSight and ISE exchange context information; threat detected → CoA/Quarantine.

Page 71:

• Scaling management solutions

• URL redirect requirements

• Analytics and Device Groups

Diagram: ISE and the DMs exchange posture, configuration & policy, status and inventory, and access controls; ISE asks Enrolled? Compliant? before granting network access, with remediation by Cisco IT.

Page 72: What is coming next for Cisco IT?

Page 73: Context-Aware Security: Bridging The Gap…

Diagram (steps 1–6): Network Security (Cisco ISE) holds network context: WHO, WHAT, HOW, WHERE, WHEN. A connector (Identity Over IP, situational) carries it into Context-Aware App Security, giving network + app security context: WHO, WHAT, HOW, WHERE, WHEN, instead of the limited context the network alone provides. Sources feeding ISE pxGrid include the MDMs (AFARIA, CASPER, SCCM). Context types: device context (WHAT), user context (WHO), other context (HOW, WHERE, WHEN), risk context (vulnerability, threat). Application security with rich network context yields better security (layered sec, elevated auth), better user experience (zero sign-on experience) and flexible & granular access policies.

Page 74: Example solution outline.

ISE: shares posture policy result via pxGrid. Policy applies to small user group.

sso.cisco.com: consumes posture policy result via pxGrid. SAML assertion of “Low” to Box.

Box.net: block access for “Low” answer for On Prem and Off Prem*.

* Off-prem will require VPN to access Box for these users in order to get posture validated in the interim

Page 75: Trusted Service Vision

Diagram: Sales and other services (Security A, B, C, D, E) and Cisco Security On Prem, sharing Trusted Device Identity, Encryption and SSO.

Consistent: security between clouds and on premises

Pervasive: extend on premises security to the cloud

Scalable

Policy based

Goal of parity between A–E

Page 76: Other Focus Areas

• Automation

• Identity stores

• User identity

• Device identity (certs)

• Infrastructure Information

Page 77: Q & A

Page 78: Continue Your Education

• Demos in the Cisco campus

• Demo in the Cisco on Cisco booth in the Hub

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

• “Targeted Threat (APT) Defense for Applications Featuring pxGrid” DevNet with Dave Jones. Wed 5:00 p.m. - 5:45 p.m. | Hall 2.2, The Hub, DevNet Classroom 2

• Spark Room

Page 79: References

• Cisco.com/go/ise; Cisco.com/go/anyconnect; Cisco.com/go/trustsec

• Annual Security Report 2016

• ISE Design Guides

• Bringing Context-aware Security to Applications

• Securing the Internet of Everything with ISE

• Network Segmentation with TrustSec SGT

• Securing Cloud Applications

• Ping and ID Over IP Leveraging PxGrid; PxGrid White Paper

• Forrester: “The Total Economic Impact™ Of Cisco TrustSec” [March 2015]

Page 80: Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Page 81: Thank You

Page 82: