Embedded Security with Cisco Identity Services Engine (ISE)
Why Cisco ISE?
Ever wonder if it is possible to provide network access (wired, wireless and VPN) to departments within your company, yet restrict access to certain parts of the network to only specific departments?
Do you have a new corporate policy to allow "Bring Your Own Device" (BYOD) to work, where those devices will need access to the network, and you need enforce compliance to your company's security policy prior to providing access to the network?
Is there a need to lock down management access to your company's network infrastructure, offer appropriate authorization to the different teams managing the network, and provide detailed accounting regarding the commands entered?
Look no further! Cisco Identity Services Engine (ISE) allows for all this and more. Cisco ISE is the next-generation network control appliance that leverages identities (who), endpoints (what), time and location (where) and more, to provide policy compliance, access control, and reporting.
Some of the high-level ISE use-cases are listed below:
Great, but how does ISE work?
ISE's unique architecture allows enterprises to collect and provide real-time contextual information regarding all endpoints on the network, to make proactive governance decisions. ISE does this by tying identity, location and other contextual information back into the endpoints, to provide software-defined access.
Security starts with visibility
With context-rich awareness and visibility, ISE can provide a robust incident response based on your company's security policy.
ISE gathers the contextual information regarding the endpoint and its user by:
• Endpoint Device Profiling using probes, which classify the endpoints as personal or corporate
o Part of the device discovery can be done using active probes
- NMP scan
- NMAP scan
- WMI probe
• Passive Identity Profiling
o Evaluation of the traffic type via Netflow or Stealthwatch
o Firewall syslog parsing
o MAC Organizational Unique Identifier (OUI), DHCP, etc.
• Posture Assessment, which determines the health of the endpoint (clean or malware-infected, patched or unpatched, allowed Operating Systems, etc.)
• User Logins:
o Authenticated identity with Active Directory logins or Web-enabled
o Guest management, self-registration or sponsored access, which grants and enforces temporary access to the network
o BYOD self-registration portal
Network Visibility & Enforcement (NVE)
With ISE and integration with Firesight Management Center (FMC) and Stealthwatch, the network can be used as a sensor to provide visibility and enforcement.
In addition to the other use cases of ISE stated above, some of the advanced functionality of ISE is:
• Threat-centric NAC and Rapid Threat Containment (RTC)
o FireSight Management Center (FMC) or pxGrid partner
• Network Segmentation with TrustSec
With Threat-centric NAC and RTC, endpoints that are infected with malware can be detected and removed from the network, and the scope of the threat can be quickly contained.
Network segmentation with TrustSec and security group tags (SGT) allow for identity-based access without having to create additional VLANs, manual creation, and administration of access-lists.
ISE Policy Enforcement
Once ISE has determined the profile and posture of the endpoint, policy enforcement can be dynamically implemented from ISE via:
• VLAN re-assignment
o Endpoints can be dynamically re-assigned to a remediation VLAN
• Downloadable ACL (DACL),
o DACLs are pushed directly from ISE to the switchport the endpoint is connected to
o Downloadable ACLs applies to the ingress policy on the switch
• Security Group ACL (SGACL)
o SGACLs are also pushed directly from ISE to the switch
o SGACLs applies to the egress table and egress policy on the switch
ISE can scale beyond 500,000 endpoints and can support a centralized or distributed deployment model.
In closing, ISE is a very powerful tool that allows for software-defined access, and helps to restore network visibility and control to your corporate network.
For additional information regarding Cisco ISE, please contact your High Availability, Inc. account manager.