cisco identity services engine
TRANSCRIPT
Chad Mitchell, CCIE #44090, Security Consulting Systems Engineer, GSSO, April 2017
Threat Centric Identity & Access Control
Cisco Identity Services Engine
Cisco ISE and AnyConnect
Access Policy
Who
What
How
When
Where
Health
Threats
Cisco ISE
CVSS
Wired Wireless VPN
Role-Based Access Control | Guest Access | BYOD | Secure Access
For Endpoints For Network
Cisco ISE
Partner Eco System
SIEM, MDM, NBA, IPS, IPAM, etc.
pxGrid and APIs
Cisco AnyConnect: Supplicant for wired, wireless and VPN access. Services include: Posture assessment, Malware protection, Web security, MAC Security, Network visibility and more.
Context aware policy service, to control access and threat across wired, wireless and VPN networks.
Managing Policy Based on ‘Trust’: Connecting Trusted Users and Devices to Trusted Services
Figure: trust matrix with rows Trusted User, Partners and Trusted Asset against columns Cloud App A, Cloud App B (Cloud) and Server A, Server B (On Prem), each column grouped as a Trusted App/Service or a Non-Trusted App/Service; cells are marked ✓ (access) or ✕ (no access).
Improved Visibility and Decision
Software-Defined Segmentation, Service Access and Entitlement
Location-Free App/Service Access
Vulnerability
Threats
Posture
Behavior
Time
Location
User-Groups Device-type
Cisco Identity Services Engine
Office 365
Microsoft Exchange Outlook
Always-on Policy Compliance
Visibility
Guest Access
Simplified Firewall Rule Management with TrustSec
DEFCON Policy Enforcement
Rapid Threat Containment
TrustSec Software-Defined Segmentation
Ecosystem Integration
Next Gen Access Control
ISE Use Cases: The Advantages Are Built-In!
Visibility: Showing customers who and what is on their network, and sharing it with FMC and Stealthwatch for better threat and behavioral clarity
DEFCON Policy Enforcement: When there is a security outbreak, customers have one button to push to activate different policies network-wide, using software-defined segmentation
Simplified Firewall Rule Management with TrustSec: The number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs
Always-on Policy Compliance: Assurance that your network, devices and their behaviors are compliant with company policy and regulatory requirements
Rapid Threat Containment: Stop threats anywhere in the network from one console
TrustSec Software-Defined Segmentation: Easily create segments on the network and NGFW to increase protection and reduce malware proliferation
Next Gen Access Control: Control access to network and resources based on context for more accurate access policy options and enforcement
Ecosystem Integration: One framework to integrate different security products, share intel, see threats faster and take action from the customer’s preferred product, such as FMC or Splunk
ISE can Collect Contextual Information from the Network
The Contextual information can then be shared with systems
Network
Cisco ISE
Security Starts with ‘Visibility’
Visibility
ISE Dashboard: Summary
• Discover network assets and endpoints in minutes using a Wizard.
• Connect to Identity Stores, e.g. join an Active Directory.
Discover the Network for Devices and Users: ISE Visibility Setup Wizard
Visibility
Network Device Discovery
ISE can do a SNMP scan of the network and populate the Network Devices.
* Only supported on Standalone ISE deployment.
Name IP Address Device Type Location Description
Cat3850-1 10.1.100.1 Switch Bldg-A Cisco IOS Software XE..
ISR4KX-1 10.1.100.2 Router Bldg-A Cisco IOS Software XE..
WLC5520-1 10.1.100.3 Controller DC-01 Cisco Controller
N5K-1 10.1.100.4 Switch DC-01 Cisco Nexus OS version..
Visibility
• Context Tabs
• Interactive Charts
• Action Bar for endpoints
• Breadcrumbs for filters
• Dynamically updated table based on filter
Context Visibility
Visibility
How Does ISE Get All That Information? Cisco ISE Profiling
Feed Service (Online/Offline)
Active Probes (Cisco ISE): NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP
Device Sensor (Cisco Network): CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
1.5 million devices with ‘50’ attributes each can be stored
550+ high-level canned profiles, plus periodic feeds
250+ medical device profiles
Visibility
Application Visibility Using ISE: ISE Posture
Continuous Data Monitoring on Apps: ISE will collect and monitor data from the user’s device every 5 minutes (can be set to 1 minute for demo purposes). AnyConnect will report a complete list of running applications and installed applications.
Visibility
Application ‘Visibility’ via AnyConnect: AnyConnect as a Collector Using NVM
Cisco AnyConnect with the ‘Network Visibility’ module exports IPFIX/NetFlow to a collector, from corporate or public networks
Visibility into process, process hash, URLs, and more
Context for Network Behavioral Analysis
Control of run-time applications via ‘Posture Policies’
Outlook
Microsoft
Visibility
ISE Passive Identity Connector (ISE-PIC): Collect and Share Identity Information
Inputs to ISE-PIC/ISE:
- Active Directory (WMI, or the ISE-PIC Agent)
- REST API (custom apps)
- Syslog (almost anything)
- Kerberos via SPAN
- Endpoint Probe (Still there? Same user?)
- Testing exercise: VMware infrastructure, Windows Terminal Services
Outputs:
- pxGrid Pub/Sub Bus (e.g. FMC, WWW)
- Legacy CDA-RADIUS (e.g. ASA); not available at FCS, planned for ~2.2p1
Visibility
Next Gen Access Control in Action: ISE Automatically Applies Policy to Identity Context to Control Access
Figure: Identity profiling and posture (Who, What, When, Where, How, Compliant) feed context into the ISE pxGrid controller, which applies role-based policy at the network door (physical or VM) in front of network resources.
Role-based policy access: Traditional TrustSec, BYOD Access, Secure Access, Guest Access, Role-based Access
Next Gen Access Control
Access Control: Next Gen Access Control
Active Identity (Native Supplicants / Cisco AnyConnect):
- IEEE 802.1X
- Web Authentication: Central WebAuth, Local WebAuth
Passive Identity:
- MAC Authentication Bypass
- Easy Connect®
Enterprise Network, External Identity Stores (AD/LDAP/SQL): Active Directory, LDAP Servers, SQL Server; Passwords/Tokens
ASP: Auto Smart Port
Built-in CA
Scale: 500,000 concurrent sessions; up to 100K network devices; up to 50 distinct AD join points; 300K internal users
Authentications and Authorizations
Enterprise Network: SAML IdPs, APIs, Single Sign-On; External Identity Stores (LDAP/SQL): Active Directory, LDAP Servers, SQL Server; Passwords/Tokens; Certificate Authorities (SCEP/CRL) for certificate-based auth; Microsoft Azure
Native Supplicants / Cisco AnyConnect (802.1X)
Up to 50 distinct AD domain support
Authentication Methods:
- Active Identity: IEEE 802.1X; Web Authentication (Central WebAuth, Local WebAuth)
- Passive Identity: MAC Authentication Bypass; Easy Connect®
Authorization Options:
- Downloadable/Named ACL
- Airespace ACL
- VLAN Assignment
- Security Group Tags
- URL-Redirection
- Port Configuration (ASP)
Next Gen Access Control
White Listing Devices: MAC Authentication Bypass (MAB)
MAB requires a MAC database | ISE can build this database dynamically
Endpoints without a supplicant will fail 802.1X authentication!
1. 802.1X: the network device asks the endpoint "What's your Id?" (EAP Request-Identity). An endpoint without a supplicant gives no answer, and the request times out.
2. MAB: the network device takes the source MAC from any packet the endpoint sends (machine MAC 00-10-23-AA-1F-38) and presents it to Cisco ISE as the identity; if the MAC is "known", ISE returns ACCESS-ACCEPT.
Bypassing "Known" MAC Addresses: the endpoint is admitted on its MAC address alone, which is whitelisting rather than authentication, so the MAC database should only contain devices that cannot run a supplicant, and their access should be limited accordingly.
Next Gen Access Control
ISE Deployment Assistant (IDA) to Simplify Cisco ‘Network Device’ Configurations
ISE Service: Per Device Actionable Information
• Network Assessment
• Configuration of NADs (Network Access Devices)
• Ability to Troubleshoot failed authentications
Next Gen Access Control
Authorization: 3 Major Authorization Options for ‘Access Control’
1. DACL or Named ACL: Downloadable ACL (Wired) or Named ACL (Wired + Wireless)
   Contractor: deny ip host <protected> / permit ip any any
   Employee: permit ip any any
2. VLANs: Dynamic VLAN Assignments, per port / per domain / per MAC
   Employees: VLAN 3; Guest: VLAN 4; Remediation VLAN
3. Security Group Tags: 16-bit SGT assignment and SGT-based Access Control (TrustSec Software-Defined Segmentation)
Next Gen Access Control
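As an added worked example (not from the deck and not Cisco's code), the following Python encodes and decodes the RADIUS attributes that carry the three authorization results above: a dACL or named ACL, a VLAN assignment, and a Security Group Tag. The attribute layouts follow RFC 2865, RFC 2868 and RFC 3580; the cisco-av-pair strings (ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name> and cts:security-group-tag=<hex>-<gen>) and the Filter-Id "<name>.in" convention are assumed to match what a given ISE release sends, and the names Contractor, Employee and SGT 16 are illustrative.

```python
"""Encode/decode the RADIUS attributes behind ISE's three authorization results.
Added example, not Cisco's code. Attribute layouts: RFC 2865/2868/3580.
The cisco-av-pair string formats are ASSUMED to match a given ISE release."""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 3580: IEEE-802
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1               # vendor type of cisco-av-pair


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the 2-byte header (max 255)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id 9 followed by a cisco-av-pair (1) sub-TLV."""
    v = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(v) + 2) + v
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """Dynamic VLAN: three tagged Tunnel-* attributes (RFC 2868 tag byte first)."""
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def downloadable_acl(name: str) -> bytes:
    """dACL: ISE names the ACL in a cisco-av-pair; the NAD then downloads its
    contents in a follow-up Access-Request (name format is ASSUMED here)."""
    return cisco_avpair(f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{name}")


def named_acl(name: str) -> bytes:
    """Named ACL already configured on the NAD: Filter-Id '<name>.in' (wired convention)."""
    return _attr(FILTER_ID, f"{name}.in".encode())


def security_group_tag(sgt: int, generation: int = 0) -> bytes:
    """16-bit SGT as cisco-av-pair cts:security-group-tag=<hex4>-<gen2>."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    return cisco_avpair(f"cts:security-group-tag={sgt:04x}-{generation:02x}")


def decode(blob: bytes) -> list:
    """Parse a run of attributes into (type, value) pairs. Cisco VSAs become
    ('cisco-av-pair', str); tagged Tunnel-* attributes become (type, (tag, value))."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")  # never trust the length field blindly
        val = blob[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID
                and val[4] == CISCO_AVPAIR):
            out.append(("cisco-av-pair", val[6:6 + val[5] - 2].decode()))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((atype, (val[0], int.from_bytes(val[1:4], "big"))))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out.append((atype, (val[0], val[1:].decode())))
        else:
            out.append((atype, val))
        i += alen
    return out


def contractor_result() -> list:
    """The Contractor rule of the slide: a dACL plus an SGT in one Access-Accept."""
    return decode(downloadable_acl("Contractor") + security_group_tag(16))


def guest_result() -> list:
    """The Guest rule of the slide: VLAN 4."""
    return decode(vlan_assignment("4"))
```

The decoder refuses an attribute whose length byte runs past the packet; a NAD or RADIUS proxy that skips that check can be made to read out of bounds by a malformed Access-Accept, which is why it is explicit here.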
ISE Supports 3rd Party ‘Network Devices’
Cisco customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
- Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
- Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
- Maximize value: Realize additional value from your existing infrastructure
ISE 1.0: 802.1x on non-Cisco NADs. New with ISE 2.1: Profiling, Posture, Guest, BYOD and many more.
Compatible device vendors*: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL re-direction
• Non-Cisco NADs enabled to drive regular 802.1x operations
*For additional information, refer to the Cisco Compatibility Matrix
Next Gen Access Control
Software-Defined Segmentation: Easily Classify Endpoint Devices and Use Group-Based Policies in NGFWs and the Network
Figure: endpoints classified into security groups: SGT_Guest (Guest 1 to 4), SGT_Employee (Employee 1 to 4), SGT_FinanceServer (Fin 1, Fin 2), SGT_Printers (Printer 1, Printer 2), SGT_BuildingManagement (Temperature Device 1 and 2, Surveillance Device 1 and 2).
Software-Defined Segmentation
Simplifying Segmentation with TrustSec
Traditional Segmentation: Security Policy based on Topology (high cost and complex maintenance)
- Access Layer: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD), Quarantine VLAN (Non-Compliant)
- Aggregation Layer: per-VLAN address, DHCP scope, redundancy, routing, static ACL, VACL
- Enterprise Backbone to DC Firewall/Switch and DC Servers
TrustSec: Use existing topology and automate security policy to reduce OpEx
- Access Layer: Voice VLAN (Voice), Data VLAN (Employee, Supplier, BYOD, Non-Compliant)
- ISE: Central Policy Provisioning; No VLAN Change; No Topology Change; Micro/Macro Segmentation
- Employee Tag, Supplier Tag and Non-Compliant Tag carried across the Enterprise Backbone to the DC Firewall/Switch (Policy) and DC Servers
Software-Defined Segmentation
Segmentation Management: Maintain Agility with Simple, Dynamic Policy Updates
Policy matrix (Sources × Destinations). Sources: Guest, Employee BYOD, Building Mgmt., Employee. Destinations: Company Database, Public Cloud, External Partner, Internet. Each cell starts as "Define Access" and resolves to Permit, Deny or an application-level rule such as "Web Apps".
Simplify role creation: Define access policies using plain language instead of complex ACLs and firewall rules
Maintain and scale dynamically: Defining policies with logical tags means that rules don’t depend on individual IP addresses and can be dynamically and transparently changed no matter the group size
Apply rules automatically: Define segmentation based on logical groupings that are applied automatically
Software-Defined Segmentation
Software-Defined Segmentation
Campus/Branch/DC Segmentation: Segment traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
Micro-Segmentation/Host Isolation in LAN and DC with single policy (segment devices even in same VLAN or same security group)
Figure: VLAN Data-1 and VLAN Data-2 each carry Voice, Employee, Supplier and Non-Compliant endpoints; ISE assigns the Employee, Supplier and Non-Compliant tags, and the Application Servers and Shared Services tags in the Data Center; SGACLs enforce between the groups.
Software-Defined Segmentation
Software-Defined Segmentation
Scalable Policy Enforcement Across TrustSec and ACI Domains: TrustSec-ACI Inline Tagging
Capabilities
• Data plane integration allows inline tagging between TrustSec and ACI
• Translate information between TrustSec and ACI environments
• Scales the ability to address breach, segmentation, and compliance challenges
• Consistently shares security policy groups between TrustSec network of any size and ACI domains
Figure: TrustSec Policy Domain (Campus/Branch/Data Center/VPN; Campus Networks/Branch WAN) with groups Voice, Employee, Non-Compliant, BYOD, Point of Sale, Auditor; ACI Policy Domain (ACI Data Centers). TrustSec SGTs mapped to and from ACI EPGs.
Now, consistent policies can be enforced across networks of any size, providing an increased ability to scale your security policy enforcement.
Benefits
Consistent segmentation: By enforcing group-based policy approaches
Scalable and efficient: Policy enforcement across networks of any size
Simplified management: Of access policies simplifies security design, operations, and compliance
TrustSec Policy Matrix (SGACL): Servers SGT: 10
Enforcement
SGACL for the cell, one entry per line:
permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
Traditional IP-based ACL shown for comparison (a synthetic illustration of ACL sprawl, one entry per line):
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Software-Defined Segmentation
Simplifying Firewall Rule Management with TrustSec
• Simplified rule management:
- Define protected assets by their role, not IP address
- Works across TrustSec and ACI environments
- Avoids complexity and add/move/change effort
- Leads to much simpler and smaller rule-base
- Consistent, clear, simple rules
Source IP | Source Group/User | Source Security Group | Destination IP | Destination Security Group | Port | Action
ANY | ANY | Employees on Corporate Assets | ANY | ACI_Intranet_Servers_EPG | Any tcp | Allow
ANY | ANY | Senior Execs on registered BYOD devices | ANY | ACI_Finance_Servers_EPG | http, https | Allow
ANY | ANY | Contractors on unmanaged devices | ANY | ACI_Citrix_VDI_EPG | RDP, ICA | Allow
ANY | ANY | Divested Business – Employees | ANY | Divested Business Servers | ANY | Allow
ANY | ANY | ANY | ANY | ANY | ANY | DENY
Simplified Firewall Rules Management
FTD Policies Based on ISE Attributes and Security Groups: Access Control Policies based on ISE Attributes (SGT, Device-type and Endpoint Location)
NGIPS/ASA + Firepower, receiving ISE context over pxGrid
Simplified Firewall Rules Management
ASA with Firepower Services: Inspect Based on SGTs
Figure: Employee, Partners and Suppliers groups cross the Enterprise Backbone towards the Data Center (Customer DB; Servers SGT: 10); the ASA with FirePOWER enforces on the SGT.
Simplified Firewall Rules Management
Segmentation Policy Sets Based on Risk: Multiple TrustSec Matrices
Capabilities
• Mitigates threats by changing applied policy sets
• Pre-determined segmentation policies enable error-free changes
• Allows distinct policy sets to be applied to different environments
• Flexible policy setup for multiple operational use cases
Apply different TrustSec policy sets for different environments or risk conditions. Create different policy sets and apply different policies to different business environments. Easily change policies.
Benefits
Threat response: By applying risk-based, predefined policies
Simplified Operations: Allow policy changes to be applied to different operational zones with centralized management
Segmentation flexibility: Enables customers to differentiate their segmentation to sites based on business role
Global DEFCON Use Case
Policy sets 1 to 5 are applied globally; local policy sets cover high-risk locations and compliance-critical environments:
1. London DCs
2. High Risk Sites
3. PCI Zones
4. Development locations
5. NY Data Centers
DefCon Policy Sets
Matrix rows (Source): LoB 1 Employee, LoB 2 Employee, Partner 1, Partner 2, POS Terminal
Matrix columns (Destination): LoB 1 Employee, LoB 2 Employee, Partner 1, Partner 2, PCI Server, Shared Apps, LoB 1 Apps, LoB 2 Apps
Standard Policy matrix versus DEFCON3 Policy matrix (Restrict All Lateral Movement)
Multiple levels of policy sets, applied globally: DEFCON 5, 4, 3, 2, 1
DEFCON Policy Enforcement
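The two matrix slides above (the Servers SGT 10 SGACL and the Standard versus DEFCON3 policy sets) can be modelled end to end. The following Python is an added example, not Cisco's code: it classifies source and destination IPs to SGTs, parses SGACL entries in the syntax shown on the slide, looks up the (source SGT, destination SGT) cell and applies the matrix default, and swaps the active matrix when the DEFCON level changes. SGT numbers other than Servers = 10, the IP-to-SGT bindings, the Employee and Supplier cell contents and the DEFCON3 cells are assumptions for illustration.

```python
"""TrustSec policy matrix evaluation with DEFCON policy-set switching.
Added example, not Cisco's code. SGT numbers (except Servers = 10), IP-to-SGT
bindings and all cell contents other than the slide's Servers SGACL are ASSUMED."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0


def parse_sgacl(text: str):
    """Parse lines like 'permit tcp dst eq 6970 log', 'permit udp dst range 5070 6070 log'
    or 'deny ip log' into (action, proto, port_predicate) tuples, in order."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        action, proto = toks[0], toks[1]
        rest = [t for t in toks[2:] if t != "log"]   # 'log' only affects accounting
        if not rest:
            test = lambda p: True
        elif rest[:2] == ["dst", "eq"]:
            port = int(rest[2])
            test = lambda p, port=port: p == port
        elif rest[:2] == ["dst", "range"]:
            lo, hi = int(rest[2]), int(rest[3])
            test = lambda p, lo=lo, hi=hi: lo <= p <= hi
        else:
            raise ValueError(f"unsupported ACE: {line}")
        aces.append((action, proto, test))
    return aces


class PolicyMatrix:
    """Cells keyed by (source SGT, destination SGT); unmatched traffic gets the default."""
    def __init__(self, name, cells, default="deny"):
        self.name = name
        self.cells = {k: parse_sgacl(v) for k, v in cells.items()}
        self.default = default

    def decide(self, src_sgt, dst_sgt, flow):
        for action, proto, test in self.cells.get((src_sgt, dst_sgt), []):
            if proto in ("ip", flow.proto) and test(flow.dst_port):
                return action   # first match wins, as in an SGACL
        return self.default


class Classifier:
    """IP-to-SGT bindings, longest prefix first (as a switch's SXP/IP-SGT table)."""
    def __init__(self, bindings):
        self.bindings = sorted(((ipaddress.ip_network(n), s) for n, s in bindings),
                               key=lambda b: -b[0].prefixlen)

    def sgt(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, sgt in self.bindings:
            if addr in net:
                return sgt
        return 0   # Unknown SGT: never matches a populated cell, so it hits the default


# ASSUMED SGT numbers; only Servers = 10 is from the slide.
EMPLOYEE, SUPPLIER, NONCOMPLIANT, SERVERS = 4, 5, 6, 10

STANDARD = PolicyMatrix("Standard", {
    (EMPLOYEE, SERVERS): "permit tcp dst eq 443 log\npermit tcp dst eq 8443 log\n"
                         "permit tcp dst range 30000 39999 log\npermit udp dst range 5070 6070 log\n"
                         "deny ip log",
    (EMPLOYEE, EMPLOYEE): "permit ip",
    (SUPPLIER, SERVERS): "permit tcp dst eq 443 log\ndeny ip log",
})

# DEFCON3, "Restrict All Lateral Movement": user-to-user cells become deny and
# server access shrinks to HTTPS for employees only (ASSUMED contents).
DEFCON3 = PolicyMatrix("DEFCON3", {
    (EMPLOYEE, SERVERS): "permit tcp dst eq 443 log\ndeny ip log",
    (EMPLOYEE, EMPLOYEE): "deny ip log",
    (SUPPLIER, SERVERS): "deny ip log",
})

POLICY_SETS = {5: STANDARD, 4: STANDARD, 3: DEFCON3}   # DEFCON level -> active matrix

BINDINGS = Classifier([("10.1.10.0/24", EMPLOYEE), ("10.1.20.0/24", SUPPLIER),
                       ("10.2.0.0/16", SERVERS)])


def enforce(flow, defcon=5, classifier=BINDINGS):
    """Decision the enforcement point would make for this flow at the given DEFCON level."""
    matrix = POLICY_SETS[defcon]
    return matrix.decide(classifier.sgt(flow.src_ip), classifier.sgt(flow.dst_ip), flow)
```

Note that moving from DEFCON 5 to 3 changes only which matrix is consulted; the IP-to-SGT bindings and the flows are untouched, which is the point of the slide: the same traffic is re-evaluated under a different, pre-approved policy set without touching VLANs or ACLs on individual devices.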
Posture
Remediation Actions
Anti-Malware Condition
Anti-Spyware Condition
Anti-Virus Condition
File Remediations
Launch Program Remediations
Link Remediations
Patch Management Remediations
USB Remediations
Windows Server Update Services (WSUS)
Windows Update Remediations
Always-on Policy Compliance
Posture defines the state of compliance with the company’s security policy
Posture Flow
1. Authenticate User/Device. Posture: Unknown/Non-Compliant?
2. Quarantine: Limited Access via VLAN/dACL/SGTs
3. Posture Assessment: Check Hotfix, AV, PIN lock, USB Device, etc.
4. Remediation: WSUS, Launch App, Scripts, MDM, etc. (e.g. Antivirus Update when the Anti-Virus check fails)
5. Authorization Change: Full Access via VLAN/dACL/SGTs
Posture
Anti-Malware Condition
Anti-Spyware Condition
Anti-Virus Condition
Application Condition
Compound Condition
Disk Encryption Condition
File Condition
Patch Management Condition
Registry Condition
Service Condition
USB Condition
Always-on Policy Compliance
AnyConnect – Way more than VPN
Integration with other Cisco solutions: ASR/CSR, ISR, Switches and Wireless Controllers, Adaptive Security Appliance (ASA), Identity Services Engine (ISE), NetFlow Collectors, Cloud Web Security Services (CWS + WSA), Advanced Malware Protection, Roaming Protection
Cisco AnyConnect modules: Basic VPN, Advanced VPN, Endpoint Compliance, Inspection Service, Enterprise Access, Threat Protection, Network Visibility, ODNS Plugin
Always-on Policy Compliance
Posture Conditions Explained (for your reference)
Use-Case: Description
File Check Enhancements: Enhanced OS X file checks, SHA-256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: User agent check, user-based process check
Disk Encryption Check: Checks can be based on installation, location and disk encryption state
Reporting: Report based on condition name and condition state
USB Condition and Remediation: “Dynamic”, i.e. enforced in real time. Configured at the initial posture check or at Passive Reassessment checks (PRA). AnyConnect 4.3 enforces the disk encryption policy
Native Patch Management: Patch management supported via OPSWAT {Install, Enable, Up-To-Date}
AMP Enabler Profile: Download and provisioning of the AMP client module
Posture Lease (from ISE 1.3): Once postured compliant, the user may disconnect/reconnect multiple times before re-posture
Posture conditions: Anti-Malware, Anti-Spyware, Anti-Virus, Application, Compound, Disk Encryption, File, Patch Management, Registry, Service, USB, Dictionary Simple, Dictionary Compound
Posture Capabilities (for your reference)
Highlights: Description
Anti-Malware Checks: Combination of the anti-spyware and anti-virus conditions; supported by the OESIS version 4.x or later compliance module
File Check Enhancements, OS X Daemon Check, Disk Encryption Check, Reporting, Native Patch Management, AMP Enabler Profile, Posture Lease and USB Condition and Remediation: as described above
+ISE 2.0 with AnyConnect 4.2
+ISE 2.1 with AnyConnect 4.3
Posture Capabilities (for your reference): +ISE 2.2 with AnyConnect 4.4
Highlights: Description
Enhanced Posture Discovery and Client Provisioning: Ability to on-board endpoints using an off-premises portal; users are protected 100% of the time (on-prem or off-prem). Posture on 3rd-party devices (agent-to-ISE communication without URL redirect)
AnyConnect Headless: AnyConnect agent with no UI for both Windows and OS X (no UI module)
Application Visibility, Control and Enforcement: Continuous data monitoring on installed and running applications; ISE collects and monitors data from the user’s device every 5 minutes (can be set to 1 minute for demo purposes)
Firewall enabled checks and remediation: Check whether the firewall is installed or running, with the ability to launch the firewall if it is not running
AnyConnect Profile Provisioning using JSON: OpenDNS Umbrella provisioning support
UDID context sharing: Seamless posture experience when switching between wired and wireless, and exposure in Context Directory
Common certificates and HTTP ports for posture: Avoiding unknown-certificate errors
Apex enforcement: The posture admin UI shuts down when no Apex license is present
Simple Authorization Policy
Posture Compliant = Full Access | Posture Non-Compliant = Access Limited to Remediation Network
Always-on Policy Compliance
Patch Management Remediation
• Remediation type – same as AV and AS remediation.
• Operating System – only Windows is supported.
• Vendor Name – the list is loaded from the OPSWAT update.
• Remediation options:
- Enabled
- Install missing patches
- Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.
Always-on Policy Compliance
ISE and SCCM Integration Overview
• ISE 2.1 integrates with SCCM to retrieve the compliance status of Windows managed endpoints.
• This integration uses the MDM flows: ISE communicates with the SCCM server using WMI to retrieve the current attributes for a device.
Microsoft SCCM as external MDM servers for Cisco ISE: Cisco ISE queries the SCCM servers over WMI for status checks (Registered; Registered + Non-Compliant; Registered + Compliant) covering managed asset, patch and software management, and posture status.
Always-on Policy Compliance
Threat Centric NAC Explained: Reduce Vulnerabilities, Contain Threats
Problem
Compromised endpoints spread malware by exploiting known vulnerabilities in the network
1. Malware infection
2. Malware scans for vulnerable endpoints
3. Vulnerability detected
4. Infection spread
Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)
Solution
Flag compromised and vulnerable hosts and limit their access to a remediation segment
Cisco AMP reports “Threat detected” (IOC); a vulnerability scan reports the vulnerable host (CVSS); ISE quarantines and remediates
Most endpoint AMP is deployed in ‘visibility only’ mode
Always-on Policy Compliance
What Is Threat Centric NAC?
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
Complements Posture: Vulnerability data tells the endpoint’s posture from the outside
Expanded control: Driven by threat intelligence and vulnerability assessment data
Faster response: With automated, real-time policy updates based on vulnerability data and threat metrics
Inputs to Cisco ISE from AMP, Qualys and CTA (ISE 2.2): STIX, threat events, CVSS, IOC, vulnerability assessments, threat notifications
Endpoint context in Cisco ISE: Who, What, When, Where, How, Posture, Threat, Vulnerability
Create ISE authorization policies based on the threat and vulnerability attributes (Network Access Policy)
STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
Always-on Policy Compliance
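The posture flow (authenticate, quarantine, assess, remediate, change authorization) and the Threat Centric NAC rule above both come down to an ordered authorization policy that is re-evaluated whenever a session attribute changes. The following Python is an added example, not Cisco's code or ISE's policy engine: it evaluates a first-match rule table over identity group, posture status, CVSS base score and IOC flag, and reports when a changed result requires a Change of Authorization (CoA). Rule names, result names, dACL names, SGT values and the CVSS 7.0 quarantine threshold are assumptions.

```python
"""Ordered authorization policy with posture and TC-NAC attributes, plus CoA detection.
Added example, not Cisco's code. Rule names, results, dACL names, SGT values and the
CVSS threshold are ASSUMED for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Session:
    user_group: str                 # e.g. "Employees", "Contractors" (from the identity store)
    posture: str = "Unknown"        # Unknown | Compliant | NonCompliant (from the posture agent)
    cvss_base: float = 0.0          # highest CVSS base score reported by the vulnerability scanner
    ioc: bool = False               # Indicator of Compromise reported by AMP


@dataclass(frozen=True)
class Result:
    name: str
    dacl: str
    sgt: int


# ASSUMED results: names, dACL names and SGT numbers are illustrative.
QUARANTINE = Result("Quarantine", "Quarantine-Remediation-Only", 0x0FFF)
REMEDIATE = Result("Remediation", "Remediation-Network", 0x0010)
FULL = Result("Employee-Full", "PERMIT_ALL", 0x0004)
CONTRACTOR = Result("Contractor-Limited", "Contractor", 0x0005)
DENY = Result("DenyAccess", "DENY_ALL", 0)

CVSS_QUARANTINE = 7.0   # ASSUMED threshold: High and Critical vulnerabilities

# First-match rule table. Threat rules sit above posture rules, which sit above
# group rules, so a compromised or vulnerable "Employee" never reaches full access.
RULES = [
    ("Compromised endpoint", lambda s: s.ioc, QUARANTINE),
    ("Vulnerable endpoint", lambda s: s.cvss_base >= CVSS_QUARANTINE, QUARANTINE),
    ("Posture pending or failed", lambda s: s.posture in ("Unknown", "NonCompliant"), REMEDIATE),
    ("Employees compliant", lambda s: s.user_group == "Employees" and s.posture == "Compliant", FULL),
    ("Contractors compliant", lambda s: s.user_group == "Contractors" and s.posture == "Compliant", CONTRACTOR),
]


def authorize(session):
    """Return (matched rule name, Result); the implicit last rule denies."""
    for name, cond, result in RULES:
        if cond(session):
            return name, result
    return "Default", DENY


def update(session, current_result, **changes):
    """Apply an attribute change (posture report, scanner result, AMP event),
    re-authorize, and say whether a CoA is needed because the result changed."""
    new = replace(session, **changes)
    _, result = authorize(new)
    return new, result, result != current_result


def posture_flow():
    """Trace of the slide's flow: authenticate -> remediation -> compliant -> full
    access -> Medium vulnerability (no change) -> IOC -> quarantine."""
    s = Session("Employees")
    trace = []
    _, r = authorize(s)
    trace.append((r.name, False))                                   # initial result, no CoA
    s, r, coa = update(s, r, posture="Compliant"); trace.append((r.name, coa))
    s, r, coa = update(s, r, cvss_base=5.0); trace.append((r.name, coa))
    s, r, coa = update(s, r, ioc=True); trace.append((r.name, coa))
    return trace
```

The ordering is the security-relevant part: if the group rule came first, a session that had already received full access would keep it until the next authentication, and a CVSS or IOC update would never trigger the CoA that moves it into the quarantine segment.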
Rapid Threat Containment (RTC) with Firepower Management Center (FMC) and ISE
Protect critical data, by stopping attacks faster, based on real-time threat intelligence
Problem: Initial compromise → Infection spread → Data hoarding → Data exfiltration → Monetize theft; detection only after 100 – 200 days. Time To Detection (TTD): 100-200 days - http://bit.ly/cisco-asr-2016
Solution: Initial compromise → Containment within minutes. A sensor (AMP, NGIPS, or ASA with FirePOWER) on the Enterprise Network reports to FMC; FMC sends an EPS Quarantine to ISE over pxGrid; ISE issues a CoA and TrustSec segmentation contains the endpoint.
Rapid Threat Containment
Cisco Platform Exchange Grid (pxGrid): Enable Unified Threat Response by Sharing Contextual Data
1. Cisco® ISE collects contextual data (Who, What, When, Where, How) from the Cisco network
2. Context is shared via pxGrid technology (ISE pxGrid controller)
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Cisco and Partner Ecosystem
https://datatracker.ietf.org/doc/draft-appala-mile-xmpp-grid/
Ecosystem Integration
Integrating the Traditional Way
I have NBAR info! I need identity…
I have firewall logs! I need identity…
I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity and device-type! I need app inventory and vulnerability…
I have application info! I need location and auth-group…
I have threat data! I need reputation…
I have location! I need identity…
SIO
Proprietary APIs aren’t the solution
We need to share data
Ecosystem Integration
The Problem
TRADITIONAL APIs – One Integration at a Time
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”
Ecosystem Integration
Solving the Integration Problem with a Grid
Infrastructure for a Robust Ecosystem
• Single framework – develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner
SIO
pxGrid Context Sharing: Single, Scalable Framework; Direct, Secured Interfaces
Ecosystem Integration
pxGrid – Industry Adoption Critical Mass: 40+ Partner Product Integrations and 12 Technology Areas in First Year of Release
Cisco pxGrid: Security thru Integration
Technology areas: Net/App Performance; IoT Security; Vulnerability Assessment; Packet Capture and Forensics; SIEM and Threat Defense; IAM and SSO; Cloud Access Security; Rapid Threat Containment (RTC); DDI; Firewall and Access Control; Cisco ISE; Cisco WSA; Cisco FirePOWER
pxGrid-Enabled ISE Partners:
• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable
• Firewall: Check Point, Infoblox, Bayshore
• DDI: Infoblox
• Cloud: Elastica, SkyHigh Networks
• Net/App: Savvius
• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7
• IAM: Ping, NetIQ, SecureAuth
• Vulnerability: Rapid7, Tenable, SAINT
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, Firesight, Firepower, ISE
Other ISE Partners:
• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute
Ecosystem Integration
Same ISE for ‘Network Device’ Administration: TACACS+ Device Administration
Feature Highlight
Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: Increase security, compliance and auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the Device Administration work center
Capabilities
• Role-based access control (e.g. separate Security Admin Team and Network Admin Team roles)
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Device Administration
TACACS+ Work Center
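Command level authorization as described above works through ordered permit/deny command sets with an unmatched-command default, and every decision is logged for auditing. The following Python is an added example, not Cisco's code, that models such a command set with a regex argument match, the unmatched-command default and a per-command audit record. The two roles and their command sets are assumptions for illustration.

```python
"""Command-level authorization modelled on an ISE TACACS+ command set:
ordered permit/deny rules matching a command and an argument regex, an
unmatched-command default, and an accounting record for every decision.
Added example, not Cisco's code; role names and command sets are ASSUMED."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    grant: str        # "permit" or "deny"
    command: str      # first token of the line, e.g. "show"
    args: str = ".*"  # regex over the remaining arguments, matched in full


class CommandSet:
    def __init__(self, name, rules, permit_unmatched=False):
        self.name, self.rules, self.permit_unmatched = name, rules, permit_unmatched

    def authorize(self, line):
        """First matching rule decides; no match falls to permit_unmatched."""
        cmd, _, args = line.strip().partition(" ")
        for r in self.rules:
            if r.command == cmd and re.fullmatch(r.args, args.strip()):
                return r.grant == "permit"
        return self.permit_unmatched


# ASSUMED roles for the slide's Network Admin Team and Security Admin Team.
NETWORK_ADMIN = CommandSet("NetworkAdmin", [
    Rule("deny", "configure", r"terminal"),     # read-only role: no configuration mode
    Rule("permit", "show", r".*"),
    Rule("permit", "ping", r".*"),
], permit_unmatched=False)

SECURITY_ADMIN = CommandSet("SecurityAdmin", [
    Rule("deny", "show", r"running-config.*"),  # more specific deny placed before the broad permit
    Rule("permit", "show", r".*"),
    Rule("permit", "configure", r"terminal"),
    Rule("permit", "ip", r"access-list .*"),
], permit_unmatched=False)

AUDIT_LOG = []   # stands in for the per-command accounting records kept by the server


def run(user, role, line):
    """Authorize one command for a user under a command set and record the decision."""
    allowed = role.authorize(line)
    AUDIT_LOG.append(f"user={user} cmdset={role.name} cmd={line!r} "
                     f"result={'permit' if allowed else 'deny'}")
    return allowed
```

The default of denying unmatched commands is what makes the permit list meaningful; with permit_unmatched=True a typo in a deny regex silently widens the role.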
Deploying ISE
ISE personas:
- pxGrid Controller: facilitates sharing of context
- Policy Services Node (PSN): makes policy decisions; RADIUS/TACACS+ servers
- Policy Administration Node (PAN): single pane of glass for ISE admin; replication hub for all database config changes
- Monitoring and Troubleshooting Node (MnT): reporting and logging node; syslog collector from ISE nodes
Standalone ISE: single node (virtual/appliance), up to 20,000 concurrent endpoints
Multi-Node ISE: multiple nodes (virtual/appliance), up to 500,000 concurrent endpoints
Scaling ISE: One Management Interface for 1 – 500K Endpoints
• Applies to both physical and virtual deployment
• Compatible with load balancers
Standalone deployment: 1 to 20,000 endpoints
Multi-Node deployments (2 PANs + 2 MnTs + PSNs): 4 PSNs for 50,000 endpoints; 12 PSNs for 100,000; 25 PSNs for 250,000; 50 PSNs for 500,000
HA configuration with minimum 6 redundant nodes
ISE Licensing
Evaluation (temporary, 90 days): Full Cisco ISE functionality for 100 endpoints.
Base (perpetual):
• Basic network access: AAA, IEEE 802.1X
• Guest management
• Easy Connect (Passive ID)
• TrustSec (SGT, SGACL, ACI Integration)
• ISE Application Programming Interfa
ces
Plus (subscription, 1, 3, or 5 years):
• BYOD with built-in Certificate Authority Services
• Profiling and Feed Services
• Endpoint Protection Service (EPS)
• Cisco pxGrid
Apex (subscription, 1, 3, or 5 years):
• Third Party Mobile Device Management (MDM)
• Posture Compliance
• Threat Centric NAC (TC-NAC)
ADDITIONAL OPTIONS
Device Admin (perpetual): Cisco ISE requires a Device Administration license to use the TACACS+ service on top of an existing Base or Mobility license.
Mobility (subscription, 1, 3, or 5 years): Combination of Base, Plus, and Apex for wireless and VPN endpoints
Mobility Upgrade (subscription, 1, 3, or 5 years): Provides wired support to the Mobility license
• Licenses are uploaded to the Primary Administration node and propagated to the other Cisco ISE nodes in the cluster
• Base license is fundamental for use of Plus/Apex services.
• Mobility licenses cannot coexist on a Cisco Administration node with Base, Plus, or Apex Licenses.