Presentation ISEcisco
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Foundations of Zero Trust in Your Workplace
• Grant the right level of network access to users across domains
• Shrink zones of trust and grant access based on least privilege
• Automate containment of infected endpoints and revoke network access
ISE Provides Zero Trust for the Workplace
Diagram labels: Enterprise Security, ISE, Cisco DNA Center
ISE Secure Access Control Options
Native Supplicants | Cisco AnyConnect | SAML IdPs / Single Sign-On
Why Customers Buy ISE
TACACS+ Device Administration: Migrating from Cisco Secure ACS or building a new Device Administration Policy Server; this allows for secure, identity-based access to the network devices
Secure Access: Allow wired, wireless, or VPN access to network resources based upon the identity of the user and/or endpoint. Use RADIUS with 802.1X, MAB, Easy Connect, or Passive ID
Guest Access: Differentiate between Corporate and Guest users and devices. Choose from Hotspot, Self-Registered Guest, and Sponsored Guest access options
Asset Visibility: Use the probes in ISE and Cisco network devices to classify endpoints and authorize them appropriately with Device Profiling. Automate access for many different IoT devices
Segmentation: Group-based Policy allows for segmentation of the network through the use of Scalable Group Tags (SGT) and Scalable Group ACLs (SGACL) instead of VLAN/ACL segmentation
Cisco SDA/DNAC: ISE integrates with DNA Center to automate the network fabric and enforces the policies throughout the entire network infrastructure using Software-Defined Access (SDA)
BYOD: Allow employees to use their own devices to access network resources by registering their device and downloading certificates for authentication through a simple onboarding process
Threat Containment: Use a Threat Analysis tool, such as Cisco Cognitive Threat Analytics, to grade an endpoint's threat score and allow network access based upon the results
Device Administration with TACACS+
Diagram label: Network Admin (device administration through ISE with TACACS+)
ISE and Duo Integration for MFA
Diagram labels: Guest (Bob), Employees (Alice), ISE, Duo Cloud Service
A Typical Customer Journey
Not a standard or recommended approach
Each use case may be the end goal
Use cases, in the order most customers adopt them:
• Start with Secure Wired / Wireless Access: non-disruptive due to SSIDs
• Visibility: 802.1X / MAB (with Profiling); see Apps & HW inventory
• Enforce system compliance; BYOD
• Use SGTs for segmentation; enforce Group based policies
• Integrate with eco-system partners; contain threats
Guest Solution Overview
Hotspot: Immediate, un-credentialed Internet access
Self-Registered Guest: Self-registration by guests; sponsors may approve access
Sponsored Guest: Authorized sponsors create the account and share credentials
ISE BYOD Solution
Diagram: Device Support (Android, macOS, Windows) and EMM/MDM Integrations; Resources: Public / Corporate
https://cisco.com/go/csta
Endpoint Profiling
The profiling service in Cisco ISE identifies the devices that connect to your network
Endpoints send interesting data that reveals their device type (AnyConnect: ACIDex). Feed Service (Online/Offline).
Profiling Packages and Integrations
Medical Devices (Hospital): 250+ Medical device profiles
IOT Building & Automation (Library)
Industrial Devices (Factory): Cisco Industrial Network Director (IND) via pxGrid to ISE
Cisco AI Endpoint Analytics: profiles IOT devices and sends endpoint labels via pxGrid to ISE for authorization
https://community.cisco.com/t5/tag/ise-endpoint-profile/tg-p/board-id/4561-docs-security
Cisco AI Endpoint Analytics and ISE
Diagram: Cisco DNAC + Endpoint Analytics (EA) receives telemetry from Catalyst 9000 switches (NBAR / SD-AVC Agent), a Traffic Telemetry Appliance (TTA) fed by SPAN from the Distribution Layer, and the Wireless LAN Controller; it shares Context / Classifications with Cisco ISE for use in Policy. Endpoint Analytics shows device classification results associated with endpoints (Cisco ISE Web Interface).
Create ISE Custom profile using EA attributes
ISE UI: Work Centers > Profiler > Profiling Policies
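The two profiling slides above describe how ISE turns collected attributes (OUI, DHCP, user agent, and labels delivered by Endpoint Analytics) into a device classification. The block below is an added example, not ISE code: it models the profiling approach in which every matching condition adds its certainty factor and an endpoint receives the most specific policy in the hierarchy whose accumulated score reaches that policy's minimum certainty. The policies, attribute names, endpoint records and the "EA-DeviceType" label (a stand-in for an Endpoint Analytics attribute) are all constructed for the example.

```python
"""Endpoint profiling with certainty factors (added example, not ISE code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str          # "equals", "contains" or "matches" (regex)
    value: str
    certainty: int   # certainty factor added when this condition matches

    def matches(self, attrs: Dict[str, str]) -> bool:
        observed = attrs.get(self.attribute)
        if observed is None:          # attribute never collected: no evidence either way
            return False
        if self.op == "equals":
            return observed.lower() == self.value.lower()
        if self.op == "contains":
            return self.value.lower() in observed.lower()
        if self.op == "matches":
            return re.search(self.value, observed, re.IGNORECASE) is not None
        raise ValueError(f"unknown operator {self.op}")


@dataclass(frozen=True)
class ProfilingPolicy:
    name: str
    parent: Optional[str]      # None for a top-level policy
    min_certainty: int         # score required before this policy may match
    conditions: List[Condition]

    def score(self, attrs: Dict[str, str]) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(attrs))


# Constructed policy hierarchy for the example.
POLICIES = [
    ProfilingPolicy("Apple-Device", None, 10,
                    [Condition("OUI", "contains", "Apple", 10)]),
    ProfilingPolicy("Apple-iPhone", "Apple-Device", 20,
                    [Condition("dhcp-class-identifier", "contains", "iPhone", 20),
                     Condition("User-Agent", "contains", "iPhone", 20)]),
    # Two weak signals are required: a DHCP class alone (10) stays below the minimum (20).
    ProfilingPolicy("Microsoft-Workstation", None, 20,
                    [Condition("dhcp-class-identifier", "matches", r"^MSFT", 10),
                     Condition("User-Agent", "contains", "Windows NT", 10)]),
    # Custom policy keyed on a label from Endpoint Analytics ("EA-DeviceType" is an assumed name).
    ProfilingPolicy("Custom-Infusion-Pump", None, 30,
                    [Condition("EA-DeviceType", "equals", "Infusion Pump", 30)]),
]


def profile_endpoint(attrs: Dict[str, str], policies=POLICIES) -> str:
    """Best-scoring eligible top-level policy, then its best eligible child, and so on."""
    best: Optional[ProfilingPolicy] = None
    parent: Optional[str] = None
    while True:
        candidates = [p for p in policies if p.parent == parent]
        eligible = [(p.score(attrs), p) for p in candidates]
        eligible = [(s, p) for s, p in eligible if s >= p.min_certainty]
        if not eligible:
            break
        best = max(eligible, key=lambda sp: sp[0])[1]   # first policy wins a tie
        parent = best.name
    return best.name if best else "Unknown"


if __name__ == "__main__":
    # Constructed attribute sets as the probes would have collected them.
    print(profile_endpoint({"OUI": "Apple, Inc.", "dhcp-class-identifier": "iPhone",
                            "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X)"}))
    print(profile_endpoint({"OUI": "Intel Corporate", "dhcp-class-identifier": "MSFT 5.0"}))
```

The second demo line shows the case that matters for custom profiles: a single weak attribute leaves the endpoint Unknown rather than guessing, which is why a custom policy should combine an EA label with a corroborating probe attribute instead of relying on one condition.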
Active versus Passive Identity
Passive identity (Jim): 1 MAB; 2 Auth Req; 3 DOMAIN\Jim (AD Login) learned from Active Directory; 5 Full Access
Active identity (Alice): 1 802.1X; 2 Auth Req; 3 Full Access
Make it easy with ‘Easy Connect’
Identity based network access without 802.1X
AD Domain Controller: DOMAIN\bob (Bob logged in)
Enterprise Network services: DHCP, DNS, NTP, AD
No 802.1X: the endpoint initially receives Limited Access
ISE retrieves the user-ID and the user's AD membership
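The Passive Identity and Easy Connect slides above describe the same mechanism: a MAB session knows only a MAC and the IP the endpoint obtained, and the user is learned afterwards from the domain controller's logon event for that IP, after which ISE can raise the session's access. The block below is an added example, not ISE code, that performs that correlation over constructed session and logon records and produces the CoA decisions; the AD group table stands in for the membership ISE retrieves from Active Directory, and the "Employees" group name and the access labels are assumptions.

```python
"""Passive identity correlation for Easy Connect (added example, not ISE code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class MabSession:
    session_id: str
    mac: str
    ip: str
    started: datetime
    authz: str = "Limited Access"   # what MAB alone earned the endpoint


@dataclass
class AdLogon:
    when: datetime
    domain: str
    user: str
    ip: str                          # client address recorded in the DC logon event


# Constructed stand-in for the AD membership lookup.
AD_GROUPS: Dict[str, List[str]] = {
    "bob": ["Domain Users", "Employees"],
    "contractor1": ["Domain Users"],
}


def authz_for(groups: List[str]) -> str:
    return "Full Access" if "Employees" in groups else "Limited Access"


def correlate(sessions: List[MabSession], logons: List[AdLogon],
              groups: Dict[str, List[str]] = AD_GROUPS) -> List[dict]:
    """Return one CoA decision per MAB session whose IP shows a usable AD logon."""
    by_ip = {s.ip: s for s in sessions}
    upgraded = set()
    decisions: List[dict] = []
    for ev in sorted(logons, key=lambda e: e.when):
        s = by_ip.get(ev.ip)
        if s is None or s.session_id in upgraded:
            continue              # no MAB session for that IP, or already re-authorized
        if ev.when < s.started:
            continue              # logon predates the session: the IP may have belonged to another host
        user_groups = groups.get(ev.user.lower(), [])
        new_authz = authz_for(user_groups)
        if new_authz == s.authz:
            continue              # identity learned, but access does not change
        upgraded.add(s.session_id)
        decisions.append({
            "session_id": s.session_id,
            "mac": s.mac,
            "identity": f"{ev.domain}\\{ev.user}",
            "groups": user_groups,
            "action": "CoA-Reauth",
            "new_authz": new_authz,
        })
    return decisions


# Constructed sample data.
T0 = datetime(2021, 3, 1, 10, 0)
SAMPLE_SESSIONS = [
    MabSession("s1", "00:11:22:33:44:55", "10.1.1.20", T0),
    MabSession("s2", "66:77:88:99:aa:bb", "10.1.1.21", T0),
]
SAMPLE_LOGONS = [
    AdLogon(T0 - timedelta(minutes=10), "DOMAIN", "alice", "10.1.1.20"),    # stale: before the session
    AdLogon(T0 + timedelta(minutes=5), "DOMAIN", "bob", "10.1.1.20"),
    AdLogon(T0 + timedelta(minutes=6), "DOMAIN", "contractor1", "10.1.1.21"),
    AdLogon(T0 + timedelta(minutes=7), "DOMAIN", "bob", "10.1.1.99"),       # no MAB session for this IP
]

if __name__ == "__main__":
    for decision in correlate(SAMPLE_SESSIONS, SAMPLE_LOGONS):
        print(decision)
```

The stale-logon check is the part worth keeping: an IP-to-user binding is only as trustworthy as the DHCP lease behind it, so a logon recorded before the current session started must not be used to upgrade that session.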
Group Based Policy Simplifies Segmentation
Traditional Segmentation: Security Policy based on Topology; high cost and complex maintenance
TrustSec: Use existing topology and automate security policy to reduce OpEx
Groups shown: DC Servers, Non-Compliant, Voice, Employee, Supplier, BYOD
Non-Fabric Group-Based Policy Enforcement
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
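The SGACL above carries no addresses: the (source SGT, destination SGT) cell of the policy matrix selects which SGACL applies, and "src dst" in each entry stands for any host in those two groups. The block below is an added example, not Cisco code: it parses entries in the form shown on the slide and evaluates flows against them in order, first match wins. The group names and matrix cells are constructed; the block appends an explicit "permit ip" to the slide's list and treats a cell with no SGACL as permit, both stated assumptions. One caveat a practitioner will notice when running it: NetBIOS name and datagram services (137/138) run over UDP, so the slide's tcp entries for those ports do not block them, and the example shows a UDP/137 flow slipping through.

```python
"""Group-based policy evaluation with SGACLs (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS port keywords used on the slide, mapped to their IANA numbers.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23}


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int]     # None = any destination port


def parse_sgacl(text: str) -> List[Ace]:
    """Read 'deny tcp src dst eq 3389' style entries; 'src dst' are placeholders."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACE: {line}")
        dport = None
        if "eq" in tok:
            port = tok[tok.index("eq") + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        aces.append(Ace(action, proto, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: Optional[int] = None,
             default: str = "deny") -> str:
    """First matching ACE decides; with no catch-all entry the flow is denied."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return default


# The slide's SGACL, with an explicit trailing permit (assumption).
SGACL_TEXT = """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
permit ip
"""
SGACLS: Dict[str, List[Ace]] = {"Deny_Lateral": parse_sgacl(SGACL_TEXT)}

# Constructed policy matrix: which SGACL applies between two groups.
MATRIX: Dict[Tuple[str, str], str] = {
    ("Employee", "Supplier"): "Deny_Lateral",
    ("Supplier", "Employee"): "Deny_Lateral",
}


def decide(src_sgt: str, dst_sgt: str, proto: str, dport: Optional[int] = None) -> str:
    name = MATRIX.get((src_sgt, dst_sgt))
    if name is None:
        return "permit"     # no SGACL in that cell: assumed default permission
    return evaluate(SGACLS[name], proto, dport)


if __name__ == "__main__":
    for flow in [("tcp", 3389), ("udp", 53), ("icmp", None), ("tcp", 443), ("udp", 137)]:
        print("Employee -> Supplier", flow, decide("Employee", "Supplier", *flow))
```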
Context Build, Summarize, Exchange
Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices
Context Reuse: by eco-system partners for analysis & control
Diagram labels: Scalable Group, Endpoints
Context Sharing with pxGrid
Eco-system partnership to enrich and exchange context, and to act on it (MITIGATE, ISE 2.2+)
1. ISE makes Customer IT Platforms User/Identity, Device and Network Aware
2. Enrich ISE context: make ISE a better Policy Enforcement Platform
3. MITIGATE: enforce dynamic policies into the network based on the Partner's request
4. ISE brokers the Customer's IT platforms to share data amongst themselves
Posture & Compliance MDM Attributes
Sources of posture and compliance context: Agentless, AnyConnect, EMM/MDM (to ISE)
Authorization Policy example: IF JailBroken is No AND PinLock is Yes THEN Compliant
MDM attributes available to authorization policy:
ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified
https://cisco.com/go/csta
Cisco AnyConnect
A Suite of Security Service Enablement Modules:
• Posture
• Umbrella Module
• HostScan (aka ASA posture) (No UI)
• Network Visibility Module (NVM) (No UI)
Diagram labels: Employee, 802.1X / MAB, Posture Status: Compliant / Unknown, PowerShell / SSH
Endpoint Scripts 3.0
PowerShell / SSH+cURL+Bash
Threat Visibility Rapid Threat Containment (RTC)
Steps shown on the slide: (1, 2) AMP on Endpoint notifies the cloud; (3) threat from Jim's device reported to Cisco ISE; (5) Jim's session moved to Quarantine. Harry and Alice keep Full Access.
Vulnerability Assessment (Threat-Centric NAC)
Steps shown on the slide: (1) Jim's endpoint connects; (2) Cisco ISE requests a scan of Jim's endpoint; (3) the on-prem scanner scans it; (4) scan report returned to ISE; (5) CVSS=10; (6) Jim's session moved to Quarantine. Harry and Alice keep Full Access.
Authorization Policy: if CVSS is greater than 5, then Quarantine
CVSS: Common Vulnerability Scoring System
Cisco Security Technical Alliance Partners
September 2020
https://www.cisco.com/go/csta
ISE REST APIs
http://cs.co/ise-api
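The threat-containment slides state two authorization rules (quarantine when CVSS is greater than 5; Compliant when JailBroken is No and PinLock is Yes), and the REST API slide is where an external system would act on such a decision. The block below is an added example, not ISE code, covering both: it evaluates those rules as an ordered policy, treating a missing attribute as never satisfying a condition so that an unscanned endpoint is not quarantined and an endpoint without MDM data is not marked compliant, and it builds the ERS request that applies an Adaptive Network Control (ANC) policy to a MAC address (PUT /ers/config/ancendpoint/apply on port 9060, HTTP Basic auth, JSON). The ISE hostname, the ERS account, the ANC policy name "Quarantine" and the endpoint records are constructed for the example; ERS must be enabled on the deployment and the account must be in the ERS Admin group.

```python
"""From authorization decision to ANC containment via ERS (added example, not ISE code)."""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Endpoint = Dict[str, object]


def cvss_greater_than(threshold: float):
    def cond(ep: Endpoint) -> bool:
        score = ep.get("CVSS")
        return isinstance(score, (int, float)) and score > threshold   # no score: no match
    return cond


def attr_is(name: str, expected: str):
    return lambda ep: ep.get(name) == expected


def all_of(*conds):
    return lambda ep: all(c(ep) for c in conds)


# Ordered rules: the first whose condition holds decides the result.
AUTHZ_RULES = [
    ("Vulnerable endpoint", cvss_greater_than(5), "Quarantine"),
    ("MDM compliant", all_of(attr_is("JailBroken", "No"), attr_is("PinLock", "Yes")), "Compliant"),
]
DEFAULT_RESULT = "Limited Access"


def authorize(ep: Endpoint) -> Tuple[str, str]:
    for name, cond, result in AUTHZ_RULES:
        if cond(ep):
            return name, result
    return "Default", DEFAULT_RESULT


def anc_apply_request(host: str, user: str, password: str,
                      mac: str, policy: str) -> urllib.request.Request:
    """ERS call that applies an ANC policy to an endpoint by MAC address."""
    body = {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy},
    ]}}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:9060/ers/config/ancendpoint/apply",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Accept": "application/json",
                 "Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def send(req: urllib.request.Request, ca_bundle: Optional[str] = None) -> int:
    """Send with certificate verification against the CA that issued the ISE admin cert."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status          # ERS answers 204 No Content on success


def contain(ep: Endpoint, host: str, user: str, password: str,
            sender: Callable[[urllib.request.Request], int] = send) -> Tuple[str, str, Optional[int]]:
    """Evaluate the policy and, only for a Quarantine result, apply the ANC policy."""
    rule, result = authorize(ep)
    if result != "Quarantine":
        return rule, result, None   # nothing to enforce via ANC
    req = anc_apply_request(host, user, password, str(ep["MacAddress"]), "Quarantine")
    return rule, result, sender(req)


if __name__ == "__main__":
    # Constructed endpoint records: a scanned-vulnerable phone and an unscanned compliant one.
    jim = {"MacAddress": "00:11:22:33:44:55", "CVSS": 10, "JailBroken": "No", "PinLock": "Yes"}
    alice = {"MacAddress": "66:77:88:99:aa:bb", "JailBroken": "No", "PinLock": "Yes"}
    print(authorize(jim), authorize(alice))
    # contain(jim, "ise.example.net", "ers-admin", "secret") would send the real request.
```

The sender is injectable so the request can be inspected without a live ISE; in production pass a CA bundle to send() rather than disabling verification, and remember that ANC quarantine persists until it is cleared (ancendpoint/clear), so the same workflow needs a release path once the scanner reports the endpoint fixed.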
ISE Architecture
Standalone ISE or Distributed ISE
Policy Administration Node (PAN)
• Single pane of glass for ISE admin
• Replication hub for all config changes
pxGrid Controller
• Facilitates sharing of context
http://cs.co/ise-scale
ISE Node Personas… Explained
• PAN (Admin): DNAC Automation via REST; ANC action
• PSN: IP address* = AAA / RADIUS server; RADIUS, TACACS+, Profiling, etc.; Authorization Policy
• ISE-PXG (pxGrid): Context (pxGrid) Exchange Topics shared with the Partner Eco System (SIEM, MDM, NBA, IPS, IPAM, etc.)
*PSNs can optionally be behind a load-balancer and can be accessed via Load Balancer Virtual IP addresses (VIPs)
ISE Deployment Scale 2.6+
Same for physical and virtual deployments; compatible with load balancers
• Lab and Evaluation
• Small HA Deployment: 2 x (PAN+MNT+PSN)
• Medium Multi-node Deployment: 2 x (PAN+MNT+PXG), <= 6 PSN
• Large Deployment: 2 PAN, 2 MNT, <= 50 PSNs + <= 4 PXGs
ISE Fully Distributed Architecture
• Centralize in DCs…or Distribute PSNs across Geographies
DC1: Primary PAN & MNT; DC2: Secondary PAN & MNT
ISE 3.0 Supported Platforms
Appliance | Standalone Sessions | PSN Sessions | Processor | Cores | Memory | Disk | RAID | Network Interfaces
SNS-3615 | 10,000 | 10,000 | 1 x Intel Xeon 2.10 GHz 4110 | 8 | 32 GB (2 x 16 GB) | 1 x 600 GB | No | 2x10GBase-T, 4x1GBase-T
SNS-3655 | 25,000 | 50,000 | 1 x Intel Xeon 2.10 GHz 4116 | 12 | 96 GB (6 x 16 GB) | 4 x 600 GB | 10 | 2x10GBase-T, 4x1GBase-T
SNS-3695 | 50,000 | 100,000 | 1 x Intel Xeon 2.10 GHz 4116 | 12 | 256 GB (8 x 32 GB) | 8 x 600 GB | 10 | 2x10GBase-T, 4x1GBase-T
EOL:
SNS-3515 | 7,500 | 7,500 | 1 x Intel Xeon 2.40 GHz E5-2620 | 6 | 16 GB (2 x 8 GB) | 1 x 600 GB | No | 6x1GBase-T
SNS-3595 | 20,000 | 40,000 | 1 x Intel Xeon 2.60 GHz E5-2640 | 8 | 64 GB (4 x 16 GB) | 4 x 600 GB | 10 | 6x1GBase-T
• Platform Support
• New Interface Look and Feel
• SAML SSO with Azure AD
• 802.1X with Azure AD
• ODBC Multiple
• Make a Wish
• PassiveID with Windows Eventing APIs
• Device Identifier Changes for Windows Devices
• Baselines Policies with
Resources
• Community
http://cs.co/ise-community
• YouTube Channel
http://cs.co/ise-videos
• Evaluations
http://cs.co/ise-eval
• Integration Guides
http://cs.co/ise-guides
• Compatibility Guides
http://cs.co/ise-compatibility
• Licensing Guide
http://cs.co/ise-licensing
Next steps
‣ Schedule a full demo
‣ Visit cisco.com/go/ise