CiscoExpo Club: ISE 1.2
Jiří Tesař, CCIE #14558
[email protected]
© 2013 Cisco and/or its affiliates. All rights reserved.
ISE Design & Architecture
[Diagram: Cisco security architecture. Cloud-based threat intelligence & defense (attacks, application reputation, site reputation, malware; global and local; partner API) feeds a common policy, management & context layer (shared analytics, compliance, management, policy, identity, application, device, location, time; partner API), which drives network-enforced policy (access, FW, IPS, VPN, web, email) on appliances, routers, switches, wireless and virtual platforms across public, hybrid and private infrastructure, apps/services, tenants and workloads.]
Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
Security policy attributes (identity context): Who, What, Where, When, How
Cisco® ISE business-relevant policies across wired, wireless and VPN
Covers the virtual machine client, IP device, guest, employee, and remote user
Replaces AAA and RADIUS, NAC, guest management, and device identity servers
Cisco Identity Solution Specifics
• Flexible authentication methods (802.1X, MAB, Web Auth in any order)
• Scalable / flexible policy & authentication server supporting RBAC
• Guest service to provide full guest access management with Web Authentication (NAC Guest Server)
• Cisco IOS intelligence to provide phased deployment modes for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)
• Various authorization methods (VLAN, downloadable ACL, URL redirect, etc.)
• Profiling system to perform automatic device profiling for unattended devices or any type of network-attached device (NAC Profiler)
[Diagram: printer (MAB), employee (802.1X) and guest (Web Auth) on a Catalyst switch; RADIUS to ACS 5.x / ISE; directory server behind ISE]
Agents: AnyConnect 3.1
§ Unified access interface for:
  § 802.1X for LAN / WLAN
  § VPN (SSL-VPN and IPsec)
  § Mobile user security (WSA / ScanSafe)
§ Supports MACsec / MKA (802.1X-REV) for data encryption in software; performance based on endpoint CPU
§ MACsec-capable hardware (network cards) enhances performance with AC 3.0
NAC Agent is currently used for posture; it will be merged into AnyConnect in AC 3.2.
ISE Web Authentication
Used to identify users without supplicants (misconfigured, missing altogether, etc.)
• Centralized and customizable Web authentication portal
• Both employee and guest auth supported
• Tunable username and password policies
• Support for print, email and SMS guest notifications
Something (controller or switch) is needed to intercept browser requests to provide a captive portal and/or redirection to a local or remote web auth portal.
Who? Providing Network Access to Guests and Employees
• Unifying network access for guest users and employees
On wireless:
§ Using multiple SSIDs
§ Open SSID for Guest
On wired:
§ No notion of SSID
§ Unified port: need to use different auth methods on a single port ► Enter Flex Auth
[Diagram: corporate SSID and guest SSID on wireless; guest, contractor, IP phone, printer and employee desktop sharing one wired switchport]
Components of a Full Guest Lifecycle Solution
• Provisioning: guest accounts via sponsor portal
• Notify: guests of account details by print, email, or SMS
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Authenticate/Authorize: guests via a guest portal on ISE
• Report: on all aspects of guest accounts
Cisco Secure Access and TrustSec Technology Review
Network Identity & Enforcement
• Authentication (802.1X, MAB, Web, NAC)
• Authorization (VLAN, DACL, SXP or SGT)
• Enforcement (SGACL and Identity Firewall)
Requirement → feature:
• I want to allow guests into the network → Guest Access
• I need to allow/deny iPads in my network → Profiler
• I need to ensure my endpoints don't become a threat vector → Posture
• I need to ensure data integrity and confidentiality for my users → MACsec Encryption
• I need a scalable way of authorizing users or devices in the network → Security Group Access
• I need to securely allow personal devices on the network → BYOD/MDM
• How can I set my firewall policies based on identity instead of IP addresses? → Identity-Based Firewall
Administration Process & Explanation
• Policy Administration Node (PAN): all management UI activities; synchronizes all ISE nodes
• Policy Service Node (PSN): the "work-horse"; RADIUS, profiling, WebAuth, posture, sponsor portal, client provisioning
• Monitoring and Troubleshooting (MnT): logging and reporting data
• Network Access Device (NAD): access-layer devices; enforcement point for all policy
Flow: all policy is synchronized from the PAN to the PSNs. When a user connects to a switchport, RADIUS goes from the NAD to the Policy Service Node; the PSN queries AD directly; RADIUS goes from the PSN back to the NAD with the enforcement result; RADIUS accounting and logging follow.
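The PSN-to-NAD leg of that flow carries the enforcement result inside the RADIUS Access-Accept. The following is an added example (not Cisco or ISE code) that builds such a reply with a VLAN assignment in the RFC 2868 Tunnel-* attributes and a downloadable-ACL name in a Cisco vendor-specific attribute, and shows the check a NAD performs before trusting it: recomputing the Response Authenticator from RFC 2865 over the reply and the shared secret. The shared secret, Request Authenticator and dACL name are constructed for the example.

```python
"""Build and verify a RADIUS Access-Accept carrying an ISE-style enforcement result.

Added example, not Cisco/ISE code. Attribute layout follows RFC 2865/2868; the
Cisco cisco-avpair VSA (vendor 9, type 1) carries the dACL name. Secret, Request
Authenticator and the dACL name below are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1) Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte tag followed by a 3-byte integer."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def _cisco_avpair(text: str) -> bytes:
    """Vendor-Specific value: Vendor-Id(4) then sub-attribute type(1) length(1) string."""
    data = text.encode()
    return struct.pack("!I", VENDOR_CISCO) + struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                        vlan: str, dacl_name: str) -> bytes:
    """PSN side: Access-Accept answering the request with the given identifier/authenticator."""
    attrs = (_attr(ATTR_TUNNEL_TYPE, _tagged_int(1, TUNNEL_TYPE_VLAN))
             + _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(1, TUNNEL_MEDIUM_802))
             + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode())  # tag 1 + VLAN id
             + _attr(ATTR_VENDOR_SPECIFIC, _cisco_avpair(dacl_name)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Response Authenticator; reject on any mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_enforcement(packet: bytes) -> dict:
    """Walk the attribute list and extract the VLAN and cisco-avpair the NAD must apply."""
    result, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x01..0x1F is a tag, not part of the group id
            result["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", VENDOR_CISCO):
            sub_type, sub_len = value[4], value[5]
            if sub_type == CISCO_AVPAIR:
                result["avpair"] = value[6:4 + sub_len].decode()
        pos += attr_len
    return result


def demo() -> dict:
    """Build one reply, then verify it intact, tampered, and with the wrong secret."""
    secret = b"constructed-shared-secret"          # constructed
    req_auth = bytes(range(16))                    # constructed; normally random per request
    pkt = build_access_accept(7, req_auth, secret, vlan="100",
                              dacl_name="ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-EXAMPLE-DACL")
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                           # flip one bit in the dACL name
    return {"valid": verify_response(pkt, req_auth, secret),
            "tampered_valid": verify_response(bytes(tampered), req_auth, secret),
            "wrong_secret_valid": verify_response(pkt, req_auth, b"other-secret"),
            "enforcement": parse_enforcement(pkt)}


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the middle function: a NAD that applies the VLAN or dACL from a reply whose Response Authenticator does not verify would accept an enforcement result from anyone who can spoof the PSN's address, so the check must precede parsing.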
How ISE is Used Today
• Users get safely on the internet fast and easy
• Control with one policy across wired, wireless & remote infrastructure
• It's easy to provide guests limited time and resource access
• Rules written in business terms control access
Cisco ISE Packaging and Licensing
• Wireless License: policy for wireless endpoints; 5-year term licensing. The Wireless Upgrade License (ATP) extends policy to wired and VPN endpoints.
• Base License (ATP): policy for wired, wireless, and VPN endpoints; perpetual licensing
  • Authentication and authorization • Guest provisioning • Link-encryption policies
• Advanced License (ATP): policy for wired, wireless, and VPN endpoints; 3- or 5-year term licensing
  • Device profiling • Host posture • Security group access
Platforms: Small: Cisco® ISE 3315 and 3415* | Medium-Sized: Cisco ISE 3355 | Large: Cisco ISE 3395 and 3495* | Virtual Appliance (* New)
ISE 1.2
ISE 1.2 is a HUGE release!
• New upgrade process that significantly reduces time
• External RESTful Services (ERS) API
• Brand-new replication model that improves WAN replication
• View logs from CLI (no support bundle needed)
• Policy Groups (ACS parity)
• Live Sessions Log
• Logical Profile Groups & Profile as Attribute
• Search & Session Trace Tool
• 3rd-party MDM integration
• Guest enhanced: mobile-friendly portal…
• Re-written reporting with scheduling
• dACL Checker
• 3rd-party MAB support
• Feed Service
• 64-bit architecture
• Brand-new hardware (UCS-based appliance)
• Backup and restore progress bars, cancel & scheduling
• Licensing for both primary & secondary Admin nodes
Setup Assistant
• Walks through ISE config
• Walks through NAD config
• Can help with quick proof-of-concept setups
What Was Missing?
• Troubleshooting and reporting
• Detailed visibility into successful and failed access attempts
• Detailed visibility into all active sessions and the access policy applied
• Search: the ability to quickly find information. Solution: search tools
Powerful Search; Session Trace Tool and Endpoint Details
Endpoint Details (Authentication, Accounting, Profiler)
• Authentication logs (like seen in Live Log details) including: RADIUS auth details, auth result, other attributes, steps
• Accounting logs including: RADIUS details, steps, other attributes
• Detailed profiler attributes
Profiler Feed Service: Zero-Day Availability
§ No need to wait for a new ISE version
§ Zero-day support for popular endpoints is added using the Feed Server
[Diagram: Cisco and partner feed server DB delivering profile updates and notifications to the PSNs]
ISE Posture: What can be checked?
• Microsoft updates: service packs, hotfixes, OS/browser versions
• Antivirus installation/signatures
• Antispyware installation/signatures
• File data
• Services
• Applications / processes
• Registry keys
Identifying Corporate Assets: Posture Assessment
• NAC or Web Agent checks the Windows registry for the domain value. Ex: mycompany.com.
Identifying Corporate Assets: EAP-Chaining
• EAP Chaining uses EAP-FAST protocol extensions
• Ties both machine and user credentials to the device, thus the 'owner' is using a corporate asset
• Machine credentials are authenticated to the network using 802.1X
• Once the user logs onto the device, session information from the machine auth and the user credentials are sent as part of the same authentication
• If both machine + user credentials are successfully validated, then the 'owner' is tied to the device (corp asset)
• If both or either credentials fail, restricted network access can be given according to ISE policy
Machine & user credentials validated against: AD (EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method)
[Diagram: machine credentials (machine authentication) and user credentials (user authentication) sent over RADIUS to the PSN]
Identifying Corporate Assets: EAP-Chaining Policy Example
• User authentication includes both user & machine identity types
• AnyConnect is required for EAP-Chaining
Identity and Policy: Evolving Roles of ISE and MDMs
ISE: network policy; classification/profiling; enforcement; secure network access (wireless, wired, VPN); context-aware access control (role, location, etc.)
MDM: policy compliance (jailbreak, PIN lock, etc.); enrollment & registration; cert + supplicant provisioning; data loss prevention (container, encryption, wipe); enterprise app distribution & management; data and enterprise app policy; backup; inventory/cost management
• ISE 1.0 & 1.1: native ISE functionality: profiling, authentication, policy enforcement, etc.
• ISE 1.1.x: native ISE functionality: enrollment/registration, self-enroll portal, certificate enrollment, blacklisting
• ISE 1.2: ISE – MDM API: additional device data, policy compliance, data wipe
BYO-X: MDM Vendors
Requires a new API in the MDM server
• Only ONE may be active at a time in ISE
• Cisco published API specs to 5 initial vendors: AirWatch version 6.2; MobileIron version 5.0; ZenPrise version 7.1; Good version 2.3; SAP Sybase
MDM Compliance Checking: Compliance and Attribute Retrieval via API
• Compliance based on:
  ‒ Macro level: general Compliant or Not Compliant status
  OR
  ‒ Micro level: disk encryption enabled, PIN lock enabled, jailbroken status
• MDM attributes available for policy conditions
• "Passive Reassessment": bulk recheck against the MDM server using a configurable timer (4 hours default)
  ‒ If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session
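The macro/micro compliance decision and the passive-reassessment loop described above, as an added example that is not ISE code or any MDM vendor's API. The MDM attribute schema, the session records and the MAC addresses are constructed; the micro-level policy encodes the three conditions the slide lists (disk encryption on, PIN lock on, not jailbroken), and the result is the list of sessions for which a CoA terminate would be issued.

```python
"""Model ISE's MDM compliance check and the periodic passive reassessment.

Added example, not Cisco/ISE code or a vendor MDM API. Records, sessions and
MAC addresses are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PASSIVE_REASSESSMENT_DEFAULT_SECONDS = 4 * 3600  # configurable timer, 4 hours default


@dataclass(frozen=True)
class MdmRecord:
    """Attributes the MDM returns for one device (constructed schema)."""
    registered: bool
    compliant: bool        # macro level: the MDM's own overall verdict
    disk_encrypted: bool   # micro-level attributes follow
    pin_lock: bool
    jailbroken: bool


@dataclass(frozen=True)
class Session:
    session_id: str
    mac: str
    granted_compliant_access: bool  # True if the connect-time check passed


# Micro-level policy: attribute name -> value the policy requires.
MICRO_POLICY: Dict[str, bool] = {"disk_encrypted": True, "pin_lock": True, "jailbroken": False}


def failed_checks(rec: MdmRecord, mode: str, micro_policy: Dict[str, bool] = MICRO_POLICY) -> List[str]:
    """Names of the conditions the device fails; an empty list means compliant."""
    if not rec.registered:
        return ["registered"]          # an unenrolled device can never be compliant
    if mode == "macro":
        return [] if rec.compliant else ["compliant"]
    if mode == "micro":
        return [name for name, wanted in micro_policy.items() if getattr(rec, name) != wanted]
    raise ValueError(f"unknown compliance mode: {mode}")


def due_for_recheck(last_check_epoch: int, now_epoch: int,
                    interval: int = PASSIVE_REASSESSMENT_DEFAULT_SECONDS) -> bool:
    """True once the reassessment timer has elapsed since the last bulk check."""
    return now_epoch - last_check_epoch >= interval


def passive_reassessment(sessions: List[Session], lookup: Callable[[str], Optional[MdmRecord]],
                         mode: str) -> List[dict]:
    """Bulk recheck of active sessions; returns the CoA terminate actions to issue."""
    actions = []
    for s in sessions:
        if not s.granted_compliant_access:
            continue                   # never held compliant access; nothing to revoke
        rec = lookup(s.mac)
        if rec is None:
            continue                   # device unknown to the MDM this round: no verdict, no CoA
        failures = failed_checks(rec, mode)
        if failures:
            actions.append({"session_id": s.session_id, "mac": s.mac,
                            "coa": "terminate", "failed": failures})
    return actions


# Constructed sample data: what the MDM reports at recheck time.
SAMPLE_MDM: Dict[str, MdmRecord] = {
    "00:11:22:33:44:01": MdmRecord(True, True, True, True, False),    # still compliant
    "00:11:22:33:44:02": MdmRecord(True, False, True, True, True),    # jailbroken since connect
    "00:11:22:33:44:03": MdmRecord(True, True, True, False, False),   # PIN lock off, MDM still says compliant
    "00:11:22:33:44:04": MdmRecord(False, False, False, False, False),  # unenrolled since connect
}
SAMPLE_SESSIONS = [
    Session("s1", "00:11:22:33:44:01", True),
    Session("s2", "00:11:22:33:44:02", True),
    Session("s3", "00:11:22:33:44:03", True),
    Session("s4", "00:11:22:33:44:04", True),
    Session("s5", "00:11:22:33:44:05", False),  # guest-level access, not in the MDM
]


def demo(mode: str = "micro") -> List[dict]:
    """Run one reassessment round over the constructed sessions."""
    return passive_reassessment(SAMPLE_SESSIONS, SAMPLE_MDM.get, mode)


if __name__ == "__main__":
    for m in ("macro", "micro"):
        print(m, demo(m))
```

Running both modes over the same data shows the practical difference the slide draws: session s3 survives a macro-level check because the MDM's overall verdict is still "compliant", but fails a micro-level check on `pin_lock`, so the choice of level decides which drift triggers a CoA.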
BYO-X: MDM Integration
[Diagram: MDM attributes available to ISE policy: Registered, JailBroken, Encryption, Profile]
BYOD Onboarding Flow
1. Registered device? No → ISE BYOD Registration (MyDevices). Yes → continue.
2. MDM registered? No → ISE portal link to MDM onboarding. Yes → Access-Accept.
BRKSEC-2022
MDM Integration: Remediation
• Administrator / user can issue remote actions on the device through the MDM server (example: remote wiping the device)
  ‒ MyDevices Portal
  ‒ ISE Endpoints Directory
Options: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock
Basic 2-Node ISE Deployment (Redundant): Maximum Endpoints = 10,000 (platform dependent)
• All services run on both ISE nodes
• Set one node for Primary Admin / Secondary M&T; set the other for Primary Monitoring / Secondary Admin
• Max endpoints is platform dependent: 33x5 = max 2k endpoints; 3415 = max 5k endpoints; 3495 = max 10k endpoints
[Diagram: two nodes (Pri. Admin + Sec. M&T + PSN; Pri. M&T + Sec. Admin + PSN) plus HA Inline Posture Nodes serving Campus A and Campus B (802.1X switches, WLCs, APs, ASA VPN) and Branch A and Branch B (802.1X switches, APs)]
Basic Distributed Deployment: Maximum Endpoints = 10,000 / Maximum 5 PSNs
• Dedicated management appliances: Pri. Admin / Sec. MnT; Pri. MnT / Sec. Admin
• Dedicated Policy Service Nodes: up to 5 PSNs
• No more than 10,000 endpoints supported: 3355/3415 as Admin/MnT = max 5k endpoints; 3395/3495 as Admin/MnT = max 10k endpoints
[Diagram: two management nodes, PSNs in Campus A and Campus B, HA Inline Posture Nodes; campuses with 802.1X switches, WLCs, APs and ASA VPN; Branch A and Branch B with 802.1X switches and APs]
Fully Distributed Deployment: Maximum Endpoints = 250,000 / Maximum 40 PSNs
• Dedicated management appliances: Pri. Admin, Sec. Admin, Pri. MnT, Sec. MnT
• Dedicated Policy Service Nodes: up to 40 PSNs
• Up to 100k endpoints using 3395 Admin and MnT; up to 250k endpoints using 3495 Admin and MnT
[Diagram: four management nodes, PSNs in Campus A and Campus B, HA Inline Posture Nodes; campuses with 802.1X switches, WLCs, APs and ASA VPN; Branch A and Branch B with 802.1X switches and APs]
New Appliances: SNS-3415-K9 & SNS-3495-K9
Cisco Secure Network Servers: based on the Cisco UCS C220 Server, but designed for:
v Cisco Identity Services Engine (ISE)
v Network Admission Control (NAC)
v Access Control Server (ACS)

New Appliances
P/N | Description | Price
SNS-3415-K9 | Small Secure Network Server for ISE, NAC & ACS Applications | -
CON-SNT-SNS3415 | SMARTNET 8X5XNBD Small Secure Server | $2 643
SW-3415-ISE-K9 | Cisco ISE Software for the SNS-3415-K9 | $11 990
SNS-3495-K9 | Large Secure Server for ISE and NAC Applications | -
CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3 362
SW-3495-ISE-K9 | Cisco ISE Software for SNS-3495-K9 | $22 990
Migration policy for HW or SW: NAC -> ISE
§ If you have: a current ACS, NGS, NAC Appliance, or Profiler product, any version / any quantity
§ Upgrade entitlement: any quantity of any Appliance Migration SKU (includes physical or VM appliance SKUs)

Migration policy for licenses: ACS -> ISE
§ If you have: ACS or NAC Guest Server, any version, any quantity
§ Upgrade entitlement: any Base License Migration SKU = 50% off standard list

Migration policy for licenses: NAC -> ISE
§ If you have: NAC Server, N = sum of all user licenses
§ Upgrade entitlement: Base License for N endpoints; Advanced license for N endpoints for 3 years
New Appliances – Migration P/N

SNS 3415 migration bundle
P/N | Description | Price | Qty
SNS-3415-M-ISE-K9 | SNS 3415 Migration Server: Loaded with ISE Software | $0 | 1
CON-SNTP-SNS3415 | SMARTNET 24X7X4 Small Secure Network | $2 643 | 1
CAB-9K10A-EU | Power Cord 250VAC 10A CEE 7/7 Plug EU | $0 | 1
SNS-4GBSR-1X041RY | 4GB 1600 MHz Memory Module | $0 | 4
SNS-600GB-HDD | 600 GB Hard Disk Drive | $0 | 1
SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur | $0 | 1
SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz | $0 | 1
SNS-N2XX-ABPCI01 | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
SNS-RAID-ROM5 | Embedded SW RAID 0/1/10 8 ports SAS/SATA | $0 | 1
SW-3415-M-ISE-K9 | Cisco ISE Software for the SNS-3415-M-ISE-K9 | $9 400 | 1
ISE-SNS-ACCYKIT | ISE SNS Accessory Kit | $0 | 1
SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1

SNS 3495 migration bundle
P/N | Description | Price | Qty
SNS-3495-M-ISE-K9 | SNS 3495 Migration Server: Loaded with ISE Software | $0 | 1
CON-SNTP-SNS3495 | SMARTNET 24X7X4 Large Secure Server | $5 379 | 1
SW-3495-M-ISE-K9 | Cisco ISE Software for the SNS-3495-M-ISE-K9 | $18 990 | 1
ISE-SNS-ACCYKIT | ISE SNS Accessory Kit | $0 | 1
CAB-9K10A-EU | Power Cord 250VAC 10A CEE 7/7 Plug EU | $0 | 2
SNS-4GBSR-1X041RY | 4GB 1600 MHz Memory Module | $0 | 8
SNS-600GB-HDD | 600 GB Hard Disk Drive | $0 | 2
SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur | $0 | 2
SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz | $0 | 2
SNS-N2XX-ABPCI01 | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
SNS-RAID-11-C220 | Mezzanine RAID for C220 | $0 | 1
SNS-UCS-SSL-CATD | Cavium Card | $0 | 1
SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1
Scaling (For Your Reference)
Policy Service Node (PSN) and Concurrent Endpoint Max Number Specifications by Deployment Model

Deployment Model | Platform | Max # PSNs | Max # Endpoints
Standalone (all personas on same node) | 33xx | N/A | 2,000
Standalone (all personas on same node) | 3415 | N/A | Target 5,000
Standalone (all personas on same node) | 3495 | N/A | Target 10,000
Admin + MnT on same node; dedicated PSN | 3355 as Admin+MnT | 5 | 5,000
Admin + MnT on same node; dedicated PSN | 3395 as Admin+MnT | 5 | 10,000
Admin + MnT on same node; dedicated PSN | 3415 as Admin+MnT | 5 | 5,000
Admin + MnT on same node; dedicated PSN | 3495 as Admin+MnT | 5 | 10,000
Dedicated Admin and MnT nodes | 3395 as Admin and MnT | 36 (1.1) / 40 (1.2) | 100,000
Dedicated Admin and MnT nodes | 3495 as Admin and MnT | 40 (1.2) | 250,000

Dedicated PSN max concurrent endpoint count (all services): ISE-3315: 3,000; ISE-3355: 6,000; ISE-3395: 10,000; SNS-3415: 5,000; SNS-3495: 20,000
Sizing Production VMs to Physical Appliances: Summary
Appliance used for sizing comparison | CPU # Cores | CPU Clock Rate (GHz) | Memory (GB) | Physical Disk (GB)*
ISE Small (ACS-1121/ISE-3315) | 4 | 2.66 | 4 | 500
ISE Medium (ISE-3355) | 4 | 2.0 | 4 | 600
ISE Large (ISE-3395) | 8 | 2.0 | 4 | 600
SNS Small (ISE-3415) | 4 | 2.4 | 16 | 600
SNS Large (ISE-3495) | 8 | 2.4 | 32 | 600
* Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on Disk Sizing.
Comparison of Physical and Virtual Appliance

Virtual appliance
P/N | Description | Price
ISE-VM-K9= | Cisco Identity Services Engine VM | $5 990
CON-SAU-ISEVM | SW APP SUPP + UPGR Cisco Identity Services Engine Virtual M | $1 198

Physical appliance
P/N | Description | Price
SNS-3495-K9 | Large Secure Server for ISE and NAC Applications | -
CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3 362
SW-3495-ISE-K9 | Cisco ISE Software for SNS-3495-K9 | $22 990

Virtual appliance requirements (appliance used for sizing comparison: SNS Large (ISE-3495)): CPU 8 cores at 2.4 GHz clock rate; memory 32 GB; physical disk 600 GB*
TrustSec
Identity Policies: Passive Authentication Architecture
Traffic is controlled by access policies which leverage identity (WSA and Cisco ASA + CX on the LAN).
[Diagram: a domain user's login event is recorded in the Active Directory domain controller's security log; the Cisco CDA Server reads the login event via WMI and distributes the domain username/group to IP mapping (RADIUS) and domain username and group information (LDAP) to the enforcement devices]
TrustSec: Identity Policy Enforcement (FW, switch, router, …): How to Identify the User?
[Diagram: fidelity vs. breadth of three identity sources]
• AD/LDAP identity (NTLM, Kerberos): user authentication; auth-aware apps; Mac, Windows, Linux; AD/LDAP user credential
• IP surrogate (AD Agent): network identity; non-auth-aware apps; any platform; AD/LDAP credential
• TrustSec*: group information; any tagged traffic
Breadth: let's use information from the access layer => TrustSec
SGT Overview: Rich Context Classification with ISE (BYOD Use Case)
Along with authentication, various data is sent to ISE for device profiling (ID & profiling data: NetFlow, DHCP, DNS, HTTP, OUI, RADIUS, NMAP, SNMP).
Classification result: Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No → Personal Asset SGT
ISE (Identity Services Engine) Security Group Policy: company asset → DC resource access; personal asset → restricted Internet only
[Diagram: employee with a company asset and a personal asset on an AP / Wireless LAN Controller, each tagged with an SGT]
Distributed enforcement based on Security Group
Enforcement: Enforcing Traffic on Firewall (ASA) - SGFW
[Diagram: policy matrix of source tags against destination tags]
TrustSec – Switch Support (For Your Reference)

SXP:
2960-S (LAB) 15.0.2(SE)
3560-CG (IPB) 12.2(55)EX2
3560-SMI (IPB) 12.2(55)SE
3560-EMI (IPS) 12.2(55)SE
3560v2-SMI (IPB) 12.2(55)SE
3560v2-EMI (IPS) 12.2(55)SE
3750-SMI (IPB) 12.2(55)SE
3750-EMI (IPS) 12.2(55)SE
3750v2-SMI (IPB) 12.2(55)SE
3750v2-EMI (IPS) 12.2(55)SE
3560-E (IPB) 12.2(55)SE
3560-E (IPS) 12.2(55)SE
3560-X (LAB) 15.0.2(SE)
3560-X (IPB/IPS) 12.2(53)SE2
3750-E (IPB) 12.2(55)SE
3750-E (IPS) 12.2(55)SE
3750-X (LAB) 15.0.2(SE)
3750-X (IPB/IPS) 12.2.53(SE2)

SGACL:
3560-X (IPB/IPS) 15.0.2(SE)
3750-X (IPB/IPS) 15.0.2(SE)

802.1AE - MACsec (SAP):
3560-CG (IPB) 15.0.2(SE)
3560-X (IPB/IPS) 12.2(53)SE2
3750-X (IPB/IPS) 12.2.53(SE2)
pxGrid
Enabling the Potential of Network-Wide Context Sharing
pxGrid context sharing: a single framework with direct, secured interfaces between platforms that each hold some context and need other context:
• SIO: I have reputation info! I need threat data…
• I have sec events!
• I have application info! I need location & auth-group…
• I have NBAR info!
• I have location! I need identity…
• I have NetFlow!
• I have MDM info! I need location…
• I have threat data! I need reputation…
• I have firewall logs! I need identity…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• Other needs on the grid: reputation, identity, entitlement
NEW! – SIEM & Threat Defense (available July 2013): prioritize events, user/device-aware analytics, expedite resolution
• ISE provides user and device context to SIEM and Threat Defense partners
• Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events
• Partners may take network action on users/devices via ISE

Mobile Device Management: ensure device enrollment and security compliance
• ISE serves as policy gateway for mobile device network access
• MDM provides ISE mobile device security compliance context
• ISE assigns network access privilege based on compliance context
Cyber Security
Cyber Threat Defense Solution: NetFlow Enables Security Telemetry
Cisco Network + NetFlow: NetFlow-enabled Cisco switches and routers become security telemetry sources. Cisco is the undisputed market leader in hardware-enabled NetFlow devices.
Network components provide rich context: unites NetFlow data with identity and application ID to provide security context.
• Questions answered about a flow (example host 65.32.7.45): User? Device? Posture? (vulnerability, AV, patch) Events? Application?
• Context sources: Cisco ISE; Cisco ASR 1000 or ISR G2 + NBAR; Cisco ASA; Cisco NGA
Lancope Partnership Provides Behavior-Based Threat Detection
FlowSensor + FlowCollector + StealthWatch Management Console: a single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
Drilling into a single flow yields a wealth of information
Identify Threats and Assign Attribution
Leveraging an integration between Cisco ISE and Lancope StealthWatch
Policy | Start Active Time | Alarm | Source | Source Host Group | Source User Name | Target
Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts
Cisco Security
Cisco Security Product Highlights: 2012-2013
Product milestones:
• ISE 1.1 & 1.2 / TrustSec 2.1
• Cognitive Security acquisition
• ASA mid-range appliances
• Secure Data Center launch
• ASA CX and PRSM
• ASA 9.0, ASA 1000V, IPS 4500, CSM 4.3, AnyConnect 3.1
Thank you for your attention.
Recommended Reading
§ Network Complexity - Michael H. Behringer: Classifying Network Complexity; slides; ACM ReArch'09 workshop; 2009. http://networkcomplexity.org/wiki/index.php?title=References
§ Cisco TrustSec 2.1 Design and Implementation Guide. http://www.cisco.com/go/trustsec/
§ Cisco Wireless LAN Security. http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540
§ Managing Cisco Network Security. http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031
§ Cisco Firewalls. http://www.ciscopress.com/bookstore/product.asp?isbn=1587141094
§ Cisco LAN Switch Security: What Hackers Know About Your Switches. http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
Where To Find Out More
Whitepapers: www.cisco.com/go/ibns
Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACsec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html