Is your network access secure? Try CISCO ISE 2.0.
We live in a connected, digitally enabled world that has shrunk to the size of a
small village. We are constantly connected: checking our devices for a status
update, posting an update ourselves, or trying to send that status report or
close a business deal online. Our access to the internet has increased tenfold
from previous years, with many more plugging in to the World Wide Web every
second; we like to call ourselves the .com generation, or, if you fancy the title
"millennial", you are in the right timeline.
But with such exposure, we sometimes forget the dangers lurking behind our use
of the internet. A few of us at least try to ensure we are using a secure
connection, but many ignore it all and end up in a really bad fix.
Take, for example, the year 2017: every IT security professional will tell you
that it was a terrible year on the network security home front, especially in
the malware category, with WannaCry wreaking havoc on company networks in a
spate of ransomware attacks that led to losses in the millions of dollars.
Such occurrences are a network security professional's worst nightmare.
According to Forbes.com, as cyberattacks increase in quantity and
sophistication, the global cybersecurity market is expected to be worth $170
billion by 2020 and is currently suffering from a dire shortage of skilled
network security professionals. In 60 percent of cases, attackers can
compromise an organization within minutes, and the proportion of breaches
discovered within days falls well below that of time to compromise (Verizon
2015 Data Breach Investigations Report). Threat intelligence sharing among
security products, to more rapidly close this gap between detection and
response, is now a business
Today’s enterprise network is rapidly changing, especially
when it comes to employee mobility and access to network facilities. Employees
are no longer tethered to desktop workstations, but instead access enterprise
resources via a variety of devices: tablets, smartphones, and personal laptops,
just to name a few.
Being able to access resources from anywhere greatly increases productivity,
but it also increases the probability of data breaches and security threats,
because you may not control the security posture of devices accessing the
network from outside the brick-and-mortar office. Keeping track of all devices
accessing the network is a huge task in itself, and as the need for more access
arises, the more unsustainable it becomes to
So, what can we do to get out of this fix?
Fret not: the Cisco Identity Services Engine (ISE) 2.0 is here to help you,
and in a big way. ISE is an identity-based network access control and policy
enforcement system. It takes care of mundane day-to-day tasks like BYOD device
onboarding, guest onboarding, switchport VLAN changes for end users, access
list management and many others, so a network administrator can focus on other
important tasks like keeping abreast of current threats and how to counteract
them.
Essentially, ISE attaches an identity to a device based on user, function or
other attributes, and enforces policy and security compliance requirements
before the device is authorized to access network resources. Based on the
results of a variety of factors, an endpoint can be allowed onto the network
with a specific set of access policies applied to the interface it is connected
to, or it can be completely denied, or given guest access, according to the
company's guidelines. Cisco ISE is therefore a context-aware policy service
that controls access and threats across wired, wireless and VPN networks, and a
component of Cisco's Borderless Networking and the company's TrustSec product
line.
Another plus is that Cisco has finally released Identity Services Engine 2.0
(ISE), which comes with a robust array of features and functionalities that
will be a great asset to your organization.
Let us review the ISE platform in brief.
Figure 1.0: The ISE platform in a nutshell
The ISE platform is typically a distributed deployment of nodes made up of
three different profiles: the Policy Administration Node (PAN), the Monitoring
and Troubleshooting Node (MnT), and the Policy Services Node (PSN). All three
roles are required for ISE to function properly.
Let us look at each of these profiles in turn.
Policy Administration Node (PAN)
The PAN profile is the interface the administrator logs into in order to
configure the policies that drive the entire setup. It is the control center of
the ISE deployment. This node allows an administrator to make changes to the
entire ISE topology, and those changes are pushed out from the admin node to
the Policy Services Nodes (PSNs).
Policy Services Node (PSN)
The PSN profile is where policy decisions are made. These are the nodes to
which network enforcement devices send all network messaging; RADIUS messaging
is an example of what is sent to the PSNs. The messages are processed and the
PSN gives the go/no-go for access to the network based on what was configured
in the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT profile is where logging of all service reports occurs, and reports can
be generated as needed. All logs are sent to this node, which sorts through
them so it can assemble them in a legible format. It is also used to generate
various detailed and graphical reports that can help senior management make
strategic decisions regarding your company's network resources, as well as
notify you of any ISE alarms.
Having familiarized ourselves with these three profiles, let us look at some of
the things ISE 2.0 can offer your organization:
Fundamentally, Cisco ISE offers a more holistic approach to network access
security and provides:
- Accurate identification of every user and device.
- Easy onboarding and provisioning of all devices.
- Centralized, context-aware policy management to control user access –
whoever, wherever, and from whatever device.
- Deeper contextual data about connected users and devices to more rapidly
identify, mitigate, and remediate threats.
Here are some of the technical features within ISE:
TACACS+ support for Device Administration AAA
Cisco ISE supports device administration using the Terminal Access Controller
Access-Control System Plus (TACACS+) security protocol to control and audit the
configuration of network devices. The network devices are configured to query
ISE for authentication and authorization of device administrator actions, and
to send accounting messages for ISE to log those actions.
This facilitates granular control of who can access which network device and
change the associated network settings. An ISE administrator can create policy
sets that allow TACACS+ results, such as command sets and shell profiles, to be
selected in authorization policy rules in a device administration access
service. The ISE Monitoring node provides enhanced reports related to device
administration. The Work Center menu contains all the device administration
pages, which act as a single starting point for ISE administrators. ISE
requires a Device Administration license to use TACACS+.
The new Endpoints page
At first glance one would think of this as a small thing, but this is the
single most frequently viewed page in all of ISE. It was also one of the
biggest pains to use in previous versions of ISE, but it has been revamped in
ISE 2.0, and in a great way. Some very useful functionality has been added to
the pie charts at the top: clicking a pie chart slice automatically filters the
table below it. The table itself has been completely rewritten and remembers
where you were when you clicked into an endpoint for details and then went back
to the table.
ISE is a complex system with tremendous power to boot. A system like this
cannot normally come with a user interface contained within only a few pages;
most often a solution like this needs a menu system and many levels of
navigation. It can be expected that ISE will be afflicted with the need for
many menus with sub-levels and, simply put, a lot of navigation. However, ISE
2.0 rips out the entire navigational framework and replaces it with one that is
modern and lightning fast. It is obviously the start of a complete UI overhaul
– some functional areas and their pages have also been rewritten, and it would
be expected that the entire UI refresh will be complete in the next release or
two. The first time you log into ISE 2.0, you immediately see the difference
with prominent menus and side
It is no secret that upgrading is a complex procedure for any large distributed
system. Many solutions do away with the upgrade option altogether and instead
require you to reinstall and restore the configuration from backup. ISE has
always supported upgrade and has made significant improvements with each
release. ISE 2.0 adds a new wizard-based GUI to handle upgrades for you in an
orderly manner. You can specify which repository each node in the deployment
should use, pre-stage the upgrade files, and control the order in which each
node is upgraded. All within
Support tunnels have been added to ISE 2.0. This feature allows the
administrator to enable a secure tunnel for Cisco's TAC to remotely access the
appliance's root operating system, to put it simply. This is fantastic
functionality, because it means fewer WebEx sessions in which Cisco TAC
remotely views the UI of a customer's ISE deployment – they can view it
directly, if and only if the customer has enabled the support tunnel and
provided the TAC engineer with the unique key required to activate and
authenticate the access.
Stacking of Command Sets
ISE 2.0 allows multiple command sets to be sent in response to an
authorization request from any of the nodes. This has been done in a brilliant
way: the command sets stack, and a permit statement always outweighs a deny
statement, unless it is an explicit “deny_always”.
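To make the stacking rule concrete, here is a small Python model of how several command sets returned for one authorization request can be combined; it is an added example, not Cisco's or this post's code, and the Rule/CommandSet structures, the permit_unlisted option and the sample Helpdesk and NetOps sets are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed simplified model of a TACACS+ command set: an ordered list of
# rules, each granting permit, deny or deny_always for one command whose
# argument string matches a regular expression. Not ISE's own data model.
@dataclass
class Rule:
    grant: str         # "permit", "deny" or "deny_always"
    command: str       # first word of the command line, e.g. "show"
    args: str = ".*"   # regex matched (fullmatch) against the arguments

@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unlisted: bool = False  # assumed option: permit unmatched commands

def verdict(cs, cmd, args):
    """First matching rule wins inside a single command set."""
    for r in cs.rules:
        if r.command == cmd and re.fullmatch(r.args, args):
            return r.grant
    return "permit" if cs.permit_unlisted else None  # None: no opinion

def authorize(command_sets, line):
    """Stack several command sets returned for one authorization request.
    Rule from the text: a permit outweighs a deny, unless any set answers
    with an explicit deny_always; a command that no set permits is denied."""
    cmd, _, args = line.strip().partition(" ")
    verdicts = [verdict(cs, cmd, args) for cs in command_sets]
    if "deny_always" in verdicts:
        return "deny"
    return "permit" if "permit" in verdicts else "deny"

# Constructed sample command sets: a help-desk set that may look but not
# configure or reload, and a NetOps set that may configure and reload.
HELPDESK = CommandSet("Helpdesk", [
    Rule("permit", "show"),
    Rule("deny", "configure"),
    Rule("deny_always", "reload"),
])
NETOPS = CommandSet("NetOps", [
    Rule("permit", "configure", "terminal"),
    Rule("permit", "reload"),
])
if __name__ == "__main__":
    for cmd in ("show running-config", "configure terminal", "reload", "debug all"):
        print(f"{cmd!r:24} -> {authorize([HELPDESK, NETOPS], cmd)}")
```

With both sets stacked, "configure terminal" is permitted (NetOps' permit beats Helpdesk's deny) while "reload" is still denied because Helpdesk's deny_always is explicit.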
Network Device Profiles
Network Device Profiles are completely brilliant and provide something many
have been looking for in ISE since the very beginning: the ability to customize
the settings for network devices, including the way they should handle Change
of Authorization (CoA), URL redirections and more. The implementation of NAD
profiles allows them to be imported and exported so they can be shared. ISE
2.0 ships with a load of pre-built profiles for many network devices.
EAP-TTLS is a tunneled EAP protocol that is fairly popular with universities
that use eduroam. Prior to ISE version 2.0 it was one of the only popular EAP
types missing support in ISE, even though there was support for it in Cisco's
supplicant, the Cisco AnyConnect Network Access Module.
ISE 1.3 added the built-in Certificate Authority for BYOD endpoint
certificates. It would create endpoint certificates only for devices that
underwent the Cisco BYOD onboarding process. In ISE 1.4 an API was added to
allow the creation of private/public certificate key pairs that could be
imported into devices that could not go through the BYOD flows. Now, in ISE
2.0, there is a much better, fully customizable portal that allows the creation
of individual certificate key pairs, the submitting and signing of Certificate
Signing Requests (CSRs), or even the bulk creation of certificates. This is a
gem for every network administrator out there.
Kicking Endpoints off the Network when a Certificate is Revoked
When ISE issues a certificate to a BYOD endpoint and that certificate is later
revoked, the endpoint would naturally be denied access at its next
authentication. However, the endpoint would remain on the network until the
next re-authentication time. ISE 2.0 adds a CoA-Terminate (a disconnection) for
any endpoint with an active session whose certificate has been revoked, thereby
immediately kicking it off the network and reducing the clutter of endpoints
you do not need.
These are just a few of the many economic and security benefits to be derived
from a Cisco ISE 2.0 implementation in your organization. Furthermore,
according to research carried out by Forrester, Cost Savings and Business
Benefits Enabled by ISE, there is a huge incentive for your organization to
deploy a CISCO ISE 2.0 configuration and stay abreast of the cybersecurity
needs of the modern digital organization.
Let us stay safe on the net with CISCO ISE 2.0!!