Is your network access secure? Try Cisco ISE 2.0.

We live in a connected, digitally enabled world that feels just like a small village. We are constantly connected: checking our devices for a status update, posting an update ourselves, or trying to send that status report or close a business deal online. Our access to the internet has increased tenfold from previous years, with many more people plugging in to the World Wide Web every second. We like to call ourselves the .com generation, or, if you fancy the title "millennial", you are in the right timeline.

But with such exposure, we sometimes forget the dangers lurking behind our use of the internet. A few of us at least try to ensure we are using a secure connection. Many ignore it all and end up in a really bad fix.
Take the year 2017 as we knew it: every IT security professional will tell you that it was a terrible year on the network security home front, especially in the malware category, with WannaCry wreaking havoc on company networks in a spate of ransomware attacks that led to losses in the millions of dollars. Such occurrences are a network security professional's worst nightmare. According to Forbes.com, as cyberattacks increase in quantity and sophistication, the global cybersecurity market is expected to be worth $170 billion by 2020, and the field is currently suffering from a dire shortage of skilled network security professionals. In 60 percent of cases, attackers can compromise an organization within minutes, and the proportion of breaches discovered within days falls well below that of time to compromise (Verizon 2015 Data Breach Investigations Report).
Threat intelligence sharing among security products, to close this gap between detection and response more rapidly, is now a business imperative.

Today's enterprise network is rapidly changing, especially when it comes to employee mobility and access to network facilities. Employees are no longer tethered to desktop workstations; instead they access enterprise resources via a variety of devices: tablets, smartphones and personal laptops, just to name a few. Being able to access resources from anywhere greatly increases productivity, but it also increases the probability of data breaches and security threats, because you may not control the security posture of devices accessing the network from outside the office's brick-and-mortar setup. Keeping track of all devices accessing the network is a huge task in itself, and as the need for more access arises, it becomes ever less sustainable to manage.

So, what can we do to get out of this fix? Fret not, the Cisco Identity Services Engine (ISE) 2.0 is here to help you, and in a big way. ISE is an identity-based network access control and policy enforcement system. It takes care of mundane day-to-day tasks like BYOD device onboarding, guest onboarding, switchport VLAN changes for end users, access list management and many others, so a network administrator can focus on other important tasks like keeping abreast of current threats and how to counteract them.
Essentially, ISE attaches an identity to a device based on user, function or other attributes, to provide policy enforcement and compliance with security requirements before the device is authorized to access network resources. Based on the results of a variety of factors, an endpoint can be allowed onto the network with a specific set of access policies applied to the interface it is connected to, or it can be completely denied, or given guest access, according to the specific company guidelines. Cisco ISE is therefore a context-aware policy service that controls access and threats across wired, wireless and VPN networks, and a component of Cisco's Borderless Networking and the company's TrustSec product line.

Another plus is that Cisco has finally released the Identity Services Engine 2.0 (ISE), which comes with a robust array of features and functionalities that will be a great asset to your organization. Let us review the ISE platform in brief.

Figure 1.0: The ISE platform in a nutshell

The ISE platform is typically a distributed deployment of nodes made up of three different profiles: the Policy Administration Node (PAN), the Monitoring and Troubleshooting Node (MnT) and the Policy Services Node (PSN). All three roles are required for ISE to function properly. Let us look at each of these profiles and service entry points.

Policy Administration Node (PAN)

The PAN profile is the interface the administrator logs into in order to configure the policies that drive the entire setup. It is the control center of the ISE deployment.
This node allows an administrator to make changes to the entire ISE topology, and those changes are pushed out from the admin node to the Policy Services Nodes (PSNs).

Policy Services Node (PSN)

The PSN profile is where policy decisions are made. These are the nodes to which network enforcement devices send all network messaging; RADIUS messaging is an example of what is sent to the PSNs.
The messages are processed and the PSN gives the go/no-go for access to the network based on what was configured in the PAN.

Monitoring and Troubleshooting Node (MnT)

The MnT profile is where logging of all service reports occurs, and reports can be generated as needed. All logs are sent to this node, and it sorts through them so it can assemble them in a legible format. It is also used to generate various detailed and graphical reports that can help senior management make strategic decisions regarding your company's network resources, as well as to notify you of any ISE alarms.

Having familiarized ourselves with these three profiles, let us look at some of the things ISE 2.0 can offer your organization. Fundamentally, Cisco ISE offers a more holistic approach to network access security and provides:

- Accurate identification of every user and device.
- Easy onboarding and provisioning of all devices.
- Centralized, context-aware policy management to control user access: whoever, wherever, and from whatever device.
- Deeper contextual data about connected users and devices, to identify, mitigate and remediate threats more rapidly.

Here are some of the fancy technical features within ISE:

TACACS+ support for Device Administration AAA

Cisco ISE supports device administration using the Terminal Access Controller Access-Control System (TACACS+) security protocol to control and audit the configuration of network devices. The network devices are configured to query ISE for authentication and authorization of device administrator actions, and to send accounting messages so that ISE logs those actions. This facilitates granular control of who can access which network device and change the associated network settings. An ISE administrator can create policy sets that allow TACACS+ results, such as command sets and shell profiles, to be selected in authorization policy rules in a device administration access service. The ISE Monitoring node provides enhanced reports related to device administration. The Work Center menu contains all the device administration pages and acts as a single starting point for ISE administrators. ISE requires a Device Administration license to use TACACS+.
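To make the device-administration flow concrete, here is an added Python model (not Cisco's code, and not from the original post) of a TACACS+ authorization decision: a request carrying the administrator's groups is matched against authorization rules, each rule returns one or more command sets plus a shell profile privilege level, and the command is then evaluated against every returned set. It also applies the stacking precedence the post describes later under "Stacking of Command Sets": a permit outweighs a plain deny, unless an explicit deny_always matches. The group names, command set names, rule contents and the `permit_unmatched` default are constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed illustration of TACACS+ command authorization with stacked
# command sets. The set names, rules and user groups are assumptions for
# this example; the matching and precedence logic models the behaviour the
# post describes, not Cisco's implementation.

PERMIT, DENY, DENY_ALWAYS = "permit", "deny", "deny_always"


@dataclass(frozen=True)
class CommandRule:
    action: str            # PERMIT, DENY or DENY_ALWAYS
    command: str           # command keyword, e.g. "show"
    arguments: str = ".*"  # regex the rest of the command line must match

    def matches(self, command, arguments):
        return (self.command == command
                and re.fullmatch(self.arguments, arguments) is not None)


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: tuple
    permit_unmatched: bool = False  # default when no rule in the set matches


COMMAND_SETS = {
    "AllShow": CommandSet("AllShow", (CommandRule(PERMIT, "show"),)),
    "ConfigAccess": CommandSet("ConfigAccess", (
        CommandRule(PERMIT, "configure", "terminal"),
        # plain deny: a permit in another stacked set outweighs it
        CommandRule(DENY, "show", "running-config"),
        CommandRule(DENY_ALWAYS, "reload"),
        CommandRule(DENY_ALWAYS, "write", "erase"),
    )),
    "ReadOnlyGuard": CommandSet("ReadOnlyGuard", (
        CommandRule(DENY_ALWAYS, "configure"),
    )),
}

# Authorization policy rules: a condition on the request, the command sets
# returned when it matches, and the shell profile privilege level granted.
AUTHZ_RULES = (
    (lambda req: "NetOps" in req["groups"], ("AllShow", "ConfigAccess"), 15),
    (lambda req: "Helpdesk" in req["groups"], ("AllShow", "ReadOnlyGuard"), 1),
)


def select_results(request):
    """Collect every matching rule's command sets (deduplicated, in rule order)
    and the highest privilege level granted by any matching shell profile."""
    names, privilege = [], None
    for condition, sets, priv in AUTHZ_RULES:
        if condition(request):
            names.extend(n for n in sets if n not in names)
            privilege = priv if privilege is None else max(privilege, priv)
    return [COMMAND_SETS[n] for n in names], privilege


def authorize(request, command_line):
    """Return (decision, reason) for one command, applying the stacking rule:
    deny_always wins over everything, then permit outweighs deny, and an
    unmatched command falls back to the sets' permit_unmatched default."""
    command, _, arguments = command_line.strip().partition(" ")
    sets, _ = select_results(request)
    if not sets:
        return DENY, "no authorization rule matched the request"
    matched = [(rule.action, cs.name)
               for cs in sets for rule in cs.rules
               if rule.matches(command, arguments)]
    for wanted in (DENY_ALWAYS, PERMIT, DENY):
        for action, name in matched:
            if action == wanted:
                decision = PERMIT if action == PERMIT else DENY
                return decision, f"{action} rule in command set {name}"
    if any(cs.permit_unmatched for cs in sets):
        return PERMIT, "unmatched command permitted by command set default"
    return DENY, "unmatched command, no command set permits by default"


def accounting_record(request, device, command_line, decision):
    """Shape of the accounting entry the device would send for MnT to log."""
    return {"user": request["user"], "device": device,
            "command": command_line, "result": decision}


if __name__ == "__main__":
    netops = {"user": "alice", "groups": ["NetOps"]}
    helpdesk = {"user": "bob", "groups": ["Helpdesk"]}
    both = {"user": "carol", "groups": ["NetOps", "Helpdesk"]}
    for who, line in ((netops, "show running-config"), (netops, "reload"),
                      (both, "configure terminal"), (helpdesk, "ping 10.0.0.1")):
        decision, why = authorize(who, line)
        print(accounting_record(who, "core-sw1", line, decision), why)
```

The case worth studying is the administrator who is in both groups: "configure terminal" is permitted by one stacked set and hit by a deny_always in the other, so the command is denied, whereas "show running-config" is permitted even though one set carries a plain deny for it. Whether a rule is written as deny or deny_always therefore decides what happens when sets are combined, which is exactly what to review before stacking sets from different teams.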
The new Endpoints Identity page

At first glance one might think of this as a small thing, but this is the single most frequently viewed page in all of ISE. It was also one of the biggest pains to use in previous versions of ISE. It has been revamped in ISE 2.0, and in a great way. Some very useful functionality has been added to the pie charts at the top: if you click on a pie chart slice, it automatically filters the table below it.
The table itself has been completely rewritten and remembers where you were when you clicked into an endpoint for details and then went back to the table.

New Navigation Framework

ISE is a complex system with tremendous power to boot. A system like this cannot normally come with a user interface contained within only a few pages. Most often a solution like this needs a menu system and many levels of navigation. It can be expected that ISE will be afflicted with the need for many menus with sub-levels; simply put, a lot of navigation. However, ISE 2.0 rips out the entire navigational framework and replaces it with one that is modern and lightning fast. It is obviously the start of a complete UI overhaul, in which some functional areas and their pages are also rewritten, and it is to be expected that the entire UI refresh will be complete in the next release or two.
The first time you log into ISE 2.0, you immediately see the difference, with prominent menus and side navigation.

Upgrade Wizard

It is no secret that upgrading is a complex procedure for any large distributed system in any technological setup.
Many solutions do away with the upgrade option altogether and instead require you to reinstall and restore the configuration from backup. ISE has always supported upgrade and has made significant improvements with each release. ISE 2.0 adds a new wizard-based GUI to handle the upgrades for you in an orderly manner. You can specify which repository each node in the deployment should use, pre-stage the upgrade files, and control the order in which each node is upgraded, all within the GUI.
Support Tunnels

Support tunnels have been added to ISE 2.0. This feature allows the administrator to enable a secure tunnel for Cisco's TAC to remotely access the appliance's root operating system. Well, that is to put it simply.
This is fantastic functionality, because it means fewer WebEx sessions with Cisco TAC remotely viewing the UI of a customer's ISE deployment: they can view it directly, if and only if the customer has enabled the support tunnel and provided the TAC engineer with the unique key required to activate and authenticate the access.

Stacking of Command Sets

ISE 2.0 allows multiple command sets to be sent in response to an authorization request from any of the nodes. This has been done in a brilliant way: the command sets stack, and a permit statement always outweighs a deny statement, unless it is an explicit "deny_always" statement.

Network Device Profiles

Network Device Profiles are completely brilliant and provide something that many have been looking for in ISE since the very beginning: the ability to customize the settings for network devices, including the way ISE should handle Change of Authorization (CoA), URL redirection and more.
The implementation of NAD profiles allows them to be imported and exported so they can be shared. ISE 2.0 ships with a load of pre-built profiles for many network devices.

Native EAP-TTLS Support

EAP-TTLS is a tunneled EAP protocol that is fairly popular with universities that use eduroam. Prior to ISE version 2.0 it was one of the only popular EAP types missing support in ISE, even though there was support for it in Cisco's supplicant, the Cisco AnyConnect Network Access Module.

Certificate Provisioning Portal

ISE 1.3 added the built-in Certificate Authority for BYOD endpoint certificates.
It would create endpoint certificates only for devices that underwent the Cisco BYOD on-boarding process. In ISE 1.4 an API was added to allow the creation of private/public certificate key pairs that could be imported into devices that could not go through the BYOD flows. Now, in ISE 2.0, there is a much better, fully-blown customizable portal that allows the creation of individual certificate key pairs, the submission and signing of Certificate Signing Requests (CSRs), or even the bulk creation of certificates. This is a gem for every network administrator out there.
Kicking Endpoints off the Network when a Certificate is Revoked

When ISE issues a certificate to a BYOD endpoint and that certificate is later revoked, the endpoint is naturally denied access at its next authentication. However, the endpoint would remain on the network until the next re-authentication time. ISE 2.0 adds a CoA-Terminate (a disconnection) for any endpoint with an active session whose certificate has been revoked, thereby immediately kicking it off the network and reducing the clutter of endpoints you do not need.

These are just a few of the many economic and security benefits to be derived from a Cisco ISE 2.0 implementation in your organization. Further to this, according to research carried out by Forrester, "Cost Savings and Business Benefits Enabled by ISE", there is a huge incentive for your organization to deploy a Cisco ISE 2.0 configuration and stay abreast of the cybersecurity needs of the modern digital organization.

Let us stay safe on the net with Cisco ISE 2.0!