Cisco ISE Design and Architecture
2013 Cisco and/or its affiliates. All rights reserved.
CiscoExpo Club: ISE 1.2
Jiří Tesař, CCIE #14558
-
ISE Design & Architecture
-
[Diagram: Cisco security architecture layers]
Network-enforced policy: access, firewall, IPS, VPN, web and email; delivered on appliances, routers, switches, wireless and virtual platforms.
Cloud-based threat intelligence and defense: attacks, application reputation, site reputation and malware; fed from global, local and partner-API sources.
Common policy, management and context: common management; shared policy, analytics and compliance; partner API; context from identity, application, device, location and time.
Workloads: apps/services and infrastructure across public, private and hybrid tenants.
-
Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
Identity context: who, what, where, when, how
Endpoints: virtual machine client, IP device, guest, employee and remote user
Access methods: wired, wireless, VPN
Security policy attributes expressed as business-relevant policies
Replaces AAA and RADIUS, NAC, guest management and device identity servers
-
Cisco Identity Solution Specifics
[Diagram: a Catalyst switch authenticates Guest, Employee and Printer endpoints via 802.1X, MAB and Web Auth and talks RADIUS to ISE; ISE consolidates NAC Profiler, ACS 5.x and NAC Guest Server and queries a Directory Server]
Various authorization methods (VLAN, downloadable ACL, URL redirect, etc.)
Scalable, flexible policy and authentication server supporting RBAC
Guest service providing full guest access management with Web Authentication
Profiling system performing automatic device profiling for unattended devices or any type of network-attached device
Cisco IOS intelligence providing a phased deployment model for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)
Flexible authentication methods (802.1X, MAB, Web Auth in any order)
-
Agents
AnyConnect 3.1: unified access interface for 802.1X on LAN/WLAN, VPN (SSL-VPN and IPsec) and mobile user security (WSA / ScanSafe)
Supports MACsec / MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU. MACsec-capable hardware (network cards) enhances performance with AnyConnect 3.0.
The NAC Agent is currently used for posture and will be merged into AnyConnect in AnyConnect 3.2.
-
ISE Web Authentication
Who? Used to identify users without supplicants (misconfigured, missing altogether, etc.).
Something, the switch or the controller, is needed to intercept browser requests and provide a captive portal and/or redirection to a local or remote web auth portal.
Centralized and customizable web authentication portal: both employee and guest authentication supported; tunable username and password policies; print, email and SMS guest notifications.
-
Providing Network Access to Guests and Employees: Unifying Network Access for Guest Users and Employees
On wireless: multiple SSIDs are used (SSID Corp for corporate users, an open SSID Guest for guests).
On wired: there is no notion of an SSID. A single unified switchport may serve an employee desktop, a printer, a guest or contractor and an IP phone, so different authentication methods must be used on the same port. Enter Flex Auth.
-
Components of a Full Guest Lifecycle Solution
Provisioning: guest accounts are created via the sponsor portal
Notify: guests receive their account details by print, email or SMS
Authenticate/Authorize: guests log in via a guest portal on ISE
Manage: sponsor privileges, guest accounts and policies, guest portal
Report: on all aspects of guest accounts
-
Cisco Secure Access and TrustSec Technology Review: Network Identity & Enforcement
Authentication (802.1X, MAB, Web, NAC)
Authorization (VLAN, dACL, SXP or SGT)
Enforcement (SGACL and Identity Firewall)
Requirement | Capability
I want to allow guests into the network | Guest Access
I need to allow/deny iPads in my network | Profiler
I need to ensure my endpoints don't become a threat vector | Posture
I need to ensure data integrity and confidentiality for my users | MACsec Encryption
I need a scalable way of authorizing users or devices in the network | Security Group Access
How can I set my firewall policies based on identity instead of IP addresses? | Identity-Based Firewall
I need to securely allow personal devices on the network | BYOD/MDM
-
Administration Process & Explanation
Policy Administration Node (PAN): all management UI activities; synchronizes all ISE nodes. All policy is synchronized from the PAN to the PSNs.
Policy Service Node (PSN): the work-horse. RADIUS, profiling, WebAuth, posture, sponsor portal and client provisioning. The PSN queries AD directly.
Monitoring and Troubleshooting node (MnT): collects logging and reporting data.
Network Access Device (NAD): the access-layer devices (e.g. the switchport); the enforcement point for all policy.
Flow: the user connects to the NAD; RADIUS goes from the NAD to the PSN; RADIUS returns from the PSN to the NAD with the enforcement result; RADIUS accounting follows; logging is sent to the MnT node.
-
How ISE is Used Today
It's easy to provide guests limited-time and limited-resource access
Control with one policy across wired, wireless and remote infrastructure
Users get safely on the internet fast and easily
Rules written in business terms control access
-
Cisco ISE Packaging and Licensing
Platforms: Small: Cisco ISE 3315 and 3415* | Medium: Cisco ISE 3355 | Large: Cisco ISE 3395 and 3495* | Virtual Appliance (* new)
Base License (ATP): policy for wired, wireless and VPN endpoints; authentication and authorization, guest provisioning, link-encryption policies. Perpetual licensing.
Advanced License (ATP), added on top of Base: policy for wired, wireless and VPN endpoints; device profiling, host posture, security group access. 3- or 5-year term licensing.
Wireless License: policy for wireless endpoints only; 5-year term licensing. The Wireless Upgrade License (ATP) extends policy to wired and VPN endpoints.
-
ISE 1.2
-
ISE 1.2 is a HUGE release!
New upgrade process that significantly reduces time
Brand-new replication model that improves WAN replication
Policy Groups (ACS parity)
Logical profile groups and profile as attribute
3rd-party MDM integration
Re-written reporting with scheduling
3rd-party MAB support
64-bit architecture
Brand-new hardware (UCS-based appliance)
External RESTful Services (ERS) API
View logs from the CLI (no support bundle needed)
Live Sessions log
Search and Session Trace tool
Guest enhancements: mobile-friendly portal
dACL checker
Feed service
Backup and restore progress bars, cancel and scheduling
Licensing for both primary and secondary admin nodes
-
Setup Assistant
Walks through ISE configuration
Walks through NAD configuration
Can help with quick proof-of-concept setups
-
What Was Missing? Troubleshooting and Reporting
What Was Missing? Detailed visibility into successful and failed access attempts
What Was Missing? Detailed visibility into all active sessions and the access policy applied
Solution: Search Tools
Powerful search: the ability to quickly find information
Session Trace Tool and Endpoint Details
-
Endpoint Details
Authentication logs (as seen in Live Log details) including RADIUS authentication details, authentication result, other attributes and steps
Accounting logs including RADIUS details, steps and other attributes
Detailed profiler attributes
-
Profiler Feed Service: Zero-Day Availability
[Diagram: PSNs pull profile updates from the Cisco / partner Feed Server database; notifications supported]
No need to wait for a new ISE version: zero-day support for popular endpoints is added using the Feed Server.
-
What? ISE Posture. What can be checked?
Microsoft updates: service packs, hotfixes, OS/browser versions
Antivirus installation/signatures
Antispyware installation/signatures
File data, services, applications/processes, registry keys
-
Posture Assessment: Identifying Corporate Assets
The NAC or Web Agent checks the Windows registry for the domain value, e.g. mycompany.com.
-
Identifying Corporate Assets
Identifying Corporate Assets: EAP Chaining
EAP Chaining uses EAP-FAST protocol extensions to tie both machine and user credentials to the device, so that a successful result shows the owner is using a corporate asset. Machine credentials are authenticated to the network using 802.1X. Once the user logs onto the device, session information from the machine authentication and the user credentials are sent as part of the same authentication. If both machine and user credentials validate successfully, the owner is tied to the device (corporate asset). If either or both credentials fail, restricted network access can be given according to ISE policy.
Machine and user credentials are validated against AD (EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method).
[Diagram: machine authentication with machine credentials and user authentication with user credentials, both carried over RADIUS to the PSN]
-
Identifying Corporate Assets, EAP Chaining: Policy Example
The user authentication includes both user and machine identity types.
AnyConnect is required for EAP Chaining.
-
Evolving Roles of ISE and MDMs
ISE (identity and policy management): classification/profiling; enrollment and registration; secure network access (wireless, wired, VPN); context-aware access control (role, location, etc.); certificate and supplicant provisioning; network policy enforcement.
MDM (enterprise app policy): enterprise app distribution and management; inventory/cost management; data backup; policy compliance (jailbreak, PIN lock, etc.); data loss prevention (container, encryption, wipe).
ISE 1.0 & 1.1: native ISE functionality (profiling, authentication, policy enforcement, etc.)
ISE 1.1.x: native ISE functionality (enrollment/registration, self-enroll portal, certificate enrollment, blacklisting)
ISE 1.2: ISE MDM API (additional device data, policy compliance, data wipe)
-
BYO-X: MDM Vendors
Only ONE MDM may be active at a time in ISE.
Requires a new API in the MDM server.
Cisco published the API specs to 5 initial vendors: AirWatch (version 6.2), MobileIron (version 5.0), ZenPrise (version 7.1), Good (version 2.3), SAP Sybase.
-
MDM Compliance Checking: Compliance and Attribute Retrieval via API
Compliance is based on either the general compliant / not-compliant status (macro level), or on individual MDM attributes (micro level): disk encryption enabled, PIN lock enabled, jailbroken status.
MDM attributes are available for policy conditions.
Passive reassessment: bulk recheck against the MDM server using a configurable timer (4 hours default). If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
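The passive reassessment just described, as an added example that is not code from the deck or from Cisco ISE: a Python simulation of the bulk recheck against an MDM server with both policy styles (general compliance flag versus attribute conditions), the 4-hour timer, and the CoA terminate for sessions that have fallen out of compliance. The MdmRecord fields, MAC addresses and session data are constructed assumptions, not a real MDM API schema.

```python
"""Simulated ISE-style MDM compliance reassessment (constructed example, not ISE code).

Two policy styles from the slide: trust the MDM's general compliant flag (macro level),
or build conditions from individual MDM attributes (micro level). Sessions are rechecked
in bulk when their timer expires (4 hours default) and a CoA terminate is generated for
each connected device that passed the previous check but fails now. MdmRecord's fields,
the MAC addresses and the sessions are constructed assumptions, not a real MDM schema.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REASSESS_INTERVAL_SECONDS = 4 * 60 * 60  # slide default: recheck every 4 hours


@dataclass
class MdmRecord:
    """Attributes the MDM server returns for one endpoint (hypothetical schema)."""
    mac: str
    registered: bool
    compliant: bool        # the MDM's own general compliant / not-compliant verdict
    disk_encrypted: bool
    pin_lock: bool
    jailbroken: bool


@dataclass
class Session:
    """A connected RADIUS session that ISE tracks for one endpoint."""
    session_id: str
    mac: str
    last_check: float       # time of the last MDM compliance check
    compliant: bool = True  # result of that check


Policy = Callable[[Optional[MdmRecord]], bool]


def general_compliance(rec: Optional[MdmRecord]) -> bool:
    """Macro level: accept the MDM's general compliant / not-compliant status."""
    return rec is not None and rec.registered and rec.compliant


def attribute_compliance(rec: Optional[MdmRecord]) -> bool:
    """Micro level: disk encryption enabled, PIN lock enabled, not jailbroken."""
    if rec is None or not rec.registered:
        return False
    return rec.disk_encrypted and rec.pin_lock and not rec.jailbroken


def reassess(sessions: List[Session], mdm: Dict[str, MdmRecord],
             policy: Policy, now: float) -> List[dict]:
    """Bulk recheck of every session whose timer has expired; returns the CoA messages
    ISE would send (one Disconnect-Request per session that fell out of compliance)."""
    coa_messages = []
    for s in sessions:
        if now - s.last_check < REASSESS_INTERVAL_SECONDS:
            continue                                  # timer not expired yet
        still_compliant = policy(mdm.get(s.mac))      # unknown to the MDM = not compliant
        if s.compliant and not still_compliant:
            coa_messages.append({"session_id": s.session_id, "mac": s.mac,
                                 "coa": "Disconnect-Request"})
        s.compliant, s.last_check = still_compliant, now
    return coa_messages


def run_demo(policy: Policy) -> List[str]:
    """One reassessment pass over constructed data; returns session IDs that got a CoA."""
    mdm = {  # constructed MDM responses (documentation-range MACs)
        "00:00:5E:00:53:0A": MdmRecord("00:00:5E:00:53:0A", True, True, True, True, False),
        "00:00:5E:00:53:0B": MdmRecord("00:00:5E:00:53:0B", True, True, True, True, True),
        "00:00:5E:00:53:0C": MdmRecord("00:00:5E:00:53:0C", True, False, True, True, False),
    }   # ...:0D is deliberately absent: the MDM no longer knows that device
    now = float(REASSESS_INTERVAL_SECONDS)            # 4 hours after the first check
    sessions = [Session(f"s{i}", f"00:00:5E:00:53:0{c}", 0.0) for i, c in enumerate("ABCD")]
    sessions.append(Session("s4", "00:00:5E:00:53:0B", now))   # checked just now: skipped
    return sorted(m["session_id"] for m in reassess(sessions, mdm, policy, now))
```

Note that the two policy styles disagree on the jailbroken-but-"compliant" device and on the device the MDM marks non-compliant despite good attributes; the unknown device is terminated under both.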
-
BYO-X: MDM Integration
MDM attributes shown per endpoint: Profile, Encryption, JailBroken, Registered
-
2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2022 Cisco Public
BYOD Onboarding Flow
1. Access-Accept.
2. Registered device? If no, the device is sent to MyDevices / ISE BYOD registration.
3. If yes, MDM registered? If no, the ISE portal links to MDM onboarding; if yes, the flow ends.
-
MDM Integration: Remediation
The administrator or user can issue remote actions on the device through the MDM server (for example remotely wiping the device), from the MyDevices Portal or the ISE Endpoints Directory.
Options: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock
-
Basic 2-Node ISE Deployment (Redundant): Maximum Endpoints = 10,000 (platform dependent)
[Diagram: Campus A and Campus B each with a WLC, APs, an 802.1X switch and an ASA VPN; Branch A and Branch B with 802.1X switches and APs; two ISE nodes, each running Admin, M&T and PSN; HA Inline Posture Nodes]
All services run on both ISE nodes.
Set one node for Primary Admin / Secondary M&T and the other for Primary Monitoring / Secondary Admin.
Max endpoints is platform dependent: 33x5 = max 2k endpoints; 3415 = max 5k endpoints; 3495 = max 10k endpoints.
-
Basic Distributed Deployment: Maximum Endpoints = 10,000 / Maximum 5 PSNs
[Diagram: same campus and branch topology; two dedicated management appliances; dedicated PSNs in Campus A and Campus B; HA Inline Posture Nodes]
Dedicated management appliances: Pri. Admin / Sec. MnT and Pri. MnT / Sec. Admin.
Dedicated Policy Service Nodes: up to 5 PSNs.
No more than 10,000 endpoints supported: 3355/3415 as Admin/MnT = max 5k endpoints; 3395/3495 as Admin/MnT = max 10k endpoints.
-
Fully Distributed Deployment: Maximum Endpoints = 250,000 / Maximum 40 PSNs
[Diagram: same campus and branch topology; four dedicated management appliances; dedicated PSNs in Campus A and Campus B; HA Inline Posture Nodes]
Dedicated management appliances: Pri. Admin, Sec. Admin, Pri. MnT, Sec. MnT.
Dedicated Policy Service Nodes: up to 40 PSNs.
Up to 100k endpoints using 3395 Admin and MnT; up to 250k endpoints using 3495 Admin and MnT.
-
New Appliances
Cisco Secure Network Servers: based on the Cisco UCS C220 server, but designed for Cisco Identity Services Engine (ISE), Network Admission Control (NAC) and Access Control Server (ACS)
SNS-3415-K9 and SNS-3495-K9
-
New Appliances
P/N | Description | Price
SNS-3415-K9 | Small Secure Network Server for ISE, NAC & ACS Applications | -
CON-SNT-SNS3415 | SMARTNET 8X5XNBD Small Secure Server | $2 643
SW-3415-ISE-K9 | Cisco ISE Software for the SNS-3415-K9 | $11 990
P/N | Description | Price
SNS-3495-K9 | Large Secure Server for ISE and NAC Applications | -
CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3 362
SW-3495-ISE-K9 | Cisco ISE Software for SNS-3495-K9 | $22 990
-
Migration policy for HW or SW NAC -> ISE
Eligibility: a current ACS, NGS, NAC Appliance or Profiler product, any version, any quantity
Upgrade entitlement: any quantity of any Appliance Migration SKU (includes physical or VM appliance SKUs)
-
Migration policy for ACS licences -> ISE
Eligibility: ACS or NAC Guest Server, any version, any quantity
Upgrade entitlement: any Base License Migration SKU, = 50% off standard list
-
Migration policy for NAC licences -> ISE
Eligibility: NAC Server, with N = the sum of all user licences
Upgrade entitlement: Base License for N endpoints; Advanced licence for N endpoints for 3 years
-
New Appliances: Migration P/N
P/N | Description | Price | Qty
SNS-3415-M-ISE-K9 | SNS 3415 Migration Server: loaded with ISE software | $0 | 1
CON-SNTP-SNS3415 | SMARTNET 24X7X4 Small Secure Network | $2 643 | 1
CAB-9K10A-EU | Power Cord 250VAC 10A CEE 7/7 Plug EU | $0 | 1
SNS-4GBSR-1X041RY | 4GB 1600 MHz Memory Module | $0 | 4
SNS-600GB-HDD | 600 GB Hard Disk Drive | $0 | 1
SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur | $0 | 1
SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz | $0 | 1
SNS-N2XX-ABPCI01 | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
SNS-RAID-ROM5 | Embedded SW RAID 0/1/10 8 ports SAS/SATA | $0 | 1
SW-3415-M-ISE-K9 | Cisco ISE Software for the SNS-3415-M-ISE-K9 | $9 400 | 1
ISE-SNS-ACCYKIT | ISE SNS Accessory Kit | $0 | 1
SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1
P/N | Description | Price | Qty
SNS-3495-M-ISE-K9 | SNS 3495 Migration Server: loaded with ISE software | $0 | 1
CON-SNTP-SNS3495 | SMARTNET 24X7X4 Large Secure Server | $5 379 | 1
SW-3495-M-ISE-K9 | Cisco ISE Software for the SNS-3495-M-ISE-K9 | $18 990 | 1
ISE-SNS-ACCYKIT | ISE SNS Accessory Kit | $0 | 1
CAB-9K10A-EU | Power Cord 250VAC 10A CEE 7/7 Plug EU | $0 | 2
SNS-4GBSR-1X041RY | 4GB 1600 MHz Memory Module | $0 | 8
SNS-600GB-HDD | 600 GB Hard Disk Drive | $0 | 2
SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur | $0 | 2
SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz | $0 | 2
SNS-N2XX-ABPCI01 | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
SNS-RAID-11-C220 | Mezzanine RAID for C220 | $0 | 1
SNS-UCS-SSL-CATD | Cavium Card | $0 | 1
SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1
-
Scaling
Policy Service Node (PSN) and Concurrent Endpoint Maximum Specifications by Deployment Model (for your reference)
Deployment Model | Platform | Max # PSNs | Max # Endpoints
Standalone (all personas on same node) | 33xx | N/A | 2,000
Standalone (all personas on same node) | 3415 | N/A | Target 5,000
Standalone (all personas on same node) | 3495 | N/A | Target 10,000
Admin + MnT on same node; dedicated PSN | 3355 as Admin+MnT | 5 | 5,000
Admin + MnT on same node; dedicated PSN | 3395 as Admin+MnT | 5 | 10,000
Admin + MnT on same node; dedicated PSN | 3415 as Admin+MnT | 5 | 5,000
Admin + MnT on same node; dedicated PSN | 3495 as Admin+MnT | 5 | 10,000
Dedicated Admin and MnT nodes | 3395 as Admin and MnT | 36 (1.1), 40 (1.2) | 100,000
Dedicated Admin and MnT nodes | 3495 as Admin and MnT | 40 (1.2) | 250,000
Dedicated PSN maximum concurrent endpoint count (all services):
ISE-3315 | 3,000
ISE-3355 | 6,000
ISE-3395 | 10,000
SNS-3415 | 5,000
SNS-3495 | 20,000
-
Sizing Production VMs to Physical Appliances: Summary
Appliance used for sizing comparison | CPU # cores | CPU clock rate (GHz) | Memory (GB) | Physical disk (GB)*
ISE Small (ACS-1121/ISE-3315) | 4 | 2.66 | 4 | 500
ISE Medium (ISE-3355) | 4 | 2.0 | 4 | 600
ISE Large (ISE-3395) | 8 | 2.0 | 4 | 600
SNS Small (ISE-3415) | 4 | 2.4 | 16 | 600
SNS Large (ISE-3495) | 8 | 2.4 | 32 | 600
* The actual disk requirement depends on the persona(s) deployed and other factors. See the slide on disk sizing.
-
Comparison of Physical and Virtual Appliance
Virtual appliance requirements (appliance used for sizing comparison | CPU # cores | CPU clock rate (GHz) | Memory (GB) | Physical disk (GB)*):
SNS Large (ISE-3495) | 8 | 2.4 | 32 | 600
Virtual appliance:
P/N | Description | Price
ISE-VM-K9= | Cisco Identity Services Engine VM | $5 990
CON-SAU-ISEVM | SW APP SUPP + UPGR Cisco Identity Services Engine Virtual M | $1 198
Physical appliance:
P/N | Description | Price
SNS-3495-K9 | Large Secure Server for ISE and NAC Applications | -
CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3 362
SW-3495-ISE-K9 | Cisco ISE Software for SNS-3495-K9 | $22 990
-
TrustSec
-
Identity Policies: Passive Authentication Architecture
[Diagram: a domain user logs in to the Active Directory Domain Controller; the Cisco CDA Server reads the user login event from the security log via WMI and retrieves domain username and group information via LDAP; the domain username/group to IP mapping is delivered over RADIUS to the Cisco ASA + CX and to the WSA; LAN traffic is controlled by access policies that leverage identity]
-
Identity Policy Enforcement (FW, switch, router, ...): How to Identify the User?
Identity sources compared by fidelity and breadth:
TrustSec* network identity: group information; any tagged traffic; user authentication
Auth-aware apps: Mac, Windows, Linux; AD/LDAP user credential; NTLM, Kerberos
AD/LDAP identity (IP surrogate): non-auth-aware apps; any platform; AD/LDAP credential via the AD Agent
Let's use information from the access layer => TrustSec
-
Rich Context Classification with ISE: BYOD Use Case
ISE profiling: along with authentication, various data is sent to ISE for device profiling (DHCP, HTTP, RADIUS, SNMP, NetFlow, DNS, OUI, NMAP).
Classification input: Employee ID and profiling data. Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No. Classification result: Personal Asset.
The result is carried as an SGT, and enforcement is distributed based on the Security Group (Security Group Policy): a company asset gets DC resource access, a personal asset is restricted to Internet only.
[Diagram: Wireless LAN Controller and AP; personal and company assets; ISE (Identity Services Engine) assigns the SGT]
SGT Overview
-
Enforcing Traffic on Firewall (ASA): SGFW
Enforcement based on source tags and destination tags
-
TrustSec Switch Support (for your reference)
SXP: platform (feature set) | minimum IOS
2960-S (LAB) | 15.0.2(SE)
3560-CG (IPB) | 12.2(55)EX2
3560-SMI (IPB) | 12.2(55)SE
3560-EMI (IPS) | 12.2(55)SE
3560v2-SMI (IPB) | 12.2(55)SE
3560v2-EMI (IPS) | 12.2(55)SE
3750-SMI (IPB) | 12.2(55)SE
3750-EMI (IPS) | 12.2(55)SE
3750v2-SMI (IPB) | 12.2(55)SE
3750v2-EMI (IPS) | 12.2(55)SE
3560-E (IPB) | 12.2(55)SE
3560-E (IPS) | 12.2(55)SE
3560-X (LAB) | 15.0.2(SE)
3560-X (IPB/IPS) | 12.2(53)SE2
3750-E (IPB) | 12.2(55)SE
3750-E (IPS) | 12.2(55)SE
3750-X (LAB) | 15.0.2(SE)
3750-X (IPB/IPS) | 12.2.53(SE2)
SGACL: platform (feature set) | minimum IOS
3560-X (IPB/IPS) | 15.0.2(SE)
3750-X (IPB/IPS) | 15.0.2(SE)
802.1AE MACsec (SAP): platform (feature set) | minimum IOS
3560-CG (IPB) | 15.0.2(SE)
3560-X (IPB/IPS) | 12.2(53)SE2
3750-X (IPB/IPS) | 12.2.53(SE2)
-
pxGrid
-
Enabling the Potential of Network-Wide Context Sharing
Each platform holds context that another one needs:
I have NBAR info! I need identity.
I have location! I need identity.
I have MDM info! I need location.
I have app inventory info! I need posture.
I have identity & device-type! I need app inventory & vulnerability.
I have firewall logs! I need identity.
I have threat data! I need reputation.
I have sec events! I need reputation.
I have NetFlow! I need entitlement.
I have reputation info! I need threat data.
I have application info! I need location & auth-group.
[Diagram: these platforms, including SIO, connected through pxGrid]
pxGrid context sharing: a single framework with direct, secured interfaces
-
Available July 2013
Mobile Device Management: ISE serves as the policy gateway for mobile device network access; the MDM provides ISE with mobile device security compliance context; ISE assigns network access privilege based on that compliance context. Ensures device enrollment and security compliance.
NEW! SIEM & Threat Defense: ISE provides user and device context to SIEM and Threat Defense partners. Partners utilize the context to identify the users, devices, posture, location and network privilege level associated with SIEM/TD security events, and may take network action on users/devices via ISE. Prioritize events, user/device-aware analytics, expedite resolution.
-
Cyber Security
-
Cyber Threat Defense Solution
Network components provide rich context: NetFlow data is united with identity and application ID to provide security context. For a flow from an address such as 65.32.7.45: Device? User? Events? Posture (vulnerability, AV, patch)? Application?
NetFlow enables security telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources. Cisco is the undisputed market leader in hardware-enabled NetFlow devices.
The Lancope partnership provides behavior-based threat detection: a single pane of glass that unifies threat detection, visibility, forensics analysis and reporting.
[Diagram: the Cisco network, Cisco ASR 1000 or ISR G2 + NBAR, Cisco ASA and Cisco NGA export NetFlow; FlowSensor and FlowCollector feed the StealthWatch Management Console; Cisco ISE supplies identity]
-
Drilling into a single flow yields a wealth of information
-
Identify Threats and Assign Attribution: leveraging an integration between Cisco ISE and Lancope StealthWatch
Policy | Start Active Time | Alarm | Source | Source Host Group | Source User Name | Target
Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts
-
Cisco Security
-
Cisco Security Product Highlights: 2012-2013
Product milestones: Cognitive Security acquisition; ASA mid-range appliances; ASA CX and PRSM; Secure Data Center launch; ISE 1.1 & 1.2 / TrustSec 2.1; ASA 9.0; ASA 1000V; IPS 4500; CSM 4.3; AnyConnect 3.1
-
Thank you for your attention.
-
Recommended Reading
Network Complexity: Michael H. Behringer, Classifying Network Complexity; slides; ACM ReArch'09 workshop; 2009. http://networkcomplexity.org/wiki/index.php?title=References
Cisco TrustSec 2.1 Design and Implementation Guide: http://www.cisco.com/go/trustsec/
Cisco Wireless LAN Security: http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540
Managing Cisco Network Security: http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031
Cisco Firewalls: http://www.ciscopress.com/bookstore/product.asp?isbn=1587141094
Cisco LAN Switch Security: What Hackers Know About Your Switches: http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
-
Where To Find Out More: Whitepapers
Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACsec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
www.cisco.com/go/ibns