From Cisco ACS to ISE


Page 1: From Cisco ACS to ISE

From Cisco ACS to ISE: Comparison of two technologies

M.Zahedi 2015

Page 2: Contents

In The Name Of God

Contents:

ACS Introduction

Policy terminology

Access Service / Examples

Why ISE

New features of ISE

Page 3: Cisco Secure Access Control

Network security officers and administrators need solutions that support flexible authentication and authorization policies that are tied not only to a user’s identity but also to context such as the network access type, time of day the access is requested, and the security of the machine used to access the network.

Cisco Secure ACS, a core component of the Cisco TrustSec® solution, is a highly sophisticated policy platform providing RADIUS and TACACS+ services.

Cisco Secure ACS provides central management of access policies for device administration and for wireless, wired IEEE 802.1x, and remote (VPN) network access scenarios.

Page 4: Features

Unique, flexible, and detailed device administration in IPv4 and IPv6 networks, with full auditing and a rules-based policy model that flexibly addresses complex policy needs

A lightweight, web-based GUI with intuitive navigation and workflow accessible from both IPv4 and IPv6 clients

Integrated advanced monitoring, reporting, and troubleshooting capabilities for excellent control and visibility

Integration with external identity and policy databases, including Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases, simplifying policy configuration and maintenance

A distributed deployment model that enables large-scale deployments and provides a highly available solution

Page 5: Main Features and Benefits of Cisco Secure ACS 5.8

Feature: Complete access control and confidentiality solution
Benefit: It can be deployed with other Cisco TrustSec components, including policy components, infrastructure enforcement components, endpoint components, and professional services.

Feature: Authentication, authorization, and accounting (AAA) protocols
Benefit: Supports two distinct AAA protocols: RADIUS and TACACS+.

Feature: Database options
Benefit: Integration with existing external identity repositories such as Microsoft AD servers, LDAP servers, and RSA token servers.

Feature: Authentication protocols
Benefit: PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), and PEAP-TLS. It also supports TACACS+ authentication with the CHAP/MS-CHAP protocols, and PAP-based password change when using TACACS+ and EAP-GTC with LDAP servers.

Page 6: Main Features and Benefits of Cisco Secure ACS 5.8 (cont.)

Feature: Access policies
Benefit: A rules-based, attribute-guided policy model that provides greatly increased power and flexibility for access control policies, which can include authentication protocol requirements, device restrictions, time-of-day restrictions, and other access requirements. Cisco Secure ACS can apply downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters. Furthermore, it allows comparison between the values of any two attributes available to Cisco Secure ACS, for use in identity, group-mapping, and authorization policy rules.

Feature: Centralized management
Benefit: Cisco Secure ACS 5.8 supports a completely redesigned lightweight, web-based GUI that is easy to use. An efficient, incremental replication scheme quickly propagates changes from primary to secondary systems, providing centralized control over distributed deployments. Software upgrades are also managed through the GUI and can be distributed by the primary system to secondary instances.

Feature: Support for high availability in larger Cisco Secure ACS deployments
Benefit: Cisco Secure ACS 5.8 supports up to 22 instances in a single Cisco ACS cluster: 1 primary and 21 secondaries. One of these instances can function as a hot (active) standby system, which can be manually promoted to primary in the event that the original primary system fails.

Access policy rule model:

If <identity-condition, restriction-condition> then <authorization-profile>

Page 7: Main Features and Benefits of Cisco Secure ACS 5.8 (cont.)

Feature: Programmatic interface
Benefit: Cisco Secure ACS 5.8 supports a programmatic interface for create, read, update, and delete operations on users and identity groups, network devices, and hosts (endpoints) within the internal database. It also adds the capability to export the list of Cisco Secure ACS administrators and their roles through the same web services API.

Feature: Monitoring, reporting, and troubleshooting
Benefit: Cisco Secure ACS 5.8 includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. This tool provides excellent visibility into configured policies and authentication and authorization activities across the network.

Page 8: Policy Terminology

Access service: A sequential set of policies used to process an access request.

Policy element: A global, shared object that defines policy conditions and permissions.

Shell profile: A permissions container for TACACS+-based device administration policy.

Authorization profile: A permissions container for RADIUS-based network access policy.

Command set: Contains the set of permitted commands.

Policy: A set of rules that are used to reach a specific policy decision.

Identity policy: The policy for choosing how to authenticate and acquire identity attributes for a given request.

Page 9: Access Services

Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network, and for network administrators who administer network devices.

In ACS 5.x, authentication and authorization requests are processed by access services.

An access service consists of the following elements:

Identity Policy: Specifies how the user should be authenticated, including the allowed authentication protocols and the user repository to use for password validation.

Group Mapping Policy: Specifies whether the user's ACS identity group should be dynamically established based on user attributes or group membership in external identity stores. The user's identity group can be used as part of their authorization.

Authorization Policy: Specifies the authorization rules for the user.
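The three policies above evaluated in sequence, as an added Python example that is not from the slides or from Cisco: the identity stores, the Finance/Default identity groups, the rules, the authorization profiles and the sample requests are all constructed, and the rule list is evaluated top-down with the first match winning, following the "If <identity-condition, restriction-condition> then <authorization-profile>" model of the ACS access policy.

```python
from dataclasses import dataclass
# Constructed external identity stores: user -> (password, external group attribute)
IDENTITY_STORES = {
    "AD1": {"alice": ("S3cret!", "Domain Users\\Finance")},
    "Internal": {"switchadmin": ("N3tOps!", None)},
}
@dataclass
class Request:
    protocol: str   # e.g. "PEAP-MSCHAPv2" or "PAP"
    user: str
    password: str
    nas_type: str   # "wired", "wireless" or "vpn"
    hour: int       # hour of day, 0-23
def identity_policy(req):
    """Identity policy: pick the identity store allowed for the request's protocol."""
    store = "AD1" if req.protocol.startswith("PEAP") else "Internal"
    entry = IDENTITY_STORES[store].get(req.user)
    if entry is None or entry[0] != req.password:
        return None, None          # authentication failed
    return store, entry[1]         # identity attributes for the next policies

def group_mapping_policy(store, ext_group):
    """Group mapping: derive the ACS identity group from the external group."""
    if store == "AD1" and ext_group and ext_group.endswith("Finance"):
        return "Finance"
    return "Default"

# Authorization rules, evaluated top-down, first match wins:
# (identity group, allowed NAS types, allowed hours, authorization profile)
AUTHZ_RULES = [
    ("Finance", {"wired", "wireless"}, range(7, 20), {"vlan": 110, "dacl": "PERMIT_FINANCE"}),
    ("Finance", {"wired", "wireless"}, range(0, 24), {"vlan": 999, "dacl": "REMEDIATION_ONLY"}),
    ("Default", {"wired", "wireless", "vpn"}, range(0, 24), {"vlan": 200, "dacl": "PERMIT_BASIC"}),
]

def authorization_policy(group, req):
    """Authorization policy: restriction conditions (NAS type, time of day) narrow the group."""
    for rule_group, nas_types, hours, profile in AUTHZ_RULES:
        if group == rule_group and req.nas_type in nas_types and req.hour in hours:
            return dict(profile)
    return {"result": "DenyAccess"}  # no rule matched: implicit deny

def process(req):
    """Run the access service: identity policy -> group mapping -> authorization."""
    store, ext_group = identity_policy(req)
    if store is None:
        return {"result": "AuthFailed"}
    group = group_mapping_policy(store, ext_group)
    # A matching rule returns a profile; a DenyAccess result overrides the Accept.
    return {"result": "Accept", "group": group, **authorization_policy(group, req)}
```

Note that a Finance user coming in over VPN is denied even though a Default rule would permit VPN: rules are matched on the identity group first, so the Default rule never applies to that request.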

Page 10: Access Services: A Sample (cont.)

[Screenshot: Access Service List]

[Screenshot: Service Selection Policy]

Page 11: Why Cisco Identity Services Engine? The Evolving Workplace Landscape

Device proliferation:

15 billion devices by 2015 that will be connecting to your network

40% of staff are bringing their own devices to work

On average, every person has 3-4 devices on them that connect to the network

Gartner: 26 billion devices in the IoE (Internet of Everything) by 2020

Page 12: Key Functions

Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

Provides for comprehensive guest access management for Cisco ISE administrators

Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing the device posture for all endpoints that access the network, including 802.1X environments

Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network

Employs advanced enforcement capabilities, including TrustSec through the use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACLs)

Scales to support deployment scenarios from small office to large enterprise environments

Page 13: Features of ISE

Feature: Highly secure supplicant-less network access
Benefit: Provides organizations with the ability to swiftly roll out highly secure network access without configuring endpoints for authentication and authorization. Authentication and authorization are derived from login information across application layers and used to allow user access without requiring an 802.1X supplicant on the endpoint.

Feature: Guest lifecycle management
Benefit: Time limits, account expirations, and SMS verification offer additional security controls, and full guest auditing can track access across your network for security and compliance demands.

Feature: Security Group Tagging
Benefit: Easier access controls

Page 14: Features of ISE (cont.)

Feature: AAA protocols
Benefit: RADIUS and TACACS+ protocols

Feature: Authentication protocols
Benefit: A wide range of authentication protocols, including, but not limited to, PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS) and EAP-Tunneled Transport Layer Security (TTLS).

Feature: Device profiling
Benefit: Ships with predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administration-defined identities when endpoints connect to the network.

Page 15: Features of ISE (cont.)

Feature: Internal certificate authority
Benefit: Offers organizations an easy-to-deploy internal certificate authority to simplify certificate management for personal devices without adding the significant complexity of an external certificate authority application.

Feature: Endpoint posture
Benefit: Performs endpoint posture assessment for PCs and mobile devices connecting to the network.

Feature: Ecosystem with pxGrid
Benefit: Integrates through pxGrid with SIEM and threat defense solutions, web security solutions, and operational technology control.

Feature: Monitoring and troubleshooting
Benefit: Includes a built-in web console for monitoring, reporting, and troubleshooting.

Feature: Extensive multiforest AD support
Benefit: Provides comprehensive authentication and authorization against multiforest Microsoft Active Directory domains.

Page 16: Comprehensive Visibility: Identity and Context Awareness

[Diagram: Identity and Context]

Page 17: Identity Awareness

Authentication features:

IEEE 802.1X

MAC Authentication Bypass (MAB)

Web Authentication

Consistent identity features supported on all Catalyst switch models.

Page 18: Device Identification / Device Profiling: Automated Device Classification Using Cisco Infrastructure

Cisco Innovation

Profiling operations:

Determining the manufacturer of the endpoint

Determining the function of the endpoint (IP phone, IP camera, network printer)

Other network-level assessments of the endpoint
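An added Python example, not from the slides or from Cisco's profiler, of how the profiling operations above combine into a classification: every probe attribute that matches a device template adds a certainty factor, and the endpoint is assigned the best-scoring template that reaches its minimum certainty, which is the same idea ISE's profiling policies use. The OUI table, the two templates, the scores and the endpoint attributes are all constructed for illustration.

```python
# OUI (first three MAC octets) -> manufacturer; a constructed table for this example
OUI_VENDORS = {"00:1b:d4": "Cisco", "00:04:f2": "Polycom", "00:1e:8f": "Canon"}

def vendor_from_mac(mac):
    """Manufacturer of the endpoint from the OUI part of its MAC address."""
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown")

# Device templates: name -> (minimum certainty, [(attribute, predicate, certainty factor)])
TEMPLATES = {
    "Cisco-IP-Phone": (30, [
        ("vendor", lambda v: v == "Cisco", 10),
        ("cdp_platform", lambda v: v.startswith("Cisco IP Phone"), 30),
        ("dhcp_class_id", lambda v: "IP Phone" in v, 20),
    ]),
    "Canon-Printer": (20, [
        ("vendor", lambda v: v == "Canon", 10),
        ("dhcp_class_id", lambda v: "Canon" in v, 10),
        ("snmp_sysdescr", lambda v: "Printer" in v, 10),
    ]),
}

def profile_endpoint(attrs):
    """Classify an endpoint: the best-scoring template that reaches its minimum certainty.
    Returns (template name, score); ("Unknown", 0) when no template qualifies."""
    attrs = dict(attrs, vendor=vendor_from_mac(attrs["mac"]))   # manufacturer assessment
    best = ("Unknown", 0)
    for name, (min_certainty, conditions) in TEMPLATES.items():
        score = sum(cf for key, pred, cf in conditions if key in attrs and pred(attrs[key]))
        if score >= min_certainty and score > best[1]:
            best = (name, score)
    return best

# Constructed endpoint attributes, as a profiler would gather them from
# RADIUS, DHCP, CDP/LLDP and SNMP probes on the network infrastructure.
PHONE = {"mac": "00:1B:D4:11:22:33", "cdp_platform": "Cisco IP Phone 7965",
         "dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-7965G"}
PRINTER = {"mac": "00:1e:8f:aa:bb:cc", "dhcp_class_id": "Canon MF8580Cdw",
           "snmp_sysdescr": "Canon Printer"}
# A Cisco OUI on its own scores 10, below the phone template's minimum of 30
LAPTOP = {"mac": "00:1b:d4:44:55:66", "dhcp_class_id": "MSFT 5.0"}
```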

Page 19: Context Awareness: Posture Assessment

ISE Posture ensures endpoint health before network access.

Posturing:

Using the NAC agent, posturing ensures that the endpoint is adhering to security policies.

If the security policy is matched, additional network access can be allowed via the authorization policy.

Depth of posturing: third-party software such as MDMs

Page 20: Context Awareness: Guest Management

ISE Guest Service for managing guests

Page 21: SGT Exchange Protocol Support

Cisco Innovation

Flexible enforcement mechanisms in your infrastructure

Page 22: Security Group Tagging Support (cont.): Traditional ACL Rules

Page 23: Security Group Tagging Support (cont.)

Enforcement is based on the Security Group Tag and can control communication within the same VLAN.

Page 24: Security Group Tagging Support (cont.): Example

SGACL matrix (rows: source SGT, columns: destination SGT):

Source \ Destination   PCI      HR
PCI                    permit   deny
HR                     deny     permit

A PCI user attempting to talk to an HR user on the same switch and the same VLAN is denied.

An HR user on Switch 1 is able to communicate with an HR user on Switch 2.

An HR user is denied access to the PCI server.

A PCI user is granted access to the PCI server.
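The four cases on this slide modelled as an added Python example (not from the slides or from Cisco): the hosts, their tag assignments and the SGACL matrix are constructed, and the decision function looks only at the source and destination tags, which is why PCI and HR hosts in the same VLAN on the same switch are kept apart while HR hosts on two different switches can talk. A VLAN-only decision is included for contrast.

```python
# Tag assignment as ISE would push it at authorization: host -> (SGT, location)
SGT_OF = {
    "pci-user":   ("PCI", {"switch": "sw1", "vlan": 10}),
    "hr-user-1":  ("HR",  {"switch": "sw1", "vlan": 10}),
    "hr-user-2":  ("HR",  {"switch": "sw2", "vlan": 10}),
    "pci-server": ("PCI", {"switch": "dc1", "vlan": 20}),
}

# SGACL policy matrix from the slide: (source SGT, destination SGT) -> action
SGACL = {
    ("PCI", "PCI"): "permit",
    ("PCI", "HR"):  "deny",
    ("HR",  "PCI"): "deny",
    ("HR",  "HR"):  "permit",
}

def sgacl_decision(src_host, dst_host, default="deny"):
    """Enforcement decision based only on the two tags, never on IP, switch or VLAN."""
    src_tag, dst_tag = SGT_OF[src_host][0], SGT_OF[dst_host][0]
    return SGACL.get((src_tag, dst_tag), default)

def vlan_only_decision(src_host, dst_host):
    """Contrast: with VLAN segmentation alone, anything in the same VLAN is reachable,
    and only cross-VLAN traffic could be filtered by an IP ACL on the router."""
    same_vlan = SGT_OF[src_host][1]["vlan"] == SGT_OF[dst_host][1]["vlan"]
    return "permit" if same_vlan else "needs IP ACL"

def explain(src_host, dst_host):
    """One-line comparison of the two models for a source/destination pair."""
    src_tag, src_loc = SGT_OF[src_host]
    dst_tag, dst_loc = SGT_OF[dst_host]
    return (f"{src_host} [{src_tag}, {src_loc['switch']}/vlan{src_loc['vlan']}] -> "
            f"{dst_host} [{dst_tag}, {dst_loc['switch']}/vlan{dst_loc['vlan']}]: "
            f"SGACL={sgacl_decision(src_host, dst_host)}, "
            f"VLAN-only={vlan_only_decision(src_host, dst_host)}")

if __name__ == "__main__":
    for pair in [("pci-user", "hr-user-1"), ("hr-user-1", "hr-user-2"),
                 ("hr-user-1", "pci-server"), ("pci-user", "pci-server")]:
        print(explain(*pair))
```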

Page 25: Platform Exchange Grid (pxGrid) Context Sharing

pxGrid is a robust context-sharing platform that takes the deep level of contextual data collected by ISE and delivers it to external and internal ecosystem partner solutions.

ISE can integrate through pxGrid with SIEM and threat defense solutions, web security solutions, and operational technology control (including supervisory control and data acquisition, or SCADA, operational and security policy integration).

The list of ecosystem partners taking advantage of this simple unified framework continues to expand (see the Cisco partner security ecosystem page).

Page 26: Conclusion

Feature                                     ACS                              ISE
AAA protocols (TACACS+/RADIUS)              *                                *
External DB (AD, LDAP)                      *                                *
Auth protocols                              *                                * + TTLS
Auth features                               802.1X                           802.1X, MAB, WebAuth
Endpoint posture                                                             *
Device profiling                                                             *
Guest management                                                             *
Access policies                             VLAN, ACL                        + SGT
Internal CA                                                                  *
Complete access control                     With other TrustSec solutions    With SIEM and security solutions using pxGrid
Monitoring, reporting, and troubleshooting  Using columns view               Using real-time dashboard metrics

Page 27: Thank You