Cisco ISE Design and Architecture


2011-2013 Cisco and/or its affiliates. All rights reserved.



CiscoExpo Club
ISE 1.2


Jiří Tesař
CCIE #14558
[email protected]
ISE Design &
Architecture
NETWORK
ENFORCED
POLICY
ACCESS FW IPS VPN WEB EMAIL
APPLIANCES ROUTERS SWITCHES WIRELESS VIRTUAL
CLOUD-BASED
THREAT INTEL &
DEFENSE
ATTACKS
APPLICATION
REPUTATION
SITE
REPUTATION
MALWARE
GLOBAL LOCAL PARTNER API
COMMON POLICY,
MANAGEMENT &
CONTEXT
COMMON
MANAGEMENT
SHARED
POLICY
ANALYTICS COMPLIANCE
PARTNER
API
IDENTITY APPLICATION DEVICE LOCATION TIME
Workloads
Apps /
Services
Infrastructure
public
tenants
hybrid
private
Who What Where When How
Virtual machine client, IP device, guest, employee, and remote user
Cisco

ISE
Wired
Wireless
VPN
Business-Relevant
Policies
Replaces AAA and RADIUS, NAC, guest management, and device identity servers
Security Policy Attributes
Identity
Context
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control
NAC Profiler
ACS5.x
Catalyst
Switch
802.1X
MAB
Directory Server
NAC Guest Server
Web Auth
RADIUS
Various Authorization Methods (VLAN,
Downloadable ACL, URL Redirect, etc)
Scalable / Flexible Policy & Authentication
Server supporting RBAC
Guest Service to provide full guest
access management with Web
Authentication
Profiling System to perform automatic
device profiling for unattended device or
any type of network attached device
Cisco IOS intelligence to provide phased deployment
mode for 802.1X (Monitor Mode, Low Impact Mode,
High Security Mode)
Flexible Authentication Methods
(802.1X, MAB, Web Auth in any order)
Guest
Employee
Printer
ISE
Cisco Identity Solution Specifics
Agents

AnyConnect 3.1
- Unified access interface for:
  - 802.1X for LAN / WLAN
  - VPN (SSL-VPN and IPSec)
  - Mobile User Security (WSA / ScanSafe)
- Supports MACSec / MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU
- MACSec-capable hardware (network cards) enhances performance with AC 3.0
NAC Agent is currently used for posture; it will be merged into AnyConnect in AC 3.2.
ISE Web Authentication

Need something to intercept browser requests to provide a captive portal and/or redirection to a local or remote web auth portal (switch / controller).

Centralized and customizable Web authentication portal
Both employee and guest auth supported
Tunable username and password policies
Support print, email, SMS guest notifications
Who? Used to identify users without supplicants (misconfigured, missing altogether, etc.)
Providing Network Access to Guests and Employees
On wireless:
- Using multiple SSIDs
- Open SSID for Guest
On wired:
- No notion of SSID
- Unified port: need to use different auth methods on a single port -> enter Flex Auth
SWITCHPORT
Employee
Desktop
Printer
Guest
Contractor
IP Phone
Corporate
Guest
SSID
Corp
SSID
Guest
Unifying network access for guest
users and employees
Provisioning: Guest
accounts via sponsor portal
Notify: Guests of account
details by print, email, or SMS
Manage: Sponsor privileges,
guest accounts and policies,
guest portal
Report: On all aspects of
guest accounts
Guests
Components of a Full Guest Lifecycle Solution
Authenticate/Authorize guest
via a guest portal on ISE
Cisco Secure Access and TrustSec Technology Review:
Network Identity & Enforcement
Authentication -
(802.1x, MAB, Web, NAC)
Authorization -
(VLAN, DACL, SXP or SGT)
Enforcement
(SGACL and Identity Firewall)
I want to allow guests into
the network
I need to allow/deny iPADs
in my network
I need to ensure data
integrity and confidentiality
for my users
I need a scalable way of
authorizing users or
devices in the network
I need to ensure my
endpoints don't become a
threat vector
How can I set my firewall
policies based on identity
instead of IP addresses?
Guest Access
Profiler
Posture
MACSec
Encryption
Security Group
Access
Identity-Based
Firewall
I need to securely allow
personal devices on the
network
BYOD/MDM
Administration Process & Explanation
NAD PAN
Admin
User
Policy Administration
Node
All Management UI Activities
Synchronizing all ISE Nodes
PSN
All Policy is Synchronized from PAN to PSNs
Policy Service Node
The Work-Horse
RADIUS, Profiling, WebAuth
Posture, Sponsor Portal
Client Provisioning
SWITCHPORT
MnT
User
Network Access
Device
Access-Layer Devices
Enforcement Point for
all Policy
RADIUS From NAD to Policy Service Node
RADIUS From PSN to NAD w/ Enforcement Result
Logging
Monitoring and
Troubleshooting
Logging and
Reporting Data
Logging
AD
PSN Queries AD Directly
RADIUS Accounting
How ISE is Used Today
It's easy to provide guests limited time and resource access
Control with one policy across wired, wireless & remote infrastructure
Users get safely on the Internet fast and easy
Rules written in business terms control access
Wireless Upgrade License (ATP)
Extend Policy for Wired and VPN Endpoints
Platforms
Small: Cisco ISE 3315 and 3415* | Medium-Sized: Cisco ISE 3355 | Large: Cisco ISE 3395 and 3495* | Virtual Appliance (* New)
Wireless License
Policy for Wireless Endpoints: 5-Year Term Licensing
Authentication and authorization
Guest provisioning
Link-encryption policies
Device profiling
Host posture
Security group access
Base License (ATP)
Policy for Wired, Wireless, and VPN Endpoints
Advanced License (ATP)
Policy for Wired, Wireless, and VPN Endpoints
Perpetual Licensing 3- or 5-Year Term Licensing
+
Cisco ISE Packaging and Licensing
ISE 1.2
New Upgrade Process that Significantly
Reduces Time.
Brand-New Replication Model that Improves
WAN Replication
Policy Groups (ACS Parity)
Logical Profile Groups & Profile as Attribute
3rd Party MDM Integration
Re-Written Reporting w/ Scheduling
3rd Party MAB Support
64-Bit Architecture
Brand New Hardware (UCS Based
Appliance)
External RESTful Services (ERS) API
View Logs from CLI (no Support Bundle
Needed)
Live Sessions Log
Search & Session Trace Tool
Guest Enhanced: Mobile Friendly Portal...
dACL Checker
Feed Service
Backup and Restore Progress Bars,
Cancel & Scheduling
Licensing for both Pri & Sec Admin Nodes
ISE 1.2 is a HUGE release!
Walks through
ISE Config
Walks through
NAD Config
Can Help with
Quick Proof of
Concept
setups.
Setup Assistant
Setup Assistant
What Was Missing?
Troubleshooting and Reporting
What Was Missing?
Detailed Visibility into Successful and Failed Access Attempts
What Was Missing?
Detailed Visibility into All Active Sessions and Access Policy Applied
Search
Solution: Search Tools

Ability to Quickly Find Information
Powerful Search
Session Trace Tool and Endpoint Details
Endpoint Details (Authentication, Accounting and Profiler tabs):
Authentication logs (as seen in Live Log details) including:
- RADIUS Auth Details
- Auth Result
- Other Attributes
- Steps
Accounting logs including:
- RADIUS details
- Steps
- Other Attributes
Detailed Profiler Attributes
Profiler Feed Service
Zero Day availability
PSN
Cisco
Partner
Feed
Server DB
PSN
Notifications
Supported
- No need to wait for a new ISE version
- Zero day support for popular endpoints is added using the Feed Server
What?
ISE Posture
What can be checked?
Microsoft Updates
Service Packs
Hotfixes
OS/Browser versions

Antivirus
Installation/Signatures
Antispyware
Installation/Signatures

File data
Services
Applications / Processes
Registry Keys

Identifying Corporate Assets
NAC or Web Agent check in
Windows registry for domain
value.
Ex: mycompany.com.
Posture Assessment
Identifying Corporate Assets
EAP Chaining uses EAP-FAST protocol extensions.
It ties both machine and user credentials to the device, so the owner is known to be using a corporate asset.
Machine credentials are authenticated to the network using 802.1X.
Once the user logs onto the device, session information from the machine auth and the user credentials are sent as part of the same authentication.
If both machine and user credentials are successfully validated, then the owner is tied to the device (corporate asset).
If both or either credentials fail, restricted network access can be given according to ISE policy.
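The decision logic above, as an added example that is not from the slide deck or from Cisco: the machine and user credentials are validated by stand-in stores (a trusted certificate issuer for EAP-TLS, a password-hash table for EAP-MSCHAPv2), combined into one chaining result and mapped to an authorization outcome. The store contents, the issuer name and the profile names are constructed assumptions; the result wording is modelled on ISE's EapChainingResult attribute values.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed identity stores standing in for the two inner methods on the slide:
# AD answers EAP-MSCHAPv2 for the user, PKI answers EAP-TLS for the machine.
# Hypothetical data, not a real ISE or AD configuration.
AD_USERS = {"mary": hashlib.sha256(b"constructed-pw").hexdigest()}
TRUSTED_ISSUER = "CN=Corp Issuing CA"   # only machine certs from this CA count as corporate

@dataclass
class MachineCredential:   # presented by the supplicant's EAP-TLS inner method
    subject: str
    issuer: str

@dataclass
class UserCredential:      # presented by the EAP-MSCHAPv2 inner method after user logon
    username: str
    password: str

class ChainingResult(Enum):
    # Wording follows ISE's EapChainingResult attribute values (assumed, not on the slide).
    BOTH = "User and machine both succeeded"
    USER_ONLY = "User succeeded and machine failed"
    MACHINE_ONLY = "User failed and machine succeeded"
    NEITHER = "User and machine both failed"

def validate_machine(cred: Optional[MachineCredential]) -> bool:
    """EAP-TLS inner method: trust is decided by the certificate issuer."""
    return cred is not None and cred.issuer == TRUSTED_ISSUER

def validate_user(cred: Optional[UserCredential]) -> bool:
    """EAP-MSCHAPv2 inner method, reduced here to a hash comparison against AD_USERS."""
    if cred is None:
        return False
    digest = hashlib.sha256(cred.password.encode()).hexdigest()
    return AD_USERS.get(cred.username) == digest

def eap_chaining(machine: Optional[MachineCredential],
                 user: Optional[UserCredential]) -> ChainingResult:
    """Both credentials travel inside the same EAP-FAST tunnel, so the server
    produces one combined result instead of two unrelated authentications."""
    m, u = validate_machine(machine), validate_user(user)
    if m and u:
        return ChainingResult.BOTH
    if u:
        return ChainingResult.USER_ONLY
    if m:
        return ChainingResult.MACHINE_ONLY
    return ChainingResult.NEITHER

def authorize(result: ChainingResult) -> str:
    """Policy from the slide: both succeed -> the owner is tied to a corporate
    asset; otherwise restricted access (a valid user on an unknown laptop is BYOD)."""
    if result is ChainingResult.BOTH:
        return "Corp_Asset_Full_Access"   # hypothetical authorization profile names
    return "Restricted_Access"

if __name__ == "__main__":
    corp = MachineCredential("laptop-0042", TRUSTED_ISSUER)
    mary = UserCredential("mary", "constructed-pw")
    print(authorize(eap_chaining(corp, mary)))   # Corp_Asset_Full_Access
    print(authorize(eap_chaining(None, mary)))   # Restricted_Access
```

The second call shows why chaining matters: valid domain credentials alone no longer prove a corporate asset, because the machine half of the pair is missing.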


EAP-Chaining
Machine & User Credentials
Validated:


AD (EAP-MSCHAPv2 inner method)
PKI (EAP-TLS inner method)
RADIUS
Machine
Credentials
User
Credentials
Machine Authentication
User Authentication
PSN
Identifying Corporate Assets
EAP-Chaining: Policy Example
User Authentication includes both user & machine identity types
AnyConnect is required for EAP-Chaining
Enterprise
App Distribution
& Mgmt
Inventory/Cost
Management
Data
Backup
Classification/Profiling
Enrollment & Registration
Secure Network Access (Wireless,
Wired, VPN)
Context-Aware Access Control
(Role, Location, etc.)
Cert + Supplicant
Provisioning
Network Policy
Enforcement
Policy
Compliance (Jailbreak,
PIN Lock, etc.)
Data Loss Prevention
(Container, encryption,
wipe)
ISE
MDM
Enterprise
App Policy
Identity
and Policy
Management
Native ISE functionality
Profiling
Authentication
Policy Enforcement
etc.
ISE 1.0 & 1.1
Native ISE functionality
Enrollment/Registration
Self-Enroll Portal
Certificate Enrollment
Blacklisting
ISE 1.1.x
ISE MDM API
Additional device data
Policy compliance
Data wipe
ISE 1.2

Evolving Roles of ISE and MDMs
MDM Vendors
Only ONE may be active at a time in ISE
Cisco Published API Specs to 5 Vendors:
- AirWatch Version 6.2
- Mobile Iron Version: 5.0
- ZenPrise Version: 7.1
- Good Version: 2.3
- SAP Sybase
Requires a new API in MDM Server
Initial Vendors
BYO-X
MDM Compliance Checking
Compliance based on:
- General Compliant / Not Compliant status
OR
- Disk encryption enabled
- PIN lock enabled
- Jailbroken status
MDM attributes available for policy conditions
Passive Reassessment: Bulk recheck against
the MDM server using configurable timer (4 hours
default).
- If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
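The passive reassessment described above, as an added example that is not from the slide deck or from Cisco: a simulated MDM record with the attributes the slide lists, the compliance condition (general status OR the individual attributes), and a timer-driven bulk recheck that issues a CoA terminate for sessions that have become non-compliant. The MAC addresses, session IDs and MDM records are constructed; the 4-hour interval is the default the slide states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed MDM record; the fields mirror the attributes the slide lists as
# usable in policy conditions (general compliance status, disk encryption,
# PIN lock, jailbroken status). Not a real MDM API response.
@dataclass
class MdmRecord:
    registered: bool
    compliant: Optional[bool]   # MDM's own Compliant / Not Compliant verdict, if it reports one
    disk_encryption: bool
    pin_lock: bool
    jailbroken: bool

def is_compliant(rec: MdmRecord, use_general_status: bool = True) -> bool:
    """Compliance as the slide describes it: EITHER the MDM's general status
    OR the individual attributes (encryption AND PIN lock AND not jailbroken)."""
    if not rec.registered:
        return False
    if use_general_status and rec.compliant is not None:
        return rec.compliant
    return rec.disk_encryption and rec.pin_lock and not rec.jailbroken

@dataclass
class Session:
    session_id: str
    mac: str
    last_check: datetime     # when ISE last asked the MDM about this endpoint
    active: bool = True

@dataclass
class CoaRequest:            # RADIUS Change of Authorization that ISE would send to the NAD
    session_id: str
    action: str
    reason: str

def passive_reassessment(sessions: List[Session],
                         mdm_lookup: Callable[[str], Optional[MdmRecord]],
                         now: datetime,
                         interval: timedelta = timedelta(hours=4)) -> List[CoaRequest]:
    """Bulk recheck on the configurable timer (4 hours default). Only sessions
    whose last check is older than the timer are re-queried; a device that is
    no longer compliant (or unknown to the MDM) gets a CoA terminate."""
    coas: List[CoaRequest] = []
    for s in sessions:
        if not s.active or now - s.last_check < interval:
            continue
        rec = mdm_lookup(s.mac)
        s.last_check = now
        if rec is None or not is_compliant(rec):
            s.active = False
            coas.append(CoaRequest(s.session_id, "terminate",
                                   "MDM non-compliant on periodic recheck"))
    return coas

def run_demo() -> List[str]:
    """Constructed sessions and MDM data; returns the session IDs ISE terminates."""
    t0 = datetime(2013, 6, 1, 8, 0)
    sessions = [
        Session("s1", "00:11:22:33:44:55", last_check=t0),                       # stays compliant
        Session("s2", "66:77:88:99:aa:bb", last_check=t0),                       # jailbroken since last check
        Session("s3", "cc:dd:ee:ff:00:11", last_check=t0 + timedelta(hours=3)),  # checked 1 h ago, not due yet
        Session("s4", "22:33:44:55:66:77", last_check=t0),                       # MDM no longer knows it
    ]
    mdm_db: Dict[str, MdmRecord] = {
        "00:11:22:33:44:55": MdmRecord(True, None, True, True, False),
        "66:77:88:99:aa:bb": MdmRecord(True, None, True, True, True),
        "cc:dd:ee:ff:00:11": MdmRecord(True, False, True, True, False),
    }
    coas = passive_reassessment(sessions, mdm_db.get, now=t0 + timedelta(hours=4))
    return sorted(c.session_id for c in coas)

if __name__ == "__main__":
    print(run_demo())   # ['s2', 's4']
```

Session s3 is already marked Not Compliant by the MDM but keeps its access until its own timer expires, which is why the reassessment interval bounds the exposure window for a device that drifts out of compliance mid-session.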
Compliance and Attribute Retrieval via API
Micro level
Macro level
MDM Integration
Profile, Encryption, Jailbroken, Registered
BYO-X
2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2022 Cisco Public
BYOD Onboarding Flow
Registered Device? -- no --> MyDevices / ISE BYOD Registration
                   -- yes --> MDM Registered? -- no --> ISE Portal: Link to MDM Onboarding
                                               -- yes --> Access-Accept
MDM Integration
Administrator / user can issue remote
actions on the device through MDM server
(Example: remote wiping the device)
- MyDevices Portal
- ISE Endpoints Directory
Edit
Reinstate
Lost?
Delete
Full Wipe
Corporate Wipe
PIN Lock
Options
Remediation
Basic 2-Node ISE Deployment (Redundant)
Maximum Endpoints = 10,000 (Platform dependent)
Campus A
Campus B
Branch A
AP
WLC
AP
ASA VPN
Switch
802.1X
WLC
All Services run on both ISE Nodes
Set one for Primary Admin / Secondary M&T
Set other for Primary Monitoring / Sec. Admin
Max Endpoints is platform dependent:
33x5 = Max 2k endpoints
3415 = Max 5k endpoints
3495 = Max 10k endpoints
Sec. Admin Sec. M&T
PSN
AP
Switch
802.1X
Branch B
Switch
802.1X
AP
Switch
802.1X
PSN
HA Inline
Posture Nodes
Pri. Admin Pri. M&T
Basic Distributed Deployment
Maximum Endpoints = 10,000 / Maximum 5 PSNs
Branch A
AP
WLC
AP
ASA VPN
Switch
802.1X
WLC
Dedicated Management Appliances
Pri. Admin / Sec MNT
Pri MNT / Sec Admin
Dedicated Policy Service Nodes
Up to 5 PSNs
No more than 10,000 Endpoints Supported
3355/3415 as Admin/MnT = Max 5k endpts
3395/3495 as Admin/MnT = Max 10k endpts
AP
Switch
802.1X
Branch B
Switch
802.1X
AP
Switch
802.1X
HA Inline
Posture Nodes
Pri. Admin
Sec. M&T
Pri. M&T
Sec. Admin
Campus B
PSN
PSN
PSN
PSN
Campus A
Fully Distributed Deployment
Maximum Endpoints = 250,000 / Maximum 40 PSNs
Branch A
AP
WLC
AP
ASA VPN
Switch
802.1X
WLC
Dedicated Management Appliances
Pri. Admin
Sec. Admin
Pri MNT
Sec Admin
Dedicated Policy Service Nodes
Up to 40 PSNs
Up to 100k endpoints using 3395 Admin and MnT
Up to 250k endpoints using 3495 Admin and MnT
AP
Switch
802.1X
Branch B
Switch
802.1X
AP
Switch
802.1X
HA Inline
Posture Nodes
Pri. Admin
PSN
PSN
PSN
PSN Sec. Admin
Pri. MnT
Sec. MnT
Campus A
Campus B
New Appliances
Cisco Secure Network Servers
Based on the Cisco UCS C220 Server, but designed for:
- Cisco Identity Services Engine (ISE)
- Network Admission Control (NAC)
- Access Control Server (ACS)
SNS-3415-K9 & SNS-3495-K9
New Appliances
P/N             | Description                                                 | Price
SNS-3415-K9     | Small Secure Network Server for ISE, NAC & ACS Applications | -
CON-SNT-SNS3415 | SMARTNET 8x5xNBD Small Secure Server                        | $2 643
SW-3415-ISE-K9  | Cisco ISE Software for the SNS-3415-K9                      | $11 990

P/N             | Description                                                 | Price
SNS-3495-K9     | Large Secure Server for ISE and NAC Applications            | -
CON-SNT-SNS3495 | SMARTNET 8x5xNBD Large Secure Server                        | $3 362
SW-3495-ISE-K9  | Cisco ISE Software for SNS-3495-K9                          | $22 990
Migration policy for HW or SW
NAC -> ISE
- If you hold:
Current ACS, NGS, NAC Appliance, or Profiler product
Any Version / Any Quantity

- Upgrade entitlement:
Any Quantity of Any Appliance Migration SKU
(includes physical or VM appliance SKUs)
Migration policy for licenses
ACS -> ISE
- If you hold:
ACS or NAC Guest Server - Any Version - Any Quantity

- Upgrade entitlement:
Any Base License Migration SKU, = 50% off standard list
Migration policy for licenses
NAC -> ISE
- If you hold:
NAC Server, N = sum of all user licenses

- Upgrade entitlement:
Base License for N endpoints
Advanced license for N endpoints for 3 years
New Appliances Migration P/N

P/N               | Description                                                      | Price   | Qty
SNS-3415-M-ISE-K9 | SNS 3415 Migration Server: Loaded with ISE Software              | $0      | 1
CON-SNT-SNS3415   | SMARTNET 24x7x4 Small Secure Network                             | $2 643  | 1
CAB-9K10A-EU      | Power Cord 250VAC 10A CEE 7/7 Plug EU                            | $0      | 1
SNS-4GBSB-1X0418? | 4GB 1600 MHz Memory Module                                       | $0      | 4
SNS-600GB-HDD     | 600 GB Hard Disk Drive                                           | $0      | 1
SNS-650W-SD       | 650W power supply for C-series rack servers + cord (configur...  | $0      | 1
SNS-CPU-2609-E5   | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz                   | $0      | 1
SNS-N2XX-ABPCI01  | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI               | $0      | 1
SNS-RAID-BCM5     | Embedded SW RAID 0/1/10 8 ports SAS/SATA                         | $0      | 1
SW-3415-M-ISE-K9  | Cisco ISE Software for the SNS-3415-M-ISE-K9                     | $9 400  | 1
ISE-SNS-ACC?KIT   | ISE SNS Accessory Kit                                            | $0      | 1
SNS-UCS-TPM       | Trusted Platform Module for UCS servers                          | $0      | 1

P/N               | Description                                                      | Price   | Qty
SNS-3495-M-ISE-K9 | SNS 3495 Migration Server: Loaded with ISE Software              | $0      | 1
CON-SNT-SNS3495   | SMARTNET 24x7x4 Large Secure Server                              | $3 379  | 1
SW-3495-M-ISE-K9  | Cisco ISE Software for the SNS-3495-M-ISE-K9                     | $1? 990 | 1
ISE-SNS-ACC?KIT   | ISE SNS Accessory Kit                                            | $0      | 1
CAB-9K10A-EU      | Power Cord 250VAC 10A CEE 7/7 Plug EU                            | $0      | 2
SNS-4GBSB-1X0418? | 4GB 1600 MHz Memory Module                                       | $0      | 8
SNS-600GB-HDD     | 600 GB Hard Disk Drive                                           | $0      | 2
SNS-650W-SD       | 650W power supply for C-series rack servers + cord (configur...  | $0      | 2
SNS-CPU-2609-E5   | 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz                   | $0      | 2
SNS-N2XX-ABPCI01  | Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI               | $0      | 1
SNS-RAID-11-C220  | Mezzanine RAID for C220                                          | $0      | 1
SNS-UCS-SSL-CATD  | Cavium Card                                                      | $0      | 1
SNS-UCS-TPM       | Trusted Platform Module for UCS servers                          | $0      | 1
*klovn
Policy Service Node (PSN) and Concurrent Endpoint Max Number Specifications by Deployment Model

Deployment Model                        | Platform              | Max # PSNs          | Max # Endpoints
Standalone (all personas on same node)  | 33xx                  | N/A                 | 2,000
                                        | 3415                  | N/A                 | Target 5,000
                                        | 3495                  | N/A                 | Target 10,000
Admin + MNT on same node; dedicated PSN | 3355 as Admin+MNT     | 5                   | 5,000
                                        | 3395 as Admin+MNT     | 5                   | 10,000
                                        | 3415 as Admin+MNT     | 5                   | 5,000
                                        | 3495 as Admin+MNT     | 5                   | 10,000
Dedicated Admin and MNT nodes           | 3395 as Admin and MNT | 36 (1.1) / 40 (1.2) | 100,000
                                        | 3495 as Admin and MNT | 40 (1.2)            | 250,000

Dedicated PSN Max Concurrent Endpoint Count (All Services)
ISE-3315 | 3,000
ISE-3355 | 6,000
ISE-3395 | 10,000
SNS-3415 | 5,000
SNS-3495 | 20,000



For Your
Reference
Sizing Production VMs to Physical Appliances: Summary

Appliance used for sizing comparison | CPU # Cores | CPU Clock Rate (GHz) | Memory (GB) | Physical Disk (GB)*
ISE Small (ACS-1121/ISE-3315)        | 4           | 2.66                 | 4           | 500
ISE Medium (ISE-3355)                | 4           | 2.0                  | 4           | 600
ISE Large (ISE-3395)                 | 8           | 2.0                  | 4           | 600
SNS Small (ISE-3415)                 | 4           | 2.4                  | 16          | 600
SNS Large (ISE-3495)                 | 8           | 2.4                  | 32          | 600
* Actual disk requirement is dependent on persona(s) deployed and other factors. See slide on Disk Sizing.
Comparison of physical and virtual appliances
Virtual appliance
Physical appliance
Requirements for a virtual appliance


P/N             | Description                                                         | Price
ISE-VM-K9=      | Cisco Identity Services Engine VM                                   | $3 990
CON-SAU-ISEVM   | SW APP SUPP + UPGR Cisco Identity Services Engine Virtual M         | $1 198

P/N             | Description                                                         | Price
SNS-3495-K9     | Large Secure Server for ISE and NAC Applications                    | -
CON-SNT-SNS3495 | SMARTNET 8x5xNBD Large Secure Server                                | $3 362
SW-3495-ISE-K9  | Cisco ISE Software for SNS-3495-K9                                  | $22 990
TrustSec
WSA
Identity Policies
Passive Authentication Architecture
Active Directory
Domain Controller
Cisco CDA
Server
Domain user
Cisco ASA + CX
User Login
Event
User Login Event
Security Log
(WMI)
Domain Username/Group to IP Mapping
(Radius)
Domain username
and group
information (LDAP)
Traffic controlled by Access Policies which leverage Identity
LAN
Identity Policy Enforcement (FW, switch, router, ...)
How to Identify the User?
TrustSec
Fidelity
Breadth
TRUSTSEC*
Network Identity
Group information
Any tagged traffic
User Authentication
Auth-Aware Apps
Mac, Windows, Linux
AD/LDAP user credential
AD/LDAP Identity
Non-auth-aware apps
Any platform
AD/LDAP credential
IP Surrogate
AD Agent
NTLM
Kerberos
Let's use information from the access layer => TrustSec
Rich Context Classification with ISE BYOD Use Case
DC Resource
Access
Restricted
Internet Only
Distributed
Enforcement based on
Security Group
Security
Group
Policy
Wireless LAN
Controller
AP
Personal asset
Company
asset
Employee
ID & Profiling Data
ISE (Identity Services Engine)
DHCP
HTTP
RADIUS
SNMP
SGT
NetFlow
DNS
OUI
NMAP
Device Type: Apple iPAD
User: Mary
Group: Employee
Corporate Asset: No
Classification Result:
Personal Asset
SGT
ISE Profiling
Along with authentication, various data
is sent to ISE for device profiling
SGT Overview
Enforcing Traffic on Firewall (ASA) - SGFW
Enforcement
Source Tags
Destination Tags
TrustSec Switch Support
SXP
-----------------------------------------------------------------------
2960-S (LAB) 15.0.2(SE)
3560-CG (IPB) 12.2(55)EX2
3560-SMI (IPB) 12.2(55)SE
3560-EMI (IPS) 12.2(55)SE
3560v2-SMI (IPB) 12.2(55)SE
3560v2-EMI (IPS) 12.2(55)SE
3750-SMI (IPB) 12.2(55)SE
3750-EMI (IPS) 12.2(55)SE
3750v2-SMI (IPB) 12.2(55)SE
3750v2-EMI (IPS) 12.2(55)SE
3560-E (IPB) 12.2(55)SE
3560-E (IPS) 12.2(55)SE
3560-X (LAB) 15.0.2(SE)
3560-X (IPB/IPS) 12.2(53)SE2
3750-E (IPB) 12.2(55)SE
3750-E (IPS) 12.2(55)SE
3750-X (LAB) 15.0.2(SE)
3750-X (IPB/IPS) 12.2.53(SE2)
SGACL
-----------------------------------------------------------------------
3560-X (IPB/IPS) 15.0.2(SE)
3750-X (IPB/IPS) 15.0.2(SE)
802.1AE - MACsec (SAP)
-----------------------------------------------------------------------
3560-CG (IPB) 15.0.2(SE)
3560-X (IPB/IPS) 12.2(53)SE2
3750-X (IPB/IPS) 12.2.53(SE2)
For Your Reference
pxGrid
Enabling the Potential of Network-Wide Context Sharing
I have NBAR info! I need identity.
SIO
I have location! I need identity.
I have MDM info! I need location.
I have app inventory info! I need posture.
I have identity & device-type! I need app inventory & vulnerability.
I have firewall logs! I need identity.
I have threat data! I need reputation.
I have sec events! I need reputation.
I have NetFlow! I need entitlement.
I have reputation info! I need threat data.
I have application info! I need location & auth-group.
pxGrid Context Sharing
Single Framework
Direct, Secured Interfaces
Available July 2013
Mobile Device Management
- ISE serves as policy gateway for mobile device network access
- MDM provides ISE mobile device security compliance context
- ISE assigns network access privilege based on compliance context
Ensure Device Enrollment and Security Compliance
SIEM / Threat Defense
- ISE provides user and device context to SIEM and Threat Defense partners
- Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events
- Partners may take network action on users/devices via ISE
Prioritize Events, User/Device-Aware Analytics, Expedite Resolution
Cyber Security
Cyber Threat Defense Solution
Network Components Provide Rich Context
Unites NetFlow data with identity and application ID to provide security context
Device? User? Events?
65.32.7.45
Posture?
Vulnerability
AV
Patch
NetFlow Enables Security Telemetry
NetFlow-enabled Cisco switches and routers become security telemetry sources
Cisco is the undisputed market leader in Hardware-enabled NetFlow devices
Cisco ISE
Cisco Network
Lancope Partnership Provides Behavior-Based Threat Detection
Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
Cisco ASR
1000 or ISR
G2 + NBAR
Application?
NetFlow
FlowSensor FlowCollector
StealthWatch
Management
Console
Cisco
ASA
Cisco
NGA
Drilling into a single flow yields a wealth of information
Identify Threats and Assign Attribution
Leveraging an integration between Cisco ISE and Lancope StealthWatch
Policy       | Start Active Time | Alarm             | Source       | Source Host Group | Source User Name | Target
Inside Hosts | 8-Feb-2012        | Suspect Data Loss | 10.34.74.123 | Wired Data        | Bob              | Multiple Hosts
Cisco Security
Cisco Security Product Highlights: 2012-2013
Cognitive Security Acquisition
ASA Mid-range Appliances
ASA CX and PRSM Secure Data Center Launch
ISE 1.1 & 1.2 /
TrustSec 2.1
Product Milestones
ASA 9.0
ASA 1000V
IPS 4500
CSM 4.3
AnyConnect 3.1
Thank you for your attention.
Recommended Reading
- Network Complexity - Michael H. Behringer: Classifying Network Complexity; slides; ACM ReArch'09 workshop; 2009 http://networkcomplexity.org/wiki/index.php?title=References
- Cisco TrustSec 2.1 Design and Implementation Guide http://www.cisco.com/go/trustsec/
- Cisco Wireless LAN Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540
- Managing Cisco Network Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031
- Cisco Firewalls http://www.ciscopress.com/bookstore/product.asp?isbn=1587141094
- Cisco LAN Switch Security: What Hackers Know About Your Switches - http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
Where To Find Out More
Whitepapers
Deployment Scenario Design Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACSec Deep Dive
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
www.cisco.com/go/ibns
