Cisco Identity Services Engine (ISE) is a centralized access control and policy management solution that can automate secure access to network resources. It profiles users and devices, authenticates network access, enforces security policy, and shares contextual data across the IT infrastructure. ISE provides capabilities for guest access management, secure BYOD onboarding, network access control, software-defined segmentation with Cisco TrustSec, and visibility/context sharing through its pxGrid technology. It supports a wide range of use cases including guest access, BYOD, network access, device administration, and compliance.
Threats have never been more relevant than they are today. Nation states, adversaries, corporate and government espionage, hackers, etc. are all on the hunt for valuable information. The information they seek includes enterprise and individual details. Networks are only as secure as their weakest components. With the hyper-growth in connected devices including smart phones, tablets, wearables and Internet of Things (IoT) devices, networks are very vulnerable.
Cisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. It determines whether users are accessing the network on authorized devices, establishes user identity and context, and assigns services based on user attributes. ISE provides comprehensive secure access, increases productivity, and reduces operations costs through centralized policy control, visibility, automated provisioning, and guest access management.
Cisco Secure Access Control System (ACS) and Cisco Identity Services Engine (ISE) are two technologies for network access control and security policy management. ACS provides centralized management of access policies for wired, wireless, and remote network access using RADIUS/TACACS+ protocols. It supports flexible authentication methods and integration with external identity stores. ISE combines authentication, authorization, accounting, posture assessment, and device profiling into one appliance. It provides enhanced features such as source group tagging, guest access management, and scalability for large enterprise deployments. ISE offers improved visibility, context-aware security policies, and integration with other systems through protocols like pxGrid.
Identity Services Engine Overview and Update - Cisco Canada
Cisco Identity Services Engine (ISE) provides an all-in-one solution for secure access across wired, wireless, and VPN networks. It replaces separate AAA, RADIUS, NAC, guest management, and device identity servers with a single platform for centralized policy management and visibility. ISE enforces dynamic access control policies based on user, device, location, and other context to protect networks and simplify security.
Tutorial on Information Security Topics - Cisco Russia
The document discusses best practices for deploying and optimizing Cisco Identity Services Engine (ISE). It provides an overview of key ISE features in version 1.4, including enhancements to guest access, profiling, and load balancing. The presentation aims to help engineers implement ISE using best practices to ensure scalability, performance, and redundancy.
Cisco Trustsec & Security Group Tagging - Cisco Canada
This presentation covers the protocols and functions that create a trusted network. We will discuss the best practices when deploying this tagging ability using campus switches, including migration techniques from non-SGT-capable devices to a fully SGT-capable network deployment. For more information please visit our website here: http://www.cisco.com/web/CA/index.html
Cisco ISE provides comprehensive secure access through device profiling, posture assessment, and contextual identity to apply appropriate network access policies. It centrally manages policy enforcement on wired, wireless and VPN networks to increase security, productivity and operational efficiency. Cisco ISE automates user onboarding and ensures compliant devices receive network access while improperly postured devices are remediated.
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine) - Robb Boyd
These are the slides used in the Live Webinar August 3, 2016 at 10:00 am Pacific Time / 1:00 pm Eastern Time. You can listen/watch the replay of that show at techwisetv.com. Just click on 'workshops.' The TechWiseTV Episode is also on that site or on YouTube at https://youtu.be/zZHRLsaKD3U
Demos to check out:
ISE Streamlined Visibility: https://communities.cisco.com/videos/15260
ISE Context Visibility: https://communities.cisco.com/videos/15264
ISE EasyConnect: https://communities.cisco.com/videos/15285
ISE Threat-centric NAC (AMP): https://communities.cisco.com/videos/15269
ISE Threat-centric NAC (Qualys): https://communities.cisco.com/videos/15270
This document provides steps for deploying Cisco Identity Services Engine (ISE) to enable 802.1X authentication on wired and wireless networks. It involves deploying ISE as the centralized RADIUS server, enabling MAC authentication bypass and 802.1X open mode on switches to monitor device connections in "monitor mode", integrating ISE with wireless LAN controllers for 802.1X wireless authentication, and profiling devices using DHCP and other traffic sources. The deployment is intended to enable identity-based network access without impacting existing connectivity as part of a phased approach to a full TrustSec deployment.
This session explains how the combination of IEEE 802.1AE (data link encryption) with the power of Session Group Tags achieves trusted security in a network. It covers the protocol details as well as use cases and, more importantly, how CTS can be deployed in a network. This session is targeted mainly at enterprise customers.
TechWiseTV Workshop: Cisco Stealthwatch and ISE - Robb Boyd
Replay the live event: http://cs.co/90008z2Ar
Learn how your existing Cisco network can help you to know exactly who is doing what on the network with end-to-end visibility, differentiate anomalies from normal behavior with contextual threat intelligence and stop threats and mitigate risk with one-click containment of users and devices.
It’s time for the network to protect itself. Please make time for this important workshop.
Resources:
Watch the Cisco Stealthwatch and ISE full episode: http://cs.co/90008z24M
Network as a Sensor-Enforcer on CCO:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/net-sensor.html
Cisco ISE Community
http://cs.co/ise-community
The document provides best practices for Cisco Identity Services Engine (ISE) configurations. It discusses recommendations for wired and wireless dot1x configurations, redirected flows, upgrading to ISE 2.0, and configuring mobile device management (MDM) authorization policies across different ISE versions. Key recommendations include enabling radius server dead detection, using policy sets to optimize policy lookups, and configuring separate authorization policies for MDM redirection and registered devices.
Watch the TechWiseTV Episode: http://cs.co/9001Bvqpz
Watch the workshop replay: http://bit.ly/2bAsxby
See how the latest evolution of Cisco TrustSec helps protect critical assets by extending and enforcing policies anywhere in your network. Go in-depth with how Cisco TrustSec simplifies your network security with software-defined segmentation.
Replay the Live Event: http://cs.co/90068G6ln
Get an inside look at how Stealthwatch Learning Network License can transform your branch network router into a powerful security sensor and enforcer: one capable of quickly detecting threat activity and mitigating attacks, with little to no hands-on management needed.
Don’t miss this opportunity to hear from our security experts.
See the Stealthwatch Learning Network License TechWiseTV Episode: http://cs.co/90048G6WY
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect - Robb Boyd
Cisco plans to further integrate OpenDNS with its other security tools acquired through mergers and acquisitions. OpenDNS cannot directly block URLs based on geographic location but can identify suspicious destinations based on geo-related factors. To use the full capabilities discussed, a customer needs AnyConnect Plus or Apex software subscriptions as well as a separate Umbrella subscription, though the Umbrella Roaming Client provides standalone DNS redirection. AnyConnect Plus and Apex licenses can also be applied to ASA Service Modules.
Cisco Trustsec provides a virtual VLAN solution using Security Group Tagging to simplify network segmentation and policy enforcement for PCI compliance. The Cisco Identity Services Engine profiles devices and users to assign them Security Group Tags, which are then propagated through the network using inline switches and routers. This allows firewall and other security policies to be applied based on the SGT rather than the traditional VLAN method, reducing costs and complexity of maintaining separate physical networks. While router and switch support needs verification, when used with the Cisco ASA firewall and a SIEM for log monitoring, Cisco Trustsec can help streamline PCI compliance using an identity-based virtual segmentation approach.
The document provides guidance on migrating configuration data from Cisco Secure Access Control System (ACS) Releases 3.x and 4.x to ACS Release 5.6. It describes the differences between the older and new versions, outlines the migration process, and details how to use the ACS 5.6 Migration Utility to migrate users, network devices, policies and other elements from ACS 4.x to 5.6. Administrators can use the utility to analyze, export, import and validate configuration data during the migration.
The document discusses upcoming updates and new features for Cisco's Prime Infrastructure network management software. It provides an agenda for a wireless update meeting that will cover the Prime Infrastructure 2.2 update, the new Prime Infrastructure 3.0 release, and a demonstration of PI 3.0. The meeting will discuss customer adoption of PI 2.2, continuous delivery of PI, new platform support in PI 2.2.2, and enhanced features and capabilities in PI 3.0 such as a modern user interface, configuration compliance, client troubleshooting improvements, and rogue device management enhancements. PI 3.0 is targeted for release in June 2015 and will provide improved management of wireless, wired, and datacenter networks.
Replay the Live Event: http://cs.co/90098Be7h
See firsthand how Cisco Tetration Analytics uses unsupervised machine learning and behavior analysis, along with advanced algorithmic approaches, to provide unprecedented insight into IT infrastructure.
Don’t miss this chance to get an up-close look at the analytics platform that lets you see and know exactly what’s happening in any application, any flow, anywhere in your data center—all in a matter of seconds.
See the Tetration Analytics TechWiseTV Episode: http://cs.co/90048BefC
Remote connectivity is crucial for enterprise productivity, and SSL has quickly gained popularity as a remote access tool. In fact, SSL VPNs as a technology have shown promise in eliminating many of the client-side issues associated with IPSec and other forms of remote access. Furthermore, SSL VPNs offer a smooth migration to a more cost-effective, easier-to-deploy remote access solution than IPSec. The SSL VPN's combination of flexibility and functionality makes it competitive with IPSec even when deployed for an enterprise's "power users."
In today's crowded SSL VPN market, it's easy to become overwhelmed by the wide range of solutions available. Obviously, there are many factors to consider when purchasing an SSL VPN product, and you want to make the best choice possible. This SSL VPN Evaluation Guide serves as an important resource in identifying, describing, and prioritizing the criteria you should consider when selecting an SSL VPN provider that best fits the needs of your organization.
Selection Criteria
In coming up with selection criteria, the functions offered by SSL VPNs have to be evaluated against two key aspects: security and user experience. A truly successful deployment of a secure access solution cannot be achieved without taking both aspects into consideration. Look for an SSL VPN that can also serve the organization's long-term needs, integrates seamlessly with the network architecture, and provides powerful management tools. The optimal provider will excel in these key areas:
- Performance and scalability
- Security
- Ease of use
- Company reputation
- Technology leadership
Cisco prime-nms-overview-hi-techdays deep dive - solarisyougood
This document discusses Cisco Prime Network Management and its benefits over traditional point-product network management solutions. It provides an overview of Cisco Prime's integrated workflows, common user experience, consolidated management capabilities, and benefits such as reduced costs, accelerated service rollout, and consistent user experience. Key features covered include comprehensive device lifecycle management, deep application visibility and performance assurance, and consolidated reporting and compliance auditing through a single management interface.
The document provides an overview of Oracle Platform Security Services (OPSS) and how it can be used to provide security for Java applications. OPSS provides standards-based security services and abstracts security implementation details away from developers. It supports features like authentication, authorization, role-based access control, and integration with identity management systems. The document also describes several use cases where OPSS can be leveraged for applications developed using Java EE, Java SE, Oracle ADF, and other Oracle products.
AG Series secure access gateways provide scalable and controlled remote and mobile access to corporate networks, enterprise applications and cloud services for any user, anywhere on any device.
Technology Overview - Validation & ID Protection (VIP) - Iftikhar Ali Iqbal
The presentation provides the following:
- Symantec Corporate Overview
- Solution Portfolio of Symantec
- Symantec Validation & ID Protection - Introduction
- Symantec Validation & ID Protection - Components
- Symantec Validation & ID Protection - Architecture
- Symantec Validation & ID Protection - Use Cases
- Symantec Validation & ID Protection - Licensing & Packaging
- Symantec Validation & ID Protection - Appendix (extra information)
This provides a brief overview of Symantec Validation & ID Protection (VIP). Please note that all the information dates from before May 2016 and the full integration of Blue Coat Systems' set of solutions.
Operational Complexity: The Biggest Security Threat to Your AWS Environment - Cryptzone
Managing tightly controlled user access in AWS is complex, and complexity leads to errors and sloppiness. There are six main reasons why this operational complexity is the biggest security threat to your AWS environment. Paul Campaniello of Cryptzone discusses them in this eBook.
The document discusses Cisco's next-generation SD-WAN architecture. It notes that applications are moving to the cloud, users are accessing apps from diverse mobile devices, and the internet edge is moving to branches. The Cisco SD-WAN solution provides a secure WAN fabric with elements like the vEdge router, vSmart controller, and vBond orchestrator. It separates the control, data, and management planes and provides benefits such as application awareness, security, scalability, and simplified operations.
Cisco Identity Services Engine (ISE) provides a centralized security solution that automates context-aware access to network resources. It allows organizations to (1) gain visibility into devices accessing their network, (2) grant access based on user roles and needs, and (3) share threat information across security tools to improve detection and response capabilities. ISE controls all access from a single interface and integrates with Cisco and third-party solutions to enhance visibility and protection.
This document discusses simplifying security in the data center. It introduces concepts like micro-segmentation using Endpoint Groups (EPGs) in Cisco Application Centric Infrastructure (ACI) to isolate application traffic. It also discusses integrating ACI with Cisco TrustSec to apply common identity and security policies between the campus and data center domains. Finally, it demonstrates how the Cisco Firepower management center can be used to automate a security feedback loop, moving compromised endpoints to a quarantined EPG for remediation through REST API calls to ACI.
Enterprise Architecture, Deployment and Positioning Cisco Russia
The document discusses enterprise network deployment models and Cisco products for each model. It provides an overview of unified access, traditional access, converged access, and instant access deployment models. For each model, it describes the key characteristics and considerations, as well as which Cisco products are best suited as the lead platform. The document also covers topics like Cisco TrustSec for security, application visibility and control, and resiliency features of Cisco Catalyst infrastructure products.
Cisco Connect 2018 Thailand - Software defined access a transformational appr...NetworkCollaborators
The document discusses Cisco's approach to software-defined access networking and the challenges of traditional network designs. It introduces Cisco's intent-based networking model which uses automation, analytics, and policy-based segmentation to simplify network management and operations. Key components of Cisco's SDA solution include the Cisco DNA Center for network design, provisioning, policy management, and assurance across switching, routing, and wireless platforms.
The document outlines a 12-step program for developing network security strategies. It discusses identifying network assets and security risks, analyzing security requirements and tradeoffs, developing a security plan and policy, implementing technical security strategies, and maintaining security. It also covers securing different parts of the network like internet connections, servers, remote access, services, and wireless networks using mechanisms like firewalls, authentication, encryption, and wireless security protocols.
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld
This document summarizes a presentation about VMware's NSX virtualized networking solution. It introduces NSX Edge gateways which provide routing, firewalling, load balancing, and VPN services. It discusses how NSX addresses the needs of cloud computing through automation, standard hardware, and a single management plane. Example use cases are shown. Key features of the NSX Edge including scalable performance are outlined. The document also briefly discusses NSX operations and management tools, and its deployment on VMware vCloud Hybrid Service.
Enterprise Network Design and Deployment Sandeep Yadav
The document discusses several Cisco network security products:
- Identity Services Engine (ISE) provides context-aware access control and shares user data.
- Intrusion Prevention System (IPS) detects and prevents various cyber attacks like denial of service.
- Web Security Appliance (WSA) filters web traffic and scans for malware and data loss.
- Access Control System (ACS) centralizes access policies for wireless, wired, and network devices.
- Adaptive Security Appliance (ASA) provides firewall functionality, VPN access, and acts as an authentication proxy.
The document discusses strategies for delivering secure wireless guest access, including Cisco solutions that provide controlled network access for guests while segmenting them from the enterprise network. It describes features such as lobby ambassador portals for guest user provisioning, network partitioning using tunnels, and customizable guest portals.
The document provides a summary of Nagabhushana Rao P's qualifications and experience as a network architect. It details his 9 years of experience in infrastructure administration including networking, virtualization strategies, server consolidation, and working with various technologies like Citrix, SAP, and SharePoint. It also lists his various technical certifications and proficiency in English, Hindi, and Telugu.
ESDS Software Solution Pvt. Ltd. is a leading provider of hosting and data center solutions with a global presence across India, USA and UK. It has over 300 employees across 10 locations worldwide and services over 35,000 customers across 5 continents. The company has received several awards and certifications for its innovation and services. ESDS introduces eMagic, its all-in-one datacenter management suite that allows users to monitor, manage and deploy their entire datacenter infrastructure from a single console in just three simple steps - device auto-discovery, network topology mapping, and comprehensive monitoring. The suite offers features like netflow analysis, virtual machine management, change management, and is available in various licensing editions.
Global Azure Bootcamp 2018 - Azure Network SecurityScott Hoag
In this session, attendees will learn about the network control plane in Azure and how to secure both Infrastructure-as-a-Service and Platform-as-a-Service components of Azure.
This document provides an overview of hybrid cloud scenarios using Microsoft Azure. It discusses using Azure to extend infrastructure to the cloud, processing data in the cloud, and accessing data and applications across cloud and on-premises. It provides examples of hybrid scenarios for infrastructure as a service, platform as a service, development/test, backup/recovery, and enterprise mobility. It also discusses networking options and enhancements for hybrid configurations including virtual networks, gateways, and security groups.
Syed Aman Hussain is a network engineer with over 4 years of experience working in Riyadh, Saudi Arabia. He has extensive knowledge of routing, switching, and network security. Some of his responsibilities include designing, implementing, and monitoring network infrastructure, as well as configuring routers, switches, firewalls, and other network devices. He has professional certifications from Cisco and Juniper Networks.
Are you facing some, or all, of these challenges?
-Host Mobility (w/o stretching VLANs)
-Network Segmentation (w/o implementing MPLS)
-Roles-based Access Control (w/o end-to-end TrustSec)
-Common Policy for Wired and Wireless (w/o multiple tools)
Using Cisco technologies already available today, you can overcome these challenges and build an evolved Campus network to better meet your business objectives.
Virtualization Forum 2015, Praha, 7.10.2015
sál Citrix
Jestliže SlideShare nezobrazí prezentaci korektně, můžete si ji stáhnout ve formátu .ppsx nebo .pdf.
1) Getting Started with AWS Security provides an overview of AWS security best practices including understanding AWS shared responsibility model, building strong compliance foundations, integrating identity and access management, enabling detective controls, establishing network security, implementing data protection, optimizing change management, and automating security functions.
2) Statoil migrated applications and infrastructure to AWS to achieve a cloud-first strategy. They established security automation, self-service provisioning, and continuous monitoring using native AWS services to securely manage their AWS environment.
3) Evolving security architecture practices involves treating security as part of the development process through automation, embedding architecture into code repositories, and ensuring solutions provide continuous audit and compliance.
This document discusses security automation through SDN and NFV. It begins with an overview of security challenges from a service provider perspective, such as growing traffic and threats. It then discusses how SDN can automate and accelerate DDoS mitigation by redirecting traffic. The document outlines Cisco's Firepower 9300 platform for integrated security services and its use with Radware virtual DDoS protection. It also discusses how the Cisco Application Centric Infrastructure automates security policy and service chains in the data center.
Open and Secure SCADA: Efficient and Economical Control, Without the RiskInductive Automation
Join Don Pearson and Travis Cox from Inductive Automation and Chris Harlow from Bedrock Automation as they discuss an end-to-end approach to SCADA/ICS security that encompasses software as well as hardware.
You’ll learn about:
What built-in security is and why it’s essential
Security benefits of OPC UA and MQTT
How to secure your PLC, RTU, or DCS
Best practices such as role-based access and authentication
Security risks that are often overlooked
And more!
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
4. Identity, Profiling and Posture, Access Policy, Network Resources
A centralised security solution that automates context-aware access to network resources and shares contextual data.
• Context gathered about each session: who, what, when, where, how, and whether the endpoint is compliant.
• Access policies built on that context: traditional role-based access, guest access, BYOD access, threat containment, and Cisco TrustSec® segmentation.
• Enforcement at the "network door": physical or virtual network devices and controllers, with context shared onward through ISE pxGrid.
5. The Different Ways Customers Use ISE
• Guest Access Management: easily provide visitors secure guest Internet access
• BYOD and Enterprise Mobility: seamlessly classify and securely onboard devices with the right levels of access
• Secure Access across the Entire Network: streamline enterprise network access policy over wired, wireless and VPN
• Software-Defined Segmentation with Cisco TrustSec®: simplify network segmentation and enforcement to contain network threats
• Visibility and Context Sharing with pxGrid: share endpoint and user context with Cisco and third-party systems
• Network Device Administration: device administration and network access on a single platform
6. With Cisco Identity Services Engine You Can
• See and share rich user and device details
• Control all access throughout the network from one place
• Stop and contain threats
7. IT Requirements and ISE Capabilities
• Access Control: authentication on wired and wireless networks as well as VPN
• BYOD Support: a trusted device standard that enables BYOD
• Profiling: the ability to identify users and devices on our network
• Endpoint Protection: protect the network from infected devices
• Guest Access: restrict unauthorised devices and users to Internet access only
• Device Control: secure the network while allowing mobile device access*
• Contextual Data: cross-platform contextual data sharing across the entire IT infrastructure
* Cisco IT uses three different device management products
8. The Four Stages of a Secure Network
1. Profiling
• Identity of a device on the network
• Quantify the risk
2. Authentication
• User and end device attribution
• Identification of endpoints on wireless/wired connections
3. Posture
• Device security posture identification
• Allows for better policy and security decisions
4. Enforcement
• Ability to enforce policy decisions based on context
• Untrusted devices have restricted access
Timeline:
• ISE 1.2: profiling; 802.1X authentication for WLAN and CVO
• ISE 1.3/1.4: 802.1X authentication for CVO, wired, VPN and MDM
• ISE 2.1: 802.1X wired authentication mode; MDM
9. Assured Network Access Roadmap
Start (ACS 5.x, NAC, Active Directory):
• ACS + NACs: guest access
• ACS authentication: wireless, CVO
• AD authentication + one-time password: VPN
• Open access: wired
ISE 1.2, ISE 1.3, ISE 1.4, ISE 2.1:
• ISE Guest ION: guest access
• ISE 802.1X authentication: wireless, CVO
• ISE 802.1X + MAB monitor mode: wired (limited)
• ISE 802.1X authentication: VPN + AnyConnect (mobile devices with certificate, laptops with OTP)
• ISE/MDM integration: Afaria, Casper
• ISE SGT: TrustSec limited deployment
• ISE/MDM: posture enforcement
• ISE 802.1X authentication: extranet/partners
• ISE SGT: network segmentation and optimisation
• ISE TACACS+: device administration
Continue:
• ISE 802.1X authentication: wired (global)
• ISE/MDM integration: Afaria, Casper, SCCM
• Posture assessment
• Endpoint protection: quarantine/remediate
11. Make Fully Informed Decisions with Rich Contextual Awareness
Context   Poor context awareness                               Extensive context awareness
Who       IP address 192.168.1.51                              Bob
What      Unknown                                              Tablet
Where     Unknown                                              Building 200, first floor
When      Unknown                                              11:00 a.m. EST on April 10
How       Unknown                                              Wireless
Result    Any user, any device, anywhere gets on the network   The right user, on the right device, from the right place is granted the right access
12. Many Different Visibility Variables
• Trust gradient: authentication; certificate; managed/unmanaged; compliance/posture
• Threat/risk: threat score; fidelity
• Reach: what services can be accessed; what other entities can be impacted
• Behaviour: historical versus active (now or before); was the entity doing the expected or the unexpected
• Users: role; permissions/rights; importance
• Devices: ownership (managed or unmanaged); type of device; function; applications
• Connectivity: medium (wired/wireless/VPN); NAD and NAD details; state (active session)
• Location: physical; logical
• Time: time of day; day of week; connection duration
13. Visibility Technologies
Technology and use cases, with the ISE description:
• Profiling technology: device identification by Cisco ISE
• SIEM, threat detection with a NetFlow analyser: SIEM and threat detection analyse network traffic and tell ISE to take action
• NaaS/NaaE: Network as a Sensor, Network as an Enforcer
• Rapid Threat Containment (Firepower and Identity Services Engine): ISE can take action on threats detected by Sourcefire
• The architecture, pxGrid and SACM (Security Automation and Continuous Monitoring): Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate
14. Better with Cisco Routers and Switches: Device Sensor
• The network IS the collector!
• Automatic discovery for most common devices (printers, phones, Cisco devices)
• Collects the data at the point closest to the endpoint
• Topology independent
• Profiling based on:
  • CDP/LLDP
  • DHCP
  • HTTP (WLC only)
  • mDNS, H323, MSI-Proxy (4k only)
Device Sensor acts as distributed probes feeding ISE; supported on Catalyst 3k/4k switches (CDP/LLDP/DHCP) and on the WLC (DHCP and HTTP).
16. See How Endpoints Act On The Network With Better Visibility
Network as a Sensor, fed by data from:
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
17. And Make Visibility Actionable Through Segmentation And Automation
Network as an Enforcer, with the network partitioned into zones (admin, enterprise, POS, vendor, employee, dev), built from:
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
18. Enable Unified Threat Response By Sharing Contextual Data
Cisco Platform Exchange Grid (pxGrid) connects ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller, carrying the who/what/when/where/how context:
1. ISE collects contextual data from the network
2. Contextual data is shared via pxGrid technology
3. Partners use ISE data to quickly identify and classify threats
4. Partners take remediation actions through ISE
5. ISE fine-tunes access policies with security event data
20. Improve Guest Experiences Without Compromising Security
• Hotspot: immediate, uncredentialed Internet access for the guest
• Simple self-registration: the guest registers and receives Internet access
• Role-based access with employee sponsorship: a sponsor vouches for the guest, who receives Internet and network access
21. ISE Built-in Portal Customisation
• Create accounts
• Notifications by print, email or SMS
• Mobile and desktop portals
Sample notification: "Approved! credentials username: trex42 password: littlearms"
22. Which Portals Are Customisable
All Except The Admin Portal
1. Guest
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Blacklist
8. Certificate Provisioning Portal
23. Access your portals to manage and share; choose from pre-built portal layouts
24. ISE Express offers the same dynamic guest features of the market-leading Cisco ISE in an entry-level bundle at an aggressive 70-80% discount over the competition.
25. Cisco ISE Base vs. Cisco ISE Express
                          Cisco ISE Express                                Cisco ISE Base
Features / capabilities   Same                                             Guest access; RADIUS/AAA
Platform included         YES: bundle includes 1 ISE VM + 150 licences     NO: purchase HW or VM and licensing
List price                $2,500 US                                        $6,990 US (ISE VM $5,990 + Base $1,000, for 200 licences)
26. What's New: ISE Express Installation Wizard
• Free, downloadable application
• Simplifies ISE and wireless controller installation
• Provisions Hotspot, Self-Registered or Sponsor services
• Modifies guest portals with logo and colours
• Go to ISE Cisco Software Download on CCO
28. Secure Access Use Cases
Good:
• MAC Authentication Bypass (MAB)
• Whitelist
• Central Web Authentication (CWA)
• No supplicant
Better:
• Roll out 802.1X in phases (Monitor Mode)
Best:
• 802.1X (Low Impact, Closed Mode)
• Certificates
• EAP etc.
• Supplicant on endpoint
• Switch configuration
29. ISE is a Standards-Based AAA Server
An access control system must support all connection methods. The ISE Policy Server supports Cisco and third-party solutions via standard RADIUS, 802.1X, EAP and VPN protocols, with more to come:
• Wired and wireless: 802.1X = EAP over LAN (EAPoL), relayed to ISE over RADIUS
• VPN: SSL / IPsec
• Management: Cisco Prime
30. Building the Architecture in Phases
Access-prevention technology:
– A Monitor Mode is necessary
– Must have ways to implement and see who will succeed and who will fail
Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.
Solution = phased approach to deployment: Monitor Mode, then Low Impact Mode, then Closed Mode.
What part of the network does phased deployment apply to?
32. Enable Faster and Easier Device Onboarding Without Any IT Support
An employee's device is profiled and then granted access to the internal employee intranet and business assets (for example confidential HR records) without involving IT staff:
• Rapid device identification with out-of-the-box profiles
• Automated authentication and access to business assets
• Simplified device management from the self-service portal
33. Streamlining BYOD and Enterprise Mobility
Reducing the complexity of managing BYOD and device onboarding:
• Improved device recognition, desktop and mobile
• Integrated native certificate authority for devices
• Customisable branded experiences
• Easy user onboarding with self-service device portals
• Comprehensive device security with posture and EMM
• Supports 1M registered endpoints and 250K active, concurrent endpoints
34. Single Versus Dual SSID Provisioning
• Single SSID
  • Start with 802.1X on one SSID using PEAP (SSID = BYOD-Closed, 802.1X)
  • End on the same SSID with 802.1X using EAP-TLS (WLAN profile: SSID = BYOD-Closed, EAP-TLS, certificate = MyCert)
• Dual SSID
  • Start with CWA on one SSID (SSID = BYOD-Open, MAB / CWA)
  • End on a different SSID with 802.1X using PEAP or EAP-TLS (WLAN profile: SSID = BYOD-Closed, PEAP or EAP-TLS, certificate = MyCert)
Which flow provides the better user experience?
35. Onboarding Personal Devices
Registration, certificate and supplicant provisioning in a self-service model (iOS, Android, Windows, Mac OS) through the My Devices portal.
Provisions device certificates:
‒ Based on Employee-ID and Device-ID
Provisions native supplicants:
‒ Windows: XP, Vista, 7, 8, 8.1, 10
‒ Mac: OS X 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
‒ iOS: 4, 5, 6, 7, 8, 9
‒ Android: 2.2 and above
‒ 802.1X + EAP-TLS, PEAP and EAP-FAST
Employee self-service portal:
‒ Lost devices are blacklisted
‒ Self-service model reduces IT burden
36. What Makes a BYOD Policy?
Sample complete BYOD policy, shown in the deck as a decision flow with these checks:
• Is the endpoint an i-Device, and is it registered? (Y/N)
• MAC address lookup in AD/LDAP
• Profiling
• Posture
• Machine certificates
• Non-exportable user certificate
• Machine authentication with PEAP-MSCHAPv2
• EAP chaining
Outcomes: Employee gets Access-Accept; Guest gets Internet only; otherwise Access-Reject.
38. What Is the Cisco ISE Posture Service?
The Posture Service in ISE (the node roles shown are PAN, PSN and MnT) allows you to check the state (posture) of ALL the endpoints that are connecting to your ISE-enabled network.
The Posture Agents, which are installed on the clients, interact with the Posture Service to enforce security policies on all the endpoints that attempt to gain access to your protected network.
Posture Agents enforce security policies on non-compliant endpoints by blocking network access to your protected network.
Apex licensing must be enabled on your ISE devices.
39. Posture Assessment: Does the Device Meet Security Requirements?
• Posture = the state of compliance with the company's security policy.
• Extends the user/system identity to include posture status.
Posture checks:
• Microsoft updates: service packs, hotfixes, OS/browser versions
• Antivirus/antispyware: installation, signatures
• Misc: file data, services, applications/processes, registry keys, patch management, disk encryption
What is the main difference between profiling and posture?
40. Posture Enhancements
Mac OS X support added for custom checks: file / service / application / disk encryption
• File, service (daemon, user agent) and application (process) checks
• File condition: the file path can start with home or root, followed by the path
• SHA-256 check
• Property list (plist) check
NOTE: disk encryption is new for ISE 2.0
41. Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 adds the ability to check user agents as well as daemons
42. Posture for all Devices: Desktop Posture vs Mobile Posture
Desktop posture:
• Desktop compliance checks for Windows and OS X
• Variety of checks ranging from OS, hotfix, AV/AS, patch management and more
• ISE can enforce network access based on compliance
Mobile posture (ISE + MDM together):
• Focused on mobile device posture ONLY
• Requires devices to comply with MDM policy: PIN lock, jailbroken, app check and more
• ISE can enforce network access based on MDM compliance
44. MDM Flow
Policy rules on the ISE Policy Server:
• If MDM Registration Status EQUALS UnRegistered, then redirect to MDM for enrollment
• If MDM Compliance Status EQUALS NonCompliant, then redirect to MDM for compliance
Flow:
1. The endpoint connects to WLAN = Corp (or over VPN) and authenticates.
2. ISE checks the cloud MDM over the MDM API; MDM Compliance Status != Compliant.
3. The browser is redirected to the ISE landing page for MDM enrollment or compliance status, e.g. https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm
4. The MDM agent is obtained from Google Play / the App Store.
45. MDM Remediation
• MDM agents are downloaded directly from the MDM server or Internet app stores
• Periodic recheck via the MDM API; CoA if not compliant
• CoA allows re-authentication to be processed based on the new endpoint identity context (MDM enrollment/compliance status)
• On re-authentication with MDM Status = Compliant, ISE removes the redirection and applies the access permissions for compliant endpoints (via the ASA for VPN sessions)
• Re-auth after comply: Compliant = full access
47. How TrustSec/SGT is used today
• Campus and DC segmentation
• User-to-DC access control
• Server segmentation
• Application protection
• Secure contractor access
• BYOD security
• Machine-to-machine control
• Threat defence
• Fast server provisioning
• Firewall rule reduction
• PCI and PHI compliance
• Network and role segmentation
48. Segmentation with Security Groups
Retaining the initial VLAN/subnet design: regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
• Access layer: Voice, Data, Suppliers, Guest and Quarantine traffic classified with the Data, Supplier, Guest and Quarantine tags
• Aggregation layer and data centre firewall: enforce policy towards the destination servers, DC-RTP (VDI), DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and the production servers
49. Enforcing Policy Downstream
Context telemetry from Cisco ISE (for example: Manager, Windows PC, Compliant) is classified and marked at the access edge, propagated through the network and enforced at the firewall in front of the timecard application server and the credit card transaction server.
Classify, mark, propagate, enforce; marking options:
• IP Precedence and DiffServ code points
• 802.1Q User Priority
• MPLS VPN
• TrustSec
50. Classification Summary: SGT Assignment
Static classification (prefix learning; common classification for servers, topology-based policy, etc.):
• IP address
• VLANs
• Subnets
• L2 interface
• L3 interface
• Virtual port profile
• Layer 2 port lookup
Dynamic classification (common classification for mobile devices):
• 802.1X / RAS VPN authentication
• Web authentication
• MAC Auth Bypass
51. Dynamic Classification Process in Detail
Supplicant, switch/WLC and ISE:
1. Layer 2: the supplicant authenticates (EAPoL transaction to the switch, EAP carried in the RADIUS transaction to ISE). ISE evaluates policy and the authorisation returns the SGT in the Access-Accept, e.g. cisco-av-pair=cts:security-group-tag=0005-01. The session is authenticated and authorised: MAC 00:00:00:AB:CD:EF, SGT = 5.
2. Layer 3: DHCP lease 10.1.10.100/24; IP Device Tracking (DHCP snooping / ARP probe) learns the address.
3. Binding: 00:00:00:AB:CD:EF = 10.1.10.100/24, so traffic sourced from 10.1.10.100 carries SGT 5.
Make sure that IP Device Tracking is TURNED ON.
3560X#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address     Security Group   Source
=============================================
10.1.10.1      3:SGA_Device     INTERNAL
10.1.10.100    5:Employee       LOCAL
52. Traditional TrustSec Tag Assignment and SXP Propagation
Classification of the user/endpoint at the access switch (authorised against ISE and the directory), propagation of the IP-to-SGT binding over SXP through the router to the DC firewall and DC switch, and enforcement in front of the HR and Finance servers.
53. ISE as SXP Speaker
ISE itself can be the SXP speaker: the access switch classifies the user/endpoint against ISE and the directory, and ISE propagates the IP-to-SGT bindings over SXP to the router, DC firewall and DC switch for enforcement.
SXP binding table example:
Tag   IP address
5     10.10.10.10
5     Fin Servers
10    HR Servers
Does the access switch need to understand TrustSec?
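The classify, propagate, enforce chain from the three preceding slides, as an added example (not Cisco code and not from the deck): the SGT is parsed from the cisco-av-pair exactly as the Access-Accept carries it, IP Device Tracking turns the authorised MAC into a LOCAL IP-SGT binding, the table is exported the way an SXP speaker would advertise it, and an enforcement point answers permit/deny from a role-based matrix. The server prefixes, the SGACL matrix and the switch SVI binding are assumptions for illustration.

```python
"""TrustSec end to end: SGT from the RADIUS av-pair, IP-SGT binding via IP
Device Tracking, SXP-style export, and (src SGT, dst SGT) policy lookup."""
from __future__ import annotations

import ipaddress
import re

# cts:security-group-tag=0005-01 -> SGT 0x0005, generation 0x01
AVPAIR_RE = re.compile(r"^cts:security-group-tag=([0-9A-Fa-f]{4})-([0-9A-Fa-f]{2})$")


def parse_sgt_avpair(avpair: str) -> tuple[int, int]:
    """Return (sgt, generation) from a cisco-av-pair value; reject anything else."""
    value = avpair.split("=", 1)[1] if avpair.startswith("cisco-av-pair=") else avpair
    match = AVPAIR_RE.match(value)
    if match is None:
        raise ValueError(f"not a TrustSec SGT av-pair: {avpair!r}")
    return int(match.group(1), 16), int(match.group(2), 16)


class SgtBindingTable:
    """IP-to-SGT bindings as a switch keeps them ('show cts role-based sgt-map')."""

    def __init__(self) -> None:
        self._mac_sgt: dict[str, int] = {}       # authorised MAC -> SGT, before the IP is known
        self._bindings: dict = {}                # ip_network -> (sgt, source)

    def authorize(self, mac: str, sgt: int) -> None:
        """Step 1: the RADIUS authorisation ties the SGT to the session's MAC."""
        self._mac_sgt[mac.lower()] = sgt

    def learn_ip(self, mac: str, ip: str) -> int | None:
        """Steps 2-3: IP Device Tracking (DHCP snooping or ARP probe) reports the
        address; only an authorised session produces a LOCAL binding."""
        sgt = self._mac_sgt.get(mac.lower())
        if sgt is None:
            return None
        self._bindings[ipaddress.ip_network(f"{ip}/32")] = (sgt, "LOCAL")
        return sgt

    def add_static(self, prefix: str, sgt: int, source: str = "INTERNAL") -> None:
        """Static classification (slide 50): subnets, server prefixes, the switch itself."""
        self._bindings[ipaddress.ip_network(prefix)] = (sgt, source)

    def lookup(self, ip: str) -> int | None:
        """Longest-prefix match; None means the address is untagged."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (sgt, _source) in self._bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, sgt)
        return None if best is None else best[1]

    def sxp_export(self) -> list[tuple[str, int]]:
        """What an SXP speaker would advertise: (prefix, SGT) pairs."""
        return sorted((str(net), sgt) for net, (sgt, _source) in self._bindings.items())


class RoleBasedPolicy:
    """SGACL matrix: (src SGT, dst SGT) -> 'permit' | 'deny', default deny."""

    def __init__(self, matrix: dict[tuple[int, int], str]) -> None:
        self.matrix = matrix

    def enforce(self, table: SgtBindingTable, src_ip: str, dst_ip: str) -> str:
        src, dst = table.lookup(src_ip), table.lookup(dst_ip)
        if src is None or dst is None:
            return "deny"            # untagged traffic never matches a role-based permit
        return self.matrix.get((src, dst), "deny")


def demo() -> dict:
    """Replay the slide's session. Server prefixes, the SVI binding and the
    SGACL matrix are assumptions for illustration, not values from the deck."""
    table = SgtBindingTable()
    table.add_static("10.1.10.1/32", 3, "INTERNAL")   # switch SVI, 3:SGA_Device
    table.add_static("10.10.10.0/24", 5)              # Fin Servers, tag 5 (slide 53)
    table.add_static("10.10.20.0/24", 10)             # HR Servers, tag 10 (slide 53)

    sgt, _generation = parse_sgt_avpair("cisco-av-pair=cts:security-group-tag=0005-01")
    mac = "00:00:00:AB:CD:EF"
    table.authorize(mac, sgt)                          # authorised, SGT 5
    table.learn_ip(mac, "10.1.10.100")                 # DHCP lease 10.1.10.100/24

    # Assumed matrix: Employee (5) may reach Fin Servers (5) but not HR Servers (10).
    policy = RoleBasedPolicy({(5, 5): "permit", (5, 10): "deny"})
    return {
        "employee_sgt": table.lookup("10.1.10.100"),
        "to_fin": policy.enforce(table, "10.1.10.100", "10.10.10.10"),
        "to_hr": policy.enforce(table, "10.1.10.100", "10.10.20.5"),
        "untracked_host": policy.enforce(table, "10.1.10.200", "10.10.10.10"),
        "sxp": table.sxp_export(),
    }


if __name__ == "__main__":
    print(demo())
```

The `untracked_host` case is the answer to the slide's reminder about IP Device Tracking: a host whose IP was never learned has no binding, so its traffic is untagged and falls through to the default deny rather than inheriting a tag.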
56. Anatomy of a Typical Device Administration Session with TACACS+
• TACACS+ separates authentication, authorisation and accounting
• Flexible and extensible
• TCP for more reliable accounting
• Built-in goodies such as user change password
57. Refresh on a Typical TACACS+ Session
• Two main authorisation stages:
  • SESSION: what can the user do during this session?
  • COMMAND: can the user perform this command?
Which TCP port does T+ listen on by default?
58. TACACS+ Authorisation: Protocol Level
• Authorisation is a single request/response between the device and ISE: header + attributes
• The result is FAIL, PASS_ADD or PASS_REPLACE
  • FAIL: the request is not permitted
  • PASS_ADD: the permissions asked for are valid, but the operation must also apply these extra attributes (response profile)
  • PASS_REPLACE: the request is permitted, but with this alternative attribute profile
Example request: type=author, user=admin, rem_addr=office
Example response: result=PASS_ADD, priv-lvl=15
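The exchange above at byte level, as an added example written for this page (not ISE code and not from the deck): one header plus an attribute body for the request, the RFC 8907 body obfuscation keyed by the shared secret, and the reply status applied the way the slide describes it, FAIL denies, PASS_ADD merges the server's extra attributes into what was asked for, PASS_REPL (the slide's PASS_REPLACE) keeps only the server's set. The shared secret, the session id and the port name are assumptions.

```python
"""TACACS+ authorisation request/reply (RFC 8907) with body obfuscation and
the FAIL / PASS_ADD / PASS_REPL status semantics."""
from __future__ import annotations

import hashlib
import struct

VERSION = 0xC0                  # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02              # header type: authorisation
FLAG_UNENCRYPTED = 0x01
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10   # authorisation REPLY status values


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 chain over session_id | key | version | seq_no (| previous digest)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def author_request(user: str, port: str, rem_addr: str, args: list[str], priv_lvl: int = 1) -> bytes:
    """Authorisation REQUEST body: fixed fields, length vector, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!BBBB", 0x06, priv_lvl, 0x01, 0x01)  # method TACACSPLUS, priv, type ASCII, service LOGIN
    lens = struct.pack("!BBBB", len(u), len(p), len(r), len(a)) + bytes(len(x) for x in a)
    return fixed + lens + u + p + r + b"".join(a)


def author_reply(status: int, args: list[str], server_msg: bytes = b"") -> bytes:
    """Authorisation REPLY body as the server builds it (status, arg_cnt, msg_len, data_len)."""
    a = [x.encode() for x in args]
    return (struct.pack("!BBHH", status, len(a), len(server_msg), 0)
            + bytes(len(x) for x in a) + server_msg + b"".join(a))


def parse_reply(packet: bytes, key: bytes) -> tuple[int, list[str]]:
    """Strip the header, de-obfuscate with the shared secret, return (status, args)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or ptype != TYPE_AUTHOR:
        raise ValueError("not a TACACS+ authorisation packet")
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[offset:offset + n].decode())
        offset += n
    return status, args


def effective_attributes(requested: list[str], status: int, server_args: list[str]) -> list[str] | None:
    """FAIL -> None (deny); PASS_ADD -> requested plus the server's extras;
    PASS_REPL -> only what the server returned."""
    if status == FAIL:
        return None
    if status == PASS_REPL:
        return list(server_args)
    if status == PASS_ADD:
        return list(requested) + [a for a in server_args if a not in requested]
    raise ValueError(f"unhandled authorisation status {status:#x}")


def demo(key: bytes = b"assumed-shared-secret") -> dict:
    """Replay the slide: user admin from rem_addr office asks for a shell and
    ISE answers PASS_ADD with priv-lvl=15. Secret, port and session id are assumed."""
    session_id, requested = 0x1A2B3C4D, ["service=shell", "cmd*"]
    request = build_packet(author_request("admin", "vty0", "office", requested, priv_lvl=15),
                           session_id, key, seq_no=1)
    reply = build_packet(author_reply(PASS_ADD, ["priv-lvl=15"]), session_id, key, seq_no=2)
    status, server_args = parse_reply(reply, key)
    return {"request_len": len(request), "status": status,
            "attrs": effective_attributes(requested, status, server_args)}


if __name__ == "__main__":
    print(demo())
```

Note that the obfuscation is an MD5 keystream XOR, not authenticated encryption: the shared secret keeps the attributes opaque on the wire but does not protect their integrity, which is one reason device-administration traffic to ISE belongs on a management network rather than a user-reachable one.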
59. ISE Deployment Node Configuration
• Policy Service Node for protocol processing
• Session Services (e.g. network access/RADIUS) are on by default
• The Device Admin Service (e.g. TACACS+) MUST BE ENABLED FOR DEVICE ADMINISTRATION!
60. Supported Migration Paths Using Migration Tools
Path                        Segments                      Tools
ACS 4.x to ISE              ACS 4.x -> ACS 5.6            ACS 4 Migration Tool
                            ACS 5.6 -> ISE                ACS 5 Migration Tool
ACS 5.0 - ACS 5.4 to ISE    ACS 5.x -> ACS 5.6            ACS 4 Migration Tool
                            ACS 5.6 -> ISE                ACS 5 Migration Tool
ACS 5.5 - ACS 5.6 to ISE    ACS 5.5 - ACS 5.6 -> ISE      ACS 5 Migration Tool
Consider the options carefully, especially if migrating from ACS 4.
62. 3rd Party Device (NAD) Support
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD (on top of the already-working 802.1X) with Network Access Devices (NADs) manufactured by non-Cisco third-party vendors.
63. Cisco Session ID and Redirect
The same session ID ties the three views together:
• NAD: "show authentication session"
• ISE: detailed authentication report
• Browser: URL redirect for web auth, e.g. https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa
The session ID C0A8013C00000618B3C1CAFB is made of three fields: NAS IP address, session count and timestamp.
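Decoding that ID, as an added example (not ISE code and not from the deck): the three fields the slide names are three 32-bit words written in hex, so the NAS address, the session counter and the timestamp can be read straight out of the redirect URL and compared with what the NAD prints. The URL parser accepts both the `sessionId=` form used on the MDM slide and the bare `?<id>&...` form shown here; the timestamp's unit is device-specific and is left as a raw value rather than assumed.

```python
"""Extract the Cisco audit session ID from an ISE redirect URL and decode its
NAS IP address, session count and timestamp fields."""
import re
from urllib.parse import parse_qs, urlsplit

SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{24}$")     # 3 x 32-bit words in hex


def extract_session_id(url: str) -> str:
    """Accept 'sessionId=<id>' as well as the bare '?<id>&portal=&action=cwa' form."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for value in query.get("sessionId", []):
        if SESSION_ID_RE.match(value):
            return value.upper()
    for key in query:                                  # bare key with no '=' value
        if SESSION_ID_RE.match(key):
            return key.upper()
    raise ValueError("no 24-hex-digit session id in redirect URL")


def decode_session_id(session_id: str) -> dict:
    """C0A8013C | 00000618 | B3C1CAFB -> NAS 192.168.1.60, count 1560, raw timestamp."""
    if not SESSION_ID_RE.match(session_id):
        raise ValueError("session id must be 24 hex digits")
    nas_word, count_word, ts_word = (session_id[i:i + 8] for i in (0, 8, 16))
    nas = int(nas_word, 16)
    return {
        "session_id": session_id.upper(),
        "nas_ip": ".".join(str((nas >> shift) & 0xFF) for shift in (24, 16, 8, 0)),
        "session_count": int(count_word, 16),
        "timestamp_raw": int(ts_word, 16),             # unit is device-specific; not interpreted
    }


def correlate(url: str, nad_session_id: str) -> bool:
    """True when the ID from 'show authentication session' on the NAD is the one
    in the browser redirect, i.e. NAD, ISE report and browser describe one session."""
    return extract_session_id(url) == nad_session_id.strip().upper()


def demo() -> dict:
    url = "https://ise14.example.com:8443/guestportal/gateway?C0A8013C00000618B3C1CAFB&portal=&action=cwa"
    info = decode_session_id(extract_session_id(url))
    info["matches_nad"] = correlate(url, "c0a8013c00000618b3c1cafb")
    return info


if __name__ == "__main__":
    print(demo())
```

When a redirect fails, comparing the decoded NAS address with the NAD that actually holds the session is the quickest way to spot a URL that was copied from the wrong device or a stale static redirect (slide 64's "Static" type).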
64. URL Redirection: Static URL, Dynamic URL and URL Format
• Type: None / Static / Dynamic
  • None: the NAD does not have a usable redirection method
  • Static: the NAD requires the ISE-generated URL to be applied to the local device config
  • Dynamic: the NAD can receive the redirect via RADIUS authorisation
• URL parameter names
  • Define the format of the vendor redirect
  • Allow ISE to parse the needed information from redirected requests
65. What is Change of Authorisation (CoA)
The endpoint needs a new policy (ISE 2.0 = RFC 3576 and RFC 5176).
Example Cisco CoA operations:
• Terminate session
• Terminate session with port bounce
• Re-authenticate session
• Disable host port
• Session query
  – for active services
  – for complete identity
  – service specific
• Service activate
• Service de-activate
• Service query
CoA options are NAD-specific.
CoA ports: port 1700, type = Cisco CoA; port 3799, type = RFC 5176.
66. RFC 5176: What is Change of Authorisation (CoA)
The endpoint needs a new policy (RFC 3576 and RFC 5176).
• Disconnect Message (DM)
  • Also known as "Packet of Disconnect (PoD)" or "CoA Session Terminate"
  • Terminates user session(s) on a NAS and discards all associated session context
  • Exchange: Disconnect-Request, answered by Disconnect-ACK/NAK
• Change-of-Authorisation (CoA) messages
  • Also known as "Authorise Only" or "CoA Push"
  • CoA-Request packets contain information for dynamically changing session authorisations
  • Exchange: CoA-Request, answered by CoA-ACK/NAK
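The two request types on the wire, as an added example (not ISE code and not from the deck): a Disconnect-Request (code 40) and a CoA-Request (code 43) keyed to the session by Acct-Session-Id, the RFC 5176 Request Authenticator computed over the packet with the shared secret, and the check a NAD performs before acting on either. The shared secret, the identifier values and the use of a `subscriber:command=reauthenticate` Cisco av-pair for the re-authenticate operation are assumptions for illustration.

```python
"""RFC 5176 Disconnect-Request / CoA-Request encoding and authenticator check."""
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_ACCT_SESSION_ID, ATTR_VENDOR_SPECIFIC = 44, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
PORT_CISCO_COA, PORT_RFC5176 = 1700, 3799         # slide 65: pick per NAD profile


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; the length octet covers the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute (vendor 9, sub-type 1) carrying cisco-avpair=<text>."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    length = 20 + len(attrs)
    head = struct.pack("!BBH", code, identifier, length)
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAD does before acting: recompute the authenticator with its own secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def disconnect_request(session_id: str, identifier: int, secret: bytes) -> bytes:
    """Packet of Disconnect: terminate the session and discard its context."""
    attrs = attribute(ATTR_ACCT_SESSION_ID, session_id.encode())
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def coa_reauth_request(session_id: str, identifier: int, secret: bytes) -> bytes:
    """CoA Push asking the NAD to re-authenticate the session (assumed Cisco av-pair form)."""
    attrs = (attribute(ATTR_ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_request(COA_REQUEST, identifier, attrs, secret)


def demo(secret: bytes = b"assumed-radius-secret") -> dict:
    session = "C0A8013C00000618B3C1CAFB"          # the session id from slide 63
    dm = disconnect_request(session, 7, secret)
    coa = coa_reauth_request(session, 8, secret)
    tampered = coa[:-1] + bytes([coa[-1] ^ 0x01])  # one bit flipped in the last attribute
    return {
        "dm_code": dm[0], "dm_len": len(dm), "dm_ok": verify_request(dm, secret),
        "coa_code": coa[0], "coa_len": len(coa), "coa_ok": verify_request(coa, secret),
        "wrong_secret": verify_request(coa, b"other-secret"),
        "tampered": verify_request(tampered, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The authenticator is the only thing standing between an attacker who can reach UDP 1700/3799 on the NAD and the ability to drop or re-authorise arbitrary sessions, so the CoA secret deserves the same handling as the RADIUS secret and the NAD should accept dynamic authorisation only from the ISE PSN addresses.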
67. My 3rd Party NAD does not support CoA ReAuth / CoA Push
ISE 2.0 can perform "CoA stitching":
1. Web auth: the user enters credentials (session 001)
2. CWA success on the PSN
3. CoA Terminate is sent to the NAD, which ends session 001 (accounting stop)
4. The PSN holds the session context open for 20 seconds
5. The NAD sends a new authentication request (session 002)
6. A matching request is received in under 20 seconds, so ISE returns the policy for the employee user: employee access, full access
68. 3rd-Party NADs: Supported Features
• AAA
  • 802.1X (since 1.0)
  • MAB (since 1.2)
  • LWA to local portal (since 1.0)
• CoA
• Profiling (with CoA)
• Guest
  • Hotspot
  • Central Web Authentication (CWA)
  • Sponsored guest flow
  • Self-registration guest flow
  • ISE-hosted portals
• Posture
• BYOD
  • Device registration
  • Supplicant provisioning
  • Certificate provisioning
  • Self-service device management (My Devices)
  • Single/dual SSID
• TrustSec
  • Dynamic SGT and SXP listener
Features vary by vendor, platform and version!
69. Adding 3rd-Party NADs to Facilitate Policy Management
Network Access Device configuration:
• Administration > Network Resources > Network Devices
• Be sure to set the Device Profile correctly!
• Enter Network Device Type and Location info
• Optional: override the default CoA port per NAD
70. Current Vendor Test Results
Vendor     Verified   Series tested                       Model / firmware                               CoA   Profiler   Posture   Guest/BYOD
Aruba      Wireless   7000, Instant AP                    7005-US / 6.4.1.0                              ✔     ✔          ✔         ✔
Motorola   Wireless   RFS 4000                            Wing v5.5                                      ✔     ✔          ✔         ✔
HP         Wireless   830 (H3C)                           8P / 3507P35                                   ✔     ✔          ✔         ✔
HP         Wired      HP 5500 HI Switch Series (H3C)      A5500-24G-4SFP HI / 5.20.99                    ✔     ✖          ✖         ✖
HP         Wired      HP 3800 Switch Series (ProCurve)    3800-24G-POE-2SFP (J9573A) / KA.15.16.0006     ✖     ✖          ✖         ✖
Brocade    Wired      ICX 6610                            24 / 08.0.20aT7f3                              ✔     ✔          ✖         ✖
Ruckus     Wireless   ZD1200                              9.9.0.0 build 205                              ✔     ✔          ✖         ✖
Profiler requires CoA support; Posture and Guest/BYOD require CoA and URL-redirect support.
Additional 3rd-party NAD support requires identification of the device properties/capabilities and the creation of a custom NAD profile in ISE. A more detailed guide is to be published.