Cisco Identity Services Engine

Cisco Identity Services Engine Secure Access Stefan Dürnberger CCIE Security Sourcefire Certified Expert

"Most organizations, large and small, have already been compromised and don't even know it: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware." (Cisco 2014 Annual Security Report)

The Security Problem - Impact of a Breach
The security problem: changing business models, a dynamic threat landscape, complexity and fragmentation.
- 60% of data in breaches is stolen within hours
- 54% of breaches remain undiscovered for months
- Information on up to 750 million individuals has reached the black market over the last three years

How would you do security differently if you knew you were going to be compromised?

Attack Continuum

Cisco ISE is not just a single product. It is a system securing your wired, wireless and RA VPN infrastructure, including guest services and more. [SD]

Cisco Secure Access Enabled by ISE
- Secure Access on wired, wireless and VPN: control with one policy across wired, wireless and VPN
- XYOD: users get onto the network safely, fast and easily
- Guest Access: it's easy to give guests access limited in time and resources
- TrustSec Network Policy: rules written in business terms control access

ISE / TrustSec How-To Guides http://www.cisco.com/en/us/solutions/ns340/ns414/ns742/ns744/landing_designzone_trustsec.html

ISE Hardware

Cisco ISE Appliance: based on the Cisco UCS C220 M3 Server. Virtual Appliance: based on the VMware hypervisor.

SNS-34x5 Appliances - Specs

Platform                     SNS-3415-K9 Secure Network Services Appliance    SNS-3495-K9 Secure Network Services Appliance
Processor                    1 x QuadCore Intel Xeon 2.4 GHz                  2 x QuadCore Intel Xeon 2.4 GHz
No. of cores per CPU         4 (4 total cores)                                4 (8 total cores)
Memory                       16 GB DDR3-1066 (4 x 4 GB)                       32 GB DDR3-1066 (8 x 4 GB)
Hard disk                    1 x 2.5-inch 600 GB SAS 10K RPM                  2 x 2.5-inch 600 GB SAS 10K RPM
RAID                         No                                               Yes - RAID 1 (600 GB total storage)
Ethernet NICs                4 (2 on board; 2 on NIC)                         4 (2 on board; 2 on NIC)
Power supplies               1 x 650 W                                        2 x 650 W
Trusted Platform Module      Yes                                              Yes
SSL acceleration card        No                                               Yes
Concurrent endpoints         5,000 (PSN function)                             20,000 (PSN function)

ISE Architecture

Cisco ISE Architecture (diagram): Admin node (view/configure policies) and Monitor node (view logs/reports, receives logging) sit above the Policy Service node, which queries attributes from external data stores, exchanges request/response context, and logs to Monitor. An endpoint's access request is evaluated by Policy Service and enforced at the network resource.

Distributed Topology Deployment (diagram): primary and secondary Admin (PAN) and Monitor (MnT) nodes, a Policy Services cluster (PSN x4) and distributed Policy Services nodes (PSN) in Data Center A, DC B and Branches A, B and C. Network access devices: ASA VPN, WLCs with APs (802.1X), switches (802.1X), and HA Inline Posture Nodes (IPN). AD/LDAP serves as the external ID/attribute store in each data center.

ISE Software - Functional Description -

Secure Access: Classification Attributes
Who?     Employee / Attacker / Guest
What?    Personal Device / Company Asset
How?     Wired / Wireless / VPN
Where?   @ Starbucks / Headquarters
When?    Week Days / Weekends; 8:00 AM - 6:00 PM (8:00am - 5:00pm) PST

ISE - Identity Stores

Identity Store       OS / Version
ISE                  Internal Endpoints, Internal Users
RADIUS               RFC 2865-compliant RADIUS servers
Active Directory     Microsoft Windows Active Directory 2003, 32-bit only
                     Microsoft Windows Active Directory 2003 R2, 32-bit only
                     Microsoft Windows Active Directory 2008, 32-bit and 64-bit
                     Microsoft Windows Active Directory 2008 R2, 32-bit and 64-bit
                     Microsoft Windows Active Directory 2012 (ISE 1.2)
LDAP Servers         SunONE LDAP Directory Server, Version 5.2
                     Linux LDAP Directory Server, Version 4.1
                     NAC Profiler, Version 2.1.8 or later
Token Servers        RSA ACE/Server 6.x Series
                     RSA Authentication Manager 7.x Series
                     RADIUS RFC 2865-compliant token servers
                     SafeWord Server prompts

Cisco ISE- 802.1X Authentication

PEAP/TLS with Windows/Mac/Linux: PEAP/TLS is supported on all OSes and is compatible with the compliance module. The compliance module is supported on Windows and Mac.

Cisco ISE- MAC Authentication Bypass

Cisco ISE- Profiling: the profiling database is filled with endpoint information. Using this information in policies will consume licenses.

Cisco ISE- Profiling

Cisco ISE- Compliance: state of compliance with the company's security policy
- Is the system running the current Windows patches?
- Is anti-virus software installed? Is it up to date?
- Is anti-spyware software installed? Is it up to date?
- Services, applications/processes and registry keys

Cisco ISE- Compliance: AnyConnect (AC) gets security product information out of the scan. This information is available in DART as well.

Cisco ISE- Policy Enforcement VLANs DACLs SGTs
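The classification attributes and enforcement mechanisms from the slides, worked as an ISE-style ordered first-match authorization policy that emits the RADIUS attributes a switch or WLC enforces (VLAN via Tunnel-* attributes, dACL and SGT via Cisco-AVPair). This is an added illustration, not Cisco's code; the rule contents, the dACL bodies and the exact cts:security-group-tag av-pair format are assumptions.

```python
"""ISE-style authorization: ordered first-match rules over the slide's classification
attributes (who/what/how/where/when) that emit the RADIUS attributes a NAD enforces
(VLAN, dACL, SGT). Added example, not Cisco code; rules, dACLs and SGT format assumed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Session:
    who: str     # "employee", "guest", "unknown"
    what: str    # "company_asset", "personal_device"
    how: str     # "wired", "wireless", "vpn"
    where: str   # "headquarters", "remote"
    when: datetime

def business_hours(s: Session) -> bool:
    """Weekdays 08:00-18:00, the slide's 'When?' dimension."""
    return s.when.weekday() < 5 and 8 <= s.when.hour < 18

# (rule name, condition, result): evaluated top-down, first match wins, as ISE
# authorization policy does; no match falls through to reject.
RULES = [
    ("Corp-Asset-Employee", lambda s: s.who == "employee" and s.what == "company_asset",
     {"vlan": "10", "dacl": "PERMIT_ALL", "sgt": 0x0002}),
    ("BYOD-Employee-Hours", lambda s: s.who == "employee"
     and s.what == "personal_device" and business_hours(s),
     {"vlan": "20", "dacl": "INTERNET_ONLY", "sgt": 0x0003}),
    ("Guest", lambda s: s.who in ("guest", "unknown"),  # unknown endpoints become guests
     {"vlan": "99", "dacl": "GUEST_ONLY", "sgt": 0x0005}),
]
DACLS = {  # constructed ACE lists in IOS syntax
    "PERMIT_ALL": ["permit ip any any"],
    "INTERNET_ONLY": ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    "GUEST_ONLY": ["permit udp any any eq 53", "permit tcp any any eq 80", "permit tcp any any eq 443"],
}

def to_radius(result: dict) -> dict:
    """Translate a rule result into the RADIUS attributes carried in Access-Accept."""
    attrs = {"Tunnel-Type": "VLAN",                     # attr 64, value 13
             "Tunnel-Medium-Type": "IEEE-802",          # attr 65, value 6
             "Tunnel-Private-Group-ID": result["vlan"]}  # attr 81
    # dACL as Cisco-AVPair (vendor 9) ip:inacl#N entries; SGT av-pair format is assumed
    pairs = [f"ip:inacl#{i}={ace}" for i, ace in enumerate(DACLS[result["dacl"]], 1)]
    pairs.append(f"cts:security-group-tag={result['sgt']:04x}-00")
    attrs["Cisco-AVPair"] = pairs
    return attrs

def authorize(s: Session):
    """Return (matched rule, RADIUS attrs); ("Default-Deny", None) means Access-Reject."""
    for name, cond, result in RULES:
        if cond(s):
            return name, to_radius(result)
    return "Default-Deny", None
```

The same personal device that matches BYOD-Employee-Hours on a weekday falls through to Default-Deny on a Saturday, which is the point of evaluating the When? attribute in the policy rather than in the ACL.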

Cisco ISE- Policy Enforcement Downlink Encryption

Sponsor & Guest
- Local users or Active Directory users/groups are allowed to generate guest accounts
- Different types of guests (daily, weekly, monthly, user defined)
- Sponsors can create a single guest, a batch of guests with one click, or import from a .csv file

Sponsor & Guest cont.
- Different sponsor portals can be configured; fully customizable (HTML, CSS)
- Concept of "sponsor all accounts", "group accounts" and "own accounts": a local lobby user can only see and manage the guest accounts they created themselves
- Sponsors can manage guest accounts: reset the password, extend the account, etc.

Sponsor & Guest cont.
- Privileges like VLAN, DACL, etc. can differ for wired and wireless guests
- iOS/Android profiles can be dynamically created by ISE to onboard private devices (not shown in the POC)
- Guest flow: all unknown endpoints (wired or wireless) are treated as guests. This makes your network a closed infrastructure

Sponsor & Guest cont. More options for guests:
- Guest self-registration via SMS or email
- Guest self-registration with sponsor approval
- Daily code for trainings
- Hotspot

ISE Syslog & Prime integration cont. ISE brings identity and endpoint information, e.g. posture information, to Cisco Prime. Use the magnifier to drill into the event.

ISE troubleshooting options Click here to get output below

ISE troubleshooting options cont. Get your .pcap directly from ISE; no need for SPAN during troubleshooting. Other tools are available in the left pane.

ISE troubleshooting options cont.

Cisco ISE- REST API