VoE ISE

Technical documentation

Uploaded by Juan Garcia

Juan Carlos Figueredo
[email protected]
July 2014

C97-729441-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
END-USER EXPECTATIONS
• Over 15 billion devices by 2015, with the average worker having 3 devices
• New workspace: anywhere, anytime
• 71% of Gen Y workforce do not obey policies
• 60% will download sensitive data onto a personal device

IT TRENDS
• 50% of workloads are virtualized to increase efficiency
• Two-thirds of workloads will be in the cloud by 2016
• 71% of the world's mobile data traffic will be video in 2016
• Mobile malware has doubled from 2010 to 2011

REDUCE SECURITY RISK / IMPROVE END-USER PRODUCTIVITY / INCREASE OPERATIONAL EFFICIENCIES
Security Policy Attributes: Who, What, Where, When, How
Identity and Context drive Business-Relevant Policies
Access: Wired, Wireless, VPN
Endpoints: VM client, IP device, guest, employee, remote user
Replaces AAA & RADIUS, NAC, guest mgmt & device identity servers
Policy Management: Cisco® Identity Services Engine (ISE), Cisco Prime™ Infrastructure
Policy Information: User Directory; Profiling from Cisco Infrastructure; Posture from End-Point Agents
Policy Enforcement: Cisco Infrastructure (Switches, Wireless Controllers, Firewalls, Routers)
BYOD: Users connect safely to the Internet quickly and easily
GUEST ACCESS: It's easy to provide guests limited time and resource access
SECURE ACCESS ON WIRED, WIRELESS, AND VPN: Control with one policy across wired, wireless, and remote infrastructure
CISCO TRUSTSEC NETWORK POLICY: Rules written in business terms control access
Who? What? When? Where? How?
1. Context-Aware Classification
2. Context-Aware Policy (ISE)
3. Enforcement
Who? Employee Attacker Guest

What? Personal Device Company Asset

How? Wired Wireless VPN

Where? @ Starbucks Headquarters

When? Weekends (8:00am – 5:00pm) PST

Who? How?
Examples: Employees and staff, faculty and students, or extended access to partners and contractors
Primary authentication methods: 802.1X or agent-based
Cisco AnyConnect® Secure Mobility 3.1
• Unified access interface for
̶ 802.1X for LAN / WLAN
̶ VPN (SSL-VPN and IPSec)
̶ Mobile User Security (WSA / ScanSafe)
• Supports MACSec / MKA (802.1X-REV) for data encryption in software; performance is based on endpoint CPU
• MACSec-capable hardware (network cards) enhances performance with Cisco® AnyConnect 3.0
• NAC agent currently used for posture; will be merged into AnyConnect in AC3.2
Who?
• Centralized and customizable web authentication portal (figure: Controller, Switch)
• Both employee and guest authentication supported
• Tunable username and password policies
• Supports print, email, SMS guest notifications
Need something to intercept browser requests to provide a captive portal and redirection to a local or remote web authentication portal
Examples: Printers, miscellaneous devices with no supplicant
Primary authentication method: MAB
Example: Redirect users to WebAuth if MAB fails
Who?
Permissions = Authorizations
• Employee_iPAD: Set VLAN = 30 (Corporate Access)
• Contractor_iPAD: Set VLAN = 40 (Internet Only)
Profiling: Collection and Classification
Probes: NMAP, NetFlow, HTTP, SNMP, LLDP, RADIUS, DHCP
• Collection: the process of collecting data to be used for identifying devices
• Uses probes for collecting device attributes
• Classification: classifies based on device fingerprint
Vendors shown: Apple, HP, Motorola, Cisco, Blackberry, WYSE, Lexmark, VMware, Microsoft, Xerox, Samsung
Who? What?
Who = Employee, What = ?
Permissions = Authorizations
• Employee Phone: Set VLAN = 601 (Internet Only)
• Employee PC: Set VLAN = 603 (Full Access)
Posture is the state of compliance with the company's security policy.
• Is the system running the current Windows patches?
• Do you have anti-virus software installed? Is it up to date?
• Do you have anti-spyware software installed? Is it up to date?
What?
Microsoft Updates: Service Packs; Hotfixes; OS/Browser versions
Antivirus: Installation and signatures
Antispyware: Installation and signatures
Other checks: File data; Services; Applications/processes; Registry Keys
Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running

Contractor Policy:
• Any AV installed, running, and current

Guest Policy:
• Accept AUP (No posture - Internet Only)
Posture Assessment Options

NAC Agent for Windows and Web Agent for Windows:
• OS/service packs/hotfixes
• Process check
• Registry check
• File check
• Application check
• AV installation
• AV version/AV definition date
• AS installation
• AS version/AS definition date
• Windows update running
• Windows update configuration
• WSUS compliance settings

NAC Agent for MAC OS:
• AV installation
• AV version, definition date
• AS installation
• AS version, definition date

Remediation Options

NAC Agent for Windows:
• Message text (local check)
• URL link (link distribution)
• File distribution
• Launch program
• AV definition update
• AS definition update
• Windows update
• WSUS

Web Agent for Windows:
• Message text
• URL link
• File distribution

NAC Agent for MAC OS:
• Message text
• URL link
• AV live update
• AS live update
Corporate Policy:
• Must have Kaspersky AV installed
• Automatic remediation enforced

Guest Policy:
• Must have AV installed but can be ANY vendor

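The "Permissions = Authorizations" slides and the posture policies above describe first-match rule evaluation over identity, device profile and posture. The following is an added example (not Cisco's code) that models such a policy in plain Python; the attribute names, the rule names and the portal-redirect results are assumptions, while the VLAN numbers are those on the slides.

```python
# Added example, not Cisco code: a minimal first-match authorization policy
# in the style of the rules on these slides. Attribute names, rule names
# and the portal redirect results are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Context ISE has gathered for one endpoint session (the Who/What/How)."""
    identity_group: str       # "Employee", "Contractor" or "Guest"
    device_profile: str       # profiler result, e.g. "Apple-iPad", "Phone", "Workstation"
    access_method: str        # "Wired", "Wireless" or "VPN"
    posture: str = "Unknown"  # "Compliant", "NonCompliant" or "Unknown"
    aup_accepted: bool = False


@dataclass(frozen=True)
class Result:
    """Authorization result pushed to the NAD: a VLAN and/or a portal redirect."""
    name: str
    vlan: Optional[int] = None
    redirect: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Session], bool]
    result: Result


def is_(group: str, profile: Optional[str] = None) -> Callable[[Session], bool]:
    """Build a condition on identity group and (optionally) device profile."""
    return lambda s: s.identity_group == group and (profile is None or s.device_profile == profile)


# Rules from slides 12, 16 and 19, evaluated top to bottom; first match wins.
# The compliant-PC rule must sit above the posture-redirect rule, otherwise a
# compliant workstation would be redirected to remediation forever.
POLICY = [
    Rule("Employee_iPAD", is_("Employee", "Apple-iPad"), Result("Corporate Access", vlan=30)),
    Rule("Contractor_iPAD", is_("Contractor", "Apple-iPad"), Result("Internet Only", vlan=40)),
    Rule("Employee_Phone", is_("Employee", "Phone"), Result("Internet Only", vlan=601)),
    Rule("Employee_PC_Compliant",
         lambda s: is_("Employee", "Workstation")(s) and s.posture == "Compliant",
         Result("Full Access", vlan=603)),
    Rule("Employee_PC_Posture", is_("Employee", "Workstation"),
         Result("Posture Remediation", redirect="posture-portal")),   # assumed result
    Rule("Guest_AUP_Accepted", lambda s: is_("Guest")(s) and s.aup_accepted,
         Result("Internet Only")),                                     # no VLAN given on the slide
    Rule("Guest_AUP_Pending", is_("Guest"), Result("Accept AUP", redirect="guest-portal")),
]
DEFAULT = Result("Deny Access")


def authorize(session: Session) -> Tuple[str, Result]:
    """Return the name of the matching rule and its result (or the default)."""
    for rule in POLICY:
        if rule.match(session):
            return rule.name, rule.result
    return "Default", DEFAULT


if __name__ == "__main__":
    for s in (Session("Employee", "Apple-iPad", "Wireless"),
              Session("Employee", "Workstation", "Wired"),
              Session("Guest", "Phone", "Wireless")):
        print(s.identity_group, s.device_profile, "->", authorize(s))
```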
Figure (enforcement): endpoint authenticates via EAPOL (dot1x), MAB or WEB to the PSN (10.1.204.126); a VLAN or ACL is applied to the switch or WLC, with ISE at the core; Finance user ✓ Finance Server; HR Servers.
New in ISE 1.2
Guest lifecycle: Provision, Manage, Notify, Report
Provision: Create guest accounts in the sponsor portal
Manage: Create sponsor policy; Manage sponsor groups; Customize portals
Notify: Notify guest using different methods (Print, Email, SMS)
Report: Report on all aspects of guest accounts
Unifying network access for guest users and employees
(figure: Guest, Contractor and Corp SSIDs on wireless; Guest, Contractor and Employee desktops on a single wired port)
On wireless:
• Using multiple SSIDs
• Open SSID for guest
On wired:
• No notion of SSID
• Unified port: need to use different auth methods on a single port
̶ Enter Flex Auth
• Serves guests and contractors
• Provides a portal for device registration
• Employees can also use it for systems without a supplicant

Centralized Web Auth (CWA), served by the PSN:
• Web pages served from ISE
• Supports session state (BYOD, posture, profiling, etc.)
• No WebAuth policy configuration on NAD

Local Web Auth (LWA):
• Web pages served locally
• Does not support session state (no BYOD, no posture, no profiling)
• WebAuth policy configuration on NAD (ACL, URL)
Customizable web portal for sponsors as well
Authenticate sponsors with corporate credentials:
• Local database
• Active Directory
• LDAP
• RADIUS
• Kerberos
• Print the details
• Send through email
• Send through SMS

Authentication page
Acceptable usage policy
Success/failure page

BYOD features:
• Blacklisting and Reinstating of Devices
• Multiple Device Support
• Multiple Network Topologies
• Certificate Provisioning
• Self-Registration
Putting the End User in Control
• Reduced Burden on IT Staff
̶ Device on-boarding
̶ Self-registration
̶ Supplicant provisioning
̶ Certificate provisioning
• Self-Service Model
̶ myDevice portal for registration
̶ Guest sponsorship portal
• Device Black Listing
̶ User-initiated control of their devices (black-listing, reinstating device, etc.)
• Support for:
̶ iOS (post 4.x)
̶ MAC OSX (10.6, 10.7)
̶ Android (2.2 and later)
̶ Windows (XP, Vista, Win7K)
BYOD on-boarding flow (figure: Personal Asset, Access Point with BYOD-Secure and BYOD-Open SSIDs, Wireless LAN Controller, ISE, AD/LDAP)
• User connects to open SSID
• Redirected to WebAuth portal
• User enters employee or guest credentials
• Guest signs AUP and gets guest access
• Employee registers device
̶ Downloads certificate
̶ Downloads supplicant configuration
• Employee reconnects using EAP-TLS
Best Practice Today vs. The New Way (Cisco® ISE 1.2)

Best Practice Today
ISE, Device Access Control:
• Device profiling
• BYOD on-boarding
• Device access control
MDM, Mobile Devices Security Control:
• Device compliance
• Mobile application management
• Securing data at rest

The New Way, ISE and MDM, Enforced Mobile Device Compliance:
• Forces on-boarding to MDM with personal devices used for work
• Register but restrict access for personal devices not managed by MDM
• Quarantine non-compliant devices based on MDM policy

MDM cannot 'see' non-registered devices to enforce device security, but the network can
MDM: Mobile Device Manager
• MDM device registration through ISE
̶ Non-registered clients redirected to MDM registration page
• Restricted access
̶ Non-compliant clients will be given restricted access based on policy
• Endpoint MDM agent
̶ Compliance
̶ Device applications check
• Device action from ISE
̶ Device stolen > wipe data on client
• Survivability
̶ New attribute added
• ISE can query the MDM server using APIs (callout: Survivability Attribute)
• Compliance based on:
̶ Macro level: general Compliant or !Compliant status
OR
̶ Micro level: disk encryption enabled, PIN lock enabled, jail-broken status
• MDM attributes available for policy conditions
• "Passive Reassessment": bulk recheck against the MDM server using a configurable timer
̶ If the result of a periodic recheck shows that a connected device is no longer compliant, Cisco® ISE sends a CoA to terminate the session.
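To make the macro/micro compliance distinction and the passive-reassessment behaviour concrete, here is an added example (not Cisco's code) that models one timer tick of the recheck against constructed MDM data; the record fields, the MAC-keyed lookup and the CoA callback are assumptions.

```python
# Added example, not Cisco code: models the ISE 1.2 MDM compliance check at
# macro level (the MDM's overall status) or micro level (individual
# attributes), plus the periodic "passive reassessment" that issues a CoA to
# terminate sessions whose device has fallen out of compliance. The record
# fields, the MAC-keyed lookup and the CoA callback are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class MdmRecord:
    """What the MDM API reports for one registered device."""
    compliant: bool       # macro-level status as judged by the MDM
    disk_encrypted: bool  # micro-level attributes listed on the slide
    pin_lock: bool
    jailbroken: bool


def macro_policy(rec: MdmRecord) -> bool:
    """Macro level: trust the MDM's overall Compliant / !Compliant status."""
    return rec.compliant


def micro_policy(rec: MdmRecord) -> bool:
    """Micro level: require the individual attributes ourselves."""
    return rec.disk_encrypted and rec.pin_lock and not rec.jailbroken


@dataclass
class Session:
    session_id: str
    mac: str
    active: bool = True


def passive_reassessment(sessions: List[Session],
                         query_mdm: Callable[[str], Optional[MdmRecord]],
                         policy: Callable[[MdmRecord], bool],
                         send_coa: Callable[[str, str], None]) -> List[str]:
    """One timer tick: bulk recheck every active session against the MDM.
    A device the MDM no longer knows (None) is treated as non-compliant."""
    terminated = []
    for s in sessions:
        if not s.active:
            continue
        rec = query_mdm(s.mac)
        if rec is None or not policy(rec):
            send_coa(s.session_id, "terminate")   # RADIUS CoA to the NAD
            s.active = False
            terminated.append(s.session_id)
    return terminated


def run_demo(policy: Callable[[MdmRecord], bool]) -> List[str]:
    """Constructed sample data: three sessions and the MDM's current view."""
    mdm: Dict[str, MdmRecord] = {
        "00:11:22:33:44:01": MdmRecord(True, True, True, False),  # healthy
        "00:11:22:33:44:02": MdmRecord(True, True, True, True),   # MDM says OK, but jailbroken
        # "00:11:22:33:44:03" was unenrolled since the last check
    }
    sessions = [Session("s1", "00:11:22:33:44:01"),
                Session("s2", "00:11:22:33:44:02"),
                Session("s3", "00:11:22:33:44:03")]
    return passive_reassessment(sessions, mdm.get, policy,
                                lambda sid, action: print(f"CoA {action} -> {sid}"))


if __name__ == "__main__":
    print("macro:", run_demo(macro_policy))   # only the unenrolled device is cut
    print("micro:", run_demo(micro_policy))   # the jailbroken device is cut too
```

The macro policy keeps the jailbroken device connected because the MDM still reports it compliant, which is the case the micro-level attributes exist to catch.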
Appliance Specifications
http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_ovr.html#wp1103032

Cisco® Identity Services Engine Appliance 3315 (Small)
Processor: 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz (4 total cores)
Memory: 4 GB
Hard disk: 2 x 250-GB SATA HDD (250 GB total disk space)
RAID: No
Ethernet NICs: 4 x Integrated Gigabit NICs
Concurrent Endpoints: 3000 maximum

Cisco Identity Services Engine Appliance 3355 (Medium)
Processor: 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (4 total cores)
Memory: 4 GB
Hard disk: 2 x 300-GB SAS drives (600 GB total disk space)
RAID: Yes (RAID 0)
Ethernet NICs: 4 x Integrated Gigabit NICs
Concurrent Endpoints: 6000 maximum

Cisco Identity Services Engine Appliance 3395 (Large)
Processor: 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (8 total cores)
Memory: 4 GB
Hard disk: 4 x 300-GB SFF SAS drives (600 GB total disk space)
RAID: Yes (RAID 0+1)
Ethernet NICs: 4 x Integrated Gigabit NICs
Concurrent Endpoints: 10,000 maximum
New in ISE 1.2: Cisco Secure Network Servers
Based on the Cisco UCS® C220 Server, but designed for:
• Cisco® Identity Services Engine (ISE)
• Network Admission Control (NAC)
• Access Control Server (ACS)
Models: SNS-3415-K9 and SNS-3495-K9
Secure Network Services Appliance SNS-3415-K9
Processor: 1 QuadCore Intel Xeon 2.4 GHz
CPU Model: E5-2609
Number of Cores Per CPU: 4 (4 total cores)
Number of Threads Per Core: 1 (No hyper-threading)
Memory: 16 GB DDR3-1066 (4 x 4GB)
Hard Disk: 1 x 2.5-Inch 600 GB SAS 10,000 RPM
RAID: No
Ethernet NICs: 4 (2 on board; 2 on NIC)
Power Supplies: 1 x 650 W
Trusted Platform Module: Yes
SSL Acceleration Card: No
Concurrent Endpoints: 5000 (PSN function)

Secure Network Services Appliance SNS-3495-K9
Processor: 2 QuadCore Intel Xeon 2.4 GHz
CPU Model: E5-2609
Number of Cores Per CPU: 4 (8 total cores)
Number of Threads Per Core: 1 (No hyper-threading)
Memory: 32 GB DDR3-1066 (8 x 4GB)
Hard Disk: 2 x 2.5-Inch 600 GB SAS 10K RPM
RAID: Yes - RAID 1 (600 GB total storage), LSI 2008 SAS RAID mezzanine card
Ethernet NICs: 4 (2 on board; 2 on NIC)
Power Supplies: 2 x 650 W
Trusted Platform Module: Yes
SSL Acceleration Card: Yes
Concurrent Endpoints: 20,000 (PSN function)
Figure: license upgrade paths between Wireless, Base, Advanced and ATP licenses (More Wireless, More Base, More Advanced; Wireless to Full ISE Upgrade; Full ISE covers Wired, Wireless, VPN)
OLD licensing
Base (Perpetual Lic.): AAA; 802.1X; Guest
Advanced (Term Lic.): BYOD; Profiling & Feed Service; TrustSec SGT; Endpoint Protection Svcs.; MDM – 3rd Party; Endpoint Compliance & Remediation

NEW licensing
Base (Perpetual Lic.): AAA; 802.1X; Guest
Plus (Term Lic.): BYOD; Profiling & Feed Service; TrustSec SGT; Endpoint Protection Svcs.
Advanced (Term Lic.): BYOD; Profiling; Feed Service; TrustSec SGT; Endpoint Protection Svcs.; MDM – 3rd Party; Endpoint Compliance & Remediation

• Base License remains the same in ISE 1.2
• 1.2 Plus License offers a discounted "subset" of Advanced
• Advanced License remains the same in ISE 1.2

ISE node types
ISE node: persona, one or more of Administration, Monitoring, Policy Service; a single ISE node (appliance or VM)
Inline Posture: a single inline posture node (appliance only)
Figure (persona interaction): Monitor node: logging; view logs, reports. Admin node: view and configure policies; logging. Policy Service node: request/response context; logging; queries attributes from External Data. Endpoint sends an Access Request, Policy Service enforces, and the endpoint receives Resource Access.
Distributed Deployment: All Cisco® ISE personas are deployed across multiple sites
Figure: Admin, Monitor and a Policy Services Cluster in Data Center A; distributed Admin (S), Monitor (S) and Policy Services in Data Center B; HA Inline Posture Nodes and ASA VPN; AD/LDAP (External ID/Attribute Store) at each data center; WLC, switches, 802.1X and APs in both data centers and in Branch A and Branch B.
Deployment models

1. All personas on one node (PAN + MnT + PSN)
Persona Deployment: All personas running on a single node or redundant nodes
Maximum Nodes by Type: 2 Admin+MnT+PSN nodes
Maximum Endpoints for Entire Deployment: 2000 with ISE-33x5; 5000 with SNS-3415; 10,000 with SNS-3495

2. PAN + MnT co-located, dedicated PSNs
Persona Deployment: Administration and monitoring co-located on a single node or redundant nodes; dedicated policy service nodes
Maximum Nodes by Type: 2 Admin+MnT nodes; 5 Policy Service nodes
Maximum Endpoints for Entire Deployment: 5000 with ISE-3355/SNS-3415 for PAN+MnT; 10,000 with ISE-3395/SNS-3495 for PAN+MnT

3. Fully distributed (dedicated PAN, MnT and PSN)
Persona Deployment: Dedicated administration node(s); dedicated monitoring node(s); dedicated policy service nodes
Maximum Nodes by Type: 2 admin nodes; 2 MnT nodes; 40 policy service nodes
Maximum Endpoints for Entire Deployment: ISE 1.1: maximum 100,000 endpoints; ISE 1.2: maximum 250,000 endpoints
Entry Point for Third-Party Wireless Infrastructure

Figure 1 (VPN): VPN User > Internet > ASA VPN > ISE Inline Posture Node (eth1 / eth0) > L3 Switch > Trusted Network (wired). Policy Services: 1) RADIUS Auth for ASA VPN; 2) Auth/Posture for Inline Posture Node.

Figure 2 (Wireless): Wireless User > AP > Third Party Wireless Controller > ISE Inline Posture Node (eth1 / eth0) > L3 Switch > Trusted Network (wired). Policy Services: 1) 802.1X Auth for WLC; 2) Auth/Posture for Inline Posture Node.
1. Native MDM Features in ISE
• Uses ISE as the device manager
• Uses Cisco® AnyConnect Mobile as the MDM agent

2. Integration of ISE and ASA
• Enforce ISE policy for remote access users

3. Deliver New Set of API - pxGrid
• Expand ISE eco-system with new APIs (Lancope, Cisco Prime™, etc.)

4. Deliver Highly Requested Features
• Multiple AD forest support
• Guest API
AnyConnect 3.2:
• Unified Agent (NAC agent integration with Cisco AnyConnect®)
• Web agent
• IPv6 phase II
• Grace period remediation
• MDM phase II

AnyConnect 3.3:
• L3 authentication support
• SCCM support
• Miscellaneous VPN requests
Thank you.
