Demystifying Cisco Identity Services Engine (ISE) Architecture and Enterprise Security
Akhil Behl (CCIE X 2), Pre-Sales Manager
Parminder Pal Singh (CCIE X 2, CCSI), Lead Trainer
Agenda
• Today’s Security Trends
• Introduction to Cisco Identity Services Engine (ISE)
• Positioning ISE
• ISE Architecture
• MDM, TrustSec, and pxGrid
• Q&A
Today’s Security Trends
Where’s the World Heading?
• Mobile: mobile device proliferation; 55% of IP traffic mobile by 2017
• Cloud: cloud apps growing at an exponential rate; 44% annual workload growth
• IoE: more than 20B connected “smart objects” by 2020; 36X growth in M2M IP traffic 2013–18
More Devices, More Connectivity, More Exposure = More Attack Surface
Adoption over time:
• 2000, Early Days: endpoints were IT procured/managed
• 2005, Guest Access: simple guest access
• 2011, Mobility Booms: BYOD mobile devices increased multifold
• 2016+, IoT/IoE: proliferation of connected devices
Introduction to Cisco Identity Services Engine (ISE)
Cisco ISE is Core to the Cisco Security Construct: the Attack Continuum
• BEFORE (Control, Enforce, Harden): Firewall, VPN, NGFW, UTM, NAC + Identity Services
• DURING (Detect, Block, Defend): NGIPS, Web + Email Security
• AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
ISE Ecosystem + pxGrid spans all three phases: ISE provides visibility, context, and control across the entire continuum.
ISE is a Standards-Based AAA Server
Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols
• Wired: 802.1X = EAP over LAN (EAPoLAN)
• Wireless: 802.1X = EAP over WLAN (EAPoWLAN)
• VPN: SSL/IPsec
(Diagram: wired, wireless and VPN access devices all authenticate against the ISE Policy Server; Cisco Prime appears alongside as the network management platform.)
ISE Offers Secure Access at Multiple Levels
• Who? Employee, guest
• What? Personal device, company asset
• How? Wired, wireless, VPN
• Where? @ Cafe, headquarters
• When? Weekends, 9:00am – 5:00pm PST
Positioning ISE in an Enterprise Network
The Different Ways ISE can be Leveraged
• Guest Access Management: easily provide guests limited-time, limited-resource Internet access
• BYOD and Enterprise Mobility: seamlessly and securely onboard devices with the right levels of access
• Secure Access across the Entire Network: simplify and unify enterprise network access policy across wired, wireless, and VPN
• With Cisco TrustSec: identity-aware network segmentation and access policy enforcement
Cisco ISE Architecture
ISE Nodes (and Personas)
• A single ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy Service
• Inline Posture: a single inline posture node (appliance only)
Policy Administration Node (PAN)
• Writeable access to the database
• Interface to configure and view policies
• Responsible for policy sync across all PSNs and the secondary PAN
• Provides: licensing, admin authentication & authorization, admin audit
• Each ISE deployment must have at least one PAN
• Only 1x primary and 1x secondary (backup) PAN possible
(Diagram: PAN administration, with AD/LDAP as the external ID store.)
Monitoring and Troubleshooting Node (MnT)
• Logging and reporting
• The MnT node receives logging from PAN, PSN, IPN, NAD, and ASA
• Each ISE deployment must have at least one MnT
• Max 1x primary and 1x secondary (backup) MnT possible
How the MnT node correlates what it receives:
• Syslog from access devices is correlated with the user/device session
• Syslog from the firewall (ASA) is correlated with the guest access session
• Syslog from other ISE nodes (PAN, PSN, IPN) is sent to the monitoring node for reporting
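The session correlation the MnT slide describes, as an added example that is not code from the deck or from ISE: two constructed ISE-style session records and a few constructed firewall deny lines (in the style of the ASA %ASA-4-106023 message) are joined on endpoint IP and time, so each firewall event is attributed to the authenticated user and MAC rather than to a bare address. Usernames, MACs, addresses, timestamps and the session record layout are all constructed for the example; real MnT session data carries many more attributes.

```python
import re
from datetime import datetime

# Constructed ISE-style session records: the minimum fields needed to join on.
# Note the same IP (10.1.1.10) is held by two different users on the same day,
# which is why the join must use the session time window, not just the address.
SESSIONS = [
    {"user": "alice", "mac": "00:11:22:33:44:55", "ip": "10.1.1.10",
     "start": datetime(2015, 3, 2, 9, 0), "end": datetime(2015, 3, 2, 12, 30)},
    {"user": "bob", "mac": "66:77:88:99:aa:bb", "ip": "10.1.1.10",
     "start": datetime(2015, 3, 2, 13, 0), "end": None},          # still active
    {"user": "guest-7421", "mac": "cc:dd:ee:ff:00:11", "ip": "10.1.1.11",
     "start": datetime(2015, 3, 2, 10, 15), "end": None},
]

# Constructed firewall lines in the style of ASA %ASA-4-106023 deny messages.
FIREWALL_SYSLOG = """\
Mar 02 2015 11:05:12 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.10/51234 dst outside:203.0.113.5/445 by access-group "inside_in"
Mar 02 2015 13:42:08 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.10/51900 dst outside:198.51.100.7/22 by access-group "inside_in"
Mar 02 2015 14:10:00 fw1 %ASA-4-106023: Deny udp src inside:10.1.1.11/5353 dst outside:224.0.0.251/5353 by access-group "inside_in"
Mar 02 2015 14:11:30 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.99/40000 dst outside:203.0.113.9/80 by access-group "inside_in"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_asa_line(line):
    """Parse one deny line into a dict, or return None if it is not a 106023 deny."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %Y %H:%M:%S")
    return event


def session_for(ip, at, sessions=SESSIONS):
    """Return the session that owned `ip` at time `at`, or None if nobody was authenticated on it."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= at and (s["end"] is None or at < s["end"]):
            return s
    return None


def correlate(syslog_text, sessions=SESSIONS):
    """Attribute each firewall deny to the user/MAC authenticated on the source IP at that time."""
    results = []
    for line in syslog_text.splitlines():
        event = parse_asa_line(line)
        if event is None:
            continue
        s = session_for(event["src_ip"], event["ts"], sessions)
        results.append({
            "ts": event["ts"],
            "src_ip": event["src_ip"],
            "dst": f'{event["dst_ip"]}:{event["dst_port"]}',
            "user": s["user"] if s else None,
            "mac": s["mac"] if s else None,
        })
    return results


def denies_per_user(syslog_text, sessions=SESSIONS):
    """Count denies by attributed user; events with no session show up as 'unattributed'."""
    counts = {}
    for row in correlate(syslog_text, sessions):
        key = row["user"] or "unattributed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for row in correlate(FIREWALL_SYSLOG):
        print(row)
    print(denies_per_user(FIREWALL_SYSLOG))
```

The unattributed bucket is the interesting one operationally: an address generating denies with no matching session is either a device that bypassed 802.1X/MAB, a stale binding, or clock skew between the firewall and the session store, and all three are worth an alert.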
Network Access Device (NAD), Also Known as the ‘RADIUS Client’
• Major Secure Access component that enforces network policies
• The NAD sends a request to the PSN and implements the authorization decision it returns for the resource
• Common enforcement mechanisms: VLAN assignment, dACLs, Security Group Access (SGA)
• Basic NAD types: Cisco Catalyst switches, Cisco Wireless LAN Controllers, Cisco ASA (“VPN concentrator”)
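The RADIUS exchange behind the NAD and PSN slides, as an added example that is not code from the deck, from ISE or from a Cisco NAD: the PSN answers the NAD's Access-Request with an Access-Accept carrying the three enforcement results listed above (VLAN via the RFC 2868 tunnel attributes, the dACL name and the SGT via Cisco vendor-specific cisco-av-pair strings), and the NAD checks the RFC 2865 Response Authenticator against the shared secret before it applies any of them. The shared secret, request authenticator, VLAN, dACL name and SGT are constructed values; the attribute numbers and the authenticator formula are from the RFCs.

```python
import hashlib
import hmac
import struct

# Constructed value for this example (not from the original deck).
SHARED_SECRET = b"nad-psn-shared-secret"

# RADIUS codes and attribute numbers (RFC 2865, RFC 2868).
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
VENDOR_CISCO = 9
CISCO_AVPAIR = 1          # vendor type of cisco-av-pair inside the VSA
HEADER_LEN = 20           # code(1) + id(1) + length(2) + authenticator(16)


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag, number):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def cisco_avpair(text):
    """Vendor-Specific attribute carrying a single cisco-av-pair string."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def build_access_accept(identifier, request_authenticator, vlan, dacl_name, sgt,
                        secret=SHARED_SECRET):
    """PSN side: Access-Accept with VLAN, dACL name and SGT, plus the Response Authenticator."""
    attrs = b"".join([
        _attr(ATTR_TUNNEL_TYPE, _tagged_int(1, TUNNEL_TYPE_VLAN)),
        _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(1, TUNNEL_MEDIUM_IEEE802)),
        _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan).encode()),
        cisco_avpair(f"ACS:CiscoSecure-Defined-ACL={dacl_name}"),
        cisco_avpair(f"cts:security-group-tag={sgt:04x}-00"),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret=SHARED_SECRET):
    """NAD side: length field must match and the Response Authenticator must verify."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_authorization(packet):
    """NAD side: pull the VLAN, dACL name and SGT a switch would enforce from an Access-Accept."""
    result = {"code": packet[0], "vlan": None, "dacl": None, "sgt": None}
    attrs, pos = packet[HEADER_LEN:], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + length]
        pos += length
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:          # leading tag byte, per RFC 2868
                value = value[1:]
            result["vlan"] = value.decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_id == VENDOR_CISCO and vendor_type == CISCO_AVPAIR:
                text = value[6:4 + vendor_len].decode()
                if text.startswith("ACS:CiscoSecure-Defined-ACL="):
                    result["dacl"] = text.split("=", 1)[1]
                elif text.startswith("cts:security-group-tag="):
                    # value is "<sgt hex>-<generation>", e.g. 0005-00
                    result["sgt"] = int(text.split("=", 1)[1].split("-")[0], 16)
    return result


if __name__ == "__main__":
    req_auth = bytes(range(16))     # in real traffic: random, chosen by the NAD per request
    pkt = build_access_accept(7, req_auth, vlan=10, dacl_name="#ACSACL#-IP-EMPLOYEE-1", sgt=5)
    print(verify_response(pkt, req_auth), parse_authorization(pkt))
```

Two caveats a practitioner should keep in mind: the Response Authenticator is only an MD5 over the shared secret, and for EAP (802.1X) RFC 3579 additionally requires the HMAC-MD5 Message-Authenticator attribute in packets carrying EAP-Message; and classic RADIUS runs over unencrypted UDP, so the attributes that decide VLAN, dACL and SGT are visible in transit and protected only by the per-NAD secret. Use strong, unique secrets per NAD, and RADIUS over TLS/DTLS where the platforms support it.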
Policy Service Node (PSN)
• RADIUS server for the Network Access Devices
• Per policy decision, responsible for: network access (such as AAA RADIUS services), posture, guest access (web portals), profiling, client provisioning, BYOD / MDM services
• Directly communicates with the external identity store (AD/LDAP/RADIUS) for user authentication
• Provides the GUI for sponsors, agent download, guest access, device registration, and device onboarding
(Diagram: NAD ↔ PSN over RADIUS/profiling, with WebAuth, posture/MDM and client provisioning delivered to the endpoint; PSN ↔ external ID store over AD/LDAP/RADIUS.)
ISE Policy Architecture
Policy Synchronization
Changes made via the primary PAN database are automatically synced to the secondary PAN and all PSNs.
(Diagram: an admin user makes a policy change on the primary PAN; the primary PAN pushes policy sync to the secondary PAN and to every PSN. Changes that originate on a PSN, such as guest account creation or a device profile update, are written to the primary PAN and synced out the same way.)
ISE Deployment – Scenario 1: CENTRALIZED DEPLOYMENT EXAMPLE (<2,000 Devices)
• Two ISE nodes in Data Center A, a primary and a secondary, each running all three personas (Admin, Monitor, Policy Service)
• External ID store: AD/LDAP
• NADs: wireless controller and switch in Data Center A; switch and AP at Site B and at Site C
ISE Deployment – Scenario 2: CENTRALIZED DEPLOYMENT EXAMPLE (5,000 Devices)
• Primary and secondary A&M nodes (Administration and Monitoring personas) in Data Center A
• Two dedicated Policy Service Nodes in Data Center A
• External ID store: AD/LDAP
• NADs: wireless controller and switch in Data Center A; switch and AP at Site B and at Site C
ISE Deployment – Scenario 3: DISTRIBUTED DEPLOYMENT EXAMPLE (20,000 Devices)
• Dedicated primary and secondary Admin nodes, and dedicated primary and secondary Monitor nodes, distributed across Data Center A and Data Center B
• Multiple Policy Service Nodes spread across both data centers, each data center with its own AD/LDAP and WLC
• NADs: WLCs in the data centers; switch and AP at Site C and at Site D
ISE Software Licensing Components
• ISE Base (Wired/Wireless/VPN): AAA, 802.1X, TrustSec, Enhanced Guest, multiple APIs
• ISE Plus (Wired/Wireless/VPN): unified endpoint profiling / feed service, BYOD device onboarding + internal CA, pxGrid + EPS
• ISE Apex (Wired/Wireless/VPN): MDM third-party integration, compliance & remediation
• ISE Wireless: wireless only
ISE Hardware Licensing Components (endpoint scale by appliance, the ISE deployment size axis of the chart)
• SNS-3495: 20,000 endpoints
• ISE-3395: 10,000 endpoints
• ISE-3355: 6,000 endpoints
• SNS-3415: 5,000 endpoints
• ISE-3315 / ACS-1121: 3,000 endpoints
• Virtual appliances: 3,000 – 20,000* endpoints
ISE Virtual Appliances are available individually, in bundles of 5, and in bundles of 10.
* Actual scalability of ISE VM instances varies based on allocated resources and other variables.
Cisco ISE – MDM, TrustSec, and pxGrid
ISE Integration with MDM (Third Party)
• MDM device registration via ISE: non-registered clients are redirected to the MDM registration page
• Restricted access: non-compliant clients are given restricted access based on policy
• Endpoint MDM agent: compliance and device application checks
• Device actions from ISE: e.g. device stolen -> wipe data on the client
DC, Campus and Branch Segmentation with TrustSec
• Segment traffic based on classified group, i.e. Security Group Tags (SGT), not based on topology (VLAN, IP subnet)
• Allows micro-segmentation in the LAN (segment devices even in the same VLAN)
(Diagram: ISE assigns Employee, Supplier, Non-Compliant and Voice tags to endpoints on the campus switches; traffic crosses the enterprise backbone to the DC switch, where Shared Services and Application Servers are reached according to tag rather than VLAN.)
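Topology-independent enforcement, as an added example that is not code from the deck or from a Cisco switch: a small SGT policy matrix in the spirit of the slide (Employee, Supplier, Non-Compliant, servers) is evaluated against flows whose endpoints sit in the same VLAN and subnet, so the decision comes from the (source SGT, destination SGT) pair and its SGACL, not from the IP addresses. Tag numbers, addresses, subnet mappings and ACL contents are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed SGT numbers (ISE hands these out in the authorization result).
SGT = {"Unknown": 0, "Employee": 4, "Supplier": 5, "Non_Compliant": 6,
       "Shared_Services": 10, "App_Servers": 11, "Remediation": 12}

# Dynamic IP-to-SGT bindings from authenticated sessions; all four hosts share one VLAN/subnet.
SESSION_BINDINGS = {
    "10.1.1.10": SGT["Employee"],
    "10.1.1.11": SGT["Supplier"],
    "10.1.1.12": SGT["Non_Compliant"],
    "10.1.1.13": SGT["Employee"],
}
# Static subnet-to-SGT mappings for server ranges, as configured on the DC switch.
STATIC_BINDINGS = [
    (ip_network("10.20.0.0/24"), SGT["Shared_Services"]),
    (ip_network("10.30.0.0/24"), SGT["App_Servers"]),
    (ip_network("10.40.0.0/28"), SGT["Remediation"]),
]

# SGACL entries: (action, protocol, destination port or None for any). First match wins.
PERMIT_IP = [("permit", "ip", None)]
DENY_IP = [("deny", "ip", None)]
WEB_ONLY = [("permit", "tcp", 443), ("permit", "tcp", 80), ("deny", "ip", None)]

# Policy matrix keyed by (source SGT, destination SGT); pairs not listed use DEFAULT.
MATRIX = {
    (SGT["Employee"], SGT["Employee"]): PERMIT_IP,
    (SGT["Employee"], SGT["Shared_Services"]): PERMIT_IP,
    (SGT["Employee"], SGT["App_Servers"]): WEB_ONLY,
    (SGT["Supplier"], SGT["App_Servers"]): WEB_ONLY,
    (SGT["Supplier"], SGT["Employee"]): DENY_IP,
    (SGT["Non_Compliant"], SGT["Remediation"]): WEB_ONLY,
}
DEFAULT = DENY_IP   # deny-by-default for unlisted pairs is a deployment choice made here


def classify(ip):
    """SGT for an address: session binding first, then static subnet mapping, else Unknown."""
    if ip in SESSION_BINDINGS:
        return SESSION_BINDINGS[ip]
    addr = ip_address(ip)
    for net, tag in STATIC_BINDINGS:
        if addr in net:
            return tag
    return SGT["Unknown"]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return ('permit'|'deny', src_sgt, dst_sgt) for one flow, first matching SGACL entry wins."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    for action, acl_proto, acl_port in MATRIX.get((src_sgt, dst_sgt), DEFAULT):
        if acl_proto in ("ip", proto) and acl_port in (None, dport):
            return action, src_sgt, dst_sgt
    return "deny", src_sgt, dst_sgt


if __name__ == "__main__":
    # Same VLAN, same /24: employee-to-employee passes, supplier-to-employee does not.
    print(evaluate("10.1.1.10", "10.1.1.13", "tcp", 445))
    print(evaluate("10.1.1.11", "10.1.1.10", "tcp", 445))
    # Non-compliant endpoint reaches only the remediation servers, and only over web ports.
    print(evaluate("10.1.1.12", "10.40.0.2", "tcp", 443))
    print(evaluate("10.1.1.12", "10.20.0.2", "tcp", 443))
```

The check a practitioner should add to any TrustSec design review: the SGACL is applied at the egress device that knows the destination binding, so a flow whose source tag never reached that device (no inline tagging on the path and no SXP propagation) is classified as Unknown there, and whatever the Unknown row of the matrix says is what actually gets enforced.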
TrustSec Common Deployment Scenarios
User to Data Center Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export-controlled information
Data Center Segmentation
• Server zoning & micro-segmentation
• Production vs development server segmentation
• Merger and acquisition integration, divestments
• Compliance requirements: PCI, HIPAA
• Firewall rule automation
Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine
Cisco Platform Exchange Grid – pxGrid: INFRASTRUCTURE FOR A ROBUST ECOSYSTEM
Three pillars: Context Sharing; Single, Scalable Framework; Direct, Secured Interfaces
• Single framework: develop once, instead of against multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional: share and consume context
• Enables any pxGrid partner to share with any other pxGrid partner
• Integrating with Cisco ONE SDN for broad network control functions
Unified Threat Response by Sharing Data Across the Network
1. ISE collects contextual data (who, what, when, where, how) from the Cisco network
2. Context is shared via pxGrid technology (the pxGrid controller)
3. Partners in the Cisco and partner ecosystem use the context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Q&A
Thank You