
Page 1: Cisco Identity Services Engine

Chad Mitchell, CCIE #44090
Security Consulting Systems Engineer, GSSO
April 2017

Threat Centric Identity & Access Control

Cisco Identity Services Engine

Page 2: Cisco Identity Services Engine

Cisco ISE and AnyConnect

Access Policy

Who

What

How

When

Where

Health

Threats

Cisco ISE

CVSS

Wired Wireless VPN

Role-Based Access Control | Guest Access | BYOD | Secure Access

For Endpoints For Network

Cisco ISE

Partner Eco System

SIEM, MDM, NBA, IPS, IPAM, etc.

pxGrid and APIs

Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include: posture assessment, malware protection, web security, MAC Security, network visibility and more.

Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks.

Page 3: Cisco Identity Services Engine

Managing Policy Based on ‘Trust’: Connecting Trusted Users and Devices to Trusted Services

Diagram: trust matrix (check and cross marks in the original). Rows: Trusted User, Partners. Columns: Cloud App A, Cloud App B (Cloud); Server A, Server B (On Prem). Legend: Trusted Asset, Trusted App/Services, Non-Trusted App/Services.

Improved Visibility and Decision | Software-Defined Segmentation, Service Access and Entitlement

Location-Free App/Service Access

Vulnerability

Threats

Posture

Behavior

Time

Location

User-Groups Device-type

Cisco Identity Services Engine

Office 365

Microsoft Exchange Outlook

Page 4: Cisco Identity Services Engine

ISE Use Cases: The Advantages Are Built-In!

Visibility: Shows customers who and what is on their network, and shares that context with FMC and Stealthwatch for better threat and behavioral clarity.

DEFCON Policy Enforcement: When there is a security outbreak, customers have one button to push to activate different policies network-wide, using software-defined segmentation.

Guest Access

Simplified Firewall Rule Management with TrustSec: The number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs.

Always-on Policy Compliance: Assurance that your network, devices and their behaviors are compliant with company and regulatory requirements.

Rapid Threat Containment: Stop threats anywhere in the network from one console.

TrustSec Software-Defined Segmentation: Easily create segments on the network and NGFW to increase protection and reduce malware proliferation.

Next Gen Access Control: Control access to the network and resources based on context, for more accurate access policy options and enforcement.

Ecosystem Integration: One framework to integrate different security products, share intel, see threats faster and take action from the customer’s preferred product, such as FMC or Splunk.

Page 5: Cisco Identity Services Engine

ISE can Collect Contextual Information from the Network

The Contextual information can then be shared with systems

Network

Cisco ISE

Security Starts with ‘Visibility’

Visibility

Page 6: Cisco Identity Services Engine

ISE Dashboard: Summary

Visibility

Page 7: Cisco Identity Services Engine

Discover the Network for Devices and Users: ISE Visibility Setup Wizard

• Discover network assets and endpoints in minutes using a Wizard.

• Connect to Identity Stores (e.g. join an Active Directory).

Visibility

Page 8: Cisco Identity Services Engine

Network Device Discovery

ISE can do an SNMP scan of the network and populate the Network Devices.

* Only supported on Standalone ISE deployment.

Name IP Address Device Type Location Description

Cat3850-1 10.1.100.1 Switch Bldg-A Cisco IOS Software XE..

ISR4KX-1 10.1.100.2 Router Bldg-A Cisco IOS Software XE..

WLC5520-1 10.1.100.3 Controller DC-01 Cisco Controller

N5K-1 10.1.100.4 Switch DC-01 Cisco Nexus OS version..

Visibility

Page 9: Cisco Identity Services Engine

Context Visibility

• Context Tabs
• Interactive Charts
• Action Bar for endpoints
• Breadcrumbs for filters
• Dynamically updated table based on filter

Visibility

Page 10: Cisco Identity Services Engine
Page 11: Cisco Identity Services Engine

How Does ISE Get All That Information? Cisco ISE Profiling

Feed Service (Online/Offline)

Active Probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP

Device Sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS

1.5 million devices with ‘50’ attributes each can be stored

550+ high-level canned profiles, plus periodic feeds

250+ medical device profiles

Cisco ISE

Cisco Network

Visibility

Page 12: Cisco Identity Services Engine

Application Visibility Using ISE: ISE Posture

Continuous data monitoring on apps: ISE collects and monitors data from the user’s device every 5 minutes (can be set to 1 minute for demo purposes). AnyConnect reports a complete list of running applications and installed applications.

Visibility

Page 13: Cisco Identity Services Engine

Application ‘Visibility’ via AnyConnect: AnyConnect as a Collector Using NVM

Cisco AnyConnect with ‘Network Visibility’ module

IPFIX/NetFlow Collector

Corporate | Public

Visibility into process, process hash, URLs, and more

Context for Network Behavioral Analysis

Control run-time applications via ‘Posture Policies’

Outlook

Microsoft

Visibility

Page 14: Cisco Identity Services Engine

ISE Passive Identity Connector (ISE-PIC): Collect and Share Identity Information

Input to ISE-PIC/ISE: WMI, REST API, Syslog, ISE-PIC Agent, Kerberos (SPAN), Custom Apps, Endpoint Probe (Still There? Same User?), Active Directory; sources include VMware infrastructure, Windows Terminal Services and almost anything else.

Output: Legacy CDA-RADIUS (ASA), pxGrid Pub/Sub Bus (WWW, FMC)

Legacy CDA-RADIUS: not available at FCS, planned for ~2.2p1

Testing Exercise

Visibility

Page 15: Cisco Identity Services Engine

Network Resources

Role-based policy access

Traditional TrustSec

BYOD Access

Secure Access

Guest Access

Role-based Access

Next Gen Access Control in Action: ISE Automatically Applies Policy to Identity Context to Control Access

Identity Profiling and Posture: Who, What, When, Where, How, Compliant

Network Door: Physical or VM

Context: ISE pxGrid controller

Next Gen Access Control

Page 16: Cisco Identity Services Engine

Access Control

Passive Identity | Active Identity

Authentication methods:
• MAC Authentication Bypass
• Easy Connect®
• IEEE 802.1X
• Web Authentication
  - Central WebAuth
  - Local WebAuth

Enterprise network: AD/LDAP/SQL. External Identity Stores: Active Directory, LDAP Servers, SQL Server. Passwords/Tokens. Built-in CA. ASP: Auto Smart Port.

Native Supplicants / Cisco AnyConnect (802.1X)

Scale: 500,000 concurrent sessions; up to 100K Network Devices; up to 50 distinct AD join point support; 300K Internal Users

Next Gen Access Control

Page 17: Cisco Identity Services Engine

Authentications and Authorizations

ENTERPRISE NETWORK

SAML iDPs

APIs

Single Sign-On

LDAP/SQL

Active Directory

LDAP Servers

SQL Server

External Identity Stores

Passwords/Tokens

Native Supplicants / Cisco AnyConnect (802.1X)

Up to 50 distinct AD domain support

Passive Identity | Active Identity

Authentication Methods:
• MAC Authentication Bypass
• Easy Connect®
• IEEE 802.1X
• Web Authentication
  - Central WebAuth
  - Local WebAuth

Authorization Options:
• Downloadable/Named ACL
• Airespace ACL
• VLAN Assignment
• Security Group Tags
• URL-Redirection
• Port Configuration (ASP)

Certificate Authorities

SCEP/CRL

Certificate based Auth

Microsoft Azure

Next Gen Access Control

Page 18: Cisco Identity Services Engine

White Listing Devices: MAC Authentication Bypass (MAB)

MAB requires a MAC database | ISE can build this database dynamically

Endpoints without a supplicant will fail 802.1X authentication!

1. 802.1X: the Network Device asks the endpoint “What’s your Id?”; no answer = timeout.
2. No 802.1X, MAB: any packet from the machine (MAC: 00-10-23-AA-1F-38) is used as its identity; Cisco ISE replies ACCESS-ACCEPT.

Bypassing “Known” MAC Addresses

Next Gen Access Control

Page 19: Cisco Identity Services Engine

ISE Deployment Assistant (IDA) to Simplify Cisco ‘Network Device’ Configurations

ISE Service

Per Device Actionable Information

• Network Assessment

• Configuration of NADs (Network Access Devices)

• Ability to Troubleshoot failed authentications

Next Gen Access Control

Page 20: Cisco Identity Services Engine

Authorization: 3 Major Authorization Options for ‘Access Control’

DACL or Named ACL: Downloadable ACL (Wired) or Named ACL (Wired + Wireless)

  Contractor:
    deny ip host <protected>
    permit ip any any

  Employee:
    permit ip any any

VLANs: Dynamic VLAN Assignments, per port/per domain/per MAC (Employees: VLAN 3; Guest: VLAN 4; Remediation)

Security Group Tags: 16-bit SGT assignment and SGT-based Access Control (TrustSec Software-Defined Segmentation)

Next Gen Access Control

Page 21: Cisco Identity Services Engine

ISE Supports 3rd Party ‘Network Devices’

Cisco customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits

Protect consistently: Deploy ISE across network devices, including non-Cisco NADs

Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access

Maximize value: Realize additional value from your existing infrastructure

ISE 1.0: 802.1x. New with ISE 2.1: Profiling, Posture, Guest, BYOD and many more.

Compatible device vendors*: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

Capabilities

• Templatized MAB configuration for select non-Cisco vendor devices

• CoA and URL re-direction

• Non-Cisco NADs enabled to drive regular 802.1x operations

*For additional information, refer to the Cisco Compatibility Matrix

Next Gen Access Control

Page 22: Cisco Identity Services Engine

Software-Defined Segmentation: Easily Classify Endpoint Devices and Use Group-Based Policies in NGFWs and the Network

Diagram: endpoints classified into security groups. SGT_Guest: Guest 1–4. SGT_Employee: Employee 1–4. SGT_FinanceServer: Fin 1, Fin 2. SGT_Printers: Printer 1, Printer 2. SGT_BuildingManagement: Temperature Device 1, Temperature Device 2, Surveillance Device 1, Surveillance Device 2.

Software-Defined Segmentation

Page 23: Cisco Identity Services Engine

Simplifying Segmentation with TrustSec

Traditional Segmentation: security policy based on topology; high cost and complex maintenance.
  Access Layer: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD), Quarantine VLAN (Non-Compliant)
  Aggregation Layer: VLAN address, DHCP scope, redundancy, routing, static ACL, VACL
  Enterprise Backbone

TrustSec: use existing topology and automate security policy to reduce OpEx.
  ISE: No VLAN Change, No Topology Change, Central Policy Provisioning, Micro/Macro Segmentation
  Access Layer: Voice VLAN (Voice), Data VLAN (Employee, Supplier, BYOD, Non-Compliant) carrying Employee Tag, Supplier Tag, Non-Compliant Tag
  Enterprise Backbone, DC Firewall/Switch, DC Servers, Policy

Software-Defined Segmentation

Page 24: Cisco Identity Services Engine

Segmentation Management: Maintain Agility with Simple, Dynamic Policy Updates

Diagram: TrustSec policy matrix. Sources: Guest, Employee BYOD, Building Mgmt., Employee. Destinations: Company Database, Public Cloud, External Partner, Internet. Each cell is set to Define Access, Permit, Deny or Web Apps.

Simplify role creation: Define access policies using plain language instead of complex ACLs and firewall rules

Maintain and scale dynamically: Defining policies with logical tags means that rules don’t depend on individual IP addresses and can be dynamically and transparently changed no matter the group size

Apply rules automatically: Define segmentation based on logical groupings that are applied automatically

Software-Defined Segmentation

Page 25: Cisco Identity Services Engine

Campus/Branch/DC Segmentation: Segment traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)

Micro-Segmentation/Host Isolation in LAN and DC with a single policy (segment devices even in the same VLAN or same security group)

Diagram: VLAN Data-1 and VLAN Data-2 each carrying Voice, Employee, Supplier and Non-Compliant endpoints (Employee Tag, Supplier Tag, Non-Compliant Tag); Data Center Application Servers (Application Servers Tag) and Shared Services (Shared Services Tag); SGACLs distributed by ISE and enforced in the network.

Software-Defined Segmentation

Page 26: Cisco Identity Services Engine

Scalable Policy Enforcement Across TrustSec and ACI Domains: TrustSec-ACI Inline Tagging

Capabilities

• Data plane integration allows inline tagging between TrustSec and ACI

• Translate information between TrustSec and ACI environments

• Scales the ability to address breach, segmentation, and compliance challenges

• Consistently shares security policy groups between TrustSec networks of any size and ACI domains

Diagram: TrustSec Policy Domain (Campus/Branch/Data Center/VPN; Campus Networks/Branch WAN) with groups Voice, Employee, Non-Compliant, BYOD, Point of Sale, Auditor; ACI Policy Domain (ACI Data Center). TrustSec SGTs mapped to and from ACI EPGs.

Now, consistent policies can be enforced across networks of any size, providing an increased ability to scale your security policy enforcement.

Benefits

Consistent segmentation: By enforcing group-based policy approaches

Scalable and efficient: Policy enforcement across networks of any size

Simplified management: Of access policies, which simplifies security design, operations, and compliance

Page 27: Cisco Identity Services Engine

TrustSec Policy Matrix (SGACL)

Servers SGT: 10 | Enforcement

permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
permit tcp dst eq 3804 log
permit tcp dst eq 8443 log
permit tcp dst eq 8191 log
permit tcp dst eq 5222 log
permit tcp dst eq 37200 log
permit tcp dst eq 443 log
permit tcp dst eq 2748 log
permit tcp dst eq 5060 log
permit tcp dst eq 5061 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log

Software-Defined Segmentation

Page 28: Cisco Identity Services Engine

Traditional IP-based access list:

access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Simplifying Firewall Rule Management with TrustSec

• Simplified rule management:
  - Define protected assets by their role, not IP address
  - Works across TrustSec and ACI environments
  - Avoids complexity and add/move/change effort
  - Leads to a much simpler and smaller rule-base
  - Consistent, clear, simple rules

Source | Destination | Action

IP | Group/User | Security Group | IP | Security Group | Port | Action
ANY | ANY | Employees on Corporate Assets | ANY | ACI_Intranet_Servers_EPG | Any tcp | Allow
ANY | ANY | Senior Execs on registered BYOD devices | ANY | ACI_Finance_Servers_EPG | http, https | Allow
ANY | ANY | Contractors on unmanaged devices | ANY | ACI_Citrix_VDI_EPG | RDP, ICA | Allow
ANY | ANY | Divested Business – Employees | ANY | Divested Business Servers | ANY | Allow
ANY | ANY | ANY | ANY | ANY | ANY | DENY

Simplified Firewall Rules Management

Page 29: Cisco Identity Services Engine

FTD Policies Based on ISE Attributes and Security Groups: Access Control Policies Based on ISE Attributes (SGT, Device-type and Endpoint Location)

NGIPS/ASA + Firepower

pxGrid

Simplified Firewall Rules Management

Page 30: Cisco Identity Services Engine

ASA with Firepower Services: Inspect Based on SGTs

Servers SGT: 10 | Enforcement

Data Center: Customer DB

Partners, Employee, Suppliers

ASA FirePOWER

Enterprise Backbone

Simplified Firewall Rules Management

Page 31: Cisco Identity Services Engine

Segmentation Policy Sets Based on Risk: Multiple TrustSec Matrices

Capabilities

• Mitigates threats by changing applied policy sets

• Pre-determined segmentation policies enable error-free changes

• Allows distinct policy sets to be applied to different environments

• Flexible policy setup for multiple operational use cases

Apply different TrustSec policy sets for different environments or risk conditions. Create different policy sets and apply different policies to different business environments. Easily change policies.

Benefits

Threat response: By applying risk-based, predefined policies

Simplified Operations: Allow policy changes to be applied to different operational zones with centralized management

Segmentation flexibility: Enables customers to differentiate their segmentation to sites based on business role

Global DEFCON Use Case: Policies 1 2 3 4 5, Apply

Local policy sets for high-risk locations, compliance-critical environments: Policies 1 2 3 4 5

1. London DCs
2. High Risk Sites
3. PCI Zones
4. Development locations
5. NY Data Centers

Page 32: Cisco Identity Services Engine

DefCon Policy Sets

Two TrustSec policy matrices with the same axes. Source: LoB 1 Employee, LoB 2 Employee, Partner 1, Partner 2, POS Terminal. Destination: LoB 1 Employee, LoB 2 Employee, Partner 1, Partner 2, PCI Server, Shared Apps, LoB 1 Apps, LoB 2 Apps.

Standard Policy

DEFCON3 Policy: Restrict All Lateral Movement

Multiple levels of policy sets applied globally: DEFCON 5 4 3 2 1

DEFCON Policy Enforcement
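The policy matrix on page 27 (one SGACL per source/destination SGT cell, evaluated first-match with a trailing "deny ip log") and the DEFCON policy sets on pages 31 and 32 (several matrices, one selected by risk level) can be modelled as a small evaluator. The following is an added example, not Cisco code and not ISE's own SGACL grammar: it parses the "permit <proto> dst eq|range ... log" and "deny ip log" lines in the form the slide uses, looks the cell up in the matrix chosen by DEFCON level, and returns the matching ACE. The SGT numbers, group names, the DEFCON 3 cell contents and the default-permit fallback for unconfigured cells are constructed assumptions for illustration.

```python
"""Evaluate TrustSec SGACL cells across DEFCON policy sets (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # 0 when the protocol has no port


@dataclass(frozen=True)
class Verdict:
    action: str     # "permit" or "deny"
    log: bool       # whether the matching ACE carries "log"
    ace: str        # the ACE text that matched


# ACE syntax as it appears on the slide: permit/deny, protocol, optional
# destination port (eq N or range LO HI), optional "log".
_ACE = re.compile(
    r"^(permit|deny)\s+(tcp|udp|icmp|ip)"
    r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?"
    r"(\s+log)?$"
)


def parse_sgacl(text):
    """Parse one ACE per line into (action, proto, lo, hi, log, ace) tuples."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ACE.match(line)
        if m is None:
            raise ValueError(f"unsupported SGACL line: {line!r}")
        action, proto, eq, lo, hi, log = m.groups()
        if eq is not None:
            lo = hi = int(eq)
        elif lo is not None:
            lo, hi = int(lo), int(hi)
        aces.append((action, proto, lo, hi, log is not None, line))
    return aces


def evaluate_sgacl(aces, flow):
    """First-match evaluation; an SGACL with no match ends in implicit deny."""
    for action, proto, lo, hi, log, ace in aces:
        if proto != "ip" and proto != flow.proto:
            continue
        if lo is not None and not lo <= flow.dst_port <= hi:
            continue
        return Verdict(action, log, ace)
    return Verdict("deny", False, "implicit deny")


# Constructed SGT values for the groups named on the DEFCON slide.
SGT_EMPLOYEE, SGT_PARTNER, SGT_POS, SGT_PCI_SERVER, SGT_SHARED_APPS = 10, 20, 30, 40, 50

# Subset of the page-27 SGACL protecting the servers group.
SERVERS_SGACL = """
permit tcp dst eq 443 log
permit tcp dst eq 8443 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
"""

STANDARD_MATRIX = {
    (SGT_EMPLOYEE, SGT_SHARED_APPS): SERVERS_SGACL,
    (SGT_PARTNER, SGT_SHARED_APPS): "permit tcp dst eq 443 log\ndeny ip log",
    (SGT_POS, SGT_PCI_SERVER): "permit tcp dst eq 443 log\ndeny ip log",
    (SGT_EMPLOYEE, SGT_EMPLOYEE): "permit ip",
}

# DEFCON 3 on the slide restricts all lateral movement: every user-to-user
# cell becomes deny, while the server cells are carried over unchanged.
DEFCON3_MATRIX = dict(STANDARD_MATRIX)
for _src in (SGT_EMPLOYEE, SGT_PARTNER, SGT_POS):
    for _dst in (SGT_EMPLOYEE, SGT_PARTNER, SGT_POS):
        DEFCON3_MATRIX[(_src, _dst)] = "deny ip log"

POLICY_SETS = {5: STANDARD_MATRIX, 3: DEFCON3_MATRIX}


def decide(flow, defcon=5, default_sgacl="permit ip"):
    """Pick the matrix for the DEFCON level, find the cell, evaluate the flow.

    Cells that are not configured fall back to default_sgacl (an assumed
    default permit, as an unconfigured TrustSec cell behaves).
    """
    cell = POLICY_SETS[defcon].get((flow.src_sgt, flow.dst_sgt), default_sgacl)
    return evaluate_sgacl(parse_sgacl(cell), flow)


if __name__ == "__main__":
    for lvl in (5, 3):
        v = decide(Flow(SGT_EMPLOYEE, SGT_EMPLOYEE, "tcp", 445), defcon=lvl)
        print(f"DEFCON {lvl}: employee->employee tcp/445 {v.action} ({v.ace})")
```

Switching a deployment from level 5 to level 3 changes nothing in the SGACL text for the server cells; only the user-to-user cells flip to deny, which is what makes a pre-built policy set safe to apply under pressure.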

Page 33: Cisco Identity Services Engine

Posture

Remediation Actions

Anti-Malware Condition

Anti-Spyware Condition

Anti-Virus Condition

File Remediations

Launch Program Remediations

Link Remediations

Patch Management Remediations

USB Remediations

Windows Server Update Services (WSUS)

Windows Update Remediations

Always-on Policy Compliance

Posture defines the state of compliance with the company’s security policy

Posture Flow

1. Authenticate User/Device. Posture: Unknown/Non-Compliant?
2. Quarantine: Limited Access via VLAN/dACL/SGTs
3. Posture Assessment: Check Hotfix, AV, PIN lock, USB Device, etc. (Anti-Virus? Antivirus Update)
4. Remediation: WSUS, Launch App, Scripts, MDM, etc.
5. Authorization Change: Full Access via VLAN/dACL/SGTs

Posture

Anti-Malware Condition

Anti-Spyware Condition

Anti-Virus Condition

Application Condition

Compound Condition

Disk Encryption Condition

File Condition

Patch Management Condition

Registry Condition

Service Condition

USB Condition

Always-on Policy Compliance

Page 34: Cisco Identity Services Engine

AnyConnect – Way more than VPN

Integration with other Cisco solutions: ASR/CSR, ISR, Switches and Wireless Controllers, Adaptive Security Appliance (ASA), Identity Services Engine (ISE), NetFlow Collectors, Cloud Web Security Services (CWS + WSA), Advanced Malware Protection

Cisco AnyConnect modules: Basic VPN, Advanced VPN, Endpoint Compliance, Inspection Service, Enterprise Access, Threat Protection, Roaming Protection, Network Visibility, ODNS Plugin

Always-on Policy Compliance

Page 35: Cisco Identity Services Engine

Posture Conditions Explained

Use-Case | Description

File Check Enhancements: Enhanced OS X file checks, SHA 256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”

OS X Daemon Check: User Agent check, user-based process check

Disk Encryption Check: Checks can be based on installation, location and disk encryption state

Reporting: Report based on condition name and condition state

USB Condition and Remediation: “Dynamic”, a.k.a. real-time enforced. Configured at initial posture check or Passive Reassessment checks (PRA). AnyConnect 4.3 enforces the Disk Encryption Policy

Native Patch Management: Patch Management supported via OPSWAT {Install, Enable, Up-To-Date}

AMP Enabler Profile: Download and provisioning of the AMP client module

Posture Lease (from ISE 1.3): Once postured compliant, the user may disconnect/reconnect multiple times before re-posture

For your reference

Posture

Anti-Malware Condition

Anti-Spyware Condition

Anti-Virus Condition

Application Condition

Compound Condition

Disk Encryption Condition

File Condition

Patch Management Condition

Registry Condition

Service Condition

USB Condition

Dictionary Simple Condition

Dictionary Compound Condition

Page 36: Cisco Identity Services Engine

Posture Capabilities (for your reference)

Highlights | Description

File Check Enhancements: Enhanced OS X file checks, SHA 256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”

OS X Daemon Check: User Agent check, user-based process check

Disk Encryption Check: Checks can be based on installation, location and disk encryption state

Reporting: Report based on condition name and condition state

Native Patch Management: Patch Management supported via OPSWAT {Install, Enable, Up-To-Date}

AMP Enabler Profile: Download and provisioning of the AMP client module

Posture Lease (from ISE 1.3): Once postured compliant, the user may disconnect/reconnect multiple times before re-posture

Anti-Malware Checks: Combination of the anti-spyware and anti-virus conditions; supported by the OESIS version 4.x or later compliance module

USB Condition and Remediation: “Dynamic”, a.k.a. real-time enforced. Configured at initial posture check or Passive Reassessment checks (PRA). AnyConnect 4.3 enforces the Disk Encryption Policy

+ISE 2.0: AnyConnect 4.2

+ISE 2.1: AnyConnect 4.3

Page 37: Cisco Identity Services Engine

Posture Capabilities (for your reference)

Highlights | Description

Enhanced Posture Discovery and Client Provisioning: Ability to on-board endpoints using an off-premises portal. Users are protected 100% of the time (On-Prem or Off-Prem). Posture on 3rd party devices (non URL redirect agent to ISE communication)

AnyConnect Headless: AnyConnect agent with no UI for both Win/OS X (no UI module)

Application Visibility, Control and Enforcement: Continuous data monitoring on installed and running applications; ISE collects and monitors data from the user’s device every 5 minutes (can be set to 1 minute for demo purposes)

Firewall enabled checks and remediation: Check if the firewall is running or installed, with the ability to launch the firewall if it is not running

AnyConnect Profile Provisioning using JSON: OpenDNS Umbrella provisioning support

UDID context sharing: Seamless posture experience when switching between wired and wireless, and exposure in Context Directory

Common Certificates and HTTP ports for Posture: Avoiding the unknown cert errors

Apex enforcement (Posture admin UI shuts down)

+ISE 2.2: AnyConnect 4.4

Page 38: Cisco Identity Services Engine

Simple Authorization Policy

Posture Compliant = Full Access | Posture Non-Compliant = Access Limited to Remediation Network

Always-on Policy Compliance
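The posture flow on page 33 (authenticate, quarantine while posture is unknown, assess, remediate, then change authorization) and the simple authorization policy on page 38 (compliant = full access, non-compliant = remediation network) can be exercised end to end in a few dozen lines. The code below is an added example and not Cisco's posture engine: condition names follow the slides' categories (anti-virus, patch management, disk encryption, USB), while the endpoint inventory, the remediation actions, the authorization profiles, the SGT values and the 10.1.50.10 WSUS address are constructed. It also shows the failure mode the flow has to handle: a link remediation cannot change the endpoint, so a reassessment leaves it in the remediation network.

```python
"""Posture assessment and posture-driven authorization (added example)."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    mac: str
    facts: dict  # inventory reported by the agent (constructed for this example)


@dataclass(frozen=True)
class Condition:
    name: str
    fact: str          # key in Endpoint.facts
    expected: object   # value the policy requires
    remediation: str   # remediation action name (see REMEDIATIONS)


@dataclass(frozen=True)
class Compound:
    name: str
    operator: str  # "all" or "any"
    parts: tuple   # Condition or Compound instances


# Actions the agent can apply on its own. Anything not listed (e.g. a link
# remediation with instructions) cannot change the endpoint by itself.
REMEDIATIONS = {
    "Windows Update": {"patches_current": True},
    "Launch anti-virus": {"av_running": True},
    "Block USB storage": {"usb_storage_blocked": True},
}


def check(endpoint, cond):
    """Evaluate a simple or compound condition -> (passed, failures, fixes)."""
    if isinstance(cond, Condition):
        if endpoint.facts.get(cond.fact) == cond.expected:
            return True, [], []
        return False, [cond.name], [cond.remediation]
    results = [check(endpoint, part) for part in cond.parts]
    combine = all if cond.operator == "all" else any
    if combine(ok for ok, _, _ in results):
        return True, [], []
    return (False, [f for _, fs, _ in results for f in fs],
            [r for _, _, rs in results for r in rs])


def assess(endpoint, requirements):
    """Compliant only when every mandatory requirement passes."""
    failures, fixes = [], []
    for req in requirements:
        ok, fs, rs = check(endpoint, req)
        if not ok:
            failures += fs
            fixes += rs
    fixes = list(dict.fromkeys(fixes))  # de-duplicate, keep order
    return ("compliant" if not failures else "non-compliant"), failures, fixes


@dataclass(frozen=True)
class Authorization:
    profile: str
    sgt: int
    dacl: str


# Constructed profiles: full access versus a remediation-only dACL and SGT.
# 10.1.50.10 is a hypothetical WSUS server reachable from quarantine.
FULL_ACCESS = Authorization("PermitAccess", 10, "permit ip any any")
QUARANTINE = Authorization("Quarantine", 99,
                           "permit tcp any host 10.1.50.10 eq 8530\n"
                           "permit udp any any eq 53\n"
                           "deny ip any any")


def authorize(status):
    """Unknown and non-compliant endpoints both land in the remediation network."""
    return FULL_ACCESS if status == "compliant" else QUARANTINE


def remediate(endpoint, fixes):
    """Apply the automatic remediations; return those actually applied."""
    applied = []
    for fix in fixes:
        changes = REMEDIATIONS.get(fix)
        if changes:
            endpoint.facts.update(changes)
            applied.append(fix)
    return applied


def posture_flow(endpoint, requirements):
    """The slide's flow: authorize as unknown, assess, remediate, reassess, CoA."""
    steps = [("authorize", authorize("unknown").profile)]
    status, failures, fixes = assess(endpoint, requirements)
    steps.append(("assess", status, tuple(failures)))
    if status != "compliant":
        steps.append(("remediate", tuple(remediate(endpoint, fixes))))
        status, failures, _ = assess(endpoint, requirements)
        steps.append(("reassess", status, tuple(failures)))
    steps.append(("coa", authorize(status).profile))
    return steps


# Constructed policy mirroring the condition types listed on the slides.
REQUIREMENTS = (
    Compound("Endpoint protection", "any", (
        Condition("AV running", "av_running", True, "Launch anti-virus"),
        Condition("AMP connector running", "amp_running", True, "Launch anti-virus"),
    )),
    Condition("Patches current", "patches_current", True, "Windows Update"),
    Condition("Disk encrypted", "disk_encrypted", True, "Link: encryption instructions"),
    Condition("USB storage blocked", "usb_storage_blocked", True, "Block USB storage"),
)
```

The returned step list is the audit trail a posture report would show: which conditions failed, which remediations the agent applied, and whether the final CoA moved the session to full access or left it in quarantine.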

Page 39: Cisco Identity Services Engine

Patch Management Remediation

• Remediation type: same as AV and AS remediation.

• Operating System: only Windows is supported.

• Vendor Name: the list is loaded from the OPSWAT update.

• Remediation options:
  - Enabled
  - Install missing patches
  - Activate patch management software GUI

• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.

Always-on Policy Compliance

Page 40: Cisco Identity Services Engine

ISE and SCCM Integration Overview

• ISE 2.1 integrates with SCCM to retrieve compliance status of Windows managed endpoints.

• This integration uses MDM flows. (ISE communicates with SCCM Server using WMI to retrieve the current attributes for a device.)

Cisco ISE

Microsoft SCCM as external MDM servers for Cisco ISE

SCCM Servers

Registered | Registered + Non-Compliant | Registered + Compliant

Status Checks

Managed Asset

Patch and Software management

Posture Status

WMI

Always-on Policy Compliance

Page 41: Cisco Identity Services Engine

Threat Centric NAC Explained: Reduce Vulnerabilities, Contain Threats

Problem

Compromised endpoints spread malware by exploiting known vulnerabilities in the network

1. Malware infection
2. Malware scans for vulnerable endpoints
3. Vulnerability detected
4. Infection spread

Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC) | Advanced Malware Protection (AMP)

Solution

Flag compromised and vulnerable hosts and limit access to a remediation segment

Cisco AMP: “Threat detected” (IOC) | Vulnerable host: vulnerability scan (CVSS)

Quarantine and Remediate

Most endpoint AMP is deployed in ‘visibility only’ mode

Always-on Policy Compliance

Page 42: Cisco Identity Services Engine

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.

Complements Posture: Vulnerability data tells the endpoint’s posture from the outside

Expanded control: driven by threat intelligence and vulnerability assessment data

Faster response: with automated, real-time policy updates based on vulnerability data and threat metrics

What Is Threat Centric NAC?

Inputs: STIX, Threat events, CVSS, IOC, Vulnerability assessments, Threat notifications

Diagram: AMP, Qualys and CTA feed threat and vulnerability attributes to Cisco ISE (ISE 2.2). Endpoint context: Who, What, When, Where, How, Posture, Threat, Vulnerability.

Create ISE authorization policies based on the threat and vulnerability attributes

Network Access Policy

STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)

Always-on Policy Compliance

Page 43: Cisco Identity Services Engine

What Is Threat Centric NAC ?

STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)

Always-on Policy Compliance

Page 44: Cisco Identity Services Engine

Rapid Threat Containment (RTC) with Firesight Management Center (FMC) and ISE

Protect critical data by stopping attacks faster, based on real-time threat intelligence

Problem: Initial compromise, Detection, Infection spread, Data hoarding, Data exfiltration, Monetize theft. Time To Detection (TTD): 100–200 days (http://bit.ly/cisco-asr-2016)

Solution: Initial compromise to Containment in minutes. Sensor (AMP / NGIPS / ASA with FirePOWER) reports to FMC; FMC sends EPS: Quarantine (over pxGrid) to ISE; ISE issues a CoA and applies TrustSec segmentation in the Enterprise Network.

Rapid Threat Containment

Page 45: Cisco Identity Services Engine

Cisco Platform Exchange Grid (pxGrid): Enable Unified Threat Response by Sharing Contextual Data

1. Cisco® ISE collects contextual data (Who, What, When, Where, How) from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy

Cisco and Partner Ecosystem | ISE | pxGrid Controller | Context | Cisco Network

https://datatracker.ietf.org/doc/draft-appala-mile-xmpp-grid/

Ecosystem Integration
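Pages 41 to 45 describe one loop: ISE publishes session context, a partner such as FMC uses it to attribute a detection, the partner asks ISE to quarantine the endpoint (EPS over pxGrid), ISE issues a CoA that moves the session into a TrustSec remediation segment, and the refined context flows back to the partners. The simulation below is an added example, not Cisco's pxGrid protocol, client library or topic names: the bus, topic strings, session records, the quarantine SGT, the CVSS threshold for Threat Centric NAC and the partner events are all constructed. It also covers the two edge cases a real integration must handle, a request for an IP with no known session and a repeated detection that must not issue a second CoA.

```python
"""Simulated pxGrid-style context sharing with Rapid Threat Containment."""
from collections import defaultdict
from dataclasses import dataclass

QUARANTINE_SGT = 99    # constructed SGT for the remediation segment
CVSS_QUARANTINE = 7.0  # constructed threshold: High/Critical vulnerabilities


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    sgt: int
    quarantined: bool = False


class Grid:
    """Minimal publish/subscribe bus standing in for the pxGrid controller."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, message):
        for handler in list(self._subs[topic]):
            handler(message)


class Ise:
    """Publishes session context; acts on quarantine, IOC and vulnerability events."""
    def __init__(self, grid):
        self.grid = grid
        self.sessions = {}   # mac -> Session
        self.coa_log = []    # (mac, reason) for every CoA issued
        grid.subscribe("eps/quarantine", self.on_quarantine)
        grid.subscribe("threat/ioc", self.on_ioc)
        grid.subscribe("threat/vulnerability", self.on_vulnerability)

    def add_session(self, session):
        self.sessions[session.mac] = session
        self._publish_context(session)   # step 1 and 2 on the pxGrid slide

    def _publish_context(self, s):
        self.grid.publish("session/context", {
            "mac": s.mac, "ip": s.ip, "user": s.user,
            "sgt": s.sgt, "quarantined": s.quarantined})

    def _find_by_ip(self, ip):
        return next((s for s in self.sessions.values() if s.ip == ip), None)

    def quarantine(self, ip, reason):
        """Move the session to the quarantine SGT and issue a CoA; idempotent."""
        s = self._find_by_ip(ip)
        if s is None or s.quarantined:
            return False
        s.sgt = QUARANTINE_SGT
        s.quarantined = True
        self.coa_log.append((s.mac, reason))
        self._publish_context(s)   # step 5: partners see the refined context
        return True

    def on_quarantine(self, msg):
        self.quarantine(msg["ip"], f"eps:{msg['source']}")

    def on_ioc(self, msg):
        self.quarantine(msg["ip"], f"ioc:{msg['indicator']}")

    def on_vulnerability(self, msg):
        if msg["cvss"] >= CVSS_QUARANTINE:
            self.quarantine(msg["ip"], f"cvss:{msg['cvss']}")


class Partner:
    """An FMC-like consumer: learns identity from context, requests containment."""
    def __init__(self, grid, name):
        self.grid, self.name = grid, name
        self.context = {}  # ip -> latest context record
        grid.subscribe("session/context", self.on_context)

    def on_context(self, msg):
        self.context[msg["ip"]] = msg

    def detect_malware(self, ip):
        """Malware seen on ip (step 3): ask ISE to contain it (step 4)."""
        user = self.context.get(ip, {}).get("user", "unknown")
        self.grid.publish("eps/quarantine", {"ip": ip, "source": self.name, "user": user})
        return user


def demo():
    """Constructed scenario: one session, one FMC detection."""
    grid = Grid()
    ise = Ise(grid)
    fmc = Partner(grid, "FMC")
    ise.add_session(Session("00-10-23-AA-1F-38", "10.1.20.15", "alice", sgt=10))
    fmc.detect_malware("10.1.20.15")
    return ise, fmc
```

The CoA log is the record an incident responder would want: which MAC was moved, and whether the trigger was a partner EPS request, an IOC, or a vulnerability score over the threshold.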

Page 46: Cisco Identity Services Engine

Integrating the Traditional Way

I have NBAR info! I need identity…

I have firewall logs! I need identity…

I have sec events! I need reputation…

I have NetFlow! I need entitlement…

I have reputation info! I need threat data…

I have MDM info! I need location…

I have app inventory info! I need posture…

I have identity and device-type! I need app inventory and vulnerability…

I have application info! I need location and auth-group…

I have threat data! I need reputation…

I have location! I need identity…

SIO

Proprietary APIs aren’t the solution

We need to share data

Ecosystem Integration

Page 47: Cisco Identity Services Engine

The Problem


TRADITIONAL APIs – One Integration at a Time

• Single-purpose function = need for many APIs/dev (and lots of testing)

• Not configurable = too much/little info for interface systems (scale issues)

• Pre-defined data exchange = wait until next release if you need a change

• Polling architecture = can’t scale beyond 1 or 2 system integrations

• Security can be “loose”

Ecosystem Integration

Page 48: Cisco Identity Services Engine

Solving the Integration Problem with a Grid

Infrastructure for a Robust Ecosystem

• Single framework – develop once, instead of multiple APIs

• Customize and secure what context gets shared and with which platforms

• Bi-directional – share and consume context

• Enables any pxGrid partner to share with any other pxGrid partner

SIO

Single, Scalable Framework

Direct, Secured Interfaces

pxGrid Context Sharing

Ecosystem Integration
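The slide above contrasts one-off polling integrations with a grid where a platform publishes context once and any authorized partner consumes it, in both directions, with the operator deciding which platform sees which topic. The following toy broker is an added illustration of that model written for this page; it is not Cisco's pxGrid code or protocol, and the platform names (ise, siem, vuln-scanner, firewall), topic names (session, vulnerability) and the session record are constructed for the example.

```python
"""Toy context-sharing grid: an added illustration of the publish/subscribe
model described on the pxGrid slides, not Cisco's pxGrid code or protocol.
Platform names, topic names and the session record are constructed for the
example."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class GridController:
    """Brokers context between platforms.

    Each platform is registered with the topics it may publish and the topics
    it may consume, so the operator decides which platform sees which context
    (the "customize and secure what context gets shared" point on the slide).
    Every decision is appended to an audit trail.
    """
    publish_acl: Dict[str, Set[str]] = field(default_factory=dict)
    subscribe_acl: Dict[str, Set[str]] = field(default_factory=dict)
    subscribers: Dict[str, List[Tuple[str, Callable[[dict], None]]]] = field(
        default_factory=lambda: defaultdict(list))
    audit: List[str] = field(default_factory=list)

    def register(self, platform: str, publishes=(), subscribes=()) -> None:
        self.publish_acl[platform] = set(publishes)
        self.subscribe_acl[platform] = set(subscribes)

    def subscribe(self, platform: str, topic: str, handler) -> bool:
        if topic not in self.subscribe_acl.get(platform, set()):
            self.audit.append(f"DENY subscribe {platform} -> {topic}")
            return False
        self.subscribers[topic].append((platform, handler))
        self.audit.append(f"ALLOW subscribe {platform} -> {topic}")
        return True

    def publish(self, platform: str, topic: str, message: dict) -> int:
        """Push one context record to every authorized consumer; returns the
        number of consumers reached (no polling: one publish fans out)."""
        if topic not in self.publish_acl.get(platform, set()):
            self.audit.append(f"DENY publish {platform} -> {topic}")
            return 0
        for _consumer, handler in self.subscribers[topic]:
            handler(dict(message))  # each consumer gets its own copy
        count = len(self.subscribers[topic])
        self.audit.append(f"ALLOW publish {platform} -> {topic} ({count} consumers)")
        return count


def demo() -> dict:
    """Wire up ISE, a SIEM, a vulnerability scanner and a firewall (all
    hypothetical platform names) and exchange context both ways."""
    grid = GridController()
    grid.register("ise", publishes={"session"}, subscribes={"vulnerability"})
    grid.register("siem", subscribes={"session"})
    grid.register("vuln-scanner", publishes={"vulnerability"}, subscribes={"session"})
    grid.register("firewall", subscribes={"session"})  # may not see vulnerability data

    siem_enriched: List[str] = []        # flow rows the SIEM can now tie to a user
    scan_queue: List[dict] = []          # sessions the scanner will assess
    ise_context: Dict[str, float] = {}   # ISE's endpoint view, refined by partner data

    grid.subscribe("siem", "session", lambda m: siem_enriched.append(f"{m['ip']}={m['user']}"))
    grid.subscribe("vuln-scanner", "session", scan_queue.append)
    grid.subscribe("ise", "vulnerability", lambda m: ise_context.update({m["mac"]: m["cvss"]}))
    firewall_allowed = grid.subscribe("firewall", "vulnerability", lambda m: None)

    # Constructed session record: the identity and device-type context ISE holds.
    session = {"mac": "00:11:22:33:44:55", "ip": "10.0.0.7",
               "user": "alice", "device": "Windows10"}
    reached = grid.publish("ise", "session", session)
    rogue = grid.publish("siem", "session", session)  # SIEM is not a session publisher

    # The scanner consumes the session and publishes what it learned back to
    # the grid, which ISE picks up to refine its own policy context.
    for s in scan_queue:
        grid.publish("vuln-scanner", "vulnerability", {"mac": s["mac"], "cvss": 9.8})

    return {"session_consumers": reached, "rogue_publish": rogue,
            "siem": siem_enriched, "ise_context": ise_context,
            "firewall_denied": not firewall_allowed, "audit": grid.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The two ACLs are the point of the design: the publisher never chooses its audience, and a consumer that is not entitled to a topic (the firewall asking for vulnerability data, or the SIEM trying to inject sessions) is refused and logged rather than silently served.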

Page 49: Cisco Identity Services Engine

pxGrid – Industry Adoption Critical Mass
40+ Partner Product Integrations and 12 Technology Areas in First Year of Release

Cisco pxGrid – Security thru Integration

Technology areas and Cisco products around the pxGrid hub:

• Net/App Performance
• IoT Security
• Vulnerability Assessment
• Packet Capture and Forensics
• SIEM and Threat Defense
• IAM and SSO
• Cloud Access Security
• Rapid Threat Containment (RTC)
• DDI
• Firewall and Access Control
• Cisco ISE
• Cisco WSA
• Cisco FirePOWER

pxGrid-Enabled ISE Partners:

• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable
• Firewall: Check Point, Infoblox, Bayshore
• DDI: Infoblox
• Cloud: Elastica, SkyHigh Networks
• Net/App: Savvius
• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7
• IAM: Ping, NetIQ, SecureAuth
• Vulnerability: Rapid7, Tenable, SAINT
• IoT Security: Bayshore Networks
• P-Cap/Forensics: Emulex
• Cisco: WSA, Firesight, Firepower, ISE

Other ISE Partners:

• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec
• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute

Ecosystem Integration

Page 50: Cisco Identity Services Engine

Same ISE for ‘Network Device’ Administration

Benefits

TACACS+ Device Administration

Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases

Flexible, granular control: control and audit the configuration of network devices

Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the Device Administration work center

Feature Highlight

Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Security Admin Team

Network Admin Team

• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features

Capabilities

Device Administration

TACACS+ Work Center
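The slide lists role-based access control and command-level authorization with detailed logs for auditing as the capabilities that TACACS+ device administration adds. The following is an added illustration, written for this page and not ISE code, of how such an authorization decision is made: an ordered permit/deny command set per role, a "permit any command not listed" switch, and an audit record for every attempt. The roles (SecurityAdmin, NetworkAdmin), command-set names, users, device names and commands are constructed for the example.

```python
"""Role-based, command-level authorization with an audit record per decision:
an added illustration of what the TACACS+ device-administration slide
describes, not ISE code. Role names, command-set rules, users, device names
and commands are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    command: str         # first token of the command line, e.g. "show"
    args: str = ".*"     # regular expression matched against the rest of the line


@dataclass
class CommandSet:
    """Ordered permit/deny rules; first match wins. permit_unlisted mirrors a
    'permit any command that is not listed' switch on a command set."""
    name: str
    rules: List[Rule]
    permit_unlisted: bool = False

    def evaluate(self, line: str) -> Tuple[bool, str]:
        tokens = line.strip().split(None, 1)
        if not tokens:
            return False, "empty command"
        cmd = tokens[0]
        args = tokens[1] if len(tokens) > 1 else ""
        for rule in self.rules:
            if rule.command == cmd and re.fullmatch(rule.args, args):
                return rule.action == "permit", f"{rule.action} rule in {self.name}"
        if self.permit_unlisted:
            return True, f"unlisted command permitted by {self.name}"
        return False, f"implicit deny in {self.name}"


# Hypothetical role -> command set mapping. The security team gets read-only
# access and may not dump the running config; the network team gets full
# access except disruptive commands, which are explicitly denied.
ROLE_SETS: Dict[str, CommandSet] = {
    "SecurityAdmin": CommandSet("SecOps-ReadOnly", [
        Rule("deny", "show", r"running-config.*"),
        Rule("permit", "show"),
    ]),
    "NetworkAdmin": CommandSet("NetAdmin-Full", [
        Rule("deny", "reload"),
        Rule("deny", "write", r"erase.*"),
    ], permit_unlisted=True),
}


def authorize(user: str, role: str, device: str, line: str, audit: List[str]) -> bool:
    """Authorize one command for a user's role on a device, and record the
    decision so every command attempt (permitted or denied) is auditable."""
    allowed, reason = ROLE_SETS[role].evaluate(line)
    audit.append(f"user={user} role={role} device={device} cmd={line!r} "
                 f"result={'PERMIT' if allowed else 'DENY'} reason={reason}")
    return allowed


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Run a handful of constructed command attempts through both roles."""
    audit: List[str] = []
    results = {
        "sec_show": authorize("alice", "SecurityAdmin", "core-sw1", "show ip interface brief", audit),
        "sec_dump": authorize("alice", "SecurityAdmin", "core-sw1", "show running-config", audit),
        "sec_conf": authorize("alice", "SecurityAdmin", "core-sw1", "configure terminal", audit),
        "net_conf": authorize("bob", "NetworkAdmin", "core-sw1", "configure terminal", audit),
        "net_reload": authorize("bob", "NetworkAdmin", "core-sw1", "reload", audit),
        "net_save": authorize("bob", "NetworkAdmin", "core-sw1", "write memory", audit),
    }
    return results, audit


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

Two choices matter for review: deny rules sit before the broad permit so a narrow exception cannot be shadowed, and denied attempts are logged exactly like permitted ones, because the denied commands are the ones an auditor most wants to see.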

Page 51: Cisco Identity Services Engine

Deploying ISE

pxGrid Controller
• Facilitates sharing of context

Policy Services Node (PSN)
• Makes policy decisions
• RADIUS/TACACS+ servers

Policy Administration Node (PAN)
• Single pane of glass for ISE admin
• Replication hub for all database config changes

Monitoring and Troubleshooting Node (MnT)
• Reporting and logging node
• Syslog collector from ISE nodes

Single Node (Virtual/Appliance)

Up to 20,000 concurrent endpoints

Standalone ISE

Multiple Nodes (Virtual/Appliance)

Up to 500,000 concurrent endpoints

Multi-Node ISE

Network

Page 52: Cisco Identity Services Engine

Scaling ISE
One Management Interface for 1 – 500K Endpoints

• Applies to both physical and virtual deployment

• Compatible with load balancers

Standalone deployment: 1 to 20,000 endpoints

Multi-Node deployment: 2 PANs + 2 MnTs + 4 PSNs for up to 50,000 endpoints

Multi-Node deployment: 2 PANs + 2 MnTs + 12 PSNs for up to 100,000 endpoints

Multi-Node deployment: 2 PANs + 2 MnTs + 25 PSNs for up to 250,000 endpoints

Multi-Node deployment: 2 PANs + 2 MnTs + 50 PSNs for up to 500,000 endpoints

HA configuration with minimum 6 redundant nodes

Page 53: Cisco Identity Services Engine

ISE Licensing

Evaluation – Temp (90 days)
• Full Cisco ISE functionality for 100 endpoints.

Base – Perpetual
• Basic network access: AAA, IEEE 802.1X
• Guest management
• Easy Connect (Passive ID)
• TrustSec (SGT, SGACL, ACI Integration)
• ISE Application Programming Interfaces

Plus – Subscription (1, 3, or 5 years)
• BYOD with built-in Certificate Authority Services
• Profiling and Feed Services
• Endpoint Protection Service (EPS)
• Cisco pxGrid

APEX – Subscription (1, 3, or 5 years)
• Third Party Mobile Device Management (MDM)
• Posture Compliance
• Threat Centric NAC (TC-NAC)

ADDITIONAL OPTIONS

Device Admin – Perpetual
• Cisco ISE requires a Device Administration license to use the TACACS+ service on top of an existing Base or Mobility license.

Mobility – Subscription (1, 3, or 5 years)
• Combination of Base, Plus, and Apex for wireless and VPN endpoints

Mobility Upgrade – Subscription (1, 3, or 5 years)
• Provides wired support to Mobility license

• Licenses are uploaded to the Primary Administration node and propagated to the other Cisco ISE nodes in the cluster
• Base license is fundamental for use of Plus/Apex services.
• Mobility licenses cannot coexist on a Cisco Administration node with Base, Plus, or Apex licenses.

Page 54: Cisco Identity Services Engine