identity services engine

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Identity Services Engine Cisco’s Next-Generation Network Access Control Solution George Nazarey Security Consulting Systems Engineer

Upload: cisco-public-sector

Post on 18-Nov-2014


DESCRIPTION

Cisco’s Next-Generation Network Access Control Solution. Agenda: Identity Market Drivers; 802.1X Overview; ISE Overview; Posture Services; Profiling Services; Guest Services. By: George Nazarey

TRANSCRIPT

Page 1: Identity Services Engine

Identity Services Engine Cisco’s Next-Generation Network Access Control Solution

George Nazarey Security Consulting Systems Engineer

Page 2: Identity Services Engine

Agenda

Identity Market Drivers

802.1X Overview

ISE Overview

Posture Services

Profiling Services

Guest Services

Page 3: Identity Services Engine

Identity Market Drivers

Page 4: Identity Services Engine

Disciplines of Security: Identity Is the Base

Information Sharing

Encryption

Threat Migration

Policy/ Governance

Access Control

Forensics

Data Leakage

Non-Repudiation

Audit

Threat Mitigation

Availability

Inventory

Page 5: Identity Services Engine

Today’s Network Is Not Like Yesterday’s Network

(Slide figure; the endpoint and user callouts are listed here.)

• Laptop: managed asset, Main Laboratory, 11 a.m.
• Security Camera G/W: agentless asset, MAC: F5 AB 8B 65 00 D4
• Vicky Sanchez: Employee, Marketing, Wireline, 3 p.m.
• Frank Lee: Guest, Wireless, 9 a.m.
• Rossi Barks: Employee, HR, Wireline, 11 a.m.
• IP Phone G/W: managed asset, Finance dept., 12:00 p.m.
• Printer: agentless asset, MAC: B2 CF 81 A4 02 D7
• Francois Didier: Consultant, HQ - Strategy, Remote Access, 6 p.m.
• Sergei Balazov: Contractor, IT, Wireline, 10 a.m.
• Susan Kowalski: Employee, CEO, Remote Access, 10 p.m.
• Bill Graves: Employee, R&D, Wireless, 2 p.m.

Diverse Environment: employees, contractors, guests, and non-PCs

Mission-Critical Technologies: network, devices, and applications

Multiple Access Methods: different devices, locations, and times

All need policies and controls

Page 6: Identity Services Engine

Five Aspects of Identity

Who are you? 802.1X (or another method) authenticates the user

Are you healthy? Using NAC, the end-station and network can check whether the device complies with the corporate host security policy

What service level do you receive? The user can be given a per-user access control list or a specific QoS priority on the network

What are you doing? Using the identity and location of the user, tracking and accounting can be managed more precisely

Where can you go? Based on the authentication result, the user is placed in the correct workgroup or VLAN

Page 7: Identity Services Engine

Policy: Areas of Focus

Context-Based Security: User, Device, Location, Server, Data. Gartner: “We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today.”

Service Personalization: Media, Energy, Mobile Access, Video Conf, Laptop Security. Services automatically delivered to appropriate users, devices, applications.

Virtualization & Cloud: Virtual application and infrastructure policy. vDC Capabilities, Tenant Reqs, Resource Policies, Network & Application Policies.

Page 8: Identity Services Engine

802.1X Overview

Page 9: Identity Services Engine

Why 802.1X?

• Industry-standard approach to identity

• Most secure user/machine authentication solution

• Complements other switch security features

• Easier to deploy

• Provides foundation for additional services (e.g., posture)

Page 10: Identity Services Engine

How Does 802.1X Work? (Slide figure; components and links as labelled.)

• Supplicant --(Layer 2: Request for Service / Connectivity)--> Authenticator (switch, router, WAP)

• Authenticator --(Layer 3: Back-End Authentication Support)--> Authentication Server (RADIUS server)

• Authentication Server --(Identity Store Integration)--> Identity Store/Management (Active Directory, LDAP)

Page 11: Identity Services Engine

Who (or What) Can Be Authenticated?

User Authentication (e.g., alice on host\XP2):

•  Enables User-Based Access Control and Visibility

•  If Enabled, Should Be In Addition To Device Authentication

Device Authentication (e.g., host\XP2):

•  Enables Devices To Access Network Prior To (or In the Absence of) User Login

•  Enables Critical Device Traffic (DHCP, NFS, Machine GPO)

•  Is Required In Managed Wired Environments

Page 12: Identity Services Engine

Various Authorization Mechanisms

• 802.1X provides various authorization mechanisms for policy enforcement

• Three major enforcement / segmentation mechanisms:
  – Dynamic VLAN assignment (ingress)
  – Downloadable per-session ACL (ingress)
  – Security Group Access Control List (SGACL) (egress)

• Three different enforcement modes:
  – Monitor Mode
  – Low Impact Mode (with Downloadable ACL)
  – High-Security Mode

• Session-based on-demand authorization:
  – Change of Authorization (RFC3576 RADIUS Disconnect Messages)

Page 13: Identity Services Engine

Putting it All Together: “Flex-Auth” One Configuration Fits Most

• Multiple methods: configurable order and priority of methods

• Configurable behavior after 802.1X timeout and failure

• Configurable behavior when the AAA server dies / recovers

Flex-Auth enables most use cases with a single configuration:

•  802.1X: managed devices/users
•  MAB: non-802.1X devices
•  WebAuth: non-802.1X users

(Slide figure: Flex-Auth decision flow; only the recoverable labels are kept.) A new host starts as an unknown MAC and EAP/802.1X is tried first. When 802.1X times out or fails, the port falls back to MAB; a MAC that is still unknown is redirected (URL) to WebAuth for a guest user. Outcomes: 802.1X client (employee, partner, faculty, sub contractor) with EAP credentials sent and validated -> port authorized; valid host asset with a known MAC address -> Access-Accept, port authorized; guest user -> WebAuth. A host change re-enters the flow.
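The enforcement modes of slide 12 and the Flex-Auth order of slide 13 map onto one switch-port template. The Cisco IOS configuration below is an added example, not from this deck or any Cisco document: it shows Low Impact Mode with 802.1X-then-MAB fallback, AAA server dead/alive handling and CoA enabled, with comments marking what changes for Monitor and High-Security Mode. The ISE address 10.0.0.10, the shared-secret placeholder, VLAN 100, the ACL name PRE-AUTH and the interface name are assumptions.

```cisco
! Added example, not from the deck. Assumed: ISE at 10.0.0.10, access VLAN 100, ACL PRE-AUTH.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept Change of Authorization from ISE (RFC 3576 dynamic authorization)
aaa server radius dynamic-author
 client 10.0.0.10 server-key <RADIUS-SHARED-SECRET>
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
radius-server vsa send authentication
radius-server vsa send accounting
! Declare ISE dead after 3 missed tries within 5 s; retry after 10 min
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
dot1x system-auth-control
! IP-to-MAC binding and local HTTP are needed for the WebAuth URL redirect ISE returns
ip device tracking
ip http server
!
! Low Impact Mode pre-auth ACL: only DHCP and DNS before authorization;
! the per-session dACL downloaded from ISE replaces it once the host is authorized
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! Low Impact Mode: port forwards before auth, limited by PRE-AUTH.
 ! Monitor Mode: keep "authentication open", remove the ip access-group line.
 ! High-Security Mode: remove both lines so nothing passes until authorized.
 authentication open
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication port-control auto
 ! Flex-Auth: try 802.1X first, fall back to MAB when it times out or fails
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! AAA server dies / recovers: keep hosts on VLAN 100, re-authenticate when ISE is back
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Dynamic VLAN assignment and the dACL arrive in the RADIUS Access-Accept from ISE, so nothing about the VLAN or ACL outcome is fixed on the port beyond the pre-auth defaults shown here.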

Page 14: Identity Services Engine

ISE Overview

Page 15: Identity Services Engine

Cisco TrustSec

Cisco TrustSec is a security solution that provides policy-based access control, identity-aware networking, and data integrity and confidentiality services

Page 16: Identity Services Engine

Identity Services Engine: Next Generation PMBU Solution Portfolio (slide figure). ISE consolidates the NAC Appliance components shown on the slide:

• NAC Manager and NAC Server: Identity & Access Control + Posture (the existing Access Control Solution)

• NAC Profiler and NAC Collector: Device Profiling & Provisioning + Identity Monitoring (the Collector is a standalone appliance or licensed as a module on NAC Server)

• NAC Guest Server: Guest Lifecycle Management

• NAC Agent

Page 17: Identity Services Engine

A single appliance deployment

Single ISE Node providing all services

For smaller environments

2 boxes for resiliency

Page 18: Identity Services Engine

A multi-box deployment

Multiple ISE Nodes in a system

More than 1 box for medium to large environments, or distributed organization.

Services can be turned on or off on each individual node as necessary

Page 19: Identity Services Engine

Example ISE Deployment (slide figure). Sites shown: HQ, Division X, Branch A and Branch B, each with 802.1X switches, APs and WLCs, plus an ASA VPN. Node roles shown: Admin and Logging nodes (PAP and M&T), a PDP cluster, a distributed PDP, HA iPEPs and PEPs.

•  Active/Standby PAP/M&T

•  Centralized Wired 802.1X Services for HQ and Branches

•  Distributed PDP services in Division X

•  VPN (non-CoA) support via HA iPEPs

Page 20: Identity Services Engine

Advanced Package Profiler | Posture | SGA

Base Package Basic Network Access | Guest

Platforms Small | Medium | Large | VM

Are my endpoints authenticated?

Are my endpoints secure?

Packaging / Licensing Specifics

Perpetual License

Term License

• Software license model

• Licenses based on concurrent # endpoints counted centrally (not tied to HW)

• Floating (active) device/user based pricing

• 3 different hardware appliances or VMware-based appliance
  – Small = 3315/1121 appliances
  – Medium = 3355 appliances
  – Large = 3395 appliances
  – VMware: ESX v4.x, ESXi v4.x and Server 2.0

Page 21: Identity Services Engine

UX: Login

Page 22: Identity Services Engine

UX: Dashboard

(Screenshot callouts.) All ISE nodes registered to PAP; All Attribute Sources; Search; Now called ISE!; Compliance Stats & Failures; Error Rates and Distributions; Metric Meters Feedback!; Endpoint Distributions; Profile Distributions; Summarized Alarms

Page 23: Identity Services Engine

In-context configuration of Identity Groups

Object Selector pop-up with search and filtering capabilities

New Identity Groups can be created without leaving the Policy screen

Robust UI: a tabular view is also available

Reusable simple and compound ‘Condition’ objects

Drag-and-drop functionality for re-ordering rules

Page 24: Identity Services Engine

Developing Authorization Policy – Adding Rules

Page 25: Identity Services Engine

UX: Authentications: “Live” Authentications! Filters; Passed / Failed row colors

Page 26: Identity Services Engine

Posture Services

Page 27: Identity Services Engine

Posture Services Overview

• Must have advanced licensing enabled on your ISE devices

• Must enable Posture Services on your ISE Policy server

• Same posture evaluation as in NAC Appliance

• Passive re-assessment support

• Remediation actions same as NAC Appliance

• Posture automatic updates available with advanced licensing

Posture Runtime Services

Page 28: Identity Services Engine

Posture Conditions

• File

• Registry

• AV/AS

• Service

• Compound Conditions (Pre-Configured)

• AV/AS Compound Conditions

Policy > Policy Elements > Conditions > Posture

Page 29: Identity Services Engine

Posture Policy

• Posture Policies tie the Requirements, Identity Groups and other Conditions together to make a Policy

• Once a user is authenticated, the Posture Policy is checked for the Identity Group/User

• If posture passes, the user is assigned a new Authorization Policy

Page 30: Identity Services Engine

Profiling Services

Page 31: Identity Services Engine

NAC Gap: Non-PC Endpoint Devices

Do you have a full record of devices on the network?

Wired endpoints distribution (slide charts):

• Enterprises without VoIP: 50% Windows, 50% Other

• Enterprises with VoIP: 33% Windows, 33% IP phones, 33% Other

Page 32: Identity Services Engine

Examples of Non-PC Endpoints

Printers, Fax Machines, IP Phones, IP Cameras, Wireless APs, Managed UPS, Hubs, Cash Registers, Medical Imaging Machines, Alarm Systems, Video Conferencing Stations, Turnstiles, HVAC Systems, RMON Probes, Vending Machines . . . and many others

Page 33: Identity Services Engine

UX: Profiling

Many built-in profiles for Cisco and other common devices!

Page 34: Identity Services Engine

MAC Authentication – Endpoints List (Administration > Identity Management > Identities > Endpoints)

Find your MAC address in the list of endpoints; use the filter! (Screenshot callout: “Static?” column.)

Page 35: Identity Services Engine

Guest Services

Page 36: Identity Services Engine

Managing the Guest User Lifecycle

PROVISIONING – Create Guest Accounts
• Create a single Guest Account
• Create multiple Guest Accounts by importing a CSV file

MANAGEMENT – Manage Guest Accounts
• View, edit or suspend your Guest Accounts
• Manage batches of accounts you have created

NOTIFICATION – Give Accounts to Guests
• Print Account and Access Details
• Send Account Details via Email
• Send Account Details via SMS

REPORTING – Report on Guests
• View audit reports on individual Guest accounts
• Display management reports on Guest Access

Increased Productivity, Operational Efficiency

Page 37: Identity Services Engine

ISE Guest Server – Overview

• ISE Guest Server can provide:
  – Self-Registration
  – Full Sponsored Access
  – Device Registration

• ISE Guest Server has:
  – Multiple Portal Options
  – Guest User Policies
  – Sponsor Groups & Policies
  – Sponsor Portal Settings

Page 38: Identity Services Engine

ISE Sponsored Guests – Sponsor Portal

• Customizable web portal for sponsors as well

• Authenticate sponsors with corporate credentials:
  – Local Database
  – Active Directory
  – LDAP
  – RADIUS
  – Kerberos

Page 39: Identity Services Engine

ISE Sponsored Guest Creation

• Sponsor can create one or multiple accounts

• Sponsor sets which Group Role/Identity Store guests will be placed in

• Different Time Profiles can be used for access

• User account details can be delivered by different means of notification (Email, Print, SMS)

Page 40: Identity Services Engine

Guest User Account Detail Delivery

Send account information via print-out, email, or SMS

Page 41: Identity Services Engine

Guest Verification

• The Monitor > Authentications window shows all authentications, including guests

• Identity and Authorization can be found for guests

Page 42: Identity Services Engine
