Deploying ISE in a Dynamic Public Environment
Clark Gambrel, CCIE #18179
Technical Leader, Engineering, Core Software Group
BRKSEC-2059
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Take the Hassel out of your ISE deployment!
K.I.T.T.: Know ISE Through Training
Abstract
Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned (best practice) from an ISE escalation engineer in troubleshooting complex customer environments.
Introduction
Clark Gambrel, CCIE #18179
Technical Leader – Engineering
Core Software Group
@ClarkGambrel
KENTUCKY
Kentucky is known for…
Ich bin ein “Redneck“
Agenda
• Introduction
• Public environments, Why are they so challenging?
• Advice – Words to live by in any environment (Best Practice!)
• Education – What we have learned
• Hospitals/Medical – Protecting the heart of your network
• Public Transportation – Tips for the thrifty traveler
• Conclusion
ISE & Software Defined Segmentation Sessions
• BRKSEC-2059 (2h) Deploying ISE in a Dynamic Public Environment – Fri 24 Feb 11:30 (You are here)
• BRKSEC-2203 (90m) Enabling Software-Defined Segmentation with TrustSec – Tue 21 Feb 16:45
• BRKSEC-2344 (2h) Device Administration with TACACS+ using Identity Services Engine 2.X – Tue 21 Feb 14:15
• BRKSEC-3690 (2h) Advanced Security Group Tags: The Detailed Walk Through – Wed 22 Feb 09:00
• BRKSEC-3697 (2h) Advanced ISE Services, Tips and Tricks – Thu 23 Feb 09:00
• BRKSEC-3699 (2h) Designing ISE for Scale & High Availability – Fri 24 Feb 09:00
• BRKSEC-3014 (2h) Security Monitoring with StealthWatch: The detailed walkthrough – Wed 22 Feb 09:00
• TECSEC-2222 (4h) Securing Networks with Cisco Trustsec
• TECSEC-2404 (8h) ACI Security
• TECSEC-2672 (8h) Intermediate - Network Access Control with ISE (Identity Services Engine)
Labs & Lunch and Learn Sessions
• LABSEC-1007 (45m) AnyConnect (4.2) Posture with Identity Services Engine (ISE) 2.1
• LABSEC-1300 (30m) Configuring and troubleshooting TACACS+ in ISE 2.1 with Nx-OS devices, IOS and WLC
• LABSEC-2004 (30m) Dot1x: Troubleshooting tips and tricks
• LALSEC-2003 Lunch and Learn - Cisco Identity Services Engine (ISE) – Tue 21 Feb
• LALSEC-2006 Lunch and Learn - Network as a Sensor/Enforcer – Wed 22 Feb
• LTRSEC-3400 (4h) ISE Troubleshooting LAB – Tue 21 Feb 14:15
• LTRSEC-2800 (90m) Integrating TrustSec and ACI Together – Thurs 23 Feb 14:00
Public environments, Why are they so challenging?
• On average each person carries 2.9 devices
• Each year new devices are introduced
• Devices add new technology enhancements, e.g. TLS versions, mini browsers
• Device behavior differs from one OS version to the next
• Devices are mostly unmanaged
• End users have different levels of knowledge when it comes to configuring their own devices
• Users expect a simple experience, similar to home use
• Lots of configuration parameters on ISE/Wireless Controller, which are correct?
Advice – Words to live by in any environment(Best Practice)
Inter-Node Communications: Radius flapping can be a real mess!
Diagram: two node groups connected over L2 or L3 (Node Group A / JGroup A: PSN4, PSN5, PSN6; Node Group B / JGroup B: PSN1, PSN2, PSN3), two PANs, two MnTs and a WLC.
• Profiling sync leverages JGroup channels
• All replication outside the node group must traverse the PAN—including Ownership Change!
• If the Local JGroup fails, then nodes fall back to the Global JGroup communication channel.
Endpoint ownership exchange: PSN5 says “I own this mac address”; PSN3 says “Ok PSN5 owns this mac address”.
• Ok, now Radius flapping occurs.
• This could be due to timeouts seen by the WLC or due to the “Radius NAC” accounting bug
• This will also happen if a PSN receives profiling information for an endpoint that it doesn’t own
Ownership now flips: PSN5 says “Ok PSN3 owns this mac address”; PSN3 says “I own this mac address”.
Profiling and Data Replication – Before Tuning
Diagram: Node Group DC1-group and Node Group DC2-group, each with PSNs, plus PAN and MnT. The probe sources for one endpoint (RADIUS Auth, RADIUS Acctng, DHCP 1, DHCP 2, NMAP, NetFlow) land on different PSNs, producing a numbered series of Ownership Changes and Global Replication through the PAN.
Impact of Ownership Changes – Before Tuning
Diagram: the same two node groups; with probe data spread across PSNs every node asks “Owner?” for the endpoint.
Advice: Timers
WLC: Radius
• Default timer value of 2 seconds is too short
• During busy times, Authentication latency may increase and exceed the default value
• Use best practice value between 5-10 seconds, typically
• Use timers appropriate to the environment (tune for your environment)
• Some remote/cloud based radius servers may have higher authentication latency and require some tweaking.
WLC: Radius - Continued
• If timers are set too long, the client might restart its session and retries from the radius server will be dropped
• Avoid unnecessary radius server flaps with timers that are too short
• Radius flapping can have some major impacts on an ISE deployment
Screenshots (Advice: Timers - Radius): Typically 5-10 seconds. Usually matches Auth server timeout value.
• Make sure that Aggressive Failover is disabled in the command line of the WLC. This can have a big impact on ISE and Wireless Auths in general:
(Cisco Controller) >config radius aggressive-failover disable
Advice: Timers - WLANs
• Increase Session Timeout to 2+ hours (7200+ sec), if Enabled (recommended)
• This can also be sent as a Radius attribute in ISE under the AuthZ Profile
• Increase Client Exclusion to 180+ seconds (3+ mins)
• For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec)
• For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected
Interim Update
• WLC 7.6:
  • Recommended setting: Disabled
  • Behavior: Only send update on IP address change
  • Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates.
  • Device Sensor updates not impacted
• WLC 8.0:
  • Recommended setting: Enabled with Interval set to 0
  • Behavior: Only send update on IP address change
  • Device Sensor updates not impacted
  • Settings mapped correctly on upgrades
Advice: VM Resources - Reservations
• To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications are listed in the ISE Installation Guide (the 1.3+ and 2.0.1+ guides are shown).
• In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS-3595 platforms as well.
• It is highly recommended that you use these templates!
• Admin and MnT nodes rely heavily on disk usage (read/writes).
• Deploying ISE in VMware environments where shared disk storage is utilized may not give like-for-like disk performance when compared to physical appliances
• Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node.
Reservations – Before & After Chart
Reservations – Before & After Graph
Advice: VM Settings
• Snapshots are not supported!
Advice: Avoid Meltdowns - ISE Settings
• Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications (Administration > Settings > Protocols > Radius)
• Only use the profiling probes/information that you need. Don’t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access devices (Administration > Deployment > Profiling)
• Enable EndPoint Attribute Filter (Administration > Settings > Profiling)
Load Balancing RADIUS - Sample Flow (before tuning: round-robin, no persistence)
Topology: the Access Device (NAD) sits on VLAN 98 (10.1.98.0/24) and is configured with radius-server host 10.1.98.8, which is the Load Balancer VIP. Behind it, PSN-CLUSTER on VLAN 99 (10.1.99.0/24) holds ISE-PSN-1 @ 10.1.99.5, ISE-PSN-2 @ 10.1.99.6 and ISE-PSN-3 @ 10.1.99.7.
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to different PSN because round-robin (RR) load balancing is used without persistence (sticky).
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from different PSN based on RR and no sticky
Load Balancing RADIUS - Sample Flow (after tuning: sticky persistence)
Same topology as above.
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS response received from VIP @ 10.1.98.8 (originated by real server ise-psn-3 @ 10.1.99.7 and source translated by LB)
5. RADIUS Accounting sent to/from same PSN based on sticky
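The two sample flows above, modelled in code (an added example, not from the deck or from any Cisco product): a minimal RADIUS load balancer that either round-robins every packet or persists on Calling-Station-ID / Framed-IP-Address, run against a constructed auth-then-accounting sequence for two endpoints. PSN names and addresses are taken from the diagram; the MAC addresses and client IP are constructed.

```python
"""Round-robin vs sticky RADIUS load balancing, modelled on the two sample flows."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2866.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31

# Real servers behind the VIP 10.1.98.8, as in the diagram (the NAD never sees these).
PSN_POOL = [("ISE-PSN-1", "10.1.99.5"),
            ("ISE-PSN-2", "10.1.99.6"),
            ("ISE-PSN-3", "10.1.99.7")]


@dataclass
class RadiusPacket:
    code: int
    pkt_id: int
    attrs: Dict[int, str]          # attribute type -> decoded value


def persistence_key(pkt: RadiusPacket) -> Optional[str]:
    """Sticky key as the tuned LB derives it: Calling-Station-ID (the endpoint MAC)
    when present, otherwise Framed-IP-Address; None if the packet carries neither."""
    mac = pkt.attrs.get(CALLING_STATION_ID)
    if mac:
        return "mac:" + mac.lower().replace("-", ":")
    ip = pkt.attrs.get(FRAMED_IP_ADDRESS)
    return "ip:" + ip if ip else None


@dataclass
class RadiusLoadBalancer:
    pool: List[Tuple[str, str]]
    sticky: bool                   # False = plain round robin (before tuning)
    _rr_index: int = 0
    _table: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def _round_robin(self) -> Tuple[str, str]:
        real = self.pool[self._rr_index % len(self.pool)]
        self._rr_index += 1
        return real

    def select(self, pkt: RadiusPacket) -> Tuple[str, str]:
        """Pick the (name, ip) of the real PSN for this packet. With persistence the
        first packet for a key is placed by round robin and every later packet with
        the same key (auth, then accounting) follows it to the same PSN."""
        if not self.sticky:
            return self._round_robin()
        key = persistence_key(pkt)
        if key is None:
            return self._round_robin()   # nothing to persist on: behave like RR
        if key not in self._table:
            self._table[key] = self._round_robin()
        return self._table[key]


def simulate(sticky: bool) -> Dict[str, str]:
    """Run endpoint A's auth, an interleaved auth from endpoint B, then A's accounting
    start, and report which PSN handled each packet. MACs and the client IP are
    constructed sample values."""
    lb = RadiusLoadBalancer(PSN_POOL, sticky)
    a_mac, b_mac = "00-11-22-33-44-55", "66-77-88-99-AA-BB"
    flow = [
        ("auth-A", RadiusPacket(ACCESS_REQUEST, 10, {CALLING_STATION_ID: a_mac})),
        ("auth-B", RadiusPacket(ACCESS_REQUEST, 11, {CALLING_STATION_ID: b_mac})),
        ("acct-A", RadiusPacket(ACCOUNTING_REQUEST, 12,
                                {CALLING_STATION_ID: a_mac,
                                 FRAMED_IP_ADDRESS: "10.1.50.20"})),
    ]
    return {label: lb.select(pkt)[0] for label, pkt in flow}


if __name__ == "__main__":
    # Before tuning A's accounting lands on a third PSN; after tuning it follows A's auth.
    print("round-robin:", simulate(False))
    print("sticky:     ", simulate(True))
```

The split in the round-robin run is exactly what makes the profiler see the endpoint from two PSNs and trigger an ownership change.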
Profiling and Data Replication – After Tuning
Diagram: Node Group DC1-group and Node Group DC2-group as before; with sticky load balancing and a single DHCP source (DHCP 1), RADIUS Auth, RADIUS Acctng, DHCP, NMAP and NetFlow for the endpoint all land on one PSN, leaving a single Ownership Change (1) and Global Replication (2).
Impact of Ownership Changes – After Tuning
Diagram: the same two node groups; all probe data for the endpoint reaches one PSN, which is the Owner.
Advice: Avoid Meltdowns - ISE Settings
• Enable EndPoint Attribute Filter
• Avoid Radius Flapping
Advice: Bugs
• If “Radius NAC” is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets
• These packets are unique (different radius IDs) but contain the same information (in the capture shown they arrive ≈ 47ms apart: same data, different ID)
• Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions. 8.0 MR3+
CSCuu68490 - duplicate radius-acct update message sent while roaming
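A collector-side check for the duplicate accounting updates just described (an added example, not from the deck or from any Cisco product): it fingerprints each Interim-Update on its attributes, ignoring the RADIUS identifier, and flags a second copy that arrives within a short window. The capture is constructed and the 1000 ms default window is an assumption; the check only makes the symptom visible, the fix is the WLC versions listed above.

```python
"""Detect duplicate RADIUS Accounting Interim-Updates: same content, new RADIUS ID,
milliseconds apart, which is the symptom described for CSCuu68490."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 2866 attribute types used below.
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 31, 40, 44, 46
INTERIM_UPDATE = "3"                  # Acct-Status-Type value for Interim-Update

Attrs = Tuple[Tuple[int, str], ...]   # (type, value) pairs; the packet "content"


@dataclass(frozen=True)
class AcctRequest:
    ts_ms: int                  # receive time in milliseconds
    pkt_id: int                 # RADIUS identifier; differs between the duplicates
    attrs: Attrs


def content_fingerprint(req: AcctRequest) -> Attrs:
    """Identity of the packet excluding the header ID, so the duplicates compare equal."""
    return tuple(sorted(req.attrs))


def find_duplicate_updates(stream: List[AcctRequest], window_ms: int = 1000) -> List[AcctRequest]:
    """Return Interim-Updates whose exact content was already seen within window_ms.
    Only Interim-Updates are compared: a genuine later update advances Acct-Session-Time
    (and the counters), so it gets a different fingerprint and is not flagged."""
    first_seen: Dict[Attrs, int] = {}
    dups: List[AcctRequest] = []
    for req in sorted(stream, key=lambda r: r.ts_ms):
        if dict(req.attrs).get(ACCT_STATUS_TYPE) != INTERIM_UPDATE:
            continue
        fp = content_fingerprint(req)
        prev = first_seen.get(fp)
        if prev is not None and req.ts_ms - prev <= window_ms:
            dups.append(req)            # same data, different ID, inside the window
        else:
            first_seen[fp] = req.ts_ms  # first copy, or a repeat old enough to be new
    return dups


def sample_stream() -> List[AcctRequest]:
    """Constructed capture: a roaming client's WLC sends the update twice 47 ms apart,
    then a genuine update a minute later with Acct-Session-Time advanced."""
    base: Attrs = ((ACCT_STATUS_TYPE, INTERIM_UPDATE),
                   (CALLING_STATION_ID, "00-11-22-33-44-55"),
                   (ACCT_SESSION_ID, "0000abcd"),
                   (ACCT_SESSION_TIME, "600"))
    return [
        AcctRequest(1000, 12, base),
        AcctRequest(1047, 13, base),                                   # duplicate
        AcctRequest(61000, 14, base[:-1] + ((ACCT_SESSION_TIME, "660"),)),
    ]


if __name__ == "__main__":
    for d in find_duplicate_updates(sample_stream()):
        print(f"duplicate interim update: id={d.pkt_id} at {d.ts_ms} ms")
```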
Advice: Bugs
CSCuz76370 - Purging of EP's dependency is on Oracle to determine EP Owner
CSCvc52228 - ISE does not delete endpoint mapping in REDIS when endpoint group is deleted from GUI
CSCvc40801 - ISE MnT sluggishness and high I/O when integrated with Prime Infrastructure
Avoid Radius Flapping…
USE BEST PRACTICE!!!
Education – What we have learned
Education: High Authentication Latency - eduroam
• eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet.
• eduroam is a “cloud based” Radius proxy. It acts as a federation point between education/research based entities and their Radius servers.
• eduroam’s Radius proxy is accessed via the internet.
Diagram: a visiting user (username: [email protected]) is authenticated through the eduroam proxy and receives Radius: Accept. High Latency?
• Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers.
• If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs)
• If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible
Education: Students Converge at Lunch… - High Density
• Students’ roaming patterns, especially during meal times and events, can cause an increased load on your wireless and ISE infrastructure.
• Make sure that you have enough wireless density to handle this converged access.
• Distribute the load across multiple PSNs to avoid overwhelming a single server.
Education: User w/Multiple devices – PEAP Problem (good reason to use EAP-TLS)
• Students carry multiple devices
• PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if the password is not changed on all devices.
• Locked accounts generate Help desk calls.
• A single device with an old password may cause repeated AD lockouts
Hospitals/Medical – Protecting the heart of your network
Hospital: Medical Devices - Securing and Profiling
• Most medical devices don’t support 802.1X
• To protect patient data, use WPA2-PSK with MAC Filtering and Profiling. Encrypt!
• Use unique attributes to profile your medical devices
• Typical attributes that work well for medical devices are dhcp-class-identifier, dhcp-parameter-request-list and host-name
Hospital: Beware of Profiling Changes - Causes for change
• OUI information changes and Device Feed Service updates. Example: Zebra Technologies completed its acquisition of Motorola Solutions' Enterprise Business (press release, 2014); the deck shows the OUI lookup for the same device before and after the acquisition (now ZIH Corp), so a device profiled on its OUI can stop matching the profile it matched before.
• Device OS/Firmware updates (e.g. Apple releases, www.apple.com)
• Spoofed MAC Addresses with new or different profiling attributes
Hospital: Beware of Profiling Changes - Alternate Policy Match with Alarms
• It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling)
• This policy would catch any device that was in the configured whitelist and allow network access, simple right?
• You can then add an alarm to send an email, whenever a device matches that policy. Currently we can enable for a single policy only.
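The profiling attributes recommended for medical devices and the whitelist fallback with alarm, modelled together (an added example, not ISE's own profiler or policy engine): each profile sums a certainty weight per matching condition, a simplified form of ISE's certainty factors, and when a re-labelled OUI drops the score below the threshold the static MAC whitelist grants access and raises the alarm. The profile name, attribute values, OUI prefix and vendor strings are constructed.

```python
"""Profile a medical device on OUI and DHCP attributes, with a static MAC whitelist
fallback that raises an alarm when profiling no longer matches (e.g. after an OUI change)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    attrs: Dict[str, str]          # attributes collected by the probes / device sensor


@dataclass
class Condition:
    attr: str
    op: str                        # "equals" or "contains"
    value: str
    certainty: int                 # weight this condition adds when it matches

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attr, "")
        return actual == self.value if self.op == "equals" else self.value in actual


@dataclass
class Profile:
    name: str
    min_certainty: int
    conditions: List[Condition]

    def score(self, ep: Endpoint) -> int:
        return sum(c.certainty for c in self.conditions if c.matches(ep.attrs))


# Constructed OUI tables: the vendor string for one MAC prefix before and after a
# feed update re-labels the block (the deck's case is Motorola becoming Zebra/ZIH).
OUI_BEFORE = {"00:11:22": "Motorola Solutions Inc."}
OUI_AFTER = {"00:11:22": "ZIH Corp"}


def profiling_attrs(ep: Endpoint, oui_table: Dict[str, str]) -> Dict[str, str]:
    """Merge probe data with the OUI lookup on the first three octets of the MAC."""
    prefix = ep.mac.lower()[:8]
    return {**ep.attrs, "OUI": oui_table.get(prefix, "")}


def authorize(ep: Endpoint, profiles: List[Profile], whitelist: List[str],
              oui_table: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (authorization rule, alarm). Profiling rules are tried top-down first;
    the static-whitelist fallback still grants access but raises an alarm so the
    profiling change gets investigated instead of going unnoticed."""
    merged = Endpoint(ep.mac, profiling_attrs(ep, oui_table))
    for p in profiles:
        if p.score(merged) >= p.min_certainty:
            return f"MedicalDevice-Access ({p.name})", None
    if ep.mac.lower() in {m.lower() for m in whitelist}:
        return "Whitelist-Fallback-Access", f"ALARM: {ep.mac} hit whitelist fallback, no profile matched"
    return "DenyAccess", None


# Constructed profile built on the attributes the deck recommends for medical devices.
INFUSION_PUMP = Profile("Medical-Infusion-Pump", min_certainty=30, conditions=[
    Condition("OUI", "contains", "Motorola", 10),
    Condition("dhcp-class-identifier", "equals", "MedPump/2.1", 10),
    Condition("dhcp-parameter-request-list", "equals", "1,3,6,15,44,46", 10),
    Condition("host-name", "contains", "pump", 5),
])
PUMP = Endpoint("00:11:22:AA:BB:CC", {
    "dhcp-class-identifier": "MedPump/2.1",
    "dhcp-parameter-request-list": "1,3,6,15,44,46",
    "host-name": "icu-pump-07",
})
WHITELIST = ["00:11:22:aa:bb:cc"]          # static list maintained by the hospital


def demo(oui_table: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Same pump, before and after the OUI feed update."""
    return authorize(PUMP, [INFUSION_PUMP], WHITELIST, oui_table)


if __name__ == "__main__":
    print("before:", demo(OUI_BEFORE))   # profile matches (35 >= 30), no alarm
    print("after: ", demo(OUI_AFTER))    # score 25 < 30: whitelist fallback + alarm
```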
Hospital: Paging Dr. Ihateloggingin - Suggestions for better user experience
• Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a web portal or changing a PEAP password.
• Use EAP-TLS
• A better option, if available, would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in.
Hospital: Nurse Carts/IP Phones - Advice on corporate devices
• Nurses typically use rolling computer carts for charting patient information.
• To ensure continuous connections for these devices, survey your wireless for Voice applications.
• For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices.
Hospital: Medical NAC - Profiles custom built for medical devices
● Secure-access options for healthcare-specific devices
● Identification and classification of healthcare-specific devices (250+ devices)
● Profiling methods and best practices
● Segmentation of medical devices
Thanks Craig!
Public Transportation – Tips for the thrifty traveler
Airport: Hotspot setup with custom redirect - Using AP groups/names
• You can use ISE to target advertising to your clients
• AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location
• Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user.
• Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server.
Airport: Hotspot setup with custom redirect - Using MSE and ISE 2.0
• New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking
• Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location.
Soapbox: Buy Public Certificates - Stop teaching users to accept Man-in-the-middle attacks!
Conclusion
Conclusion - Review
• Public Environments can be challenging
• Avoid ISE “meltdowns”
• Keep up to date with versions and patches, be aware of software defects that might affect your environment
• Use advice in this guide to solve challenges in your environment
• Use Real Best Practice to ensure that you have a successful deployment.
Public ISE Community
• Public ISE Community: http://cs.co/ise-community
• Monitored and Responded to by TME’s on my Team
• Ask Questions There
• Get Answers by Cisco Experts & Partners
Security Joins the Customer Connection Program - Customer User Group Program (19,000+ Members Strong)
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco’s Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks
Join in World of Solutions: Security zone Customer Connection stand. Learn about CCP and Join; New member thank-you gift*; Customer Connection Member badge ribbon.
Join Online: www.cisco.com/go/ccp. Come to Security zone to get your new member gift* and ribbon.
* While supplies last
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Thank You