Inside Cisco IT: Cisco IT’s Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices

Bassem Khalifé: IT Technical Program Manager

Source: d2zmdbbm9feqrf.cloudfront.net/2016/eur/pdf/COCSEC-2015.pdf

Welcome to Berlin

Agenda: Cisco IT ISE Global Deployment

• Deployment Overview
• Requirements & Roadmap
• Strategy & Execution
• Design & Challenges
• Deployment Ecosystem
• Operations Framework
• Business Outcomes
• Lessons Learned

[Map: ISE PSN data centers (8), network devices by site/city, and authentication traffic flowing to the ISE PSNs.]



Cisco ISE: a centralized security solution that automates context-aware access to network resources and shares contextual data.

[Diagram: ISE as the policy controller (physical or VM) between the network “door” and network resources, contrasted with the traditional approach. Access policy is built on context: Who, What, When, Where, How, and Compliant. Capabilities: Cisco TrustSec®, BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture; context is shared via ISE pxGrid.]

[Diagram: ISE shares its context (Who, What, Where, When, How) with the rest of the security portfolio across the attack continuum (Before, During, After): NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT™ Console, CWS, WSA, ESA, and FirePOWER™ Services.]

Requirements, Major Technical Outcomes, and Major Business Outcomes

• Secure Guest Network, ION (Internet Only Network). Technical outcome: simplified single secure platform (server footprint reduced from 28 to 8). Business outcome: high availability; secure, scalable, and flexible offering for guests, partners, and employees.
• 802.1x Auth: WLAN, CVO*, LAN, and VPN. Technical outcome: complete visibility and control of devices connecting to the network. Business outcome: one scalable policy enforcement environment; network segmentation.
• Consistent Assured Network Access. Technical outcome: scalable enterprise secure network. Business outcome: enhanced risk management; consistent user experience; improved operations.

*CVO is Cisco Virtual Office, for small office/home office.

IT Requirements and ISE Capabilities

• Access Control: authentication on wired and wireless networks as well as VPN
• BYOD Support: Trusted Device Standard and enable BYOD
• Profiling: ability to identify users and devices on our network
• Endpoint Protection: protect the network from infected devices
• Guest Access: restrict unauthorized devices and users to Internet access only
• Device Control: secure the network while allowing mobile device access*
• Contextual Data: cross-platform contextual data sharing across the entire IT infrastructure

* Cisco IT uses 3 different Device Management Products

The Four Stages of a Secure Network

1. Profiling
• Identity of a device on the network
• Quantify the risk
2. Authentication
• User and end device attribution
• Identification of endpoints on wireless/wired connections
3. Posture
• Device security posture identification
• Allows for better policy and security decisions
4. Enforcement
• Ability to enforce policy decisions based on context
• Untrusted devices have restricted access

Delivered by release: ISE 1.2 Profiling; ISE 1.2 802.1X Auth (WLAN, CVO); ISE 1.3/1.4 802.1X Auth (CVO, Wired, VPN, MDM); ISE 2.1 802.1X Wired Auth Mode, MDM.

Assured Network Access Roadmap

Start state (ACS 5.x, NAC, Active Directory):
• ACS + NACs: Guest Access
• ACS Auth: Wireless, CVO
• AD Auth + One-Time-Password: VPN
• Open Access: Wired

ISE milestones (ISE 1.2, 1.3, 1.4, 2.1):
• ISE Guest ION: Guest Access
• ISE 802.1x Auth: Wireless, CVO
• ISE 802.1x + MAB Monitor Mode: Wired (Limited)
• ISE 802.1x Auth: VPN + AnyConnect (Mobile Devices with Certificate; Laptops with OTP)
• ISE/MDM Integration: Afaria, Casper
• ISE SGT: TrustSec Limited Deployment
• ISE/MDM: Posture Enforcement
• ISE 802.1x Auth: Xtranet/Partners
• ISE SGT: Network Segmentation & Optimization
• ISE TACACS+: Device Administration

Continue:
• ISE 802.1x Auth: Wired (Global)
• ISE/MDM Integration: Afaria, Casper, SCCM
• Posture Assessment
• Endpoint Protection: Quarantine/Remediate

“However beautiful the strategy, you should occasionally look at the results.” (Sir Winston Churchill)

The “P” Elements

Products: ISE, AnyConnect, CITEIS, Cisco Prime Infrastructure, Webex, Jabber, Spark, Splunk
People and Practice: Motivation, Attitude, Knowledge, Experience, Skills
Process: Product Life Cycle, Operational Excellence, Fast IT / Continuous Delivery, Change Management, Agile

Cisco IT Deployment Strategy

• Avoid the “Big Bang”: there are too many new capabilities to enable in a single deployment.
• “ISE Deployment Bundle” model: capabilities have been grouped into bundles to enable targeted and manageable deployments.
• Multiple clusters consolidated: weigh the pros and cons of single vs. distributed (ISE limits, scalability, number of endpoints, authentication, latency, AD…); “start with one cluster and add more if necessary.”
• Global Infrastructure Foundation: use different virtual IPs by service (e.g., WLAN, LAN, CVO, VPN) for better manageability and ease/speed of control; build a parallel production infrastructure for testing, readiness to scale, and easier upgrades.
• Build a cross-functional team from the start: everybody is an equal partner; extend to the BU.

Cross Functional Ownership for Execution

[Org chart: CIO; SVP IT; SVP Operations; VP IT Mobility (Any Device); SVP Infra Services with Sr. Dir Network Services, VP Ops/Impl, Dir Strategy & Security (Security Services, Directory Services), Sr. Dir Data Centers, Sr. Dir Arch/Design; SVP Security & Trust with VP InfoSec. Alignment with the Security BU: Engineering Development, Product Development, Engineering Test.]

Responsibilities:
• InfoSec: security requirements and policy
• Mobility / Any Device: owns mobile devices, responsible for posture enforcement
• Data Centers: provides DC and virtual infrastructure
• Network Services: owns and manages the deployment of NW services
• Ops/Impl: owns and operates the NW infrastructure
• Security Services: team owns the infra for network and application security services
• Directory Services: owns Active Directory infra and services
• Arch/Design: high level architecture and design
• Operational Excellence: 99.999% availability

Sample ISE Basic Deployment Roadmap (6 quarters: CY14 Q3 to CY15 Q4)

Infra: Design, Proof of Concepts, Data Analysis; Foundation: ISE 1.2 install; ISE 1.3 upgrade, apply patches; ISE 1.4 upgrade, fine tune, optimize; ISE 2.0 upgrade, fine tune.

Network, 802.1x Authentication:
• Guest: Guest Access
• Wireless: Wireless (WLAN) Auth Deployment; CVO (Home Office) Wireless Auth
• VPN: VPN Auth
• Wired: CVO Wired Auth; Limited Sites Wired Auth; Global Wired Auth Deployment
• Monitor: Endpoint Analysis: Wired dot1x MM & Profiling

Advanced Capabilities: Quarantine/Remediation, Posture Assessment & Enforcement (MDM); Security Group Tagging (SGT).

Deployment Readiness: Design Engineer Personal Lab, then Solution Verification Lab, then Stage & Pilot, then Deploy!

Cisco IT ISE Production Deployment Metrics

• Production infrastructure
  • Network Access: ISE 1.4, P6, 24 VM servers in one global deployment
  • Guest Services: ISE 1.2, P13, 8 VM servers in one dedicated deployment
• Services in production
  • Guest services (ION) (400+ sites, potential 130K+ users and 14K guests per week)
  • Internet Only Network access requires pre-registration via the ISE guest portal for all users; CWA (central web auth)
  • 802.1X Wireless Auth Mode (400+ WLAN sites, 90K+ users, ~150K endpoints)
  • 802.1X Auth CVO (wireless/wired) (27K network devices for home access; ~60K endpoints)
  • 802.1X Wired Monitor Mode* (3.5K LAN switches and gateways, ~200K endpoints)
  • 802.1X VPN Access (AnyConnect) (70 ASAs; ~110K users; 150K+ endpoints)
  • 802.1X Wireless Partners/Xtranet (3 sites; ~1K users/endpoints)
  • SGT/TrustSec (wireless/wired) (3 sites; ~6K users/endpoints)
• To date: 1M+ profiled endpoints; max of 75K+ concurrent endpoints

How many? [image]


Original Design for Multiple ISE Deployments

[Diagram: Guest Global Services as an all-in-one pair (primary at MTV, secondary at AER), alongside regional deployments with ISE PSNs at TYO, BGL, AER, RTP, ALN, MTV, HKG, and SNG, each with primary and secondary ISE PAN/M&T admin nodes.]

Single Global ISE Deployment (WLAN, CVO, LAN, VPN)

[Diagram: 24 ISE nodes: primary and secondary ISE PAN/M&T plus 20 PSNs across 8 data centers (node groups): AER, RTP, ALN, MTV, SNG, TYO, HKG, BGL.]

Users/Endpoints by Node Group (reconstructed from the bar chart; avg. 33K endpoints per node group)

| Node Group | Users | Endpoints/MAC |
| AER | 18,362 | 32,856 |
| ALLN | 9,961 | 14,765 |
| BGL | 23,969 | 40,995 |
| HKG | 26,070 | 37,481 |
| MTV | 32,651 | 58,846 |
| RTP | 28,124 | 51,878 |
| SNG | 12,870 | 21,384 |
| TYO | 5,317 | 9,445 |

Guestnet Original Deployment (Before)

[Diagram: an all-in-one primary node at MTV and a secondary at AER. Guest accounts are created through the Sponsor Portal (GSS, internet.cisco.com) and through the VMS tool used by Lobby Ambassadors; guest portal authentication for wireless and wired access comes from NADs in AMER and NADs in EMEA/APJC.]

Single point of failure: all services will be affected, and likely to also impact the secondary node.

Guestnet (ION) Redesigned Deployment: Geo Proximity Based NAD & GSS Configuration

[Diagram: primary PAN and MnT at MTV, secondary PAN and MnT at AER, reachable through a PPAN alias. At each site four PSNs sit behind ION load-balancer VIPs (ion-mtv-guest and ion-mtv-sponsor; ion-aer-guest and ion-aer-sponsor). NADs in AMER send guest portal auth to MTV as primary and AER as secondary; NADs in EMEA/APJC use AER as primary and MTV as secondary. Guest accounts are created through the Sponsor Portal (GSS, internet.cisco.com) and through the VMS tool used by Lobby Ambassadors, integrated with reception.]

Guest Network (ION) Policies

• All users must authenticate to the guest network for legal and security reasons.
• Cisco employees acting as sponsors are responsible and accountable for the actions of their guests.
• Cisco guests and employees must accept the policy and liability disclaimer to receive Internet access.
• Cisco employees do not need to create a guest account; they use their corporate credentials.
• Guest user accounts can have a maximum lifetime of seven days.
• Cisco guests will not be able to print on Cisco's printer network.
• Only one active guest user account is permitted per user. Users or guests cannot have multiple active accounts or sessions.
• Technical support for personal computing devices is the responsibility of the guest or Cisco employee. Technical support will not be provided for personal devices under any circumstances.

Cisco IT Early Deployment Challenges

• Scaling ISE for large-scale distributed deployments
• Don’t let replication or misconfiguration become an issue for authentication
• Tuning the “deployment” (ISE, NADs, and endpoints):
  • RADIUS accounting
  • Profiling
  • Authentication(s)
  • Latency and distributed replication
  • Failover and redundancy
• Tuning the “environment”:
  • Load balancers
  • Active Directory

Replication Challenges

[Diagram: “Iceberg” (īs’bûrg’, the former state) vs. “ISE Burj” (the current state). Visible above the waterline: replication issues. Hidden below it: profiling, error notification, load balancer misbehavior, NAD misbehavior, endpoint misbehavior, latency, RADIUS accounting, SNMP errors, misconfiguration.]

Tune the Deployment and the Environment (September to November)

• Configuration changes: NAD and ACE (LB)
• Accounting suppression fix: CSCur42723
• Removing IP as significant attribute fix: CSCur44879

ISE Global Deployment Profiling Setting

PSN configuration: every 24 hours (86,400 seconds), any and all PSNs start SNMP polling 27K CVO devices, whether they are connected or not, and whether or not they are in the same (latency-friendly) region, causing 600K errors and affecting replication.

Network device configuration: 27K CVO network devices are configured under 29 subnets in ISE. SNMP polling is disabled using the new option “zero” (CSCur95329), because the devices were not always connected, which resulted in 600K timeout errors that affected replication. Explicitly choose the polling PSN. Simple fix; great value!

Large Deployments – Bandwidth and Latency

[Diagram: PAN and MnT pairs with PSNs distributed across sites; a WLC and a switch send RADIUS to the PSNs.]

• 200 ms maximum round-trip (RT) latency between any two nodes in ISE 1.2/1.3
• Bandwidth is most critical between: PSNs and the Primary PAN (DB replication); PSNs and MnT (audit logging)
• Latency is most critical between PSNs and the Primary PAN
• RADIUS generally requires much less bandwidth and is more tolerant of higher latencies; actual requirements depend on many factors including number of endpoints, auth rate, and protocols

Latency Resolution Options

[Diagram: round-trip latencies between the node groups and the PAN site: AER 169 ms, TYO 134 ms, SNG 186 ms, HKG 154 ms, BGL 219 ms (marked X, above the 200 ms limit), with 45 ms between MTV and ALN/RTP. Option 1 and Option 2 are shown as +45 ms and -45 ms adjustments to the remote sites’ latencies, the 45 ms being the MTV to ALN/RTP round trip.]


ISE Deployment Ecosystem: Building Blocks

[Diagram, layered: ISE (Physical Layer): ISE appliance or VM (fabric, compute, storage); Network: DNS, NTP, SFTP, UDP, TCP (& load balancers); ISE (Logical Layer): 1 PAN; Network Access Devices (10’s K); Endpoints: devices, users & supplicants (100’s K); Enterprise Monitoring: HTTP(S), RADIUS, PEAP, EAP-FAST, EAP-TLS. Surrounding systems: User Provisioning, Mobile Device Management, Network Device Provisioning, ISE Policy Management, Active Directory, Call Manager, Data Analysis (Syslog). Quality MAP: Monitor, Act, Prevent.]

To Trust or ... Risk vs. Access

• Create device access policies based on risk/assurance criteria, your level of control, and risk tolerance:
  • Company managed devices
  • Vendor/Partner managed devices
  • BYOD (OS dependent: iOS, Android, Windows Mobile, Linux, Samsung, etc.)
  • Printers, Cameras, Badge Readers, etc.
  • IoE/IoT devices

[Chart: access (low to high) plotted against assurance (low to high) and risk (high to low). Examples: IoE/IoT devices at the low-assurance, high-risk end; company managed devices at the high-assurance, low-risk end; BYOD and vendor/partner managed devices in between, marked with a question mark.]

Understanding What Is Connecting To The Network

‘Misbehaving’ Supplicants (wireless auth over 24 hours)

| EndPoint Profile | Auths Per Day | Count of EndPoints | % of Total EndPoints | Avg Auths Per Endpoint |
| Windows7-Workstation | 98,394 | 25,918 | 20.99 | 3.8 |
| Apple-iPhone | 745,807 | 17,820 | 14.43 | 41.85 |
| Microsoft-Workstation | 69,216 | 16,469 | 13.34 | 4.2 |
| Apple-Device | 67,167 | 8,720 | 7.06 | 7.7 |
| Workstation | 49,834 | 8,408 | 6.81 | 5.93 |
| Android | 115,839 | 5,160 | 4.18 | 22.45 |
| OS_X_Mavericks-Workstation | 17,529 | 4,644 | 3.76 | 3.77 |
| OS_X_Yosemite-Workstation | 17,718 | 4,276 | 3.46 | 4.14 |
| Apple-iDevice | 97,862 | 3,813 | 3.09 | 25.67 |
| Android-Samsung-Galaxy-Phone | 78,539 | 3,146 | 2.55 | 24.96 |
| Android-Samsung | 39,250 | 3,132 | 2.54 | 12.53 |
| Apple-MacBook | 14,014 | 2,883 | 2.34 | 4.86 |
| Android-Motorola | 70,695 | 2,226 | 1.8 | 31.76 |
| Android-Google | 44,835 | 1,761 | 1.43 | 25.46 |

ISE Authentication Storm/Meltdown From a “Simple” Change

[Diagram: Call Manager, IP phones, Network Access Devices, ISE (Logical Layer), Endpoints (devices, users & supplicants), Data Analysis (Syslog), Detection & troubleshooting.]

• IP phones accidentally enabled for 802.1x auth.
• 1,600 IP phones started a MAB/dot1x auth frenzy: 2,600 attempts per day, per phone = ~4M.
• Luckily only ~4M auth requests per day, due to the limited deployment of a dozen switches. Target scope is 100K IP phones = 250M auths.
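The per-profile auths-per-endpoint table and the IP-phone auth storm above are both things Cisco IT found by analysing ISE syslog in Splunk. The following Python is an added example, not code from the deck or from Cisco IT: it parses constructed ISE-style RADIUS syslog lines (the line layout, MACs, NAD addresses, profile names and thresholds are all assumptions), builds the same per-profile table, and flags endpoints and profiles whose re-authentication rate points to a misbehaving supplicant or a looping MAB/dot1x storm.

```python
import re
from collections import defaultdict

# "Key=Value" attribute pairs that ISE appends to its RADIUS syslog records.
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")
OUTCOME_RE = re.compile(r"(Passed-Authentication|Failed-Attempt):")


def build_sample_log():
    """Constructed ISE-style RADIUS syslog for one 24 h window (not real deck data).

    Three workstations at 4 auths/day (normal), two iPhones at 40/day (chatty,
    like the Apple-iPhone row of the deck's table) and four IP phones that a
    switch change accidentally put into 802.1X/MAB, looping 2,600 times/day each.
    """
    template = ("Jan 12 10:00:00 psn01 CISE_{cat} 0000001 1 0 {outcome}: "
                "Calling-Station-ID={mac}, NAS-IP-Address={nad}, "
                "EndPointMatchedProfile={profile}, Protocol=Radius")
    plan = [  # (profile, endpoints, auths per endpoint per day, outcome, NAD IP)
        ("Windows7-Workstation", 3, 4, "Passed-Authentication", "10.1.1.10"),
        ("Apple-iPhone", 2, 40, "Passed-Authentication", "10.1.1.10"),
        ("Cisco-IP-Phone", 4, 2600, "Failed-Attempt", "10.1.1.20"),
    ]
    lines = []
    for p, (profile, n_ep, per_ep, outcome, nad) in enumerate(plan):
        cat = "Passed_Authentications" if outcome.startswith("Passed") else "Failed_Attempts"
        for i in range(n_ep):
            mac = f"00:11:22:{p:02x}:00:{i:02x}"  # constructed, unique per endpoint
            line = template.format(cat=cat, outcome=outcome, mac=mac, nad=nad, profile=profile)
            lines.extend([line] * per_ep)
    return lines


def parse_line(line):
    """Return outcome/MAC/NAD/profile for a RADIUS auth record, None for anything else."""
    m = OUTCOME_RE.search(line)
    if not m:
        return None
    attrs = {k: v.strip() for k, v in ATTR_RE.findall(line[m.end():])}
    mac = attrs.get("Calling-Station-ID")
    if not mac:
        return None
    return {"outcome": m.group(1), "mac": mac.lower(),
            "nad": attrs.get("NAS-IP-Address", "?"),
            "profile": attrs.get("EndPointMatchedProfile", "Unknown")}


def profile_stats(lines):
    """Per-profile table like the deck's 'Misbehaving Supplicants' slide:
    auths per day, endpoint count, % of total endpoints, avg auths per endpoint."""
    auths, endpoints = defaultdict(int), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        auths[rec["profile"]] += 1
        endpoints[rec["profile"]].add(rec["mac"])
    total_ep = sum(len(s) for s in endpoints.values()) or 1
    return {p: {"auths": auths[p], "endpoints": len(endpoints[p]),
                "pct": round(100 * len(endpoints[p]) / total_ep, 2),
                "avg": round(auths[p] / len(endpoints[p]), 2)} for p in auths}


def find_storms(lines, per_endpoint_max=500, profile_avg_max=20):
    """Flag endpoints re-authenticating more than per_endpoint_max times/day (a
    MAB/dot1x loop) and profiles whose average per endpoint exceeds profile_avg_max
    (a misbehaving supplicant class). Thresholds are assumed, not from the deck."""
    per_ep, ep_info = defaultdict(int), {}
    for rec in filter(None, map(parse_line, lines)):
        per_ep[rec["mac"]] += 1
        ep_info[rec["mac"]] = (rec["profile"], rec["nad"])
    storming = sorted((mac, n) + ep_info[mac] for mac, n in per_ep.items() if n > per_endpoint_max)
    noisy = sorted(p for p, s in profile_stats(lines).items() if s["avg"] > profile_avg_max)
    return storming, noisy


if __name__ == "__main__":
    log = build_sample_log()
    for profile, s in sorted(profile_stats(log).items(), key=lambda kv: -kv[1]["auths"]):
        print(f"{profile:24} {s['auths']:>7} {s['endpoints']:>5} {s['pct']:>6} {s['avg']:>8}")
    storming, noisy = find_storms(log)
    print("storming endpoints:", len(storming), "noisy profiles:", noisy)
```

Each storming endpoint is reported with its NAD address, which is the switch to look at first when a change like the phone 802.1X mistake above is suspected.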


Operations Maintenance & Monitoring

• Trained support team with broad knowledge of the environment, across multiple time zones
• Troubleshooting using both ISE and Big Data
• Enterprise monitors, load balancer and NAD probes
• Reporting and alerting, covering the ecosystem:
  • Number of devices, endpoints, auths (failed/passed), by region, device type…
  • Profiled devices by group; analysis and validation of profiling results (if used in policy)
  • Measure progress of deployment based on pre-migration data
  • Splunk ISE app, dashboards providing detailed usage
  • Infra utilization, and alerting on CPU, disk, memory
  • Correlate events with the rest of the network components and tools

Resources for Operations + Resources for Deployment

Operations: 2 Sr. Engineers + 2 Support Engineers (multi-zone)
• Performance monitoring and tuning, scalability for growth
• HW/SW issues
• Troubleshooting, field issues
• Provisioning of network devices, and user support
• Monitoring and reporting (ISE reports and Splunk)
• Patch/upgrade
• Infra/VM issues, change request support
• Policy management

Deployment: 2 Sr. Engineers, 1 Analyst, 1 PM
• Learning and testing new capabilities
• Solution Verification Lab testing and certification support
• Automation of new operational activities
• Limited Availability validation of new features
• Product and platform bug identification and validation
• Data analysis and scalability for new capabilities
• Acquiring knowledge of new capabilities and cross-functional environment support
• Documentation

Splunk Cisco ISE App [screenshot]

Testing High Availability When 1 DC Fails (AER => RTP) [screenshot]

Consolidated Dashboards [screenshot]

Load Distribution Deep Dive [screenshot]: uneven PSN load traced back to the load balancer configuration (stickiness by source IP).
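The skew above came from the load balancer persisting RADIUS on source IP, so every endpoint behind a large WLC lands on the same PSN. The simulation below is an added example, not from the deck or from Cisco IT: it compares persistence keyed on the NAD source IP with an assumed alternative, persistence keyed on the endpoint MAC (the RADIUS Calling-Station-Id), over a constructed NAD inventory; the IPs, endpoint counts and PSN names are made up.

```python
import hashlib
from collections import Counter

# Constructed NAD inventory: (RADIUS source IP of the NAD, endpoints behind it).
# Two big WLCs plus two small branch switches: the mix that lets per-source-IP
# persistence pin most of the authentication load on one or two PSNs.
NADS = [("10.10.0.1", 60_000), ("10.20.0.1", 45_000),
        ("10.30.0.1", 400), ("10.40.0.1", 250)]
PSNS = ["psn-a", "psn-b", "psn-c", "psn-d"]  # constructed PSN pool behind one VIP


def pick_psn(key, psns):
    """Stand-in for the load balancer's persistence hash: same key, same PSN."""
    digest = hashlib.blake2b(key.encode(), digest_size=4).digest()
    return psns[int.from_bytes(digest, "big") % len(psns)]


def by_source_ip(nad_ip, mac):
    """Persistence key in the misconfiguration the deck traced the skew to."""
    return nad_ip


def by_calling_station_id(nad_ip, mac):
    """Assumed alternative: persist per endpoint MAC (RADIUS Calling-Station-Id), so
    one endpoint's auth and accounting stay together while a WLC's users spread out."""
    return mac


def simulate(nads, psns, key_fn):
    """Requests per PSN when each endpoint sends one RADIUS request and the LB
    persists on key_fn(nad_ip, mac). MACs are constructed, unique per endpoint."""
    load = Counter()
    for idx, (nad_ip, n_endpoints) in enumerate(nads):
        for i in range(n_endpoints):
            mac = f"02:{idx:02x}:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00"
            load[pick_psn(key_fn(nad_ip, mac), psns)] += 1
    return load


def imbalance(load, psns):
    """Busiest PSN's load relative to an even split (1.0 = perfectly balanced)."""
    ideal = sum(load.values()) / len(psns)
    return round(max(load.get(p, 0) for p in psns) / ideal, 2)


def compare(nads=NADS, psns=PSNS):
    """Imbalance for both persistence keys over the same inventory."""
    return {"source_ip": imbalance(simulate(nads, psns, by_source_ip), psns),
            "calling_station_id": imbalance(simulate(nads, psns, by_calling_station_id), psns)}


if __name__ == "__main__":
    for name, fn in (("source IP", by_source_ip), ("Calling-Station-Id", by_calling_station_id)):
        load = simulate(NADS, PSNS, fn)
        print(f"{name:20} {dict(sorted(load.items()))}  imbalance={imbalance(load, PSNS)}")
```

With source-IP persistence the busiest PSN carries at least the whole 60K-endpoint WLC whatever the hash does, which is exactly the per-PSN skew the dashboard above exposed.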

Splunk Custom Dashboards For Troubleshooting [screenshot]

The Framework

• Document it as you build it
• Leverage the tools that you have; build the ones that you need
• Automate monitoring and alerting; cover all building blocks
• Thoroughly test every change; create baselines
• Quality MAP: Monitor & Measure; Assess & Act; Predict & Prevent


Forrester 2011: “Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.”

Dynamic User Policy (DUP): Business Driver

• Initiative: to divest assets, including employees and properties, to Technicolor
• Objective: to create logical separation on the network infrastructure and provide secure resource access in a shared workspace
• Solution: to utilize the TrustSec Security Group Tagging solution, based on user ID, for authentication and authorization

SHN4/7/15 Campus Overview [diagram]

Lawrenceville Campus Overview [diagram]

SHN7/LWR01-06 DUP Solution Summary

SHN7, 12th Floor (HW model, then CTS/DUP role):
• Desktop Switch (C4510-SUP8E): 802.1X Authenticator; Wired SGT Classifier; SXP Speaker; PreAuth/Permit-Any ACL
• Desktop Gateway (C6K-SUP2T): Wired SGT Enforcer; SXP Listener; Downloadable SGACL
• BB/SBB Gateway (C4500X): no CTS/DUP role listed
• WAN Gateway: N/A
• WLC (WiSM2): 802.1X Authenticator; Wireless SGT Classifier; SXP Speaker
• WLC Gateway (C6K-SUP2T): Wireless SGT Enforcer; SXP Listener; Downloadable SGACL

LWR01-06: the same CTS/DUP roles; HW models are Desktop Switch C6K-SUP32, Desktop Gateway C6K-SUP2T, BB/SBB Gateway C4500X, WAN Gateway N/A, WLC WiSM2, WLC Gateway C6K-SUP2T.

Page 61

DUP High Level Scope Overview

(Diagram: SXP and SGACL labels; PreAuth ACL preconfigured on interfaces.)

A. Configure TrustSec, 802.1X, ACLs on desktop switch/gateway, WLC and WLC gateway
B. Configure SXP Speaker and Listener on the “desktop switch/gateway” peer and the “WLC/WLC gateway” peer
C. Configure ISE with Tags, SGACLs

Page 62

DUP Wired User Classify/Enforce Flow

(Diagram legend: Cisco, Technicolor, Unauthenticated; SXP between desktop switch and gateway.)

cts role-based permissions (on Desktop gateway):

Source SGT \ Destination SGT | Cisco Internal | Technicolor | PreAuth (DT SW)
Cisco | Permit | Permit | Permit
Technicolor | Deny | Permit | Permit
Unauthenticated | Deny | Deny | Permit
Untrusted | Deny | Deny | Permit

Pre-Configuration

A. Preconfigure PreAuth and “permit any” ACLs on the Desktop switch and SGACLs on ISE
B. SXP tunnels established
C. SGACL downloaded from ISE periodically

Enforcement Flow

1. User connects to the Desktop switch; 802.1X sends the user credential info to ISE
2. ISE forwards the assigned SGT to the Desktop switch based on the user’s AD and policy
3. The Desktop switch replaces the PreAuth ACL with “permit any” if a Cisco or Technicolor user authenticated; otherwise the PreAuth ACL remains. The Desktop Gateway enforces traffic according to the user SGT and SGACL.
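The classify/enforce flow above, modelled as an added example (this is not code from the Cisco IT deck): the SGT names and the cts role-based permissions matrix are taken from the slide, while the AD-group-to-SGT mapping and the treatment of an authenticated user with no mapped group as Untrusted are assumptions.

```python
# Added example, not from the Cisco IT deck: models the DUP wired
# classify/enforce flow. SGT names and the permissions matrix are from
# the slide; the AD-group mapping and the "Untrusted" fallback are assumptions.
from typing import Optional, Tuple

# cts role-based permissions on the Desktop gateway:
# source SGT -> destination SGT -> action (exactly the matrix on the slide)
SGACL_MATRIX = {
    "Cisco":           {"Cisco Internal": "Permit", "Technicolor": "Permit", "PreAuth (DT SW)": "Permit"},
    "Technicolor":     {"Cisco Internal": "Deny",   "Technicolor": "Permit", "PreAuth (DT SW)": "Permit"},
    "Unauthenticated": {"Cisco Internal": "Deny",   "Technicolor": "Deny",   "PreAuth (DT SW)": "Permit"},
    "Untrusted":       {"Cisco Internal": "Deny",   "Technicolor": "Deny",   "PreAuth (DT SW)": "Permit"},
}

# Step 2: ISE maps the user's AD group to an SGT (constructed group names).
AD_GROUP_TO_SGT = {"cisco-employees": "Cisco", "technicolor-staff": "Technicolor"}


def classify(authenticated: bool, ad_group: Optional[str]) -> str:
    """SGT the desktop switch carries for the session after steps 1 and 2.
    Assumption: an authenticated user in no mapped group gets 'Untrusted'."""
    if not authenticated:
        return "Unauthenticated"
    return AD_GROUP_TO_SGT.get(ad_group, "Untrusted")


def port_acl(sgt: str) -> str:
    """Step 3 on the desktop switch: the PreAuth ACL is swapped for 'permit any'
    only when a Cisco or Technicolor user authenticated."""
    return "permit any" if sgt in ("Cisco", "Technicolor") else "PreAuth"


def enforce(src_sgt: str, dst_sgt: str) -> str:
    """Step 3 on the desktop gateway: look up the SGACL matrix.
    Fails closed: any source/destination pair not in the matrix is denied."""
    return SGACL_MATRIX.get(src_sgt, {}).get(dst_sgt, "Deny")


def session_decision(authenticated: bool, ad_group: Optional[str], dst_sgt: str) -> Tuple[str, str, str]:
    """Walk one session through classify -> port ACL -> gateway enforcement."""
    sgt = classify(authenticated, ad_group)
    return sgt, port_acl(sgt), enforce(sgt, dst_sgt)


if __name__ == "__main__":
    # A Technicolor user in the shared workspace authenticates and gets the
    # permit-any port ACL, but the gateway still denies traffic to Cisco Internal.
    print(session_decision(True, "technicolor-staff", "Cisco Internal"))
```

The port ACL only gates whether the session leaves the access port; the logical separation between the two tenants is the gateway's SGACL decision.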

Page 63

“Magic Quadrant for Network Access Control”, Gartner, Dec 2014

Page 64

(Diagram labels)

• IAM/SSO
• EMM/MDM
• Security Information and Event Management (SIEM)
• Packet Capture
• Operational/Industrial Network Security (IoT)
• Vulnerability Management
• Risk Modeling
• Custom Detection and Forensics & IR
• Rapid Threat Containment (RTC)
• Firewall
• Access Control

Page 65

Context Aware Security Spectrum

Who? Employee, Customer/Partner, Guest
What? Personal Device, Company Asset
How? Wired, Wireless, VPN
Where? @ Starbucks, Headquarters
When? Weekends (8:00am – 5:00pm) PST

Context-Aware Security Opportunity

Page 66

Context-Aware Security Use Cases

1. Sensitive Data Access Policies

ACCESS POLICY – “Sensitive Data”
WHO = Exec Group Only
WHAT = Registered Corp device only
WHERE = US Only
WHEN = US Business Hours Only
HOW = Corporate Network or VPN Access

Access Criteria: Sensitive (Financial Reports), Non-Sensitive (Café Menus), Critical Data (HR Database)

2. Portable Assurance Level for Cloud Apps

Page 67

Context-Aware Security : Bridging The Gap…

Network Security (Cisco ISE)
• Device Context: WHAT
• User Context: WHO
• Other Context: HOW, WHERE, WHEN
• Network Context: WHO, WHAT, HOW, WHERE, WHEN

MDMs: AFARIA, CASPER, SCCM

ISE pxGrid

Connector: Identity Over IP (ID/IP)

Context-Aware App Security
• Network + App Security Context: WHO, WHAT, HOW, WHERE, WHEN

Network: Limited Context
Network: Rich Context
Application Security

• Better Security (Layered Sec, Elevated Auth)
• Better User Experience (Zero Sign-On Experience)
• Flexible & Granular Access Policies

Page 68

Agenda

Page 69

Lessons Learned

• Acquire ISE expertise upfront; invest in design
• Fine-tune the deployment and the environment; they must work in tandem
• People, Process, Practice, and Products will drive success – or not
• Build the foundation and grow with the product and its ecosystem
• Follow BU guidelines; they will cover 80% of the known challenges
• Listen to the data, and to the alerts/alarms
• Do not take the network for granted
• Trust is utopian… think risk
• Plan for the unexpected!

We are here. We are ready!

Page 71

Call to Action I

Recommended Related Sessions:

• Monday
  • Advanced - Network Access Control with ISE (Identity Service Engine) 2.0 [TECSEC-3672]
• Tuesday
  • Lunch and Learn - Cisco Identity Services Engine (ISE) [LALSEC-0003] (12:45)
  • Innovation Talk, Protect and Grow Your Business with Cisco Security (14:15)
  • Advanced - Designing ISE for Scale & High Availability [BRKSEC-3699]
  • Inside Cisco IT: IOE/IOT, User Devices and Security -- Cisco's Internal Strategy [COCSEC-2003]
• Wednesday
  • Using Cisco pxGrid for Security Platform Integration [DevNet-1124]
  • What's new in ISE Active Directory Connector [BRKSEC-2132]
  • Deploying ISE in a Dynamic Public Environment [BRKSEC-2059]
• Thursday
  • Advanced ISE Services, Tips and Tricks [BRKSEC-3697]
  • Inside Cisco IT: Evolving Application Security on the Cloud [COCCLD-2016]
  • Customer Appreciation Event

Page 72

Call to Action II

• Visit the World of Solutions for
  • Cisco Campus – Security Demos (ISE 2.0, AnyConnect, VPN, MERAKI, AMP, etc.)
  • Walk in Labs –
  • Technical Solution Clinics
• Meet the Engineer/PM
  • I am available until Thursday
• Lunch and Learn Topics
  • Lunch and Learn - Cisco Identity Services Engine (ISE) [LALSEC-0003]
• DevNet zone related sessions
  • Using Cisco pxGrid for Security Platform Integration [DevNet-1124]

Page 73

Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Page 74

The Cisco on Cisco Booth

• Booth Number: C3 (just to the left of the Cisco Campus in Hall 4.2)
• Speak with our subject matter experts, sharing their real-world experience using and deploying Cisco technologies in our own environment.

Live Demos…

• Internet of Things: In the Workplace
• Network Infrastructure Security
• Application Centric Infrastructure (ACI)
• Collaboration & Video

Page 75

Agenda

Page 76

Thank you