We live in a connected world that is digitally enabled and
is just like a small village. We are constantly connected:
checking our devices for a status update, or posting an update ourselves,
or trying to send that status report or close a business deal online.
Our access to the internet has increased tenfold from
previous years, with many more plugging in to the World Wide Web every second.
We like to call ourselves the .com generation, or if you fancy the title
“millennial”, you are in the right timeline.
But with such exposure, we sometimes forget the
dangers lurking behind our use of the internet. A few of us at least try to
ensure we are using a secure connection. But many ignore it all and end up in a
really bad fix.
Take, for example, the year 2017: every IT
security professional will tell you that it was a terrible year on the network
security home front, especially in the malware category, with WannaCry wreaking
havoc on company networks in a spate of ransomware attacks that led to losses in
the millions of dollars.
Such occurrences are a network security professional’s worst
nightmare. According to Forbes.com, as cyberattacks increase in quantity and
sophistication, the global cybersecurity market is expected to be worth $170
billion by 2020, and the field currently suffers from a dire shortage of skilled network
security professionals. In many cyber-attacks, attackers
can compromise an organization within minutes. The proportion of breaches
discovered within days always falls below that of time to resolve them and fix
The enterprise network has changed rapidly, especially
concerning employee mobility and access to network facilities. Today’s employees
are not tied down to desktop workstations, but are instead able to access the
organization’s resources via a variety of endpoint devices such as smartphones, tablets,
and personal laptops, just to name a few.
We all know that access to resources from anywhere greatly
increases productivity for many organizations, but it also increases the
possibility of data leakage and security threats, because you may not be able
to control the security posture of devices accessing the network from outside
the office’s brick-and-mortar setup. Tracking all the devices accessing the
network is a huge task in itself, and as the need for more access arises, the
more untenable it becomes to manage.
So, what can we do to
get out of this fix?
Fret not: the Cisco
Identity Services Engine (ISE) 2.0 is here to help you, and in a big
way. ISE is an identity-based network access control and policy enforcement
system. It takes care of the time-intensive day-to-day network
management tasks, freeing up network administrators and allowing them to focus
on other crucial tasks, such as keeping abreast of current cyber threats and
how to counteract them.
According to the Cisco
ISE product release notes, ISE attaches an identity to a device based on
user, function, or other attributes in order to enforce policy and check compliance
with security requirements before the device is authorized to access network resources.
Based on the results from a variety of factors, an endpoint can be allowed to access
the network with a specific set of access policies applied to the interface it
is connected to, or it can be completely denied or given guest access, according
to the specific company guidelines. In short, Cisco ISE is a
context-aware policy service that controls access and threats across wired,
wireless and VPN networks, and a component of Cisco’s Borderless Networking and
the company’s TrustSec product line.
Another plus is that Cisco has finally released
Identity Services Engine (ISE) 2.0, which comes with a robust array of features
and functionalities that will be a great asset to your organization.
Let us review the ISE platform in brief.
The ISE Platform in a nutshell – figure 1.0
The ISE platform uses a distributed deployment approach
with nodes handling three different profiles (personas): the Policy Administration
Node (PAN), the Monitoring and Troubleshooting Node (MnT), and the Policy
Services Node (PSN). For ISE to function properly, all three roles are required.
Let us briefly look at each of these profiles and their services.
Policy Administration Node (PAN)
The PAN profile provides the screen the administrator logs
into in order to configure the policies that drive the entire ISE setup. It
acts as the control center of the ISE deployment. This node allows an administrator
to make changes to the entire ISE topology, which are then sent out from
the administration node to the Policy Services Nodes (PSNs) in ISE.
Policy Services Node
The PSN profile is where policy decisions are made. Network
enforcement devices send all their network messaging to these nodes; for
example, RADIUS messaging is sent to the PSNs. Once the
messages are processed, the PSN either allows or denies access to the network
based on what the administrator configured in the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT profile logs all service reports and occurrences
and allows you to generate reports as needed. It receives all the logs from
the other nodes in the ISE topology, sorts through them and assembles them in a
readable format. MnT allows you to generate various detailed and graphical reports
that can help you and senior management make strategic decisions regarding your
company’s network resources, as well as notify you of any threats to ISE.
Having familiarized ourselves with these three profiles, let
us look at some of the things ISE 2.0 can offer your organization.
Fundamentally, Cisco
ISE offers a more holistic approach to network access security and provides:
- Accurate identification of every
user and device.
- Easy onboarding and provisioning
of all devices.
- Centralized, context-aware policy
management to control user access – whoever, wherever, and from whatever device.
- Deeper contextual data about
connected users and devices to more rapidly identify, mitigate, and remediate threats.
Here are some of the notable technical
features within ISE:
TACACS+ support for
Device Administration AAA
Cisco ISE supports device administration using the Terminal
Access Controller Access-Control System (TACACS+) security protocol to control
and audit the configuration of network devices. The network devices are
configured to query ISE for authentication and authorization of device
administrator actions, and send accounting messages for ISE to log the actions.
It facilitates granular control of who can access which
network device and change the associated network settings. An ISE administrator
can create policy sets that allow TACACS+ results, such as command sets and
shell profiles, to be selected in the authorization policy rules of a device
administration access service. The ISE Monitoring node provides enhanced
reports related to device administration. The Work Center menu contains all the
device administration pages, which act as a single starting point for ISE
administrators. ISE requires a Device Administration license to use TACACS+.
The new Endpoints
It might look like a seemingly small thing, but this is the
single most frequently viewed page in all of ISE. It was also one of the
biggest pains to use in previous versions of ISE. It has been revamped
in ISE 2.0, and in a great way. Some very useful functionality has been
added to the pie charts at the top: if you click on a pie chart slice, it
automatically filters the table below it. The table itself has been completely
rewritten and remembers where you were when you clicked into an endpoint for
details and then went back to the table.
ISE is a complex system with tremendous power to boot. A
system like this cannot normally come with a user interface contained
within only a few pages. Most often a solution like this needs a menu
system and many levels of navigation, so it is to be expected that ISE
has a lot of navigation. However, ISE 2.0 rips out the
entire navigational framework and replaces it with one that is modern and lightning
fast. It is obviously the start of a complete UI overhaul. The first time you
log into ISE 2.0, you immediately see the difference, with prominent menus and
The upgrade process is a complex procedure for any large
distributed system in any technological setup. Many solutions do away with the
upgrade option altogether and instead require you to reinstall and
restore the configuration from backup. ISE has always supported upgrades and has
made significant improvements with each release. ISE 2.0 adds a new
wizard-based GUI to handle the upgrades for you in an orderly manner. You can
specify which repository each node in the deployment should use, pre-stage the
upgrade files, and control the order in which each node is upgraded. All within
Support tunnels have been added to ISE 2.0. This feature allows
the administrator to enable a secure tunnel for Cisco’s TAC to remotely access
the appliance’s root operating system, to put it simply. This is
fantastic functionality, because it means fewer WebEx sessions with Cisco TAC
remotely viewing the UI of a customer’s ISE deployment – they can view it
directly, if and only if the customer has enabled the support tunnel and
provided the TAC engineer with the unique key required to activate and
authenticate the access.
Stacking of Command Sets
ISE 2.0 allows multiple command sets to be sent in
response to an authorization request from any of the nodes. This has been done
in a brilliant way: the command sets stack, and a permit
statement always outweighs a deny statement – unless it is an explicit “deny_always”.
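The two TACACS+ passages above (device administration authorization, and the stacking rule for command sets) can be put together in a small model of what happens when a network device asks ISE whether an administrator may run a command. The following is an added example, not Cisco ISE code: it implements only the rule the text states (permit outweighs deny, deny_always outweighs everything), and the matching details (exact command keyword, regular expression on the arguments, first matching rule wins within one set) are assumptions made for the illustration. The command sets and commands are constructed sample data.

```python
"""Model of stacked TACACS+ command-set authorization, in the spirit of the
ISE 2.0 rule described above (constructed example, not Cisco ISE code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CommandRule:
    grant: str              # "permit", "deny" or "deny_always"
    command: str            # exact command keyword, e.g. "show"
    arguments: str = ".*"   # regex matched against the rest of the line (assumption)

    def matches(self, command: str, args: str) -> bool:
        return command == self.command and re.fullmatch(self.arguments, args) is not None


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule]
    permit_unmatched: bool = False   # "permit any command not listed below"

    def decision(self, command: str, args: str) -> Optional[str]:
        # Within one set the first matching rule wins (assumption for the example).
        for rule in self.rules:
            if rule.matches(command, args):
                return rule.grant
        return "permit" if self.permit_unmatched else None


def authorize(command_line: str, stacked_sets: List[CommandSet]) -> str:
    """Combine the decisions of every command set returned for one request.

    deny_always anywhere -> deny; otherwise any permit -> permit; otherwise deny.
    """
    command, _, args = command_line.strip().partition(" ")
    decisions = [d for d in (s.decision(command, args) for s in stacked_sets) if d]
    if "deny_always" in decisions:
        return "deny"
    if "permit" in decisions:
        return "permit"
    return "deny"   # nothing permitted it (only plain denies, or no match at all)


# Constructed sample command sets, as an ISE administrator might define them.
READ_ONLY = CommandSet("ReadOnly", [CommandRule("permit", "show")])
TIER1 = CommandSet("Tier1", [CommandRule("permit", "configure", "terminal"),
                             CommandRule("permit", "interface")])
NEVER_RELOAD = CommandSet("NeverReload", [CommandRule("deny_always", "reload")])
DENY_CONFIG = CommandSet("DenyConfig", [CommandRule("deny", "configure")])
DENY_CONFIG_ALWAYS = CommandSet("DenyConfigAlways", [CommandRule("deny_always", "configure")])

# The sets a helpdesk administrator receives, stacked in one authorization response.
HELPDESK_STACK = [READ_ONLY, TIER1, NEVER_RELOAD]


def demo() -> dict:
    """Return the decision for a few constructed commands against the stacks."""
    return {
        "show running-config": authorize("show running-config", HELPDESK_STACK),
        "configure terminal": authorize("configure terminal", HELPDESK_STACK),
        "reload": authorize("reload", HELPDESK_STACK),
        "debug ip packet": authorize("debug ip packet", HELPDESK_STACK),
        # a plain deny in one set is outweighed by a permit in another ...
        "permit vs deny": authorize("configure terminal", [TIER1, DENY_CONFIG]),
        # ... but deny_always is not
        "permit vs deny_always": authorize("configure terminal", [TIER1, DENY_CONFIG_ALWAYS]),
    }


if __name__ == "__main__":
    for cmd, verdict in demo().items():
        print(f"{cmd:25s} -> {verdict}")
```

The practical point for a reviewer of command sets is the last two entries of `demo()`: a plain `deny` in a restrictive set is silently overridden if any other set returned for the same administrator permits the command, so anything that must never be allowed belongs in a `deny_always` rule.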
Network Device Profiles
Network Device Profiles are completely brilliant and provide
something many have been looking for in ISE since the very beginning: the
ability to customize the settings for network devices, including how they should
handle Change of Authorization (CoA), URL redirection and more. The implementation
of NAD profiles allows them to be imported and exported so they can be shared.
ISE 2.0 ships with a load of pre-built profiles for many network devices.
EAP-TTLS is a tunneled EAP protocol that is fairly popular
with universities that use eduroam. Prior to ISE version 2.0 it
was one of the only popular EAP types missing support in ISE, even
though Cisco’s supplicant, the Cisco AnyConnect
Network Access Module, supported it.
ISE 1.3 added a built-in Certificate Authority for bring
your own device (BYOD) endpoint certificates. It would create endpoint
certificates only for devices that underwent the Cisco BYOD on-boarding process.
In ISE 1.4 an API was added to allow the creation of private/public
certificate key pairs that could be imported into devices that couldn’t go
through the BYOD flows. Now in ISE 2.0 there is a much better, fully-blown
customizable portal that allows the creation of individual certificate
key pairs, submitting and signing Certificate Signing Requests (CSRs), or even
the bulk creation of certificates. This is a gem for every network
administrator out there.
Kicking Endpoints off
the Network when Certificate is revoked
When ISE issues a certificate to a BYOD endpoint and that
certificate is later revoked, the endpoint is naturally denied access at its next
authentication. However, the endpoint would remain on the network until the next
re-authentication time. ISE 2.0 adds a CoA-Terminate (a disconnection) for any
endpoint with an active session whose certificate has been revoked, thereby
immediately kicking it off the network and reducing the clutter of endpoints
you do not need.
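The disconnection ISE sends to the network device when it finds an active session with a revoked certificate is a RADIUS Change-of-Authorization message; the terminate form is the Disconnect-Request of RFC 5176. The following added example (not Cisco ISE code) shows the two halves of that step: selecting the active sessions whose certificate serial appears in a revocation list, and building a Disconnect-Request whose Request Authenticator the network device can verify with the shared secret before it tears the session down. The sessions, the revoked serials, the shared secret and the attribute values are constructed sample data; real deployments identify the session with whatever attributes the network device accepts.

```python
"""Revocation-driven session termination modelled as RFC 5176 Disconnect-Requests.
Constructed example, not Cisco ISE code; all session data below is made up."""
import hashlib
import hmac
import struct
from typing import Dict, List

DISCONNECT_REQUEST = 40        # RFC 5176 packet code for Disconnect-Request
ATTR_USER_NAME = 1             # RFC 2865 attribute types used to name the session
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

# Constructed active sessions as the policy node might hold them.
ACTIVE_SESSIONS = [
    {"user": "alice", "mac": "00:11:22:33:44:55", "acct_session_id": "0000A1B2", "cert_serial": "1A2B3C"},
    {"user": "bob",   "mac": "66:77:88:99:AA:BB", "acct_session_id": "0000A1B3", "cert_serial": "4D5E6F"},
]
REVOKED_SERIALS = {"4D5E6F"}   # constructed revocation list (e.g. from the internal CA's CRL)
SHARED_SECRET = b"example-secret-placeholder"   # per-NAD RADIUS secret, placeholder value


def revoked_sessions(sessions: List[dict], revoked: set) -> List[dict]:
    """Sessions that are still active but whose endpoint certificate is revoked."""
    return [s for s in sessions if s["cert_serial"] in revoked]


def _attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1 octet), Length (1 octet, includes the 2-octet header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, identifier: int, session: dict) -> bytes:
    attrs = (_attr(ATTR_USER_NAME, session["user"].encode())
             + _attr(ATTR_CALLING_STATION_ID, session["mac"].encode())
             + _attr(ATTR_ACCT_SESSION_ID, session["acct_session_id"].encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    # + request attributes + shared secret); it lets the NAS reject forged requests.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(secret: bytes, packet: bytes) -> bool:
    """What the network device does on receipt before disconnecting anyone."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Decode the attribute list of a RADIUS packet into {type: value}."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out


def terminations_for_revocations(secret: bytes, sessions: List[dict], revoked: set) -> List[bytes]:
    """One Disconnect-Request per active session whose certificate is revoked."""
    return [build_disconnect_request(secret, ident, s)
            for ident, s in enumerate(revoked_sessions(sessions, revoked), start=1)]


if __name__ == "__main__":
    for pkt in terminations_for_revocations(SHARED_SECRET, ACTIVE_SESSIONS, REVOKED_SERIALS):
        print(len(pkt), "bytes, valid:", verify_disconnect_request(SHARED_SECRET, pkt),
              parse_attributes(pkt)[ATTR_USER_NAME])
```

Two checks in `verify_disconnect_request` carry the security weight: the authenticator is recomputed over the received bytes with the shared secret, so a request from a sender that does not know the secret (or a request altered in transit) is rejected rather than acted on, and the comparison uses `hmac.compare_digest` to avoid a timing side channel.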
These are just a few of the many economic and security
benefits to be derived from implementing Cisco ISE 2.0 in your organization.
Furthermore, according to research carried out by Forrester, Cost
Savings and Business Benefits Enabled by ISE, there is a huge incentive for
your organization to deploy Cisco ISE 2.0 and stay abreast of
the cybersecurity needs of the modern digital organization.
Let us stay safe on the net with Cisco ISE 2.0!