
Demystifying Cisco Identity Services Engine (ISE) Architecture and Enterprise Security

Akhil Behl (CCIE x 2), Pre-Sales Manager
Parminder Pal Singh (CCIE x 2, CCSI), Lead Trainer

Agenda

Today's Security Trends
Introduction to Cisco Identity Services Engine (ISE)
Positioning ISE
ISE Architecture
MDM, TrustSec, and pxGrid
Q&A


Today's Security Trends

Where's the World Heading?

Mobile: mobile device proliferation; 55% of IP traffic mobile by 2017.
Cloud: cloud apps growing at an exponential rate; 44% annual cloud workload growth.
IoE: more than 20B connected smart objects by 2020; 36x growth in M2M IP traffic, 2013-18.

2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

More Devices, More Connectivity, More Exposure = More Attack Surface

Timeline (2000 to 2016+):
2000: early days; endpoints were IT procured/managed.
2005: simple guest access.
2011: mobility booms; BYOD mobile devices increased multifold.
2016+: IoT/IoE adoption; proliferation of connected devices.

Introduction to Cisco Identity Services Engine (ISE)

Cisco ISE is Core to the Cisco Security Construct

Attack Continuum:
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Products across the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web + Email Security, NAC + Identity Services, Advanced Malware Protection, Network Behavior Analysis, ISE Ecosystem + pxGrid.

ISE provides visibility, context, and control across the entire continuum.

ISE is a Standards-Based AAA Server

Supports Cisco and 3rd party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols.

The ISE policy server fronts every access method:
Wired: 802.1X = EAPoLAN
Wireless: 802.1X = EAPoWLAN
VPN: SSL / IPsec
(Cisco Prime also appears in the diagram.)

ISE offers Secure Access at Multiple Levels

Who? Employee, Guest
What? Personal device, Company asset
How? Wired, Wireless, VPN
Where? @ Cafe, Headquarters
When? Weekends, (9:00am - 5:00pm) PST

Positioning ISE in an Enterprise Network

The Different Ways ISE can be Leveraged

Guest Access Management: easily provide guests limited-time, limited-resource Internet access.
BYOD and Enterprise Mobility: seamlessly and securely onboard devices with the right levels of access.
Secure Access across the Entire Network: simplify and unify enterprise network access policy across wired, wireless, and VPN.
With Cisco TrustSec: identity-aware network segmentation and access policy enforcement.

Cisco ISE Architecture

ISE Nodes (and Personas)

A single ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy Service.
Inline Posture: a single inline posture node (appliance only).

Policy Administration Node (PAN)

Writeable access to the database.
Interface to configure and view policies.
Responsible for policy sync across all PSNs and the secondary PAN.
Provides: licensing, admin authentication & authorization, admin audit.
Administration uses an external ID store (AD/LDAP).

Each ISE deployment must have at least one PAN.
Only 1x primary and 1x secondary (backup) PAN possible.

Monitoring and Troubleshooting Node (MnT)

Logging and Reporting

The MnT node receives logging from PAN, PSN, IPN, NAD, and ASA.
Each ISE deployment must have at least one MnT.
Max 1x primary and 1x secondary (backup) MnT possible.

Syslog from access devices is correlated with the user/device session.
Syslog from the firewall is correlated with the guest access session.
Syslog from other ISE nodes (PAN, PSN, IPN) is sent to the monitoring node for reporting.
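As an added illustration of the correlation described above (constructed sample data, not from the slides or from ISE itself), this Python sketch joins firewall and switch syslog lines to an ISE-style session table by source IP, the way MnT attributes events to a user/device session; the session fields and log format are assumptions:

```python
import re
from collections import Counter

# Constructed sample data (not from the slides): the active-session view a PSN
# reports to MnT after RADIUS authentication/accounting, keyed by endpoint IP.
SESSIONS = {
    "10.1.20.15": {"user": "alice", "mac": "00:11:22:33:44:55", "nad": "sw-siteb-1"},
    "10.1.30.7": {"user": "guest-4821", "mac": "66:77:88:99:aa:bb", "nad": "wlc-dc-a"},
}

# Constructed syslog lines in a simplified firewall/switch format.
SYSLOG = [
    "Jan 12 10:04:11 fw-edge %FW-DENY: src 10.1.30.7 dst 203.0.113.9 port 445 proto tcp",
    "Jan 12 10:04:12 sw-siteb-1 %LINK-UP: host 10.1.20.15 on Gi1/0/5",
    "Jan 12 10:04:15 fw-edge %FW-DENY: src 10.9.9.9 dst 203.0.113.9 port 22 proto tcp",
    "Jan 12 10:04:20 fw-edge %FW-DENY: src 10.1.30.7 dst 203.0.113.9 port 139 proto tcp",
]

# Source address of the event: "src <ip>" on firewall lines, "host <ip>" on switch lines.
SRC_RE = re.compile(r"\b(?:src|host) (\d{1,3}(?:\.\d{1,3}){3})\b")


def correlate(lines, sessions):
    """Join each syslog line to the ISE session of its source IP (None when no session)."""
    records = []
    for line in lines:
        m = SRC_RE.search(line)
        ip = m.group(1) if m else None
        sess = sessions.get(ip, {})
        records.append({
            "line": line, "ip": ip, "deny": "%FW-DENY" in line,
            "user": sess.get("user"), "mac": sess.get("mac"), "nad": sess.get("nad"),
        })
    return records


def denies_per_user(records):
    """Firewall denies per authenticated identity, the view a report needs."""
    return Counter(r["user"] for r in records if r["deny"] and r["user"])


def unattributed(records):
    """Source IPs with no ISE session: a stale session or an unmanaged endpoint."""
    return [r["ip"] for r in records if r["user"] is None]
```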

Network Access Device (NAD)

Also known as the RADIUS client.
Major Secure Access component that enforces network policies.
The NAD sends a request to the PSN to implement authorization decisions for resources.

Common enforcement mechanisms:
VLAN assignment
dACLs
Security Group Access (SGA)

Basic NAD types:
Cisco Catalyst switches
Cisco Wireless LAN Controllers
Cisco ASA VPN concentrator
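An added example, not from the slides, that ties the Who/What/How/Where/When context of the earlier slide to the enforcement results a NAD receives (VLAN, dACL, SGT): a first-match authorization evaluator in Python with a constructed sample policy; the attribute names, rule names and result values are assumptions, not an ISE policy export.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Context:
    """Who / What / How / Where / When, as on the slide (constructed attribute values)."""
    identity_group: str   # "Employee" or "Guest"
    device_type: str      # "CompanyAsset" or "PersonalDevice"
    access_method: str    # "Wired", "Wireless" or "VPN"
    location: str         # "HQ" or "Cafe"
    weekday: int          # 0 = Monday ... 6 = Sunday
    clock: time

@dataclass
class Rule:
    name: str
    match: Dict[str, Set[str]]                         # attribute -> accepted values
    result: Dict[str, str]                             # VLAN / dACL / SGT handed to the NAD
    when: Optional[Callable[[Context], bool]] = None   # optional time-of-day condition

def business_hours(ctx: Context) -> bool:
    return ctx.weekday < 5 and time(9, 0) <= ctx.clock <= time(17, 0)

# Constructed sample policy (not an ISE export); first match wins.
RULES: List[Rule] = [
    Rule("corp-asset-onsite",
         {"identity_group": {"Employee"}, "device_type": {"CompanyAsset"},
          "access_method": {"Wired", "Wireless"}, "location": {"HQ"}},
         {"vlan": "Data-1", "dacl": "PERMIT_ALL", "sgt": "Employee"}),
    Rule("employee-vpn-hours",
         {"identity_group": {"Employee"}, "device_type": {"CompanyAsset"}, "access_method": {"VPN"}},
         {"vlan": "Data-1", "dacl": "PERMIT_ALL", "sgt": "Employee"}, when=business_hours),
    Rule("employee-byod",
         {"identity_group": {"Employee"}, "device_type": {"PersonalDevice"}},
         {"vlan": "Data-2", "dacl": "INTERNET_ONLY", "sgt": "Employee"}),
    Rule("guest", {"identity_group": {"Guest"}},
         {"vlan": "Guest", "dacl": "INTERNET_ONLY", "sgt": "Guest"}),
]
DEFAULT = {"vlan": "Quarantine", "dacl": "DENY_ALL", "sgt": "Non-Compliant"}

def authorize(ctx: Context, rules: List[Rule] = RULES):
    """Return (rule name, enforcement) for the first rule whose conditions all hold."""
    for rule in rules:
        attrs_ok = all(getattr(ctx, a) in allowed for a, allowed in rule.match.items())
        if attrs_ok and (rule.when is None or rule.when(ctx)):
            return rule.name, rule.result
    return "default-deny", DEFAULT
```

A company asset on VPN outside business hours falls through every rule and lands in the quarantine result, which is the behaviour to verify before such a policy goes live.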

Policy Service Node (PSN)

RADIUS server for the network access devices.

Per policy decision, responsible for:
Network access (such as AAA RADIUS services)
Posture
Guest access (web portals)
Profiling
Client provisioning, BYOD / MDM services

Communicates directly with the external identity store for user authentication.
Provides the GUI for sponsors, agent download, guest access, device registration, and device on-boarding.

Diagram flows: WebAuth, Posture/MDM and Client Provisioning into the PSN; RADIUS/Profiling between the NAD and the PSN; AD/LDAP/RADIUS between the PSN and the external ID store.

ISE Policy Architecture

Policy Synchronization

Changes made via the primary PAN database are automatically synced to the secondary PAN and all PSNs.
An admin user makes a policy change on the primary PAN (for example a guest account creation or a device profile update); the primary PAN then pushes a policy sync to the secondary PAN and to every PSN.

ISE Deployment Scenario 1

Centralized deployment example (<2,000 devices)

A primary ISE node and a secondary ISE node in Data Center A, each running the Admin persona, the Monitor persona, and the Policy Services Node. AD/LDAP, a wireless controller, and a switch sit in Data Center A; Site B and Site C each have a switch and an AP.

ISE Deployment Scenario 2

Centralized deployment example (5,000 devices)

A primary A&M (Administration and Monitoring) node and a secondary A&M node in Data Center A, each with a dedicated Policy Services Node. AD/LDAP, a wireless controller, and a switch sit in Data Center A; Site B and Site C each have a switch and an AP.

ISE Deployment Scenario 3

Distributed deployment example (20,000 devices)

Primary and secondary Admin nodes, primary and secondary Monitor nodes, and multiple Policy Services Nodes are split across Data Center A and Data Center B, each data center with its own AD/LDAP and WLC. Site C and Site D each have a switch and an AP.

ISE Software Licensing Components

Feature stack, from Apex down to Base:
Apex: MDM 3rd party integration; compliance & remediation; unified endpoint.
Plus: profiling / feed service; BYOD device onboarding + internal CA; pxGrid + ESP.
Base: enhanced guest; AAA, 802.1X, TrustSec, multiple APIs.

License tiers:
ISE Base: Wired/Wireless/VPN [perpetual license]
ISE Plus: Wired/Wireless/VPN [3Y/5Y term]
ISE Apex: Wired/Wireless/VPN [3Y/5Y term]
ISE Wireless: Wireless only [3Y/5Y term]

ISE Hardware Licensing Components

SNS-3495: 20,000 endpoints
ISE-3395: 10,000 endpoints
ISE-3355: 6,000 endpoints
SNS-3415: 5,000 endpoints
ISE-3315 / ACS-1121: 3,000 endpoints
Virtual appliances: 3,000 - 20,000* endpoints

ISE Virtual Appliances are available individually, in bundles of 5, and in bundles of 10.
* Actual scalability of ISE VM instances varies with allocated resources and other variables.

ISE Deployment Size

Cisco ISE MDM, TrustSec, and pxGrid

ISE Integration with MDM (Third Party)

MDM device registration via ISE: non-registered clients are redirected to the MDM registration page.
Restricted access: non-compliant clients are given restricted access based on policy.
Endpoint MDM agent (MCMS): compliance and device applications check.
Device action from ISE: device stolen -> wipe data on client.

DC, Campus and Branch Segmentation with TrustSec

Segment traffic based on classified group, i.e. Security Group Tags (SGT), not based on topology (VLAN, IP subnet).
Allows micro-segmentation in the LAN (segment devices even in the same VLAN).

Diagram: ISE assigns the tags; the Data Center (shared services, application servers, DC switch) sits behind the enterprise backbone; access switches carry Voice, Employee, Supplier, and Non-Compliant endpoints. Employee Tag, Supplier Tag, and Non-Compliant Tag are applied across VLAN: Data-1 and VLAN: Data-2.

TrustSec Common Deployment Scenarios

User to Data Center Access Control: context-based access control; compliance requirements (PCI, HIPAA, export controlled information); merger and acquisition integration, divestments.
Data Center Segmentation: server zoning & micro-segmentation; production vs development server segmentation; compliance requirements (PCI, HIPAA); firewall rule automation.
Campus and Branch Segmentation: line of business segregation; PCI, HIPAA and other compliance regulations; malware propagation control/quarantine.

Cisco Platform Exchange Grid (pxGrid)

Infrastructure for a robust ecosystem

Single framework: develop once, instead of multiple APIs.
Customize and secure what context gets shared and with which platforms.
Bi-directional share and consume context.
Enables any pxGrid partner to share with any other pxGrid partner.
Integrating with Cisco ONE SDN for broad network control functions.

Three pillars: Context Sharing; Single, Scalable Framework; Direct, Secured Interfaces.
(Diagram labels: SIO, pxGrid.)

Unified Threat Response by Sharing Data Across the Network

1. ISE collects contextual data (who, what, when, where, how) from the Cisco network.
2. Context is shared via pxGrid technology (the pxGrid controller) with the Cisco and partner ecosystem.
3. Partners use the context to improve visibility to detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.

Q&A

Thank You