Identity Services Engine
 

Cisco’s Next-Generation Network Access Control Solution
Identity Market Drivers
802.1X Overview
ISE Overview
Posture Services
Profiling Services
Guest Services

By: George Nazarey

Statistics

Views

Total Views
5,692
Views on SlideShare
5,692
Embed Views
0

Actions

Likes
3
Downloads
476
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Identity Services Engine Presentation Transcript

  • 1. Identity Services Engine: Cisco’s Next-Generation Network Access Control Solution. George Nazarey, Security Consulting Systems Engineer. Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
  • 2. Agenda
    • Identity Market Drivers
    • 802.1X Overview
    • ISE Overview
    • Posture Services
    • Profiling Services
    • Guest Services
  • 3. Identity Market Drivers
  • 4. Disciplines of Security: Identity Is the Base (figure of the security disciplines that build on identity)
    • Information Sharing
    • Access Control
    • Audit
    • Encryption
    • Forensics
    • Threat Mitigation
    • Threat Migration
    • Data Leakage
    • Availability
    • Policy/Governance
    • Non-Repudiation
    • Inventory
  • 5. Today’s Network Is Not Like Yesterday’s Network (figure: employees, contractors, a consultant, a guest and non-PC devices such as a printer, an IP phone and a security camera, some managed assets and some agentless assets, connecting by wireline, wireless and remote access at different times of day)
    • Diverse environment: employees, contractors, guests, and non-PCs
    • Mission-critical technologies: network, devices, and applications
    • Multiple access methods: wireline, wireless, remote access
    • Different devices, locations, and times
    • All need policies and controls
  • 6. Five Aspects of Identity
    • Who are you? 802.1X (or other methods) authenticates the user
    • Are you healthy? Using NAC, the end-station and network can check whether the device complies with corporate host security policy
    • Where can you go? Based on authentication, the user is placed in the correct workgroup or VLAN
    • What service level do you receive? The user can be given a per-user access control list or a specific QoS priority on the network
    • What are you doing? Using the identity and location of the user, tracking and accounting can be better managed
  • 7. Policy: Areas of Focus
    • Context-Based Security Policies: user, device, location (figure icons: mobile, laptop, media, energy, video conferencing, access security)
    • Service Personalization: network and application policies; services automatically delivered to appropriate users, devices, and applications
    • Virtualization & Cloud Resource Policies: server, data, tenant requirements, vDC capabilities; virtual application and infrastructure policy
    • Gartner: “We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today.”
  • 8. 802.1X Overview
  • 9. Why 802.1X?
    • Industry-standard approach to identity
    • Most secure user/machine authentication solution
    • Complements other switch security features
    • Easier to deploy
    • Provides foundation for additional services (e.g., posture)
  • 10. How Does 802.1X Work? (figure of the four roles and the links between them)
    • Supplicant → Authenticator: Layer 2 request for service (connectivity)
    • Authenticator (switch, router, WAP) → Authentication Server (RADIUS server): Layer 3 back-end authentication support
    • Authentication Server → Identity Store/Management (Active Directory, LDAP): identity store integration
  • 11. Who (or What) Can Be Authenticated?
    • User Authentication (example user: alice)
      • Enables user-based access control and visibility
      • If enabled, should be in addition to device (machine) authentication
    • Device Authentication (example host: hostXP2)
      • Enables devices to access the network prior to (or in the absence of) user login
      • Enables critical device traffic (DHCP, NFS, machine GPO)
      • Is required in managed wired environments
  • 12. Various Authorization Mechanisms
    • 802.1X provides various authorization mechanisms for policy enforcement
    • Three major enforcement / segmentation mechanisms:
      • Dynamic VLAN assignment – ingress
      • Downloadable per-session ACL – ingress
      • Security Group Access Control List (SGACL) – egress
    • Three different enforcement modes:
      • Monitor Mode
      • Low Impact Mode (with downloadable ACL)
      • High-Security Mode
    • Session-based on-demand authorization:
      • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)
  • 13. Putting It All Together: Flex-Auth – One Configuration Fits Most
    • Multiple methods, with configurable order and priority of methods:
      • 802.1X: managed devices/users
      • MAB: non-802.1X devices
      • WebAuth: non-802.1X users
    • Flex-Auth enables most use cases with a single configuration
    • (figure: an 802.1X host whose EAP credentials are validated has its port authorized, e.g. as Employee, Partner or Faculty; when 802.1X times out or fails, MAB checks the MAC address and a known, accepted MAC authorizes the port, e.g. as Guest or Asset; an unknown MAC is handed to WebAuth, and a web-authenticated user, e.g. a Contractor, has the port authorized)
    • Configurable behavior after 802.1X timeout and failure
    • Configurable behavior when the AAA server dies / recovers
  • 14. ISE Overview
  • 15. Cisco TrustSec: Cisco TrustSec is a security solution that provides policy-based access control, identity-aware networking, and data integrity and confidentiality services
  • 16. Identity Services Engine: Next-Generation PMBU Solution Portfolio (figure mapping the existing NAC products to ISE)
    • Identity & Access Control: NAC Manager, NAC Server
    • + Posture: NAC Agent
    • Device Profiling & Provisioning: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
    • Guest Lifecycle Management: NAC Guest Server
    • ISE brings Identity & Access Control, Posture, Device Profiling & Provisioning, Identity Monitoring and Guest Lifecycle Management together in one solution
  • 17. A single-appliance deployment: a single ISE node providing all services, for smaller environments; 2 boxes for resiliency
  • 18. A multi-box deployment: multiple ISE nodes in a system; more than 1 box for medium to large environments, or a distributed organization. Services can be turned on or off on each individual node as necessary
  • 19. Example ISE Deployment (figure: Admin and Logging nodes (PAP, M&T), a PDP cluster, distributed PDPs, HA IPEPs, and PEPs such as ASA VPN, WLC, switches and APs with 802.1X across HQ, Division X, Branch A and Branch B)
    • Active/Standby PAP/M&T
    • Centralized wired 802.1X services for HQ and Branches
    • Distributed PDP services in Division X
    • VPN (non-CoA) support via HA iPEPs
  • 20. Packaging / Licensing Specifics
    • Are my endpoints secure? Advanced Package: Profiler | Posture | SGA (term license)
    • Are my endpoints authenticated? Base Package: Basic Network Access | Guest (perpetual license)
    • Platforms: Small | Medium | Large | VM
      • 3 different hardware appliances, or VMware-based appliance
      • Small = 3315/1121 appliances; Medium = 3355 appliances; Large = 3395 appliances
      • ESX v4.x, ESXi v4.x and Server 2.0
    • Software license model
      • Licenses based on concurrent # endpoints, counted centrally (not tied to HW)
      • Floating (active) device/user based pricing
  • 21. UX: Login
  • 22. UX: Dashboard (now called ISE!) – screenshot callouts: metric meters; feedback!; search; all attribute sources; endpoint distributions; all ISE nodes registered to PAP; compliance stats and distributions; error rates and failures; profile distributions; summarized alarms
  • 23. Robust UI – screenshot callouts: tabular view is also available; drag-and-drop functionality for re-ordering rules; reusable simple and compound ‘Condition’ objects; in-context configuration of identity groups (new identity groups can be created without leaving the Policy screen); object selector pop-up with search and filtering capabilities
  • 24. Developing Authorization Policy – Adding Rules
  • 25. UX: Authentications – “Live” authentications! Filters; passed / failed row colors
  • 26. Posture Services
  • 27. Posture Services Overview – Posture Runtime Services
    • Must have advanced licensing enabled on your ISE devices
    • Must enable Posture Services on your ISE Policy server
    • Same posture evaluation as in NAC Appliance
    • Passive re-assessment support
    • Remediation actions same as NAC Appliance
    • Posture automatic updates available with advanced licensing
  • 28. Posture Conditions (Policy > Policy Elements > Conditions > Posture)
    • File
    • Registry
    • AV/AS
    • Service
    • Compound Conditions (pre-configured)
    • AV/AS Compound Conditions
  • 29. Posture Policy
    • Posture policies tie the requirements, identity groups and other conditions together to make a policy
    • Once a user is authenticated, the posture policy is checked for the identity group/user
    • If posture passes, users will be assigned a new authorization policy
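Slides 28 and 29 describe posture conditions (file, registry, AV/AS, service, and compound conditions built from them) and posture policies that tie requirements to identity groups, with a new authorization applied when posture passes. The following Python is an added example, not code from the presentation or from ISE: it models that evaluation so the effect of compound conditions, identity-group scoping and the pass/fail authorization change can be run on a sample endpoint. The endpoint report fields, file and registry paths, service names and profile names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed posture report with the kinds of facts the agent checks for the
# simple condition types (file, registry, AV/AS, service). Field names and values
# are assumptions for this example, not ISE's real agent report format.
@dataclass
class Endpoint:
    identity_group: str
    files: set
    registry: dict
    services: set
    av_definitions_age_days: int

# Simple conditions: each returns a predicate over an Endpoint
def file_exists(path): return lambda ep: path in ep.files
def registry_value_is(key, value): return lambda ep: ep.registry.get(key) == value
def service_running(name): return lambda ep: name in ep.services
def av_definitions_newer_than(days): return lambda ep: ep.av_definitions_age_days <= days
# Compound conditions nest simple or other compound conditions
def all_of(*conds): return lambda ep: all(c(ep) for c in conds)
def any_of(*conds): return lambda ep: any(c(ep) for c in conds)

@dataclass
class Requirement:
    name: str
    condition: object   # predicate built from the helpers above
    remediation: str    # remediation action offered when the check fails

# Posture policy: identity group (or "Any") -> its requirements (constructed sample)
SAMPLE_POLICY = {
    "Any": [Requirement("AV-Current", av_definitions_newer_than(7), "Update AV definitions")],
    "Employee": [
        Requirement("Firewall-On", any_of(service_running("MpsSvc"), service_running("ThirdPartyFw")),
                    "Enable the host firewall"),
        Requirement("Corp-Agent", all_of(file_exists("C:\\Corp\\agent.exe"),
                    registry_value_is("HKLM\\SOFTWARE\\Corp\\AgentVersion", "2")),
                    "Install the corporate agent"),
    ],
}

def evaluate_posture(policy, ep):
    """Check the requirements for the endpoint's identity group (plus 'Any').
    Returns ('Compliant', []) or ('NonCompliant', [remediation actions])."""
    failed = [req.remediation for group in ("Any", ep.identity_group)
              for req in policy.get(group, []) if not req.condition(ep)]
    return ("Compliant" if not failed else "NonCompliant", failed)

def authorization_after_posture(status):
    """Passing posture moves the session to a new authorization profile; failing
    keeps it in a remediation profile (profile names are constructed)."""
    return "Employee-Full-Access" if status == "Compliant" else "Posture-Remediation"
```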
  • 30. Profiling Services
  • 31. NAC Gap: Non-PC Endpoint Devices – Do you have a full record of devices on the network? (charts of wired endpoint distribution: enterprises without VoIP, 50% Windows / 50% other; enterprises with VoIP, 33% Windows / 33% IP phones / 33% other)
  • 32. Examples of Non-PC Endpoints: printers, IP cameras, alarm systems, wireless APs, turnstiles, fax machines, video conferencing stations, managed UPS, HVAC systems, cash registers, RMON probes, IP phones, medical imaging machines, vending machines, hubs . . . and many others
  • 33. UX: Profiling – many built-in profiles for Cisco and other common devices!
  • 34. MAC Authentication – Endpoints List (Administration > Identity Management > Identities > Endpoints). Use the filter! Find your MAC address in the list of endpoints. Static?
  • 35. Guest Services
  • 36. Managing the Guest User Lifecycle – Increased Productivity, Operational Efficiency
    • PROVISIONING – Create Guest Accounts: create a single guest account; create multiple guest accounts by importing a CSV file
    • NOTIFICATION – Give Accounts to Guests: print account and access details; send account details via email; send account details via SMS
    • MANAGEMENT – Manage Guest Accounts: view, edit or suspend your individual guest accounts; manage batches of accounts you have created
    • REPORTING – Report on Guests: view audit reports on guest accounts; display management reports on guest access
  • 37. ISE Guest Server – Overview
    • ISE Guest Server can provide: self-registration; full sponsored access; device registration
    • ISE Guest Server has: multiple portal options; guest user policies; sponsor groups & policies; sponsor portal settings
  • 38. ISE Sponsored Guests – Sponsor Portal: customizable web portal for sponsors as well; authenticate sponsors with corporate credentials: local database, Active Directory, LDAP, RADIUS, Kerberos
  • 39. ISE Sponsored Guest Creation
    • Sponsor can create one or multiple accounts
    • Sponsor sets which group role/identity store guests will be placed in
    • Different time profiles can be used for access
    • User accounts can be provided by different means of notification (email, print, SMS)
  • 40. Guest User Account Detail Delivery: send account information via print-out, email, or SMS
  • 41. Guest Verification
    • The Monitor > Authentications window will show all authentications, including guests
    • Identity and authorization can be found for guests