
TechWiseTV Workshop: Cisco Identity Services Engine (ISE)


Learn how to use Cisco Identity Services Engine (ISE) to drive business agility while obliterating malware and data breaches.

Resources:
Watch the related TechWiseTV episode: http://cs.co/9003Dqkhz
TechWiseTV: http://cs.co/9009DzrjN



  1. Ziad Sarieddine, Security Policy and Access Technical Marketing, July 18, 2018. Monitor, Mitigate and Respond: Redefine Your Network Security Architecture with ISE
  2. The role of IT is more demanding than ever: new IT paradigms, evolving security challenges, growing system complexity
  3. The need of the hour is to have a network and security infrastructure that reacts to business needs and understands business roles; embraces the cloud, mobility, IoT, BYOD, and digitization; provides network visibility and security without sacrificing agility; and achieves dynamic and adaptive network segmentation
  4. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential. ISE connects trusted users and devices with trusted services. Identity Services Engine (ISE): a centralized security solution that automates context-aware access. Diagram labels: Trusted Device Groups; Trusted App/Services; Trusted Group Partners; Cloud App A, Cloud App B, Server A, Server B; Trusted Asset; Public/Private Cloud; Policy Enforcement (Cloud, On Prem); Enforcement on every PIN on premise; Source, Destination
  5. Cisco DNA™ Center: simple workflows (Design, Provision, Policy, Assurance). Software-Defined Access; APIC-EM; Network data platform; Identity Services Engine; wireless access points, wireless LAN controllers, switches, routers
  6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Visibility: ISE profiling, IoT and contextual data sharing
  7. The visibility problem. MAC address: 00-05-01-AA-E1-FF; IP address: 192.168.2.101. Who owns that device? What device is it? Where is it located? Is it vulnerable? What is it accessing? Is there malware? Any threats from it? How to run the network with so many unknowns?
  8. Visibility: ISE profiling. Feed Service (online/offline); active probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP; device sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS. Figures on the slide: 1.5 million, 1000+, 260+ (devices with '50' attributes each can be stored; high-level canned profiles, plus periodic feeds; medical device profiles). Cisco ISE, Cisco Network
  9. ISE visibility attributes collected. Users: name, username, contact, role, permissions/rights. Device: type, ownership, compliance/posture. Location: physical, logical, MSE integration. Connectivity: medium (wired/wireless/VPN), network access devices, state (active session). Time: time of day, day of week, connection duration. Behavior: historical (now and before); was the device doing expected vs. unexpected? Application and Services: applications installed, running, allowed; services and processes. Vulnerability: CVE, CVSS scores; vulnerability scan from 3rd-party scanners. Threat: malware/STIX, fidelity, spoofing
  10. Visibility based on vulnerability: integration with vulnerability scanners
  11. Visibility based on threat: threat endpoints based on incidents and indicators
  12. New IoT focus, 3 major pillars: Healthcare System, Manufacturing, Building Automation. Example devices: biomed, radiology, instrumentation, POS, etc.; HVAC, surveillance camera, refrigerator, elevators, fire alarms; PLCs, HMIs, SCADA servers, historian, etc.
  13. New and updated IoT profile libraries (2.4): Automation and Control; Industrial/Manufacturing; Building Automation; Power/Lighting; Transportation/Logistics; Financial (ATM, Vending, PoS, eCommerce); IP Camera/Audio-Video/Surveillance and Access Control; Other (Defense, HVAC, Elevators, etc.); Windows Embedded; Medical NAC Profile Library (updated). Auto-detect and classify Automation and Control endpoints
  14. 600+ Automation and Control profiles (2.4)
  15. Windows Embedded profiles: common OS implemented for IoT devices (2.4)
  16. Endpoint profiles in the Communities: https://communities.cisco.com/tags/ise-endpoint-profile
  17. Manufacturing floor, Cell Area Zones: devices (process focused), controller devices, human machine interface. IND asset identity: Device: PLC; Vendor: Rockwell; Model: CompactLogix; Serial: 236456PTX; Firmware: 12.3 SE
  18. IND and ISE integration: bringing OT visibility into ISE (2.4). Diagram: Enterprise Zone (Levels 4 and 5); Industrial DMZ; Industrial Zone (Level 3); Cell Area Zone (Levels 0–2) with PLC, IO, Drive, HMI; IE 5000s, ISA 3000, IE 1000, IE 4010; NGFW, Stealthwatch, IND, ISE; Internet/Cloud. IND asset identity (Device: PLC; Vendor: Rockwell; Model: CompactLogix; Serial: 236456PTX; Firmware: 12.3 SE) and user identity exchanged via pxGrid publish/subscribe; NetFlow
  19. pxGrid "Context In" for IND profiler attributes: MAC Address, IP Address, iotAssetDeviceType, iotAssetProductCode, iotAssetProductName, iotAssetRetrievedFrom, iotAssetSerialNumber, iotAssetTrustLevel, iotAssetVendorName, iotAssetVendorID, iotAssetSwRevision, iotAssetHwRevision, iotAssetProtocol, iotAssetBusinessOwner, iotAssetLocation, iotAssetTag. IND communicates with industrial switches and security devices and collects detailed information about the connected manufacturing devices. IND vX adds a pxGrid Publisher interface to communicate IoT attributes to ISE. Roles: pxGrid Controller; IND as Publisher; ISE as Subscriber
  20. DEMO | ISE Visibility
  21. ISE integration with IND, use case: simplified RBAC for remote maintenance. IND provides Context-In to ISE; ISA 3000 with SXP and SGFW; Manufacturer X controllers and Manufacturer Y controllers; field engineer performing maintenance from Manufacturer X; Level 1~3, Level 1~2, DMZ. 70+ Cisco and ecosystem partner integrations (Context-Out). Open MAB (Monitor Only/Full Access) on IE switches tracks session/SGT. IND gathers a detailed inventory of industrial devices and publishes the information via pxGrid to ISE
  22. Context build, summarize, exchange. Sources: Directory Services, Vulnerability Scanners, System Managers, Threat Intelligence, Mobility Services Engine, Mobile Device Managers, Endpoints. Cisco ISE (visibility and access control) builds context (Security Group; Who, What, When, Where, How; Posture, Threat, Vulnerability) and applies access control restrictions to users and devices. Context reuse by ecosystem partners for analysis and control: Stealthwatch, Firepower Services, Web Security + 3rd-party partners, via pxGrid, REST API, Syslog
  23. Cisco ISE & pxGrid: 80+ partner integrations and growing. Categories: Firewall & Access Control, Vulnerability Assessment, Packet Capture & Forensics, SIEM, UEBA, Threat Defense, IAM & SSO, Net/App Performance, IoT Security, MDM, Cloud Access Security, Rapid Threat Containment (RTC), DDI, Deception, Application; Cisco WSA, Cisco Firepower, Cisco Stealthwatch. Growing partner ecosystem benefits: improve response, enhance controls, simplify operations
  24. ISE pxGrid ecosystem: sharing contextual data with Stealthwatch. Real-time visibility at all network layers: data intelligence throughout the network, asset discovery, network profile, security policy monitoring, anomaly detection, accelerated incident response. Diagram labels: Cisco ISE; context information; mitigation action; NetFlow; Cisco Stealthwatch
  25. ISE pxGrid ecosystem: sharing contextual data with Splunk. Diagram labels: Cisco ISE; context information; mitigation action; Splunk
  26. Context-based 'web filtering' with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE). Examples: Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office. Enterprise backbone, Internet, Web Security Appliance; pxGrid, RADIUS
  27. Policy simplification: ISE + DNA integration
  28. How do you define your policy goals? What are your priorities? Business intent? Compliance? Risk reduction? Asset protection?
  29. How do you define your policy goals? Healthcare: segregate clinical devices in IT infra without disrupting current healthcare application flow; disarm policy in case of emergency to ensure patient safety. Manufacturing: ensure the manufacturer's engineer performs remote maintenance securely for their devices only; permit only intended communication from ICS devices in the manufacturing lines. Financial: control access to regulated apps, simplify audit & compliance, accelerate security policy provisioning for new servers. Retail: scope reduction for PCI compliance, protecting sensitive information from other connected devices
  30. ISE and DNA-C integration: policy automation and better usability. Diagram labels: Campus Fabric; Authentication; Authorization Policies; Fabric Management; Policy Authoring Workflows; Groups and Policies; pxGrid; REST APIs; Cisco Identity Services Engine; Cisco DNA Center
  31. ISE and DNA-C integration: ISE and DNAC node communication. Nodes: ISE-PAN, ISE-PXG, ISE-MNT, ISE-PSN, DNA-Center. Authorization policy: Employee VN/SGT-10 (if/then); Contractor VN/SGT-20 (if/then); Things VN/SGT-30 (if/then). pxGrid exchange topics: TrustSecMetaData, SessionDirectory* (* not used today). SGT Name: Employee = SGT-10; SGT Name: Contractor = SGT-20; ... Example session: Bob with Win10 on CorpSSID. Network devices, endpoints; REST, pxGrid; Admin/Operate, Config Sync, Context. DNA-C knows all PSN IPs
  32. SDA policy workflow. Source: Employees, Contractors; destination: Production, Development; contract. Cisco DNA Center, Cisco ISE, fabric nodes, fabric policies: PERMIT Employees to Production; API policy download
  33. ISE DEFCON: activate up to 5 failsafe policies on cloud and premise networks. Policy matrix sources: LoB 1 Employee, LoB 2 Employee, Partner 1, Partner 2, POS Terminal; destinations: LoB1Employee, LoB2Employee, Partner1, Partner2, PCIServer, SharedApps, LoB1Apps, LoB2Apps. Standard Policy versus DEFCON3 Policy (stops lateral movement); multiple levels of "failsafe" policy sets: DEFCON 5, 4, 3, 2, 1
  34. Host isolation to block lateral movement. Diagram groups: Employee, Supplier, Quarantine, Shared Server, Server, High Risk Segment, Internet. Employee-to-employee SGACL shown on the slide:
      deny icmp
      deny udp employee employee eq domain
      deny tcp employee employee eq 3389
      deny tcp employee employee eq 1433
      deny tcp employee employee eq 1521
      deny tcp employee employee eq 445
      deny tcp employee employee eq 137
      deny tcp employee employee eq 138
      deny tcp employee employee eq 139
      deny udp employee employee eq snmp
      deny tcp employee employee eq telnet
      deny tcp employee employee eq www
      deny tcp employee employee eq 443
      deny tcp employee employee eq 22
      deny tcp employee employee eq pop3
      deny tcp employee employee eq 123
      Block lateral movement & privilege escalation
  35. Security group based access control for firewalls: Security Group Firewall (SGFW), source tags and destination tags
  36. Threat containment
  37. Get ahead of threats with a growing intelligence ecosystem. Threat-Centric NAC enhancements: quarantine and remediation, dynamic policy changes. Cisco ISE with AMP and CTA (new). Common Vulnerability Scoring System (CVSS), scale 0 to 10, labelled Unknown, Insignificant, Distracting, Painful, Damaging, Catastrophic; STIX framework: standardized reporting. With the 2.2 release, ISE now takes in threat intelligence from Tenable, Rapid7 and Cisco Cognitive Threat Analytics (CTA). These new solutions enhance posture assessment with a broader range of threat-incident intelligence. Supports third-party vulnerability and threat data sources on an open platform; automates CoA based on vulnerability intelligence; supplements existing ISE reporting with easy-to-read STIX and CVSS-based reports; decreases the time to threat remediation and supports dynamic policy changes. Broader threat insight: apply multiple vulnerability data sources. Expanded coverage: leverage an open platform and standards-based framework. Fast remediation: update policy dynamically to prevent or change access
  38. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public. DEVNET-1010. Cisco pxGrid: context sharing and network mitigation; connecting partners and Cisco security platforms, connecting partners to partners. Benefits: (1) ISE shares user/device and network context with IT infrastructure, making customer IT platforms user/identity, device and network aware; context puts "who, what device, what access" with events, way better than just IP addresses. (2) ISE receives context from eco-partners to make better network access policy, creating a single place for comprehensive network access policy through integration. (3) Mitigate: help customer IT environments reach into the Cisco network; decreases the time, effort and cost of responding to security and network events
  39. Context-based threat detection and containment. Diagram groups: Employee, Supplier, Quarantine, Shared Server, Server, High Risk Segment, Internet. Lancope StealthWatch or Firepower reports an event: TCP SYN Scan; Source IP: 10.4.51.5; Role: Supplier; Response: Quarantine. ISE issues a Change of Authorization and the network fabric moves the host into Quarantine
  40. DEMO | Solution Demo
  41. Thank you for watching.
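As an added example (not part of the deck or of Cisco's software), the following Python evaluator takes the employee-to-employee host isolation SGACL from slide 34 as written, parses each access control entry, and answers whether a given flow between two security groups is denied. The slide shows no final catch-all entry, so the closing action is a parameter here (assumed permit), not a Cisco default.

```python
# IOS-style port keywords that appear in the ACL on the slide.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

# Transcribed from slide 34, one access control entry (ACE) per line.
HOST_ISOLATION_SGACL = """\
deny icmp
deny udp employee employee eq domain
deny tcp employee employee eq 3389
deny tcp employee employee eq 1433
deny tcp employee employee eq 1521
deny tcp employee employee eq 445
deny tcp employee employee eq 137
deny tcp employee employee eq 138
deny tcp employee employee eq 139
deny udp employee employee eq snmp
deny tcp employee employee eq telnet
deny tcp employee employee eq www
deny tcp employee employee eq 443
deny tcp employee employee eq 22
deny tcp employee employee eq pop3
deny tcp employee employee eq 123
"""


def parse_sgacl(text):
    """Return (action, proto, src_sgt, dst_sgt, port) tuples; None means any."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        src = dst = port = None
        if len(parts) >= 4:          # entries that name source and destination groups
            src, dst = parts[2], parts[3]
        if "eq" in parts:            # 'eq <port>' may be numeric or an IOS keyword
            word = parts[parts.index("eq") + 1]
            port = PORT_NAMES.get(word) or int(word)
        aces.append((parts[0], parts[1], src, dst, port))
    return aces


def evaluate(aces, proto, src_sgt, dst_sgt, port=None, default="permit"):
    """First matching ACE wins. The slide shows no final catch-all, so the
    closing action is a parameter (assumed 'permit' here, not a Cisco default)."""
    for action, ace_proto, src, dst, ace_port in aces:
        if ace_proto != proto:
            continue
        if src is not None and (src, dst) != (src_sgt, dst_sgt):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return default
```

Running `evaluate(parse_sgacl(HOST_ISOLATION_SGACL), "tcp", "employee", "employee", 445)` returns "deny", while the same SMB flow from employee to a server group falls through to the default.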
