From Cisco ACS to ISE
1. From Cisco ACS to ISE
Comparison of two technologies
M.Zahedi
2015
2. In The Name Of God
Contents
ACS Introduction
Policy terminology
Access Service /Examples
Why ISE
New features Of ISE
3. Cisco Secure Access Control
Network security officers and administrators need solutions that support flexible authentication and authorization policies that are tied not only to a user's identity but also to context such as the network access type, the time of day the access is requested, and the security of the machine used to access the network.
Cisco Secure ACS, a core component of the Cisco TrustSec® solution, is a highly sophisticated policy platform providing RADIUS and TACACS+ services. Cisco Secure ACS provides central management of access policies for device administration and for wireless, wired IEEE 802.1X, and remote (VPN) network access scenarios.
4. Features
Unique, flexible, and detailed device administration in IPv4 and IPv6 networks, with full auditing and a rules-based policy model that flexibly addresses complex policy needs
A lightweight, web-based GUI with intuitive navigation and workflow, accessible from both IPv4 and IPv6 clients
Integrated advanced monitoring, reporting, and troubleshooting capabilities for excellent control and visibility
Integration with external identity and policy databases, including Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases, simplifying policy configuration and maintenance
A distributed deployment model that enables large-scale deployments and provides a highly available solution
5. Main Features and Benefits of Cisco Secure ACS 5.8
Feature | Benefit
Complete access control and confidentiality solution | It can be deployed with other Cisco TrustSec components, including policy components, infrastructure enforcement components, endpoint components, and professional services.
Authentication, authorization, and accounting (AAA) protocols | Supports two distinct AAA protocols: RADIUS and TACACS+.
Database options | Integration with existing external identity repositories such as Microsoft AD servers, LDAP servers, and RSA token servers.
Authentication protocols | PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication through Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), and PEAP-TLS. It also supports TACACS+ authentication with CHAP/MS-CHAP protocols and PAP-based password change when using TACACS+ and EAP-GTC with LDAP servers.
6. Cont. Main Features and Benefits of Cisco Secure ACS 5.8
Feature | Benefit
Access policies | A rules-based, attribute-guided policy model that provides greatly increased power and flexibility for access control policies, which can include authentication protocol requirements, device restrictions, time-of-day restrictions, and other access requirements. Cisco Secure ACS can apply downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters. Furthermore, it allows comparison between the values of any two attributes that are available to Cisco Secure ACS to be used in identity, group-mapping, and authorization policy rules. Rule form: If <identity-condition, restriction-condition> then <authorization-profile>
Centralized management | Cisco Secure ACS 5.8 supports a completely redesigned lightweight, web-based GUI that is easy to use. An efficient, incremental replication scheme quickly propagates changes from primary to secondary systems, providing centralized control over distributed deployments. Software upgrades are also managed through the GUI and can be distributed by the primary system to secondary instances.
Support for high availability in larger Cisco Secure ACS deployments | Cisco Secure ACS 5.8 supports up to 22 instances in a single Cisco ACS cluster: 1 primary and 21 secondary. One of these instances can function as a hot (active) standby system, which can be manually promoted to the primary system in the event that the original primary system fails.
7. Cont. Main Features and Benefits of Cisco Secure ACS 5.8
Feature | Benefit
Programmatic interface | Cisco Secure ACS 5.8 supports a programmatic interface for create, read, update, and delete operations on users and identity groups, network devices, and hosts (endpoints) within the internal database. It also adds the capability to export the list of Cisco Secure ACS administrators and their roles through the same web services API.
Monitoring, reporting, and troubleshooting | Cisco Secure ACS 5.8 includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. This tool provides excellent visibility into configured policies and authentication and authorization activities across the network.
8. Policy terminology
Access service: a sequential set of policies used to process an access request
Policy element: a global, shared object that defines policy conditions and permissions
Shell profile: permissions container for TACACS+-based device administration policy
Authorization profile: permissions container for RADIUS-based network access policy
Command set: contains the set of permitted commands
Policy: a set of rules that are used to reach a specific policy decision
Identity policy: policy for choosing how to authenticate and acquire identity attributes for a given request
9. Access Services
Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices. In ACS 5.x, authentication and authorization requests are processed by access services.
An access service consists of the following elements:
Identity Policy—Specifies how the user should be authenticated and includes the allowed authentication protocols and the user repository to use for password validation.
Group Mapping Policy—Specifies if the user's ACS identity group should be dynamically established based on user attributes or group membership in external identity stores. The user's identity group can be used as part of their authorization.
Authorization Policy—Specifies the authorization rules for the user.
10. Cont. Access Services: A Sample
Access Service List
Service Selection Policy
11. Why Cisco Identity Services Engine?
The Evolving Workplace Landscape: device proliferation
15 billion devices by 2015 that will be connecting to your network
40% of staff are bringing their devices to work
On average every person has 3-4 devices on them that connect to the network
Gartner: until 2020, 26 billion devices in IoE (Internet of Everything)
12. Key Functions
Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
Provides comprehensive guest access management for Cisco ISE administrators
Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing the device posture for all endpoints that access the network, including 802.1X environments
Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
Employs advanced enforcement capabilities including TrustSec through the use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACLs)
Scales to support a range of deployment scenarios from small office to large enterprise environments
13. Features of ISE
Feature | Benefit
Highly secure supplicant-less network access | Provides organizations with the ability to swiftly roll out highly secure network access without configuring endpoints for authentication and authorization. Authentication and authorization are derived from login information across application layers and used to allow user access without requiring an 802.1X supplicant to exist on the endpoint.
Guest lifecycle management | Time limits, account expirations, and SMS verification offer additional security controls, and full guest auditing can track access across your network for security and compliance demands.
Security Group Tagging | Easier access controls
14. Cont. Features of ISE
Feature | Benefit
AAA protocols | RADIUS and TACACS+ protocols
Authentication protocols | A wide range of authentication protocols, including, but not limited to, PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (FAST), EAP-Transport Layer Security (TLS), and EAP-Tunneled Transport Layer Security (TTLS).
Device profiling | Ships with predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Administrators can also create their own device templates. These templates can be used to automatically detect, classify, and associate administration-defined identities when endpoints connect to the network.
15. Cont. Features of ISE
Feature | Benefit
Internal certificate authority | Offers organizations an easy-to-deploy internal certificate authority to simplify certificate management for personal devices without adding the significant complexity of an external certificate authority application.
Endpoint posture | Verifies endpoint posture assessment for PCs and mobile devices connecting to the network.
Ecosystem with pxGrid | Integrates through pxGrid with SIEM and threat defense solutions, web security solutions, and operational technology control.
Monitoring and troubleshooting | Includes a built-in web console for monitoring, reporting, and troubleshooting.
Extensive multiforest AD support | Provides comprehensive authentication and authorization against multiforest Microsoft Active Directory domains.
17. Identity Awareness
Authentication features: IEEE 802.1X, MAC Authentication Bypass, web authentication
Consistent identity feature supported on all Catalyst switch models
18. Device identification/Device Profiling
Automated device classification using Cisco infrastructure (Cisco innovation)
Profiling operations:
Determining the manufacturer of the endpoint
Function of the endpoint (IP phone, IP camera, network printer)
Other network-level assessments of the endpoint
19. Context Awareness: Posture Assessment
ISE posture ensures endpoint health before network access.
Posturing: using the NAC agent, posturing ensures that the endpoint is adhering to security policies. If the security policy is matched, additional network access can be allowed via the authorization policy.
Depth of posturing: third-party software such as MDMs
23. Cont. Security Group Tagging support
Enforcement is based on the Security Group Tag and can control communication within the same VLAN.
24. Cont. Security Group Tagging support: Example
SGACL matrix (Source/Destination) with rows PCI, HR and columns PCI, HR; the permit/deny cells are shown graphically on the slide.
PCI user attempting to talk to an HR user on the same switch and same VLAN is denied.
HR user on Switch 1 is able to communicate with HR user on Switch 2.
HR user is denied access to the PCI server.
PCI user is granted access to the PCI server.
25. Platform Exchange Grid (pxGrid) context sharing
pxGrid is a robust context-sharing platform that takes the deep level of contextual data collected by ISE and delivers it to external and internal ecosystem partner solutions.
ISE can integrate through pxGrid with SIEM and threat defense solutions, web security solutions, and operational technology control (including supervisory control and data acquisition, or SCADA, operational and security policy integration).
The list of ecosystem partners who are taking advantage of this simple unified framework continues to expand (see the partner security ecosystem page).
26. Conclusion
Feature | ACS | ISE
AAA protocol (TACACS+/RADIUS) | * | *
External DB (AD, LDAP) | * | *
Auth protocols | * | * + TTLS
Auth features | 802.1X | 802.1X, MAB, web auth
Endpoint posture | | *
Device profiling | | *
Guest management | | *
Access policies | VLAN, ACL | + SGT
Internal CA | | *
Complete access control | with other TrustSec solutions | with SIEM and security solutions using pxGrid
Monitoring, reporting, and troubleshooting | using columns view | using real-time dashboard metrics
Cisco Secure ACS 5.6 includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. This tool provides excellent visibility into configured policies and authentication and authorization activities across the network. Logs are viewable and exportable for use in other systems as well. A new report generation mechanism in Cisco Secure ACS 5.6 provides significantly better performance and improved ease of use. However, it does not have the report customization capabilities under the "Interactive Viewer" option for reports that were available in Cisco Secure ACS 5.5 and earlier releases. A subset of those options, such as "Show/Hide columns" and "Sort columns", will be added in a subsequent Cisco Secure ACS release or patch.
PAP = Password Authentication Protocol -> not secure: clear-text password
MS-CHAP = Microsoft Challenge Handshake Authentication Protocol -> hashed password, no encryption, and clear-text username
Assume that we have two groups: one has unlimited access to the network and the other has limited access.
1- We create two shell profiles (AdminProfile: privilege 15 / NetProfile: privilege 1).
2- Next, in Command Sets, we create two command sets: one named AllowAllCommand, the other named AllowShowCommand.
3- In the Identity Groups section: Name RWGroup, Name ROGroup.
4- In DefaultDeviceAdmin > Group Mapping: from AD-AD1, condition: any user in x domain, result: RWGroup; from AD-AD1, any user in y domain, result: ROGroup.
5- Authorization section: RWpolicy (identity group, location, device type, time and date), result: AllowAllCommand, AdminProfile; and likewise ROpolicy.
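The five steps above carried through as an added Python model of the ACS device-administration access service (group mapping, then the rule form "if <identity-condition, restriction-condition> then <authorization-profile>" returning a shell profile and a command set); this is illustrative code, not Cisco's. The group, profile, command-set and policy names follow the notes, while the AD domains x.example/y.example, the locations, device types and the 08:00 to 18:00 window on RWpolicy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class ShellProfile:
    """TACACS+ shell profile: the privilege level pushed to the device."""
    name: str
    privilege: int


@dataclass(frozen=True)
class CommandSet:
    """Permitted commands, matched on the first word (e.g. 'show')."""
    name: str
    permit_any: bool = False
    permitted: tuple = ()

    def allows(self, command: str) -> bool:
        words = command.split()
        return bool(words) and (self.permit_any or words[0] in self.permitted)


@dataclass(frozen=True)
class Request:
    """Attributes ACS evaluates for one TACACS+ device-administration request."""
    username: str
    ad_domain: str     # from the AD external identity store (constructed values)
    location: str      # network device group: location (constructed)
    device_type: str   # network device group: device type (constructed)
    when: datetime


# Step 1: shell profiles. Step 2: command sets.
ADMIN_PROFILE = ShellProfile("AdminProfile", 15)
NET_PROFILE = ShellProfile("NetProfile", 1)
ALLOW_ALL = CommandSet("AllowAllCommand", permit_any=True)
ALLOW_SHOW = CommandSet("AllowShowCommand", permitted=("show",))

# Steps 3/4: group mapping from AD domain to identity group; first match wins.
GROUP_MAPPING = [
    (lambda r: r.ad_domain == "x.example", "RWGroup"),  # any user in x domain
    (lambda r: r.ad_domain == "y.example", "ROGroup"),  # any user in y domain
]


@dataclass(frozen=True)
class AuthzRule:
    """One rule of the authorization policy (step 5):
    if <identity group, location, device type, time> then <profile, commands>."""
    name: str
    identity_group: str
    locations: frozenset
    device_types: frozenset
    window: tuple   # (start, end) time-of-day restriction
    shell_profile: ShellProfile
    command_set: CommandSet

    def matches(self, req: Request, group: str) -> bool:
        start, end = self.window
        return (group == self.identity_group
                and req.location in self.locations
                and req.device_type in self.device_types
                and start <= req.when.time() <= end)


AUTHZ_POLICY = [
    AuthzRule("RWpolicy", "RWGroup", frozenset({"HQ"}), frozenset({"router", "switch"}),
              (time(8, 0), time(18, 0)), ADMIN_PROFILE, ALLOW_ALL),
    AuthzRule("ROpolicy", "ROGroup", frozenset({"HQ", "Branch"}), frozenset({"router", "switch"}),
              (time(0, 0), time(23, 59, 59)), NET_PROFILE, ALLOW_SHOW),
]


def make_request(username, ad_domain, location, device_type, hour) -> Request:
    """Build a sample request at the given hour on a constructed date."""
    return Request(username, ad_domain, location, device_type, datetime(2015, 6, 1, hour, 0))


def map_identity_group(req: Request) -> Optional[str]:
    for condition, group in GROUP_MAPPING:
        if condition(req):
            return group
    return None


def authorize(req: Request) -> Optional[AuthzRule]:
    """Run the access service: identity group first, then the first matching
    authorization rule. No match is the default-deny result (no shell profile)."""
    group = map_identity_group(req)
    if group is None:
        return None
    for rule in AUTHZ_POLICY:
        if rule.matches(req, group):
            return rule
    return None


def check_command(req: Request, command: str) -> Tuple[Optional[int], bool]:
    """(privilege level, command permitted) as the device sees it after
    TACACS+ authorization; (None, False) when the session is denied."""
    rule = authorize(req)
    if rule is None:
        return None, False
    return rule.shell_profile.privilege, rule.command_set.allows(command)
```

For example, check_command(make_request("alice", "x.example", "HQ", "router", 10), "configure terminal") returns (15, True), while the same user at 03:00 falls outside the RWpolicy window and gets (None, False).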
The enterprise network no longer sits within four secure walls. It extends to wherever employees are and wherever data goes. Employees today want access to work resources from more devices and through more non-enterprise networks than ever before. Mobility and the Internet of Everything (IoE) are changing the way we live and work. As a result, enterprises must support a massive proliferation of new network-enabled devices. However, a myriad of security threats and highly publicized data breaches clearly demonstrate the importance of protecting this evolving enterprise network.