TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)

See It All, Secure It Now with Cisco ISE 2.1
Tim Abbott
August 3, 2016

Tim Abbott
Security Business Group
August 2016
What’s New
Cisco Identity Services
Engine (ISE) 2.1

4© 2016 Cisco and/or its affiliates. All rights reserved.
Today’s network requires better visibility and stronger
control
Key trends
creating weaknesses
in legacy networks
Mobility and BYOD
in the workplace
Digitization
of data
Internet Of Things (IOT)
connecting everything

While protecting an ever increasing amount of data in
your system
300% Digitization
Attack surface
expansion
Fragmentation
Average enterprise
network data growth
over next 5 years1
1Cisco Global Cloud Index: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.html

Stop and contain threats
With ISE you can
See and share rich user
and device details
Control all access
throughout the network
from one place

What is new in ISE 2.1 and AnyConnect 4.3
Threat-Centric NAC
Cisco
ISE 2.1ACS to ISE Migration
Rapid Threat Containment (RTC)
TrustSec / ACI Policy
Plane Integration
Streamlined
Visibility Wizard
Easy Connect
Context Visibility
ISE Technology Partner
& pxGrid Enhancements
AnyConnect NVM Enhancements
with Version 4.3
Dashboard Enhancements

Control all access from one place
Simplify access
delivery across
wired, wireless, and
VPN connections
Gain awareness of everything
hitting your network
Provide access consistently and efficiently
Relieve the stress of
complex access management

Simplify access management while maintaining security
Easy Connect
Benefits
What’s new for ISE 2.1?
Easy Connect is a quick, flexible user
authentication method that applies
when endpoints don’t support 802.1x.
Easy Connect monitors user login via
Active Directory and maps the user’s
identity to give access.
Capabilities
• Active-session monitoring across
both AD and Network log-ins
• Session maintenance from Wired
MAB clients to NADs
• Directory notification publication via
pxGrid
• Address legacy and unsupported
NADs with TrustSec
• Assignment of VLANs, dACLs, SGTs
and more for users authorized via
Easy Connect
Easy Connect merges RADIUS identity with AD
Login identity to deliver differentiated access
Most secure
with integrated 802.1x,
supplicants
and certificates
Basic
with whitelisting
Access
Security
Better and flexible
with ISE Easy Connect
Complexity
Identity
mapping
Active Directory
(AD) Login
Publish
to pxGrid
SXP
speaker
Access Security
Complexity
Access
Security Complexity
Easy Connect, a secure alternative to whitelistingIncreased visibility
into active network sessions
authenticated against AD
Immediate value
with no need to touch each
endpoint or require users to
authenticate again
Flexible deployment
that doesn’t require a supplicant
or PKI, allowing ISE to issue
COA for added security
Publish
to pxGrid
MnTNetwork
Access Device
w/o 802.1x

Integration of TrustSec and ACI policy
groups enables customers to address
breach, segmentation and compliance
challenges by sharing policy groups
between TrustSec-enabled networks
and ACI datacenters.
Enable consistent security policy across the enterprise
TrustSec - ACI policy plane integration
Consistent security policy groups can be shared between TrustSec and ACI domains:
• Campus security groups can be used in ACI policies: ACI learns TrustSec Security Group Tags (SGTs), and
these SGTs are available for use by the APIC policy
• Endpoint groups (EPGs) can be used in campus policies: ISE retrieves EPGs and creates SGTs in harmony
Capabilities
Policy integration example – Campus and Data Center
Benefits
Unified security policy
leveraging user, device, application &
threat state in group-based policies
Simplified security management
Complementary group-based policy
approaches simplify security design,
operations and compliance
Consistent segmentation
across the datacenter, branches,
users and devices
Campus / Branch
TrustSec Policy Domain
Voice BYODAuditorEmployeeNon-
Compliant
Campus
Networks
Branch WAN
APIC
Data Center
ACI Policy DomainTrustSec SGTs mapped to and from ACI EPGs
ACI FabricTrustSec domain
AppWeb
www
Database
Point of
Sale

Make policy changes in a flexible manner
TrustSec change management and workflow capabilities
• Modify SGACLs using a Staging Matrix and test them
before pushing to production
• View changes in comparison to the production matrix
• Leverage seamless integration with ISE RBAC
• Choose to apply changes to all TrustSec-enabled
network devices or only to selected devices
• Request and gain approval on policy changes using a
new workflow
Capabilities
Stage and test policy changes to verify impact, and roll out on your terms
Benefits
New change management capabilities
enable you to test TrustSec security
policy changes before deployment,
and gradually deploy changes to
different parts of the network.
Reduced risk
Minimize the likelihood of
changes causing problems
Greater control
See impact of policy adjustments
in a controlled environment and
fine-tune them before deployment
Increased flexibility
Roll out policies when you want,
where you want
HR Finance
BYOD-
Corp
BYOD-
Vendor
HR PERMIT DENY PERMIT PERMIT
Finance DENY PERMIT PERMIT PERMIT
BYOD-
Corp
DENY DENY PERMIT DENY
BYOD-
Vendor
DENY DENY DENY PERMIT
Source
Protected Assets
Stage policy changes Deploy changes in production
to all devices or a selected sub-set
HR Finance
BYOD-
Corp
BYOD-
Vendor
HR DENY PERMIT PERMIT PERMIT
Finance DENY DENY PERMIT DENY
BYOD-
Corp
PERMIT PERMIT DENY PERMIT
BYOD-
Vendor
DENY DENY PERMIT DENY
Source
Protected Assets
X X
Test and
fine-tune

ISE now includes all of the core the
device administration capabilities
found in ACS, delivering contextual
awareness and device administration
capabilities in a single, central solution.
Unify device administration and access control
Enhanced device administration support
• Migration tool automatically migrates ACS
configuration data to ISE
• Support for core ACS5 features and dedicated device
administration Work Center supporting TACACS+
• Command-level authorization with detailed logs
for auditing
• Dynamic, role-based access control
• Discover, identify & monitor all IP-enabled endpoints
Capabilities
Manage device administration and access control policies in a single place
Benefits
Richer contextual policies
Build policies informed by
contextual data from devices,
infrastructure, and services
Flexible, granular control
Control and audit network device
configuration
Unified, centralized management
Get a full view of all policy
elements in a single management
console
Cisco ISE
Threat &
Vulnerability
Who
WhatWhen
How
Where
Deviceadministration
ACS
ISE
ContextAwareness
Security
Admin Team
TACACS+
Work Center
Network
Admin Team
TACACS+
Work Center

See and share rich user and device details
See who and what
is on your network
and share across
network solutions
Consistent Cross-Platform User/Device
Visibility & Control
Improve your existing security and network
solutions
Make Network Events Actionable

Get the information YOU need faster than ever
Dashboard customization and workflow enhancements
• Build custom dashboards; user controls what to view
• Add/remove/rename tabs and dashboard
components (“dashlets”)
• Adjust layout – re-order dashlets, select from
layout templates, and drag and drop dashlets
• Export to Excel and PDF
• Use new task-oriented Work Centers focused on
BYOD, Posture, and Profiling
Capabilities
Benefits
Enhanced reporting and easier
customization using dashlets to quickly
adjust and create views that fit your
specific needs. New task-oriented
workcenters for guest, BYOD, posture,
profiling, and network access.
See the details that matter to you
Easily create your own single
pane of glass for quick insights
Integrate with existing analytics
Connect with your Office
analytics through Excel exports
Get things done more easily
Use new Work Centers to
accelerate core activities
Each individual can customize the
main screen easily and quickly
Three new Work Centers streamline management activities
Director of Security
NOC EngineerSecurity Engineer
Dashboard Customization New Work Centers

• Deploy quickly and easily; network access device
discovery is set up as an asynchronous process
• Get the data you need for network access device
configuration in a few clicks
• View network devices and user details in a
convenient, easily-consumable interface
• Access historical context data on endpoints that have
been on the network in prior weeks and months
Capabilities
Benefits
ISE 2.1 delivers a new level of visibility
into users & endpoints by making data
more consumable. It includes a
redesigned user interface (UI) that
enables you to get set up and gain
insights faster and more easily.
Improve visibility through an intuitive interface
Streamlined Visibility Wizard enhancements
Faster time to value
with extensive, easy-to-read
reports in a matter of hours
Insightful reporting
That pulls from a rich, broad set
of network and user data
Plug-and-play setup
that takes just a few clicks and
as little as 10 minutes
User
Location
User
Location
Company Network
?
?
? ??
?
?
??
??
?
Visibility Wizard

Gain a deeper understanding of endpoint activity
Context Visibility enhancements
• Store data on 1.5M endpoints across 50 attributes,
not just endpoints that are currently active
• Benefit from in-disk storage (elastic search)
• Get insight more easily through a better UI
• Perform forensic analysis on endpoints on the
network in a previous week or month
• Import/export data as needed
• Aggregate endpoint information in one place
Capabilities
Benefits
The ability to aggregate, store and
search high volumes of endpoint data,
giving you greater visibility. ISE 2.1
collects data from multiple sources into
one place, and its enhanced database
stores more historical data than ever.
Unified view
Access all of the endpoint data
you need from one place
Simple, fast discovery
Get to the information you’re
looking for in a few seconds
Deeper visibility
Perform detailed, retroactive
forensic analysis after an
endpoint has left the network
LogsSys logsReports
II00 I0I0 0I
John on his iPad in Building
8 has Vulnerability <XYZ>

Leverage our growing partner ecosystem
Integration with new ecosystem solutions across many use cases
Threat-Centric NAC Cloud Access Security Broker User Behavior Analytics
Partner use cases
Identity Access Management Network Visibility Mobile Device Management
Rapid Threat Containment & Threat Defense
Benefits
Integration with new ecosystem
partner solutions through the pxGrid
framework, and expansion of existing
partnerships to new use cases.
Improved responsiveness & control
Unify security and network event
data and respond faster by
facilitating access to the Cisco
network
Greater visibility
Gain visibility into user and device
activity, threats, vulnerabilities, and
more for deeper analytics & reports
Simplified management
Manage policy in a single place by
integrating ISE with other vendor
solutions

Gain increased visibility across your network
Detect suspicious behavior more effectively
AnyConnect Network Visibility Module (NVM) enhancements
• Stay informed with continuous monitoring and
always-on” capability that limits blindspots
• Collect and send data when on-premises and/or
VPN-connected (including split tunneling)
• Get 24-hour rolling cache of netflow data when
disconnected
• Receive auditing intelligence with built-in reporting
and analytics
• Limit user experience impact with stream-level
interception
• Benefit from flexibility and customization – e.g. collect
only the attributes needed, cached data throttling
Capabilities
Benefits
ISE 2.1 includes enhancements that
deliver more flexibility in AnyConnect
NVM use. NVM enables greater
visibility across users, endpoints, and
applications, and facilitates analytics
on contextual telemetry data.
Gain a holistic view
across your entire network with
greater insight from behavioral
analytics and contextual data
Defend more effectively
against potential threats with
greater visibility extended to all
endpoints
Improve network operations
with forensic analysis to inform
design, capacity planning and
troubleshooting
AhsidhiaoshdalAhsidhiaoshdalsdkladjhkskadjsndAhsidhiaoshdalsdkl
adjhkskadjsnd, asdnxAhsidhiaoshdalsdkladjhkskadjsnd,
Ahsidhiaoshdalsdkladjhkskadjsnd,
dnxsdkladjhkskadjsnd,asdnxAhsidhiaoshdalsdkladjhkskadjsnd,dnx
Collect Analyze Report

Stop and contain threats
Reduce risk and
contain threats by
dynamically
controlling network
access
Ease security policy setting
Limit unnecessary network exposure
Prevent threats from compromising your
network in real time

Compliant
Where
How
Vulnerability
Gain greater visibility and control with new threat and
vulnerability data
Threat-centric NAC
• Author intelligent policies informed with new threat
and vulnerability data
• Eliminate unknowns and ensure device compliance
• Take immediate action on high-priority issues
• Gain awareness when a vulnerability score changes
or a threat is detected, and adjust network privileges
• Automate containment of vulnerable endpoints
based on vulnerability score
Capabilities
Threat
Who
What
When
Benefits
ISE now incorporates vulnerability
assessments from Qualys and threat
incident intelligence from Talos and
AMP, helping you ensure your policies
account for the latest vulnerabilities
and threats.
Deeper visibility
that extends to all endpoints on
the network
Expanded control
driven by threat intelligence and
vulnerability assessment data
Faster response
with automated, real-time policy
updates based on vulnerability
data
Cisco ISE
AMP

Use the latest rapid threat containment (RTC) capabilities
Firepower Management Center (FMC) 6.1 and Identity Service Engine (ISE) 2.1 integration
• Integrated pxGrid remediation module - no more
pxGrid connection agent
• Session information obtained from ISE via pxGrid
• SGTs can be used in FMC 6.1 access control policies
• Ability to integrate with AMP for malware protection
• Remediation options: Quarantine, Unquarantine, Port
Shutdown
• Quarantine actions triggered per policy with Cisco
Firepower and ISE integration
• Infected users can be notified and directed to a portal
for remediation
Capabilities
Benefits
Cisco Firepower Management Center
6.1 integrates with ISE 2.1, helping
you automatically address suspicious
activity on your network based on pre-
defined policies and dynamically stop
threats before they spread.
Automate threat defense
by leveraging ISE to alert the
network of suspicious activity
according to policy
Gain greater scalability
by using the pxGrid framework
Leverage a growing ecosystem
of partners that provide rapid
threat containment by integrating
with ISE
Automatically defend against threats with FMC and ISE
FMC correlates
sensor data,
detects file and
alerts ISE to
change access
policy to
suspicious
Device is
contained; user is
redirected to
remediation portal
User downloads a
malicious file;
sensors scan user
activity and file
Network access is
restored after
remediation
ISE automatically
restricts access
based on new
policy
Improved
scalability
pxGrid
controller

Get started today
Talk to your Cisco account
manager
Find out more on
cisco.com/go/ise

Thank you for watching.

TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)

Similar to TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine) (20)

More from Robb Boyd

More from Robb Boyd (20)

Recently uploaded

Recently uploaded (20)

TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)

Editor's Notes