
How Cisco Deployed Cisco Identity Services Engine …d2zmdbbm9feqrf.cloudfront.net/2017/usa/pdf/BRKCOC-2018.pdf · Inside Cisco IT: How Cisco Deployed Cisco Identity Services Engine


Page 2

Inside Cisco IT: How Cisco Deployed Cisco Identity Services Engine (ISE) and TrustSec Throughout the Enterprise

David Iacobacci

Bassem Khalife

BRKCOC-2018

Page 3

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOC-2018

Cisco Spark spaces will be available until July 3, 2017.

Page 4

Agenda

• Introduction

• Large Enterprise ISE Deployment

• Network Security That Follows You

• Managing a Critical Global Security Service

• Evolving to Deliver Advanced Capabilities

• Q&A

Page 5

Related ISE Sessions

BRKSEC-3699: Designing ISE for Scale and High Availability

BRKSEC-3697: Advanced ISE Services, Tips and Tricks

BRKSEC-2059: Deploying ISE in a Dynamic Environment

BRKSEC-2051: It's all about Securing the Endpoint!

LTRSEC-2002: ISE Integration with Firepower using pxGrid Protocol

BRKSEC-2695: Building an Enterprise Access Control Architecture using ISE and TrustSec

TECSEC-3672: Identity Services Engine 2.2 Best Practices

BRKSEC-3014: Security Monitoring with Stealthwatch: The detailed walkthrough

BRKSEC-2026: Building Network Security Policy Through Data Intelligence

BRKSEC-2047: Operationalizing Advanced Threat Solutions

Page 6

Inside Cisco IT Sessions

BRKCOC-2006: ACI & Tetration Analytics

BRKCOC-2019: Leveraging Cisco WAAS to Improve Network Performance

BRKCOC-2016: Containers on Enterprise Compute and Networks

BRKCOC-2014: Increasing the Speed of Business using AppDynamics

BRKCOC-2012: A Day in the life of a Network Engineer - Day 2 with ACI

BRKCOC-2023: Security Overview - Making it Work

BRKCOC-2013: Embedding Collaboration in Business Workflows using Cisco Spark

BRKCOC-2021: DNA and the Next Generation Network

BRKCOC-2017: Using Machine Learning Technologies to Drive Digital Transformation

“No person shall be held to answer … nor shall be compelled … to be a witness against himself …”

Page 7

[Bar chart: The Cisco IT ISE Deployment Story (Attendees). Sessions on the x-axis: CL San Diego 2015, CL Berlin 2016, CL Vegas 2016, CL Berlin 2017, CL Vegas 2017; ISE versions covered: ISE 1.2, ISE 1.3, ISE 1.4, ISE 2.1, ISE 2.1 => ISE 2.3 (?); bar values 92, 166, 182, 225, 276; y-axis 0 to 300]

Page 8

Feedback For Speakers…

Expected a more technical integration guide

Hoped for more technical details

Nice to see Cisco has same issues as us with its products and features

Excellent useful information for ISE deployment

The best session I've attended. The best speaker ...

The lunch preparations were going on and it was very loud

Little Cold in the Room

The sound was not great

Lots of outside noise. Thin walls


Page 9

Large Enterprise ISE Deployment

Page 10

What is Identity Services Engine (ISE)?

A centralized security solution that automates context-aware access to network resources and shares contextual data.

ISE as the network door (physical or VM), with the ISE pxGrid controller sharing context: Who, What, When, Where, How, Compliant, Threat, Vulnerability

Access policy to network resources: Traditional or Cisco TrustSec®

Use cases: BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture

Page 11

Defending Cisco: What We Must Protect

~130K Workforce

92 Countries (~500 Sites)

~3M IP Addresses

215K Infra Devices

275K Total Hosts

2500+ IT Applications

26K Remote Office Connections (CVO)

16 major Internet connections

~47 TB bandwidth used daily

1350 Labs

195+ Acquisitions

300 partner extranet connections

500 Cloud ASPs

WebEx, Meraki, OpenDNS and Growing Portfolio of Offers

Page 12

Cisco IT Network Security Requirements

Visibility + Attribution

Control

Consistency

Centralization

Automation

Simplification

Integration

Real-Time Defense

Page 13

Seamless Connectivity and Integrated Security

Identity Services Engine at the center, integrated with: Wireless Devices, Wired Network Devices, Home Access (CVO), AnyConnect VPN, Umbrella, AMP For Endpoints, WSA, ESA, AMP For Network, Adaptive Security Appliance, Device Management, StealthWatch, AMP Threat-Grid, FireSight, Cisco Core Network

Page 14

ISE Deployment Ecosystem: Building Blocks

ISE (Logical Layer)

ISE (Physical Layer): ISE Appliance OR VM (Fabric, Compute, Storage)

Network: DNS, NTP, SFTP, Load Balancers

Network Access Devices

Endpoints: Devices, Users & Supplicants

Enterprise Monitoring: HTTP(S), RADIUS, PEAP, EAP-FAST, EAP-TLS

Integrations: User Provisioning, Mobile Device Management, Network Device Provisioning, ISE Policy Management, Active Directory, Call Manager, Data Analysis (Syslog), Quality

Operations loop: MAP, Monitor, Act, Prevent

Page 15

ISE Program Management Structure

ISE Program Management, with these teams and responsibilities:

• Network Infra & Services: Network Access & Platform Mgmt, NW Ops

• IT Mobility Services: Device Management & Posture Compliance

• Architecture & Design: Security Services & ISE Architecture

• Infra Security Services: ISE Deployment & Operations

• ISE BU & TAC: ISE Best Practices, Cisco-on-Cisco, Config Optimization

• InfoSec: Security Policies, Quarantine, Trusted Services

• Directory Services (AD)

• DC & Hosting Services (VMs)

Page 16

Sample ISE Basic Deployment Roadmap

[Roadmap chart: Phase 1, Phase 2, Phase 3, Phase 4, Phase 5, Completion]

ISE versions: Foundation ISE 1.2 Install -> ISE 1.3 Upgrade -> ISE 1.4 Upgrade -> ISE 2.1 Upgrade -> ISE 2.3 Upgrade, with Apply patches, Fine tune and Optimize between upgrades

Infra: Design, Proof of Concepts, Data Analysis

Workstreams: Network, Guest, Wireless, Monitor, VPN, Wired, Advanced Capabilities

Milestones: Guest Access; Wireless (WLAN) Auth Deployment; CVO (Home Office) Wireless Auth; VPN Auth; CVO Wired Auth; Endpoint Analysis: Wired dot1x MM & Profiling; Wired 802.1X Monitor Mode Deployment; Limited Sites Wired Auth; Global Wired Auth Enforcement; 802.1x Authentication; Quarantine/Remediation; Posture Enforcement (ISE); Posture Assessment (DM); Security Group Tagging (SGT); PxGrid Integration

Page 17

Cisco IT ISE Production Deployment Metrics

Internet Only: ISE 1.2, 8 VMs, 2 DCs

Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs

1.5 Million active profiled “Endpoints”

Max ~450K Concurrent “Endpoints”

27K CVO; ~60K EP

580 WLC; ~200K EP

70 ASA; ~90K EP

2K SW; ~200K EP

8 Sites; ~8K EP

~14K Guest/Week (CWA, Central Web Auth)

Page 18

Cisco IT ISE Global Deployment (WLAN, VPN, LAN)

[Map legend: ISE PSNs; Data Center (8); Network Devices (sites/cities); Auth traffic to ISE PSNs]

Page 19

Single Global ISE Deployment (WLAN, CVO, LAN, VPN)

24 ISE Nodes: 20 PSNs in 8 DC Node Groups (AER, RTP, ALN, SNG, TYO, HKG, BGL, MTV), plus Primary ISE PAN/M&T and Secondary ISE PAN/M&T

Page 20

Cisco IT ISE Global Deployment (All Network Devices)


How many?

Page 21

Authentication Statistics (24 hours)

Page 22

Load Balancing Dashboard


Authentication, Accounting, and Profiling events over 24 hours.

Page 23

ISE Deployment High Availability Architecture: Original Design

• PSNs per data center behind load balancer VIPs: MTV-VIPs, RTP-VIPs, ALN-VIPs

• Primary, Secondary RADIUS Servers configured on NADs by proximity (NADs Proximity)

• HA NAD Configuration per service: MTV-WLAN, MTV-LAN, MTV-VPN, MTV-CVO (Modularity)

• PPAN -> SPAN and PMnT -> SMnT (MTV, ALN): Primary -> Secondary Automatic Failover

• ISE Product Evolution

HA SLB Configuration (Load Balancer): AuthVIP by Service; user-probe “Is PSN Authenticating?” against PSN1, PSN2, PSN3

• Interval = 10 sec

• Down Time = 30 sec

• Retries = 3

Page 24

Why Use Load Balancers?

• Ease of global configuration

• Overcome device limits for AAA servers

• Ease of migration, cluster split. No need to change thousands of network devices

Request for service at single host ‘psn-cluster’:

1. The access device sends a DNS request to resolve the psn-cluster FQDN: DNS Lookup = psn-cluster.company.com, DNS Response = 10.1.98.10

2. Request sent to Virtual IP Address (VIP) 10.1.98.10 (PSN-CLUSTER on the LB, VLAN 98, 10.1.98.0/24)

3. The LB forwards to one of the real servers ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7) on VLAN 99 (10.1.99.0/24)

4. Response received from real server ise-psn-3 @ 10.1.99.7

Page 25

Consideration When Using Load Balancers

• CoA traffic has to be NAT’ed from PSN to client by the load balancer

• Be careful what other traffic sits on udp/1700 you may catch

• Your LB may not behave as you expect… test

Without NAT the CoA reaches the NAD with the PSN’s own address (CoA SRC=10.1.99.5); with the SLB (10.1.98.10) NATing it, the NAD sees CoA SRC=10.1.98.10.

Before (one dynamic-author client entry per PSN, 10.1.99.x):

aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>

After (single entry for the SLB VIP):

aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123

Page 26

Guest Access Deployment (ION)

• Guest Account Creation: Sponsor Portal (GSS, internet.cisco.com); Visitor Management Tool (API Integration); Lobby Ambassadors (Physical & Virtual), Integration With Reception

• NADs AMER (wireless access, wired access) -> Guest Portal Auth -> MTV PSNs via ION LB VIPs (ion-mtv-guest, ion-mtv-sponsor)

• NADs EMEA/APJC (wireless access, wired access) -> Guest Portal Auth -> AER PSNs via ION LB VIPs (ion-aer-guest, ion-aer-sponsor)

• ISE nodes: PPAN Alias, Primary PAN and MnT; Secondary PAN and MnT

• Flows: Account Creation, Authentication

Page 27

Cisco IT ISE Guest Network

[Map: Top 4 cities by number of guest authentications over a 7-day period: 6,379; 3,583; 2,232; 2,107]

Page 28

Identity, Device & Location Drive Access Permission

Policy Decision Point outcomes:

• Fully Compliant Trusted devices: Full access, no restrictions

• Some Trusted Device Elements: Limited Access

• Doesn’t meet Trusted Device Standard: Internet Only Access

Example identities: Manager, IT Analyst, Engineer

Page 29

Network Security That Follows You

Page 30

Areas of Focus

• Wired 802.1x

• Identity Based Differentiated Access

• Posture Based Differentiated Access

Page 31

Monitor Mode: Authentication without Enforcement

RADIUS Authentication & Accounting Logs:

• Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?)

• Passed / Failed MAB attempts (What don’t I know?)

MONITOR MODE: Prepares for Enforcement Mode; Evaluates Remaining Risk; Provides Baseline

NAD to ISE authentication outcomes: .1X-Pass, Known MAC, Unknown MAC, .1X Failures
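One way to turn the monitor-mode RADIUS logs into the baseline the slide describes, as an added example that is not part of the deck: the log lines are a constructed, simplified approximation of ISE authentication syslog (only the fields the report needs), and the report buckets each record into the four outcomes above and lists the endpoints that would lose access if the same ports moved to enforcement.

```python
"""Monitor-mode readiness report from ISE RADIUS authentication logs.

Added example, not Cisco IT code. SAMPLE_LOGS is constructed and simplified:
"<category> key=value, key=value, ..." with the fields the report uses.
"""
import re
from collections import Counter, defaultdict

PASSED = "CISE_Passed_Authentications"
FAILED = "CISE_Failed_Attempts"
FIELD_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")

# Constructed sample: one pilot switch (10.1.50.2) running monitor mode.
SAMPLE_LOGS = """\
CISE_Passed_Authentications NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/1, Calling-Station-ID=00-50-56-A1-00-01, UserName=alice, AuthenticationMethod=dot1x
CISE_Failed_Attempts NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/2, Calling-Station-ID=00-50-56-A1-00-02, UserName=bob, AuthenticationMethod=dot1x, FailureReason=Wrong password or invalid shared secret
CISE_Failed_Attempts NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/2, Calling-Station-ID=00-50-56-A1-00-02, UserName=bob, AuthenticationMethod=dot1x, FailureReason=Wrong password or invalid shared secret
CISE_Passed_Authentications NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/3, Calling-Station-ID=00-50-56-A1-00-03, UserName=00-50-56-A1-00-03, AuthenticationMethod=mab
CISE_Failed_Attempts NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/4, Calling-Station-ID=00-50-56-A1-00-04, UserName=00-50-56-A1-00-04, AuthenticationMethod=mab, FailureReason=Endpoint not found in endpoint store
CISE_Failed_Attempts NAS-IP-Address=10.1.50.2, NAS-Port-Id=GigabitEthernet1/0/5, Calling-Station-ID=00-50-56-A1-00-05, UserName=host/lab-pc, AuthenticationMethod=dot1x, FailureReason=Unknown CA in client certificate chain
"""


def parse_line(line):
    """Return (category, {field: value}) or None for lines that are not auth records."""
    line = line.strip()
    category, _, rest = line.partition(" ")
    if category not in (PASSED, FAILED):
        return None
    return category, {k: v.strip() for k, v in FIELD_RE.findall(rest)}


def classify(category, fields):
    """Map one record onto the slide's four outcomes."""
    method = fields.get("AuthenticationMethod", "").lower()
    passed = category == PASSED
    if method == "dot1x":
        return ".1X-Pass" if passed else ".1X Failures"
    if method == "mab":
        return "Known MAC" if passed else "Unknown MAC"
    return "Other"


def build_report(log_text):
    """Summarise outcomes and flag endpoints that enforcement mode would cut off."""
    counts = Counter()
    last_outcome = {}                       # MAC -> most recent outcome
    port_of = {}                            # MAC -> "NAS-IP port" last seen on
    dot1x_failures = defaultdict(Counter)   # user -> failure reason -> count
    unknown_macs = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        category, f = parsed
        outcome = classify(category, f)
        mac = f.get("Calling-Station-ID", "?")
        counts[outcome] += 1
        last_outcome[mac] = outcome
        port_of[mac] = f"{f.get('NAS-IP-Address', '?')} {f.get('NAS-Port-Id', '?')}"
        if outcome == ".1X Failures":
            dot1x_failures[f.get("UserName", "?")][f.get("FailureReason", "unspecified")] += 1
        elif outcome == "Unknown MAC":
            unknown_macs.add(mac)
    # An endpoint whose latest attempt failed is what enforcement mode would block.
    at_risk = sorted(m for m, o in last_outcome.items() if o in (".1X Failures", "Unknown MAC"))
    return {
        "counts": dict(counts),
        "dot1x_failures": {u: dict(r) for u, r in dot1x_failures.items()},
        "unknown_macs": sorted(unknown_macs),
        "enforcement_impact": [(m, port_of[m]) for m in at_risk],
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```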

Page 32

IBNS 2.0 Concurrent Authentication: Faster on-boarding of endpoints into the network

• Faster on-boarding, good for delay sensitive endpoints.

• An endpoint may be authenticated by both methods, but priority determines the ultimate authorization.

• Additional load to RADIUS Server. Multiple Authentication requests hit the server for same client

• Configuration simplified with modular policy and interface templates

Sequential Authentication (Campus LAN, .1x: EAP, EAP over RADIUS, CDP/DHCP):

authentication order dot1x mab

Concurrent Authentication (Campus LAN, .1x: EAP, EAP over RADIUS, CDP/DHCP):

event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20

Page 33

IBNS 2.0 Fine Tuning

• Devices w/o supplicants & minimal traffic: Configure switch ports to initiate EAP transactions (“access-session control-direction in”)

• Dot1x timer adjustments: Modify defaults per best practices, e.g. “dot1x timeout quiet-period 300”

• Apple Thunderbolt ethernet adapter: Additional EAP session initiated. Resolved: ISE 2.1 patch 2 (CSCva74189 / CSCuz17763)

Page 34

Wired Auth 802.1x Learning

Communicate!

Implement!

Empower!

Think User-Experience


Page 35

Wired Connection Authentication

Port ACL: Permit DNS, DHCP, NTP

Access-Request (802.1x & MAB) from the NAD to ISE, then one of:

• Permit Access: Access-Accept with dACL defined on ISE: Permit IP (dACL: Permit IP any)

• Failed Auth: Access-Accept (Restricted), access restricted by dACL defined on ISE: Permit DNS, TCP 80/443, ICMP, & Redirect Traffic; URL-Redirect with Redirect ACL (called by ISE): Deny traffic for: Laptop builds, Support portal, PWD Reset

Page 36

Redirect ACLs Dependent Upon Device Profile

• Redirect-ACLs have size limitation, same as dACLs & per-user ACLs: Max 4000 ASCII characters

• ACL By Endpoint Type, Profiling Based: Windows, Cisco Linux, Others

• Same ACL For All Endpoint Types: Windows, Cisco Linux, Others

Page 37

To Improve Profiling

• Started with device-sensor using CDP

• Added DHCP and LLDP device-sensor

• Note: When CDP & LLDP are concurrently enabled, some older UCV 89xx & 9xxxx phones with firmware > 9.2.1 reboot. Simple workaround: disable LLDP on the phone

Page 38

Minimizing Service Disruptions

• AuthC (automate-tester): Access-Reject -> Service Disruption NOT Detected

• Synthetic AuthC (test user) with EEM: Access-Reject -> Service Disruption Detected -> EEM: Allow Access Temp. -> EEM AuthC retried until Access-Accept -> EEM: Restore

Page 39

EEM script provides assurance

End-to-end test of authentication process

If authentication fails:

1. Inserts "ip deny any any" to line 1 port ACL

2. Records which switch ports configured with dot1x: "sh run | i interface GigabitEthernet|dot1x timeout"

3. Removes commands under the Interface template: "no dot1x pae authenticator", "no mab" …

Upon successful authentication: 802.1x restored; Users/devices must re-authenticate

Page 40

Identity Based Differentiated Access

Page 41

Identity Software Defined Segmentation Use Cases

Use cases: Divestiture, IoT, Partners, Development

Benefits:

• Maintain existing network topologies

• Simple, cost effective

• Centralize policy management

• Consistent, faster deployments

• Quicker response to threats

Page 42

Divestiture Use Case

Initiative: To divest assets including employees and properties

Objective: To create logical separation & provide secure access in shared workspace

Solution: TrustSec w/SGT’s dynamically assigned based on user group membership

Page 43

Example: DC Access Control with TrustSec

SGTs: Voice, Employee, Suppliers, Guest, Quarantine (Employee Tag, Supplier Tag, Guest Tag, Quarantine Tag)

Topology: Building 3 (WLAN, Data VLAN) and Main Building (Data VLAN: Employee, Quarantine; Voice) -> Campus Core -> Data Center Firewall -> Data Center

Functions shown: Access Layer; SGT assignment; Policy creation; Policy deployment; IP-SGT mapping; Enforcement

Page 44

IP-SGT Mapping

Static Assignment (server subnets):

• Engr. App1 (1000): 10.10.0.0/16, 10.20.0.0/15, 10.30.96.0/20, 10.40.0.0/14

• Mail (1001): 10.3.5.0/28, 10.70.24.0/28, 10.80.64.0/28, 10.90.32.0/28

• DNS (1003): 10.6.7.0/29, 10.60.24.0/29

• AD (1009): 10.50.1.0/28, 10.100.2.0/29

cts role-based sgt-map 10.10.0.0/16 sgt 1000
cts role-based sgt-map 10.3.5.0/28 sgt 1001
cts role-based sgt-map 10.6.7.0/29 sgt 1003
cts role-based sgt-map 10.50.1.0/28 sgt 1009

Dynamic Assignment (tag assigned by ISE at authentication, profiling based): Cisco (1), Technicolor (2), Printer (3)

Page 45

Policy Matrix (rows: Source SGT; columns: Destination SGT; O = no SGACL assigned)

Source SGT            | Engineering App (1000) | Mail (1001) | MDM (1002) | DNS (1003) | Unknown (1005) | Cisco Employee (1) | Technicolor Emp. (2) | Partner A (3)
Technicolor Emp. (2)  | O                      | SGACL       | SGACL      | SGACL      | SGACL          | O                  | SGACL                | O
Partner A (3)         | O                      | O           | SGACL      | SGACL      | O              | O                  | O                    | SGACL
Untrusted (1666)      | O                      | O           | O          | O          | O              | O                  | O                    | O

Example cell: Source SGT Technicolor Emp. (2) -> Destination SGT DNS (1003): SGACLs UDP_53, TCP_53
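The IP-SGT mapping and policy-matrix lookup from the two slides above, carried through as an added example (not Cisco IT code): the static subnet mappings and the Technicolor Emp. (2) -> DNS (1003) cell with its UDP_53/TCP_53 SGACLs come from the slides; the sample host bindings, the rule that a dynamic binding wins over a static one, unmapped destinations falling into Unknown (1005), and deny for empty cells and unmatched SGACL entries are this example's assumptions.

```python
"""IP-SGT resolution plus SGACL matrix enforcement for one flow.

Added example, not Cisco IT code. Static mappings and the one named matrix cell
are from the deck; precedence rules, sample hosts and default-deny are assumed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 1005  # destination SGT used when no binding matches (assumption)

# Static assignment: server subnets -> SGT (from the IP-SGT Mapping slide).
STATIC_SGT_MAP = {
    1000: ["10.10.0.0/16", "10.20.0.0/15", "10.30.96.0/20", "10.40.0.0/14"],  # Engr. App1
    1001: ["10.3.5.0/28", "10.70.24.0/28", "10.80.64.0/28", "10.90.32.0/28"],  # Mail
    1003: ["10.6.7.0/29", "10.60.24.0/29"],                                   # DNS
    1009: ["10.50.1.0/28", "10.100.2.0/29"],                                  # AD
}
STATIC_BINDINGS = [(ip_network(n), sgt) for sgt, nets in STATIC_SGT_MAP.items() for n in nets]

# Dynamic assignment: host bindings handed out at authentication. Constructed
# sample hosts: 2 = Technicolor Emp., 3 = Partner A, 1666 = Untrusted.
DYNAMIC_BINDINGS = {"10.200.1.10": 2, "10.200.1.11": 3, "10.200.9.9": 1666}

# SGACLs as ordered (action, protocol, destination port) entries.
SGACLS = {
    "UDP_53": [("permit", "udp", 53)],
    "TCP_53": [("permit", "tcp", 53)],
}

# Policy matrix cell named on the slide: (source SGT, destination SGT) -> SGACLs.
MATRIX = {(2, 1003): ["UDP_53", "TCP_53"]}

Flow = namedtuple("Flow", "src dst proto dport")


def sgt_for_ip(ip):
    """Dynamic binding first, then longest matching static prefix, else Unknown."""
    if ip in DYNAMIC_BINDINGS:
        return DYNAMIC_BINDINGS[ip]
    addr = ip_address(ip)
    best = None
    for net, sgt in STATIC_BINDINGS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


def evaluate_sgacls(names, flow):
    """First-match across the cell's SGACLs; no matching entry means deny."""
    for name in names:
        for action, proto, dport in SGACLS[name]:
            if proto == flow.proto and (dport is None or dport == flow.dport):
                return action, name
    return "deny", "implicit"


def enforce(flow):
    """Return (src_sgt, dst_sgt, decision, reason) for a flow at the enforcement point."""
    src_sgt, dst_sgt = sgt_for_ip(flow.src), sgt_for_ip(flow.dst)
    names = MATRIX.get((src_sgt, dst_sgt))
    if not names:
        return src_sgt, dst_sgt, "deny", "no SGACL in matrix cell"
    action, name = evaluate_sgacls(names, flow)
    return src_sgt, dst_sgt, action, name


if __name__ == "__main__":
    for f in (Flow("10.200.1.10", "10.6.7.3", "udp", 53),
              Flow("10.200.1.10", "10.6.7.3", "tcp", 443),
              Flow("10.200.9.9", "10.10.5.5", "tcp", 443)):
        print(f, "->", enforce(f))
```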

Page 46

Where to Enforce Policy

IT Objective:

• Enforce as close to user as possible

• Ideally on the access switches and WLCs

Challenge:

• 3850 has Destination SGT limit of 255

• 4510 could not enforce policies for destination subnets – only hosts

• ASAs configured to support Remote Access VPN (AnyConnect) could not enforce TrustSec policies

Page 47

Solution: Enforce at 1st Hop Router

Dynamically assigned SGT’s propagated to the policy enforcement point (PEP) with SXP (SXP = Security Group Exchange Protocol): the access switches serving Cisco and Technicolor users are SXP Speakers, the first-hop router is the SXP Listener

Page 48

Putting It All Together

A. Configure SXP Speaker - Listener pairs on access switches/WLC & first-hop router

B. Configure ISE with SG, SGT, SG ACLs, TrustSec policies & IP-SGT mapping (ISE distributes SGT, Policies and IP-SGT mapping)

Page 49

Differentiated Access For AnyConnect VPN

Problem:

• Different VPN solutions for different user communities

• Overhead of HW and management

Solution:

• Use consolidated VPN clusters

• Tag traffic and enforce policies as required

• Allows greater resiliency and availability

Before TrustSec: separate clusters for Employee, High Risk, Partner

After TrustSec: Single Cluster carrying Employee, Partner, High Risk

Page 50

Posture Based Differentiated Access

Page 51

What is ‘Posture’? How are we approaching it?

Posture defines the state of compliance with the company’s security policy (Anti-Virus?)

Assessment: Posture Conditions

• Anti-Malware Condition

• Anti-Spyware Condition

• Anti-Virus Condition

• Application Condition

• Compound Condition

• Disk Encryption Condition

• File Condition

• Patch Management Condition

• Registry Condition

• Service Condition

• USB Condition

Enforcement: Posture status determines the level of access a device is granted

Page 52

AnyConnect Posture For Desktop

AnyConnect Posture Scan:

• Managed Windows Device? ISE Registry Condition: Cisco IT SCCM Server

• Managed Mac Device? ISE File Condition: Cisco IT Casper Server

• ISE Service Condition: MDM Agent Service is running

Conditions Pass -> Internal Network & Internet

Conditions Fail -> Remediation & Internet only
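The desktop posture decision above, modelled as an added example (not Cisco IT code): a small condition tree in the style of the ISE condition types from the previous slide (registry, file, service, compound). The registry path, file path and service name are placeholders, since the deck does not give them, and the device snapshots are constructed.

```python
"""Desktop posture evaluation: managed Windows or Mac plus a running MDM agent.

Added example, not Cisco IT code. Paths and service name are placeholders;
device snapshots are constructed the way a posture agent might report them.
"""

SCCM_REGISTRY_VALUE = r"HKLM\SOFTWARE\Example\Management\ServerName"  # placeholder
CASPER_FILE = "/Library/Example/casper.plist"                          # placeholder
MDM_SERVICE = "ExampleMDMAgent"                                        # placeholder

INTERNAL = "Internal Network & Internet"
REMEDIATION = "Remediation & Internet only"


def evaluate(condition, device):
    """Return (passed, failed_leaf_conditions) for a (kind, argument) condition tree.

    Compound conditions nest a list of child conditions under "AND" or "OR";
    the failed leaves are returned so remediation can tell the user what is missing.
    """
    kind, arg = condition
    if kind in ("AND", "OR"):
        results = [evaluate(c, device) for c in arg]
        passed = all(r[0] for r in results) if kind == "AND" else any(r[0] for r in results)
        failed = [] if passed and kind == "OR" else [f for r in results for f in r[1]]
        return passed, failed
    if kind == "os":
        ok = device.get("os") == arg
    elif kind == "registry":                  # ISE Registry Condition
        ok = arg in device.get("registry", {})
    elif kind == "file":                      # ISE File Condition
        ok = arg in device.get("files", set())
    elif kind == "service":                   # ISE Service Condition
        ok = arg in device.get("running_services", set())
    else:
        raise ValueError(f"unknown condition kind {kind}")
    return ok, [] if ok else [condition]


# Managed Windows: SCCM registry value; managed Mac: Casper file; both: MDM agent running.
DESKTOP_POLICY = ("OR", [
    ("AND", [("os", "Windows"), ("registry", SCCM_REGISTRY_VALUE), ("service", MDM_SERVICE)]),
    ("AND", [("os", "Mac"), ("file", CASPER_FILE), ("service", MDM_SERVICE)]),
])


def authorize(device):
    """Map the posture result onto the two access levels from the slide."""
    passed, failed = evaluate(DESKTOP_POLICY, device)
    return (INTERNAL if passed else REMEDIATION), failed


# Constructed device snapshots.
MANAGED_WINDOWS = {"os": "Windows", "registry": {SCCM_REGISTRY_VALUE: "sccm.example"},
                   "running_services": {MDM_SERVICE, "Spooler"}}
MAC_AGENT_STOPPED = {"os": "Mac", "files": {CASPER_FILE}, "running_services": set()}
UNMANAGED_LINUX = {"os": "Linux"}

if __name__ == "__main__":
    for name, dev in (("managed windows", MANAGED_WINDOWS),
                      ("mac, agent stopped", MAC_AGENT_STOPPED),
                      ("unmanaged linux", UNMANAGED_LINUX)):
        print(name, "->", authorize(dev))
```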

Page 53

Desktop Device Enrollment: Unknown Device

1. Device is unknown – Internal access restricted to enrollment

2. ISE instructs NAD to redirect device (URL redirect) to its AnyConnect portal

3. AnyConnect posture agent downloaded & installed on device

4. AnyConnect sends posture status to ISE

Page 54

Mobile Device Posture

MDM-ISE API:

• Daily inventory (every day): Status and Inventory

• MDM Compliance Job (every x hours): Get all non compliant devices

• When device connects: Is device compliant?

Trusted Device (Configuration & Policy): Registration, Anti-Malware, Encryption, Minimum OS, Not Rooted, Passcode enabled, Inventory available

• ManagedBy: MDM and Compliant -> Internal Network & Internet

• ManagedBy: MDM and NOT Compliant -> Remediation & Internet

Page 55

Mobile Device ISE Policy Set And Enrollment

Device enrollment: the device enrolls with the MDM; an ISE enrollment job (every 10 mins) detects new devices and updates the ManagedBy custom attribute (if device not found, create new device).

Page 56

ISE vs MDM Deployment

ISE deployments at AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL share one MDM server: a many-to-one relationship.

Page 57

Posture Based Differentiated Access Enforcement

• ISE assigns the tag based on device posture (COMPLIANT or Non-COMPLIANT; the figure uses tags 20 and 21)
• ISE sends the IP <-> SGT mapping & policy matrix to the NAD
• The NAD enforcement point grants access based on the policy matrix from ISE: COMPLIANT gets Internal Network & Internet, Non-COMPLIANT gets Remediation & Internet
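The decision chain on slides 52 to 57 (desktop registry/file/service conditions, MDM compliance attributes, tag assignment, matrix enforcement on the NAD) as one runnable model. This is an added example, not Cisco IT's ISE policy or code: the registry key, file path, service name, tag numbers, destination tags and matrix cells are assumptions standing in for values the slides do not spell out.

```python
"""Posture-to-access decision modelled on slides 52 to 57: desktop conditions
(registry, file, service), mobile MDM compliance, SGT assignment and matrix
enforcement on the NAD. Added example, not Cisco IT's ISE policy. The registry
key, file path, service name, tag numbers and policy matrix are assumptions."""
from dataclasses import dataclass, field

INTERNAL = "Internal Network & Internet"
REMEDIATION = "Remediation & Internet"

# Assumed tag numbers; the slide shows 20 and 21 without saying which is which.
SGT_COMPLIANT, SGT_NONCOMPLIANT = 20, 21
# Assumed destination tags for the resources the matrix decides about.
SGT_INTERNAL_SERVERS, SGT_REMEDIATION, SGT_INTERNET = 30, 40, 50

# Assumed condition values standing in for the Cisco IT SCCM registry key,
# the Casper file and the MDM agent service name.
SCCM_REGISTRY_KEY = r"HKLM\SOFTWARE\ExampleCorp\SCCM\Server"
CASPER_FILE = "/Library/Application Support/ExampleCorp/casper.plist"
MDM_AGENT_SERVICE = "ExampleMdmAgent"

# Slide 54's compliance attributes, all of which must be true.
MOBILE_CHECKS = ("registration", "anti_malware", "encryption", "minimum_os",
                 "not_rooted", "passcode", "inventory_available")

# Policy matrix as ISE would push it: (source SGT, destination SGT) -> verdict.
POLICY_MATRIX = {
    (SGT_COMPLIANT, SGT_INTERNAL_SERVERS): "permit",
    (SGT_COMPLIANT, SGT_REMEDIATION): "permit",
    (SGT_COMPLIANT, SGT_INTERNET): "permit",
    (SGT_NONCOMPLIANT, SGT_INTERNAL_SERVERS): "deny",
    (SGT_NONCOMPLIANT, SGT_REMEDIATION): "permit",
    (SGT_NONCOMPLIANT, SGT_INTERNET): "permit",
}


@dataclass
class Endpoint:
    ip: str
    platform: str                          # "windows", "mac" or "mobile"
    registry: dict = field(default_factory=dict)
    files: set = field(default_factory=set)
    services_running: set = field(default_factory=set)
    managed_by_mdm: bool = False           # the ManagedBy custom attribute
    mdm_attributes: dict = field(default_factory=dict)


def desktop_posture(ep):
    """Slide 52: OS-specific management check plus the MDM agent service check."""
    if ep.platform == "windows":
        managed = SCCM_REGISTRY_KEY in ep.registry        # ISE registry condition
    elif ep.platform == "mac":
        managed = CASPER_FILE in ep.files                 # ISE file condition
    else:
        return False
    return managed and MDM_AGENT_SERVICE in ep.services_running  # service condition


def mobile_posture(ep):
    """Slide 54: ManagedBy MDM and every compliance attribute reported true."""
    return ep.managed_by_mdm and all(ep.mdm_attributes.get(k, False) for k in MOBILE_CHECKS)


def assign_sgt(ep):
    """Slide 57: ISE assigns the tag from the posture result."""
    compliant = mobile_posture(ep) if ep.platform == "mobile" else desktop_posture(ep)
    return SGT_COMPLIANT if compliant else SGT_NONCOMPLIANT


def access_level(ep):
    return INTERNAL if assign_sgt(ep) == SGT_COMPLIANT else REMEDIATION


class EnforcementPoint:
    """The NAD: holds IP<->SGT bindings and the matrix received from ISE."""

    def __init__(self, matrix):
        self.matrix = matrix
        self.ip_sgt = {}

    def learn_binding(self, ip, sgt):
        """The binding ISE sends (over SSH or SXP on slides 58 to 60)."""
        self.ip_sgt[ip] = sgt

    def verdict(self, src_ip, dst_sgt):
        src_sgt = self.ip_sgt.get(src_ip)
        if src_sgt is None:
            return "deny"     # no binding: fail closed (this model's choice)
        return self.matrix.get((src_sgt, dst_sgt), "deny")  # unlisted cell: default deny


if __name__ == "__main__":
    nad = EnforcementPoint(POLICY_MATRIX)
    laptop = Endpoint("10.0.0.5", "windows", registry={SCCM_REGISTRY_KEY: "sccm01"},
                      services_running={MDM_AGENT_SERVICE})
    nad.learn_binding(laptop.ip, assign_sgt(laptop))
    print(access_level(laptop), nad.verdict(laptop.ip, SGT_INTERNAL_SERVERS))
```

The two places where a real deployment differs from this model are worth noting: ISE evaluates the conditions on the posture report the AnyConnect agent or the MDM API returns, not on a local dict, and an endpoint with no binding on the switch carries the unknown tag and hits whatever the matrix says for it, so the fail-closed branch above is a design choice you have to make explicitly in the matrix.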

Page 58

IP <-> SGT Mapping Via SSH

ISE PAN (speaker) pushes the IP <-> SGT mapping over SSH to the NAD enforcement point (listener). Figure labels: static connection, dynamic connection.

Page 59

IP <-> SGT Mapping Via SXP

ISE PSN 1, PSN 2 and PSN 3 act as SXP speakers; the NAD enforcement point is the SXP listener.

Tip 1: SXP pushes IP-SGT mapping immediately upon configuration
Tip 2: IP-SGT mapping is lost if SXP connection drops!

Page 60

Best Of Both Alternatives – SXP Reflectors

Hybrid IP <-> SGT mapping via SSH and SXP: ISE (speaker) feeds SXP reflectors, each a listener towards ISE and a speaker towards the next hop, and the enforcement point is the final listener.

Page 61

Managing a Critical Global Security Service

Page 62

Lessons From Deployment Challenges

Scaling ISE for large scale distributed deployments:
• Don’t let replication or misconfiguration become an issue for authentication
• Tuning the “deployment” (ISE, NADs, and endpoints):
  • RADIUS accounting
  • Profiling
  • Authentication(s)
  • Latency & distributed replication
  • Failover & redundancy
• Tuning the “environment”:
  • Load balancers
  • Active Directory

Page 63

Active Directory Dedicated Infra For ISE

Before:
• Highly recommended by the BU
• Highly avoided by the teams
• Highly costly, causing few outages

After:
• Better fine-tuning to suit ISE requirements
• Better – and faster – troubleshooting
• Better monitoring for preventative measures

Figure: Endpoints (devices, users & supplicants) -> Network Access Devices -> ISE (logical layer) -> dedicated Active Directory.

Page 64

ISE Deployment Failover Architecture (Target)

NADs (wireless, wired, CVO, VPN) are configured with six PSN VIPs (numbered 1 to 6 in the figure):
• ISE primary cluster - US sites: ISE-MTV-VIP (3 PSNs), ISE-ALN-VIP (2 PSNs), ISE-RTP-VIP (3 PSNs), backed by the US AD DCs of the main forest
• ISE disaster recovery cluster - US sites: DR-MTV-VIP (3 PSNs), DR-ALN-VIP (2 PSNs), DR-RTP-VIP (3 PSNs), backed by the US AD DCs of the failover forest
• ISE VIP failover is automatic; AD forest failover is manual

Page 65

ISE Services Failover (Target)

Wired auth and wireless auth fail over from the ISE primary cluster (primary AD) to the ISE failover cluster (backup AD), and finally to fail-open access. Figure label: IBNS 2.0 EEM.

Page 66

ISE Deployment: Monitoring & Troubleshooting

Deployment health monitoring, layered from protective through preventive to predictive:
• ISE out-of-box: basic reporting; dashboard, alarms & alerts
• ISE infra monitors: VMs, LB VIPs, resource utilization
• ISE protocol monitors: RADIUS, HTTPS, PEAP, EAP
• Dependency monitoring: ISE, AD, DNS, NTP, filer
• Enterprise monitors: SNMP based, integrated monitoring
• Drill-down troubleshooting: transaction focused, step-by-step breakdown
• Event correlation: ISE, NADs, DM, AD
• Splunk: data analytics, pro-active alerting; enhanced reporting
• Early detection of potential issues: pattern analysis, benchmark comparative analysis

Page 67

Splunk Dashboards To Monitor ISE

Page 68

Splunk Dashboards To Monitor ISE (continued)

Page 69

Anomaly Detection With IQR: Interquartile Range

• Splunk monitoring detects “anomalies”:
  • New type of syslog events
  • Sudden surge or drop in number of events
• Email alert sent to admin(s)
• Admin clicks on link to open Splunk dashboard
• Active alerts displayed; further investigation to assess severity
• Preventative actions taken

Page 70

Splunk Custom Dashboards For Troubleshooting

Page 71

Beware of Misbehaving Endpoints

Over 800K failed attempts per day from only 3 misconfigured IP phones
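The three detections that slides 69 and 71 describe, run over ISE syslog: IQR fences on per-hour event volume (surge or drop), message types not seen in a baseline, and failed-attempt counts per endpoint so that a handful of misconfigured phones stands out. This is an added example, not Cisco IT's Splunk searches. The log lines and hourly counts are constructed in the shape of ISE syslog (category, message code, key=value attributes); the category names CISE_Failed_Attempts and CISE_Passed_Authentications are real ISE categories, while the hosts, users, MACs and counts are made up.

```python
"""ISE syslog monitoring in the style of slides 69 and 71. Added example, not
Cisco IT's Splunk searches; sample data below is constructed."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (?P<host>\S+) "
    r"(?P<category>CISE_\w+) (?P<code>\d+) (?P<text>.*)$")
KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")

# Constructed lines resembling ISE syslog; one phone fails three times in a row.
SAMPLE_LOG = """\
2017-06-26 09:00:01 ise-psn1 CISE_Passed_Authentications 5200 Authentication succeeded, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.1.1.1
2017-06-26 09:00:02 ise-psn1 CISE_Failed_Attempts 5400 Authentication failed, UserName=phone-a, Calling-Station-ID=AA-BB-CC-00-00-01, NAS-IP-Address=10.1.1.1
2017-06-26 09:00:03 ise-psn2 CISE_Failed_Attempts 5400 Authentication failed, UserName=phone-a, Calling-Station-ID=AA-BB-CC-00-00-01, NAS-IP-Address=10.1.1.1
2017-06-26 09:00:04 ise-psn2 CISE_Failed_Attempts 5400 Authentication failed, UserName=phone-a, Calling-Station-ID=AA-BB-CC-00-00-01, NAS-IP-Address=10.1.1.1
2017-06-26 09:00:05 ise-psn1 CISE_Failed_Attempts 5400 Authentication failed, UserName=bob, Calling-Station-ID=00-11-22-33-44-66, NAS-IP-Address=10.1.1.2
2017-06-26 09:00:06 ise-psn1 CISE_Passed_Authentications 5200 Authentication succeeded, UserName=carol, Calling-Station-ID=00-11-22-33-44-77, NAS-IP-Address=10.1.1.2
2017-06-26 09:00:07 ise-psn3 CISE_Profiler 80002 Profiler EndPoint profiling event occurred, MACAddress=00-11-22-33-44-88
"""

# (category, code) pairs the deployment has seen before; anything else is "new".
BASELINE_TYPES = {("CISE_Passed_Authentications", "5200"),
                  ("CISE_Failed_Attempts", "5400")}

# Constructed hourly event counts: hour 08 dropped, hour 09 surged.
HOURLY_COUNTS = [(f"2017-06-26 {h:02d}:00", n) for h, n in enumerate(
    [100, 110, 105, 98, 102, 107, 100, 104, 12, 950, 101, 99])]


def parse_log(text):
    """Parse each line into a dict; lines that do not match the shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["attrs"] = dict(KV_RE.findall(rec["text"]))
            records.append(rec)
    return records


def bucket_counts(records):
    """Events per hour, in time order, as (bucket, count)."""
    counts = Counter(r["ts"][:13] + ":00" for r in records)
    return sorted(counts.items())


def _median(xs):
    m = len(xs) // 2
    return xs[m] if len(xs) % 2 else (xs[m - 1] + xs[m]) / 2


def iqr_outliers(series, k=1.5):
    """Tukey fences: flag buckets outside [Q1 - k*IQR, Q3 + k*IQR]."""
    values = sorted(n for _, n in series)
    q1 = _median(values[: len(values) // 2])
    q3 = _median(values[(len(values) + 1) // 2:])
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [(b, n, "surge" if n > hi else "drop")
            for b, n in series if n > hi or n < lo]


def new_message_types(baseline, records):
    """(category, code) pairs absent from the baseline: slide 69's first trigger."""
    return {(r["category"], r["code"]) for r in records} - baseline


def failed_by_endpoint(records):
    """Failed attempts per Calling-Station-ID (the endpoint MAC)."""
    return Counter(r["attrs"].get("Calling-Station-ID", "?")
                   for r in records if r["category"] == "CISE_Failed_Attempts")


def misbehaving_endpoints(records, threshold):
    """Endpoints whose failure count reaches the threshold, worst first."""
    return [mac for mac, n in failed_by_endpoint(records).most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("new types:", new_message_types(BASELINE_TYPES, recs))
    print("volume outliers:", iqr_outliers(HOURLY_COUNTS))
    print("misbehaving:", misbehaving_endpoints(recs, threshold=3))
```

The IQR fence is deliberately computed from the whole series rather than a fixed threshold, which is what lets the same search fit a PSN handling ten authentications an hour and one handling ten thousand; the per-endpoint counter is the cheap complement that turns 800K failures into a list of three MAC addresses to fix.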

Page 72

Restricted Access Enforcement Reporting

Page 73

Collaboration Device Landscape

Device      802.1X support              Certificate   Authentication methods
7960^       Yes                         LSC           LSC, MAB
79XX        Yes                         MIC, LSC      LSC, MIC, MAB
88XX        Yes                         MIC, LSC      EAP-TLS, EAP-FAST, MAB
99XX        Yes                         MIC, LSC      MIC, LSC
DX650       Yes                         MIC, LSC      LSC, MIC, MAB
EX-Series*  Yes, not centrally managed  CA-signed     EAP-TLS, PEAP, MAB
S-Series*   Yes, not centrally managed  CA-signed     EAP-TLS, PEAP, MAB
C-Series*   Yes, not centrally managed  CA-signed     EAP-TLS, PEAP, MAB
MXP*        Yes, not centrally managed  CA-signed     EAP-TLS, PEAP, MAB
CTS         No                          No            MAB
TX          No                          No            MAB
VG310       No                          No            MAB

MIC = manufacturer installed certificate; LSC = locally significant certificate; MAB = MAC authentication bypass.

Page 74

New Endpoints Connecting To The Network

(Map figure; only the longitude/latitude axis labels survived extraction.)

Page 75

MDM Data Integration in Splunk

Page 76

Testing High Availability When 1 DC Fails

Page 77

Modular Virtual IP Address by Service

One load-balancer VIP per service, each fronting a PSN pool:
• WLC -> iseDC1-prd-wlan
• Switch -> iseDC1-prd-lan
• ASA (VPN) -> iseDC1-prd-vpn

The VIPs front the DC1_Dep1 pool (3 PSNs) and can be repointed on the load balancer to the DC1_Dep2 pool (3 PSNs).

Solution used for a controlled product upgrade, or the eventual need to split the deployment. Change done on the load balancer; no need to change the network device configuration.

Page 78

Evolving to Deliver Advanced Capabilities

Page 79

Unified Threat Response by Sharing Contextual Data: Cisco Platform Exchange Grid (pxGrid)

Context (when, where, who, how, what) flows between Cisco ISE, the Cisco network, the pxGrid controller and the Cisco and partner ecosystem:
1 Cisco® ISE collects contextual data from network
2 Context is shared via pxGrid technology
3 Partners use context to improve visibility to detect threats
4 Partners can direct Cisco ISE to rapidly contain threats
5 Cisco ISE uses partner data to update context and refine access policy

Page 80

Context-Aware Security: Bridging The Gap…

Network security (Cisco ISE) has network context: WHO, WHAT, HOW, WHERE, WHEN. Application security on its own has only limited network context. A connector from ISE pxGrid to a context-aware app gives application security the combined network + app security context (WHO, WHAT, HOW, WHERE, WHEN), built from device context (WHAT) supplied by the MDMs (Afaria, Casper, SCCM), user context (WHO), other context (HOW, WHERE, WHEN) and risk context (vulnerability, threat). Rich context yields better security (layered security, elevated auth), better user experience (zero sign-on experience) and flexible & granular access policies.

Page 81

Service Oriented Orchestration

                   ACI        TrustSec   IOS
Service grouping   EPG        SGT        Object Group
Access control     Contract   SGACL      ACL

IPv4/IPv6 host membership and service port information live in the grouping objects: change IPv4/6 hosts once, change service port information once.
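The "define once, render three ways" idea on slide 81 as working code: a single service definition (hosts, ports, tags) rendered into an ACI-style EPG/contract model, a TrustSec SGACL with its tag binding, and an IOS object-group ACL, so that a host or port change is made in one place. This is an added example, not Cisco's orchestration tooling. The SGACL and IOS lines follow IOS-XE CLI syntax from memory and should be verified on the target release; the ACI output is an abstract model of EPG and contract, not APIC's JSON schema; names, tags and addresses are made up.

```python
"""One service definition rendered into the three vocabularies of slide 81.
Added example, not Cisco's code; CLI syntax from memory, ACI output abstract."""
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class Port:
    proto: str      # "tcp" or "udp"
    number: int


@dataclass(frozen=True)
class Service:
    name: str
    server_hosts: tuple   # IPv4/IPv6 prefixes as strings; changed here only
    ports: tuple          # Port entries; changed here only
    server_sgt: int
    client_sgt: int


def with_hosts(svc, hosts):
    """Change the hosts once; every rendering picks the change up."""
    return replace(svc, server_hosts=tuple(hosts))


def _split_v4_v6(hosts):
    nets = [ip_network(h) for h in hosts]
    return [n for n in nets if n.version == 4], [n for n in nets if n.version == 6]


def to_aci(svc):
    """ACI view: servers form an EPG, ports become filter entries of a contract."""
    return {
        "epg": {"name": f"{svc.name}-servers", "members": list(svc.server_hosts)},
        "contract": {"name": f"{svc.name}-access",
                     "filters": [{"protocol": p.proto, "dport": p.number} for p in svc.ports]},
    }


def to_trustsec(svc):
    """TrustSec view: identity is the tag, so host addresses never appear."""
    acl = f"{svc.name.upper()}_ACCESS"
    lines = [f"ip access-list role-based {acl}"]
    lines += [f" permit {p.proto} dst eq {p.number}" for p in svc.ports]
    lines += [" deny ip",
              f"cts role-based permissions from {svc.client_sgt} to {svc.server_sgt} {acl}"]
    return lines


def to_ios(svc):
    """Classic IOS view: object groups for hosts and ports, one ACE referencing both.
    IPv6 is emitted as a plain ipv6 access-list because the IPv4 network object
    group cannot carry IPv6 members (assumption: check object-group support
    on the platform in use)."""
    n = svc.name.upper()
    v4, v6 = _split_v4_v6(svc.server_hosts)
    lines = [f"object-group network {n}_SERVERS"]
    for net in v4:
        lines.append(f" host {net.network_address}" if net.prefixlen == 32
                     else f" {net.network_address} {net.netmask}")
    lines.append(f"object-group service {n}_PORTS")
    lines += [f" {p.proto} eq {p.number}" for p in svc.ports]
    lines += [f"ip access-list extended {n}_IN",
              f" permit object-group {n}_PORTS any object-group {n}_SERVERS",
              " deny ip any any"]
    if v6:
        lines.append(f"ipv6 access-list {n}_IN_V6")
        for net in v6:
            dst = f"host {net.network_address}" if net.prefixlen == 128 else str(net)
            lines += [f" permit {p.proto} any {dst} eq {p.number}" for p in svc.ports]
        lines.append(" deny ipv6 any any")
    return lines


# Made-up service: two web servers (v4 and v6), two ports, assumed tags.
WEB = Service("web", ("10.1.1.10/32", "2001:db8::10/128"),
              (Port("tcp", 443), Port("tcp", 8443)), server_sgt=30, client_sgt=20)


def render_all(svc):
    return {"aci": to_aci(svc), "trustsec": to_trustsec(svc), "ios": to_ios(svc)}


if __name__ == "__main__":
    for target, out in render_all(WEB).items():
        print(f"== {target} ==")
        print("\n".join(out) if isinstance(out, list) else out)
```

The point the renderer makes visible is the asymmetry between the three targets: a host move re-renders the EPG membership and the IOS object group but leaves the SGACL byte-for-byte identical, which is why TrustSec policy survives re-addressing that would otherwise mean touching every ACL.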

Page 82

TrustSec and ACI Integration

Page 83

In Conclusion…

• Scaling, sizing, and operating your deployment
• Cross functional teams for success
• Dependencies and business value
• Ecosystem enabling greater reach
• Security is a business enabler
• Speed and automation critical to meeting challenges

Page 84

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Page 85

Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Page 86

Thank you

Page 87