Tech update security 30 /

Transcription

1 Tech update security 30 /

2 ISE update

3 Context Visibility Enhancements PassiveID Enhancements WMI Agent SPAN Syslog TS Agent ISE-PIC Installation Licensing and Upgrade PxGrid Enhancements All about Wizards ISE the easy way Visibility Secure access wizard / Wireless wizard PassiveID Posture TC-NAC Tips and Tricks nice to know What s new in ISE 2.3? Roadmap Integration Status Deployment

4 Cisco ISE role based access control Cisco ISE Context aware policy service, to control access and threat across wired, wireless and VPN networks Cisco Anyconnect Supplicant for wired, wireless and VPN access. Services include: Posture assessment, Malware protection, Web security, MAC Security, Network visibility and more. WHO WHAT HOW THREATS WHEN WHERE HEALTH CVSS FOR ENDPOINTS CISCO ISE ACCESS POLICY PxGRID & APIs FOR NETWORK WIRED WIRELESS VPN SIEM, MDM, NBA, IPS, IPAM, etc. Partner Eco System Role-based Access Control Guest Access BYOD Secure Access

5 ISE use cases Asset Visibility Access Control Guest Access BYOD Access Segmentation Threat Control Device Admin Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources. Consistent access control in to wired, wireless and VPN Networks X, MAC, Web Authentication and Easy connect for admission control. Fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage guest user experience. Simplified BYOD management with built-in CA and 3rd party MDM integration for on boarding and self-service of personal mobile devices Topology independent Software-defined segmentation policy to contain network threats by using Cisco TrustSec technology. Context sharing with partner eco-system to improve their overall efficacy and accelerate time to containment of network threats. Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices

6 Context Visibility Enhancements

7 End User Context Phone Department Number of Endpoints

8 Guest Context Guest Type Daily, weekly, etc. Number of Endpoints Sponsor Portal used

9 Context Visibility: Endpoint Inactivity Endpoints that have been inactive for a set number of days without any attribute changes

10 Context Visibility: Status Trend Compliant Non Compliant

11 Network Device Summary Number of Endpoints per NAD Port Config Status

12 PassiveID Enhancements

13 PassiveID in ISE Must enable per node On by default in PIC Turns on all Passive ID features Username to IP forms the basis of PassiveID session creation!

14 Which is Which? ISE Live Sessions

15 PassiveID Wizard in ISE-PIC Simple to set up PassiveID 1. Join Active Directory 2. Select Interesting Groups 3. Chose Controllers to monitor 4. Done!

16 PassiveID Wizard in ISE

17 PassiveID Wizard Join Point AD Domain Admin user Password

18 PassiveID Wizard Security Groups Used by API

19 PassiveID Wizard All controllers Site controllers Custom

20 PassiveID Wizard

21 WMI Provider

22 WMI Provider Config WMI : The new easy button! Remotely connects to controllers Monitor specific security events: 4768 (Kerberos Ticket Granting) 4770 (Kerberos Ticket Renewal) NOTE: Requires Domain Admin Credentials Access through Windows Firewall Windows 2008 and above

23 AD Agent Provider

24 PassiveID AD Agent Native Windows app Can be installed on: Domain Controller Member Server Manual installation Automatic installation 1 agent: Up to 10 servers! Can provide visibility into past logon events

25 SPAN Provider

26 Kerberos SPAN Don t touch my AD! 2 interface max with PIC 1 interface per PassiveID node in ISE Use ISE for scale and large deployments Historical events not possible (point in time) Pro Tip: Use dedicated interface and VACL regardless of the deployment Great for PoV!

27 Syslog Provider

28 Syslog Provider Allows ISE / PIC to receive syslog messages DNS must be correctly configured TCP or UDP syslog supported TCP port UDP port Large list of built in templates Ability to create custom templates

29 REST API Provider

30 REST API Provider Designed for use with Terminal Services Agent Can also be used by custom integrations Uses certificate-based authentication User information is sent to the passive ID node over SSL in JSON format

31 ISE Passive Identity Connector

32 ISE PIC at a Glance Single ID Solution for ALL Cisco Security Portfolio Best of All Existing Solutions True Single Source of ID No Longer Need Separate Connection to AD, LDAP, etc. Very Low Cost Passive Identity Only No Authorization. No Policies. New Features & Sources Agents, WMI, Syslog, REST Remotely Check with Endpoints Is Endpoint Still on Network? Is User Still Logged In? Simple to Install and Use Scale to 100 s of DC s

33 ASA WWW FMC Legacy CDA-RADIUS Output pxgrid Pub/Sub Bus Output ISE-PIC Input to ISE-PIC / ISE WMI Kerberos SPAN ISE-PIC Agent Syslog REST API Endpoint Probe AD AD AD AD Custom Apps Same User? Still There? AD AD Almost Anything

34 ISE-PIC Installation VM only, No hardware support 3515 based VM: 100K sessions 3595 based VM: 300K sessions Setup similar to ISE VM Includes 90 Eval License Don t forget resource reservations!

35 Deployment Options Standalone node Standalone Form factors: ISE-PIC ISE-PIC Upgrade HA Pair No certificate import / export No service modification Services cannot be started/stopped HA Remember ISE has all the features of ISE-PIC. Need to Distribute? Upgrade to ISE!

36 ISE-PIC Licensing Standalone High Availability Up to 3,000 sessions Qty 1 R-ISE-PIC-VM-K9= Qty 2 R-ISE-PIC-VM-K9= Up to 300,000 sessions Orderable today Both PIDs required for ISE-PIC Upgrade (300K sessions) 2x licenses for HA pair Qty 1 R-ISE-PIC-VM-K9= Qty 1 L-ISE-PIC-UPG= Qty 2 R-ISE-PIC-VM-K9= Qty 2 L-ISE-PIC-UPG=

37 ISE-PIC Integration Status StealthWatch 6.9 FirePower Management Center ISE-PIC 2.2 patch 1 / FMC QA Validation IDFW for ASA Requires CDA RADIUS Interface (roadmap) Web Security Appliance Requires CDA RADIUS Interface (roadmap) Cisco Solutions only with ISE-PIC! Upgrade to ISE with Plus for 3 rd party support FMC ASA WWW

38 pxgrid Enhancements

39 CA Signed pxgrid Certificates ISE Root CA Public Special cert template with EKU for both client and server authentication Public Private Key Public Private Key ISE Trusted Certificates Client Trusted Certificates Grid Controller C Grid Client

40 pxgrid Certificate Template Within pxgrid UI No Longer Have to Create Portal / Add Portal User, Etc. Generate Certificates With or W/O CSR Bulk Certs w/ CSV Download Root PKCS12 Certificate Formats Only Encrypted Options All Include Root Certs PEM or PKCS12

41 pxgrid Certificate Best Practice Friendly CN Make it something that is unique like prefix pxgrid Cert Template Hard-Coded to use the pxgrid Template. Client + Server EKU s Real FQDN in SAN Ensure the Real FQDN and IP Address are in SAN, just in-case.

42 New wizards ISE the easy way

43 Visibility Setup Secure Access Wizard (BETA) PassiveID Setup All About Wizard s Visibility Setup NAD s SNMP SCAN s SMB NMAP Cisco ISE Visibility Setup Discovers NAD sconnect Active Directory Discovers Devices Connected to Network Discovers Users (AD)

44 Visibility Setup Secure Access Wizard (BETA) PassiveID Setup All About Wizard s Secure Access Wizard Easy Wireless Management One place to configure all security and access setting For Major Use cases Enterprise (802.1X), Guest and BYOD Use cases NAD s Setup Wireless Radius Guest BYOD Portal management Easy portal creation and customization Cisco ISE ISE ISE AuthC and AuthZ Policies ISE Policy Authz Results Customized Captive Portals & alot more. WLC WLAN s (SSID s) Radius AuthC, AuthZ and Key Account Duration Settings Redirect ACL s (Interesting Traffic) Radius COA Settings

45 Visibility Setup Secure Access Wizard (BETA) PassiveID Setup All About Wizard s PassiveID Setup Easy Connect Non802.1x User NAD s Setup EasyConnect WMI Cisco ISE Active Directory ISE Create WMI connection to Active Directory Active Directory Setup WMI Security Event Logs (registry settings etc..) EasyConnect Use Case

46 ISE Secure Access Wizard (SAW) A non-security user to Setup in 10 minutes Easy Wireless Management One place to configure all security and access setting For Major Use cases Enterprise (802.1X), Guest and BYOD Use cases Security & Access Policy Configuration ISE Policy Config s Cisco ISE 2.2 Security Settings Redirect ACL s (Interesting Traffic) Radius AuthC, AuthZ and Key - STIX - Threat Account events Duration Settings WLAN s etc.. Portal management Easy portal creation and customization Network Access Devices

47 Best Practices Design Guest Access Recommendation is to run SAW in a standalone setup. If using HA or multiple PSNs, then manually add the ISE IP address of PSNs to WLC s Primary Admin ISE Node PAN ISE Node PAN Secondary Admin Add radius config Primary Monitoring MnT MnT Secondary Monitoring PSN PSN Primary PxGrid Controller PXG PXG Secondary PxGrid Controller

48 Best Practices Design Operating System Licensing Deployment Multiple AD & WLC s Operations Cisco Identity Services Engine ISE 2.2 (Fresh Install) Guest requires an ISE Base license, BYOD requires a Plus license. We recommend using a Green Field ISE deployment An AD Domain is required to create Sponsored Guest, 802.1x, and BYOD. Only Active Directory groups and users are supported. (Manual config for others ID stores) Dual SSID is supported for BYOD. The Open SSID does not support guest access, due to conflicts. Cisco Wireless LAN Controller Cisco WLC running AireOS 8.x or higher. Standard WLC Licensing WLC can be Green Field or Brown Field with existing configuration. Multiple WLC s & AD s can be added, but the flow can configure one at a time. If you need a portal that supports both guest and BYOD, its not supported today by SAW. Do use spaces in your SSID names

49 Demo : SAW on Dcloud

50 Posture

51 What is Posture? State of Compliance with Corp Security Policies Application Anti Malware File Check Anti Spyware Compound Patch mgmt Anti Virus Disk Encryption Registry Service USB Check Others

52 Simplify posture administration and user experience Next-level posture capabilities What s new for ISE 2.2? Administrators can now gain better inventory and compliance visibility without impacting the end user. Broader support for 3 rd party NADs increases flexibility for admins. Additionally, users can onboard to AnyConnect faster and without interruptions. AnyConnect Automatic Download ENABLED Stealthmode installations in progress User123 UserABC Available NADs þ HP þ Brocade þ Aruba þ Ruckus þ Cisco Other x Terms of Service I Agree Benefits More flexibility Deploy AnyConnect even with non-cisco NADs Less user error Enforce policy automatically Better user experience Eliminate interruptions with posture in the background Capabilities Admin Set up automatic AnyConnect installations Install AnyConnect and enforce posture in the background with AnyConnect Stealthmode Gain better visibility into endpoint activity without a user-disrupting agent User123 Streamline client provisioning with 3rd party NAD support Avoid cert errors using common posture certificates

53 Key Posture Highlights in ISE 2.2 Enhanced Posture Discovery and Client Provisioning FOR YOUR REFERENCE Posture on 3 rd party devices (non URL redirect agent to ISE communication) AnyConnect Headless Win/OS X option (no UI module) Firewall enabled checks and remediation Application Visibility, Control and Enforcement AnyConnect Profile Provisioning using JSON (OpenDNS Umbrella provisioning support) UDID context sharing (exposure in Context Directory) Common Certificates and http ports for Posture (avoiding the un-known Cert errors) Apex enforcement (Posture admin UI shuts down)

54 TC-NAC

55 What is Threat Centric NAC? Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation. Compliments Posture Vulnerability data tells endpoint s posture from the outside Expanded control driven by threat intelligence and vulnerability assessment data Faster response with automated, real-time policy updates based on vulnerability data and threat metrics Create ISE authorization policies based on the threat and vulnerability attributes - Vulnerability assessments - Threat notifications Endpoints AMP Qualys Network Access Policy - STIX - Threat events - CVSS - IOC Cisco ISE P Who What When Where How Posture Threat ISE 2.2 Vulnerability CT A STIX over TAXII Common Vulnerability Scoring System (CVSS) Indicators of Compromise

56 Threat Centric NAC Pick Vulnerability Assessment vendor of your choice ISE 2.2 Cisco CTA STIX Starting from ISE 2.2, TC-NAC supports Tenable, Cisco Threat Analytics (CTA) and Rapid7. SCANNER VULNERABILITY SCANS SCAN REQUEST CVSS Score A standard listener will be supported for threats using the STIX framework for automatic quarantining of critically infected endpoints.

57 Tips and tricks - nice to know

58 Network Device Address Ranges Flexible Pattern Matching for multiple NADs Last Octet Only Configure NAD with single or multiple IP address ranges + wildcard support Single Range Example: / * Multiple Range Example (each range listed separately): or * * Note: Last octet only, but possible to define multiple class C entries to achieve same ranges at higher subnet level

59 Network Device Group (NDG) Hierarchies Before ISE 2.2 ISE 2.2

60 Custom User Attributes New Attribute Types include IP / Boolean / Date Administration > Identity Management > Settings

61 Per-PSN LDAP Servers Assign unique Primary and Secondary to each PSN Allows each PSN to use local or regional LDAP Servers BRKSEC

62 MySQL Support Reintroduced in ISE 2.2 (Last-minute Pull from ISE 2.1)

63 Guest Enhancements Sponsor Enhancements Single-Click guest account approvals Pending approval filtering based on person visited (AD/LDAP support) Sponsor Portal enhancements Guest Enhancements Background image support Hotspot COA (Change of Authorization) Sponsor Portal set password on import ERS API update Dynamic variable message Id for SMS message Legacy Guest Features Custom portal files Sponsor Group by additional attributes Auto-send notification to guest when address present Allow guest credentials to be hidden from Sponsor but guest still be notified

64 What s new in ISE 2.3?

65 Read-Only Admin, a.k.a RO Admin

66

67

68 Social Network Guest Login

69 Supported Flows Facebook login will be supported for Self Registration only; with and without sponsored approval With Social Login the registration form is optional. If displayed, some fields will be pre-populated with information from social media providers. Admin may allow guests to override information (except Facebook Username) Facebook login is on top of regular guest flows. Hotspot can be achieved by using self registration without sponsored approval and without displaying the registration form. Guests will be able to click on the Facebook button and get access to the network immediately.

70

71 Facebook login for guest (phase 1) Login using local ISE account Create local ISE account Login with social account

72 First Time Access Upon first access the guest must approve ISE to get basic information from Facebook. Cisco ISE *************** Endpoints

73 Posture Improvements

74 Posture Features Temporal Agent Push Better SCCM Integration Flexible Notifications Framework Even Better Application Visiblity

75 Group Policy Connector

76 Simplifying Security Policy Across Domains In Progress Planning Goal: Share group information between cloud domains and Enterprise to simplify policy management AWS Security Groups Azure Network Security Groups TBD Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks ODL Groups Available Group Policy Connector Enable adoption of different cloud environments without duplicating group policy management ACI EndPoint Groups APIC DC Enterprise Security Groups

77 ACS Migration

78 ACS End of Life is a fact! ACS will soon reach End of Sale (August 30 th ), followed by 1 year of software maintenance (Sev1s and PSIRT fixes only) ISE Base Migration Licenses will reach EoS the same time The clock is ticking NOW is the time to migrate ISE 2.3 is the LAST Release to Include ACS Migration Features

79 ISE Public Resources ISE Public Community Customer Connection Program > Security ISE Compatibility Guides ISE Design & Integration Guides ISE Licensing / Ordering Guide Free, 90-day ISE Evaluation

80 Q&A

81