Tech update security 30 / 5-2017

ISE 2.2 + 2.3 update

Agenda
- Context Visibility Enhancements
- PassiveID Enhancements: WMI, Agent, SPAN, Syslog, TS Agent
- ISE-PIC: Installation, Licensing and Upgrade
- pxGrid Enhancements
- All about Wizards (ISE the easy way): Visibility, Secure Access Wizard / Wireless Wizard, PassiveID
- Posture
- TC-NAC
- Tips and Tricks (nice to know)
- What's new in ISE 2.3?
- Roadmap, Integration Status, Deployment

Cisco ISE: role-based access control. Cisco ISE is a context-aware policy service that controls access and threats across wired, wireless and VPN networks. Cisco AnyConnect is the supplicant for wired, wireless and VPN access; its services include posture assessment, malware protection, web security, MAC Security (MACsec), network visibility and more.

[Diagram: context sources (WHO, WHAT, HOW, WHEN, WHERE, HEALTH, THREATS, CVSS) feed the Cisco ISE access policy for endpoints; policy is enforced on the network (wired, wireless, VPN) and shared over pxGrid and APIs with the partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.). Use cases: role-based access control, guest access, BYOD, secure access.]

ISE use cases
- Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
- Access Control: consistent access control across wired, wireless and VPN networks. 802.1X, MAC Authentication Bypass (MAB), Web Authentication and Easy Connect for admission control.
- Guest Access: fully customizable, branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
- BYOD Access: simplified BYOD management with a built-in CA and 3rd-party MDM integration for onboarding and self-service of personal mobile devices.
- Segmentation: topology-independent, software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
- Threat Control: context sharing with the partner ecosystem to improve their overall efficacy and accelerate time to containment of network threats.
- Device Admin: Cisco ISE supports device administration using the TACACS+ protocol to control and audit the configuration of network devices.

Context Visibility Enhancements

End User Context: email, phone, department, number of endpoints.

Guest Context: guest type (daily, weekly, etc.), number of endpoints, sponsor portal used.

Context Visibility: Endpoint Inactivity. Endpoints that have been inactive for a set number of days without any attribute changes.

Context Visibility: Status Trend (Compliant / Non-Compliant).

Network Device Summary: number of endpoints per NAD, port configuration status.

PassiveID Enhancements

PassiveID in ISE: must be enabled per node (on by default in ISE-PIC). Enabling it turns on all PassiveID features. The username-to-IP mapping forms the basis of PassiveID session creation!

Which is Which? ISE Live Sessions

PassiveID Wizard in ISE-PIC. Simple to set up PassiveID:
1. Join Active Directory
2. Select interesting groups
3. Choose the domain controllers to monitor
4. Done!

PassiveID Wizard in ISE

PassiveID Wizard: Join Point (AD domain, admin user, password).

PassiveID Wizard: Security Groups (used by the API).

PassiveID Wizard: controllers to monitor (all controllers, site controllers, or custom).

PassiveID Wizard: summary.

WMI Provider

WMI Provider Config. WMI: the new easy button! ISE remotely connects to the domain controllers and monitors specific security events:
- 4768 (Kerberos authentication ticket / TGT requested)
- 4770 (Kerberos service ticket renewed)
NOTE: requires Domain Admin credentials, access through the Windows Firewall, and Windows Server 2008 or above. The Domain Admin credential is stored on the ISE node, so protect the node's admin access accordingly.
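What ISE derives from those two events is a username-to-IP binding. The following is an added example (not Cisco ISE code) that reads Windows Security events in their XML form and builds that binding, skipping the cases a practitioner must not turn into a session: failed TGT requests (non-zero Status), computer accounts (names ending in `$`) and event IDs outside 4768/4770. The events and host names are constructed; the IPv4-mapped IPv6 form of `IpAddress` is how domain controllers actually report IPv4 clients.

```python
"""User-to-IP bindings from Windows Security events 4768 and 4770, the
event IDs the PassiveID WMI provider reads from domain controllers.
Added example, not Cisco ISE code; the events below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_EVENT_IDS = {4768, 4770}   # TGT requested, service ticket renewed


@dataclass(frozen=True)
class Binding:
    user: str
    domain: str
    ip: str
    event_id: int


def _normalize_ip(raw: str) -> str:
    """Kerberos events report IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.1.1.5")."""
    return raw[7:] if raw.startswith("::ffff:") else raw


def binding_from_event(xml_text: str) -> Optional[Binding]:
    """Return the user/IP binding an event proves, or None if it proves nothing."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in WATCHED_EVENT_IDS:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # 4768 carries a Status: only "0x0" is a successful TGT; a failed request
    # (e.g. 0x18 bad password) must not create a session for that user/IP.
    if event_id == 4768 and data.get("Status", "0x0").lower() != "0x0":
        return None
    user = data.get("TargetUserName", "")
    if not user or user.endswith("$"):      # machine accounts are not user sessions
        return None
    return Binding(
        user=user.split("@")[0].lower(),    # 4770 reports user@REALM
        domain=data.get("TargetDomainName", "").upper(),
        ip=_normalize_ip(data.get("IpAddress", "")),
        event_id=event_id,
    )


def sessions_from_events(events: List[str]) -> Dict[str, Binding]:
    """Latest binding per user; a newer event for the same user replaces the old IP."""
    table: Dict[str, Binding] = {}
    for xml_text in events:
        b = binding_from_event(xml_text)
        if b is not None:
            table[b.user] = b
    return table


def _event(event_id: int, **fields: str) -> str:
    """Build a constructed event in the Windows event XML schema."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>dc01.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [                                                   # constructed samples
    _event(4768, TargetUserName="jdoe", TargetDomainName="corp.example",
           IpAddress="::ffff:10.1.20.15", IpPort="52110", Status="0x0"),
    _event(4768, TargetUserName="WS01$", TargetDomainName="corp.example",
           IpAddress="::ffff:10.1.20.15", IpPort="52111", Status="0x0"),   # computer account
    _event(4768, TargetUserName="asmith", TargetDomainName="corp.example",
           IpAddress="::ffff:10.1.20.44", IpPort="50012", Status="0x18"),  # bad password
    _event(4770, TargetUserName="asmith@CORP.EXAMPLE", TargetDomainName="CORP.EXAMPLE",
           IpAddress="::ffff:10.1.20.44", IpPort="50020"),                  # renewal
    _event(4624, TargetUserName="jdoe", IpAddress="10.1.20.15"),            # not watched
    _event(4768, TargetUserName="jdoe", TargetDomainName="corp.example",
           IpAddress="::ffff:10.1.30.9", IpPort="49321", Status="0x0"),    # user moved
]

if __name__ == "__main__":
    for user, b in sessions_from_events(SAMPLE_EVENTS).items():
        print(f"{b.domain}\\{user} -> {b.ip} (event {b.event_id})")
```

Note the "user moved" case: a later 4768 for the same user from a different address replaces the earlier binding, which is the behaviour you want when a laptop changes network, and also why a binding is only as fresh as the last Kerberos exchange ISE saw.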

AD Agent Provider

PassiveID AD Agent: a native Windows application. Can be installed on a Domain Controller or a Member Server, manually or automatically. One agent can monitor up to 10 servers! Can provide visibility into past logon events.

SPAN Provider

Kerberos SPAN ("Don't touch my AD!"): maximum 2 interfaces with ISE-PIC, 1 interface per PassiveID node in ISE. Use ISE for scale and large deployments. Historical events are not possible (point in time only). Pro tip: use a dedicated interface and a VACL regardless of the deployment. Great for a PoV!

Syslog Provider

Syslog Provider: allows ISE / PIC to receive syslog messages.
- DNS must be correctly configured
- TCP or UDP syslog supported: TCP port 11468, UDP port 40514
- Large list of built-in templates
- Ability to create custom templates
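A custom template is just a pattern that tells ISE where the username and the IP sit in a message, and whether the message means a login or a logout. The block below is an added example (not ISE's template engine) of that idea in Python: a syslog header parser, a small template list and a fold that turns a stream of lines into the current user-to-IP table. The sample lines are constructed; the two ASA message formats are modelled on 113039 (session start) and 113019 (session disconnect), and the "generic-logon" line is invented for illustration.

```python
"""Template-driven extraction of user-to-IP events from syslog, in the spirit
of the PassiveID syslog provider (ISE/PIC listen on TCP 11468 and UDP 40514).
Added example, not ISE's template engine; message samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdentityEvent:
    action: str   # "login" or "logout"
    user: str
    ip: str
    source: str   # host that reported it


# Each template: (name, action, regex with named groups "user" and "ip").
TEMPLATES: List[Tuple[str, str, re.Pattern]] = [
    ("asa-anyconnect-start", "login",
     re.compile(r"%ASA-\d-113039: Group <[^>]*> User <(?P<user>[^>]+)> IP <(?P<ip>[\d.]+)>")),
    ("asa-session-disconnect", "logout",
     re.compile(r"%ASA-\d-113019: Group = \S+, Username = (?P<user>\S+), IP = (?P<ip>[\d.]+),")),
    ("generic-logon", "login",
     re.compile(r"user (?P<user>\S+) logged on from (?P<ip>[\d.]+)")),
]

# RFC 3164 style header: <PRI>MMM dd hh:mm:ss host message
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def split_priority(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def parse_message(line: str) -> Optional[IdentityEvent]:
    """Match one syslog line against the templates; None if nothing usable."""
    m = _HEADER.match(line.strip())
    if not m:
        return None            # malformed header: drop it (and count it, in production)
    host, msg = m.group("host"), m.group("msg")
    for _name, action, pattern in TEMPLATES:
        hit = pattern.search(msg)
        if hit:
            return IdentityEvent(action, hit.group("user").lower(), hit.group("ip"), host)
    return None                # no template matched: no session is created from this line


def apply_events(lines: List[str]) -> Dict[str, str]:
    """Fold a stream of syslog lines into the current user -> IP table."""
    table: Dict[str, str] = {}
    for line in lines:
        ev = parse_message(line)
        if ev is None:
            continue
        if ev.action == "login":
            table[ev.user] = ev.ip
        elif table.get(ev.user) == ev.ip:   # only clear the binding the logout refers to
            del table[ev.user]
    return table


SAMPLE_LINES = [   # constructed samples
    "<166>May 30 10:15:01 fw01 %ASA-6-113039: Group <VPN-Users> User <JDoe> IP <203.0.113.7> "
    "AnyConnect parent session started.",
    "<14>May 30 10:16:20 app01 logon: user asmith logged on from 10.1.20.44",
    "<166>May 30 10:17:05 fw01 %ASA-6-305011: Built dynamic TCP translation from "
    "inside:10.1.20.44/51000 to outside:198.51.100.2/51000",
    "<166>May 30 11:40:12 fw01 %ASA-6-113019: Group = VPN-Users, Username = JDoe, "
    "IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 1h:25m:11s, "
    "Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested",
    "garbage line with no header",
]

if __name__ == "__main__":
    print(apply_events(SAMPLE_LINES))
```

Two details matter operationally: a logout only removes the binding for the IP it names (a stale disconnect must not evict a newer login from another address), and anything that matches no template is silently ignored, which is exactly why the DNS and template configuration on the page has to be right before you trust the session table.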

REST API Provider

REST API Provider: designed for use with the Terminal Services Agent, but can also be used by custom integrations. Uses certificate-based authentication; user information is sent to the PassiveID node over SSL/TLS in JSON format.

ISE Passive Identity Connector

ISE-PIC at a Glance
- Single ID solution for ALL of the Cisco security portfolio: best of all existing solutions, true single source of ID, no longer a need for separate connections to AD, LDAP, etc.
- Very low cost: passive identity only, no authorization, no policies.
- New features and sources: agents, WMI, syslog, REST.
- Remotely checks with endpoints: is the endpoint still on the network? Is the user still logged in?
- Simple to install and use; scales to 100s of DCs.

[Diagram: inputs to ISE-PIC / ISE come from AD via WMI, Kerberos SPAN, the ISE-PIC Agent and syslog, from custom apps via the REST API, and from the Endpoint Probe ("same user? still there?"), i.e. almost anything. Output goes to FMC and WWW (web security) over the pxGrid pub/sub bus and to ASA over the legacy CDA-RADIUS interface.]

ISE-PIC Installation: VM only, no hardware support. A 3515-based VM handles 100K sessions, a 3595-based VM 300K sessions. Setup is similar to an ISE VM and includes a 90-day evaluation license. Don't forget resource reservations!

Deployment Options: standalone node or HA pair. Form factors: ISE-PIC and ISE-PIC Upgrade. Notes: no certificate import/export, no service modification, services cannot be started/stopped. Remember: ISE has all the features of ISE-PIC. Need to distribute? Upgrade to ISE!

ISE-PIC Licensing (orderable today)
- Standalone, up to 3,000 sessions: Qty 1 R-ISE-PIC-VM-K9=
- Standalone, up to 300,000 sessions: Qty 1 R-ISE-PIC-VM-K9= plus Qty 1 L-ISE-PIC-UPG=
- High Availability, up to 3,000 sessions: Qty 2 R-ISE-PIC-VM-K9=
- High Availability, up to 300,000 sessions: Qty 2 R-ISE-PIC-VM-K9= plus Qty 2 L-ISE-PIC-UPG=
Both PIDs are required for the ISE-PIC Upgrade (300K sessions); an HA pair needs 2x licenses.

ISE-PIC Integration Status
- StealthWatch 6.9
- Firepower Management Center: ISE-PIC 2.2 patch 1 / FMC 6.2, plus QA validation
- IDFW for ASA: requires the CDA RADIUS interface (roadmap)
- Web Security Appliance: requires the CDA RADIUS interface (roadmap)
Cisco solutions only with ISE-PIC! Upgrade to ISE with a Plus license for 3rd-party support.

pxGrid Enhancements

CA-Signed pxGrid Certificates: the ISE Root CA issues certificates from a special pxGrid certificate template with EKUs for both client and server authentication. The grid controller and each grid client hold their own public/private key pair, and each side trusts the other through its trusted-certificates store (ISE Trusted Certificates on the controller, the client's trust store on the client), both anchored on the ISE Root CA.

pxGrid Certificate Template, within the pxGrid UI
- No longer any need to create a portal, add a portal user, etc.
- Generate certificates with or without a CSR
- Bulk certificates with CSV
- Download root certificate
- Certificate formats: PEM or PKCS12; encrypted options only; all include the root certificates

pxGrid Certificate Best Practice
- Friendly CN: make it something unique, e.g. with a "pxgrid" prefix
- Certificate template: hard-coded to use the pxGrid template (client + server EKUs)
- Real FQDN in the SAN: ensure the real FQDN and the IP address are both in the SAN, just in case

New wizards ISE the easy way

All About Wizards: Visibility Setup, Secure Access Wizard (BETA), PassiveID Setup.

Visibility Setup: discovers NADs (via SNMP), connects to Active Directory, discovers devices connected to the network (SMB and NMAP scans) and discovers users (AD).

Secure Access Wizard (BETA): easy wireless management, one place to configure all security and access settings for the major use cases, Enterprise (802.1X), Guest and BYOD. It covers NAD setup (WLC WLANs/SSIDs, RADIUS authentication, authorization and key, account duration settings, redirect ACLs for interesting traffic, RADIUS CoA settings), ISE authentication and authorization policies with their authorization results, and portal management (easy portal creation and customization, customized captive portals) and a lot more.

PassiveID Setup: Easy Connect for non-802.1X users. Creates the WMI connection from ISE to Active Directory and performs the Active Directory setup for WMI security event logs (registry settings, etc.).

ISE Secure Access Wizard (SAW): a non-security user can set it up in 10 minutes. Easy wireless management, one place to configure all security and access settings for the major use cases, Enterprise (802.1X), Guest and BYOD. Security and access policy configuration in Cisco ISE 2.2: ISE policy configuration, security settings, redirect ACLs (interesting traffic), RADIUS authentication, authorization and key, account duration settings, WLANs, etc. Portal management: easy portal creation and customization. Network access devices.

Best Practices Design (Guest Access): the recommendation is to run SAW in a standalone setup. If using HA or multiple PSNs, manually add the ISE IP addresses of the PSNs as RADIUS servers on the WLCs.

[Diagram: distributed deployment with primary and secondary Admin nodes (PAN), primary and secondary Monitoring nodes (MnT), PSNs, and primary and secondary pxGrid controllers; the "add RADIUS config" step applies to the PSNs.]

Best Practices Design
- Operating system: Cisco ISE 2.2 (fresh install); Cisco WLC running AireOS 8.x or higher.
- Licensing: Guest requires an ISE Base license, BYOD requires a Plus license; standard WLC licensing.
- Deployment: we recommend a greenfield ISE deployment; the WLC can be greenfield or brownfield with an existing configuration.
- Multiple AD and WLCs: an AD domain is required to create sponsored guest, 802.1X and BYOD flows. Only Active Directory groups and users are supported (manual configuration for other ID stores). Multiple WLCs and ADs can be added, but the flow configures one at a time.
- Operations: dual SSID is supported for BYOD. The open SSID does not support guest access, due to conflicts. A portal that supports both guest and BYOD is not supported by SAW today. Do use spaces in your SSID names.

Demo: SAW on dCloud

Posture

What is Posture? The state of compliance with corporate security policies, checked through conditions such as: application, anti-malware, file check, anti-spyware, compound, patch management, anti-virus, disk encryption, registry, service, USB check and others.

Simplify posture administration and user experience: next-level posture capabilities. What's new for ISE 2.2? Administrators can now gain better inventory and compliance visibility without impacting the end user. Broader support for 3rd-party NADs (HP, Brocade, Aruba, Ruckus, Cisco and others) increases flexibility for admins. Additionally, users can onboard to AnyConnect faster and without interruptions.
Benefits:
- More flexibility: deploy AnyConnect even with non-Cisco NADs
- Less user error: enforce policy automatically
- Better user experience: eliminate interruptions with posture in the background
Capabilities:
- Set up automatic AnyConnect installations
- Install AnyConnect and enforce posture in the background with AnyConnect Stealth mode
- Gain better visibility into endpoint activity without a user-disrupting agent
- Streamline client provisioning with 3rd-party NAD support
- Avoid certificate errors using common posture certificates

Key Posture Highlights in ISE 2.2: enhanced posture discovery and client provisioning
- Posture on 3rd-party devices (agent-to-ISE communication without URL redirect)
- AnyConnect headless Windows/OS X option (no UI module)
- Firewall-enabled checks and remediation
- Application visibility, control and enforcement
- AnyConnect profile provisioning using JSON (OpenDNS Umbrella provisioning support)
- UDID context sharing (exposed in the Context Directory)
- Common certificates and HTTP ports for posture (avoiding the unknown-certificate errors)
- Apex license enforcement (the posture admin UI shuts down when it is not licensed)

TC-NAC

What is Threat Centric NAC? Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation. It complements posture: vulnerability data tells an endpoint's posture from the outside.
- Expanded control driven by threat intelligence and vulnerability assessment data
- Faster response with automated, real-time policy updates based on vulnerability data and threat metrics
- Create ISE authorization policies based on threat and vulnerability attributes: vulnerability assessments (CVSS, Common Vulnerability Scoring System) and threat notifications (STIX over TAXII, Indicators of Compromise)

[Diagram: endpoints are assessed by AMP and Qualys; threat events (STIX, CVSS, IOC) flow into Cisco ISE 2.2, which combines who/what/when/where/how with posture, threat and vulnerability context to drive the network access policy. CTA: Cognitive Threat Analytics.]

Threat Centric NAC: pick the vulnerability assessment vendor of your choice. Starting from ISE 2.2, TC-NAC supports Tenable, Cisco Cognitive Threat Analytics (CTA) and Rapid7, alongside the AMP and Qualys integrations shown on the previous slide. Flow: ISE sends a scan request to the scanner, the scanner runs the vulnerability scan and returns the CVSS score. A standard listener will be supported for threats using the STIX framework, for automatic quarantining of critically infected endpoints.
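To make the rule ordering concrete, here is an added example (not ISE's policy engine or API; the attribute names, authorization profile names and thresholds are assumptions chosen for illustration) that evaluates an endpoint's vulnerability and threat attributes top-down with first match wins, asks for a scan when the endpoint has never been scanned, and reports when fresh scanner or threat data changes the result, which is the point at which ISE would push a CoA.

```python
"""Threat-centric authorization: pick an authorization result from the
vulnerability and threat attributes an endpoint carries, and decide whether
a CoA is needed when those attributes change. Added example, not ISE's policy
engine; attribute and profile names are illustrative assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class EndpointContext:
    mac: str
    posture: str = "Unknown"              # Compliant / NonCompliant / Unknown
    cvss_base: Optional[float] = None     # highest CVSS base score from the scanner; None = never scanned
    iocs: FrozenSet[str] = frozenset()    # indicator categories from STIX/TAXII threat events


@dataclass(frozen=True)
class AuthzResult:
    profile: str                          # authorization profile / SGT to apply
    trigger_scan: bool = False            # ask the scanner for an on-demand scan


Rule = Tuple[str, Callable[[EndpointContext], bool], AuthzResult]

CRITICAL_IOCS = {"c2-beacon", "ransomware", "credential-theft"}

# Evaluated top-down, first match wins, like an ISE authorization policy.
TC_NAC_RULES: List[Rule] = [
    ("critical-threat", lambda e: bool(e.iocs & CRITICAL_IOCS), AuthzResult("Quarantine")),
    ("critical-vuln", lambda e: e.cvss_base is not None and e.cvss_base >= 9.0, AuthzResult("Quarantine")),
    ("high-vuln", lambda e: e.cvss_base is not None and e.cvss_base >= 7.0, AuthzResult("Vuln_Remediation")),
    ("posture-fail", lambda e: e.posture == "NonCompliant", AuthzResult("Posture_Remediation")),
    ("never-scanned", lambda e: e.cvss_base is None, AuthzResult("Employee_Access", trigger_scan=True)),
]
DEFAULT_RESULT = AuthzResult("Employee_Access")


def authorize(ctx: EndpointContext) -> Tuple[str, AuthzResult]:
    """Return (matched rule name, result) for the endpoint's current context."""
    for name, condition, result in TC_NAC_RULES:
        if condition(ctx):
            return name, result
    return "default", DEFAULT_RESULT


def on_context_update(previous: EndpointContext, updated: EndpointContext) -> Optional[str]:
    """The CoA action to issue when new scanner/threat data changes the authorization."""
    _, before = authorize(previous)
    _, after = authorize(updated)
    if before.profile == after.profile:
        return None                        # same profile: no CoA needed
    return f"CoA reauth {updated.mac}: {before.profile} -> {after.profile}"


if __name__ == "__main__":
    first_seen = EndpointContext("00:11:22:33:44:55")
    print(authorize(first_seen))           # permitted, scan requested
    after_scan = EndpointContext("00:11:22:33:44:55", cvss_base=9.8)
    print(on_context_update(first_seen, after_scan))
```

The ordering encodes a design choice worth stating explicitly: a critical threat indicator outranks a clean scan, and a critical vulnerability outranks compliant posture, because posture only describes what the endpoint says about itself while the scanner and threat feed describe it from the outside.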

Tips and tricks - nice to know

Network Device Address Ranges: flexible pattern matching for multiple NADs, last octet only. Configure a NAD with single or multiple IP address ranges, with wildcard support.
- Single range examples: 192.168.1.100-120 or 192.168.1.*
- Multiple ranges (each range listed separately): 192.168.1.100-120, 192.168.1.121-130, 192.145.2.*
Note: only the last octet may carry a range or wildcard, but it is possible to define multiple class C entries to achieve the same coverage at a higher subnet level.
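An added example (not ISE code) that implements the same matching rules in Python, so you can check an entry list against a RADIUS client address before a NAD is onboarded: literal first three octets, last octet as a single value, a range or `*`, anything else rejected. It also includes the helper the note hints at, expanding a larger subnet into the class C entries ISE needs. The exact entry syntax beyond what the slide shows is an assumption.

```python
"""Match device IPs against ISE-style network device address entries.
Added example, not ISE code: it assumes ISE 2.2 accepts a literal first three
octets followed by a last octet that is a single value, a range "100-120" or "*".
"""
import ipaddress
import re
from typing import List, Tuple

_ENTRY = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\*|\d{1,3}(?:-\d{1,3})?)$")


def parse_entry(entry: str) -> Tuple[Tuple[int, int, int], int, int]:
    """Return ((o1, o2, o3), low, high) for one NAD address entry."""
    m = _ENTRY.match(entry.strip())
    if not m:
        # Wildcards or ranges in any octet but the last are not supported (e.g. "10.*.0.1").
        raise ValueError(f"unsupported NAD address entry: {entry!r}")
    prefix = tuple(int(o) for o in m.group(1, 2, 3))
    last = m.group(4)
    if last == "*":
        low, high = 0, 255
    elif "-" in last:
        low, high = (int(x) for x in last.split("-"))
    else:
        low = high = int(last)
    if any(o > 255 for o in prefix) or not 0 <= low <= high <= 255:
        raise ValueError(f"octet out of range in {entry!r}")
    return prefix, low, high


def nad_matches(ip: str, entries: List[str]) -> bool:
    """True if ip falls inside any of the configured entries."""
    octets = tuple(int(x) for x in ip.split("."))
    for entry in entries:
        prefix, low, high = parse_entry(entry)
        if octets[:3] == prefix and low <= octets[3] <= high:
            return True
    return False


def entries_for_network(cidr: str) -> List[str]:
    """Express an IPv4 network as last-octet-only entries: one "*" entry per /24,
    or a single value/range for prefixes longer than /24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 24:
        base = ".".join(str(net[0]).split(".")[:3])
        first, last = int(net[0]) & 0xFF, int(net[-1]) & 0xFF
        if net.prefixlen == 24:
            return [f"{base}.*"]
        return [f"{base}.{first}" if first == last else f"{base}.{first}-{last}"]
    return [".".join(str(sub[0]).split(".")[:3]) + ".*" for sub in net.subnets(new_prefix=24)]


if __name__ == "__main__":
    print(nad_matches("192.168.1.110", ["192.168.1.100-120", "192.145.2.*"]))   # True
    print(entries_for_network("192.168.2.0/23"))                                 # two class C entries
```

Because matching is first-hit across entries, overlapping entries are harmless, but a `*` entry silently covers the whole class C, so review wildcard entries the same way you would a permissive RADIUS client definition: any host in that range that knows the shared secret can speak RADIUS to ISE.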

Network Device Group (NDG) Hierarchies Before ISE 2.2 ISE 2.2

Custom User Attributes: new attribute types include IP, Boolean and Date (Administration > Identity Management > Settings).

Per-PSN LDAP Servers: assign a unique primary and secondary LDAP server to each PSN, allowing each PSN to use local or regional LDAP servers. (BRKSEC-3699)

MySQL Support: reintroduced in ISE 2.2 (it was pulled from ISE 2.1 at the last minute). Configuration guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210521-configure-ise-2-2-for-integration-with-m.html

Guest Enhancements
Sponsor enhancements:
- Single-click guest account approvals
- Pending-approval filtering based on the person visited (AD/LDAP support)
- Sponsor portal enhancements
Guest enhancements:
- Background image support
- Hotspot CoA (Change of Authorization)
- Sponsor portal: set password on import
- ERS API update
- Dynamic variable message ID for SMS messages
Legacy guest features:
- Custom portal files
- Sponsor group by additional attributes
- Auto-send notification to the guest when an email address is present
- Allow guest credentials to be hidden from the sponsor while the guest is still notified

What s new in ISE 2.3?

Read-Only Admin, a.k.a RO Admin

Social Network Guest Login

Supported flows
- Facebook login will be supported for self-registration only, with and without sponsor approval.
- With social login the registration form is optional. If displayed, some fields will be pre-populated with information from the social media provider. The admin may allow guests to override that information (except the Facebook username).
- Facebook login sits on top of the regular guest flows. A hotspot-like flow can be achieved by using self-registration without sponsor approval and without displaying the registration form: guests click the Facebook button and get access to the network immediately.

Facebook login for guest (phase 1): the portal offers three options: log in using a local ISE account, create a local ISE account, or log in with a social account.

First-time access: upon first access the guest must approve ISE to get basic information from Facebook (screenshot of the consent prompt).

Posture Improvements

Posture Features: temporal agent push, better SCCM integration, flexible notifications framework, even better application visibility.

Group Policy Connector

Simplifying Security Policy Across Domains (in progress / planning). Goal: share group information between cloud domains and the enterprise to simplify policy management. Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks. Enable adoption of different cloud environments without duplicating group policy management. Group sources for the Group Policy Connector: AWS Security Groups, Azure Network Security Groups, ACI Endpoint Groups (APIC, data center), ODL groups (available) and enterprise Security Groups; others TBD.

ACS Migration

ACS End of Life is a fact! ACS will soon reach End of Sale (August 30th), followed by 1 year of software maintenance (Sev1 and PSIRT fixes only). ISE Base Migration Licenses will reach EoS at the same time. The clock is ticking: NOW is the time to migrate. ISE 2.3 is the LAST release to include the ACS migration features.

ISE Public Resources
- ISE Public Community: http://cs.co/ise-community
- Customer Connection Program: http://cisco.com/go/ccp > Security
- ISE Compatibility Guides: http://cs.co/ise-compatibility
- ISE Design & Integration Guides: http://cs.co/ise-guides
- ISE Licensing / Ordering Guide: http://cs.co/ise-licensing and http://cs.co/ise-ordering
- Free, 90-day ISE Evaluation: http://cs.co/ise-eval

Q&A