Tech update security 30 / 5-2017
ISE 2.2 + 2.3 update
Agenda
- Context Visibility Enhancements
- PassiveID Enhancements: WMI, Agent, SPAN, Syslog, TS Agent
- ISE-PIC: Installation, Licensing and Upgrade, Integration Status, Deployment
- pxGrid Enhancements
- All about Wizards (ISE the easy way): Visibility, Secure Access Wizard / Wireless Wizard, PassiveID
- Posture
- TC-NAC
- Tips and Tricks (nice to know)
- What's new in ISE 2.3?
- Roadmap
Cisco ISE role-based access control
- Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks.
- Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MAC Security, network visibility and more.
[Diagram: the ISE access policy is built on WHO, WHAT, HOW, WHEN, WHERE, HEALTH, THREATS and CVSS context for endpoints; it is enforced on wired, wireless and VPN network access and shared over pxGrid and APIs with the partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.). Use cases shown: role-based access control, guest access, BYOD, secure access.]
ISE use cases
- Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
- Access Control: consistent access control into wired, wireless and VPN networks. 802.1X, MAC authentication, web authentication and Easy Connect for admission control.
- Guest Access: fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
- BYOD Access: simplified BYOD management with a built-in CA and 3rd-party MDM integration for onboarding and self-service of personal mobile devices.
- Segmentation: topology-independent software-defined segmentation policy to contain network threats by using Cisco TrustSec technology.
- Threat Control: context sharing with the partner ecosystem to improve their overall efficacy and accelerate time to containment of network threats.
- Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Context Visibility Enhancements
End User Context: email, phone, department, number of endpoints
Guest Context: guest type (daily, weekly, etc.), number of endpoints, sponsor portal used
Context Visibility: Endpoint Inactivity. Endpoints that have been inactive for a set number of days without any attribute changes.
Context Visibility: Status Trend (compliant / non-compliant)
Network Device Summary: number of endpoints per NAD, port configuration status
PassiveID Enhancements
PassiveID in ISE: must be enabled per node (on by default in PIC); turns on all PassiveID features. Username-to-IP mapping forms the basis of PassiveID session creation!
Which is Which? ISE Live Sessions
PassiveID Wizard in ISE-PIC: simple to set up PassiveID
1. Join Active Directory
2. Select interesting groups
3. Choose controllers to monitor
4. Done!
PassiveID Wizard in ISE
PassiveID Wizard steps (screenshots):
- Join point: AD domain, admin user, password
- Security groups (used by the API)
- Controllers: all controllers, site controllers, or a custom selection
WMI Provider
WMI Provider Config. WMI: the new easy button!
- Remotely connects to the domain controllers
- Monitors specific security events: 4768 (Kerberos ticket granting) and 4770 (Kerberos ticket renewal)
- NOTE: requires Domain Admin credentials, access through the Windows Firewall, Windows 2008 and above
AD Agent Provider
PassiveID AD Agent: native Windows app
- Can be installed on a domain controller or a member server
- Manual or automatic installation
- 1 agent: up to 10 servers!
- Can provide visibility into past logon events
SPAN Provider
Kerberos SPAN: "Don't touch my AD!"
- 2 interfaces max with PIC; 1 interface per PassiveID node in ISE
- Use ISE for scale and large deployments
- Historical events not possible (point in time only)
- Pro tip: use a dedicated interface and a VACL regardless of the deployment
- Great for PoV!
Syslog Provider
Syslog Provider: allows ISE / PIC to receive syslog messages
- DNS must be correctly configured
- TCP or UDP syslog supported: TCP port 11468, UDP port 40514
- Large list of built-in templates; ability to create custom templates
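The WMI and syslog providers above both feed the same thing: Kerberos events 4768/4770 that bind a username to an IP. This added example (not Cisco code) builds that session table from a constructed syslog feed; the one-line framing and the rule that a later user replaces an earlier one on the same IP are this example's assumptions, while the `::ffff:` normalization and the `$` machine-account filter reflect how Windows actually writes these events.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feed. Field names follow the Windows 4768/4770 event
# text; the single-line syslog framing is an assumption, not an ISE template.
SAMPLE_SYSLOG = """\
2017-05-30T09:00:00 dc1 EventID=4768 Account Name: jdoe Client Address: ::ffff:10.1.20.15
2017-05-30T09:00:05 dc1 EventID=4768 Account Name: WS01$ Client Address: ::ffff:10.1.20.15
2017-05-30T09:30:00 dc1 EventID=4770 Account Name: jdoe Client Address: ::ffff:10.1.20.15
2017-05-30T09:40:00 dc2 EventID=4768 Account Name: asmith Client Address: 10.1.20.15
2017-05-30T10:00:00 dc2 EventID=4768 Account Name: bjones Client Address: ::ffff:10.1.20.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ EventID=(?P<eid>\d+) Account Name: (?P<user>\S+) "
    r"Client Address: (?P<ip>\S+)$"
)

def normalize_ip(raw: str) -> str:
    """Windows logs IPv4 Kerberos clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return raw[7:] if raw.lower().startswith("::ffff:") else raw

def build_sessions(syslog_text: str) -> dict:
    """Return {ip: {"user": name, "last_seen": datetime}} from the feed."""
    sessions = {}
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no template match: nothing to learn from this line
        user = m.group("user")
        if user.endswith("$"):
            continue  # computer account, not a user identity
        ip = normalize_ip(m.group("ip"))
        seen = datetime.fromisoformat(m.group("ts"))
        if m.group("eid") == "4768":
            # New TGT: a later user on the same IP replaces the earlier binding
            # (this example's clash rule, an assumption, not ISE behaviour)
            sessions[ip] = {"user": user, "last_seen": seen}
        elif m.group("eid") == "4770" and sessions.get(ip, {}).get("user") == user:
            sessions[ip]["last_seen"] = seen  # renewal keeps the binding fresh
    return sessions

def active_users(sessions: dict, now_iso: str, max_idle_minutes: int) -> dict:
    """Return {ip: user} for bindings refreshed within max_idle_minutes."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_idle_minutes)
    return {ip: s["user"] for ip, s in sessions.items() if now - s["last_seen"] <= limit}

if __name__ == "__main__":
    print(active_users(build_sessions(SAMPLE_SYSLOG), "2017-05-30T10:05:00", 30))
```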
REST API Provider
REST API Provider: designed for use with the Terminal Services Agent; can also be used by custom integrations. Uses certificate-based authentication; user information is sent to the PassiveID node over SSL in JSON format.
ISE Passive Identity Connector
ISE-PIC at a Glance
- Single ID solution for ALL of the Cisco security portfolio: best of all existing solutions; a true single source of ID; no longer need separate connections to AD, LDAP, etc.
- Very low cost: passive identity only, no authorization, no policies
- New features and sources: agents, WMI, syslog, REST
- Remotely check with endpoints: is the endpoint still on the network? Is the user still logged in?
- Simple to install and use; scales to 100s of DCs
[Diagram: inputs to ISE-PIC / ISE come from WMI, Kerberos SPAN, the ISE-PIC Agent, syslog, the REST API (custom apps, almost anything) and the endpoint probe ("Same user? Still there?"), all drawing on AD; outputs go over the pxGrid pub/sub bus and the legacy CDA-RADIUS interface to ASA, WSA (WWW) and FMC.]
ISE-PIC Installation: VM only, no hardware support
- 3515-based VM: 100K sessions; 3595-based VM: 300K sessions
- Setup similar to the ISE VM; includes a 90-day eval license
- Don't forget resource reservations!
Deployment Options
- Standalone node or HA pair; form factors: ISE-PIC, ISE-PIC Upgrade
- No certificate import / export; no service modification; services cannot be started/stopped
- Remember: ISE has all the features of ISE-PIC. Need to distribute? Upgrade to ISE!
ISE-PIC Licensing
Sessions                Standalone                                      High Availability (2x licenses for the HA pair)
Up to 3,000 sessions    Qty 1 R-ISE-PIC-VM-K9=                          Qty 2 R-ISE-PIC-VM-K9=
Up to 300,000 sessions  Qty 1 R-ISE-PIC-VM-K9= + Qty 1 L-ISE-PIC-UPG=   Qty 2 R-ISE-PIC-VM-K9= + Qty 2 L-ISE-PIC-UPG=
Orderable today. Both PIDs are required for the ISE-PIC Upgrade (300K sessions).
ISE-PIC Integration Status
- StealthWatch 6.9
- Firepower Management Center: ISE-PIC 2.2 patch 1 / FMC 6.2 + QA validation
- IDFW for ASA: requires the CDA RADIUS interface (roadmap)
- Web Security Appliance: requires the CDA RADIUS interface (roadmap)
Cisco solutions only with ISE-PIC! Upgrade to ISE with Plus for 3rd-party support.
pxGrid Enhancements
CA-signed pxGrid certificates
[Diagram: the ISE Root CA issues certificates from a special template with EKUs for both client and server authentication; the grid controller and each grid client hold their own public/private key pair, and each side validates the other against its trust store (ISE Trusted Certificates / Client Trusted Certificates).]
pxGrid certificate template
- Within the pxGrid UI; no longer have to create a portal, add a portal user, etc.
- Generate certificates with or without a CSR; bulk certificates with CSV
- Download options: root certificate, PKCS12, or certificate formats PEM / PKCS12; encrypted options only; all include the root certs
pxGrid certificate best practice
- Friendly CN: make it something unique, e.g. with a "pxgrid" prefix
- Certificate template: hard-coded to use the pxGrid template (client + server EKUs)
- Real FQDN in SAN: ensure the real FQDN and IP address are in the SAN, just in case
New wizards ISE the easy way
All About Wizards: Visibility Setup, Secure Access Wizard (BETA), PassiveID Setup
Visibility Setup
- Discovers NADs (SNMP) and connects to Active Directory (discovers users)
- Discovers devices connected to the network (SMB, NMAP scans)
Secure Access Wizard
- Easy wireless management: one place to configure all security and access settings for the major use cases: Enterprise (802.1X), Guest and BYOD
- NAD setup: wireless, RADIUS, guest, BYOD
- Portal management: easy portal creation and customization
- On ISE: AuthC and AuthZ policies, authorization results, customized captive portals and a lot more
- On the WLC: WLANs (SSIDs), RADIUS AuthC, AuthZ and key, account duration settings, redirect ACLs (interesting traffic), RADIUS CoA settings
PassiveID Setup (Easy Connect for non-802.1X users)
- NAD setup, Easy Connect, WMI connection from ISE to Active Directory
- Active Directory setup: WMI, security event logs (registry settings etc.)
ISE Secure Access Wizard (SAW): a non-security user can set it up in 10 minutes
- Easy wireless management: one place to configure all security and access settings for the major use cases: Enterprise (802.1X), Guest and BYOD
- Security & access policy configuration: ISE policy configs (Cisco ISE 2.2), security settings, redirect ACLs (interesting traffic), RADIUS AuthC, AuthZ and key, account duration settings, WLANs etc.
- Portal management: easy portal creation and customization
- Network access devices
Best Practices: Design
- Recommendation is to run SAW in a standalone setup.
- If using HA or multiple PSNs, manually add the ISE IP addresses of the PSNs to the WLCs' RADIUS config.
[Diagram: distributed deployment with primary/secondary Admin nodes (PAN), primary/secondary Monitoring nodes (MnT), PSNs and primary/secondary pxGrid controllers (PXG); the RADIUS config points at the PSNs.]
Best Practices: Design
Cisco Identity Services Engine
- Operating system: ISE 2.2 (fresh install)
- Licensing: Guest requires an ISE Base license; BYOD requires a Plus license
- Deployment: we recommend a green-field ISE deployment
- Multiple AD & WLCs: an AD domain is required to create Sponsored Guest, 802.1X and BYOD; only Active Directory groups and users are supported (manual config for other ID stores)
- Operations: dual SSID is supported for BYOD; the open SSID does not support guest access, due to conflicts
Cisco Wireless LAN Controller
- Operating system: Cisco WLC running AireOS 8.x or higher
- Licensing: standard WLC licensing
- Deployment: the WLC can be green field or brown field with existing configuration
- Multiple AD & WLCs: multiple WLCs and ADs can be added, but the flow configures one at a time
- Operations: a portal that supports both guest and BYOD is not supported today by SAW. Do use spaces in your SSID names.
Demo: SAW on dCloud
Posture
What is Posture? The state of compliance with corporate security policies. Checks include: application, anti-malware, file check, anti-spyware, compound, patch management, anti-virus, disk encryption, registry, service, USB check and others.
Simplify posture administration and user experience: next-level posture capabilities. What's new for ISE 2.2? Administrators can now gain better inventory and compliance visibility without impacting the end user. Broader support for 3rd-party NADs increases flexibility for admins. Additionally, users can onboard to AnyConnect faster and without interruptions.
Benefits
- More flexibility: deploy AnyConnect even with non-Cisco NADs
- Less user error: enforce policy automatically
- Better user experience: eliminate interruptions with posture in the background
Capabilities (admin)
- Set up automatic AnyConnect installations
- Install AnyConnect and enforce posture in the background with AnyConnect Stealth Mode
- Gain better visibility into endpoint activity without a user-disrupting agent
- Streamline client provisioning with 3rd-party NAD support
- Avoid certificate errors using common posture certificates
[Screenshot: AnyConnect automatic download enabled, stealth-mode installations in progress; available NADs include HP, Brocade, Aruba, Ruckus and Cisco.]
Key Posture Highlights in ISE 2.2 (for your reference)
- Enhanced posture discovery and client provisioning
- Posture on 3rd-party devices (non-URL-redirect agent-to-ISE communication)
- AnyConnect headless Win/OS X option (no UI module)
- Firewall enabled checks and remediation
- Application visibility, control and enforcement
- AnyConnect profile provisioning using JSON (OpenDNS Umbrella provisioning support)
- UDID context sharing (exposure in Context Directory)
- Common certificates and HTTP ports for posture (avoiding the unknown-certificate errors)
- Apex enforcement (posture admin UI shuts down)
TC-NAC
What is Threat Centric NAC? Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
- Complements posture: vulnerability data tells the endpoint's posture from the outside
- Expanded control driven by threat intelligence and vulnerability assessment data
- Faster response with automated, real-time policy updates based on vulnerability data and threat metrics
- Create ISE authorization policies based on threat and vulnerability attributes: vulnerability assessments (CVSS scores) and threat notifications (STIX threat events, IOCs)
[Diagram: threat and vulnerability sources (AMP, Qualys, Cisco CTA via STIX over TAXII) feed ISE 2.2, which adds Threat and Vulnerability to the Who / What / When / Where / How / Posture context used in network access policy. CVSS = Common Vulnerability Scoring System; IOC = Indicators of Compromise.]
Threat Centric NAC: pick the vulnerability assessment vendor of your choice. Starting from ISE 2.2, TC-NAC supports Tenable, Cisco Threat Analytics (CTA) and Rapid7.
[Diagram: ISE 2.2 sends a scan request to the scanner; the scanner runs vulnerability scans and returns a CVSS score.]
A standard listener will be supported for threats using the STIX framework, for automatic quarantining of critically infected endpoints.
Tips and tricks - nice to know
Network Device Address Ranges: flexible pattern matching for multiple NADs (last octet only)
- Configure a NAD with single or multiple IP address ranges, with wildcard support
- Single range example: 192.168.1.100-120 or 192.168.1.*
- Multiple range example (each range listed separately): 192.168.1.100-120, 192.168.1.121-130, 192.145.2.*
- Note: last octet only, but it is possible to define multiple class C entries to achieve the same ranges at a higher subnet level
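To make the last-octet rule concrete, this added example (not Cisco code) validates NAD entries in the syntax above, matches a RADIUS client address against them, and expands a wider subnet into the several class C entries the note calls for; the exact entry grammar (a single octet is also accepted) is an assumption based on the slide, not a copy of ISE's parser.

```python
import ipaddress
import re

# One entry: three fixed octets, then "lo-hi", a single octet or "*" in the
# last octet only, which is the syntax the slide describes.
_PATTERN = re.compile(
    r"^(?P<prefix>(?:\d{1,3}\.){3})"
    r"(?:(?P<lo>\d{1,3})-(?P<hi>\d{1,3})|(?P<one>\d{1,3})|\*)$"
)

def parse_nad_pattern(pattern: str):
    """Return ('a.b.c.', low octet, high octet); reject anything else."""
    m = _PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported NAD pattern: {pattern!r}")
    prefix = m.group("prefix")
    ipaddress.IPv4Address(prefix + "0")  # rejects octets such as 300 or 01
    if m.group("one") is not None:
        lo = hi = int(m.group("one"))
    elif m.group("lo") is None:
        lo, hi = 0, 255  # wildcard
    else:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {pattern!r}")
    return prefix, lo, hi

def nad_matches(ip: str, patterns) -> bool:
    """True if ip falls inside any entry; a malformed entry raises ValueError."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    prefix, last = ".".join(octets[:3]) + ".", int(octets[3])
    return any(p == prefix and lo <= last <= hi
               for p, lo, hi in map(parse_nad_pattern, patterns))

def cidr_to_nad_patterns(cidr: str) -> list:
    """Split a wider subnet into the last-octet entries the slide's note calls
    for: one 'a.b.c.*' per /24, or a single lo-hi range for longer prefixes."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        head, lo = net.network_address.exploded.rsplit(".", 1)
        hi = net.broadcast_address.exploded.rsplit(".", 1)[1]
        return [f"{head}.{lo}-{hi}"]
    return [f"{s.network_address.exploded.rsplit('.', 1)[0]}.*"
            for s in net.subnets(new_prefix=24)]

# Constructed sample: the slide's three example ranges
NAD_PATTERNS = ["192.168.1.100-120", "192.168.1.121-130", "192.145.2.*"]

if __name__ == "__main__":
    print(nad_matches("192.168.1.125", NAD_PATTERNS), cidr_to_nad_patterns("10.1.4.0/22"))
```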
Network Device Group (NDG) Hierarchies: before ISE 2.2 vs. ISE 2.2 (screenshots)
Custom User Attributes: new attribute types include IP / Boolean / Date (Administration > Identity Management > Settings)
Per-PSN LDAP Servers: assign a unique primary and secondary LDAP server to each PSN, allowing each PSN to use local or regional LDAP servers. (Source slide: BRKSEC-3699)
MySQL Support Reintroduced in ISE 2.2 (Last-minute Pull from ISE 2.1) https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210521-configure-ise-2-2-for-integration-with-m.html
Guest Enhancements
Sponsor enhancements:
- Single-click guest account approvals
- Pending approval filtering based on person visited (AD/LDAP support)
- Sponsor portal enhancements
Guest enhancements:
- Background image support
- Hotspot CoA (Change of Authorization)
- Sponsor portal: set password on import
- ERS API update
- Dynamic variable message ID for SMS messages
Legacy guest features:
- Custom portal files
- Sponsor group by additional attributes
- Auto-send notification to the guest when an email address is present
- Allow guest credentials to be hidden from the sponsor while the guest is still notified
What's new in ISE 2.3?
Read-Only Admin, a.k.a RO Admin
Social Network Guest Login
Supported Flows
- Facebook login will be supported for self-registration only, with and without sponsored approval.
- With social login the registration form is optional. If displayed, some fields will be pre-populated with information from the social media provider. The admin may allow guests to override that information (except the Facebook username).
- Facebook login is on top of the regular guest flows. Hotspot can be achieved by using self-registration without sponsored approval and without displaying the registration form: guests click the Facebook button and get access to the network immediately.
Facebook login for guest (phase 1): login using a local ISE account, create a local ISE account, or login with a social account
First Time Access: upon first access the guest must approve ISE getting basic information from Facebook. [Screenshot: Facebook login dialog for Cisco ISE]
Posture Improvements
Posture Features: temporal agent push, better SCCM integration, flexible notifications framework, even better application visibility
Group Policy Connector
Simplifying Security Policy Across Domains
Goal: share group information between cloud domains and the enterprise to simplify policy management.
- Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks
- Enable adoption of different cloud environments without duplicating group policy management
[Diagram: the Group Policy Connector exchanges groups between AWS Security Groups, Azure Network Security Groups, ACI EndPoint Groups (APIC, DC), ODL groups and Enterprise Security Groups, with further sources TBD; each integration is marked In Progress, Planning or Available.]
ACS Migration
ACS End of Life is a fact! ACS will soon reach End of Sale (August 30th), followed by 1 year of software maintenance (Sev1 and PSIRT fixes only). ISE Base Migration Licenses will reach EoS at the same time. The clock is ticking: NOW is the time to migrate. ISE 2.3 is the LAST release to include the ACS migration features.
ISE Public Resources
- ISE Public Community: http://cs.co/ise-community
- Customer Connection Program: http://cisco.com/go/ccp > Security
- ISE Compatibility Guides: http://cs.co/ise-compatibility
- ISE Design & Integration Guides: http://cs.co/ise-guides
- ISE Licensing / Ordering Guide: http://cs.co/ise-licensing, http://cs.co/ise-ordering
- Free, 90-day ISE Evaluation: http://cs.co/ise-eval
Q&A