We live in a connected, digitally enabled world that behaves like a small village. We are constantly online: checking our devices for a status update, posting one ourselves, or trying to send that status report or close a business deal. Our access to the internet has increased tenfold over previous years, with more people plugging into the World Wide Web every second; we like to call ourselves the .com generation, or, if you fancy the title, "millennials".
But with such exposure we tend to forget the dangers that lurk behind our use of the internet. A few of us at least try to ensure we are using a secure connection, but many ignore it altogether and end up in a really bad fix.
Take 2017 as an example: every IT security professional will tell you it was a terrible year on the network security front, especially for malware, with WannaCry wreaking havoc on company networks in a spate of ransomware attacks that led to losses of millions of dollars.
Such occurrences are a network security professional's worst nightmare. According to Forbes.com, as cyberattacks increase in quantity and sophistication, the global cybersecurity market is expected to be worth $170 billion by 2020, and the industry is suffering from a dire shortage of skilled network security professionals. In many cyber-attacks the attacker compromises the organization within minutes, while the proportion of breaches discovered within days remains far smaller, and resolving and fixing them takes longer still.
The enterprise network has changed rapidly, especially with regard to employee mobility and access to network facilities. Today's employees are not tied to desktops and office desks; instead they reach the company's resources through a variety of devices such as smartphones, phablets, and personal laptops.
We all know that accessing company resources from anywhere greatly increases productivity for many firms, but it also increases the risk of leaking crucial company data and of other cyber-security threats, because you may not be able to track the security posture of devices that reach the network from outside the brick-and-mortar office. Controlling all the devices accessing the network is a great task in itself, and one that grows every day, becoming ever more untenable to manage.
So, what can we do to get out of this fix?
Fret not: according to Cisco, the Cisco Identity Services Engine (ISE) 2.0 is here to help, and in a big way. ISE is an identity-based network access control and policy enforcement system. It takes care of time-intensive day-to-day network administration tasks, allowing the network team to focus on other crucial work such as keeping abreast of current cyber threats and how to counter them.
According to the Cisco ISE product release notes, ISE attaches an identity to a device based on user, function, or other characteristics, which allows it to enforce policy and check compliance with security guidelines before the device is authorized to access network resources. Based on those factors, a device can be allowed onto the network with a specific set of access policies applied to the interface it is connected to, explicitly denied, or given guest access privileges, according to the company's guidelines. Cisco ISE is therefore a context-aware policy service for controlling access and containing threats across wired, wireless and VPN networks, and a component of Cisco's Borderless Networks architecture and its TrustSec product line.
Another plus is that Cisco has finally released Identity Services Engine (ISE) 2.0, which comes with a robust array of features and functionality that will be a great asset to your organization.
Let us review the ISE platform in brief.
The ISE Platform in a nutshell – figure 1.0
The ISE platform uses a distributed deployment model in which nodes take on three roles (Cisco calls them personas): the Policy Administration Node (PAN), the Monitoring and Troubleshooting Node (MnT), and the Policy Services Node (PSN). For ISE to function, all three personas must be present in the deployment; in a small deployment a single node can run all three, while a large deployment dedicates separate nodes to each.
Let us briefly review each of these personas and the service it provides.
Policy Administration Node (PAN)
The PAN hosts the administrative interface the administrator logs into to configure the policies that drive the ISE deployment. It is the control center of the deployment: the administrator configures the ISE topology and policy here, and those changes are replicated from the administration node to the Policy Services Nodes (PSNs).
Policy Services Node (PSN)
The PSN is where policy decisions are made. Network access devices (switches, wireless controllers and VPN gateways) are pointed at the PSNs for all their AAA traffic; for example, RADIUS messages are sent to the PSNs. After processing a request, the PSN grants or denies network access based on what the administrator configured on the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT node collects logs and events from the other nodes in the ISE deployment, stores them, and presents them in a readable form. It gives you the ability to generate detailed and graphical reports on demand, which can help you and senior management make strategic decisions about the company's network resources, and it raises alarms about threats to the deployment.
Now that we are familiar with these three personas, let us see some of what ISE 2.0 offers your organization.
Fundamentally, Cisco ISE offers a more holistic approach to network access security and provides:
- Accurate identification of every user and device.
- Easy onboarding and provisioning of all devices.
- Centralized, context-aware policy management to control user access, whoever the user, wherever they are, and from whatever device.
- Deeper contextual data about connected users and devices, to more rapidly identify, mitigate, and remediate threats.
Here are some of the notable technical features within ISE:
Device Administration (TACACS+)
Cisco ISE 2.0 supports device administration using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol to control and audit the configuration of network devices. Network devices are configured to query ISE for authentication and authorization of device administrator actions, and to send accounting messages so that ISE logs those actions.
This offers granular control over who can access which network device and change its configuration. An ISE administrator creates policy sets in which TACACS+ results, such as command sets and shell profiles, are selected in the authorization rules of a device administration policy. The ISE Monitoring node provides reports dedicated to device administration, and the Device Administration Work Center gathers all the related pages into a single starting point for ISE administrators. A Device Administration license is required to use TACACS+.
The new Endpoints page
It might seem a small thing, but the Endpoints page is the single most frequently viewed page in all of ISE, and it was also one of the biggest usability pain points in previous versions. It has been revamped in ISE 2.0, and in a great way. Useful functionality has been added to the pie charts at the top: selecting a pie chart slice automatically filters the table below it. The table itself has been completely rewritten and remembers your last selection when you click into an endpoint for details and then return to the table.
Navigation
ISE is a complex system with tremendous power, and a system like this cannot normally fit its user interface into only a few pages; a solution like this needs a menu system with many levels of navigation, so it is to be expected that ISE carries a lot of it. ISE 2.0, however, rips out the entire navigational framework and replaces it with one that is modern and lightning fast. It is obviously the start of a complete UI overhaul. The first time you log into ISE 2.0 you immediately see the difference, with prominent menus and
Upgrades
The upgrade process is a complex procedure for any large distributed system. Many solutions do away with the upgrade option altogether and instead require you to reinstall and restore the configuration from backup. ISE has always supported in-place upgrade and has made significant improvements with each release. ISE 2.0 adds a wizard-based GUI that handles upgrades in an orderly manner: you can specify which repository each node in the deployment should use, pre-stage the upgrade files, and control the order in which each node is upgraded, all within
Support Tunnels
Support tunnels have been added in ISE 2.0. This feature allows the administrator to enable a secure tunnel through which Cisco TAC can remotely access the appliance's underlying operating system. Put simply, it is a fantastic tool, because it means fewer WebEx sessions in which Cisco TAC watches the UI of a customer's ISE deployment: they can look directly, if and only if the customer has enabled the support tunnel and provided the TAC engineer with the unique key required to activate and authenticate the access.
Stacking of Command Sets
ISE 2.0 allows multiple command sets to be returned in response to a single authorization request. This has been done in a clever way that allows command stacking: when the sets are combined, a permit statement always outweighs a deny statement, unless the deny is an explicit "deny_always".
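To make the stacking rule concrete, here is a small Python model of how several returned command sets combine, written for this article (it is not Cisco's code and does not reproduce ISE's exact matching engine): a deny_always match in any set wins, otherwise a permit match in any set wins, otherwise the command is denied. The regex rule syntax, the sample command sets, and the choice to deny commands that match nothing are assumptions made here; the device administration passage above describes where such command sets are selected.

```python
"""
Model of stacked TACACS+ command set evaluation as the article describes it:
a DENY_ALWAYS match in any set beats everything, a PERMIT match in any set
beats a plain DENY, and anything else is denied.  Added illustration for this
article, not Cisco's code.  Assumptions: rules match the command keyword and
its arguments with regular expressions, and unmatched commands are denied.
"""
import re
from dataclasses import dataclass, field

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class Rule:
    grant: str                 # PERMIT, DENY or DENY_ALWAYS
    command: str               # regex matched against the command keyword
    arguments: str = ".*"      # regex matched against the rest of the line

    def matches(self, command: str, arguments: str) -> bool:
        return (re.fullmatch(self.command, command) is not None
                and re.fullmatch(self.arguments, arguments) is not None)


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)

    def verdicts(self, command: str, arguments: str) -> list:
        """Grants of every rule in this set that matches the command."""
        return [r.grant for r in self.rules if r.matches(command, arguments)]


def authorize(command_line: str, command_sets) -> str:
    """Combine all returned command sets into one PERMIT/DENY decision."""
    parts = command_line.strip().split(None, 1)
    command = parts[0] if parts else ""
    arguments = parts[1] if len(parts) > 1 else ""
    grants = [g for cs in command_sets for g in cs.verdicts(command, arguments)]
    if DENY_ALWAYS in grants:
        return DENY        # explicit deny_always outweighs any permit
    if PERMIT in grants:
        return PERMIT      # a permit in any set outweighs plain denies
    return DENY            # assumption: unmatched or only DENY -> deny


# Constructed sample policy (not from the article): a read-only set, an
# interface-operations set, and a hardening set that must never be overridden.
READ_ONLY = CommandSet("ReadOnly", [
    Rule(PERMIT, "show"),
    Rule(PERMIT, "ping"),
    Rule(DENY, "configure"),
])
INTERFACE_OPS = CommandSet("InterfaceOps", [
    Rule(PERMIT, "configure", "terminal"),
    Rule(PERMIT, "interface"),
    Rule(PERMIT, "description"),
])
HARDENING = CommandSet("Hardening", [
    Rule(DENY_ALWAYS, "aaa"),
    Rule(DENY_ALWAYS, "username"),
    Rule(DENY_ALWAYS, "show", "running-config.*"),
])
STACK = [READ_ONLY, INTERFACE_OPS, HARDENING]

if __name__ == "__main__":
    for line in ["show ip interface brief", "configure terminal",
                 "aaa new-model", "show running-config", "reload"]:
        print(f"{line!r:28} -> {authorize(line, STACK)}")
```

Note that "configure terminal" is permitted even though ReadOnly denies it, because InterfaceOps permits it, whereas "show running-config" is denied despite the blanket permit for "show", because the hardening set uses deny_always. Put anything that must survive stacking, such as AAA and local-user changes, in deny_always rules.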
Network Device Profiles
Network Device Profiles are completely brilliant and provide something many have wanted from ISE since the beginning: the ability to customize the settings for network devices, including how ISE should handle Change of Authorization (CoA), URL redirection and more. The implementation of NAD profiles also provides import and export so that profiles can be shared, and ISE 2.0 ships with an array of pre-built profiles for many network devices.
EAP-TTLS
EAP-TTLS is a tunneled EAP method that is fairly popular with universities that use eduroam. Prior to ISE 2.0 it was one of the only popular EAP types missing from ISE, even though Cisco's own supplicant, the Cisco AnyConnect Network Access Module, already supported it.
Certificate Provisioning Portal
ISE 1.3 added a built-in Certificate Authority for bring-your-own-device (BYOD) endpoint certificates, but it would only issue endpoint certificates to devices that went through the Cisco BYOD on-boarding flow. ISE 1.4 added an API for creating public/private key-pairs and certificates that could be imported into devices that could not go through the BYOD flow. ISE 2.0 now has a much better, fully-fledged, customizable portal that allows the creation of individual certificate key-pairs, the submission and signing of Certificate Signing Requests (CSRs), and even the bulk creation of certificates. This is a gem for every network administrator.
Kicking Endpoints off the Network when a Certificate is Revoked
When ISE issues a certificate to an endpoint and that certificate is later revoked, the endpoint is naturally denied access at its next authentication. Until now, however, the endpoint remained on the network until that next re-authentication. ISE 2.0 sends a CoA-Terminate (a RADIUS disconnect) to any endpoint with an active session whose certificate has been revoked, kicking it off the network immediately and reducing the clutter of endpoints you no longer want on it.
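What a CoA-Terminate actually is on the wire: the PSN sends the network access device (NAD) a RADIUS Disconnect-Request (RFC 5176, packet code 40) carrying attributes that identify the session, and the NAD answers with a Disconnect-ACK (41) or Disconnect-NAK (42). The following Python builds and verifies that exchange on both sides using the RFC's MD5-based authenticators. It is an added example written for this article, not Cisco's code; the shared secret, addresses, session identifiers and packet identifier are constructed samples.

```python
"""
RADIUS Change-of-Authorization disconnect (RFC 5176) built and verified
from scratch.  Added example for this article, not Cisco's code.
Request Authenticator  = MD5(code | id | length | 16 zero octets | attrs | secret)
Response Authenticator = MD5(code | id | length | RequestAuth     | attrs | secret)
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44


def encode_attrs(attrs) -> bytes:
    """attrs: iterable of (type, value bytes).  RADIUS TLV: type, length, value."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(packet: bytes) -> list:
    """Decode the TLVs after the 20-byte header into (type, value) pairs."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_disconnect_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Server side: Disconnect-Request identifying the session to tear down."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Request Authenticator before acting on a CoA."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """NAD side: ACK or NAK bound to the request's identifier and authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: accept a reply only if it is bound to the request we sent."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, auth)


# Constructed sample: the session of a user whose certificate was revoked.
SECRET = b"constructed-shared-secret"
REVOKED_SESSION = [
    (USER_NAME, b"jdoe@example.test"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ACCT_SESSION_ID, b"0000A1B2"),
]


def terminate_demo(secret: bytes = SECRET) -> str:
    """Round trip: build the request, the NAD checks it, the server checks the ACK."""
    request = build_disconnect_request(secret, 7, REVOKED_SESSION)
    if not verify_request(request, secret):
        return "request rejected"
    ack = build_response(DISCONNECT_ACK, request, secret)
    return "session terminated" if verify_response(ack, request, secret) else "bad ack"


if __name__ == "__main__":
    print(terminate_demo())
    pkt = build_disconnect_request(SECRET, 7, REVOKED_SESSION)
    print(len(pkt), "bytes; accepted with wrong secret:",
          verify_request(pkt, b"wrong-secret"))
```

The NAD only honours a disconnect whose Request Authenticator verifies under the shared secret configured for that server, and the server only trusts a reply whose Response Authenticator is bound to the request it sent; both checks use a constant-time compare. RFC 5176 assigns UDP port 3799 to CoA, while Cisco devices commonly listen on 1700, and ISE can be set to either in the network device profile. Because the only protection is MD5 over a shared secret, restrict the source addresses the NAD accepts CoA from and use a long random secret.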
These are just a few of the many economic and security benefits to be derived from implementing Cisco ISE 2.0 in your organization. Furthermore, according to research carried out by Forrester, "Cost Savings and Business Benefits Enabled by ISE", there is a strong incentive for your organization to deploy Cisco ISE 2.0 and stay abreast of the cybersecurity needs of the modern digital organization.
Let us stay safe on the net with Cisco ISE 2.0!