Is your network Access
Secure? Try CISCO ISE 2.0.
We live in a connected world that has embraced digital
technology enabled services and is like a small village. We are always
connected; checking our devices for a status update, or we are the ones posting
an update or we are trying to send that status report or close a business deal
Our access to the internet as increased tenfold from the
previous years with many more plugging in to the World Wide Web every second,
we like to call ourselves the .com generation or if you fancy the title
“millennial” you are in the right timeline.
But with such exposure, sometimes we just tend to forget the
dangers lurking behind our use of the internet. A few of us try to at least
ensure we are using a secure connection. But many ignore it all and end-up in a
really bad fix.
Take for example the year 2017 as we knew it, every IT
security professional will tell you that it was a terrible year in the network
security home front especially in the malware category with Wannacry wreaking
havoc on company networks in a spat of ransomware attacks that led to losses in
millions of dollars.
Such occurrences are a network security professional’s worst
nightmare. According to Forbes.com, as cyberattacks increase in frequency and sophistication,
by the year 2020, the global security market is expected to be worth more $170
billion, and is currently suffering from a dire skilled network security professional’s
shortage. In many cases of cyber-attacks taking place, attackers can compromise
an organization within minutes. The proportion of breaches discovered within
days always falls below that of time to resolve them and fix the threats.
The enterprise network today has rapidly changed, especially
concerning employee mobility and access to network facilities. Today’s employees
are not tied down to desktops and office desks, but alternatively are able to access
the companies’ resources through a variety of devices such as smartphones, phablets,
and personal laptops.
The current norm is for a company’s employees to be able to
access the companies resources from anywhere, this greatly increases
productivity, but also exposes the company to the possibility of leakages in
highly confidential company data and increased cybersecurity threats, due to
the fact that you may not be able to track and control the security configuration
of devices accessing the network from outside of the brick and mortar office setup.
Controlling all the devices accessing the network is a great task in itself,
which grows every day and is becoming more untenable as more devices get
connected and plugged into the company network.
So, what can we do to
get out of this fix?
Fret not yourself, using a well configured identity service
engine such as the Cisco ISE would greatly alleviate this challenges. According
to CISCO, the Cisco
Identity Services Engine (ISE) 2.0 is an identity-based network access control
and policy enforcement system. It helps you take care of the time-intensive
day-to-day network administration tasks, allowing your IT staff to focus on
other crucial tasks like keeping abreast with the current cyber threats and how
to counteract them.
According to Cisco
ISE product release notes, ISE will attach an identity to a device based on
a user, function, or other character that allows it to do policy enforcement
and security guidelines compliance before it is authorized to access the
network resources. Based on the results from different factors, a device can be
allowed access to the network based on specific set of access policies applied
to the interface it is connected to, or it can be explicitly denied or given
guest access privileges based on the specific company guidelines. Cisco ISE is a context aware policy service,
and it aims to control access and threats across wired, wireless and VPN
The ISE platform in
The ISE Platform in
a nutshell – figure 1.0
The ISE platform comes with a distributed deployment approach
with nodes handling three different roles: the Policy Administration Node
(PAN), the Monitoring and Troubleshooting Node (MnT), and the Policy Services
Node (PSN). For ISE to function properly, all profiles are required.
Let us briefly review each of this profiles and service
The PAN profile is the screen the administrator will log
into so they can configure policies to drive the ISE setup and configuration.
It acts as the main control entry point for configuring and deploying the ISE. PAN
allows the admin to configure the ISE topology by making changes, with this
changes being send out from the administrator node to the Policy Services Node
(PSN) in ISE.
Policy Services Node
The PSN profile allows for policy decisions to be made. The
nodes here allows the network service enforcement devices to send all network
messaging. After processing the messages, the PSN will then give or deny access
to the network based on what was configured in PAN by the administrator.
Troubleshooting Node (MnT)
The MnT profile will log all service reports, occurrences
and give you the access to generate reports as needed. All the logs will be
received by MnT from other nodes in the ISE topology and sorted through, and compiled
in a readable configuration for you. It gives you the ability to generate various
informative and graphical reports that can aid you and the senior management
make strategic decisions regarding your companies’ network resources, as well
as notify you of any threats to ISE.
Fundamentally, the Cisco
ISE offers a more holistic approach to network access security and
? Accurate identification of every
user and device.
? Easy onboarding and provisioning
of all devices.
? Centralized, context-aware policy
management to control user access – whoever, wherever, and from whatever device.
? Deeper contextual data about
connected users and devices to more rapidly identify, mitigate, and remediate threats.
Security and Posture
The Cybersecurity landscape is changing very first and
becoming more complex and costly for organizations running legacy traditional
security setups. The cybersecurity demands have largely increased but the
security resources tend to remain the same. This increases the potential attack
surface greatly meaning the legacy security systems with a company’s premise
has little to offer in terms of relevance and robustness to handle current
Employing the correct solution has become paramount and a
shift from on premise, traditional security setups is inevitable with many
organizations currently seeking to deploy a solution that will protect the
company from within and without. Such solutions like the Cisco ISE have some
interesting features that are likely to help organizations meet their security
needs. According to the cisco ISE
administrator security guide , this are some of the security features that
can be found within ISE:
TACACS+ Device Administration
Cisco ISE supports device administration using the Terminal
Access Controller Access-Control System (TACACS+) security protocol to control
and audit the configuration of network devices. Devices are configured to query
ISE for authentication and authorization of device user actions, and send
accounting messages for ISE to log the actions.
It offers granular control of who can access network devices
and change associated network configurations. An administrator can create
policy sets that allow TACACS+ results, such as command sets and shell
profiles, to be selected in authorization policy rules in a device
administration access. The ISE Monitoring node provides enhanced reports
related to device administration. The Work Center menu will have all the device
administration pages, which is the single start point for ISE administrators
wishing to configure the system. A Device Administration license is required in
order to use TACACS+.
It might look like seemingly irrelevant or less important
page, as the single most frequently viewed page in of the ISE, it presented the
greatest pains in usability in previous versions of ISE. It has been revamped
in ISE 2.0, and in a great way. Useful functionalities have been appended to the
pie charts at the top. On clicking a pie chart slice, you will automatically be
able to filter the table below it. The table itself is completely re-written
and will take you to your last selection since you clicked into an endpoint for
details, as you go back to the table.
As ISE is a complex system with great power to boot, you normally
would not expect it to come with a User Interface that is contained within only
a few pages. Most often a solution like this needs to have a menu system, and
many levels of navigation. It can be expected that ISE will certainly be afflicted
with a lot of navigation. However, ISE 2.0 rips out the entire navigational
framework and replaces it with one that is modern and lightning fast. It’s
obviously the start of a complete UI overhaul. The first time you log into ISE
2.0, you immediately see the difference with prominent menus and side
The upgrade process is usually a complex procedure in any
large distributed system in any technological setup. Many solutions do away
with the upgrade option all together and instead they require you to reinstall
and restore the configuration from backup. ISE has always supported upgrade and
has made significant improvements with each release. ISE 2.0 adds a new
Wizard-based GUI to handle the upgrades for you in an orderly manner. You can
specify which repository each node in the deployment should use, pre-stage the
upgrade files, and control the order in which each node is upgraded. All within
Support tunnels have been added to ISE 2.0. This feature allows
the administrator to enable a secure tunnel for Cisco’s TAC to remotely access
the appliance’s root operating system. Well, that’s to put it simply. This is
fantastic tool, because it implies fewer WebEx sessions with Cisco TAC remotely
seeing the UI of a user’s ISE deployment – they can see it directly if and only
if the customer has enabled the support tunnel & provided the TAC engineer
with a unique access key needed to activate and authenticate the access.
Stacking of Command
ISE 2.0 allows for multiple command sets to be sent in
response to an authorization request from any of the nodes. This is done in a Brilliant
way and it will allow command stacking, a permit statement shall always
outweigh a deny statement – unless it is an explicit “deny_always”
Network Device Profiles are completely brilliant and provide
something that many look for in ISE since the very beginning, the ability to
customize the settings for network devices, including how it should handle
Change of Authorizations, URL-Redirections and more. The implementation of NAD
profiles gives a way to import and export so they can be shared. ISE 2.0 comes
with an array of pre-built profiles for many network devices.
EAP-TTLS is a tunneled EAP protocol that is fairly popular
with universities that use eduroam applications.
In ISE 1.3 the built-in Certificate Authority for bring your
own device (BYOD) endpoint certificates was added. It would help create
endpoint certificates for devices that underwent the Cisco BYOD on-boarding
process only. In ISE 1.4 an API was added to aid and allow the creation of
priv/pub certificate key-pairs that could be imported into devices that couldn’t
go through BYOD flows. Now ISE 2.0 there is a better, fully-blown customizable
portal that allows the creation of individual certificate key-pairs, submitting
and signing Certificate Signing Requests (CSRs), or even the bulk creation of
certificates. This is a gem for every network administrator out there.
Kicking Endpoints off
the Network when Certificate is revoked
ISE issues a certificate to a device endpoint, and that
certificate was revoked, it would naturally be denied access at the next
authentication. However the endpoint would remain on the network. ISE 2.0 has
improved the process and adds ability to completely disconnect any endpoint
with an active session whose certificate has been revoked, thereby immediately
kicking them off the network and reducing the clatter of endpoints you do not
Benefits of Using an
Identity Services Engine
According to the research conducted by Forrester
on having an Identity services Engine solution such as Cisco ISE deployed
within an organization, it was found that an organization is likely to expect
the following benefits:
Reduced infrastructure management and support costs for your
guest wireless access services.
Reduced infrastructure management and support costs for BYOD
Reduced help desk support costs
Reduced risk of security issues and major outbreaks.
Reduce or eliminate IT management costs related to guest
due to selection of the right solution
The cost of securing an organizations IT infrastructure can
go into billions of dollars. It is the intent of every organization to have the
most robust and up to date security setup. With cloud security services, many
organizations are moving from spending on their own premise security (CapEx) setup
to a cloud solution which will only require operational expenditure (OpEx) and
enjoys the facility of regular updates.
The security products deployed within an organization will
usually be funded out of the capital expenditure (CapEx) budget. The cost of
such hardware and software (for example buying a full security setup at $ 200,000)
will require an upfront payment of the total amount amortized according to the
accounting cycle, in order for the organization to enjoy those services. In contrast,
if an organization chooses to employ a cloud solution (for example costing
$100,000 annually), which usually comes at a reduced price annually, and is funded
out of the operating expense budget (OpEx), it has an advantage.
In accounting terms, it is more costly to take the first option
(CapEx) as compared to the second option (OpEx). In this two options, the cloud
services make a better option for the employment of the organizations cash,
since unlike the static hardware option that will require future replacement
and another cash outlay of $200,000, the cloud service enjoys a continual
update with the latest technology and at a cheaper price for the organization.
The question then arises, are their ways an organization can
still do an on premise cybersecurity solution deployment and enjoy a more
According to a research conducted by Forrester, regarding
the deployment of an on
premise Identity service engine such as the Cisco ISE within an
organization, a composite organization can incur risk adjusted costs, totaling
about $595,000 in one-time, initial investment and implementation costs, plus
$61,00 administration and maintenance costs per year. This costs relate to a deployment
of the Cisco ISE solution.
Having an ISE solution on premise will help you greatly
reduce the OpEx for the organization by cutting down on help desk support
costs, close major security holes avoiding major data breaches, and reduce or
totally eliminate IT management costs associated with guest wireless access
This are just but a few of the many economic and security
benefits to be derived from the use of Identity service engines such as Cisco
ISE 2.0 in your organization. And according to a research carried out by
Savings and Business Benefits Enabled by ISE, there is a huge incentive for
your organization to deploy an Identity service engine configuration and stay
abreast of the cybersecurity needs of the modern digital organization.