Enterprise Network Design and Deployment

Post on 14-Apr-2017



Title slide: Enterprise Network Design and Deployment
JECRC University
Sandeep Yadav, 1202061074
(Slide diagram: the components covered in the deck, ISE, IPS, ACS, ASA, WSA and WLC, arranged around a central controller.)

ISE (Identity Services Engine)

A centralised security solution that automates context-aware access to network resources and shares contextual data.
(Slide diagram: Identity, Profiling and Posture feeding the access decision for Network Resources.)

Context attributes ISE uses for a policy decision: Who, What, When, Where, How, and whether the endpoint is Compliant (posture).

ISE use cases (Identity Services Engine):
• Role-Based Policy Access
• Guest Access
• BYOD Access

Guest access (slide diagram): Guests / Users obtain credentials either through the ISE Sponsor Portal, where an employee sponsors the guest, or through ISE Guest Self Service.

Android Device Provisioning (BYOD onboarding)

1. Initial connection using PEAP (the user's username and password).
2. Redirection to the Android Market to install the provisioning utility.
3. Provisioning using the Cisco Wi-Fi Setup Assistant, which installs the device certificate and the wireless profile.
4. Change of Authorization (CoA): ISE tells the WLC to re-authenticate the session.
5. Future connections use EAP-TLS with the provisioned certificate, so the password is never used on the air again.
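The onboarding steps above are, from the RADIUS server's point of view, two authorization decisions separated by a CoA. The following Python model is an added example written for this page, not Cisco ISE code: the rule names (PermitAccess, NSP_Redirect, Quarantine), the employee list, the MAC addresses and the certificate CN format are all hypothetical. What it demonstrates is the ordered, first-match-wins authorization policy: the same device is first steered into the provisioning walled garden and, after registration plus CoA, admitted on EAP-TLS without any further administrator action.

```python
"""Toy model of the ISE BYOD onboarding flow (added example, not Cisco code).
Rule names, the employee list, MACs and the CN format are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """What the RADIUS server learns about one 802.1X session."""
    mac: str
    user: str
    eap_method: str                 # "PEAP" (password) or "EAP-TLS" (certificate)
    cert_cn: Optional[str] = None   # subject CN of the client certificate, if any
    compliant: bool = True          # posture result reported by the agent


@dataclass
class Endpoint:
    """ISE's view of a device: registered through provisioning or not."""
    mac: str
    registered: bool = False        # member of the RegisteredDevices identity group
    cert_cn: Optional[str] = None   # CN ISE expects on this device's certificate


class OnboardingPolicy:
    def __init__(self, employees: Set[str]) -> None:
        self.employees = employees
        self.endpoints: Dict[str, Endpoint] = {}
        self.coa_log: List[str] = []          # CoA-Request messages the server "sent"

    def endpoint(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def authorize(self, s: Session) -> str:
        """Evaluate rules top-down; the first match wins, the default denies."""
        ep = self.endpoint(s.mac)
        # Rule 1: registered device proving itself with the certificate bound to it
        if s.eap_method == "EAP-TLS" and ep.registered and s.cert_cn == ep.cert_cn:
            return "PermitAccess" if s.compliant else "Quarantine"
        # Rule 2: employee on an unregistered device: limited ACL + redirect to provisioning
        if s.eap_method == "PEAP" and s.user in self.employees and not ep.registered:
            return "NSP_Redirect"
        # Default: unknown users and certificates that do not match the endpoint
        return "DenyAccess"

    def provision(self, mac: str, user: str) -> None:
        """Provisioning utility finished: register the endpoint, bind its cert, send CoA."""
        ep = self.endpoint(mac)
        ep.registered = True
        ep.cert_cn = f"{user}/{mac}"      # hypothetical CN format chosen for the demo
        self.coa_log.append(f"CoA-Request reauthenticate {mac}")


def walkthrough(policy: OnboardingPolicy, mac: str, user: str) -> List[str]:
    """Run the two authorization decisions the slide's five steps produce."""
    results = [policy.authorize(Session(mac, user, "PEAP"))]          # steps 1-2: redirect
    policy.provision(mac, user)                                        # step 3: provisioning
    # step 4: CoA forces re-authentication, which the supplicant now does with EAP-TLS (step 5)
    results.append(policy.authorize(Session(mac, user, "EAP-TLS", cert_cn=f"{user}/{mac}")))
    return results


if __name__ == "__main__":
    policy = OnboardingPolicy(employees={"alice"})
    print(walkthrough(policy, "aa:bb:cc:dd:ee:01", "alice"))  # ['NSP_Redirect', 'PermitAccess']
    print(policy.coa_log)
```

The certificate check in rule 1 is the part worth copying: a registered device is identified by the certificate ISE bound to it at provisioning time, so an EAP-TLS session presenting some other valid certificate falls through to the default deny instead of inheriting the registration.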

WLC (Wireless Lan Controller)

Wireless controllers centrally manage, secure, and configure access points throughout the organization.

(Slide diagram: Wireless Client, AP, and the CAPWAP tunnel that carries the AP's control and data traffic to the WLC.)

WSA (Web Security Appliance)

WSA functions (slide diagram, from the WWW side inward):
• Web Reputation
• Web Filtering
• Application Visibility and Control
• Webpage Parallel AV Scanning
• File Reputation
• Data Loss Prevention
• Advanced Malware Protection
• Cognitive Threat Analytics

It combines Advanced Malware Protection (AMP), application visibility and control (AVC), acceptable-use policies and insightful reporting, so that the challenges of securing and controlling web traffic can be addressed in one appliance.

ACS (Access Control System)

• It offers central management of access policies for device administration and for wireless and wired 802.1X network access scenarios.

• It supports two distinct protocols: RADIUS for network access control and TACACS+ for network device administration.

• It can query multiple identity stores concurrently (such as the Active Directory shown in the diagram) for maximum flexibility in enforcing access policy.

(Slide diagram: supplicants such as an IP Phone and an Endpoint Device authenticate through a Catalyst Switch or the Wireless LAN Controller into the Campus Network; a Nexus 7000 core fronts the Protected Resources; ACS, backed by AD, is the AAA server.)

AAA (Authentication, Authorization and Accounting)

• These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication on networking components.
• Unauthorized access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data.
• Using a Cisco AAA architecture enables consistent, systematic and scalable access security.

Cisco provides two ways of implementing AAA services for Cisco routers and network access servers:
• Self-contained AAA (local user database on the device itself)
• Cisco Secure ACS Solution Engine (a central AAA server)

AAA protocols compared

                      TACACS+          RADIUS
Transport protocol    TCP/IP           UDP/IP
Encryption            Entire body      Password only
Standard              Cisco            Open (IETF RFC 2865/2866)

The original slide heads the transport row "Layer 3 Protocols"; TCP and UDP are Layer 4 transport protocols, and both run over IP. "Encryption" is also generous: TACACS+ obfuscates the whole packet body and RADIUS hides only the User-Password attribute, in both cases with an MD5-derived pad keyed by the shared secret rather than with a modern cipher. Every other RADIUS attribute (User-Name, NAS-IP-Address, the vendor-specific attributes carrying authorization results) crosses the network in clear text, so both protocols belong on a dedicated management network or inside TLS/IPsec.
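To make the "Entire body" versus "Password only" row concrete, here is an added example (written for this page; not from the deck or from Cisco) that implements both transformations from their public specifications: RADIUS User-Password hiding from RFC 2865 section 5.2 and TACACS+ body obfuscation from RFC 8907 section 4.5. The shared secret, session id and packet contents are constructed for the demo.

```python
"""RADIUS password hiding vs. TACACS+ body obfuscation (added example; not from
the deck or Cisco). Secret, session id and packet contents are constructed."""
import hashlib
import os
from typing import Dict


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS: only the User-Password attribute value is transformed (RFC 2865 5.2) ---
def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + previous ciphertext
    block), where the 'previous block' for block 0 is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


# --- TACACS+: the whole body after the 12-byte header is transformed (RFC 8907 4.5) ---
def tacacs_plus_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ... truncated to the body length, where
    MD5_1 = MD5(session_id || key || version || seq_no) and
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR with the pseudo-pad; the same call reverses it (XOR is an involution)."""
    return _xor(body, tacacs_plus_pad(key, session_id, version, seq_no, len(body)))


def demo() -> Dict[str, object]:
    """Build one packet of each kind and show what a sniffer on the path would see."""
    secret = b"S3cret!"                                 # constructed shared secret
    authenticator = os.urandom(16)                      # Request Authenticator of an Access-Request
    radius_attrs = {
        "User-Name": b"alice",                          # readable on the wire
        "NAS-IP-Address": bytes([10, 0, 0, 1]),         # readable on the wire
        "User-Password": radius_hide_password(secret, authenticator, b"hunter2"),
    }
    session_id = int.from_bytes(os.urandom(4), "big")
    user, port, rem_addr = b"alice", b"tty0", b"10.0.0.5"
    # constructed authentication START body in the RFC 8907 5.1 layout:
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, authen_service=LOGIN, lengths, fields
    start_body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr
    version, seq_no = 0xC0, 1                           # major 0xC, minor 0; first packet of the session
    on_wire = tacacs_plus_obfuscate(secret, session_id, version, seq_no, start_body)
    return {
        "radius": radius_attrs,
        "radius_recovered": radius_reveal_password(secret, authenticator, radius_attrs["User-Password"]),
        "tacacs_plain": start_body,
        "tacacs_wire": on_wire,
        "tacacs_recovered": tacacs_plus_obfuscate(secret, session_id, version, seq_no, on_wire),
    }
```

Note what each routine leaves exposed. In the RADIUS case the user name and NAS address are byte-for-byte readable, and because the pad is MD5(secret || authenticator), a captured Access-Request plus a guess at the shared secret can be checked offline. In the TACACS+ case the user name, device port and remote address are inside the obfuscated body, but the same offline guessing applies to the secret; neither routine gives integrity protection.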

ASA (Adaptive Security Appliance)

• A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
• Firewalls have been a first line of defence in network security.
• They establish a barrier between the secured, controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

(Slide diagram: an Active Firewall and a Standby Firewall joined by a failover link; the Inside and Outside sides of each unit trunk to a pair of L3 switches, giving redundancy on both sides of the firewall pair between the Internal Network and the Outside.)

Foundational functionality

Stateful Firewalling
• TCP Normalization
• TCP Intercept
• IP Options Inspection
• IP Fragmentation
• NAT
• Routing
• Access Control List

VPN Capabilities
• Diverse endpoint support: mobile and non-mobile devices, Cisco and non-Cisco devices
• Split tunneling: corporate and sensitive information goes through the tunnel, personal and generic traffic goes directly to the Internet

Policy Enforcement Point for ISE
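The first three items of the stateful firewalling list are easiest to understand by watching a connection table in action. The following Python filter is an added example written for this page, not ASA code; the interface names, the inbound ACL and the packet trace are constructed. It shows what a plain ACL cannot do: admit return traffic only when a matching connection exists, cap half-open (embryonic) TCP connections per server the way TCP Intercept does, and drop flag combinations no real stack sends, which is one of the TCP Normalizer's checks. As on an ASA, any interface other than "outside" is treated as higher security and may open connections outbound.

```python
"""Toy stateful packet filter (added example, not ASA code). Interface names,
the inbound ACL and the packet trace are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, initiator ip, port, responder ip, port)


class StatefulFirewall:
    def __init__(self, inbound_acl: Set[Tuple[str, int]], embryonic_limit: int = 2) -> None:
        self.inbound_acl = set(inbound_acl)        # (server ip, port) reachable from outside
        self.embryonic_limit = embryonic_limit     # TCP Intercept style cap per server
        self.conns: Dict[Key, str] = {}            # connection table: SYN_SENT | ESTABLISHED
        self.embryonic: Dict[Tuple[str, int], int] = defaultdict(int)

    @staticmethod
    def _keys(p: dict) -> Tuple[Key, Key]:
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        return fwd, rev

    def process(self, p: dict) -> str:
        flags = set(p.get("flags", ()))
        if p["proto"] == "tcp" and ({"SYN", "FIN"} <= flags or not flags):
            return "drop:normalizer"               # SYN+FIN and null scans are never legitimate
        fwd, rev = self._keys(p)
        if fwd in self.conns:
            return self._update(fwd, flags, from_initiator=True)
        if rev in self.conns:
            return self._update(rev, flags, from_initiator=False)
        if p["proto"] == "tcp" and flags != {"SYN"}:
            return "drop:no-state"                 # only a SYN may create TCP state
        if p["iface"] != "outside":
            self._open(fwd, p)
            return "allow:new-outbound"
        server = (p["dst"], p["dport"])
        if server not in self.inbound_acl:
            return "drop:acl"
        if self.embryonic[server] >= self.embryonic_limit:
            return "drop:tcp-intercept"            # server already has too many half-open conns
        self._open(fwd, p)
        return "allow:new-inbound-acl"

    def _open(self, key: Key, p: dict) -> None:
        if p["proto"] == "tcp":
            self.conns[key] = "SYN_SENT"
            self.embryonic[(p["dst"], p["dport"])] += 1
        else:
            self.conns[key] = "ESTABLISHED"        # UDP: pinhole opened by the first datagram

    def _update(self, key: Key, flags: Set[str], from_initiator: bool) -> str:
        server, state = (key[3], key[4]), self.conns[key]
        if "RST" in flags:                          # either side tears the connection down
            del self.conns[key]
            if state == "SYN_SENT":
                self.embryonic[server] -= 1
            return "allow:rst"
        if state == "SYN_SENT":
            if from_initiator:
                return "allow:syn-retransmit"
            if flags == {"SYN", "ACK"}:
                self.conns[key] = "ESTABLISHED"    # handshake answered by the responder
                self.embryonic[server] -= 1
                return "allow:established"
            return "drop:handshake"                # responder may only SYN-ACK or RST a half-open conn
        return "allow:established"


def scenario() -> List[str]:
    """Constructed packet trace; returns the verdict for each packet in order."""
    fw = StatefulFirewall(inbound_acl={("10.1.1.10", 443)}, embryonic_limit=2)

    def pkt(iface, src, sport, dst, dport, *flags, proto="tcp"):
        return {"iface": iface, "src": src, "sport": sport, "dst": dst,
                "dport": dport, "proto": proto, "flags": flags}

    trace = [
        pkt("inside", "10.0.0.5", 40000, "198.51.100.7", 443, "SYN"),           # 1 client opens outbound
        pkt("outside", "198.51.100.7", 443, "10.0.0.5", 40000, "SYN", "ACK"),   # 2 reply matches state
        pkt("outside", "198.51.100.9", 443, "10.0.0.5", 40001, "ACK"),          # 3 stray ACK, no state
        pkt("outside", "203.0.113.50", 5555, "10.1.1.10", 443, "SYN"),          # 4 DMZ web server, in ACL
        pkt("outside", "203.0.113.51", 5556, "10.1.1.10", 443, "SYN"),          # 5 second half-open
        pkt("outside", "203.0.113.52", 5557, "10.1.1.10", 443, "SYN"),          # 6 third: intercepted
        pkt("dmz", "10.1.1.10", 443, "203.0.113.50", 5555, "SYN", "ACK"),       # 7 server completes #4
        pkt("outside", "203.0.113.52", 5557, "10.1.1.10", 443, "SYN"),          # 8 retry now fits
        pkt("outside", "203.0.113.60", 6000, "10.0.0.5", 22, "SYN"),            # 9 not in ACL
        pkt("outside", "203.0.113.61", 6001, "10.1.1.10", 443, "SYN", "FIN"),   # 10 normalizer
        pkt("inside", "10.0.0.5", 50000, "198.51.100.53", 53, proto="udp"),     # 11 UDP pinhole
        pkt("outside", "198.51.100.53", 53, "10.0.0.5", 50000, proto="udp"),    # 12 DNS reply
    ]
    return [fw.process(p) for p in trace]
```

Packets 4 to 8 are the TCP Intercept point: the cap applies to half-open connections, so a server that answers its SYNs (packet 7) keeps accepting new clients, while a SYN flood that never completes handshakes is throttled at the firewall instead of exhausting the server's backlog.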

IPS (Intrusion Prevention System)

An intrusion prevention system is intended to prevent malicious events from occurring by blocking attacks as they are happening. Attack types that can be prevented using an IPS include (among others):
• Denial of Service
• Distributed Denial of Service
• Exploits (various types)
• Worms
• Viruses

(Slide diagram: traffic enters through the Edge Device and the Firewall; IPS 1 sits in front of the Web Servers in the DMZ and IPS 2 in front of the Application and Database tiers on the Inside. Events are tagged Priority 1, Priority 2 and Priority 3.)

• Automatically correlates information from intrusion events with network assets to prioritize threat investigation, so the network is protected more effectively.
• Blended threats and attacks coming through multiple vectors are quickly identified.
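The correlation step above is what turns a signature match into a priority. The following Python sketch is an added example written for this page, not Cisco IPS or FirePOWER code: the asset inventory, signature metadata and events are constructed, and the Priority 1/2/3 mapping is one reasonable reading of the slide, not a vendor algorithm. An event is relevant when the target actually runs the OS and service the signature attacks; priority rises with relevance and with the criticality of the asset, and hits on hosts that are not in the inventory sink to the bottom until someone inventories them.

```python
"""Event-to-asset correlation for IPS triage (added example; not Cisco code).
Inventory, signatures, events and the priority mapping are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    services: FrozenSet[str]
    criticality: int                # 3 = database tier, 2 = application tier, 1 = web tier


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    target_os: Optional[str]        # None: any OS
    target_service: Optional[str]   # None: any service (e.g. a flood)


@dataclass(frozen=True)
class Event:
    sid: int
    src: str
    dst: str


def is_relevant(sig: Signature, asset: Asset) -> bool:
    """True when the target runs what the signature actually exploits."""
    os_ok = sig.target_os is None or sig.target_os == asset.os
    svc_ok = sig.target_service is None or sig.target_service in asset.services
    return os_ok and svc_ok


def prioritize(ev: Event, sigs: Dict[int, Signature], assets: Dict[str, Asset]) -> Tuple[int, str]:
    """Return (priority, reason); 1 means investigate first."""
    sig = sigs[ev.sid]
    asset = assets.get(ev.dst)
    if asset is None:
        return 3, f"{sig.name}: {ev.dst} is not an inventoried asset"
    relevant = is_relevant(sig, asset)
    if relevant and asset.criticality == 3:
        return 1, f"{sig.name}: vulnerable critical asset {ev.dst}"
    if relevant or asset.criticality == 3:
        return 2, f"{sig.name}: {'vulnerable' if relevant else 'immune'} asset {ev.dst}"
    return 3, f"{sig.name}: {ev.dst} does not run the targeted OS/service"


def triage(events: List[Event], sigs: Dict[int, Signature],
           assets: Dict[str, Asset]) -> List[Tuple[int, int, str, str]]:
    """Rank events by priority; the sort is stable, so arrival order is kept within a tier."""
    ranked = [(prioritize(e, sigs, assets), e) for e in events]
    ranked.sort(key=lambda r: r[0][0])
    return [(p, e.sid, e.dst, reason) for (p, reason), e in ranked]


# --- constructed sample inventory, signatures and alerts --------------------
ASSETS = {a.ip: a for a in [
    Asset("203.0.113.10", "Linux", frozenset({"http", "https"}), 1),    # web tier (DMZ)
    Asset("10.1.2.20", "Windows", frozenset({"http", "smb"}), 2),       # application tier
    Asset("10.1.3.30", "Linux", frozenset({"mysql", "ssh"}), 3),        # database tier
]}
SIGNATURES = {s.sid: s for s in [
    Signature(1001, "SMB remote code execution attempt", "Windows", "smb"),
    Signature(1002, "MySQL authentication bypass attempt", None, "mysql"),
    Signature(1003, "HTTP directory traversal", None, "http"),
    Signature(1004, "TCP SYN flood", None, None),
]}
EVENTS = [
    Event(1001, "198.51.100.77", "10.1.3.30"),     # SMB exploit at a Linux DB box: immune, but critical
    Event(1002, "198.51.100.77", "10.1.3.30"),     # MySQL exploit at the DB: relevant and critical
    Event(1001, "198.51.100.78", "10.1.2.20"),     # SMB exploit at the Windows app server: relevant
    Event(1003, "198.51.100.79", "203.0.113.10"),  # traversal at the web tier: relevant, low criticality
    Event(1001, "198.51.100.80", "203.0.113.10"),  # SMB exploit at a Linux web box: noise
    Event(1004, "198.51.100.81", "10.1.3.30"),     # flood at the DB: relevant to anything, critical
    Event(1004, "198.51.100.82", "192.0.2.200"),   # flood at a host nobody inventoried
]

if __name__ == "__main__":
    for row in triage(EVENTS, SIGNATURES, ASSETS):
        print(row)
```

The fifth event is the point of the exercise: an SMB exploit fired at a Linux web server is a real signature match and a real attacker, but it cannot succeed, so it is ranked below the same signature hitting the Windows application server. The same inventory also explains the "blended threats" bullet: once events carry asset identity, the SMB attempt and the MySQL attempt against the database tier from the same source can be grouped as one campaign rather than two unrelated alerts.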

Thank You