Cisco ISE Design and Architecture

Transcript of Cisco ISE Design and Architecture

  • CiscoExpo Club ISE 1.2

    Jiří Tesař, CCIE #14558

    [email protected]

    © 2013 Cisco and/or its affiliates. All rights reserved.

  • ISE Design & Architecture

  • Cisco security architecture overview (figure)

    Network-enforced policy: access, firewall, IPS, VPN, web, email; delivered on appliances, routers, switches, wireless and virtual platforms.

    Cloud-based threat intelligence and defense: attacks, application reputation, site reputation, malware; fed from global, local and partner-API sources.

    Common policy, management and context: common management, shared policy, analytics, compliance, partner API; the context attributes are identity, application, device, location and time.

    Applies across workloads, apps/services and infrastructure in public, private and hybrid (multi-tenant) environments.

  • Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control

    Identity context answers who, what, where, when and how for a virtual machine client, IP device, guest, employee or remote user, across wired, wireless and VPN access.

    Security policy attributes are expressed as business-relevant policies.

    Replaces AAA and RADIUS, NAC, guest management, and device identity servers.

  • Cisco Identity Solution Specifics

    Components in the figure: Catalyst switch (802.1X, MAB, Web Auth) talking RADIUS to ACS 5.x / ISE, a directory server, NAC Guest Server and NAC Profiler; endpoints such as guest, employee and printer.

    Various authorization methods (VLAN, downloadable ACL, URL redirect, etc.)

    Scalable, flexible policy and authentication server supporting RBAC

    Guest service providing full guest access management with web authentication

    Profiling system performing automatic device profiling for unattended devices or any type of network-attached device

    Cisco IOS intelligence providing a phased deployment mode for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)

    Flexible authentication methods (802.1X, MAB, Web Auth in any order)

  • Agents: AnyConnect 3.1

    Unified access interface for 802.1X on LAN / WLAN, VPN (SSL-VPN and IPsec) and mobile user security (WSA / ScanSafe)

    Supports MACsec / MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU. MACsec-capable hardware (network cards) improves performance with AnyConnect 3.0 and later.

    The NAC Agent is currently used for posture and will be merged into AnyConnect in AnyConnect 3.2.

  • ISE Web Authentication

    Needs something (the switch or the wireless controller) to intercept browser requests in order to provide a captive portal and/or redirection to a local or remote web-auth portal.

    Centralized and customizable web authentication portal; both employee and guest authentication supported; tunable username and password policies; print, email and SMS guest notifications.

    Who? Used to identify users without supplicants (misconfigured, missing altogether, etc.).

  • Providing Network Access to Guests and Employees

    On wireless: multiple SSIDs, e.g. SSID Corp for employees and an open SSID Guest for guests.

    On wired: there is no notion of an SSID. An employee desktop, a printer, a guest or contractor laptop and an IP phone can all plug into the same switchport, so a unified port needs to use different authentication methods on a single port: enter Flex Auth.

    Unifying network access for guest users and employees.

  • Components of a Full Guest Lifecycle Solution

    Provision: guest accounts via the sponsor portal

    Notify: guests of account details by print, email, or SMS

    Manage: sponsor privileges, guest accounts and policies, guest portal

    Report: on all aspects of guest accounts

    Authenticate/authorize guests via a guest portal on ISE

  • Cisco Secure Access and TrustSec Technology Review: Network Identity & Enforcement

    Authentication (802.1X, MAB, Web, NAC); Authorization (VLAN, dACL, SXP or SGT); Enforcement (SGACL and Identity Firewall)

    I want to allow guests into the network: Guest Access

    I need to allow/deny iPads in my network: Profiler

    I need to ensure my endpoints don't become a threat vector: Posture

    I need to ensure data integrity and confidentiality for my users: MACsec Encryption

    I need a scalable way of authorizing users or devices in the network: Security Group Access

    How can I set my firewall policies based on identity instead of IP addresses? Identity-Based Firewall

    I need to securely allow personal devices on the network: BYOD/MDM

  • Administration Process & Explanation

    PAN, Policy Administration Node: all management UI activities (the admin user logs in here); synchronizes all ISE nodes. All policy is synchronized from the PAN to the PSNs.

    PSN, Policy Service Node: the work-horse. RADIUS, profiling, WebAuth, posture, sponsor portal, client provisioning. The PSN queries AD directly.

    MnT, Monitoring and Troubleshooting node: logging and reporting data. Logging is sent to it by the PAN and the PSNs, including RADIUS accounting received from the NADs.

    NAD, Network Access Device: the access-layer devices (switchport, WLC, VPN headend), the enforcement point for all policy. RADIUS flows from the NAD to the Policy Service Node, and RADIUS comes back from the PSN to the NAD with the enforcement result.
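The RADIUS leg of that flow, built and checked offline, as an added example that is not part of the slides or of Cisco code: the switch (NAD) sends a MAB Access-Request for a MAC address, the PSN answers with an Access-Accept carrying a VLAN as the enforcement result, and the switch verifies the Response Authenticator before acting on it. The shared secret, MAC, RADIUS identifier and VLAN number are made up; attribute numbers are the standard ones from RFC 2865 and RFC 2868.

```python
"""RADIUS exchange between a NAD and an ISE PSN, as an added illustration (not ISE or
Cisco code). Shared secret, MAC address, RADIUS identifier and VLAN are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers from RFC 2865 / RFC 2868
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if isinstance(v, int):          # integer attributes are 4 bytes, network order
            v = struct.pack(">I", v)
        out += struct.pack("BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: User-Password XORed with an MD5 keystream (PAP; MAB uses PAP)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for j in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[j:j + 16], keystream))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for j in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[j:j + 16], keystream))
        prev = hidden[j:j + 16]
    return out.rstrip(b"\x00")


def mab_access_request(mac, secret, ident, authenticator=None):
    """What the switch sends for a MAC Authentication Bypass attempt on an Ethernet port."""
    authenticator = authenticator or os.urandom(16)   # 16 fresh random bytes per request
    body = encode_attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(mac.encode(), secret, authenticator)),
        (CALLING_STATION_ID, mac.upper().encode()),
        (NAS_PORT_TYPE, 15),                           # 15 = Ethernet
    ])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def psn_reply(request, secret, vlan):
    """PSN side. A real PSN also looks the MAC up in its endpoint database and runs the
    authorization policy; here the only check is that the MAB "password" equals the MAC."""
    code, ident, length = struct.unpack(">BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    got = dict(decode_attrs(request[20:]))
    if unhide_password(got[USER_PASSWORD], secret, req_auth) == got[USER_NAME]:
        code = ACCESS_ACCEPT
        body = encode_attrs([          # enforcement result: put the port in a VLAN
            (TUNNEL_TYPE, 13),         # 13 = VLAN (leading tag byte 0 = untagged)
            (TUNNEL_MEDIUM_TYPE, 6),   # 6 = IEEE-802
            (TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),
        ])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def nad_verify(request, response, secret):
    """Switch side: accept the reply only if its Response Authenticator checks out against
    the request it sent; returns the parsed enforcement result or None."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    body = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if expected != response[4:20]:
        return None
    result = {"code": code}
    for t, v in decode_attrs(body):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = v.decode()
    return result
```

The Response Authenticator is the only thing tying the Access-Accept to the request, and it is keyed with the shared secret, so a weak or reused secret lets anyone on the path inject a VLAN assignment; with MAB the "password" is just the MAC, which is why the slides pair it with profiling rather than treating it as authentication.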

  • How ISE is Used Today

    It's easy to provide guests limited-time and limited-resource access

    Control with one policy across wired, wireless and remote infrastructure

    Users get safely onto the internet fast and easily

    Rules written in business terms control access

  • Cisco ISE Packaging and Licensing

    Platforms. Small: Cisco ISE 3315 and 3415* | Medium-sized: Cisco ISE 3355 | Large: Cisco ISE 3395 and 3495* | Virtual appliance (* new)

    Base License (ATP): policy for wired, wireless and VPN endpoints; authentication and authorization, guest provisioning, link-encryption policies. Perpetual licensing.

    Advanced License (ATP): policy for wired, wireless and VPN endpoints; device profiling, host posture, security group access. 3- or 5-year term licensing, added on top of the Base license.

    Wireless License: policy for wireless endpoints only; 5-year term licensing.

    Wireless Upgrade License (ATP): extends the Wireless license policy to wired and VPN endpoints.

  • ISE 1.2

    ISE 1.2 is a HUGE release!

    New upgrade process that significantly reduces time

    Brand-new replication model that improves WAN replication

    Policy groups (ACS parity)

    Logical profile groups and profile as attribute

    3rd-party MDM integration

    Re-written reporting with scheduling

    3rd-party MAB support

    64-bit architecture

    Brand-new hardware (UCS-based appliance)

    External RESTful Services (ERS) API

    View logs from the CLI (no support bundle needed)

    Live sessions log search and session trace tool

    Guest enhancements: mobile-friendly portal

    dACL checker

    Feed service

    Backup and restore progress bars, cancel and scheduling

    Licensing for both primary and secondary admin nodes

  • Setup Assistant

    Walks through ISE configuration and NAD configuration

    Can help with quick proof-of-concept setups

  • What Was Missing? Troubleshooting and Reporting

    Detailed visibility into successful and failed access attempts

    Detailed visibility into all active sessions and the access policy applied

  • Solution: Search Tools

    Powerful search: the ability to quickly find information

  • Session Trace Tool and Endpoint Details

    Endpoint details are shown in three tabs: Authentication, Accounting and Profiler.

    Authentication logs (as seen in Live Log details) including RADIUS auth details, auth result, other attributes and steps

    Accounting logs including RADIUS details, steps and other attributes

    Detailed profiler attributes

  • Profiler Feed Service: Zero-Day Availability

    Figure: the PSN pulls new device profiles from the Cisco feed server or a partner feed server into its database; notifications are supported.

    No need to wait for a new ISE version: zero-day support for popular endpoints is added using the feed server.

  • ISE Posture: What Can Be Checked?

    Microsoft updates, service packs, hotfixes, OS/browser versions

    Antivirus installation / signatures

    Antispyware installation / signatures

    File data, services, applications / processes, registry keys

  • Identifying Corporate Assets: Posture Assessment

    The NAC or Web Agent checks the Windows registry for the domain value (e.g. mycompany.com).

  • Identifying Corporate Assets: EAP-Chaining

    EAP-Chaining uses EAP-FAST protocol extensions and ties both machine and user credentials to the device, so the owner is known to be using a corporate asset.

    Machine credentials are authenticated to the network using 802.1X. Once the user logs onto the device, session information from the machine authentication and the user credentials are sent as part of the same authentication.

    If both machine and user credentials are successfully validated, the owner is tied to the device (corporate asset). If either or both credentials fail, restricted network access can be given according to ISE policy.

    Machine and user credentials are validated against AD (EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method) over RADIUS to the PSN.

    Policy example: the user authentication includes both user and machine identity types.

    AnyConnect is required for EAP-Chaining.

  • Evolving Roles of ISE and MDMs

    ISE (identity and policy management): secure network access (wireless, wired, VPN); context-aware access control (role, location, etc.); classification/profiling; enrollment and registration; certificate and supplicant provisioning; network policy enforcement.

    MDM (enterprise app policy): enterprise app distribution and management; inventory/cost management; data backup; policy compliance (jailbreak, PIN lock, etc.); data loss prevention (container, encryption, wipe).

    ISE 1.0 & 1.1: native ISE functionality (profiling, authentication, policy enforcement, etc.)

    ISE 1.1.x: native ISE functionality plus enrollment/registration, self-enroll portal, certificate enrollment, blacklisting

    ISE 1.2: ISE MDM API for additional device data, policy compliance and data wipe

  • MDM Vendors (BYO-X)

    Only ONE MDM may be active at a time in ISE.

    Cisco published the API specs to 5 initial vendors: AirWatch (version 6.2), MobileIron (version 5.0), ZenPrise (version 7.1), Good (version 2.3), SAP Sybase.

    Requires a new API in the MDM server.

  • MDM Compliance Checking

    Compliance and attribute retrieval via the API.

    Macro level: compliance based on the MDM's general Compliant / Not Compliant status.

    Micro level: disk encryption enabled, PIN lock enabled, jailbroken status; the MDM attributes are available for policy conditions.

    Passive reassessment: bulk re-check against the MDM server using a configurable timer (4 hours default). If the result of the periodic re-check shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.
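The two policy slides above (the EAP-Chaining policy example and MDM compliance checking) both come down to an ordered authorization policy evaluated over session attributes, plus a timer-driven re-check that ends sessions which have drifted out of compliance. The following is an added example and not ISE code: attribute names follow ISE's dictionary style, but the values, rule names, authorization profile names, the session records and the stand-in for the MDM API call (mdm_lookup) are invented for illustration.

```python
"""Authorization policy evaluation, added as an illustration of the EAP-Chaining policy
slide and the MDM compliance slide above (not ISE code). Attribute names follow ISE's
dictionary style; the values, rule names, profile names and sessions are invented."""
from dataclasses import dataclass

EAP_CHAIN = "Network Access:EapChainingResult"
MDM_REG = "MDM:DeviceRegisterStatus"
MDM_COMPLIANT = "MDM:DeviceCompliantStatus"
MDM_PIN = "MDM:PinLockStatus"
MDM_ENC = "MDM:DiskEncryptionStatus"
MDM_JB = "MDM:JailBrokenStatus"


@dataclass
class Rule:
    name: str
    conditions: dict    # attribute -> required value; every condition must match
    profile: str        # authorization profile returned on match


# Ordered, first-match policy
POLICY = [
    # Corporate asset: machine and user identities validated in one EAP-FAST session
    Rule("Corp_Asset", {EAP_CHAIN: "User and machine both succeeded"}, "Full_Access"),
    # Personal device: macro-level check, the MDM's own compliant flag
    Rule("BYOD_Compliant", {MDM_REG: "Registered", MDM_COMPLIANT: "Compliant"}, "BYOD_Access"),
    # Personal device: micro-level checks on individual MDM attributes instead
    Rule("BYOD_MicroChecks", {MDM_REG: "Registered", MDM_PIN: "On", MDM_ENC: "On", MDM_JB: "No"},
         "BYOD_Access"),
    Rule("BYOD_Unregistered", {MDM_REG: "Unregistered"}, "MDM_Onboarding_Redirect"),
    # Only one of the two chained identities passed: restricted network, as the slide says
    Rule("Chain_UserOnly", {EAP_CHAIN: "User succeeded and machine failed"}, "Restricted"),
    Rule("Chain_MachineOnly", {EAP_CHAIN: "User failed and machine succeeded"}, "Restricted"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(attrs, policy=POLICY):
    """Return (matched rule name, authorization profile) for a session's attributes."""
    for rule in policy:
        if all(attrs.get(k) == v for k, v in rule.conditions.items()):
            return rule.name, rule.profile
    return "Default", DEFAULT_PROFILE


@dataclass
class Session:
    session_id: str
    mac: str
    attrs: dict
    profile: str    # what the session was granted when it was authorized


def reassess(sessions, mdm_lookup, now_hours, last_run_hours=0.0, interval_hours=4.0):
    """Passive reassessment: once the timer expires, re-fetch MDM attributes for every
    MDM-managed session and return CoA decisions for sessions whose fresh attributes
    no longer authorize the profile they were granted. mdm_lookup(mac) -> attribute dict
    stands in for the MDM API call."""
    if now_hours - last_run_hours < interval_hours:
        return []
    coas = []
    for s in sessions:
        if MDM_REG not in s.attrs:
            continue                       # not an MDM-managed device
        s.attrs.update(mdm_lookup(s.mac))
        _, profile_now = authorize(s.attrs)
        if profile_now != s.profile:
            coas.append((s.session_id, "Session terminate", profile_now))
    return coas
```

Rule order matters: the corporate-asset rule sits first so that a domain-joined laptop is never evaluated as BYOD, and the micro-level rule only fires when the macro-level flag did not match, which lets one policy cover MDM vendors that do and do not expose a summary compliance status.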

  • MDM Integration (BYO-X)

    Per-endpoint attributes shown from the MDM: Profile, Encryption, JailBroken, Registered

  • BYOD Onboarding Flow (slide from BRKSEC-2022)

    After the Access-Accept: is the device registered? If not, the user is sent to ISE BYOD registration (MyDevices). If yes: is it MDM-registered? If not, the ISE portal links to MDM onboarding; if yes, the device proceeds with the access its policy grants.

  • MDM Integration: Remediation

    An administrator or user can issue remote actions on the device through the MDM server (for example, remotely wiping the device), from the MyDevices portal or the ISE Endpoints directory.

    Options: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock

  • Basic 2-Node ISE Deployment (Redundant): Maximum Endpoints = 10,000 (platform dependent)

    Figure: Campus A and Campus B each host one ISE node; Branch A and Branch B connect through 802.1X switches and APs/WLCs; an ASA provides VPN access; HA inline posture nodes sit in the campus.

    All services run on both ISE nodes.

    Set one node as Primary Admin / Secondary M&T, the other as Primary Monitoring / Secondary Admin.

    Max endpoints are platform dependent: 33x5 = max 2k endpoints, 3415 = max 5k endpoints, 3495 = max 10k endpoints.

  • Basic Distributed Deployment: Maximum Endpoints = 10,000 / Maximum 5 PSNs

    Figure: same campuses and branches; dedicated management appliances and PSNs in the campuses, HA inline posture nodes, ASA VPN, WLCs and 802.1X switches.

    Dedicated management appliances: one as Primary Admin / Secondary MnT, the other as Primary MnT / Secondary Admin.

    Dedicated Policy Service Nodes: up to 5 PSNs.

    No more than 10,000 endpoints supported: 3355/3415 as Admin/MnT = max 5k endpoints, 3395/3495 as Admin/MnT = max 10k endpoints.

  • Fully Distributed Deployment: Maximum Endpoints = 250,000 / Maximum 40 PSNs

    Figure: same topology; four dedicated management appliances (Primary Admin, Secondary Admin, Primary MnT, Secondary MnT) and PSNs distributed across Campus A and Campus B.

    Dedicated Policy Service Nodes: up to 40 PSNs.

    Up to 100k endpoints using 3395 Admin and MnT; up to 250k endpoints using 3495 Admin and MnT.

  • New Appliances: Cisco Secure Network Servers

    Based on the Cisco UCS C220 server, but designed for Cisco Identity Services Engine (ISE), Network Admission Control (NAC) and Access Control Server (ACS).

    SNS-3415-K9 & SNS-3495-K9

    P/N | Description | Price
    SNS-3415-K9 | Small Secure Network Server for ISE, NAC & ACS applications | -
    CON-SNT-SNS3415 | SMARTNET 8X5XNBD Small Secure Server | $2,643
    SW-3415-ISE-K9 | Cisco ISE software for the SNS-3415-K9 | $11,990
    SNS-3495-K9 | Large Secure Server for ISE and NAC applications | -
    CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3,362
    SW-3495-ISE-K9 | Cisco ISE software for SNS-3495-K9 | $22,990

  • Migration policy for hardware or software: NAC -> ISE

    Qualifies if you hold: a current ACS, NGS, NAC Appliance, or Profiler product, any version, any quantity.

    Upgrade entitlement: any quantity of any appliance migration SKU (includes physical or VM appliance SKUs).

  • Migration policy for licenses: ACS -> ISE

    Qualifies if you hold: ACS or NAC Guest Server, any version, any quantity.

    Upgrade entitlement: any Base license migration SKU, at 50% off the standard list price.

  • Migration policy for licenses: NAC -> ISE

    Qualifies if you hold: NAC Server, with N = the sum of all user licenses.

    Upgrade entitlement: Base license for N endpoints; Advanced license for N endpoints for 3 years.

  • New Appliances: Migration P/N

    P/N | Description | Price | Qty
    SNS-3415-M-ISE-K9 | SNS 3415 Migration Server: loaded with ISE software | $0 | 1
    CON-SNTP-SNS3415 | SMARTNET 24X7X4 Small Secure Network | $2,643 | 1
    CAB-9K10A-EU | Power cord 250VAC 10A CEE 7/7 plug EU | $0 | 1
    SNS-4GBSR-1X041RY | 4GB 1600 MHz memory module | $0 | 4
    SNS-600GB-HDD | 600 GB hard disk drive | $0 | 1
    SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur…) | $0 | 1
    SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB cache/DDR3 1600MHz | $0 | 1
    SNS-N2XX-ABPCI01 | Broadcom 5709 dual port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
    SNS-RAID-ROM5 | Embedded SW RAID 0/1/10 8 ports SAS/SATA | $0 | 1
    SW-3415-M-ISE-K9 | Cisco ISE software for the SNS-3415-M-ISE-K9 | $9,400 | 1
    ISE-SNS-ACCYKIT | ISE SNS accessory kit | $0 | 1
    SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1

    P/N | Description | Price | Qty
    SNS-3495-M-ISE-K9 | SNS 3495 Migration Server: loaded with ISE software | $0 | 1
    CON-SNTP-SNS3495 | SMARTNET 24X7X4 Large Secure Server | $5,379 | 1
    SW-3495-M-ISE-K9 | Cisco ISE software for the SNS-3495-M-ISE-K9 | $18,990 | 1
    ISE-SNS-ACCYKIT | ISE SNS accessory kit | $0 | 1
    CAB-9K10A-EU | Power cord 250VAC 10A CEE 7/7 plug EU | $0 | 2
    SNS-4GBSR-1X041RY | 4GB 1600 MHz memory module | $0 | 8
    SNS-600GB-HDD | 600 GB hard disk drive | $0 | 2
    SNS-650W-PSU | 650W power supply for C-series rack servers + cord (configur…) | $0 | 2
    SNS-CPU-2609-E5 | 2.4 GHz E5-2609/80W 4C/10MB cache/DDR3 1600MHz | $0 | 2
    SNS-N2XX-ABPCI01 | Broadcom 5709 dual port 10/100/1Gb NIC w/TOE iSCSI | $0 | 1
    SNS-RAID-11-C220 | Mezzanine RAID for C220 | $0 | 1
    SNS-UCS-SSL-CATD | Cavium card | $0 | 1
    SNS-UCS-TPM | Trusted Platform Module for UCS servers | $0 | 1

  • Scaling: Policy Service Node (PSN) and Concurrent Endpoint Maximums by Deployment Model

    Deployment model | Platform | Max # PSNs | Max # endpoints
    Standalone (all personas on same node) | 33xx | N/A | 2,000
    Standalone (all personas on same node) | 3415 | N/A | target 5,000
    Standalone (all personas on same node) | 3495 | N/A | target 10,000
    Admin + MnT on same node; dedicated PSNs | 3355 as Admin+MnT | 5 | 5,000
    Admin + MnT on same node; dedicated PSNs | 3395 as Admin+MnT | 5 | 10,000
    Admin + MnT on same node; dedicated PSNs | 3415 as Admin+MnT | 5 | 5,000
    Admin + MnT on same node; dedicated PSNs | 3495 as Admin+MnT | 5 | 10,000
    Dedicated Admin and MnT nodes | 3395 as Admin and MnT | 36 (1.1), 40 (1.2) | 100,000
    Dedicated Admin and MnT nodes | 3495 as Admin and MnT | 40 (1.2) | 250,000

    Dedicated PSN max concurrent endpoint count (all services): ISE-3315 3,000 | ISE-3355 6,000 | ISE-3395 10,000 | SNS-3415 5,000 | SNS-3495 20,000

    For your reference

  • Sizing Production VMs to Physical Appliances: Summary

    Appliance used for sizing comparison | CPU cores | CPU clock rate (GHz) | Memory (GB) | Physical disk (GB)*
    ISE Small (ACS-1121/ISE-3315) | 4 | 2.66 | 4 | 500
    ISE Medium (ISE-3355) | 4 | 2.0 | 4 | 600
    ISE Large (ISE-3395) | 8 | 2.0 | 4 | 600
    SNS Small (ISE-3415) | 4 | 2.4 | 16 | 600
    SNS Large (ISE-3495) | 8 | 2.4 | 32 | 600

    * The actual disk requirement depends on the persona(s) deployed and other factors. See the slide on disk sizing.

  • Comparison of Physical and Virtual Appliances

    Requirements for the virtual appliance follow the sizing table above; the reference point shown is SNS Large (ISE-3495): 8 cores, 2.4 GHz, 32 GB memory, 600 GB disk.

    Virtual appliance:
    P/N | Description | Price
    ISE-VM-K9= | Cisco Identity Services Engine VM | $5,990
    CON-SAU-ISEVM | SW APP SUPP + UPGR Cisco Identity Services Engine Virtual Machine | $1,198

    Physical appliance:
    P/N | Description | Price
    SNS-3495-K9 | Large Secure Server for ISE and NAC applications | -
    CON-SNT-SNS3495 | SMARTNET 8X5XNBD Large Secure Server | $3,362
    SW-3495-ISE-K9 | Cisco ISE software for SNS-3495-K9 | $22,990

  • TrustSec

  • Identity Policies: Passive Authentication Architecture

    Figure: a domain user logs in on the LAN; the Active Directory domain controller records the user login event in its security log; the Cisco CDA server reads that event (WMI) and pulls the domain username and group information from AD (LDAP); it then pushes the domain username/group to IP mapping to the Cisco ASA + CX and the WSA (RADIUS). Traffic is controlled by access policies which leverage identity.

  • Identity Policy Enforcement (FW, switch, router, ...): How to Identify the User?

    Options, ordered from highest fidelity to greatest breadth:

    TrustSec* network identity: group information, any tagged traffic, user authentication.

    Auth-aware apps: Mac, Windows, Linux; AD/LDAP user credential via NTLM or Kerberos.

    AD/LDAP identity for non-auth-aware apps: any platform, AD/LDAP credential.

    IP surrogate: AD agent.

    Let's use information from the access layer => TrustSec

  • Rich Context Classification with ISE: BYOD Use Case (SGT Overview)

    ISE profiling: along with authentication, various data is sent to ISE for device profiling: DHCP, HTTP, RADIUS, SNMP, NetFlow, DNS, OUI, NMAP.

    Figure: the employee ID and profiling data flow from the AP / wireless LAN controller to ISE (Identity Services Engine), which returns an SGT.

    Example: Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No. Classification result: personal asset.

    Distributed enforcement based on security group, according to the security group policy: a company asset gets DC resource access, a personal asset gets restricted, Internet-only access.
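How the classification result on that slide is arrived at, as an added example that is not ISE's profiler: each profile has conditions on attributes gathered by the probes (here the RADIUS MAC turned into an OUI vendor, DHCP fields and the HTTP User-Agent), every matching condition contributes a certainty factor, a profile counts only when its own conditions reach its minimum certainty, and child profiles are only considered under a parent that matched. The OUI excerpt, DHCP fingerprint, User-Agent strings, profile names and certainty values are constructed for the demo. Note that the same endpoint classifies differently as more probe data arrives, which is what lets ISE re-authorize (via CoA) an endpoint first seen only through RADIUS.

```python
"""Endpoint profiling by certainty factor, added as an illustration of the ISE Profiler slide.
Not ISE code: the OUI excerpt, DHCP fingerprint, User-Agent strings, profile names and
certainty values below are constructed for the demo."""

OUI_VENDORS = {  # constructed excerpt of the IEEE OUI registry
    "28:CF:E9": "Apple, Inc.",
    "00:1E:0B": "Hewlett-Packard",
    "00:0C:29": "VMware, Inc.",
}


def oui_vendor(mac):
    return OUI_VENDORS.get(mac.upper()[:8], "")


def contains(sub):
    return lambda v: sub.lower() in (v or "").lower()


def equals(expected):
    return lambda v: v == expected


# name: (parent profile, minimum certainty, [(attribute, predicate, certainty factor)])
# Attributes come from the probes on the slide: RADIUS (MAC -> OUI), DHCP, HTTP.
PROFILES = {
    "Apple-Device": (None, 10, [("OUI", contains("Apple"), 10),
                                ("dhcp-parameter-request-list", equals("1,3,6,15,119,252"), 10)]),
    "Apple-iPad": ("Apple-Device", 20, [("User-Agent", contains("iPad"), 20)]),
    "Apple-iPhone": ("Apple-Device", 20, [("User-Agent", contains("iPhone"), 20)]),
    "HP-Device": (None, 10, [("OUI", contains("Hewlett"), 10)]),
    "HP-Printer": ("HP-Device", 20, [("host-name", contains("NPI"), 20),
                                     ("dhcp-class-identifier", contains("JetDirect"), 10)]),
    "VMware-Device": (None, 10, [("OUI", contains("VMware"), 10)]),
}


def certainty(profile, attrs):
    """Sum of the certainty factors of the profile's own conditions that match."""
    _, _, conditions = PROFILES[profile]
    return sum(cf for attr, pred, cf in conditions if pred(attrs.get(attr)))


def classify(attrs):
    """Return (profile, total certainty). Child profiles are only considered once their
    parent matched; the most specific match with the highest accumulated score wins."""
    attrs = dict(attrs)
    if "MAC" in attrs:
        attrs["OUI"] = oui_vendor(attrs["MAC"])
    best = ("Unknown", 0)

    def walk(parent, inherited):
        nonlocal best
        for name, (p, minimum, _) in PROFILES.items():
            if p != parent:
                continue
            own = certainty(name, attrs)
            if own < minimum:
                continue
            total = inherited + own
            if total > best[1]:
                best = (name, total)
            walk(name, total)

    walk(None, 0)
    return best
```

Every attribute here is endpoint-supplied (a MAC, a DHCP option list, a User-Agent string), so a profile is a classification, not an authentication; that is why the slide derives "Corporate Asset: No" from the profile but grants real access only through EAP-Chaining or MDM registration.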

  • Enforcing Traffic on the Firewall (ASA): SGFW

    Enforcement uses source tags and destination tags in the firewall policy instead of IP addresses.
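What an enforcement point does with those tags once ISE has classified the endpoints, as an added example and not Cisco code: the ISE classification result becomes an SGT, IP-to-SGT bindings (the kind SXP carries to a switch or ASA) are resolved by longest-prefix match, and a policy-matrix cell keyed by (source SGT, destination SGT) holds the SGACL that decides the flow. SGT numbers, bindings and the matrix are constructed for the demo.

```python
"""Security-group enforcement, added as an illustration of the SGT and SGFW slides (not
Cisco code). SGT numbers, IP-to-SGT bindings and the policy matrix are constructed."""
import ipaddress

SGT = {"Unknown": 0, "Employee_CorpAsset": 10, "Employee_Personal": 20, "Guest": 30, "DC_Servers": 100}


def assign_sgt(group, corporate_asset):
    """Classification result from ISE (the slide's 'Employee, Corporate Asset: No')."""
    if group == "Employee":
        return SGT["Employee_CorpAsset"] if corporate_asset else SGT["Employee_Personal"]
    if group == "Guest":
        return SGT["Guest"]
    return SGT["Unknown"]


# IP-to-SGT bindings as an enforcement point learns them over SXP (constructed)
BINDINGS = [
    ("10.1.10.0/24", SGT["Employee_CorpAsset"]),
    ("10.1.10.55/32", SGT["Employee_Personal"]),   # a personal device on the corp subnet
    ("10.1.20.0/24", SGT["Employee_Personal"]),
    ("10.1.30.0/24", SGT["Guest"]),
    ("10.200.0.0/16", SGT["DC_Servers"]),
]


def lookup_sgt(ip):
    """Longest-prefix match of the address against the binding table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in BINDINGS:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else SGT["Unknown"]


# Policy matrix cell (source SGT, destination SGT) -> SGACL, first matching ACE wins.
# Each ACE is (action, protocol, destination port or None for any port).
MATRIX = {
    (SGT["Employee_CorpAsset"], SGT["DC_Servers"]): [("permit", "tcp", 443),
                                                     ("permit", "tcp", 22),
                                                     ("deny", "any", None)],
    (SGT["Employee_Personal"], SGT["DC_Servers"]): [("permit", "tcp", 443),
                                                    ("deny", "any", None)],
    (SGT["Guest"], SGT["DC_Servers"]): [("deny", "any", None)],
}
# Demo choice: a cell without an SGACL denies. Check what the default policy is in your
# own matrix before relying on it; an unset cell is not necessarily a deny.
DEFAULT_ACTION = "deny"


def enforce(src_ip, dst_ip, proto, dport):
    """Decision taken by the switch (SGACL) or ASA (SGFW) for one flow."""
    src, dst = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    for action, p, port in MATRIX.get((src, dst), []):
        if p in ("any", proto) and port in (None, dport):
            return action, src, dst
    return DEFAULT_ACTION, src, dst
```

The host-specific /32 binding is the interesting case: the personal device sits in the corporate subnet, but the longest-prefix lookup still gives it the personal-device tag, so the decision follows the ISE classification rather than the address the device happened to get.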

  • TrustSec Switch Support (for your reference)

    SXP:
    2960-S (LAB) 15.0.2(SE)
    3560-CG (IPB) 12.2(55)EX2
    3560-SMI (IPB) 12.2(55)SE
    3560-EMI (IPS) 12.2(55)SE
    3560v2-SMI (IPB) 12.2(55)SE
    3560v2-EMI (IPS) 12.2(55)SE
    3750-SMI (IPB) 12.2(55)SE
    3750-EMI (IPS) 12.2(55)SE
    3750v2-SMI (IPB) 12.2(55)SE
    3750v2-EMI (IPS) 12.2(55)SE
    3560-E (IPB) 12.2(55)SE
    3560-E (IPS) 12.2(55)SE
    3560-X (LAB) 15.0.2(SE)
    3560-X (IPB/IPS) 12.2(53)SE2
    3750-E (IPB) 12.2(55)SE
    3750-E (IPS) 12.2(55)SE
    3750-X (LAB) 15.0.2(SE)
    3750-X (IPB/IPS) 12.2(53)SE2

    SGACL:
    3560-X (IPB/IPS) 15.0.2(SE)
    3750-X (IPB/IPS) 15.0.2(SE)

    802.1AE - MACsec (SAP):
    3560-CG (IPB) 15.0.2(SE)
    3560-X (IPB/IPS) 12.2(53)SE2
    3750-X (IPB/IPS) 12.2(53)SE2

  • pxGrid

  • Enabling the Potential of Network-Wide Context Sharing

    Each system holds one piece of context and needs another: I have NBAR info, I need identity. I have location, I need identity. I have MDM info, I need location. I have app inventory info, I need posture. I have identity and device type, I need app inventory and vulnerability. I have firewall logs, I need identity. I have threat data (SIO), I need reputation. I have security events, I need reputation. I have NetFlow, I need entitlement. I have reputation info, I need threat data. I have application info, I need location and auth-group.

    pxGrid context sharing: a single framework with direct, secured interfaces.

  • pxGrid Partner Integrations (available July 2013)

    Mobile Device Management: ISE serves as the policy gateway for mobile device network access; the MDM provides ISE with mobile device security compliance context; ISE assigns the network access privilege based on that compliance context. Ensures device enrollment and security compliance.

    NEW! SIEM & Threat Defense: ISE provides user and device context to SIEM and Threat Defense partners. Partners utilize the context to identify the users, devices, posture, location and network privilege level associated with SIEM/TD security events, and may take network action on users/devices via ISE. Prioritize events, user/device-aware analytics, expedite resolution.

  • Cyber Security

  • Cyber Threat Defense Solution

    Network components provide rich context: unites NetFlow data with identity and application ID to provide security context. For an address such as 65.32.7.45 the questions are: device? user? events? posture (vulnerability, AV, patch)? application?

    NetFlow enables security telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources. Cisco is the undisputed market leader in hardware-enabled NetFlow devices.

    Sources in the figure: Cisco ISE (identity), Cisco ASR 1000 or ISR G2 + NBAR (application), Cisco ASA, Cisco NGA and the Cisco network (NetFlow).

    Lancope partnership provides behavior-based threat detection: FlowSensor, FlowCollector and the StealthWatch Management Console form a single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting.

  • Drilling into a single flow yields a wealth of information

  • Identify Threats and Assign Attribution, leveraging an integration between Cisco ISE and Lancope StealthWatch

    Policy | Start Active Time | Alarm | Source | Source Host Group | Source User Name | Target
    Inside Hosts | 8-Feb-2012 | Suspect Data Loss | 10.34.74.123 | Wired Data | Bob | Multiple Hosts
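The join behind that alarm row, as an added example that is not Lancope or Cisco code: NetFlow records are aggregated per inside source into a "Suspect Data Loss" alarm, and the alarm is attributed to a user by looking up the ISE session that held the source address at the alarm's start time (the data RADIUS accounting gives MnT and pxGrid). The session table, flow records and byte threshold are constructed; the alarm fields mirror the columns on the slide. The same address is deliberately leased to two users on different days so the join has to be time-aware.

```python
"""Attribution of a flow alarm to a user, added as an illustration of the ISE + StealthWatch
slide (not Lancope or Cisco code). The session table, flow records and threshold are
constructed; the alarm fields mirror the columns on the slide."""
import ipaddress
from datetime import datetime

INSIDE = ipaddress.ip_network("10.0.0.0/8")

# ISE session data (from RADIUS accounting, as MnT or pxGrid would expose it). The same
# address was leased to two users on different days, so the join must be time-aware.
SESSIONS = [
    {"ip": "10.34.74.123", "user": "alice", "group": "Contractor",
     "start": "2012-02-07T09:00:00", "stop": "2012-02-07T18:05:00"},
    {"ip": "10.34.74.123", "user": "Bob", "group": "Employee",
     "start": "2012-02-08T07:55:00", "stop": None},          # still active
]

# NetFlow records: (start time, source, destination, destination port, bytes)
FLOWS = [
    ("2012-02-08T10:02:11", "10.34.74.123", "203.0.113.10", 443, 380_000_000),
    ("2012-02-08T10:05:40", "10.34.74.123", "198.51.100.7", 22, 210_000_000),
    ("2012-02-08T10:09:03", "10.34.74.123", "203.0.113.44", 443, 95_000_000),
    ("2012-02-08T10:11:00", "10.34.74.200", "203.0.113.10", 443, 4_000_000),
    ("2012-02-08T10:12:00", "10.34.74.123", "10.200.5.9", 445, 900_000_000),  # inside-to-inside
]


def ts(value):
    return datetime.fromisoformat(value)


def session_for(ip, when):
    """Who held the address at that moment (None if nobody was authenticated on it)."""
    for s in SESSIONS:
        started = ts(s["start"]) <= when
        still_open = s["stop"] is None or when < ts(s["stop"])
        if s["ip"] == ip and started and still_open:
            return s
    return None


def suspect_data_loss(flows, threshold_bytes=500_000_000):
    """Per inside source, sum bytes sent to outside hosts; alarm above the threshold."""
    totals, targets, first_seen = {}, {}, {}
    for start, src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) not in INSIDE:
            totals[src] = totals.get(src, 0) + nbytes
            targets.setdefault(src, set()).add(dst)
            first_seen.setdefault(src, start)
    return [
        {"policy": "Inside Hosts", "start": first_seen[src], "alarm": "Suspect Data Loss",
         "source": src, "bytes": total, "targets": sorted(targets[src])}
        for src, total in totals.items() if total > threshold_bytes
    ]


def attribute(alarms):
    """Join each alarm to the ISE session active at its start time."""
    out = []
    for a in alarms:
        s = session_for(a["source"], ts(a["start"]))
        out.append({**a,
                    "user": s["user"] if s else "unknown",
                    "group": s["group"] if s else "unknown",
                    "target": "Multiple Hosts" if len(a["targets"]) > 1 else a["targets"][0]})
    return out
```

Attributing by address alone would name whoever happens to hold the lease when the analyst looks, which on a DHCP segment can be the wrong person; the session start and stop times from accounting are what make the attribution defensible in an investigation.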

  • Cisco Security

  • Cisco Security Product Highlights: 2012-2013

    Product milestones: Cognitive Security acquisition; ASA mid-range appliances; ASA CX and PRSM; Secure Data Center launch; ISE 1.1 & 1.2 / TrustSec 2.1; ASA 9.0; ASA 1000V; IPS 4500; CSM 4.3; AnyConnect 3.1

  • Thank you for your attention.

  • Recommended Reading

    Network Complexity: Michael H. Behringer, Classifying Network Complexity (slides), ACM ReArch'09 workshop, 2009. http://networkcomplexity.org/wiki/index.php?title=References

    Cisco TrustSec 2.1 Design and Implementation Guide: http://www.cisco.com/go/trustsec/

    Cisco Wireless LAN Security: http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540

    Managing Cisco Network Security: http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031

    Cisco Firewalls: http://www.ciscopress.com/bookstore/product.asp?isbn=1587141094

    Cisco LAN Switch Security: What Hackers Know About Your Switches: http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563

  • Where To Find Out More: Whitepapers

    Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html

    Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html

    IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html

    MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

    Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html

    Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html

    IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

    MACsec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

    www.cisco.com/go/ibns