Tech update – security, 30/5-2017 (slide transcript)
ISE 2.2 + 2.3 update
Context Visibility Enhancements
PassiveID Enhancements
• WMI
• Agent
• SPAN
• Syslog
• TS Agent
ISE-PIC
• Installation
• Licensing and Upgrade
• Integration Status
• Deployment
PxGrid Enhancements
All about Wizards – ISE the easy way
• Visibility
• Secure access wizard / Wireless wizard
• PassiveID
Posture
TC-NAC
Tips and Tricks – nice to know
What's new in ISE 2.3?
Roadmap
Cisco ISE – role-based access control
Access policy inputs (figure): who, what, how, when, where, health, threats
Partner ecosystem (including CVSS vulnerability data) connected to Cisco ISE over pxGrid and APIs
Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks.
Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MACsec, network visibility and more.
Partner integrations: SIEM, MDM, NBA, IPS, IPAM, etc.
Use cases (figure): role-based access control, guest access, BYOD and secure access across wired, wireless and VPN. For endpoints and for the network: device admin, threat control, segmentation, BYOD access, guest access, access control, asset visibility.
ISE use cases
Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
Consistent access control into wired, wireless and VPN networks: 802.1X, MAC authentication (MAB), web authentication and Easy Connect for admission control.
Fully customizable, branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
Simplified BYOD management with a built-in CA and third-party MDM integration for onboarding and self-service of personal mobile devices.
Topology-independent software-defined segmentation policy to contain network threats using Cisco TrustSec technology.
Context sharing with the partner ecosystem to improve their overall efficacy and accelerate time to containment of network threats.
Cisco ISE supports device administration using the TACACS+ protocol to control and audit the configuration of network devices.
Context Visibility Enhancements
End user context: email, phone, department, number of endpoints
Guest context: guest type (daily, weekly, etc.), number of endpoints, sponsor, portal used
Endpoint inactivity: endpoints that have been inactive for a set number of days without any attribute changes
Status trend: compliant vs. non-compliant over time
Network device summary: number of endpoints per NAD, port configuration status
PassiveID Enhancements
PassiveID in ISE
• Must be enabled per node (on by default in ISE-PIC); enabling it turns on all PassiveID features
• The username-to-IP mapping forms the basis of PassiveID session creation!
• PassiveID sessions appear in ISE Live Sessions alongside the others (slide: which is which?)
PassiveID Wizard (ISE-PIC and ISE)
Simple to set up:
1. Join Active Directory: join point, AD domain, admin user, password
2. Select interesting groups: security groups, also used by the API
3. Choose controllers to monitor: all controllers, site controllers, or a custom list
4. Done!
WMI Provider
• "Config WMI": the new easy button; ISE remotely connects to the domain controllers
• Monitors specific security events: 4768 (Kerberos TGT requested) and 4770 (Kerberos ticket renewed)
NOTE:
• Requires Domain Admin credentials (they are stored on the ISE node, so treat that node as a high-value target)
• Requires access through the Windows Firewall (remote WMI runs over DCOM)
• Windows Server 2008 and above
AD Agent Provider
• Native Windows application; can be installed on a domain controller or a member server
• Manual or automatic installation
• One agent can serve up to 10 servers!
• Can provide visibility into past logon events
SPAN Provider
• "Don't touch my AD!": nothing is installed on or changed in Active Directory
• Two interfaces max with ISE-PIC; one interface per PassiveID node in ISE
• Use ISE for scale and large deployments
• Historical events are not possible (point in time only)
• Pro tip: use a dedicated interface and a VACL regardless of the deployment
• Kerberos SPAN: great for a proof of value (PoV)!
Syslog Provider
• Allows ISE / ISE-PIC to receive syslog messages from identity sources
• DNS must be correctly configured
• TCP or UDP syslog supported: TCP port 11468, UDP port 40514
• Large list of built-in templates, plus the ability to create custom templates
REST API Provider
• Designed for use with the Terminal Services (TS) Agent
• Can also be used by custom integrations
• Uses certificate-based authentication
• User information is sent to the PassiveID node over TLS in JSON format
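The deck says twice that the username-to-IP mapping is the PassiveID session, and that the syslog provider builds those mappings from templates. The following is an added example, not Cisco's code and not how ISE implements it internally: a small template-driven session store that parses constructed syslog lines (a Windows 4768 event relayed by a forwarder, and a generic key=value login record), keeps one binding per IP, and ages bindings out. The line layout, the two templates, the sample lines and the one-hour timeout are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Syslog "templates" as named-group regexes (constructed stand-ins for ISE's
# built-in / custom templates). Real DCs log "Client Address" for event 4768
# as an IPv4-mapped IPv6 address (::ffff:10.1.1.5), hence the optional prefix.
TEMPLATES = {
    "win-4768": re.compile(
        r"EventID=4768\b.*?Account Name:\s*(?P<user>[^\s,]+).*?"
        r"Client Address:\s*(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),
    "kv-login": re.compile(
        r"\buser=(?P<user>\S+)\s+src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+action=login\b"),
}

# Assumed line layout: "<ISO-8601 timestamp> <host> <message>".
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def _as_dt(t):
    """Accept either a datetime or an ISO-8601 string."""
    return datetime.fromisoformat(t) if isinstance(t, str) else t


class PassiveIdSessions:
    """ip -> (user, last_seen). The username-to-IP binding *is* the session."""

    def __init__(self, timeout):
        self.timeout = timeout      # how long a binding is trusted without a refresh
        self.sessions = {}

    def ingest(self, line):
        """Parse one syslog line; return (template, user, ip) or None if ignored."""
        m = LINE.match(line)
        if not m:
            return None
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            return None             # not a timestamped line: never create a session from it
        for name, tpl in TEMPLATES.items():
            hit = tpl.search(m["msg"])
            if hit:
                ip, user = hit["ip"], hit["user"].lower()
                # A new user seen on the same IP replaces the old binding. Keeping
                # the stale one would attribute this host's traffic, and the policy
                # tied to the identity, to the previous user.
                self.sessions[ip] = (user, ts)
                return name, user, ip
        return None                 # matched no template: no session created

    def user_for(self, ip, now):
        """Identity currently bound to ip, or None once the binding has aged out."""
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        return None if _as_dt(now) - last_seen > self.timeout else user

    def expire(self, now):
        """Drop bindings older than the timeout ("is the user still logged in?")."""
        now = _as_dt(now)
        stale = [ip for ip, (_, seen) in self.sessions.items() if now - seen > self.timeout]
        for ip in stale:
            del self.sessions[ip]
        return stale


# Constructed sample feed (not real logs).
SAMPLE_LINES = [
    "2017-05-30T08:00:00 dc01 EventID=4768 A Kerberos authentication ticket (TGT) was requested. "
    "Account Name: ALICE Supplied Realm Name: CORP Client Address: ::ffff:10.1.1.5",
    "2017-05-30T08:02:00 dc01 EventID=4769 A Kerberos service ticket was requested. Account Name: ALICE",
    "2017-05-30T08:30:00 vpn01 user=bob src=10.1.1.5 action=login",
    "this line is not syslog at all",
]


def build_sessions(lines=SAMPLE_LINES, timeout=timedelta(hours=1)):
    """Feed every line through the store; return (store, accepted bindings)."""
    store = PassiveIdSessions(timeout)
    accepted = [r for r in map(store.ingest, lines) if r]
    return store, accepted


if __name__ == "__main__":
    store, accepted = build_sessions()
    print(accepted)
    print(store.user_for("10.1.1.5", "2017-05-30T08:45:00"))
```

The second line is a 4769 (service ticket) event and is deliberately ignored: only the events the template set names create sessions, which is why the deck's WMI provider limits itself to 4768/4770. The "still logged in?" question is answered here only by the timeout; ISE-PIC's endpoint probe does it actively.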
ISE Passive Identity Connector (ISE-PIC)
• Single identity solution for the whole Cisco security portfolio: the best of all existing solutions, a true single source of identity
• No longer need a separate connection from each product to AD, LDAP, etc.
• Very low cost; passive identity only: no authorization, no policies
• New features and sources: agents, WMI, syslog, REST
• Remotely checks with endpoints: is the endpoint still on the network? Is the user still logged in?
• Simple to install and use; scales to hundreds of DCs
ISE-PIC at a glance (figure): inputs to ISE-PIC / ISE are Active Directory (via WMI, the ISE-PIC agent, syslog and the REST API), Kerberos SPAN, and "almost anything" via syslog; an endpoint probe asks "still there?" and "same user?"; outputs go to the pxGrid pub/sub bus (FMC, WSA, ASA), legacy CDA-RADIUS, and custom apps.
ISE-PIC Installation
• VM only, no hardware appliance support
• 3515-based VM: 100K sessions; 3595-based VM: 300K sessions
• Setup is similar to an ISE VM; includes a 90-day evaluation license
• Don't forget resource reservations!
Deployment Options
• Standalone node
• HA pair: no certificate import/export; no service modification (services cannot be started or stopped)
• Remember that ISE has all the features of ISE-PIC. Need to distribute? Upgrade to ISE!
ISE-PIC Licensing
• Orderable today; both PIDs are required for the ISE-PIC upgrade (300K sessions); 2x licenses for an HA pair

                          Standalone                                      High Availability
Up to 3,000 sessions      Qty 1 R-ISE-PIC-VM-K9=                          Qty 2 R-ISE-PIC-VM-K9=
Up to 300,000 sessions    Qty 1 R-ISE-PIC-VM-K9= + Qty 1 L-ISE-PIC-UPG=   Qty 2 R-ISE-PIC-VM-K9= + Qty 2 L-ISE-PIC-UPG=
ISE-PIC Integration Status
• StealthWatch 6.9
• Firepower Management Center: ISE-PIC 2.2 patch 1 with FMC 6.2, QA validated
• IDFW for ASA: requires the CDA RADIUS interface (roadmap)
• Web Security Appliance: requires the CDA RADIUS interface (roadmap)
• Cisco solutions only with ISE-PIC; upgrade to ISE with a Plus license for third-party support
pxGrid Enhancements
CA-signed pxGrid certificates (figure): the ISE pxGrid controller and each pxGrid client hold their own public/private key pair and trusted-certificate store, and the ISE root CA issues both sides' certificates.
pxGrid Certificate Template
• ISE root CA: special certificate template with EKU for both client and server authentication
• Generate certificates with or without a CSR; bulk certificates via CSV; download the root; PKCS#12
• Certificate formats: only encrypted options, all include the root certs; PEM or PKCS#12
• All within the pxGrid UI: no longer have to create a portal, add a portal user, etc.
pxGrid Certificate Best Practice
• Cert template: hard-coded to use the pxGrid template (client + server EKUs)
• Friendly CN: make it something unique, e.g. with a pxGrid prefix
• Real FQDN in SAN: ensure the real FQDN and IP address are in the SAN, just in case
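As an added illustration of the three best-practice points above (not from the deck, and not Cisco's own template), this is an OpenSSL request config for the CSR of a pxGrid client. The names pxgrid-fmc01, fmc01.example.com and 10.10.10.20 are placeholders.

```ini
# Added example: OpenSSL request config for a pxGrid client CSR.
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = pxgrid_ext

[ dn ]
# Friendly, unique CN with a pxGrid prefix
CN = pxgrid-fmc01

[ pxgrid_ext ]
# Both EKUs, as the ISE pxGrid template requires
extendedKeyUsage = clientAuth, serverAuth
keyUsage         = critical, digitalSignature, keyEncipherment
subjectAltName   = @san

[ san ]
# Real FQDN plus the IP address, in case a peer connects by address
DNS.1 = fmc01.example.com
IP.1  = 10.10.10.20
```

Generate the CSR with `openssl req -new -newkey rsa:2048 -nodes -keyout pxgrid-fmc01.key -out pxgrid-fmc01.csr -config pxgrid.cnf`, paste it into the pxGrid certificate page in ISE, and verify the issued certificate rather than the request: `openssl x509 -in pxgrid-fmc01.pem -noout -text` must list both "TLS Web Client Authentication" and "TLS Web Server Authentication" under Extended Key Usage and the FQDN and IP under Subject Alternative Name. The ISE CA applies its own pxGrid template at signing time, so the check on the issued certificate is what proves the best practice was met.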
New wizards – ISE the easy way
All About Wizards
Visibility Setup (figure: ISE scans NADs, connected endpoints and Active Directory using SMB, NMAP and SNMP)
• Discovers NADs and connects to them
• Discovers devices connected to the network
• Discovers users (AD)
Secure Access Wizard (BETA) (figure: ISE configures the WLC over RADIUS for 802.1X, BYOD and guest)
Configured on the WLC:
• WLANs (SSIDs)
• RADIUS authentication, authorization and shared key
• Account duration settings
• Redirect ACLs (interesting traffic)
• RADIUS CoA settings
Configured in ISE:
• Authentication and authorization policies
• Authorization results
• Customized captive portals
• and a lot more...
Easy wireless management: one place to configure all security and access settings
For major use cases: enterprise (802.1X), guest and BYOD
Portal management: easy portal creation and customization
PassiveID Setup (figure: ISE sets up WMI on Active Directory for the Easy Connect use case)
Active Directory
• Set up the WMI security event logs (registry settings etc.)
• Easy Connect use case
ISE
• Create the WMI connection to Active Directory
Easy Connect: non-802.1X users are identified through their Active Directory logon
ISE Secure Access Wizard (SAW), Cisco ISE 2.2
Security and access policy configuration in one flow:
• ISE policy configs
• Network access devices: security settings, redirect ACLs (interesting traffic), RADIUS authentication/authorization and key, account duration settings, WLANs etc.
A non-security user can complete the setup in 10 minutes.
Best Practices / Design
Guest access: the recommendation is to run SAW in a standalone setup.
(Figure: distributed deployment with primary/secondary admin (PAN), monitoring (MnT), PSNs and primary/secondary pxGrid controllers, plus the WLC's RADIUS configuration.) If using HA or multiple PSNs, manually add the IP addresses of the PSNs to the WLC's RADIUS configuration.
Operating system: Cisco WLC running AireOS 8.x or higher.
Licensing: Guest requires an ISE Base license, BYOD requires a Plus license; standard WLC licensing.
Deployment: ISE 2.2 fresh install; a green-field ISE deployment is recommended. The WLC can be green field or brown field with existing configuration.
Multiple AD & WLCs: an AD domain is required to create sponsored guest, 802.1X and BYOD flows; only Active Directory groups and users are supported (manual configuration for other identity stores). Multiple WLCs and ADs can be added, but the flow configures one at a time.
Operations: dual SSID is supported for BYOD, but the open SSID does not support guest access due to conflicts. A portal that supports both guest and BYOD is not supported by SAW today. Do not use spaces in your SSID names.
Demo: SAW on dCloud
Posture
What is "posture"? The state of compliance with corporate security policies.
Check types: application, anti-malware, file check, anti-spyware, compound, patch management, anti-virus, disk encryption, registry, service, USB check, others.
Capabilities / Benefits
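To make the list of check types concrete, here is an added example (not Cisco's code, and not ISE's condition model or attribute names): a toy posture evaluator that runs simple and compound checks over a dict of endpoint facts and reports compliant / non-compliant with the failed checks and their remediation text. The policy, the facts schema and the two sample endpoints are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Check:
    name: str
    passes: Callable[[dict], bool]   # True when the endpoint satisfies the check
    remediation: str                 # shown to the user (or run by the agent) on failure


def compound_all(name, remediation, *checks):
    """Compound check: passes only when every sub-check passes."""
    return Check(name, lambda f: all(c.passes(f) for c in checks), remediation)


def compound_any(name, remediation, *checks):
    """Compound check: passes when any one alternative passes."""
    return Check(name, lambda f: any(c.passes(f) for c in checks), remediation)


# Constructed corporate policy covering the check types on the slide.
# The facts keys (av, firewall_enabled, ...) are this example's own schema.
CORP_POLICY = [
    Check("anti-virus",
          lambda f: f["av"]["installed"] and f["av"]["definition_age_days"] <= 3,
          "Install the corporate AV and update definitions"),
    Check("anti-spyware", lambda f: f["anti_spyware_installed"], "Install anti-spyware"),
    Check("patch-mgmt", lambda f: f["missing_critical_patches"] == 0, "Install critical patches"),
    Check("firewall", lambda f: f["firewall_enabled"], "Enable the host firewall"),
    compound_any("disk-encryption", "Enable full-disk encryption",
                 Check("bitlocker", lambda f: f["bitlocker_on"], ""),
                 Check("filevault", lambda f: f["filevault_on"], "")),
    Check("registry", lambda f: f["registry"].get("AutoAdminLogon", "0") != "1",
          "Disable automatic logon"),
    Check("service", lambda f: "EventLog" in f["services_running"], "Start the EventLog service"),
    Check("usb", lambda f: not f["usb_storage_enabled"], "Disable USB mass storage"),
    Check("file", lambda f: f["files"].get("/etc/corp-managed") == "present",
          "Enroll the device in management"),
    Check("application", lambda f: "torrent-client" not in f["applications"],
          "Remove prohibited applications"),
]


def evaluate(facts, policy=CORP_POLICY):
    """Run every check. Returns (status, failed check names, remediation steps).
    A check whose facts are missing (the agent could not collect them) counts as
    failed: posture fails closed instead of granting access on unknown state."""
    failed, remediation = [], []
    for check in policy:
        try:
            ok = bool(check.passes(facts))
        except (KeyError, TypeError):
            ok = False
        if not ok:
            failed.append(check.name)
            remediation.append(check.remediation)
    return ("Compliant" if not failed else "NonCompliant"), failed, remediation


# Constructed endpoint facts (not collected from a real host).
COMPLIANT_LAPTOP = {
    "av": {"installed": True, "definition_age_days": 1},
    "anti_spyware_installed": True,
    "missing_critical_patches": 0,
    "firewall_enabled": True,
    "bitlocker_on": True, "filevault_on": False,
    "registry": {"AutoAdminLogon": "0"},
    "services_running": {"EventLog", "Dnscache"},
    "usb_storage_enabled": False,
    "files": {"/etc/corp-managed": "present"},
    "applications": {"browser", "vpn-client"},
}
UNPATCHED_LAPTOP = dict(COMPLIANT_LAPTOP, firewall_enabled=False,
                        missing_critical_patches=4, bitlocker_on=False)

if __name__ == "__main__":
    for label, facts in (("compliant", COMPLIANT_LAPTOP), ("unpatched", UNPATCHED_LAPTOP)):
        print(label, evaluate(facts))
```

The firewall check is the one the deck lists as new in 2.2; the fail-closed behaviour on missing facts is the example's own choice, made because an agent that could not read a value should not be treated as if the value were compliant.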
What's new for ISE 2.2? Next-level posture capabilities: simplify posture administration and the user experience.
(Admin UI mock-up: AnyConnect automatic download enabled; available NADs: HP, Brocade, Aruba, Ruckus, Cisco, other; stealth-mode installations in progress per user; Terms of Service / I Agree on the client.)
Administrators can now gain better inventory and compliance visibility without impacting the end user. Broader support for third-party NADs increases flexibility for admins. Additionally, users can onboard to AnyConnect faster and without interruptions.
• Set up automatic AnyConnect installations
• Install AnyConnect and enforce posture in the background with AnyConnect stealth mode
• Gain better visibility into endpoint activity without a user-disrupting agent
• Streamline client provisioning with third-party NAD support
• Avoid certificate errors using common posture certificates
More flexibility: deploy AnyConnect even with non-Cisco NADs
Less user error: enforce policy automatically
Better user experience: eliminate interruptions with posture in the background
Key Posture Highlights in ISE 2.2: Enhanced Posture Discovery and Client Provisioning
• Posture on third-party devices (agent-to-ISE communication without URL redirect)
• AnyConnect headless Windows/OS X option (no UI module)
• Firewall-enabled checks and remediation
• AnyConnect profile provisioning using JSON (OpenDNS Umbrella provisioning support)
• UDID context sharing (exposed in the Context Directory)
• Common certificates and HTTP ports for posture (avoiding unknown-certificate errors)
• Apex license enforcement (without it the posture admin UI shuts down)
Application Visibility, Control and Enforcement
TC-NAC
What is Threat Centric NAC? (figure: AMP and vulnerability scanners feed STIX threat events, CVSS scores, IOCs, vulnerability assessments and threat notifications into Cisco ISE, which acts on the endpoints)
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
Complements posture: vulnerability data tells the endpoint's posture from the outside
Expanded control, driven by threat intelligence and vulnerability assessment data
Faster response, with automated, real-time policy updates based on vulnerability data and threat metrics
Network Access Policy: create ISE authorization policies based on the threat and vulnerability attributes, alongside who, what, when, where, how and posture
STIX over TAXII | Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
Threat Centric NAC: pick the vulnerability assessment vendor of your choice (figure: ISE sends a scan request, the scanner runs the vulnerability scan and returns a CVSS score; vendors shown include Qualys and Cisco CTA)
• Starting from ISE 2.2, TC-NAC supports Tenable, Cisco Threat Analytics (CTA) and Rapid7.
• A standard "listener" will be supported for threats using the STIX framework, for automatic quarantining of critically infected endpoints.
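An added example (not Cisco's code, not ISE's policy engine or attribute dictionary) of the point made above: first-match authorization rules that read threat and vulnerability attributes next to the usual identity and posture context, and a re-evaluation step that decides whether a Change of Authorization is needed when a scanner reports a new score for an endpoint that is already on the network. The attribute names (cvss_base_score, ioc_matched, posture, ad_group), the result names and the thresholds are assumptions; the thresholds follow the CVSS v3 severity bands (Critical from 9.0, High from 7.0).

```python
# Assumed thresholds, taken from the CVSS v3 severity bands.
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0

# Ordered rules: (rule name, condition over the endpoint context, authorization
# result). First match wins, so the threat rules sit above the access rules:
# a compromised or critically vulnerable endpoint must never fall through to
# "Permit" just because the user is a compliant employee.
RULES = [
    ("Quarantine-IOC",      lambda c: c.get("ioc_matched", False),                    "Quarantine"),
    ("Quarantine-Critical", lambda c: c.get("cvss_base_score", 0.0) >= CVSS_CRITICAL, "Quarantine"),
    ("Remediate-High",      lambda c: c.get("cvss_base_score", 0.0) >= CVSS_HIGH,     "Remediation-VLAN"),
    ("Employee-Compliant",  lambda c: c.get("posture") == "Compliant"
                                      and c.get("ad_group") == "Employees",           "Permit-Employee"),
]
DEFAULT_RESULT = "Deny"


def authorize(ctx):
    """Return (matched rule name, authorization result) for an endpoint context."""
    for name, cond, result in RULES:
        if cond(ctx):
            return name, result
    return "Default", DEFAULT_RESULT


def on_vulnerability_update(ctx, scan):
    """Merge a scanner / threat-feed update (constructed shape: a dict with
    cvss_base_score and/or ioc_matched) into the endpoint context, re-run the
    policy and say whether the result changed. A changed result is the trigger
    for a CoA: the session was authorized under attributes that no longer hold."""
    before = authorize(ctx)[1]
    updated = {**ctx, **scan}
    rule, after = authorize(updated)
    return updated, rule, after, after != before


# Constructed context for a connected, compliant employee laptop.
EMPLOYEE_CTX = {"user": "alice", "ad_group": "Employees", "posture": "Compliant",
                "cvss_base_score": 4.3}

if __name__ == "__main__":
    print(authorize(EMPLOYEE_CTX))
    print(on_vulnerability_update(EMPLOYEE_CTX, {"cvss_base_score": 9.8}))
```

Two things the code makes explicit that the slide only implies: rule order is a security control (put threat rules first), and the CoA is what turns "real-time policy update" into an actual change on the wire for an endpoint that is already authenticated.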
Tips and tricks – nice to know
Network Device Address Ranges: flexible pattern matching for multiple NADs (last octet only)
§ Configure a NAD with single or multiple IP address ranges, with wildcard support
§ Single range example: 192.168.1.100-120 or 192.168.1.*
§ Multiple range example (each range listed separately): 192.168.1.100-120 or 192.168.1.*, 192.168.1.121-130, 192.145.2.*
Note: last octet only, but it is possible to define multiple class C entries to achieve the same ranges at a higher subnet level.
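As an added example (not Cisco's code; ISE's own matcher is not reproduced here), this is the last-octet pattern grammar from the tip above implemented as a lookup from RADIUS client IP to NAD, plus the "multiple class C entries" trick from the note: expanding a larger prefix into the a.b.c.* entries the UI accepts. The NAD names and addresses in the sample table are constructed.

```python
import ipaddress
import re

# Pattern grammar accepted for NAD addresses (last octet only):
#   a.b.c.d      exact address
#   a.b.c.*      whole last octet
#   a.b.c.lo-hi  range within the last octet
PATTERN = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\*|\d{1,3}(?:-\d{1,3})?)$")


def compile_pattern(pattern):
    """Return (first three octets, lo, hi) for one pattern, or raise ValueError."""
    m = PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported NAD pattern: {pattern!r}")
    prefix, last = m.groups()
    if any(int(o) > 255 for o in prefix.split(".")):
        raise ValueError(f"bad octet in {pattern!r}")
    if last == "*":
        lo, hi = 0, 255
    elif "-" in last:
        lo, hi = (int(x) for x in last.split("-"))
    else:
        lo = hi = int(last)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {pattern!r}")
    return prefix, lo, hi


def matches(patterns, ip):
    """True when the RADIUS client IP falls inside any of the NAD's patterns."""
    ipaddress.IPv4Address(ip)                  # reject garbage before comparing octets
    prefix, last = ip.rsplit(".", 1)
    return any(p == prefix and lo <= int(last) <= hi
               for p, lo, hi in (compile_pattern(x) for x in patterns))


def find_nad(nads, ip):
    """nads: {name: [patterns]}. Return the single NAD covering ip, or None.
    Two NADs covering one address is a configuration error (whose shared secret
    and device type would apply?), so it is raised rather than resolved silently."""
    hits = [name for name, pats in nads.items() if matches(pats, ip)]
    if len(hits) > 1:
        raise ValueError(f"{ip} matches more than one NAD: {hits}")
    return hits[0] if hits else None


def expand_to_last_octet(network):
    """Express a prefix shorter than /24 as the list of 'a.b.c.*' entries the
    last-octet grammar allows, e.g. 192.168.0.0/22 -> four /24 wildcards."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen > 24:
        raise ValueError("use an explicit lo-hi range for prefixes longer than /24")
    return [str(sub.network_address).rsplit(".", 1)[0] + ".*"
            for sub in net.subnets(new_prefix=24)]


# Constructed NAD table mirroring the slide's multiple-range example.
NADS = {
    "wlc-site-a":     ["192.168.1.100-120", "192.168.1.121-130"],
    "branch-routers": ["192.145.2.*"],
}

if __name__ == "__main__":
    print(find_nad(NADS, "192.168.1.125"))
    print(expand_to_last_octet("192.168.0.0/22"))
```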
Network Device Group (NDG) Hierarchies: before ISE 2.2 vs. ISE 2.2 (figure)
Custom User Attributes: new attribute types include IP, Boolean and Date (Administration > Identity Management > Settings)
(Source slide: BRKSEC-3699)
Per-PSN LDAP Servers
• Assign a unique primary and secondary to each PSN
• Allows each PSN to use local or regional LDAP servers
MySQL Support: reintroduced in ISE 2.2 (last-minute pull from ISE 2.1)
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210521-Configure-ISE-2-2-for-integration-with-M.html
Guest Enhancements
§ Sponsor enhancements: single-click guest account approvals; pending-approval filtering based on the person visited (AD/LDAP support); sponsor portal enhancements
§ Guest enhancements: background image support; hotspot CoA (Change of Authorization); sponsor portal set password on import; ERS API update; dynamic variable message ID for SMS messages
§ Legacy guest features: custom portal files; sponsor group by additional attributes; auto-send notification to the guest when an email address is present; allow guest credentials to be hidden from the sponsor while the guest is still notified
What's new in ISE 2.3?
Read-Only Admin, a.k.a. RO Admin
Social Network Guest Login: Facebook login for guests (phase 1)
Supported flows:
• Facebook login is supported for self-registration only, with and without sponsor approval
• With social login the registration form is optional; if displayed, some fields are pre-populated with information from the social media provider
• The admin may allow guests to override that information (except the Facebook username)
• Facebook login sits on top of the regular guest flows. A hotspot-like flow can be achieved by using self-registration without sponsor approval and without displaying the registration form: guests click the Facebook button and get network access immediately.
(Figure: on first-time access the endpoint reaches the Cisco ISE portal, which offers "log in using a local ISE account", "create a local ISE account" and "log in with a social account".) Upon first access the guest must approve ISE to get basic information from Facebook.
Posture Improvements
§ Temporal agent push
§ Better SCCM integration
§ Flexible notifications framework
§ Even better application visibility
Group Policy Connector (TBD): Simplifying Security Policy Across Domains
Goal: share group information between cloud domains and the enterprise to simplify policy management
• Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks
• Enable adoption of different cloud environments without duplicating group policy management
(Figure: the Group Policy Connector maps enterprise Security Groups to ACI EndPoint Groups (APIC DC), AWS Security Groups, Azure Network Security Groups and ODL groups; status per target is shown as planning / available / in progress.)
ACS Migration
• ACS will soon reach End of Sale (August 30th), followed by 1 year of software maintenance (Sev1 and PSIRT fixes only)
• ISE Base Migration Licenses will reach EoS at the same time
• The clock is ticking: NOW is the time to migrate
• ISE 2.3 is the LAST release to include the ACS migration features
ACS End of Life is a fact!
ISE Public Resources
ISE Public Community: http://cs.co/ise-community
Customer Connection Program: http://cisco.com/go/ccp > Security
ISE Compatibility Guides: http://cs.co/ise-compatibility
ISE Design & Integration Guides: http://cs.co/ise-guides
ISE Licensing / Ordering Guide: http://cs.co/ise-licensing, http://cs.co/ise-ordering
Free, 90-day ISE Evaluation: http://cs.co/ise-eval
Q&A