Chad Mitchell, Security CSE, CCIE 44090
March 2016
Identity Services Engine (ISE) 2.0: Delivering Deeper Visibility, Centralized Control and Superior Protection
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Introducing ISE: a centralized security solution that automates context-aware access to network resources and shares contextual data.
Figure: the Network Door (physical or VM) enforces role-based policy access (Traditional or TrustSec) to network resources. Secure Access covers BYOD Access, Guest Access and Role-based Access; Identity, Profiling and Posture establish Who, What, When, Where, How and whether the endpoint is Compliant. ISE shares that Context through the pxGrid controller.

Context enhances protection across the attack continuum
Figure: ISE context (Who, What, Where, When, How) applied Before, During and After an attack.
• Gain visibility into who and what is on your network
• Grant access on a "need to know" basis
• Provide threat context to behavioral analysis
• Contain through network elements and the security ecosystem
• Get better forensics and prepare for the next attack by sharing information with ecosystem partners

Short History of Identity Services: Where do we come from, where do we go to?
In the Dark Ages there was only IEEE 802.1X (EAPoLAN, EAPoWLAN).
Then we had MAB, Web Authentication, Auth-Fail VLAN, Guest VLAN, Flex-Auth, Deployment Modes and other features: IBNS (Identity Based Networking Services).
We have now arrived at an age where we take identity networking to the next level with the new version of the Identity Engine for TrustSec (Identity Policy): IBNS 2.0 (Identity Control Policy).

Port-Based Access Control Using Authentication: IEEE 802.1X
Figure: Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> ISE.
Beginning (switchport in unused VLAN): EAPoL Start; EAPoL Request Identity; EAP-Response Identity: Alice, relayed as RADIUS Access-Request [AVP: EAP-Response: Alice].
Middle: RADIUS Access-Challenge [AVP: EAP-Request PEAP], relayed as EAP-Request PEAP; EAP-Response PEAP, relayed as RADIUS Access-Request [AVP: EAP-Response PEAP]. Multiple challenge/request exchanges are possible.
End: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n], relayed as EAP Success; the switchport now becomes active in the assigned VLAN.
• 802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanism; authentication is handled by the EAP type (TLS, PEAP).

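The exchange on this slide, as an added simulation that is not part of the original deck or of any Cisco code: a supplicant, an authenticator (the switch) and an authentication server exchange the Beginning, Middle and End messages, and the port only leaves the unused VLAN after Access-Accept. The user table, the number of PEAP rounds, and the "VLAN" and "dACL" AVP names are constructed for the example; a real server would carry VLAN and dACL in standard RADIUS attributes.

```python
from dataclasses import dataclass, field

@dataclass
class Eap:
    """One EAP message. Over the Layer 2 link it travels in an EAPoL frame; over the
    Layer 3 link it travels as an EAP-Message AVP inside a RADIUS packet. The
    authenticator never interprets the inner method (PEAP here); it only relays."""
    kind: str            # Request-Identity, Response-Identity, Request, Response, Success, Failure
    payload: str = ""

@dataclass
class Radius:
    code: str            # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    avps: dict = field(default_factory=dict)

class AuthServer:
    """Constructed stand-in for ISE: after the identity it runs `rounds` PEAP challenge
    rounds and then decides. `users` maps identity -> (VLAN, dACL name)."""
    def __init__(self, users, rounds=2):
        self.users, self.rounds, self.sessions = users, rounds, {}

    def handle(self, req):
        eap = req.avps["EAP-Message"]
        if eap.kind == "Response-Identity":
            identity = eap.payload
            if identity not in self.users:
                return Radius("Access-Reject", {"EAP-Message": Eap("Failure")})
            self.sessions[identity] = self.rounds
            return Radius("Access-Challenge",
                          {"EAP-Message": Eap("Request", "PEAP"), "State": identity})
        identity = req.avps["State"]          # RADIUS State ties the rounds to one session
        self.sessions[identity] -= 1
        if self.sessions[identity] > 0:
            return Radius("Access-Challenge",
                          {"EAP-Message": Eap("Request", "PEAP"), "State": identity})
        vlan, dacl = self.users[identity]
        return Radius("Access-Accept",
                      {"EAP-Message": Eap("Success"), "VLAN": vlan, "dACL": dacl})

class Supplicant:
    def __init__(self, identity):
        self.identity = identity

    def respond(self, request):
        if request.kind == "Request-Identity":
            return Eap("Response-Identity", self.identity)
        return Eap("Response", "PEAP")      # inner PEAP exchange, opaque to the switch

class Authenticator:
    """The switch: the port starts in an unused VLAN and only moves after Access-Accept."""
    def __init__(self, server):
        self.server, self.trace = server, []
        self.port, self.vlan, self.dacl = "unauthorized", "unused", None

    def authenticate(self, supplicant):
        frame = supplicant.respond(Eap("Request-Identity"))   # follows the EAPoL Start
        state = None
        while True:
            avps = {"EAP-Message": frame}
            if state is not None:
                avps["State"] = state
            resp = self.server.handle(Radius("Access-Request", avps))
            self.trace.append(resp.code)
            state = resp.avps.get("State")
            reply = resp.avps["EAP-Message"]
            if resp.code == "Access-Accept":                   # End: apply VLAN and dACL
                self.vlan, self.dacl = resp.avps["VLAN"], resp.avps["dACL"]
                self.port = "authorized"
                return reply.kind
            if resp.code == "Access-Reject":
                self.port = "held"                             # stays in the unused VLAN
                return reply.kind
            frame = supplicant.respond(reply)                  # Middle: relay the challenge

USERS = {"Alice": (10, "dACL-n")}   # constructed directory

def run(identity, rounds=2):
    """Drive one authentication; returns (EAP result, port state, VLAN, dACL, RADIUS trace)."""
    switch = Authenticator(AuthServer(USERS, rounds))
    result = switch.authenticate(Supplicant(identity))
    return result, switch.port, switch.vlan, switch.dacl, switch.trace

if __name__ == "__main__":
    print(run("Alice"))
    print(run("Carol"))
```

The trace shows the point of the bullet above: the switch sees only RADIUS codes and relays EAP; which credential type is actually verified is entirely between the supplicant and ISE.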
Choosing Credentials for 802.1X
Common types: Passwords (username and password, e.g. alice / c1sC0L1v, validated against a Directory), Certificates (validated against a Certificate Authority), Tokens (validated against a Token Server).
Deciding factors: security policy; validation; distribution and maintenance.
Deployment best practices: re-use existing credentials; understand the limitations of existing systems.

How To Submit Credentials
EAP Transport Layer Security (EAP-TLS): figure shows CLIENT and SERVER each holding a certificate chained to ROOT; the client checks the server certificate (Valid Server) and the server checks the client certificate (Valid Client, Authenticated). Hari is authenticated by certificate.
Protected EAP (PEAP): figure shows the client checking the server certificate against ROOT (Valid Server), then sending U: Hari, P: (password) through an ENCRYPTED TUNNEL. Hari is authenticated by password inside the tunnel.
User Authentication & Machine Authentication: Machine Account (e.g. host/machine) with a Machine Certificate; User Account (e.g. user@example.com) with a User Certificate.
Tying Machine and User Authentications: user or machine auth is supported by supplicants; MAR and RADIUS server policy can mandate both, but in different transactions. EAP Chaining supports authentication of multiple credentials in a single EAP transaction. MAR: Machine Access Restrictions.

EAP Chaining Explained
Participants: Supplicant, Switch, RADIUS Server. PAC: Protected Access Credential.
Machine authentication (before the user logs in):
  Supplicant -> Switch: EAPOL Start; Switch -> RADIUS Server: Access-Request [EAP-Tunnel=FAST]
  RADIUS Server -> Switch: Access-Challenge [EAP-TLV="Machine"]; Switch -> Supplicant: EAP Request TLV
  Supplicant -> Switch: EAP-Response TLV="Machine"; Switch -> RADIUS Server: Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
  RADIUS Server -> Switch -> Supplicant: Access-Accept, EAP Success, PAC
Login
User authentication (the same chained exchange after login):
  Supplicant -> Switch: EAPOL Start; Switch -> RADIUS Server: Access-Request [EAP-Tunnel=FAST]
  RADIUS Server -> Switch: Access-Challenge [EAP-TLV="Machine"]; Switch -> Supplicant: EAP Request TLV
  Supplicant -> Switch: EAP-Response TLV="User"; Switch -> RADIUS Server: Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
  RADIUS Server -> Switch -> Supplicant: Access-Accept, EAP Success, PAC
• EAP-TEAP (Tunneled EAP): draft by an IETF working group; next-gen EAP method; supports EAP Chaining
• Cisco AnyConnect NAM 3.1: the only supplicant supporting EAP Chaining today (EAP-FASTv2)
• Cisco Identity Services Engine: supports EAP Chaining from software version 1.1.1

User + Machine Policy: Combined User Identity + Machine Identity (EAP Chaining)
Figure: authorization flow chart ("Start Here") with decision nodes Machine = Workstation_Corp?, User = Employee?, Registered Guest?, I-Device? and outcomes Permit Access (Employee + WS_Corp, machine and user), AD Login Access, VDI Access, Internet Only and Access-Reject.

NIPR/SIPR Cross-Domain Violations
Figure: authorization flow chart ("Start Here") with decision nodes Machine = CLASSIFIED?, UNCLASS?, User = Employee?, Approved Visitor? and outcomes Permit Access (Employee + WS_Corp, machine and user), Internet Only and Access-Reject.
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.

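The two flow charts above (user + machine policy, and the cross-domain variant that raises a syslog) as one added example, not code from the deck or from ISE: an ordered rule list is evaluated first-match-wins over the outcome of an EAP-chaining session, and a rule can be flagged to emit a syslog line naming the credential. The rule set, group names, the `port_domain` attribute and the syslog format are assumptions made for the example; the two charts give outcomes but not their exact branch order.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Session:
    machine_ok: bool               # machine phase of the EAP-chaining exchange succeeded
    machine_group: Optional[str]   # group of the machine account, e.g. "Workstation_Corp"
    user_ok: bool                  # user phase succeeded
    user_group: Optional[str]      # e.g. "Employee", "RegisteredGuest"
    device_type: Optional[str]     # profiled device type, e.g. "I-Device"
    credential: str                # workstation or user name, reported in the syslog
    port_domain: str               # assumed classification of the port's network: "UNCLASS" or "CLASSIFIED"

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Session], bool]
    result: str
    alert: bool = False            # send a syslog detailing the credential on a hit

# Assumed rule set, evaluated top to bottom; the first hit wins.
RULES: List[Rule] = [
    Rule("Cross-Domain Violation",
         lambda s: s.machine_ok and s.machine_group == "CLASSIFIED" and s.port_domain == "UNCLASS",
         "Access-Reject", alert=True),
    Rule("Employee + WS_Corp",
         lambda s: s.machine_ok and s.machine_group == "Workstation_Corp"
         and s.user_ok and s.user_group == "Employee",
         "Permit Access"),
    Rule("Machine only (pre-login)",
         lambda s: s.machine_ok and s.machine_group == "Workstation_Corp" and not s.user_ok,
         "AD Login Access"),
    Rule("Employee on I-Device",
         lambda s: not s.machine_ok and s.user_ok and s.user_group == "Employee"
         and s.device_type == "I-Device",
         "VDI Access"),
    Rule("Registered Guest",
         lambda s: s.user_ok and s.user_group == "RegisteredGuest",
         "Internet Only"),
]
DEFAULT_RESULT = "Access-Reject"

def authorize(session: Session, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Return (authorization result, syslog lines generated). Syslog format is constructed."""
    syslog: List[str] = []
    for rule in rules:
        if rule.matches(session):
            if rule.alert:
                syslog.append(f"AUTHZ-ALERT rule={rule.name!r} credential={session.credential} "
                              f"port_domain={session.port_domain} result={rule.result}")
            return rule.result, syslog
    return DEFAULT_RESULT, syslog

# Constructed sessions
CORP_USER = Session(True, "Workstation_Corp", True, "Employee", "Workstation", "Employee1", "UNCLASS")
BOOTING_PC = Session(True, "Workstation_Corp", False, None, "Workstation", "Corp-Win7-1", "UNCLASS")
EMPLOYEE_IPAD = Session(False, None, True, "Employee", "I-Device", "Employee1", "UNCLASS")
GUEST = Session(False, None, True, "RegisteredGuest", "I-Device", "guest-42", "UNCLASS")
WRONG_DOMAIN = Session(True, "CLASSIFIED", True, "Employee", "Workstation", "SIPR-WS-7", "UNCLASS")

if __name__ == "__main__":
    for s in (CORP_USER, BOOTING_PC, EMPLOYEE_IPAD, GUEST, WRONG_DOMAIN):
        print(s.credential, authorize(s))
```

Rule order matters: the violation rule sits first so that a classified machine with a valid employee user cannot fall through to "Permit Access"; the syslog line is what an operator would forward to the security admin's mailbox.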
Real Networks Can't Live on 802.1X Alone
Figure: 802.1X-enabled switchports carrying DHCP, TFTP, KRB5, HTTP and EAPoL. Endpoints shown: Managed Assets and an Employee (802.1X passed); a Guest, a Rogue device and an Employee with a bad credential (unauthenticated).

Building Your MAB Database: Profiling Tools Are Evolving
Probe-gathered information: ISE collects endpoint attributes through the SNMP probe, DHCP probe, HTTP probe and DNS probe.
Profile conditions, example: MAC OUI = Lexmark + DHCP Class ID contains "E260dn" = PROFILED: it's a Lexmark E260dn printer.

Building Your MAB Database: Profiling Tools Are Evolving
Figure: ISE with the RADIUS probe. Switches running Device Sensor (15.0(1)SE1) forward CDP, LLDP, DHCP and MAC information to ISE, so just one type of probe is needed. Device Classifier; ISE 1.1.

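The profiling rule from the previous slides (MAC OUI = Lexmark plus a DHCP class identifier containing "E260dn"), as an added example that is not ISE's profiler or any Cisco code: attributes from several probes are merged into one endpoint record, each profile's conditions add certainty weights, and the highest-scoring profile that reaches its minimum certainty wins. The OUI table, profile names, weights, minimum certainties and probe data are constructed for the example; a real deployment uses the IEEE OUI registry and the vendor's profile library.

```python
# Constructed OUI table (first three octets -> vendor).
OUI_VENDORS = {"00:20:00": "Lexmark", "00:21:9B": "Dell"}

# Constructed profiles: each condition is (attribute, operator, value, certainty weight).
# A profile matches when the summed weights reach its minimum certainty factor.
PROFILES = {
    "Lexmark-Device": {"min_certainty": 10, "conditions": [
        ("OUI", "equals", "Lexmark", 10)]},
    "Lexmark-E260dn-Printer": {"min_certainty": 30, "conditions": [
        ("OUI", "equals", "Lexmark", 10),
        ("dhcp-class-identifier", "contains", "E260dn", 20)]},
    "Cisco-IP-Phone": {"min_certainty": 30, "conditions": [
        ("cdpCachePlatform", "contains", "IP Phone", 30)]},
}

def oui(mac: str) -> str:
    return mac.upper().replace("-", ":")[:8]

def merge_probes(probe_results):
    """Fold attributes gathered by several probes (DHCP, SNMP, RADIUS/Device Sensor, ...)
    into one endpoint record; a later probe may add attributes but not blank earlier ones."""
    endpoint = {}
    for _probe, attrs in probe_results:
        for key, value in attrs.items():
            if value is not None:
                endpoint[key] = value
    endpoint["OUI"] = OUI_VENDORS.get(oui(endpoint["MAC"]))
    return endpoint

def certainty(endpoint, profile) -> int:
    score = 0
    for attr, op, value, weight in profile["conditions"]:
        observed = endpoint.get(attr)
        if observed is None:
            continue
        if op == "equals" and observed == value:
            score += weight
        elif op == "contains" and value in observed:
            score += weight
    return score

def classify(probe_results):
    """Pick the profile with the highest certainty that reaches its minimum; else Unknown."""
    endpoint = merge_probes(probe_results)
    best, best_score = "Unknown", 0
    for name, profile in PROFILES.items():
        score = certainty(endpoint, profile)
        if score >= profile["min_certainty"] and score > best_score:
            best, best_score = name, score
    return best, best_score

# Constructed probe data for four endpoints
PRINTER = [("RADIUS", {"MAC": "00:20:00:4a:1b:9c"}),
           ("DHCP", {"dhcp-class-identifier": "Lexmark E260dn"})]
LEXMARK_NO_DHCP = [("RADIUS", {"MAC": "00:20:00:11:22:33"})]
PHONE = [("RADIUS", {"MAC": "00:aa:bb:cc:dd:ee", "cdpCachePlatform": "Cisco IP Phone 7965"})]
LAPTOP = [("RADIUS", {"MAC": "00:21:9B:10:20:30"}),
          ("DHCP", {"dhcp-class-identifier": "MSFT 5.0"})]

if __name__ == "__main__":
    for name, data in (("printer", PRINTER), ("lexmark", LEXMARK_NO_DHCP),
                       ("phone", PHONE), ("laptop", LAPTOP)):
        print(name, classify(data))
```

The "Lexmark-Device" profile is the fallback when only the OUI is known; once the DHCP probe adds the class identifier the more specific printer profile outscores it, which is why adding probes (or the single Device Sensor feed) sharpens the MAB database.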
TACACS CLI CAC Login
DoD CAC capable for administration too: Admin UI Login (Sponsor Portal login coming soon)

Aruba with ISE Configuration Guide: works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more

Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready

Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness: make fully informed decisions with rich contextual awareness.
Who: Bob. What: Tablet. Where: Building 200, 1st floor. When: 11:00 AM EST on April 10th. How: Wireless. Result: the right user on the right device from the right place is granted the right access.
Poor context awareness: IP Address 192168151; Who, What, Where, When: Unknown. Result: any user, any device, anywhere gets on the network.

Better Visibility: Revamped the Endpoints Identity Page (screenshot; clicking the filters below)
New TrustSec Dashboard & Work Center (screenshot)
Improved Matrix: Color Coded + Condensed (two screenshots)

Enhance control with location-based authorization
Feature highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Capabilities:
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Benefits:
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
Figure (with the integration of Cisco MSE): a Doctor moves between the Lobby, a Patient room, the Lab and the ER; access to patient data is granted in some of these locations and denied in others according to the configured patient data access locations.

ISE 2.0 Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE. "I have location data": Campus / Building / Floor / Zone

How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• 150+ TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE queries the endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location changed. If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session.

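The tracking loop just described, as an added simulation that is not Cisco's implementation: a session is authorized on its MSE location at authentication time, a periodic pass re-queries MSE only for sessions whose last check is at least the interval old, and a changed location triggers reauthorization and a CoA event. The MSE stub, the `Secure_Access`/`Restricted_Access` profiles, the simulated clock and the "/"-separated location string are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECURE_ZONE = "LND_Campus1/Building1/Floor2/SecureZone"   # location named in the slide's rule
CHECK_INTERVAL = 300   # seconds: "about every 5 minutes" per the slide

def authorize(location: str) -> str:
    """Assumed authorization rule: MSE:Location Equals SECURE_ZONE -> Secure_Access profile."""
    return "Secure_Access" if location == SECURE_ZONE else "Restricted_Access"

@dataclass
class Session:
    mac: str
    location: str
    profile: str
    last_check: float
    coa_events: List[Tuple[float, str, str]] = field(default_factory=list)

class MseStub:
    """Constructed stand-in for Cisco MSE: answers location queries by MAC."""
    def __init__(self, positions: Dict[str, str]):
        self.positions = positions

    def location(self, mac: str) -> str:
        return self.positions.get(mac, "Unknown")

class LocationTracker:
    def __init__(self, mse: MseStub):
        self.mse, self.sessions = mse, {}

    def on_authenticated(self, mac: str, now: float) -> str:
        """Authentication time: fetch the location once and authorize on it."""
        loc = self.mse.location(mac)
        self.sessions[mac] = Session(mac, loc, authorize(loc), now)
        return self.sessions[mac].profile

    def tick(self, now: float) -> Dict[str, str]:
        """Periodic pass over tracked sessions; returns what happened to each."""
        actions = {}
        for s in self.sessions.values():
            if now - s.last_check < CHECK_INTERVAL:
                actions[s.mac] = "not-due"
                continue
            s.last_check = now
            new_loc = self.mse.location(s.mac)
            if new_loc == s.location:
                actions[s.mac] = "no-change"          # "if no location change, do nothing"
                continue
            s.location = new_loc                      # update the collection
            s.profile = authorize(new_loc)            # reauthorize on the new location
            s.coa_events.append((now, new_loc, s.profile))   # invoke CoA on the session
            actions[s.mac] = "coa"
        return actions

def demo():
    mac = "aa:bb:cc:00:00:01"                          # constructed endpoint
    mse = MseStub({mac: SECURE_ZONE})
    tracker = LocationTracker(mse)
    first = tracker.on_authenticated(mac, now=0)
    early = tracker.tick(now=120)
    same = tracker.tick(now=300)
    mse.positions[mac] = "LND_Campus1/Building1/Floor1/Lobby"   # the user walks out of the zone
    moved = tracker.tick(now=600)
    return first, early, same, moved, tracker.sessions[mac]

if __name__ == "__main__":
    print(demo())
```

The interval gate is what keeps the MSE query load bounded by the TPS budget; the CoA event is the hand-off point where a real deployment would send the RADIUS CoA to the access device so the new authorization takes effect.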
Centralized Control
Deeper Visibility
Superior Protection
Enterprise Mobility: control it all from a single location (network, data and application)
• Apply access and usage policies across the entire network
• Secure access from any location regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Figure: Wired, Wireless, Branch and VPN connections from Headquarters, Remote User, Partner, Admin, Contractor and Guest.

Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Figure: Device Profiling classifies Employee and IT Staff devices, which are granted access to the Internal Employee Intranet (www) and Confidential HR Records according to role.

Bring Your Own Device (BYOD): enable an easier and faster device onboarding
Feature highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience.
Capabilities:
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits:
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improved network operations: offload the onboarding of personal devices from IT
Effectively design, manage and control the access of BYOD:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network

Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest -> Internet)
• Simple self-registration (Guest -> Internet)
• Role-based access with employee sponsorship (Guest + Sponsor -> Internet and Network)

Guest Lifecycle Management: Hotspot
Feature highlight: immediate uncredentialed access with Hotspot. Guest access made easy.
1. User associates to an open SSID
2. User tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy the user is then allowed access to the network (figure shows a secret code: "chemist")
4. Day ends: at the end of the day the user is kicked off the network
Capabilities:
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode

Guest Lifecycle Management: Self Registration
Feature highlight: simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities:
• Flexible flows including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals

Endpoint Compliance: rest assured that ISE is keeping track
Figure: ISE checks OS patches, AV installed, Registered, custom criteria and Vulnerable status; failed items are marked X.
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices.

Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network.
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, Hotfix, AV/AS, Personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc...; Posture = Compliant
5. Authorize: Permit Access (dACL, dVLAN, SGT, etc...)
Capabilities:
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation

Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 highlights:
• File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check, User Agent Check, user-based process check
• Disk Encryption Check: checks can be based on installation location and disk encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enabled, Up-to-date)

File Checks: Posture Enhancements
OS X: similar to the registry check on Windows. Requires ISE 2.0 and AnyConnect 4.2 (screenshot).

Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon

Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state

Windows ISE Posture: Disk Encryption (screenshot)
Windows ISE Posture: Native Patch Management via OPSWAT (screenshot)

ISE Posture: Patch Management, Windows OS example (screenshot). Columns: product name and version; Install is the default supported check for all products, and a product may optionally support checks for "Enabled" or "Up to Date"; minimum version of the compliance module that provides support.
ISE Posture: Patch Management, Mac OS example (screenshot)

Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option

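The posture flow from the Posture Assessment slide, with the check types the ISE 2.0 enhancement slides describe (file SHA-256, daemon and user-agent presence, disk encryption state, patch management state) and the Mandatory / Optional / Audit modes, as one added example that is neither AnyConnect's nor ISE's logic: each check reports pass or fail with a remediation, the mode decides whether failures block, and the posture status maps to Permit Access or Quarantine. File paths, daemon labels, the "known good" plist bytes and the endpoint snapshots are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Check:
    name: str
    passes: Callable[[dict], bool]
    remediation: str                # action taken or offered on failure

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known good" plist content; an admin records its SHA-256 in the file check.
GOOD_PLIST = b"<plist><dict><key>Enabled</key><true/></dict></plist>"
GOOD_PLIST_SHA256 = sha256_hex(GOOD_PLIST)
PLIST_PATH = "/Library/Preferences/com.example.agent.plist"   # hypothetical path

CHECKS: List[Check] = [
    Check("plist file SHA-256 matches",
          lambda ep: sha256_hex(ep["files"].get(PLIST_PATH, b"")) == GOOD_PLIST_SHA256,
          "reinstall agent configuration"),
    Check("security daemon running",
          lambda ep: "com.example.secd" in ep["daemons"], "start daemon"),
    Check("user agent running",
          lambda ep: "com.example.useragent" in ep["user_agents"], "start user agent"),
    Check("disk encryption installed and enabled",
          lambda ep: ep["disk_encryption"]["installed"]
          and ep["disk_encryption"]["state"] == "encrypted",
          "enable disk encryption"),
    Check("patch management installed, enabled and up to date",
          lambda ep: all(ep["patch_mgmt"][k] for k in ("installed", "enabled", "up_to_date")),
          "install missing patches"),
]

def assess(endpoint: dict, mode: str) -> Tuple[str, List[str]]:
    """Run all checks; return (posture status, remediations for the failed checks).
    Mandatory: any failure -> Non-Compliant. Optional: failures are reported but the
    user may skip remediation, so the status is Compliant. Audit: assess and record only."""
    if mode not in ("Mandatory", "Optional", "Audit"):
        raise ValueError(f"unknown posture mode {mode!r}")
    failed = [c for c in CHECKS if not c.passes(endpoint)]
    remediations = [c.remediation for c in failed]
    if mode == "Mandatory" and failed:
        return "Non-Compliant", remediations
    return "Compliant", remediations

def authorize(posture: str) -> str:
    """Posture Unknown or Non-Compliant lands in quarantine (dVLAN/dACL/SGT); Compliant is permitted."""
    return "Permit Access" if posture == "Compliant" else "Quarantine"

# Constructed endpoint snapshots as an agent would report them
HEALTHY = {
    "files": {PLIST_PATH: GOOD_PLIST},
    "daemons": {"com.example.secd"},
    "user_agents": {"com.example.useragent"},
    "disk_encryption": {"installed": True, "state": "encrypted"},
    "patch_mgmt": {"installed": True, "enabled": True, "up_to_date": True},
}
UNENCRYPTED = {**HEALTHY, "disk_encryption": {"installed": True, "state": "decrypted"}}
TAMPERED = {**HEALTHY, "files": {PLIST_PATH: GOOD_PLIST + b"\n"}}

if __name__ == "__main__":
    for label, ep in (("healthy", HEALTHY), ("unencrypted", UNENCRYPTED), ("tampered", TAMPERED)):
        for mode in ("Mandatory", "Optional", "Audit"):
            status, todo = assess(ep, mode)
            print(label, mode, status, authorize(status), todo)
```

Audit mode is the rollout-friendly setting: it produces the same remediation list for the administrator's report without ever moving an endpoint into quarantine, which is how a team sizes the impact before switching a rule to Mandatory.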
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices.
Capabilities:
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Figure: 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access.

Streamline management using a single workspace
Feature highlight: the TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring. Intuitive work center and access policy matrix.
Capabilities:
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Benefits (with TrustSec's new user interface):
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
Figure: TrustSec Work Center access policy matrix. Source SGTs (rows): Guest, Contractor, Employee, Infected. Destination SGTs (columns): Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell holds Permit IP or Deny IP.

High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source objects NY, SF, LA, SJC (each a list of /24 subnets) -> Destination objects DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), together the Production Servers, and DC-RTP (VDI).
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object means extending this list again. A global bank currently dedicates 24 global resources to managing firewall rules: a complex task, and the high OPEX continues.

Low OPEX Security Policy Maintenance
Security group filtering: the same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2: Production Servers; DC-RTP VDI: VDI Servers), now classified by SGT. Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology. Simpler auditing process (low OPEX cost); simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources. Clear ROI in OPEX.

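The two slides above side by side, as an added example that is not Cisco's code: the traditional model expands each intent into one line per source prefix and destination prefix, so adding a site adds lines to every intent; the security-group model keeps the six-line policy from the slide as a (source SGT, destination SGT) matrix and only needs a classification for the new site. The prefixes, the prefix-to-SGT assignments and the `add_site` intents are constructed for the example; the slide's own subnets are not reproduced, and in practice user SGTs come from ISE at authentication rather than from static prefixes.

```python
from ipaddress import ip_address, ip_network
from typing import List

# Constructed placeholder prefixes for the slide's sites and servers.
SOURCES = {"NY": ["10.23.0.0/16"], "SF": ["10.31.0.0/16"],
           "LA": ["10.41.0.0/16"], "SJC": ["10.51.0.0/16"]}
DESTINATIONS = {"SRV1": ["192.0.2.10/32"], "SAP1": ["192.0.2.20/32"],
                "SCM2": ["198.51.100.30/32"], "VDI": ["198.51.100.40/32"]}

def traditional_acl(sources, destinations, intents) -> List[str]:
    """Expand (action, source object, destination object, service) intents into one
    ACL line per source prefix x destination prefix."""
    lines = []
    for action, src, dst, service in intents:
        for s in sources[src]:
            for d in destinations[dst]:
                lines.append(f"{action} {service} {s} -> {d}")
    return lines

# The slide's 16 traditional lines as intents
TRADITIONAL_INTENTS = [(a, site, dst, svc)
                       for site in ("NY", "SF", "LA", "SJC")
                       for a, dst, svc in (("permit", "SRV1", "HTTPS"),
                                           ("deny", "SAP1", "SQL"),
                                           ("deny", "SCM2", "SSH"))]
TRADITIONAL_INTENTS += [("permit", "NY", "VDI", "RDP"), ("deny", "SF", "VDI", "RDP"),
                        ("deny", "LA", "VDI", "RDP"), ("deny", "SJC", "VDI", "RDP")]

# Security group policy from the slide: (source SGT, destination SGT) -> ordered (action, service)
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGACL = {
    (SGT["Employee"], SGT["Production_Servers"]): [("permit", "HTTPS"), ("deny", "SQL"), ("deny", "SSH")],
    (SGT["Employee"], SGT["VDI"]): [("permit", "RDP")],
    (SGT["BYOD"], SGT["Production_Servers"]): [("deny", "any")],
    (SGT["BYOD"], SGT["VDI"]): [("permit", "RDP")],
}

# Constructed classification: first containing prefix wins.
ASSIGNMENTS = [("10.0.0.0/8", SGT["Employee"]),
               ("192.0.2.0/24", SGT["Production_Servers"]),
               ("198.51.100.30/32", SGT["Production_Servers"]),
               ("198.51.100.40/32", SGT["VDI"])]

def classify(ip: str, assignments=ASSIGNMENTS):
    addr = ip_address(ip)
    for prefix, sgt in assignments:
        if addr in ip_network(prefix):
            return sgt
    return None

def sg_decide(src_ip: str, dst_ip: str, service: str, default="deny") -> str:
    """Enforce the SGACL cell for the pair of tags; unmatched cells or services fall to default."""
    cell = SGACL.get((classify(src_ip), classify(dst_ip)), [])
    for action, svc in cell:
        if svc in ("any", service):
            return action
    return default

def add_site(name: str, prefix: str):
    """Growth in each model when a site is added: (ACL line count, SGACL cell count)."""
    sources = {**SOURCES, name: [prefix]}
    intents = TRADITIONAL_INTENTS + [("permit", name, "SRV1", "HTTPS"), ("deny", name, "SAP1", "SQL"),
                                     ("deny", name, "SCM2", "SSH"), ("deny", name, "VDI", "RDP")]
    return len(traditional_acl(sources, DESTINATIONS, intents)), len(SGACL)

if __name__ == "__main__":
    print(len(traditional_acl(SOURCES, DESTINATIONS, TRADITIONAL_INTENTS)), "ACL lines today")
    print(add_site("DEN", "10.61.0.0/16"), "after adding a site (ACL lines, SGACL cells)")
    print(sg_decide("10.61.4.4", "198.51.100.40", "RDP"), "for the new site, no policy edit")
```

The audit benefit follows from the shape of the data: reviewing the SGACL means reading four cells whose meaning is stated in business terms, while reviewing the ACL means proving that every prefix of every object appears in every line it should.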
Policy and segmentation
Figure: Access Layer and Aggregation Layer with VLANs for Voice, Data, Suppliers, Guest and Quarantine. Each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering. Simple segmentation needs 2 VLANs; more policies mean more VLANs. The design needs to be replicated for floors, buildings, offices and other facilities, and the cost could be extremely high.

Segmentation with Security Groups
Figure: Access Layer and Aggregation Layer up to the Data Center Firewall, retaining the initial VLAN/subnet design for Voice, Data, Suppliers, Guest and Quarantine, with a Data Tag, Supplier Tag, Guest Tag and Quarantine Tag applied. Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.

Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
• Give the right people on the right devices the right access to the right resources with TrustSec
Figure: three users in the Office. Who: Guest, What: iPad; Who: Receptionist, What: iPad; Who: Doctor, What: Laptop. Resources: Internet, Internal Employee Intranet, Confidential Patient Records.

"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network."
US-CERT

access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSec
Traditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation
53 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
BEFORE, DURING, AFTER
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
Context (When, Where, Who, How, What) flows between the Cisco Network, ISE, the pxGrid controller and the Cisco and Partner Ecosystem:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: Identity Services Engine and WSA mediate access from "Who: Doctor, What: Laptop, Where: Office", "Who: Doctor, What: iPad, Where: Office" and "Who: Guest, What: iPad, Where: Office" to Confidential Patient Records and the Employee Intranet.
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate source
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
TACACS+ Device Administration support for ISE 2.0: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than AireSpace OS
• Different for security apps than routers
• Different for ASA
• Differentiate based on location of device
USE NDGs
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Example Wireless LAN Controllers
Example Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0: 802.1X; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today."
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC: Info-Tech Research Group, 2014
Live Demo
Port-Based Access Control Using Authentication: IEEE 802.1X
Supplicant ↔ Authenticator: Layer 2 point-to-point, EAP over LAN (EAPoL); Authenticator ↔ ISE: Layer 3 link, RADIUS
Beginning: switch port in unused VLAN
Supplicant → Authenticator: EAPoL Start
Authenticator → Supplicant: EAPoL Request Identity
Supplicant → Authenticator: EAP-Response Identity: Alice
Authenticator → ISE: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle:
ISE → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
Authenticator → Supplicant: EAP-Request: PEAP
Supplicant → Authenticator: EAP-Response: PEAP
Authenticator → ISE: RADIUS Access-Request [AVP: EAP-Response PEAP]
Multiple challenge-request exchanges possible
End:
ISE → Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
Authenticator → Supplicant: EAP Success
Switch port now becomes active in the assigned VLAN
• 802.1X (EAPOL) is a delivery mechanism and doesn't provide the actual authentication mechanisms. Authentication is handled by the EAP type (TLS, PEAP).
Choosing Credentials for 802.1X
Common types: Passwords (Directory: username/password, e.g. alice / c1sC0L1v), Certificates (Certificate Authority), Tokens (Token Server)
Deciding factors: Security Policy; Validation; Distribution & Maintenance
Deployment best practices: re-use existing credentials; understand the limitations of existing systems
How To Submit Credentials
EAP Transport Layer Security (EAP-TLS): the client validates the server certificate (SERVER, ROOT) and the server validates the client certificate (CLIENT, ROOT); Valid Server + Valid Client = Authenticated.
Protected EAP (PEAP): the client validates the server certificate (SERVER, ROOT), then sends the user credentials (U: Hari, P: (password)) inside an ENCRYPTED TUNNEL; Valid Server, Hari is Authenticated.
Machine Authentication & User Authentication
Machine Account (e.g. host/machine) with a Machine Certificate; User Account (e.g. user@example.com) with a User Certificate
Tying Machine and User Authentications: User or Machine Auth is supported by supplicants; MAR and RADIUS Server policy can mandate both, but in different transactions. EAP-Chaining supports authentication of multiple credentials in a single EAP transaction.
MAR: Machine Access Restrictions
EAP Chaining Explained
Supplicant / Switch / RADIUS Server
Machine authentication:
EAPOL Start → RADIUS Access-Request [EAP-Tunnel=FAST]
RADIUS Access-Challenge [EAP-TLV="Machine"] → EAP Request TLV
EAP-Response TLV="Machine" → RADIUS Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
RADIUS Access-Accept, EAP Success, PAC
User authentication (Login):
EAPOL Start → RADIUS Access-Request [EAP-Tunnel=FAST]
RADIUS Access-Challenge [EAP-TLV="Machine"] → EAP Request TLV
EAP-Response TLV="User" → RADIUS Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
RADIUS Access-Accept, EAP Success, PAC
EAP-TEAP (Tunneled EAP): draft by IETF working group; next-gen EAP method; supports EAP Chaining
Cisco AnyConnect NAM 3.1: only supplicant supporting EAP Chaining today (EAP-FASTv2)
Cisco Identity Services Engine: supports EAP-Chaining from software version 1.1.1
PAC: Protected Access Credential
User + Machine Policy: Combined User Identity + Machine Identity (EAP Chaining)
Flowchart (labels only): Start Here; Machine: Workstation_Corp (Yes/No); User: Employee, Registered Guest, I-Device (Yes/No); Employee + WS_Corp; outcomes: Permit Access, AD Login Access, VDI Access, Internet Only, Access-Reject.
NIPR/SIPR Cross-Domain Violations
Flowchart (labels only): Start Here; Machine: CLASSIFIED / UNCLASS (Yes/No); User: Employee, Approved Visitor (Yes/No); Employee + WS_Corp; outcomes: Permit Access, Internet Only, Access-Reject.
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
Real Networks Can't Live on 802.1X Alone
Diagram (labels only): SWITCHPORT with 802.1X passed vs. unauthenticated; traffic seen on the port: DHCP, TFTP, KRB5, HTTP, EAPoL; endpoint types: Employee (bad credential), 1X enabled, Guest, Managed Assets, Rogue, Employee.
Profile Conditions: Probe-Gathered Information + Profile Conditions = PROFILED
Example: MAC OUI = Lexmark + DHCP Class ID contains E260dn → it's a Lexmark E260dn printer.
Building Your MAB Database: Profiling Tools Are Evolving
ISE probes: SNMP Probe, DHCP Probe, HTTP Probe, DNS Probe
Building Your MAB Database: Profiling Tools Are Evolving
With ISE 1.1, the ISE RADIUS Probe is just one type of probe: switches running Device Sensor (IOS 15.0(1)SE1) with the Device Classifier send CDP/LLDP/DHCP/MAC attributes to ISE.
TACACS CLI CAC Login
DoD CAC capable for administration too: Admin UI Login (Sponsor Portal login coming soon)
Aruba with ISE Configuration Guide: works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness
Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless
Make fully informed decisions with rich contextual awareness
Result: the right user on the right device from the right place is granted the right access
Poor context awareness
IP Address 192168151; Who: Unknown; What: Unknown; Where: Unknown; When: Unknown
Result: any user, any device, anywhere gets on the network
Better Visibility: Revamped the Endpoints Identity Page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes into the access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Example locations: Lobby, Patient room, Lab, ER; a Doctor is granted or denied access to patient data depending on the location.
ISE 2.0
Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE
"I have location data": Campus / Building / Floor / Zone
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• About 150 TPS (transactions per second)
• Endpoint movement: ISE can be configured to track the movement of the endpoint after authentication, using its MAC address. ISE queries this endpoint's location about every 5 minutes or so (based on the 150 TPS budget) after the last check to verify whether the location has changed.
• If there is no location change, nothing happens. If a new location is received, the collection is updated with the new information and a CoA is invoked on the session.
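The tracking loop above, as an added example that is not Cisco's code: a Python simulation of the per-endpoint check interval, the no-change and new-location branches, and the CoA. The MSE lookup, the CoA sender, the rule value, the MAC address and the profile names are constructed stand-ins; the 150 TPS budget and the five-minute interval are the slide's figures.

```python
"""Location-based reauthorization loop (added illustration, not Cisco's code).

Assumptions: the MSE lookup and the CoA sender are injected callables; the
rule value, MAC address and profile names are constructed. The 150 TPS
budget and the five-minute re-check interval are the slide's figures.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_TPS = 150            # MSE location queries per second that ISE budgets
MIN_INTERVAL_S = 300.0   # "about every 5 minutes" between checks of one endpoint


@dataclass
class Session:
    mac: str                               # endpoints are tracked by MAC address
    user: str
    location: Optional[str] = None         # hierarchical path Campus/Building/Floor/Zone
    profile: str = "Quarantine"            # constructed default authorization profile
    last_check: Optional[float] = None     # time of the last MSE query


@dataclass
class LocationRule:
    """Authorization rule of the form 'MSE:Location Equals <path> -> profile'."""
    location: str
    profile: str


def authorize(rules: List[LocationRule], location: Optional[str],
              default: str = "Quarantine") -> str:
    """First rule whose location matches wins; otherwise the default profile."""
    for rule in rules:
        if rule.location == location:
            return rule.profile
    return default


class LocationTracker:
    """Re-checks endpoint location after authentication and issues CoA on change."""

    def __init__(self, rules: List[LocationRule],
                 mse_lookup: Callable[[str], Optional[str]],
                 send_coa: Callable[[str, str], None]) -> None:
        self.rules = rules
        self.mse_lookup = mse_lookup   # mac -> current MSE location (None if unknown)
        self.send_coa = send_coa       # (mac, new profile) -> None
        self.sessions: List[Session] = []

    def add(self, session: Session) -> None:
        self.sessions.append(session)

    def check_interval(self) -> float:
        # Assumption: when more endpoints are tracked than 150 TPS can cover in
        # five minutes, the interval stretches so the query rate stays in budget.
        return max(MIN_INTERVAL_S, len(self.sessions) / MAX_TPS)

    def track(self, session: Session, now: float) -> bool:
        """Run one check at time `now`; True when the location changed and CoA was sent."""
        if session.last_check is not None and now - session.last_check < self.check_interval():
            return False                        # not due yet
        session.last_check = now
        new_location = self.mse_lookup(session.mac)
        if new_location == session.location:
            return False                        # no location change: do nothing
        session.location = new_location         # update the collection with the new info
        session.profile = authorize(self.rules, new_location)
        self.send_coa(session.mac, session.profile)   # invoke CoA on the session
        return True
```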
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram labels: Wired, Wireless, VPN, Branch, Headquarters, Enterprise Mobility, Remote User, Partner, Admin, Contractor/Guest
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Diagram labels: Employee, IT Staff, Device Profiling, Internal Employee Intranet (www), Confidential HR Records
Bring Your Own Device (BYOD)
Enable an easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience.
Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control the access of BYOD:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Hotspot: immediate uncredentialed Internet access (Guest → Internet)
Simple self-registration (Guest → Internet)
Role-based access with employee sponsorship (Guest + Sponsor → Internet and Network)
Guest Lifecycle Management: Hotspot
Guest access made easy
Feature Highlight: immediate un-credentialed access with Hotspot
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal example: Secret code: chemist)
Guest Lifecycle Management: Self Registration
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: simple and flexible Guest Self Registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including Email, printing and Instant Messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Endpoint Compliance: Rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom criteria, Vulnerable
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, Hotfix, AV, AS, Personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc…
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights / Description
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check, User Agent Check: user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator will be able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS example
Product Name and Version; Install is the default support for all; optionally may support checks for "Enabled" or "Up to Date"; Min Version of compliance module that provides support
ISE Posture: Patch Management, Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating System: Windows only supported
• Vendor Name: list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Flow labels: Register with ISE, Allow Internet Access, Register with MDM, Allow Corp Access, Internet
Streamline management using a single workspace with TrustSec's new user interface
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules.
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
TrustSec Work Center: access policy matrix with source SGTs (Guest, Contractor, Employee, Infected) as rows and destination SGTs (Internet, Contractor Resources, HR Server, Employee Resources, Remediation) as columns; each cell holds Permit IP or Deny IP.
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source (NY, SF, LA; SJC) to Destination (DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI))
NY subnets: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to manage firewall rules.
Complex task and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering: Source (NY, SF, LA, SJC), classified as Employee or BYOD, to Destination (DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI) = VDI Servers)
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization) (e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
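As an added example that is not Cisco's code, the following Python contrasts the two slides above: the same role-level intent is expanded into per-address ACL lines (one line per prefix/server pair, as in the High OPEX slide) and evaluated as an SGACL keyed only on source and destination SGT (the Low OPEX slide). The SGT numbers and the six policy lines are the slide's; the user prefixes, the BYOD prefix and the server addresses are constructed stand-ins.

```python
"""Per-address ACL vs. security-group policy (added illustration, not Cisco's code).

The six policy lines and the SGT numbers are the slide's; the user prefixes,
the BYOD prefix and the server addresses are constructed stand-ins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PORT = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}  # from slide

# The intent, written once per role pair: (src role, dst role, service, action).
# A service of None means "any" (the slide's "Deny BYOD to Production_Servers").
INTENT: List[Tuple[str, str, Optional[str], str]] = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]

# Traditional approach: roles have to be re-expressed as addresses (constructed).
ROLE_PREFIXES: Dict[str, List[str]] = {
    "Employee": ["10.2.34.0/24", "10.2.35.0/24",    # NY
                 "10.3.102.0/24",                   # SF
                 "10.3.152.0/24",                   # LA
                 "10.4.111.0/24"],                  # SJC
    "BYOD": ["10.9.0.0/16"],                        # constructed BYOD VLAN
}
SERVERS: Dict[str, List[str]] = {
    "Production_Servers": ["192.0.2.10", "192.0.2.20", "192.0.2.30"],  # SRV1, SAP1, SCM2
    "VDI": ["192.0.2.40"],
}


@dataclass(frozen=True)
class AclLine:
    action: str
    src_prefix: str
    dst_host: str
    port: Optional[int]      # None = any port


def expand_acl(intent, role_prefixes, servers) -> List[AclLine]:
    """One line per (source prefix, destination host) pair: the ACL grows multiplicatively."""
    lines: List[AclLine] = []
    for src_role, dst_role, service, action in intent:
        for prefix in role_prefixes.get(src_role, []):
            for host in servers[dst_role]:
                lines.append(AclLine(action, prefix, host, PORT[service] if service else None))
    return lines


def acl_decision(lines: List[AclLine], src_ip: str, dst_ip: str, port: int,
                 default: str = "deny") -> str:
    """First matching line wins; an address no line covers falls to the default."""
    src = ip_address(src_ip)
    for ln in lines:
        if (src in ip_network(ln.src_prefix) and dst_ip == ln.dst_host
                and (ln.port is None or ln.port == port)):
            return ln.action
    return default


def sgacl_decision(intent, src_sgt: int, dst_sgt: int, port: int,
                   default: str = "deny") -> str:
    """TrustSec view: the decision depends only on the tags, never on the address."""
    for src_role, dst_role, service, action in intent:
        if (SGT[src_role] == src_sgt and SGT[dst_role] == dst_sgt
                and (service is None or PORT[service] == port)):
            return action
    return default


def line_counts(extra_employee_prefix: Optional[str] = None) -> Tuple[int, int]:
    """(ACL lines, SGACL lines), optionally after adding one more Employee site."""
    prefixes = {role: list(p) for role, p in ROLE_PREFIXES.items()}
    if extra_employee_prefix:
        prefixes["Employee"].append(extra_employee_prefix)
    return len(expand_acl(INTENT, prefixes, SERVERS)), len(INTENT)
```

An employee who moves to a site whose prefix the ACL does not yet list falls to the default deny until new lines are written, while the SGACL answer for the same user is unchanged because the Employee tag travels with the user.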
Policy and segmentation
VLAN-based segmentation: Voice, Data, Suppliers, Guest, Quarantine across the Access Layer and Aggregation Layer
Per-VLAN concerns: VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies using more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Data Center Firewall
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Resources: Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
[Figure: a wall of "access-list 102 permit/deny ..." entries, each keyed on source and destination IP ranges and port comparisons, illustrating how unreadable a traditional IP-based security policy becomes]
Traditional Security Policy vs. TrustSec Security Policy (with TrustSec)
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
BEFORE, DURING, AFTER
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: When, Where, Who, How, What
Cisco and Partner Ecosystem; ISE; Cisco Network; pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid
With Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources
Who: Doctor / What: Laptop / Where: Office
Who: Doctor / What: iPad / Where: Office
Who: Guest / What: iPad / Where: Office
Identity Services Engine; WSA
Confidential Patient Records; Employee Intranet
Protect automatically with rapid threat containment
With Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities (flow)
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
• Administration > pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: Create a pxGrid mitigation action based on the mitigation source
Mitigation Actions:
• Quarantine
• Un-Quarantine
• Port Bounce
• Port Shutdown
• Session Re-Authenticate
• Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
TACACS+ Device Administration
Role-based access control
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: Increase security, compliance and auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Security Admin Team: TACACS+ Work Center
Network Admin Team: TACACS+ Work Center
TACACS+ Device Administration Support for ISE 2.0
The Device Admin Service is not enabled by default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type: Cisco IOS Switches; Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
With non-Cisco device integration:
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information, refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row
- Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today"
- Forrester 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives"
- Frost & Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC
- Info-Tech Research Group 2014
Live Demo
IEEE 802.1X: Port-Based Access Control Using Authentication
Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> ISE
Beginning: switchport in unused VLAN
EAPoL Start
EAPoL Request Identity
EAP-Response Identity: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle: multiple challenge-request exchanges possible
RADIUS Access-Challenge [AVP: EAP-Request PEAP] -> EAP-Request PEAP
EAP-Response PEAP -> RADIUS Access-Request [AVP: EAP-Response PEAP]
End: switchport now becomes active in the assigned VLAN
RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] -> EAP Success
• 802.1X (EAPOL) is a delivery mechanism; it doesn't provide the actual authentication mechanism. Authentication is handled by the EAP type (TLS, PEAP).
Choosing Credentials for 802.1X
Username / Password (Directory): alice / c1sC0L1v
Certificate Authority
Token Server
Common Types: Passwords, Certificates, Tokens
Deciding Factors: Security Policy, Validation, Distribution & Maintenance
Deployment Best Practices: re-use existing credentials; understand the limitations of existing systems
How To Submit Credentials
EAP Transport Layer Security (EAP-TLS): [figure: CLIENT validates the SERVER certificate against ROOT, SERVER validates the CLIENT certificate against ROOT; valid server, valid client; client is authenticated]
Protected EAP (PEAP): [figure: CLIENT validates the SERVER certificate against ROOT, then sends U: Hari, P: (password) inside an ENCRYPTED TUNNEL; valid server; Hari is authenticated]
User Authentication & Machine Authentication
Machine Account (e.g. host/machine) / User Account (e.g. user@example.com)
Machine Certificate / User Certificate
Tying Machine and User Authentications: User or Machine Auth is supported by supplicants. MAR and RADIUS Server policy can mandate both, but in different transactions. EAP-Chaining supports authentication of multiple credentials in a single EAP transaction.
MAR: Machine Access Restrictions
EAP Chaining Explained
Supplicant <-> Switch <-> RADIUS Server
Machine phase:
EAPOL Start -> RADIUS Access-Request [EAP-Tunnel=FAST]
RADIUS Access-Challenge [EAP-TLV="Machine"] -> EAP Request TLV
EAP-Response TLV="Machine" -> RADIUS Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
RADIUS Access-Accept, EAP Success, PAC
User phase (Login):
EAPOL Start -> RADIUS Access-Request [EAP-Tunnel=FAST] (PAC presented)
RADIUS Access-Challenge [EAP-TLV="Machine"] -> EAP Request TLV
EAP-Response TLV="User" -> RADIUS Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
RADIUS Access-Accept, EAP Success, PAC
EAP-TEAP (Tunneled EAP): Draft by IETF working group; next-gen EAP method; supports EAP Chaining
Cisco AnyConnect NAM 3.1: only supplicant supporting EAP Chaining today (EAP-FASTv2)
Cisco Identity Services Engine: supports EAP Chaining from the 1.1.1 software version
PAC: Protected Access Credential
User + Machine Policy: Combined User Identity + Machine Identity (EAP Chaining)
[Flowchart: Start Here; branches on Machine = Workstation_Corp (Yes/No), User = Employee (Yes/No), Registered Guest, I-Device; outcomes: Permit Access (Employee + WS_Corp), AD Login Access, VDI Access, Internet Only, Access-Reject]
NIPR/SIPR Cross-Domain Violations
[Flowchart: Start Here; branches on Machine = CLASSIFIED (Yes/No), User = Employee (Yes/No), Approved Visitor, UNCLASS; outcomes: Permit Access (Employee + WS_Corp), Internet Only, Access-Reject]
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin
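The two flowcharts above (combined user + machine policy, and the NIPR/SIPR cross-domain variant) both authorize on the pair of identities that EAP chaining delivers in one transaction. The following added example (written for this page, not ISE code) models that decision and the syslog record the cross-domain slide calls for. The group names, the result strings, the "AD Login Access" fallback for a machine with no logged-in user, the NIPR = UNCLASS / SIPR = CLASSIFIED mapping and the syslog line format are all assumptions made for the example; only the outcome names Permit Access, Internet Only and Access-Reject come from the slides.

```python
"""Authorization on a chained machine + user identity, with a cross-domain check (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

PERMIT, INTERNET_ONLY, REJECT = "Permit Access", "Internet Only", "Access-Reject"
AD_LOGIN = "AD Login Access"      # assumed name for the machine-only, pre-login state


@dataclass(frozen=True)
class ChainedIdentity:
    """What the RADIUS server learns from one EAP-chaining exchange."""
    machine: Optional[str]             # machine credential, e.g. "Corp-Win7-1"; None if absent/failed
    machine_groups: FrozenSet[str]     # directory groups of the machine account (assumed names)
    user: Optional[str]                # user credential, e.g. "Employee1"; None before login
    user_groups: FrozenSet[str]


def authorize(ident: ChainedIdentity) -> str:
    """Assumed rule set: corporate machine + employee gets full access; a
    corporate machine with nobody logged in gets only what a domain login
    needs; an employee or registered guest on an unmanaged device gets
    Internet only; anything else is rejected."""
    corp_machine = "Workstation_Corp" in ident.machine_groups
    employee = "Employee" in ident.user_groups
    guest = "RegisteredGuest" in ident.user_groups
    if corp_machine and employee:
        return PERMIT
    if corp_machine and ident.user is None:
        return AD_LOGIN
    if employee or guest:
        return INTERNET_ONLY
    return REJECT


def classification(ident: ChainedIdentity) -> str:
    """A machine account is CLASSIFIED when its directory group says so (assumed)."""
    return "CLASSIFIED" if "CLASSIFIED" in ident.machine_groups else "UNCLASS"


def cross_domain_check(ident: ChainedIdentity, network: str) -> Tuple[str, Optional[str]]:
    """Reject a machine whose classification does not match the network it
    connected to, and return the syslog line naming the credentials so the
    security admin can be alerted. network is "NIPR" (UNCLASS) or "SIPR"
    (CLASSIFIED); the mapping is an assumption for this example."""
    expected = "CLASSIFIED" if network == "SIPR" else "UNCLASS"
    actual = classification(ident)
    if actual != expected:
        # Constructed syslog format: severity 4 (warning), facility local0 -> PRI 132.
        msg = (f"<132>ISE cross-domain violation: machine={ident.machine} "
               f"user={ident.user} class={actual} network={network} result={REJECT}")
        return REJECT, msg
    return authorize(ident), None


if __name__ == "__main__":
    full = ChainedIdentity("Corp-Win7-1", frozenset({"Workstation_Corp"}),
                           "Employee1", frozenset({"Employee"}))
    print(authorize(full))
    secret = ChainedIdentity("SIPR-WS-7", frozenset({"Workstation_Corp", "CLASSIFIED"}),
                             "Employee1", frozenset({"Employee"}))
    print(cross_domain_check(secret, "NIPR"))
```

The point of returning the syslog text from the function rather than only printing it is that the alerting path (email to the security admin, in the slide's words) can be tested and routed independently of the enforcement decision.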
Real Networks Can't Live on 802.1X Alone
[Figure: switchports with 802.1X enabled; traffic types DHCP, TFTP, KRB5, HTTP, EAPoL; endpoint classes: Employee (802.1X passed), Employee (bad credential), Guest, Managed Assets, Rogue (unauthenticated)]
Building Your MAB Database: Profiling Tools Are Evolving
Profile Conditions + Probe-Gathered Information = PROFILED
Example: MAC OUI = Lexmark, and DHCP Class ID contains "E260dn", therefore it's a Lexmark E260dn printer
Probes feeding ISE: SNMP Probe, DHCP Probe, HTTP Probe, DNS Probe
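The slide's profiling example combines two conditions (vendor from the MAC OUI, model from the DHCP class identifier). The following added example (written for this page, not ISE code) shows that pattern as code: each condition contributes a certainty value, and an endpoint is assigned the best profile whose accumulated certainty reaches the profile's minimum, so a Lexmark device with no DHCP evidence still lands in a generic Lexmark profile rather than the printer one. The OUI table, the certainty weights and thresholds, the profile names and the sample endpoint records are constructed for the example.

```python
"""Endpoint profiling from probe-gathered attributes (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed OUI table: first three octets of the MAC, upper-case hex.
OUI_VENDOR = {
    "00:20:00": "Lexmark",   # assumed OUI for the example
    "00:1B:63": "Apple",     # assumed OUI for the example
}


def oui_vendor(mac: str) -> str:
    """Normalise any common MAC spelling (colons, dashes, dots) and look up the vendor."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    prefix = ":".join(digits[i:i + 2] for i in (0, 2, 4))
    return OUI_VENDOR.get(prefix, "Unknown")


@dataclass
class Condition:
    name: str
    test: Callable[[Dict[str, str]], bool]   # runs over the probe-gathered attributes
    certainty: int                           # how much a match contributes


@dataclass
class Profile:
    name: str
    min_certainty: int                       # threshold the total must reach
    conditions: List[Condition] = field(default_factory=list)

    def score(self, attrs: Dict[str, str]) -> int:
        return sum(c.certainty for c in self.conditions if c.test(attrs))


def has_vendor(vendor: str) -> Callable[[Dict[str, str]], bool]:
    return lambda a: oui_vendor(a["mac"]) == vendor


def attr_contains(key: str, needle: str) -> Callable[[Dict[str, str]], bool]:
    return lambda a: needle in a.get(key, "")


# Constructed profiles; the Lexmark E260dn one mirrors the slide's two conditions.
PROFILES = [
    Profile("Lexmark-Device", 10, [Condition("OUI is Lexmark", has_vendor("Lexmark"), 10)]),
    Profile("Lexmark-E260dn-Printer", 30, [
        Condition("OUI is Lexmark", has_vendor("Lexmark"), 10),
        Condition("DHCP class id contains E260dn", attr_contains("dhcp-class-identifier", "E260dn"), 20),
    ]),
    Profile("Apple-iPad", 30, [
        Condition("OUI is Apple", has_vendor("Apple"), 10),
        Condition("HTTP User-Agent mentions iPad", attr_contains("http-user-agent", "iPad"), 20),
    ]),
]


def profile_endpoint(attrs: Dict[str, str]) -> str:
    """Return the name of the highest-scoring profile that meets its own
    minimum certainty; ties go to the more specific (higher-threshold) profile."""
    best: Optional[Tuple[Profile, int]] = None
    for p in PROFILES:
        s = p.score(attrs)
        if s < p.min_certainty:
            continue
        if best is None or (s, p.min_certainty) > (best[1], best[0].min_certainty):
            best = (p, s)
    return best[0].name if best else "Unknown"


if __name__ == "__main__":
    # Constructed endpoint records as a DHCP probe and an HTTP probe might report them.
    printer = {"mac": "00-20-00-12-34-56", "dhcp-class-identifier": "Lexmark E260dn"}
    print(profile_endpoint(printer))   # Lexmark-E260dn-Printer
```

Because the DHCP class identifier is sent by the endpoint itself, a profile that rests on it alone is easy to spoof; weighting it together with probe data the endpoint does not control (the OUI here, or SNMP/CDP data in a richer deployment) is what keeps the assignment trustworthy enough to drive a MAB authorization.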
Building Your MAB Database: Profiling Tools Are Evolving
Just one type of probe: the RADIUS Probe
Device Sensor (IOS 15.0(1)SE1): CDP, LLDP, DHCP and MAC data gathered at the switch and reaching ISE 1.1 through the RADIUS probe
Device Classifier
DoD CAC capable for administration too: Admin UI Login; TACACS CLI CAC Login
(Sponsor Portal Login coming soon)
Works with any RADIUS-compliant device
Aruba with ISE Configuration Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Make fully informed decisions with rich contextual awareness
Poor context awareness: IP Address 192168151; Who: Unknown; What: Unknown; Where: Unknown; When: Unknown
Result: any user, any device, anywhere gets on the network
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless
Result: the right user on the right device from the right place is granted the right access
Context
Better Visibility: Revamped the Endpoints Identity page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Example (Doctor): Lobby: no access to patient data; Patient room: access to patient data; Lab: no access to patient data; ER: access to patient data
Patient data access locations (legend): Patient room, ER, Lab, Lobby
ISE 2.0 Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE
"I have Location Data": Campus, Building, Floor, Zone
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE Location Equals LND_Campus1 Building1 Floor2 SecureZone
• +150 TPS (transactions per second)
Endpoint Movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address. ISE queries this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location was received, the collection is updated with the new info and CoA is invoked on the session.
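The "How it works" steps above describe a polling loop with two outcomes. The following added example (written for this page, not ISE or MSE code) models that loop: an endpoint is tracked by MAC after authentication, its location is re-queried no sooner than the check interval, an unchanged location does nothing, and a changed location updates the stored context, re-evaluates the location rule and records a CoA. The location strings, the authorization rule, the MSE lookup stub, the 300-second interval as the encoding of "about every 5 minutes" and the CoA sink are all assumptions made for the example.

```python
"""Periodic location re-check with CoA on movement (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CHECK_INTERVAL_S = 300       # "about every 5 minutes", per the slide (assumed exact value)
SECURE_ZONE = "LND_Campus1 Building1 Floor2 SecureZone"   # location string from the slide's rule


@dataclass
class Session:
    mac: str
    location: Optional[str] = None
    last_check: float = 0.0
    authorization: str = "Deny"
    coa_events: List[str] = field(default_factory=list)   # stands in for CoA sent to the NAD


def authorize_by_location(location: Optional[str]) -> str:
    """Rule assumed for the example: the secure zone grants full access, the
    rest of the campus only basic access, and an unknown location is denied."""
    if location is None:
        return "Deny"
    if location == SECURE_ZONE:
        return "Permit Full"
    if location.startswith("LND_Campus1"):
        return "Permit Basic"
    return "Deny"


class LocationTracker:
    def __init__(self, query_mse: Callable[[str], Optional[str]]):
        self.query_mse = query_mse          # stub for the MSE lookup, keyed by MAC
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, mac: str, now: float) -> Session:
        """Initial authorization: fetch the location once and apply the rule."""
        s = Session(mac=mac, location=self.query_mse(mac), last_check=now)
        s.authorization = authorize_by_location(s.location)
        self.sessions[mac] = s
        return s

    def poll(self, now: float) -> List[str]:
        """Re-check every tracked endpoint whose interval has elapsed.
        Returns the MACs that moved and were re-authorized via CoA."""
        changed = []
        for s in self.sessions.values():
            if now - s.last_check < CHECK_INTERVAL_S:
                continue                     # too soon: keeps the MSE query rate bounded
            s.last_check = now
            new_loc = self.query_mse(s.mac)
            if new_loc == s.location:
                continue                     # no movement: do nothing
            s.location = new_loc             # update the collection with the new info
            s.authorization = authorize_by_location(new_loc)
            s.coa_events.append(f"CoA mac={s.mac} location={new_loc} result={s.authorization}")
            changed.append(s.mac)
        return changed


def demo():
    """Constructed MSE feed: a laptop sits in the secure zone for two checks, then walks to the lobby."""
    feed = {"00:11:22:33:44:55": [SECURE_ZONE, SECURE_ZONE, "LND_Campus1 Building1 Floor1 Lobby"]}

    def query(mac: str) -> Optional[str]:
        locs = feed[mac]
        return locs.pop(0) if len(locs) > 1 else locs[0]   # last entry repeats forever

    t = LocationTracker(query)
    s = t.authenticate("00:11:22:33:44:55", now=0)
    first = s.authorization
    early = t.poll(now=60)      # interval not elapsed: no query, no CoA
    same = t.poll(now=300)      # queried, same location: no CoA
    moved = t.poll(now=600)     # queried, moved to the lobby: CoA issued
    return first, early, same, moved, s.authorization, len(s.coa_events)


if __name__ == "__main__":
    print(demo())
```

Gating the query on `last_check` is what turns the slide's "+150 TPS" budget into a per-endpoint interval: with the interval fixed, the number of tracked endpoints determines the MSE query rate, so the interval is the knob to lengthen if the deployment grows beyond what the budget allows.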
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Access types: Wired, Wireless, VPN; Branch, Headquarters, Remote User; Enterprise Mobility
Apply access and usage policies across the entire network
Secure access from any location, regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Roles: Admin, Partner, Contractor, Guest
Enable faster and easier device onboarding without any IT support
Resources: Internal Employee Intranet (www), Confidential HR Records
Actors: IT Staff, Employee; Device Profiling
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Bring Your Own Device (BYOD)
Enable an easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments. Also integrates with PKI infrastructure
• End User "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
Better Security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Flow:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Guest: immediate uncredentialed Internet access with Hotspot (Internet)
Guest: simple self-registration (Internet)
Guest + Sponsor: role-based access with employee sponsorship (Internet and Network)
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate un-credentialed access with Hotspot
Guest access made easy
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (Secret code: chemist)
Slide 32
Guest Lifecycle Management: Self Registration
Feature highlight: simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
1. Guest is redirected to a captive portal for self-registration.
2. After filling in the registration request, the credentials are sent by ISE via SMS.
3. Guest enters the credentials.
4. Guest is allowed on the network.
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration/renewals
33copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
OS patches
AV installed
Registered
CustomCriteria Vulnerable
Endpoint Compliance Rest assured that ISE is keeping track
EMM integrationsIdentifies Device Checks postureEnsures policy
complianceQuarantines non-compliant devices
X
XX
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network. Flow:
1. Authenticate: authenticate the user, authenticate the endpoint; posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS/hotfix, AV/AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: user agent check, user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enabled, Up-to-date)
Slide 36
File Checks (Posture Enhancements)
OS X: similar to the registry check on Windows
ISE 2.0 / AnyConnect 4.2
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library used for the antivirus, antispyware and patch management applications
• Administrators can import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Slide 39
Windows ISE Posture – Disk Encryption (screenshot)
Slide 40
Windows ISE Posture – Native Patch Management via OPSWAT (screenshot)
Slide 41
ISE Posture – Patch Management: Windows OS example (support table)
Columns: product name and version; "Install" is the default supported check for all products, and checks for "Enabled" or "Up to Date" may optionally be supported; minimum version of the compliance module that provides support
Slide 42
ISE Posture – Patch Management: Mac OS example (support table)
Slide 43
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options:
  • Enable
  • Install missing patches
  • Activate the patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
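The posture flow on slide 34 and the ISE 2.0 check types on slides 35 to 43 (file hash, OS X daemon, disk encryption state, patch management) come together in the following added example. It is not Cisco's code or a description of the ISE agent; it is a toy evaluator that applies a constructed requirement set in the Mandatory/Optional/Audit modes the slides name and maps the result onto the quarantine-or-permit decision. Names such as `Endpoint`, `Requirement`, `evaluate_posture`, `authorize` and the placeholder identifiers (KB-EXAMPLE, com.example.agent, the plist path) are this example's own.

```python
# Added example (not Cisco's code): a toy posture-policy evaluator that mirrors
# the Authenticate -> Quarantine -> Assess -> Remediate -> Authorize flow and the
# Mandatory/Optional/Audit modes from the slides. Endpoint facts, requirement
# names and remediation labels are constructed sample data; the class and
# function names are this example's own.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Endpoint:
    os: str                       # "Windows" or "OSX"
    hotfixes: set                 # installed patch identifiers
    av_installed: bool
    av_up_to_date: bool
    disk_encrypted: bool          # disk encryption state check
    running_daemons: set          # OS X daemon / user-agent check
    files: dict                   # path -> SHA-256 hex (file check)


@dataclass
class Requirement:
    name: str
    applies_to: str               # "Windows", "OSX" or "*"
    mode: str                     # "mandatory", "optional" or "audit"
    check: Callable[[Endpoint], bool]
    remediation: str = "none"


def evaluate_posture(ep: Endpoint, reqs: list) -> dict:
    """Return posture status plus the remediations that would be triggered.
    Only a failed mandatory requirement makes the endpoint NonCompliant;
    optional failures are remediated without blocking, audit failures only logged."""
    failed, remediations, audit = [], [], []
    for r in reqs:
        if r.applies_to not in ("*", ep.os) or r.check(ep):
            continue
        if r.mode == "mandatory":
            failed.append(r.name)
            remediations.append(r.remediation)
        elif r.mode == "optional":
            remediations.append(r.remediation)
        else:
            audit.append(r.name)
    return {"status": "NonCompliant" if failed else "Compliant",
            "failed": failed,
            "remediate": [x for x in remediations if x != "none"],
            "audit": audit}


def authorize(ep: Endpoint, reqs: list) -> dict:
    """Map posture to the authorization result shown on the slide: a compliant
    endpoint gets the normal SGT/dACL, anything else lands in quarantine."""
    result = evaluate_posture(ep, reqs)
    if result["status"] == "Compliant":
        return {"access": "permit", "sgt": "Employee", "dacl": "PERMIT_ALL", **result}
    return {"access": "quarantine", "sgt": "Quarantine", "dacl": "REMEDIATION_ONLY", **result}


# Constructed requirement set (identifiers are placeholders, not real KBs or paths)
REQUIREMENTS = [
    Requirement("Critical hotfix KB-EXAMPLE present", "Windows", "mandatory",
                lambda e: "KB-EXAMPLE" in e.hotfixes, remediation="WSUS"),
    Requirement("AV installed and up to date", "*", "mandatory",
                lambda e: e.av_installed and e.av_up_to_date, remediation="AV update"),
    Requirement("Disk encryption enabled", "*", "mandatory",
                lambda e: e.disk_encrypted, remediation="message to user"),
    Requirement("Corporate agent daemon running", "OSX", "optional",
                lambda e: "com.example.agent" in e.running_daemons, remediation="launch app"),
    Requirement("Agent plist hash matches", "OSX", "audit",
                lambda e: e.files.get("/Library/Preferences/com.example.plist") == "ab" * 32),
]


def demo_windows() -> dict:
    """Constructed endpoint that satisfies every applicable requirement."""
    ep = Endpoint("Windows", {"KB-EXAMPLE"}, True, True, True, set(), {})
    return authorize(ep, REQUIREMENTS)


def demo_mac() -> dict:
    """Constructed OS X endpoint: unencrypted disk, agent not running, no plist."""
    ep = Endpoint("OSX", set(), True, True, False, set(), {})
    return authorize(ep, REQUIREMENTS)


if __name__ == "__main__":
    print(demo_windows())
    print(demo_mac())
```

The Mac endpoint fails one mandatory check (disk encryption), so it is quarantined with the remediation list carrying both the mandatory and the optional fix, while the audit-mode plist check is only recorded. This is the distinction the Mandatory/Optional/Audit modes make during a rollout: an audit policy lets an administrator see how many endpoints would fail before enforcement is switched on.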
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the MyDevices portal (device stolen, wipe corporate data)
Flow shown (steps 1 to 4): register with ISE; allow Internet access; register with MDM; allow corporate access
Slide 45
TrustSec Work Center: streamline management using a single workspace
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring, with an intuitive work center and access policy matrix.
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation, with TrustSec's new user interface
Automate configuration of new SGT policies and authorization rules
Access policy matrix (slide graphic): source SGTs Guest, Contractor, Employee and Infected on one axis; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation on the other; each cell holds a Permit IP or Deny IP SGACL
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: source (NY, SF, LA, SJC site subnets) to destination (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2 production servers; DC-RTP VDI)
ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Source subnets for NY: a list of /24 prefixes (addresses garbled in extraction) ...
A global bank currently dedicates 24 global resources to managing firewall rules. The complex task and high OPEX continue.
Slide 47
Low OPEX Security Policy Maintenance
Security group filtering (same NY, SF, LA and SJC sources; same production, VDI and BYOD endpoints):
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources
Clear ROI in OPEX
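The contrast between slides 46 and 47 can be made concrete with the following added example (this is not Cisco's code and not how ISE stores its matrix). It takes the six SGT policy lines and tag numbers from slide 47, expands them into the per-object ACL lines a traditional firewall would need for a constructed set of sites and servers, and shows that adding a site changes the ACL count but leaves the SGT policy untouched. It also evaluates a flow by the numeric tags a frame would carry. The membership lists and the `lookup`, `expand_to_acl`, `add_member` and `compare` helpers are assumptions of this example.

```python
# Added example (not Cisco's code): shows why the SGT policy on this slide stays
# flat while an IP/object-based ACL grows with every site or server added, and
# how a flow is evaluated against the SGT matrix. Group names, SGT numbers and
# the six policy lines come from the slides; site and server membership is
# constructed.
from itertools import product

SGT_NUMBERS = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# (source group, destination group, service, action), in evaluation order
SGT_POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL",   "deny"),
    ("Employee", "Production_Servers", "SSH",   "deny"),
    ("Employee", "VDI",                "RDP",   "permit"),
    ("BYOD",     "Production_Servers", "any",   "deny"),
    ("BYOD",     "VDI",                "RDP",   "permit"),
]

# Constructed membership: which concrete objects sit behind each group today
MEMBERS = {
    "Employee": ["NY", "SF", "LA", "SJC"],
    "BYOD": ["BYOD-NY", "BYOD-SF"],
    "Production_Servers": ["SRV1", "SAP1", "SCM2"],
    "VDI": ["VDI"],
}


def expand_to_acl(policy, members):
    """Traditional ACL: one line per (source object, destination object, service)."""
    return [f"{action} {s} to {d} for {svc}"
            for src, dst, svc, action in policy
            for s, d in product(members[src], members[dst])]


def lookup(policy, src_sgt, dst_sgt, service):
    """SGT matrix lookup: first matching cell wins, no match is an implicit deny."""
    for src, dst, svc, action in policy:
        if src == src_sgt and dst == dst_sgt and svc in (service, "any"):
            return action
    return "deny"


def lookup_by_number(policy, src_num, dst_num, service):
    """Same lookup keyed by the numeric tags carried with the traffic."""
    names = {v: k for k, v in SGT_NUMBERS.items()}
    return lookup(policy, names[src_num], names[dst_num], service)


def add_member(members, group, name):
    """Adding an object to a group: returns new membership, policy untouched."""
    updated = {g: list(m) for g, m in members.items()}
    updated[group].append(name)
    return updated


def compare(members):
    """Rule count a firewall ACL needs versus the number of SGT policy lines."""
    return {"acl_lines": len(expand_to_acl(SGT_POLICY, members)),
            "sgt_rules": len(SGT_POLICY)}


if __name__ == "__main__":
    print(compare(MEMBERS))                                    # 48 ACL lines vs 6 SGT rules
    print(compare(add_member(MEMBERS, "Employee", "DEN")))     # 58 vs 6
    print(lookup_by_number(SGT_POLICY, 10, 50, "HTTPS"))       # permit
    print(lookup_by_number(SGT_POLICY, 200, 50, "HTTPS"))      # deny
```

The implicit deny at the end of `lookup` matters for auditing: a flow between two tags with no cell defined is dropped rather than silently allowed, so a reviewer only has to read the six policy lines to know what is reachable.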
Slide 48
Policy and segmentation with VLANs
Access layer and aggregation layer; VLANs for Voice, Data, Suppliers, Guest and Quarantine
Each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost can be extremely high
Slide 49
Segmentation with security groups
Retaining the initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine), with a data center firewall
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers: Data tag, Supplier tag, Guest tag, Quarantine tag
Diagram labels: Access Layer, Aggregation Layer
Slide 50
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Example (slide graphic): resources Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest; What: iPad; Where: Office
Who: Receptionist; What: iPad; Where: Office
Who: Doctor; What: Laptop; Where: Office
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
– US-CERT
Slide 52
Traditional Security Policy vs. TrustSec Security Policy
[Slide graphic: several hundred lines of a traditional "access-list 102 permit/deny ..." ACL with arbitrary source and destination addresses, wildcard masks and port operators (addresses garbled in extraction), contrasted with a short TrustSec policy]
With TrustSec: security control automation, simplified access management, improved security efficacy
Network fabric: flexible and scalable policy enforcement on switch, router, DC firewall, DC switch and wireless (software-defined segmentation)
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE shares who, what, where, when and how context before, during and after an attack with:
NetFlow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
Slide 57
And easily integrates with partner solutions
The ISE pxGrid controller shares who, what, where, when and how context with Cisco Meraki and with partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (when, where, who, how, what) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature highlight: enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources
Example (slide graphic): ISE and the WSA mediate access to Confidential Patient Records and the Employee Intranet for Doctor/Laptop/Office, Doctor/iPad/Office and Guest/iPad/Office
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature highlight: automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Flow shown:
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration -> pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate source
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Diagram: data flows between the Admin, Enterprise, POS and Vendor zones)
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
(Diagram zones: Admin, Enterprise, POS, Vendor, Employee, Dev)
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
(Diagram: the Security Admin Team and the Network Admin Team each use the TACACS+ Work Center; TACACS+ device administration support is new in ISE 2.0)
Slide 66
The Device Admin service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Slide 68
Use policy sets based on device type: Cisco IOS switches, Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row (Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011)
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Slide 74
Live Demo
Slide 5
IEEE 802.1X: Port-Based Access Control Using Authentication
Supplicant <- EAP over LAN (EAPoL), Layer 2 point-to-point -> Authenticator <- RADIUS, Layer 3 link -> ISE
Beginning (switchport in an unused VLAN):
  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> ISE: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle:
  ISE -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request PEAP
  Supplicant -> Authenticator: EAP-Response PEAP
  Authenticator -> ISE: RADIUS Access-Request [AVP: EAP-Response PEAP]
  Multiple challenge/request exchanges are possible
End (switchport now becomes active in the assigned VLAN):
  ISE -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  Authenticator -> Supplicant: EAP Success
• 802.1X (EAPoL) is a delivery mechanism; it does not provide the actual authentication mechanisms. Authentication is handled by the EAP type (TLS, PEAP, ...).
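The RADIUS leg of this exchange is where the authenticator and ISE protect each other against a forged message, and the slide does not show that detail. The following added example (not from the slides, not Cisco's code) builds the Access-Request that carries the supplicant's EAP-Response/Identity "Alice" in an EAP-Message AVP, computes the Message-Authenticator that RFC 3579 requires on EAP-carrying requests, and then validates the Response Authenticator on the Access-Accept that carries EAP Success and the VLAN. The shared secret, the packet identifier, the Request Authenticator and the VLAN attribute value are constructed; `avp`, `build_access_request`, `verify_response` and the other helper names are this example's own.

```python
# Added example (not from the slides or Cisco): builds the RADIUS Access-Request
# that carries the supplicant's EAP-Response/Identity ("Alice", as in the slide)
# and checks the authenticators on both sides of the Layer 3 link: the server
# verifies Message-Authenticator on the request (RFC 3579), the authenticator
# (switch) verifies the Response Authenticator on the Access-Accept (RFC 2865),
# which is what stops a forged or altered Access-Accept from opening the port.
# The shared secret, packet identifier and attribute values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81          # carries the VLAN shown on the slide
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP packet: Code(1) Id(1) Length(2) Type(1) Type-Data."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, includes the 2 header bytes) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(secret: bytes, ident: int, req_auth: bytes, identity: str) -> bytes:
    """Access-Request with EAP-Message plus a Message-Authenticator computed as
    HMAC-MD5 over the whole packet with the authenticator field zeroed."""
    attrs = avp(ATTR_USER_NAME, identity.encode()) + \
            avp(ATTR_EAP_MESSAGE, eap_identity_response(1, identity))
    zeroed = attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + req_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: locate attribute 80, zero it, recompute the HMAC-MD5."""
    i = 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += l
    return False


def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def build_access_accept(secret, ident, req_auth, attrs) -> bytes:
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + \
           response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret) + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Switch side: the reply must be bound to our Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                       # fresh Request Authenticator
    req = build_access_request(secret, 7, req_auth, "Alice")
    # Reply: EAP Success plus VLAN 10 (tag 0x01 + group id), as on the slide
    attrs = avp(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, 1, 4)) + \
            avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")
    accept = build_access_accept(secret, 7, req_auth, attrs)
    return {
        "request_len": len(req),
        "request_ok": verify_message_authenticator(req, secret),
        "request_wrong_secret": verify_message_authenticator(req, b"other"),
        "accept_ok": verify_response(accept, req_auth, secret),
        "accept_forged": verify_response(accept, req_auth, b"other"),
        "accept_tampered": verify_response(accept[:-2] + b"99", req_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the checks make visible: the Response Authenticator binds the Accept to the random Request Authenticator, so a replayed Accept from an earlier session fails, and changing even the VLAN value in transit (the "tampered" case) invalidates it. Both depend entirely on the shared secret, which is why a unique, strong secret per NAD matters in an ISE deployment.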
Slide 6
Choosing Credentials for 802.1X
Common types: passwords (username/password in a directory, e.g. alice / c1sC0L1v), certificates (Certificate Authority), tokens (token server)
Deciding factors: security policy, validation, distribution and maintenance
Deployment best practices: re-use existing credentials; understand the limitations of existing systems
Slide 7
How To Submit Credentials
EAP Transport Layer Security (EAP-TLS): the client validates the server certificate (SERVER, chained to ROOT) and the server validates the client certificate (CLIENT); valid server, valid client, client authenticated
Protected EAP (PEAP): the client validates the server certificate (SERVER, chained to ROOT), then sends the user credentials (U: Hari, P: ...) inside the encrypted tunnel; Hari is authenticated
Tying machine and user authentications
Machine authentication: machine account, e.g. host/machine; machine certificate
User authentication: user account, e.g. user@example.com; user certificate
• User or machine authentication is supported by supplicants
• MAR (Machine Access Restrictions) and RADIUS server policy can mandate both, but in different transactions
• EAP Chaining supports authentication of multiple credentials in a single EAP transaction
Slide 8
EAP Chaining Explained
Participants: Supplicant, Switch, RADIUS Server. PAC: Protected Access Credential.
Machine phase:
  Supplicant -> Switch: EAPOL Start
  Switch -> RADIUS Server: RADIUS Access-Request [EAP-Tunnel=FAST]
  RADIUS Server -> Switch: RADIUS Access-Challenge [EAP-TLV="Machine"]
  Switch -> Supplicant: EAP Request TLV
  Supplicant -> Switch: EAP-Response TLV="Machine"
  Switch -> RADIUS Server: RADIUS Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
  RADIUS Server -> Switch -> Supplicant: RADIUS Access-Accept / EAP Success, with PAC
Login (user phase):
  Supplicant -> Switch: EAPOL Start
  Switch -> RADIUS Server: RADIUS Access-Request [EAP-Tunnel=FAST]
  RADIUS Server -> Switch: RADIUS Access-Challenge [EAP-TLV="Machine"]
  Switch -> Supplicant: EAP Request TLV
  Supplicant -> Switch: EAP-Response TLV="User"
  Switch -> RADIUS Server: RADIUS Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
  RADIUS Server -> Switch -> Supplicant: RADIUS Access-Accept / EAP Success, with PAC
• EAP-TEAP (Tunneled EAP): draft by an IETF working group; next-generation EAP method; supports EAP Chaining
• Cisco AnyConnect NAM 3.1: the only supplicant supporting EAP Chaining today (EAP-FASTv2)
• Cisco Identity Services Engine: supports EAP Chaining from software version 1.1.1

User + Machine Policy: Combined User Identity + Machine Identity (EAP Chaining)
Flow chart outline: starting from the authentication result, the policy checks Machine = Workstation_Corp?, User = Employee?, Registered Guest? and I-Device?, and ends in one of Permit Access (Employee + WS_Corp), AD Login Access / VDI Access, Internet Only, or Access-Reject.

NIPR/SIPR Cross-Domain Violations
Flow chart outline: starting from the authentication result, the policy checks Machine = CLASSIFIED?, UNCLASS?, Approved Visitor? and User = Employee?, and ends in Permit Access (Employee + WS_Corp), Internet Only, or Access-Reject.
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.

Real Networks Can't Live on 802.1X Alone
Diagram outline: two switchports with 1X enabled; managed assets and employees pass 802.1X via EAPoL, while an employee with a bad credential, a guest and a rogue device remain unauthenticated; both sides carry DHCP, TFTP, KRB5 and HTTP traffic.

Building Your MAB Database: Profiling Tools Are Evolving
Probe-gathered information feeds ISE from an SNMP probe, a DHCP probe, an HTTP probe and a DNS probe.
Profile conditions example: MAC OUI = Lexmark + DHCP Class ID contains "E260dn" = PROFILED: it's a Lexmark E260dn printer.
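How the two-condition rule above turns probe data into a profile, as an added example that is not ISE code: the OUI table, attribute names, certainty weights and minimum-certainty thresholds are constructed assumptions, and the endpoint records are made up.

```python
"""Rule-based endpoint profiling over probe-gathered attributes, after the
"MAC OUI = Lexmark + DHCP Class ID contains E260dn" example.  Added example,
not ISE code: the OUI table, attribute names, certainty weights and
minimum-certainty thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import Tuple

# Constructed OUI table (first three octets -> vendor) for the example.
OUI_TABLE = {
    "00:20:00": "Lexmark",
    "3c:52:82": "HP",
    "00:0c:29": "VMware",
}


@dataclass(frozen=True)
class Condition:
    attribute: str      # probe attribute, e.g. "OUI" or "dhcp-class-identifier"
    op: str             # "equals" or "contains"
    value: str
    certainty: int      # certainty factor added when the condition matches

    def matches(self, attrs: dict) -> bool:
        seen = attrs.get(self.attribute)
        if seen is None:
            return False
        if self.op == "equals":
            return seen.lower() == self.value.lower()
        if self.op == "contains":
            return self.value.lower() in seen.lower()
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Profile:
    name: str
    family: str                   # profiles in one family refine each other
    conditions: Tuple[Condition, ...]
    min_certainty: int            # total certainty needed to assign the profile


# Assumed profiles: a generic vendor profile and a model-specific child.
PROFILES = (
    Profile("Lexmark-Device", "Lexmark",
            (Condition("OUI", "equals", "Lexmark", 10),), 10),
    Profile("Lexmark-E260dn-Printer", "Lexmark",
            (Condition("OUI", "equals", "Lexmark", 10),
             Condition("dhcp-class-identifier", "contains", "E260dn", 20)), 30),
    Profile("Windows-Workstation", "Microsoft",
            (Condition("dhcp-class-identifier", "contains", "MSFT", 20),), 20),
)


def enrich(raw: dict) -> dict:
    """Derive the OUI attribute from the MAC the way a profiler would."""
    attrs = dict(raw)
    mac = attrs.get("MAC", "").lower()
    vendor = OUI_TABLE.get(mac[:8])
    if vendor:
        attrs["OUI"] = vendor
    return attrs


def profile_endpoint(raw: dict, profiles=PROFILES) -> Tuple[str, int, bool]:
    """Return (profile name, certainty, conflict).  The best-scoring profile
    that reaches its minimum certainty wins; conflict is True when profiles
    from different families both qualify, i.e. the probes disagree about
    what the device is and the endpoint deserves a manual look."""
    attrs = enrich(raw)
    qualified = []
    for p in profiles:
        total = sum(c.certainty for c in p.conditions if c.matches(attrs))
        if total >= p.min_certainty:
            qualified.append((total, p))
    if not qualified:
        return "Unknown", 0, False
    qualified.sort(key=lambda t: t[0], reverse=True)
    best_total, best = qualified[0]
    conflict = any(p.family != best.family for _, p in qualified)
    return best.name, best_total, conflict


# Constructed probe records (what the DHCP/SNMP/RADIUS probes would collect).
SAMPLE_ENDPOINTS = {
    "printer": {"MAC": "00:20:00:11:22:33", "dhcp-class-identifier": "Lexmark E260dn"},
    "laptop": {"MAC": "3c:52:82:44:55:66", "dhcp-class-identifier": "MSFT 5.0"},
    "odd": {"MAC": "00:20:00:aa:bb:cc", "dhcp-class-identifier": "MSFT 5.0"},
}
```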

Building Your MAB Database: Profiling Tools Are Evolving
Device Sensor (IOS 15.0(1)SE1) and Device Classifier collect CDP, LLDP, DHCP and MAC information on the switch and send it to ISE 1.1 over RADIUS (the RADIUS probe, just one type of probe).

DoD CAC capable for administration too: TACACS+ CLI CAC login, Admin UI login (Sponsor Portal login coming soon)

Aruba with ISE Configuration Guide: works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more

Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready

Centralized Control / Deeper Visibility / Superior Protection

Make fully informed decisions with rich contextual awareness
Context    Extensive context awareness      Poor context awareness
Who        Bob                              IP address 192.168.1.51
What       Tablet                           Unknown
Where      Building 200, 1st floor          Unknown
When       11:00 AM EST on April 10th       Unknown
How        Wireless                         Unknown
Result: with rich context, the right user on the right device from the right place is granted the right access; with poor context, any user on any device anywhere gets on the network.

Better Visibility: revamped Endpoints Identity page (filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: color coded + condensed

Enhance control with location-based authorization
Feature highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized. The admin defines a location hierarchy and grants users specific access rights based on their location.
Benefits:
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
Capabilities:
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Example (hospital): a doctor has access to patient data in a patient room and in the ER, and no access to patient data in the lobby or the lab. Patient data access locations: patient room, ER.

ISE 2.0 Location Based Authorization: authorize user access to the network based on their location. UI to configure MSE; location data is organized as Campus / Building / Floor / Zone.

How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE:Location Equals LND_Campus1Building1Floor2SecureZone (the campus / building / floor / zone hierarchy)
• 150+ TPS (transactions per second)
• Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC. ISE queries this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check, to verify whether the location changed.
• If there is no location change, do nothing. If a new location was received, update the collection with the new information and invoke CoA on the session.
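The check-and-CoA loop above, as an added example rather than Cisco code: the MSE client is a constructed stub, the "#"-separated Campus#Building#Floor#Zone string, the rule names and the authorization profile names are assumptions, and the hospital policy follows the patient-data example earlier in the deck.

```python
"""Location-based authorization with endpoint movement tracking, modelled
on the ISE 2.0 / Cisco MSE integration described on the slides.  Added
example, not Cisco's code: the MSE client is a constructed stub; the
'#'-separated hierarchy string, rule names and profile names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLL_INTERVAL_SECONDS = 300   # slide: "about every 5 minutes or so"
LEVELS = ("Campus", "Building", "Floor", "Zone")


def parse_location(loc: str) -> Dict[str, Optional[str]]:
    """Split an MSE hierarchy string into its levels (missing levels -> None)."""
    parts = loc.split("#")
    return {lvl: (parts[i] if i < len(parts) else None)
            for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class Rule:
    name: str
    level: str        # hierarchy level the condition looks at
    equals: str       # required value of that level
    profile: str      # authorization profile applied on match


# Assumed policy for the hospital example: patient data is reachable only
# from a patient room or the ER; everything else gets the default profile.
RULES = (
    Rule("Doctor_PatientRoom", "Zone", "PatientRoom", "Patient_Data_Access"),
    Rule("Doctor_ER", "Zone", "ER", "Patient_Data_Access"),
)
DEFAULT_PROFILE = "No_Patient_Data"


def authorize(location: str, rules=RULES) -> str:
    """First-match authorization on the MSE location attribute."""
    levels = parse_location(location)
    for rule in rules:
        if levels.get(rule.level) == rule.equals:
            return rule.profile
    return DEFAULT_PROFILE


class MSEStub:
    """Constructed stand-in for MSE: answers each lookup with the next
    scripted location for that MAC and holds the last one afterwards."""
    def __init__(self, script: Dict[str, List[str]]):
        self.script = {mac: list(locs) for mac, locs in script.items()}

    def location_of(self, mac: str) -> Optional[str]:
        seq = self.script.get(mac)
        if not seq:
            return None
        return seq.pop(0) if len(seq) > 1 else seq[0]


@dataclass
class Session:
    mac: str
    location: str
    profile: str
    coa_events: list = field(default_factory=list)


def check_movement(session: Session, mse: MSEStub) -> Optional[str]:
    """One periodic check for a tracked endpoint.  Same location: do nothing.
    New location: update the session, re-run authorization and invoke CoA so
    the new profile takes effect.  Returns the profile pushed by CoA, or
    None when nothing happened (including MSE not knowing the endpoint)."""
    current = mse.location_of(session.mac)
    if current is None or current == session.location:
        return None
    session.location = current
    new_profile = authorize(current)
    session.coa_events.append((current, new_profile))   # the CoA record
    session.profile = new_profile
    return new_profile


def simulate(session: Session, mse: MSEStub, polls: int) -> List[Optional[str]]:
    """Run the check `polls` times, one POLL_INTERVAL_SECONDS apart."""
    return [check_movement(session, mse) for _ in range(polls)]


# Constructed movement script for one doctor's laptop.
SAMPLE_SCRIPT = {"00:11:22:33:44:55": [
    "Hospital#Building1#Floor2#PatientRoom",
    "Hospital#Building1#Floor2#PatientRoom",
    "Hospital#Building1#Floor1#Lobby",
    "Hospital#Building1#Floor2#ER",
]}


def demo():
    start = SAMPLE_SCRIPT["00:11:22:33:44:55"][0]
    session = Session("00:11:22:33:44:55", start, authorize(start))
    events = simulate(session, MSEStub(SAMPLE_SCRIPT), polls=5)
    return session, events
```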

Centralized Control / Deeper Visibility / Superior Protection

Control it all from a single location: network, data and application
Enterprise mobility across wired, wireless and VPN, branch and headquarters; users, partners, remote users, admins, contractors and guests.
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed

Enable faster and easier device onboarding without any IT support
Diagram outline: employee device profiling, IT staff, the internal employee intranet, confidential HR records and www.
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles

Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature highlight: easy and secure access to the network from any device, with a simple configuration flow and onboarding experience.
Capabilities:
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in certificate authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits:
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improved network operations: offload the onboarding of personal devices from IT
Effectively design, manage and control BYOD access:
1. The user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network

Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (guest -> Internet)
• Simple self-registration (guest -> Internet)
• Role-based access with employee sponsorship (guest + sponsor -> Internet and network)

Guest Lifecycle Management: Hotspot
Feature highlight: immediate uncredentialed access with Hotspot; guest access made easy.
1. The user associates to an open SSID
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the acceptable use policy, the user is then allowed access to the network
4. At the end of the day (day ends) the user is kicked off the network
Capabilities:
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (secret code, e.g. "chemist")

Guest Lifecycle Management: Self Registration
Feature highlight: simple and flexible guest self-registration; a flexible, efficient and scalable solution that fits all your needs.
1. The guest is redirected to a captive portal for self-registration
2. After the registration request is filled in, the credentials are sent by ISE via SMS
3. The guest enters the credentials
4. The guest is allowed on the network
Capabilities:
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals

Endpoint Compliance: rest assured that ISE is keeping track
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices.
Checks shown: OS patches, AV installed, registered, custom criteria; a vulnerable endpoint fails the check.

Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network (AnyConnect):
1. Authenticate: authenticate the user, authenticate the endpoint; posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV/AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access with dACL, dVLAN, SGT, etc.
Capabilities:
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation

Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 highlights:
• File check enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X daemon check, user agent check, user-based process check
• Disk encryption check: checks can be based on installation location and disk encryption state
• Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)

File Checks (posture enhancements): on OS X, similar to the registry check on Windows. ISE 2.0, AnyConnect 4.2.

Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check user agents as well as daemons

Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state

Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS example. Columns: product name and version; Install is the default support for all, and checks for "Enabled" or "Up to Date" may optionally be supported; minimum version of the compliance module that provides support.
ISE Posture: Patch Management, Mac OS example

Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate the patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option

Endpoint Compliance: Mobile Device Management integration
Posture/compliance assessment for mobile devices.
Capabilities:
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)
Flow outline: register with ISE and allow Internet access; register with MDM and allow corporate access.

Streamline management using a single workspace: intuitive work center and access policy matrix
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Capabilities:
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Benefits, with TrustSec's new user interface:
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
TrustSec Work Center access policy matrix: source SGTs Guest, Contractor, Employee and Infected as rows; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation as columns; each cell holds Permit IP or Deny IP.

High OPEX Security Policy Maintenance
Traditional ACL/FW rule: source objects NY, SF, LA and SJC (NY = 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...) to destination objects DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) (production servers) and DC-RTP (VDI).
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or a destination object adds more lines; the complex task and high OPEX continue. A global bank currently dedicates 24 global resources to managing firewall rules.

Low OPEX Security Policy Maintenance
Security group filtering, with the same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI):
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Policy stays with users and servers regardless of location or topology. Simpler auditing process (low OPEX cost) and simpler security operation (resource optimization): e.g. the bank now estimates 6 global resources. Clear ROI in OPEX.
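The two slides above (and the policy matrix slide earlier) compared as running code, as an added example that is not Cisco's: the SGT numbers and the six policy lines are the slide's, while the IP prefixes per tag, the service port numbers and the default action of the matrix are assumptions.

```python
"""Security-group policy versus per-IP ACL maintenance, following the
OPEX comparison and the access policy matrix on the slides.  Added example,
not Cisco code: SGT numbers and the six policy lines come from the slide;
the prefixes per tag, the service ports and the default action are assumed."""
from ipaddress import ip_address, ip_network
from itertools import product
from typing import List, Optional, Tuple

# Security Group Tags from the slide.
SGT = {"Employee": 10, "Production_Servers": 50, "BYOD": 200, "VDI": 201}

# Service ports assumed for the slide's "eq HTTPS / SQL / SSH / RDP".
PORT = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# The slide's six SGACL lines: (src SGT, dst SGT, protocol, port, action).
# Protocol "ip" and port None mean any; first match wins.
SGACL: List[Tuple[str, str, str, Optional[int], str]] = [
    ("Employee", "Production_Servers", "tcp", PORT["HTTPS"], "permit"),
    ("Employee", "Production_Servers", "tcp", PORT["SQL"], "deny"),
    ("Employee", "Production_Servers", "tcp", PORT["SSH"], "deny"),
    ("Employee", "VDI", "tcp", PORT["RDP"], "permit"),
    ("BYOD", "Production_Servers", "ip", None, "deny"),
    ("BYOD", "VDI", "tcp", PORT["RDP"], "permit"),
]
DEFAULT_ACTION = "deny"   # assumed catch-all for matrix cells not listed above

# Constructed membership: which prefixes carry which tag.  In TrustSec the
# tag is assigned at authentication and propagated inline or via SXP; this
# prefix table stands in for that IP-to-SGT mapping so the example runs offline.
MEMBERS = {
    "Employee": ["10.2.34.0/24", "10.2.35.0/24", "10.2.36.0/24"],
    "BYOD": ["10.9.0.0/16"],
    "Production_Servers": ["10.100.1.10/32", "10.100.1.20/32", "10.100.2.30/32"],
    "VDI": ["10.200.1.5/32"],
}


def classify(ip: str, members=MEMBERS) -> int:
    """Map an address to its SGT (0 = unknown / untagged)."""
    addr = ip_address(ip)
    for tag, prefixes in members.items():
        if any(addr in ip_network(p) for p in prefixes):
            return SGT[tag]
    return 0


def sgacl_decision(src_sgt: int, dst_sgt: int, proto: str,
                   dport: Optional[int], policy=SGACL) -> str:
    """Evaluate the (src SGT, dst SGT) cell of the policy matrix."""
    for src, dst, p, port, action in policy:
        if SGT[src] != src_sgt or SGT[dst] != dst_sgt:
            continue
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        return action
    return DEFAULT_ACTION


def decide_packet(src_ip: str, dst_ip: str, proto: str,
                  dport: Optional[int]) -> str:
    """Classification followed by tag-based enforcement: the decision
    depends on the tags, not on which site the addresses belong to."""
    return sgacl_decision(classify(src_ip), classify(dst_ip), proto, dport)


def expand_to_ip_acl(policy=SGACL, members=MEMBERS) -> List[str]:
    """The per-prefix ACEs a traditional ACL needs to express the same policy."""
    aces = []
    for src, dst, proto, port, action in policy:
        for sp, dp in product(members[src], members[dst]):
            suffix = f" eq {port}" if port is not None else ""
            aces.append(f"{action} {proto} {sp} {dp}{suffix}")
    return aces


def ace_growth(new_employee_prefix: str = "10.5.7.0/24") -> Tuple[int, int, int]:
    """ACE count before and after a new Employee site is added, next to the
    SGACL line count, which does not change: only classification grows."""
    before = len(expand_to_ip_acl())
    grown = {tag: list(v) for tag, v in MEMBERS.items()}
    grown["Employee"].append(new_employee_prefix)
    after = len(expand_to_ip_acl(SGACL, grown))
    return before, after, len(SGACL)
```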

Policy and segmentation with VLANs
Diagram outline: access layer and aggregation layer, with VLANs for Voice, Data, Suppliers, Guest and Quarantine; each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering.
Simple segmentation with 2 VLANs; more policies require more VLANs. The design needs to be replicated for floors, buildings, offices and other facilities, and the cost could be extremely high.

Segmentation with security groups
Diagram outline: the same access and aggregation layers with a data center firewall; Voice, Data, Suppliers, Guest and Quarantine are carried as Data, Supplier, Guest and Quarantine tags, retaining the initial VLAN/subnet design.
Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers.

Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
• Give the right people on the right devices the right access to the right resources with TrustSec
Example contexts: Guest on an iPad in the office; Receptionist on an iPad in the office; Doctor on a laptop in the office. Resources: Internet, Internal Employee Intranet, Confidential Patient Records.

"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)

Traditional Security Policy vs. TrustSec Security Policy
Traditional: a long list of per-address access-list entries (access-list 102 permit/deny ... lines).
With TrustSec: security control automation, simplified access management, improved security efficacy. Flexible and scalable policy enforcement across the network fabric (switch, router, DC FW, DC switch, wireless): software-defined segmentation.

Centralized Control / Deeper Visibility / Superior Protection

https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)

ISE is the cornerstone of your Cisco solutions
ISE context (who, what, where, when, how) spans the before, during and after phases alongside NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.

And easily integrates with partner solutions
The ISE pxGrid controller shares context (who, what, where, when, how) with Cisco Meraki and with partner categories: SIEM, EMM/MDM, firewall, vulnerability assessment, threat defense, IoT, IAM/SSO, PCAP, web security, CASB and performance management.

Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
1. ISE collects contextual data (who, what, where, when, how) from the Cisco network
2. Context is shared via pxGrid technology with the Cisco and partner ecosystem
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy

Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE): enhance web access policy with user and device awareness
Feature highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Capabilities:
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits:
• Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Example contexts: Doctor on a laptop in the office, Doctor on an iPad in the office, Guest on an iPad in the office. Resources: Confidential Patient Records, Employee Intranet.

Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE): automatically defend against threats with FMC and ISE
Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities:
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Benefits:
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow:
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigate source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones in the diagram: Admin zone, Enterprise zone, POS zone, Vendor zone, Employee zone, Dev zone
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Diagram: the Security Admin Team and the Network Admin Team each use the TACACS+ Work Center; TACACS+ Device Administration support for ISE 2.0
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin best practices: use NDGs (Network Device Groups)
• Different policy sets for IOS than for Airespace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Slide 68
Use policy sets based on device type: Cisco IOS switches; Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices: get the same great security across more devices
Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information, refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row (Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011)
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Slide 74
Live Demo
Slide 5
Port-Based Access Control Using Authentication: IEEE 802.1X
Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator (switch) <-- RADIUS, Layer 3 link --> ISE
Beginning (switchport in an unused VLAN):
EAPoL Start
EAPoL Request Identity
EAP-Response Identity: Alice  ->  RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple challenge/request exchanges possible):
EAP-Request: PEAP  <-  RADIUS Access-Challenge [AVP: EAP-Request: PEAP]
EAP-Response: PEAP  ->  RADIUS Access-Request [AVP: EAP-Response: PEAP]
End (switchport now becomes active in the assigned VLAN):
EAP Success  <-  RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
• 802.1X (EAPoL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms; authentication is handled by the EAP type (TLS, PEAP)
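The RADIUS side of the exchange on this slide, as an added example (not Cisco's code): a minimal RFC 2865/3579 encoder and decoder relays the supplicant's EAP-Response/Identity "Alice" in an Access-Request, answers with an Access-Challenge carrying EAP-Request/PEAP, and finishes with an Access-Accept carrying EAP-Success, VLAN 10 and a dACL name. The shared secret, the PEAP Start flag byte, the VLAN and the dACL name are constructed sample values.

```python
"""RADIUS side of the 802.1X exchange on this slide (added example, not Cisco's
code): the authenticator relays EAP inside RADIUS, ISE answers with challenges,
and the final Access-Accept carries EAP-Success, the VLAN and a dACL name.
Standard library only; the shared secret, VLAN and dACL name are constructed."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, FILTER_ID = 1, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
# EAP codes and method types (RFC 3748); 25 is PEAP
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_IDENTITY, EAP_PEAP = 1, 25


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def attrs_bytes(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def radius(code, ident, attrs, secret, request_auth=None):
    """Encode a RADIUS packet and append a correct Message-Authenticator.

    Access-Request: 16 random bytes as Request Authenticator. Replies: the
    HMAC-MD5 is computed over the Request Authenticator of the request being
    answered, and the header carries the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes(attrs)))
    auth = os.urandom(16) if request_auth is None else request_auth
    mac = hmac.new(secret, header + auth + attrs_bytes(attrs), "md5").digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    body = attrs_bytes(attrs)
    if request_auth is not None:
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse(packet):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def verify(packet, secret, request_auth=None):
    """True if the Message-Authenticator (and, for replies, the Response
    Authenticator) are valid under the shared secret."""
    code, ident, auth, attrs = parse(packet)
    hmac_auth = auth if request_auth is None else request_auth
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expect = hmac.new(secret, packet[:4] + hmac_auth + attrs_bytes(zeroed), "md5").digest()
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR, b"")
    ok = hmac.compare_digest(got, expect)
    if request_auth is not None:
        ok = ok and auth == hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return ok


def run_exchange(secret=b"constructed-shared-secret"):
    """Walk the slide's Beginning / Middle / End and decode what the switch learns."""
    # Beginning: EAP-Response/Identity "Alice" is relayed in an Access-Request.
    identity = eap(EAP_RESPONSE, 1, EAP_IDENTITY, b"Alice")
    request = radius(ACCESS_REQUEST, 7,
                     [(USER_NAME, b"Alice"), (EAP_MESSAGE, identity)], secret)
    req_auth = parse(request)[2]
    # Middle: ISE answers with EAP-Request/PEAP (Start flag 0x20) in an Access-Challenge;
    # the real PEAP tunnel would take several more challenge/response rounds here.
    challenge = radius(ACCESS_CHALLENGE, 7,
                       [(EAP_MESSAGE, eap(EAP_REQUEST, 2, EAP_PEAP, b"\x20"))],
                       secret, req_auth)
    # End: Access-Accept with EAP-Success, VLAN 10 (RFC 2868 tunnel attributes, tag 1,
    # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) and the dACL name in Filter-Id.
    accept = radius(ACCESS_ACCEPT, 7, [
        (EAP_MESSAGE, eap(EAP_SUCCESS, 3)),
        (TUNNEL_TYPE, b"\x01\x00\x00\x0d"),
        (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"),
        (FILTER_ID, b"dACL-n"),
    ], secret, req_auth)
    got = dict(parse(accept)[3])
    return {
        "request_ok": verify(request, secret),
        "challenge_ok": verify(challenge, secret, req_auth),
        "accept_ok": verify(accept, secret, req_auth),
        "eap_success": got[EAP_MESSAGE][0] == EAP_SUCCESS,
        "vlan": got[TUNNEL_PRIVATE_GROUP_ID][1:].decode(),
        "dacl": got[FILTER_ID].decode(),
    }
```

A switch that skips `verify` on the Access-Accept would accept a VLAN and dACL from anyone who can spoof the server's address, which is why the Message-Authenticator check is not optional for EAP traffic.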
Slide 6
Choosing credentials for 802.1X
Common types: passwords, certificates, tokens
Deciding factors: security policy, validation, distribution & maintenance
Deployment best practices: re-use existing credentials; understand the limitations of existing systems
Diagram: username/password held in a directory (e.g. alice / c1sC0L1v); Certificate Authority; Token Server
Slide 7
How to submit credentials
EAP Transport Layer Security (EAP-TLS): CLIENT and SERVER each hold a certificate issued under ROOT; the client checks the server's certificate ("Valid Server"), the server checks the client's ("Valid Client, Authenticated"), and Hari is authenticated.
Protected EAP (PEAP): only SERVER holds a certificate under ROOT; the client checks it ("Valid Server") and then sends the user credentials (U: Hari, P: ...) through the ENCRYPTED TUNNEL, after which Hari is authenticated.
Tying machine and user authentications: machine authentication & user authentication
Machine account (e.g. host/machine) or machine certificate; user account (e.g. user@example.com) or user certificate
User or machine auth is supported by supplicants; MAR and RADIUS server policy can mandate both, but in different transactions. EAP chaining supports authentication of multiple credentials in a single EAP transaction.
MAR: Machine Access Restrictions
Slide 8
EAP Chaining Explained
Supplicant <-> Switch <-> RADIUS Server
Machine phase:
EAPOL Start  ->  RADIUS Access-Request [EAP-Tunnel=FAST]
EAP Request TLV  <-  RADIUS Access-Challenge [EAP-TLV="Machine"]
EAP-Response TLV="Machine"  ->  RADIUS Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
EAP Success, PAC  <-  RADIUS Access-Accept
(Login)
User phase:
EAPOL Start  ->  RADIUS Access-Request [EAP-Tunnel=FAST]
EAP Request TLV  <-  RADIUS Access-Challenge [EAP-TLV="Machine"]
EAP-Response TLV="User"  ->  RADIUS Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
EAP Success, PAC  <-  RADIUS Access-Accept
EAP-TEAP (Tunneled EAP): draft by an IETF working group; next-gen EAP method; supports EAP chaining
Cisco AnyConnect NAM 3.1: the only supplicant supporting EAP chaining today (EAP-FASTv2)
Cisco Identity Services Engine: supports EAP chaining from software version 1.1.1
PAC: Protected Access Credential
Slide 9
User + Machine Policy: combined user identity + machine identity (EAP chaining)
Flowchart labels: Start Here; Machine? Yes / No; Workstation_Corp? Yes / No; User? Employee? Yes / No; I-Device? Registered Guest?; Employee + WS_Corp; Machine / User; outcomes: Permit Access (AD Login Access, VDI Access), Internet Only, Access-Reject
Slide 10
NIPR/SIPR Cross-Domain Violations
Flowchart labels: Start Here; Machine? CLASSIFIED / UNCLASS; Approved Visitor; Employee + WS_Corp; Machine / User; Employee? Yes / No; outcomes: Permit Access, Internet Only, Access-Reject
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
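The two flowcharts above (the user + machine policy on slide 9 and the NIPR/SIPR cross-domain check on slide 10) written as an ordered, first-match rule list, as an added example that is not ISE's own policy format: the session layout, the group names, the "domain" label carried by each credential and the syslog line format are constructed to mirror the slides.

```python
"""The two flowcharts above (user + machine policy on slide 9, NIPR/SIPR
cross-domain check on slide 10) as an ordered, first-match rule list over the
EAP-chaining result. Added example, not ISE's policy format: the session
layout, the group names, the "domain" label carried by each credential and the
syslog line format are constructed."""

# Values ISE exposes as Network Access:EapChainingResult after EAP-FASTv2 chaining.
BOTH = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
NO_CHAINING = "No chaining"


def credential(name, groups, domain="UNCLASS", authenticated=True):
    """Constructed credential record: a machine account/certificate or a user account."""
    return {"name": name, "groups": set(groups), "domain": domain, "authenticated": authenticated}


def chaining_result(session):
    machine_ok = bool(session.get("machine", {}).get("authenticated"))
    user_ok = bool(session.get("user", {}).get("authenticated"))
    if machine_ok and user_ok:
        return BOTH
    if user_ok:
        return USER_ONLY
    if machine_ok:
        return MACHINE_ONLY
    return NO_CHAINING


def cross_domain_violation(session, network_domain):
    """Return (kind, credential) when a credential issued for another security
    domain (e.g. a CLASSIFIED workstation) shows up on this network."""
    for kind in ("machine", "user"):
        cred = session.get(kind)
        if cred and cred["domain"] != network_domain:
            return kind, cred
    return None


def authorize(session, network_domain, syslog):
    """First-match evaluation; appends the syslog line slide 10 describes."""
    violation = cross_domain_violation(session, network_domain)
    if violation:
        kind, cred = violation
        syslog.append(f"CROSS-DOMAIN-VIOLATION {kind}={cred['name']} "
                      f"credential-domain={cred['domain']} network={network_domain}")
        return "Access-Reject"
    result = chaining_result(session)
    machine_groups = session.get("machine", {}).get("groups", set())
    user_groups = session.get("user", {}).get("groups", set())
    device = session.get("device", {})
    # Corporate workstation with an employee logged in: full access.
    if result == BOTH and "Workstation_Corp" in machine_groups and "Employee" in user_groups:
        return "Permit Access"
    # Machine credential only (nobody logged in yet): just enough to reach AD login / VDI.
    if result == MACHINE_ONLY and "Workstation_Corp" in machine_groups:
        return "AD Login Access"
    # Employee on a registered personal i-device (no machine credential possible): Internet only.
    if (result == USER_ONLY and "Employee" in user_groups
            and device.get("type") == "I-Device" and device.get("registered")):
        return "Internet Only"
    return "Access-Reject"
```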
Slide 11
Real Networks Can't Live on 802.1X Alone
Diagram labels: 802.1X Passed / Unauthenticated; switchport (1X enabled); protocols DHCP, TFTP, KRB5, HTTP, EAPoL; endpoint classes: Employee, Employee (bad credential), Guest, Managed Assets, Rogue
Slide 12
Building Your MAB Database: profiling tools are evolving
Profile conditions example: PROFILED = probe-gathered information + conditions. MAC OUI = Lexmark, and if the DHCP Class ID contains "E260dn", it's a Lexmark E260dn printer.
Probes feeding ISE: SNMP Probe, DHCP Probe, HTTP Probe, DNS Probe
Slide 13
Building Your MAB Database: profiling tools are evolving
Device Sensor (IOS 15.0(1)SE1) with ISE 1.1: the switch collects CDP, LLDP, DHCP and MAC data and sends it to ISE through the RADIUS probe, so just one type of probe is needed; Device Classifier
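Profiling in the shape of slides 12 and 13, as an added example that is not ISE's profiler: attributes gathered by several probes (or by Device Sensor through the single RADIUS probe) are merged per MAC and matched against a parent/child policy tree with certainty factors, so OUI = Lexmark plus a DHCP class identifier containing "E260dn" resolves to a Lexmark E260dn printer. The OUI table, policy names, certainty values, minimum certainties and probe events are constructed.

```python
"""Profiling in the shape of slides 12 and 13: attributes gathered by several
probes (or by Device Sensor through the single RADIUS probe) are merged per MAC
and matched against a parent/child policy tree with certainty factors. Added
example, not ISE's profiler: the OUI table, policy names, certainty values,
minimum certainties and probe events are constructed."""

# Constructed OUI table (an OUI lookup returns the registered vendor name).
OUI_VENDORS = {
    "00:20:00": "Lexmark International, Inc.",
    "00:1e:c2": "Apple, Inc.",
}

# Policy tree: parent, minimum certainty, and rules as
# (attribute, operator, value, certainty factor gained when the rule matches).
POLICIES = {
    "Lexmark-Device": {"parent": None, "min": 10, "rules": [
        ("OUI", "CONTAINS", "Lexmark", 10)]},
    "Lexmark-E260dn-Printer": {"parent": "Lexmark-Device", "min": 20, "rules": [
        ("dhcp-class-identifier", "CONTAINS", "E260dn", 20)]},
    "Apple-Device": {"parent": None, "min": 10, "rules": [
        ("OUI", "CONTAINS", "Apple", 10)]},
    "Apple-iPad": {"parent": "Apple-Device", "min": 10, "rules": [
        ("User-Agent", "CONTAINS", "iPad", 10),
        ("host-name", "CONTAINS", "iPad", 10)]},
}


def merge_probe_data(mac, events):
    """Fold (probe name, attribute dict) events for one MAC into a single endpoint
    record; the OUI is derived from the MAC the RADIUS probe delivered."""
    mac = mac.lower()
    endpoint = {"MACAddress": mac, "OUI": OUI_VENDORS.get(mac[:8], "Unknown")}
    for _probe, attrs in events:
        endpoint.update(attrs)
    return endpoint


def rule_matches(rule, endpoint):
    attribute, op, value, _cf = rule
    actual = str(endpoint.get(attribute, "")).lower()
    if op == "CONTAINS":
        return value.lower() in actual
    if op == "EQUALS":
        return value.lower() == actual
    raise ValueError(f"unsupported operator {op}")


def certainty(policy, endpoint):
    return sum(rule[3] for rule in POLICIES[policy]["rules"] if rule_matches(rule, endpoint))


def depth(policy):
    d = 0
    while POLICIES[policy]["parent"] is not None:
        policy, d = POLICIES[policy]["parent"], d + 1
    return d


def profile(endpoint):
    """Most specific matching policy, or "Unknown". A child policy is only
    evaluated once its parent reached its minimum certainty."""
    matched = []
    todo = [name for name, p in POLICIES.items() if p["parent"] is None]
    while todo:
        name = todo.pop()
        score = certainty(name, endpoint)
        if score < POLICIES[name]["min"]:
            continue
        matched.append((depth(name), score, name))
        todo.extend(child for child, p in POLICIES.items() if p["parent"] == name)
    return max(matched)[2] if matched else "Unknown"


def profile_mac(mac, events):
    return profile(merge_probe_data(mac, events))


# Constructed probe events for the printer on slide 12: the RADIUS probe brings
# the MAC, the DHCP probe (or Device Sensor) brings the class identifier.
PRINTER_EVENTS = [
    ("RADIUS", {"NAS-Port-Id": "GigabitEthernet1/0/7"}),
    ("DHCP", {"dhcp-class-identifier": "Lexmark E260dn", "host-name": "ET0021B7AABBCC"}),
]
```

With only the RADIUS probe's MAC the endpoint stops at the parent policy, which is the case the Device Sensor slide addresses: the richer the attribute set delivered per MAC, the more specific the profile.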
Slide 14
DoD CAC capable for administration too: Admin UI login, TACACS CLI CAC login (Sponsor Portal login coming soon)
Slide 15
Aruba with ISE Configuration Guide: works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Slide 16
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Slide 17
Centralized Control, Deeper Visibility, Superior Protection
Slide 18
Context
Poor context awareness: IP Address 192.168.1.51; Who: Unknown; What: Unknown; Where: Unknown; When: Unknown. Result: any user, any device, anywhere gets on the network.
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access.
Make fully informed decisions with rich contextual awareness
Slide 19
Better Visibility: revamped the Endpoints Identity page (clicking the filters below)
Slide 20
New TrustSec Dashboard & Work Center
Slide 21
Improved Matrix: color coded + condensed
Slide 22
Improved Matrix: color coded + condensed
Slide 23
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Feature highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Diagram: a Doctor's access to patient data depends on location (Lobby, Patient room, Lab, ER); labels read, in order: No access to patient data, Access to patient data, No access to patient data, Access to patient data; patient data access locations listed: Patient room, ER, Lab, Lobby
Slide 24
ISE 2.0 Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE: "I have location data: Campus / Building / Floor / Zone"
Slide 25
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• + 150 TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session.
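Location-based authorization and endpoint-movement tracking in the shape of slides 23 to 25, as an added example that is not ISE's implementation: a rule matches MSE's location hierarchy path, and a tracker re-queries MSE about every 5 minutes and issues a CoA when the location changed. The "Campus/Building/Floor/Zone" path format, the rule table, the role names and the in-memory MSE stand-in are constructed.

```python
"""Location-based authorization and endpoint-movement tracking in the shape of
slides 23 to 25: a rule matches MSE's location hierarchy path, and a tracker
re-queries MSE about every 5 minutes and issues a CoA when the location changed.
Added example, not ISE's implementation: the "Campus/Building/Floor/Zone" path
format, rule table, role names and the in-memory MSE stand-in are constructed."""

POLL_INTERVAL = 300  # seconds; "about every 5 minutes" on the slide

# (role, operator, location, authorization profile), first match wins.
# EQUALS needs the exact path; STARTS_WITH matches the node and everything under it.
RULES = [
    ("Employee", "EQUALS", "LND_Campus1/Building1/Floor2/SecureZone", "Secure_Zone_Access"),
    ("Doctor", "STARTS_WITH", "Hospital/Main/Floor2/Patient_Rooms", "Patient_Data_Access"),
    ("Doctor", "EQUALS", "Hospital/Main/Floor1/ER", "Patient_Data_Access"),
    ("Doctor", "EQUALS", "Hospital/Main/Floor3/Lab", "Patient_Data_Access"),
    ("Doctor", "STARTS_WITH", "Hospital", "No_Patient_Data"),   # e.g. the Lobby
]


def location_matches(op, rule_location, actual_location):
    if op == "EQUALS":
        return actual_location == rule_location
    if op == "STARTS_WITH":
        prefix = rule_location.split("/")
        return actual_location.split("/")[:len(prefix)] == prefix
    raise ValueError(f"unknown operator {op}")


def authorize(role, location):
    """Authorization profile for a role at an MSE location path (default deny)."""
    for rule_role, op, rule_location, profile in RULES:
        if rule_role == role and location_matches(op, rule_location, location):
            return profile
    return "Access-Reject"


class FakeMSE:
    """Stand-in for the MSE query: MAC -> current location path; counts queries
    so the cost against the TPS budget is visible."""
    def __init__(self, positions):
        self.positions, self.queries = dict(positions), 0

    def locate(self, mac):
        self.queries += 1
        return self.positions.get(mac, "Unknown")


class MovementTracker:
    """Tracks authenticated endpoints by MAC and re-checks MSE on the poll interval."""
    def __init__(self, mse):
        self.mse, self.sessions = mse, {}

    def start(self, mac, role, now):
        location = self.mse.locate(mac)
        self.sessions[mac] = {"role": role, "location": location,
                              "profile": authorize(role, location), "last_check": now}
        return self.sessions[mac]["profile"]

    def poll(self, now):
        """Return [(mac, new_location, new_profile)] for sessions that got a CoA."""
        coas = []
        for mac, s in self.sessions.items():
            if now - s["last_check"] < POLL_INTERVAL:
                continue                      # not due yet: stay within the TPS budget
            s["last_check"] = now
            location = self.mse.locate(mac)
            if location == s["location"]:
                continue                      # no location change: do nothing
            s["location"] = location          # update the collection ...
            s["profile"] = authorize(s["role"], location)
            coas.append((mac, location, s["profile"]))  # ... and invoke CoA on the session
        return coas
```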
Slide 26
Centralized Control, Deeper Visibility, Superior Protection
Slide 27
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network
Secure access from any location, regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram: Wired, Wireless, VPN, Branch, Enterprise Mobility; Remote User, Headquarters, Partner, Admin, Contractor/Guest
Slide 28
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Diagram: Employee, IT Staff, Device Profiling; Internal Employee Intranet, www, Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable an easier and faster device onboarding
Feature highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience; effectively design, manage and control the access of BYOD.
Benefits
Better security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Flow:
1. The user tries to connect to the network using a personal device.
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration.
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy.
4. Now that the device has been registered, the user is allowed access to the network.
Slide 30
Improve guest experiences without compromising security
Guest: immediate, uncredentialed Internet access with Hotspot (Internet)
Guest: simple self-registration (Internet)
Guest / Sponsor: role-based access with employee sponsorship (Internet and network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature highlight: immediate, uncredentialed access with Hotspot. Guest access made easy.
1. The user associates to an open SSID.
2. The user tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network.
4. At the end of the day ("Day Ends"), the user is kicked off the network.
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot: Secret code: chemist)
Slide 32
Guest Lifecycle Management: Self Registration
Feature highlight: simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
1. The guest is redirected to a captive portal for self-registration.
2. After filling in the registration request, the credentials are sent by ISE via SMS.
3. The guest enters the credentials.
4. The guest is allowed on the network.
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
ISE identifies the device, checks posture, ensures policy compliance and quarantines non-compliant devices; EMM integrations
Checks illustrated: OS patches, AV installed, Registered, Custom criteria; an endpoint failing checks is marked Vulnerable
Slide 34
Endpoint Compliance: Posture Assessment. Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV/AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and descriptions:
File check enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X daemon check: user agent check, user-based process check
Disk encryption check: checks can be based on installation location and disk encryption state
Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks: Posture Enhancements (ISE 2.0, AnyConnect 4.2)
On OS X, similar to the registry check on Windows
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state
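Posture assessment in the shape of slides 34 to 38, as an added example that is not AnyConnect's posture module or ISE's policy format: each requirement is a check (file SHA-256 on a Windows user-profile path or an OS X plist, daemon or user-agent process, disk encryption state) in Mandatory, Optional or Audit mode, and the result drives quarantine or permit. The endpoint is a constructed in-memory snapshot rather than a live host, and all names, paths and hashes are constructed.

```python
"""Posture assessment in the shape of slides 34 to 38: each requirement is a
check (file SHA-256 on a Windows user-profile path or an OS X plist, daemon or
user-agent process, disk encryption state) in Mandatory, Optional or Audit
mode, and the result drives quarantine or permit. Added example, not
AnyConnect's posture module or ISE's policy format: the endpoint is a
constructed in-memory snapshot instead of a live host, and all names, paths
and hashes are constructed."""
import hashlib

MANDATORY, OPTIONAL, AUDIT = "Mandatory", "Optional", "Audit"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Each condition is a function of the endpoint snapshot returning True on pass.
def file_sha256(path, expected_hex):
    return lambda ep: path in ep["files"] and sha256_hex(ep["files"][path]) == expected_hex


def file_exists(path):
    return lambda ep: path in ep["files"]


def process_running(name, scope):
    """scope 'daemon' = system-wide, not tied to a user; 'user-agent' = on behalf of the user."""
    return lambda ep: any(p["name"] == name and p["scope"] == scope for p in ep["processes"])


def disk_encrypted(product):
    return lambda ep: (ep["disk_encryption"].get("product") == product
                       and ep["disk_encryption"].get("state") == "encrypted")


# Constructed expected hash of the agent binary the Windows file check looks for.
AGENT_SHA256 = sha256_hex(b"constructed corp-agent binary 4.2")

REQUIREMENTS = [
    {"name": "Corp-Agent-Binary", "os": "Windows", "mode": MANDATORY,
     "check": file_sha256(r"%USERPROFILE%\Desktop\corp-agent.exe", AGENT_SHA256),
     "remediation": "Launch app: reinstall corp-agent.exe"},
    {"name": "BitLocker-Encrypted", "os": "Windows", "mode": MANDATORY,
     "check": disk_encrypted("BitLocker"), "remediation": "Script: enable BitLocker"},
    {"name": "Corp-Plist-Present", "os": "OSX", "mode": MANDATORY,
     "check": file_exists("/Library/Preferences/com.example.corp.plist"),
     "remediation": "Script: deploy corp plist"},
    {"name": "AV-Daemon-Running", "os": "OSX", "mode": MANDATORY,
     "check": process_running("av-daemon", "daemon"), "remediation": "Script: start av-daemon"},
    {"name": "Backup-Agent-Running", "os": "OSX", "mode": OPTIONAL,
     "check": process_running("backup-agent", "user-agent"), "remediation": "Launch app: backup-agent"},
    {"name": "FileVault-Encrypted", "os": "OSX", "mode": AUDIT,
     "check": disk_encrypted("FileVault"), "remediation": None},
]


def authorization_for(posture_status):
    """Posture Unknown / Non-Compliant lands in quarantine; Compliant is authorized."""
    if posture_status == "Compliant":
        return {"profile": "Permit Access", "dacl": "PERMIT_ALL", "sgt": "Employee"}
    return {"profile": "Quarantine", "dacl": "POSTURE_REMEDIATION",
            "vlan": "Quarantine", "sgt": "Quarantine"}


def assess(endpoint):
    """Evaluate the requirements for the endpoint's OS.

    Mandatory failures make the endpoint Non-Compliant and queue remediation;
    Optional failures only offer remediation; Audit failures are logged only."""
    failed, remediations, audit = [], [], []
    for req in REQUIREMENTS:
        if req["os"] != endpoint["os"] or req["check"](endpoint):
            continue
        if req["mode"] == MANDATORY:
            failed.append(req["name"])
            remediations.append(req["remediation"])
        elif req["mode"] == OPTIONAL:
            remediations.append(req["remediation"])
        else:
            audit.append(req["name"])
    status = "Non-Compliant" if failed else "Compliant"
    return {"status": status, "failed": failed, "remediations": remediations,
            "audit_findings": audit, "authorization": authorization_for(status)}


# Constructed snapshots (what the agent would report from a real host).
WINDOWS_OK = {
    "os": "Windows",
    "files": {r"%USERPROFILE%\Desktop\corp-agent.exe": b"constructed corp-agent binary 4.2"},
    "processes": [],
    "disk_encryption": {"product": "BitLocker", "state": "encrypted"},
}
OSX_PARTIAL = {
    "os": "OSX",
    "files": {"/Library/Preferences/com.example.corp.plist": b"<plist/>"},
    "processes": [{"name": "av-daemon", "scope": "daemon"}],
    "disk_encryption": {"product": "FileVault", "state": "decrypted"},
}
```

The SHA-256 file check is what makes the "file present" test worth anything: a renamed or tampered binary at the expected path fails the hash and the endpoint stays in quarantine.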
Slide 39
Windows ISE Posture: Disk Encryption
Slide 40
Windows ISE Posture: Native Patch Management via OPSWAT
Slide 41
ISE Posture: Patch Management, Windows OS example
Screenshot columns: product name and version; Install is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"; minimum version of the compliance module that provides support
Slide 42
ISE Posture: Patch Management, Mac OS example
Slide 43
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration. Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device action from ISE and from the My Devices portal (device stolen, wipe corporate data)
Flow in the diagram: register with ISE, allow Internet access; register with MDM, allow corporate access
Slide 45
TrustSec Work Center: streamline management using a single workspace, with TrustSec's new user interface
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker / listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Intuitive work center and access policy matrix: source SGTs Guest, Contractor, Employee, Infected; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell holds Permit IP or Deny IP
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source (NY, SF, LA, SJC) to Destination (DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2): Production Servers; DC-RTP (VDI))
NY: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules. A complex task, and high OPEX continues.
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200). Destination SGT: Production_Servers (50), VDI (201).
Diagram: sources NY, SF, LA, SJC (Employee, BYOD) to DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers) and DC-RTP (VDI) (VDI Servers)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
Clear ROI in OPEX
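Why the security-group policy on this slide stays at six lines while the traditional ACL on the previous slide grows with every site and server, as an added example that is not a Cisco tool: the same six intents are expanded the traditional way (per source site and destination server) and the TrustSec way (per SGT pair), and a small SGACL lookup shows the decision the network makes from the tags alone. It generalizes the slides' counting to any number of sites; the SGT numbers, rules, sites and server names are taken from the slides.

```python
"""Why the security-group policy on this slide stays at six lines while the
traditional ACL on the previous slide grows with every site and server: the
same six intents are expanded the traditional way (per source site x destination
server) and the TrustSec way (per SGT pair), and a small SGACL lookup shows the
decision the network makes from the tags alone. Added example, not a Cisco
tool; SGT numbers, rules, sites and servers are taken from the slides."""
from itertools import product

# Source and destination SGTs as on the slide.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# The six security-group filtering lines on the slide as (source, destination, service, action).
INTENTS = [
    ("Employee", "Production_Servers", "HTTPS", "Permit"),
    ("Employee", "Production_Servers", "SQL", "Deny"),
    ("Employee", "Production_Servers", "SSH", "Deny"),
    ("Employee", "VDI", "RDP", "Permit"),
    ("BYOD", "Production_Servers", "any", "Deny"),
    ("BYOD", "VDI", "RDP", "Permit"),
]

# Objects a traditional ACL has to enumerate: one source object per site and
# role (a subnet per role per site), one destination object per server.
SITES = ["NY", "SF", "LA", "SJC"]
SERVERS = {"Production_Servers": ["SRV1", "SAP1", "SCM2"], "VDI": ["VDI"]}


def traditional_acl(intents, sites, servers):
    """Expand intents into per-site, per-server lines (what the firewall team maintains)."""
    lines = []
    for src, dst, service, action in intents:
        for site, server in product(sites, servers[dst]):
            port = "" if service == "any" else f" eq {service}"
            lines.append(f"{action.lower()} {site}-{src} to {server}{port}")
    return lines


def sgt_policy(intents):
    """One line per SGT pair and service, independent of site and server counts."""
    return [f"{action} {src}({SGT[src]}) to {dst}({SGT[dst]})"
            + ("" if service == "any" else f" eq {service}")
            for src, dst, service, action in intents]


def decide(src_sgt, dst_sgt, service):
    """SGACL lookup: first matching cell for the tag pair, implicit deny otherwise."""
    for src, dst, svc, action in INTENTS:
        if SGT[src] == src_sgt and SGT[dst] == dst_sgt and svc in ("any", service):
            return action
    return "Deny"


def rule_counts(extra_sites=()):
    """Compare how both styles grow when sites are added."""
    sites = SITES + list(extra_sites)
    return {"traditional": len(traditional_acl(INTENTS, sites, SERVERS)),
            "sgt": len(sgt_policy(INTENTS))}
```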
Slide 48
Policy and segmentation
Simple segmentation with 2 VLANs; more policies using more VLANs (Voice, Data, Suppliers, Guest, Quarantine)
Access layer and aggregation layer: VLAN, addressing, DHCP scope, redundancy, routing, static filtering
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Slide 49
Segmentation with security groups
Retaining the initial VLAN / subnet design (Voice, Data, Suppliers, Guest, Quarantine), with the Data Center Firewall
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers; access layer tags: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag; aggregation layer
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Diagram: Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)
Slide 52 (a wall of traditional access-list 102 entries)
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
Context: How, What, Who, Where, When
BEFORE, DURING, AFTER
And easily integrates with partner solutions
Context: How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
Partner solution categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (When, Where, Who, How, What) flows between ISE, the Cisco Network, the pxGrid controller and the Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid, with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
Better Visibility: detailed reporting to understand how, when and from what devices users access Web resources
Example flows through ISE and the WSA: Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office. Resources: Confidential Patient Records, Employee Intranet
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow: a corporate user downloads a file; FMC scans the user activity and the downloaded file; FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"; based on the new tag, ISE automatically enforces policy on the network; the device is contained for remediation or mitigation, and access is denied per security policy
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigation source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
TACACS+ Device Administration: simplify security management with role-based access
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
TACACS+ Device Administration Support for ISE 2.0
Security Admin Team and Network Admin Team each work from the TACACS+ Work Center
Device Admin Service is not enabled by default
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type: Cisco IOS Switches, Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
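The best practice of keeping separate policy sets per device type and location, selected through Network Device Groups, and authorizing individual commands with an audit trail, as an added example (not Cisco ISE code). The NDG names, policy sets, command sets, admin roles and sample devices below are all constructed for the demo:

```python
"""Device-administration policy selection by Network Device Group (NDG).
Added example, not Cisco ISE code: the NDG values, policy sets, command
sets and sample devices are constructed. It models one policy set per
device family (IOS, Airespace WLC, ASA) with a location split for the ASA,
plus command-level authorization that writes an audit log entry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    ip: str
    device_type: str   # NDG "Device Type": "Cisco IOS", "Airespace WLC", "ASA"
    location: str      # NDG "Location": "HQ" or "Branch"


@dataclass
class CommandSet:
    """Ordered permit/deny patterns over the full command line; first match wins, default deny."""
    rules: List[Tuple[str, str]]

    def allows(self, command: str) -> bool:
        for action, pattern in self.rules:
            if re.fullmatch(pattern, command):
                return action == "permit"
        return False


@dataclass
class PolicySet:
    name: str
    device_types: Tuple[str, ...]
    locations: Optional[Tuple[str, ...]]   # None means any location
    command_sets: Dict[str, CommandSet]    # admin role -> command set


# Constructed policy sets, one per device family as the slide recommends.
POLICY_SETS: List[PolicySet] = [
    PolicySet("IOS-Switches", ("Cisco IOS",), None, {
        "NetworkAdmin": CommandSet([("permit", r".*")]),
        # help desk may look, but not at the running config, and not configure
        "HelpDesk": CommandSet([("permit", r"show (?!running-config).*"),
                                ("permit", r"clear counters.*")]),
    }),
    PolicySet("WLC-Airespace", ("Airespace WLC",), None, {
        "NetworkAdmin": CommandSet([("permit", r".*")]),
        "HelpDesk": CommandSet([("permit", r"show .*")]),
    }),
    PolicySet("ASA-Branch", ("ASA",), ("Branch",), {
        "SecurityAdmin": CommandSet([("permit", r".*")]),
        "NetworkAdmin": CommandSet([("permit", r"show .*")]),
    }),
    PolicySet("ASA-HQ", ("ASA",), ("HQ",), {
        "SecurityAdmin": CommandSet([("permit", r".*")]),
    }),
]

AUDIT_LOG: List[str] = []


def select_policy_set(dev: NetworkDevice) -> Optional[PolicySet]:
    """First policy set whose NDG conditions match the device (top-down, like ISE)."""
    for ps in POLICY_SETS:
        if dev.device_type in ps.device_types and (ps.locations is None or dev.location in ps.locations):
            return ps
    return None


def authorize_command(user: str, role: str, dev: NetworkDevice, command: str) -> bool:
    """Command authorization with an audit record of every decision."""
    ps = select_policy_set(dev)
    if ps is None or role not in ps.command_sets:
        decision = False               # no matching policy set or role: deny
    else:
        decision = ps.command_sets[role].allows(command)
    AUDIT_LOG.append(f"device={dev.name} user={user} role={role} "
                     f"policyset={ps.name if ps else 'none'} cmd={command!r} "
                     f"{'PERMIT' if decision else 'DENY'}")
    return decision
```

A role that exists on the branch ASA policy set (NetworkAdmin, show-only) but not on the HQ one is denied at HQ, which is the point of differentiating by location rather than writing one global rule.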
ISE services now available for non-Cisco network access devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 offered 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today" - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives" - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Choosing Credentials for 802.1X
Common types: Passwords (Directory), Certificates (Certificate Authority), Tokens (Token Server)
Example password credential: Username alice, Password c1sC0L1v
Deciding factors: Security Policy; Validation; Distribution & Maintenance
Deployment Best Practices: re-use existing credentials; understand the limitations of existing systems
How To Submit Credentials
EAP Transport Layer Security (EAP-TLS): CLIENT and SERVER each hold a certificate issued under ROOT; the client checks the server certificate (Valid Server) and the server checks the client certificate (Valid Client); the client is authenticated
Protected EAP (PEAP): the client checks the server certificate against ROOT (Valid Server); inside the ENCRYPTED TUNNEL the user sends U: Hari, P: (password); Hari is authenticated
User Authentication & Machine Authentication
Machine Account (e.g. host/machine) / User Account (e.g. user@example.com)
Machine Certificate / User Certificate
Tying Machine and User Authentications: user or machine auth is supported by supplicants; MAR and RADIUS Server policy can mandate both, but in different transactions; EAP-Chaining supports authentication of multiple credentials in a single EAP transaction
MAR: Machine Access Restrictions
EAP Chaining Explained (Supplicant, Switch, RADIUS Server)
Machine phase:
Supplicant -> Switch: EAPOL Start; Switch -> RADIUS: Access-Request [EAP-Tunnel=FAST]
RADIUS -> Switch: Access-Challenge [EAP-TLV="Machine"]; Switch -> Supplicant: EAP Request TLV
Supplicant -> Switch: EAP-Response TLV="Machine"; Switch -> RADIUS: Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
RADIUS -> Switch: Access-Accept; Supplicant receives EAP Success and a PAC
User phase (after user login):
Supplicant -> Switch: EAPOL Start; Switch -> RADIUS: Access-Request [EAP-Tunnel=FAST]
RADIUS -> Switch: Access-Challenge [EAP-TLV="Machine"]; Switch -> Supplicant: EAP Request TLV
Supplicant -> Switch: EAP-Response TLV="User"; Switch -> RADIUS: Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
RADIUS -> Switch: Access-Accept; Supplicant receives EAP Success and a PAC
PAC: Protected Access Credential
EAP-TEAP (Tunneled EAP): draft by IETF working group; next-gen EAP method; supports EAP Chaining
Cisco AnyConnect NAM 3.1: the only supplicant supporting EAP Chaining today (EAP-FASTv2)
Cisco Identity Services Engine: supports EAP-Chaining from software version 1.1.1
User + Machine Policy: combined User Identity + Machine Identity (EAP Chaining)
(Flow chart) Start Here -> Machine authenticated? (Yes/No) -> Workstation_Corp? (Yes/No) -> User authenticated? (Yes/No) -> Employee? (Yes/No) -> Employee + WS_Corp
Outcomes shown: Permit Access; AD Login Access / VDI Access; Internet Only; Access-Reject
Other nodes: Registered Guest; I-Device; Machine / User
NIPR/SIPR Cross-Domain Violations
(Flow chart) Start Here -> Machine authenticated? (Yes/No) -> CLASSIFIED? (Yes) / UNCLASS (No) -> User authenticated? -> Employee? (Yes/No) -> Employee + WS_Corp -> Permit Access
Other nodes: Approved Visitor; Machine / User; Access-Reject; Internet Only
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin
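The authorization step after EAP chaining, covering both the user + machine policy chart and the cross-domain violation chart above, as an added example (not ISE policy code). The group names (Workstation_Corp, Employee, RegisteredGuest), the outcome labels, the mapping of chart branches to outcomes and the syslog line format are all assumptions drawn from the charts, not ISE's real rule syntax or message format:

```python
"""Authorization after EAP chaining: one EAP-FASTv2/TEAP transaction yields a
machine result and a user result, and policy combines the two. Added
example, not Cisco ISE code. Group names, outcome labels and the
branch-to-outcome mapping are assumptions taken from the flow charts; the
syslog text is a constructed format, not ISE's real message."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ChainedAuth:
    machine_ok: bool                  # machine credential validated inside the tunnel
    machine_groups: Tuple[str, ...]   # AD groups of the machine account
    user_ok: bool                     # user credential validated inside the tunnel
    user_groups: Tuple[str, ...]      # AD groups of the user account
    machine_name: str = ""            # e.g. the EAP-ID of the machine phase
    user_name: str = ""               # e.g. the EAP-ID of the user phase


def authorize(a: ChainedAuth) -> str:
    """Combined user + machine decision, evaluated top-down like the chart."""
    corp_machine = a.machine_ok and "Workstation_Corp" in a.machine_groups
    employee = a.user_ok and "Employee" in a.user_groups
    if corp_machine and employee:
        return "Permit Access"               # Employee + WS_Corp
    if corp_machine and not a.user_ok:
        return "AD Login / VDI Access"       # machine-only phase, nobody logged in yet
    if employee:
        return "Internet Only"               # employee on a non-corporate device (e.g. personal i-device)
    if a.user_ok and "RegisteredGuest" in a.user_groups:
        return "Internet Only"
    return "Access-Reject"


# Constructed syslog sink; a real deployment would forward to a collector/SIEM.
SYSLOG: List[str] = []


def cross_domain_authorize(a: ChainedAuth, machine_domain: str, user_domain: str) -> str:
    """Cross-domain rule: the machine's and the user's classification
    (e.g. 'CLASSIFIED' vs 'UNCLASS') must agree. A mismatch is rejected and
    a syslog line naming both credentials is recorded, which is what an
    email alert to the security admin can be built on."""
    if a.machine_ok and a.user_ok and machine_domain != user_domain:
        SYSLOG.append(f"ISE cross-domain violation: machine={a.machine_name} ({machine_domain}) "
                      f"user={a.user_name} ({user_domain}) result=Access-Reject")
        return "Access-Reject"
    return authorize(a)
```

Because both identities arrive in one EAP transaction, the decision can be made in a single rule evaluation instead of correlating two separate sessions the way MAR has to.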
Real Networks Can't Live on 802.1X Alone
(Figure) Two switch ports, one where 802.1X passed and one unauthenticated; traffic seen on each: DHCP, TFTP, KRB5, HTTP, EAPoL
Endpoint types on the network: Employee, Employee (bad credential), 1X enabled, Guest, Managed Assets, Rogue
Building Your MAB Database: Profiling Tools Are Evolving
Profile Conditions example: PROFILED = MAC OUI + DHCP Class ID. If the MAC OUI is Lexmark and the DHCP Class ID contains "E260dn", it's a Lexmark E260dn Printer
Probe-gathered information sent to ISE: SNMP Probe, DHCP Probe, HTTP Probe, DNS Probe
Building Your MAB Database: Profiling Tools Are Evolving
Just one type of probe: the RADIUS Probe. Device Sensor (IOS 15.0(1)SE1) on each switch collects CDP/LLDP/DHCP/MAC data and sends it to ISE 1.1 over RADIUS; Device Classifier
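How probe-gathered attributes are merged and matched against hierarchical profile conditions (the Lexmark OUI + DHCP class ID example above, with data arriving from the RADIUS probe and Device Sensor), as an added example that is not ISE code. The OUI table entries, the profile names, the certainty values and the scoring model are constructed for the demo and only loosely mimic ISE's certainty factors:

```python
"""Toy endpoint profiler: merge attributes gathered by different probes
(RADIUS/MAC address, DHCP class identifier, CDP/LLDP from Device Sensor) and
score them against hierarchical profile conditions. Added example, not Cisco
ISE code. The OUI table, profiles and certainty values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed OUI table (first three MAC octets -> vendor). A real profiler uses
# the IEEE OUI registry; these two entries are placeholders, not real assignments.
OUI_VENDORS = {"00:20:00": "Lexmark", "00:1B:78": "HP"}


@dataclass(frozen=True)
class Rule:
    attribute: str   # attribute name in the merged endpoint record
    op: str          # "equals" or "contains"
    value: str
    certainty: int   # confidence contributed when the rule matches


@dataclass
class Profile:
    name: str
    parent: Optional[str]
    min_certainty: int
    rules: List[Rule] = field(default_factory=list)


# Parents must be listed before their children (profiles are evaluated top-down).
PROFILES: List[Profile] = [
    Profile("Lexmark-Device", None, 10, [Rule("oui_vendor", "equals", "Lexmark", 10)]),
    Profile("Lexmark-E260dn-Printer", "Lexmark-Device", 30, [
        Rule("oui_vendor", "equals", "Lexmark", 10),
        Rule("dhcp_class_id", "contains", "E260dn", 20),
    ]),
    Profile("HP-Device", None, 10, [Rule("oui_vendor", "equals", "HP", 10)]),
]
PROFILE_BY_NAME = {p.name: p for p in PROFILES}


def depth(name: str) -> int:
    """Number of ancestors; deeper means more specific."""
    d, parent = 0, PROFILE_BY_NAME[name].parent
    while parent is not None:
        d, parent = d + 1, PROFILE_BY_NAME[parent].parent
    return d


def merge_probes(*probe_records: Dict[str, str]) -> Dict[str, str]:
    """Combine the attributes reported by several probes and derive the OUI vendor."""
    attrs: Dict[str, str] = {}
    for rec in probe_records:
        attrs.update(rec)
    mac = attrs.get("mac", "").upper()
    attrs["oui_vendor"] = OUI_VENDORS.get(mac[:8], "Unknown")
    return attrs


def score(profile: Profile, attrs: Dict[str, str]) -> int:
    total = 0
    for r in profile.rules:
        actual = attrs.get(r.attribute, "")
        if (r.op == "equals" and actual == r.value) or (r.op == "contains" and r.value in actual):
            total += r.certainty
    return total


def profile_endpoint(*probe_records: Dict[str, str]) -> str:
    """Most specific profile whose minimum certainty is met. A child profile is
    only considered when its parent matched; 'Unknown' if nothing matches."""
    attrs = merge_probes(*probe_records)
    matched: Dict[str, int] = {}
    for p in PROFILES:
        if p.parent is not None and p.parent not in matched:
            continue
        s = score(p, attrs)
        if s >= p.min_certainty:
            matched[p.name] = s
    if not matched:
        return "Unknown"
    return max(matched, key=lambda n: (depth(n), matched[n]))
```

The same MAC with and without the DHCP probe record lands in different profiles, which is why adding probes (or Device Sensor on the switch) matters more than tuning any single condition.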
DoD CAC capable for administration too: TACACS CLI CAC Login; Admin UI Login (Sponsor Portal Login coming soon)
Aruba with ISE Configuration Guide; works with any RADIUS compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third Party Switches Tested and Configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Make fully informed decisions with rich contextual awareness
Poor context awareness: IP Address 192.168.1.51; Who: Unknown; What: Unknown; Where: Unknown; When: Unknown. Result: any user, any device, anywhere gets on the network
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access
Better Visibility: revamped the Endpoints Identity page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: color coded + condensed
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Feature Highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Example (Doctor): Lobby: no access to patient data; Patient room: access to patient data; Lab: no access to patient data; ER: access to patient data. Patient data access locations among Lobby, Patient room, Lab and ER: Patient room and ER
ISE 2.0 Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE. MSE: "I have location data: Campus / Building / Floor / Zone"
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• + 150 TPS (transactions per second)
End Point Movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location changed. If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session
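The periodic location check and CoA-driven reauthorization described above, as an added example that is not ISE code. The MSE is stood in for by a constructed lookup function, the zone path and authorization profile names are assumptions, and the polling-interval helper is my reading of "about every 5 minutes at 150 TPS" as a floor on how often a single endpoint is re-checked:

```python
"""Periodic MSE location check with reauthorization via CoA. Added example,
not Cisco ISE code. The MSE lookup is simulated, the zone path and profile
names are assumptions, and the interval helper treats the slide's
'~5 minutes at 150 TPS' as a floor on the per-endpoint polling interval."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SECURE_ZONE = "LND_Campus1/Building1/Floor2/SecureZone"   # assumed hierarchy path


@dataclass
class Session:
    mac: str
    user: str
    location: str                   # last MSE location applied to this session
    authz_profile: str
    coa_events: List[str] = field(default_factory=list)


def authz_profile_for(location: str) -> str:
    """The authorization rule: MSE:Location EQUALS the secure zone -> secure profile."""
    return "SecureZone_Access" if location == SECURE_ZONE else "Default_Access"


def check_location(sess: Session, mse_lookup: Callable[[str], Optional[str]]) -> str:
    """One poll of MSE for the session's endpoint, keyed by MAC.
    Returns 'no-change', or 'coa' when the location changed: the session
    context is updated and a CoA is issued so the rule is re-evaluated
    against the new location."""
    new_loc = mse_lookup(sess.mac)
    if new_loc is None or new_loc == sess.location:
        return "no-change"                   # slide: "if no location change, do nothing"
    sess.location = new_loc                  # "update the collection with the new info"
    old, new = sess.authz_profile, authz_profile_for(new_loc)
    sess.authz_profile = new
    sess.coa_events.append(                  # "invoke CoA on the session"
        f"CoA-Reauth mac={sess.mac} user={sess.user} location={new_loc} profile {old}->{new}")
    return "coa"


def poll_interval_seconds(tracked_sessions: int, tps: int = 150, floor: int = 300) -> int:
    """Spacing between two checks of the same endpoint so that the overall
    query rate stays inside the TPS budget, never faster than the floor."""
    return max(floor, -(-tracked_sessions // tps))   # ceiling division
```

Note that the CoA is the part that actually changes access: updating the stored location alone leaves the old authorization in place until the session is reauthorized.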
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Enterprise Mobility: Wired, Wireless, VPN; Branch, Headquarters; Remote User, Partner, Contractor/Guest, Admin
Apply access and usage policies across the entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Enable faster and easier device onboarding without any IT support
(Figure) Employee, IT Staff, Device Profiling; resources: Internal Employee Intranet, www, Confidential HR Records
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience; effectively design, manage and control the access of BYOD
Benefits
Better Security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" Portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Flow: 1. The user tries to connect to the network using a personal device. 2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration. 3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy. 4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Guest: immediate uncredentialed Internet access with Hotspot (Internet)
Guest: simple self-registration (Internet)
Guest + Sponsor: role-based access with employee sponsorship (Internet and Network)
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate un-credentialed access with Hotspot
Flow: 1. The user associates to an open SSID. 2. The user tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal. 3. After checking the Acceptable Use Policy, the user is then allowed access to the network. 4. At the end of the day (Day Ends), the user is kicked off the network
Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (e.g. secret code: chemist)
Guest Lifecycle Management: Self Registration
Feature Highlight: simple and flexible Guest Self Registration
Flow: 1. The guest is redirected to a captive portal for self-registration. 2. After filling in the registration request, the credentials are sent by ISE via SMS. 3. The guest enters the credentials. 4. The guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom Criteria, Vulnerable
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow:
Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
Quarantine: dVLAN, dACLs, SGT
Posture Assess: OS, Hotfix, AV, AS, Personal FW, more...
Remediate: WSUS, launch app, scripts, etc...
Posture = Compliant
Authorize: Permit Access (dACL, dVLAN, SGT, etc...)
Capabilities
• Multiple agents (AnyConnect and dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
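The posture flow above (authenticate, posture unknown, quarantine, assess, remediate, compliant, authorize) evaluated under the Mandatory, Optional and Audit modes, as an added example that is not ISE or AnyConnect code. The requirement list, the automatic remediations, the dVLAN/dACL/SGT names and, in particular, the way the three modes are interpreted here are simplifying assumptions:

```python
"""Posture assessment flow: authenticate -> posture unknown -> quarantine ->
assess -> remediate -> compliant -> authorize, under the Mandatory, Optional
and Audit modes. Added example, not Cisco ISE or AnyConnect code; the
requirements, remediations, authorization attributes and the reading of the
three modes are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    os_patched: bool
    av_installed: bool
    av_up_to_date: bool
    disk_encrypted: bool
    firewall_on: bool


# Automatic remediations (stand-ins for WSUS, launching an app, running a script).
def _patch(e: Endpoint) -> None: e.os_patched = True
def _update_av(e: Endpoint) -> None: e.av_up_to_date = True
def _enable_fw(e: Endpoint) -> None: e.firewall_on = True


# requirement name -> (check, automatic remediation or None when a human must act)
REQUIREMENTS: Dict[str, Tuple[Callable[[Endpoint], bool], Optional[Callable[[Endpoint], None]]]] = {
    "OS hotfixes": (lambda e: e.os_patched, _patch),
    "AV installed": (lambda e: e.av_installed, None),
    "AV up to date": (lambda e: e.av_up_to_date, _update_av),
    "Disk encryption": (lambda e: e.disk_encrypted, None),
    "Personal firewall": (lambda e: e.firewall_on, _enable_fw),
}

# Constructed authorization results for the two posture states.
QUARANTINE = {"dVLAN": "QUARANTINE_VLAN", "dACL": "PERMIT_REMEDIATION_ONLY", "SGT": "Quarantine"}
PERMIT = {"dVLAN": "CORP_VLAN", "dACL": "PERMIT_ALL", "SGT": "Employee"}


@dataclass
class PostureOutcome:
    status: str                    # "Compliant" or "NonCompliant"
    authorization: Dict[str, str]
    failed: List[str] = field(default_factory=list)
    remediated: List[str] = field(default_factory=list)


def assess(endpoint: Endpoint, mode: str) -> PostureOutcome:
    """mode: 'mandatory' (every requirement must pass), 'optional' (remediation
    is attempted but access is granted regardless) or 'audit' (results are only
    recorded; nothing is remediated and access is granted)."""
    if mode not in ("mandatory", "optional", "audit"):
        raise ValueError(f"unknown posture mode {mode!r}")
    failed: List[str] = []
    remediated: List[str] = []
    for name, (check, remediate) in REQUIREMENTS.items():
        if check(endpoint):
            continue
        if mode != "audit" and remediate is not None:
            remediate(endpoint)
            if check(endpoint):
                remediated.append(name)
                continue
        failed.append(name)
    compliant = not failed or mode in ("optional", "audit")
    return PostureOutcome("Compliant" if compliant else "NonCompliant",
                          PERMIT if compliant else QUARANTINE, failed, remediated)


def session_flow(endpoint: Endpoint, mode: str) -> Tuple[List[str], PostureOutcome]:
    """Trace of the session states from the slide, ending in the authorization."""
    trace = ["Authenticate user+endpoint", "Posture=Unknown", f"Quarantine SGT={QUARANTINE['SGT']}"]
    outcome = assess(endpoint, mode)
    if outcome.remediated:
        trace.append("Remediate " + ", ".join(outcome.remediated))
    trace.append(f"Posture={outcome.status}")
    trace.append("Authorize Permit Access" if outcome.status == "Compliant" else "Authorize Quarantine")
    return trace, outcome
```

The endpoint stays in the quarantine authorization until the assessment finishes, so a failed non-remediable check in mandatory mode leaves only the remediation-only dACL in place.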
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 Highlights / Description
File Check Enhancements: enhanced OS X file checks; SHA-256; plist on OS X; Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: user agent check; user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0 / AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS example. Product name and version. "Install" is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date". Minimum version of the compliance module that provides support
ISE Posture: Patch Management, Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating System: only Windows supported
• Vendor Name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices Portal (device stolen, wipe corporate data)
Flow: register with ISE; allow Internet access; register with MDM; allow corporate access
Streamline management using a single workspace, with TrustSec's new user interface
Feature Highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with dedicated work centers, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
TrustSec Work Center: intuitive work center and access policy matrix
Access policy matrix (rows: source SGT; columns: destination SGT; each cell is Permit IP or Deny IP)
Sources: Guest, Contractor, Employee, Infected
Destinations: Internet, Contractor Resources, HR Server, Employee Resources, Remediation
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX: Security Policy Maintenance

Traditional ACL / firewall rule (source → destination)
Sources: NY, SF, LA, SJC (NY alone is represented by six 10.x.x.0/24 subnets …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI)

ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

Adding a destination object or adding a source object means more entries: the complex task and high OPEX continue.
A global bank currently dedicates 24 global resources to manage firewall rules.
Low OPEX: Security Policy Maintenance

Security group filtering (source SGT → destination SGT)
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Sources: NY, SF, LA, SJC (Employee and BYOD); destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI) = VDI Servers

Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization).
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
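The two slides above argue that IP-based ACLs grow with the product of source objects and destination objects while SGT policy grows only with the number of intents. The Python below, an added example that is not Cisco's code or part of the deck, makes that concrete: it expands the six intents from the low-OPEX slide into per-subnet, per-host ACEs and then into SGT rules, and shows what adding one more source subnet costs each model. The intents, site names and server names are from the slides; the subnet prefixes, host addresses and role-to-subnet assignment are constructed.

```python
"""Rule-count comparison: IP-based ACL vs. SGT policy for the same intent.

Added example, not Cisco code. The six intents are the ones on the
low-OPEX slide; the site/subnet inventory and server group membership
are constructed (the slide names the sites and servers, not prefixes).
"""
from typing import Dict, List, Tuple

# (source role, destination group, service, action), as on the slide
INTENTS: List[Tuple[str, str, str, str]] = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", "any", "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]

# Constructed: which subnets carry each role at each site.
ROLE_SUBNETS: Dict[str, List[str]] = {
    "Employee": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",   # NY
                 "10.2.1.0/24", "10.2.2.0/24",                  # SF
                 "10.3.1.0/24", "10.3.2.0/24",                  # LA
                 "10.4.1.0/24"],                                # SJC
    "BYOD": ["10.1.200.0/24", "10.2.200.0/24",
             "10.3.200.0/24", "10.4.200.0/24"],
}

# Constructed host addresses for the servers named on the slide.
SERVER_GROUPS: Dict[str, List[str]] = {
    "Production_Servers": ["172.16.10.11", "172.16.10.12", "172.16.20.13"],  # SRV1, SAP1, SCM2
    "VDI": ["172.16.20.50"],
}


def render_traditional(role_subnets, server_groups, intents) -> List[str]:
    """Expand every intent to one ACE per (source subnet, server host).
    This is what a firewall or router ACL has to hold today."""
    aces = []
    for role, group, service, action in intents:
        for subnet in role_subnets[role]:
            for host in server_groups[group]:
                aces.append(f"{action} {subnet} -> {host} {service}")
    return aces


def render_sgt(intents) -> List[str]:
    """One rule per intent: membership travels in the tag, not in the ACL."""
    return [f"{action} {role} -> {group} {service}"
            for role, group, service, action in intents]


def growth_on_new_subnet(role_subnets, server_groups, intents,
                         role: str, subnet: str) -> Tuple[int, int]:
    """Return (extra traditional ACEs, extra SGT rules) after a site adds a
    subnet for `role`, i.e. the 'adding source object' arrow on the slide."""
    before = len(render_traditional(role_subnets, server_groups, intents))
    grown = {r: list(s) for r, s in role_subnets.items()}
    grown[role].append(subnet)
    after = len(render_traditional(grown, server_groups, intents))
    return after - before, 0   # SGT policy is unchanged by a new subnet


if __name__ == "__main__":
    acl = render_traditional(ROLE_SUBNETS, SERVER_GROUPS, INTENTS)
    sgt = render_sgt(INTENTS)
    print(f"traditional ACEs: {len(acl)}, SGT rules: {len(sgt)}")
    print("new NY subnet adds (ACEs, SGT rules):",
          growth_on_new_subnet(ROLE_SUBNETS, SERVER_GROUPS, INTENTS,
                               "Employee", "10.1.4.0/24"))
```

With the constructed inventory the same six intents become 96 ACEs, and every additional Employee subnet adds another ten ACEs to audit while the SGT rule set does not change at all.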
Policy and Segmentation (traditional VLAN approach)

[Diagram: access layer and aggregation layer with VLANs for Voice, Data, Suppliers, Guest and Quarantine; each segment needs VLAN, addressing, DHCP scope, redundancy, routing and static filtering]

Simple segmentation with 2 VLANs; more policies require more VLANs.
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
Segmentation with Security Groups

[Diagram: access layer, aggregation layer and data center firewall; the Voice, Data, Suppliers, Guest and Quarantine roles are carried as Data Tag, Supplier Tag, Guest Tag and Quarantine Tag]

Retaining the initial VLAN/subnet design.
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
Enforce business role policies for all network services and decisions
Give the right people on the right devices the right access to the right resources with TrustSec

• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets

[Diagram: three endpoints requesting the Internet, Confidential Patient Records and the Internal Employee Intranet]
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
US-CERT
Traditional Security Policy vs. TrustSec Security Policy

[Slide graphic: a wall of hundreds of traditional "access-list 102 permit/deny <protocol> <source> <wildcard> <port> <destination> <wildcard> <port>" entries, many of them repeated, illustrating how unreadable IP-based policy becomes at scale]

With TrustSec:
• Security control automation
• Simplified access management
• Improved security efficacy

Network fabric: switch, router, DC firewall, DC switch, wireless. Flexible and scalable policy enforcement: software-defined segmentation.
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM

https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
ISE is the cornerstone of your Cisco solutions
Context (who, what, where, when, how) shared before, during and after an attack with:
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
And easily integrates with partner solutions
ISE shares context (who, what, where, when, how) through the pxGrid controller with Cisco Meraki and with partner products in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management.
Cisco Platform Exchange Grid (pxGrid)
Enable unified threat response by sharing contextual data

1. ISE collects contextual data (who, what, where, when, how) from the Cisco network.
2. Context is shared via pxGrid technology (ISE acts as the pxGrid controller).
3. Partners in the Cisco and partner ecosystem use the context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Telemetry sharing using pxGrid: Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness

Feature Highlight
Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.

Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations

Benefits
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access web resources.

[Diagram: ISE shares context with the WSA; Doctor/Laptop/Office, Doctor/iPad/Office and Guest/iPad/Office request Confidential Patient Records and the Employee Intranet]
Protect automatically with rapid threat containment: Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE

Feature Highlight
Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration

Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.

Flow:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to "suspicious".
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation; access is denied per security policy.
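The containment flow above, and the access policy matrix from the TrustSec Work Center slide earlier, are the two halves of one mechanism: the tag selects a row of the matrix, so changing the tag changes every decision for that session at once. The Python below is an added example, not Cisco code and not part of the deck, that models exactly that: a matrix keyed by source and destination SGT, a session directory, and a pxGrid-style re-tag that logs the CoA ISE would push. The SGT names come from the slides; the cell values, the session data and the "Suspicious" tag name are constructed assumptions.

```python
"""Toy model of an SGT policy matrix and pxGrid-triggered re-tagging.

Added example, not Cisco code. The SGT names come from the slides; the
cell assignments below are constructed, as is the 'Suspicious' tag that
stands in for the tag FMC sets on a detection.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PERMIT, DENY = "Permit IP", "Deny IP"

SOURCES = ["Guest", "Contractor", "Employee", "Infected", "Suspicious"]
DESTINATIONS = ["Internet", "Contractor Resources", "HR Server",
                "Employee Resources", "Remediation"]


def build_matrix() -> Dict[str, Dict[str, str]]:
    """Return matrix[src_sgt][dst_sgt]; every cell is filled explicitly.

    Constructed cells: Guest only reaches the Internet, Contractor adds
    its own resources, Employee reaches everything except the remediation
    network, and a host tagged Infected or Suspicious reaches only
    remediation.
    """
    permits = {
        "Guest": {"Internet"},
        "Contractor": {"Internet", "Contractor Resources"},
        "Employee": {"Internet", "Contractor Resources", "HR Server",
                     "Employee Resources"},
        "Infected": {"Remediation"},
        "Suspicious": {"Remediation"},
    }
    return {src: {dst: (PERMIT if dst in permits[src] else DENY)
                  for dst in DESTINATIONS} for src in SOURCES}


@dataclass
class Session:
    mac: str
    user: str
    sgt: str


@dataclass
class IseSessions:
    """Minimal stand-in for the ISE session directory plus a CoA log."""
    matrix: Dict[str, Dict[str, str]]
    sessions: Dict[str, Session] = field(default_factory=dict)
    coa_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def authorize(self, mac: str, user: str, sgt: str) -> Session:
        s = Session(mac, user, sgt)
        self.sessions[mac] = s
        return s

    def decide(self, mac: str, dst_sgt: str) -> str:
        """The matrix lookup an enforcement point performs for one flow."""
        src_sgt = self.sessions[mac].sgt
        return self.matrix.get(src_sgt, {}).get(dst_sgt, DENY)

    def pxgrid_retag(self, mac: str, new_sgt: str) -> Session:
        """Steps 3 and 4 of the slide: a partner publishes a new tag, ISE
        applies it and pushes a CoA so the NAD picks up the new SGT."""
        s = self.sessions[mac]
        self.coa_log.append((mac, s.sgt, new_sgt))
        s.sgt = new_sgt
        return s


def containment_demo() -> Dict[str, str]:
    """Walk the slide's flow with a constructed session and return the
    matrix decisions before and after FMC re-tags the endpoint."""
    ise = IseSessions(build_matrix())
    mac = "00:11:22:33:44:55"  # constructed
    ise.authorize(mac, "employee1", "Employee")
    before = ise.decide(mac, "HR Server")
    # FMC flags the downloaded file and, over pxGrid, re-tags the session
    ise.pxgrid_retag(mac, "Suspicious")
    return {
        "hr_before": before,
        "hr_after": ise.decide(mac, "HR Server"),
        "remediation_after": ise.decide(mac, "Remediation"),
        "internet_after": ise.decide(mac, "Internet"),
        "coa_count": str(len(ise.coa_log)),
    }


if __name__ == "__main__":
    for k, v in containment_demo().items():
        print(f"{k}: {v}")
```

Note that nothing in the enforcement path changes when the detection fires: the switches and firewalls keep consulting the same matrix, and only the session's tag moves. That is why a single CoA is enough to cut the host off from HR Server while leaving the remediation network reachable.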
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration > pxGrid Services

FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• FMC: Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
[Diagram: flow data collected from the Admin, Enterprise, POS and Vendor zones]

Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec software-defined segmentation
[Diagram: Admin, Enterprise, POS, Vendor, Employee and Dev zones segmented by policy]
TACACS+ Device Administration
Simplify security management with role-based access control

Feature Highlight
Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.

[Diagram: TACACS+ Device Administration support for ISE 2.0; the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center]
The Device Admin Service is not enabled by default.
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Use policy sets based on device type: Cisco IOS switches, Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices

Feature Highlight
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration:
• ISE 1.0: 802.1X
• New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/export simplifies sharing of custom profiles
Don't just take it from us

Recognized as a LEADER four years in a row
– Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011

“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.”
– Forrester, 2011

Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
– Frost & Sullivan, 2014

A CHAMPION in the Info-Tech Vendor Landscape for NAC
– Info-Tech Research Group, 2014
Live Demo
How to Submit Credentials

EAP Transport Layer Security (EAP-TLS)
[Diagram: CLIENT and SERVER each present a certificate chained to a trusted ROOT; the client validates the SERVER certificate ("valid server"), the server validates the CLIENT certificate ("valid client, authenticated")]

Protected EAP (PEAP)
[Diagram: the client validates the SERVER certificate against ROOT, then sends its username and password (U: Hari, P: …) inside the ENCRYPTED TUNNEL; "Hari is authenticated"]

User Authentication & Machine Authentication
Machine account, e.g. host/machine, with a machine certificate; user account, e.g. user@example.com, with a user certificate.

Tying machine and user authentications:
• User or machine auth supported by supplicants
• MAR (Machine Access Restrictions) and RADIUS server policy can mandate both, but in different transactions
• EAP-Chaining supports authentication of multiple credentials in a single EAP transaction
EAP Chaining Explained
(Supplicant, Switch, RADIUS Server; PAC = Protected Access Credential)

Machine phase:
Supplicant → Switch: EAPOL Start
Switch → RADIUS: Access-Request [EAP-Tunnel=FAST]
RADIUS → Supplicant: Access-Challenge, EAP Request TLV [EAP-TLV="Machine"]
Supplicant → RADIUS: EAP-Response TLV="Machine"; Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
RADIUS → Supplicant: Access-Accept, EAP Success, PAC

Login

User phase:
Supplicant → Switch: EAPOL Start
Switch → RADIUS: Access-Request [EAP-Tunnel=FAST]
RADIUS → Supplicant: Access-Challenge, EAP Request TLV [EAP-TLV="Machine"]
Supplicant → RADIUS: EAP-Response TLV="User"; Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
RADIUS → Supplicant: Access-Accept, EAP Success, PAC

• EAP-TEAP (Tunneled EAP): draft by the IETF working group; next-gen EAP method; supports EAP Chaining
• Cisco AnyConnect NAM 3.1: the only supplicant supporting EAP Chaining today (EAP-FASTv2)
• Cisco Identity Services Engine: supports EAP-Chaining from software version 1.1.1
User + Machine Policy: combined user identity + machine identity (EAP Chaining)

[Flowchart: Start here → is the machine in Workstation_Corp? → is the user an Employee? → is it a Registered Guest or an I-Device? Outcomes: Permit Access (Employee + WS_Corp), AD Login Access, VDI Access, Internet Only, Access-Reject]
NIPR/SIPR Cross-Domain Violations

[Flowchart: Start here → is the machine CLASSIFIED or UNCLASS? → is the user an Employee or an Approved Visitor? Outcomes: Permit Access (Employee + WS_Corp), Internet Only, Access-Reject]

A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
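The EAP chaining sequence and the two flowcharts above describe one policy engine: the RADIUS server collects a machine result and a user result in one EAP-FASTv2 transaction, then branches on the pair. The Python below is an added example, not Cisco code and not part of the deck, that gathers the "Machine" and "User" TLV identities as on the sequence slide, evaluates both the corporate flow (Permit Access, AD Login Access, VDI Access, Internet Only, Access-Reject) and the cross-domain check (reject plus a syslog-style line naming the credential). The directory entries, the rule order, the Approved_Visitor group name and the log line format are constructed assumptions.

```python
"""Authorization from chained machine + user credentials (EAP Chaining).

Added example, not Cisco code. The outcomes (Permit Access, Internet Only,
VDI Access, AD Login Access, Access-Reject) and the identity groups
(Workstation_Corp, Employee, CLASSIFIED/UNCLASS) come from the slides;
the directory entries, rule order and syslog line format are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory: identity -> (groups, classification domain)
DIRECTORY: Dict[str, Tuple[set, str]] = {
    "Corp-Win7-1": ({"Workstation_Corp"}, "UNCLASS"),
    "Employee1": ({"Employee"}, "UNCLASS"),
    "SIPR-WS-9": ({"Workstation_Corp", "CLASSIFIED"}, "CLASSIFIED"),
    "Analyst7": ({"Employee", "CLASSIFIED"}, "CLASSIFIED"),
    "visitor22": ({"Approved_Visitor"}, "UNCLASS"),
}


@dataclass
class ChainedIdentity:
    machine: Optional[str]  # EAP-ID from the "Machine" TLV, None if absent
    user: Optional[str]     # EAP-ID from the "User" TLV, None if absent


def from_tlvs(tlvs: List[Tuple[str, str]]) -> ChainedIdentity:
    """Collect the EAP-TLV results of one EAP-FASTv2 transaction.
    tlvs is a list of (tlv_type, eap_id) as shown on the sequence slide."""
    ids: Dict[str, Optional[str]] = {"Machine": None, "User": None}
    for tlv_type, eap_id in tlvs:
        if tlv_type not in ids:
            raise ValueError(f"unexpected TLV {tlv_type}")
        ids[tlv_type] = eap_id
    return ChainedIdentity(ids["Machine"], ids["User"])


def groups_of(identity: Optional[str]) -> set:
    return DIRECTORY.get(identity, (set(), ""))[0] if identity else set()


def domain_of(identity: Optional[str]) -> Optional[str]:
    return DIRECTORY[identity][1] if identity in DIRECTORY else None


def authorize(chain: ChainedIdentity) -> Tuple[str, Optional[str]]:
    """Return (authorization result, syslog line or None).

    The cross-domain check runs first: a machine and a user from different
    classification domains is a violation, rejected and logged with the
    credential so the security admin can be notified (NIPR/SIPR slide).
    """
    m_groups, u_groups = groups_of(chain.machine), groups_of(chain.user)
    m_dom, u_dom = domain_of(chain.machine), domain_of(chain.user)
    if m_dom and u_dom and m_dom != u_dom:
        log = (f"ISE-CROSS-DOMAIN-VIOLATION machine={chain.machine} "
               f"machine_domain={m_dom} user={chain.user} user_domain={u_dom}")
        return "Access-Reject", log
    if "Workstation_Corp" in m_groups and "Employee" in u_groups:
        return "Permit Access", None          # Employee + WS_Corp
    if "Workstation_Corp" in m_groups and chain.user is None:
        return "AD Login Access", None        # machine-only, before logon
    if "Employee" in u_groups:
        return "VDI Access", None             # employee on a non-corp device
    if "Approved_Visitor" in u_groups:
        return "Internet Only", None
    return "Access-Reject", None


def demo() -> Dict[str, str]:
    """Constructed transactions covering each branch of the two flowcharts."""
    cases = {
        "corp_ws_employee": [("Machine", "Corp-Win7-1"), ("User", "Employee1")],
        "machine_only": [("Machine", "Corp-Win7-1")],
        "employee_byod": [("User", "Employee1")],
        "visitor": [("User", "visitor22")],
        "classified_pair": [("Machine", "SIPR-WS-9"), ("User", "Analyst7")],
        "cross_domain": [("Machine", "SIPR-WS-9"), ("User", "Employee1")],
        "unknown": [("Machine", "rogue-pc")],
    }
    return {name: authorize(from_tlvs(tlvs))[0] for name, tlvs in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
    print(authorize(from_tlvs([("Machine", "SIPR-WS-9"), ("User", "Employee1")]))[1])
```

The point the chained evaluation makes is that neither credential alone decides the outcome: the same Employee1 user lands on Permit Access from a corporate workstation, on VDI Access from an unmanaged device, and on Access-Reject with an alert from a machine in the other classification domain.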
Real Networks Can't Live on 802.1X Alone

[Diagram: two 802.1X-enabled switchports ("1X enabled"). One shows "802.1X Passed": EAPoL followed by DHCP, TFTP, KRB5 and HTTP. The other shows "Unauthenticated": DHCP, TFTP, KRB5 and HTTP from endpoints with no usable EAPoL exchange. Endpoint types shown: Employee, Employee (bad credential), Guest, Managed Assets, Rogue]
Building Your MAB Database: Profiling Tools Are Evolving

Profile conditions: probe-gathered information + conditions = PROFILED. Example:
If MAC OUI = Lexmark and DHCP Class ID contains "E260dn", it's a Lexmark E260dn printer.

ISE probes: SNMP probe, DHCP probe, HTTP probe, DNS probe
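The Lexmark example above is one profiling rule; the general mechanism is that each probe contributes attributes to an endpoint record and each profile adds up the certainty of the conditions that match, with a child profile winning over its parent when both clear their minimum. The Python below is an added example, not Cisco code and not part of the deck, that implements that evaluation over constructed probe data. The OUI table entries, the certainty values, the parent "Lexmark-Device" profile and the attribute names are constructed assumptions; only the OUI + DHCP class identifier rule is from the slide.

```python
"""Profiling: probe attributes + profile conditions -> endpoint profile.

Added example, not Cisco code. The Lexmark E260dn rule (MAC OUI plus
DHCP class identifier) is the one on the slide; the certainty values,
the OUI table, the parent profile and the probe payloads are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed OUI table (prefix -> vendor); a real profiler loads the IEEE list.
OUI_TABLE = {"00:21:B7": "Lexmark", "00:50:56": "VMware"}


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str] = field(default_factory=dict)

    def ingest(self, probe: str, attrs: Dict[str, str]) -> None:
        """Merge what one probe learned; a later probe overwrites same keys
        and the list of contributing probes is kept for troubleshooting."""
        self.attributes.update(attrs)
        self.attributes["probes"] = self.attributes.get("probes", "") + probe + ";"

    def oui_vendor(self) -> Optional[str]:
        return OUI_TABLE.get(self.mac.upper()[:8])


@dataclass
class Condition:
    name: str
    certainty: int
    test: Callable[[Endpoint], bool]


@dataclass
class Profile:
    name: str
    parent: Optional[str]
    min_certainty: int
    conditions: List[Condition]

    def score(self, ep: Endpoint) -> int:
        return sum(c.certainty for c in self.conditions if c.test(ep))


PROFILES = [
    Profile("Lexmark-Device", None, 10, [
        Condition("MAC OUI = Lexmark", 10, lambda ep: ep.oui_vendor() == "Lexmark"),
    ]),
    Profile("Lexmark-E260dn", "Lexmark-Device", 30, [
        Condition("MAC OUI = Lexmark", 10, lambda ep: ep.oui_vendor() == "Lexmark"),
        Condition("DHCP class-id contains E260dn", 20,
                  lambda ep: "E260dn" in ep.attributes.get("dhcp-class-identifier", "")),
    ]),
]


def profile_endpoint(ep: Endpoint) -> str:
    """Pick the profile whose score meets its minimum certainty; the highest
    score wins, a child beats its parent on a tie, otherwise 'Unknown'."""
    best, best_key = "Unknown", (-1, -1)
    for p in PROFILES:
        s = p.score(ep)
        if s >= p.min_certainty:
            key = (s, 1 if p.parent else 0)
            if key > best_key:
                best, best_key = p.name, key
    return best


def demo() -> Dict[str, str]:
    """Three constructed endpoints: full match, OUI-only match, no match."""
    printer = Endpoint("00:21:b7:aa:bb:cc")
    printer.ingest("RADIUS", {"nas-port-id": "Gi1/0/7"})
    printer.ingest("DHCP", {"dhcp-class-identifier": "Lexmark E260dn"})
    lexmark_only = Endpoint("00:21:b7:01:02:03")
    lexmark_only.ingest("RADIUS", {})
    vm = Endpoint("00:50:56:11:22:33")
    vm.ingest("DHCP", {"dhcp-class-identifier": "MSFT 5.0"})
    return {"printer": profile_endpoint(printer),
            "lexmark_only": profile_endpoint(lexmark_only),
            "vm": profile_endpoint(vm)}


if __name__ == "__main__":
    print(demo())
```

The OUI alone is deliberately not enough to reach the specific printer profile: that is what the minimum certainty does, and it is why the slide's rule needs the DHCP probe's class identifier as a second, independent signal.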
Building Your MAB Database: Profiling Tools Are Evolving (continued)

Device Sensor (IOS 15.0(1)SE1) with the Device Classifier: the switch itself collects CDP, LLDP, DHCP and MAC information from attached endpoints and ISE 1.1 receives it through the RADIUS probe, so just one type of probe is needed.
DoD CAC capable for administration too: TACACS CLI CAC login and Admin UI login (Sponsor Portal login coming soon)
Aruba with ISE Configuration Guide
Works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf

Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness
Make fully informed decisions with rich contextual awareness

Poor context awareness (IP address only)
Who: IP address 192.168.x.x / What: Unknown / Where: Unknown / When: Unknown / How: Unknown
Result: any user, any device, anywhere gets on the network.

Rich context
Who: Bob / What: Tablet / Where: Building 200, 1st floor / When: 11:00 AM EST on April 10th / How: Wireless
Result: the right user on the right device from the right place is granted the right access.
Better Visibility: revamped Endpoints Identity page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: color coded + condensed
Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)

Feature Highlight
The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.

Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.

Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location

Benefits
Enhanced policy enforcement with automated location check and reauthorization.
Simplified management by configuring authorization with ISE management tools.
Granular control of network access with location-based authorization for individual users.

[Diagram: a doctor moving between the Lobby, a Patient room, the Lab and the ER; access to patient data is granted or denied depending on the current location. Patient data access locations listed: Patient room, ER, Lab, Lobby]
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE ("I have location data": Campus / Building / Floor / Zone)
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE Location Equals the hierarchy LND_Campus1 → Building1 → Floor2 → SecureZone
• +150 TPS (transactions per second)

Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE will query the endpoint location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed.
• If there is no location change: do nothing.
• If a new location is received: update the collection with the new info and invoke CoA on the session.
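The procedure above has three parts a practitioner needs to get right: matching a rule written at one level of the location hierarchy against the full path MSE reports, re-querying only when the interval has elapsed, and issuing a CoA only when the new location changes the authorization outcome. The Python below is an added example, not Cisco code and not part of the deck, that implements those three steps against a fake MSE lookup. The hierarchy LND_Campus1/Building1/Floor2/SecureZone, the roughly 5-minute re-check and CoA-on-change are from the slides; the "/" separator, the rule-to-profile mapping, the profile names and the session data are constructed assumptions.

```python
"""Location-based authorization with periodic MSE re-check and CoA.

Added example, not Cisco code. The hierarchy LND_Campus1/Building1/
Floor2/SecureZone, the ~5 minute re-check and CoA-on-change are from
the slides; the separator, rule-to-profile mapping, fake MSE lookups
and session data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SEP = "/"  # constructed rendering of the hierarchy separator


def location_matches(rule_location: str, actual: str) -> bool:
    """A rule written at any level of the hierarchy matches that node and
    everything below it (a campus rule matches every floor and zone)."""
    rule_parts, actual_parts = rule_location.split(SEP), actual.split(SEP)
    return actual_parts[:len(rule_parts)] == rule_parts


# Constructed ordered rules: (MSE location the rule requires, authz profile).
# First match wins, so the most specific location comes first.
RULES: List[Tuple[str, str]] = [
    ("LND_Campus1/Building1/Floor2/SecureZone", "Patient_Data_Access"),
    ("LND_Campus1", "No_Patient_Data"),
]


def authorize(location: Optional[str]) -> str:
    for rule_loc, profile in RULES:
        if location and location_matches(rule_loc, location):
            return profile
    return "Access-Reject"


@dataclass
class TrackedSession:
    mac: str
    location: str
    profile: str
    last_check: float


@dataclass
class LocationTracker:
    mse_lookup: Callable[[str], Optional[str]]   # MAC -> current MSE location
    interval: float = 300.0                       # ~5 minutes per the slide
    sessions: Dict[str, TrackedSession] = field(default_factory=dict)
    coa_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def on_auth(self, mac: str, now: float) -> TrackedSession:
        """Initial authorization: MSE location goes into the request."""
        loc = self.mse_lookup(mac) or ""
        s = TrackedSession(mac, loc, authorize(loc), now)
        self.sessions[mac] = s
        return s

    def poll(self, now: float) -> List[str]:
        """Re-query MSE for sessions whose interval has elapsed. On a
        location change update the record and, if the authorization
        outcome differs, push a CoA. Returns the MACs that received one."""
        changed = []
        for s in self.sessions.values():
            if now - s.last_check < self.interval:
                continue
            s.last_check = now
            new_loc = self.mse_lookup(s.mac)
            if not new_loc or new_loc == s.location:
                continue                      # no change: do nothing
            s.location = new_loc              # update the collection
            new_profile = authorize(new_loc)
            if new_profile != s.profile:
                self.coa_log.append((s.mac, s.profile, new_profile))
                s.profile = new_profile
                changed.append(s.mac)
        return changed


def demo() -> Dict[str, str]:
    """A constructed doctor's tablet walks from the lobby into the secure zone."""
    mac = "aa:bb:cc:00:00:01"
    positions = {mac: "LND_Campus1/Building1/Floor1/Lobby"}
    tracker = LocationTracker(lambda m: positions.get(m))
    first = tracker.on_auth(mac, now=0.0).profile
    positions[mac] = "LND_Campus1/Building1/Floor2/SecureZone"
    early = tracker.poll(now=120.0)    # too soon: MSE is not queried
    later = tracker.poll(now=310.0)    # interval elapsed: change detected
    return {"first": first, "early_coa": str(len(early)),
            "later_coa": str(len(later)), "final": tracker.sessions[mac].profile}


if __name__ == "__main__":
    print(demo())
```

Two details matter operationally. Prefix matching keeps the rule table short (one campus-wide default rule covers every room not otherwise listed), and the CoA fires only when the profile actually changes, which is what keeps the re-check from generating churn at 150 TPS as people walk between rooms with identical entitlements.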
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed

[Diagram: Wired, Wireless, VPN, Branch, Headquarters, Remote User, Partner, Admin, Contractor/Guest and Enterprise Mobility all governed by the same ISE policy]
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles

[Diagram: an Employee device goes through Device Profiling; resources shown are the Internal Employee Intranet (www) and Confidential HR Records; IT Staff]
Bring Your Own Device (BYOD)
Enable easier and faster device onboarding

Feature Highlight
Easy and secure access to the network from any device, with a simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.

Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "MyDevices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more

Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.

Flow:
1. A user tries to connect to the network using a personal device.
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration.
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy.
4. Now that the device has been registered, the user is allowed access to the network.
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot
Simple self-registration
Role-based access with employee sponsorship
Guest
Guest
GuestSponsor
Internet
Internet
Internet and Network
Slide 31

Guest lifecycle management: Hotspot

Feature highlight: immediate uncredentialed access with Hotspot
1. The user associates to an open SSID.
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After accepting the acceptable use policy (AUP), the user is allowed onto the network.
4. At the end of the day the user is kicked off the network (day ends).

Guest access made easy. Capabilities:
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (the portal screenshot shows a "Secret code" field with the example value "chemist")

Because a hotspot guest is never authenticated, the authorization profile it lands in should be Internet-only (dACL or SGT), and the endpoint's guest registration should expire at the end of the day as shown so that the AUP has to be accepted again.
Slide 32

Guest lifecycle management: self-registration

Feature highlight: simple and flexible guest self-registration
1. The guest is redirected to a captive portal for self-registration.
2. After the guest fills in the registration request, ISE sends the credentials via SMS.
3. The guest enters the credentials.
4. The guest is allowed onto the network.

A flexible, efficient and scalable solution that fits all your needs. Capabilities:
• Flexible flows, including self-registration with sponsor approval
• Multiple methods for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits, account expiration and renewals
Slide 33

Endpoint compliance: rest assured that ISE is keeping track

[Figure: per-endpoint compliance checklist (OS patches, AV installed, registered, custom criteria) with a vulnerable endpoint flagged]

EMM integrations: identify the device, check posture, ensure policy compliance, quarantine non-compliant devices.
Slide 34

Endpoint compliance: posture assessment

Enforce endpoint compliance before allowing access to the network:
1. Authenticate: the user and the endpoint are authenticated; posture is Unknown or Non-compliant.
2. Quarantine: the endpoint receives a restricted authorization (dVLAN, dACL or SGT) that only reaches what it needs for assessment.
3. Posture assessment: OS and hotfix level, AV/AS, personal firewall and more are checked by the agent.
4. Remediate: WSUS, launching an application, scripts, etc.
5. Posture = Compliant.
6. Authorize: permit access via a dACL, dVLAN, SGT, etc.

The quarantine authorization in step 2 must still permit DHCP, DNS, the ISE policy service node (for the agent and the redirect portal) and the remediation servers used in step 4; otherwise the endpoint can never report back as compliant.

Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts (in Audit mode the result is recorded but does not change access)
• Ability to build granular rules for checking many conditions
• Supports periodic reassessment and automatic remediation
Slide 35

Desktop posture enhancements: are my desktop endpoints compliant?

ISE 2.0 highlights
• File check enhancements: enhanced OS X file checks, SHA-256 and plist checks on OS X, Windows user directories such as "Desktop" and "User Profile"
• OS X daemon check, user-agent check, user-based process check
• Disk encryption check: checks can be based on installation location and disk encryption state
• Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36

File checks (posture enhancements): on OS X, file checks are the counterpart of registry checks on Windows. Requires ISE 2.0 with AnyConnect 4.2.
Slide 37

Posture enhancements: OS X daemon check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user).
• A user agent is a process that runs in the background on behalf of a particular user.
• ISE 2.0 can check for user agents as well as daemons.
Slide 38

Disk encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch management checks.
• The administrator imports the new disk encryption support chart from the update server.
• Checks can be based on the installation of a specified disk encryption application and on the disk encryption state.
Slide 39: Windows ISE posture, disk encryption (screenshot)

Slide 40: Windows ISE posture, native patch management via OPSWAT (screenshot)

Slide 41: ISE posture, patch management, Windows OS example (screenshot). The support chart lists product name and version; "Install" is supported for all products, "Enabled" and "Up to Date" checks are optional per product, and each row gives the minimum version of the compliance module that provides support.

Slide 42: ISE posture, patch management, Mac OS example (screenshot)
Patch Management Remediationbull Remediation type ndash same as AV and AS remediation
bull Operation System ndashWindows only supported
bull Vendor Name ndash List is loaded from the OPSWAT update
bull Remediation optionsbull Enabledbull Install missing patchesbull Activate patch management
software GUI
bull Product list is updated according to selected vendor and Remediation option Product can be selected only if supported for related option
Slide 44

Endpoint compliance: Mobile Device Management integration

Posture and compliance assessment for mobile devices. Capabilities:
• Allows multi-vendor MDM integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available as policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)

Flow: (1) the device registers with ISE and (2) is allowed Internet access, enough to reach the MDM; (3) the device enrolls with the MDM and (4) once the MDM reports it compliant, ISE allows corporate access.
Slide 45

Streamline management using a single workspace

Capabilities
• New TrustSec administrator console and services: TrustSec dashboard, matrix overhaul, automatic SGT creation, ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation, search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced, improved filtering for live log and reports

Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified, streamlined deployment, troubleshooting and monitoring, with an intuitive work center and access policy matrix.

Benefits
• Simplify management with a dedicated work center that lets you visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface

[Figure: TrustSec Work Center access policy matrix. Source SGTs (rows): Guest, Contractor, Employee, Infected. Destination SGTs (columns): Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell holds Permit IP or Deny IP.]
Slide 46

High OPEX: security policy maintenance with traditional ACL/firewall rules

Adding a source object or a destination object means adding rules for every combination. The ACL for the four source sites and three production servers (plus VDI) already reads:
permit NY to SRV1 for HTTPS
deny NY to SAP1 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SCM2 for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

Sources: NY, SF, LA and SJC, each expanded in the slide into a list of /24 subnets. Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI), grouped as production servers.

A global bank currently dedicates 24 global resources to managing firewall rules. The task stays complex and the OPEX stays high.
Slide 47

Low OPEX: security policy maintenance with security group filtering

The same intent expressed against security groups instead of addresses:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), covering DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2); VDI (201), covering DC-RTP (VDI). Users in NY, SF, LA and SJC are classified as Employee or BYOD when they authenticate, so the policy stays with users and servers regardless of location or topology.

Result: a simpler auditing process (low OPEX cost) and simpler security operations (resource optimization); the bank now estimates 6 global resources instead of 24. Clear ROI in OPEX.
Slide 48

Policy and segmentation with VLANs

[Figure: access layer and aggregation layer with Voice, Data, Suppliers, Guest and Quarantine VLANs]

Simple segmentation needs 2 VLANs; more policies mean more VLANs, and each VLAN brings addressing, a DHCP scope, redundancy, routing and static filtering. The design has to be replicated for every floor, building, office and other facility, so the cost can be extremely high.
Slide 49

Segmentation with security groups

[Figure: the same access and aggregation layers plus a data center firewall; Voice, Data, Suppliers, Guest and Quarantine are carried as Data, Supplier, Guest and Quarantine tags]

The initial VLAN/subnet design is retained. Regardless of topology or location, the policy (the Security Group Tag) stays with users, devices and servers.
Slide 50

Enforce business-role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
• Give the right people on the right devices the right access to the right resources with TrustSec

[Figure: three sessions classified by context (Who / What / Where): Guest on an iPad in the office, Receptionist on an iPad in the office, Doctor on a laptop in the office; resources: Internet, Internal Employee Intranet, Confidential Patient Records]
Slide 51

"Effective network segmentation ... restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)
Slide 52

[Figure: a wall of hundreds of traditional "access-list 102 permit/deny ..." lines keyed on IP addresses, wildcard masks and port ranges, shown beside the short TrustSec security policy of slide 47; the addresses in the extracted text are garbled and are not reproduced here]

Traditional security policy versus TrustSec security policy: security control automation, simplified access management, improved security efficacy.

Flexible and scalable policy enforcement across the network fabric: switch, router, wireless, DC firewall, DC switch. Software-defined segmentation.
Slide 53

Centralized Control. Deeper Visibility. Superior Protection.

Slide 54

https://www.youtube.com/watch?v=CMsp8WiBxzM

Slide 55

https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56

ISE is the cornerstone of your Cisco solutions: it supplies the who, what, where, when and how context before, during and after an attack to NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, the FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.
Slide 57

And easily integrates with partner solutions: the ISE pxGrid controller shares the who, what, where, when and how context with Cisco Meraki and with partner products in the SIEM, EMM/MDM, firewall, vulnerability assessment, threat defense, IoT, IAM/SSO, PCAP, web security, CASB and performance management categories.
Slide 58

Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data

ISE, the Cisco network, the pxGrid controller and the Cisco and partner ecosystem exchange the who, what, where, when and how context:
1. ISE collects contextual data from the network.
2. Context is shared via pxGrid technology.
3. Partners use the context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Slide 59

Telemetry sharing using pxGrid with the Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)

Feature highlight: enhance web access policy with user and device awareness. The Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.

Capabilities
• Integrate with the Cisco Web Security Appliance to control who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec security groups for policy classification abstraction and ease of operations

Benefits
• Simplified administration: a single source of identity and contextual data; using TrustSec security groups for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access web resources

[Figure: three sessions (Doctor on a laptop, Doctor on an iPad, Guest on an iPad, all in the office) reach Confidential Patient Records or the Employee Intranet through the WSA according to the context supplied by ISE]
Slide 60

Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)

Feature highlight: automatically defend against threats with FMC and ISE. The FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the FireSIGHT and ISE integration

Flow
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file (detect threats early: FireSIGHT scans activity and publishes events to pxGrid).
3. FMC detects a suspicious file and, over pxGrid, asks ISE to quarantine the endpoint; ISE applies its Adaptive Network Control (ANC) quarantine policy to the session, and the authorization policy maps that state to the suspicious/quarantine Security Group Tag (SGT).
4. Based on the new tag, ISE automatically enforces policy on the network through a Change of Authorization: the device is contained for remediation or mitigation and access is denied per security policy.

Benefits: automate threat defense by leveraging ISE ANC to alert the network of suspicious activity according to policy, and leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Slide 61

FireSIGHT Management Center: the registered FMC pxGrid client is visible in ISE under Administration > pxGrid Services.

Slide 62

FireSIGHT Management Center: create a pxGrid mitigation action under Policies > Actions > Remediations > Modules > pxGrid remediation, based on the mitigation source. Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate.
Slide 63

Network as a Sensor: see how endpoints act on the network with better visibility. Components: Cisco ISE, the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch.

Slide 64

Network as an Enforcer: make visibility actionable through segmentation and automation. Components: Cisco ISE, the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco TrustSec software-defined segmentation.

[Figure: the network divided into Admin, Enterprise, POS, Vendor, Employee and Dev zones]
Slide 65

TACACS+ device administration: simplify security management with role-based access

Feature highlight: customers can now use TACACS+ with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

Benefits
• Simplified, centralized device administration: increased security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

[Figure: the security admin team and the network admin team each work in the TACACS+ Work Center; TACACS+ device administration support is new in ISE 2.0]
Slide 66

The Device Admin Service is not enabled by default: it has to be switched on per policy service node (Administration > System > Deployment, edit the node and enable the Device Admin Service), and it is licensed separately from the network access services.

Slide 67

Some device admin best practices
• Different policy sets for Cisco IOS than for AireOS wireless LAN controllers
• Different policy sets for security appliances than for routers
• Different policy sets for the ASA
• Differentiate based on the location of the device
Use network device groups (NDGs) to express these distinctions, so that the policy set is selected by the device's type and location rather than per individual device.

Slide 68

Use policy sets based on device type: one for Cisco IOS switches, one for Airespace (AireOS) WLCs.
Slide 69: example policy set for wireless LAN controllers (screenshot)

Slide 70: example policy set for Cisco IOS (screenshot)
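The best practices on slides 67 and 68 (policy sets per device type and location, selected through NDGs, with command-level authorization) are easier to reason about with a small model in front of you. The following is an added example in Python, not Cisco code and not what ISE runs internally. It uses a simplified reading of ISE 2.0 command-set semantics, stated here as an assumption: a "Deny Always" row wins outright, otherwise the first matching row decides, and a command matching no row is permitted only when the set's "permit any command that is not listed" option is on. Device names, NDG values, team names and the command sets are all constructed for the example.

```python
"""Added example (not Cisco code): select a device-admin policy set by network
device group (NDG) and evaluate a TACACS+ command set. Semantics are a
simplified model (assumption): DENY_ALWAYS wins, otherwise first match decides,
unlisted commands permitted only when permit_unlisted is set."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ndg_type: str        # NDG "Device Type": Cisco IOS | Airespace WLC | ASA
    ndg_location: str    # NDG "Location": HQ | Branch


@dataclass(frozen=True)
class CmdRule:
    grant: str             # PERMIT | DENY | DENY_ALWAYS
    command: str           # command keyword; "*" matches any command
    arguments: str = ".*"  # regex that must match the whole argument string


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: tuple
    permit_unlisted: bool = False


def evaluate(cmdset, line):
    """Authorize one command line against a command set."""
    parts = line.strip().split(None, 1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    first = None
    for r in cmdset.rules:
        if r.command not in ("*", cmd) or not re.fullmatch(r.arguments, args):
            continue
        if r.grant == "DENY_ALWAYS":
            return False                      # overrides any permit row
        if first is None:
            first = r.grant                   # first matching row decides
    return first == "PERMIT" if first is not None else cmdset.permit_unlisted


IOS_NETOPS = CommandSet("IOS-NetOps", (
    CmdRule("DENY_ALWAYS", "username"),           # no local accounts via TACACS+
    CmdRule("DENY_ALWAYS", "no", r"aaa.*"),       # cannot strip the AAA config
    CmdRule("PERMIT", "show"),
    CmdRule("PERMIT", "configure", "terminal"),
    CmdRule("PERMIT", "interface"),
    CmdRule("PERMIT", "*"),                       # everything else for NetOps
))
IOS_HELPDESK = CommandSet("IOS-HelpDesk", (
    CmdRule("PERMIT", "show", r"(?!running-config).*"),  # show, but not the config
    CmdRule("PERMIT", "ping"),
))
WLC_NETOPS = CommandSet("WLC-NetOps", (CmdRule("PERMIT", "*"),))

# Policy sets: the first whose NDG condition matches the device is used.
# Branch switches get read-only command sets even for NetOps (location-based).
POLICY_SETS = (
    ("Branch-IOS", lambda d: d.ndg_type == "Cisco IOS" and d.ndg_location == "Branch",
     {"NetOps": IOS_HELPDESK, "HelpDesk": IOS_HELPDESK}),
    ("HQ-IOS", lambda d: d.ndg_type == "Cisco IOS",
     {"NetOps": IOS_NETOPS, "HelpDesk": IOS_HELPDESK}),
    ("WLC", lambda d: d.ndg_type == "Airespace WLC",
     {"NetOps": WLC_NETOPS}),
)


def select_policy_set(device):
    for name, cond, teams in POLICY_SETS:
        if cond(device):
            return name, teams
    return "Default", {}            # no policy set: nothing is authorized


def authorize_command(device, team, line):
    """True if a member of `team` may run `line` on `device`."""
    _, teams = select_policy_set(device)
    cmdset = teams.get(team)
    return evaluate(cmdset, line) if cmdset else False


# Constructed sample devices.
SW_HQ = Device("sw-hq-1", "Cisco IOS", "HQ")
SW_BRANCH = Device("sw-br-1", "Cisco IOS", "Branch")
WLC_HQ = Device("wlc-1", "Airespace WLC", "HQ")
ASA_HQ = Device("asa-1", "ASA", "HQ")

if __name__ == "__main__":
    for dev, team, line in [(SW_HQ, "NetOps", "username backdoor privilege 15 secret x"),
                            (SW_HQ, "HelpDesk", "show running-config"),
                            (SW_BRANCH, "NetOps", "configure terminal"),
                            (WLC_HQ, "NetOps", "show wlan summary"),
                            (ASA_HQ, "NetOps", "show version")]:
        print(f"{dev.name:8s} {team:8s} {line!r}: {authorize_command(dev, team, line)}")
```

Two details matter for a real deployment: the ASA device above is denied everything because no policy set claims its NDG, which is the safe default the slides' "different policy set for ASA" advice implies, and the argument regex is anchored with fullmatch, so a rule written for `show` cannot be bypassed by appending extra tokens.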
Slide 71

ISE services now available for non-Cisco network access devices

Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same security across more devices.

Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection that work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: 802.1X has been supported since ISE 1.0; Profiling, Posture, Guest and BYOD are new with ISE 2.0. For additional information refer to the Cisco Compatibility Matrix.
Slide 72

Network device profiles: ready-to-use third-party packages. Create new profiles from scratch or duplicate existing ones; import/export simplifies sharing of custom profiles.
Slide 73

Don't just take it from us
• Recognized as a Leader four years in a row: Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
• "Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
• Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
• A Champion in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Slide 74

Live Demo
Slide 8

EAP Chaining Explained

Participants: supplicant, switch, RADIUS server (ISE). EAP chaining runs machine and user authentication inside one EAP-FASTv2 tunnel, with a Protected Access Credential (PAC) carried from the first phase into the second:

Phase 1, machine boots
Supplicant -> switch: EAPOL-Start
Switch -> ISE: RADIUS Access-Request [EAP-Tunnel=FAST]
ISE -> supplicant: RADIUS Access-Challenge [EAP-TLV="Machine"] (EAP Request TLV)
Supplicant -> ISE: EAP-Response TLV="Machine", carried in RADIUS Access-Request [EAP-TLV="Machine"] [EAP-ID=Corp-Win7-1]
ISE -> switch: RADIUS Access-Accept, EAP Success; a PAC is issued to the supplicant

Phase 2, user login
Supplicant -> switch: EAPOL-Start
Switch -> ISE: RADIUS Access-Request [EAP-Tunnel=FAST] (the supplicant presents the PAC from phase 1)
ISE -> supplicant: RADIUS Access-Challenge [EAP-TLV="Machine"] (EAP Request TLV)
Supplicant -> ISE: EAP-Response TLV="User", carried in RADIUS Access-Request [EAP-TLV="User"] [EAP-ID=Employee1]
ISE -> switch: RADIUS Access-Accept, EAP Success, PAC

Because the machine's PAC is presented during the user phase, ISE knows that this user is logging in from a corporate machine (EapChainingResult = "User and machine both succeeded") rather than from a personal device with cached domain credentials.

• EAP-TEAP (Tunnel EAP, RFC 7170) is the IETF standard next-generation EAP method and supports EAP chaining.
• Cisco AnyConnect NAM 3.1 is the only supplicant supporting EAP chaining today (EAP-FASTv2).
• Cisco Identity Services Engine supports EAP chaining from software version 1.1.1.
• PAC: Protected Access Credential
Slide 9

User + machine policy: combined user identity + machine identity (EAP chaining)

[Figure: authorization decision tree with the nodes Machine?, Workstation_Corp?, User?, Employee?, Registered/Guest and I-Device, and the outcomes Permit Access (Employee + WS_Corp), AD Login / VDI Access (machine only), Internet Only and Access-Reject]

Reading the tree: a session that chains a machine in Workstation_Corp with an Employee user gets Permit Access; a machine-only session (no user logged in yet) gets enough access for AD login and VDI; a user-only Employee session is limited to Internet Only, and only from a registered device (e.g. an iDevice) or as a registered guest; everything else is Access-Reject.
Slide 10

NIPR/SIPR cross-domain violations

[Figure: the same decision tree applied to classification domains: a CLASSIFIED machine with an Employee user in WS_Corp gets Permit Access; an approved visitor gets Internet Only; a user credential from one domain (UNCLASS) chained with a machine from the other gets Access-Reject]

On a violation a syslog message is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
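The decision trees on slides 9 and 10, together with the posture flow of slide 34 (authenticate, quarantine until compliant, then permit), reduce to an ordered, first-match rule list. Here is an added example in Python that models such a list; it is not Cisco code and not ISE's policy engine. Rule names, group names, authorization profile names and the UNCLASS/CLASSIFIED domain labels are assumptions made for the example; the chaining result strings are the values ISE exposes as NetworkAccess:EapChainingResult.

```python
"""Added example (not Cisco code): first-match authorization combining the
EAP-chaining result (machine + user identity) with posture status and a
cross-domain check. Rule, group, profile and domain names are assumptions."""
import logging
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("ise.authz")

# Values ISE exposes as NetworkAccess:EapChainingResult
BOTH = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"


@dataclass(frozen=True)
class Session:
    chaining: str
    user: str = ""
    user_groups: frozenset = frozenset()
    machine: str = ""
    machine_groups: frozenset = frozenset()
    posture: str = "Unknown"       # Unknown | NonCompliant | Compliant
    registered: bool = False       # endpoint is in RegisteredDevices (BYOD)
    user_domain: str = "UNCLASS"
    machine_domain: str = "UNCLASS"


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str                   # authorization profile returned on match
    alert: bool = False            # emit a syslog-style warning on match


def corp_machine(s):
    return s.chaining in (BOTH, MACHINE_ONLY) and "WS_Corp" in s.machine_groups


def employee(s):
    return s.chaining in (BOTH, USER_ONLY) and "Employee" in s.user_groups


RULES = (
    # A user credential from one domain chained with a machine from the other
    # is rejected and logged with both credentials for the security admin.
    Rule("Cross-Domain-Violation",
         lambda s: s.chaining == BOTH and s.user_domain != s.machine_domain,
         "Access-Reject", alert=True),
    Rule("Corp-Compliant",
         lambda s: corp_machine(s) and employee(s) and s.posture == "Compliant",
         "PermitAccess"),
    # Same identities with posture Unknown/NonCompliant: quarantine and redirect
    # to the posture agent. That profile must still allow DHCP, DNS, the ISE PSN
    # and the remediation servers, or the endpoint can never become compliant.
    Rule("Corp-Posture-Pending",
         lambda s: corp_machine(s) and employee(s),
         "Quarantine-Posture-Redirect"),
    # Machine authenticated, nobody logged in yet: enough for AD login and VDI.
    Rule("Machine-Only",
         lambda s: corp_machine(s) and s.chaining == MACHINE_ONLY,
         "AD-Login-VDI-Only"),
    # Employee on a personal device that completed BYOD registration.
    Rule("Employee-Registered-BYOD",
         lambda s: employee(s) and s.registered,
         "Internet-Only"),
)
DEFAULT = Rule("Default", lambda s: True, "Access-Reject")


def authorize(s):
    """Return (rule name, authorization profile) for the first matching rule."""
    for rule in RULES + (DEFAULT,):
        if rule.condition(s):
            if rule.alert:
                log.warning("%s user=%s(%s) machine=%s(%s)", rule.name,
                            s.user, s.user_domain, s.machine, s.machine_domain)
            return rule.name, rule.profile


if __name__ == "__main__":
    emp, ws = frozenset({"Employee"}), frozenset({"WS_Corp"})
    print(authorize(Session(BOTH, "alice", emp, "corp-win7-1$", ws, posture="Compliant")))
    print(authorize(Session(BOTH, "alice", emp, "corp-win7-1$", ws)))
    print(authorize(Session(MACHINE_ONLY, machine="corp-win7-1$", machine_groups=ws)))
    print(authorize(Session(USER_ONLY, "alice", emp, registered=True)))
    print(authorize(Session(USER_ONLY, "alice", emp)))
    print(authorize(Session(BOTH, "alice", emp, "sipr-ws-7", ws, machine_domain="CLASSIFIED")))
```

Rule order is the whole point: the cross-domain check sits first so that a fully chained, compliant session can never be permitted by the rule below it, and the compliant rule sits above the posture-pending rule that shares its identity conditions. The same ordering discipline applies when these rules are entered in the ISE authorization policy.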
Slide 11

Real networks can't live on 802.1X alone

[Figure: two 802.1X-enabled switchports. On the first, a managed asset passes 802.1X (EAPoL) and goes on to DHCP, TFTP, Kerberos and HTTP. On the second, an employee with a bad credential, a guest and a rogue device all stay unauthenticated: their DHCP, TFTP, Kerberos and HTTP traffic never gets through because they cannot complete EAPoL.]
Slide 12

Building your MAB database: profiling tools are evolving

Profile conditions example: probe-gathered information is combined into a profile.
MAC OUI = Lexmark + DHCP Class Identifier contains "E260dn" => profiled as a Lexmark E260dn printer

ISE probes used here: SNMP probe, DHCP probe, HTTP probe, DNS probe.

Slide 13

Building your MAB database: profiling tools are evolving

With Device Sensor (IOS 15.0(1)SE1 and later) the switch collects CDP, LLDP, DHCP and MAC attributes locally and forwards them to ISE in RADIUS accounting, so the RADIUS probe alone replaces several separate probes; the switch's Device Classifier can act on the same data. Supported from ISE 1.1.
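The profile condition on slide 12 (OUI plus a DHCP class identifier yields "Lexmark E260dn") is one instance of how ISE combines probe attributes. The following is an added example in Python, not Cisco code and not ISE's profiler: each rule contributes a certainty factor when its attribute condition matches, a profile is assigned once the summed certainty reaches the profile's minimum, and a child profile can only match if its parent matched. The OUI table, certainty values and sample endpoints are constructed for this example; real OUI prefixes should be checked against the IEEE registry.

```python
"""Added example (not Cisco code): a toy model of probe-based endpoint
profiling with certainty factors and a parent/child profile hierarchy.
OUI table, certainty values and sample endpoints are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative OUI prefixes; verify real ones against the IEEE registry.
OUI = {"00:20:00": "Lexmark", "3C:07:54": "Apple", "00:50:56": "VMware"}


@dataclass(frozen=True)
class Rule:
    attribute: str                # probe-gathered attribute name
    test: Callable[[str], bool]   # condition on the attribute value
    certainty: int                # certainty factor added when it holds


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int
    rules: tuple
    parent: Optional[str] = None


PROFILES = {p.name: p for p in [
    Profile("Lexmark-Device", 10, (Rule("OUI", lambda v: v == "Lexmark", 10),)),
    Profile("Lexmark-E260dn", 20,
            (Rule("dhcp-class-identifier", lambda v: "E260dn" in v, 20),),
            parent="Lexmark-Device"),
    Profile("Apple-Device", 10, (Rule("OUI", lambda v: v == "Apple", 10),)),
    Profile("Apple-iPad", 20, (Rule("User-Agent", lambda v: "iPad" in v, 20),),
            parent="Apple-Device"),
]}


def depth(name):
    """Number of ancestors of a profile (0 for a top-level profile)."""
    d, p = 0, PROFILES[name].parent
    while p:
        d, p = d + 1, PROFILES[p].parent
    return d


def score(profile, attrs):
    return sum(r.certainty for r in profile.rules
               if r.attribute in attrs and r.test(attrs[r.attribute]))


def classify(endpoint):
    """Return the most specific profile whose threshold is met, else 'Unknown'."""
    attrs = dict(endpoint)
    attrs["OUI"] = OUI.get(attrs["MACAddress"].upper()[:8], "unknown")
    matched = set()
    for name in sorted(PROFILES, key=depth):        # parents before children
        p = PROFILES[name]
        if p.parent and p.parent not in matched:    # child needs its parent
            continue
        if score(p, attrs) >= p.min_certainty:
            matched.add(name)
    return max(matched, key=depth) if matched else "Unknown"


# Constructed probe data, as the RADIUS/DHCP/HTTP probes would collect it.
PRINTER = {"MACAddress": "00:20:00:aa:bb:cc",
           "dhcp-class-identifier": "Lexmark E260dn"}
IPAD = {"MACAddress": "3c:07:54:11:22:33",
        "User-Agent": "Mozilla/5.0 (iPad; CPU OS 9_2 like Mac OS X)"}
APPLE_NO_HTTP = {"MACAddress": "3c:07:54:44:55:66"}
# A VM claiming to be the printer through DHCP option 60 alone: the child rule
# matches, but the parent (OUI) does not, so it is not profiled as a Lexmark.
SPOOFED = {"MACAddress": "00:50:56:de:ad:01",
           "dhcp-class-identifier": "Lexmark E260dn"}

if __name__ == "__main__":
    for label, ep in [("printer", PRINTER), ("ipad", IPAD),
                      ("apple", APPLE_NO_HTTP), ("spoofed", SPOOFED)]:
        print(f"{label:8s} -> {classify(ep)}")
```

The spoofed case is the caveat that matters when profiling feeds a MAB authorization rule: profiling is classification, not authentication. An attacker who clones both the MAC address and the DHCP string is indistinguishable from the printer, so an authorization profile granted to a profiled device should be as narrow as the device's job (printer VLAN or SGT with a tight SGACL), never full employee access.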
Slide 14

DoD CAC capable for administration too: Common Access Card (certificate) login for TACACS+ CLI access and for the ISE Admin UI (sponsor portal login coming soon).
Works with any RADIUS-compliant device
Aruba with ISE configuration guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness: make fully informed decisions with rich contextual awareness
Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless
Result: the right user on the right device from the right place is granted the right access
Poor context awareness
Who: an IP address only (192168151 as extracted; dots lost); What: Unknown; Where: Unknown; When: Unknown; How: Unknown
Result: any user, any device, anywhere gets on the network
Better Visibility: revamped the Endpoints Identity page (clicking the filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: color coded + condensed
Enhance control with location-based authorization
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Feature Highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of the location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
[Figure: a doctor's access to patient data by location: Lobby: no access; Patient room: access; Lab: no access; ER: access]
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE: "I have location data" (Campus / Building / Floor / Zone)
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE Location Equals LND_Campus1 Building1 Floor2 SecureZone (campus, building, floor, zone)
• + 150 TPS (transactions per second)
• Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address. ISE queries the endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location is received, the collection is updated with the new info and CoA is invoked on the session.
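The "How it works" bullets above describe two pieces: a rule written against a node of the location hierarchy, and a periodic re-check that issues a CoA when an endpoint has moved. The block below is an added example, not ISE or MSE code, that implements both: rules match any endpoint at or below their hierarchy node (the deepest covering rule wins, an assumption of this example), and a tracker re-queries a location callback per session on a 300 s interval standing in for the slide's "about every 5 minutes". The hierarchy names follow the slide; the callback and the sessions are constructed.

```python
"""Location-based authorization with periodic movement tracking (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Location = Tuple[str, ...]   # e.g. ("LND_Campus1", "Building1", "Floor2", "SecureZone")


def parse_location(text: str) -> Location:
    """'LND_Campus1/Building1/Floor2/SecureZone' -> hierarchy tuple (separator assumed)."""
    return tuple(part for part in text.split("/") if part)


def within(rule_node: Location, endpoint_loc: Location) -> bool:
    """True when the endpoint is at or below the rule's hierarchy node (prefix match)."""
    return endpoint_loc[:len(rule_node)] == rule_node


@dataclass(frozen=True)
class LocationRule:
    node: Location
    profile: str                 # authorization profile applied when the rule matches


RULES = [
    LocationRule(parse_location("LND_Campus1/Building1/Floor2/SecureZone"), "SecureZone_Access"),
    LocationRule(parse_location("LND_Campus1/Building1"), "Building_Access"),
    LocationRule(parse_location("LND_Campus1"), "Internet_Only"),
]


def authorize(rules: List[LocationRule], loc: Location, default: str = "Deny") -> str:
    """The most specific (deepest) covering rule decides; no covering rule -> default."""
    covering = [r for r in rules if within(r.node, loc)]
    if not covering:
        return default
    return max(covering, key=lambda r: len(r.node)).profile


@dataclass
class Session:
    mac: str
    user: str
    location: Location
    profile: str
    last_check: float            # seconds; when the location was last verified


class LocationTracker:
    def __init__(self, rules: List[LocationRule], interval_s: float = 300.0):
        self.rules, self.interval = rules, interval_s
        self.sessions: Dict[str, Session] = {}

    def start(self, mac: str, user: str, loc: Location, now: float) -> Session:
        s = Session(mac, user, loc, authorize(self.rules, loc), now)
        self.sessions[mac] = s
        return s

    def poll(self, now: float, lookup: Callable[[str], Optional[Location]]) -> List[str]:
        """Re-check every session whose interval has elapsed; return the CoA events issued."""
        events: List[str] = []
        for s in self.sessions.values():
            if now - s.last_check < self.interval:
                continue                         # not due yet
            s.last_check = now
            new_loc = lookup(s.mac)
            if new_loc is None or new_loc == s.location:
                continue                         # no change (or no fix): do nothing
            s.location = new_loc                 # update the collection ...
            s.profile = authorize(self.rules, new_loc)
            events.append(f"CoA mac={s.mac} user={s.user} profile={s.profile}")  # ... and reauthorize
        return events


if __name__ == "__main__":
    tracker = LocationTracker(RULES)
    doc = tracker.start("aa:bb:cc:dd:ee:01", "dr_smith",
                        parse_location("LND_Campus1/Building1/Floor2/SecureZone"), now=0.0)
    print(doc.profile)
    print(tracker.poll(301.0, lambda mac: parse_location("LND_Campus1/Lobby")))
```

Two details matter operationally: a lookup that returns no fix leaves the session as it is rather than downgrading it, and the CoA carries the re-evaluated profile so the network device re-authorizes once rather than round-tripping twice.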
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network
Secure access from any location, regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
[Diagram: Wired, Wireless, VPN, Branch, Headquarters, Remote User, Enterprise Mobility, Partner, Contractor/Guest, Admin]
Enable faster and easier device onboarding without any IT support
[Diagram: Employee, Device Profiling, IT Staff; resources: Internal Employee Intranet, www, Confidential HR Records]
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
Better security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Effectively design, manage and control BYOD access:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Hotspot: immediate uncredentialed Internet access (Guest: Internet)
Simple self-registration (Guest: Internet)
Role-based access with employee sponsorship (Guest + Sponsor: Internet and Network)
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate uncredentialed access with Hotspot; guest access made easy
1. User associates to an open SSID
2. User tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (secret code "chemist" in the portal screenshot)
Guest Lifecycle Management: Self Registration
Feature Highlight: simple and flexible guest self-registration; a flexible, efficient and scalable solution that fits all your needs
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
EMM integrations; identifies the device; checks posture; ensures policy compliance; quarantines non-compliant devices
[Figure: compliance checklist of OS patches, AV installed, Registered, Custom criteria; a device failing the checks is marked Vulnerable]
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, hotfix, AV, AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc.; Posture = Compliant
5. Authorize: Permit Access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 highlights and descriptions:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: user agent check, user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements (ISE 2.0, AnyConnect 4.2)
OS X: similar to the registry check on Windows
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state
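The posture flow (authenticate, quarantine, assess, remediate, authorize) and the three check types described above (file checks with SHA-256, daemon/user-agent process checks, disk encryption state) come together in the block below. It is an added example, not the AnyConnect or ISE posture engine: each check is a small predicate, and the assessment applies the Mandatory, Optional and Audit modes so that only a Mandatory failure makes the endpoint Non-compliant. The process list and the encryption state are constructed inputs that a real agent would collect from the endpoint.

```python
"""Posture checks and posture modes (added example, not the ISE posture engine)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Context = Dict[str, object]      # what the agent collected: processes, encryption state


@dataclass(frozen=True)
class Requirement:
    name: str
    mode: str                    # "Mandatory", "Optional" or "Audit"
    check: Callable[[Context], bool]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hash_check(path: str, expected_sha256: str) -> Callable[[Context], bool]:
    """File check: the file must exist and hash to the expected SHA-256."""
    return lambda ctx: os.path.isfile(path) and sha256_of(path) == expected_sha256


def daemon_running(name: str) -> Callable[[Context], bool]:
    """Daemon / user-agent check against the collected process list."""
    return lambda ctx: name in ctx.get("processes", [])


def disk_encrypted() -> Callable[[Context], bool]:
    """Disk encryption state check (state value is constructed for the example)."""
    return lambda ctx: ctx.get("disk_encryption", {}).get("state") == "encrypted"


def assess(reqs: List[Requirement], ctx: Context) -> Tuple[str, List[Tuple[str, str, bool]]]:
    """Mandatory failures make the endpoint Non-compliant; Optional and Audit
    failures are recorded in the results but do not block access."""
    results = [(r.name, r.mode, r.check(ctx)) for r in reqs]
    compliant = all(ok for _, mode, ok in results if mode == "Mandatory")
    return ("Compliant" if compliant else "Non-compliant"), results


def demo() -> Dict[str, str]:
    """Create a temp file, then evaluate the same failing check under each mode."""
    out: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        agent_cfg = os.path.join(d, "agent.conf")          # constructed file
        with open(agent_cfg, "wb") as f:
            f.write(b"approved configuration\n")
        golden = sha256_of(agent_cfg)                       # the known-good hash
        ctx: Context = {"processes": ["launchd", "corp-agentd"],
                        "disk_encryption": {"product": "FileVault", "state": "encrypted"}}
        base = [Requirement("agent config unmodified", "Mandatory", file_hash_check(agent_cfg, golden)),
                Requirement("corp-agentd daemon running", "Mandatory", daemon_running("corp-agentd")),
                Requirement("disk encrypted", "Mandatory", disk_encrypted())]
        out["clean"] = assess(base, ctx)[0]
        with open(agent_cfg, "ab") as f:                    # tamper: the hash check now fails
            f.write(b"# injected\n")
        out["tampered_mandatory"] = assess(base, ctx)[0]
        relaxed = [Requirement(r.name, "Optional" if "config" in r.name else r.mode, r.check)
                   for r in base]
        out["tampered_optional"] = assess(relaxed, ctx)[0]
        audit = [Requirement(r.name, "Audit", r.check) for r in base]
        out["tampered_audit"] = assess(audit, {"processes": [], "disk_encryption": {"state": "off"}})[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Audit mode is the rollout tool: the same requirements run and their results are logged, but nothing is quarantined, which gives a baseline of how many endpoints would fail before the requirement is switched to Mandatory.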
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS example (product name and version)
Install is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"
Minimum version of the compliance module that provides support
ISE Posture: Patch Management, Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device action from ISE and from the My Devices portal (device stolen, wipe corporate data)
[Flow: register with ISE, allow Internet access; register with MDM, allow corporate access]
Streamline management using a single workspace: intuitive work center and access policy matrix
Feature Highlight: the TrustSec Work Center provides an updated user experience, allowing simplified and streamlined deployment, troubleshooting and monitoring
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation, with TrustSec's new user interface
Automate configuration of new SGT policies and authorization rules
[Access policy matrix: source SGTs Guest, Contractor, Employee, Infected; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell is Permit IP or Deny IP]
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: sources NY, SF, LA, SJC (each a list of subnets; the NY subnet list in the slide is unreadable after extraction) to destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (production servers) and DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to manage firewall rules.
Complex task and high OPEX continues.
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201). Same sites (NY, SF, LA, SJC) and servers (DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)) as before.
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization): e.g. the bank now estimates 6 global resources
Clear ROI in OPEX
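The two slides above contrast an address-based rule set that grows with every site and server object against six security-group lines that need only the tags carried with the session. The block below is an added example, not TrustSec code: it parses the six slide lines into per-cell SGACLs keyed by (source SGT, destination SGT), answers permit/deny for a packet, and counts rules under both models. The SGT numbers are the slide's; the TCP port for SQL (1433), the other service ports and the per-cell "deny" default for unmatched traffic are assumptions of this example.

```python
"""Security-group (SGT) policy lookup vs. address-based rules (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}   # from the slide
# Service to (protocol, port); the SQL port is an assumption (MS SQL).
SERVICE_PORT = {"HTTPS": ("tcp", 443), "SQL": ("tcp", 1433), "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}

Cell = Tuple[int, int]          # (source SGT, destination SGT)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    port: Optional[int] = None  # None matches any destination port


def parse_policy(lines: List[str]) -> Dict[Cell, List[Ace]]:
    """Parse 'Permit <src> to <dst> [eq <service>]' lines into per-cell SGACLs."""
    matrix: Dict[Cell, List[Ace]] = {}
    for line in lines:
        words = line.split()
        action, src, dst = words[0].lower(), words[1], words[3]
        if len(words) == 6 and words[4] == "eq":
            proto, port = SERVICE_PORT[words[5]]
            ace = Ace(action, proto, port)
        else:
            ace = Ace(action, "ip")             # e.g. "Deny BYOD to Production_Servers"
        matrix.setdefault((SGT[src], SGT[dst]), []).append(ace)
    return matrix


SLIDE_POLICY = parse_policy([
    "Permit Employee to Production_Servers eq HTTPS",
    "Deny Employee to Production_Servers eq SQL",
    "Deny Employee to Production_Servers eq SSH",
    "Permit Employee to VDI eq RDP",
    "Deny BYOD to Production_Servers",
    "Permit BYOD to VDI eq RDP",
])


def decide(matrix: Dict[Cell, List[Ace]], src_sgt: int, dst_sgt: int,
           proto: str, port: int, cell_default: str = "deny") -> str:
    """First matching ACE in the cell wins; unmatched traffic gets the cell default."""
    for ace in matrix.get((src_sgt, dst_sgt), []):
        if ace.proto in ("ip", proto) and ace.port in (None, port):
            return ace.action
    return cell_default


def address_rule_count(src_sites: int, dst_objects: int, services_per_pair: int = 1) -> int:
    """Address-based policy: one line per (site, object, service) combination."""
    return src_sites * dst_objects * services_per_pair


def sgt_rule_count(matrix: Dict[Cell, List[Ace]]) -> int:
    """Tag-based policy: lines depend on roles, not on how many sites or servers exist."""
    return sum(len(aces) for aces in matrix.values())


if __name__ == "__main__":
    e, p = SGT["Employee"], SGT["Production_Servers"]
    print("employee -> prod HTTPS:", decide(SLIDE_POLICY, e, p, "tcp", 443))
    print("employee -> prod SSH:  ", decide(SLIDE_POLICY, e, p, "tcp", 22))
    print("address-based lines for 4 sites x 4 objects:", address_rule_count(4, 4))
    print("SGT lines:", sgt_rule_count(SLIDE_POLICY))
```

The count functions make the slide's OPEX argument concrete: the 16 address-based lines for 4 sites and 4 destination objects become 6 tag-based lines, and adding a fifth site changes the first number but not the second. The explicit cell default is the important review question when translating a real policy: whatever the platform does for unmatched traffic in a cell must be written down, not assumed.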
Policy and segmentation
VLAN-based segmentation: Voice, Data, Suppliers, Guest and Quarantine VLANs across the Access Layer and Aggregation Layer; each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies mean more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Segmentation with Security Groups
Retaining the initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine) with enforcement at the Data Center Firewall: regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers (Data tag, Supplier tag, Guest tag, Quarantine tag across the Access Layer and Aggregation Layer)
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
[Diagram: Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet]
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network"
US-CERT
Traditional Security Policy vs. TrustSec Security Policy
[Slide graphic: the traditional policy is a wall of address-based "access-list 102 permit/deny ..." entries, hundreds of lines with source/destination wildcard masks and port operators, repeated to fill the slide; the addresses are not recoverable from the extracted text]
With TrustSec: Security Control Automation; Simplified Access Management; Improved Security Efficacy
Software-defined segmentation: flexible and scalable policy enforcement across the network fabric (Switch, Router, DC FW, DC Switch, Wireless)
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
[Diagram: ISE (Who, What, Where, When, How) across BEFORE, DURING and AFTER, with NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services]
And easily integrates with partner solutions
[Diagram: ISE pxGrid controller (Who, What, Where, When, How) with partner categories SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management, and Cisco Meraki]
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
1. ISE collects contextual data (who, what, where, when, how) from the Cisco network
2. Context is shared via pxGrid technology with the Cisco and partner ecosystem
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE): enhance web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access web resources
[Diagram: Doctor on a Laptop in the Office, Doctor on an iPad in the Office, Guest on an iPad in the Office; Identity Services Engine and WSA mediate access to Confidential Patient Records and the Employee Intranet]
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
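The five-step containment flow above, and the pxGrid sharing model it relies on (ISE publishes session context, a partner directs ISE to contain), are simulated end to end in the block below. It is an added example, not pxGrid, FMC or ISE code: an in-process publish/subscribe bus stands in for the pxGrid controller, ISE applies an ANC policy, retags the session and records a CoA, and the enforcement lookup then denies the quarantined tag everything except the remediation destination. Topic names, tag names, the enforcement table and the file verdict are constructed.

```python
"""Rapid threat containment over pxGrid, simulated (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ANC_POLICY_TAG = {"Quarantine": "Suspicious"}     # ANC policy -> SGT it assigns (constructed)
# Constructed enforcement matrix: quarantined endpoints may only reach Remediation.
ENFORCEMENT = {
    ("Employee", "Production_Servers"): "permit",
    ("Employee", "Remediation"): "permit",
    ("Suspicious", "Remediation"): "permit",
}


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    sgt: str
    anc_policy: Optional[str] = None
    original_sgt: str = field(init=False)

    def __post_init__(self):
        self.original_sgt = self.sgt             # restored when the ANC policy is cleared


class Grid:
    """Minimal publish/subscribe bus standing in for the pxGrid controller."""
    def __init__(self):
        self.subs: Dict[str, List[Callable[[dict], None]]] = {}

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self.subs.setdefault(topic, []).append(handler)

    def publish(self, topic: str, msg: dict) -> None:
        for handler in self.subs.get(topic, []):
            handler(msg)


class Ise:
    def __init__(self, grid: Grid):
        self.grid = grid
        self.sessions: Dict[str, Session] = {}
        self.coa_log: List[str] = []
        grid.subscribe("anc/apply", self.on_anc_apply)
        grid.subscribe("anc/clear", self.on_anc_clear)

    def session_start(self, s: Session) -> None:
        self.sessions[s.ip] = s                  # step 1: context collected and published
        self.grid.publish("session", {"ip": s.ip, "mac": s.mac, "user": s.user, "sgt": s.sgt})

    def on_anc_apply(self, msg: dict) -> None:
        s = self.sessions.get(msg["ip"])
        if s is None or s.anc_policy == msg["policy"]:
            return                               # unknown endpoint, or already contained
        s.anc_policy = msg["policy"]             # step 4: retag and push the change (CoA)
        s.sgt = ANC_POLICY_TAG[msg["policy"]]
        self.coa_log.append(f"CoA reauth ip={s.ip} sgt={s.sgt} reason={msg.get('reason')}")

    def on_anc_clear(self, msg: dict) -> None:
        s = self.sessions.get(msg["ip"])
        if s and s.anc_policy:
            s.anc_policy, s.sgt = None, s.original_sgt
            self.coa_log.append(f"CoA reauth ip={s.ip} sgt={s.sgt} reason=unquarantine")


class Fmc:
    """Partner side: learns sessions from the grid and asks ISE to contain on a malware verdict."""
    def __init__(self, grid: Grid):
        self.grid = grid
        self.sessions: Dict[str, dict] = {}
        grid.subscribe("session", lambda m: self.sessions.__setitem__(m["ip"], m))

    def file_verdict(self, ip: str, sha256: str, disposition: str) -> None:
        if disposition == "malware" and ip in self.sessions:      # steps 2-3
            self.grid.publish("anc/apply", {"ip": ip, "policy": "Quarantine",
                                            "reason": f"malware sha256={sha256}"})


def allowed(src_sgt: str, dst_sgt: str) -> str:
    """Step 5: enforcement keyed on tags; anything not listed is denied."""
    return ENFORCEMENT.get((src_sgt, dst_sgt), "deny")


def run_scenario() -> dict:
    grid = Grid()
    ise, fmc = Ise(grid), Fmc(grid)
    s = Session("10.1.2.3", "aa:bb:cc:00:11:22", "alice", "Employee")   # constructed session
    ise.session_start(s)
    before = allowed(s.sgt, "Production_Servers")
    fmc.file_verdict(s.ip, "0" * 64, "malware")                         # placeholder hash
    return {"before": before, "sgt": s.sgt, "prod": allowed(s.sgt, "Production_Servers"),
            "remediation": allowed(s.sgt, "Remediation"), "coa": len(ise.coa_log)}


if __name__ == "__main__":
    print(run_scenario())
```

Two guards are worth keeping when this is done for real: a containment request for an IP that ISE has no session for is ignored rather than creating state, and a repeated request for an already-contained session does not issue a second CoA. The un-quarantine path restores the original tag from the session record rather than from the partner's message.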
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
FireSIGHT Management Center: create a pxGrid mitigation action based on Mitigate Source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine; Un-Quarantine; Port Bounce; Port Shutdown; Session Re-Authenticate; Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfol
• Cisco NetFlow
• Lancope StealthWatch
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec software-defined segmentation
[Diagram: zones: Admin, Enterprise, POS, Vendor, Employee, Dev]
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type (screenshot: separate policy sets for Cisco IOS Switches and Airespace WLCs)
Example: Wireless LAN Controllers (screenshot)
Example: Cisco IOS (screenshot)
ISE services now available for non-Cisco network access devices: Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 offered 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information, refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Don't just take it from us
• Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
• "Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today" - Forrester, 2011
• Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives" - Frost & Sullivan, 2014
• A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
User + Machine Policy: Combined User Identity + Machine Identity (EAP Chaining)
(Flowchart residue: the decision flow branches on whether a Machine identity and a User identity were presented; conditions include Employee, Workstation_Corp, Employee+WS_Corp, Registered Guest and I-Device; outcomes are Permit Access (AD Login Access, VDI Access), Internet Only, or Access-Reject)
NIPR/SIPR Cross-Domain Violations
(Flowchart residue: the decision flow branches on Machine and User identity, with UNCLASS and CLASSIFIED machines, Approved Visitor and Employee+WS_Corp conditions; outcomes are Permit Access, Internet Only, or Access-Reject)
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
Real Networks Can't Live on 802.1X Alone
(Diagram residue: switchports with 802.1X enabled; endpoint classes Employee, Employee (bad credential), Guest, Managed Assets and Rogue; traffic such as EAPoL, DHCP, TFTP, KRB5 and HTTP is shown as either 802.1X passed or unauthenticated)
Building Your MAB Database: Profiling Tools Are Evolving
Probe-gathered information: the SNMP probe, DHCP probe, HTTP probe and DNS probe feed endpoint attributes to ISE.
Profile conditions example: MAC OUI = Lexmark + DHCP Class ID contains "E260dn" = PROFILED: it's a Lexmark E260dn printer.
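An added example, not Cisco's code, of the profiling idea the slide describes: probe records are merged per MAC and matched against AND-ed profile conditions such as "MAC OUI = Lexmark AND DHCP Class ID contains E260dn"; the OUI table, probe records, profile names and function names are constructed here.

```python
"""Added example, not Cisco's code: a minimal profiler in the spirit of the
slide's condition "MAC OUI = Lexmark AND DHCP Class ID contains E260dn".
The probe records, OUI table, profile names and function names are all
constructed for this example."""
from typing import Dict, List, Tuple

# Constructed OUI (first three octets) to vendor table.
OUI_VENDORS = {"00:20:00": "Lexmark International", "00:50:56": "VMware"}

# Constructed records as probes hand them to ISE: (probe, MAC, attribute, value).
PROBE_RECORDS = [
    ("DHCP", "00:20:00:AA:BB:CC", "dhcp-class-identifier", "Lexmark E260dn"),
    ("DNS",  "00:20:00:AA:BB:CC", "FQDN", "prn-3f-01.example.test"),
    ("DHCP", "00:20:00:DD:EE:FF", "dhcp-class-identifier", "Lexmark E360dn"),
    ("SNMP", "00:50:56:01:02:03", "sysDescr", "Linux vm-build-07 4.4.0"),
]

# Profile = list of conditions (attribute, operator, value); all must hold (AND).
Condition = Tuple[str, str, str]
PROFILES: Dict[str, List[Condition]] = {
    "Lexmark-E260dn-Printer": [("OUI", "EQUALS", "Lexmark International"),
                               ("dhcp-class-identifier", "CONTAINS", "E260dn")],
    "Lexmark-Device":         [("OUI", "EQUALS", "Lexmark International")],
    "VMware-Device":          [("OUI", "EQUALS", "VMware")],
}

def gather(records) -> Dict[str, Dict[str, str]]:
    """Merge the output of all probes into one attribute set per MAC and
    derive the OUI vendor from the MAC itself."""
    endpoints: Dict[str, Dict[str, str]] = {}
    for _probe, mac, attr, value in records:
        mac = mac.lower()
        ep = endpoints.setdefault(mac, {"MAC": mac})
        ep[attr] = value
        ep["OUI"] = OUI_VENDORS.get(mac[:8], "Unknown")
    return endpoints

def condition_holds(ep: Dict[str, str], cond: Condition) -> bool:
    attr, op, value = cond
    actual = ep.get(attr)
    if actual is None:
        return False              # attribute never collected: cannot match
    if op == "EQUALS":
        return actual == value
    if op == "CONTAINS":
        return value in actual
    raise ValueError(op)

def profile(ep: Dict[str, str]) -> str:
    """Pick the most specific matching profile (most conditions satisfied).
    Endpoints matching nothing stay Unknown and get no MAB authorization."""
    best, best_len = "Unknown", 0
    for name, conds in PROFILES.items():
        if len(conds) > best_len and all(condition_holds(ep, c) for c in conds):
            best, best_len = name, len(conds)
    return best

def classify_all(records) -> Dict[str, str]:
    """MAC -> profile name for every endpoint seen by any probe."""
    return {mac: profile(ep) for mac, ep in gather(records).items()}

if __name__ == "__main__":
    for mac, name in classify_all(PROBE_RECORDS).items():
        print(mac, "->", name)
```

Note that the E360dn endpoint falls back to the less specific Lexmark-Device profile because only the OUI condition holds, which is exactly the case a MAB policy should treat differently from a fully profiled printer.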
Building Your MAB Database: Profiling Tools Are Evolving
Device Sensor (IOS 15.0(1)SE1) collects CDP/LLDP/DHCP/MAC data on the switch and sends it to ISE 1.1 through the RADIUS probe: just one type of probe. (Device Classifier)
DoD CAC capable for administration too: Admin UI Login and TACACS CLI CAC Login (Sponsor Portal Login coming soon)
Works with any RADIUS-compliant device
Aruba w/ ISE Configuration Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Make fully informed decisions with rich contextual awareness
Extensive context awareness vs. poor context awareness:
Who: Bob vs. IP address 192.168.1.51 only
What: Tablet vs. Unknown
Where: Building 200, 1st floor vs. Unknown
When: 11:00 AM EST on April 10th vs. Unknown
How: Wireless vs. Unknown
Result: the right user on the right device from the right place is granted the right access vs. any user, any device, anywhere gets on the network
Better Visibility: Revamped the Endpoints Identity Page (screenshot: clicking filters below)
New TrustSec Dashboard & Work Center (screenshot)
Improved Matrix: Color Coded + Condensed (screenshots)
Enhance control with location-based authorization: With the integration of Cisco Mobility Services Engine (MSE)
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Benefits
• Location-based authorization: admin defines a location hierarchy and grants users specific access rights based on their location
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
(Diagram: a Doctor's access to patient data by location: Lobby, no access; Patient room, access; Lab, no access; ER, access)
ISE 2.0 Location-Based Authorization: Authorize user access to the network based on their location
• UI to configure MSE
• MSE provides the location data: Campus / Building / Floor / Zone
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• + 150 TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC address. ISE queries this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing happens. If a new location was received, ISE updates the collection with the new info and invokes CoA on the session.
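An added example, not Cisco's code, of the movement-tracking loop described above: a periodic check against MSE, no action when the location is unchanged, and a context update plus CoA with the re-evaluated rule when it changed; Session, check_movement, location_matches and the MSE table are this example's own names and constructed data.

```python
"""Added example, not Cisco's code: a model of the ISE 2.0 endpoint-movement
loop described above. Session, check_movement, location_matches and the
constructed MSE table are this example's own names and data."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

CHECK_INTERVAL_S = 300  # the slide's "about every 5 minutes" between MSE queries

@dataclass
class Session:
    mac: str
    rule_location: str              # e.g. "LND_Campus1/Building1/Floor2/SecureZone"
    location: Optional[str] = None  # location stored in the session context
    next_check_at: int = 0          # earliest time (seconds) of the next MSE query
    coa_events: List[Tuple[int, Optional[str], str]] = field(default_factory=list)

# Constructed MSE answers keyed by MAC, in a Campus/Building/Floor/Zone hierarchy.
MSE_LOCATIONS = {
    "00:11:22:33:44:55": "LND_Campus1/Building1/Floor2/SecureZone",
    "66:77:88:99:aa:bb": "LND_Campus1/Building1/Floor1/Lobby",
}

def location_matches(rule_location: str, actual: Optional[str]) -> bool:
    """Evaluate 'MSE:Location Equals <rule_location>'. The rule may name any
    level of the hierarchy: a rule for .../Building1 matches every floor and
    zone inside Building1. An endpoint with no fix from MSE never matches."""
    if actual is None:
        return False
    rule = rule_location.strip("/").split("/")
    got = actual.strip("/").split("/")
    return got[:len(rule)] == rule

def check_movement(session: Session, now: int,
                   lookup: Callable[[str], Optional[str]]) -> str:
    """One pass of the tracker for an authenticated session.
    Returns 'skip' (interval not elapsed), 'unchanged', or 'coa' (location
    changed: context updated, rule re-evaluated, CoA issued on the session)."""
    if now < session.next_check_at:
        return "skip"
    session.next_check_at = now + CHECK_INTERVAL_S
    new_loc = lookup(session.mac)          # query MSE by endpoint MAC
    if new_loc == session.location:
        return "unchanged"                 # no location change: do nothing
    session.location = new_loc             # update the collection with new info
    decision = "permit" if location_matches(session.rule_location, new_loc) else "deny"
    session.coa_events.append((now, new_loc, decision))   # CoA on the session
    return "coa"

def run_demo() -> Tuple[List[str], Session]:
    """Walk one session through: in the secure zone at authentication time,
    then carried to the lobby before the next periodic check."""
    table = dict(MSE_LOCATIONS)            # private copy so the demo is repeatable
    mac = "00:11:22:33:44:55"
    s = Session(mac=mac, rule_location="LND_Campus1/Building1/Floor2/SecureZone",
                location=table.get(mac))
    actions = [check_movement(s, 0, table.get)]        # 'unchanged'
    table[mac] = "LND_Campus1/Building1/Floor1/Lobby"  # endpoint walks away
    actions.append(check_movement(s, 120, table.get))  # 'skip': too early
    actions.append(check_movement(s, 300, table.get))  # 'coa': now outside the zone
    return actions, s

if __name__ == "__main__":
    acts, sess = run_demo()
    print(acts, sess.coa_events)
```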
Centralized Control
Deeper Visibility
Superior Protection
Enterprise Mobility: Control it all from a single location: network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
(Diagram: Wired, Wireless, VPN and Branch connections; Headquarters; Remote User, Partner, Admin, Contractor/Guest)
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
(Diagram: Device Profiling; Employee and IT Staff; resources Internal Employee Intranet, Confidential HR Records, www)
Bring Your Own Device (BYOD): Enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improve network operations: offload the onboarding of personal devices from IT
Flow
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest gets Internet)
• Simple self-registration (Guest gets Internet)
• Role-based access with employee sponsorship (Guest + Sponsor gets Internet and Network)
Guest Lifecycle Management: Hotspot: Guest access made easy
Feature Highlight: Immediate un-credentialed access with Hotspot
1. User associates to an open SSID
2. User tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day, the user is kicked off the network (day ends)
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot example: secret code "chemist")
Guest Lifecycle Management: Self Registration: Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible guest self-registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
(Diagram: posture checks OS patches, AV installed, Registered, Custom Criteria; an endpoint failing checks is marked Vulnerable)
Endpoint Compliance: Posture Assessment: Enforce endpoint compliance prior to allowing access to the network
Flow
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, hotfix, AV/AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc...
5. Posture = Compliant
6. Authorize: Permit Access (dACL, dVLAN, SGT, etc...)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights and Description:
• File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check: user agent check; user-based process check
• Disk Encryption Check: checks can be based on installation location and disk encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks - Posture Enhancements (ISE 2.0, AnyConnect 4.2): OS X, similar to the registry check on Windows
Posture Enhancements - OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Windows ISE Posture - Disk Encryption (screenshot)
Windows ISE Posture - Native Patch Management via OPSWAT (screenshot)
ISE Posture - Patch Management: Windows OS Example (product name and version)
• Install is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"
• Min version of the compliance module that provides support
ISE Posture - Patch Management: Mac OS Example (screenshot)
Patch Management Remediation
• Remediation type - same as AV and AS remediation
• Operating system - Windows only supported
• Vendor name - list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration: Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device action from ISE and from the MyDevices Portal (device stolen: wipe corporate data)
Flow (diagram): 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
TrustSec Work Center: Streamline management using a single workspace: Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Benefits (with TrustSec's new user interface)
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
Access policy matrix (diagram): source SGTs Guest, Contractor, Employee, Infected; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell is Permit IP or Deny IP (10 of each on the slide)
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: Source to Destination
Sources: NY (10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24 ...), SF, LA, SJC
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object: complex task, and the high OPEX continues
A global bank currently dedicates 24 global resources to manage firewall rules
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200). Destination SGT: Production_Servers (50), VDI (201)
Sources NY, SF, LA and SJC carry the Employee and BYOD tags; DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) are Production Servers; DC-RTP (VDI) is VDI Servers
Policy stays with users and servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization) (e.g. the bank now estimates 6 global resources)
• Clear ROI in OPEX
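An added example, not Cisco's code, that makes the OPEX argument of the last two slides concrete: it expands the six-line SGT policy into the per-subnet ACL it replaces and shows that adding a site adds ACL lines but leaves the SGT policy untouched; the subnets, the site-to-SGT mapping and the function names are constructed here, while the SGT values and rules are the slide's.

```python
"""Added example, not Cisco's code: compiling the slide's six-line SGT policy
into the per-subnet ACL it replaces, to show why IP-based rule counts explode
while the SGT policy does not. The subnets, site-to-SGT mapping and the
function names are this example's own; SGT values and rules are the slide's."""
from itertools import product
from typing import Dict, List, Optional, Tuple

# Constructed site subnets (sources) and data-center servers (destinations).
SOURCES: Dict[str, List[str]] = {
    "NY": ["10.2.34.0/24", "10.2.35.0/24"],
    "SF": ["10.3.102.0/24"],
    "LA": ["10.3.152.0/24"],
    "SJC": ["10.4.111.0/24"],
    "BYOD-WLAN": ["10.9.0.0/16"],
}
DESTS: Dict[str, str] = {"SRV1": "DC-MTV", "SAP1": "DC-MTV",
                         "SCM2": "DC-RTP", "VDI": "DC-RTP"}

# Security group tags from the slide and the tag each object carries.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SOURCE_SGT = {"NY": "Employee", "SF": "Employee", "LA": "Employee",
              "SJC": "Employee", "BYOD-WLAN": "BYOD"}
DEST_SGT = {"SRV1": "Production_Servers", "SAP1": "Production_Servers",
            "SCM2": "Production_Servers", "VDI": "VDI"}

# The slide's SGT policy: (action, source SGT, destination SGT, service; None = any).
Rule = Tuple[str, str, str, Optional[str]]
SGT_POLICY: List[Rule] = [
    ("permit", "Employee", "Production_Servers", "HTTPS"),
    ("deny",   "Employee", "Production_Servers", "SQL"),
    ("deny",   "Employee", "Production_Servers", "SSH"),
    ("permit", "Employee", "VDI",                "RDP"),
    ("deny",   "BYOD",     "Production_Servers", None),
    ("permit", "BYOD",     "VDI",                "RDP"),
]

def sgt_decision(src_sgt: str, dst_sgt: str, service: str) -> str:
    """What an enforcement point does with a tagged packet: the first matching
    cell of the matrix wins, otherwise the implicit deny applies."""
    for action, s, d, svc in SGT_POLICY:
        if s == src_sgt and d == dst_sgt and svc in (None, service):
            return action
    return "deny"

def compile_to_acl(sources: Dict[str, List[str]],
                   source_sgt: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Expand the SGT policy into traditional ACEs (action, src subnet, dst host,
    service): one ACE per subnet x server x matching rule."""
    aces = []
    for (site, subnets), dst in product(sources.items(), DESTS):
        for action, s, d, svc in SGT_POLICY:
            if s != source_sgt[site] or d != DEST_SGT[dst]:
                continue
            for subnet in subnets:
                aces.append((action, subnet, dst, svc or "any"))
    return aces

def add_site(sources, source_sgt, site, subnets, sgt_name):
    """Return new maps with one more source object (a new branch office)."""
    return {**sources, site: list(subnets)}, {**source_sgt, site: sgt_name}

def rule_counts(sources, source_sgt) -> Tuple[int, int]:
    """(SGT policy lines, equivalent traditional ACL lines) for the objects."""
    return len(SGT_POLICY), len(compile_to_acl(sources, source_sgt))

if __name__ == "__main__":
    before = rule_counts(SOURCES, SOURCE_SGT)
    srcs, tags = add_site(SOURCES, SOURCE_SGT, "DEN", ["10.5.20.0/24"], "Employee")
    print("before:", before, "after adding one site:", rule_counts(srcs, tags))
```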
Policy and segmentation (VLAN-based)
Roles: Voice, Data, Suppliers, Guest, Quarantine
Access layer and aggregation layer; each VLAN requires addressing, a DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies need more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Segmentation with security groups
Retaining the initial VLAN/subnet design for Voice, Data, Suppliers, Guest, Quarantine
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers
(Diagram: Access layer, Aggregation layer, Data Center Firewall; Data Tag, Supplier Tag, Guest Tag, Quarantine Tag)
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
(Diagram: Who Guest / What iPad / Where Office; Who Receptionist / What iPad / Where Office; Who Doctor / What Laptop / Where Office; resources Internet, Confidential Patient Records, Internal Employee Intranet)
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network" - US-CERT
Traditional Security Policy: hundreds of IP-based permit/deny entries in a single access-list (the slide shows a long access-list 102)
TrustSec Security Policy, with TrustSec: security control automation; simplified access management; improved security efficacy
Network fabric (Switch, Router, DC FW, DC Switch, Wireless): flexible and scalable policy enforcement; software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE supplies the Who / What / Where / When / How context across the attack continuum (Before, During, After) to the rest of the Cisco portfolio:
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE shares Who / What / Where / When / How context through the pxGrid controller with Cisco Meraki and with partner products in these categories:
• SIEM
• EMM/MDM
• Firewall
• Vulnerability Assessment
• Threat Defense
• IoT
• IAM/SSO
• PCAP
• Web Security
• CASB
• Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
ISE sits between the Cisco network and the Cisco and partner ecosystem, with the pxGrid controller distributing Who / What / Where / When / How context:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web Access Policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
• Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
• Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
• Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Illustration: three sessions seen by ISE (Doctor / Laptop / Office, Doctor / iPad / Office, Guest / iPad / Office) and two web destinations (Confidential Patient Records, Employee Intranet); the WSA applies a different access decision per session using the ISE context.
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Capabilities
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Flow
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE over pxGrid, changing the endpoint's Security Group Tag (SGT) to a "suspicious" tag
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
Slide 61
• Administration > pxGrid Services
FireSIGHT Management Center: the registered FMC pxGrid client
Slide 62
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
Mitigation actions:
• Quarantine
• Un-Quarantine
• Port Bounce
• Port Shutdown
• Session Re-Authenticate
• Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Data flows from the network into these tools.)
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Illustrated zones: Admin, Enterprise, POS, Vendor, Employee, Dev
Slide 65
TACACS+ Device Administration Support for ISE 2.0
Simplify security management with role-based access
Feature Highlight: customers can now use TACACS+ with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Illustration: a Security Admin team and a Network Admin team each working from the TACACS+ Work Center
Slide 66
Device Admin Service is not Enabled by Default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireOS (Airespace) wireless controllers
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
• Use NDGs (Network Device Groups) to drive the selection
Slide 68
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
Slide 69
Example Wireless LAN Controllers
Slide 70
Example Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 10
NIPR/SIPR Cross-Domain Violations
[Flowchart: from "Start Here" the authorization flow tests whether the machine is CLASSIFIED or UNCLASS and whether the credential (machine or user) is an Approved Visitor, an Employee, or Employee + WS_Corp, and ends in one of Permit Access, Internet Only or Access-Reject]
A syslog is sent detailing the credential (workstation or user name), which can be used to send an email to the security admin.
Slide 11
Real Networks Can't Live on 802.1X Alone
[Figure: two 802.1X-enabled switchports. On one, an Employee passes 802.1X (EAPoL) and goes on to KRB5 and HTTP. On the other, the endpoints stay Unauthenticated: an Employee with a bad credential, a Guest, Managed Assets and a Rogue device, all shown trying DHCP, TFTP, KRB5 and HTTP]
Slide 12
Building Your MAB Database: Profiling Tools Are Evolving
Probe-gathered information: the SNMP, DHCP, HTTP and DNS probes feed ISE.
Profile conditions example: MAC OUI = Lexmark + DHCP Class ID contains "E260dn" = PROFILED: it's a Lexmark E260dn printer
Slide 13
Building Your MAB Database: Profiling Tools Are Evolving
Just one type of probe, the RADIUS probe: switches running Device Sensor (IOS 15.0(1)SE1) or Device Classifier collect CDP, LLDP, DHCP and MAC attributes at the port and hand them to ISE (1.1 and later) over RADIUS.
Slide 14
DoD CAC capable for administration too: TACACS+ CLI CAC login and Admin UI login (Sponsor Portal login coming soon)
Slide 15
Aruba with ISE Configuration Guide (works with any RADIUS-compliant device):
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Slide 16
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Slide 17
Centralized Control
Deeper Visibility
Superior Protection
Slide 18
Extensive context awareness: make fully informed decisions with rich contextual awareness
Rich context: Who: Bob | What: Tablet | Where: Building 200, 1st floor | When: 11:00 AM EST on April 10th | How: Wireless
Result: the right user on the right device from the right place is granted the right access
Poor context awareness: IP Address 192168151 | Unknown | Unknown | Unknown | Unknown
Result: any user, any device, anywhere gets on the network
Slide 19
Better Visibility: revamped the Endpoints Identity page (clicking filters below)
Slide 20
New TrustSec Dashboard amp WorkCenter
Slide 21
Improved Matrix Color Coded + Condensed
Slide 22
Improved Matrix Color Coded + Condensed
Slide 23
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Feature Highlight: the integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Illustration: a Doctor moving between Lobby, Patient room, Lab and ER; access to patient data is granted in the Patient room and the ER and denied in the Lobby and the Lab. The configuration panel lists the patient data access location entities: Patient room, ER, Lab, Lobby.
Slide 24
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE; MSE supplies the location data as Campus / Building / Floor / Zone
Slide 25
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location EQUALS LND_Campus1/Building1/Floor2/SecureZone
• Budget of about 150 TPS (transactions per second) against MSE
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, by MAC address. ISE queries the endpoint's location about every 5 minutes or so after the last check (based on the 150 TPS budget) to verify whether the location changed:
• No location change: do nothing
• New location received: update the collection with the new info and invoke CoA on the session
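Two things on this slide deserve to be made concrete: how a rule like `MSE:Location EQUALS LND_Campus1/Building1/Floor2/SecureZone` should match against a hierarchy (by component, so that Building1 does not accidentally cover Building10), and the movement-tracking loop (respect the polling interval, do nothing on no change, update and CoA on change). The block below is an added example, not ISE code and not from the deck. The `/` path separator, the attribute and profile names, the rule set, and the MSE answers (a constructed lookup table standing in for MSE) are assumptions; the 5-minute interval and the three-step reaction to a location change are the slide's.

```python
"""Added example: location-hierarchy matching and MSE movement tracking.
Separator, rule names, profiles and the MSE lookup table are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

LOCATION_SEP = "/"      # assumption: hierarchy written Campus/Building/Floor/Zone
RECHECK_SECONDS = 300   # the deck: ISE re-queries MSE about every 5 minutes


def in_location(actual: str, rule: str) -> bool:
    """Subtree match on hierarchy components, so Building10 never matches Building1."""
    a, r = actual.split(LOCATION_SEP), rule.split(LOCATION_SEP)
    return a[:len(r)] == r


@dataclass
class AuthzRule:
    name: str
    location: str    # compared with the MSE:Location attribute
    profile: str     # authorization profile applied on match


# Constructed rules, evaluated top-down, first match wins.
RULES = [
    AuthzRule("Doctor-SecureZone", "LND_Campus1/Building1/Floor2/SecureZone", "PatientData-Access"),
    AuthzRule("Doctor-OnCampus", "LND_Campus1", "Intranet-Only"),
]


def authorize(location: str) -> str:
    for rule in RULES:
        if in_location(location, rule.location):
            return rule.profile
    return "Deny-Access"


@dataclass
class Session:
    mac: str
    location: str
    profile: str
    last_check: float   # seconds on a monotonic clock at the last MSE query


def track_movement(session: Session, now: float,
                   mse_lookup: Callable[[str], str]) -> Optional[tuple[str, str]]:
    """Timer callback. None when nothing is to be done; ("CoA", new_profile)
    when the endpoint moved and the session must be reauthorized."""
    if now - session.last_check < RECHECK_SECONDS:
        return None                              # stay inside the polling budget
    session.last_check = now
    new_location = mse_lookup(session.mac)
    if new_location == session.location:
        return None                              # no location change: do nothing
    session.location = new_location              # update the collection
    session.profile = authorize(new_location)
    return ("CoA", session.profile)              # invoke CoA on the session


# Constructed MSE answer: where each MAC currently is.
MSE_LOCATIONS = {
    "aa:bb:cc:00:00:01": "LND_Campus1/Building1/Floor2/SecureZone",
    "aa:bb:cc:00:00:02": "LND_Campus1/Building1/Floor1/Lobby",
}

if __name__ == "__main__":
    s = Session("aa:bb:cc:00:00:01", MSE_LOCATIONS["aa:bb:cc:00:00:01"], "PatientData-Access", 0.0)
    print(track_movement(s, 300.0, MSE_LOCATIONS.get))                       # no change
    print(track_movement(s, 700.0, lambda mac: MSE_LOCATIONS["aa:bb:cc:00:00:02"]))  # moved
```

The CoA is issued on any location change, as the slide describes; the re-authorization then re-runs the rule table, which is why the profile is recomputed rather than carried over.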
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location regardless of connection type (wired, wireless, VPN, branch, enterprise mobility)
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Illustration: Headquarters with Admin, Contractor/Guest and Partner users, plus Remote Users over VPN and Branch sites
Slide 28
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Illustration: Device Profiling applied to an Employee and to IT Staff, with the Internal Employee Intranet, the web (www) and Confidential HR Records as the resources
Slide 29
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device, with a simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.
Benefits
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improve network operations: offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with an existing PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Flow
1. The user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest: Internet)
• Simple self-registration (Guest: Internet)
• Role-based access with employee sponsorship (Guest + Sponsor: Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate uncredentialed access with Hotspot; guest access made easy
1. The user associates to an open SSID
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy (and entering the secret code, "chemist" in the screenshot, where a passcode is configured), the user is then allowed access to the network
4. At the end of the day the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
Slide 32
Guest Lifecycle Management: Self Registration
Feature Highlight: simple and flexible guest self-registration; a flexible, efficient and scalable solution that fits all your needs
1. The guest is redirected to a captive portal for self-registration
2. After the registration request is filled in, the credentials are sent by ISE via SMS
3. The guest enters the credentials
4. The guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration/renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
ISE, with EMM integrations, identifies the device, checks posture, ensures policy compliance and quarantines non-compliant devices.
Illustrated checks: OS patches, AV installed, Registered, Custom criteria, Vulnerable (failed checks and the non-compliant device are marked with an X)
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV/AS, personal firewall, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights
• File check enhancements: enhanced OS X file checks, SHA-256, plist on OS X, Windows user directories such as "Desktop" and "User Profile"
• OS X daemon check, user agent check, user-based process check
• Disk encryption check: checks can be based on installation location and disk encryption state
• Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
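The posture flow on the previous slide (Unknown or Non-compliant means quarantine, Compliant means permit) and the ISE 2.0 check types listed here (hotfix, AV, firewall, disk encryption, SHA-256 file check) fit into one small engine, so here is an added example covering both; it is not the AnyConnect posture module or any Cisco code. It evaluates a constructed endpoint report against requirements in the three ISE modes (Mandatory blocks, Optional only offers remediation, Audit only records) and maps the result to an authorization. The requirement names, the report keys, the hotfix identifier `KB-EXAMPLE`, the dACL/SGT names and the sample reports are all constructed.

```python
"""Added example: a toy posture engine with Mandatory/Optional/Audit requirements
and the quarantine-or-permit authorization that follows. All names are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Requirement:
    name: str
    check: Callable[[dict], bool]
    mode: str = "Mandatory"     # Mandatory | Optional | Audit
    remediation: str = ""       # action the agent would run on failure, if any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good hash of an agent config file (constructed content, constructed check).
EXPECTED_CONFIG_SHA256 = sha256_hex(b"allow_usb=false\n")

REQUIREMENTS = [
    Requirement("AV installed and running", lambda r: r.get("av_running") is True,
                remediation="launch AV"),
    Requirement("Critical hotfix KB-EXAMPLE present",       # constructed KB name
                lambda r: "KB-EXAMPLE" in r.get("hotfixes", []),
                remediation="WSUS: install missing hotfix"),
    Requirement("Personal firewall enabled", lambda r: r.get("firewall") is True,
                mode="Optional", remediation="enable firewall"),
    Requirement("Disk encryption on", lambda r: r.get("disk_encrypted") is True),
    Requirement("Agent config unmodified (SHA-256)",
                lambda r: sha256_hex(r.get("agent_config", b"")) == EXPECTED_CONFIG_SHA256),
    Requirement("Screen lock timeout set", lambda r: r.get("screen_lock") is True,
                mode="Audit"),                              # recorded, never blocks
]


@dataclass
class PostureResult:
    status: str                                  # Compliant | NonCompliant
    failed: list = field(default_factory=list)   # mandatory failures
    audit_failed: list = field(default_factory=list)
    remediations: list = field(default_factory=list)


def assess(report: dict) -> PostureResult:
    """Run every requirement; only Mandatory failures change the status."""
    result = PostureResult("Compliant")
    for req in REQUIREMENTS:
        if req.check(report):
            continue
        if req.mode == "Audit":
            result.audit_failed.append(req.name)
            continue
        if req.remediation:
            result.remediations.append(req.remediation)
        if req.mode == "Mandatory":
            result.failed.append(req.name)
            result.status = "NonCompliant"
    return result


def authorize(posture_status: str) -> dict:
    """Unknown or NonCompliant: quarantine (redirect dACL + quarantine SGT).
    Compliant: permit. The dACL and SGT names are constructed, not ISE defaults."""
    if posture_status == "Compliant":
        return {"dACL": "PERMIT_ALL", "SGT": "Employee"}
    return {"dACL": "POSTURE_REMEDIATION", "SGT": "Quarantine"}


# Constructed endpoint reports as an agent might deliver them.
HEALTHY = {"av_running": True, "hotfixes": ["KB-EXAMPLE"], "firewall": True,
           "disk_encrypted": True, "agent_config": b"allow_usb=false\n", "screen_lock": True}
STALE = {"av_running": True, "hotfixes": [], "firewall": False,
         "disk_encrypted": True, "agent_config": b"allow_usb=true\n"}

if __name__ == "__main__":
    for name, report in (("healthy", HEALTHY), ("stale", STALE)):
        r = assess(report)
        print(name, r.status, r.failed, r.remediations, r.audit_failed, authorize(r.status))
```

A missing key in the report fails its check (`.get(...) is True`) rather than passing it, so an agent that omits a field cannot talk its way to Compliant; and a posture of Unknown, the state before any agent has reported, is quarantined exactly like NonCompliant.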
Slide 36
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0 with AnyConnect 4.2
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch management checks
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on the installation of a specified disk encryption application and on the disk encryption state
Slide 39
Windows ISE Posture: Disk Encryption
Slide 40
Windows ISE Posture: Native Patch Management via OPSWAT
Slide 41
ISE Posture: Patch Management, Windows OS example
• Product name and version
• Install is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date"
• Minimum version of the compliance module that provides support
Slide 42
ISE Posture: Patch Management, Mac OS example
Slide 43
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled, Install missing patches, Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device action from ISE and from the My Devices portal (device stolen, wipe corporate data)
Flow: (1) register with ISE, (2) allow Internet access, (3) register with the MDM, (4) allow corporate access
Slide 45
Streamline management using a single workspace, with TrustSec's new user interface
Intuitive work center and access policy matrix
Feature Highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
• Simplify management with a dedicated work center allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard, matrix overhaul, automatic SGT creation, ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation, search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced, improved filtering for live log and reports
Access policy matrix (screenshot): source SGTs Guest, Contractor, Employee and Infected against destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each of the twenty cells is set to Permit IP or Deny IP
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source (NY, SF, LA, SJC, where NY alone is a list of /24 subnets) to Destination (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI; the Production Servers)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object: the complex task and high OPEX continue.
A global bank currently dedicates 24 global resources to managing firewall rules.
Slide 47
Low OPEX Security Policy Maintenance
Security group filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
The same sources (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI) are classified into these groups; policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost) and simpler security operation (resource optimization): the bank now estimates 6 global resources.
Clear ROI in OPEX
Slide 48
Policy and segmentation
VLAN-based segmentation: Voice, Data, Suppliers, Guest and Quarantine VLANs at the Access Layer, each needing VLAN addressing, a DHCP scope, redundancy, routing and static filtering at the Aggregation Layer
Simple segmentation takes 2 VLANs; more policies mean more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Slide 49
Segmentation with security groups
Retaining the initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine at the Access Layer, the Aggregation Layer and the Data Center Firewall), endpoints carry a Data, Supplier, Guest or Quarantine tag.
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Illustration: three sessions (Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office) against three resources (Internet, Confidential Patient Records, Internal Employee Intranet)
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
Slide 52
[Slide illustration: a traditional extended ACL (access-list 102) running to hundreds of permit/deny lines of IP/wildcard pairs and port operators, shown as the "Traditional Security Policy" beside the far shorter TrustSec Security Policy]
Software-Defined Segmentation with TrustSec
Traditional Security Policy (a wall of per-address access-list entries) versus TrustSec Security Policy:
• Security control automation
• Simplified access management
• Improved security efficacy
Flexible and scalable policy enforcement across the network fabric: switch, router, DC firewall, DC switch, wireless
Centralized Control | Deeper Visibility | Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
ISE is the cornerstone of your Cisco solutions
ISE context (Who, What, Where, When, How) is shared across the attack continuum (before, during, after) with:
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
And easily integrates with partner solutions
ISE (pxGrid controller) shares Who, What, Where, When and How context with Cisco Meraki and with partner products in these categories:
• SIEM
• EMM/MDM
• Firewall
• Vulnerability Assessment
• Threat Defense
• IoT
• IAM/SSO
• PCAP
• Web Security
• CASB
• Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (Who, What, Where, When, How) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid, with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness

Feature Highlight
Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.

Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations

Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.

Example: ISE passes context to the WSA, which decides between the Confidential Patient Records and the Employee Intranet for
• Who: Doctor, What: Laptop, Where: Office
• Who: Doctor, What: iPad, Where: Office
• Who: Guest, What: iPad, Where: Office
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE

Feature Highlight
Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy.

How it works
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigate source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones in the diagram: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
TACACS+ Device Administration: simplify security management with role-based access

Feature Highlight
Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

TACACS+ Device Administration support in ISE 2.0: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
Device Admin Service is not enabled by default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
• Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type: Cisco IOS switches, Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices

Feature Highlight
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.

Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration:
• ISE 1.0: 802.1X
• New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information, refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Real Networks Can't Live on 802.1X Alone
Diagram: 802.1X-enabled switchports carrying a mix of endpoints and traffic. Outcomes shown: 802.1X Passed, Unauthenticated. Traffic seen on the ports: EAPoL, DHCP, TFTP, KRB5, HTTP. Endpoints: Employee, Employee (bad credential), Guest, Managed Assets, Rogue.
Building Your MAB Database: Profiling Tools Are Evolving
ISE probes gather information: SNMP probe, DHCP probe, HTTP probe, DNS probe.
Profile conditions example (probe-gathered information): MAC OUI = Lexmark + DHCP Class ID contains "E260dn" = PROFILED: it's a Lexmark E260n printer.
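The profiling rule on the slide above, worked as an added example that is not Cisco's or ISE's code: it parses the DHCP option area to get the vendor class identifier, combines it with the MAC OUI, and evaluates an AND rule; the OUI table, rule names and DHCP bytes are constructed for the example.

```python
"""Added example (not Cisco's or ISE's code): a minimal model of the profiling
step above.  Two probe-gathered attributes, the MAC OUI and the DHCP vendor
class identifier (option 60), feed a rule "OUI is Lexmark AND class id
contains E260dn".  OUI table, rule names and DHCP bytes are constructed."""
from dataclasses import dataclass, field

# Constructed OUI lookup; a real deployment uses the IEEE registry.
OUI_VENDORS = {"00:20:00": "Lexmark", "00:50:56": "VMware"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that precedes the options area


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options area as code/length/value records: PAD (0) skipped,
    END (255) stops parsing, a record running past the packet is rejected."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


def collect_probe_attributes(mac: str, dhcp_options: bytes) -> Endpoint:
    """Model of the DHCP probe: derive the OUI vendor from the MAC and keep
    option 60 (vendor class identifier) as an endpoint attribute."""
    ep = Endpoint(mac=mac)
    ep.attributes["MAC-OUI"] = OUI_VENDORS.get(mac.lower()[:8], "Unknown")
    opts = parse_dhcp_options(dhcp_options)
    if 60 in opts:
        ep.attributes["dhcp-class-identifier"] = opts[60].decode("ascii", "replace")
    return ep


# Profiling rules, most specific first; every condition of a rule must hold
# (AND), as in the slide's "MAC OUI + DHCP Class ID" example.
PROFILE_RULES = [
    ("Lexmark-E260n-Printer", [("MAC-OUI", "equals", "Lexmark"),
                               ("dhcp-class-identifier", "contains", "E260dn")]),
    ("Lexmark-Device", [("MAC-OUI", "equals", "Lexmark")]),
]


def _condition_holds(ep: Endpoint, attr: str, op: str, value: str) -> bool:
    actual = ep.attributes.get(attr)
    if actual is None:
        return False     # attribute never gathered by any probe: no match
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unknown operator {op}")


def profile_endpoint(ep: Endpoint) -> str:
    """Return the first matching profile name, or 'Unknown'."""
    for name, conditions in PROFILE_RULES:
        if all(_condition_holds(ep, *cond) for cond in conditions):
            return name
    return "Unknown"


def build_options(*opts) -> bytes:
    """Build a constructed options blob (cookie, records, END) for the demo."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return DHCP_MAGIC + body + b"\xff"


if __name__ == "__main__":
    printer = collect_probe_attributes(
        "00:20:00:12:34:56", build_options((53, b"\x01"), (60, b"Lexmark E260dn")))
    print(profile_endpoint(printer))   # Lexmark-E260n-Printer
    vm = collect_probe_attributes(
        "00:50:56:aa:bb:cc", build_options((53, b"\x01"), (60, b"MSFT 5.0")))
    print(profile_endpoint(vm))        # Unknown
```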
Building Your MAB Database: Profiling Tools Are Evolving
With Device Sensor (15.0(1)SE1), Device Classifier and ISE 1.1, the switch collects CDP, LLDP, DHCP and MAC attributes from each endpoint and forwards them to ISE through the RADIUS probe, so just one type of probe is needed.
DoD CAC capable for administration too: Admin UI login and TACACS CLI CAC login (Sponsor Portal login coming soon)
Works with any RADIUS-compliant device
Aruba with ISE configuration guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 IPv6 Ready
Centralized Control | Deeper Visibility | Superior Protection
Make fully informed decisions with rich contextual awareness
Extensive context awareness:
• Who: Bob
• What: Tablet
• Where: Building 200, 1st floor
• When: 11:00 AM EST on April 10th
• How: Wireless
Result: the right user on the right device from the right place is granted the right access.
Poor context awareness:
• IP Address 192168151; Who, What, Where, When and How all Unknown
Result: any user, any device, anywhere gets on the network.
Better Visibility: revamped the Endpoints identity page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: color coded + condensed
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)

Feature Highlight
The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.

Benefits
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Enhanced policy enforcement with automated location check and reauthorization.
Simplified management by configuring authorization with ISE management tools.
Granular control of network access with location-based authorization for individual users.

Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location

Example: a Doctor's access to patient data by location
• Lobby: no access to patient data
• Patient room: access to patient data
• Lab: no access to patient data
• ER: access to patient data
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
• UI to configure MSE
• MSE: "I have location data": Campus / Building / Floor / Zone
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE Location Equals LND_Campus1Building1Floor2SecureZone
• +150 TPS (transactions per second)
• Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE queries the endpoint location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed.
• If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session.
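The movement-tracking loop just described, as an added example that is not Cisco's or ISE's code: a location hierarchy is matched by an authorization rule, the location is re-checked on an interval, and a change updates the session and issues a CoA. Location strings, rule names and the poll interval are constructed; the "/" separator is an assumption, and the prefix match generalizes the slide's single "Equals" rule to cover everything beneath a location.

```python
"""Added example (not Cisco's or ISE's code): a model of the location-based
authorization loop described above.  MSE supplies a location path
(campus/building/floor/zone); an authorization rule matches on it; ISE
re-checks the location periodically and, when it has changed, updates the
stored context and issues a CoA so the session is re-authorized.  Location
strings, rule names and the poll interval are constructed; the '/' separator
is an assumption, and a rule matches its location or anything beneath it in
the hierarchy, which generalizes the slide's single 'Equals' rule."""
from dataclasses import dataclass, field

POLL_INTERVAL_S = 300   # "about every 5 minutes", constructed value


@dataclass
class Session:
    mac: str
    location: str                 # last location received from MSE
    authz_profile: str = "Deny"
    last_checked: float = 0.0     # time of the last MSE query
    coa_log: list = field(default_factory=list)   # (time, location, profile)


def location_within(actual: str, rule_location: str) -> bool:
    """True if the endpoint's location is the rule's location or lies beneath
    it.  Comparison is per path element, so 'Building10' is not inside
    'Building1'."""
    actual_parts = actual.split("/")
    rule_parts = rule_location.split("/")
    return actual_parts[:len(rule_parts)] == rule_parts


# Ordered authorization rules: (name, location prefix, profile).  First match
# wins; an empty prefix is the catch-all.
AUTHZ_RULES = [
    ("Doctor_SecureZone", "Campus1/Building1/Floor2/SecureZone", "PatientData"),
    ("Doctor_Building1", "Campus1/Building1", "Intranet"),
    ("Default", "", "Deny"),
]


def authorize(location: str) -> str:
    for _name, prefix, profile in AUTHZ_RULES:
        if prefix == "" or location_within(location, prefix):
            return profile
    return "Deny"


def track_movement(session: Session, now: float, mse_lookup) -> str:
    """One pass of the endpoint movement tracker.  mse_lookup(mac) stands in
    for the MSE query.  Returns 'skipped' (interval not yet elapsed),
    'unchanged' (same location) or 'coa' (new location stored, CoA issued)."""
    if now - session.last_checked < POLL_INTERVAL_S:
        return "skipped"
    session.last_checked = now
    new_location = mse_lookup(session.mac)
    if new_location == session.location:
        return "unchanged"
    session.location = new_location                  # update the collection
    session.authz_profile = authorize(new_location)  # re-authorize
    session.coa_log.append((now, new_location, session.authz_profile))
    return "coa"


if __name__ == "__main__":
    mac = "aa:bb:cc:00:00:01"                            # constructed endpoint
    mse = {mac: "Campus1/Building1/Floor2/SecureZone"}  # stands in for MSE
    s = Session(mac, mse[mac], authz_profile=authorize(mse[mac]))
    print(track_movement(s, 100.0, mse.get))     # skipped
    print(track_movement(s, 400.0, mse.get))     # unchanged
    mse[mac] = "Campus1/Building1/Floor1/Lobby"  # the doctor walks to the lobby
    print(track_movement(s, 500.0, mse.get))     # skipped
    print(track_movement(s, 700.0, mse.get))     # coa
    print(s.authz_profile)                       # Intranet
```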
Centralized Control | Deeper Visibility | Superior Protection
Control it all from a single location: network, data and application
Enterprise Mobility: wired, wireless, VPN, branch, headquarters, remote user, partner, contractor/guest, admin
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Diagram: Employee and IT Staff devices pass through Device Profiling on their way to the Internal Employee Intranet, Confidential HR Records and the web (www).
Bring Your Own Device (BYOD): enable easier and faster device onboarding

Feature Highlight
Easy and secure access to the network from any device, with a simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.

Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.

Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more

Onboarding flow
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
• Hotspot: immediate, uncredentialed Internet access (Guest: Internet)
• Simple self-registration (Guest: Internet)
• Role-based access with employee sponsorship (Guest + Sponsor: Internet and Network)
Guest Lifecycle Management: Hotspot

Feature Highlight
Immediate un-credentialed access with Hotspot; guest access made easy.

Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (example secret code: chemist)

Flow
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Guest Lifecycle Management: Self Registration

Feature Highlight
Simple and flexible guest self-registration: a flexible, efficient and scalable solution that fits all your needs.

Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals

Flow
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Endpoint Compliance: rest assured that ISE is keeping track
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Checks shown: OS patches, AV installed, Registered, Custom criteria, Vulnerable
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network

Flow
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV, AS, personal firewall, more…
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)

Capabilities
• Multiple agents (AnyConnect and dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
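The posture flow and the three posture modes listed above, worked as an added example that is not Cisco's or ISE's code: requirements are evaluated in Mandatory, Optional or Audit mode, the resulting status selects the quarantine or permit authorization, and a periodic reassessment after remediation moves the endpoint to Compliant. Requirement names, check results and authorization profiles are constructed.

```python
"""Added example (not Cisco's or ISE's code): a model of the posture step shown
above.  Each requirement is evaluated in one of the three posture modes the
slide lists: Mandatory (a failure makes the endpoint Non-Compliant), Optional
(a failure is reported and may be remediated but does not block compliance)
and Audit (the result is only recorded).  The posture status then selects the
authorization (dACL/SGT).  Requirement names, check results and authorization
profiles are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MANDATORY = "mandatory"
    OPTIONAL = "optional"
    AUDIT = "audit"


@dataclass(frozen=True)
class Requirement:
    name: str
    mode: Mode
    remediable: bool      # an automatic remediation action exists


# Constructed posture policy covering the slide's OS/hotfix/AV/firewall checks.
POSTURE_POLICY = [
    Requirement("AV installed and up to date", Mode.MANDATORY, remediable=True),
    Requirement("Critical OS hotfixes present", Mode.MANDATORY, remediable=True),
    Requirement("Personal firewall enabled", Mode.OPTIONAL, remediable=True),
    Requirement("Disk encryption enabled", Mode.AUDIT, remediable=False),
]

# Authorization chosen from the posture status, as in the slide's flow:
# Unknown and Non-Compliant land in quarantine, Compliant gets full access.
AUTHZ_BY_POSTURE = {
    "Compliant": {"dACL": "PERMIT_ALL", "SGT": "Employee"},
    "NonCompliant": {"dACL": "REMEDIATION_ONLY", "SGT": "Quarantine"},
    "Unknown": {"dACL": "REMEDIATION_ONLY", "SGT": "Quarantine"},
}


def assess(results: dict, policy=POSTURE_POLICY) -> dict:
    """Combine per-requirement results (name -> passed) into a posture status.

    No results at all means the agent has not reported: status Unknown.  A
    requirement missing from a report counts as failed, because an
    unverifiable mandatory control must not grant access."""
    if not results:
        return {"status": "Unknown", "failed_mandatory": [], "failed_optional": [],
                "audit_findings": [], "remediations": [],
                "authorization": AUTHZ_BY_POSTURE["Unknown"]}
    failed_mandatory, failed_optional, audit_findings, remediations = [], [], [], []
    for req in policy:
        if results.get(req.name, False):
            continue
        if req.mode is Mode.MANDATORY:
            failed_mandatory.append(req.name)
        elif req.mode is Mode.OPTIONAL:
            failed_optional.append(req.name)
        else:
            audit_findings.append(req.name)
        if req.remediable and req.mode is not Mode.AUDIT:
            remediations.append(req.name)
    status = "NonCompliant" if failed_mandatory else "Compliant"
    return {"status": status, "failed_mandatory": failed_mandatory,
            "failed_optional": failed_optional, "audit_findings": audit_findings,
            "remediations": remediations, "authorization": AUTHZ_BY_POSTURE[status]}


def periodic_reassess(initial: dict, remediated: set) -> dict:
    """Model the slide's 'remediate, then Posture = Compliant' step: re-run the
    assessment with the remediated requirements now passing."""
    updated = dict(initial)
    for name in remediated:
        updated[name] = True
    return assess(updated)


if __name__ == "__main__":
    laptop = {"AV installed and up to date": True, "Critical OS hotfixes present": False,
              "Personal firewall enabled": False, "Disk encryption enabled": False}
    first = assess(laptop)
    print(first["status"], first["authorization"]["SGT"])   # NonCompliant Quarantine
    after = periodic_reassess(laptop, set(first["remediations"]))
    print(after["status"], after["authorization"]["SGT"])   # Compliant Employee
```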
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights:
• File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check: user agent check, user-based process check
• Disk Encryption Check: checks can be based on installation location and disk encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks (Posture Enhancements): OS X file checks, similar to the registry check on Windows. Requires ISE 2.0 and AnyConnect 4.2.
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library used for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Windows ISE Posture – Disk Encryption
Windows ISE Posture – Native Patch Management via OPSWAT
ISE Posture – Patch Management, Windows OS example: product name and version. "Install" is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date". The table also lists the minimum version of the compliance module that provides support.
ISE Posture – Patch Management, Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)

Flow
1. Register with ISE
2. Allow Internet access
3. Register with MDM
4. Allow corporate access
Streamline management using a single workspace, with TrustSec's new user interface

Feature Highlight
The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules.
Intuitive work center and access policy matrix.

Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports

TrustSec Work Center access policy matrix: source SGTs (Guest, Contractor, Employee, Infected) against destination SGTs (Internet, Contractor Resources, HR Server, Employee Resources, Remediation); each cell is either Permit IP or Deny IP.
High OPEX Security Policy Maintenance
Traditional ACL / firewall rule: source objects and destination objects
Sources: NY, SF, LA, SJC (subnets listed for NY: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object means more lines; the complex task and high OPEX continue. A global bank currently dedicates 24 global resources to managing firewall rules.
Low OPEX Security Policy Maintenance
Security Group filtering (source SGTs: Employee (10), BYOD (200); destination SGTs: Production_Servers (50), VDI (201)):
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Sources: NY, SF, LA, SJC (Employee and BYOD); destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI) as VDI Servers
Policy stays with users and servers regardless of location or topology. Simpler auditing process (low OPEX cost) and simpler security operation (resource optimization): e.g. the bank now estimates 6 global resources. Clear ROI in OPEX.
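The policy-size argument of the two slides above (the per-object ACL versus the SGT policy matrix), worked as an added example that is not Cisco's or ISE's code: the same intent is expanded into traditional ACL lines and compared with the row count of the Security Group policy when a site is added. Sites, subnets, server addresses and service ports are constructed to follow the slides' example, and the matrix lookup is a simplified model.

```python
"""Added example (not Cisco's or ISE's code) working the policy-size argument
of the two slides above: a traditional ACL enumerates every source subnet,
destination server and service and grows whenever a site is added, while a
Security Group policy is keyed by (source SGT, destination SGT) and does not.
Sites, subnets, server addresses and service ports are constructed to follow
the slides' example; the matrix lookup is a simplified model."""
from itertools import product

# Constructed inventory: sites with their subnets, servers with address and SGT.
SITES = {"NY": ["10.2.34.0/24", "10.2.35.0/24"], "SF": ["10.3.102.0/24"],
         "LA": ["10.3.152.0/24"], "SJC": ["10.4.111.0/24"]}
ROLE_OF_SITE = {site: "Employee" for site in SITES}   # users at every site
SERVERS = {"SRV1": ("10.10.0.11", "Production_Servers"),
           "SAP1": ("10.10.0.12", "Production_Servers"),
           "SCM2": ("10.20.0.13", "Production_Servers"),
           "VDI": ("10.20.0.50", "VDI")}
SERVICES = {"HTTPS": ("tcp", 443), "SQL": ("tcp", 1433),
            "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}
SGT_NUMBERS = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# The Security Group policy of the slide: (src SGT, dst SGT, service, action).
SGT_POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", "any", "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]


def sgt_decision(src_sgt: str, dst_sgt: str, service: str) -> str:
    """Enforcement-time matrix lookup: the first matching row wins; a pair
    with no matching row is denied (default deny)."""
    for src, dst, svc, action in SGT_POLICY:
        if src == src_sgt and dst == dst_sgt and svc in ("any", service):
            return action
    return "deny"


def traditional_acl(sites: dict, role_of_site: dict) -> list:
    """Expand the same intent into per-subnet, per-server, per-port lines,
    which is what a firewall without tags must carry (simplified syntax)."""
    lines = []
    for site, subnets in sites.items():
        role = role_of_site[site]
        for subnet, (server, (addr, dst_role)) in product(subnets, SERVERS.items()):
            for src, dst, svc, action in SGT_POLICY:
                if src != role or dst != dst_role:
                    continue
                names = list(SERVICES) if svc == "any" else [svc]
                for name in names:
                    proto, port = SERVICES[name]
                    lines.append(f"{action} {proto} {subnet} host {addr} eq {port}"
                                 f"  ! {site} -> {server} {name}")
    return lines


def policy_sizes(sites: dict, role_of_site: dict) -> tuple:
    """(traditional ACL line count, SGT policy row count) for an inventory."""
    return len(traditional_acl(sites, role_of_site)), len(SGT_POLICY)


def add_site(sites: dict, role_of_site: dict, name: str, subnets: list, role: str):
    """Return copies of the inventory with one more site (the slide's 'adding a
    source object'), leaving the originals untouched."""
    return dict(sites, **{name: subnets}), dict(role_of_site, **{name: role})


if __name__ == "__main__":
    print(policy_sizes(SITES, ROLE_OF_SITE))                    # (50, 6)
    sites2, roles2 = add_site(SITES, ROLE_OF_SITE, "DEN",
                              ["10.5.1.0/24", "10.5.2.0/24", "10.5.3.0/24"], "Employee")
    print(policy_sizes(sites2, roles2))                         # (80, 6)
    print(sgt_decision("BYOD", "Production_Servers", "HTTPS"))  # deny
```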
Policy and Segmentation
Traditional VLAN segmentation: Voice, Data, Suppliers, Guest and Quarantine VLANs at the access layer; VLAN, addressing, DHCP scope, redundancy, routing and static filtering at the aggregation layer.
Simple segmentation uses 2 VLANs; more policies require more VLANs. The design needs to be replicated for floors, buildings, offices and other facilities, so the cost could be extremely high.
Segmentation with Security Groups
Voice, Data, Suppliers, Guest and Quarantine traffic keeps the initial VLAN/subnet design at the access layer and carries a tag (Data Tag, Supplier Tag, Guest Tag, Quarantine Tag) through the aggregation layer and the data center firewall.
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
Enforce business role policies for all network services and decisions
Give the right people on the right devices the right access to the right resources with TrustSec
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Example: resources are the Internet, Confidential Patient Records and the Internal Employee Intranet; the requesters are
• Who: Guest, What: iPad, Where: Office
• Who: Receptionist, What: iPad, Where: Office
• Who: Doctor, What: Laptop, Where: Office
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
(slide background: several dozen hand-written "access-list 102" permit/deny entries, omitted)
Traditional Security Policy vs. TrustSec Security Policy
With TrustSec:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Flexible and Scalable Policy Enforcement across the Network Fabric (Switch, Router, DC FW, DC Switch, Wireless)
Software-defined segmentation
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE context (Who, What, Where, When, How) across the attack continuum (Before, During, After), alongside: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE pxGrid controller (Who, What, Where, When, How); Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Participants: ISE (pxGrid controller), Cisco Network, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: Identity Services Engine and WSA deciding access for Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office; resources: Confidential Patient Records, Employee Intranet
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Diagram: Security Admin Team and Network Admin Team, each with a TACACS+ Work Center; TACACS+ Device Administration support for ISE 2.0
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different Policy Sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 12
Building Your MAB Database: Profiling Tools Are Evolving
ISE probes gather information: SNMP Probe, DHCP Probe, HTTP Probe, DNS Probe
Profile conditions, example from probe-gathered information:
MAC OUI = Lexmark + DHCP Class ID contains E260dn = PROFILED: it's a Lexmark E260n printer
Slide 13
Building Your MAB Database: Profiling Tools Are Evolving
Just one type of probe: the RADIUS probe. The switch Device Sensor (IOS 15.0(1)SE1) / Device Classifier collects CDP, LLDP, DHCP and MAC information and sends it to ISE 1.1 over RADIUS.
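How the slide's profiling condition (MAC OUI = Lexmark, DHCP class identifier contains E260dn) is evaluated over attributes that several probes have gathered for one MAC, as an added example that is not code from the Cisco deck. The OUI table, probe records, attribute names and profile definitions are constructed sample data, and the parent/child profile resolution is my simplification of ISE's profiler.

```python
from collections import defaultdict

# Constructed OUI table (first three octets -> vendor); a real profiler loads
# the IEEE registry.
OUI_VENDORS = {"00:04:00": "Lexmark", "00:1B:63": "Apple", "00:1A:A0": "Dell"}


def mac_oui(mac):
    """Vendor of a MAC's organisationally unique identifier, or 'Unknown'."""
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


def merge_probe_data(records):
    """Fold per-probe records (mac, probe name, attribute dict) into one
    attribute dictionary per endpoint, the way an endpoint record is built
    from what the SNMP/DHCP/HTTP/DNS/RADIUS probes report. A later record for
    the same attribute overwrites an earlier one; the OUI vendor is derived."""
    endpoints = defaultdict(dict)
    for mac, probe, attrs in records:
        ep = endpoints[mac.upper()]
        ep.update(attrs)
        ep.setdefault("probes", set()).add(probe)
        ep["OUI"] = mac_oui(mac)
    return dict(endpoints)


def condition_holds(attrs, attribute, operator, value):
    """One profiling condition: <attribute> EQUALS / CONTAINS <value>."""
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "EQUALS":
        return actual == value
    if operator == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator {operator}")


# Constructed profile policies: (name, parent, conditions that must all hold).
# The Lexmark pair reproduces the slide's example; the Apple pair shows the
# same parent/child shape with a DHCP host-name condition.
PROFILES = [
    ("Lexmark-Device", None, [("OUI", "EQUALS", "Lexmark")]),
    ("Lexmark-E260n-Printer", "Lexmark-Device",
     [("OUI", "EQUALS", "Lexmark"), ("dhcp-class-identifier", "CONTAINS", "E260dn")]),
    ("Apple-Device", None, [("OUI", "EQUALS", "Apple")]),
    ("Apple-iPad", "Apple-Device",
     [("OUI", "EQUALS", "Apple"), ("host-name", "CONTAINS", "iPad")]),
]


def profile_endpoint(attrs, profiles=PROFILES):
    """Return the most specific matching profile: among all profiles whose
    conditions hold, drop any that is the parent of another match.
    'Unknown' when nothing matches."""
    matched = {name for name, _parent, conds in profiles
               if all(condition_holds(attrs, *c) for c in conds)}
    parents = {parent for name, parent, _conds in profiles
               if name in matched and parent in matched}
    leaves = matched - parents
    return min(leaves) if leaves else "Unknown"


# Constructed probe records: the printer is first seen by the RADIUS probe
# (MAB request, MAC only) and later by the DHCP probe.
SAMPLE_RECORDS = [
    ("00:04:00:aa:bb:cc", "RADIUS", {"calling-station-id": "00-04-00-AA-BB-CC"}),
    ("00:04:00:aa:bb:cc", "DHCP", {"dhcp-class-identifier": "Lexmark E260dn"}),
    ("00:1b:63:11:22:33", "DHCP", {"host-name": "Alices-iPad"}),
    ("00:1a:a0:44:55:66", "SNMP", {"cdpCachePlatform": "Unknown platform"}),
]


def profile_all(records=SAMPLE_RECORDS):
    """Merge the probe data and profile every endpoint: {mac: profile}."""
    return {mac: profile_endpoint(attrs)
            for mac, attrs in merge_probe_data(records).items()}


if __name__ == "__main__":
    for mac, profile in profile_all().items():
        print(f"{mac}  ->  {profile}")
```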
Slide 14
DoD CAC capable for administration too: TACACS CLI CAC login and Admin UI login (Sponsor Portal login coming soon)
Slide 15
Aruba with ISE Configuration Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Works with any RADIUS-compliant device
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Slide 16
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Slide 17
Centralized Control
Deeper Visibility
Superior Protection
Slide 18
Make fully informed decisions with rich contextual awareness
Poor context awareness: IP Address 192168151; Who: Unknown; What: Unknown; Where: Unknown; When: Unknown. Result: any user, any device, anywhere gets on the network.
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access.
Slide 19
Better Visibility: revamped the Endpoints Identity page (clicking filters below)
Slide 20
New TrustSec Dashboard & Work Center
Slide 21
Improved Matrix: color coded + condensed
Slide 22
Improved Matrix: color coded + condensed (continued)
Slide 23
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Example: a Doctor's access to patient data by location: Lobby: no access to patient data; Patient room: access to patient data; Lab: no access to patient data; ER: access to patient data. Patient data access locations: Patient room, ER, Lab, Lobby.
Slide 24
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE ("I have location data": Campus / Building / Floor / Zone)
Slide 25
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• Endpoint movement: ISE can be configured to track the movement of the endpoint after authentication using its MAC. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check, to verify whether the location has changed.
• If there is no location change, do nothing. If a new location was received, update the collection with the new information and invoke CoA on the session.
• +150 TPS (transactions per second)
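A small model of the tracking loop described above, as an added example (not code from the Cisco deck or from ISE): poll MSE for the endpoint's location once the interval is due, do nothing on no change, and update the session and invoke CoA on a change, after which the session is re-authorized against the location rules. The session records, the MSE answer table, the rule names and the "Campus/Building/Floor/Zone" path format with a "/" separator are assumptions; the "/*" wildcard is my extension, not an ISE operator.

```python
from dataclasses import dataclass

POLL_INTERVAL_S = 300   # slide: "about every 5 minutes or so"
MSE_TPS_BUDGET = 150    # slide: 150 transactions per second


@dataclass
class Session:
    mac: str
    user: str
    location: str             # last MSE location, Campus/Building/Floor/Zone (assumed format)
    authz_profile: str
    last_check: float = 0.0   # epoch seconds of the last MSE query
    coa_count: int = 0


def mse_lookup(mac, mse_table):
    """Stand-in for the MSE API call: current location of a MAC, or None when
    MSE has no fix for it."""
    return mse_table.get(mac.upper())


def location_matches(location, condition):
    """'MSE:Location Equals <path>' is an exact match. A trailing '/*' (my
    extension) matches everything under that node, so a campus- or
    floor-level rule covers all zones below it."""
    if condition.endswith("/*"):
        return location.startswith(condition[:-2] + "/")
    return location == condition


# Constructed authorization rules, first match wins; the first rule is the
# slide's example. (rule name, MSE:Location condition, authorization profile)
AUTHZ_RULES = [
    ("SecureZone_Access", "LND_Campus1/Building1/Floor2/SecureZone", "PermitAccess_Secure"),
    ("Campus1_Access", "LND_Campus1/*", "PermitAccess_Standard"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(location, rules=AUTHZ_RULES):
    """Authorization result for a session whose access request carries the
    given MSE location attribute."""
    for _name, condition, profile in rules:
        if location_matches(location, condition):
            return profile
    return DEFAULT_PROFILE


def track_movement(session, now, mse_table):
    """One pass of the tracking loop: skip until the poll is due, query MSE by
    MAC, do nothing when the location is unchanged (or unknown), otherwise
    update the session's collection and invoke CoA so the session is
    re-authorized against the new location. Returns the action taken."""
    if now - session.last_check < POLL_INTERVAL_S:
        return "not-due"
    session.last_check = now
    new_location = mse_lookup(session.mac, mse_table)
    if new_location is None or new_location == session.location:
        return "unchanged"
    session.location = new_location
    session.coa_count += 1
    session.authz_profile = authorize(new_location)   # outcome of the CoA re-auth
    return "coa"


def fleet_cycle_seconds(tracked_sessions, tps=MSE_TPS_BUDGET):
    """Seconds between two checks of one endpoint when every tracked session
    is polled within the TPS budget: never below the 5-minute interval, longer
    once the fleet needs more than 150 lookups per second to keep up. This
    reading of 'based on TPS of 150' is an assumption."""
    return max(POLL_INTERVAL_S, -(-tracked_sessions // tps))   # ceiling division


if __name__ == "__main__":
    # Constructed walk-through: Bob's tablet leaves the secure zone.
    mse = {"00:11:22:33:44:55": "LND_Campus1/Building1/Floor2/SecureZone"}
    s = Session("00:11:22:33:44:55", "bob", mse["00:11:22:33:44:55"], "PermitAccess_Secure")
    print(track_movement(s, 300, mse))                     # unchanged
    mse[s.mac] = "LND_Campus1/Building1/Floor1/Lobby"
    print(track_movement(s, 600, mse), s.authz_profile)    # coa PermitAccess_Standard
```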
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram: Wired, Wireless, VPN; Branch, Headquarters, Remote User; Enterprise Mobility; Admin, Partner, Contractor, Guest
Slide 28
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Diagram: Employee, IT Staff, Device Profiling; resources: Internal Employee Intranet, www, Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable an easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device; simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.
Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Flow
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest -> Internet)
• Self-registration: simple self-registration (Guest -> Internet)
• Sponsored: role-based access with employee sponsorship (Guest/Sponsor -> Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate uncredentialed access with Hotspot. Guest access made easy.
Flow
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day the user is kicked off the network (Day Ends)
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal screenshot: Secret code: chemist)
Slide 32
Guest Lifecycle Management: Self-Registration
Feature Highlight: simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
Flow
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom criteria, Vulnerable
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment. Enforce endpoint compliance prior to allowing access to the network.
Flow
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV/AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc…
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc…)
Capabilities
• Multiple agents (AnyConnect and a dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and descriptions:
• File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check: user agent check, user-based process check
• Disk Encryption Check: checks can be based on installation location and disk encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks (Posture Enhancements): OS X, similar to the registry check on Windows. ISE 2.0 with AnyConnect 4.2.
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state
Slide 39
Windows ISE Posture - Disk Encryption
Slide 40
Windows ISE Posture - Native Patch Management via OPSWAT
Slide 41
ISE Posture - Patch Management: Windows OS example (product name and version)
Install is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"
Minimum version of the compliance module that provides support
Slide 42
ISE Posture - Patch Management: Mac OS example
Slide 43
Patch Management Remediation
• Remediation type - same as AV and AS remediation
• Operating system - only Windows is supported
• Vendor name - the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
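The posture flow of the Posture Assessment slide combined with the ISE 2.0 check types from the slides that follow it (file check with SHA-256, OS X daemon check, disk encryption installation/state, OPSWAT patch management with Install / Enabled / Up-to-date) and the Mandatory / Optional / Audit requirement modes, as an added example that is not code from the Cisco deck or the AnyConnect posture module. Requirement names, file paths, product names, the inventory layout and the hash placeholder are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Requirement:
    name: str
    check: str          # key into CHECKS
    mode: str           # "mandatory" | "optional" | "audit"
    remediation: str    # what the agent runs or launches when the check fails
    params: dict = field(default_factory=dict)


def check_file(ep, p):
    """File check: the file exists and, when a hash is given, its SHA-256 matches."""
    digest = ep.get("files", {}).get(p["path"])
    return digest is not None and p.get("sha256") in (None, digest)


def check_daemon(ep, p):
    """OS X daemon / user-agent check: the named background process is running."""
    return p["name"] in ep.get("daemons", set())


def check_disk_encryption(ep, p):
    """Installed disk-encryption product, optionally also requiring the
    'encrypted' state (the two bases the Disk Encryption slide lists)."""
    de = ep.get("disk_encryption")
    if de is None or de["product"] != p["product"]:
        return False
    return not p.get("require_encrypted") or de["state"] == "encrypted"


def check_patch_mgmt(ep, p):
    """Patch management check: 'install' is the default; 'enabled' and
    'up_to_date' are the optional stricter checks."""
    pm = ep.get("patch_mgmt")
    if pm is None or pm["product"] != p["product"]:
        return False
    status = p.get("status", "install")
    if status == "enabled":
        return pm["enabled"]
    if status == "up_to_date":
        return pm["enabled"] and pm["missing_patches"] == 0
    return True


CHECKS = {"file": check_file, "daemon": check_daemon,
          "disk_encryption": check_disk_encryption, "patch": check_patch_mgmt}


def assess(ep, requirements):
    """Evaluate every requirement and apply its mode: a failed mandatory one
    makes the endpoint NonCompliant and queues its remediation; a failed
    optional one only queues the remediation; a failed audit one is recorded.
    Returns (posture status, remediations to run, audit findings)."""
    status, remediations, findings = "Compliant", [], []
    for r in requirements:
        if CHECKS[r.check](ep, r.params):
            continue
        if r.mode == "mandatory":
            status = "NonCompliant"
            remediations.append(r.remediation)
        elif r.mode == "optional":
            remediations.append(r.remediation)
        else:
            findings.append(r.name)
    return status, remediations, findings


def authorize(posture_status):
    """Slide flow: Unknown or NonCompliant lands in the quarantine
    authorization (dACL/dVLAN/SGT); Compliant gets permit access."""
    return "PermitAccess" if posture_status == "Compliant" else "Quarantine"


# Constructed requirement set for a Mac endpoint (names and paths are made up).
REQUIREMENTS = [
    Requirement("Corp-Agent-Config", "file", "mandatory", "reinstall-agent",
                {"path": "/Library/Preferences/com.example.agent.plist",
                 "sha256": "CONSTRUCTED-SHA256-PLACEHOLDER"}),
    Requirement("Corp-Agent-Daemon", "daemon", "mandatory", "launch-agent",
                {"name": "com.example.agentd"}),
    Requirement("Disk-Encrypted", "disk_encryption", "mandatory", "enable-encryption",
                {"product": "ExampleCrypt", "require_encrypted": True}),
    Requirement("Patches-Current", "patch", "optional", "install-missing-patches",
                {"product": "ExamplePatch", "status": "up_to_date"}),
    Requirement("Inventory-Tool", "file", "audit", "none",
                {"path": "/usr/local/bin/inventory"}),
]

# Constructed endpoint inventories, as a posture agent would report them.
LAPTOP_OK = {
    "files": {"/Library/Preferences/com.example.agent.plist": "CONSTRUCTED-SHA256-PLACEHOLDER"},
    "daemons": {"com.example.agentd"},
    "disk_encryption": {"product": "ExampleCrypt", "state": "encrypted"},
    "patch_mgmt": {"product": "ExamplePatch", "enabled": True, "missing_patches": 2},
}
LAPTOP_UNENCRYPTED = {**LAPTOP_OK,
                      "disk_encryption": {"product": "ExampleCrypt", "state": "decrypted"}}

if __name__ == "__main__":
    for name, ep in (("ok", LAPTOP_OK), ("unencrypted", LAPTOP_UNENCRYPTED)):
        status, rem, findings = assess(ep, REQUIREMENTS)
        print(name, status, authorize(status), rem, findings)
```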
Slide 44
Endpoint Compliance: Mobile Device Management integration. Posture compliance assessment for mobile devices.
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the MyDevices portal (device stolen, wipe corporate data)
Flow: 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
Slide 45
TrustSec Work Center: streamline management using a single workspace. Intuitive work center and access policy matrix, with TrustSec's new user interface.
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules.
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Access policy matrix: source SGT rows Guest, Contractor, Employee, Infected; destination SGT columns Internet, Contractor Resources, Employee Resources, HR Server, Remediation; each cell is Permit IP or Deny IP (10 of each)
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source -> Destination
Sources: NY, SF, LA, SJC (subnets 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …)
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object: the complex task and high OPEX continue.
A global bank currently dedicates 24 global resources to manage firewall rules.
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Security group filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Figure: the same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI), now classified by source SGT (Employee = 10, BYOD = 200) and destination SGT (Production_Servers = 50, VDI = 201).
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost) and simpler security operation (resource optimization): the bank now estimates 6 global resources instead of 24.
Clear ROI in OPEX.
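The security-group filtering above, modelled as an added example (not code from the slides or from Cisco): the six role rules are evaluated for individual flows, and then expanded into the IP ACL a traditional firewall would need for the same intent. The tag names and numbers are the slide's; the subnets, host addresses, port numbers and the "deny" default for unmatched cells are constructed assumptions.

```python
"""Added example (not Cisco's code): a minimal model of TrustSec security-group
filtering. Tag names and numbers come from the slide; subnets, host addresses
and port numbers are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Security group tags named on the slide.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# The six security-group rules from the slide as (src tag, dst tag, dst port, action).
# A port of None means any service.
SGACL = [
    ("Employee", "Production_Servers", 443,  "permit"),  # HTTPS
    ("Employee", "Production_Servers", 1433, "deny"),    # SQL
    ("Employee", "Production_Servers", 22,   "deny"),    # SSH
    ("Employee", "VDI",                3389, "permit"),  # RDP
    ("BYOD",     "Production_Servers", None, "deny"),
    ("BYOD",     "VDI",                3389, "permit"),
]

# Classification tables (constructed). In ISE the user tag is assigned at
# authentication and server tags come from IP-to-SGT mappings; the point is
# that topology lives here, not in the policy.
SRC_SUBNETS = {
    "Employee": [ip_network("10.23.40.0/24"), ip_network("10.41.11.0/24")],
    "BYOD":     [ip_network("10.99.0.0/16")],
}
DST_HOSTS = {
    "Production_Servers": [ip_address("10.1.1.10"), ip_address("10.1.1.11"),
                           ip_address("10.2.1.20")],
    "VDI":                [ip_address("10.2.1.30")],
}


def classify_src(ip, subnets=SRC_SUBNETS):
    """Return the source SGT name for an address, or None if unclassified."""
    for tag, nets in subnets.items():
        if any(ip in net for net in nets):
            return tag
    return None


def classify_dst(ip, hosts=DST_HOSTS):
    """Return the destination SGT name for an address, or None if unclassified."""
    for tag, addrs in hosts.items():
        if ip in addrs:
            return tag
    return None


def sgacl_lookup(src_tag, dst_tag, dport, default="deny"):
    """First matching rule wins. `default` models the matrix default cell;
    ISE lets you choose it, and deny is the assumption used here."""
    for s, d, port, action in SGACL:
        if s == src_tag and d == dst_tag and port in (None, dport):
            return action
    return default


def evaluate(src_ip, dst_ip, dport):
    """Decide a flow the way an SGACL-enforcing switch or firewall would."""
    src = classify_src(ip_address(src_ip))
    dst = classify_dst(ip_address(dst_ip))
    if src is None or dst is None:
        return "deny"  # unclassified traffic falls outside the role policy
    return sgacl_lookup(src, dst, dport)


def expand_to_ip_acl(subnets=SRC_SUBNETS, hosts=DST_HOSTS):
    """Expand the six role rules into the IP ACL a traditional firewall would
    need: one line per (source prefix, destination host, service)."""
    lines = []
    for s, d, port, action in SGACL:
        svc = "" if port is None else f" eq {port}"
        for net in subnets[s]:
            for host in hosts[d]:
                lines.append(f"{action} ip {net} host {host}{svc}")
    return lines


if __name__ == "__main__":
    for flow in [("10.23.40.7", "10.1.1.10", 443), ("10.23.40.7", "10.1.1.10", 1433),
                 ("10.99.5.5", "10.1.1.10", 443), ("10.99.5.5", "10.2.1.30", 3389)]:
        print(flow, "->", evaluate(*flow))
    print(len(SGACL), "SGT rules expand to", len(expand_to_ip_acl()), "IP ACL lines")
```

Adding a site is a change to the classification table only: the IP ACL grows with every new prefix while the six role rules stay as they are, which is the OPEX argument of the slide in miniature.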
Policy and segmentation
Figure: access layer and aggregation layer carrying separate VLANs for Voice, Data, Suppliers, Guest and Quarantine.
Every VLAN brings addressing, a DHCP scope, redundancy, routing and static filtering with it.
Simple segmentation needs 2 VLANs; more policies mean more VLANs.
The design has to be replicated for floors, buildings, offices and other facilities, so the cost can be extremely high.
Segmentation with security groups
Figure: data center firewall, aggregation layer and access layer with the same Voice, Data, Suppliers, Guest and Quarantine roles, retaining the initial VLAN/subnet design.
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers: Data tag, Supplier tag, Guest tag, Quarantine tag.
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles.
Implement granular control on traffic, users and assets.
Give the right people on the right devices the right access to the right resources with TrustSec.
Figure: three endpoints (Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office) and three resources (Internet, Confidential Patient Records, Internal Employee Intranet).
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
Traditional Security Policy (figure): a long access-list 102 of dozens of permit and deny entries, each keyed on literal IP addresses, wildcard masks and port operators, with no statement of intent readable from it.
TrustSec Security Policy, with TrustSec:
Security control automation
Simplified access management
Improved security efficacy
Flexible and scalable policy enforcement across the network fabric: switch, router, wireless, DC firewall, DC switch
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
ISE is the cornerstone of your Cisco solutions
Figure: ISE supplies Who / What / When / Where / How context before, during and after an attack to NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.
And easily integrates with partner solutions
Figure: the ISE pxGrid controller shares Who / What / When / Where / How context with Cisco Meraki and with partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management.
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Figure: ISE as pxGrid controller between the Cisco network and the Cisco and partner ecosystem, exchanging When / Where / Who / How / What context.
1. ISE collects contextual data from the network.
2. Context is shared via pxGrid technology.
3. Partners use the context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: Enhance web access policy with user and device awareness. Cisco WSA integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits
• Integrate with Cisco WSA to control who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access web resources.
Figure: Identity Services Engine and WSA mediating access to Confidential Patient Records and the Employee Intranet for Doctor/Laptop/Office, Doctor/iPad/Office and Guest/iPad/Office.
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: Automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE over pxGrid; the endpoint's Security Group Tag (SGT) is changed to Suspicious.
4. Based on the new tag, ISE automatically enforces policy on the network: the device is contained for remediation or mitigation, and access is denied per security policy.
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate source"
• Mitigation actions
  - Quarantine
  - Un-Quarantine
  - Port Bounce
  - Port Shutdown
  - Session Re-Authenticate
  - Session Terminate
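What those mitigation actions become on the wire, as an added example that is not code from the slides or from Cisco: ISE carries them to the switch as RADIUS Change-of-Authorization messages (RFC 5176), a CoA-Request with a Cisco AV-pair for the reauthenticate, bounce and shutdown cases and a Disconnect-Request for Session Terminate. The MAC address, Acct-Session-Id and shared secret are constructed. Two assumptions are labelled in the code: the subscriber:command values are the Cisco IOS AV-pair strings, and Quarantine/Un-Quarantine are sent as a reauthentication so that the new authorization result carries (or removes) the quarantine policy. The parse side is what a network device does before acting on such a message: it verifies both authenticators.

```python
"""Added example, not Cisco's code: the FMC-triggered ISE mitigation actions as
RADIUS CoA-Request / Disconnect-Request messages (RFC 5176). MAC, session id and
shared secret are constructed. Assumptions: the subscriber:command values are the
Cisco IOS AV-pairs for reauthenticate, bounce-host-port and disable-host-port,
and Quarantine/Un-Quarantine ride on a reauthentication."""
import hashlib
import hmac
import os
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40       # RFC 5176 packet codes
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44   # attributes that identify the session
VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

ACTIONS = {
    "Quarantine":              (COA_REQUEST, "subscriber:command=reauthenticate"),
    "Un-Quarantine":           (COA_REQUEST, "subscriber:command=reauthenticate"),
    "Session Re-Authenticate": (COA_REQUEST, "subscriber:command=reauthenticate"),
    "Port Bounce":             (COA_REQUEST, "subscriber:command=bounce-host-port"),
    "Port Shutdown":           (COA_REQUEST, "subscriber:command=disable-host-port"),
    "Session Terminate":       (DISCONNECT_REQUEST, None),
}


def _avp(attr_type, value):
    """Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor 9 / cisco-avpair (1)."""
    inner = _avp(CISCO_AVPAIR, text.encode())
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(action, mac, session_id, secret, identifier=None):
    """Build a signed CoA-Request or Disconnect-Request for one session."""
    code, command = ACTIONS[action]
    attrs = _avp(CALLING_STATION_ID, mac.encode()) + _avp(ACCT_SESSION_ID, session_id.encode())
    if command is not None:
        attrs += _cisco_avpair(command)
    ma_header = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    ident = os.urandom(1)[0] if identifier is None else identifier
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator and its own value zeroed (RFC 5176 section 2.3 / RFC 3579).
    msg_auth = hmac.new(secret, header + bytes(16) + attrs + ma_header + bytes(16),
                        hashlib.md5).digest()
    attrs += ma_header + msg_auth
    # Request Authenticator: MD5(Code+ID+Length + 16 zero octets + Attributes + Secret).
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def parse_packet(packet, secret):
    """Verify both authenticators, as the NAD must, and return
    (code, identifier, {attribute: value}); raise ValueError on any failure."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    req_auth, attrs = packet[4:20], packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != req_auth:
        raise ValueError("bad Request Authenticator")
    parsed, pos, ma_pos = {}, 0, None
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == MESSAGE_AUTHENTICATOR:
            ma_pos = pos + 2
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            parsed.setdefault("cisco-avpair", []).append(value[6:].decode())
        else:
            parsed[attr_type] = value.decode()
        pos += attr_len
    if ma_pos is None:
        raise ValueError("Message-Authenticator missing")
    zeroed = attrs[:ma_pos] + bytes(16) + attrs[ma_pos + 16:]
    expected = hmac.new(secret, packet[:4] + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[ma_pos:ma_pos + 16]):
        raise ValueError("bad Message-Authenticator")
    return code, ident, parsed


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for action in ACTIONS:
        pkt = build_packet(action, "00-11-22-33-44-55", "0000001F", secret)
        code, _, attrs = parse_packet(pkt, secret)
        print(f"{action:24s} code={code} {attrs.get('cisco-avpair')}")
```

Note what the check on the receiving side implies for the deployment: the CoA shared secret and the Message-Authenticator are the only things standing between any host that can reach UDP/1700 on a switch and a port shutdown, so the secret must be per-device and the switch should accept CoA only from the ISE PSN addresses.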
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec software-defined segmentation
Figure: the network divided into Admin, Enterprise, POS, Vendor, Employee and Dev zones.
TACACS+ Device Administration
Role-based access control: simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access-Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for the full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Figure: TACACS+ Device Administration support for ISE 2.0, with separate TACACS+ work centers for the security admin team and the network admin team.
The Device Admin service is not enabled by default.
Some Device Admin Best Practices
• Different policy sets for IOS than for Airespace OS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups) to do this.
Use policy sets based on device type: Cisco IOS switches, Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Building Your MAB Database: profiling tools are evolving
Figure: ISE with the RADIUS probe (just one type of probe) collecting CDP, LLDP, DHCP and MAC attributes from the switches; Device Sensor (IOS 15.0(1)SE1) and the ISE 1.1 Device Classifier.
TACACS+ CLI CAC login
DoD CAC capable for administration too: Admin UI login (sponsor portal login coming soon)
Aruba with ISE configuration guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Works with any RADIUS-compliant device
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness
Make fully informed decisions with rich contextual awareness.
Poor context awareness: Who: IP address 192.168.1.51; What: Unknown; Where: Unknown; When: Unknown; How: Unknown. Result: any user, any device, anywhere gets on the network.
Extensive context: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access.
Better visibility: revamped Endpoints identity page (click the filters below)
New TrustSec Dashboard & Work Center
Improved matrix: color-coded and condensed
Improved matrix: color-coded and condensed
Enhance control with location-based authorization
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits
Enhanced policy enforcement with automated location checks and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request for use in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Figure: a doctor moving through Lobby (no access to patient data), Patient room (access to patient data), Lab (no access to patient data) and ER (access to patient data); the patient data access locations are Patient room and ER.
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE; MSE supplies location data as Campus / Building / Floor / Zone
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE:Location Equals LND_Campus1 > Building1 > Floor2 > SecureZone.
• Throughput toward MSE is about 150 TPS (transactions per second).
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, keyed by its MAC address. ISE queries the endpoint's location about every 5 minutes (a figure that follows from the 150 TPS budget) after the last check to verify whether the location has changed. If there is no location change, nothing happens. If a new location is received, ISE updates the collection with the new information and invokes CoA on the session.
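The mechanism above, modelled as an added example (not code from the slides or from Cisco): the hierarchical match behind a rule such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone, the arithmetic that turns a 150 TPS budget into "about every 5 minutes" for a given population of tracked endpoints, and the update-then-CoA decision when a tracked endpoint moves. The "/" separator, rule names, MAC addresses and locations are constructed assumptions; the slide does not state how many endpoints it assumes are tracked.

```python
"""Added example, not Cisco's code: a model of ISE 2.0 location-based
authorization with MSE. The '/' separator, rule names, MACs and locations are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MSE_TPS = 150  # location lookups per second ISE budgets toward MSE (slide figure)


def location_matches(actual: str, required: str) -> bool:
    """Campus/Building/Floor/Zone hierarchy: the endpoint's location must be
    the required node itself or lie beneath it. A parent never satisfies a
    rule written for one of its children."""
    actual_path, required_path = actual.split("/"), required.split("/")
    return actual_path[:len(required_path)] == required_path


def recheck_interval_seconds(tracked_endpoints: int, tps: int = MSE_TPS) -> int:
    """One sweep over every tracked endpoint at `tps` queries per second is how
    long any single endpoint waits between checks (ceiling division)."""
    return max(1, -(-tracked_endpoints // tps))


@dataclass
class Session:
    mac: str
    location: str
    rule: Optional[str]  # authorization rule currently granting access


@dataclass
class LocationTracker:
    rules: Dict[str, str]  # rule name -> required location, in evaluation order
    sessions: Dict[str, Session] = field(default_factory=dict)
    coa_log: List[Tuple[str, str]] = field(default_factory=list)

    def _match(self, location: str) -> Optional[str]:
        for name, required in self.rules.items():
            if location_matches(location, required):
                return name
        return None

    def authorize(self, mac: str, location: str) -> Optional[str]:
        """Initial authorization with the MSE location attached to the request."""
        rule = self._match(location)
        self.sessions[mac] = Session(mac, location, rule)
        return rule

    def mse_update(self, mac: str, new_location: str) -> str:
        """Periodic MSE check for one tracked endpoint. No change: do nothing.
        New location: update the session and invoke CoA so the session is
        reauthorized under the rule that now applies."""
        session = self.sessions[mac]
        if new_location == session.location:
            return "no-change"
        session.location = new_location
        self.coa_log.append((mac, new_location))  # CoA on the session
        session.rule = self._match(new_location)
        return "coa"


SECURE_ZONE = "LND_Campus1/Building1/Floor2/SecureZone"
RULES = {"doctor-patient-data": SECURE_ZONE, "doctor-basic": "LND_Campus1"}

if __name__ == "__main__":
    tracker = LocationTracker(RULES)
    mac = "00:11:22:33:44:55"
    print(tracker.authorize(mac, SECURE_ZONE + "/Room12"))
    print(tracker.mse_update(mac, SECURE_ZONE + "/Room12"))
    print(tracker.mse_update(mac, "LND_Campus1/Building1/Floor1/Lobby"), tracker.sessions[mac].rule)
    print(recheck_interval_seconds(45000), "seconds between checks for 45000 tracked endpoints")
```

The interval function is the practical caveat of this feature: the re-check period is not a configured constant but a function of how many sessions you track against a fixed MSE query budget, so tracking more endpoints stretches the window in which a device that has walked out of the secure zone still holds its old authorization.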
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network.
Secure access from any location regardless of connection type.
Monitor access activity and compliance of non-corporate assets; take containment actions when needed.
Figure: enterprise mobility across wired, wireless, VPN, branch and headquarters for admins, contractors/guests, partners and remote users.
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Figure: device profiling of an employee device, IT staff, the Internal Employee Intranet (www) and Confidential HR Records.
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device, with a simple configuration flow and onboarding experience.
Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in certificate authority and portal to simplify certificate deployments; also integrates with existing PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control BYOD access:
1. The user tries to connect to the network using a personal device.
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration.
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy.
4. Now that the device has been registered, the user is allowed access to the network.
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot (guest: Internet)
Simple self-registration (guest: Internet)
Role-based access with employee sponsorship (sponsored guest: Internet and network)
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate uncredentialed access with Hotspot. Guest access made easy.
1. The user associates to an open SSID.
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After accepting the Acceptable Use Policy, the user is allowed access to the network (the slide's hotspot flow also asks for a secret code, "chemist").
4. At the end of the day the user is kicked off the network.
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
Guest Lifecycle Management: Self-Registration
Feature Highlight: Simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
1. The guest is redirected to a captive portal for self-registration.
2. After the guest fills in the registration request, ISE sends the credentials via SMS.
3. The guest enters the credentials.
4. The guest is allowed on the network.
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
Figure: ISE checks OS patches, AV installed, registration, custom criteria and vulnerable status; EMM integrations identify the device, check posture, ensure policy compliance and quarantine non-compliant devices (marked X).
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance before allowing access to the network.
Flow:
1. Authenticate: authenticate the user and the endpoint; Posture = Unknown / Non-compliant.
2. Quarantine: dVLAN, dACLs, SGT.
3. Posture assess: OS, hotfix, AV/AS, personal firewall, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant.
6. Authorize: permit access (dACL, dVLAN, SGT, etc.).
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
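The posture flow above as an added example (not code from the slides or from Cisco): an endpoint starts with Posture = Unknown in the quarantine authorization, its facts are assessed against a set of requirements, remediation runs for requirements that have it, and the result selects full access or quarantine. The Mandatory / Optional / Audit semantics follow the slide: only a failed Mandatory requirement makes an endpoint Non-compliant, Optional and Audit failures are recorded only. The requirement names, endpoint facts, hotfix identifier, remediation functions and the file-check path are constructed; the SHA-256 file check stands in for the ISE 2.0 file check described later in the deck.

```python
"""Added example, not Cisco's code: a model of ISE posture assessment with
Mandatory / Optional / Audit requirements, remediation and authorization.
Requirements, endpoint facts, hotfix id and file path are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

# Authorization results for the two outcomes (slide: dVLAN / dACL / SGT).
QUARANTINE = {"dacl": "PERMIT-REMEDIATION-ONLY", "vlan": "QUARANTINE", "sgt": "Quarantine"}
FULL_ACCESS = {"dacl": "PERMIT-ALL", "vlan": "DATA", "sgt": "Employee"}


@dataclass
class Requirement:
    name: str
    mode: str  # "mandatory" | "optional" | "audit"
    check: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None


@dataclass
class Endpoint:
    mac: str
    facts: dict
    posture: str = "Unknown"
    authorization: dict = field(default_factory=lambda: dict(QUARANTINE))
    findings: list = field(default_factory=list)


def file_sha256_check(path: str, expected_hex: str) -> Callable[[dict], bool]:
    """File check by SHA-256 digest: the file must exist with exactly this content."""
    def check(facts):
        data = facts["files"].get(path)
        return data is not None and hashlib.sha256(data).hexdigest() == expected_hex
    return check


def assess(endpoint: Endpoint, requirements) -> str:
    """Posture assess -> remediate -> reassess, then pick the authorization.
    Audit requirements are never remediated and never block access."""
    endpoint.findings.clear()
    non_compliant = False
    for req in requirements:
        ok = req.check(endpoint.facts)
        if not ok and req.remediate is not None and req.mode != "audit":
            req.remediate(endpoint.facts)   # e.g. WSUS, launch app, script
            ok = req.check(endpoint.facts)   # reassess after remediation
        endpoint.findings.append((req.name, req.mode, ok))
        if not ok and req.mode == "mandatory":
            non_compliant = True
    endpoint.posture = "NonCompliant" if non_compliant else "Compliant"
    endpoint.authorization = dict(FULL_ACCESS if endpoint.posture == "Compliant" else QUARANTINE)
    return endpoint.posture


# ---- constructed requirements and sample endpoint ----
AGENT_BLOB = b"constructed agent binary"
AGENT_SHA = hashlib.sha256(AGENT_BLOB).hexdigest()


def install_hotfix(facts):
    facts["hotfixes"].add("KB0000001")  # constructed hotfix id


def start_firewall(facts):
    facts["firewall"] = True


REQUIREMENTS = [
    Requirement("os-hotfix", "mandatory", lambda f: "KB0000001" in f["hotfixes"], install_hotfix),
    Requirement("av-running", "mandatory", lambda f: f["av_running"]),
    Requirement("personal-fw", "optional", lambda f: f["firewall"], start_firewall),
    Requirement("agent-file-sha256", "audit", file_sha256_check("/usr/local/bin/agent", AGENT_SHA)),
    Requirement("disk-encrypted", "mandatory", lambda f: f["disk_encrypted"]),
]


def sample_endpoint(av_running=True, disk_encrypted=True) -> Endpoint:
    """Constructed endpoint facts as an agent would report them."""
    return Endpoint("00:11:22:33:44:55", {
        "hotfixes": set(), "av_running": av_running, "firewall": False,
        "files": {"/usr/local/bin/agent": AGENT_BLOB}, "disk_encrypted": disk_encrypted})


if __name__ == "__main__":
    for ep in (sample_endpoint(), sample_endpoint(av_running=False)):
        print(assess(ep, REQUIREMENTS), ep.authorization["sgt"], ep.findings)
```

The ordering matters for the edge case the slide's flow glosses over: the endpoint keeps the quarantine authorization until assess() has run to completion, so a requirement whose remediation fails leaves the device contained rather than half-admitted.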
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights:
File check enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X daemon check: user agent check, user-based process check
Disk encryption check: checks can be based on installation location and disk encryption state
Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 can check for a user agent as well as for a daemon
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on:
  - Installation of a specified disk encryption application
  - Disk encryption state
Windows ISE Posture ndash Disk Encryption
Slide 40
Windows ISE Posture – Native Patch Management via OPSWAT
Slide 41
ISE Posture – Patch Management: Windows OS Example
Product Name and Version
Install is the default supported check for all products; optionally, "Enabled" or "Up to Date" checks may also be supported
Min. version of the compliance module that provides support
Slide 42
ISE Posture – Patch Management: Mac OS Example
Slide 43
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only is supported
• Vendor Name – the list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Diagram flow: Register with ISE; Allow Internet access; Register with MDM; Allow corporate access
Slide 45
Streamline management using a single workspace: intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Benefits, with TrustSec's new user interface:
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix (figure): rows are the source SGTs Guest, Contractor, Employee and Infected; columns are the destinations Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell holds Permit IP or Deny IP
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: Source / Destination
Sources: NY, SF, LA, SJC (NY subnets as extracted: 1023402410235024 10236024103102024103152024104111024 …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Callouts on the list: adding a destination object; adding a source object
A global bank currently dedicates 24 global resources to managing firewall rules
Complex task, and high OPEX continues
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Sources: NY, SF, LA, SJC (Employee and BYOD users)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI) as VDI Servers
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
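To make the point of these two slides concrete, the added Python below (not Cisco's code) evaluates the same flows under the per-site ACL of the previous slide and under the SGT policy above, and counts how each grows when a site is added. The site subnets and server addresses are constructed placeholders, and the slide's "SAP2" and "SAP" entries are taken as SAP1 and SCM2.

```python
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing for the slide's sites and servers (placeholders,
# not the addressing plan shown on the slide).
SITES: dict[str, IPv4Network] = {
    "NY": ip_network("10.23.40.0/24"), "SF": ip_network("10.23.50.0/24"),
    "LA": ip_network("10.23.60.0/24"), "SJC": ip_network("10.31.2.0/24"),
}
SERVERS: dict[str, IPv4Address] = {
    "SRV1": ip_address("10.41.1.10"), "SAP1": ip_address("10.41.1.20"),
    "SCM2": ip_address("10.41.1.30"), "VDI": ip_address("10.41.2.10"),
}

# TrustSec classification from the slide: the source SGT comes from the user's
# session, the destination SGT from the server's group.
SOURCE_SGT = {"Employee": 10, "BYOD": 200}
DEST_SGT = {"Production_Servers": 50, "VDI": 201}


def build_traditional_acl(sites: list[str]) -> list[tuple[str, str, str, str]]:
    """Per-site ACL as on the 'High OPEX' slide: every site repeats the same three
    production-server entries and gets its own VDI entry (only NY is permitted RDP
    to VDI there). Entries are (action, site, server, service)."""
    acl = []
    for site in sites:
        acl.append(("permit", site, "SRV1", "HTTPS"))
        acl.append(("deny", site, "SAP1", "SQL"))
        acl.append(("deny", site, "SCM2", "SSH"))
    for site in sites:
        acl.append(("permit" if site == "NY" else "deny", site, "VDI", "RDP"))
    return acl


def traditional_decision(acl, src_ip: str, dst_ip: str, service: str) -> str:
    """First-match evaluation keyed on addresses; anything unmatched is denied."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    site = next((s for s, net in SITES.items() if src in net), None)
    server = next((n for n, a in SERVERS.items() if a == dst), None)
    for action, s, srv, svc in acl:
        if s == site and srv == server and svc == service:
            return action
    return "deny"


# SGT policy transcribed from the 'Low OPEX' slide; a service of None means any.
SGT_POLICY = [
    ("permit", "Employee", "Production_Servers", "HTTPS"),
    ("deny", "Employee", "Production_Servers", "SQL"),
    ("deny", "Employee", "Production_Servers", "SSH"),
    ("permit", "Employee", "VDI", "RDP"),
    ("deny", "BYOD", "Production_Servers", None),
    ("permit", "BYOD", "VDI", "RDP"),
]


def sgt_decision(src_sgt: int, dst_sgt: int, service: str) -> str:
    """Matrix lookup on (source SGT, destination SGT): the user's site or address
    plays no part, so a new site needs classification, not new rules."""
    for action, src_name, dst_name, svc in SGT_POLICY:
        if (SOURCE_SGT[src_name], DEST_SGT[dst_name]) != (src_sgt, dst_sgt):
            continue
        if svc is None or svc == service:
            return action
    return "deny"


def rules_after_adding_site(current_sites: list[str], new_site: str) -> tuple[int, int]:
    """Rule counts (traditional ACL, SGT policy) once a site is added."""
    return len(build_traditional_acl(current_sites + [new_site])), len(SGT_POLICY)
```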
Slide 48
Policy and segmentation
VLANs: Voice, Data, Suppliers, Guest, Quarantine
Access Layer / Aggregation Layer
Per VLAN: addressing, DHCP scope, redundancy, routing, static filtering
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Slide 49
Segmentation with Security Groups
Data Center Firewall
Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Diagram resources: Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
Slide 52
Software-defined segmentation with TrustSec
Traditional security policy: the slide shows a long, unreadable list of "access-list 102" permit/deny entries keyed on source and destination IP address, wildcard mask, protocol and port numbers
TrustSec security policy:
• Security control automation
• Simplified access management
• Improved security efficacy
Network fabric (switch, router, DC firewall, DC switch, wireless): flexible and scalable policy enforcement
Slide 53
Centralized Control, Deeper Visibility, Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
Context: Who, What, Where, When, How; BEFORE, DURING, AFTER
Cisco solutions around ISE: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE pxGrid controller; context: Who, What, Where, When, How
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (Who, What, Where, When, How) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Diagram: Identity Services Engine and WSA in front of Confidential Patient Records and the Employee Intranet; users: Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow shown in the diagram:
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
Slide 61
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
Slide 62
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate source"
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
TACACS+ Device Administration support for ISE 2.0
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
Simplified, centralized device administration: increase security and compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Diagram: the Security Admin Team and the Network Admin Team each work in the TACACS+ Work Center
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices, with non-Cisco device integration
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use third-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today"
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives"
- Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 14
TACACS CLI CAC Login
DoD CAC capable for administration too: Admin UI login (Sponsor Portal login coming soon)
Slide 15
Aruba with ISE Configuration Guide
Works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches t tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Slide 16
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Slide 17
Centralized Control, Deeper Visibility, Superior Protection
Slide 18
Make fully informed decisions with rich contextual awareness
Poor context awareness: Who: IP Address 192168151; What: Unknown; Where: Unknown; When: Unknown; How: Unknown. Result: any user, any device, anywhere gets on the network
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access
Slide 19
Better Visibility: revamped the Endpoints Identity page
Clicking filters below
Slide 20
New TrustSec Dashboard & Work Center
Slide 21
Improved Matrix: color-coded + condensed
Slide 22
Improved Matrix: color-coded + condensed
Slide 23
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Diagram: Doctor by location (Lobby, Patient room, Lab, ER): No access to patient data / Access to patient data / No access to patient data / Access to patient data
Patient data access locations (hierarchy list): Patient room, ER, Lab, Lobby
Slide 24
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE
"I have location data": Campus / Building / Floor / Zone
Slide 25
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE Location Equals LND_Campus1Building1Floor2SecureZone
• 150+ TPS (transactions per second)
Endpoint movement: ISE can be configured to track the movement of the endpoint after authentication, using its MAC address. ISE queries the endpoint's location about every 5 minutes or so (based on the 150 TPS budget) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location was received, ISE updates the collection with the new information and invokes CoA on the session.
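An added model (not ISE code) of the location-based authorization on slide 23 and the tracking loop described above: hierarchical location matching, a first-match rule lookup, and the periodic check that does nothing when the location is unchanged and otherwise updates the session, re-authorizes and invokes CoA. The ">" separator, the location names and the rule set are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# MSE reports location as a hierarchy (campus > building > floor > zone).
# The separator is an assumption; the slide's rendering of the value lost it.
SEP = ">"


def location_matches(actual: str, required: str) -> bool:
    """True when `actual` equals `required` or lies below it in the hierarchy."""
    a = [p.strip() for p in actual.split(SEP)]
    r = [p.strip() for p in required.split(SEP)]
    return len(a) >= len(r) and a[: len(r)] == r


@dataclass(frozen=True)
class Rule:
    role: str
    location: str   # required hierarchy prefix ("MSE Location Equals ...")
    profile: str    # authorization profile handed back on a match


# Constructed rule set after slide 23: a doctor gets patient data in the
# patient room and the ER, and a restricted profile anywhere else on campus.
RULES = [
    Rule("Doctor", "Hospital>Main>Floor2>Patient room", "PATIENT_DATA_ACCESS"),
    Rule("Doctor", "Hospital>Main>Floor1>ER", "PATIENT_DATA_ACCESS"),
    Rule("Doctor", "Hospital", "NO_PATIENT_DATA"),
]


def authorize(role: str, location: str, rules: list[Rule] = RULES) -> str:
    """First matching rule wins; no match means the session is denied."""
    for rule in rules:
        if rule.role == role and location_matches(location, rule.location):
            return rule.profile
    return "DENY"


@dataclass
class Session:
    mac: str                 # endpoint tracked by MAC address after authentication
    role: str
    location: str
    profile: str
    coa_count: int = 0       # number of CoAs ISE has issued for this session
    history: list[str] = field(default_factory=list)


def start_session(mac: str, role: str, location: str) -> Session:
    return Session(mac, role, location, authorize(role, location), history=[location])


def periodic_check(session: Session, reported_location: str) -> str:
    """One iteration of the tracking loop: the location MSE reports now is
    compared with the last one. No change: do nothing. Change: update the
    collection, re-run authorization and invoke CoA on the session."""
    if reported_location == session.location:
        return "no_change"
    session.location = reported_location
    session.history.append(reported_location)
    session.profile = authorize(session.role, reported_location)
    session.coa_count += 1
    return "coa"
```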
Slide 26
Centralized Control, Deeper Visibility, Superior Protection
Slide 27
Control it all from a single location: network, data and application
Enterprise Mobility: apply access and usage policies across the entire network; secure access from any location regardless of connection type; monitor access activity and compliance of non-corporate assets, and take containment actions when needed
Diagram: Wired, Wireless, VPN; Branch, Headquarters, Remote User; Admin, Partner, Contractor/Guest
Slide 28
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Diagram: Employee and IT Staff; Device Profiling; resources: Internal Employee Intranet (www), Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "MyDevices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
Better security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Effectively design, manage and control the access of BYOD:
1. The user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
Hotspot: immediate uncredentialed Internet access (Guest: Internet)
Self-registration: simple self-registration (Guest: Internet)
Sponsored: role-based access with employee sponsorship (Guest/Sponsor: Internet and Network)
31copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Guest Lifecycle Management: Hotspot
1. User associates to an open SSID
2. User tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day, the user is kicked off the network
Feature Highlight: Immediate un-credentialed access with Hotspot
Guest Access made easy
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot: secret code "chemist")
Capabilities
Guest Lifecycle Management: Self Registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible guest self-registration
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits, account expiration and renewals
Capabilities
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
(Figure: posture checks such as OS patches, AV installed, registered and custom criteria; an endpoint failing a check is marked vulnerable)
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown/Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS/Hotfix, AV/AS, Personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.; Posture = Compliant
5. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights - Description
File Check Enhancements - Enhanced OS X file checks: SHA-256, plist on OS X; Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check - User agent check, user-based process check
Disk Encryption Check - Checks can be based on installation location and disk encryption state
Native Patch Management - Patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Windows ISE Posture - Disk Encryption
Windows ISE Posture - Native Patch Management via OPSWAT
ISE Posture - Patch Management: Windows OS Example
(Screenshot annotations: product name and version; Install is the default supported check for all products; optionally may support checks for "Enabled" or "Up to Date"; minimum version of the compliance module that provides support)
ISE Posture - Patch Management: Mac OS Example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating System: Windows only supported
• Vendor Name: list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if supported for the related option
Endpoint Compliance: Mobile Device Management Integration
Posture compliance assessment for mobile devices
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the MyDevices Portal (device stolen, wipe corporate data)
Capabilities
(Figure: register with ISE, then allow Internet access; register with MDM, then allow corporate access)
Streamline management using a single workspace
• New TrustSec administrator console and services
  - TrustSec dashboard
  - Matrix overhaul
  - Automatic SGT creation
  - ISE as SXP speaker/listener
• Revised UX
  - Improved menu structure for ease of navigation
  - Search capability within the GUI
• Enhanced reporting
  - PDF print and local save reintroduced
  - Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with dedicated work centers, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
With TrustSec's new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix
(Access policy matrix: source SGTs Guest, Contractor, Employee and Infected against destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell is Permit IP or Deny IP)
High OPEX Security Policy Maintenance
Adding a destination object
Adding a source object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to manage firewall rules
Complex task, and high OPEX continues
(Figure: traditional ACL/firewall rule, source to destination; sources NY, SF, LA (subnets 10.234.0/24, 10.235.0/24, 10.236.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...) and SJC; destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI); Production Servers)
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
(Figure: the same NY, SF, LA and SJC sites and DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI) servers, now classified by tag; Source SGT: Employee (10), BYOD (200); Destination SGT: Production_Servers (50), VDI (201))
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
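As an added example (not code from the Cisco deck), the following Python models the two OPEX slides above: it expands the Employee intent into an address-based ACL, keeps the same intent as the six-rule security-group policy, and compares rule counts and verdicts for the same traffic. Site subnets, server addresses, the extra site and the BYOD device address are constructed placeholders.

```python
"""IP-based ACL vs. security-group (SGT) policy: rule growth and verdicts.

Added example, not code from the Cisco deck. Subnets, server addresses and
the group membership below are constructed placeholders that follow the
two OPEX slides.
"""
import ipaddress
from itertools import product

# Constructed inventory. A traditional ACL has to name these addresses.
SITE_SUBNETS = {
    "NY": "10.234.0.0/24",
    "SF": "10.235.0.0/24",
    "LA": "10.236.0.0/24",
    "SJC": "10.3.102.0/24",
}
SERVERS = {  # server name -> (destination security group, address)
    "SRV1": ("Production_Servers", "10.1.1.10"),
    "SAP1": ("Production_Servers", "10.1.1.20"),
    "SCM2": ("Production_Servers", "10.2.1.30"),
    "VDI": ("VDI", "10.2.1.40"),
}

# The intent as the "Low OPEX" slide states it: six rules keyed on
# (source SGT, destination SGT, service); "any" matches every service.
SGT_POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", "any", "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]


def expand_traditional_acl(site_subnets, servers, src_sgt="Employee"):
    """Rewrite one role's intent as an address-based ACL.

    The ACL cannot see roles, so every (site subnet, server) pair needs its
    own line for each service the intent mentions. Returns a list of
    (action, source subnet, destination host, service) tuples in match order.
    """
    acl = []
    for (_site, subnet), (_name, (group, addr)) in product(
        site_subnets.items(), servers.items()
    ):
        for rule_src, rule_dst, service, action in SGT_POLICY:
            if rule_src == src_sgt and rule_dst == group:
                acl.append((action, subnet, addr, service))
    return acl


def acl_verdict(acl, src_ip, dst_ip, service):
    """First-match evaluation with an implicit deny at the end, like a router ACL."""
    src = ipaddress.ip_address(src_ip)
    for action, subnet, host, svc in acl:
        if src in ipaddress.ip_network(subnet) and dst_ip == host and svc in (service, "any"):
            return action
    return "deny"


def sgt_verdict(policy, src_sgt, dst_sgt, service):
    """First-match evaluation on tags only; addresses play no part."""
    for rule_src, rule_dst, svc, action in policy:
        if rule_src == src_sgt and rule_dst == dst_sgt and svc in (service, "any"):
            return action
    return "deny"


def rule_counts(site_subnets):
    """Lines each model needs for the given sites, and the cost of adding one site."""
    before = len(expand_traditional_acl(site_subnets, SERVERS))
    with_new_site = dict(site_subnets, NEWSITE="10.237.0.0/24")  # constructed
    after = len(expand_traditional_acl(with_new_site, SERVERS))
    return {"acl": before, "acl_with_new_site": after, "sgt": len(SGT_POLICY)}


if __name__ == "__main__":
    print(rule_counts(SITE_SUBNETS))  # {'acl': 40, 'acl_with_new_site': 50, 'sgt': 6}
    acl = expand_traditional_acl(SITE_SUBNETS, SERVERS)
    # Corporate laptop in NY reaching SRV1 over HTTPS: both models permit.
    print(acl_verdict(acl, "10.234.0.25", "10.1.1.10", "HTTPS"),
          sgt_verdict(SGT_POLICY, "Employee", "Production_Servers", "HTTPS"))
    # A personal device on the same NY subnet: the ACL cannot tell it apart and
    # still permits; the tag-based policy denies because the session carries BYOD.
    print(acl_verdict(acl, "10.234.0.77", "10.1.1.10", "HTTPS"),
          sgt_verdict(SGT_POLICY, "BYOD", "Production_Servers", "HTTPS"))
```

The second comparison is the security point behind the OPEX one: an address-based rule set grows with every site and server and still cannot distinguish a personal device from a corporate one on the same subnet.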
Policy and segmentation
(Figure: Voice, Data, Suppliers, Guest and Quarantine VLANs at the Access Layer, trunked to the Aggregation Layer; each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering)
Simple segmentation with 2 VLANs; more policies using more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Segmentation with Security Groups
(Figure: Voice, Data, Suppliers, Guest and Quarantine at the Access Layer carry a Data Tag, Supplier Tag, Guest Tag and Quarantine Tag through the Aggregation Layer to the Data Center Firewall)
Retaining the initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
(Figure: resources Internet, Confidential Patient Records and Internal Employee Intranet; endpoints Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office)
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network"
US-CERT
Software-defined segmentation with TrustSec
Traditional Security Policy (figure: a long, address-based access list) vs. TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Flexible and Scalable Policy Enforcement across the Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
(Figure: ISE with the Who/What/Where/When/How context across Before, During and After, surrounded by NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services)
And easily integrates with partner solutions
(Figure: the ISE pxGrid controller sharing Who/What/Where/When/How context; Cisco Meraki)
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
(Figure: ISE and the pxGrid controller between the Cisco Network and the Cisco and Partner Ecosystem, exchanging Who/What/Where/When/How context)
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access web resources
(Figure: Identity Services Engine and WSA deciding access to Confidential Patient Records and the Employee Intranet for Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office)
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leveraging ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation: access is denied per security policy
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
• Mitigation actions: Quarantine; Un-Quarantine; Port Bounce; Port Shutdown; Session Re-Authenticate; Session Terminate
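An added example, not Cisco's code and not the pxGrid or ANC API: a simulation of the containment flow on the FMC slides above, in which a constructed FMC malware event re-tags an endpoint's session to the Infected SGT, issues a CoA, and changes its policy-matrix verdict. The matrix cells, MAC address and event fields are assumptions, and the mitigation actions are the ones listed for the pxGrid remediation module.

```python
"""Rapid threat containment: FMC event -> pxGrid -> ISE ANC -> new SGT -> CoA.

Added example; not Cisco code and not the pxGrid or ANC API. It replays the
slide's flow against an in-memory session table. The matrix cells, the
MAC address and the event fields are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed policy matrix (source SGT -> destination SGT -> action), modelled
# on the work-center slide's Guest/Contractor/Employee/Infected rows. Any pair
# not listed is denied; Infected reaches only Remediation.
POLICY_MATRIX = {
    "Employee": {"Internet": "permit", "Contractor Resources": "permit",
                 "HR Server": "permit", "Employee Resources": "permit",
                 "Remediation": "permit"},
    "Contractor": {"Internet": "permit", "Contractor Resources": "permit",
                   "Remediation": "permit"},
    "Guest": {"Internet": "permit", "Remediation": "permit"},
    "Infected": {"Remediation": "permit"},
}

# Mitigation actions listed for the FMC pxGrid remediation module.
ANC_ACTIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
               "Session Re-Authenticate", "Session Terminate"}


@dataclass
class Session:
    mac: str
    user: str
    sgt: str
    original_sgt: str
    coa_log: list = field(default_factory=list)  # CoA messages ISE would send


class IseSimulator:
    """Just enough of ISE to show the tag change and its effect on enforcement."""

    def __init__(self):
        self.sessions = {}

    def authenticate(self, mac, user, sgt):
        self.sessions[mac] = Session(mac, user, sgt, sgt)
        return self.sessions[mac]

    def anc_apply(self, mac, action, quarantine_sgt="Infected"):
        """Apply one ANC action to a session, as a pxGrid remediation would request."""
        if action not in ANC_ACTIONS:
            raise ValueError(f"unknown ANC action {action!r}")
        session = self.sessions[mac]
        if action == "Quarantine":
            session.sgt = quarantine_sgt  # re-tag; the network enforces the matrix
            session.coa_log.append(("CoA-Reauth", mac, session.sgt))
        elif action == "Un-Quarantine":
            session.sgt = session.original_sgt
            session.coa_log.append(("CoA-Reauth", mac, session.sgt))
        elif action == "Session Re-Authenticate":
            session.coa_log.append(("CoA-Reauth", mac, session.sgt))
        else:  # Port Bounce, Port Shutdown, Session Terminate drop the session
            session.coa_log.append(("CoA-Disconnect", mac, action))
            del self.sessions[mac]
        return session

    def verdict(self, mac, dst_sgt):
        """What the matrix allows for this endpoint's current tag (no session: deny)."""
        session = self.sessions.get(mac)
        if session is None:
            return "deny"
        return POLICY_MATRIX.get(session.sgt, {}).get(dst_sgt, "deny")


def handle_fmc_event(ise, event):
    """Act on one constructed FMC file event received over pxGrid."""
    if event.get("disposition") == "Malware":
        return ise.anc_apply(event["mac"], "Quarantine")
    return None  # clean verdicts change nothing


def containment_demo():
    """The slide's five steps end to end; returns verdicts before/after and the CoAs."""
    ise = IseSimulator()
    mac = "00:11:22:33:44:55"  # constructed
    ise.authenticate(mac, "alice", "Employee")
    before = ise.verdict(mac, "HR Server")
    handle_fmc_event(ise, {"mac": mac, "sha256": "<placeholder>", "disposition": "Malware"})
    after = ise.verdict(mac, "HR Server")
    remediation = ise.verdict(mac, "Remediation")
    return before, after, remediation, ise.sessions[mac].coa_log


if __name__ == "__main__":
    print(containment_demo())
    # ('permit', 'deny', 'permit', [('CoA-Reauth', '00:11:22:33:44:55', 'Infected')])
```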
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Figure: data flows observed across the network)
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
(Figure: segmented zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone)
Role-based access control
Simplify security management with role-based access
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Simplified, centralized device administration: increase security and compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
(Figure: Security Admin Team and Network Admin Team, each with a TACACS+ Work Center)
TACACS+ Device Administration Support for ISE 2.0
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Example Wireless LAN Controllers
Example Cisco IOS
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information, refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today"
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives"
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Don't just take it from us
Live Demo
Aruba with ISE Configuration Guide
Works with any RADIUS-compliant device
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-85-Integrating_Aruba_Networks.pdf
Third-party switches tested and configured: Brocade, Juniper, Alcatel, HP, Avaya, Aruba and more
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness: make fully informed decisions with rich contextual awareness
Who: Bob
What: Tablet
Where: Building 200, 1st floor
When: 11:00 AM EST on April 10th
How: Wireless
Result: the right user on the right device from the right place is granted the right access
Poor context awareness
IP Address 192168151
Who: Unknown
What: Unknown
Where: Unknown
When: Unknown
Result: any user, any device, anywhere gets on the network
Context
Better Visibility: Revamped Endpoints Identity Page
(Screenshot: clicking the filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Improved Matrix: Color Coded + Condensed (continued)
Enhance control with location-based authorization
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location
Benefits
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
With the integration of Cisco Mobility Services Engine (MSE)
(Figure: a doctor moving between locations: Lobby, no access to patient data; Patient room, access to patient data; Lab, no access to patient data; ER, access to patient data. Patient data access locations listed: Patient room, ER, Lab, Lobby)
ISE 2.0
Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE
(Figure: "I have location data": Campus, Building, Floor, Zone)
bull Administrator will configure authorizations rule with location based attribute such as MSELocation Equals LND_Campus1Building1Floor2SecureZone
bull + 150 TPS (transactions per second)
How it works
End Point Movement ISE can be configured to Track Movement of
the endpoint after authentication using MAC ISE will query this endpoint location about every
5 minutes or so (based on TPS of 150) after the last check to verify if the location was changed
If no location change do nothing New location was received update the
Collection with the new info Invoke COA on the Session
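The tracking loop described on this slide, modelled as a small added example (not Cisco's code; the location path format, the rule syntax, the profile names and the hospital locations are assumptions). A rule on a node of the hierarchy covers everything beneath it, each poll of the constructed MSE lookup compares the stored location with the current one, and only a change updates the record and triggers a CoA, after which the ordered rules are re-evaluated. The sweep-time helper makes explicit what the "5 minutes at 150 TPS" figure implies for the number of tracked endpoints.

```python
"""Location-aware authorization with periodic MSE polling and CoA.

Constructed example: location paths, rule syntax, profile names and the
MSE lookup are assumptions modelled on the slide, not ISE's data model or API."""
from dataclasses import dataclass, field
from typing import Callable, List

SEP = " > "   # assumed separator for a campus > building > floor > zone path


@dataclass
class AuthzRule:
    name: str
    location_prefix: str   # matches any location at or below this node of the hierarchy
    profile: str           # authorization profile applied on match


@dataclass
class Session:
    mac: str
    location: str
    profile: str = "Deny_All"
    coa_log: List[str] = field(default_factory=list)


def location_matches(rule_prefix: str, location: str) -> bool:
    """Hierarchy-aware match: a rule on 'Campus > Bldg1' covers every floor and zone
    under Bldg1 but not 'Campus > Bldg10' (a plain string prefix test would)."""
    prefix = rule_prefix.split(SEP)
    return location.split(SEP)[: len(prefix)] == prefix


def authorize(rules: List[AuthzRule], location: str, default: str = "Deny_All") -> str:
    """First matching rule wins, as in an ordered authorization policy."""
    for rule in rules:
        if location_matches(rule.location_prefix, location):
            return rule.profile
    return default


def recheck_location(session: Session, rules: List[AuthzRule],
                     mse_lookup: Callable[[str], str]) -> bool:
    """One periodic MSE poll for a tracked endpoint (keyed by MAC).
    No change: nothing happens.  Change: update the endpoint record, issue a CoA,
    and the resulting reauthorization re-evaluates the rules.  Returns True if a CoA was sent."""
    new_location = mse_lookup(session.mac)
    if new_location == session.location:
        return False
    session.location = new_location
    old = session.profile
    session.profile = authorize(rules, new_location)
    session.coa_log.append(f"CoA {session.mac}: {old} -> {session.profile} @ {new_location}")
    return True


def sweep_seconds(tracked_endpoints: int, tps: int = 150) -> float:
    """Time for one full location sweep at the stated query budget.  At 150 TPS,
    45,000 tracked endpoints take 300 s, i.e. the 'about every 5 minutes' on the slide."""
    return tracked_endpoints / tps


HOSPITAL = "LND_Campus1 > Building1 > Floor2"   # constructed hierarchy
RULES = [
    AuthzRule("PatientRoom", HOSPITAL + " > PatientRoom", "PatientData_Access"),
    AuthzRule("ER", HOSPITAL + " > ER", "PatientData_Access"),
    AuthzRule("AnyCampus", "LND_Campus1", "Intranet_Only"),   # Lobby, Lab: no patient data
]


def simulate_walk(path: List[str]) -> Session:
    """Doctor's endpoint authenticates at path[0], then is polled as it moves."""
    session = Session(mac="00:11:22:33:44:55", location=path[0],
                      profile=authorize(RULES, path[0]))
    for loc in path[1:]:
        recheck_location(session, RULES, lambda _mac, loc=loc: loc)   # stand-in for MSE
    return session


if __name__ == "__main__":
    s = simulate_walk([HOSPITAL + " > Lobby", HOSPITAL + " > ER",
                       HOSPITAL + " > ER", HOSPITAL + " > Lab"])
    print(s.profile, *s.coa_log, sep="\n")
```

The second visit to the ER produces no CoA because the stored and polled locations agree; the move to the Lab does, and the reauthorization falls through to the campus-wide rule that denies patient data.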
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
Enterprise Mobility:
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram labels: Wired, Wireless, VPN, Branch, Partner, Remote User, Headquarters, Admin, Contractor/Guest
Slide 28
Enable faster and easier device onboarding without any IT support
• Rapid device identification with out-of-the-box profiles
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
Diagram labels: Employee, IT Staff, Device Profiling, Internal Employee Intranet (www), Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device; simple configuration flow and onboarding experience.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improve network operations: offload the onboarding of personal devices from IT
Effectively design, manage and control BYOD access:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
• Immediate uncredentialed Internet access with Hotspot (Guest: Internet)
• Simple self-registration (Guest: Internet)
• Role-based access with employee sponsorship (Guest/Sponsor: Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate uncredentialed access with Hotspot; guest access made easy.
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy box, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot shows the secret code "chemist")
Slide 32
Guest Lifecycle Management: Self Registration
Feature Highlight: Simple and flexible guest self-registration; a flexible, efficient and scalable solution that fits all your needs.
1. Guest is redirected to a captive portal for self-registration
2. After the guest fills in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits, account expiration and renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
Checks shown: OS patches, AV installed, Registered, Custom Criteria, Vulnerable (marked X)
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, hotfix, AV/AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc…
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
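The posture flow on this slide, Authenticate, Quarantine, Assess, Remediate, Authorize, written out as an added example with the three requirement modes the Capabilities list names. This is not Cisco's code: the requirement names, the attributes the agent reports, the WSUS-style remediation and the profile contents are constructed stand-ins. The point it makes explicit is that only Mandatory failures keep an endpoint quarantined; Optional and Audit failures are reported or logged but do not block, and a Mandatory failure with no automatic remediation (AV not installed) leaves the endpoint on the restricted profile.

```python
"""Posture assessment flow: Authenticate -> Quarantine -> Posture Assess
-> Remediate -> Authorize, with Mandatory / Optional / Audit requirement modes.

Constructed example: requirement names, endpoint attributes, remediation actions
and profile contents are assumptions, not the ISE posture engine or the AnyConnect agent."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Dict[str, object]          # attributes the posture agent reports


class Mode(Enum):
    MANDATORY = "mandatory"   # failing check blocks access until remediated
    OPTIONAL = "optional"     # failing check is reported to the user; access still granted
    AUDIT = "audit"           # result is only logged; the user is not told


@dataclass
class Requirement:
    name: str
    mode: Mode
    check: Callable[[Endpoint], bool]
    remediate: Optional[Callable[[Endpoint], None]] = None   # automatic remediation, if any


# Restricted profile while posture is Unknown/Non-compliant, full profile once Compliant
# (contents constructed for the example).
QUARANTINE = {"dACL": "POSTURE_REMEDIATION", "dVLAN": "quarantine", "SGT": "Quarantine"}
PERMIT = {"dACL": "PERMIT_ALL", "dVLAN": "employees", "SGT": "Employee"}


def assess(endpoint: Endpoint, reqs: List[Requirement]) -> Tuple[str, List[str]]:
    """Run every check.  Only MANDATORY failures make the endpoint NonCompliant;
    OPTIONAL and AUDIT failures are returned so they can be shown or logged."""
    failures = [r.name for r in reqs if not r.check(endpoint)]
    blocking = [r.name for r in reqs if r.mode is Mode.MANDATORY and r.name in failures]
    return ("NonCompliant" if blocking else "Compliant"), failures


def posture_flow(endpoint: Endpoint, reqs: List[Requirement]) -> List[Tuple[str, object]]:
    """Walk the slide's flow once and return an audit trail of (step, result)."""
    trail: List[Tuple[str, object]] = [("authenticate", "Posture=Unknown"),
                                       ("quarantine", QUARANTINE)]
    posture, failures = assess(endpoint, reqs)
    trail.append(("assess", (posture, failures)))
    if posture == "NonCompliant":
        # Remediate only the blocking failures that have an automatic action.
        for r in reqs:
            if r.mode is Mode.MANDATORY and r.name in failures and r.remediate:
                r.remediate(endpoint)
        posture, failures = assess(endpoint, reqs)      # re-assessment after remediation
        trail.append(("remediate", (posture, failures)))
    trail.append(("authorize", PERMIT if posture == "Compliant" else QUARANTINE))
    return trail


def wsus_install_hotfix(ep: Endpoint) -> None:
    """Stand-in for a WSUS remediation; the hotfix ID is a placeholder."""
    ep["hotfixes"] = set(ep.get("hotfixes", set())) | {"KB-EXAMPLE-1"}


REQUIREMENTS = [
    Requirement("OS hotfix", Mode.MANDATORY,
                lambda ep: "KB-EXAMPLE-1" in ep.get("hotfixes", set()), wsus_install_hotfix),
    Requirement("AV installed", Mode.MANDATORY, lambda ep: bool(ep.get("av_installed", False))),
    Requirement("Personal firewall", Mode.OPTIONAL, lambda ep: bool(ep.get("firewall_on", False))),
    Requirement("Disk encryption", Mode.AUDIT, lambda ep: bool(ep.get("disk_encrypted", False))),
]


def final_profile(endpoint: Endpoint) -> Dict[str, str]:
    """Authorization profile the flow ends with."""
    return posture_flow(endpoint, REQUIREMENTS)[-1][1]


if __name__ == "__main__":
    # Constructed endpoint: missing only the hotfix, which is auto-remediable.
    laptop = {"hotfixes": set(), "av_installed": True, "firewall_on": False, "disk_encrypted": False}
    for step, result in posture_flow(dict(laptop), REQUIREMENTS):
        print(f"{step:12} {result}")
```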
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X file checks: SHA-256, plist on OS X; Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check | User agent check; user-based process check
Disk Encryption Check | Checks can be based on installation location and disk encryption state
Native Patch Management | Patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library used for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on:
– Installation of a specified disk encryption application
– Disk encryption state
Slide 39
Windows ISE Posture – Disk Encryption
Slide 40
Windows ISE Posture – Native Patch Management via OPSWAT
Slide 41
ISE Posture – Patch Management, Windows OS example
Screenshot annotations: Product Name and Version; Install is the default support for all, optionally may support checks for "Enabled" or "Up to Date"; minimum version of the compliance module that provides support
Slide 42
ISE Posture – Patch Management, Mac OS example
Slide 43
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
– Enabled
– Install missing patches
– Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture/compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (device stolen, wipe corporate data)
Flow: 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
Slide 45
Streamline management using a single workspace: TrustSec Work Center
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring. Intuitive work center and access policy matrix.
Capabilities
• New TrustSec administrator console and services
– TrustSec dashboard
– Matrix overhaul
– Automatic SGT creation
– ISE as SXP speaker/listener
• Revised UX
– Improved menu structure for ease of navigation
– Search capability within the GUI
• Enhanced reporting
– PDF print and local save reintroduced
– Improved filtering for live log and reports
Benefits (with TrustSec's new user interface)
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules
Access policy matrix (screenshot): source groups Guest, Contractor, Employee, Infected; destination groups Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell is a Permit IP or Deny IP SGACL (10 permit and 10 deny cells in the screenshot; cell positions are not recoverable from the extracted text).
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL/FW rule, Source to Destination: sources NY, SF, LA, SJC (each with several /24 subnets …); destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers, and DC-RTP (VDI).
ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object extends the list: a complex task, and the high OPEX continues.
A global bank currently dedicates 24 global resources to manage firewall rules.
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Sites NY, SF, LA, SJC (Employee and BYOD users) reach DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers and DC-RTP (VDI) as VDI Servers.
• Policy stays with users and servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX
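An added example that puts the two preceding slides side by side in code (not Cisco's code and not ISE or IOS syntax). The SGT numbers are the slide's (Employee 10, BYOD 200, Production_Servers 50, VDI 201); the site subnets, server addresses, the extra Quarantine tag and the default-deny for SGT pairs with no cell are constructed assumptions. The traditional model expands the four intents into one rule per site, so the count is sites times intents and every new site or server adds lines; the TrustSec model keeps the six-line policy fixed and changes only the IP-to-SGT bindings, which is also how the re-tagging used for containment later in the deck works: one host binding changes, no rule is rewritten.

```python
"""Per-IP ACL explosion versus TrustSec security-group policy.

Constructed example: SGT numbers follow the slide (Employee 10, BYOD 200,
Production_Servers 50, VDI 201); site subnets, server addresses, the Quarantine
tag and the default-deny for unmatched SGT pairs are assumptions, not ISE/IOS syntax."""
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Dict, List, Optional, Tuple

SERVICES = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# ---- Traditional model: rules keyed on addresses ------------------------------
SITES = {"NY": "10.1.0.0/16", "SF": "10.2.0.0/16", "LA": "10.3.0.0/16", "SJC": "10.4.0.0/16"}
SERVERS = {"SRV1": "192.0.2.10/32", "SAP1": "192.0.2.20/32",
           "SCM2": "192.0.2.30/32", "VDI": "192.0.2.40/32"}
# The slide's intents written once: (server, service, action)
INTENTS = [("SRV1", "HTTPS", "permit"), ("SAP1", "SQL", "deny"),
           ("SCM2", "SSH", "deny"), ("VDI", "RDP", "permit")]


def expand_acl(sites: Dict[str, str],
               intents: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, int]]:
    """Every site needs its own copy of every intent, so the ACL has
    len(sites) * len(intents) lines and grows with each new site or server."""
    return [(action, sites[site], SERVERS[srv], SERVICES[svc])
            for site, (srv, svc, action) in product(sites, intents)]


# ---- TrustSec model: rules keyed on SGT pairs, bindings kept separately --------
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201, "Quarantine": 255}

# Security-group policy from the slide: (src SGT, dst SGT) -> ordered (action, service|None)
SGACL = {
    (10, 50): [("permit", "HTTPS"), ("deny", "SQL"), ("deny", "SSH")],
    (10, 201): [("permit", "RDP")],
    (200, 50): [("deny", None)],           # Deny BYOD to Production_Servers, any service
    (200, 201): [("permit", "RDP")],
}

Bindings = Dict[str, int]   # prefix -> SGT: the only thing that changes per site or host


def classify(ip: str, bindings: Bindings) -> Optional[int]:
    """Longest-prefix match of an address to its SGT (a /32 host binding beats its subnet)."""
    addr = ip_address(ip)
    best: Optional[Tuple[int, int]] = None
    for prefix, tag in bindings.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tag)
    return None if best is None else best[1]


def decide(src_ip: str, dst_ip: str, service: str, bindings: Bindings,
           default: str = "deny") -> str:
    """SGACL lookup: classify both ends, then walk the cell for that SGT pair."""
    src, dst = classify(src_ip, bindings), classify(dst_ip, bindings)
    for action, svc in SGACL.get((src, dst), []):
        if svc is None or svc == service:
            return action
    return default


BINDINGS: Bindings = {
    **{subnet: SGT["Employee"] for subnet in SITES.values()},
    "10.50.0.0/16": SGT["BYOD"],
    "192.0.2.10/32": SGT["Production_Servers"], "192.0.2.20/32": SGT["Production_Servers"],
    "192.0.2.30/32": SGT["Production_Servers"], "192.0.2.40/32": SGT["VDI"],
}


def add_site(bindings: Bindings, subnet: str) -> Bindings:
    """Onboarding a new site touches bindings only; the SGACL matrix is untouched."""
    return {**bindings, subnet: SGT["Employee"]}


def quarantine_host(bindings: Bindings, host_ip: str) -> Bindings:
    """Containment by re-tagging one host; no rule is rewritten and, with no cell for
    the Quarantine tag, every flow from it falls to the default."""
    return {**bindings, f"{host_ip}/32": SGT["Quarantine"]}


if __name__ == "__main__":
    print("traditional ACL lines:", len(expand_acl(SITES, INTENTS)))
    print("SGACL cells:", len(SGACL))
    print(decide("10.1.5.5", "192.0.2.10", "HTTPS", BINDINGS))
    print(decide("10.1.5.5", "192.0.2.10", "HTTPS", quarantine_host(BINDINGS, "10.1.5.5")))
```

Adding a fifth site grows the traditional list from 16 to 20 lines but leaves the four SGACL cells alone; the same holds for the quarantine case, which the deck's FMC/pxGrid slide describes as changing a tag rather than a rule.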
Slide 48
Policy and segmentation (VLAN-based)
Access layer and aggregation layer with VLANs for Voice, Data, Suppliers, Guest and Quarantine; each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering.
Simple segmentation with 2 VLANs; more policies require more VLANs. The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
Slide 49
Segmentation with security groups
Retaining the initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine across the access layer, aggregation layer and data center firewall), the policy (Security Group Tag) stays with users, devices and servers regardless of topology or location: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag.
Slide 50
Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
• Give the right people on the right devices the right access to the right resources with TrustSec
Diagram: resources Internet, Confidential Patient Records, Internal Employee Intranet; contexts "Who: Guest, What: iPad, Where: Office", "Who: Receptionist, What: iPad, Where: Office", "Who: Doctor, What: Laptop, Where: Office"
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." – US-CERT
Slide 52
Traditional Security Policy vs. TrustSec Security Policy
Traditional security policy (slide visual): a long "access-list 102" with dozens of permit/deny entries for tcp, udp, icmp and ip between individual hosts, wildcard-masked subnets and port ranges; the addresses and ports are illustrative filler (rendered unreadably in extraction) and the list repeats.
TrustSec security policy: software-defined segmentation giving security control automation, simplified access management and improved security efficacy. Flexible and scalable policy enforcement across the network fabric: switch, router, DC FW, DC switch, wireless.
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE context (Who, What, Where, When, How) is shared across the attack continuum (Before, During, After) with: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
The ISE pxGrid controller shares context (Who, What, Where, When, How) with Cisco Meraki and with partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
1. ISE collects contextual data (Who, What, Where, When, How) from the Cisco network
2. Context is shared via pxGrid technology with the Cisco and partner ecosystem
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
• Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access Web resources
Diagram: Identity Services Engine and WSA; contexts "Who: Doctor, What: Laptop, Where: Office", "Who: Doctor, What: iPad, Where: Office", "Who: Guest, What: iPad, Where: Office"; resources Confidential Patient Records, Employee Intranet
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Benefits
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration -> pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate source
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation actions:
– Quarantine
– Un-Quarantine
– Port Bounce
– Port Shutdown
– Session Re-Authenticate
– Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Diagram label: Data
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Diagram zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
• Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Diagram: TACACS+ Device Administration support for ISE 2.0; the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center
Slide 66
The Device Admin Service is not enabled by default
Slide 67
Some Device Admin best practices: use NDGs (Network Device Groups)
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Slide 68
Use policy sets based on device type: Cisco IOS switches, Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
• Recognized as a LEADER four years in a row – Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
• "Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." – Forrester, 2011
• Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." – Frost & Sullivan, 2014
• A CHAMPION in the Info-Tech Vendor Landscape for NAC – Info-Tech Research Group, 2014
Live Demo
Certifications
• Unified Capabilities Approved Product List (UC APL)
• FIPS 140-2
• Common Criteria
• USGv6 / IPv6 Ready
Centralized Control
Deeper Visibility
Superior Protection
Extensive context awareness
Who: Bob
What: Tablet
Where: Building 200, 1st floor
When: 11:00 AM EST on April 10th
How: Wireless
Make fully informed decisions with rich contextual awareness.
Result: The right user on the right device from the right place is granted the right access.

Poor context awareness
IP Address: 192.168.1.51
Who: Unknown
What: Unknown
Where: Unknown
When: Unknown
How: Unknown
Result: Any user, any device, anywhere gets on the network.
Context
Better Visibility: Revamped the Endpoints Identity Page
Clicking Filters Below
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Benefits
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
With the integration of Cisco Mobility Services Engine (MSE)
Floor map locations: Lobby, Patient room, Lab, ER
Doctor's access to patient data by location: Lobby – no access to patient data; Patient room – access to patient data; Lab – no access to patient data; ER – access to patient data
ISE 2.0
Location-Based Authorization: Authorize user access to the network based on their location
UI to configure MSE
I have location data: Campus / Building / Floor / Zone
• Administrator configures an authorization rule with a location-based attribute, such as MSE Location Equals LND_Campus1 / Building1 / Floor2 / SecureZone
• +150 TPS (transactions per second)
How it works
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address. ISE queries this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location was received, the collection is updated with the new info and CoA is invoked on the session.
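The check loop just described, modelled in Python as an added example (this is not Cisco's code): the location hierarchy, the two authorization rules, the MAC address and the endpoint's movements are all constructed, and matching a rule against a session's location by hierarchy prefix is an assumption of the model rather than a documented ISE behaviour.

```python
"""Periodic MSE location check with CoA on change (constructed model)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

CHECK_INTERVAL_S = 300  # "about every 5 minutes" between MSE queries

Location = Tuple[str, ...]  # e.g. ("LND_Campus1", "Building1", "Floor2", "SecureZone")


@dataclass
class Session:
    mac: str
    user: str
    location: Location
    last_check: float = float("-inf")  # never checked yet
    coa_events: List[tuple] = field(default_factory=list)


def location_matches(session_loc: Location, rule_loc: Location) -> bool:
    """A rule written at a higher level of the hierarchy covers every
    location beneath it: ("LND_Campus1", "Building1") matches the whole
    building. Prefix comparison is this model's assumption."""
    return session_loc[: len(rule_loc)] == rule_loc


def authorize(session: Session, rules) -> str:
    """First matching rule wins, like an ISE authorization policy;
    an explicit deny is the fallback when no rule matches."""
    for rule_loc, permission in rules:
        if location_matches(session.location, rule_loc):
            return permission
    return "deny"


def check_location(session: Session, mse_lookup: Callable[[str], Location],
                   now: float, rules) -> str:
    """One tracker iteration: skip if the interval has not elapsed, do
    nothing on an unchanged location, otherwise update the stored context
    and issue a CoA so the session is re-authorized."""
    if now - session.last_check < CHECK_INTERVAL_S:
        return "skipped"
    session.last_check = now
    new_loc = mse_lookup(session.mac)
    if new_loc == session.location:
        return "no-change"
    session.location = new_loc
    result = authorize(session, rules)
    session.coa_events.append((now, new_loc, result))  # CoA pushed to the NAD
    return "coa:" + result


def simulate():
    """Constructed walk-through: a doctor authenticates in the secure zone,
    walks to the lobby, then leaves the campus entirely."""
    rules = [
        (("LND_Campus1", "Building1", "Floor2", "SecureZone"), "patient-data"),
        (("LND_Campus1",), "basic-access"),
    ]
    mac = "00:11:22:33:44:55"  # constructed MAC
    mse = {mac: ("LND_Campus1", "Building1", "Floor2", "SecureZone")}  # stands in for MSE
    session = Session(mac, "dr.alice", mse[mac])
    actions = [check_location(session, mse.get, 0, rules)]        # first check, unchanged
    actions.append(check_location(session, mse.get, 120, rules))   # too soon, skipped
    mse[mac] = ("LND_Campus1", "Building1", "Floor1", "Lobby")
    actions.append(check_location(session, mse.get, 310, rules))   # moved: CoA, basic access
    mse[mac] = ("OtherCampus", "Annex")
    actions.append(check_location(session, mse.get, 700, rules))   # off campus: CoA, deny
    return actions, session


if __name__ == "__main__":
    acts, s = simulate()
    print(acts)
    for ev in s.coa_events:
        print("CoA", ev)
```

The interval gate matters operationally: a tracker that queries MSE on every packet or every few seconds multiplies the transaction load the slide quotes, so the check runs only once the 5-minute window has elapsed, and a CoA is only issued when the location actually changed.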
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Enterprise Mobility
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
(Diagram: Headquarters, Branch, Wired, Wireless, VPN, Remote User, Partner, Admin, Contractor/Guest)
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
(Diagram: Employee and IT Staff devices, Device Profiling, Internal Employee Intranet, Confidential HR Records, www)
Enable an easier and faster device onboarding
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user “My Devices” portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Capabilities
Bring Your own Device (BYOD)
Benefits
Better Security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Feature Highlight: Easy and secure access to the network from any device; simple configuration flow and onboarding experience
Effectively design, manage and control the access of BYOD
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest → Internet)
• Simple self-registration (Guest → Internet)
• Role-based access with employee sponsorship (Guest + Sponsor → Internet and Network)
Guest Lifecycle Management: Hotspot
1. User associates to an open SSID
2. User tries to access the Web; identified by ISE as a guest and redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. Day ends: at the end of the day the user is kicked off the network
Feature Highlight: Immediate uncredentialed access with Hotspot
Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal screenshot shows “Secret code: chemist”)
Guest Lifecycle Management: Self Registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible Guest Self Registration
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration/renewals
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
(Checklist graphic: OS patches, AV installed, Registered, Custom criteria; a device failing checks is marked X and flagged Vulnerable)
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS/Hotfix, AV/AS, Personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc…; Posture = Compliant
5. Authorize: permit access (dACL, dVLAN, SGT, etc…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
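How the three posture modes in the capabilities list change the outcome of the assessment flow above, as an added Python illustration. It is a constructed model, not the AnyConnect agent or the ISE posture engine: the requirement names, the hotfix placeholder, the 7-day definition age threshold and the two endpoint reports are invented for the example.

```python
"""Posture assessment with Mandatory / Optional / Audit modes (constructed model)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Requirement:
    name: str
    mode: str                       # "mandatory", "optional" or "audit"
    check: Callable[[dict], bool]   # True when the endpoint satisfies it
    remediation: str                # what the agent would launch on failure


def av_is_current(report: dict) -> bool:
    # Constructed threshold: definitions older than a week count as stale.
    return report.get("av_installed", False) and report.get("av_def_age_days", 999) <= 7


# Constructed requirement set; "HOTFIX-EXAMPLE-01" is a placeholder, not a real patch id.
REQUIREMENTS = [
    Requirement("OS hotfix present", "mandatory",
                lambda r: "HOTFIX-EXAMPLE-01" in r.get("hotfixes", []), "WSUS"),
    Requirement("Antivirus installed and current", "mandatory", av_is_current, "AV update"),
    Requirement("Personal firewall enabled", "optional",
                lambda r: r.get("firewall_enabled", False), "Enable firewall"),
    Requirement("Disk encryption on", "audit",
                lambda r: r.get("disk_encrypted", False), "none (report only)"),
]


def assess(report: dict, requirements=REQUIREMENTS):
    """Evaluate every requirement against an agent report.
    Only mandatory failures make the endpoint Non-Compliant; optional
    failures are remediated but do not block; audit failures are recorded
    only, with no remediation launched."""
    failed: Dict[str, List[str]] = {"mandatory": [], "optional": [], "audit": []}
    remediations: List[str] = []
    for req in requirements:
        if req.check(report):
            continue
        failed[req.mode].append(req.name)
        if req.mode != "audit":
            remediations.append(req.remediation)
    status = "NonCompliant" if failed["mandatory"] else "Compliant"
    return status, failed, remediations


def authorize(status: str) -> dict:
    """Map the posture result onto the enforcement the slide shows:
    quarantine (dVLAN/dACL/SGT) until compliant, then permit."""
    if status == "Compliant":
        return {"action": "permit", "sgt": "Employee"}
    return {"action": "quarantine", "sgt": "Quarantine", "dacl": "REMEDIATION-ONLY"}


# Constructed endpoint reports, shaped like what an agent would send.
HEALTHY = {"hotfixes": ["HOTFIX-EXAMPLE-01"], "av_installed": True,
           "av_def_age_days": 2, "firewall_enabled": False, "disk_encrypted": False}
STALE = {"hotfixes": [], "av_installed": True, "av_def_age_days": 30,
         "firewall_enabled": True, "disk_encrypted": True}

if __name__ == "__main__":
    for name, rep in (("healthy", HEALTHY), ("stale", STALE)):
        status, failed, rem = assess(rep)
        print(name, status, failed, rem, authorize(status))
```

The HEALTHY report fails an optional and an audit requirement yet stays Compliant, which is exactly the rollout flexibility the slide refers to: a new check can be introduced in audit mode to measure the fleet, promoted to optional to start remediating, and only then made mandatory to block access.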
ISE 2.0 Highlights and Descriptions
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: User agent check; user-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
Desktop Posture Enhancements: Are my desktop endpoints compliant?
File Checks – Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0 / AnyConnect 4.2
Posture Enhancements – OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator would be able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Windows ISE Posture – Disk Encryption
Windows ISE Posture – Native Patch Management via OPSWAT
ISE Posture – Patch Management: Windows OS Example
Product Name and Version
Install is default support for all; optionally may support checks for “Enabled” or “Up to Date”
Minimum version of compliance module that provides support
ISE Posture – Patch Management: Mac OS Example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if supported for the related option
Endpoint Compliance: Mobile Device Management Integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Flow: 1. Register with ISE 2. Allow Internet access 3. Register with MDM 4. Allow corporate access
Streamline management using a single workspace
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits, with TrustSec’s new user interface
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix (Source SGT × Destination SGT)
Source: Guest, Contractor, Employee, Infected
Destination: Internet, Contractor Resources, HR Server, Employee Resources, Remediation
Each cell of the matrix is set to Permit IP or Deny IP
High OPEX Security Policy Maintenance
Traditional ACL / FW Rule
Source: NY, SF, LA, SJC
NY subnets: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24 …
Destination: Production Servers – DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)
Adding a source object, adding a destination object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules
Complex task, and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Sources NY, SF, LA, SJC (Employee and BYOD) → Production Servers: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); VDI Servers: DC-RTP (VDI)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
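The OPEX difference between the two slides, worked in Python as an added example rather than Cisco tooling. The six intent lines come from the Low OPEX slide; the subnets, server addresses and port numbers are constructed. The example goes slightly beyond the slides by computing the counts for any inventory, so it shows the general effect: a traditional ACL grows with the product of source subnets and destination hosts, while the SGT policy stays at one entry per intent line.

```python
"""Traditional ACL expansion versus SGT policy (constructed example)."""
from typing import Dict, List, Tuple

SERVICES = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# Access intent from the Low OPEX slide: (source role, destination group, service, action)
INTENT = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", "any", "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]

# Constructed inventory: role -> {site: subnet}, group -> {server: address}
SITES: Dict[str, Dict[str, str]] = {
    "Employee": {"NY": "10.2.34.0/24", "SF": "10.5.10.0/24", "LA": "10.6.10.0/24", "SJC": "10.7.10.0/24"},
    "BYOD": {"NY": "10.2.134.0/24", "SF": "10.5.110.0/24", "LA": "10.6.110.0/24", "SJC": "10.7.110.0/24"},
}
SERVERS: Dict[str, Dict[str, str]] = {
    "Production_Servers": {"SRV1": "10.100.1.10", "SAP1": "10.100.1.20", "SCM2": "10.200.1.30"},
    "VDI": {"VDI": "10.200.2.40"},
}


def traditional_acl(sites=SITES, servers=SERVERS, intent=INTENT) -> List[str]:
    """Every (subnet, host) pair needs its own line, so the list grows with
    the product of sources and destinations."""
    lines = []
    for role, group, svc, action in intent:
        port = "" if svc == "any" else f" eq {SERVICES[svc]}"
        for site, subnet in sites[role].items():
            for name, addr in servers[group].items():
                lines.append(f"{action} tcp {subnet} host {addr}{port}  ! {site} -> {name}")
    return lines


def sgt_policy(intent=INTENT) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """One SGACL per (source SGT, destination SGT) cell, independent of how
    many subnets or hosts carry each tag."""
    cells: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for src, dst, svc, action in intent:
        cells.setdefault((src, dst), []).append((svc, action))
    return cells


def sgacl_decision(src_sgt: str, dst_sgt: str, svc: str, cells=None) -> str:
    """First match within the cell wins; 'any' matches every service.
    Unmatched traffic falls to deny here, a modelling choice: a real matrix
    carries an explicitly configured default for unlisted cells."""
    cells = sgt_policy() if cells is None else cells
    for rule_svc, action in cells.get((src_sgt, dst_sgt), []):
        if rule_svc in ("any", svc):
            return action
    return "deny"


def rule_counts(sites=SITES, servers=SERVERS) -> Tuple[int, int]:
    """(traditional ACL lines, SGACL entries) for the given inventory."""
    return len(traditional_acl(sites, servers)), sum(len(v) for v in sgt_policy().values())


def with_new_site(site: str, emp_subnet: str, byod_subnet: str) -> Tuple[int, int]:
    """Rule counts after onboarding one more site for both roles."""
    sites = {role: dict(subnets) for role, subnets in SITES.items()}
    sites["Employee"][site] = emp_subnet
    sites["BYOD"][site] = byod_subnet
    return rule_counts(sites)


if __name__ == "__main__":
    print("4 sites:", rule_counts())
    print("5 sites:", with_new_site("AUS", "10.8.10.0/24", "10.8.110.0/24"))
    print("Employee -> Production_Servers SQL:",
          sgacl_decision("Employee", "Production_Servers", "SQL"))
```

With four sites the same six intent lines become 56 traditional ACL entries; a fifth site pushes that to 70 while the SGT policy still holds six entries. That is the audit point on the slide: with SGTs, reviewing the policy means reading six lines and checking that endpoints are classified correctly, not reading every address pair.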
Policy and segmentation
Voice, Data, Suppliers, Guest, Quarantine
Access Layer / Aggregation Layer
VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies using more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer, Data Center Firewall
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
(Diagram: resources Internet, Confidential Patient Records, Internal Employee Intranet; users: Who: Guest, What: iPad, Where: Office / Who: Receptionist, What: iPad, Where: Office / Who: Doctor, What: Laptop, Where: Office)
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
– US-CERT
Traditional Security Policy
(Slide graphic: a wall of hundreds of "access-list 102 permit/deny ..." entries with arbitrary addresses and ports, shown to illustrate the size and opacity of an address-based ACL)
TrustSec Security Policy
With TrustSec: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless – flexible and scalable policy enforcement
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
ISE is the cornerstone of your Cisco solutions
(Diagram: ISE at the centre with Who / What / Where / When / How context, across Before, During and After: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services)
And easily integrates with partner solutions
(Diagram: ISE pxGrid controller sharing Who / What / Where / When / How context with Cisco Meraki and partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management)
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
Context: Who, What, Where, When, How
Cisco Network – ISE – pxGrid controller – Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify Administration: Single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: Create device-specific policies that allow or deny Web content access based on endpoint compliance
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources
(Diagram: Identity Services Engine, WSA, Confidential Patient Records, Employee Intranet; Who: Doctor, What: Laptop, Where: Office / Who: Doctor, What: iPad, Where: Office / Who: Guest, What: iPad, Where: Office)
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: Leverage ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
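The containment sequence on this slide, as an added simulation in Python; it is not FMC, ISE or pxGrid code. The ANC policy name, the SGT names, the session record, the file-hash placeholder and the FMC event are all constructed, and the egress matrix holds only the cells needed to show the effect of the tag change (including the un-quarantine step that restores the original tag once remediation is done).

```python
"""Rapid threat containment: FMC event -> ANC policy -> SGT change -> CoA (constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (source SGT, destination SGT) -> action; subset of the matrix cells the deck shows
EGRESS_MATRIX: Dict[Tuple[str, str], str] = {
    ("Employee", "Internet"): "permit",
    ("Employee", "HR_Server"): "permit",
    ("Employee", "Remediation"): "permit",
    ("Infected", "Internet"): "deny",
    ("Infected", "HR_Server"): "deny",
    ("Infected", "Remediation"): "permit",
}


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    sgt: str
    anc_policy: Optional[str] = None
    coa_log: List[Tuple[str, str, str]] = field(default_factory=list)


class IseSimulator:
    """Holds active sessions and the ANC policies a pxGrid client may invoke."""

    def __init__(self):
        self.sessions: Dict[str, Session] = {}            # keyed by endpoint IP
        self.original_sgt: Dict[str, str] = {}
        self.anc_policies = {"QUARANTINE_SUSPICIOUS": "Infected"}  # ANC policy -> SGT applied

    def add_session(self, s: Session) -> None:
        self.sessions[s.ip] = s

    def handle_mitigation(self, event: dict) -> str:
        """Apply a mitigation published by FMC. Only known sessions and known
        ANC policies are acted on, so a malformed event cannot create a
        session or assign an arbitrary tag."""
        s = self.sessions.get(event.get("src_ip", ""))
        if s is None:
            return "ignored:unknown-endpoint"
        policy = event.get("anc_policy", "")
        if policy not in self.anc_policies:
            return "ignored:unknown-policy"
        self.original_sgt.setdefault(s.ip, s.sgt)
        s.anc_policy = policy
        s.sgt = self.anc_policies[policy]
        s.coa_log.append(("CoA-reauth", s.mac, s.sgt))   # NAD re-authorizes with the new SGT
        return "quarantined:" + s.sgt

    def clear_mitigation(self, ip: str) -> str:
        """Un-quarantine after remediation: restore the pre-incident SGT."""
        s = self.sessions.get(ip)
        if s is None or s.anc_policy is None:
            return "ignored"
        s.anc_policy = None
        s.sgt = self.original_sgt.pop(ip)
        s.coa_log.append(("CoA-reauth", s.mac, s.sgt))
        return "restored:" + s.sgt

    def check_access(self, ip: str, dst_sgt: str) -> str:
        """What the enforcement point does with traffic from this endpoint."""
        s = self.sessions[ip]
        return EGRESS_MATRIX.get((s.sgt, dst_sgt), "deny")


def simulate() -> List[str]:
    """Constructed walk-through of steps 1 to 5 on the slide."""
    ise = IseSimulator()
    ise.add_session(Session("00:11:22:33:44:55", "10.1.1.50", "bob", "Employee"))
    trace = [ise.check_access("10.1.1.50", "HR_Server")]               # permit before the event
    fmc_event = {                                                     # constructed pxGrid message
        "source": "FMC", "disposition": "malware",
        "sha256": "<constructed-hash-placeholder>",
        "src_ip": "10.1.1.50", "anc_policy": "QUARANTINE_SUSPICIOUS",
    }
    trace.append(ise.handle_mitigation(fmc_event))                   # quarantined:Infected
    trace.append(ise.check_access("10.1.1.50", "HR_Server"))         # deny
    trace.append(ise.check_access("10.1.1.50", "Remediation"))       # permit
    trace.append(ise.handle_mitigation(                              # unknown host: ignored
        {"src_ip": "10.9.9.9", "anc_policy": "QUARANTINE_SUSPICIOUS"}))
    trace.append(ise.clear_mitigation("10.1.1.50"))                  # restored:Employee
    return trace


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

Two details worth keeping when this is wired up for real: the mitigation only ever selects from a fixed set of ANC policies (the publisher names a policy, never a tag or an ACL), and the CoA log gives the SOC a record of every tag change so that a quarantine triggered by a false positive can be traced and reversed.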
• Administration → pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies → Actions → Remediations → Modules → pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on “mitigate source”
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
(Diagram zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE)
Role-based access control
Simplify security management with role-based access
TACACS+ Device Administration
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
Simplified, centralized device administration: Increase security compliance auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
(Diagram: Security Admin Team and Network Admin Team each using the TACACS+ Work Center)
TACACS+ Device Administration Support for ISE 2.0
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
• Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
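To make the policy-set and command-set ideas on these slides concrete, here is an added Python illustration (not Cisco's code, and not how ISE implements this internally): device-administration policy sets are selected by the device's NDG attributes, each admin role maps to a TACACS+ command set, and every command decision produces an audit record of who ran what on which device. The device names, NDG values, roles and command patterns are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CommandSet:
    """A TACACS+-style command set: deny patterns win, then 'permit any', then permit patterns."""
    name: str
    permit_any: bool = False
    permit: List[str] = field(default_factory=list)   # regexes matched against the full command
    deny: List[str] = field(default_factory=list)     # regexes that override any permit

    def allows(self, command: str) -> bool:
        if any(re.fullmatch(p, command) for p in self.deny):
            return False
        if self.permit_any:
            return True
        return any(re.fullmatch(p, command) for p in self.permit)


# Constructed Network Device Groups: each device carries a Device Type and a Location,
# the two axes the slide says to differentiate policy on.
DEVICES: Dict[str, Dict[str, str]] = {
    "sw-hq-1":  {"Device Type": "IOS Switches", "Location": "HQ"},
    "wlc-hq-1": {"Device Type": "Airespace WLCs", "Location": "HQ"},
    "asa-br-1": {"Device Type": "ASA", "Location": "Branch"},
}

# Constructed policy sets, one per device type; each maps an admin role to a command set.
POLICY_SETS: Dict[str, Dict[str, CommandSet]] = {
    "IOS Switches": {
        "netadmin": CommandSet("IOS-Full", permit_any=True),
        "helpdesk": CommandSet("IOS-ReadOnly",
                               permit=[r"show .*", r"ping .*", r"traceroute .*"],
                               deny=[r"show running-config.*"]),
    },
    "Airespace WLCs": {
        "netadmin": CommandSet("WLC-Full", permit_any=True),
        "helpdesk": CommandSet("WLC-Show", permit=[r"show .*"]),
    },
    "ASA": {
        "secadmin": CommandSet("ASA-Full", permit_any=True),
        "netadmin": CommandSet("ASA-ReadOnly", permit=[r"show .*"]),
    },
}


def select_policy_set(device: str) -> str:
    """Pick the policy set from the device's NDG 'Device Type' (unknown devices get none)."""
    return DEVICES.get(device, {}).get("Device Type", "")


def authorize_command(user: str, role: str, device: str, command: str) -> dict:
    """Authorize one CLI command and return the audit record that command
    accounting would log: who, where, which policy set and command set, result."""
    policy_set = select_policy_set(device)
    cmdset: Optional[CommandSet] = POLICY_SETS.get(policy_set, {}).get(role)
    permitted = cmdset is not None and cmdset.allows(command)
    return {
        "user": user,
        "role": role,
        "device": device,
        "location": DEVICES.get(device, {}).get("Location"),
        "policy_set": policy_set or None,
        "command_set": cmdset.name if cmdset else None,
        "command": command,
        "result": "PERMIT" if permitted else "DENY",
    }


if __name__ == "__main__":
    for args in [("alice", "helpdesk", "sw-hq-1", "show ip interface brief"),
                 ("alice", "helpdesk", "sw-hq-1", "show running-config"),
                 ("bob", "netadmin", "asa-br-1", "configure terminal"),
                 ("carol", "secadmin", "asa-br-1", "configure terminal")]:
        rec = authorize_command(*args)
        print(f'{rec["result"]:6} {rec["user"]}@{rec["device"]} '
              f'[{rec["policy_set"]}/{rec["command_set"]}]: {rec["command"]}')
```

The deny-before-permit order is what makes a read-only set safe against a broad `show .*` pattern: the helpdesk role can run `show ip interface brief` but not `show running-config`, and a role that has no command set in the selected policy set is denied everything rather than falling through.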
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
With non-Cisco device integration
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don’t just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today”
- Forrester 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives”
- Frost & Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group 2014
Live Demo
Centralized Control
Deeper Visibility
Superior Protection
Context
Make fully informed decisions with rich contextual awareness

Extensive context awareness:
Who: Bob
What: Tablet
Where: Building 200, 1st floor
When: 11:00 AM EST on April 10th
How: Wireless
Result: The right user on the right device from the right place is granted the right access

Poor context awareness:
Who: IP Address 192168151
What: Unknown
Where: Unknown
When: Unknown
How: Unknown
Result: Any user on any device anywhere gets on the network
Better Visibility: Revamped the Endpoints Identity Page
Clicking Filters Below
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in the authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Example: patient data access by location
Role   | Lobby                     | Patient room           | Lab                       | ER
Doctor | No access to patient data | Access to patient data | No access to patient data | Access to patient data
Patient data access locations: Patient room and ER; no access from Lab and Lobby
ISE 2.0
Location Based Authorization: Authorize user access to the network based on their location
UI to Configure MSE
I have Location Data: Campus / Building / Floor / Zone
How it works
• Administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1Building1Floor2SecureZone
• +150 TPS (transactions per second)
• Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address. ISE queries the endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location is received, ISE updates the collection with the new information and invokes CoA on the session.
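The polling-and-CoA flow above, as an added Python sketch that is not Cisco's code: a rule keyed on an MSE location condition, an initial authorization, and a periodic location check that does nothing when the reported location is unchanged and issues a CoA when it changes. The rules, the hierarchy delimiter ("/" between Campus, Building, Floor and Zone) and the endpoint's path through the building are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed location string in the slide's Campus/Building/Floor/Zone order; the "/"
# delimiter is an assumption, the slide does not show one.
SECURE_ZONE = "LND_Campus1/Building1/Floor2/SecureZone"

# Constructed authorization rules: (MSE location condition, authorization profile),
# evaluated top-down, first match wins. A rule matches when the endpoint's location
# equals the condition or lies beneath it in the hierarchy.
RULES: List[Tuple[str, str]] = [
    (SECURE_ZONE, "PermitSecureResources"),
    ("LND_Campus1", "PermitInternalOnly"),
]
DEFAULT_PROFILE = "DenyAccess"


@dataclass
class Session:
    mac: str
    user: str
    location: str      # location last collected from MSE
    profile: str       # authorization profile currently applied on the NAD


def location_matches(condition: str, location: str) -> bool:
    """'MSE:Location Equals X' in the hierarchical sense: X itself or anything below X.
    Comparison is per component, so Campus1 does not match Campus10."""
    want = condition.split("/")
    have = location.split("/")
    return have[:len(want)] == want


def authorize(location: str) -> str:
    for condition, profile in RULES:
        if location_matches(condition, location):
            return profile
    return DEFAULT_PROFILE


def authenticate(mac: str, user: str, mse_lookup: Callable[[str], str]) -> Session:
    """Initial authentication: pull the location from MSE and authorize once."""
    loc = mse_lookup(mac)
    return Session(mac=mac, user=user, location=loc, profile=authorize(loc))


def periodic_location_check(session: Session, mse_lookup: Callable[[str], str]) -> Dict[str, str]:
    """One tracking cycle (the slide: roughly every 5 minutes at 150 TPS).
    No change -> do nothing. New location -> update the session and issue a CoA
    so the NAD re-authorizes with the profile that matches the new location."""
    new_location = mse_lookup(session.mac)
    if new_location == session.location:
        return {"action": "none", "location": session.location, "profile": session.profile}
    session.location = new_location
    session.profile = authorize(new_location)
    return {"action": "CoA", "location": new_location, "profile": session.profile}


def simulate_movement(path: List[str]) -> List[Dict[str, str]]:
    """Walk a constructed endpoint through a list of MSE-reported locations (the first
    one is seen at authentication) and return what each tracking cycle did."""
    reports = iter(path)
    lookup = lambda mac: next(reports)   # stands in for the MSE query by MAC
    session = authenticate("00:11:22:33:44:55", "alice", lookup)
    return [periodic_location_check(session, lookup) for _ in path[1:]]
```

Walking a device from the secure zone to a lobby on the same campus and then off-site produces `none, CoA, none, CoA`: the first CoA drops it to the internal-only profile, the second to the default deny, and cycles with an unchanged location cost nothing beyond the MSE query.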
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: Network, data and application
Enterprise Mobility
Apply access and usage policies across the entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram: Wired, Wireless, VPN, Branch, Headquarters, Remote User, Partner, Admin, Contractor, Guest
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Diagram: Employee, IT Staff, Device Profiling, Internal Employee Intranet (www), Confidential HR Records
Bring Your Own Device (BYOD)
Enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user “My Devices” portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Benefits
Better security: Minimize the risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Onboarding flow
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Guest: Immediate uncredentialed Internet access with Hotspot -> Internet
Guest: Simple self-registration -> Internet
Guest/Sponsor: Role-based access with employee sponsorship -> Internet and Network
Guest Lifecycle Management: Hotspot
Guest access made easy
Feature Highlight: Immediate uncredentialed access with Hotspot
1. User associates to an open SSID
2. User tries to access the Web; identified by ISE as a guest and redirected to the guest captive portal
3. After checking the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal example: Secret code: chemist)
Guest Lifecycle Management: Self Registration
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible guest self-registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Endpoint Compliance: Rest assured that ISE is keeping track
Tracked criteria: OS patches, AV installed, Registered, Custom criteria, Vulnerable
EMM integrations: Identifies device, Checks posture, Ensures policy compliance, Quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow
1. Authenticate: Authenticate user, authenticate endpoint; Posture = Unknown/Non-compliant
2. Quarantine: dVLAN, dACL, SGT
3. Posture Assess: OS, Hotfix, AV/AS, Personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc.…
5. Posture = Compliant
6. Authorize: Permit access (dACL, dVLAN, SGT, etc.…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable Agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
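The flow and the Mandatory/Optional/Audit modes above, as an added Python model that is not Cisco's code or AnyConnect's: the endpoint starts in quarantine with posture Unknown, each check is evaluated, failed mandatory and optional checks get their remediation and are re-checked, and only a mandatory check that still fails keeps the endpoint in quarantine. The check names, the remediation stand-ins, the dACL/dVLAN/SGT values and the sample endpoint are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def sample_endpoint() -> Dict:
    """Constructed agent report for one endpoint (not real telemetry)."""
    return {
        "os": "Windows 10",
        "missing_hotfixes": ["KB-EXAMPLE-1"],   # placeholder id, not a real hotfix number
        "av_installed": True,
        "av_definitions_age_days": 12,
        "personal_fw_enabled": False,
        "disk_encrypted": False,
    }


@dataclass
class Check:
    name: str
    mode: str                                            # "mandatory" | "optional" | "audit"
    passes: Callable[[Dict], bool]
    remediate: Optional[Callable[[Dict], None]] = None   # automatic remediation, if any


# Remediation actions stand in for what the slide lists (WSUS, launch app, scripts).
def _install_patches(ep: Dict) -> None:
    ep["missing_hotfixes"] = []


def _update_av_definitions(ep: Dict) -> None:
    ep["av_definitions_age_days"] = 0


def _enable_firewall(ep: Dict) -> None:
    ep["personal_fw_enabled"] = True


CHECKS: List[Check] = [
    Check("os-hotfixes", "mandatory", lambda e: not e["missing_hotfixes"], _install_patches),
    Check("av-installed", "mandatory", lambda e: e["av_installed"]),
    Check("av-definitions-current", "mandatory", lambda e: e["av_definitions_age_days"] <= 7, _update_av_definitions),
    Check("personal-firewall", "mandatory", lambda e: e["personal_fw_enabled"], _enable_firewall),
    Check("disk-encryption", "optional", lambda e: e["disk_encrypted"]),
    Check("approved-os", "audit", lambda e: e["os"].startswith("Windows 10")),
]

# Authorization results: quarantine while posture is Unknown/NonCompliant, full access once Compliant.
QUARANTINE = {"dACL": "PERMIT-REMEDIATION-SERVERS-ONLY", "dVLAN": "quarantine", "SGT": "Quarantine"}
PERMIT_ACCESS = {"dACL": "PERMIT-ALL", "dVLAN": "corp", "SGT": "Employee"}


def initial_authorization() -> Dict:
    """Right after authentication posture is still Unknown, so the endpoint lands in
    quarantine with only what it needs to reach the agent and remediation servers."""
    return {"posture": "Unknown", "authorization": QUARANTINE}


def assess(endpoint: Dict, checks: List[Check] = CHECKS) -> Dict:
    """Run every check; try remediation on failed mandatory/optional checks and re-check.
    Only a still-failing mandatory check makes the endpoint NonCompliant; optional
    failures are reported but do not block, audit checks are only recorded."""
    report = {"remediated": [], "failed_mandatory": [], "failed_optional": [], "audit_failed": []}
    for check in checks:
        ok = check.passes(endpoint)
        if not ok and check.remediate is not None and check.mode != "audit":
            check.remediate(endpoint)
            report["remediated"].append(check.name)
            ok = check.passes(endpoint)
        if ok:
            continue
        bucket = {"mandatory": "failed_mandatory", "optional": "failed_optional",
                  "audit": "audit_failed"}[check.mode]
        report[bucket].append(check.name)
    compliant = not report["failed_mandatory"]
    report["posture"] = "Compliant" if compliant else "NonCompliant"
    report["authorization"] = PERMIT_ACCESS if compliant else QUARANTINE
    return report
```

On the constructed endpoint three mandatory checks fail and are remediated in place, the optional disk-encryption check fails without blocking, and the result is Compliant with the full-access authorization; flipping `av_installed` to false leaves a mandatory failure with no remediation, so the endpoint stays in quarantine.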
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X file checks: SHA-256, plist on OS X; Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check | User Agent check, user-based process check
Disk Encryption Check | Checks can be based on installation location and disk encryption state
Native Patch Management | Patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: Similar to registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Windows ISE Posture – Disk Encryption
Windows ISE Posture – Native Patch Management via OPSWAT
ISE Posture – Patch Management: Windows OS Example (Product Name and Version)
Install is the default support for all; optionally may support checks for “Enabled” or “Up to Date”
Min. version of compliance module that provides support
ISE Posture – Patch Management: Mac OS Example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices Portal (Device Stolen, Wipe Corporate Data)
Flow: 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
Streamline management using a single workspace
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules with TrustSec’s new user interface
TrustSec Work Center: Access policy matrix
Rows (source SGT): Guest, Contractor, Employee, Infected
Columns (destination): Internet, Contractor Resources, HR Server, Employee Resources, Remediation
Each cell of the matrix is either Permit IP or Deny IP
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule: Source -> Destination
Sources: NY (multiple subnets …), SF, LA, SJC
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers); DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a destination object, adding a source object: complex task, and high OPEX continues
A global bank currently dedicates 24 global resources to managing firewall rules
Low OPEX Security Policy Maintenance
Security Group Filtering
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Sources: NY, SF, LA, SJC (Employee and BYOD); Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers); DC-RTP (VDI) (VDI Servers)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
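The two slides above (high-OPEX IP ACLs versus low-OPEX Security Group policy) and the access policy matrix earlier, as an added Python comparison that is not Cisco's code or the bank's: the same six-row role policy is expanded into per-subnet, per-server IOS extended ACL lines to show how it grows, while the SGT lookup a TrustSec enforcement point applies stays at six rows. The subnets and server addresses are constructed stand-ins for the slide's NY/SF/LA/SJC and SRV1/SAP1/SCM2/VDI objects; the SGT numbers are the slide's.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed site subnets standing in for the slide's source objects.
SITES: Dict[str, List[str]] = {
    "NY": ["10.23.4.0/24", "10.23.5.0/24", "10.23.6.0/24"],
    "SF": ["10.31.2.0/24", "10.31.5.0/24"],
    "LA": ["10.41.1.0/24"],
    "SJC": ["10.50.7.0/24"],
}
# Constructed server addresses for the slide's destination objects.
SERVERS: Dict[str, str] = {"SRV1": "10.100.1.10", "SAP1": "10.100.1.20",
                           "SCM2": "10.100.2.30", "VDI": "10.100.3.40"}
SERVER_GROUPS: Dict[str, List[str]] = {"Production_Servers": ["SRV1", "SAP1", "SCM2"], "VDI": ["VDI"]}
SERVICES: Dict[str, Tuple[str, int]] = {"HTTPS": ("tcp", 443), "SQL": ("tcp", 1433),
                                        "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}

# SGT numbers as on the slide.
SGT_NUMBERS = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# The slide's low-OPEX policy, stated once per role:
# (source SGT, destination SGT, service or None for any service, action).
SGT_POLICY: List[Tuple[str, str, Optional[str], str]] = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]


def sgt_decision(src_sgt: str, dst_sgt: str, service: str) -> str:
    """Look up the SGT policy for a flow: first matching row wins, default deny."""
    for src, dst, svc, action in SGT_POLICY:
        if src == src_sgt and dst == dst_sgt and svc in (None, service):
            return action
    return "deny"


def expand_traditional_acl(sites: Dict[str, List[str]] = SITES, name: str = "102") -> List[str]:
    """Render the Employee rows of the same intent as IOS extended ACL lines.
    An IP address says nothing about the user's role, so the BYOD rows cannot be
    expressed this way at all, and every subnet x server x service pair needs its own line."""
    lines = []
    for src, dst, svc, action in SGT_POLICY:
        if src != "Employee":
            continue
        proto, port = SERVICES[svc]
        for subnets in sites.values():
            for subnet in subnets:
                net = ipaddress.ip_network(subnet)
                for server in SERVER_GROUPS[dst]:
                    lines.append(f"access-list {name} {action} {proto} "
                                 f"{net.network_address} {net.hostmask} "
                                 f"host {SERVERS[server]} eq {port}")
    return lines


def lines_added_by_new_site(new_subnets: List[str]) -> int:
    """How many ACL lines one new source object costs (versus zero new SGT rows)."""
    grown = dict(SITES, NEWSITE=new_subnets)   # constructed site name
    return len(expand_traditional_acl(grown)) - len(expand_traditional_acl())


if __name__ == "__main__":
    acl = expand_traditional_acl()
    print(f"{len(acl)} traditional ACL lines vs {len(SGT_POLICY)} SGT policy rows")
    print(acl[0])
    print("new site with one subnet adds", lines_added_by_new_site(["10.60.1.0/24"]), "ACL lines")
```

With the constructed seven subnets the Employee intent alone becomes 70 ACL lines, each new subnet adds ten more, and the BYOD rows still have no IP expression; the SGT lookup answers the same questions from six rows and returns deny for anything not written down, which is what the slide's "policy stays with users and servers regardless of location or topology" amounts to.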
Policy and segmentation
Simple segmentation with 2 VLANs; more policies using more VLANs
Access Layer: Voice, Data, Suppliers, Guest, Quarantine
Aggregation Layer: VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Segmentation with Security Groups
Retaining the initial VLAN/Subnet design: Voice, Data, Suppliers, Guest, Quarantine
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer, Data Center Firewall
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Resources: Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network”
- US-CERT
Traditional Security Policy: [slide graphic: a wall of traditional `access-list 102 permit/deny …` entries, one line per IP source, destination and port combination]
TrustSec Security Policy with TrustSec: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement: software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
ISE is the cornerstone of your Cisco solutions
ISE (Who, What, Where, When, How) across BEFORE, DURING and AFTER: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
And easily integrates with partner solutions
ISE pxGrid controller (Who, What, Where, When, How); Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
ISE, Cisco Network, pxGrid controller, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance
Better visibility: Detailed reporting to understand how, when and from what devices users access Web resources
Diagram: Identity Services Engine, WSA; Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office; resources: Confidential Patient Records, Employee Intranet
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: Leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
How the containment flow works:
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE over pxGrid, which changes the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
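The containment flow above, as an added simulation (not Cisco's code and not the pxGrid API): a FireSIGHT-style detector publishes a containment request on a pxGrid-style bus, an ISE-style controller applies an ANC quarantine by re-tagging the session's SGT and pushing CoA, and enforcement follows the new tag. SGT numbers, the policy matrix, MACs and file hashes are all constructed for the example.

```python
"""Rapid threat containment, simulated (added example; not Cisco code).  A detector
publishes a containment request on a pxGrid-style bus; an ISE-style controller applies
an ANC quarantine by re-tagging the session's SGT and pushing CoA, and enforcement
follows the new tag.  SGT numbers, hashes and MACs are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed SGT numbers and a tiny TrustSec matrix: source SGT -> destination SGT -> action.
SGT_EMPLOYEE, SGT_QUARANTINE = 10, 255
DST_HR_SERVER, DST_INTERNET, DST_REMEDIATION = 50, 60, 70
POLICY: Dict[int, Dict[int, str]] = {
    SGT_EMPLOYEE:   {DST_HR_SERVER: "permit", DST_INTERNET: "permit", DST_REMEDIATION: "permit"},
    SGT_QUARANTINE: {DST_HR_SERVER: "deny",   DST_INTERNET: "deny",   DST_REMEDIATION: "permit"},
}


@dataclass
class Session:
    mac: str
    user: str
    sgt: int
    anc_policy: str = ""   # "Quarantine" once ANC has been applied
    coa_count: int = 0     # Change-of-Authorization pushes sent to the switch/WLC


class PxGridBus:
    """Topic-based publish/subscribe standing in for the pxGrid controller."""
    def __init__(self) -> None:
        self.subscribers: Dict[str, List[Callable[[dict], None]]] = {}

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self.subscribers.setdefault(topic, []).append(handler)

    def publish(self, topic: str, event: dict) -> None:
        for handler in self.subscribers.get(topic, []):
            handler(event)


class Ise:
    """ISE-like policy server: owns sessions, applies ANC actions, enforces the matrix."""
    def __init__(self, bus: PxGridBus) -> None:
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []
        bus.subscribe("anc/quarantine", self.on_quarantine_request)

    def add_session(self, session: Session) -> None:
        self.sessions[session.mac] = session

    def on_quarantine_request(self, event: dict) -> None:
        session = self.sessions.get(event["mac"])
        if session is None:
            self.audit.append(f"ignored request for unknown mac {event['mac']}")
            return
        if session.anc_policy == "Quarantine":
            self.audit.append(f"{session.mac} already quarantined")   # idempotent
            return
        session.anc_policy = "Quarantine"
        session.sgt = SGT_QUARANTINE
        session.coa_count += 1   # CoA re-authorizes the session with the new tag
        self.audit.append(f"{session.mac} ({session.user}) quarantined: {event['reason']}")

    def enforce(self, mac: str, dst_sgt: int) -> str:
        session = self.sessions[mac]
        return POLICY[session.sgt].get(dst_sgt, "deny")   # implicit deny


class Fmc:
    """FireSIGHT-like detector: asks for containment when a downloaded file is known-bad."""
    def __init__(self, bus: PxGridBus, bad_hashes: Set[str]) -> None:
        self.bus, self.bad_hashes = bus, bad_hashes

    def inspect_download(self, mac: str, sha256: str) -> bool:
        if sha256 not in self.bad_hashes:
            return False
        self.bus.publish("anc/quarantine", {"mac": mac, "reason": f"malicious file {sha256[:12]}"})
        return True


def run_scenario() -> dict:
    """Employee downloads a clean file, then a known-bad one; returns what enforcement saw."""
    bus = PxGridBus()
    ise = Ise(bus)
    mac = "00:11:22:33:44:55"   # constructed
    ise.add_session(Session(mac=mac, user="alice", sgt=SGT_EMPLOYEE))
    fmc = Fmc(bus, bad_hashes={"deadbeef" * 8})   # constructed placeholder hash
    before = ise.enforce(mac, DST_HR_SERVER)
    clean = fmc.inspect_download(mac, "cafef00d" * 8)
    flagged = fmc.inspect_download(mac, "deadbeef" * 8)
    fmc.inspect_download(mac, "deadbeef" * 8)   # duplicate alert: no second CoA
    return {"before": before, "clean": clean, "flagged": flagged,
            "after": ise.enforce(mac, DST_HR_SERVER),
            "remediation": ise.enforce(mac, DST_REMEDIATION),
            "coa": ise.sessions[mac].coa_count, "audit": ise.audit}
```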
FireSIGHT Management Center: Registered FMC pxGrid client
• Administration > pxGrid Services
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Diagram: the network is divided into an Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone and Dev Zone
TACACS+ Device Administration
Simplify security management with role-based access control
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: Increase security compliance auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
TACACS+ Device Administration Support for ISE 2.0
Diagram: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type: Cisco IOS Switches, Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Protect consistently: Deploy ISE across network devices including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information, refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today" (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Live Demo
Extensive context awareness
Make fully informed decisions with rich contextual awareness
Extensive context awareness: Who: Bob; What: Tablet; Where: Building 200, 1st floor; When: 11:00 AM EST on April 10th; How: Wireless. Result: the right user on the right device from the right place is granted the right access
Poor context awareness: IP Address 192168151 only; Who, What, Where, When and How are unknown. Result: any user, any device, anywhere gets on the network
Better Visibility: Revamped the Endpoints Identity Page (clicking filters below)
New TrustSec Dashboard & Work Center
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities (with the integration of Cisco Mobility Services Engine (MSE))
• Enables configuration of location hierarchy across all location entities
• Applies MSE location attributes into the access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on new location
Example: a Doctor's access to patient data by location: Lobby: no access; Patient room: access; Lab: no access; ER: access (patient data access locations: Patient room, ER)
ISE 2.0 Location-Based Authorization: Authorize user access to the network based on their location
UI to configure MSE: "I have Location Data: Campus, Building, Floor, Zone"
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1Building1Floor2SecureZone
• 150+ TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC address. ISE queries the endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location is received, ISE updates the collection with the new information and invokes CoA on the session.
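The tracking loop described above, as an added simulation (not Cisco's code and not the MSE or ISE API): a mock MSE answers location queries, an ISE-like tracker re-checks each endpoint about every 5 minutes, and a location change triggers CoA and re-evaluation of a location rule. The zone path format, MACs, rule and timings are constructed assumptions.

```python
"""Endpoint-movement tracking, simulated (added example; not Cisco code).  A mock MSE
answers location queries; an ISE-like tracker re-checks each tracked endpoint about
every 5 minutes, and when the location changed it updates the session and invokes CoA
so the location-based authorization rule is re-evaluated.  Paths, MACs and timings
are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CHECK_INTERVAL_S = 300      # "about every 5 minutes"
MAX_QUERIES_PER_TICK = 150  # stand-in for the 150 TPS query budget


@dataclass
class TrackedSession:
    mac: str
    user: str
    location: str     # constructed path format: Campus/Building/Floor/Zone
    last_check: float
    coa_count: int = 0


class MockMse:
    """Answers 'where is this MAC' like an MSE; positions can be changed by the caller."""
    def __init__(self, positions: Dict[str, str]) -> None:
        self.positions = positions
        self.queries = 0

    def locate(self, mac: str) -> Optional[str]:
        self.queries += 1
        return self.positions.get(mac)


def authorize(location: str, allowed_zones: List[str]) -> str:
    """Constructed rule: permit when the MSE location is one of (or under) the allowed zones."""
    for zone in allowed_zones:
        if location == zone or location.startswith(zone + "/"):
            return "permit"
    return "deny"


class LocationTracker:
    def __init__(self, mse: MockMse, allowed_zones: List[str]) -> None:
        self.mse, self.allowed_zones = mse, allowed_zones
        self.sessions: Dict[str, TrackedSession] = {}
        self.events: List[str] = []

    def start_tracking(self, mac: str, user: str, now: float) -> str:
        """Called after authentication: record the initial location and authorize on it."""
        location = self.mse.locate(mac) or "Unknown"
        self.sessions[mac] = TrackedSession(mac, user, location, now)
        return authorize(location, self.allowed_zones)

    def tick(self, now: float) -> int:
        """Re-check sessions whose last check is older than the interval; return CoAs issued."""
        due = [s for s in self.sessions.values() if now - s.last_check >= CHECK_INTERVAL_S]
        coas = 0
        for s in due[:MAX_QUERIES_PER_TICK]:   # the rest wait for the next tick
            new_location = self.mse.locate(s.mac)
            s.last_check = now
            if new_location is None or new_location == s.location:
                continue   # no location change: do nothing
            old, s.location = s.location, new_location
            s.coa_count += 1   # CoA makes the NAD re-authorize with the new location attribute
            coas += 1
            self.events.append(f"{s.user}: {old} -> {new_location}, "
                               f"now {authorize(new_location, self.allowed_zones)}")
        return coas


def run_scenario() -> dict:
    mac = "aa:bb:cc:00:00:01"   # constructed
    secure = "Campus1/Building1/Floor2/SecureZone"
    mse = MockMse({mac: secure})
    tracker = LocationTracker(mse, allowed_zones=[secure])
    first = tracker.start_tracking(mac, "dr_smith", now=0.0)
    early = tracker.tick(now=120.0)                        # not due yet: no query, no CoA
    mse.positions[mac] = "Campus1/Building1/Floor1/Lobby"  # the endpoint walks to the lobby
    moved = tracker.tick(now=300.0)                        # due: changed -> CoA
    after = authorize(tracker.sessions[mac].location, tracker.allowed_zones)
    same = tracker.tick(now=600.0)                         # due: unchanged -> nothing
    return {"first": first, "early": early, "moved": moved, "after": after,
            "same": same, "queries": mse.queries, "events": tracker.events}
```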
Centralized Control
Deeper Visibility
Superior Protection
Enterprise Mobility: Control it all from a single location (network, data and application)
• Apply access and usage policies across the entire network
• Secure access from any location regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Diagram: Wired, Wireless, VPN and Branch connections from Headquarters and Remote Users; user types Admin, Partner, Contractor and Guest
Enable faster and easier device onboarding without any IT support
• Rapid device identification with out-of-the-box profiles (Device Profiling)
• Automated authentication and access to business assets
• Simplified device management from the self-service portal
Diagram: Employee and IT Staff devices reaching the Internal Employee Intranet, Confidential HR Records and the Web
Bring Your Own Device (BYOD)
Enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device; simple configuration flow and onboarding experience
Benefits
Better Security: Minimize the risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control the access of BYOD:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Hotspot: Immediate uncredentialed Internet access (Guest gets Internet)
Self-registration: Simple self-registration (Guest gets Internet)
Sponsored: Role-based access with employee sponsorship (Guest with Sponsor gets Internet and Network)
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate uncredentialed access with Hotspot
Guest access made easy
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends) the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot: Secret code "chemist")
Guest Lifecycle Management: Self Registration
Feature Highlight: Simple and flexible guest self-registration
Flexible, efficient and scalable solution that fits all your needs
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Endpoint Compliance: Rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom criteria, Vulnerable
EMM integrations: Identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow:
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, hotfix, AV, AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
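The posture flow above, as an added simulation (not Cisco's code and not the ISE posture engine): a freshly authenticated endpoint starts as Posture = Unknown behind a restrictive dACL, failed checks with a remediation action are remediated and re-checked, and only a compliant endpoint gets the full-access authorization. Check names, dACLs and endpoint attributes are constructed, and the Mandatory/Optional/Audit modes are simplified to "block on failure" versus "report only".

```python
"""Posture flow, simulated (added example; not Cisco code).  A newly authenticated
endpoint starts as Posture = Unknown and is quarantined with a restrictive dACL; the
checks run, failed checks that have a remediation action are remediated and re-checked,
and only a compliant endpoint gets the full-access authorization.  Mandatory / Optional /
Audit modes are simplified to "block on failure" vs "report only".  Check names, dACLs
and endpoint attributes are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

QUARANTINE_DACL = ["permit ip any host 10.0.0.10", "deny ip any any"]  # constructed: remediation server only
FULL_ACCESS_DACL = ["permit ip any any"]


@dataclass
class PostureCheck:
    name: str
    passes: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None   # WSUS, launch app, script...


def _patch_via_wsus(e: dict) -> None:          # stands in for a WSUS remediation
    e["missing_hotfixes"] = 0


def _update_av_definitions(e: dict) -> None:   # only possible if AV is installed
    if e["av_installed"]:
        e["av_def_age_days"] = 0


def _enable_firewall(e: dict) -> None:         # "launch app" style remediation
    e["firewall_on"] = True


# Constructed checks modelled on the slide's list: OS hotfix, AV/AS, personal FW, disk encryption.
CHECKS: List[PostureCheck] = [
    PostureCheck("os_hotfix", lambda e: e["missing_hotfixes"] == 0, _patch_via_wsus),
    PostureCheck("av_current", lambda e: e["av_installed"] and e["av_def_age_days"] <= 7,
                 _update_av_definitions),
    PostureCheck("personal_firewall", lambda e: e["firewall_on"], _enable_firewall),
    PostureCheck("disk_encrypted", lambda e: e["disk_encrypted"]),   # no automatic remediation
]


@dataclass
class Session:
    mac: str
    endpoint: dict
    posture: str = "Unknown"
    dacl: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def assess(session: Session, mode: str = "Mandatory") -> Session:
    """Quarantine -> Assess -> Remediate -> re-check -> Authorize, for one session."""
    if mode not in ("Mandatory", "Optional", "Audit"):
        raise ValueError(f"unknown posture mode {mode}")
    session.dacl = QUARANTINE_DACL   # Posture = Unknown: restricted access while we assess
    failed: List[str] = []
    for check in CHECKS:
        if check.passes(session.endpoint):
            continue
        if check.remediate is not None:
            check.remediate(session.endpoint)
            session.log.append(f"remediated {check.name}")
        if not check.passes(session.endpoint):   # re-check after remediation
            failed.append(check.name)
    session.posture = "Compliant" if not failed else "Non-compliant"
    # Simplification: only Mandatory mode blocks; Optional and Audit report and let the user through.
    blocked = bool(failed) and mode == "Mandatory"
    session.dacl = QUARANTINE_DACL if blocked else FULL_ACCESS_DACL
    session.log.append(f"posture={session.posture} mode={mode} failed={failed}")
    return session


def run_scenario() -> Dict[str, dict]:
    """Two constructed endpoints: one fully remediable, one with an unencrypted disk."""
    remediable = {"missing_hotfixes": 3, "av_installed": True, "av_def_age_days": 30,
                  "firewall_on": False, "disk_encrypted": True}
    unencrypted = {"missing_hotfixes": 0, "av_installed": True, "av_def_age_days": 0,
                   "firewall_on": True, "disk_encrypted": False}
    a = assess(Session("aa:aa:aa:00:00:01", dict(remediable)))
    b = assess(Session("aa:aa:aa:00:00:02", dict(unencrypted)))
    c = assess(Session("aa:aa:aa:00:00:03", dict(unencrypted)), mode="Audit")
    return {"remediable": {"posture": a.posture, "dacl": a.dacl, "remediations": len(a.log) - 1},
            "mandatory": {"posture": b.posture, "dacl": b.dacl},
            "audit": {"posture": c.posture, "dacl": c.dacl}}
```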
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights and Description:
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: User agent check, user-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS Example
Product Name and Version
Install is the default support for all; optionally may support checks for "Enabled" or "Up to Date"
Min version of the compliance module that provides support
ISE Posture: Patch Management, Mac OS Example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating System: Windows only supported
• Vendor Name: list is loaded from the OPSWAT update
• Remediation options: Enabled, Install missing patches, Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices portal (Device Stolen, Wipe Corporate Data)
Flow: 1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
Streamline management using a single workspace
TrustSec Work Center: Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits (with TrustSec's new user interface)
Simplify management with a dedicated work center allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Access policy matrix (diagram): source SGTs Guest, Contractor, Employee and Infected against destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell holds Permit IP or Deny IP
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: Source, Destination
Sources: NY, SF, LA, SJC (each represented by a list of subnets)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object or adding a destination object grows the list again
A global bank currently dedicates 24 global resources to manage firewall rules
Complex task and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering
Source SGT: Employee (10), BYOD (200); Destination SGT: Production_Servers (50), VDI (201)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology (sites NY, SF, LA, SJC; DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI) as VDI Servers)
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization) (e.g., the bank now estimates 6 global resources)
Clear ROI in OPEX
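The two slides above contrasted, as an added example (not Cisco's code): it builds the per-site IP ACL, builds the six-line security-group policy using the slide's SGT numbers, judges the same flows by both, and counts the rules each approach needs when a fifth site is added. Site subnets, server addresses and the extra site are constructed; the SGT numbers and the six rules are the slide's.

```python
"""IP-based ACLs versus security-group filtering (added example; not Cisco code).  Builds
the per-site ACL, builds the six-line SGT policy with the slide's tag numbers, evaluates
the same flows against both, and counts the rules each needs when a site is added.
Subnets, server addresses and the extra site are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SITES = {"NY": "10.23.0.0/16", "SF": "10.31.0.0/16", "LA": "10.41.0.0/16", "SJC": "10.51.0.0/16"}
SERVERS = {"SRV1": "172.16.10.1", "SAP1": "172.16.10.2", "SCM2": "172.17.10.3", "VDI": "172.17.20.4"}
SERVER_ROLE = {"SRV1": "Production_Servers", "SAP1": "Production_Servers",
               "SCM2": "Production_Servers", "VDI": "VDI"}
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}  # numbers from the slide

AclEntry = Tuple[str, str, str, str]   # (action, source subnet, destination host, service)


def build_ip_acl(sites: Dict[str, str]) -> List[AclEntry]:
    """Traditional ACL: the same four lines repeated for every site, as the slide shows."""
    acl: List[AclEntry] = []
    for subnet in sites.values():
        acl.append(("permit", subnet, SERVERS["SRV1"], "HTTPS"))
        acl.append(("deny", subnet, SERVERS["SAP1"], "SQL"))
        acl.append(("deny", subnet, SERVERS["SCM2"], "SSH"))
        acl.append(("permit", subnet, SERVERS["VDI"], "RDP"))
    return acl


def ip_acl_decide(acl: List[AclEntry], src_ip: str, dst_ip: str, service: str) -> str:
    src = ipaddress.ip_address(src_ip)
    for action, subnet, dst, svc in acl:   # first match wins, implicit deny at the end
        if src in ipaddress.ip_network(subnet) and dst == dst_ip and svc == service:
            return action
    return "deny"


# Security group filtering: the six rules from the slide.  None = any service.
SGT_POLICY: List[Tuple[str, str, str, Optional[str]]] = [
    ("permit", "Employee", "Production_Servers", "HTTPS"),
    ("deny", "Employee", "Production_Servers", "SQL"),
    ("deny", "Employee", "Production_Servers", "SSH"),
    ("permit", "Employee", "VDI", "RDP"),
    ("deny", "BYOD", "Production_Servers", None),
    ("permit", "BYOD", "VDI", "RDP"),
]


def sgt_decide(src_role: str, dst_role: str, service: str) -> str:
    """Match on tags only: no subnet or host address is involved."""
    src_tag, dst_tag = SGT[src_role], SGT[dst_role]
    for action, s, d, svc in SGT_POLICY:
        if SGT[s] == src_tag and SGT[d] == dst_tag and (svc is None or svc == service):
            return action
    return "deny"


def decide_both(site: str, src_role: str, server: str, service: str) -> Tuple[str, str]:
    """The same flow judged by the IP ACL (sees only the subnet) and by SGT (sees the role)."""
    host = str(ipaddress.ip_network(SITES[site])[10])   # a constructed host inside the site
    return (ip_acl_decide(build_ip_acl(SITES), host, SERVERS[server], service),
            sgt_decide(src_role, SERVER_ROLE[server], service))


def rule_counts_with_new_site(new_subnet: str = "10.61.0.0/16") -> Dict[str, int]:
    """How many rules each approach needs before and after adding a fifth site."""
    sites = dict(SITES)
    before = len(build_ip_acl(sites))
    sites["DEN"] = new_subnet   # constructed extra site
    after = len(build_ip_acl(sites))
    return {"ip_acl_before": before, "ip_acl_after": after,
            "sgt_before": len(SGT_POLICY), "sgt_after": len(SGT_POLICY)}
```

The BYOD case is the interesting one: a personal device in the NY subnet is permitted to SRV1 by the IP ACL, because the ACL cannot tell it from an employee laptop, while the SGT policy denies it.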
Policy and segmentation
Traditional VLAN-based segmentation: Voice, Data, Suppliers, Guest and Quarantine VLANs at the Access Layer; VLAN, addressing, DHCP scope, redundancy, routing and static filtering at the Aggregation Layer
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Segmentation with Security Groups
Retaining the initial VLAN/subnet design: Voice, Data, Suppliers, Guest and Quarantine at the Access Layer, carrying Data Tag, Supplier Tag, Guest Tag and Quarantine Tag through the Aggregation Layer to the Data Center Firewall
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Diagram: Guest on an iPad in the office, Receptionist on an iPad in the office, Doctor on a laptop in the office; resources: Internet, Confidential Patient Records, Internal Employee Intranet
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network" (US-CERT)
Traditional Security Policy: a long list of per-IP access-list 102 entries
TrustSec Security Policy with TrustSec: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement: software-defined segmentation
[Slide 53]
Centralized Control
Deeper Visibility
Superior Protection
[Slide 54]
https://www.youtube.com/watch?v=CMsp8WiBxzM
[Slide 55]
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
[Slide 56]
ISE is the cornerstone of your Cisco solutions
[Figure: ISE at the centre, sharing Who / What / Where / When / How context across the attack continuum (Before, During, After) with NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services]
[Slide 57]
And easily integrates with partner solutions
[Figure: the ISE pxGrid controller sharing Who / What / Where / When / How context with Cisco Meraki and with partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management]
[Slide 58]
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
[Figure: ISE and the pxGrid controller in the Cisco network exchanging Who / What / Where / When / How context with the Cisco and partner ecosystem]
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
[Slide 59]
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness

Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.

Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations

Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.

[Figure: ISE shares context with the WSA; Doctor on Laptop in Office, Doctor on iPad in Office and Guest on iPad in Office are distinguished when requesting Confidential Patient Records and the Employee Intranet]
[Slide 60]
Rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE): protect automatically
Automatically defend against threats with FMC and ISE

Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy.

How it works
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE over pxGrid; ISE changes the endpoint's Security Group Tag (SGT) to a suspicious tag
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
[Slide 61]
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration > pxGrid Services
[Slide 62]
FireSIGHT Management Center: create a pxGrid mitigation action (based on mitigating the source)
• FMC: Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
[Slide 63]
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
[Figure: data from the network feeding the visibility stack]
[Slide 64]
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
[Figure: network segmented into Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone and Dev Zone]
[Slide 65]
TACACS+ Device Administration: simplify security management with role-based access

Feature Highlight: Customers can now use TACACS+ (Terminal Access Controller Access-Control System Plus) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
Simplified, centralized device administration: increase security compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

[Figure: TACACS+ Device Administration support for ISE 2.0; the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center]
[Slide 66]
Device Admin Service is not enabled by default
[Slide 67]
Some Device Admin Best Practices
• Different policy sets for IOS than for AireOS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
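The practices above, as an added example that is not ISE code: TACACS+ device administration modelled as one policy set per network device group (IOS, AireOS, ASA), with command-level authorization and an audit record for every decision. The group names, roles and command patterns are constructed for illustration.

```python
"""Added example, not ISE code: TACACS+ device administration modelled as
per-device-group policy sets with command-level authorization and an audit
record for each decision. Device groups (NDGs), roles and command patterns
are constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """A TACACS+ command set: deny patterns are checked first, then permits."""
    permit: list
    deny: list = field(default_factory=list)


# One policy set per network device group, as the slide recommends.
# Group names and command patterns are assumptions.
POLICY_SETS = {
    "IOS": {
        "netadmin": CommandSet(
            permit=[r"^show .*", r"^configure terminal$", r"^interface .*",
                    r"^(no )?shutdown$", r"^description .*"],
            deny=[r"^(no )?aaa .*", r"^username .*", r"^enable secret .*"]),
        "helpdesk": CommandSet(
            permit=[r"^show (interfaces?|ip interface brief|mac address-table).*"]),
    },
    "AireOS": {
        "netadmin": CommandSet(permit=[r"^show .*", r"^config wlan .*"],
                               deny=[r"^config mgmtuser .*"]),
        "helpdesk": CommandSet(permit=[r"^show (client|wlan) .*"]),
    },
    "ASA": {
        # Security appliances get their own set: network admins are read-only here.
        "secadmin": CommandSet(permit=[r"^show .*", r"^access-list .*", r"^object(-group)? .*"],
                               deny=[r"^(no )?aaa .*"]),
        "netadmin": CommandSet(permit=[r"^show .*"]),
    },
}

AUDIT_LOG = []


def authorize_command(device_group, role, command):
    """Decide one command-authorization request and append an audit record.

    Unknown device groups or roles fail closed; a deny pattern beats any
    permit pattern; whitespace is normalised so 'show   run' cannot dodge a rule.
    """
    cmd = " ".join(command.strip().split())
    cset = POLICY_SETS.get(device_group, {}).get(role)
    if cset is None:
        decision = False
    elif any(re.match(p, cmd) for p in cset.deny):
        decision = False
    else:
        decision = any(re.match(p, cmd) for p in cset.permit)
    AUDIT_LOG.append({"device_group": device_group, "role": role,
                      "command": cmd, "result": "permit" if decision else "deny"})
    return decision


def denied_commands(log=None):
    """Audit helper: the commands that were refused, in order."""
    entries = AUDIT_LOG if log is None else log
    return [e["command"] for e in entries if e["result"] == "deny"]
```

The point of the separate policy sets is visible in the ASA entry: the same "netadmin" role that may configure interfaces on an IOS switch is read-only on the firewall, and the decision is taken by device group before the command is even inspected.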
[Slide 68]
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
[Slide 69]
Example: Wireless LAN Controllers
[Slide 70]
Example: Cisco IOS
[Slide 71]
ISE services now available for non-Cisco network access devices: get the same great security across more devices

Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
[Slide 72]
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
[Slide 73]
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
[Slide 74]
Live Demo
[Slide 19]
Better Visibility: revamped the Endpoints identity page (clicking the filters below)
[Slide 20]
New TrustSec Dashboard & Work Center
[Slide 21]
Improved Matrix: color coded + condensed
[Slide 22]
Improved Matrix: color coded + condensed (continued)
[Slide 23]
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.

Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.

Benefits
Enhanced policy enforcement with automated location check and reauthorization.
Simplified management by configuring authorization with ISE management tools.
Granular control of network access with location-based authorization for individual users.

Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location

[Figure: a doctor's access to patient data by location. Lobby: no access to patient data; Patient room: access to patient data; Lab: no access to patient data; ER: access to patient data. Patient data access locations listed: Patient room, ER, Lab, Lobby]
[Slide 24]
ISE 2.0 Location Based Authorization: authorize user access to the network based on their location
• UI to configure MSE
• MSE provides the location data: Campus, Building, Floor, Zone
[Slide 25]
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1 > Building1 > Floor2 > SecureZone
• Location queries run at about 150 TPS (transactions per second)
• Endpoint movement: ISE can be configured to track the movement of an endpoint after authentication, keyed by MAC address. ISE queries the endpoint's location about every 5 minutes after the last check (given the 150 TPS budget) to verify whether the location has changed.
• No location change: do nothing. New location received: update the collection with the new information and invoke CoA on the session.
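The rule and the tracking loop above, as an added example that is not ISE or MSE code. It shows why an "Equals" condition on the full hierarchy path is stricter than it looks, how the 150 TPS budget turns into a re-check interval, and what one pass of the movement check does to a session. The location strings, the " > " separator between hierarchy levels, the profile names and the hypothetical "within" operator are assumptions.

```python
"""Added example, not ISE or MSE code: the location-based authorization rule
and the endpoint-movement loop described on this slide. Location strings, the
' > ' hierarchy separator, profile names and the 'within' operator are
assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


def _path(location: str) -> list:
    """Split 'Campus > Building > Floor > Zone' into its hierarchy levels."""
    return [part.strip() for part in location.split(">") if part.strip()]


def location_equals(condition: str, actual: str) -> bool:
    """'MSE:Location Equals <path>': the full hierarchy path must match.
    An endpoint reported at Floor2 with no zone does not satisfy a rule that
    names SecureZone, and SecureZone on another floor does not either."""
    return _path(condition) == _path(actual)


def location_within(condition: str, actual: str) -> bool:
    """Assumed broader operator (not on the slide): true when the endpoint is at
    the named location or anywhere beneath it in the hierarchy."""
    cond, act = _path(condition), _path(actual)
    return act[:len(cond)] == cond


RULE_LOCATION = "LND_Campus1 > Building1 > Floor2 > SecureZone"  # from the slide


def authorize(rule_location: str, endpoint_location: str) -> str:
    """Authorization result: the rule's profile when the location matches,
    a restricted profile otherwise. Profile names are assumptions."""
    if location_equals(rule_location, endpoint_location):
        return "PatientData_Access"
    return "No_PatientData"


def poll_interval_seconds(tracked_endpoints: int, tps: int = 150) -> float:
    """How often each tracked endpoint can be re-checked if ISE spends `tps`
    location queries per second on movement tracking: 45,000 endpoints at
    150 TPS come round about every 5 minutes."""
    return tracked_endpoints / tps


@dataclass
class Session:
    mac: str
    location: str
    profile: str


def check_movement(session: Session, rule_location: str, reported_location: str) -> Optional[dict]:
    """One pass of the tracking loop for a session (keyed by MAC):
    no change -> do nothing; new location -> update the collection,
    re-authorize, and invoke CoA so the switch or WLC applies the new profile."""
    if location_equals(session.location, reported_location):
        return None
    session.location = reported_location
    session.profile = authorize(rule_location, reported_location)
    return {"action": "CoA", "mac": session.mac, "profile": session.profile}
```

The interval is the practical caveat: the tracking budget is shared by every endpoint being tracked, so a doctor who walks from the ER to the lobby keeps patient-data access until the next poll reaches that MAC, which at large scale is minutes, not seconds.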
[Slide 26]
Centralized Control
Deeper Visibility
Superior Protection
[Slide 27]
Control it all from a single location: network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
[Figure: Wired, Wireless, VPN and Branch access for Headquarters, Remote User, Partner, Contractor/Guest and Admin (Enterprise Mobility)]
[Slide 28]
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
[Figure: Employee and IT Staff devices identified by Device Profiling; resources shown are the Internal Employee Intranet, www and Confidential HR Records]
[Slide 29]
Bring Your Own Device (BYOD): enable easier and faster device onboarding

Feature Highlight: Easy and secure access to the network from any device, with a simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.

Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.

Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in certificate authority and portal to simplify certificate deployments; also integrates with an existing PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more

How it works
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
[Slide 30]
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest -> Internet)
• Simple self-registration (Guest -> Internet)
• Role-based access with employee sponsorship (Guest + Sponsor -> Internet and Network)
[Slide 31]
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate uncredentialed access with Hotspot. Guest access made easy.

How it works
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day, the user is kicked off the network (Day Ends)

Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (e.g. Secret code: chemist)
[Slide 32]
Guest Lifecycle Management: Self Registration
Feature Highlight: Simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.

How it works
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network

Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
[Slide 33]
Endpoint Compliance: rest assured that ISE is keeping track
[Figure: compliance checks such as OS patches, AV installed, Registered, Custom Criteria and Vulnerable, with failed checks marked X]
EMM integrations: identifies the device, checks posture, ensures policy compliance and quarantines non-compliant devices
[Slide 34]
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network

1. Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess (AnyConnect): OS, hotfix, AV, AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access via dACL, dVLAN, SGT, etc.

Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
[Slide 35]
Desktop Posture Enhancements: are my desktop endpoints compliant?

ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X file checks: SHA-256 and plist checks on OS X; Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check | User agent check; user-based process check
Disk Encryption Check | Checks can be based on installation location and disk encryption state
Native Patch Management | Patch management supported via OPSWAT (Install, Enable, Up-to-date)
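The posture flow of the previous slide and the ISE 2.0 check types in this table, as an added example that is not ISE or AnyConnect code. It evaluates a requirement set in which Mandatory failures block access, Optional failures only queue remediation and Audit failures are recorded, then maps the resulting posture to a quarantine or full-access profile. The endpoint record is a constructed sample; requirement names, the plist path, the "edr-agentd" daemon, the 7-day AV threshold and the profile/tag names are assumptions.

```python
"""Added example, not ISE or AnyConnect code: the posture flow on the previous
slides (Authenticate -> Quarantine -> Assess -> Remediate -> Authorize) with
the ISE 2.0 check types listed here (file SHA-256, daemon/process, disk
encryption, patch management). The endpoint data is a constructed sample and
all requirement names, paths and thresholds are assumptions."""
import copy
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Requirement:
    name: str
    check: Callable[[dict], bool]
    mode: str = "mandatory"          # mandatory | optional | audit
    remediation: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the hash pinned for a managed plist (OS X SHA-256 file check).
PINNED_PLIST = b'<plist version="1.0"><dict><key>ScreenLock</key><true/></dict></plist>'
PINNED_PLIST_SHA256 = sha256_hex(PINNED_PLIST)

REQUIREMENTS = [
    Requirement("os_build_current",
                lambda e: e["os"]["build"] >= e["os"]["min_build"], remediation="run OS update"),
    Requirement("av_installed_running_current",
                lambda e: e["av"]["installed"] and e["av"]["running"] and e["av"]["definitions_age_days"] <= 7,
                remediation="launch AV definition update"),
    Requirement("disk_encryption_active",
                lambda e: e["disk_encryption"]["installed"] and e["disk_encryption"]["state"] == "encrypted"),
    Requirement("managed_plist_sha256",
                lambda e: sha256_hex(e["files"]["/Library/Preferences/com.example.agent.plist"]) == PINNED_PLIST_SHA256),
    Requirement("edr_daemon_running",
                lambda e: "edr-agentd" in e["processes"]["daemons"]),
    Requirement("patch_management_enabled",
                lambda e: e["patch_mgmt"]["installed"] and e["patch_mgmt"]["enabled"],
                mode="optional", remediation="activate patch management GUI"),
    Requirement("screen_lock_on", lambda e: e["screen_lock"], mode="audit"),
]


def assess(endpoint: dict) -> dict:
    """Evaluate every requirement. Only Mandatory failures make the endpoint
    NonCompliant; Optional failures are reported with their remediation; Audit
    failures are recorded only. A check that raises (missing data) fails closed."""
    failed = {"mandatory": [], "optional": [], "audit": []}
    remediations = []
    for r in REQUIREMENTS:
        try:
            ok = bool(r.check(endpoint))
        except (KeyError, TypeError):
            ok = False
        if not ok:
            failed[r.mode].append(r.name)
            if r.remediation and r.mode != "audit":
                remediations.append(r.remediation)
    status = "Compliant" if not failed["mandatory"] else "NonCompliant"
    return {"status": status, "failed": failed, "remediations": remediations}


def authorize(posture_status: str) -> dict:
    """Enforcement for the session: Unknown and NonCompliant stay in the
    quarantine profile (dACL/dVLAN/SGT reaching remediation only); Compliant
    gets the full-access profile. Profile and tag names are assumptions."""
    if posture_status == "Compliant":
        return {"profile": "PermitAccess", "sgt": "Employee", "dacl": "PERMIT_ALL"}
    return {"profile": "Quarantine", "sgt": "Quarantine", "dacl": "PERMIT_REMEDIATION_ONLY"}


# Constructed sample endpoint: AV definitions are stale, patch agent disabled.
SAMPLE_ENDPOINT = {
    "os": {"name": "OS X", "build": 14, "min_build": 14},
    "av": {"installed": True, "running": True, "definitions_age_days": 30},
    "disk_encryption": {"installed": True, "state": "encrypted"},
    "files": {"/Library/Preferences/com.example.agent.plist": PINNED_PLIST},
    "processes": {"daemons": ["launchd", "edr-agentd"]},
    "patch_mgmt": {"installed": True, "enabled": False},
    "screen_lock": False,
}


def remediate(endpoint: dict) -> dict:
    """Simulated automatic remediation: refresh AV definitions (what the
    remediation action would do); the periodic reassessment then runs again."""
    fixed = copy.deepcopy(endpoint)
    fixed["av"]["definitions_age_days"] = 0
    return fixed
```

Two details matter for a real deployment: a check that cannot read its data is treated as failed rather than skipped, and the pinned-hash file check only proves the file's bytes, so pair it with the daemon check if the goal is "the agent is present and running".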
[Slide 36]
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
[Slide 37]
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking for a user agent as well as for a daemon
[Slide 38]
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
[Slide 39]
Windows ISE Posture: Disk Encryption
[Slide 40]
Windows ISE Posture: Native Patch Management via OPSWAT
[Slide 41]
ISE Posture: Patch Management, Windows OS example
• Product name and version
• Install is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"
• Minimum version of the compliance module that provides support
[Slide 42]
ISE Posture: Patch Management, Mac OS example
[Slide 43]
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: list is loaded from the OPSWAT update
• Remediation options: Enable; Install missing patches; Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
[Slide 44]
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices portal (Device Stolen, Wipe Corporate Data)

[Figure: steps 1-2 register with ISE and allow Internet access; steps 3-4 register with the MDM and allow corporate access]
[Slide 45]
TrustSec Work Center: streamline management using a single workspace
Intuitive work center and access policy matrix

Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface.

Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports

[Access policy matrix: source groups Guest, Contractor, Employee and Infected against destination groups Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell is Permit IP or Deny IP]
[Slide 46]
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: source -> destination
Sources: NY (10.234.0.0/24, 10.235.0.0/24, 10.236.0.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...), SF, LA, SJC
Destinations (Production Servers): DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)

ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

Adding a source object or a destination object means adding a whole new set of lines. A global bank currently dedicates 24 global resources to managing firewall rules. A complex task, and the high OPEX continues.
[Slide 47]
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Sources NY, SF, LA and SJC carry the Employee or BYOD tag; DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) are the Production Servers; DC-RTP (VDI) is the VDI server group.

Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources.
Clear ROI in OPEX.
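The two slides above, and the FMC -> pxGrid -> ISE containment flow earlier in the deck, as an added example that is not Cisco code: endpoints are classified into Security Group Tags by longest-prefix match, the SGACL matrix is evaluated per flow, an ANC quarantine changes only the endpoint's tag (the matrix row for Quarantine already exists), and the rule count of an address-based ACL is compared with the tag-based policy. Employee (10), BYOD (200), Production_Servers (50) and VDI (201) are the tag values shown on the slide; the subnets, server addresses, the Quarantine/Remediation tag values and the default-deny for empty cells are assumptions.

```python
"""Added example, not Cisco code: a model of the two slides above and of the
FMC -> pxGrid -> ISE containment flow earlier in the deck. Endpoints are
classified into Security Group Tags, an SGACL matrix is evaluated, ANC
quarantine changes only the tag, and rule counts are compared with an
address-based ACL. Subnets, server addresses and the Quarantine/Remediation
tag values are constructed; Employee 10, BYOD 200, Production_Servers 50 and
VDI 201 are the values shown on the slide."""
from ipaddress import ip_address, ip_network
from typing import Optional

SGT_VALUE = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201,
             "Quarantine": 255, "Remediation": 254}

# Classification: site subnets (NY, SF, LA, SJC) all map to Employee; data-centre
# hosts map to server tags. Constructed addresses.
IP_TO_SGT = {
    ip_network("10.234.0.0/24"): "Employee",             # NY
    ip_network("10.235.0.0/24"): "Employee",             # SF
    ip_network("10.236.0.0/24"): "Employee",             # LA
    ip_network("10.4.111.0/24"): "Employee",             # SJC
    ip_network("10.50.0.0/16"): "BYOD",
    ip_network("172.16.1.10/32"): "Production_Servers",  # SRV1
    ip_network("172.16.1.11/32"): "Production_Servers",  # SAP1
    ip_network("172.16.2.20/32"): "Production_Servers",  # SCM2
    ip_network("172.16.2.40/32"): "VDI",
    ip_network("172.16.9.9/32"): "Remediation",
}

# Adaptive Network Control: endpoints a pxGrid partner (e.g. FMC) asked ISE to quarantine.
ANC_QUARANTINED = set()

# SGACL matrix: the Low-OPEX rows plus the Infected/Quarantine row of the work-center matrix.
SGACL = {
    ("Employee", "Production_Servers"): [("permit", "https"), ("deny", "sql"), ("deny", "ssh")],
    ("Employee", "VDI"): [("permit", "rdp")],
    ("BYOD", "Production_Servers"): [("deny", "ip")],
    ("BYOD", "VDI"): [("permit", "rdp")],
    ("Quarantine", "Remediation"): [("permit", "ip")],
}
DEFAULT_ACTION = "deny"   # assumption: cells with no SGACL deny


def classify(ip: str) -> Optional[str]:
    """IP -> SGT. ANC quarantine overrides the static classification;
    otherwise longest-prefix match over the mapping table."""
    addr = ip_address(ip)
    if str(addr) in ANC_QUARANTINED:
        return "Quarantine"
    matches = [net for net in IP_TO_SGT if addr in net]
    if not matches:
        return None
    return IP_TO_SGT[max(matches, key=lambda net: net.prefixlen)]


def evaluate(src_ip: str, dst_ip: str, service: str) -> str:
    """Enforcement decision for one flow: the first SGACL entry whose service
    matches (or 'ip' for any) wins; unclassified endpoints or empty cells get the default."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return DEFAULT_ACTION
    for action, svc in SGACL.get((src, dst), []):
        if svc in (service, "ip"):
            return action
    return DEFAULT_ACTION


def anc_quarantine(ip: str) -> None:
    """What ISE does on a partner's quarantine request: retag the endpoint
    (followed by CoA on the session). No matrix row and no ACL line changes."""
    ANC_QUARANTINED.add(str(ip_address(ip)))


def anc_unquarantine(ip: str) -> None:
    ANC_QUARANTINED.discard(str(ip_address(ip)))


def acl_rule_count(n_sources: int, n_destinations: int, n_services: int) -> int:
    """Address-based policy: one line per source object x destination object x service."""
    return n_sources * n_destinations * n_services


def sgacl_rule_count(matrix: dict = SGACL) -> int:
    """Tag-based policy: size follows roles, not how many subnets or servers carry them."""
    return sum(len(entries) for entries in matrix.values())
```

Adding a fifth office only adds one line to IP_TO_SGT; the SGACL stays at seven entries while the equivalent address-based ACL grows by a full destination-times-service block. The same property is what makes the quarantine cheap: containment is a classification change, not a policy change.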
[Slide 48]
Policy and Segmentation with VLANs
[Figure: Access Layer and Aggregation Layer with VLANs for Voice, Data, Suppliers, Guest and Quarantine; each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering]
Simple segmentation with 2 VLANs; more policies mean more VLANs.
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
[Slide 49]
Segmentation with Security Groups
[Figure: Access Layer and Aggregation Layer up to the Data Center Firewall; Voice, Data, Suppliers, Guest and Quarantine endpoints carry the Data, Supplier, Guest and Quarantine tags]
Retains the initial VLAN/subnet design.
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
[Slide 50]
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business-role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
[Figure: Guest on iPad in Office, Receptionist on iPad in Office and Doctor on Laptop in Office, each mapped by role to the Internet, the Internal Employee Intranet and Confidential Patient Records]
[Slide 51]
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
Traditional Security Policy vs. TrustSec Security Policy
With TrustSec:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement: software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
BEFORE, DURING, AFTER
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Feature Highlight: Enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance
Who: Doctor, What: Laptop, Where: Office
Who: Doctor, What: iPad, Where: Office
Who: Guest, What: iPad, Where: Office
Identity Service Engine
WSA
Confidential Patient Records
Employee Intranet
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Feature Highlight: Automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation: access is denied per security policy
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
• Administration > pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones shown: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
TACACS+ Device Administration Support for ISE 2.0
Simplify security management with role-based access control
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified centralized device administration: Increase security, compliance and auditing for a full range of administration use cases
Flexible granular control: Control and audit the configuration of network devices
Holistic centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Security Admin Team and Network Admin Team each work from the TACACS+ Work Center
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of Device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Example Wireless LAN Controllers
Example Cisco IOS
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL re-direction to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today”
- Forrester 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives”
- Frost & Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group 2014
Live Demo
New TrustSec Dashboard & Work Center
Improved Matrix Color Coded + Condensed
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of location hierarchy across all location entities
• Applies MSE location attributes into the access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on new location
Example (Doctor): Lobby: no access to patient data; Patient room: access to patient data; Lab: no access to patient data; ER: access to patient data
Patient data access locations shown: Patient room, ER, Lab, Lobby
ISE 2.0 Location Based Authorization: Authorize user access to the network based on their location
UI to Configure MSE
I have Location Data: Campus / Building / Floor / Zone
How it works
• Administrator configures an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• 150+ TPS (transactions per second)
End Point Movement: ISE can be configured to track movement of the endpoint after authentication using its MAC address. ISE queries the endpoint location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, nothing is done. If a new location is received, the collection is updated with the new information and CoA is invoked on the session.
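The check-and-reauthorize loop described above, as an added example that is not Cisco's code: it assumes location strings of the form Campus/Building/Floor/Zone with "/" separators, a constructed rule list, and represents the CoA as a returned flag rather than a RADIUS message.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CHECK_INTERVAL_S = 5 * 60   # slide: ISE re-queries MSE "about every 5 minutes or so"

# Authorization rules, first match wins (constructed sample data).
# Each entry: (rule name, MSE location required; "" = no location condition).
# Location strings are assumed to be "Campus/Building/Floor/Zone" paths.
RULES: List[Tuple[str, str]] = [
    ("Doctor-SecureZone-Full", "LND_Campus1/Building1/Floor2/SecureZone"),
    ("Doctor-Building1-Limited", "LND_Campus1/Building1"),
    ("Doctor-Internet-Only", ""),
]


@dataclass
class Session:
    mac: str                      # endpoint tracked by MAC after authentication
    location: Optional[str]       # last location ISE holds for the endpoint
    last_check: float             # epoch seconds of the last MSE query
    rule: Optional[str] = None    # authorization rule currently applied


def location_matches(actual: Optional[str], required: str) -> bool:
    """A rule pinned to a node of the hierarchy matches every node below it
    (a Building rule matches all its Floors and Zones). This is an assumption."""
    if not required:
        return True
    if actual is None:
        return False
    a = actual.strip("/").split("/")
    r = required.strip("/").split("/")
    return a[: len(r)] == r


def authorize(location: Optional[str]) -> str:
    """Evaluate the rule list top-down; no match means no access."""
    for name, required in RULES:
        if location_matches(location, required):
            return name
    return "Deny-Access"


def track_movement(session: Session, now: float,
                   mse_lookup: Callable[[str], Optional[str]]) -> dict:
    """One pass of the tracker. Returns what happened in this pass:
    queried - whether MSE was asked (at most once per CHECK_INTERVAL_S),
    moved   - whether the reported location differs from the stored one,
    coa     - whether a Change of Authorization was issued,
    rule    - the authorization rule in force after this pass."""
    if now - session.last_check < CHECK_INTERVAL_S:
        return {"queried": False, "moved": False, "coa": False, "rule": session.rule}
    session.last_check = now
    new_location = mse_lookup(session.mac)
    if new_location == session.location:
        return {"queried": True, "moved": False, "coa": False, "rule": session.rule}
    # Location changed: update the collection, then CoA re-runs authorization.
    session.location = new_location
    session.rule = authorize(new_location)
    return {"queried": True, "moved": True, "coa": True, "rule": session.rule}


def simulate() -> List[dict]:
    """Walk one doctor's laptop through the building with constructed MSE answers."""
    answers = iter([
        "LND_Campus1/Building1/Floor2/SecureZone",   # still in place
        "LND_Campus1/Building1/Floor1/Lobby",        # moved to the lobby
        "LND_Campus2/Building7/Floor1/Cafe",         # left Building1 entirely
    ])
    lookup = lambda mac: next(answers)
    s = Session("00:11:22:33:44:55", "LND_Campus1/Building1/Floor2/SecureZone", 0.0)
    s.rule = authorize(s.location)
    return [track_movement(s, t, lookup) for t in (60.0, 300.0, 600.0, 900.0)]
```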
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: Network, data and application
• Apply access and usage policies across the entire network
• Secure access from any location regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Access types and users shown: Wired, Wireless, Branch, VPN, Enterprise Mobility, Partner, Remote User, Headquarters, Admin, Contractor, Guest
Enable faster and easier device onboarding without any IT support
• Simplified device management from self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Diagram: Employee and IT Staff, Device Profiling, access to Internal Employee Intranet, www and Confidential HR Records
Bring Your Own Device (BYOD): Enable an easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD
Benefits
Better Security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End User “MyDevices” Portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Onboarding flow:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Hotspot: Immediate uncredentialed Internet access (Guest, Internet)
Simple self-registration (Guest, Internet)
Role-based access with employee sponsorship (Guest and Sponsor, Internet and Network)
Guest lifecycle Management: Hotspot
Feature Highlight: Immediate un-credentialed access with Hotspot
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day the user is kicked off the network (Day Ends)
Guest Access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (e.g. secret code: chemist)
Guest lifecycle Management: Self Registration
Feature Highlight: Simple and flexible Guest Self Registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Endpoint Compliance: Rest assured that ISE is keeping track
Checks shown: OS patches, AV installed, Registered, Custom Criteria, Vulnerable
EMM integrations: Identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown/Non-compliant
2. Quarantine: dVLAN, dACL, SGT
3. Posture Assess: OS/Hotfix, AV/AS, Personal FW, More…
4. Remediate: WSUS, Launch App, Scripts, Etc…
5. Posture = Compliant
6. Authorize: Permit Access (dACL, dVLAN, SGT, Etc…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
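The quarantine, assess, remediate and authorize cycle above, together with the three posture modes, as an added example that is not Cisco's code: the requirement names, the dACL/SGT labels, the remediation actions and the mode semantics in the comments are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Posture requirement modes named on the slide. Assumed semantics (constructed):
#   mandatory - a failure blocks access until it is remediated
#   optional  - a failure is reported and remediation offered; access is still granted
#   audit     - a failure is only logged; no remediation, no enforcement
@dataclass(frozen=True)
class Requirement:
    name: str          # e.g. "OS/Hotfix", "AV/AS", "Personal FW"
    mode: str          # "mandatory" | "optional" | "audit"
    remediation: str   # e.g. "WSUS", "Launch App", "Script"

# Authorization results ISE would push; the labels are constructed placeholders.
QUARANTINE = {"dACL": "QUARANTINE-REMEDIATION-ONLY", "SGT": "Quarantine"}
PERMIT = {"dACL": "PERMIT-ALL", "SGT": "Employee"}


@dataclass
class Assessment:
    status: str                    # "Compliant" | "NonCompliant"
    failed: List[str]              # every requirement that did not pass
    to_remediate: List[str]        # the subset the agent should try to fix
    authorization: Dict[str, str]  # what ISE applies to the session


def assess(reqs: List[Requirement], facts: Dict[str, bool]) -> Assessment:
    """Posture Assess step: every requirement is checked, but only a failed
    mandatory requirement makes the endpoint NonCompliant."""
    failed, to_fix, block = [], [], False
    for req in reqs:
        if facts.get(req.name, False):
            continue
        failed.append(req.name)
        if req.mode == "audit":
            continue                  # logged only
        to_fix.append(req.name)
        if req.mode == "mandatory":
            block = True
    status = "NonCompliant" if block else "Compliant"
    return Assessment(status, failed, to_fix, QUARANTINE if block else PERMIT)


def posture_cycle(reqs: List[Requirement], facts: Dict[str, bool],
                  remediate: Callable[[str], bool], max_rounds: int = 3) -> List[Assessment]:
    """Quarantine -> Assess -> Remediate, repeated until Compliant or max_rounds.
    remediate(name) returns True when that remediation succeeded."""
    history: List[Assessment] = []
    facts = dict(facts)               # do not mutate the caller's view of the endpoint
    for _ in range(max_rounds):
        result = assess(reqs, facts)
        history.append(result)
        if result.status == "Compliant":
            break
        for name in result.to_remediate:
            if remediate(name):
                facts[name] = True    # the next assessment sees the fix
    return history


# Constructed sample policy and endpoint state.
REQUIREMENTS = [
    Requirement("OS/Hotfix", "mandatory", "WSUS"),
    Requirement("AV/AS", "mandatory", "Launch App"),
    Requirement("Personal FW", "optional", "Script"),
    Requirement("Disk Encryption", "audit", "none"),
]
ENDPOINT = {"OS/Hotfix": False, "AV/AS": True, "Personal FW": False, "Disk Encryption": False}


def demo() -> List[Assessment]:
    """WSUS and the firewall script succeed; disk encryption is audit-only."""
    fixable = {"OS/Hotfix", "Personal FW"}
    return posture_cycle(REQUIREMENTS, ENDPOINT, lambda name: name in fixable)
```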
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights and Description:
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: User agent check, user-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks -- Posture Enhancements
OS X: Similar to registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements -- OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Windows ISE Posture – Disk Encryption
Windows ISE Posture – Native Patch Management via OPSWAT
ISE Posture – Patch Management: Windows OS Example
Product Name and Version; Install is default support for all; optionally may support checks for “Enabled” or “Up to Date”
Minimum version of compliance module that provides support
ISE Posture – Patch Management: Mac OS Example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture Compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from MyDevices Portal (Device Stolen, Wipe Corporate data)
Flow: Register with ISE, allow Internet access; Register with MDM, allow Corp access
Streamline management using a single workspace
Intuitive work center and access policy matrix, with TrustSec's new user interface
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
TrustSec Work Center: Access policy matrix
Source SGTs: Guest, Contractor, Employee, Infected
Destination SGTs: Internet, Contractor Resources, HR Server, Employee Resources, Remediation
Each source/destination cell of the matrix holds Permit IP or Deny IP
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule: Source and Destination objects
Sources: NY, SF, LA, SJC (NY: 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24 …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI); Production Servers
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A Global Bank currently dedicates 24 global resources to manage Firewall rules
Complex task, and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Sources: NY, SF, LA, SJC (Employee, BYOD). Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI) as VDI Servers
Policy stays with users and servers regardless of location or topology
Simpler Auditing Process (Low OPEX Cost); Simpler Security Operation (Resource Optimization) (e.g. the Bank now estimates 6 global resources)
Clear ROI in OPEX
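The two policy models of the last two slides side by side, as an added example that is not Cisco's code: the site subnets, server addresses and IP-to-SGT bindings are constructed, and the ACL expansion assumes every source subnet must be paired with every destination/service rule, which is what the slide's per-site rule lists show.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# ---- Traditional model: IP objects, one ACE per source x destination x service ----
# Constructed sample data following the slide's NY/SF/LA/SJC and DC-MTV/DC-RTP objects.
SITE_SUBNETS: Dict[str, List[str]] = {
    "NY": ["10.2.34.0/24", "10.2.35.0/24", "10.2.36.0/24"],
    "SF": ["10.3.102.0/24"],
    "LA": ["10.3.152.0/24"],
}
SERVERS: Dict[str, str] = {
    "SRV1": "10.10.1.10", "SAP1": "10.10.1.20", "SCM2": "10.20.1.30", "VDI": "10.20.1.40",
}
# (action, destination object, service) that has to be repeated for every source object
PER_SITE_RULES: List[Tuple[str, str, str]] = [
    ("permit", "SRV1", "HTTPS"), ("deny", "SAP1", "SQL"),
    ("deny", "SCM2", "SSH"), ("permit", "VDI", "RDP"),
]


def expand_acl(site_subnets: Dict[str, List[str]], servers: Dict[str, str],
               rules: List[Tuple[str, str, str]]) -> List[str]:
    """Every source subnet x every (destination, service) rule is one ACE,
    so the list grows with each site or server that is added."""
    aces = []
    for site, subnets in site_subnets.items():
        for subnet in subnets:
            for action, dst, service in rules:
                aces.append(f"{action} {subnet} -> {servers[dst]} {service}  ; {site}->{dst}")
    return aces


# ---- TrustSec model: policy keyed by (source SGT, destination SGT) ----
SGT_VALUES = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}  # from the slide
# The six lines of the slide's Security Group policy; service None means any service
SGT_POLICY: List[Tuple[str, str, str, Optional[str]]] = [
    ("permit", "Employee", "Production_Servers", "HTTPS"),
    ("deny", "Employee", "Production_Servers", "SQL"),
    ("deny", "Employee", "Production_Servers", "SSH"),
    ("permit", "Employee", "VDI", "RDP"),
    ("deny", "BYOD", "Production_Servers", None),
    ("permit", "BYOD", "VDI", "RDP"),
]
# IP-to-SGT bindings as ISE/SXP would distribute them (constructed)
SGT_BINDINGS: Dict[str, str] = {
    "10.2.34.0/24": "Employee", "10.2.35.0/24": "Employee", "10.2.36.0/24": "Employee",
    "10.3.102.0/24": "Employee", "10.3.152.0/24": "Employee",
    "192.168.50.0/24": "BYOD",
    "10.10.1.0/24": "Production_Servers", "10.20.1.30/32": "Production_Servers",
    "10.20.1.40/32": "VDI",
}


def classify(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the SGT bindings."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, tag in SGT_BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tag)
    return best[1] if best else None


def sgt_decision(src_sgt: Optional[str], dst_sgt: Optional[str], service: str) -> str:
    """First matching policy line wins; anything unmatched, including an unknown tag, is denied."""
    for action, src, dst, svc in SGT_POLICY:
        if src == src_sgt and dst == dst_sgt and svc in (None, service):
            return action
    return "deny"


def decide(src_ip: str, dst_ip: str, service: str) -> str:
    return sgt_decision(classify(src_ip), classify(dst_ip), service)


def add_site(site: str, subnet: str, sgt: str = "Employee") -> Tuple[int, int]:
    """Onboard a new site in both models and return (ACE count, SGT policy line count).
    The ACL grows by one ACE per rule; the SGT policy only gains a classification binding."""
    SITE_SUBNETS[site] = [subnet]
    SGT_BINDINGS[subnet] = sgt
    return len(expand_acl(SITE_SUBNETS, SERVERS, PER_SITE_RULES)), len(SGT_POLICY)
```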
Policy and segmentation with VLANs
Access Layer and Aggregation Layer: Voice, Data, Suppliers, Guest, Quarantine
Per VLAN: Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies require more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Segmentation with Security Groups
Access Layer, Aggregation Layer and Data Center Firewall: Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Tags: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Resources: Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest, What: iPad, Where: Office
Who: Receptionist, What: iPad, Where: Office
Who: Doctor, What: Laptop, Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network”
- US-CERT
Traditional Security Policy vs. TrustSec Security Policy (with TrustSec)
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation
53 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
Slide 56
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
BEFORE, DURING, AFTER
Slide 57
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Context
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness. Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA. Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
Who: Doctor, What: Laptop, Where: Office
Who: Doctor, What: iPad, Where: Office
Who: Guest, What: iPad, Where: Office
Identity Services Engine
WSA
Confidential Patient Records
Employee Intranet
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE. Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
FMC detects a suspicious file and alerts ISE using pxGrid by changing the endpoint's Security Group Tag (SGT) to Suspicious
Device is contained for remediation or mitigation; access is denied per security policy
Automate threat defense: Leveraging ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
Slide 61
• Administration > pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
Slide 62
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Slide 63
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
ADMIN ZONE
ENTERPRISE ZONE
POS ZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
EMPLOYEE ZONE
DEV ZONE
Slide 65
Role-based access control
Simplify security management with role-based access
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Simplified, centralized device administration: Increase security and compliance auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Security Admin Team
TACACS+ Work Center
Network Admin Team
TACACS+ Work Center
TACACS+ Device Administration Support for ISE 2.0
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
USE NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: Deploy ISE across network devices including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 1.0: 802.1X
New with ISE 2.0:
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing
Import/Export simplifies sharing of custom profiles
Slide 73
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today"
- Forrester 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group 2014
Don't just take it from us
Slide 74
Live Demo
Slide 21
Improved Matrix: Color Coded + Condensed
Slide 22
Improved Matrix: Color Coded + Condensed
Slide 23
Enhance control with location-based authorization
Location-based authorization: Admin defines a location hierarchy and grants users specific access rights based on their location
Benefits
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location
With the integration of Cisco Mobility Services Engine (MSE)
Doctor, by location - Lobby: No access to patient data; Patient room: Access to patient data; Lab: No access to patient data; ER: Access to patient data
Patient data
Patient data access locations (figure labels): Patient room, ER, Lab, Lobby
Slide 24
ISE 2.0
Location Based Authorization: Authorize user access to the network based on their location
UI to Configure MSE
I have Location Data: Campus / Building / Floor / Zone
Slide 25
• Administrator will configure an authorization rule with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• +150 TPS (transactions per second)
How it works
Endpoint Movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session.
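As an added example of the rule and re-check loop just described (not Cisco's code and not from the deck), the following Python model authorizes on an MSE:Location value and re-polls the location on the 5-minute interval, issuing CoA only when the location changed. The "/"-separated Campus/Building/Floor/Zone path format, the rule names, the in-memory stand-in for the MSE lookup and the generalisation that a rule written on an ancestor node (a whole campus) also covers every floor and zone below it are assumptions for the demo.

```python
"""Location-based authorization with periodic MSE re-check and CoA.

Added illustration; not Cisco code. The rule names, the "/"-separated
Campus/Building/Floor/Zone path format, the ancestor-match generalisation
and the fake MSE table are assumptions for the demo.
"""
from dataclasses import dataclass

CHECK_INTERVAL_S = 300  # "about every 5 minutes" on the slide


def location_matches(rule_location: str, endpoint_location: str) -> bool:
    """Equals on the full path; a rule written on an ancestor node (e.g. a
    campus) also covers every building/floor/zone below it (assumption)."""
    rule = rule_location.strip("/").split("/")
    actual = endpoint_location.strip("/").split("/")
    return actual[:len(rule)] == rule


# Ordered authorization rules: (rule name, MSE:Location condition, result).
AUTHZ_RULES = [
    ("SecureZone_Full", "LND_Campus1/Building1/Floor2/SecureZone", "PermitAccess"),
    ("Campus1_Limited", "LND_Campus1", "LimitedAccess"),
]


def authorize(location: str) -> str:
    """First matching rule wins; the default rule denies."""
    for _name, condition, result in AUTHZ_RULES:
        if location_matches(condition, location):
            return result
    return "DenyAccess"


@dataclass
class Session:
    mac: str
    location: str
    profile: str
    last_check: float = 0.0
    coa_count: int = 0


class LocationTracker:
    """Re-queries MSE for a session's endpoint no more often than
    CHECK_INTERVAL_S; on a change, updates the session and issues CoA."""

    def __init__(self, mse_by_mac: dict):
        self.mse_by_mac = mse_by_mac  # stand-in for the MSE API (constructed)

    def poll(self, session: Session, now: float) -> str:
        if now - session.last_check < CHECK_INTERVAL_S:
            return "skipped"          # too soon since the last check
        session.last_check = now
        current = self.mse_by_mac.get(session.mac, session.location)
        if current == session.location:
            return "unchanged"        # no location change: do nothing
        session.location = current    # update the collection with the new info...
        session.profile = authorize(current)
        session.coa_count += 1        # ...and invoke CoA on the session
        return "coa"


def demo() -> Session:
    mac = "00:11:22:33:44:55"  # constructed
    mse = {mac: "LND_Campus1/Building1/Floor2/SecureZone"}
    s = Session(mac, mse[mac], authorize(mse[mac]))
    tracker = LocationTracker(mse)
    tracker.poll(s, 100)                                # skipped
    tracker.poll(s, 300)                                # unchanged
    mse[mac] = "LND_Campus1/Building1/Floor1/Lobby"     # user walks to the lobby
    tracker.poll(s, 400)                                # skipped, interval not elapsed
    tracker.poll(s, 600)                                # coa -> LimitedAccess
    return s


if __name__ == "__main__":
    print(demo())
```

The interval gate is what keeps the MSE query rate near the 150 TPS budget: a moving endpoint is re-authorized within one interval of the move, and a stationary one costs one lookup per interval and no CoA.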
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Wired
Branch
Wireless
Control it all from a single location: Network, data and application
Enterprise Mobility
Apply access and usage policies across entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets take containment actions when needed
VPN
Partner
Remote User, Headquarters
Admin
Contractor, Guest
Slide 28
Internal Employee Intranet
www
Enable faster and easier device onboarding without any IT support
IT Staff
Confidential HR Records
Device Profiling
Employee
Simplified device management from self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Slide 29
Enable easier and faster device onboarding
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "MyDevices" portal for personal device administration
• Supports integration with most MDM solutions including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Capabilities
Bring Your own Device (BYOD)
Benefits
Better Security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience.
Effectively design, manage and control the access of BYOD:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot
Simple self-registration
Role-based access with employee sponsorship
Guest
Guest
GuestSponsor
Internet
Internet
Internet and Network
Slide 31
Guest Lifecycle Management: Hotspot
1. User associates to an open SSID
2. User tries to access the Web; identified by ISE as a guest and redirected to the guest captive portal
3. After accepting the Acceptable Use Policy the user is then allowed access to the network
4. At the end of the day (Day Ends) the user is kicked off the network
Feature Highlight: Immediate un-credentialed access with Hotspot
Guest Access made easy
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
Capabilities
Secret code: chemist
Slide 32
Guest Lifecycle Management: Self Registration
1. Guest is redirected to a captive portal for self registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible Guest Self Registration
• Flexible flows including self-registration with approval
• Multiple methods can be used for delivering credentials, including Email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals
Capabilities
Slide 33
OS patches
AV installed
Registered
Custom Criteria, Vulnerable
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: Identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Authenticate: Authenticate User, Authenticate Endpoint; Posture = Unknown / Non-compliant
Quarantine: dVLAN, dACLs, SGT
Posture Assess: OS/Hotfix, AV/AS, Personal FW, More...
Remediate: WSUS, Launch App, Scripts, Etc...
Posture = Compliant
Authorize: Permit Access (dACL, dVLAN, SGT, Etc...)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
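To show what the Mandatory, Optional and Audit modes change in the outcome of the flow above, here is an added Python example (not Cisco's code and not AnyConnect logic): each requirement is evaluated against constructed endpoint facts, and the verdict is mapped onto the two authorization outcomes on the slide, quarantine for remediation or permit. The requirement list, remediation labels, endpoint facts and authorization profile names are constructed for the demo.

```python
"""Posture assessment outcome by requirement mode, then authorization.

Added illustration; not Cisco code. Requirement list, endpoint facts and
authorization profile names are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

MANDATORY, OPTIONAL, AUDIT = "mandatory", "optional", "audit"


@dataclass(frozen=True)
class Requirement:
    name: str
    mode: str                         # mandatory / optional / audit
    check: Callable[[dict], bool]     # True when the endpoint passes
    remediation: str                  # e.g. WSUS, Launch App, Script (slide labels)


REQUIREMENTS = [
    Requirement("AV installed and running", MANDATORY,
                lambda e: e["av_installed"] and e["av_running"], "Launch App"),
    Requirement("OS hotfixes current", MANDATORY,
                lambda e: e["missing_hotfixes"] == 0, "WSUS"),
    Requirement("Personal firewall on", OPTIONAL,
                lambda e: e["firewall_on"], "Script"),
    Requirement("Disk encryption enabled", AUDIT,
                lambda e: e["disk_encrypted"], "none"),
]


def assess(endpoint: Optional[dict]) -> dict:
    """Unknown (no agent report yet) or any failed mandatory requirement is
    non-compliant; optional failures only offer remediation; audit
    failures are recorded without affecting the verdict."""
    if endpoint is None:
        return {"posture": "Unknown", "required": [], "optional": [], "audit": []}
    result = {"required": [], "optional": [], "audit": []}
    for req in REQUIREMENTS:
        if req.check(endpoint):
            continue
        if req.mode == MANDATORY:
            result["required"].append(req.remediation)
        elif req.mode == OPTIONAL:
            result["optional"].append(req.remediation)
        else:
            result["audit"].append(req.name)
    result["posture"] = "NonCompliant" if result["required"] else "Compliant"
    return result


def authorize(endpoint: Optional[dict]) -> dict:
    """Map the posture verdict onto the slide's two outcomes: permit with the
    normal SGT/dACL, or quarantine with a remediation dACL (names constructed)."""
    verdict = assess(endpoint)
    if verdict["posture"] == "Compliant":
        return {"posture": "Compliant", "sgt": "Employee", "dacl": "PERMIT_ALL",
                "remediate": verdict["optional"], "audit": verdict["audit"]}
    return {"posture": verdict["posture"], "sgt": "Quarantine",
            "dacl": "POSTURE_REMEDIATION", "remediate": verdict["required"],
            "audit": verdict["audit"]}


def demo() -> List[dict]:
    # Constructed endpoint reports, as an agent would deliver them.
    healthy = {"av_installed": True, "av_running": True, "missing_hotfixes": 0,
               "firewall_on": True, "disk_encrypted": True}
    unpatched = dict(healthy, missing_hotfixes=3, disk_encrypted=False)
    fw_off = dict(healthy, firewall_on=False)
    return [authorize(healthy), authorize(unpatched), authorize(fw_off), authorize(None)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit mode is the rollout lever: a new check such as disk encryption can be deployed first in audit, its failure rate read from the reports, and only then promoted to optional or mandatory, without ever quarantining users during the measurement phase.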
Slide 35
ISE 2.0 Highlights / Description
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check / User Agent Check: User-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
Slide 36
File Checks - Posture Enhancements
OS X: Similar to registry check on Windows
ISE 2.0, AnyConnect 4.2
Slide 37
Posture Enhancements - OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Slide 39
Windows ISE Posture - Disk Encryption
Slide 40
Windows ISE Posture - Native Patch Management via OPSWAT
Slide 41
ISE Posture - Patch Management: Windows OS Example
Product Name and Version
Install is the default supported check for all products; optionally, checks for "Enabled" or "Up to Date" may be supported
Minimum version of the compliance module that provides support
Slide 42
ISE Posture - Patch Management: Mac OS Example
Slide 43
Patch Management Remediation
• Remediation type - same as AV and AS remediation
• Operating System - Windows only supported
• Vendor Name - list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Capabilities
Internet
Register with ISE: Allow Internet Access
Register with MDM: Allow Corp Access
Slide 45
Streamline management using a single workspace
• New TrustSec administrator console and services
  - TrustSec dashboard
  - Matrix overhaul
  - Automatic SGT creation
  - ISE as SXP speaker / listener
• Revised UX
  - Improved menu structure for ease of navigation
  - Search capability within the GUI
• Enhanced reporting
  - PDF print and local save reintroduced
  - Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with dedicated work centers, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
With TrustSec's new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix
Access policy matrix (figure): Source SGTs are Guest, Contractor, Employee and Infected; Destination SGTs are Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell holds Permit IP or Deny IP
Slide 46
High OPEX Security Policy Maintenance
Adding destination Object
Adding source Object
ACL for 3 source objects & 3 destination objects
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A Global Bank dedicated 24 global resources to manage firewall rules currently
Complex Task and High OPEX continues
Traditional ACL/FW Rule: Source, Destination
NY, SF, LA
DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2)
NY 1023402410235024 10236024103102024103152024104111024 ... SJC DC-RTP (VDI)
Production Servers
Slide 47
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Security Group Filtering
NY, SF, LA
DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2)
SJC DC-RTP (VDI)
Production Servers
VDI Servers, BYOD
Employee
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost); Simpler Security Operation (Resource Optimization)
(e.g. Bank now estimates 6 global resources)
Clear ROI in OPEX
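To make the OPEX argument of slides 47 and 48 concrete, here is an added Python example (not Cisco's code and not from the deck) that evaluates the same flow against the slide 47 IP-based ACL and the slide 48 SGT policy, then shows what each needs when a site the ACL never heard of comes online. The rule lists follow the slides (object names normalised to SAP1/SCM2); the site prefixes, server addresses, the new site BOS, the tag numbers on the user session and the treatment of unlisted matrix cells as deny are constructed assumptions.

```python
"""Traditional site/IP ACL versus TrustSec security-group policy.

Added illustration for slides 47 and 48; not Cisco code. The rule sets are
transcribed from the slides; site prefixes, server addresses and the
"new site" BOS are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    service: str   # "HTTPS", "SQL", "SSH", "RDP"
    src_sgt: int   # tag ISE assigned to the user's session
    dst_sgt: int   # tag bound to the server


# Constructed address plan behind the object names on slide 47.
SITES = {"NY": "10.1.0.0/16", "SF": "10.2.0.0/16",
         "LA": "10.3.0.0/16", "SJC": "10.4.0.0/16"}
HOSTS = {"SRV1": "10.100.0.10/32", "SAP1": "10.100.0.20/32",
         "SCM2": "10.200.0.30/32", "VDI": "10.200.0.40/32"}

# Slide 47's 16-line ACL (object names normalised to SAP1/SCM2); first match wins.
TRADITIONAL_ACL = [
    ("permit", "NY", "SRV1", "HTTPS"), ("deny", "NY", "SAP1", "SQL"), ("deny", "NY", "SCM2", "SSH"),
    ("permit", "SF", "SRV1", "HTTPS"), ("deny", "SF", "SAP1", "SQL"), ("deny", "SF", "SCM2", "SSH"),
    ("permit", "LA", "SRV1", "HTTPS"), ("deny", "LA", "SAP1", "SQL"), ("deny", "LA", "SCM2", "SSH"),
    ("permit", "SJC", "SRV1", "HTTPS"), ("deny", "SJC", "SAP1", "SQL"), ("deny", "SJC", "SCM2", "SSH"),
    ("permit", "NY", "VDI", "RDP"), ("deny", "SF", "VDI", "RDP"),
    ("deny", "LA", "VDI", "RDP"), ("deny", "SJC", "VDI", "RDP"),
]

# Slide 48's six-line SGT policy, keyed on the slide's tag numbers.
EMPLOYEE, BYOD, PRODUCTION, VDI = 10, 200, 50, 201
SGT_POLICY = [
    (EMPLOYEE, PRODUCTION, "HTTPS", "permit"),
    (EMPLOYEE, PRODUCTION, "SQL", "deny"),
    (EMPLOYEE, PRODUCTION, "SSH", "deny"),
    (EMPLOYEE, VDI, "RDP", "permit"),
    (BYOD, PRODUCTION, ANY, "deny"),
    (BYOD, VDI, "RDP", "permit"),
]


def _in(prefix: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def traditional_action(flow: Flow) -> str:
    """First-match evaluation of the IP ACL, with the implicit deny at the end."""
    for action, site, host, service in TRADITIONAL_ACL:
        if (_in(SITES[site], flow.src_ip) and _in(HOSTS[host], flow.dst_ip)
                and service == flow.service):
            return action
    return "deny"


def sgt_action(flow: Flow) -> str:
    """Look up the (source SGT, destination SGT) cell; an unlisted cell is
    treated as deny here (assumption; the real default is a matrix setting)."""
    for src, dst, service, action in SGT_POLICY:
        if src == flow.src_sgt and dst == flow.dst_sgt and service in (ANY, flow.service):
            return action
    return "deny"


def traditional_rules_for_new_site(site: str) -> list:
    """Rules an operator must clone from NY's set so a new site is covered."""
    return [(a, site, h, s) for a, st, h, s in TRADITIONAL_ACL if st == "NY"]


def demo() -> dict:
    ny_https = Flow("10.1.5.5", "10.100.0.10", "HTTPS", EMPLOYEE, PRODUCTION)
    bos_https = Flow("10.5.5.5", "10.100.0.10", "HTTPS", EMPLOYEE, PRODUCTION)  # BOS: not in the ACL
    return {
        "ny_acl": traditional_action(ny_https),
        "ny_sgt": sgt_action(ny_https),
        "bos_acl": traditional_action(bos_https),
        "bos_sgt": sgt_action(bos_https),
        "rules_to_add_for_bos": len(traditional_rules_for_new_site("BOS")),
    }


if __name__ == "__main__":
    print(demo())
```

The BOS employee is denied by the IP ACL purely because the address plan changed, and four more lines are needed for every such site; the SGT policy needs nothing new because the tag travels with the authenticated session, which is the "policy stays with users and servers" claim on the slide expressed as a lookup.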
Slide 48
Policy and segmentation
Voice, Data, Suppliers, Guest, Quarantine
Access Layer
Aggregation Layer
VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies using more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities. Cost could be extremely high.
Slide 49
Data Center Firewall
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine
Retaining initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer
Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Slide 50
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who: Guest, What: iPad, Where: Office
Who: Receptionist, What: iPad, Where: Office
Who: Doctor, What: Laptop, Where: Office
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
Slide 52
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
Traditional Security Policy vs. TrustSec Security Policy (with TrustSec)
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation

Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
Context (Who, What, Where, When, How) shared across the attack continuum: Before, During, After
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
And easily integrates with partner solutions
Context (Who, What, Where, When, How) is shared through the ISE pxGrid controller, including with Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Components: ISE, Cisco Network, pxGrid controller, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid, with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness

Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.

Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations

Capabilities
• Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
• Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
• Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.

Figure: three sessions (Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office) pass through the Identity Services Engine and the WSA on their way to Confidential Patient Records and the Employee Intranet.
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE

Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration

Capabilities
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Flow
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to Suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
FireSIGHT Management Center: the registered FMC pxGrid client is visible in ISE under Administration > pxGrid Services

FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch

Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
TACACS+ Device Administration: simplify security management with role-based access

Feature Highlight: Customers can now use TACACS+ (Terminal Access Controller Access-Control System Plus) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
• Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

TACACS+ Device Administration support in ISE 2.0: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center
Device Admin Service is not enabled by default
Some Device Admin best practices
• Different policy sets for IOS than for Airespace OS (wireless LAN controllers)
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
• Use NDGs (Network Device Groups)
Use policy sets based on device type
• Cisco IOS switches
• Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices: get the same great security across more devices

Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: ISE 1.0 provided 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Improved Matrix: Color Coded + Condensed
Enhance control with location-based authorization, with the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location

Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.

Benefits
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users

Capabilities
• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes to the access request, to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location

Example (Doctor, access to patient data by location):
Lobby: no access to patient data
Patient room: access to patient data
Lab: no access to patient data
ER: access to patient data
Patient data access locations in the hierarchy: Patient room, ER, Lab, Lobby
ISE 2.0 Location-Based Authorization: authorize user access to the network based on their location
UI to configure MSE
MSE: "I have location data: Campus / Building / Floor / Zone"
How it works
• The administrator configures an authorization rule with a location-based attribute, such as MSE:Location Equals LND_Campus1 / Building1 / Floor2 / SecureZone (a campus, building, floor and zone path in the MSE hierarchy)
• 150+ TPS (transactions per second)
• Endpoint movement: ISE can be configured to track movement of the endpoint after authentication, using its MAC address
• ISE queries MSE for this endpoint's location about every 5 minutes or so after the last check (based on the 150 TPS budget) to verify whether the location changed
• If there is no location change: do nothing. If a new location was received: update the collection with the new info and invoke CoA on the session
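The location flow described above, as an added example that is not code from this deck, from ISE or from MSE: a simplified model of hierarchical location matching, the periodic location re-check and the CoA that follows a move. The rule set, location paths, MAC addresses, authorization-profile names and the pacing assumption in check_interval_seconds are all constructed for the example.

```python
"""Simplified model of ISE 2.0 location-based authorization with MSE (added
example; hypothetical names throughout, not ISE's own data model)."""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List, Optional, Tuple

# An MSE location is a path in the campus > building > floor > zone hierarchy.
Path = Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    role: str        # identity group the session belongs to
    location: Path   # MSE:Location condition; a shorter path matches its whole subtree
    profile: str     # authorization profile applied on match

    def matches(self, role: str, where: Path) -> bool:
        return role == self.role and where[: len(self.location)] == self.location


# Ordered rule list, first match wins (constructed; mirrors the Doctor example).
RULES: List[Rule] = [
    Rule("Doctor", ("LND_Campus1", "Building1", "Floor2", "PatientRoom"), "Patient_Data_Access"),
    Rule("Doctor", ("LND_Campus1", "Building1", "Floor1", "ER"), "Patient_Data_Access"),
    Rule("Doctor", ("LND_Campus1",), "No_Patient_Data"),   # anywhere else on campus (Lobby, Lab)
    Rule("Guest", ("LND_Campus1",), "Internet_Only"),
]
DEFAULT_PROFILE = "Deny_Access"


def authorize(role: str, where: Path, rules: List[Rule] = RULES) -> str:
    """Evaluate the ordered rules the way an authorization policy would."""
    for rule in rules:
        if rule.matches(role, where):
            return rule.profile
    return DEFAULT_PROFILE


def check_interval_seconds(tracked_endpoints: int, tps: int = 150, floor_s: int = 300) -> int:
    """Assumption (not stated by the deck): re-checks are paced so the MSE query
    load stays within the TPS budget, never more often than every 5 minutes.
    At 150 TPS that is 45,000 tracked endpoints per 5-minute cycle."""
    return max(floor_s, ceil(tracked_endpoints / tps))


@dataclass
class Session:
    mac: str
    role: str
    location: Path
    profile: str


@dataclass
class LocationTracker:
    """Sessions ISE tracks after authentication, keyed by MAC address."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    coa_log: List[Tuple[str, str, str]] = field(default_factory=list)  # (mac, old, new profile)

    def authenticate(self, mac: str, role: str, where: Path) -> str:
        profile = authorize(role, where)
        self.sessions[mac] = Session(mac, role, where, profile)
        return profile

    def poll(self, mac: str, where_now: Path) -> Optional[str]:
        """One periodic MSE check. None when the location is unchanged; otherwise
        the profile in force after the CoA that re-authorizes the session."""
        s = self.sessions[mac]
        if where_now == s.location:
            return None                     # no location change: do nothing
        s.location = where_now              # update the collection with the new info
        new_profile = authorize(s.role, where_now)
        self.coa_log.append((mac, s.profile, new_profile))   # CoA on the session
        s.profile = new_profile
        return new_profile


if __name__ == "__main__":
    tracker = LocationTracker()
    room = ("LND_Campus1", "Building1", "Floor2", "PatientRoom")
    lobby = ("LND_Campus1", "Building1", "Floor1", "Lobby")
    print(tracker.authenticate("00:11:22:33:44:55", "Doctor", room))  # Patient_Data_Access
    print(tracker.poll("00:11:22:33:44:55", lobby))                    # No_Patient_Data (after CoA)
```

A rule with a short path (campus only) covers every zone beneath it, which is why the Lobby and Lab both fall through to No_Patient_Data without their own rules; a move between two permitted zones still triggers a CoA, because the page's flow re-authorizes on any location change, not only on a profile change.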
Centralized Control
Deeper Visibility
Superior Protection
Control it all from a single location: network, data and application
Enterprise Mobility
• Apply access and usage policies across the entire network
• Secure access from any location, regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Access types: Wired, Wireless, Branch, VPN. Users: Headquarters, Remote User, Partner, Admin, Contractor, Guest
Enable faster and easier device onboarding without any IT support
• Simplified device management from a self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Figure: Employee and IT Staff devices go through Device Profiling on the way to www, the Internal Employee Intranet and Confidential HR Records
Bring Your Own Device (BYOD): enable easier and faster device onboarding

Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.

Benefits
• Better security: minimize the risk of personal devices connecting to the network
• Flexibility: works for wired and wireless devices
• Improve network operations: offload the onboarding of personal devices from IT

Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more

Flow
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
• Hotspot: immediate, uncredentialed Internet access (Guest: Internet)
• Simple self-registration (Guest: Internet)
• Role-based access with employee sponsorship (Guest / Sponsor: Internet and Network)
Guest Lifecycle Management: Hotspot
Guest access made easy

Feature Highlight: Immediate uncredentialed access with Hotspot

Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (example secret code: chemist)

Flow
1. User associates to an open SSID
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy box, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Guest Lifecycle Management: Self-Registration
Flexible, efficient and scalable solution that fits all your needs

Feature Highlight: Simple and flexible guest self-registration

Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals

Flow
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network
Endpoint Compliance: rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom Criteria, Vulnerable (failed checks marked X)
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network

Flow
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV / AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)

Capabilities
• Multiple agents (AnyConnect and a dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 Highlights | Description
File Check Enhancements | Enhanced OS X file checks: SHA-256, plist on OS X; Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check | User agent check; user-based process check
Disk Encryption Check | Checks can be based on installation location and disk encryption state
Native Patch Management | Patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks (Posture Enhancements)
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture: Patch Management, Windows OS example
• Product name and version
• "Install" is the default supported check for all products; optionally a product may support checks for "Enabled" or "Up to Date"
• Minimum version of the compliance module that provides support
ISE Posture: Patch Management, Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
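The posture flow (Authenticate, Quarantine, Posture assess, Remediate, Authorize) and the ISE 2.0 check types from the preceding slides (SHA-256 file check, daemon / user-agent check, disk-encryption state, OPSWAT patch-management level), as one added example that is not code from this deck, from ISE or from AnyConnect. It models the Mandatory / Optional / Audit requirement modes in a simplified way: only a failed Mandatory requirement makes the endpoint NonCompliant, Optional failures are offered remediation the user may skip, and Audit failures are only recorded. The endpoint inventory, file contents, requirement names, remediation strings and authorization-profile names are all constructed for the example.

```python
"""Simplified model of an ISE posture assessment (added example; hypothetical
names, not the ISE or AnyConnect data model)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Endpoint:
    """What the posture agent would collect from one endpoint (constructed data)."""
    mac: str
    files: Dict[str, bytes]          # path -> contents
    processes: Set[str]              # running daemons and per-user agents
    disk_encryption: Dict[str, str]  # product -> "encrypted" | "not-encrypted"
    patch_mgmt: Dict[str, str]       # product -> "installed" | "enabled" | "up-to-date"


Check = Callable[[Endpoint], bool]
PATCH_LEVELS = ["installed", "enabled", "up-to-date"]   # each level implies the previous


def file_sha256(path: str, expected_hex: str) -> Check:
    """File check: the file must exist and hash to the known-good SHA-256."""
    def check(ep: Endpoint) -> bool:
        data = ep.files.get(path)
        return data is not None and hashlib.sha256(data).hexdigest() == expected_hex
    return check


def process_running(name: str) -> Check:
    """Daemon / user-agent check: the named process must be running."""
    return lambda ep: name in ep.processes


def disk_encrypted(product: str) -> Check:
    """Disk-encryption check: product installed and the disk reports encrypted."""
    return lambda ep: ep.disk_encryption.get(product) == "encrypted"


def patch_mgmt_at_least(product: str, level: str) -> Check:
    """Patch-management check at the 'installed', 'enabled' or 'up-to-date' level."""
    want = PATCH_LEVELS.index(level)
    def check(ep: Endpoint) -> bool:
        have = ep.patch_mgmt.get(product)
        return have in PATCH_LEVELS and PATCH_LEVELS.index(have) >= want
    return check


@dataclass
class Requirement:
    name: str
    mode: str          # "Mandatory", "Optional" or "Audit"
    check: Check
    remediation: str   # what the agent would launch or instruct on failure


@dataclass
class PostureResult:
    status: str                                   # "Compliant" or "NonCompliant"
    failed_mandatory: List[str] = field(default_factory=list)
    failed_optional: List[str] = field(default_factory=list)
    audit_findings: List[str] = field(default_factory=list)
    remediations: List[str] = field(default_factory=list)


def assess(ep: Endpoint, requirements: List[Requirement]) -> PostureResult:
    """Posture assess step: run every requirement and classify the failures by mode."""
    result = PostureResult(status="Compliant")
    for req in requirements:
        if req.check(ep):
            continue
        if req.mode == "Mandatory":
            result.failed_mandatory.append(req.name)
            result.remediations.append(req.remediation)
        elif req.mode == "Optional":
            result.failed_optional.append(req.name)
            result.remediations.append(req.remediation)   # offered, user may skip
        else:
            result.audit_findings.append(req.name)        # recorded only
    if result.failed_mandatory:
        result.status = "NonCompliant"
    return result


def authorize(result: PostureResult) -> Dict[str, str]:
    """NonCompliant lands in the quarantine profile (dACL / dVLAN / SGT) until
    remediation; Compliant gets the permit profile. Profile names are constructed."""
    if result.status == "NonCompliant":
        return {"dacl": "POSTURE_REMEDIATION", "vlan": "Quarantine", "sgt": "Quarantine"}
    return {"dacl": "PERMIT_ALL", "vlan": "Corp", "sgt": "Employee"}


# Known-good launch-daemon plist (constructed); its SHA-256 is what the file check expects.
GOOD_PLIST = b'<plist><dict><key>Label</key><string>com.example.agent</string></dict></plist>'
REQUIREMENTS = [
    Requirement("Agent plist intact", "Mandatory",
                file_sha256("/Library/LaunchDaemons/com.example.agent.plist",
                            hashlib.sha256(GOOD_PLIST).hexdigest()),
                "Reinstall the agent"),
    Requirement("Agent daemon running", "Mandatory", process_running("com.example.agent"),
                "Launch the agent daemon"),
    Requirement("FileVault enabled", "Mandatory", disk_encrypted("FileVault"),
                "Instruct the user to enable FileVault"),
    Requirement("Patch management up to date", "Optional",
                patch_mgmt_at_least("Example Patch Manager", "up-to-date"),
                "Install missing patches"),
    Requirement("Backup agent running", "Audit", process_running("com.example.backup"), "none"),
]
```

The hash comparison is done on file contents the agent reads, so a tampered plist fails even when the path and size are unchanged; a patch-management requirement set to "up-to-date" is satisfied only by that level, while "installed" accepts any of the three, which is how the Install / Enable / Up-to-date checks on the preceding slides nest.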
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)

Flow
1. Register with ISE
2. Allow Internet access
3. Register with MDM
4. Allow corporate access
TrustSec Work Center: streamline management using a single workspace
Intuitive work center and access policy matrix, with TrustSec's new user interface

Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules

Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker / listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports

Access policy matrix (figure): source SGT rows Guest, Contractor, Employee, Infected; destination SGT columns Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell holds Permit IP or Deny IP (ten of each in the slide's example)
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: Source to Destination
Sources: NY, SF, LA, SJC (e.g. NY: 10.234.0.0/24, 10.235.0.0/24, 10.236.0.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...)
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)

ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

A complex task, and the high OPEX continues: a global bank currently dedicates 24 global resources to managing firewall rules.
Low OPEX Security Policy Maintenance
Security Group Filtering: policy stays with users and servers regardless of location or topology
Source SGTs: Employee (10) covering NY, SF, LA, SJC; BYOD (200)
Destination SGTs: Production_Servers (50) covering DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); VDI (201) covering DC-RTP (VDI)

Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX
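The two slides above compare the same intent written as address-based rules and as security-group rules. As an added example (not code from this deck and not how ISE or a switch renders SGACLs), the following expands the six-line group policy into the per-address ACEs a traditional device needs and shows why adding a source or destination object grows the ACL but leaves the TrustSec policy untouched. Subnets, server addresses, SGT numbers and the service-to-port mapping are constructed for the example.

```python
"""Group policy vs. address-based ACL growth (added example; constructed data)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed object inventory: sites are the "source objects", servers the
# "destination objects" of the traditional ACL / firewall view.
SITES: Dict[str, List[str]] = {
    "NY":  ["10.234.0.0/24", "10.235.0.0/24", "10.236.0.0/24"],
    "SF":  ["10.3.102.0/24", "10.3.152.0/24"],
    "LA":  ["10.4.111.0/24"],
    "SJC": ["10.5.20.0/24"],
}
BYOD_SUBNETS = ["10.90.0.0/24", "10.91.0.0/24"]
SERVERS = {"SRV1": "10.10.1.10/32", "SAP1": "10.10.1.20/32",
           "SCM2": "10.20.1.30/32", "VDI": "10.20.1.40/32"}
SERVICES = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}   # tcp ports (assumed mapping)

# (source SGT, destination SGT, action, service or None for all IP): the slide's six lines.
PolicyLine = Tuple[str, str, str, Optional[str]]
SGT_POLICY: List[PolicyLine] = [
    ("Employee", "Production_Servers", "permit", "HTTPS"),
    ("Employee", "Production_Servers", "deny", "SQL"),
    ("Employee", "Production_Servers", "deny", "SSH"),
    ("Employee", "VDI", "permit", "RDP"),
    ("BYOD", "Production_Servers", "deny", None),
    ("BYOD", "VDI", "permit", "RDP"),
]


def security_groups() -> Dict[str, List[str]]:
    """SGT name -> member prefixes, i.e. the classification ISE/TrustSec maintains."""
    return {
        "Employee": [p for site in SITES.values() for p in site],
        "BYOD": list(BYOD_SUBNETS),
        "Production_Servers": [SERVERS["SRV1"], SERVERS["SAP1"], SERVERS["SCM2"]],
        "VDI": [SERVERS["VDI"]],
    }


def _acl_address(prefix: str) -> str:
    """IOS extended-ACL notation: 'host a.b.c.d' for a /32, else network + wildcard mask."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def expand_to_acl(policy: List[PolicyLine], groups: Dict[str, List[str]],
                  acl_number: int = 102) -> List[str]:
    """Render the group policy as address-based ACEs: one entry for every
    (source member, destination member) pair of every policy line."""
    aces: List[str] = []
    for src_sgt, dst_sgt, action, service in policy:
        for src in groups[src_sgt]:
            for dst in groups[dst_sgt]:
                if service is None:
                    aces.append(f"access-list {acl_number} {action} ip "
                                f"{_acl_address(src)} {_acl_address(dst)}")
                else:
                    aces.append(f"access-list {acl_number} {action} tcp "
                                f"{_acl_address(src)} {_acl_address(dst)} eq {SERVICES[service]}")
    return aces


def policy_sizes(policy: List[PolicyLine], groups: Dict[str, List[str]]) -> Tuple[int, int]:
    """(number of SGT policy lines, number of address-based ACEs they expand to)."""
    return len(policy), len(expand_to_acl(policy, groups))


def add_site(groups: Dict[str, List[str]], prefixes: List[str]) -> Dict[str, List[str]]:
    """A new employee site only changes classification (group membership);
    the SGT policy itself is untouched."""
    updated = {name: list(members) for name, members in groups.items()}
    updated["Employee"].extend(prefixes)
    return updated


if __name__ == "__main__":
    groups = security_groups()
    print(policy_sizes(SGT_POLICY, groups))                                   # (6, 78)
    print(policy_sizes(SGT_POLICY, add_site(groups, ["10.6.0.0/24", "10.6.1.0/24"])))  # (6, 98)
    print("\n".join(expand_to_acl(SGT_POLICY, groups)[:3]))
```

The ACE count is the sum over policy lines of (source members x destination members), so every new prefix at a site adds one entry per destination per line, while the group policy stays at six lines; that multiplicative growth is the operational cost the "24 global resources" figure on the previous slide is pointing at.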
Policy and segmentation
Voice, Data, Suppliers, Guest, Quarantine VLANs across the Access Layer and the Aggregation Layer
Each VLAN brings its own addressing, DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Segmentation with security groups
Voice, Data, Suppliers, Guest, Quarantine: retaining the initial VLAN / subnet design
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag; Aggregation Layer; Data Center Firewall
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Figure: Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Security Policy with TrustSec
Traditional Security Policy: (illustrated on the slide by a long wall of address-based access-list entries)
TrustSec Security Policy:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Network Fabric (Switch, Router, DC FW, DC Switch, Wireless): Flexible and Scalable Policy Enforcement
Software-defined segmentation
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE context: Who, What, When, Where, How
BEFORE, DURING, AFTER
Slide 57
And easily integrates with partner solutions
Context shared: Who, What, When, Where, How
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
Figure: ISE, the pxGrid controller, the Cisco Network and the Cisco and Partner Ecosystem exchanging context (Who, What, When, Where, How)
1. ISE collects contextual data from network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources.
Figure: Identity Service Engine and WSA decide which of three sessions (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) may reach Confidential Patient Records and the Employee Intranet
Slide 60
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Benefits
Detect threats early: FireSight scans activity and publishes events to pxGrid
Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow (figure):
1. Corporate user downloads file
2. FMC scans the user activity and downloaded file
3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
Slide 61
• Administration -> pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
Slide 62
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate source
• Mitigation Actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Slide 63
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Figure: segmented zones (Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone)
Slide 65
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: Increase security compliance auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Figure: TACACS+ Device Administration Support for ISE 2.0; the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than AireSpace OS
• Different for security apps than routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type: Cisco IOS Switches, Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL re-direction to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today"
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives"
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 23
Enhance control with location-based authorization
With the integration of Cisco Mobility Services Engine (MSE)
Location-based authorization: Admin defines location hierarchy and grants users specific access rights based on their location
Feature Highlight: The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized
Benefits
Enhanced policy enforcement with automated location check and reauthorization
Simplified management by configuring authorization with ISE management tools
Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of location hierarchy across all location entities
• Applies MSE location attributes into access request to be used in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on new location
Figure: a Doctor moving between patient data access locations: Lobby (no access to patient data), Patient room (access to patient data), Lab (no access to patient data), ER (access to patient data)
Slide 24
ISE 2.0 Location Based Authorization: Authorize user access to the network based on their location
UI to configure MSE
"I have location data: Campus / Building / Floor / Zone"
Slide 25
How it works
• Administrator will configure authorization rules with a location-based attribute such as MSE:Location Equals LND_Campus1/Building1/Floor2/SecureZone
• +150 TPS (transactions per second)
• End Point Movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, do nothing. If a new location was received, update the collection with the new info and invoke CoA on the session.
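As an added example (not Cisco code), the following Python simulates the rule evaluation and the periodic movement check described above: a hierarchy-aware match of MSE:Location, first-match authorization, and a tracker that invokes CoA only when MSE reports a changed location. The "/" path separator, the rule and profile names, the fake MSE responses and the CoA callback are assumptions, since the real ISE and MSE interfaces are not shown on the slide.

```python
"""Simulated ISE 2.0 location-based authorization with endpoint movement tracking.

Added example, not Cisco code. The "/" hierarchy separator, the rule names,
the fake MSE lookup and the CoA callback are assumptions; the real ISE and
MSE interfaces are not shown on the slide.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class LocationRule:
    """One authorization rule: MSE:Location 'Equals' a hierarchy node."""
    name: str
    location: str          # e.g. "LND_Campus1/Building1/Floor2/SecureZone"
    profile: str           # authorization profile applied when the rule matches


def location_matches(rule_location: str, endpoint_location: str) -> bool:
    """True when the endpoint is at, or nested below, the rule's node.

    Matching is done on whole path components so that "Floor2" does not
    accidentally match "Floor20".
    """
    rule_parts = rule_location.strip("/").split("/")
    ep_parts = endpoint_location.strip("/").split("/")
    return ep_parts[: len(rule_parts)] == rule_parts


def authorize(rules: List[LocationRule], endpoint_location: Optional[str],
              default_profile: str = "DenyAccess") -> str:
    """First-match evaluation, top to bottom, like an ISE authorization policy.

    An endpoint with no location data gets the default (fail closed): location
    is an extra condition on access, not a substitute for authentication.
    """
    if endpoint_location is None:
        return default_profile
    for rule in rules:
        if location_matches(rule.location, endpoint_location):
            return rule.profile
    return default_profile


@dataclass
class Session:
    mac: str
    location: Optional[str]
    profile: str
    coa_count: int = 0     # Changes of Authorization issued for this session


class MovementTracker:
    """Re-queries MSE for a tracked session (the slide says roughly every
    5 minutes) and invokes CoA only when the reported location changed."""

    def __init__(self, rules: List[LocationRule],
                 query_mse: Callable[[str], Optional[str]],
                 send_coa: Callable[[Session], None]) -> None:
        self.rules = rules
        self.query_mse = query_mse
        self.send_coa = send_coa

    def check(self, session: Session) -> bool:
        """One tracking cycle; returns True if a CoA was issued."""
        new_location = self.query_mse(session.mac)
        if new_location == session.location:
            return False                      # no change: do nothing
        session.location = new_location       # update the collection
        self.send_coa(session)                # CoA forces reauthorization ...
        session.coa_count += 1
        session.profile = authorize(self.rules, new_location)  # ... which re-evaluates policy
        return True


# Constructed policy mirroring the slide: the secure zone unlocks patient data,
# anywhere else on the campus gets intranet only, off-campus is denied.
RULES = [
    LocationRule("SecureZone", "LND_Campus1/Building1/Floor2/SecureZone", "PatientData_Access"),
    LocationRule("Campus", "LND_Campus1", "Intranet_Only"),
]


def simulate_movement(path: List[Optional[str]]) -> List[Tuple[Optional[str], str, bool]]:
    """Walk one endpoint through a list of MSE location reports (constructed
    input) and record (location, profile, coa_issued) per tracking cycle."""
    reports = iter(path)
    tracker = MovementTracker(RULES, lambda mac: next(reports), lambda s: None)
    session = Session(mac="00:11:22:33:44:55", location=None,
                      profile=authorize(RULES, None))
    trace = []
    for _ in path:
        issued = tracker.check(session)
        trace.append((session.location, session.profile, issued))
    return trace
```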
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
Enterprise Mobility
• Apply access and usage policies across entire network
• Secure access from any location regardless of connection type
• Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Figure: access types (Wired, Wireless, VPN) from Headquarters, Branch and Remote User locations, for Admin, Partner, Contractor and Guest roles
Slide 28
Enable faster and easier device onboarding without any IT support
• Simplified device management from self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
Figure: Device Profiling identifies an Employee device and an IT Staff device; resources shown are the Internal Employee Intranet (www) and Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): Enable an easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device; simple configuration flow and onboarding experience
Benefits
Better Security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control the access of BYOD (figure):
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
• Immediate uncredentialed Internet access with Hotspot: Guest -> Internet
• Simple self-registration: Guest -> Internet
• Role-based access with employee sponsorship: Guest/Sponsor -> Internet and Network
Slide 31
Guest lifecycle Management: Hotspot
Guest Access made easy
Feature Highlight: Immediate un-credentialed access with Hotspot
Flow (figure):
1. User associates to an open SSID
2. User tries to access the Web; identified by ISE as a guest and redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports passcode (example on the slide: Secret code "chemist")
Slide 32
Guest lifecycle Management: Self Registration
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible Guest Self Registration
Flow (figure):
1. Guest is redirected to a captive portal for self registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including Email, printing and Instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and Account expiration renewals
Slide 33
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: Identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
Figure: per-endpoint checks (OS patches, AV installed, Registered, Custom Criteria, Vulnerable), with failed checks marked X
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow (figure):
1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS / Hotfix, AV / AS, Personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
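As an added example (not Cisco code), this Python models the posture decision in the flow above: requirements are evaluated against constructed endpoint facts, the Mandatory/Optional/Audit mode of each requirement decides whether a failed check blocks access, and the resulting status selects the quarantine or permit authorization, with a remediate-and-reassess loop that releases the endpoint only on a Compliant reassessment. The requirement names, the hotfix placeholder, the endpoint facts and the authorization profile names are assumptions.

```python
"""Simulated ISE posture decision: requirements, posture modes, authorization.

Added example, not Cisco code. Requirement names, endpoint facts and the
authorization profile names are constructed; the Mandatory/Optional/Audit
semantics follow the slide (only Mandatory failures block access).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Mode(Enum):
    MANDATORY = "mandatory"   # failure => NonCompliant, quarantine stays
    OPTIONAL = "optional"     # failure => remediation offered, access allowed
    AUDIT = "audit"           # failure => logged only, nothing enforced


@dataclass
class Requirement:
    name: str
    mode: Mode
    check: Callable[[Dict[str, object]], bool]   # True when the endpoint passes
    remediation: str                             # e.g. "WSUS", "Launch App"


@dataclass
class PostureResult:
    status: str                          # "Compliant" or "NonCompliant"
    failed_mandatory: List[str] = field(default_factory=list)
    remediations: List[Tuple[str, str]] = field(default_factory=list)  # (req, action)
    audit_log: List[str] = field(default_factory=list)


# Authorization on each side of the posture decision (names are constructed).
QUARANTINE = {"dACL": "PERMIT_REMEDIATION_ONLY", "dVLAN": "QUARANTINE", "SGT": "Quarantine"}
PERMIT = {"dACL": "PERMIT_ALL", "dVLAN": "EMPLOYEE", "SGT": "Employee"}


def assess(endpoint: Dict[str, object], requirements: List[Requirement]) -> PostureResult:
    """Evaluate every requirement; only Mandatory failures decide the status."""
    result = PostureResult(status="Compliant")
    for req in requirements:
        if req.check(endpoint):
            continue
        if req.mode is Mode.MANDATORY:
            result.failed_mandatory.append(req.name)
            result.remediations.append((req.name, req.remediation))
        elif req.mode is Mode.OPTIONAL:
            result.remediations.append((req.name, req.remediation))
        else:
            result.audit_log.append(f"{req.name} failed (audit only)")
    if result.failed_mandatory:
        result.status = "NonCompliant"
    return result


def authorization_for(status: str) -> Dict[str, str]:
    """Unknown or NonCompliant posture keeps the quarantine authorization."""
    return PERMIT if status == "Compliant" else QUARANTINE


# Constructed requirements matching the slide's assessment items.
# "KB-PLACEHOLDER" stands in for a real hotfix identifier.
REQUIREMENTS = [
    Requirement("OS hotfix KB-PLACEHOLDER installed", Mode.MANDATORY,
                lambda ep: "KB-PLACEHOLDER" in ep.get("hotfixes", []), "WSUS"),
    Requirement("AV installed and definitions current", Mode.MANDATORY,
                lambda ep: bool(ep.get("av_installed")) and ep.get("av_def_age_days", 999) <= 7,
                "Launch AV update"),
    Requirement("Personal firewall enabled", Mode.OPTIONAL,
                lambda ep: bool(ep.get("fw_enabled", False)), "Enable firewall script"),
    Requirement("Disk encryption active", Mode.AUDIT,
                lambda ep: bool(ep.get("disk_encrypted", False)), "none"),
]


def demo_remediation(endpoint: Dict[str, object], action: str) -> None:
    """Constructed remediation effects for the simulation (no real actions)."""
    if action == "WSUS":
        endpoint.setdefault("hotfixes", []).append("KB-PLACEHOLDER")
    elif action == "Launch AV update":
        endpoint["av_def_age_days"] = 0
    elif action == "Enable firewall script":
        endpoint["fw_enabled"] = True


def posture_cycle(endpoint: Dict[str, object],
                  apply_remediation: Callable[[Dict[str, object], str], None],
                  max_rounds: int = 3) -> Tuple[str, Dict[str, str], int]:
    """Assess, remediate, reassess until Compliant or the round limit is hit.

    Returns (final status, authorization, rounds used). The endpoint is only
    released from quarantine by a Compliant reassessment, never by remediation alone.
    """
    rounds = 0
    result = assess(endpoint, REQUIREMENTS)
    while result.status != "Compliant" and rounds < max_rounds:
        for _, action in result.remediations:
            apply_remediation(endpoint, action)
        rounds += 1
        result = assess(endpoint, REQUIREMENTS)
    return result.status, authorization_for(result.status), rounds
```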
Slide 35
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights and Descriptions:
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: User agent check; user-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks -- Posture Enhancements
OS X: Similar to registry check on Windows
ISE 2.0, AnyConnect 4.2
Slide 37
Posture Enhancements -- OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator would be able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of specified disk encryption application
  • Disk encryption state
Slide 39
Windows ISE Posture – Disk Encryption
Slide 40
Windows ISE Posture – Native Patch Management via OPSWAT
Slide 41
ISE Posture – Patch Management: Windows OS Example
Product Name and Version
Install is default support for all; optionally may support checks for "Enabled" or "Up to Date"
Min version of compliance module that provides support
Slide 42
ISE Posture – Patch Management: Mac OS Example
Slide 43
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to selected vendor and remediation option; a product can be selected only if supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture Compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from MyDevices Portal (Device Stolen, Wipe Corporate Data)
Figure: four-step flow: register with ISE, allow Internet access; register with MDM, allow corporate access
Slide 45
Streamline management using a single workspace
With TrustSec's new user interface
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with a dedicated work center allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Figure: TrustSec Work Center, intuitive work center and access policy matrix: sources Guest, Contractor, Employee and Infected against destinations Internet, Contractor Resources, HR Server, Employee Resources and Remediation, each cell a Permit IP or Deny IP entry
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: source objects NY, SF, LA, SJC (each a list of IP subnets) to destination objects DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) (Production Servers)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding source object (SJC):
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A Global Bank dedicated 24 global resources to manage Firewall rules currently
Complex task and high OPEX continues
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering (same sites NY, SF, LA, SJC and servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)):
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization) (e.g. the Bank now estimates 6 global resources)
Clear ROI in OPEX
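As an added example (not Cisco code), this Python expresses the two slides' policy both ways to show what grows when an object is added: the address-based ACL gains a line per (subnet, server, service), while the SGT policy keeps its six cells and only the IP-to-SGT binding table changes. It also classifies flows through the bindings so that moving a user to another subnet touches a binding rather than the policy. Site subnets, server addresses and the binding table are constructed; the SGT numbers and the six policy lines come from the slide; the ACL text is a simplified notation, not IOS syntax.

```python
"""Address-based ACL vs. Security Group policy: what grows when objects are added.

Added example, not Cisco code. Sites, server addresses and the IP-to-SGT
binding table are constructed; the SGT numbers (Employee 10, BYOD 200,
Production_Servers 50, VDI 201) and the policy lines come from the slide.
The ACL text is a simplified notation, not IOS syntax.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SITES: Dict[str, List[str]] = {            # source objects (constructed subnets)
    "NY": ["10.234.0.0/24", "10.235.0.0/24"],
    "SF": ["10.3.102.0/24"],
    "LA": ["10.3.152.0/24"],
    "SJC": ["10.4.111.0/24"],
}
SERVERS: Dict[str, str] = {                # destination objects (constructed hosts)
    "SRV1": "10.50.1.10", "SAP1": "10.50.1.20", "SCM2": "10.60.1.30",
}
SERVICES: List[Tuple[str, str]] = [("HTTPS", "permit"), ("SQL", "deny"), ("SSH", "deny")]


def address_acl(sites, servers, services) -> List[str]:
    """Traditional ACL: one line per (source subnet, server, service)."""
    lines = []
    for site, subnets in sites.items():
        for subnet in subnets:
            for server, addr in servers.items():
                for svc, action in services:
                    lines.append(f"{action} {subnet} -> {addr} eq {svc}   ({site} to {server})")
    return lines


# Security Group policy from the slide: one cell per (source SGT, destination SGT).
SGT_NUMBER = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGACL: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("Employee", "Production_Servers"): [("HTTPS", "permit"), ("SQL", "deny"), ("SSH", "deny")],
    ("Employee", "VDI"): [("RDP", "permit")],
    ("BYOD", "Production_Servers"): [],        # Deny BYOD to Production_Servers
    ("BYOD", "VDI"): [("RDP", "permit")],
}


def sgt_decision(src_sgt: str, dst_sgt: str, service: str) -> str:
    """Look up the SGACL cell; anything not explicitly permitted is denied."""
    for svc, action in SGACL.get((src_sgt, dst_sgt), []):
        if svc == service:
            return action
    return "deny"


def sgt_policy_lines() -> int:
    """Policy size counts cells, not addresses: an empty cell is one deny line."""
    return sum(max(len(entries), 1) for entries in SGACL.values())


# Constructed IP-to-SGT bindings (what ISE distributes to enforcement points).
BINDINGS: List[Tuple[str, str]] = [
    ("10.234.0.0/24", "Employee"), ("10.3.102.0/24", "Employee"),
    ("10.99.0.0/16", "BYOD"),
    ("10.50.1.0/24", "Production_Servers"), ("10.60.1.0/24", "Production_Servers"),
    ("10.70.5.0/24", "VDI"),
]


def sgt_for(ip: str, bindings=BINDINGS) -> Optional[str]:
    """Longest-prefix match of an address against the binding table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in bindings:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


def flow_decision(src_ip: str, dst_ip: str, service: str) -> str:
    """Classify both ends by tag, then apply the tag policy. Unknown tag: deny."""
    src, dst = sgt_for(src_ip), sgt_for(dst_ip)
    if src is None or dst is None:
        return "deny"
    return sgt_decision(src, dst, service)


def acl_growth_for_new_site(subnet_count: int) -> int:
    """Lines added to the address ACL when one more site (source object) appears."""
    return subnet_count * len(SERVERS) * len(SERVICES)
```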
Slide 48
Policy and segmentation
Simple segmentation with 2 VLANs; more policies using more VLANs (Voice, Data, Suppliers, Guest, Quarantine)
Per VLAN: Addressing, DHCP scope, Redundancy, Routing, Static filtering (Access Layer and Aggregation Layer)
Design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Slide 49
Segmentation with Security Group
Retaining initial VLAN/Subnet design (Voice, Data, Suppliers, Guest, Quarantine)
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Figure: Access Layer (Data Tag, Supplier Tag, Guest Tag, Quarantine Tag), Aggregation Layer, Data Center Firewall
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Figure: three sessions (Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office) against the resources Internet, Confidential Patient Records and Internal Employee Intranet
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
[Slide graphic: a dense wall of traditional "access-list 102 permit/deny ..." entries keyed to IP addresses, wildcard masks and port ranges, illustrating how unreadable IP-based policy becomes at scale]
Traditional Security Policy
with TrustSec
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation
[Slide 53]
Centralized Control
Deeper Visibility
Superior Protection
[Slide 54]
https://www.youtube.com/watch?v=CMsp8WiBxzM
[Slide 55]
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
[Slide 56]
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
Who, What, Where, When, How
BEFORE, DURING, AFTER
[Slide 57]
And easily integrates with partner solutions
Who, What, Where, When, How
ISE pxGrid controller
Cisco Meraki
SIEM, EMM/MDM, Firewall, Vulnerability Assessment
Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
[Slide 58]
Cisco Platform Exchange Grid (pxGrid)
Enable unified threat response by sharing contextual data
Who, What, Where, When, How
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGrid controller
Context
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
[Slide 59]
Telemetry sharing using pxGrid
With Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight
Enhance Web access policy with user and device awareness: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Who: Doctor; What: Laptop; Where: Office
Who: Doctor; What: iPad; Where: Office
Who: Guest; What: iPad; Where: Office
Identity Services Engine
WSA
Confidential Patient Records
Employee Intranet
[Slide 60]
Protect automatically with rapid threat containment
With Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight
Automatically defend against threats with FMC and ISE: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
1. Corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious.
4. Based on the new tag, ISE automatically enforces policy on the network.
5. Device is contained for remediation or mitigation; access is denied per security policy.
[Slide 61]
• Administration -> pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
[Slide 62]
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• Mitigation Actions
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
[Slide 63]
Network as a Sensor
See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
[Slide 64]
Network as an Enforcer
And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
[Slide 65]
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight
Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Security Admin Team: TACACS+ Work Center
Network Admin Team: TACACS+ Work Center
TACACS+ Device Administration support for ISE 2.0
[Slide 66]
Device Admin Service is not enabled by default
[Slide 67]
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
[Slide 68]
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
[Slide 69]
Example: Wireless LAN Controllers
[Slide 70]
Example: Cisco IOS
[Slide 71]
ISE services now available for non-Cisco network access devices
Feature Highlight
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration:
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix.
[Slide 72]
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
[Slide 73]
Don’t just take it from us
Recognized as a LEADER four years in a row
- Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today.”
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC
- Info-Tech Research Group, 2014
[Slide 74]
Live Demo
[Slide 24]
ISE 2.0
Location Based Authorization: authorize user access to the network based on their location
UI to configure MSE
I have location data: Campus, Building, Floor, Zone
[Slide 25]
How it works
• Administrator will configure authorization rules with a location-based attribute such as MSE:Location Equals LND_Campus1Building1Floor2SecureZone
• +150 TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC address. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed.
If there is no location change: do nothing. If a new location was received: update the collection with the new info and invoke CoA on the session.
[Slide 26]
Centralized Control
Deeper Visibility
Superior Protection
[Slide 27]
Control it all from a single location: network, data and application
Enterprise Mobility
Apply access and usage policies across the entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Wired, Branch, Wireless, VPN
Partner, Remote User, Headquarters, Admin, Contractor, Guest
[Slide 28]
Enable faster and easier device onboarding without any IT support
Device Profiling
Rapid device identification with out-of-the-box profiles
Simplified device management from self-service portal
Automated authentication and access to business assets
Internal Employee Intranet (www)
Confidential HR Records
IT Staff
Employee
[Slide 29]
Bring Your Own Device (BYOD)
Enable an easier and faster device onboarding
Feature Highlight
Easy and secure access to the network from any device. Simple configuration flow and onboarding experience. Effectively design, manage and control the access of BYOD.
Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments. Also integrates with PKI infrastructure
• End-user “My Devices” portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
1. User tries to connect to the network using a personal device.
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration.
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy.
4. Now that the device has been registered, the user is allowed access to the network.
[Slide 30]
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot: Guest -> Internet
Simple self-registration: Guest -> Internet
Role-based access with employee sponsorship: Guest/Sponsor -> Internet and Network
[Slide 31]
Guest Lifecycle Management: Hotspot
Feature Highlight
Immediate un-credentialed access with Hotspot
Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
1. User associates to an open SSID.
2. User tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After checking the Acceptable Use Policy, the user is then allowed access to the network.
4. At the end of the day (Day Ends), the user is kicked off the network.
Secret code: chemist
[Slide 32]
Guest Lifecycle Management: Self Registration
Feature Highlight
Simple and flexible guest self-registration
Flexible, efficient and scalable solution that fits all your needs
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
1. Guest is redirected to a captive portal for self-registration.
2. After filling in the registration request, the credentials are sent by ISE via SMS.
3. Guest enters credentials.
4. Guest is allowed on the network.
[Slide 33]
Endpoint Compliance: rest assured that ISE is keeping track
Checks: OS patches, AV installed, Registered, Custom Criteria, Vulnerable
EMM integrations: identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
[Slide 34]
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
Quarantine: dVLAN, dACLs, SGT
Posture Assess: OS, Hotfix, AV, AS, Personal FW, more…
Remediate: WSUS, launch app, scripts, etc.…
Posture = Compliant
Authorize: permit access (dACL, dVLAN, SGT, etc.…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
[Slide 35]
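The Authenticate -> Quarantine -> Assess -> Remediate -> Authorize loop from this slide, worked through in Python with the Mandatory/Optional/Audit modes and a periodic re-assessment. This is an added example, not Cisco or ISE code; the check names follow the slides, while the endpoint report, the remediation actions and the dVLAN/dACL/SGT values are constructed for the example.

```python
"""Posture assessment loop from the "Endpoint Compliance: Posture Assessment"
slide: Authenticate -> Posture=Unknown -> Quarantine -> Assess -> Remediate ->
Compliant -> Authorize, with Mandatory/Optional/Audit requirement modes and a
periodic re-assessment. Added example, not Cisco or ISE code; the check names
follow the slides, the endpoint report and remediation actions are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Report = Dict[str, object]  # what the AnyConnect/dissolvable agent sends back


@dataclass
class Requirement:
    name: str
    mode: str                       # "mandatory", "optional" or "audit"
    check: Callable[[Report], bool]
    remediation: Optional[Callable[[Report], None]] = None  # WSUS, launch app...


@dataclass
class Session:
    user: str
    mac: str
    posture: str = "Unknown"        # Unknown -> NonCompliant | Compliant
    authorization: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


# Authorization results the slide names: quarantine via dVLAN/dACL/SGT, then full access.
QUARANTINE = {"dVLAN": "quarantine", "dACL": "REMEDIATION-ONLY", "SGT": "Quarantine"}
FULL_ACCESS = {"dVLAN": "corp", "dACL": "PERMIT-ALL", "SGT": "Employee"}


def authenticate(session: Session) -> Dict[str, str]:
    """User and endpoint authenticate; posture is Unknown, so quarantine first."""
    session.posture = "Unknown"
    session.authorization = dict(QUARANTINE)
    return session.authorization


def assess(session: Session, report: Report, reqs: List[Requirement]) -> str:
    """Run every requirement once, remediating failed mandatory/optional ones.
    Only failed mandatory requirements make the endpoint NonCompliant."""
    failed = []
    for req in reqs:
        ok = req.check(report)
        if not ok and req.mode != "audit" and req.remediation is not None:
            req.remediation(report)            # e.g. pull the hotfix from WSUS
            ok = req.check(report)             # re-check after remediation
            session.log.append(f"{req.name}: remediated, now {ok}")
        if req.mode == "audit":
            session.log.append(f"{req.name}: audit only, passed={ok}")
        elif req.mode == "optional" and not ok:
            session.log.append(f"{req.name}: optional, user may skip")
        elif req.mode == "mandatory" and not ok:
            failed.append(req.name)
    session.posture = "NonCompliant" if failed else "Compliant"
    return session.posture


def authorize(session: Session) -> Dict[str, str]:
    """CoA after assessment: full access only for a Compliant posture."""
    session.authorization = dict(FULL_ACCESS if session.posture == "Compliant"
                                 else QUARANTINE)
    return session.authorization


def install_hotfix(report: Report) -> None:   # constructed WSUS remediation
    report["hotfix_installed"] = True


def enable_firewall(report: Report) -> None:  # constructed script remediation
    report["firewall_enabled"] = True


REQUIREMENTS = [
    Requirement("OS hotfix", "mandatory", lambda r: bool(r["hotfix_installed"]), install_hotfix),
    Requirement("AV running", "mandatory", lambda r: bool(r["av_running"])),  # no auto-fix
    Requirement("AV defs <= 7 days", "optional", lambda r: int(r["av_defs_age_days"]) <= 7),
    Requirement("Personal FW", "mandatory", lambda r: bool(r["firewall_enabled"]), enable_firewall),
    Requirement("Disk encryption", "audit", lambda r: bool(r["disk_encrypted"])),
]


def demo() -> Dict[str, object]:
    session = Session("alice", "00:11:22:33:44:55")   # constructed
    report: Report = {"hotfix_installed": False, "av_running": True,
                      "av_defs_age_days": 9, "firewall_enabled": False,
                      "disk_encrypted": False}          # constructed agent report
    first_authz = authenticate(session)["SGT"]
    first = assess(session, report, REQUIREMENTS)
    after_first = authorize(session)["SGT"]
    # Periodic re-assessment: the user has stopped the AV; no remediation exists,
    # so the mandatory requirement fails and the session is quarantined again.
    report["av_running"] = False
    second = assess(session, report, REQUIREMENTS)
    after_second = authorize(session)["SGT"]
    return {"initial_sgt": first_authz, "first": first, "after_first": after_first,
            "second": second, "after_second": after_second, "log": session.log}
```

The failed optional check and the audit-only check both appear in the session log without affecting the posture result, which is the distinction the three modes draw.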
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 Highlights / Description
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: user agent check, user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
[Slide 36]
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
[Slide 37]
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
[Slide 38]
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
[Slide 39]
Windows ISE Posture – Disk Encryption
[Slide 40]
Windows ISE Posture – Native Patch Management via OPSWAT
[Slide 41]
ISE Posture – Patch Management: Windows OS example
Product Name and Version
Install is default support for all; optionally may support checks for “Enabled” or “Up to Date”
Min version of compliance module that provides support
[Slide 42]
ISE Posture – Patch Management: Mac OS example
[Slide 43]
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.
[Slide 44]
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices Portal (Device Stolen, Wipe Corporate Data)
Internet
1. Register with ISE; 2. Allow Internet access; 3. Register with MDM; 4. Allow corporate access
[Slide 45]
TrustSec Work Center
Streamline management using a single workspace
Feature Highlight
The TrustSec Work Center provides an updated user experience, allowing simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
With TrustSec’s new user interface, automate configuration of new SGT policies and authorization rules.
Intuitive work center and access policy matrix
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Access policy matrix
Source SGTs (rows): Guest, Contractor, Employee, Infected
Destination SGTs (columns): Internet, Contractor Resources, HR Server, Employee Resources, Remediation
[Matrix graphic: each source/destination cell holds Permit IP or Deny IP; the cell positions were not preserved in the extracted text]
[Slide 46]
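To make the source-SGT by destination-SGT matrix on this slide and the "policy stays with users and servers regardless of location" claim of the Low OPEX slide concrete, here is an added Python example (not Cisco or ISE code). The Employee/BYOD to Production_Servers/VDI rules are the six shown on the Low OPEX slide; the Guest, Infected, Remediation and Internet cells, all IP addresses and the endpoint names are constructed, and the quarantine step models the FMC-to-ISE re-tagging flow of the rapid threat containment slide.

```python
"""TrustSec-style policy evaluation: Security Group Tags instead of IP ACLs.
Added example, not Cisco or ISE code. The Employee/BYOD -> Production_Servers/VDI
rules come from the "Low OPEX" slide; Guest, Infected, Remediation and Internet
cells, the IP addresses and the endpoint names are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Action = str  # "permit" or "deny"


@dataclass
class Cell:
    """One matrix cell: an ordered SGACL of (service, action) and a catch-all."""
    rules: List[Tuple[str, Action]] = field(default_factory=list)
    default: Action = "deny"

    def decide(self, service: str) -> Action:
        for svc, action in self.rules:
            if svc in (service, "any"):
                return action
        return self.default


# (source SGT, destination SGT) -> Cell. Pairs not listed are denied.
MATRIX: Dict[Tuple[str, str], Cell] = {
    # the six rules shown on the "Low OPEX Security Policy Maintenance" slide
    ("Employee", "Production_Servers"): Cell([("HTTPS", "permit"),
                                             ("SQL", "deny"), ("SSH", "deny")]),
    ("Employee", "VDI"): Cell([("RDP", "permit")]),
    ("BYOD", "Production_Servers"): Cell(default="deny"),
    ("BYOD", "VDI"): Cell([("RDP", "permit")]),
    # constructed cells in the spirit of the slide-46 access policy matrix
    ("Employee", "Internet"): Cell(default="permit"),
    ("Guest", "Internet"): Cell(default="permit"),
    ("Infected", "Remediation"): Cell(default="permit"),
}


class TrustSecFabric:
    """Holds the IP -> SGT bindings learned at authentication and evaluates
    flows against the tag matrix; IP addresses never appear in the policy."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def authenticate(self, ip: str, sgt: str) -> None:
        """802.1X/MAB succeeds: the NAD binds the endpoint's IP to its SGT."""
        self.bindings[ip] = sgt

    def quarantine(self, ip: str) -> None:
        """ANC action from the slide-61 flow: CoA re-tags the session to
        Infected; the matrix itself is not edited."""
        self.bindings[ip] = "Infected"

    def decide(self, src_ip: str, dst_ip: str, service: str) -> Action:
        src = self.bindings.get(src_ip, "Unknown")
        dst = self.bindings.get(dst_ip, "Unknown")
        return MATRIX.get((src, dst), Cell()).decide(service)

    def render_ip_acl(self) -> List[str]:
        """Expand the matrix into the per-IP ACL a traditional firewall needs.
        Any binding change (a user moves site, a server is added) invalidates
        this list, while the matrix above stays as it is."""
        lines: List[str] = []
        for (src_sgt, dst_sgt), cell in MATRIX.items():
            srcs = [ip for ip, t in self.bindings.items() if t == src_sgt]
            dsts = [ip for ip, t in self.bindings.items() if t == dst_sgt]
            for s in srcs:
                for d in dsts:
                    lines += [f"{a} {s} -> {d} {svc}" for svc, a in cell.rules]
                    lines.append(f"{cell.default} {s} -> {d} any")
        return lines


def demo() -> Dict[str, object]:
    fabric = TrustSecFabric()
    fabric.authenticate("10.100.1.10", "Production_Servers")  # stands in for SRV1
    fabric.authenticate("10.100.1.11", "Production_Servers")  # stands in for SAP1
    fabric.authenticate("10.200.1.20", "VDI")
    fabric.authenticate("10.23.40.15", "Employee")  # Alice, NY office
    ny = (fabric.decide("10.23.40.15", "10.100.1.10", "HTTPS"),
          fabric.decide("10.23.40.15", "10.100.1.10", "SQL"),
          fabric.decide("10.23.40.15", "10.200.1.20", "RDP"))
    acl_size = len(fabric.render_ip_acl())
    # Alice travels to SJC: new address, same tag, same matrix, same answers.
    del fabric.bindings["10.23.40.15"]
    fabric.authenticate("10.41.11.7", "Employee")
    sjc = (fabric.decide("10.41.11.7", "10.100.1.10", "HTTPS"),
           fabric.decide("10.41.11.7", "10.100.1.10", "SQL"),
           fabric.decide("10.41.11.7", "10.200.1.20", "RDP"))
    # FMC flags a suspicious download (slide 61); ISE re-tags her session.
    fabric.authenticate("10.50.0.99", "Remediation")
    fabric.quarantine("10.41.11.7")
    infected = (fabric.decide("10.41.11.7", "10.100.1.10", "HTTPS"),
                fabric.decide("10.41.11.7", "10.50.0.99", "HTTPS"))
    return {"ny": ny, "sjc": sjc, "infected": infected,
            "ip_acl_lines": acl_size, "matrix_cells": len(MATRIX)}
```

With four endpoints bound, the seven matrix cells already expand to ten per-IP ACL lines, and every move or new server changes that list while the matrix is untouched.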
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule: Source, Destination
Source: NY, SF, LA (NY: 1023402410235024 10236024103102024103152024104111024 …); SJC
Destination: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI); Production Servers
Adding source object; adding destination object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to manage firewall rules
Complex task and high OPEX continues
[Slide 47]
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
49copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Data Center Firewall
Segmentation with Security group
Voice Data Suppliers Guest Quarantine
Retaining initial VLANSubnet Design
Regardless of topology or location policy (Security Group Tag) stays with users devices and servers Access Layer
Data TagSupplier TagGuest TagQuarantine Tag
Aggregation Layer
Slide 50
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Resources: Internet; Confidential Patient Records; Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
51copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ldquoEffective network segmentationhellip restricts communication between
networks and reduces the extent to which an adversary can move across
the networkrdquo
US-CERT
Slide 52
Software-Defined Segmentation with TrustSec
Traditional Security Policy: (the slide shows a long "access-list 102" with hundreds of permit/deny entries keyed on individual source and destination addresses and ports)
TrustSec Security Policy:
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending
24, Season 4
Slide 56
ISE is the cornerstone of your Cisco solutions
Before / During / After: Who, What, Where, When, How
ISE
NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
Who, What, Where, When, How
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Cisco and Partner Ecosystem; ISE; Cisco Network; pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: Enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better Visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Who: Doctor / What: Laptop / Where: Office
Who: Doctor / What: iPad / Where: Office
Who: Guest / What: iPad / Where: Office
Identity Services Engine; WSA; Confidential Patient Records; Employee Intranet
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: Automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious".
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation; access is denied per security policy.
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
TACACS+ Device Administration support for ISE 2.0
Security Admin Team: TACACS+ Work Center; Network Admin Team: TACACS+ Work Center
Slide 66
The Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets based on device type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 - 802.1X; new with ISE 2.0 - Profiling, Posture, Guest, BYOD
For additional information, refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 25
How it works
• The administrator configures an authorization rule with a location-based attribute such as MSE Location Equals LND_Campus1Building1Floor2SecureZone
• +150 TPS (transactions per second)
Endpoint movement: ISE can be configured to track movement of the endpoint after authentication using its MAC. ISE will query this endpoint's location about every 5 minutes or so (based on a TPS of 150) after the last check to verify whether the location has changed. If there is no location change, do nothing. If a new location was received, update the collection with the new information and invoke CoA on the session.
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network
Secure access from any location, regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Wired, Wireless, VPN; Branch, Headquarters, Remote User; Enterprise Mobility; Partner, Admin, Contractor, Guest
Slide 28
Enable faster and easier device onboarding without any IT support
Device Profiling
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Employee; IT Staff; Internal Employee Intranet (www); Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience.
Benefits
Better Security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control the access of BYOD:
1. A user tries to connect to the network using a personal device.
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration.
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy.
4. Now that the device has been registered, the user is allowed access to the network.
Slide 30
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot (Guest: Internet)
Simple self-registration (Guest: Internet)
Role-based access with employee sponsorship (Guest and Sponsor: Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature Highlight: Immediate un-credentialed access with Hotspot
Guest access made easy
1. The user associates to an open SSID.
2. The user tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network.
4. At the end of the day (Day Ends), the user is kicked off the network.
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal example: Secret code: chemist)
Slide 32
Guest Lifecycle Management: Self Registration
Feature Highlight: Simple and flexible guest self-registration
Flexible, efficient and scalable solution that fits all your needs
1. The guest is redirected to a captive portal for self-registration.
2. After the guest fills in the registration request, the credentials are sent by ISE via SMS.
3. The guest enters the credentials.
4. The guest is allowed on the network.
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Checks: OS patches, AV installed, Registered, Custom Criteria, Vulnerable
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
Quarantine: dVLAN, dACLs, SGT
Posture Assess: OS, Hotfix, AV, AS, Personal FW, more…
Remediate: WSUS, launch app, scripts, etc.
Posture = Compliant
Authorize: Permit Access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
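As an added example (not from the Cisco deck), the posture flow on this slide, together with the ANC quarantine override that the FireSIGHT rapid threat containment slide describes, as a small Python state machine: Posture = Unknown lands the session in the quarantine profile, assessment and remediation run, and only a Compliant posture receives the full-access profile (the profile change is what a CoA pushes to the switch or WLC). Condition names follow the slide; the thresholds, dACL/dVLAN/SGT values, the `Endpoint` record and its sample values are constructed.

```python
"""Added example: the slide's posture flow (Authenticate -> Posture Unknown ->
Quarantine -> Assess -> Remediate -> Compliant -> Authorize) plus the ANC
quarantine override from the FireSIGHT containment slide, as a small state
machine. Condition names follow the deck; thresholds, profile values, SGT
numbers and the sample endpoint records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNKNOWN, NONCOMPLIANT, COMPLIANT = "Unknown", "NonCompliant", "Compliant"

# Constructed authorization profiles in the attributes the slide names.
QUARANTINE_PROFILE = {"dACL": "REMEDIATION_ONLY", "dVLAN": 999, "SGT": 255}
PERMIT_PROFILE = {"dACL": "PERMIT_ALL", "dVLAN": 10, "SGT": 10}


@dataclass
class Endpoint:
    mac: str
    missing_hotfixes: List[str] = field(default_factory=list)
    av_installed: bool = True
    av_definitions_age_days: int = 0
    personal_fw_enabled: bool = True
    disk_encrypted: bool = True
    anc_policy: Optional[str] = None   # e.g. "Quarantine", assigned over pxGrid
    posture: str = UNKNOWN


# Remediation handlers act on the constructed record the way WSUS, a launched
# app or a script would act on the real endpoint.
def _install_hotfixes(ep: Endpoint) -> None:
    ep.missing_hotfixes.clear()

def _update_av(ep: Endpoint) -> None:
    ep.av_definitions_age_days = 0

def _enable_fw(ep: Endpoint) -> None:
    ep.personal_fw_enabled = True

# Condition name -> (predicate that is True when compliant, remediation or None).
# A missing AV product and an unencrypted disk have no automatic remediation
# here, so they hold the endpoint in quarantine until an operator acts.
CONDITIONS = {
    "os_hotfix": (lambda ep: not ep.missing_hotfixes, _install_hotfixes),
    "av_installed": (lambda ep: ep.av_installed, None),
    "av_current": (lambda ep: ep.av_definitions_age_days <= 7, _update_av),
    "personal_fw": (lambda ep: ep.personal_fw_enabled, _enable_fw),
    "disk_encryption": (lambda ep: ep.disk_encrypted, None),
}


def assess(ep: Endpoint) -> List[str]:
    """Posture Assess: names of the conditions the endpoint fails."""
    return [name for name, (passes, _) in CONDITIONS.items() if not passes(ep)]


def remediate(ep: Endpoint, failures: List[str]) -> List[str]:
    """Remediate: run the handler for each fixable failure; return what ran."""
    ran = []
    for name in failures:
        handler = CONDITIONS[name][1]
        if handler is not None:
            handler(ep)
            ran.append(name)
    return ran


def authorize(ep: Endpoint) -> Tuple[str, Dict]:
    """Rule order: an ANC Quarantine assignment beats posture; after that only
    a Compliant posture receives the full-access profile."""
    if ep.anc_policy == "Quarantine":
        return "Quarantine", QUARANTINE_PROFILE
    if ep.posture == COMPLIANT:
        return "PermitAccess", PERMIT_PROFILE
    return "Quarantine", QUARANTINE_PROFILE


def posture_flow(ep: Endpoint) -> List[str]:
    """Walk the slide's sequence once; each entry is one transition. The final
    profile change is what a CoA pushes to the switch or WLC mid-session."""
    trail = [f"authenticate {ep.mac}: posture={ep.posture} -> {authorize(ep)[0]}"]
    failures = assess(ep)
    trail.append(f"assess: failed={failures}")
    if failures:
        trail.append(f"remediate: ran={remediate(ep, failures)}")
        failures = assess(ep)            # reassess after remediation
    ep.posture = COMPLIANT if not failures else NONCOMPLIANT
    result, profile = authorize(ep)
    trail.append(f"CoA: posture={ep.posture} -> {result} {profile}")
    return trail


def final_result(ep: Endpoint) -> str:
    """Run the flow and return the name of the resulting authorization."""
    posture_flow(ep)
    return authorize(ep)[0]


if __name__ == "__main__":
    stale = Endpoint("00:11:22:33:44:55", missing_hotfixes=["KB-EXAMPLE"],
                     av_definitions_age_days=30)
    print("\n".join(posture_flow(stale)))
```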
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and description:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: user agent check, user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator would be able to import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Slide 39
Windows ISE Posture - Disk Encryption
Slide 40
Windows ISE Posture - Native Patch Management via OPSWAT
Slide 41
ISE Posture - Patch Management, Windows OS example: Product Name and Version
Install is the default support for all; optionally may support checks for "Enabled" or "Up to Date"
Min version of the compliance module that provides support
Slide 42
ISE Posture - Patch Management, Mac OS example
Slide 43
Patch Management Remediation
• Remediation type - same as AV and AS remediation
• Operating System - Windows only supported
• Vendor Name - list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option. A product can be selected only if it is supported for the related option.
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices Portal (Device Stolen, Wipe Corporate Data)
Flow steps: Register with ISE; Allow Internet Access; Register with MDM; Allow Corp Access
Slide 45
TrustSec Work Center: intuitive work center and access policy matrix
Streamline management using a single workspace
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface
Capabilities
• New TrustSec administrator console and services
  - TrustSec dashboard
  - Matrix overhaul
  - Automatic SGT creation
  - ISE as SXP speaker/listener
• Revised UX
  - Improved menu structure for ease of navigation
  - Search capability within the GUI
• Enhanced reporting
  - PDF print and local save reintroduced
  - Improved filtering for live log and reports
Access policy matrix: source groups Guest, Contractor, Employee, Infected; destination groups Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell is Permit IP or Deny IP.
Slide 46
High OPEX Security Policy Maintenance
Adding destination object
Adding source object
ACL for 3 source objects & 3 destination objects
permit NY to SRV1 for HTTPSdeny NY to SAP2 for SQLdeny NY to SCM2 for SSHpermit SF to SRV1 for HTTPSdeny SF to SAP1 for SQLdeny SF to SCM2 for SSHpermit LA to SRV1 for HTTPSdeny LA to SAP1 for SQLdeny LA to SAP for SSHPermit SJC to SRV1 for HTTPSdeny SJC to SAP1 for SQLdeny SJC to SCM2 for SSHpermit NY to VDI for RDPdeny SF to VDI for RDPdeny LA to VDI for RDPdeny SJC to VDI for RDP
A Global Bank dedicated 24 global resourcesto manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACLFW RuleSource Destination
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
NY1023402410235024 10236024103102024103152024104111024 hellipSJC DC-RTP (VDI)
ProductionServers
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
Slide 48
Policy and segmentation
VLAN-based segmentation: Voice, Data, Suppliers, Guest and Quarantine VLANs across the access layer and the aggregation layer
Each VLAN needs addressing, a DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies need more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Slide 49
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine, retaining the initial VLAN/subnet design, with a data center firewall
Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers
Access layer: Data tag, Supplier tag, Guest tag, Quarantine tag
Aggregation layer
Slide 50
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Resources (figure): Internet; Confidential Patient Records; Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
Slide 51
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network”
US-CERT
Slide 52
Flexible and Scalable Policy Enforcement with TrustSec
Traditional Security Policy (figure: access-list 102, hundreds of permit/deny lines written against individual addresses, wildcard masks and ports; not reproduced here)
TrustSec Security Policy: Security Control Automation; Simplified Access Management; Improved Security Efficacy
Network fabric: switch, router, DC firewall, DC switch, wireless; software-defined segmentation
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE supplies context (Who, What, When, Where, How) before, during and after an attack to: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE shares context (Who, What, When, Where, How) through the pxGrid controller with Cisco Meraki and with partner products in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid)
Enable unified threat response by sharing contextual data
Context (Who, What, When, Where, How) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Figure: Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office; Identity Services Engine and WSA mediate access to Confidential Patient Records and the Employee Intranet
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leveraging ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Flow (figure):
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine; Un-Quarantine; Port Bounce; Port Shutdown; Session Re-Authenticate; Session Terminate
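The containment flow of slides 60 to 62, as an added model that is not Cisco code: a pxGrid client (FMC) reports a malicious file for an endpoint, ISE applies one of the mitigation actions listed above to that endpoint's session, re-tags it as Suspicious and pushes a CoA so the network re-evaluates access. The action names come from the slide; the session table, the SGT matrix, the action-to-CoA mapping and the event are constructed samples.

```python
"""Added model (not Cisco's code) of rapid threat containment via pxGrid ANC.
The session table, SGT matrix, CoA mapping and the FMC event are constructed
samples; only the mitigation action names come from the slide."""
from dataclasses import dataclass
from typing import Optional
import json

# Mitigation actions of the pxGrid remediation module, mapped to the CoA ISE
# sends to the network access device (simplified model, not ISE's exact RADIUS).
ANC_TO_COA = {
    "Quarantine": "reauthenticate",
    "Un-Quarantine": "reauthenticate",
    "Port Bounce": "bounce-host-port",
    "Port Shutdown": "disable-host-port",
    "Session Re-Authenticate": "reauthenticate",
    "Session Terminate": "disconnect",
}

# Constructed SGT matrix: src SGT -> {dst SGT: action}; missing cells deny.
POLICY = {
    "Employee": {"Internet": "permit", "Employee_Resources": "permit",
                 "HR_Server": "permit", "Remediation": "permit"},
    "Suspicious": {"Remediation": "permit"},
}


@dataclass
class Session:
    mac: str
    user: str
    ip: str
    nad: str        # switch or WLC that authenticated the endpoint
    port: str
    sgt: str        # tag currently authorized
    base_sgt: str   # tag the normal authorization policy gives this user
    anc_policy: Optional[str] = None
    active: bool = True


def decide(policy, src_sgt, dst_sgt):
    return policy.get(src_sgt, {}).get(dst_sgt, "deny")


def apply_anc(sessions, ip, action):
    """ISE side of an ANC request from a pxGrid client: find the live session
    for the IP, update it, and return the CoA that would go to the NAD
    (None when there is no session to act on)."""
    if action not in ANC_TO_COA:
        raise ValueError(f"unknown ANC action: {action}")
    sess = next((s for s in sessions.values() if s.ip == ip and s.active), None)
    if sess is None:
        return None
    if action == "Quarantine":
        sess.anc_policy = "Quarantine"
        sess.sgt = "Suspicious"          # the re-tag the slide describes
    elif action == "Un-Quarantine":
        sess.anc_policy = None
        sess.sgt = sess.base_sgt         # back to the normal authorization
    elif action in ("Port Shutdown", "Session Terminate"):
        sess.active = False
    return {"coa": ANC_TO_COA[action], "nad": sess.nad, "port": sess.port, "mac": sess.mac}


def handle_fmc_event(sessions, event_json):
    """Automation rule: a file event with a malware disposition quarantines the
    endpoint that downloaded it; anything else is context only."""
    event = json.loads(event_json)
    if event.get("disposition") != "Malware":
        return {"action": "none", "coa": None}
    return {"action": "Quarantine", "coa": apply_anc(sessions, event["src_ip"], "Quarantine")}


def access_summary(sessions, policy, mac):
    """What the network now permits for one endpoint, per destination SGT."""
    sess = sessions[mac]
    dsts = sorted({d for cells in policy.values() for d in cells})
    return {d: decide(policy, sess.sgt, d) if sess.active else "deny" for d in dsts}


MAC = "00:11:22:33:44:55"


def make_sessions():
    """Constructed session table: one employee laptop on an access switch."""
    return {MAC: Session(MAC, "alice", "10.1.10.25", "sw-floor3", "Gi1/0/7",
                         "Employee", "Employee")}


# Constructed FMC events (placeholder file hash).
MALWARE_EVENT = json.dumps({"src_ip": "10.1.10.25", "disposition": "Malware",
                            "sha256": "PLACEHOLDER-FILE-HASH"})
CLEAN_EVENT = json.dumps({"src_ip": "10.1.10.25", "disposition": "Clean",
                          "sha256": "PLACEHOLDER-FILE-HASH"})

if __name__ == "__main__":
    sessions = make_sessions()
    print("before:", access_summary(sessions, POLICY, MAC))
    print("event :", handle_fmc_event(sessions, MALWARE_EVENT))
    print("after :", access_summary(sessions, POLICY, MAC))
```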
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones (figure): Admin zone, Enterprise zone, POS zone, Vendor zone, Employee zone, Dev zone
Slide 65
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
TACACS+ Device Administration support for ISE 2.0 (figure): the Security Admin Team and the Network Admin Team each use the TACACS+ Work Center
Slide 66
The Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for Airespace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don’t just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today” - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: “In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives” - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 26
Centralized Control
Deeper Visibility
Superior Protection
Slide 27
Control it all from a single location: network, data and application
Apply access and usage policies across the entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
Enterprise mobility (figure): wired, wireless, VPN and branch connections for headquarters, remote users, partners, contractors, guests and admins
Slide 28
Enable faster and easier device onboarding without any IT support
Simplified device management from a self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Device profiling (figure): Employee, IT Staff, Internal Employee Intranet, www, Confidential HR Records
Slide 29
Bring Your Own Device (BYOD): enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience
Benefits
Better security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user “My Devices” portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control BYOD access (flow):
1. A user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot (Guest: Internet)
Simple self-registration (Guest: Internet)
Role-based access with employee sponsorship (Guest and Sponsor: Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate uncredentialed access with Hotspot
Guest access made easy
1. The user associates to an open SSID
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy box, the user is then allowed access to the network
4. At the end of the day (Day Ends) the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (portal screenshot: Secret code: chemist)
Slide 32
Guest Lifecycle Management: Self-Registration
Feature Highlight: simple and flexible guest self-registration
Flexible, efficient and scalable solution that fits all your needs
1. The guest is redirected to a captive portal for self-registration
2. After the registration request is filled in, the credentials are sent by ISE via SMS
3. The guest enters the credentials
4. The guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customized
• Time limits and account expiration renewals
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
Checks (figure): OS patches, AV installed, registered, custom criteria, vulnerable
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow (figure):
1. Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown/Non-compliant
2. Quarantine: dVLAN, dACL, SGT
3. Posture assessment: OS, hotfix, AV/AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc.…
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
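The posture flow above, as an added model that is not Cisco code: the endpoint authenticates with posture Unknown and lands in the quarantine authorization, the agent's report is checked against a set of requirements, and the resulting status selects the final authorization. The requirement semantics assumed here are that a failed Mandatory requirement makes the endpoint NonCompliant, a failed Optional one offers remediation without blocking, and a failed Audit one is only recorded; the requirement list, endpoint reports and the dACL/SGT names are constructed samples.

```python
"""Added model (not Cisco's code) of ISE posture assessment with Mandatory /
Optional / Audit requirement types.  Requirements, endpoint reports and the
authorization profile names are constructed samples."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List


class Mode(Enum):
    MANDATORY = "mandatory"   # failure -> NonCompliant, remediation required
    OPTIONAL = "optional"     # failure -> remediation offered, access continues
    AUDIT = "audit"           # failure -> recorded only, endpoint never sees it


@dataclass(frozen=True)
class Requirement:
    name: str
    passes: Callable[[dict], bool]   # condition over the agent's report
    mode: Mode
    remediation: str                 # what the agent is told to do on failure


# Constructed requirement set mirroring the slide's check categories
# (AV/AS, hotfix, personal firewall, disk encryption).
REQUIREMENTS = [
    Requirement("AV installed, definitions under 7 days old",
                lambda r: r["av_installed"] and r["av_def_age_days"] <= 7,
                Mode.MANDATORY, "Launch AV update"),
    Requirement("Required OS hotfix present",
                lambda r: r["required_hotfix"] in r["hotfixes"],
                Mode.MANDATORY, "WSUS: install missing hotfix"),
    Requirement("Personal firewall enabled",
                lambda r: r["firewall_on"],
                Mode.OPTIONAL, "Script: enable host firewall"),
    Requirement("Disk encryption enabled",
                lambda r: r["disk_encrypted"],
                Mode.AUDIT, "Report only"),
]

# Constructed authorization per posture status (dACL and SGT names are placeholders).
AUTHZ = {
    "Unknown": {"dacl": "POSTURE_REDIRECT", "sgt": "Quarantine"},
    "NonCompliant": {"dacl": "POSTURE_REMEDIATION", "sgt": "Quarantine"},
    "Compliant": {"dacl": "PERMIT_ALL", "sgt": "Employee"},
}


def assess(report: dict, requirements: List[Requirement]) -> dict:
    """Evaluate every requirement against the agent's report and derive the
    posture status from the requirement types."""
    failed_mandatory, remediations, audit_findings = [], [], []
    for req in requirements:
        if req.passes(report):
            continue
        if req.mode is Mode.MANDATORY:
            failed_mandatory.append(req.name)
            remediations.append(req.remediation)
        elif req.mode is Mode.OPTIONAL:
            remediations.append(req.remediation)
        else:
            audit_findings.append(req.name)
    return {"status": "NonCompliant" if failed_mandatory else "Compliant",
            "failed_mandatory": failed_mandatory,
            "remediations": remediations,
            "audit_findings": audit_findings}


def authorize(status: str) -> dict:
    return AUTHZ[status]


def posture_flow(report: dict, requirements: List[Requirement]) -> list:
    """Authenticate (posture Unknown -> quarantine), assess, then authorize on
    the result; a NonCompliant endpoint stays in a quarantine profile."""
    result = assess(report, requirements)
    return [("authenticate", authorize("Unknown")),
            ("assess", result),
            ("authorize", authorize(result["status"]))]


def _report(**overrides) -> dict:
    """Constructed agent report; defaults describe a fully compliant host."""
    base = {"av_installed": True, "av_def_age_days": 2,
            "required_hotfix": "HOTFIX-PLACEHOLDER",
            "hotfixes": ["HOTFIX-PLACEHOLDER"],
            "firewall_on": True, "disk_encrypted": True}
    return {**base, **overrides}


GOOD_REPORT = _report()
STALE_AV_REPORT = _report(av_def_age_days=30)
FIREWALL_OFF_REPORT = _report(firewall_on=False)
UNENCRYPTED_REPORT = _report(disk_encrypted=False)

if __name__ == "__main__":
    for name, rep in [("good", GOOD_REPORT), ("stale AV", STALE_AV_REPORT),
                      ("firewall off", FIREWALL_OFF_REPORT),
                      ("unencrypted", UNENCRYPTED_REPORT)]:
        print(name, posture_flow(rep, REQUIREMENTS)[-1])
```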
Slide 35
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and descriptions:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: user agent check; user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Slide 37
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking for a user agent as well as for a daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Slide 39
Windows ISE Posture: Disk Encryption
Slide 40
Windows ISE Posture: Native Patch Management via OPSWAT
Slide 41
ISE Posture: Patch Management, Windows OS example (product name and version)
Install is the default supported check for all products; optionally, checks for “Enabled” or “Up to Date” may be supported
Minimum version of the compliance module that provides support
Slide 42
ISE Posture: Patch Management, Mac OS example
Slide 43
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)
Flow (figure): register with ISE, allow Internet access, register with MDM, allow corporate access
Slide 45
TrustSec Work Center: intuitive work center and access policy matrix
Streamline management using a single workspace
Feature Highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules with TrustSec’s new user interface
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Access policy matrix (figure): source SGTs Guest, Contractor, Employee, Infected; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell is Permit IP or Deny IP
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX Security Policy Maintenance
Adding destination Object
Adding source Object
ACL for 3 source objects amp 3 destination objects
permit NY to SRV1 for HTTPSdeny NY to SAP2 for SQLdeny NY to SCM2 for SSHpermit SF to SRV1 for HTTPSdeny SF to SAP1 for SQLdeny SF to SCM2 for SSHpermit LA to SRV1 for HTTPSdeny LA to SAP1 for SQLdeny LA to SAP for SSHPermit SJC to SRV1 for HTTPSdeny SJC to SAP1 for SQLdeny SJC to SCM2 for SSHpermit NY to VDI for RDPdeny SF to VDI for RDPdeny LA to VDI for RDPdeny SJC to VDI for RDP
A Global Bank dedicated 24 global resourcesto manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACLFW RuleSource Destination
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
NY1023402410235024 10236024103102024103152024104111024 hellipSJC DC-RTP (VDI)
ProductionServers
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
Slide 49
Data Center Firewall
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
Access Layer
Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Slide 50
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network."
US-CERT
Slide 52
Software-defined segmentation with TrustSec
Traditional Security Policy: a long list of address- and port-based access-list 102 entries
TrustSec Security Policy: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Slide 56
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
BEFORE, DURING, AFTER
Slide 57
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Feature Highlight: Enhance web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
Who: Doctor / What: Laptop / Where: Office
Who: Doctor / What: iPad / Where: Office
Who: Guest / What: iPad / Where: Office
Identity Service Engine
WSA
Confidential Patient Records
Employee Intranet
Better visibility: Detailed reporting to understand how, when and from what devices users access web resources.
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Feature Highlight: Automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
• Detect threats early: FireSight scans activity and publishes events to pxGrid
• Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
Slide 61
• Administration -> pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
Slide 62
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
Slide 63
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
ADMIN ZONE
ENTERPRISE ZONE
POS ZONE
VENDOR ZONE
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
EMPLOYEE ZONE
DEV ZONE
Slide 65
Role-based access control
Simplify security management with role-based access
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Simplified centralized device administration: Increase security compliance auditing for a full range of administration use cases.
Flexible granular control: Control and audit the configuration of network devices.
Security Admin Team
TACACS+ Work Center
Network Admin Team
TACACS+ Work Center
TACACS+ Device Administration Support for ISE 2.0
Holistic centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 1.0: 802.1X
New with ISE 2.0:
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today."
- Forrester 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group 2014
Don't just take it from us
Slide 74
Live Demo
Slide 27
Wired
Branch
Wireless
Control it all from a single location: network, data and application
Enterprise Mobility
Apply access and usage policies across entire network
Secure access from any location regardless of connection type
Monitor access activity and compliance of non-corporate assets; take containment actions when needed
VPN
Partner
Remote User, Headquarters
Admin
Contractor, Guest
Slide 28
Internal Employee Intranet
www
Enable faster and easier device onboarding without any IT support
IT Staff
Confidential HR Records
Device Profiling
Employee
Simplified device management from self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Slide 29
Enable easier and faster device onboarding
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in Certificate Authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user "MyDevices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Capabilities
Bring Your own Device (BYOD)
Benefits
Better security: Minimize risk of personal devices connecting to the network
Flexibility: Works for wired and wireless devices
Improve network operations: Offload the onboarding of personal devices from IT
Feature Highlight: Easy and secure access to the network from any device. Simple configuration flow and onboarding experience.
Effectively design, manage and control the access of BYOD:
1. User tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Slide 30
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot (Guest: Internet)
Simple self-registration (Guest: Internet)
Role-based access with employee sponsorship (Guest + Sponsor: Internet and Network)
Slide 31
Guest Lifecycle Management: Hotspot
1. User associates to an open SSID
2. User tries to access the web; identified by ISE as a guest and redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends), the user is kicked off the network
Feature Highlight: Immediate un-credentialed access with Hotspot
Guest access made easy
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
Capabilities
Secret code: chemist
Slide 32
Guest Lifecycle Management: Self Registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: Simple and flexible guest self-registration
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Capabilities
Slide 33
OS patches, AV installed, Registered, Custom Criteria, Vulnerable
Endpoint Compliance: Rest assured that ISE is keeping track
EMM integrations: Identifies device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
1. Authenticate: Authenticate User, Authenticate Endpoint; Posture = Unknown/Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS/Hotfix, AV/AS, Personal FW, More…
4. Remediate: WSUS, Launch App, Scripts, Etc…
5. Posture = Compliant
6. Authorize: Permit Access (dACL, dVLAN, SGT, Etc…)
Capabilities
• Multiple agents (AnyConnect and Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
Slide 35
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 Highlights / Description
File Check Enhancements: Enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check / User Agent Check: User-based process check
Disk Encryption Check: Checks can be based on installation location and disk encryption state
Native Patch Management: Patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File Checks -- Posture Enhancements
OS X: Similar to the registry check on Windows
ISE 2.0 / AnyConnect 4.2
Slide 37
Posture Enhancements -- OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Slide 38
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator would be able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of specified disk encryption application
  • Disk encryption state
Slide 39
Windows ISE Posture – Disk Encryption
Slide 40
Windows ISE Posture – Native Patch Management via OPSWAT
Slide 41
ISE Posture – Patch Management: Windows OS Example
Product Name and Version
Install is default support for all; optionally may support checks for "Enabled" or "Up to Date"
Min version of compliance module that provides support
Slide 42
ISE Posture – Patch Management: Mac OS Example
Slide 43
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management Integration
Posture compliance assessment for mobile devices
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices portal (Device Stolen, Wipe Corporate Data)
Capabilities
Register with ISE: allow Internet access
Register with MDM: allow corporate access
Slide 45
Streamline management using a single workspace
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience, allowing simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management: with a dedicated work center allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation, with TrustSec's new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix: source SGTs Guest, Contractor, Employee, Infected; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell holds a Permit IP or Deny IP entry.
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX Security Policy Maintenance
Adding destination Object
Adding source Object
ACL for 3 source objects amp 3 destination objects
permit NY to SRV1 for HTTPSdeny NY to SAP2 for SQLdeny NY to SCM2 for SSHpermit SF to SRV1 for HTTPSdeny SF to SAP1 for SQLdeny SF to SCM2 for SSHpermit LA to SRV1 for HTTPSdeny LA to SAP1 for SQLdeny LA to SAP for SSHPermit SJC to SRV1 for HTTPSdeny SJC to SAP1 for SQLdeny SJC to SCM2 for SSHpermit NY to VDI for RDPdeny SF to VDI for RDPdeny LA to VDI for RDPdeny SJC to VDI for RDP
A Global Bank dedicated 24 global resourcesto manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACLFW RuleSource Destination
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
NY1023402410235024 10236024103102024103152024104111024 hellipSJC DC-RTP (VDI)
ProductionServers
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
49copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Segmentation with security groups

The initial VLAN/subnet design is retained (Voice, Data, Suppliers, Guest, Quarantine) with the data center firewall enforcing between groups. Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers: Data Tag, Supplier Tag, Guest Tag and Quarantine Tag are carried across the access layer and aggregation layer.
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles.
Implement granular control on traffic, users and assets.
Give the right people on the right devices the right access to the right resources with TrustSec.

Example (healthcare): resources are the Internet, Confidential Patient Records and the Internal Employee Intranet; access is decided by who, what and where:
Who: Guest; What: iPad; Where: Office
Who: Receptionist; What: iPad; Where: Office
Who: Doctor; What: Laptop; Where: Office
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
US-CERT
Traditional Security Policy vs. TrustSec Security Policy

[Slide graphic: a wall of several hundred traditional "access-list 102 permit|deny tcp|udp|icmp|ip <src> <wildcard> <port-op> <dst> <wildcard> <port-op>" entries, shown only to illustrate how unreadable address-based policy becomes; the individual addresses are not recoverable from the extraction]

With TrustSec:
Security control automation
Simplified access management
Improved security efficacy
Flexible and scalable policy enforcement across the network fabric: switch, router, DC firewall, DC switch, wireless
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM

https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
ISE is the cornerstone of your Cisco solutions
ISE context (who, what, where, when, how) feeds the Cisco portfolio before, during and after an attack: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services.
And easily integrates with partner solutions
ISE shares the same context (who, what, where, when, how) through the pxGrid controller with Cisco Meraki and with partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management.
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (who, what, where, when, how) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness

Feature highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.

Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations

Capabilities
Simplify administration: single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access web resources.

Example: the WSA decides access to Confidential Patient Records and the Employee Intranet using ISE context such as Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office.
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE

Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration

Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.

Flow:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
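The containment flow above has three parts worth seeing together: a partner publishes an event, ISE applies an ANC mitigation that changes the endpoint's tag, and the network re-authorizes against the new tag. The following is an added example, not Cisco code, that simulates that loop with constructed events. The action names are the FMC mitigation actions the deck lists (Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate); the event field names, the "Quarantine" tag, the CoA labels and the dACL names are assumptions.

```python
"""Added example (not Cisco code): simulates the containment loop on the slide,
where a detection platform publishes an event over pxGrid and ISE applies an
ANC mitigation. Action names are the FMC mitigation actions listed in the deck;
the event fields, tag names, CoA labels and dACL names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Mitigation action -> the Change of Authorization ISE would send (constructed labels).
MITIGATION_ACTIONS = {
    "Quarantine": "CoA-Reauth",            # re-authorize so the new tag/policy applies
    "Un-Quarantine": "CoA-Reauth",
    "Port Bounce": "CoA-PortBounce",
    "Port Shutdown": "CoA-PortShutdown",
    "Session Re-Authenticate": "CoA-Reauth",
    "Session Terminate": "CoA-Disconnect",
}
QUARANTINE_SGT = "Quarantine"   # constructed tag name (the slide says "suspicious")


@dataclass
class Endpoint:
    mac: str
    ip: str
    sgt: str = "Employee"
    anc_policy: Optional[str] = None
    previous_sgt: Optional[str] = None
    audit: List[Tuple[str, str, str]] = field(default_factory=list)


# Constructed sample events, shaped like a partner would publish them over pxGrid.
SAMPLE_EVENTS = [
    {"source": "FMC", "action": "Quarantine", "endpoint_ip": "10.2.34.5",
     "reason": "AMP disposition: malware"},
    {"source": "FMC", "action": "Reboot", "endpoint_ip": "10.2.34.5",
     "reason": "not a supported mitigation"},
    {"source": "FMC", "action": "Quarantine", "endpoint_ip": "10.2.34.99",
     "reason": "no such session"},
    {"source": "FMC", "action": "Un-Quarantine", "endpoint_ip": "10.2.34.5",
     "reason": "analyst cleared after remediation"},
]


def apply_event(endpoints, event):
    """Validate the event, update the endpoint's ANC state and return the CoA
    ISE would send to the network device (None when nothing is applied)."""
    action = event.get("action")
    if action not in MITIGATION_ACTIONS:
        return "ignored", None              # unknown actions are never executed
    ep = next((e for e in endpoints if e.ip == event.get("endpoint_ip")), None)
    if ep is None:
        return "unknown_endpoint", None     # no live session: nothing to contain
    if action == "Quarantine":
        if ep.anc_policy != "Quarantine":
            ep.previous_sgt = ep.sgt        # remember the tag to restore later
        ep.anc_policy, ep.sgt = "Quarantine", QUARANTINE_SGT
    elif action == "Un-Quarantine":
        ep.sgt = ep.previous_sgt or ep.sgt
        ep.anc_policy, ep.previous_sgt = None, None
    ep.audit.append((event["source"], action, event.get("reason", "")))
    return "applied", MITIGATION_ACTIONS[action]


def authorize(ep):
    """Enforcement: a quarantined tag only reaches remediation resources."""
    if ep.sgt == QUARANTINE_SGT:
        return {"dacl": "PERMIT_REMEDIATION_ONLY", "sgt": ep.sgt}
    return {"dacl": "PERMIT_ALL", "sgt": ep.sgt}


def run(events=SAMPLE_EVENTS):
    """Replay the constructed events against one constructed endpoint."""
    endpoints = [Endpoint(mac="00:11:22:33:44:55", ip="10.2.34.5")]
    results = [apply_event(endpoints, ev) for ev in events]
    return endpoints[0], results


if __name__ == "__main__":
    endpoint, outcomes = run()
    for ev, (status, coa) in zip(SAMPLE_EVENTS, outcomes):
        print(ev["action"], "->", status, coa)
    print("final tag:", endpoint.sgt, "audit entries:", len(endpoint.audit))
```

Two details matter operationally: every applied action lands in the endpoint's audit trail with the partner and reason, and Un-Quarantine restores the tag that was in place before containment rather than a fixed default.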
FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services

FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigate source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch

Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Segmentation zones shown: Admin, Enterprise, POS, Vendor, Employee, Dev
TACACS+ Device Administration: simplify security management with role-based access control

Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
Simplified centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible granular control: control and audit the configuration of network devices.
Holistic centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features

TACACS+ Device Administration support for ISE 2.0: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
The Device Admin Service is not enabled by default.

Some device admin best practices
• Different policy sets for IOS than for AireSpace OS
• Different policy sets for security apps than for routers
• Different policy sets for ASA
• Differentiate based on the location of the device
Use NDGs (network device groups).

Use policy sets based on device type: Cisco IOS switches, Airespace WLCs.
Example: Wireless LAN Controllers
Example: Cisco IOS
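The best-practice slides recommend separate policy sets per device type, selected through network device groups, combined with command-level authorization and an audit log. The following is an added example, not ISE code, that shows how those pieces fit: the device's NDG picks the policy set, the user's group picks a command set, and every request produces an audit record whether permitted or denied. The device names, group names, command sets and audit record layout are constructed assumptions, not ISE's data model.

```python
"""Added example (not Cisco code): command-level authorization driven by device
type, as the deck's "policy sets per device type" and "use NDGs" advice suggest.
The device groups, user group names, command sets and audit record layout are
constructed assumptions, not ISE's data model."""
import re
from datetime import datetime, timezone

# Network Device Groups: each device is placed by type and location (constructed).
NDG = {
    "sw-core-01": {"type": "Cisco IOS Switch", "location": "HQ"},
    "wlc-01": {"type": "Airespace WLC", "location": "HQ"},
    "asa-branch": {"type": "ASA", "location": "Branch"},
}

# One policy set per device type; each maps a user group to a command set.
POLICY_SETS = {
    "Cisco IOS Switch": {"NetAdmins": "IOS-Full", "Helpdesk": "ReadOnly"},
    "Airespace WLC": {"NetAdmins": "WLC-Full", "Helpdesk": "ReadOnly"},
    "ASA": {"SecAdmins": "ASA-Full", "NetAdmins": "ReadOnly"},
}

# Command sets: ordered (decision, regex) pairs, first match wins, implicit deny.
COMMAND_SETS = {
    "ReadOnly": [("permit", r"^show\b"), ("permit", r"^ping\b")],
    "IOS-Full": [("deny", r"^(write erase|reload|erase startup-config)\b"),
                 ("permit", r".*")],
    "WLC-Full": [("deny", r"^clear config\b"), ("permit", r".*")],
    "ASA-Full": [("permit", r".*")],
}


def select_command_set(groups, device):
    """Pick the policy set from the device's NDG type, then the first group match."""
    ndg = NDG.get(device)
    if ndg is None:
        return None                         # unknown device: no policy set applies
    policy_set = POLICY_SETS.get(ndg["type"], {})
    for group in groups:
        if group in policy_set:
            return policy_set[group]
    return None


def authorize_command(user, groups, device, command, log):
    """TACACS+ style per-command decision with an audit record for every request."""
    command = " ".join(command.split())     # normalize whitespace before matching
    command_set = select_command_set(groups, device)
    decision = "deny"                       # no command set or no match: deny
    if command_set is not None:
        for verdict, pattern in COMMAND_SETS[command_set]:
            if re.match(pattern, command):
                decision = verdict
                break
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "device": device, "command": command,
        "command_set": command_set, "decision": decision,
    })
    return decision


if __name__ == "__main__":
    audit_log = []
    for user, groups, device, cmd in [
        ("alice", ["Helpdesk"], "sw-core-01", "show running-config"),
        ("alice", ["Helpdesk"], "sw-core-01", "configure terminal"),
        ("bob", ["NetAdmins"], "sw-core-01", "reload"),
        ("bob", ["NetAdmins"], "asa-branch", "configure terminal"),
    ]:
        print(user, device, cmd, "->", authorize_command(user, groups, device, cmd, audit_log))
```

The same NetAdmins group gets full access on an IOS switch and read-only access on the ASA, which is the point of keying policy sets on device type; the denied requests are logged with the same detail as the permitted ones, so the audit trail shows attempted as well as executed changes.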
ISE services now available for non-Cisco network access devices
Get the same great security across more devices

Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information, refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones.
Import/export simplifies sharing of custom profiles.
Don't just take it from us
Recognized as a LEADER four years in a row (Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011)
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Live Demo
Device Profiling: enable faster and easier device onboarding without any IT support
Diagram: Employee and IT Staff devices, device profiling, and the resources Internal Employee Intranet (www) and Confidential HR Records.
Simplified device management from the self-service portal
Automated authentication and access to business assets
Rapid device identification with out-of-the-box profiles
Bring Your Own Device (BYOD): enable an easier and faster device onboarding

Feature highlight: easy and secure access to the network from any device, with a simple configuration flow and onboarding experience.

Benefits
Better security: minimize the risk of personal devices connecting to the network.
Flexibility: works for wired and wireless devices.
Improve network operations: offload the onboarding of personal devices from IT.

Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single and multiple SSID deployments
• Built-in certificate authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End user "My Devices" portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more

Effectively design, manage and control BYOD access:
1. A user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot: Guest gets Internet
Simple self-registration: Guest gets Internet
Role-based access with employee sponsorship: Guest/Sponsor gets Internet and Network
Guest lifecycle management: Hotspot
Feature highlight: immediate uncredentialed access with Hotspot
1. User associates to an open SSID
2. User tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network
4. At the end of the day (Day Ends) the user is kicked off the network

Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (screenshot: Secret code "chemist")
Guest lifecycle management: Self Registration
Feature highlight: simple and flexible guest self-registration
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters credentials
4. Guest is allowed on the network
Flexible, efficient and scalable solution that fits all your needs

Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
ISE identifies the device, checks posture (OS patches, AV installed, registered, custom criteria, vulnerable), ensures policy compliance and quarantines non-compliant devices, with EMM integrations for mobile devices.
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network.

1. Authenticate: authenticate user, authenticate endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV/AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)

Capabilities
• Multiple agents (AnyConnect and dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
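The posture flow on this slide (authenticate, quarantine while posture is unknown, assess, remediate, authorize once compliant) and the three requirement modes listed under Capabilities are easiest to see as one decision function. The following is an added example, not Cisco or AnyConnect code, that implements that decision over constructed endpoint attributes. The requirement names, the remediation labels and the dACL/VLAN/SGT values are assumptions.

```python
"""Added example (not Cisco code): a posture decision in the shape of the
slide's flow (authenticate, posture unknown -> quarantine, assess, remediate,
compliant -> authorize) with the Mandatory/Optional/Audit requirement modes.
Requirement names, remediation labels and the dACL/VLAN/SGT values are
constructed assumptions."""
from enum import Enum


class Mode(Enum):
    MANDATORY = "mandatory"   # failure blocks access until remediated
    OPTIONAL = "optional"     # remediated when possible, but does not block
    AUDIT = "audit"           # only recorded; used to gauge impact before enforcing


# (attribute reported by the agent, mode, remediation action); all constructed.
REQUIREMENTS = [
    ("os_hotfixes_current", Mode.MANDATORY, "WSUS: install missing hotfixes"),
    ("av_installed", Mode.MANDATORY, "launch AV installer"),
    ("personal_fw_enabled", Mode.OPTIONAL, "script: enable firewall"),
    ("disk_encrypted", Mode.AUDIT, None),
]
QUARANTINE = {"dacl": "PERMIT_REMEDIATION_ONLY", "vlan": "quarantine", "sgt": "Quarantine"}
FULL_ACCESS = {"dacl": "PERMIT_ALL", "vlan": "corp", "sgt": "Employee"}


def assess(endpoint):
    """Posture assessment: returns the status plus what must or may be remediated.
    A missing attribute counts as a failed check (posture unknown is not compliant)."""
    failed_mandatory, remediations, audit_findings = [], [], []
    for name, mode, remediation in REQUIREMENTS:
        if endpoint.get(name, False):
            continue
        if mode is Mode.MANDATORY:
            failed_mandatory.append(name)
            remediations.append(remediation)
        elif mode is Mode.OPTIONAL:
            remediations.append(remediation)
        else:
            audit_findings.append(name)
    status = "Compliant" if not failed_mandatory else "NonCompliant"
    return {"status": status, "failed": failed_mandatory,
            "remediations": remediations, "audit": audit_findings}


def authorize(endpoint, authenticated=True):
    """Authorization result: reject, quarantine with remediation, or full access."""
    if not authenticated:
        return {"access": "reject"}
    result = assess(endpoint)
    if result["status"] != "Compliant":       # covers Unknown and NonCompliant
        return {"access": "quarantine", **QUARANTINE, "remediate": result["remediations"]}
    return {"access": "permit", **FULL_ACCESS, "audit": result["audit"]}


def remediate(endpoint, result):
    """Simulates the remediation step succeeding for every failed mandatory
    requirement; a real agent would run WSUS/scripts and then re-assess."""
    fixed = dict(endpoint)
    for name in result["failed"]:
        fixed[name] = True
    return fixed


# Constructed endpoints as a posture agent would report them.
LAPTOP_OK = {"os_hotfixes_current": True, "av_installed": True,
             "personal_fw_enabled": True, "disk_encrypted": True}
LAPTOP_NO_AV = {"os_hotfixes_current": True, "av_installed": False,
                "personal_fw_enabled": True, "disk_encrypted": False}


if __name__ == "__main__":
    first = authorize(LAPTOP_NO_AV)
    print("first pass:", first)
    second = authorize(remediate(LAPTOP_NO_AV, assess(LAPTOP_NO_AV)))
    print("after remediation:", second)
```

The audit-mode requirement (disk encryption here) never changes the access decision but surfaces in the permit result, which is how a rollout can measure how many endpoints would fail before the check is promoted to mandatory.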
Desktop posture enhancements: are my desktop endpoints compliant?

ISE 2.0 highlights and descriptions:
File check enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X daemon check: user agent check; user-based process check
Disk encryption check: checks can be based on installation location and disk encryption state
Native patch management: patch management supported via OPSWAT (Install, Enabled, Up-to-date)
File checks (posture enhancements): on OS X, similar to the registry check on Windows. ISE 2.0 with AnyConnect 4.2.

Posture enhancements: OS X daemon check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of the specified disk encryption application; disk encryption state

Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture, patch management: Windows OS example
The table lists product name and version; "Install" is the default support for all products, and a product may optionally support checks for "Enabled" or "Up to Date"; the minimum version of the compliance module that provides support is listed.

ISE Posture, patch management: Mac OS example
Patch management remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only is supported
• Vendor name: list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)

Flow: register with ISE and allow Internet access; register with MDM and allow corporate access.
TrustSec Work Center: streamline management using a single workspace
Intuitive work center and access policy matrix

Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation, with TrustSec's new user interface.
Automate configuration of new SGT policies and authorization rules.

Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports

Access policy matrix: source SGTs (rows) Guest, Contractor, Employee, Infected; destination SGTs (columns) Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each of the 20 cells is either Permit IP or Deny IP. The per-cell layout is not recoverable from the extraction.
High OPEX Security Policy Maintenance
Adding destination Object
Adding source Object
ACL for 3 source objects amp 3 destination objects
permit NY to SRV1 for HTTPSdeny NY to SAP2 for SQLdeny NY to SCM2 for SSHpermit SF to SRV1 for HTTPSdeny SF to SAP1 for SQLdeny SF to SCM2 for SSHpermit LA to SRV1 for HTTPSdeny LA to SAP1 for SQLdeny LA to SAP for SSHPermit SJC to SRV1 for HTTPSdeny SJC to SAP1 for SQLdeny SJC to SCM2 for SSHpermit NY to VDI for RDPdeny SF to VDI for RDPdeny LA to VDI for RDPdeny SJC to VDI for RDP
A Global Bank dedicated 24 global resourcesto manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACLFW RuleSource Destination
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
NY1023402410235024 10236024103102024103152024104111024 hellipSJC DC-RTP (VDI)
ProductionServers
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
49copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Data Center Firewall
Segmentation with Security group
Voice Data Suppliers Guest Quarantine
Retaining initial VLANSubnet Design
Regardless of topology or location policy (Security Group Tag) stays with users devices and servers Access Layer
Data TagSupplier TagGuest TagQuarantine Tag
Aggregation Layer
50copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who Guest
What iPad
Where Office
Who Receptionist
What iPad
Where Office
Who Doctor
What Laptop
Where Office
51copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
US-CERT
[Slide graphic: a long traditional ACL (dozens of “access-list 102 permit/deny …” lines written per host address, wildcard mask and port) shown beside the short TrustSec security policy]
Traditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch, Router, DC FW, DC Switch, Wireless: flexible and scalable policy enforcement
Software-defined segmentation with TrustSec
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
ISE is the cornerstone of your Cisco solutions
[Slide graphic: ISE at the center of the Cisco portfolio: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services]
ISE context: Who, What, Where, When, How
BEFORE, DURING, AFTER
And easily integrates with partner solutions
[Slide graphic: ISE context (Who, What, Where, When, How) shared through the ISE pxGrid controller; Cisco Meraki]
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
[Slide graphic: ISE, the Cisco network and the Cisco and partner ecosystem exchanging context (When, Where, Who, How, What) through the pxGrid controller]
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources
[Slide graphic: the Identity Services Engine feeds the WSA, which decides whether Confidential Patient Records or the Employee Intranet may be reached by Who: Doctor / What: Laptop / Where: Office, Who: Doctor / What: iPad / Where: Office, and Who: Guest / What: iPad / Where: Office]
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
[Slide graphic, flow:]
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
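The containment flow on the FMC/ISE slides above, simulated end to end as an added example that is not from the deck: a partner event arrives over pxGrid, ISE applies an ANC action to the endpoint's session, and the network access device receives a CoA so the new policy takes effect. Only the six mitigation action names come from the slide; the event fields, session fields, CoA names and the quarantine authorization result are constructed assumptions.

```python
"""Added example (not from the Cisco deck): rapid threat containment through
pxGrid and ISE ANC. The mitigation action names are from the FMC remediation
slide; event fields, session fields, CoA names and authorization results are
constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Mitigation actions a pxGrid client may request (FMC remediation module slide).
ANC_ACTIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
               "Session Re-Authenticate", "Session Terminate"}

# Assumed: the RADIUS CoA each action turns into at the network access device.
COA_FOR_ACTION = {
    "Quarantine": "reauthenticate",          # new authorization is pushed on re-auth
    "Un-Quarantine": "reauthenticate",
    "Session Re-Authenticate": "reauthenticate",
    "Session Terminate": "disconnect",
    "Port Bounce": "port-bounce",
    "Port Shutdown": "port-shutdown",
}


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    sgt: str            # current Security Group Tag
    nad: str            # switch or WLC holding the session
    anc_policy: Optional[str] = None
    original_sgt: str = ""


class IseAnc:
    """Minimal stand-in for ISE's session table plus ANC handling."""

    def __init__(self, sessions):
        self.by_ip = {s.ip: s for s in sessions}
        self.by_mac = {s.mac: s for s in sessions}
        self.audit = []     # what an operator would later read in the live log

    def handle_partner_event(self, event):
        """Consume an FMC-style pxGrid event. Only a malicious disposition on an
        endpoint with an active session leads to containment."""
        if event.get("disposition") != "malicious":
            self.audit.append(f"ignored {event.get('summary', 'event')}: not malicious")
            return None
        session = self.by_ip.get(event.get("ip"))
        if session is None:
            self.audit.append(f"no active session for {event.get('ip')}; nothing to contain")
            return None
        return self.apply(session.mac, "Quarantine", reason=event.get("summary", ""))

    def apply(self, mac, action, reason=""):
        """Apply an ANC action to a session and return the CoA sent to its NAD."""
        if action not in ANC_ACTIONS:
            raise ValueError(f"unknown ANC action: {action}")
        session = self.by_mac[mac]
        if action == "Quarantine":
            session.original_sgt = session.sgt
            session.sgt = "Quarantine"       # the slide describes this as the tag becoming "suspicious"
            session.anc_policy = "Quarantine"
        elif action == "Un-Quarantine":
            session.sgt = session.original_sgt or session.sgt
            session.anc_policy = None
        coa = {"type": COA_FOR_ACTION[action], "nad": session.nad, "mac": mac}
        self.audit.append(f"{action} {session.user}@{session.ip} via {coa['type']} ({reason})")
        return coa

    def authorize(self, mac):
        """Authorization ISE returns when the NAD re-authenticates the endpoint."""
        session = self.by_mac[mac]
        if session.anc_policy == "Quarantine":
            return {"sgt": "Quarantine", "dacl": "PERMIT-REMEDIATION-ONLY"}  # assumed names
        return {"sgt": session.sgt, "dacl": "PERMIT-ALL"}


# Constructed sample data: one employee session and one FMC malware event.
SESSIONS = [Session("00:11:22:33:44:55", "10.1.1.25", "alice", "Employee", "switch-1")]
FMC_EVENT = {"source": "FMC", "ip": "10.1.1.25", "disposition": "malicious",
             "sha256": "<sha256 of the flagged file: placeholder>",
             "summary": "AMP retrospective: file disposition changed to malicious"}

if __name__ == "__main__":
    ise = IseAnc(SESSIONS)
    print(ise.handle_partner_event(FMC_EVENT))
    print(ise.authorize("00:11:22:33:44:55"))
    print(ise.apply("00:11:22:33:44:55", "Un-Quarantine"))
    print("\n".join(ise.audit))
```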
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
[Slide graphic: NetFlow data from the Admin Zone, Enterprise Zone, POS Zone and Vendor Zone]
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
[Slide graphic: segmented zones, including an Employee Zone and a Dev Zone]
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: increase security compliance and auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
[Slide graphic: the Security Admin Team and the Network Admin Team each working in their own TACACS+ Work Center]
TACACS+ Device Administration Support for ISE 2.0
The Device Admin Service is not enabled by default
Some Device Admin best practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Use policy sets based on device type
Cisco IOS Switches
Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
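How the best practices above play out, as an added example that is not from the deck: hierarchical network device groups select a device-administration policy set (most specific first), and the command set that policy set assigns to each admin team then authorizes individual CLI commands. The NDG tree, policy-set order, team-to-command-set mapping and command patterns are constructed assumptions; the "#" path notation mirrors how ISE displays NDG hierarchies.

```python
"""Added example (not from the Cisco deck): NDG-driven policy-set selection and
TACACS+ command authorization. Inventory, policy sets, teams and command
patterns are constructed assumptions."""
import re

# Constructed inventory: every device sits in one node of each NDG hierarchy.
DEVICES = {
    "core-sw-01": {"Device Type": "All Device Types#Switches#Cisco IOS",
                   "Location": "All Locations#NA#Campus"},
    "wlc-01": {"Device Type": "All Device Types#Wireless#Airespace",
               "Location": "All Locations#NA#Campus"},
    "asa-dmz-01": {"Device Type": "All Device Types#Security#ASA",
                   "Location": "All Locations#NA#DC"},
    "br-rtr-07": {"Device Type": "All Device Types#Routers#Cisco IOS",
                  "Location": "All Locations#EMEA#Branch"},
}


def in_ndg(device_node: str, wanted_node: str) -> bool:
    """A condition on an NDG node matches that node and everything beneath it."""
    return device_node == wanted_node or device_node.startswith(wanted_node + "#")


# Policy sets are evaluated top-down and the first match wins, so the more
# specific (type + location) set is listed before the broad per-type sets.
# Each set names the command set every team receives on the devices it covers.
POLICY_SETS = [
    ("Branch-Routers", {"Device Type": "All Device Types#Routers",
                        "Location": "All Locations#EMEA#Branch"},
     {"Network Admin": "full-shell", "Security Admin": "read-only"}),
    ("Wireless-Controllers", {"Device Type": "All Device Types#Wireless"},
     {"Network Admin": "wlc-admin"}),
    ("ASA-Firewalls", {"Device Type": "All Device Types#Security#ASA"},
     {"Security Admin": "full-shell", "Network Admin": "read-only"}),
    ("IOS-Switches", {"Device Type": "All Device Types#Switches"},
     {"Network Admin": "full-shell", "Security Admin": "ios-security-ops"}),
    ("Default", {}, {}),
]

# Command sets: ordered (grant, regex over the whole command line); no match means deny.
COMMAND_SETS = {
    "full-shell": [("permit", r".*")],
    "read-only": [("permit", r"^show\b")],
    "wlc-admin": [("permit", r"^(show|config) .*")],
    "ios-security-ops": [
        ("deny", r"^(no )?username\b"),                     # no local account changes
        ("permit", r"^(show|configure terminal)\b"),
        ("permit", r"^(no )?(ip access-list|access-list|crypto)\b"),
    ],
}


def select_policy_set(device: str):
    """Walk the policy sets in order; every NDG condition must hold."""
    groups = DEVICES[device]
    for name, conditions, command_sets in POLICY_SETS:
        if all(in_ndg(groups.get(attr, ""), node) for attr, node in conditions.items()):
            return name, command_sets
    return "Default", {}


def authorize_command(device: str, team: str, command: str) -> str:
    """Per-command authorization: policy set by NDG, then the team's command
    set on that device; a team with no command set there gets nothing."""
    _, command_sets = select_policy_set(device)
    rules = COMMAND_SETS.get(command_sets.get(team, ""), [])
    for grant, pattern in rules:
        if re.match(pattern, command.strip()):
            return grant
    return "deny"


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, "->", select_policy_set(dev)[0])
    print(authorize_command("core-sw-01", "Security Admin", "username admin secret x"))
```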
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don’t just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.”
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
- Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC: Info-Tech Research Group, 2014
Live Demo
Bring Your Own Device (BYOD)
Enable easier and faster device onboarding
Feature Highlight: easy and secure access to the network from any device; simple configuration flow and onboarding experience
Benefits
Better security: minimize the risk of personal devices connecting to the network
Flexibility: works for wired and wireless devices
Improve network operations: offload the onboarding of personal devices from IT
Capabilities
• Full onboarding solution that does not require IT work
• Flexible solution supporting single- and multiple-SSID deployments
• Built-in certificate authority and portal to simplify certificate deployments; also integrates with PKI infrastructure
• End-user “My Devices” portal for personal device administration
• Supports integration with most MDM solutions, including Cisco Meraki, MobileIron, Citrix, JAMF Software and many more
Effectively design, manage and control BYOD access:
1. A user tries to connect to the network using a personal device
2. ISE identifies the user as an employee using a personal device and directs the user to BYOD device registration
3. After successful authentication, ISE onboards the device by installing a certificate and applying the right policy
4. Now that the device has been registered, the user is allowed access to the network
Improve guest experiences without compromising security
Immediate uncredentialed Internet access with Hotspot (Guest: Internet)
Simple self-registration (Guest: Internet)
Role-based access with employee sponsorship (Guest and Sponsor: Internet and Network)
Guest Lifecycle Management: Hotspot
Feature Highlight: immediate uncredentialed access with Hotspot
1. The user associates to an open SSID
2. The user tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After checking the Acceptable Use Policy box, the user is then allowed access to the network
4. At the end of the day (Day Ends) the user is kicked off the network
Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
[Screenshot: secret code “chemist”]
Guest Lifecycle Management: Self Registration
Feature Highlight: simple and flexible guest self-registration
1. The guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. The guest enters the credentials
4. The guest is allowed on the network
A flexible, efficient and scalable solution that fits all your needs
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
[Slide graphic: checks for OS patches, AV installed, registered, custom criteria and vulnerable; EMM integrations]
Identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
[Slide graphic, flow:]
Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown / Non-compliant
Quarantine: dVLAN, dACL, SGT
Posture Assess: OS, hotfix, AV/AS, personal FW, more…
Remediate: WSUS, launch app, scripts, etc.…
Posture = Compliant
Authorize: permit access (dACL, dVLAN, SGT, etc.…)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
AnyConnect
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and descriptions:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check: user agent check, user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks (Posture Enhancements)
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports a feature to check the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator is able to import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of the specified disk encryption application
  • Disk encryption state
Windows ISE Posture: Disk Encryption
Windows ISE Posture: Native Patch Management via OPSWAT
ISE Posture, Patch Management, Windows OS example: product name and version
Install is the default supported check for all products; optionally a product may support checks for “Enabled” or “Up to Date”
Minimum version of the compliance module that provides support
ISE Posture, Patch Management: Mac OS example
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
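The posture checks described on these slides (file hash, daemon and user-agent process, disk encryption, patch management) and the Mandatory, Optional and Audit modes, combined into a small assessment engine as an added example that is not from the deck. The requirement names, endpoint facts and authorization results are constructed assumptions; AnyConnect and ISE use their own formats.

```python
"""Added example (not from the Cisco deck): a posture-assessment engine covering
file SHA-256, daemon / user-agent process, disk encryption and patch-management
checks under Mandatory, Optional and Audit modes. All requirement names,
endpoint facts and authorization results are constructed assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Requirement:
    name: str
    kind: str          # file_sha256 | process | disk_encryption | patch_mgmt
    expected: Any
    mode: str          # mandatory | optional | audit
    remediation: str = ""


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check(req: Requirement, endpoint: dict) -> bool:
    """Evaluate one condition against the facts the agent collected."""
    if req.kind == "file_sha256":          # plist on OS X or a user-directory file on Windows
        path, digest = req.expected
        blob = endpoint["files"].get(path)
        return blob is not None and sha256_of(blob) == digest
    if req.kind == "process":              # daemon = system-wide, user_agent = for one user
        name, scope = req.expected
        return any(p["name"] == name and p["scope"] == scope for p in endpoint["processes"])
    if req.kind == "disk_encryption":      # expected = volume that must be encrypted
        return endpoint["disk_encryption"].get(req.expected) == "encrypted"
    if req.kind == "patch_mgmt":           # expected = (product, installed|enabled|up_to_date)
        product, state = req.expected
        return bool(endpoint["patch_mgmt"].get(product, {}).get(state, False))
    raise ValueError(f"unknown check kind: {req.kind}")


def assess(requirements, endpoint):
    """Return (posture, results, remediations). A failed mandatory requirement
    makes the endpoint NonCompliant; a failed optional one only queues its
    remediation; an audit requirement is recorded and never blocks."""
    posture, results, remediations = "Compliant", {}, []
    for req in requirements:
        ok = check(req, endpoint)
        results[req.name] = ok
        if ok:
            continue
        if req.mode == "mandatory":
            posture = "NonCompliant"
        if req.mode in ("mandatory", "optional") and req.remediation:
            remediations.append(req.remediation)
    return posture, results, remediations


def authorization_for(posture: str) -> dict:
    """Assumed outcomes following the slide's flow: unknown or non-compliant
    endpoints are quarantined until remediated, compliant ones are permitted."""
    if posture == "Compliant":
        return {"dacl": "PERMIT-ALL", "sgt": "Employee"}
    return {"dacl": "PERMIT-REMEDIATION-ONLY", "sgt": "Quarantine"}


# Constructed sample data: the known-good agent config file and one endpoint snapshot.
AGENT_PLIST = b'<plist version="1.0"><dict><key>Tamper</key><false/></dict></plist>'
REQUIREMENTS = [
    Requirement("av-daemon-running", "process", ("corp-av", "daemon"), "mandatory",
                "launch corp-av"),
    Requirement("agent-config-intact", "file_sha256",
                ("/Library/Preferences/com.example.agent.plist", sha256_of(AGENT_PLIST)),
                "mandatory"),
    Requirement("patches-current", "patch_mgmt", ("Corp Patch Manager", "up_to_date"),
                "optional", "install missing patches"),
    Requirement("disk-encrypted", "disk_encryption", "/", "audit"),
]
ENDPOINT = {
    "files": {"/Library/Preferences/com.example.agent.plist": AGENT_PLIST},
    "processes": [{"name": "corp-av", "scope": "daemon"},
                  {"name": "corp-dlp", "scope": "user_agent"}],
    "disk_encryption": {"/": "encrypted"},
    "patch_mgmt": {"Corp Patch Manager": {"installed": True, "enabled": True,
                                           "up_to_date": False}},
}

if __name__ == "__main__":
    posture, results, todo = assess(REQUIREMENTS, ENDPOINT)
    print(posture, results, todo, authorization_for(posture))
```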
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the My Devices portal (Device Stolen, Wipe Corporate Data)
[Slide graphic, four-step flow: register with ISE, allow Internet access, register with MDM, allow corporate access]
TrustSec Work Center
Streamline management using a single workspace
Feature Highlight: the TrustSec Work Center provides an updated user experience, allowing simplified and streamlined deployment, troubleshooting and monitoring
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules with TrustSec’s new user interface
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Intuitive work center and access policy matrix
[Slide graphic, access policy matrix: source SGTs Guest, Contractor, Employee and Infected on the rows; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation on the columns; each cell is Permit IP or Deny IP]
High OPEX Security Policy Maintenance
Traditional ACL / FW rule: source, destination
[Slide graphic: sources NY (several /24 subnets, …), SF, LA and SJC; destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI); Production Servers]
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object, adding a destination object: the complex task and high OPEX continue
A global bank currently dedicates 24 global resources to manage firewall rules
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
Software-defined segmentation with TrustSec
Traditional security policy: address-based ACLs and firewall rules like the list above.
TrustSec security policy: role-based rules that give
• Security control automation
• Simplified access management
• Improved security efficacy
Flexible and scalable policy enforcement across the network fabric: switch, router, data center firewall, data center switch, wireless.
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (clip from 24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE context (who, what, when, where, how) feeds the Cisco security portfolio across the attack continuum (before, during, after):
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE shares its context (who, what, when, where, how) through the pxGrid controller with partner products, including Cisco Meraki, in these categories:
• SIEM
• EMM/MDM
• Firewall
• Vulnerability assessment
• Threat defense
• IoT
• IAM/SSO
• PCAP
• Web security
• CASB
• Performance management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
ISE, the pxGrid controller, the Cisco network, and the Cisco and partner ecosystem exchange context (who, what, when, where, how):
1. ISE collects contextual data from the network.
2. Context is shared via pxGrid technology.
3. Partners use the context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature highlight: enhance web access policy with user and device awareness. The Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits
• Integrate with Cisco Web Security Appliance to control who can access what on the web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec Security Group Tags for contextual data abstraction makes classification much simpler on the WSA, because the WSA policy references a group rather than users, devices and addresses.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access web resources.
[Slide graphic: three sessions seen by ISE and the WSA (Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office) against two resources, Confidential Patient Records and the Employee Intranet]
Slide 60
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature highlight: automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow shown on the slide:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and, over pxGrid, tells ISE to move the endpoint to a suspicious/quarantine Security Group Tag (SGT).
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation: access is denied per security policy.
Slide 61
Registering the FMC pxGrid client
• In ISE: Administration -> pxGrid Services shows the registered FireSIGHT Management Center pxGrid client
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source
• In FMC: Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
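Every one of the mitigation actions above, and step 4 of the pxGrid flow on slide 58 ("partners can direct ISE to rapidly contain threats"), ends the same way: ISE sends the switch or controller a RADIUS Change of Authorization (RFC 5176) for the offending session, and the device acts on it only after checking the shared-secret signatures. The example below is added here and is not code from the deck, from ISE or from FMC: it builds the CoA-Request or Disconnect-Request for each action, verifies it the way a network access device must, and shows a tampered or unsigned request being rejected. The subscriber:command AVPair strings are the standard Cisco CoA commands (an assumption of the example; the slide names only the actions, and it does not say which CoA type ISE uses for ANC Quarantine/Un-Quarantine, modelled here as a re-authenticate). The MAC address, shared secret and identifier are constructed sample values.

```python
"""Build and verify RFC 5176 CoA-Request / Disconnect-Request packets for the
mitigation actions on the slide. Added example; not code from the deck or from
ISE. The subscriber:command strings are the standard Cisco CoA AVPairs (an
assumption, not stated on the slide); MAC, secret and identifier are sample
values constructed for the example."""
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RFC 5176 packet codes
DISCONNECT_REQUEST = 40
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
ZERO_AUTH = b"\x00" * 16

# Mitigation action -> Cisco AVPair carried in the CoA-Request. Session
# Terminate is a Disconnect-Request and carries no command. Quarantine and
# Un-Quarantine change the endpoint's ANC assignment inside ISE and then push
# a re-authenticate so the NAD picks up the new authorization (assumption).
COMMANDS = {
    "Port Bounce": "subscriber:command=bounce-host-port",
    "Port Shutdown": "subscriber:command=disable-host-port",
    "Session Re-Authenticate": "subscriber:command=reauthenticate",
    "Quarantine": "subscriber:command=reauthenticate",
    "Un-Quarantine": "subscriber:command=reauthenticate",
}


def attr(atype, value):
    """Encode one RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco (vendor 9) sub-attribute 1, cisco-avpair."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def build_request(action, mac, secret, identifier=1):
    """Return the signed packet ISE would send to the NAD for one action."""
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode())   # identifies the session
    if action == "Session Terminate":
        code = DISCONNECT_REQUEST
    else:
        code = COA_REQUEST
        attrs += cisco_avpair(COMMANDS[action])
    # The Message-Authenticator placeholder is part of the signed length.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO_AUTH)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # 1. Message-Authenticator = HMAC-MD5(secret, packet) computed with the
    #    Authenticator field and the attribute value both zeroed (RFC 3579 as
    #    applied to CoA/Disconnect requests by RFC 5176).
    msg_auth = hmac.new(secret, header + ZERO_AUTH + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # 2. Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret),
    #    the same construction as an Accounting-Request (RFC 5176 section 2.3).
    req_auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + req_auth + attrs


def parse_attrs(packet):
    """Return (type, value) pairs for the attributes after the 20-byte header."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def cisco_command(packet):
    """Return the cisco-avpair text carried by the packet, or None."""
    for atype, value in parse_attrs(packet):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            return value[6:4 + value[5]].decode()
    return None


def verify_request(packet, secret):
    """What the NAD must do before acting: check the Length field, the Request
    Authenticator and the Message-Authenticator. A request failing any check is
    silently dropped, so a forged bounce-host-port from a host that does not
    hold the shared secret is ignored; requests with no Message-Authenticator
    are rejected here as well."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + ZERO_AUTH + attrs + secret).digest() != req_auth:
        return False
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            given = attrs[i + 2:i + alen]
            zeroed = attrs[:i + 2] + ZERO_AUTH + attrs[i + alen:]
            expected = hmac.new(secret, header + ZERO_AUTH + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, given)
        i += alen
    return False


if __name__ == "__main__":
    for action in ("Port Bounce", "Port Shutdown", "Session Re-Authenticate", "Session Terminate"):
        pkt = build_request(action, "00:11:22:33:44:55", b"s3cret", identifier=7)
        print(f"{action:24s} code={pkt[0]} len={len(pkt)} cmd={cisco_command(pkt)} ok={verify_request(pkt, b's3cret')}")
```

The practical point for the deployment: the NAD must be configured with ISE as a dynamic-authorization (CoA) client using the same shared secret, usually on UDP 1700 for Cisco devices, and that secret is the only thing standing between an attacker on the management network and a CoA that bounces or disables ports. Treat it like any other RADIUS secret (long, per-device, not the one printed on a slide).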
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Data from the network feeds these components.)
Slide 64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec software-defined segmentation
[Slide graphic: the network divided into zones: Admin, Enterprise, POS, Vendor, Employee, Dev]
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature highlight: customers can now use Terminal Access Controller Access Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security and compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
[Slide graphic: the Security Admin Team and the Network Admin Team each work from their own TACACS+ work center; TACACS+ device administration support is new in ISE 2.0]
Slide 66
The Device Admin (TACACS+) service is not enabled by default. Enable it on each Policy Service Node that should answer TACACS+ requests (Administration -> System -> Deployment, edit the node) before pointing devices at ISE; the service also needs a Device Administration license.
Slide 67
Some Device Admin best practices
• Separate policy sets for Cisco IOS devices and for AireOS (Airespace) WLCs
• Separate policy sets for security appliances and for routers
• A separate policy set for the ASA
• Differentiate based on the location of the device
• Use Network Device Groups (NDGs) as the policy set conditions
Slide 68
Use policy sets based on device type: one for Cisco IOS switches, one for AireOS WLCs
Slide 69
Example: Wireless LAN Controllers policy set
Slide 70
Example: Cisco IOS policy set
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use third-party packages
• Create new profiles from scratch or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 30
Improve guest experiences without compromising security
• Hotspot: immediate uncredentialed Internet access (Guest -> Internet)
• Simple self-registration (Guest -> Internet)
• Role-based access with employee sponsorship (Guest + Sponsor -> Internet and network)
Slide 31
Guest lifecycle management: Hotspot
Feature highlight: immediate uncredentialed access with Hotspot
1. The user associates to an open SSID.
2. The user tries to access the web, is identified by ISE as a guest and is redirected to the guest captive portal.
3. After accepting the Acceptable Use Policy, the user is then allowed access to the network.
4. At the end of the day the user is kicked off the network (Day Ends).
Guest access made easy
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode (demo secret code: chemist)
Slide 32
Guest lifecycle management: Self Registration
Feature highlight: simple and flexible guest self-registration
1. The guest is redirected to a captive portal for self-registration.
2. After the guest fills in the registration request, the credentials are sent by ISE via SMS.
3. The guest enters the credentials.
4. The guest is allowed on the network.
A flexible, efficient and scalable solution that fits all your needs.
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages are customizable
• Time limits and account expiration renewals
Slide 33
Endpoint compliance: rest assured that ISE is keeping track
ISE, with EMM integrations, identifies the device, checks posture, ensures policy compliance and quarantines non-compliant devices.
[Slide graphic: posture criteria OS patches, AV installed, Registered and Custom Criteria, with devices failing a check flagged Vulnerable]
Slide 34
Endpoint compliance: posture assessment
Enforce endpoint compliance prior to allowing access to the network.
1. Authenticate: authenticate the user and the endpoint; posture = Unknown/Non-compliant.
2. Quarantine: restrict the session with a dVLAN, dACLs or an SGT.
3. Posture assess: OS, hotfixes, AV/AS, personal firewall, more...
4. Remediate: WSUS, launch an app, scripts, etc.
5. Posture = Compliant.
6. Authorize: permit access via dACL, dVLAN, SGT, etc.
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop posture enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights:
• File check enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X daemon check: user agent check; user-based process check
• Disk encryption check: checks can be based on installation location and disk encryption state
• Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File checks (posture enhancements)
• OS X: similar to the registry check on Windows
• Requires ISE 2.0 and AnyConnect 4.2
Slide 37
Posture enhancements: OS X daemon check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking for a user agent as well as for a daemon
Slide 38
Disk encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch management application checks
• The administrator imports the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
Slide 39
Windows ISE posture: disk encryption (screenshot)
Slide 40
Windows ISE posture: native patch management via OPSWAT (screenshot)
Slide 41
ISE posture, patch management, Windows OS example: the support chart lists product name and version; "Install" is supported for all products, a product may optionally support the "Enabled" or "Up to Date" checks, and the chart gives the minimum version of the compliance module that provides support.
Slide 42
ISE posture, patch management: Mac OS example (screenshot)
Slide 43
Patch management remediation
• Remediation type: same as the AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options:
  • Enable
  • Install missing patches
  • Activate the patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the MyDevices portal (device stolen, wipe corporate data)
Flow shown on the slide:
1. Register with ISE
2. Allow Internet access
3. Register with MDM
4. Allow corporate access
Slide 45
TrustSec Work Center: streamline management using a single workspace
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring, with an intuitive work center and access policy matrix.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface.
Capabilities
• New TrustSec administrator console and services
  - TrustSec dashboard
  - Matrix overhaul
  - Automatic SGT creation
  - ISE as SXP speaker/listener
• Revised UX
  - Improved menu structure for ease of navigation
  - Search capability within the GUI
• Enhanced reporting
  - PDF print and local save reintroduced
  - Improved filtering for live log and reports
[Slide graphic: the access policy matrix, with source security groups Guest, Contractor, Employee and Infected in the rows and destination groups Internet, Contractor Resources, HR Server, Employee Resources and Remediation in the columns; each of the 20 cells holds a Permit IP or Deny IP SGACL (ten of each). The per-cell assignment is not recoverable from the extracted text.]
Slide 46
High OPEX security policy maintenance
Traditional ACL / firewall rule (source, destination):
Sources: NY, SF, LA, SJC (for example NY = 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...)
Destinations: production servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); and DC-RTP (VDI)
ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Every new source or destination object multiplies the rule count. A global bank currently dedicates 24 global resources to managing firewall rules; the complex task and high OPEX continue.
Slide 47
Low OPEX security policy maintenance
Security group filtering:
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
The same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI) are covered by six rules:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization): the bank now estimates 6 global resources. Clear ROI in OPEX.
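The OPEX argument on these two slides is a counting argument, and it is easy to make concrete. The script below is an added example, not code from the deck or from ISE: it takes the six role-based rules and the SGT numbers from slide 47 and compiles them two ways, first into the address-based ACEs a traditional firewall or router ACL needs (one line per source prefix, destination host and service), then into TrustSec matrix cells keyed by source and destination SGT, and it evaluates sample flows by tag. Adding a site to the address plan grows the first list and leaves the second untouched. The site subnets, server addresses and the service-to-port mapping are constructed for the example; the unmatched-flow default is the example's own choice.

```python
"""Compile the slide's role-based policy two ways, address-based ACEs versus
SGT cells, then evaluate flows against the SGT matrix. Added example; not
code from the deck or from ISE. SGT numbers and the six rules are the ones
on the slide; subnets, server addresses and the service/port mapping are
constructed for the example."""
from itertools import product

SERVICES = {"HTTPS": ("tcp", 443), "SQL": ("tcp", 1433), "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}

SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# (source group, destination group, service or None for any, action), as on slide 47.
POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]

# Constructed address plan. Without tags the only way to tell an employee
# laptop from a BYOD device is where it sits, so every site needs a subnet
# per role, and every one of those subnets becomes a source object.
SOURCE_PREFIXES = {
    "Employee": ["10.2.34.0/24", "10.2.35.0/24", "10.3.102.0/24", "10.3.152.0/24", "10.4.111.0/24"],  # NY, NY, SF, LA, SJC
    "BYOD": ["10.2.134.0/24", "10.3.202.0/24", "10.3.252.0/24", "10.4.211.0/24"],                     # NY, SF, LA, SJC
}
DEST_HOSTS = {
    "Production_Servers": ["10.10.1.10", "10.10.1.11", "10.20.1.10"],   # SRV1, SAP1, SCM2
    "VDI": ["10.20.1.50"],
}


def expand_traditional(sources, dests, policy=POLICY):
    """Render the policy as the address-based ACEs a firewall or router ACL
    needs: one line per (source prefix, destination host, service)."""
    aces = []
    for src_group, dst_group, service, action in policy:
        proto, port = SERVICES[service] if service else ("ip", None)
        suffix = f" eq {port}" if port else ""
        for src, dst in product(sources[src_group], dests[dst_group]):
            aces.append(f"{action} {proto} {src} host {dst}{suffix}")
    return aces


def sgacl_matrix(policy=POLICY):
    """Group the policy into TrustSec matrix cells keyed by (src SGT, dst SGT);
    each cell holds the ordered ACEs of its SGACL."""
    cells = {}
    for src_group, dst_group, service, action in policy:
        proto, port = SERVICES[service] if service else ("ip", None)
        cells.setdefault((SGT[src_group], SGT[dst_group]), []).append((proto, port, action))
    return cells


def sgacl_lookup(src_sgt, dst_sgt, proto, port, cells=None):
    """Evaluate one flow by tag. The first matching ACE in the cell wins; an
    unmatched flow is denied here (the example's own default; on a real
    switch an unmatched cell follows the configured default policy)."""
    cells = cells if cells is not None else sgacl_matrix()
    for ace_proto, ace_port, action in cells.get((src_sgt, dst_sgt), []):
        if ace_proto == "ip" or (ace_proto, ace_port) == (proto, port):
            return action
    return "deny"


def add_site(sources, employee_prefix, byod_prefix):
    """Return a copy of the address plan with one more site. The SGT policy is
    untouched by this; the address-based ACL is not."""
    new = {group: list(prefixes) for group, prefixes in sources.items()}
    new["Employee"].append(employee_prefix)
    new["BYOD"].append(byod_prefix)
    return new


if __name__ == "__main__":
    before = expand_traditional(SOURCE_PREFIXES, DEST_HOSTS)
    after = expand_traditional(add_site(SOURCE_PREFIXES, "10.5.10.0/24", "10.5.110.0/24"), DEST_HOSTS)
    print(f"address-based ACEs: {len(before)} -> {len(after)} after adding one site")
    print(f"SGACL cells: {len(sgacl_matrix())}, ACEs inside them: {len(POLICY)} (unchanged)")
    print("Employee -> Production_Servers tcp/443:", sgacl_lookup(10, 50, "tcp", 443))
    print("BYOD -> Production_Servers tcp/443:    ", sgacl_lookup(200, 50, "tcp", 443))
```

With the constructed plan the six role rules become 66 address-based ACEs, and one new site adds 14 more while the four SGT cells and their six ACEs do not change; that is the whole difference between the 24-person and 6-person estimates on these slides. The example also shows why the default matters: the "Deny BYOD to Production_Servers" rule is a single ip ACE in one cell, so anything not listed in a cell has to fall to an explicit default rather than to whatever the last engineer assumed.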
Slide 48
Policy and segmentation with VLANs
[Slide graphic: access layer and aggregation layer with Voice, Data, Suppliers, Guest and Quarantine VLANs]
• Simple segmentation with 2 VLANs; more policies require more VLANs
• Each VLAN brings addressing, a DHCP scope, redundancy, routing and static filtering
• The design has to be replicated for floors, buildings, offices and other facilities; the cost can be extremely high
Slide 49
Segmentation with security groups
[Slide graphic: the same access and aggregation layers, with Data, Supplier, Guest and Quarantine tags instead of per-role VLANs, and a data center firewall enforcing on the tags]
• Retain the initial VLAN/subnet design
• Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business-role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
[Slide graphic: three sessions (Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office) against three resources: Internet, Confidential Patient Records, Internal Employee Intranet]
Slide 51
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
[Slide 53]
Centralized Control
Deeper Visibility
Superior Protection
[Slide 54]
https://www.youtube.com/watch?v=CMsp8WiBxzM
[Slide 55]
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
[Slide 56] ISE is the cornerstone of your Cisco solutions
ISE sits at the centre of: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Context (Who, What, When, Where, How) across BEFORE, DURING and AFTER an attack
[Slide 57] And easily integrates with partner solutions
ISE pxGrid controller (Who, What, When, Where, How); Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
[Slide 58] Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (Who, What, When, Where, How) flows between the Cisco network, ISE (the pxGrid controller) and the Cisco and partner ecosystem:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
[Slide 59] Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Example (slide graphic): ISE supplies context to the WSA for three sessions (Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office); the WSA then decides access to Confidential Patient Records and the Employee Intranet.
[Slide 60] Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow (slide graphic):
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the endpoint's Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
[Slide 61] FireSIGHT Management Center: registered FMC pxGrid client
• Administration > pxGrid Services
[Slide 62] FireSIGHT Management Center: create a pxGrid mitigation action based on Mitigate Source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
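The pxGrid exchange on the preceding slides (ISE shares context, a partner such as FMC directs ISE to contain an endpoint, ISE enforces the new tag) and the mitigation actions listed above, as an added Python walk-through. This is not Cisco, FMC or pxGrid code and does not implement the pxGrid protocol; the event format, session table, tag names and tag-to-resource policy are assumptions constructed for the example, and only the six action names come from the slide:

```python
"""Rapid threat containment as the FMC/ISE slides describe it: a partner
event arrives over pxGrid, the endpoint's tag changes, and every later
enforcement decision follows the new tag.

Added example, not Cisco, FMC or pxGrid code, and it does not implement the
pxGrid protocol. The six action names are the mitigation actions listed on
the slide; the event format, session table, tag names and the tag-to-resource
policy are constructed for the walk-through."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MITIGATION_ACTIONS = {"Quarantine", "Un-Quarantine", "Port Bounce",
                      "Port Shutdown", "Session Re-Authenticate", "Session Terminate"}

# Constructed tag-based policy: which resources each Security Group may reach.
ENFORCEMENT: Dict[str, set] = {
    "Employee": {"Internet", "Employee Resources", "HR Server"},
    "Suspicious": {"Remediation"},
}


@dataclass
class Session:
    """One authenticated endpoint as the context store knows it (constructed)."""
    ip: str
    user: str
    sgt: str
    original_sgt: str = ""
    port_up: bool = True
    history: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.original_sgt = self.original_sgt or self.sgt


class ContextStore:
    """Stand-in for the ISE session directory that partner actions operate on."""

    def __init__(self, sessions: List[Session]):
        self.by_ip = {s.ip: s for s in sessions}

    def handle_partner_event(self, event: dict) -> Optional[str]:
        """Apply the mitigation action a partner requested; return the endpoint's tag."""
        action = event["action"]
        if action not in MITIGATION_ACTIONS:
            raise ValueError(f"unknown mitigation action: {action}")
        s = self.by_ip.get(event["ip"])
        if s is None:
            return None                       # no session: nothing to contain
        s.history.append(f"{event['source']}:{action}:{event.get('reason', '')}")
        if action == "Quarantine":
            s.sgt = "Suspicious"              # the tag change the slide describes
        elif action == "Un-Quarantine":
            s.sgt = s.original_sgt
        elif action == "Port Shutdown":
            s.port_up = False
        elif action == "Session Terminate":
            del self.by_ip[s.ip]              # endpoint must re-authenticate
            return None
        # Port Bounce / Session Re-Authenticate: the endpoint re-authenticates and
        # is re-authorized with whatever tag the session currently carries.
        return s.sgt

    def may_reach(self, ip: str, resource: str) -> bool:
        """Enforcement lookup: the current tag decides, not the address."""
        s = self.by_ip.get(ip)
        return bool(s and s.port_up and resource in ENFORCEMENT.get(s.sgt, set()))


def run_containment() -> List[bool]:
    """Drive the slide's flow; return HR Server / Remediation reachability along the way."""
    store = ContextStore([Session(ip="10.1.1.25", user="alice", sgt="Employee")])
    trail = [store.may_reach("10.1.1.25", "HR Server")]        # True: normal access
    # Constructed FMC verdict on a downloaded file, delivered as a pxGrid-style event.
    store.handle_partner_event({"source": "FMC", "ip": "10.1.1.25", "action": "Quarantine",
                                "reason": "malware:sha256:<placeholder>"})
    trail.append(store.may_reach("10.1.1.25", "HR Server"))    # False: contained
    trail.append(store.may_reach("10.1.1.25", "Remediation"))  # True: remediation only
    # After clean-up the partner (or an operator) lifts the quarantine.
    store.handle_partner_event({"source": "FMC", "ip": "10.1.1.25", "action": "Un-Quarantine"})
    trail.append(store.may_reach("10.1.1.25", "HR Server"))    # True: restored
    return trail
```

The point the slides make shows up in `may_reach`: enforcement is keyed on the session's tag, so one tag change from the partner is enough, with no per-address ACL edit anywhere in the network.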
[Slide 63] Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
[Slide 64] Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones (slide graphic): ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
[Slide 65] TACACS+ Device Administration: simplify security management with role-based access
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
TACACS+ Device Administration support for ISE 2.0 (slide graphic): the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
[Slide 66] Device Admin Service is not enabled by default
[Slide 67] Some Device Admin best practices
• Different policy sets for IOS than for Airespace OS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
[Slide 68] Use policy sets based on device type: Cisco IOS switches; Airespace WLCs
[Slide 69] Example: Wireless LAN Controllers
[Slide 70] Example: Cisco IOS
[Slide 71] ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: 802.1X (since ISE 1.0); new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
[Slide 72] Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
[Slide 73] Don't just take it from us
Recognized as a LEADER four years in a row (Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011)
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today."
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
[Slide 74] Live Demo
[Slide 31] Guest lifecycle management: Hotspot
Guest access made easy
Feature Highlight: immediate un-credentialed access with Hotspot
Flow (slide graphic):
1. The user associates to an open SSID
2. The user tries to access the Web, is identified by ISE as a guest and is redirected to the guest captive portal
3. After accepting the Acceptable Use Policy the user is then allowed access to the network
4. At the end of the day ("Day Ends") the user is kicked off the network
Capabilities
• Built-in templates for hotspot, self-registration and more
• Create corporate-branded, customized pages within minutes
• Supports multiple languages
• Supports multiple landing pages
• Hotspot flow supports a passcode
Demo secret code: chemist
[Slide 32] Guest lifecycle management: Self Registration
Flexible, efficient and scalable solution that fits all your needs
Feature Highlight: simple and flexible guest self-registration
Flow (slide graphic):
1. The guest is redirected to a captive portal for self-registration
2. After the guest fills in the registration request, the credentials are sent by ISE via SMS
3. The guest enters the credentials
4. The guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals
[Slide 33] Endpoint Compliance: rest assured that ISE is keeping track
ISE identifies the device, checks posture, ensures policy compliance and quarantines non-compliant devices; EMM integrations extend this to mobile devices.
Checks shown (slide graphic): OS patches, AV installed, Registered, Custom criteria, Vulnerable (an X marks each check the endpoint fails)
[Slide 34] Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow (slide graphic):
1. Authenticate: authenticate the user, authenticate the endpoint; Posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACL, SGT
3. Posture assess: OS, hotfix, AV/AS, personal firewall, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
[Slide 35] Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and descriptions:
File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
OS X Daemon Check: user agent check; user-based process check
Disk Encryption Check: checks can be based on installation location and disk encryption state
Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
[Slide 36] File Checks: posture enhancements
OS X: similar to the registry check on Windows
ISE 2.0 / AnyConnect 4.2
[Slide 37] Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking for a user agent as well as for a daemon
[Slide 38] Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library used for the antivirus, antispyware and patch management checks
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
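The posture flow on slide 34 (authenticate, quarantine, assess, remediate, authorize) and the file, daemon/user-agent and disk-encryption checks on slides 35 to 38, as an added Python walk-through. This is not ISE or AnyConnect code; the check names, file contents, process names and dACL names are constructed for the example, and the only things taken from the slides are the check types and the Mandatory / Optional / Audit modes:

```python
"""Walk-through of the posture flow on these slides: assess an endpoint,
quarantine while non-compliant, remediate, re-assess, authorize.

Added example, not ISE or AnyConnect code. The check types (SHA-256 file
check, daemon and user-agent process checks, disk-encryption state) and the
Mandatory / Optional / Audit modes are the ones the slides list; every
endpoint value, check name and dACL name below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

MANDATORY, OPTIONAL, AUDIT = "mandatory", "optional", "audit"   # posture modes


@dataclass
class Endpoint:
    """Facts a posture agent would collect (constructed, not a real host)."""
    files: Dict[str, bytes]      # path -> contents as read by the agent
    daemons: List[str]           # system-wide background processes
    user_agents: List[str]       # per-user background processes
    disk_encrypted: bool


@dataclass
class Check:
    name: str
    mode: str                    # MANDATORY, OPTIONAL or AUDIT
    test: Callable[[Endpoint], bool]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file_check(path: str, expected_hex: str) -> Callable[[Endpoint], bool]:
    """File check: the file must exist and hash to the reference value."""
    def run(ep: Endpoint) -> bool:
        data = ep.files.get(path)
        return data is not None and sha256_hex(data) == expected_hex
    return run


def daemon_check(name: str) -> Callable[[Endpoint], bool]:
    """Daemon check: a system-wide background process must be running."""
    return lambda ep: name in ep.daemons


def user_agent_check(name: str) -> Callable[[Endpoint], bool]:
    """User-agent check: a process run on behalf of the logged-in user."""
    return lambda ep: name in ep.user_agents


def disk_encryption_check() -> Callable[[Endpoint], bool]:
    return lambda ep: ep.disk_encrypted


def assess(ep: Endpoint, checks: List[Check]) -> dict:
    """Evaluate every check; only a failed MANDATORY check blocks access.

    OPTIONAL and AUDIT failures are recorded for reporting, matching the way
    the slides describe the three posture modes."""
    results = {c.name: c.test(ep) for c in checks}
    blocking = [c.name for c in checks if c.mode == MANDATORY and not results[c.name]]
    return {"posture": "Compliant" if not blocking else "Non-compliant",
            "blocking": blocking, "results": results}


def authorize(posture: str) -> dict:
    """Authorization step: Unknown / Non-compliant is quarantined, Compliant is permitted."""
    if posture == "Compliant":
        return {"action": "Permit Access", "dacl": "PERMIT_ALL"}          # constructed dACL name
    return {"action": "Quarantine", "dacl": "POSTURE_REMEDIATION_ONLY"}  # constructed dACL name


def remediate(ep: Endpoint, assessment: dict) -> Endpoint:
    """Automatic-remediation stand-in: start the missing AV daemon."""
    if "av-daemon-running" in assessment["blocking"]:
        ep.daemons.append("avd")
    return ep


def run_flow() -> List[str]:
    """Drive one constructed endpoint through the flow and return the states it passed."""
    golden = b"[agent]\nversion=4.2\n"          # constructed reference file contents
    checks = [
        Check("agent-config-hash", MANDATORY,
              sha256_file_check("/etc/agent.conf", sha256_hex(golden))),
        Check("av-daemon-running", MANDATORY, daemon_check("avd")),
        Check("backup-user-agent", OPTIONAL, user_agent_check("backupd")),
        Check("disk-encrypted", AUDIT, disk_encryption_check()),
    ]
    ep = Endpoint(files={"/etc/agent.conf": golden}, daemons=["sshd"],
                  user_agents=[], disk_encrypted=False)
    trail = ["Authenticate", "Posture=Unknown", authorize("Unknown")["action"]]
    result = assess(ep, checks)
    trail.append("Posture=" + result["posture"])
    if result["posture"] != "Compliant":
        result = assess(remediate(ep, result), checks)
        trail.append("Posture=" + result["posture"])
    trail.append(authorize(result["posture"])["action"])
    return trail
```

In `run_flow` the endpoint fails the optional user-agent check and the audit disk-encryption check as well, but only the mandatory AV-daemon failure keeps it in quarantine; after remediation it is re-assessed and permitted, which is the sequence the slide's flow diagram draws.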
[Slide 39] Windows ISE Posture: Disk Encryption
[Slide 40] Windows ISE Posture: Native Patch Management via OPSWAT
[Slide 41] ISE Posture: Patch Management, Windows OS example (product name and version)
Install is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date"
The table also lists the minimum version of the compliance module that provides support
[Slide 42] ISE Posture: Patch Management, Mac OS example
[Slide 43] Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
[Slide 44] Endpoint Compliance: Mobile Device Management integration
Posture / compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the MyDevices Portal (device stolen, wipe corporate data)
Flow (slide graphic): register with ISE; allow Internet access; register with MDM; allow corporate access
[Slide 45] TrustSec Work Center: streamline management using a single workspace
Intuitive work center and access policy matrix
Feature Highlight: the TrustSec Work Center provides an updated user experience and allows simplified, streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface.
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Access policy matrix (slide graphic): rows are source SGTs (Guest, Contractor, Employee, Infected), columns are destination SGTs (Internet, Contractor Resources, HR Server, Employee Resources, Remediation); each cell holds Permit IP or Deny IP (ten of each in the example shown).
[Slide 46] High OPEX security policy maintenance
Traditional ACL / FW rule: source and destination objects
Sources: NY (10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...), SF, LA; adding a source object: SJC
Destinations (Production Servers): DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); adding a destination object: DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects, growing as objects are added:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Complex task, and the high OPEX continues: a global bank currently dedicates 24 global resources to managing firewall rules.
[Slide 47] Low OPEX security policy maintenance
Security Group Filtering: the same sources (NY, SF, LA, SJC) and destinations (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2 as Production Servers; DC-RTP VDI as VDI Servers), with users classified as Employee or BYOD
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization): e.g. the bank now estimates 6 global resources
Clear ROI in OPEX
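The rule-count arithmetic behind the two slides above, as an added Python example that is not Cisco code: it expands the per-site rules of the "High OPEX" slide into the ACEs a device has to hold, evaluates the six-rule security-group policy of the "Low OPEX" slide against flows, and shows that adding a source site changes the IP model but not the SGT policy. Site, server and group names and the SGT numbers are the slides' own; all prefixes, addresses and session-to-tag assignments are constructed for the example:

```python
"""Rule-count arithmetic behind the "High OPEX" and "Low OPEX" slides, with a
small evaluator for each model.

Added example, not Cisco code. The site, server and group names and the SGT
numbers (Employee 10, BYOD 200, Production_Servers 50, VDI 201) are the ones
on the slides; all prefixes, addresses and sessions below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SERVICES = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# Traditional model: objects are groups of IP prefixes (constructed values).
SITES: Dict[str, List[str]] = {
    "NY": ["10.2.34.0/24", "10.2.35.0/24", "10.2.36.0/24"],
    "SF": ["10.5.10.0/24"],
    "LA": ["10.6.10.0/24"],
}
SERVERS: Dict[str, List[str]] = {
    "SRV1": ["10.100.1.10/32"], "SAP1": ["10.100.1.20/32"],
    "SCM2": ["10.101.1.30/32"], "VDI": ["10.101.2.0/24"],
}

Rule = Tuple[str, str, str, Optional[str]]   # (action, source, destination, service)


def site_intent(site: str) -> List[Rule]:
    """The four rules the "High OPEX" slide repeats for every source site."""
    return [("permit", site, "SRV1", "HTTPS"), ("deny", site, "SAP1", "SQL"),
            ("deny", site, "SCM2", "SSH"), ("permit", site, "VDI", "RDP")]


def expand_ip_acl(sites, servers, intent: List[Rule]) -> List[Tuple[str, str, str, int]]:
    """Expand object-level rules into the concrete ACEs a device has to hold."""
    return [(action, src, dst, SERVICES[svc])
            for action, site, server, svc in intent
            for src in sites[site] for dst in servers[server]]


# Security-group model: the six rules of the "Low OPEX" slide, written once.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGT_POLICY: List[Rule] = [
    ("permit", "Employee", "Production_Servers", "HTTPS"),
    ("deny", "Employee", "Production_Servers", "SQL"),
    ("deny", "Employee", "Production_Servers", "SSH"),
    ("permit", "Employee", "VDI", "RDP"),
    ("deny", "BYOD", "Production_Servers", None),        # any service
    ("permit", "BYOD", "VDI", "RDP"),
]


def server_groups(servers) -> Dict[str, str]:
    """Static prefix-to-group mapping for servers (VDI is its own group)."""
    return {p: ("VDI" if name == "VDI" else "Production_Servers")
            for name, prefixes in servers.items() for p in prefixes}


def classify(ip: str, sessions: Dict[str, str], static: Dict[str, str]) -> Optional[str]:
    """Resolve an address to its SGT: an authenticated session wins (the tag
    follows the user, not the subnet), then the static server mapping."""
    if ip in sessions:
        return sessions[ip]
    addr = ipaddress.ip_address(ip)
    for prefix, group in static.items():
        if addr in ipaddress.ip_network(prefix):
            return group
    return None


def evaluate_sgt(src_ip, dst_ip, port, sessions, static) -> str:
    """First matching (source SGT, destination SGT, service) cell; else implicit deny."""
    s, d = classify(src_ip, sessions, static), classify(dst_ip, sessions, static)
    for action, src_g, dst_g, svc in SGT_POLICY:
        if (src_g, dst_g) == (s, d) and (svc is None or SERVICES[svc] == port):
            return action
    return "deny"


def compare(sites, servers) -> Dict[str, int]:
    """Rule counts an administrator maintains in each model for the given objects."""
    intent = [r for site in sites for r in site_intent(site)]
    return {"ip_rules": len(intent),
            "ip_aces": len(expand_ip_acl(sites, servers, intent)),
            "sgt_rules": len(SGT_POLICY)}


if __name__ == "__main__":
    print("NY/SF/LA:", compare(SITES, SERVERS))                        # 12 rules, 20 ACEs, 6 SGT rules
    print("+SJC:    ", compare({**SITES, "SJC": ["10.7.10.0/24"]}, SERVERS))  # 16, 24, still 6
    sessions = {"10.7.10.5": "Employee", "10.7.10.6": "BYOD"}        # tags from authentication
    static = server_groups(SERVERS)
    print(evaluate_sgt("10.7.10.5", "10.100.1.10", 443, sessions, static))  # permit
    print(evaluate_sgt("10.7.10.6", "10.100.1.10", 443, sessions, static))  # deny
```

Two endpoints on the same SJC subnet get different answers because the tag comes from the authenticated session rather than the address, which is what "policy stays with users and servers regardless of location or topology" means in practice; the IP model, by contrast, has no way to express that difference without splitting the subnet.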
[Slide 48] Policy and segmentation
Traditional design: Voice, Data, Suppliers, Guest and Quarantine are separate VLANs at the access layer; each VLAN at the aggregation layer needs addressing, a DHCP scope, redundancy, routing and static filtering
Simple segmentation with 2 VLANs; more policies require more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
[Slide 49] Segmentation with Security Groups
Voice, Data, Suppliers, Guest and Quarantine retain the initial VLAN / subnet design; at the access layer endpoints carry a Data, Supplier, Guest or Quarantine tag, enforced at the aggregation layer and the data center firewall
Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers
[Slide 50] Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Example (slide graphic): three sessions (Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office) and three resources (Internet, Confidential Patient Records, Internal Employee Intranet)
[Slide 51]
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
[Slide background: a traditional "access-list 102" with hundreds of address-based permit/deny entries, illustrating how unwieldy a traditional security policy becomes]
Traditional Security Policy vs. Security Policy with TrustSec
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Flexible and Scalable Policy Enforcement across the Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
ISE is the cornerstone of your Cisco solutions
ISE shares context (Who, What, Where, When, How) with the rest of the Cisco security portfolio before, during and after an attack:
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
And easily integrates with partner solutions
Through the ISE pxGrid controller, the same context (Who, What, Where, When, How) reaches Cisco Meraki and partner products in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (When, Where, Who, How, What) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better Visibility: detailed reporting to understand how, when and from what devices users access Web resources.
(Diagram: ISE shares context with the WSA, which applies it to destinations such as Confidential Patient Records and the Employee Intranet)
• Who: Doctor, What: Laptop, Where: Office
• Who: Doctor, What: iPad, Where: Office
• Who: Guest, What: iPad, Where: Office
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow (diagram):
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration -> pxGrid Services
FireSIGHT Management Center: create a pxGrid mitigation action based on Mitigate Source
• FMC: Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation Actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
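The containment loop these slides describe, as an added simulation that is not Cisco, ISE or FMC code: a constructed FMC file-disposition event names an endpoint IP, the remediation module asks for one of the six mitigation actions listed above, and ISE looks up the session, changes its authorization and sends a RADIUS Change of Authorization (CoA) to the access device. The session table, the events, the "Remediation" destination tag and the cisco-avpair command strings are assumptions of this example; the slide names the actions, not their wire encoding.

```python
"""Rapid threat containment, simulated locally (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE_SGT = "Quarantine"


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    nas: str                          # access device the endpoint is attached to
    port: str
    sgt: str                          # SGT currently authorized for this session
    saved_sgt: Optional[str] = None   # SGT to restore on Un-Quarantine
    active: bool = True


# Constructed stand-in for the ISE session directory, keyed by MAC address
SESSIONS: Dict[str, Session] = {
    "00:11:22:33:44:55": Session("00:11:22:33:44:55", "10.1.20.45", "alice", "sw-floor3", "Gi1/0/7", "Employee"),
    "66:77:88:99:aa:bb": Session("66:77:88:99:aa:bb", "10.1.20.46", "bob", "sw-floor3", "Gi1/0/8", "Employee"),
}

# Mitigation action -> CoA command for the access device (assumed cisco-avpair values)
COA_FOR_ACTION = {
    "Quarantine":              "subscriber:command=reauthenticate",
    "Un-Quarantine":           "subscriber:command=reauthenticate",
    "Port Bounce":             "subscriber:command=bounce-host-port",
    "Port Shutdown":           "subscriber:command=disable-host-port",
    "Session Re-Authenticate": "subscriber:command=reauthenticate",
    "Session Terminate":       None,   # sent as an RFC 5176 Disconnect-Request instead
}

COA_LOG: List[dict] = []   # every CoA / Disconnect packet the simulation "sends"


def session_by_ip(ip: str) -> Optional[Session]:
    """FMC reports an IP; ISE resolves it to the active session (MAC, user, NAS)."""
    return next((s for s in SESSIONS.values() if s.ip == ip and s.active), None)


def apply_mitigation(action: str, ip: str) -> dict:
    """What ISE does when a pxGrid client requests a mitigation action for an IP."""
    if action not in COA_FOR_ACTION:
        raise ValueError(f"unknown mitigation action: {action}")
    s = session_by_ip(ip)
    if s is None:
        return {"result": "no-active-session", "ip": ip, "action": action}
    if action == "Quarantine" and s.sgt != QUARANTINE_SGT:
        s.saved_sgt, s.sgt = s.sgt, QUARANTINE_SGT    # re-auth hands out the Quarantine SGT
    elif action == "Un-Quarantine" and s.saved_sgt:
        s.sgt, s.saved_sgt = s.saved_sgt, None
    elif action in ("Port Shutdown", "Session Terminate"):
        s.active = False
    command = COA_FOR_ACTION[action]
    packet = {"type": "Disconnect-Request" if command is None else "CoA-Request",
              "nas": s.nas, "Calling-Station-Id": s.mac, "cisco-avpair": command}
    COA_LOG.append(packet)
    return {"result": "applied", "action": action, "mac": s.mac, "user": s.user,
            "sgt": s.sgt, "active": s.active, "coa": packet}


def handle_fmc_events(events: List[dict]) -> List[dict]:
    """Constructed FMC events: a Malware disposition triggers the Quarantine remediation."""
    return [apply_mitigation("Quarantine", ev["src_ip"])
            for ev in events if ev.get("disposition") == "Malware"]


def egress_policy(src_sgt: str, dst_sgt: str) -> str:
    """Minimal SGT matrix row: a quarantined endpoint may only reach Remediation."""
    if src_sgt == QUARANTINE_SGT:
        return "permit" if dst_sgt == "Remediation" else "deny"
    return "permit"


if __name__ == "__main__":
    events = [{"src_ip": "10.1.20.45", "file": "invoice.exe", "disposition": "Malware"},
              {"src_ip": "10.1.20.46", "file": "report.pdf", "disposition": "Clean"}]
    for result in handle_fmc_events(events):
        print(result)
```

The session lookup is the step worth watching in a real deployment: if the IP in the FMC event is stale (DHCP churn, NAT) the wrong endpoint gets quarantined, so the audit record should carry the MAC and user that ISE resolved, not just the IP that triggered the action.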
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Diagram: NetFlow data collected from the ADMIN ZONE, ENTERPRISE ZONE, POS ZONE and VENDOR ZONE)
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
(Diagram: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE)
TACACS+ Device Administration
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
(Diagram: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center; TACACS+ Device Administration support for ISE 2.0)
The Device Admin service is not enabled by default.
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
• Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
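Why the best practice above is "one policy set per device type": the command vocabulary of an IOS switch, a WLC and an ASA differs, so a single command set either over-permits on one platform or breaks the help desk on another. The following is an added example, not ISE code, of command-level authorization keyed on the device's Network Device Group; the device names, NDG names, roles and command patterns are constructed, and the audit log mirrors the per-command logging the slide lists.

```python
"""Command-level TACACS+ authorization with one policy set per NDG (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CommandRule:
    action: str    # "permit" or "deny"
    pattern: str   # regular expression matched against the whole command line


# Constructed device -> NDG mapping (ISE derives this from the device's NDG membership)
NDG_BY_DEVICE: Dict[str, str] = {
    "sw-core-01":  "Cisco IOS Switches",
    "wlc-hq-01":   "Airespace WLCs",
    "asa-edge-01": "ASA Firewalls",
}

# One policy set per NDG; inside it, an ordered command set per role.
# The first matching rule wins; a command no rule matches gets DEFAULT_ACTION.
POLICY_SETS: Dict[str, Dict[str, List[CommandRule]]] = {
    "Cisco IOS Switches": {
        "helpdesk": [CommandRule("permit", r"^show (interfaces?|vlan|mac address-table)\b.*"),
                     CommandRule("permit", r"^show ip interface brief$")],
        "netops":   [CommandRule("deny",   r"^(no )?(username|tacacs|aaa)\b.*"),  # AAA config stays with security admins
                     CommandRule("permit", r".*")],
    },
    "Airespace WLCs": {
        "helpdesk": [CommandRule("permit", r"^show (client|ap) (summary|detail)\b.*")],
        "netops":   [CommandRule("deny",   r"^config (mgmtuser|tacacs|radius)\b.*"),
                     CommandRule("permit", r".*")],
    },
    "ASA Firewalls": {
        "netops":   [CommandRule("permit", r"^show .*"),
                     CommandRule("permit", r"^(packet-tracer|capture)\b.*")],
    },
}
DEFAULT_ACTION = "deny"
AUDIT_LOG: List[dict] = []   # every decision is recorded, permit or deny


def authorize(device: str, role: str, command: str) -> str:
    """Return 'permit' or 'deny' for one command on one device, and log the decision."""
    ndg = NDG_BY_DEVICE.get(device)                       # unknown device -> no policy set -> deny
    rules = POLICY_SETS.get(ndg, {}).get(role, [])
    decision, matched = DEFAULT_ACTION, None
    for rule in rules:
        if re.match(rule.pattern, command.strip()):
            decision, matched = rule.action, rule.pattern
            break
    AUDIT_LOG.append({"device": device, "ndg": ndg, "role": role,
                      "command": command, "decision": decision, "rule": matched})
    return decision


if __name__ == "__main__":
    for dev, role, cmd in [("sw-core-01", "helpdesk", "show interface Gi1/0/1"),
                           ("wlc-hq-01", "helpdesk", "show interface Gi1/0/1"),
                           ("sw-core-01", "netops", "username svc privilege 15 secret x"),
                           ("unknown-dev", "netops", "show version")]:
        print(f"{dev:12} {role:9} {cmd!r:45} -> {authorize(dev, role, cmd)}")
```

The same help-desk role is permitted "show interface" on the IOS switch and denied it on the WLC, which is the point of separate policy sets; the deny rules placed ahead of the permit-all for netops show why rule order inside a command set matters as much as the set itself.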
ISE services now available for non-Cisco network access devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: 802.1X (ISE 1.0); new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today" - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives" - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Guest Lifecycle Management: Self Registration
Feature Highlight: simple and flexible guest self-registration. A flexible, efficient and scalable solution that fits all your needs.
Flow (diagram):
1. Guest is redirected to a captive portal for self-registration
2. After filling in the registration request, the credentials are sent by ISE via SMS
3. Guest enters the credentials
4. Guest is allowed on the network
Capabilities
• Flexible flows, including self-registration with approval
• Multiple methods can be used for delivering credentials, including email, printing and instant messaging
• Supports multiple languages
• All pages can be customized
• Time limits and account expiration renewals
Endpoint Compliance: rest assured that ISE is keeping track
(Diagram: endpoint checks for OS patches, AV installed, Registered, Custom Criteria and Vulnerable, with failing checks marked X)
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Flow (diagram):
1. Authenticate: authenticate the user, authenticate the endpoint; posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS, hotfix, AV, AS, personal FW, more...
4. Remediate: WSUS, launch app, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the Dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Desktop Posture Enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights and description:
• File Check Enhancements: enhanced OS X file checks (SHA-256, plist on OS X); Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check: user agent check, user-based process check
• Disk Encryption Check: checks can be based on installation location and disk encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
File Checks -- Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0, AnyConnect 4.2
Posture Enhancements -- OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports checking the user agent as well as the daemon
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on:
  • Installation of a specified disk encryption application
  • Disk encryption state
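The posture flow from the Posture Assessment slide (authenticate, quarantine, assess, remediate, authorize) with the check types the last few slides add (SHA-256 file check, OS X daemon and user-agent checks, disk encryption state, patch-management state) and the Mandatory / Optional / Audit modes, as an added example that is not ISE or AnyConnect code. The endpoint report, the requirement and product names, the dACL and SGT names, and the rule that only Mandatory failures change the verdict while Optional failures are shown to the user and Audit failures are only recorded, are this example's assumptions.

```python
"""Posture assessment flow with Mandatory / Optional / Audit requirements (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class EndpointReport:
    """What the posture agent would collect from the endpoint (constructed)."""
    os: str
    files: Dict[str, bytes] = field(default_factory=dict)           # path -> contents
    daemons: Set[str] = field(default_factory=set)                   # system-wide background processes
    user_agents: Set[str] = field(default_factory=set)               # background processes of the logged-in user
    disk_encryption: Dict[str, bool] = field(default_factory=dict)   # product -> system volume encrypted?
    patch_mgmt: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # product -> installed/enabled/up_to_date


@dataclass
class Requirement:
    name: str
    mode: str                                        # "mandatory", "optional" or "audit"
    check: Callable[[EndpointReport], bool]
    remediate: Optional[Callable[[EndpointReport], None]] = None   # automatic remediation, if one exists


# Condition builders for the check types on the slides
def file_sha256(path: str, expected_hex: str):
    return lambda r: path in r.files and hashlib.sha256(r.files[path]).hexdigest() == expected_hex

def daemon_running(name: str):
    return lambda r: name in r.daemons

def user_agent_running(name: str):
    return lambda r: name in r.user_agents

def disk_encrypted(product: str):
    return lambda r: r.disk_encryption.get(product, False)

def patch_mgmt_state(product: str, state: str):      # state: "installed", "enabled" or "up_to_date"
    return lambda r: r.patch_mgmt.get(product, {}).get(state, False)


# Authorization result per posture token (constructed dACL / SGT names)
AUTHZ = {
    "Unknown":      {"sgt": "Quarantine", "dacl": "POSTURE_REDIRECT"},
    "NonCompliant": {"sgt": "Quarantine", "dacl": "POSTURE_REMEDIATION"},
    "Compliant":    {"sgt": "Employee",   "dacl": "PERMIT_ALL"},
}


def assess(report: EndpointReport, requirements: List[Requirement]) -> dict:
    failed = {"mandatory": [], "optional": [], "audit": []}
    for req in requirements:
        if not req.check(report):
            failed[req.mode].append(req.name)
    posture = "NonCompliant" if failed["mandatory"] else "Compliant"   # only mandatory failures count
    return {"posture": posture, "failed": failed, "authorization": AUTHZ[posture]}


def posture_flow(report: EndpointReport, requirements: List[Requirement]) -> List[dict]:
    """Authenticate -> quarantine (posture Unknown) -> assess -> auto-remediate -> reassess."""
    stages = [{"step": "authenticate", "posture": "Unknown", "authorization": AUTHZ["Unknown"]}]
    first = assess(report, requirements)
    stages.append({"step": "assess", **first})
    if first["posture"] == "NonCompliant":
        remediated = []
        for req in requirements:
            if req.mode == "mandatory" and req.name in first["failed"]["mandatory"] and req.remediate:
                req.remediate(report)            # e.g. the "Enable" patch-management remediation option
                remediated.append(req.name)
        stages.append({"step": "remediate", "remediated": remediated})
        stages.append({"step": "reassess", **assess(report, requirements)})
    return stages


def final_authorization(stages: List[dict]) -> dict:
    return stages[-1]["authorization"]


def example_policy() -> List[Requirement]:
    expected = hashlib.sha256(b"policy-v1").hexdigest()   # the admin pins the hash of the known-good file
    def enable_patch_agent(r: EndpointReport) -> None:
        r.patch_mgmt["PatchAgent"]["enabled"] = True
    return [
        Requirement("FileVault encryption on", "mandatory", disk_encrypted("FileVault")),
        Requirement("Patch management agent enabled", "mandatory", patch_mgmt_state("PatchAgent", "enabled"), enable_patch_agent),
        Requirement("Endpoint protection daemon running", "mandatory", daemon_running("com.example.epd")),
        Requirement("Backup user agent running", "optional", user_agent_running("com.example.backup")),
        Requirement("Policy plist unmodified", "audit", file_sha256("/Library/Preferences/com.example.policy.plist", expected)),
    ]


def example_report(filevault_on: bool) -> EndpointReport:
    """Constructed OS X endpoint: patch agent installed but not enabled, backup agent not running."""
    return EndpointReport(os="OS X",
                          files={"/Library/Preferences/com.example.policy.plist": b"policy-v1"},
                          daemons={"com.example.epd"}, user_agents=set(),
                          disk_encryption={"FileVault": filevault_on},
                          patch_mgmt={"PatchAgent": {"installed": True, "enabled": False, "up_to_date": False}})


if __name__ == "__main__":
    for stage in posture_flow(example_report(filevault_on=True), example_policy()):
        print(stage)
```

Two things the flow makes visible: the endpoint sits in the quarantine authorization until the first assessment returns, and a Mandatory requirement with no automatic remediation (disk encryption here) leaves the endpoint in POSTURE_REMEDIATION no matter what else passes, which is the behaviour to expect when rolling such a check out in Mandatory rather than Audit mode.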
Windows ISE Posture - Disk Encryption
Windows ISE Posture - Native Patch Management via OPSWAT
ISE Posture - Patch Management, Windows OS example
Product Name and Version
Install is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date"
Min. version of the compliance module that provides support
ISE Posture - Patch Management, Mac OS example
Patch Management Remediation
• Remediation type - same as AV and AS remediation
• Operating System - only Windows is supported
• Vendor Name - the list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Flow (diagram): register with ISE, allow Internet access, register with MDM, allow corporate access
TrustSec Work Center: streamline management using a single workspace
Feature Highlight: intuitive work center and access policy matrix. The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits, with TrustSec's new user interface:
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
Capabilities
• New TrustSec administrator console and services
  - TrustSec dashboard
  - Matrix overhaul
  - Automatic SGT creation
  - ISE as SXP speaker/listener
• Revised UX
  - Improved menu structure for ease of navigation
  - Search capability within the GUI
• Enhanced reporting
  - PDF print and local save reintroduced
  - Improved filtering for live log and reports
Access policy matrix (diagram): source SGTs Guest, Contractor, Employee and Infected against destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell holds Permit IP or Deny IP (10 of each in the slide's matrix)
High OPEX Security Policy Maintenance
Traditional ACL/FW rule: Source -> Destination
Sources: NY (10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...), SF, LA, SJC
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
(Diagram labels: adding a destination object; adding a source object)
A global bank currently dedicates 24 global resources to managing firewall rules
Complex task and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGTs: Employee (10), BYOD (200); destination SGTs: Production_Servers (50), VDI (201)
(Diagram: NY, SF, LA and SJC users classified as Employee or BYOD; DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) as Production Servers; DC-RTP (VDI) as VDI Servers)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
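The two slides above side by side in code, as an added example that is not Cisco code: an address-based ACL generated the way the "High OPEX" slide's rule list grows (one entry per source subnet, destination host and service) next to the six security-group rules from the "Low OPEX" slide, with the same flow evaluated both ways. The subnets, server addresses, user and the corporate-device classification rule are constructed; the ACL generator mirrors the traditional rule list (NY alone permitted RDP to VDI) and the SG rules follow the slide.

```python
"""Address-based ACL vs. security-group policy for the same flows (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# ---- Constructed inventory ----
SITE_SUBNETS: Dict[str, List[str]] = {
    "NY":  ["10.2.34.0/24", "10.2.35.0/24"],
    "SF":  ["10.3.102.0/24"],
    "LA":  ["10.3.152.0/24"],
    "SJC": ["10.4.111.0/24"],
}
SERVERS = {"SRV1": "10.10.1.10", "SAP1": "10.10.1.20", "SCM2": "10.20.1.30", "VDI": "10.20.2.40"}
PRODUCTION = ["SRV1", "SAP1", "SCM2"]

Ace = Tuple[str, str, str, str]   # (action, source subnet, destination host, service)


def build_traditional_acl() -> List[Ace]:
    """One entry per (source subnet, destination host, service): the list grows with
    every new site, subnet or server, which is the slide's 'adding an object' cost."""
    aces: List[Ace] = []
    for site, subnets in SITE_SUBNETS.items():
        for subnet in subnets:
            for srv in PRODUCTION:
                aces.append(("permit", subnet, SERVERS[srv], "HTTPS"))
                aces.append(("deny",   subnet, SERVERS[srv], "SQL"))
                aces.append(("deny",   subnet, SERVERS[srv], "SSH"))
            # In the traditional rule list only NY is permitted RDP to VDI
            aces.append(("permit" if site == "NY" else "deny", subnet, SERVERS["VDI"], "RDP"))
    return aces


def acl_decision(aces: List[Ace], src_ip: str, dst_ip: str, service: str) -> str:
    src = ipaddress.ip_address(src_ip)
    for action, subnet, dst, svc in aces:          # first match wins, implicit deny at the end
        if dst == dst_ip and svc == service and src in ipaddress.ip_network(subnet):
            return action
    return "deny"


# ---- Security-group policy: the six lines on the slide ----
SGT_VALUES = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SG_RULES = [   # (source SGT, destination SGT, service or None for any, action); first match wins, implicit deny
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL",   "deny"),
    ("Employee", "Production_Servers", "SSH",   "deny"),
    ("Employee", "VDI",                "RDP",   "permit"),
    ("BYOD",     "Production_Servers", None,    "deny"),
    ("BYOD",     "VDI",                "RDP",   "permit"),
]


def sg_decision(src_sgt: str, dst_sgt: str, service: str) -> str:
    for s, d, svc, action in SG_RULES:
        if s == src_sgt and d == dst_sgt and svc in (None, service):
            return action
    return "deny"


def classify_endpoint(corporate_device: bool) -> str:
    """Stand-in for the ISE authorization rule that assigns the SGT from who and what
    connected, independent of the address the endpoint happened to receive."""
    return "Employee" if corporate_device else "BYOD"


def classify_server(name: str) -> str:
    return "VDI" if name == "VDI" else "Production_Servers"


def decide(src_ip: str, corporate_device: bool, server: str, service: str) -> Dict[str, str]:
    """The same flow evaluated by the address-based ACL and by the SGT policy."""
    return {"acl": acl_decision(build_traditional_acl(), src_ip, SERVERS[server], service),
            "sgt": sg_decision(classify_endpoint(corporate_device), classify_server(server), service)}


if __name__ == "__main__":
    print(len(build_traditional_acl()), "ACL entries vs", len(SG_RULES), "security-group rules")
    print("NY employee -> SRV1 HTTPS:", decide("10.2.34.5", True, "SRV1", "HTTPS"))
    print("same employee from a new site 10.5.1.0/24:", decide("10.5.1.7", True, "SRV1", "HTTPS"))
```

The last line of the demo is the "policy stays with the user" claim made concrete: the employee who moves to a subnet nobody has added to the ACL yet is denied by the address-based list and permitted by the SGT policy, with zero rule changes on the SGT side; conversely, a BYOD device on a known corporate subnet is permitted by the ACL and denied by the SGT policy, which is the segmentation the ACL could not express without splitting the subnet.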
Policy and Segmentation
Segmentation with VLANs (diagram): Voice, Data, Suppliers, Guest, Quarantine
Simple segmentation with 2 VLANs; more policies using more VLANs
Per-VLAN design elements at the access and aggregation layers: VLAN, addressing, DHCP scope, redundancy, routing, static filtering
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Segmentation with Security Groups (diagram): Voice, Data, Suppliers, Guest, Quarantine, retaining the initial VLAN/subnet design
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers: Data Tag, Supplier Tag, Guest Tag and Quarantine Tag are carried from the access layer through the aggregation layer to the data center firewall
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
(Diagram: Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet)
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow shown on the slide:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and sends a mitigation request to ISE over pxGrid; ISE applies its quarantine policy, which changes the endpoint's Security Group Tag (SGT) to the suspicious/quarantine tag.
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation: access is denied per security policy.
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration > pxGrid Services (screenshot shows the FMC registered as a pxGrid client)
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on Mitigate Source (the action is applied to the source IP of the triggering event)
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
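The slides above describe the containment flow but not what ISE actually does when a mitigation request arrives. The following added example (not code from the Cisco deck) models that flow in-process: an FMC-style correlation rule turns a malware disposition into a pxGrid Quarantine request, ISE resolves the IP to a session, records the ANC quarantine state and issues a CoA so the NAD re-authorizes the endpoint with the quarantine tag. The event, tag numbers, user names and device names are constructed; a real deployment would use ISE's own session directory and RADIUS CoA instead of the simulated ones.

```python
"""Added example (not from the Cisco deck): a toy in-process model of the
FMC -> pxGrid -> ISE rapid threat containment flow on slides 60-62.
ISE's session directory, the ANC quarantine state and RADIUS CoA are simulated;
the event, the tag numbers and the policy names are constructed/assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EMPLOYEE_SGT = 10        # assumed tag numbers
QUARANTINE_SGT = 255
MITIGATIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
               "Session Re-Authenticate", "Session Terminate"}   # slide 62 action list


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    nad: str        # switch/WLC the endpoint is connected to
    port: str
    sgt: int = 0
    active: bool = True


@dataclass
class IseSim:
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by MAC
    anc_quarantined: Set[str] = field(default_factory=set)        # MACs under ANC quarantine
    coa_log: List[str] = field(default_factory=list)              # CoA messages that would go to NADs

    def authorize(self, s: Session) -> int:
        # ANC state is evaluated before identity rules, so it survives reconnects.
        if s.mac in self.anc_quarantined:
            return QUARANTINE_SGT
        return EMPLOYEE_SGT if s.user.endswith("@corp.example") else 0

    def connect(self, mac: str, ip: str, user: str, nad: str, port: str) -> Session:
        s = Session(mac, ip, user, nad, port)
        s.sgt = self.authorize(s)
        self.sessions[mac] = s
        return s

    def _coa(self, s: Session, kind: str) -> None:
        self.coa_log.append(f"CoA-{kind} -> {s.nad} {s.port} mac={s.mac}")
        if kind == "reauth":
            s.sgt = self.authorize(s)      # NAD re-authenticates; the new SGT takes effect
        else:                              # bounce / shutdown / disconnect: session is torn down
            s.active = False

    def find_by_ip(self, ip: str) -> Optional[Session]:
        return next((s for s in self.sessions.values() if s.ip == ip and s.active), None)

    def mitigate(self, ip: str, action: str) -> str:
        """pxGrid EPS/ANC mitigation request as sent by the FMC remediation module."""
        if action not in MITIGATIONS:
            raise ValueError(f"unknown mitigation action {action!r}")
        s = self.find_by_ip(ip)
        if s is None:
            return "no-session"            # FMC only knows the IP; nothing to act on without a session
        if action == "Quarantine":
            self.anc_quarantined.add(s.mac)
            self._coa(s, "reauth")
        elif action == "Un-Quarantine":
            self.anc_quarantined.discard(s.mac)
            self._coa(s, "reauth")
        elif action == "Session Re-Authenticate":
            self._coa(s, "reauth")
        elif action == "Port Bounce":
            self._coa(s, "bounce")
        elif action == "Port Shutdown":
            self._coa(s, "shutdown")
        else:                              # Session Terminate
            self._coa(s, "disconnect")
        return "ok"


def fmc_correlation(ise: IseSim, event: dict) -> str:
    """Constructed FMC correlation rule: malware file disposition -> pxGrid Quarantine on the source."""
    if event.get("disposition") != "Malware":
        return "no-action"
    return ise.mitigate(event["src_ip"], "Quarantine")


def demo() -> dict:
    ise = IseSim()
    s = ise.connect("00:11:22:33:44:55", "10.1.20.7", "alice@corp.example", "sw-floor2", "Gi1/0/5")
    before = s.sgt
    r1 = fmc_correlation(ise, {"src_ip": "10.1.20.7", "file_sha256": "ab" * 32, "disposition": "Malware"})
    during = s.sgt
    # endpoint moves to another switch: ANC quarantine is sticky until cleared
    s2 = ise.connect("00:11:22:33:44:55", "10.1.30.9", "alice@corp.example", "sw-floor3", "Gi1/0/1")
    moved = s2.sgt
    ise.mitigate("10.1.30.9", "Un-Quarantine")
    return {"before": before, "r1": r1, "during": during, "moved": moved, "after": s2.sgt,
            "unknown": ise.mitigate("10.9.9.9", "Quarantine"), "coa": len(ise.coa_log)}
```

Two behaviours worth noticing: the quarantine is keyed on the endpoint (MAC), so moving to another switch or port does not shed it until an Un-Quarantine arrives, and a mitigation for an IP that has no active session is a no-op, which is why FMC-driven containment only works for endpoints that ISE authenticated in the first place.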
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Diagram zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration: role-based access control
Simplify security management with role-based access
Feature highlight: customers can now use Terminal Access Controller Access-Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security and compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Diagram: Security Admin Team and Network Admin Team each work in the TACACS+ Work Center. TACACS+ device administration support is new in ISE 2.0.
Slide 66
The Device Admin Service is not enabled by default; it must be switched on before ISE answers TACACS+ requests.
Slide 67
Some device admin best practices
• Different policy sets for IOS than for Airespace OS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Slide 68
Use policy sets based on device type: Cisco IOS switches, Airespace WLCs
Slide 69
Example: Wireless LAN Controllers (screenshot of the WLC policy set)
Slide 70
Example: Cisco IOS (screenshot of the IOS policy set)
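Slides 65 to 70 describe the model (NDG-based policy set selection, then an authorization rule that hands back a shell profile and a command set) without showing how a command-authorization decision is actually reached. The following added example (not Cisco's code) implements that evaluation in a toy form: Network Device Groups pick the policy set, the first rule whose identity group matches supplies the command set, and command sets are ordered permit/deny regexes over the full command line the NAD sends. All device names, group names and patterns are constructed for the example; the deny-before-permit ordering inside the help-desk command set is the point to take away.

```python
"""Added example (not Cisco's code): a toy evaluator for the ISE 2.0 device
administration model on slides 65-70. Network Device Groups (NDGs) select a
policy set; an authorization rule inside it returns a shell profile (privilege
level) and a command set; command sets are ordered permit/deny regexes over the
full command line, which is what TACACS+ command authorization carries.
All group names, device names and patterns are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str      # NDG "Device Type": IOS-Switch, WLC, ASA, ...
    location: str         # NDG "Location": HQ, Branch, ...


@dataclass
class CommandSet:
    name: str
    rules: Sequence[Tuple[str, str]]   # ordered (verdict, regex); first full match wins
    permit_unmatched: bool = False     # "permit any command that is not listed"

    def allows(self, line: str) -> bool:
        line = " ".join(line.split())  # normalise whitespace, as the NAD sends cmd + args
        for verdict, pattern in self.rules:
            if re.fullmatch(pattern, line):
                return verdict == "permit"
        return self.permit_unmatched


@dataclass
class AuthzRule:
    groups: Sequence[str]    # identity groups that match this rule
    priv: int                # shell profile: privilege level handed back on login
    cmdset: CommandSet


@dataclass
class PolicySet:
    name: str
    device_type: str
    location: Optional[str]  # None = any location
    rules: Sequence[AuthzRule]

    def matches(self, d: Device) -> bool:
        return d.device_type == self.device_type and self.location in (None, d.location)


def select_policy_set(sets: Sequence[PolicySet], d: Device) -> Optional[PolicySet]:
    """Policy sets are ordered; the first one whose NDG conditions match is used."""
    return next((p for p in sets if p.matches(d)), None)


def authorize(sets: Sequence[PolicySet], d: Device, groups: Sequence[str], line: str) -> Tuple[bool, str]:
    """TACACS+ command authorization decision plus the rule that produced it."""
    ps = select_policy_set(sets, d)
    if ps is None:
        return False, "no policy set: default deny"
    for r in ps.rules:
        if set(r.groups) & set(groups):
            return r.cmdset.allows(line), f"{ps.name}/{r.cmdset.name} (priv {r.priv})"
    return False, f"{ps.name}: no authorization rule matched"


# Command sets. Deny rules are listed before the broader permit so the narrower
# exception wins; permit_unmatched=True turns a set into a blocklist instead.
FULL = CommandSet("PermitAll", [], permit_unmatched=True)
IOS_HELPDESK = CommandSet("IOS-HelpDesk", [
    ("deny",   r"interface (Vlan|Port-channel|Loopback).*"),   # no L3 or uplink interfaces
    ("permit", r"interface \S+"),                                # access ports only
    ("permit", r"(no )?shutdown"),
    ("permit", r"description .*"),
    ("permit", r"show .*"),
    ("permit", r"configure terminal|end|exit"),
])
WLC_HELPDESK = CommandSet("WLC-ShowOnly", [("permit", r"show .*")])

# Ordered like the ISE policy-set table: the location-specific set comes first.
POLICY_SETS = [
    PolicySet("Branch-IOS", "IOS-Switch", "Branch",
              [AuthzRule(["NetAdmins"], 15, FULL)]),                 # no help-desk config at branches
    PolicySet("IOS-Switches", "IOS-Switch", None,
              [AuthzRule(["NetAdmins"], 15, FULL), AuthzRule(["HelpDesk"], 1, IOS_HELPDESK)]),
    PolicySet("Airespace-WLCs", "WLC", None,
              [AuthzRule(["NetAdmins"], 15, FULL), AuthzRule(["HelpDesk"], 1, WLC_HELPDESK)]),
    PolicySet("ASA-Firewalls", "ASA", None,
              [AuthzRule(["SecAdmins"], 15, FULL)]),                 # network help desk has no rule here
]

HQ_SW = Device("sw-hq-1", "IOS-Switch", "HQ")
BR_SW = Device("sw-br-7", "IOS-Switch", "Branch")
WLC = Device("wlc-hq-1", "WLC", "HQ")
ASA = Device("asa-dc-1", "ASA", "HQ")
```

Note the two default-deny paths: a device whose NDG matches no policy set gets nothing, and a user who matches a policy set but no authorization rule inside it also gets nothing. Both show up in the returned reason string, which is the kind of detail the slide's "detailed logs for auditing" bullet is about.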
Slide 71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: ready-to-use third-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 33
Endpoint Compliance: rest assured that ISE is keeping track
Checklist (diagram): OS patches, AV installed, Registered, Custom criteria, Vulnerable
EMM integrations: identifies the device, checks posture, ensures policy compliance, quarantines non-compliant devices
Slide 34
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network.
1. Authenticate: authenticate the user, authenticate the endpoint; posture = Unknown / Non-compliant
2. Quarantine: dVLAN, dACLs, SGT
3. Posture assess: OS, hotfix, AV, AS, personal FW, more…
4. Remediate: WSUS, launch app, scripts, etc…
5. Posture = Compliant
6. Authorize: permit access with dACL, dVLAN, SGT, etc…
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Slide 35
Desktop posture enhancements: are my desktop endpoints compliant?
ISE 2.0 highlights
• File check enhancements: enhanced OS X file checks; SHA-256; plist on OS X; Windows user directories such as "Desktop" and "User Profile"
• OS X daemon check: user agent check; user-based process check
• Disk encryption check: checks can be based on installation location and disk encryption state
• Native patch management: patch management supported via OPSWAT (Install, Enable, Up-to-date)
Slide 36
File checks: posture enhancements (ISE 2.0, AnyConnect 4.2)
OS X: similar to the registry check on Windows
Slide 37
Posture enhancements: OS X daemon check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 can check for a user agent as well as for a daemon
Slide 38
Disk encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch management checks
• The administrator can import the new disk encryption support chart from the update server
• Checks can be based on: installation of a specified disk encryption application; disk encryption state
Slide 39
Windows ISE Posture: disk encryption (screenshot)
Slide 40
Windows ISE Posture: native patch management via OPSWAT (screenshot)
Slide 41
ISE Posture: patch management, Windows OS example (product name and version)
• Install is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date"
• The chart lists the minimum version of the compliance module that provides support
Slide 42
ISE Posture: patch management, Mac OS example (screenshot)
Slide 43
Patch management remediation
• Remediation type: same as AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate the patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
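Slides 34 to 43 list the steps and condition types of a posture assessment but leave the decision logic implicit: what a failed check means depends on the posture mode, remediation happens before the final verdict, and the verdict selects a different authorization. The following added example (not Cisco's code) models that logic in-process for the flow on slide 34, with a SHA-256 file check of the kind slide 36 introduces, a disk-encryption condition from slide 38, and a WSUS-style automatic remediation as on slide 43. The endpoint inventory, requirement names, ACL names and tag numbers are all constructed for the example.

```python
"""Added example (not Cisco's code): a toy model of the ISE posture flow on
slides 34-43. Requirements are checked against a constructed endpoint inventory;
the posture mode (Mandatory, Optional, Audit) decides what a failed check means;
the authorization result carries the dACL/SGT a quarantine or compliant rule would
return. The SHA-256 file check mirrors the ISE 2.0 file-check enhancement on
slide 36. Endpoint data, requirement names, ACL names and tag numbers are assumed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Endpoint:
    hostname: str
    hotfixes: Set[str]
    av_installed: bool
    av_defs_age_days: int
    firewall_on: bool
    disk_encrypted: bool
    files: Dict[str, bytes] = field(default_factory=dict)   # path -> content, stand-in for the file system


@dataclass
class Requirement:
    name: str
    mode: str                                   # "mandatory" | "optional" | "audit"
    check: Callable[[Endpoint], bool]
    remediate: Optional[Callable[[Endpoint], None]] = None   # automatic remediation, if any


def file_sha256_is(path: str, expected_hex: str) -> Callable[[Endpoint], bool]:
    """Condition factory: the file exists and its SHA-256 equals the expected digest."""
    def check(ep: Endpoint) -> bool:
        data = ep.files.get(path)
        return data is not None and hashlib.sha256(data).hexdigest() == expected_hex
    return check


# Authorization rules keyed on the posture status stored in the session (slide 34).
AUTHZ = {
    "Unknown":      {"dacl": "PRE-POSTURE-REDIRECT", "sgt": 254},   # quarantine until the agent reports
    "NonCompliant": {"dacl": "REMEDIATION-ONLY",     "sgt": 254},   # reach WSUS/AV servers only
    "Compliant":    {"dacl": "PERMIT-ALL",           "sgt": 10},
}


def assess(ep: Endpoint, reqs: List[Requirement]) -> Dict[str, object]:
    """Run every requirement; mandatory failures make the endpoint NonCompliant,
    optional failures are reported to the user, audit failures are only logged."""
    status, report = "Compliant", {}
    for r in reqs:
        ok = r.check(ep)
        if not ok and r.remediate is not None:
            r.remediate(ep)            # remediate, then re-check before deciding
            ok = r.check(ep)
        report[r.name] = "pass" if ok else f"fail ({r.mode})"
        if not ok and r.mode == "mandatory":
            status = "NonCompliant"
    return {"status": status, "authz": AUTHZ[status], "report": report}


def session_flow(ep: Endpoint, reqs: List[Requirement]) -> List[Dict[str, object]]:
    """Authorizations seen over one session: first the pre-posture quarantine,
    then the result after assessment. A CoA would move the NAD between them."""
    return [AUTHZ["Unknown"], assess(ep, reqs)["authz"]]


AGENT_SHA = hashlib.sha256(b"agent build 4.2 constructed").hexdigest()   # constructed digest

REQUIREMENTS = [
    Requirement("KB-critical", "mandatory", lambda ep: "KB3000000" in ep.hotfixes,
                remediate=lambda ep: ep.hotfixes.add("KB3000000")),     # WSUS-style remediation
    Requirement("AV-installed", "mandatory", lambda ep: ep.av_installed),
    Requirement("AV-defs-fresh", "optional", lambda ep: ep.av_defs_age_days <= 7),
    Requirement("Disk-encryption", "mandatory", lambda ep: ep.disk_encrypted),  # slide 38 check
    Requirement("Agent-binary-hash", "mandatory",
                file_sha256_is("/opt/agent/bin/agent", AGENT_SHA)),           # slide 36 SHA-256 check
    Requirement("Host-firewall", "audit", lambda ep: ep.firewall_on),
]


def sample_endpoint(**overrides) -> Endpoint:
    """Constructed laptop inventory; keyword overrides create the failing variants."""
    base = dict(hostname="lt-doctor-01", hotfixes={"KB2999999"}, av_installed=True,
                av_defs_age_days=3, firewall_on=False, disk_encrypted=True,
                files={"/opt/agent/bin/agent": b"agent build 4.2 constructed"})
    base.update(overrides)
    return Endpoint(**base)
```

The sample endpoint starts out missing the critical hotfix and with its host firewall off, yet ends Compliant: the hotfix is installed by the remediation step before the verdict, and the firewall check is in audit mode, so it is recorded but does not change the status. Flip disk encryption off, or tamper with the agent binary so the SHA-256 no longer matches, and the same endpoint stays in the remediation-only authorization.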
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device action from ISE and from the My Devices portal (device stolen, wipe corporate data)
Flow (diagram): register with ISE, allow Internet access; register with the MDM, allow corporate access
Slide 45
TrustSec Work Center: intuitive work center and access policy matrix
Streamline management using a single workspace
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface.
Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Access policy matrix (diagram): source groups Guest, Contractor, Employee, Infected; destination groups Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell is a Permit IP or Deny IP SGACL (ten of each on the slide).
Slide 46
High OPEX security policy maintenance
Traditional ACL / firewall rule: source and destination address objects
Sources: NY, SF, LA (plus SJC when adding a source object)
Destinations, the production servers: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (plus DC-RTP (VDI) when adding a destination object)
NY = a list of site subnets (10.x.x.0/24 …); each other site has its own list
ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP1 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SCM2 for SSH
Adding a source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
Adding a destination object (VDI):
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Every new source or destination object adds a full set of lines, and each line is tied to addresses rather than to roles.
A global bank currently dedicates 24 global resources to managing firewall rules; the complex task and high OPEX continue.
Slide 47
Low OPEX security policy maintenance
Security group filtering, with the same sources (NY, SF, LA, SJC), the same destinations (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2 as Production Servers; DC-RTP VDI as VDI Servers) and BYOD added as a source
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization): e.g. the bank now estimates 6 global resources.
Clear ROI in OPEX.
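Slides 46 and 47 make the size argument with two hand-written rule lists. The following added example (not Cisco's code) works the same comparison in code: it generates the address-based ACL from the slide's sites and servers, renders slide 47's policy from its tag numbers (Employee 10, BYOD 200, Production_Servers 50, VDI 201), evaluates one flow against both, and then adds a fifth site to show where each policy grows. The site subnets, server IPs and port numbers are constructed, because the slide only names the objects; the deny-by-default for an empty matrix cell is also an assumption of this example rather than a statement about the product.

```python
"""Added example (not Cisco's code): the policy-size comparison on slides 46-47,
worked in code. The traditional address-based ACL is generated from the slide's
sites and servers; the Security Group ACL (SGACL) uses the slide's tag numbers
(Employee 10, BYOD 200, Production_Servers 50, VDI 201). Subnets, server IPs and
ports are constructed; the slide only names the objects."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed address objects standing in for the slide's site and server names.
SITES: Dict[str, List[str]] = {
    "NY": ["10.23.4.0/24", "10.23.5.0/24"],
    "SF": ["10.31.0.0/24"],
    "LA": ["10.44.8.0/24"],
    "SJC": ["10.50.1.0/24"],
}
SERVERS: Dict[str, Tuple[str, str]] = {          # name -> (security group, IP)
    "SRV1": ("Production_Servers", "10.200.1.10"),
    "SAP1": ("Production_Servers", "10.200.1.20"),
    "SCM2": ("Production_Servers", "10.201.1.30"),
    "VDI":  ("VDI", "10.202.1.40"),
}
PORTS = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# Slide 47's policy, keyed by (source SGT, destination SGT); first matching rule wins.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGACL: Dict[Tuple[int, int], List[Tuple[str, str]]] = {
    (10, 50):   [("permit", "HTTPS"), ("deny", "SQL"), ("deny", "SSH")],
    (10, 201):  [("permit", "RDP")],
    (200, 50):  [("deny", "any")],
    (200, 201): [("permit", "RDP")],
}


def _wildcard(cidr: str) -> str:
    """IOS ACE source form: network address plus wildcard (host) mask."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def address_acl(sites: Dict[str, List[str]] = SITES) -> List[str]:
    """Slide 46's traditional ACL: every employee subnet x every server x service.
    Intent is identical per site, so the line count is
    subnets x production servers x 3 services + subnets x VDI servers."""
    lines = []
    for subnets in sites.values():
        for subnet in subnets:
            src = _wildcard(subnet)
            for group, ip in SERVERS.values():
                if group == "Production_Servers":
                    lines.append(f"permit tcp {src} host {ip} eq {PORTS['HTTPS']}")
                    lines.append(f"deny tcp {src} host {ip} eq {PORTS['SQL']}")
                    lines.append(f"deny tcp {src} host {ip} eq {PORTS['SSH']}")
                else:
                    lines.append(f"permit tcp {src} host {ip} eq {PORTS['RDP']}")
    return lines


def sgacl_lines(policy=SGACL) -> List[str]:
    """Slide 47's policy rendered the way the slide writes it."""
    name = {v: k for k, v in SGT.items()}
    out = []
    for (s, d), rules in policy.items():
        for verdict, svc in rules:
            out.append(f"{verdict} {name[s]} to {name[d]}" + ("" if svc == "any" else f" eq {svc}"))
    return out


def sgacl_decide(src_sgt: int, dst_sgt: int, service: str, policy=SGACL) -> str:
    """Enforcement-point lookup: the cell for (src, dst) is walked top-down;
    an empty cell falls to the matrix default, deny in this example."""
    for verdict, svc in policy.get((src_sgt, dst_sgt), []):
        if svc in ("any", service):
            return verdict
    return "deny"


def address_acl_decide(src_ip: str, dst_ip: str, port: int, acl: List[str]) -> str:
    """The same flow evaluated against the address ACL (first match, implicit deny)."""
    ip = ipaddress.ip_address(src_ip)
    for line in acl:
        verdict, _proto, net, wild, _host, dst, _eq, p = line.split()
        mask = int(ipaddress.ip_address("255.255.255.255")) ^ int(ipaddress.ip_address(wild))
        if (int(ip) & mask) == int(ipaddress.ip_address(net)) and dst == dst_ip and int(p) == port:
            return verdict
    return "deny"


def growth_after_adding_site(new_site: str, subnets: List[str]) -> Tuple[int, int, int]:
    """Slide 46's 'adding a source object': (ACL lines before, after, SGACL lines after).
    The SGACL does not change because the new site's users still carry SGT 10."""
    bigger = dict(SITES)
    bigger[new_site] = subnets
    return len(address_acl()), len(address_acl(bigger)), len(sgacl_lines())
```

With the constructed objects the address ACL is 50 lines for four sites and grows by ten for each added site, while the SGACL stays at six lines. The more operationally interesting difference is the last assertion in the test: a user at a site that nobody has added to the ACL yet is silently blocked by the implicit deny, whereas under the SGACL the same user is permitted as soon as ISE tags the session Employee.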
Slide 48
Policy and segmentation with VLANs
Access layer and aggregation layer; VLANs: Voice, Data, Suppliers, Guest, Quarantine
Each VLAN brings VLAN addressing, a DHCP scope, redundancy, routing and static filtering.
Simple segmentation needs 2 VLANs; more policies need more VLANs.
The design has to be replicated for floors, buildings, offices and other facilities, so the cost can be extremely high.
Slide 49
Segmentation with security groups
The initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine) is retained across the access layer, the aggregation layer and the data center firewall.
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers: Data tag, Supplier tag, Guest tag, Quarantine tag.
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Diagram: Who: Guest, What: iPad, Where: Office / Who: Receptionist, What: iPad, Where: Office / Who: Doctor, What: Laptop, Where: Office; destinations: Internet, Internal Employee Intranet, Confidential Patient Records
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
Slide 52
Traditional security policy versus security policy with TrustSec
[Slide graphic: hundreds of "access-list 102 permit|deny <proto> <src> <wildcard> <port> <dst> <wildcard> <port>" entries filling the slide, illustrating how large an address-based policy becomes; the individual entries are filler.]
TrustSec security policy:
• Security control automation
• Simplified access management
• Improved security efficacy
Network fabric (switch, router, wireless, DC firewall, DC switch): flexible and scalable policy enforcement, software-defined segmentation
Slide 53
Centralized Control, Deeper Visibility, Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE (Who, What, When, Where, How) across BEFORE, DURING and AFTER the attack, integrating with: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE pxGrid controller (Who, What, When, Where, How) with Cisco Meraki and partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration:
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Live Demo
Endpoint Compliance: Posture Assessment
Enforce endpoint compliance prior to allowing access to the network
Posture flow:
1. Authenticate: authenticate the user and the endpoint; posture = Unknown or Non-compliant
2. Quarantine: restrict the session with a dVLAN, dACLs or an SGT
3. Posture Assess: OS, hotfixes, AV/AS, personal firewall, more…
4. Remediate: WSUS, launch an application, scripts, etc.
5. Posture = Compliant
6. Authorize: permit access (dACL, dVLAN, SGT, etc.)
Capabilities
• Multiple agents (AnyConnect and the dissolvable agent) are supported and used for checking endpoint compliance
• Mandatory, Optional and Audit posture modes provide flexibility for different deployment rollouts
• Ability to build granular rules for checking many conditions
• Supports periodic assessment and automatic remediation
Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?
ISE 2.0 highlights and descriptions:
• File Check Enhancements: enhanced OS X file checks; SHA-256 file hashes; plist checks on OS X; Windows user directories such as "Desktop" and "User Profile"
• OS X Daemon Check: user-agent check and user-based process check
• Disk Encryption Check: checks can be based on installation location and disk-encryption state
• Native Patch Management: patch management supported via OPSWAT (Install, Enabled, Up-to-date)
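The Authenticate, Quarantine, Assess, Remediate, Authorize flow and the new SHA-256 file check, as an added Python example (not code from the deck and not the AnyConnect/ISE posture module): the session starts in the quarantine authorization while posture is Unknown, every requirement is evaluated, automatic remediation is attempted once for the requirements that can be fixed, and the final authorization follows the resulting posture. The requirement names, dACL and SGT names, the endpoint attribute dictionaries and the agent file written to a temporary directory are all constructed for the example; a real agent collects these attributes from the operating system.

```python
import hashlib
import os
import tempfile
from enum import Enum

class Posture(Enum):
    UNKNOWN = "Unknown"
    NONCOMPLIANT = "NonCompliant"
    COMPLIANT = "Compliant"

# Authorization result per posture status: anything short of Compliant gets the
# remediation-only dACL and the Quarantine tag. Names are made up for the example.
AUTHZ = {
    Posture.UNKNOWN:      {"dacl": "QUARANTINE-REMEDIATION-ONLY", "sgt": "Quarantine"},
    Posture.NONCOMPLIANT: {"dacl": "QUARANTINE-REMEDIATION-ONLY", "sgt": "Quarantine"},
    Posture.COMPLIANT:    {"dacl": "PERMIT-ALL", "sgt": "Employee"},
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_check(path, expected_sha256):
    """File condition in the spirit of the ISE 2.0 SHA-256 file check: present and hash matches."""
    return os.path.isfile(path) and sha256_of(path) == expected_sha256

def av_current(endpoint):
    """AV installed and definitions no older than a week."""
    return endpoint["av_installed"] and endpoint["av_defs_age_days"] <= 7

def disk_encrypted(endpoint):
    """Disk-encryption state check (what the OESIS-based check reports)."""
    return endpoint["disk_encryption_state"] == "encrypted"

def assess(endpoint, requirements):
    """Run every requirement; Compliant only if all of them pass."""
    failed = [name for name, check in requirements if not check(endpoint)]
    return (Posture.COMPLIANT if not failed else Posture.NONCOMPLIANT), failed

def remediate(endpoint, failed):
    """Automatic remediation stand-in: an AV update can be pushed, disk encryption cannot."""
    if "av-current" in failed:
        endpoint["av_defs_age_days"] = 0
    return endpoint

def posture_session(endpoint, requirements, max_remediations=1):
    """Authenticate -> Quarantine (Unknown) -> Assess -> Remediate -> Authorize.

    Returns the final status, the requirements still failing, and the list of
    (status, authorization) pairs the session went through.
    """
    trail = [(Posture.UNKNOWN, AUTHZ[Posture.UNKNOWN])]   # quarantined until assessed
    status, failed = assess(endpoint, requirements)
    attempts = 0
    while status is Posture.NONCOMPLIANT and attempts < max_remediations:
        remediate(endpoint, failed)
        attempts += 1
        status, failed = assess(endpoint, requirements)   # reassess after remediation
    trail.append((status, AUTHZ[status]))
    return status, failed, trail

def demo():
    """Three constructed endpoints against the same requirements; returns all outcomes."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: a "known good" agent plist, hashed once so the check is real,
        # and a tampered copy that must fail the hash comparison.
        agent = os.path.join(d, "corp-agent.plist")
        with open(agent, "wb") as f:
            f.write(b"<plist><dict><key>Label</key><string>corp.agent</string></dict></plist>")
        expected = sha256_of(agent)
        tampered = os.path.join(d, "corp-agent-tampered.plist")
        with open(tampered, "wb") as f:
            f.write(b"<plist><dict><key>Label</key><string>evil.agent</string></dict></plist>")
        requirements = [
            ("agent-plist-sha256", lambda e: file_check(e["agent_path"], expected)),
            ("av-current", av_current),
            ("disk-encrypted", disk_encrypted),
        ]
        stale_av = {"agent_path": agent, "av_installed": True, "av_defs_age_days": 30,
                    "disk_encryption_state": "encrypted"}
        no_fde = dict(stale_av, av_defs_age_days=0, disk_encryption_state="decrypted")
        bad_agent = dict(stale_av, av_defs_age_days=0, agent_path=tampered)
        return (posture_session(stale_av, requirements),    # remediation fixes the AV
                posture_session(no_fde, requirements),      # nothing can fix this one
                posture_session(bad_agent, requirements))   # hash mismatch, stays quarantined

if __name__ == "__main__":
    for status, failed, trail in demo():
        print(status.value, failed, [s.value for s, _ in trail])
```

The design point worth copying is that the quarantine authorization is the default for both Unknown and NonCompliant: an agent that never reports, or a check that errors out, must land in the restricted result, not in the permissive one.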
File Checks: Posture Enhancements
OS X: similar to the registry check on Windows
ISE 2.0 with AnyConnect 4.2
Posture Enhancements: OS X Daemon Check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 can check for a user agent as well as for a daemon
Disk Encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch-management checks
• Administrators can import the new disk-encryption support chart from the update server
• Checks can be based on: installation of a specified disk-encryption application; disk-encryption state
Windows ISE Posture: Disk Encryption (screenshot)
Windows ISE Posture: Native Patch Management via OPSWAT (screenshot)
ISE Posture: Patch Management, Windows OS example (product name and version). "Install" is supported by default for all products; a product may optionally also support the "Enabled" or "Up to Date" checks. The chart also lists the minimum version of the compliance module that provides support.
ISE Posture: Patch Management, Mac OS example (screenshot)
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating system: Windows only
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enable; Install missing patches; Activate the patch-management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it supports the related option
Endpoint Compliance: Mobile Device Management integration
Posture and compliance assessment for mobile devices
• Allows for multi-vendor MDM integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)
Capabilities
(Diagram: the device registers with ISE and is allowed Internet access only; after it registers with the MDM it is allowed corporate access.)
Streamline management using a single workspace
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker and listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience that simplifies and streamlines deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center that lets you visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-data-center access control and user-to-user segmentation.
With TrustSec's new user interface:
Automate configuration of new SGT policies and authorization rules.
TrustSec Work Center: access policy matrix (screenshot). Rows are source SGTs (Guest, Contractor, Employee, Infected); columns are destination SGTs (Internet, Contractor Resources, HR Server, Employee Resources, Remediation); each cell holds Permit IP or Deny IP. The individual cell values cannot be recovered from the extracted text.
High OPEX Security Policy Maintenance
Traditional ACL / firewall rule (source to destination):
Sources: NY, SF, LA, SJC (for example NY = 10.23.4.0/24, 10.23.5.0/24, 10.23.6.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …)
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)
ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP1 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SCM2 for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Adding a source object (SJC) or a destination object (VDI) means adding a line for every object on the other side, so the list grows multiplicatively.
A global bank currently dedicates 24 global resources to managing firewall rules; the task stays complex and the OPEX stays high.
Low OPEX Security Policy Maintenance
Security Group Filtering:
permit Employee to Production_Servers eq HTTPS
deny Employee to Production_Servers eq SQL
deny Employee to Production_Servers eq SSH
permit Employee to VDI eq RDP
deny BYOD to Production_Servers
permit BYOD to VDI eq RDP
Sources: NY, SF, LA, SJC, classified as Employee or BYOD
Destinations: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); VDI Servers DC-RTP (VDI)
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization); e.g., the bank now estimates 6 global resources.
Clear ROI in OPEX
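The ACL explosion versus the SGT matrix from the two slides above, as an added Python example (not code from the deck and not from any Cisco product): the same business intent is generated as per-subnet ACEs and as matrix cells, so you can count how each grows when a site or a server is added, and enforcement is then a tag lookup that follows the user, including after an ANC-style quarantine re-tags the session (the same mechanism the later FMC and pxGrid containment slides rely on). The NY subnets follow the slide; the server addresses, the Quarantine and Remediation tags and their numeric values, and the session table are constructed.

```python
# Constructed example data, following the deck's objects: four campus sites
# (source subnets) and three production servers plus VDI in the data center.
SITES = {
    "NY":  ["10.23.4.0/24", "10.23.5.0/24", "10.23.6.0/24"],
    "SF":  ["10.3.102.0/24"],
    "LA":  ["10.3.152.0/24"],
    "SJC": ["10.4.111.0/24"],
}
SERVERS = {"SRV1": "10.100.1.10", "SAP1": "10.100.1.20", "SCM2": "10.100.2.30"}
PORTS = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}
INTENT = [("permit", "HTTPS"), ("deny", "SQL"), ("deny", "SSH")]  # employees -> production

def traditional_acl(sites, servers, intent):
    """The same intent written the old way: one ACE per (source subnet, server, service)."""
    return ["%s tcp %s %s eq %d" % (action, subnet, dst, PORTS[svc])
            for site, subnets in sites.items()
            for subnet in subnets
            for srv, dst in servers.items()
            for action, svc in intent]

# TrustSec: classification happens once (user or server -> SGT); enforcement is a
# matrix cell keyed on tags, so neither a new site nor a new server adds rules.
# Tag values for Employee/BYOD/Production_Servers/VDI are the slide's; Quarantine is made up.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201, "Quarantine": 255}

MATRIX = {
    ("Employee", "Production_Servers"): INTENT,
    ("Employee", "VDI"):                [("permit", "RDP")],
    ("BYOD", "Production_Servers"):     [("deny", "any")],
    ("BYOD", "VDI"):                    [("permit", "RDP")],
    ("Quarantine", "Remediation"):      [("permit", "any")],
}

def sgt_policy_lines(matrix):
    """Flatten the matrix into rule lines comparable with traditional_acl()."""
    return ["%s %s to %s eq %s" % (action, src, dst, svc)
            for (src, dst), rules in matrix.items() for action, svc in rules]

def sgt_decision(src_sgt, dst_sgt, service, matrix=MATRIX, default="deny"):
    """First matching rule in the cell wins; an empty or missing cell uses the default."""
    for action, svc in matrix.get((src_sgt, dst_sgt), []):
        if svc in (service, "any"):
            return action
    return default

def decide(sessions, server_tags, user, server, service):
    """Enforcement for a user's session: tag lookup, then matrix lookup. No addresses involved."""
    return sgt_decision(sessions[user], server_tags[server], service)

def quarantine(sessions, user, tag="Quarantine"):
    """What an ANC quarantine amounts to: the session is re-tagged and that row now applies."""
    sessions[user] = tag
    return sessions

def demo():
    """Count rule growth for both styles and walk a few decisions, including a quarantine."""
    sessions = {"alice": "Employee", "bob": "BYOD"}          # constructed session table
    server_tags = {"SRV1": "Production_Servers", "SAP1": "Production_Servers",
                   "VDI1": "VDI", "REMED1": "Remediation"}
    acl_before = len(traditional_acl(SITES, SERVERS, INTENT))
    acl_after = len(traditional_acl(dict(SITES, LON=["10.5.7.0/24"]), SERVERS, INTENT))
    decisions = {
        "alice_srv1_https": decide(sessions, server_tags, "alice", "SRV1", "HTTPS"),
        "alice_sap1_sql":   decide(sessions, server_tags, "alice", "SAP1", "SQL"),
        "bob_srv1_https":   decide(sessions, server_tags, "bob", "SRV1", "HTTPS"),
        "bob_vdi_rdp":      decide(sessions, server_tags, "bob", "VDI1", "RDP"),
    }
    quarantine(sessions, "alice")                             # e.g. FMC -> pxGrid -> ISE ANC
    decisions["alice_srv1_https_quarantined"] = decide(sessions, server_tags, "alice", "SRV1", "HTTPS")
    decisions["alice_remed_quarantined"] = decide(sessions, server_tags, "alice", "REMED1", "HTTPS")
    return acl_before, acl_after, len(sgt_policy_lines(MATRIX)), decisions

if __name__ == "__main__":
    print(demo())
```

With the slide's six subnets and three servers the traditional list is already 54 ACEs, and adding one more site adds nine lines; the matrix stays at seven rule lines whatever the topology. Note also that the quarantined user is denied by the default rule, not by a rule somebody had to write: a missing cell is a deny.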
Policy and segmentation
Segmentation with VLANs: Voice, Data, Suppliers, Guest, Quarantine
Access layer and aggregation layer: for every VLAN, addressing, DHCP scope, redundancy, routing and static filtering have to be designed
Simple segmentation uses 2 VLANs; more policies need more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities; the cost can be extremely high
Segmentation with Security Groups
Retaining the initial VLAN/subnet design: Voice, Data, Suppliers, Guest, Quarantine
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers
Access layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation layer; Data Center Firewall
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Resources: Internet; Confidential Patient Records; Internal Employee Intranet
Who: Guest; What: iPad; Where: Office
Who: Receptionist; What: iPad; Where: Office
Who: Doctor; What: Laptop; Where: Office
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)
Traditional Security Policy: a long run of per-address "access-list 102 permit/deny" entries (about a hundred lines of illustrative random addresses, wildcard masks and port operators, partly repeated on the slide) that nobody can audit by eye.
TrustSec Security Policy, with TrustSec: the same intent expressed as a few Security Group rules.
Security Control Automation; Simplified Access Management; Improved Security Efficacy
Software-defined segmentation: flexible and scalable policy enforcement across the network fabric (switch, router, DC firewall, DC switch, wireless)
Centralized Control
Deeper Visibility
Superior Protection
Videos: https://www.youtube.com/watch?v=CMsp8WiBxzM and https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
Cisco security portfolio around ISE: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
ISE context: Who, What, When, Where, How; across the attack continuum: Before, During, After
And easily integrates with partner solutions
The ISE pxGrid controller shares the Who, What, When, Where, How context with: Cisco Meraki; SIEM; EMM/MDM; Firewall; Vulnerability Assessment; Threat Defense; IoT; IAM/SSO; PCAP; Web Security; CASB; Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context shared: Who, What, When, Where, How; participants: ISE, the Cisco network, the pxGrid controller, and the Cisco and partner ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use the context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness. Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data; using TrustSec for contextual-data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access web resources.
(Diagram: ISE classifies Doctor on a laptop in the office, Doctor on an iPad in the office, and Guest on an iPad in the office; the WSA uses that context to decide access to Confidential Patient Records and the Employee Intranet.)
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE. Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: ISE Adaptive Network Control (ANC) alerts the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Containment flow:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and, over pxGrid, directs ISE to quarantine the endpoint; ISE's ANC quarantine policy pushes a Change of Authorization that reassigns the session to the "suspicious" Security Group Tag.
4. Based on the new tag, the network automatically enforces ISE policy: the device is contained for remediation or mitigation, and access is denied per the security policy.
FireSIGHT Management Center: registered FMC pxGrid client (in ISE: Administration > pxGrid Services)
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigation source (in FMC: Policies > Actions > Remediations > Modules > pxGrid remediation)
• Mitigation actions: Quarantine; Un-Quarantine; Port Bounce; Port Shutdown; Session Re-Authenticate; Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE, the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE, the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco TrustSec software-defined segmentation
(Diagram: segmented zones such as ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE and DEV ZONE, with data flows between them)
Role-based access control: simplify security management with role-based access
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
35copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ISE 20 Highlights DescriptionFile Check Enhancements
Enhanced Osx File Checks SHA 256 plist on OSx Windows User directories such as ldquoDesktoprdquo and ldquoUser Profilerdquo
OSx Daemon Check User Agent Check User based process check
Disk Encryption Check Checks can be based on Installation location and Disk Encryption State
Native Patch Management
Patch Management supported via OPSWAT (Install Enable Up-to-date)
Desktop Posture EnhancementsAre My Desktop Endpoints Compliant
36copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
File Checks -- Posture Enhancements
OSx Similar to registry check on Windows
ISE 20 Any Connect 42
37copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Posture Enhancements -- OSx Daemon Checkbull A daemon is a program that runs in
the background as part of the overall system (not tied to user)
bull A user agent is a process that runs in the background on behalf of a particular user
bull ISE 20 supports feature to check user agent as well as the daemon
38copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Disk Encryptionbull Based on Opswat OESIS library which is the same
library we use for antivirus antispyware and patch management applications
bull Administrator would be able to Import the new disk encryption support chart from the update server
bull Checks can be based on bull Installation of specified disk encryption applicationbull Disk encryption state
39copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Windows ISE Posture ndash Disk Encryption
40copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Windows ISE Posture ndash Native Patch Management via OPSWAT
41copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ISE Posture ndash Patch ManagementWindows OS Example Product Name and Version
Install is default support for allOptionally may support checks for ldquoEnabledrdquo or ldquoUp to Daterdquo
Min Version of compliance module that provides support
42copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ISE Posture ndash Patch ManagementMac OS Example
43copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Patch Management Remediationbull Remediation type ndash same as AV and AS remediation
bull Operation System ndashWindows only supported
bull Vendor Name ndash List is loaded from the OPSWAT update
bull Remediation optionsbull Enabledbull Install missing patchesbull Activate patch management
software GUI
bull Product list is updated according to selected vendor and Remediation option Product can be selected only if supported for related option
Slide 44: Endpoint Compliance – Mobile Device Management integration
Posture/compliance assessment for mobile devices
Capabilities:
• Allows multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the MyDevices portal (device stolen, wipe corporate data)
Diagram (numbered flow 1–4): register with ISE, then allow Internet access; register with MDM, then allow corporate access.
Slide 45: Streamline management using a single workspace
TrustSec Work Center: intuitive work center and access policy matrix
Feature highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Capabilities:
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker/listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Benefits:
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface
Access policy matrix (diagram): source SGT rows Guest, Contractor, Employee and Infected; destination SGT columns Internet, Contractor Resources, HR Server, Employee Resources and Remediation; each cell holds a Permit IP or Deny IP SGACL.
Slide 46: High OPEX Security Policy Maintenance
Traditional ACL/FW rule: source / destination
Sources: NY, SF, LA, SJC (each expands to a list of subnets; the slide shows the NY list as a run of /24 prefixes ending in "…")
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Callouts on the slide mark the lines that adding a source object and adding a destination object bring with them.
A global bank currently dedicates 24 global resources to managing firewall rules.
Complex task, and high OPEX continues.
Slide 47: Low OPEX Security Policy Maintenance
Security group filtering, same sources (NY, SF, LA, SJC) and destinations (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2 as Production Servers; DC-RTP VDI) as the previous slide, now classified as: source SGTs Employee (10) and BYOD (200); destination SGTs Production_Servers (50) and VDI (201).
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
• Policy stays with users and servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX
Slide 48: Policy and segmentation
Diagram: access layer and aggregation layer, with VLANs for Voice, Data, Suppliers, Guest and Quarantine.
Each VLAN brings addressing, a DHCP scope, redundancy, routing and static filtering.
Simple segmentation with 2 VLANs; more policies require more VLANs.
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
Slide 49: Segmentation with Security Group
Diagram: data center firewall; access layer and aggregation layer carrying Voice, Data, Suppliers, Guest and Quarantine, marked with Data Tag, Supplier Tag, Guest Tag and Quarantine Tag.
Retains the initial VLAN/subnet design.
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
Slide 50: Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec.
Diagram: three access requests (Who: Guest, What: iPad, Where: Office / Who: Receptionist, What: iPad, Where: Office / Who: Doctor, What: Laptop, Where: Office) against three resources (Internet, Confidential Patient Records, Internal Employee Intranet).
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network."
– US-CERT
Slide 52: Software-defined segmentation with TrustSec
Traditional security policy (diagram): several hundred lines of a traditional IP-based access list (access-list 102 permit/deny entries keyed on source and destination addresses, wildcard masks and port operators); the dump itself is not reproduced here.
TrustSec security policy: security control automation, simplified access management, improved security efficacy.
Flexible and scalable policy enforcement across the network fabric: switch, router, DC FW, DC switch, wireless.
Slide 53: Centralized Control, Deeper Visibility, Superior Protection
Slide 54: https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55: https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56: ISE is the cornerstone of your Cisco solutions
Diagram: ISE (who, what, when, where, how) at the center of the attack continuum (before, during, after), surrounded by NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.
Slide 57: And easily integrates with partner solutions
Diagram: the ISE pxGrid controller (who, what, when, where, how) and Cisco Meraki, with partner categories SIEM, EMM/MDM, firewall, vulnerability assessment, threat defense, IoT, IAM/SSO, PCAP, web security, CASB and performance management.
Slide 58: Enable unified threat response by sharing contextual data – Cisco Platform Exchange Grid (pxGrid)
Diagram: ISE with the pxGrid controller between the Cisco network and the Cisco and partner ecosystem, exchanging context (who, what, when, where, how).
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59: Telemetry sharing using pxGrid – with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness
Feature highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Capabilities:
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits:
• Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Diagram: three requests (Who: Doctor, What: Laptop, Where: Office / Who: Doctor, What: iPad, Where: Office / Who: Guest, What: iPad, Where: Office) pass through the WSA, which consults the Identity Services Engine, on their way to Confidential Patient Records and the Employee Intranet.
Slide 60: Protect automatically with rapid threat containment – with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities:
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Benefits:
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Diagram (flow):
• A corporate user downloads a file
• FMC scans the user activity and the downloaded file
• FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
• Based on the new tag, ISE automatically enforces policy on the network
• The device is contained for remediation or mitigation; access is denied per security policy
Slide 61: FireSIGHT Management Center – registered FMC pxGrid client
• Administration -> pxGrid Services
Slide 62: FireSIGHT Management Center – create a pxGrid mitigation action based on mitigate source
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
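The object-based versus security-group policy contrast from the High/Low OPEX slides and the FMC-to-ISE containment flow above, modelled together in Python as an added example (not Cisco's code and not the pxGrid API). The subnets, server addresses, endpoint MAC, the Quarantine tag, the Remediation entry and the deny-by-default SGACL behaviour are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- 1. Traditional IP/object-based policy (the "High OPEX" slide) ----------
# Subnets and server addresses below are constructed for this example.
SITES = {                                   # source object -> subnets behind it
    "NY": ["10.234.0.0/24", "10.235.0.0/24", "10.236.0.0/24"],
    "SF": ["10.3.102.0/24", "10.3.152.0/24"],
    "LA": ["10.4.111.0/24"],
}
SERVERS = {"SRV1": "10.50.1.10", "SAP1": "10.50.1.20", "SCM2": "10.60.1.30"}
INTENT = [("SRV1", "HTTPS", "permit"),      # (destination object, service, action)
          ("SAP1", "SQL", "deny"),
          ("SCM2", "SSH", "deny")]

def build_ip_acl(sites, servers, intent) -> List[str]:
    """Expand the object policy into one ACE per (subnet, destination, service).
    This is what the device carries, so every new source subnet or destination
    object means more lines to write, review and audit."""
    acl = []
    for site, subnets in sites.items():
        for subnet in subnets:
            for dst_obj, service, action in intent:
                acl.append(f"{action} {service} {subnet} -> {servers[dst_obj]}  ! {site}->{dst_obj}")
    return acl

# --- 2. Security-group-based policy (the "Low OPEX" slide) ------------------
# (source SGT, destination SGT) -> ordered (service or None for any, action).
SGACL: Dict[Tuple[str, str], List[Tuple[Optional[str], str]]] = {
    ("Employee", "Production_Servers"): [("HTTPS", "permit"), ("SQL", "deny"), ("SSH", "deny")],
    ("Employee", "VDI"): [("RDP", "permit")],
    ("BYOD", "Production_Servers"): [(None, "deny")],
    ("BYOD", "VDI"): [("RDP", "permit")],
    ("Quarantine", "Remediation"): [(None, "permit")],   # assumed: quarantined hosts reach remediation only
}

def evaluate_sgacl(src_sgt: str, dst_sgt: str, service: str, default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one flow; the first matching entry wins.
    Unmatched flows fall to `default` (deny-by-default is an assumption of this
    model; on real gear the default SGACL is configured by the administrator)."""
    for svc, action in SGACL.get((src_sgt, dst_sgt), []):
        if svc is None or svc == service:
            return action
    return default

# --- 3. Rapid threat containment: FMC -> pxGrid -> ISE ANC -> new SGT --------
@dataclass
class Endpoint:
    mac: str
    ip: str
    sgt: str
    quarantined_from: Optional[str] = None    # tag to restore on Un-Quarantine

class IseContext:
    """Endpoint table kept by ISE: address -> endpoint -> current SGT."""
    def __init__(self, endpoints: List[Endpoint]):
        self.by_mac = {e.mac: e for e in endpoints}

    def sgt_for_ip(self, ip: str) -> str:
        return next((e.sgt for e in self.by_mac.values() if e.ip == ip), "Unknown")

    def apply_mitigation(self, mac: str, action: str) -> str:
        """Model the pxGrid mitigation actions listed on the FMC slide. Only the
        two quarantine actions change the tag; the port/session actions act on
        the NAD and leave classification alone in this model."""
        ep = self.by_mac[mac]
        if action == "Quarantine":
            if ep.quarantined_from is None:
                ep.quarantined_from = ep.sgt
            ep.sgt = "Quarantine"
        elif action == "Un-Quarantine":
            if ep.quarantined_from is not None:
                ep.sgt, ep.quarantined_from = ep.quarantined_from, None
        elif action not in ("Port Bounce", "Port Shutdown",
                            "Session Re-Authenticate", "Session Terminate"):
            raise ValueError(f"unknown mitigation action: {action}")
        return ep.sgt

def decide(ctx: IseContext, src_ip: str, dst_sgt: str, service: str) -> str:
    """Enforcement point: classify the source by its current tag, then consult the SGACL."""
    return evaluate_sgacl(ctx.sgt_for_ip(src_ip), dst_sgt, service)

def containment_demo() -> Tuple[str, Tuple[str, str], str]:
    """Same host, same SGACL: only the tag changes as FMC quarantines and releases it."""
    mac, ip = "00:11:22:33:44:55", "10.234.0.25"           # constructed endpoint
    ctx = IseContext([Endpoint(mac, ip, "Employee")])
    before = decide(ctx, ip, "Production_Servers", "HTTPS")           # permit
    ctx.apply_mitigation(mac, "Quarantine")                            # FMC -> pxGrid -> ISE
    during = (decide(ctx, ip, "Production_Servers", "HTTPS"),          # deny
              decide(ctx, ip, "Remediation", "HTTPS"))                 # permit
    ctx.apply_mitigation(mac, "Un-Quarantine")
    after = decide(ctx, ip, "Production_Servers", "HTTPS")            # permit
    return before, during, after

if __name__ == "__main__":
    acl = build_ip_acl(SITES, SERVERS, INTENT)
    grown = build_ip_acl({**SITES, "SJC": ["10.5.1.0/24", "10.5.2.0/24"]}, SERVERS, INTENT)
    print(f"{len(acl)} ACEs; adding one 2-subnet site adds {len(grown) - len(acl)} more")
    print(f"{sum(len(v) for v in SGACL.values())} SGACL entries, unchanged by adding a site")
    print(containment_demo())
```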
Slide 63: See how endpoints act on the network with better visibility – Network as a Sensor
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64: And make visibility actionable through segmentation and automation – Network as an Enforcer
• Cisco ISE
• Cisco networking portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec software-defined segmentation
Diagram: the network divided into Admin, Enterprise, POS, Vendor, Employee and Dev zones.
Slide 65: TACACS+ Device Administration – role-based access control
Simplify security management with role-based access
Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities:
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits:
• Simplified, centralized device administration: increase security compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Diagram: the security admin team and the network admin team each work in the TACACS+ work center; TACACS+ device administration support is new in ISE 2.0.
Slide 66: The Device Admin service is not enabled by default.
Slide 67: Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups).
Slide 68: Use Policy Sets Based on Device Type
• Cisco IOS switches
• Airespace WLCs
Slide 69: Example – Wireless LAN Controllers
Slide 70: Example – Cisco IOS
Slide 71: ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Capabilities:
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits:
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
Slide 72: Network Device Profiles – ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73: Don't just take it from us
• Recognized as a LEADER four years in a row – Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
• "Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." – Forrester, 2011
• Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." – Frost & Sullivan, 2014
• A CHAMPION in the Info-Tech Vendor Landscape for NAC – Info-Tech Research Group, 2014
Slide 74: Live Demo
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
Slide 53: Centralized Control, Deeper Visibility, Superior Protection
Slide 54: Video, https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55: Video, https://www.youtube.com/watch?v=I3IeWw_vu9Q
"The Cisco System is Self Defending" (24, Season 4)
Slide 56: ISE is the cornerstone of your Cisco solutions
ISE supplies the Who, What, When, Where and How context before, during and after an attack to the rest of the portfolio: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services.
Slide 57: And easily integrates with partner solutions
The ISE pxGrid controller shares the same context (Who, What, When, Where, How) with Cisco Meraki and with partner products in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management.
Slide 58: Cisco Platform Exchange Grid (pxGrid), enable unified threat response by sharing contextual data
1. ISE collects contextual data (Who, What, When, Where, How) from the Cisco network.
2. Context is shared with the Cisco and partner ecosystem via pxGrid.
3. Partners use the context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Slide 59: Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)

Feature highlight: enhance Web access policy with user and device awareness. Cisco WSA integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.

Benefits
• Integrate with Cisco WSA to control who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations

Capabilities
• Simplify administration: a single source of identity and contextual data; using TrustSec security groups for contextual abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access Web resources

Slide diagram: three sessions (Doctor/Laptop/Office, Doctor/iPad/Office, Guest/iPad/Office) are classified by ISE; the WSA applies the resulting policy to Confidential Patient Records and the Employee Intranet.
Slide 60: Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and ISE

Feature highlight: automatically defend against threats with FMC and ISE. FMC integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the FireSIGHT and ISE integration

Capabilities
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE Adaptive Network Control (ANC) to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Flow (slide diagram)
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE over pxGrid; ISE changes the endpoint's Security Group Tag (SGT) to the quarantine/suspicious tag.
4. Based on the new tag, ISE automatically enforces policy on the network: the device is contained for remediation or mitigation, and access is denied per security policy.
Slide 61: ISE, Administration -> pxGrid Services
Screenshot: the FireSIGHT Management Center shown as a registered FMC pxGrid client.
Slide 62: FMC, Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
Screenshot: create a pxGrid mitigation action based on "mitigate Source". Available mitigation actions:
• Quarantine
• Un-Quarantine
• Port Bounce
• Port Shutdown
• Session Re-Authenticate
• Session Terminate
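The following is an added example, not code from the Cisco deck or from ISE/FMC themselves. It is an offline simulation of the containment flow described on the pxGrid slide (steps 1 to 5) and on the FMC slides: ISE holds a session table, a malware verdict from FMC arrives over pxGrid and invokes the ANC "Quarantine" action, ISE re-tags the endpoint, and enforcement is decided by an SGT-to-SGT matrix like the one in the TrustSec Work Center. The MAC address, user name, matrix cells and the helper names `Ise`, `fmc_event` and `demo` are all constructed for illustration; they are not ISE or FMC APIs.

```python
"""Added example, not part of the Cisco deck: a minimal, offline simulation of
the rapid-threat-containment flow (pxGrid event -> ANC Quarantine -> SGT
re-tag -> SGACL enforcement).  Every name, MAC address and matrix cell below
is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SGT names follow the deck; which cells are permitted is an assumption.
EMPLOYEE, INFECTED = "Employee", "Infected"
INTERNET, HR_SERVER, REMEDIATION = "Internet", "HR Server", "Remediation"

# Source SGT -> destination SGT -> action.  Cells not listed are "deny",
# mirroring a matrix whose default cell is Deny IP.
POLICY_MATRIX: Dict[str, Dict[str, str]] = {
    EMPLOYEE: {INTERNET: "permit", HR_SERVER: "permit", REMEDIATION: "permit"},
    INFECTED: {REMEDIATION: "permit"},
}

ANC_ACTIONS = {"Quarantine", "Un-Quarantine"}  # the two ANC actions modelled here


@dataclass
class Session:
    mac: str
    user: str
    sgt: str
    original_sgt: str
    anc_policy: Optional[str] = None


@dataclass
class Ise:
    """The parts of ISE that matter for containment: sessions, ANC, SGT lookup."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def authorize(self, mac: str, user: str, sgt: str) -> None:
        """Initial 802.1X/MAB authorization: the endpoint gets its role SGT."""
        self.sessions[mac] = Session(mac, user, sgt, original_sgt=sgt)

    def apply_anc(self, mac: str, action: str) -> str:
        """ANC action requested by a pxGrid client.  In a real deployment an
        authorization rule matching the ANC policy assigns the quarantine SGT
        and ISE sends a CoA to the NAD; here the session is re-tagged directly."""
        if action not in ANC_ACTIONS:
            raise ValueError(f"unsupported ANC action {action!r}")
        s = self.sessions[mac]
        if action == "Quarantine":
            s.anc_policy, s.sgt = action, INFECTED
        else:
            s.anc_policy, s.sgt = None, s.original_sgt
        self.audit.append((mac, action, s.sgt))
        return s.sgt

    def decide(self, mac: str, dst_sgt: str) -> str:
        """Enforcement-point lookup: session's source SGT vs destination SGT."""
        src_sgt = self.sessions[mac].sgt
        return POLICY_MATRIX.get(src_sgt, {}).get(dst_sgt, "deny")


def fmc_event(ise: Ise, mac: str, verdict: str) -> str:
    """Stand-in for FMC publishing a file verdict to pxGrid and, for malware,
    triggering its pxGrid remediation module with the Quarantine action."""
    if verdict == "malware":
        return ise.apply_anc(mac, "Quarantine")
    return ise.sessions[mac].sgt


def demo() -> Tuple[str, str, str, str]:
    """Walk one endpoint through the flow: allowed, quarantined, released."""
    ise = Ise()
    mac = "00:11:22:33:44:55"  # constructed endpoint
    ise.authorize(mac, "alice", EMPLOYEE)
    before = ise.decide(mac, HR_SERVER)       # employee reaches the HR server
    fmc_event(ise, mac, "malware")            # FMC verdict -> ANC Quarantine
    after_hr = ise.decide(mac, HR_SERVER)     # now denied
    after_rem = ise.decide(mac, REMEDIATION)  # remediation still reachable
    ise.apply_anc(mac, "Un-Quarantine")       # analyst clears the endpoint
    released = ise.decide(mac, HR_SERVER)
    return before, after_hr, after_rem, released


if __name__ == "__main__":
    print(demo())
```

The practitioner detail the simulation glosses over is the middle step: in ISE the quarantine tag is not applied by the ANC call itself but by an authorization rule whose condition matches the ANC policy; without such a rule (and the CoA it triggers on the NAD) a Quarantine action is recorded but changes nothing on the wire.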
Slide 63: Network as a Sensor, see how endpoints act on the network with better visibility
Data sources: Cisco ISE, Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch
Slide 64: Network as an Enforcer, and make visibility actionable through segmentation and automation
Components: Cisco ISE, Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch, Cisco TrustSec software-defined segmentation
Zones in the slide diagram: Admin zone, Enterprise zone, POS zone, Vendor zone, Employee zone, Dev zone
Slide 65: TACACS+ Device Administration support for ISE 2.0, simplify security management with role-based access

Feature highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
• Simplified, centralized device administration: increase security and compliance auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

Slide diagram: the security admin team and the network admin team each work from the TACACS+ Work Center.
Slide 66: The Device Admin Service is not enabled by default. It is a per-node setting on the policy service node (Administration -> System -> Deployment) and requires a Device Administration license.
Slide 67: Some Device Admin best practices
• Use different policy sets for IOS than for AireSpace OS (wireless LAN controllers)
• Use different policy sets for security appliances than for routers
• Use a different policy set for the ASA
• Differentiate based on the location of the device
• Use Network Device Groups (NDGs) to drive policy-set selection
Slide 68: Use policy sets based on device type (screenshot: separate policy sets for Cisco IOS switches and Airespace WLCs)
Slide 69: Example, wireless LAN controllers (screenshot)
Slide 70: Example, Cisco IOS (screenshot)
Slide 71: ISE services now available for non-Cisco network access devices, get the same great security across more devices

Feature highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.

For additional information refer to the Cisco Compatibility Matrix.
Slide 72: Network Device Profiles
• Ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73: Don't just take it from us
• Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
• "Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
• Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
• A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Slide 74: Live Demo
Slide 37: Posture enhancements, OS X daemon check
• A daemon is a program that runs in the background as part of the overall system (not tied to a user)
• A user agent is a process that runs in the background on behalf of a particular user
• ISE 2.0 supports posture checks for user agents as well as daemons
Slide 38: Disk encryption
• Based on the OPSWAT OESIS library, the same library used for the antivirus, antispyware and patch management checks
• Administrators can import the new disk encryption support chart from the update server
• Checks can be based on the installation of a specified disk encryption application or on the disk encryption state
Slide 39: Windows ISE Posture, disk encryption (screenshot)
Slide 40: Windows ISE Posture, native patch management via OPSWAT (screenshot)
Slide 41: ISE Posture, patch management, Windows OS example
Screenshot columns: product name and version; "Install" is the default supported check for all products, and some products optionally support "Enabled" or "Up to Date" checks; minimum version of the compliance module that provides support.
Slide 42: ISE Posture, patch management, Mac OS example (screenshot)
Slide 43: Patch management remediation
• Remediation type: same as AV and AS remediation
• Operating system: only Windows is supported
• Vendor name: the list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44: Endpoint compliance, Mobile Device Management integration, posture compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor MDM integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number)
• Device actions from ISE and from the My Devices portal (device stolen, wipe corporate data)

Slide diagram: the device registers with ISE and is allowed Internet access; it registers with the MDM and is then allowed corporate access.
Slide 45: Streamline management using a single workspace, TrustSec Work Center

Feature highlight: intuitive work center and access policy matrix. The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits
• Simplify management with a dedicated work center that lets you visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules with TrustSec's new user interface

Capabilities
• New TrustSec administrator console and services: TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX: improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting: PDF print and local save reintroduced; improved filtering for live log and reports

Access policy matrix (slide screenshot): source SGTs Guest, Contractor, Employee and Infected on the rows; destination SGTs Internet, Contractor Resources, HR Server, Employee Resources and Remediation on the columns; each of the 20 cells holds either Permit IP or Deny IP (ten of each).
Slide 46: High OPEX security policy maintenance

Traditional ACL / firewall rule
Source: NY, SF, LA, SJC (for example NY: 10.234.0/24, 10.235.0/24, 10.236.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …)
Destination: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI); production servers

ACL for 3 source objects and 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

Adding a source object or a destination object means adding another block of rules. A global bank currently dedicates 24 global resources to managing firewall rules; the complex task and the high OPEX continue.
Slide 47: Low OPEX security policy maintenance

Security group filtering
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Sources NY, SF, LA and SJC are tagged Employee or BYOD; DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) are Production_Servers; DC-RTP (VDI) is VDI.

Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

Policy stays with users and servers regardless of location or topology.
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX
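The following is an added example, not code from the Cisco deck, that models the policy-maintenance difference the two preceding slides describe: an IP-based ACL needs one entry per (source subnet, destination host, service), so every new source or destination object adds a block of lines, while a TrustSec SGACL is written once per (source SGT, destination SGT) pair and a new object only needs an IP-to-SGT mapping. The site subnets and server addresses are constructed; the SGT numbers (Employee 10, Production_Servers 50) follow the slide; the SGACL text uses IOS-style role-based ACL syntax for illustration, and the helper names `ip_acl`, `sgacl` and `growth_on_new_site` are this example's own.

```python
"""Added example, not from the Cisco deck: counts how an IP ACL and a TrustSec
SGACL grow when the inventory changes.  Site subnets and server addresses are
constructed; SGT numbers follow the slide; SGACL syntax is IOS-style for
illustration only.
"""
from itertools import product
from typing import Dict, List, Tuple

Intent = Tuple[str, str, int]  # (action, protocol, destination port)

# Constructed inventory: each site is a "source object", each server a
# "destination object" in the traditional model.
SITES: Dict[str, List[str]] = {
    "NY":  ["10.234.0.0/24", "10.235.0.0/24"],
    "SF":  ["10.3.102.0/24"],
    "LA":  ["10.3.152.0/24"],
    "SJC": ["10.4.111.0/24"],
}
SERVERS: Dict[str, str] = {
    "SRV1": "172.16.10.11",  # HTTPS front end
    "SAP1": "172.16.10.21",  # database
    "SCM2": "172.16.20.31",  # source control
}
# Intent from the slide: employees reach production over HTTPS only.
INTENT: List[Intent] = [("permit", "tcp", 443), ("deny", "tcp", 1433), ("deny", "tcp", 22)]


def ip_acl(sites: Dict[str, List[str]], servers: Dict[str, str],
           intent: List[Intent]) -> List[str]:
    """Traditional policy: one ACE per (subnet, server, service) combination."""
    lines = []
    for (site, subnets), (name, addr) in product(sites.items(), servers.items()):
        for subnet in subnets:
            for action, proto, port in intent:
                lines.append(f"{action} {proto} {subnet} host {addr} eq {port}  ! {site} -> {name}")
    return lines


def sgacl(intent: List[Intent], src_sgt: int = 10, dst_sgt: int = 50) -> List[str]:
    """TrustSec policy: one role-based ACL bound to an SGT pair, independent of
    how many subnets or servers carry those tags."""
    name = "Employee_to_Production_Servers"
    lines = [f"ip access-list role-based {name}"]
    lines += [f" {action} {proto} dst eq {port}" for action, proto, port in intent]
    lines.append(f"cts role-based permissions from {src_sgt} to {dst_sgt} {name}")
    return lines


def growth_on_new_site(sites: Dict[str, List[str]], servers: Dict[str, str],
                       intent: List[Intent], new_site: str,
                       new_subnets: List[str]) -> Tuple[int, int, int]:
    """Lines gained by each model when a source object is added:
    (new ACL entries, new SGACL entries, new IP-to-SGT mappings)."""
    before = len(ip_acl(sites, servers, intent))
    grown = {**sites, new_site: new_subnets}
    after = len(ip_acl(grown, servers, intent))
    # The SGACL is untouched; the only change is tagging the new subnets.
    return after - before, 0, len(new_subnets)


if __name__ == "__main__":
    print("\n".join(ip_acl(SITES, SERVERS, INTENT)))
    print("\n".join(sgacl(INTENT)))
    print(growth_on_new_site(SITES, SERVERS, INTENT, "CHI", ["10.5.1.0/24"]))
```

With five subnets, three servers and three services the traditional list already has 45 entries, and every additional site subnet adds nine more; the SGACL stays at five lines and the new subnet only needs to be classified as Employee (10). Adding a destination object behaves the same way: the IP ACL gains a line per subnet per service, the SGACL gains nothing.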
Slide 48: Policy and segmentation with VLANs
Access layer and aggregation layer with Voice, Data, Suppliers, Guest and Quarantine VLANs. Each VLAN brings its own addressing, DHCP scope, redundancy, routing and static filtering.
Simple segmentation needs 2 VLANs; more policies need more VLANs. The design has to be replicated for floors, buildings, offices and other facilities, so the cost can be extremely high.
Slide 49: Segmentation with security groups
The initial VLAN/subnet design is retained (Voice, Data, Suppliers, Guest and Quarantine at the access layer, the aggregation layer, the data center firewall). Regardless of topology or location, the policy (Security Group Tag: Data tag, Supplier tag, Guest tag, Quarantine tag) stays with users, devices and servers.
Slide 50: Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business-role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
Slide diagram: three sessions (Guest/iPad/Office, Receptionist/iPad/Office, Doctor/Laptop/Office) and three resources (Internet, Confidential Patient Records, Internal Employee Intranet).
Slide 51: "Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
[Slide visual: a wall of "access-list 102 permit/deny ..." entries standing for a traditional address-based security policy; the addresses are illegible in this extraction.]
Software-defined segmentation with TrustSec
Traditional Security Policy | TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
53 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
Who, What, Where, When, How
Before / During / After
NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
And easily integrates with partner solutions
Who, What, Where, When, How
ISE pxGrid controller; Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Components: ISE, Cisco Network, pxGrid controller, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office -> Identity Services Engine -> WSA -> Confidential Patient Records, Employee Intranet
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Containment flow shown on the slide:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to "suspicious".
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation; access is denied per security policy.
FireSIGHT Management Center: registered FMC pxGrid client
• Administration -> pxGrid Services
FireSIGHT Management Center: create pxGrid mitigation action based on mitigate source
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation Actions:
 – Quarantine
 – Un-Quarantine
 – Port Bounce
 – Port Shutdown
 – Session Re-Authenticate
 – Session Terminate
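The containment flow on the FMC/ISE slides, modeled end to end in Python as an added example (this is not ISE, FMC or pxGrid code): a partner event reports a malicious file, an ANC quarantine is applied to the endpoint's session, the session's SGT changes, and the access policy matrix enforces the new tag without any ACL being edited. The event fields, the ANC-to-SGT mapping, the matrix cells and the endpoint are all constructed; the source and destination group names are those of the TrustSec Work Center matrix, with the slide's "suspicious" tag represented by that matrix's "Infected" row.

```python
"""Rapid threat containment, modeled: partner event -> ANC policy -> new SGT -> matrix decision.

Added example, not ISE/FMC code.  Event format, ANC_SGT mapping, matrix cells
and the endpoint MAC are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DESTINATIONS = ("Internet", "Contractor Resources", "HR Server", "Employee Resources", "Remediation")

def _row(*permitted):
    """Build one matrix row: permit the named destinations, deny the rest."""
    return {d: ("permit" if d in permitted else "deny") for d in DESTINATIONS}

# Access policy matrix: source group -> destination group -> action (cells constructed).
MATRIX = {
    "Guest": _row("Internet"),
    "Contractor": _row("Internet", "Contractor Resources"),
    "Employee": _row("Internet", "Contractor Resources", "HR Server", "Employee Resources"),
    "Infected": _row("Remediation"),
}

# ANC policy -> SGT the session receives when the policy is applied (constructed).
ANC_SGT = {"Quarantine": "Infected"}

@dataclass
class Session:
    mac: str
    user: str
    sgt: str
    anc_policy: Optional[str] = None
    original_sgt: str = ""
    audit: List[str] = field(default_factory=list)

class IdentityEngine:
    """Minimal stand-in for ISE session state plus matrix enforcement."""
    def __init__(self):
        self.sessions = {}

    def add_session(self, mac, user, sgt):
        self.sessions[mac] = Session(mac, user, sgt, original_sgt=sgt)

    def apply_anc(self, mac, policy, source):
        """Apply an ANC policy to a session, as a pxGrid partner would request."""
        s = self.sessions[mac]
        if policy not in ANC_SGT:
            raise ValueError(f"unknown ANC policy {policy!r}")
        s.anc_policy, s.sgt = policy, ANC_SGT[policy]
        s.audit.append(f"{source}: ANC {policy} applied -> SGT {s.sgt}")  # CoA re-authorizes the session

    def clear_anc(self, mac, source):
        """Un-quarantine: restore the tag the session had before containment."""
        s = self.sessions[mac]
        s.anc_policy, s.sgt = None, s.original_sgt
        s.audit.append(f"{source}: ANC cleared -> SGT {s.sgt}")

    def enforce(self, mac, destination):
        """Look up the session's current tag in the matrix; unknown tags fail closed."""
        return MATRIX.get(self.sessions[mac].sgt, {}).get(destination, "deny")

def handle_partner_event(ise, event):
    """Dispatch a constructed pxGrid-style event; only a Malicious disposition contains."""
    if event.get("type") == "file_disposition" and event.get("disposition") == "Malicious":
        ise.apply_anc(event["mac"], "Quarantine", source=event["source"])
        return "Quarantine"
    return None

def containment_demo():
    """Walk the slide's flow and return the access decision at each step."""
    ise = IdentityEngine()
    mac = "00:11:22:33:44:55"  # constructed endpoint
    ise.add_session(mac, "alice", "Employee")
    before = ise.enforce(mac, "HR Server")
    # Step 3 on the slide: FMC scans the downloaded file and reports it over pxGrid.
    applied = handle_partner_event(
        ise, {"source": "FMC", "type": "file_disposition", "disposition": "Malicious", "mac": mac})
    during = (ise.enforce(mac, "HR Server"), ise.enforce(mac, "Remediation"))
    ise.clear_anc(mac, source="analyst")  # Un-Quarantine once remediation is done
    after = ise.enforce(mac, "HR Server")
    return {"before": before, "applied": applied, "during": during, "after": after,
            "audit": ise.sessions[mac].audit}

if __name__ == "__main__":
    for step, value in containment_demo().items():
        print(f"{step}: {value}")
```

The point the model makes is the one on the slide: enforcement reads only the tag, so containment and release are a change of session state carried by the session audit trail, not a change to the enforcement configuration.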
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
(Data)
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: Admin Zone, Enterprise Zone, POS Zone, Vendor Zone, Employee Zone, Dev Zone
TACACS+ Device Administration
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Diagram: Security Admin Team -> TACACS+ Work Center; Network Admin Team -> TACACS+ Work Center; TACACS+ Device Administration support for ISE 2.0
Device Admin Service is not enabled by default.
Some Device Admin best practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use policy sets based on device type: Cisco IOS switches; Airespace WLCs
Example: Wireless LAN Controllers (policy set screenshot)
Example: Cisco IOS (policy set screenshot)
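The best practices above (a policy set per device type, further differentiated by location, both keyed on NDGs) and the command-level authorization with audit logs from the feature slide can be seen together in the following Python model. It is an added example, not ISE code: the policy-set, authorization-rule and command-set objects are a hypothetical simplification of the ISE objects of the same names, and every device name, NDG value, admin group and command set is constructed.

```python
"""TACACS+ device administration, modeled: choose a policy set by NDG (device type,
location), pick a command set by admin group, then authorize each command.

Added example, not ISE code.  The matching rules are a simplified model:
first matching policy set wins, DENY_ALWAYS beats any permit, and an
unlisted command is permitted only if the command set says so.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class NetworkDevice:
    name: str
    device_type: str   # NDG "Device Type" value (constructed)
    location: str      # NDG "Location" value (constructed)

@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: Tuple[Tuple[str, str, str], ...]   # (grant, command, argument regex)
    permit_unlisted: bool = False             # "permit any command that is not listed"

    def authorize(self, line: str) -> Tuple[str, str]:
        """Authorize one CLI line; returns (decision, reason) for the audit record."""
        parts = line.strip().split(None, 1)
        if not parts:
            return "deny", "empty command"
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        hits = [r for r in self.rules if r[1] == cmd and re.fullmatch(r[2], args)]
        if any(r[0] == "DENY_ALWAYS" for r in hits):
            return "deny", "DENY_ALWAYS rule"
        if hits:
            return ("permit" if hits[0][0] == "PERMIT" else "deny"), f"rule {hits[0]}"
        return ("permit" if self.permit_unlisted else "deny"), "command not listed"

@dataclass(frozen=True)
class PolicySet:
    name: str
    device_types: Optional[frozenset]   # None = any device type
    locations: Optional[frozenset]      # None = any location
    authz: Dict[str, CommandSet]        # admin group -> command set

    def matches(self, dev: NetworkDevice) -> bool:
        return ((self.device_types is None or dev.device_type in self.device_types)
                and (self.locations is None or dev.location in self.locations))

# Constructed command sets.
SHOW_ONLY = CommandSet("ReadOnly", (("PERMIT", "show", ".*"), ("DENY_ALWAYS", "configure", ".*")))
IOS_NETOPS = CommandSet("IOS-NetOps", (
    ("DENY_ALWAYS", "reload", ".*"),
    ("PERMIT", "show", ".*"),
    ("PERMIT", "configure", "terminal"),
    ("PERMIT", "interface", ".*"),
    ("PERMIT", "description", ".*"),
))
WLC_ADMIN = CommandSet("WLC-Admin", (("DENY_ALWAYS", "clear", "config.*"),), permit_unlisted=True)
ASA_SECOPS = CommandSet("ASA-SecOps", (
    ("PERMIT", "show", ".*"), ("PERMIT", "configure", "terminal"), ("PERMIT", "access-list", ".*")))

# Ordered: the first matching policy set wins; Default catches everything else and permits nothing.
POLICY_SETS = (
    PolicySet("Airespace WLCs", frozenset({"Airespace WLC"}), None,
              {"NetAdmins": WLC_ADMIN, "Helpdesk": SHOW_ONLY}),
    PolicySet("Security Apps", frozenset({"ASA"}), None, {"SecAdmins": ASA_SECOPS}),
    PolicySet("IOS Switches - Branch", frozenset({"Cisco IOS Switch"}), frozenset({"Branch"}),
              {"NetAdmins": IOS_NETOPS, "Helpdesk": SHOW_ONLY}),
    PolicySet("IOS Switches", frozenset({"Cisco IOS Switch"}), None, {"NetAdmins": IOS_NETOPS}),
    PolicySet("Default", None, None, {}),
)

def select_policy_set(dev, policy_sets=POLICY_SETS):
    return next(ps for ps in policy_sets if ps.matches(dev))

def authorize(dev, admin_groups, line, policy_sets=POLICY_SETS):
    """Authorize one command and return the per-command audit record."""
    ps = select_policy_set(dev, policy_sets)
    cs = next((ps.authz[g] for g in admin_groups if g in ps.authz), None)
    decision, reason = cs.authorize(line) if cs else ("deny", "no authorization rule matched")
    return {"device": dev.name, "policy_set": ps.name, "command_set": cs.name if cs else None,
            "groups": list(admin_groups), "command": line, "decision": decision, "reason": reason}

if __name__ == "__main__":
    sw = NetworkDevice("br1-sw1", "Cisco IOS Switch", "Branch")
    for groups, cmd in ((["Helpdesk"], "show interfaces status"),
                        (["Helpdesk"], "configure terminal"),
                        (["NetAdmins"], "reload")):
        print(authorize(sw, groups, cmd))
```

Two design points carry over to a real deployment: the Default set at the bottom permits nothing, so a device whose NDG values match no set fails closed, and DENY_ALWAYS is checked before any permit so a broad "show .*" rule can never be used to reach a command the set has explicitly forbidden.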
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Disk Encryption
• Based on the OPSWAT OESIS library, which is the same library we use for antivirus, antispyware and patch management applications
• Administrator would be able to import the new disk encryption support chart from the update server
• Checks can be based on:
 – Installation of a specified disk encryption application
 – Disk encryption state
Windows ISE Posture – Disk Encryption (screenshot)
Windows ISE Posture – Native Patch Management via OPSWAT (screenshot)
ISE Posture – Patch Management: Windows OS example
Columns: Product Name and Version; Install (default support for all; optionally may support checks for "Enabled" or "Up to Date"); minimum version of the compliance module that provides support
ISE Posture – Patch Management: Mac OS example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
 – Enabled
 – Install missing patches
 – Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the My Devices Portal (Device Stolen, Wipe Corporate Data)
Diagram: register with ISE, allow Internet access; register with MDM, allow corporate access
Streamline management using a single workspace
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring.
Capabilities
• New TrustSec administrator console and services
 – TrustSec dashboard
 – Matrix overhaul
 – Automatic SGT creation
 – ISE as SXP speaker/listener
• Revised UX
 – Improved menu structure for ease of navigation
 – Search capability within the GUI
• Enhanced reporting
 – PDF print and local save reintroduced
 – Improved filtering for live log and reports
Benefits, with TrustSec's new user interface
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules.
TrustSec Work Center: access policy matrix with sources (rows) Guest, Contractor, Employee, Infected and destinations (columns) Internet, Contractor Resources, HR Server, Employee Resources, Remediation; the slide shows each cell as Permit IP or Deny IP.
High OPEX security policy maintenance
Traditional ACL / FW rule: Source -> Destination
Sources: NY, SF, LA, SJC (NY is shown as a list of /24 subnets, illegible in this extraction)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Annotations on the rule list: adding a source object; adding a destination object
A global bank currently dedicates 24 global resources to managing firewall rules.
Complex task, and high OPEX continues.
Low OPEX security policy maintenance
Security Group Filtering:
permit Employee to Production_Servers eq HTTPS
deny Employee to Production_Servers eq SQL
deny Employee to Production_Servers eq SSH
permit Employee to VDI eq RDP
deny BYOD to Production_Servers
permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Sources: NY, SF, LA, SJC (Employee and BYOD); destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI) = VDI Servers
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization) (e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
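The two slides above contrast an address-based ACL with group-based filtering. The following Python, added here as an example (not from the deck or from Cisco), makes the comparison concrete: it takes the six security-group rules and the SGT values from the low-OPEX slide, expands them the traditional way into per-address ACEs, and shows the ACE count growing with every site added while the group policy stays at six rules. It also checks that both enforcement styles reach the same decision for every flow. The site subnets, server addresses, the Employee/BYOD VLAN split per site and the fifth site are constructed for illustration.

```python
"""Address-based ACL vs. TrustSec security-group policy, on the slide's six rules.

Added example, not Cisco's code.  Subnets and host addresses are constructed;
SGT names/values and SGT_POLICY follow the "Low OPEX" slide.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Security Group Tags as named and numbered on the slide.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# The six rules from the slide: (source group, destination group, service or None=any, action).
SGT_POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]

DEFAULT_SITES = ["NY", "SF", "LA", "SJC"]

def build_members(sites):
    """Constructed address plan: one Employee /24 and one BYOD /24 per site,
    three production hosts (SRV1, SAP1, SCM2) and one VDI host."""
    src = {"Employee": [], "BYOD": []}
    for i, _site in enumerate(sites):
        src["Employee"].append(ip_network(f"10.{20 + i}.0.0/24"))
        src["BYOD"].append(ip_network(f"10.{20 + i}.1.0/24"))
    dst = {
        "Production_Servers": [ip_network(h) for h in ("10.100.1.10/32", "10.100.1.20/32", "10.200.1.30/32")],
        "VDI": [ip_network("10.200.2.40/32")],
    }
    return src, dst

def expand_to_acl(policy, src_groups, dst_groups):
    """Rewrite the group policy as address-based ACEs: one per (rule, source, destination)."""
    return [(action, s, d, svc)
            for src_grp, dst_grp, svc, action in policy
            for s, d in product(src_groups[src_grp], dst_groups[dst_grp])]

def acl_size_for(sites):
    """How many ACEs the traditional policy needs for this many sites."""
    src, dst = build_members(sites)
    return len(expand_to_acl(SGT_POLICY, src, dst))

def evaluate_acl(acl, src_ip, dst_ip, service, default="deny"):
    """First-match evaluation of the expanded ACL; implicit deny at the end."""
    s_ip, d_ip = ip_address(src_ip), ip_address(dst_ip)
    for action, s_net, d_net, svc in acl:
        if s_ip in s_net and d_ip in d_net and svc in (None, service):
            return action
    return default

def evaluate_sgt(src_sgt, dst_sgt, service, policy=SGT_POLICY, default="deny"):
    """First-match evaluation on tags only: no addresses are involved."""
    for src_grp, dst_grp, svc, action in policy:
        if SGT[src_grp] == src_sgt and SGT[dst_grp] == dst_sgt and svc in (None, service):
            return action
    return default

def evaluators_agree(sites=DEFAULT_SITES, services=("HTTPS", "SQL", "SSH", "RDP")):
    """Both styles give the same decision for one host of every member, for every service."""
    src, dst = build_members(sites)
    acl = expand_to_acl(SGT_POLICY, src, dst)
    for sg, s_nets in src.items():
        for dg, d_nets in dst.items():
            for s_net, d_net, svc in product(s_nets, d_nets, services):
                if evaluate_acl(acl, s_net[1], d_net[0], svc) != evaluate_sgt(SGT[sg], SGT[dg], svc):
                    return False
    return True

if __name__ == "__main__":
    print("ACEs for 4 sites:", acl_size_for(DEFAULT_SITES))
    print("ACEs after adding a 5th site:", acl_size_for(DEFAULT_SITES + ["DEN"]))
    print("TrustSec rules either way:", len(SGT_POLICY))
    print("decisions agree:", evaluators_agree())
```

With the constructed plan the traditional policy needs 56 ACEs for four sites and 70 for five, against six group rules in both cases; the count is rules multiplied by source members multiplied by destination members, which is the growth the slide's "adding source object / adding destination object" annotations point at. A practitioner auditing a migration would run the agreement check above against the real address objects before cutting over.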
Policy and segmentation
VLAN-based segmentation: Voice, Data, Suppliers, Guest, Quarantine
Access Layer / Aggregation Layer
Per VLAN: addressing, DHCP scope, redundancy, routing, static filtering
Simple segmentation with 2 VLANs; more policies using more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities; cost could be extremely high
Segmentation with security groups: Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/subnet design: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Access Layer / Aggregation Layer / Data Center Firewall
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Diagram: Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network."
- US-CERT
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
TACACS+ Device Administration Support for ISE 2.0
Simplify security management with role-based access

Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features

Benefits
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

(Diagram: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center)
Device Admin Service is not enabled by default.
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security appliances than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices

Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.

For additional information refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Windows ISE Posture – Disk Encryption
Windows ISE Posture – Native Patch Management via OPSWAT
ISE Posture – Patch Management, Windows OS example: product name and version
Install is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date".
The table also lists the minimum version of the compliance module that provides support.
ISE Posture – Patch Management, Mac OS example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options: Enabled; Install missing patches; Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture/compliance assessment for mobile devices

Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device actions from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)

(Diagram: a mobile device first registers with ISE and is allowed Internet access, then registers with the MDM and is allowed corporate access.)
Streamline management using a single workspace
Intuitive work center and access policy matrix

Feature Highlight: The TrustSec Work Center provides an updated user experience that allows simplified and streamlined deployment, troubleshooting and monitoring.

Capabilities
• New TrustSec administrator console and services – TrustSec dashboard; matrix overhaul; automatic SGT creation; ISE as SXP speaker/listener
• Revised UX – improved menu structure for ease of navigation; search capability within the GUI
• Enhanced reporting – PDF print and local save reintroduced; improved filtering for live log and reports

Benefits (with TrustSec's new user interface)
• Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
• Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
• Automate configuration of new SGT policies and authorization rules

(Screenshot: TrustSec Work Center access policy matrix. Source SGTs: Guest, Contractor, Employee, Infected. Destination SGTs: Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell holds Permit IP or Deny IP; the example matrix has ten of each.)
High OPEX Security Policy Maintenance

Traditional ACL/FW rule: source -> destination. Adding a source object or a destination object means adding more rules.

ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

Sources: NY (10.234.0/24, 10.235.0/24, 10.236.0/24, ...), SF, LA, SJC
Destinations: Production Servers – DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); DC-RTP (VDI)

A global bank currently dedicates 24 global resources to managing firewall rules. The complex task and high OPEX continue.
Low OPEX Security Policy Maintenance

Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP

Source SGTs: Employee (10), BYOD (200) – users at NY, SF, LA, SJC
Destination SGTs: Production_Servers (50) – DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2); VDI (201) – DC-RTP (VDI)

Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources.
Clear ROI in OPEX.
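As an added illustration of the two slides above (not code from the Cisco deck), this Python simulator builds the per-site IP ACL and evaluates the six security-group rules against tagged endpoints; the site subnets, server addresses, service ports and the Quarantine tag value are constructed assumptions. The last step models the ANC/FMC retag described later in the deck: an endpoint retagged into a quarantine group is denied without any rule being edited.

```python
"""Added example, not code from the Cisco deck: a small simulator contrasting
IP-based ACL maintenance with TrustSec security-group (SGT) filtering, using
the tags and six SGACL rules shown on the slides. All subnets, host addresses,
service ports and the Quarantine tag value are constructed sample data."""
from ipaddress import ip_address, ip_network

# SGT names and values as listed on the slide. Quarantine is a constructed
# placeholder value modelling the ANC/"Infected" retag case.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201,
       "Quarantine": 4095}

# Services named on the slides -> (protocol, port); constructed port mapping.
SERVICES = {"HTTPS": ("tcp", 443), "SQL": ("tcp", 1433),
            "SSH": ("tcp", 22), "RDP": ("tcp", 3389)}

# Constructed site subnets and data-center hosts standing in for the slide's
# NY/SF/LA/SJC sources and SRV1/SAP1/SCM2/VDI destinations.
SITES = {"NY": "10.234.0.0/24", "SF": "10.235.0.0/24",
         "LA": "10.236.0.0/24", "SJC": "10.31.2.0/24"}
SERVERS = {"SRV1": ("10.50.0.10", "HTTPS", "permit"),
           "SAP1": ("10.50.0.20", "SQL", "deny"),
           "SCM2": ("10.50.0.30", "SSH", "deny"),
           "VDI":  ("10.51.0.10", "RDP", "permit")}

# The slide's security-group policy: (source SGT, destination SGT, service
# or None for any, action). First match wins; anything unmatched is denied.
SGACL = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]


def ip_acl_for(sites, servers):
    """Traditional ACL: one entry per (site, server) pair, as on the
    'High OPEX' slide. Adding a site or a server adds a whole row/column."""
    rules = []
    for site, cidr in sites.items():
        net = ip_network(cidr)
        for name, (dst, service, action) in servers.items():
            proto, port = SERVICES[service]
            rules.append(f"{action} {proto} {net.network_address} "
                         f"{net.hostmask} host {dst} eq {port}  ! {site}->{name}")
    return rules


def sgacl_decision(src_sgt, dst_sgt, service):
    """Evaluate the role-based policy; implicit deny if nothing matches."""
    for s, d, svc, action in SGACL:
        if s == src_sgt and d == dst_sgt and svc in (None, service):
            return action
    return "deny"


class Fabric:
    """Models ISE classification (session -> SGT, server subnet -> SGT) plus
    SGACL enforcement at the egress point. The policy never references IPs."""

    def __init__(self):
        self.sessions = {}       # authenticated endpoint IP -> SGT name
        self.server_groups = []  # (network, SGT name) for static server tags

    def authenticate(self, ip, role):
        """An endpoint authenticates (802.1X/MAB) and is tagged by role."""
        self.sessions[ip] = role

    def tag_servers(self, cidr, role):
        self.server_groups.append((ip_network(cidr), role))

    def classify(self, ip):
        if ip in self.sessions:
            return self.sessions[ip]
        addr = ip_address(ip)
        return next((r for n, r in self.server_groups if addr in n), None)

    def check(self, src_ip, dst_ip, service):
        src, dst = self.classify(src_ip), self.classify(dst_ip)
        if src is None or dst is None:
            return "deny"        # untagged traffic gets no role-based permit
        return sgacl_decision(src, dst, service)

    def quarantine(self, ip):
        """ANC-style containment: retag the session; no rule edits needed."""
        self.sessions[ip] = "Quarantine"


def build_demo_fabric():
    f = Fabric()
    f.tag_servers("10.50.0.0/24", "Production_Servers")
    f.tag_servers("10.51.0.0/24", "VDI")
    f.authenticate("10.234.0.7", "Employee")   # employee in NY
    f.authenticate("10.235.0.9", "BYOD")       # personal device in SF
    f.authenticate("192.0.2.40", "Employee")   # same role, brand-new site
    return f


if __name__ == "__main__":
    print(len(ip_acl_for(SITES, SERVERS)), "IP ACL entries for 4 sites")
    print(len(ip_acl_for({**SITES, "DEN": "10.237.0.0/24"}, SERVERS)),
          "entries after adding one site;", len(SGACL), "SGACL rules either way")
    fab = build_demo_fabric()
    print("Employee->SRV1 HTTPS:", fab.check("10.234.0.7", "10.50.0.10", "HTTPS"))
    print("BYOD->SRV1 HTTPS:", fab.check("10.235.0.9", "10.50.0.10", "HTTPS"))
    print("New-site Employee->VDI RDP:", fab.check("192.0.2.40", "10.51.0.10", "RDP"))
    fab.quarantine("10.234.0.7")
    print("Quarantined Employee->SRV1 HTTPS:", fab.check("10.234.0.7", "10.50.0.10", "HTTPS"))
```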
Policy and segmentation
VLAN-based design: Voice, Data, Suppliers, Guest and Quarantine VLANs span the Access Layer and Aggregation Layer; each VLAN brings its own addressing, DHCP scope, redundancy, routing and static filtering.
Simple segmentation uses 2 VLANs; more policies need more VLANs.
The design needs to be replicated for floors, buildings, offices and other facilities. The cost could be extremely high.
Segmentation with Security Groups
Voice, Data, Suppliers, Guest and Quarantine are segmented while retaining the initial VLAN/subnet design.
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
(Diagram: Data Tag, Supplier Tag, Guest Tag and Quarantine Tag carried from the Access Layer through the Aggregation Layer to the Data Center Firewall)
Give the right people on the right devices the right access to the right resources with TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users and assets
(Diagram: Who/What/Where examples – Guest on an iPad in the Office; Receptionist on an iPad in the Office; Doctor on a Laptop in the Office – accessing the Internet, Confidential Patient Records and the Internal Employee Intranet)
"Effective network segmentation... restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
Traditional Security Policy (slide shows a long list of address-based access-list entries) vs. TrustSec Security Policy
With TrustSec:
• Security control automation
• Simplified access management
• Improved security efficacy
Network fabric – switch, router, DC firewall, DC switch, wireless: flexible and scalable policy enforcement through software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
ISE is the cornerstone of your Cisco solutions
ISE context (Who, What, Where, When, How) feeds Cisco security products across the attack continuum (Before, During, After): NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
And easily integrates with partner solutions
The ISE pxGrid controller shares Who/What/Where/When/How context with Cisco Meraki and with partner solutions in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (Who, What, Where, When, How) flows between ISE, the Cisco network and the Cisco and partner ecosystem through the pxGrid controller:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness

Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.

Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations

Benefits
• Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access Web resources

(Diagram: Doctor on a Laptop in the Office, Doctor on an iPad in the Office and Guest on an iPad in the Office are classified by the Identity Services Engine; the WSA applies policy for Confidential Patient Records and the Employee Intranet)
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE

Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.

Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration

Benefits
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Flow (diagram):
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to "suspicious"
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
• Administration -> pxGrid Services
40copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Windows ISE Posture ndash Native Patch Management via OPSWAT
41copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ISE Posture ndash Patch ManagementWindows OS Example Product Name and Version
Install is default support for allOptionally may support checks for ldquoEnabledrdquo or ldquoUp to Daterdquo
Min Version of compliance module that provides support
42copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ISE Posture ndash Patch ManagementMac OS Example
43copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Patch Management Remediationbull Remediation type ndash same as AV and AS remediation
bull Operation System ndashWindows only supported
bull Vendor Name ndash List is loaded from the OPSWAT update
bull Remediation optionsbull Enabledbull Install missing patchesbull Activate patch management
software GUI
bull Product list is updated according to selected vendor and Remediation option Product can be selected only if supported for related option
44copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Endpoint Compliance Mobile Device Management integration
Posture Compliance assessment for Mobile devices
bull Allows for multi-vendor integration on the same ISE setup
bull Macro and Micro-level compliance (Pin Lock Jailbroken status)
bull MDM attributes available for policy conditions (Manufacturer Model IMEI Serial Number OS Version Phone Number)
bull Device action from ISE and from MyDevices Portal (Device Stolen Wipe Corporate data)
Capabilities
Internet
4
1 2
3
Register with ISEAllow Internet Access
Register with MDMAllow Corp Access
45copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Streamline management using a single workspace
bull New TrustSec administrator console and servicesndash TrustSec dashboardndash Matrix overhaulndash Automatic SGT creationndash ISE as SXP speaker listener
bull Revised UXndash Improved menu structure for ease of navigationndash Search capability within the GUI
bull Enhanced reportingndash PDF print and local save reintroducedndash Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature HighlightThe TrustSec Work Center provides an updated user experience allows simplified and streamlined deployment troubleshooting and monitoring
Benefits
Simplify managementwith a dedicated work centers allowing you to visualize comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases including user-to-datacenter access control
and user-to-user segmentation
With TrustSecrsquos new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix
Guest
Contractor
Employee
Infected
Source
Destination
Internet Contractor Resources
HR ServerEmployeeResources
Remediation
Permit IP
Permit IP
Permit IP Permit IP Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Deny IP Deny IP Deny IP
Deny IP
Deny IP
Deny IP
Deny IP
Deny IPDeny IPDeny IP
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX Security Policy Maintenance
Adding a destination object
Adding a source object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules
Complex task, and the high OPEX continues
Traditional ACL/FW rule: Source, Destination
Sources: NY, SF, LA, SJC (NY subnets: 1023402410235024 10236024103102024103152024104111024 …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)
Production Servers
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Security Group Filtering
Sources: NY, SF, LA, SJC
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)
Production Servers, VDI Servers; BYOD, Employee
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
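As an added example (not from the deck or Cisco), the slide-46 ACL and the slide-47 SGT policy modelled in Python: the traditional ACL grows with every source site or destination server while the SGT policy does not, and the SGT lookup decides a new site's traffic without any new rules. Site, server and SGT names and numbers are the deck's; the IP addressing, the per-destination rule list and the Employee/BYOD classification are assumptions.

```python
"""Added example, not from the Cisco deck: models the slide-46 'traditional ACL'
against the slide-47 SGT policy to show why one grows with every new site or
server while the other does not. Site, server and SGT names/numbers are the ones
on the slides; IP addresses and the destination rule list are constructed."""
import ipaddress
from itertools import product

# Constructed sample addressing for the slide-46 objects.
SITES = {"NY": "10.234.0.0/24", "SF": "10.235.0.0/24", "LA": "10.236.0.0/24"}
SERVERS = {"SRV1": "10.1.1.10", "SAP1": "10.1.1.20", "SCM2": "10.1.2.30",
           "VDI": "10.1.3.40"}
PORTS = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}

# Per-destination rules that slide 46 repeats for every source site
# (constructed simplification of the 16-line list on the slide).
DEST_RULES = [("SRV1", "HTTPS", "permit"), ("SAP1", "SQL", "deny"),
              ("SCM2", "SSH", "deny"), ("VDI", "RDP", "permit")]


def traditional_acl(sites, servers):
    """One ACE per (source site, destination rule): the list is the product
    of the two object sets, so every new site or server means new lines."""
    aces = []
    for site, (server, svc, action) in product(sites, DEST_RULES):
        if server not in servers:
            continue
        aces.append(f"{action} tcp {sites[site]} host {servers[server]} eq {PORTS[svc]}")
    return aces


# SGT numbers from slide 47 and the slide-47 policy (service None = any).
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGT_POLICY = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]
# Which SGT each server carries (constructed mapping).
SERVER_SGT = {"SRV1": "Production_Servers", "SAP1": "Production_Servers",
              "SCM2": "Production_Servers", "VDI": "VDI"}


def sgt_decision(src_sgt, dst_sgt, svc):
    """First matching (src, dst, service) entry wins; unmatched traffic is
    denied, as an SGACL with a closing deny would do."""
    for s, d, rule_svc, action in SGT_POLICY:
        if s == src_sgt and d == dst_sgt and rule_svc in (None, svc):
            return action
    return "deny"


def classify_source(ip, sites, byod_hosts):
    """Source classification (assumption): a BYOD endpoint carries SGT 200
    wherever it is; any user inside a known site network is Employee (SGT 10).
    A real deployment assigns these tags through ISE authorization."""
    addr = ipaddress.ip_address(ip)
    if ip in byod_hosts:
        return "BYOD"
    if any(addr in ipaddress.ip_network(net) for net in sites.values()):
        return "Employee"
    return None


def compare_growth(sites, servers):
    """Return (traditional ACE count, SGT policy line count) before and after
    the 'adding a source object' step from slide 46: a fourth site, SJC."""
    before = (len(traditional_acl(sites, servers)), len(SGT_POLICY))
    grown = dict(sites, SJC="10.237.0.0/24")       # constructed SJC subnet
    after = (len(traditional_acl(grown, servers)), len(SGT_POLICY))
    return before, after


if __name__ == "__main__":
    print(compare_growth(SITES, SERVERS))          # ((12, 6), (16, 6))
    all_sites = dict(SITES, SJC="10.237.0.0/24")
    src = classify_source("10.237.0.25", all_sites, set())   # constructed host
    print(src, sgt_decision(src, SERVER_SGT["SAP1"], "SQL"))  # Employee deny
```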
Policy and segmentation
Voice, Data, Suppliers, Guest, Quarantine
Access Layer
Aggregation Layer
VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies mean more VLANs
The design needs to be replicated for floors, buildings, offices and other facilities, so the cost could be extremely high
Data Center Firewall
Segmentation with Security Groups
Voice, Data, Suppliers, Guest, Quarantine
Retaining the initial VLAN/subnet design
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
– US-CERT
Traditional Security Policy (figure: a dense wall of traditional "access-list 102" entries, one per source, destination and port combination)
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Flexible and scalable policy enforcement across Switch, Router, DC FW, DC Switch and Wireless
Software-defined segmentation with TrustSec
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending (24, Season 4)
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How, What, Who, Where, When
Before, During, After
And easily integrates with partner solutions
How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness. Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Who: Doctor / What: Laptop / Where: Office
Who: Doctor / What: iPad / Where: Office
Who: Guest / What: iPad / Where: Office
Identity Service Engine
WSA
Confidential Patient Records
Employee Intranet
Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE. Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with the Cisco FireSIGHT and ISE integration
Capabilities
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
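The slide-60 containment flow as an added example (not the deck's or Cisco's code): a constructed session store standing in for ISE, a constructed pxGrid event from FMC, the mitigation actions that slide 62 lists, and an enforcement lookup against a constructed matrix that reuses the slide-45 tag names. The "Infected" tag for quarantined endpoints, the matrix cells and the event shape are assumptions, not the real pxGrid schema or ISE API.

```python
"""Added example, not from the Cisco deck: a model of the slide-60 containment
flow (FMC reports a suspicious download over pxGrid, ISE applies an ANC
quarantine, CoA re-authorizes the endpoint with a different SGT, the network
enforces the new tag). Event format, session store, matrix cells and the
'Infected' tag are constructed; the mitigation actions are those of slide 62."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed matrix using the slide-45 row and column names; pairs that are
# not listed are denied. Which cells the real slide permits is not
# recoverable from the deck, so this assignment is an assumption.
MATRIX = {
    ("Employee", "Internet"): "permit",
    ("Employee", "Employee Resources"): "permit",
    ("Employee", "HR Server"): "permit",
    ("Infected", "Remediation"): "permit",
}

MITIGATION_ACTIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
                      "Session Re-Authenticate", "Session Terminate"}


@dataclass
class Session:
    mac: str
    user: str
    role_sgt: str                     # tag from the normal authorization rule
    sgt: str                          # tag currently pushed to the network
    anc_policy: Optional[str] = None
    audit: List[str] = field(default_factory=list)


class IseModel:
    """Stand-in for ISE: active sessions keyed by IP, ANC state and CoA."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, ip: str, mac: str, user: str, role_sgt: str) -> Session:
        s = Session(mac, user, role_sgt, role_sgt)
        self.sessions[ip] = s
        return s

    def _reauthorize(self, s: Session) -> str:
        # The ANC quarantine rule sits above the role rules, so a quarantined
        # endpoint lands in the Infected tag regardless of who the user is.
        s.sgt = "Infected" if s.anc_policy == "Quarantine" else s.role_sgt
        return s.sgt

    def mitigate(self, action: str, ip: str, reason: str) -> Optional[str]:
        """Apply one slide-62 mitigation action; returns the endpoint's
        effective SGT afterwards, or None if it has no session or was removed."""
        if action not in MITIGATION_ACTIONS:
            raise ValueError(f"unknown mitigation action: {action}")
        s = self.sessions.get(ip)
        if s is None:
            return None
        if action == "Quarantine":
            s.anc_policy = "Quarantine"
        elif action == "Un-Quarantine":
            s.anc_policy = None
        elif action in ("Session Terminate", "Port Shutdown"):
            s.audit.append(f"{action}: {reason}")
            del self.sessions[ip]
            return None
        # Port Bounce / Session Re-Authenticate: CoA only, ANC state unchanged.
        new_sgt = self._reauthorize(s)            # CoA -> re-authorization
        s.audit.append(f"{action}: {reason} -> SGT {new_sgt}")
        return new_sgt


def handle_fmc_event(ise: IseModel, event: dict) -> Optional[str]:
    """pxGrid consumer side: quarantine the source of a malware disposition.
    The event dict is a constructed shape, not the real pxGrid schema."""
    if event.get("publisher") != "FMC" or event.get("disposition") != "Malware":
        return None
    reason = f"malware download sha256={event.get('sha256', '<unknown>')}"
    return ise.mitigate("Quarantine", event["src_ip"], reason)


def allowed(ise: IseModel, src_ip: str, dst_group: str) -> str:
    """Enforcement point lookup: the source tag comes from the session, the
    destination tag from the server group, and the matrix gives the verdict."""
    s = ise.sessions.get(src_ip)
    if s is None:
        return "deny"
    return MATRIX.get((s.sgt, dst_group), "deny")


if __name__ == "__main__":
    ise = IseModel()
    ise.login("10.1.20.5", "00:11:22:33:44:55", "alice", "Employee")   # constructed
    event = {"publisher": "FMC", "disposition": "Malware",
             "src_ip": "10.1.20.5", "sha256": "<placeholder-hash>"}    # constructed
    print(allowed(ise, "10.1.20.5", "HR Server"))    # permit
    print(handle_fmc_event(ise, event))               # Infected
    print(allowed(ise, "10.1.20.5", "HR Server"))    # deny
    print(allowed(ise, "10.1.20.5", "Remediation"))  # permit
```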
• Administration > pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies > Actions > Remediations > Modules > pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• Mitigation Actions
  – Quarantine
  – Un-Quarantine
  – Port Bounce
  – Port Shutdown
  – Session Re-Authenticate
  – Session Terminate
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Role-based access control
Simplify security management with role-based access
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature Highlight: Customers can now use Terminal Access Controller Access-Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Security Admin Team: TACACS+ Work Center
Network Admin Team: TACACS+ Work Center
TACACS+ Device Administration Support for ISE 2.0
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
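Slides 65 to 68 in code, as an added example (not from the deck or Cisco): a TACACS+ policy set is selected by NDG device type, then each command is authorized against a command set chosen by admin group and, for one group, by device location, with one audit line per decision. The device types and the policy-set-per-device-type idea are the slides'; the command-set patterns, groups, device names and locations are constructed.

```python
"""Added example (not from the Cisco deck): policy-set selection by NDG device
type and per-command authorization with an audit trail, as slides 65-68
describe. Command-set patterns, groups, device names and locations are
constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str   # NDG "Device Type" value
    location: str      # NDG "Location" value


# Policy sets evaluated top-down on the NDG device type (slides 67-68:
# separate sets for IOS, AireSpace OS, ASA, routers). Unmatched -> Default.
POLICY_SETS: Sequence[Tuple[str, str]] = (
    ("WLC-Admin", "Airespace WLC"),
    ("ASA-Admin", "ASA"),
    ("Router-Admin", "Cisco IOS Router"),
    ("IOS-Admin", "Cisco IOS Switch"),
)


def select_policy_set(device: Device) -> str:
    """First policy set whose device-type condition matches, else Default."""
    for name, device_type in POLICY_SETS:
        if device.device_type == device_type:
            return name
    return "Default"


# Command sets: ordered (action, regex) pairs with a closing deny, so each set
# is default-deny. Constructed patterns; "(?!run)" also catches the IOS
# abbreviation "show run", which a pattern on "running-config" alone misses.
COMMAND_SETS = {
    "IOS-Full":     [("permit", r".*")],
    "IOS-ReadOnly": [("permit", r"^show (?!run)"), ("deny", r".*")],
    "IOS-Helpdesk": [("permit", r"^show (interfaces|ip interface brief|version)\b"),
                     ("permit", r"^clear counters\b"),
                     ("deny", r".*")],
    "WLC-Full":     [("permit", r".*")],
}

# Authorization rules inside each policy set: (admin group, required device
# location or None, command set). The Helpdesk-SJC rule is the slide-67
# "differentiate based on location" case. ASA-Admin has no rules here, so
# every command on an ASA is denied until the security team adds theirs.
AUTHZ_RULES = {
    "IOS-Admin": [("NetworkAdmins", None, "IOS-Full"),
                  ("SecurityAdmins", None, "IOS-ReadOnly"),
                  ("Helpdesk-SJC", "SJC", "IOS-Helpdesk")],
    "WLC-Admin": [("NetworkAdmins", None, "WLC-Full")],
    "ASA-Admin": [],
}


def pick_command_set(policy_set: str, groups: Sequence[str],
                     device: Device) -> Optional[str]:
    """First authorization rule in the policy set matching group and location."""
    for group, location, command_set in AUTHZ_RULES.get(policy_set, []):
        if group in groups and location in (None, device.location):
            return command_set
    return None


def authorize_command(user: str, groups: Sequence[str], device: Device,
                      command: str, audit: List[str]) -> str:
    """TACACS+ command authorization: returns 'permit' or 'deny' and appends
    one audit line, the per-command record slide 65 calls detailed logs."""
    policy_set = select_policy_set(device)
    command_set = pick_command_set(policy_set, groups, device)
    decision = "deny"
    if command_set is not None:
        for action, pattern in COMMAND_SETS[command_set]:
            if re.match(pattern, command):
                decision = action
                break
    audit.append(f"user={user} device={device.name} policy_set={policy_set} "
                 f"command_set={command_set} cmd={command!r} result={decision}")
    return decision


if __name__ == "__main__":
    log: List[str] = []
    sw = Device("sw-sjc-01", "Cisco IOS Switch", "SJC")                 # constructed
    authorize_command("bob", ["SecurityAdmins"], sw, "show run", log)    # deny
    authorize_command("carol", ["Helpdesk-SJC"], sw, "show version", log)  # permit
    print("\n".join(log))
```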
Example Wireless LAN Controllers
Example Cisco IOS
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 1.0: 802.1X
New with ISE 2.0:
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Recognized as a LEADER four years in a row – Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today.”
– Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
– Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC – Info-Tech Research Group, 2014
Don't just take it from us
Live Demo
ISE Posture – Patch Management: Windows OS example (Product Name and Version)
"Install" is the default supported check for all products; optionally a product may also support checks for "Enabled" or "Up to Date"
Min. version of the compliance module that provides support
ISE Posture – Patch Management: Mac OS example
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options
  – Enabled
  – Install missing patches
  – Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Capabilities
Flow (figure): register with ISE, then allow Internet access; register with MDM, then allow corporate access
Traditional Security Policy versus Security Policy with TrustSec
TrustSec Security Policy:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement: software-defined segmentation
Slide 53 (footer: © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE supplies context (Who, What, Where, When, How) before, during and after an attack to: Netflow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
The ISE pxGrid controller shares context (Who, What, Where, When, How) with Cisco Meraki and with partner products in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context (Who, What, Where, When, How) flows between ISE, the Cisco network, the pxGrid controller and the Cisco and partner ecosystem:
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: enhance web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: ISE shares session context with the WSA, which decides access to Confidential Patient Records and the Employee Intranet for three sessions: Who: Doctor / What: Laptop / Where: Office; Who: Doctor / What: iPad / Where: Office; Who: Guest / What: iPad / Where: Office.
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow shown in the diagram:
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid; the endpoint's Security Group Tag (SGT) is changed to the suspicious tag.
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation: access is denied per security policy.
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration -> pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on the mitigated source
• FMC: Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
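The containment loop described on slides 58 to 62 (FMC publishes a file event, ISE applies an ANC quarantine, the endpoint's SGT changes and the NAD re-authorizes it), as an added Python example that is not part of the original deck or Cisco's code. The event and CoA message shapes, the tag names (Employee, Suspicious) and the SGT table are constructed simplifications, not the real pxGrid protocol or the ISE ANC API; only the six mitigation action names come from the slide:

```python
"""Simulated rapid threat containment: FMC detection -> pxGrid -> ISE ANC -> CoA.

Added example, not Cisco code. The event and CoA message shapes are a constructed
simplification of the exchange the slides describe, not the real pxGrid wire
protocol or the ISE ANC API; the tag names and the SGT policy table are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class MitigationAction(Enum):
    """The pxGrid remediation actions listed on the FMC slide."""
    QUARANTINE = "Quarantine"
    UN_QUARANTINE = "Un-Quarantine"
    PORT_BOUNCE = "Port Bounce"
    PORT_SHUTDOWN = "Port Shutdown"
    SESSION_REAUTH = "Session Re-Authenticate"
    SESSION_TERMINATE = "Session Terminate"


# Assumed SGT matrix: the Suspicious tag may only reach the remediation servers.
SGT_POLICY = {
    ("Employee", "Employee_Resources"): "permit",
    ("Employee", "Remediation"): "permit",
    ("Suspicious", "Employee_Resources"): "deny",
    ("Suspicious", "Remediation"): "permit",
}


@dataclass
class Session:
    """One authenticated endpoint session as ISE tracks it (constructed fields)."""
    mac: str
    ip: str
    nad: str            # the switch or WLC the endpoint is connected through
    user: str
    sgt: str = "Employee"
    anc_policy: Optional[str] = None


@dataclass
class Ise:
    sessions: Dict[str, Session]
    coa_log: List[str] = field(default_factory=list)

    def _session_by_ip(self, ip: str) -> Session:
        return next(s for s in self.sessions.values() if s.ip == ip)

    def apply_anc(self, ip: str, action: MitigationAction) -> Session:
        """Handle a partner mitigation request that arrived over pxGrid.

        Quarantine swaps the session's SGT and pushes a CoA so the NAD
        re-authorizes the endpoint with the new tag; the other actions only
        need a CoA to the NAD.
        """
        s = self._session_by_ip(ip)
        if action is MitigationAction.QUARANTINE:
            s.anc_policy, s.sgt = "Quarantine", "Suspicious"
            self.coa_log.append(f"CoA reauthenticate {s.mac} via {s.nad} -> SGT Suspicious")
        elif action is MitigationAction.UN_QUARANTINE:
            s.anc_policy, s.sgt = None, "Employee"
            self.coa_log.append(f"CoA reauthenticate {s.mac} via {s.nad} -> SGT Employee")
        elif action in (MitigationAction.PORT_SHUTDOWN, MitigationAction.SESSION_TERMINATE):
            self.coa_log.append(f"CoA disconnect {s.mac} via {s.nad} ({action.value})")
        else:
            self.coa_log.append(f"CoA reauthenticate {s.mac} via {s.nad} ({action.value})")
        return s

    def authorize(self, ip: str, destination_sgt: str) -> str:
        """Enforcement decision the network derives from the SGT matrix."""
        return SGT_POLICY.get((self._session_by_ip(ip).sgt, destination_sgt), "deny")


def fmc_file_event(src_ip: str, sha256: str, disposition: str) -> dict:
    """Constructed shape of a FireSIGHT file/malware event published to pxGrid."""
    return {"topic": "fmc/file-event", "src_ip": src_ip,
            "sha256": sha256, "disposition": disposition}


def containment_flow(ise: Ise, event: dict) -> List[str]:
    """Steps 2-5 of the slide: evaluate access before and after the partner alert."""
    ip = event["src_ip"]
    before = ise.authorize(ip, "Employee_Resources")
    if event["disposition"] == "Malware":
        ise.apply_anc(ip, MitigationAction.QUARANTINE)  # FMC asks ISE to contain
    after = ise.authorize(ip, "Employee_Resources")        # policy follows the new tag
    remediation = ise.authorize(ip, "Remediation")         # only remediation stays reachable
    return [before, after, remediation]


def build_demo_ise() -> Ise:
    """Constructed session table with one corporate user."""
    s = Session(mac="00:11:22:33:44:55", ip="10.1.1.50", nad="switch-01", user="alice")
    return Ise(sessions={s.mac: s})
```

Two things are worth taking from the model: the containment decision is made by the partner, but enforcement stays with ISE and the NAD (the tag change plus a CoA), and Un-Quarantine must be handled as deliberately as Quarantine, since a stale ANC policy leaves an endpoint on remediation-only access after the threat is gone.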
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Diagram zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration: simplify security management with role-based access control
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Diagram (TACACS+ Device Administration Support for ISE 2.0): the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets based on device type: Cisco IOS Switches, Airespace WLCs
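The device-administration practices on slides 65 to 68 (policy sets selected by Network Device Group, role-based command authorization with an audit trail), as an added Python model that is not the deck's or ISE's code. The NDG attributes (device type, location), the command-set syntax (ordered permit/deny rules with a regular expression over the command arguments) and the roles are assumptions; ISE's own command-set grammar differs in detail:

```python
"""Device administration the ISE 2.0 way, as a constructed Python model.

Added example, not Cisco code. It models policy-set selection by Network Device
Group (NDG) and TACACS+ command authorization with an audit log. The command-set
syntax (verdict, command, argument regex; first match wins) is an assumption
loosely modelled on ISE command sets, not a copy of the ISE grammar.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    device_type: str   # NDG "Device Type": "IOS Switch", "Airespace WLC", "ASA"
    location: str      # NDG "Location"


@dataclass
class CommandSet:
    """Ordered (verdict, command, argument regex) rules; first match wins."""
    rules: List[Tuple[str, str, str]]
    permit_unmatched: bool = False   # False gives an implicit deny, as for operators

    def evaluate(self, command: str, args: str) -> str:
        for verdict, cmd, arg_pattern in self.rules:
            if cmd == command and re.fullmatch(arg_pattern, args):
                return verdict
        return "permit" if self.permit_unmatched else "deny"


@dataclass
class PolicySet:
    name: str
    device_type: Optional[str] = None   # NDG condition; None matches any
    location: Optional[str] = None
    authorization: Dict[str, CommandSet] = field(default_factory=dict)  # role -> command set

    def matches(self, device: NetworkDevice) -> bool:
        return (self.device_type in (None, device.device_type)
                and self.location in (None, device.location))


# Constructed policy sets: the location-specific one must come first.
POLICY_SETS: List[PolicySet] = [
    PolicySet(
        name="IOS Switches - Datacenter", device_type="IOS Switch", location="Datacenter",
        authorization={
            "netops": CommandSet([("permit", "show", ".*"), ("deny", "configure", ".*")]),
            "netadmin": CommandSet([("deny", "write", "erase"), ("deny", "reload", ".*")],
                                   permit_unmatched=True),
        },
    ),
    PolicySet(
        name="IOS Switches", device_type="IOS Switch",
        authorization={
            "netops": CommandSet([("permit", "show", ".*"),
                                  ("permit", "configure", "terminal"),
                                  ("permit", "interface", "GigabitEthernet.*"),
                                  ("permit", "shutdown", ""),
                                  ("permit", "no", "shutdown")]),
            "netadmin": CommandSet([], permit_unmatched=True),
        },
    ),
    PolicySet(
        name="Airespace WLCs", device_type="Airespace WLC",
        authorization={"netops": CommandSet([("permit", "show", ".*")])},
    ),
]

AUDIT_LOG: List[str] = []


def select_policy_set(device: NetworkDevice) -> Optional[PolicySet]:
    """First matching policy set wins, so more specific NDG conditions go first."""
    return next((ps for ps in POLICY_SETS if ps.matches(device)), None)


def authorize_command(user: str, role: str, device: NetworkDevice, line: str) -> str:
    """TACACS+ command authorization: one verdict per command, every decision logged."""
    command, _, args = line.strip().partition(" ")
    policy_set = select_policy_set(device)
    if policy_set is None or role not in policy_set.authorization:
        verdict = "deny"
    else:
        verdict = policy_set.authorization[role].evaluate(command, args)
    AUDIT_LOG.append(f"user={user} role={role} device={device.name} "
                     f"policy_set={policy_set.name if policy_set else '-'} cmd={line!r} {verdict}")
    return verdict
```

Policy sets are evaluated in order, so the location-specific set has to precede the generic device-type set or it is never reached; and a denied or unmatched command still produces an audit line, which is what makes command-level authorization useful for after-the-fact investigation.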
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row: Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." (Frost & Sullivan, 2014)
A CHAMPION in the Info-Tech Vendor Landscape for NAC (Info-Tech Research Group, 2014)
Slide 74
Live Demo
Slide 42
ISE Posture: Patch Management (Mac OS example)
Slide 43
Patch Management Remediation
• Remediation type: same as AV and AS remediation
• Operating System: only Windows is supported
• Vendor Name: the list is loaded from the OPSWAT update
• Remediation options: Enabled, Install missing patches, Activate patch management software GUI
• The product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Slide 44
Endpoint Compliance: Mobile Device Management integration
Posture compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Diagram (steps 1-4): register with ISE, allow Internet access; register with MDM, allow corporate access
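The MDM attributes and the two-stage access flow on slide 44, as an added Python example that is not Cisco's code. The attribute names follow the slide; the minimum OS versions, the "restricted" outcome for a device that is MDM-registered but fails a check, and the sample device records are assumptions:

```python
"""Constructed compliance evaluation over the MDM attributes the slide lists.

Added example, not Cisco code. Attribute names follow the slide (Manufacturer,
Model, IMEI, Serial Number, OS Version, PIN lock, jailbroken status); the
minimum OS versions, the "restricted" outcome for non-compliant devices and the
sample device records are assumptions for the example.
"""
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2' -> (10, 2), so that 10.2 sorts after 9.3 (a string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


# Assumed per-manufacturer minimum OS versions.
MIN_OS = {"Apple": parse_version("9.3"), "Samsung": parse_version("6.0")}


def compliance_findings(attrs: Dict[str, object]) -> List[str]:
    """Macro-level (MDM-registered, not jailbroken) then micro-level (PIN lock, OS version) checks."""
    if not attrs.get("MDMRegistered"):
        # Without an MDM record none of the other attributes can be trusted.
        return ["not registered with MDM"]
    findings = []
    if attrs.get("JailBroken"):
        findings.append("jailbroken/rooted")
    if not attrs.get("PinLockSet"):
        findings.append("no PIN lock")
    minimum = MIN_OS.get(str(attrs.get("Manufacturer")))
    if minimum and parse_version(str(attrs.get("OSVersion", "0"))) < minimum:
        findings.append("OS version below minimum")
    return findings


def authorize(attrs: Dict[str, object]) -> str:
    """Two-stage access from the slide: Internet-only after ISE registration, corporate
    access once the MDM reports the device compliant. 'restricted' is assumed here for
    devices that are registered but fail a check."""
    findings = compliance_findings(attrs)
    if not findings:
        return "corp-access"
    if findings == ["not registered with MDM"]:
        return "internet-only"
    return "restricted"


# Constructed sample device records as an MDM might return them to ISE.
SAMPLE_DEVICES: Dict[str, Dict[str, object]] = {
    "new-ipad": {"Manufacturer": "Apple", "Model": "iPad", "SerialNumber": "SN-PLACEHOLDER-1",
                 "OSVersion": "9.3", "MDMRegistered": False},
    "compliant-iphone": {"Manufacturer": "Apple", "Model": "iPhone", "IMEI": "IMEI-PLACEHOLDER-2",
                         "OSVersion": "10.2", "MDMRegistered": True, "PinLockSet": True,
                         "JailBroken": False},
    "old-iphone": {"Manufacturer": "Apple", "Model": "iPhone", "OSVersion": "9.2",
                   "MDMRegistered": True, "PinLockSet": True, "JailBroken": False},
    "rooted-android": {"Manufacturer": "Samsung", "Model": "Galaxy", "OSVersion": "6.0",
                       "MDMRegistered": True, "PinLockSet": False, "JailBroken": True},
}
```

The version parser is the part that bites in practice: an OS Version condition compared as a string puts 10.2 before 9.3 and silently marks current devices non-compliant.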
Slide 45
Streamline management using a single workspace: intuitive work center and access policy matrix with TrustSec's new user interface
Feature Highlight: the TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring.
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place.
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation.
Automate configuration of new SGT policies and authorization rules.
Capabilities
• New TrustSec administrator console and services
– TrustSec dashboard
– Matrix overhaul
– Automatic SGT creation
– ISE as SXP speaker/listener
• Revised UX
– Improved menu structure for ease of navigation
– Search capability within the GUI
• Enhanced reporting
– PDF print and local save reintroduced
– Improved filtering for live log and reports
TrustSec Work Center access policy matrix: source SGTs (rows) Guest, Contractor, Employee, Infected; destination SGTs (columns) Internet, Contractor Resources, HR Server, Employee Resources, Remediation; each cell holds Permit IP or Deny IP.
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL / FW rule (source -> destination)
Sources: NY, SF, LA, SJC (NY alone spans a list of /24 subnets, elided on the slide with …)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers; DC-RTP (VDI)
ACL for 3 source objects & 3 destination objects, then adding a source object (SJC) and a destination object (VDI):
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules.
Complex task, and the high OPEX continues.
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering (same sources NY, SF, LA, SJC; destinations DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) as Production Servers and DC-RTP (VDI) as VDI Servers)
Source SGTs: Employee (10), BYOD (200)
Destination SGTs: Production_Servers (50), VDI (201)
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization), e.g. the bank now estimates 6 global resources.
Clear ROI in OPEX
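The two OPEX slides side by side, as an added Python model that is not Cisco's code: the address-based ACL is generated from the site and destination lists on slide 46 (the subnet prefixes are constructed, since the slide elides them), and the six-line SGT policy from slide 47 is evaluated by tag. The same model also covers the slide 45 matrix, since a matrix cell is just a source/destination SGT pair:

```python
"""Address-based ACL maintenance versus SGT policy, as a constructed model.

Added example, not Cisco code. Sites, servers and services are the ones on the
OPEX slides; the subnet prefixes are constructed (the slide elides the real
ones), and the SGT policy table is the six-line policy from the low-OPEX slide.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed site prefixes.
SITE_SUBNETS: Dict[str, List[str]] = {
    "NY": ["10.234.0.0/24"],
    "SF": ["10.50.0.0/24"],
    "LA": ["10.60.0.0/24"],
    "SJC": ["10.70.0.0/24"],
}
# (destination object, service, verdict for employees) from the slides.
DESTINATIONS: List[Tuple[str, str, str]] = [
    ("SRV1", "HTTPS", "permit"),
    ("SAP1", "SQL", "deny"),
    ("SCM2", "SSH", "deny"),
    ("VDI", "RDP", "permit"),
]


def traditional_acl(sites: Dict[str, List[str]]) -> List[str]:
    """One line per (source prefix, destination, service): every new site or subnet adds four."""
    return [f"{verdict} {prefix} to {server} for {service}"
            for prefixes in sites.values()
            for prefix in prefixes
            for server, service, verdict in DESTINATIONS]


def traditional_decision(acl: List[str], src_ip: str, server: str, service: str) -> str:
    """First matching line wins; a source address the ACL never heard of is implicitly denied."""
    addr = ipaddress.ip_address(src_ip)
    for line in acl:
        verdict, prefix, _, dst, _, svc = line.split()
        if addr in ipaddress.ip_network(prefix) and dst == server and svc == service:
            return verdict
    return "deny"


def add_subnet(sites: Dict[str, List[str]], site: str, prefix: str) -> Dict[str, List[str]]:
    """Return a copy of the site table with one more prefix (a new floor, a new office)."""
    updated = {name: list(prefixes) for name, prefixes in sites.items()}
    updated.setdefault(site, []).append(prefix)
    return updated


# SGT policy from the low-OPEX slide; None as the service means any traffic.
SGT_POLICY: List[Tuple[str, str, Optional[str], str]] = [
    ("Employee", "Production_Servers", "HTTPS", "permit"),
    ("Employee", "Production_Servers", "SQL", "deny"),
    ("Employee", "Production_Servers", "SSH", "deny"),
    ("Employee", "VDI", "RDP", "permit"),
    ("BYOD", "Production_Servers", None, "deny"),
    ("BYOD", "VDI", "RDP", "permit"),
]
SGT_NUMBER = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
# Servers are classified by tag; their addresses never appear in the policy.
SERVER_SGT = {"SRV1": "Production_Servers", "SAP1": "Production_Servers",
              "SCM2": "Production_Servers", "VDI": "VDI"}


def sgt_decision(src_sgt: str, server: str, service: str) -> str:
    """The source tag travels with the user's session, so where they sit is irrelevant."""
    dst_sgt = SERVER_SGT[server]
    for src, dst, svc, verdict in SGT_POLICY:
        if src == src_sgt and dst == dst_sgt and svc in (None, service):
            return verdict
    return "deny"  # implicit deny at the end of the matrix


def rule_counts(sites: Dict[str, List[str]]) -> Tuple[int, int]:
    """(traditional ACL lines, SGT policy lines) expressing the same intent."""
    return len(traditional_acl(sites)), len(SGT_POLICY)
```

Counting rules shows the scaling difference the slides claim: every new site or subnet adds four ACL lines while the SGT policy is unchanged, and an employee connecting from a site the ACL never heard of is implicitly denied by address but correctly permitted by tag.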
Slide 48
Policy and segmentation
Simple segmentation with 2 VLANs; more policies using more VLANs (Voice, Data, Suppliers, Guest, Quarantine) at the Access Layer and Aggregation Layer
Every additional VLAN needs: VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
Slide 49
Segmentation with Security Groups
Retaining the initial VLAN/subnet design (Voice, Data, Suppliers, Guest, Quarantine at the Access Layer; Aggregation Layer; Data Center Firewall)
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Diagram: three sessions (Who: Guest / What: iPad / Where: Office; Who: Receptionist / What: iPad / Where: Office; Who: Doctor / What: Laptop / Where: Office) and three resources (Internet, Confidential Patient Records, Internal Employee Intranet)
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." (US-CERT)
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions:
  • Quarantine
  • Un-Quarantine
  • Port Bounce
  • Port Shutdown
  • Session Re-Authenticate
  • Session Terminate
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones in the diagram: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Role-based access control
Simplify security management with role-based access
TACACS+ Device Administration
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Benefits
Simplified, centralized device administration: Increase security, compliance and auditing for a full range of administration use cases
Flexible, granular control: Control and audit the configuration of network devices
Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Diagram: Security Admin Team and Network Admin Team each work in the TACACS+ Work Center
TACACS+ Device Administration Support for ISE 2.0
Device Admin Service is not enabled by default
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type:
Cisco IOS Switches
Airespace WLCs
Example: Wireless LAN Controllers
Example: Cisco IOS
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration:
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row – Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today”
– Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives”
– Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC – Info-Tech Research Group, 2014
Live Demo
Patch Management Remediation
• Remediation type – same as AV and AS remediation
• Operating System – Windows only supported
• Vendor Name – list is loaded from the OPSWAT update
• Remediation options:
  • Enabled
  • Install missing patches
  • Activate patch management software GUI
• Product list is updated according to the selected vendor and remediation option; a product can be selected only if it is supported for the related option
Endpoint Compliance: Mobile Device Management integration
Posture / Compliance assessment for mobile devices
Capabilities
• Allows for multi-vendor integration on the same ISE setup
• Macro- and micro-level compliance (PIN lock, jailbroken status)
• MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number)
• Device action from ISE and from the MyDevices Portal (Device Stolen, Wipe Corporate Data)
Diagram (steps 1 to 4): Register with ISE, Allow Internet Access; Register with MDM, Allow Corp Access; Internet
Streamline management using a single workspace
Intuitive work center and access policy matrix
Feature Highlight: The TrustSec Work Center provides an updated user experience and allows simplified and streamlined deployment, troubleshooting and monitoring
Capabilities
• New TrustSec administrator console and services
  – TrustSec dashboard
  – Matrix overhaul
  – Automatic SGT creation
  – ISE as SXP speaker / listener
• Revised UX
  – Improved menu structure for ease of navigation
  – Search capability within the GUI
• Enhanced reporting
  – PDF print and local save reintroduced
  – Improved filtering for live log and reports
Benefits
Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
Automate configuration of new SGT policies and authorization rules
With TrustSec's new user interface
TrustSec Work Center: Access policy matrix
Source SGTs (rows): Guest, Contractor, Employee, Infected
Destination SGTs (columns): Internet, Contractor Resources, HR Server, Employee Resources, Remediation
Each of the 20 cells holds either Permit IP or Deny IP (10 of each)
High OPEX Security Policy Maintenance
Traditional ACL / FW Rule: Source, Destination
Source objects: NY, SF, LA, SJC
NY 1023402410235024 10236024103102024103152024104111024 …
Destination objects: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers); DC-RTP (VDI)
Adding a destination object; adding a source object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules
Complex task and high OPEX continues
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Sources: NY, SF, LA, SJC (Employee, BYOD)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers); DC-RTP (VDI) (VDI Servers)
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
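As an added example (not code from the deck or from Cisco), the small Python simulator below contrasts the IP-object ACL model with the security-group policy model from the two slides above, and also shows the containment flow of the FMC/ISE slide: a host is re-tagged, the policy matrix is never edited. All subnets, server addresses, IP-to-SGT bindings and the Quarantine tag number are constructed; only the tag values Employee=10, BYOD=200, Production_Servers=50 and VDI=201 come from the slide.

```python
"""Added example, not Cisco's code: IP-object ACLs versus an SGT policy matrix.

Constructed for this example: all subnets, server addresses, IP-to-SGT bindings
and the Quarantine tag number. Employee=10, BYOD=200, Production_Servers=50 and
VDI=201 are the tag values shown on the slide.
"""
import ipaddress
from typing import Dict, List, Tuple

# --- Traditional model: intent is repeated for every source/destination object ---
SITES: Dict[str, List[str]] = {  # constructed site subnets (source objects)
    "NY": ["10.23.40.0/24", "10.23.50.0/24"],
    "SF": ["10.31.2.0/24"],
    "LA": ["10.41.11.0/24"],
    "SJC": ["10.52.7.0/24"],
}
SERVERS: Dict[str, str] = {  # constructed destination objects
    "SRV1": "172.16.1.10", "SAP1": "172.16.1.20",
    "SCM2": "172.16.2.30", "VDI": "172.16.3.40",
}
# Business intent from the slide: HTTPS to SRV1, no SQL to SAP1, no SSH to SCM2, RDP to VDI
INTENT: List[Tuple[str, str, str]] = [
    ("permit", "HTTPS", "SRV1"), ("deny", "SQL", "SAP1"),
    ("deny", "SSH", "SCM2"), ("permit", "RDP", "VDI"),
]


def expand_traditional_acl(sites=SITES, servers=SERVERS, intent=INTENT) -> List[str]:
    """One ACE per (source subnet x intent row): the 'High OPEX' list on the slide."""
    return [f"{action} {subnet} to {servers[dst]} eq {service}"
            for subnets in sites.values() for subnet in subnets
            for action, service, dst in intent]


def cost_of_new_site(new_subnet: str = "10.60.3.0/24") -> Tuple[int, int]:
    """Policy lines a new office adds in each model (constructed subnet)."""
    before = len(expand_traditional_acl())
    after = len(expand_traditional_acl(sites=dict(SITES, DEN=[new_subnet])))
    # The new office's users authenticate as Employee, so the SGT matrix is untouched.
    return after - before, 0


# --- TrustSec model: policy is keyed by (source SGT, destination SGT), not by address ---
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201, "Quarantine": 255}

# The six lines of the 'Low OPEX' slide plus a containment row (one entry per matrix cell)
SGT_POLICY: Dict[Tuple[int, int], List[Tuple[str, str]]] = {
    (10, 50): [("permit", "HTTPS"), ("deny", "SQL"), ("deny", "SSH")],
    (10, 201): [("permit", "RDP")],
    (200, 50): [("deny", "any")],
    (200, 201): [("permit", "RDP")],
    (255, 50): [("deny", "any")],   # quarantined hosts reach nothing
    (255, 201): [("deny", "any")],
}

# IP-to-SGT bindings as a switch would learn them from ISE/SXP; constructed here.
BINDINGS: List[Tuple[ipaddress.IPv4Network, int]] = [
    (ipaddress.ip_network("10.0.0.0/8"), SGT["Employee"]),
    (ipaddress.ip_network("10.99.0.0/16"), SGT["BYOD"]),  # more specific prefix wins
    (ipaddress.ip_network("172.16.1.0/24"), SGT["Production_Servers"]),
    (ipaddress.ip_network("172.16.2.0/24"), SGT["Production_Servers"]),
    (ipaddress.ip_network("172.16.3.0/24"), SGT["VDI"]),
]


def ip_to_sgt(ip: str, bindings=BINDINGS) -> int:
    """Longest-prefix match of an address to its tag; 0 means unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, tag) for net, tag in bindings if addr in net]
    return max(matches)[1] if matches else 0


def sgt_rule_count(policy=SGT_POLICY, only_slide: bool = True) -> int:
    """Number of policy lines; by default counts only the four cells from the slide."""
    cells = [k for k in policy if not only_slide or k[0] != SGT["Quarantine"]]
    return sum(len(policy[k]) for k in cells)


def sgt_decision(src_sgt: int, dst_sgt: int, service: str, policy=SGT_POLICY) -> str:
    """First matching entry in the matrix cell wins; an empty cell denies (example default)."""
    for action, svc in policy.get((src_sgt, dst_sgt), []):
        if svc in ("any", service):
            return action
    return "deny"


def evaluate_flow(src_ip: str, dst_ip: str, service: str, bindings=BINDINGS) -> str:
    """Classify both endpoints by tag, then consult the matrix; addresses never appear in policy."""
    return sgt_decision(ip_to_sgt(src_ip, bindings), ip_to_sgt(dst_ip, bindings), service)


def quarantine(ip: str, bindings=BINDINGS) -> List[Tuple[ipaddress.IPv4Network, int]]:
    """ANC-style containment: a /32 binding re-tags one host; the policy matrix is not edited."""
    return bindings + [(ipaddress.ip_network(f"{ip}/32"), SGT["Quarantine"])]


if __name__ == "__main__":
    print(len(expand_traditional_acl()), "traditional ACEs vs", sgt_rule_count(), "SGT lines")
    print("before:", evaluate_flow("10.23.40.5", "172.16.1.10", "HTTPS"))
    print("after: ", evaluate_flow("10.23.40.5", "172.16.1.10", "HTTPS", quarantine("10.23.40.5")))
    print("new site adds (ACEs, SGT lines):", cost_of_new_site())
```

The four-site, four-intent setup already needs 20 ACEs against the slide's 6 SGT lines, and each added office adds another 4 ACEs while the matrix stays the same.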
Policy and segmentation
VLANs: Voice, Data, Suppliers, Guest, Quarantine
Access Layer / Aggregation Layer
Per VLAN: Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies using more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high
Data Center Firewall
Segmentation with Security Group
Voice, Data, Suppliers, Guest, Quarantine
Retaining initial VLAN/Subnet design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet / Confidential Patient Records / Internal Employee Intranet
Who: Guest / What: iPad / Where: Office
Who: Receptionist / What: iPad / Where: Office
Who: Doctor / What: Laptop / Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network”
– US-CERT
Flexible and Scalable Policy Enforcement with TrustSec
Traditional Security Policy: a long, IP-address-based access-list (one access-list 102 entry per source/destination/port combination)
TrustSec Security Policy: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Software-defined segmentation
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
ISE is the cornerstone of your Cisco solutions
ISE: Who, What, Where, When, How
BEFORE, DURING, AFTER
Cisco solutions: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
And easily integrates with partner solutions
ISE pxGrid controller: Who, What, Where, When, How
Cisco Meraki
Partner solution categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
Context: When, Where, Who, How, What
Cisco and Partner Ecosystem / ISE / Cisco Network / pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
44copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Endpoint Compliance Mobile Device Management integration
Posture Compliance assessment for Mobile devices
bull Allows for multi-vendor integration on the same ISE setup
bull Macro and Micro-level compliance (Pin Lock Jailbroken status)
bull MDM attributes available for policy conditions (Manufacturer Model IMEI Serial Number OS Version Phone Number)
bull Device action from ISE and from MyDevices Portal (Device Stolen Wipe Corporate data)
Capabilities
Internet
4
1 2
3
Register with ISEAllow Internet Access
Register with MDMAllow Corp Access
45copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Streamline management using a single workspace
bull New TrustSec administrator console and servicesndash TrustSec dashboardndash Matrix overhaulndash Automatic SGT creationndash ISE as SXP speaker listener
bull Revised UXndash Improved menu structure for ease of navigationndash Search capability within the GUI
bull Enhanced reportingndash PDF print and local save reintroducedndash Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature HighlightThe TrustSec Work Center provides an updated user experience allows simplified and streamlined deployment troubleshooting and monitoring
Benefits
Simplify managementwith a dedicated work centers allowing you to visualize comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases including user-to-datacenter access control
and user-to-user segmentation
With TrustSecrsquos new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix
Guest
Contractor
Employee
Infected
Source
Destination
Internet Contractor Resources
HR ServerEmployeeResources
Remediation
Permit IP
Permit IP
Permit IP Permit IP Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Deny IP Deny IP Deny IP
Deny IP
Deny IP
Deny IP
Deny IP
Deny IPDeny IPDeny IP
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule: Source → Destination
Sources: NY, SF, LA (then adding source object: SJC)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers (then adding destination object: DC-RTP (VDI))
NY subnets: 1023402410235024 10236024103102024103152024104111024 … (address list garbled in extraction)
ACL for 3 source objects & 3 destination objects, after adding a source object and a destination object:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to manage firewall rules.
Complex task, and the high OPEX continues.
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Sources: NY, SF, LA, SJC (Employee, BYOD)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) = Production Servers; DC-RTP (VDI) = VDI Servers
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Policy stays with users and servers regardless of location or topology.
Simpler auditing process (low OPEX cost); simpler security operation (resource optimization)
(e.g. the bank now estimates 6 global resources)
Clear ROI in OPEX
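The two slides above state the OPEX argument; the following Python, added here as an example and not part of the Cisco deck, makes it concrete. It evaluates the six-line SGT policy shown above purely from tags and ports, then renders the same intent as a traditional IP ACL to show how the line count grows with every added site while the SGT policy does not. The tag values, policy lines and site/server names come from the slides; the subnets, server addresses, the reading of "SQL" as tcp/1433 and the implicit-deny default are assumptions of the example.

```python
"""Same intent, two renderings: a tag-based SGACL versus an IP-based ACL.
Added example; subnets, server addresses, the SQL port and the implicit
deny are constructed assumptions, not taken from the deck."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

# Security Group Tag values shown on the slide (group name -> tag).
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}

# Service ports; "SQL" is assumed to mean MS SQL on tcp/1433.
SERVICE_PORT = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # source security group
    dst: str                # destination security group
    service: Optional[str]  # None matches any service


# The six-line SGT policy from the slide; first match wins.
SGACL = [
    Rule("permit", "Employee", "Production_Servers", "HTTPS"),
    Rule("deny",   "Employee", "Production_Servers", "SQL"),
    Rule("deny",   "Employee", "Production_Servers", "SSH"),
    Rule("permit", "Employee", "VDI", "RDP"),
    Rule("deny",   "BYOD",     "Production_Servers", None),
    Rule("permit", "BYOD",     "VDI", "RDP"),
]


def sgt_decision(src_sgt: int, dst_sgt: int, port: int, policy=SGACL) -> str:
    """Decide a flow from its source/destination tags and port only.
    No address enters the decision, which is why the policy survives moves
    between sites. Unmatched flows fall to an implicit deny (assumed)."""
    for rule in policy:
        if SGT[rule.src] != src_sgt or SGT[rule.dst] != dst_sgt:
            continue
        if rule.service is None or SERVICE_PORT[rule.service] == port:
            return rule.action
    return "deny"


# Constructed topology: each site has an Employee subnet and a BYOD subnet;
# the slide's DC-MTV/DC-RTP hosts get made-up addresses.
SITES: Dict[str, Dict[str, IPv4Network]] = {
    "NY":  {"Employee": IPv4Network("10.234.0.0/24"), "BYOD": IPv4Network("10.234.100.0/24")},
    "SF":  {"Employee": IPv4Network("10.235.0.0/24"), "BYOD": IPv4Network("10.235.100.0/24")},
    "LA":  {"Employee": IPv4Network("10.236.0.0/24"), "BYOD": IPv4Network("10.236.100.0/24")},
    "SJC": {"Employee": IPv4Network("10.237.0.0/24"), "BYOD": IPv4Network("10.237.100.0/24")},
}
SERVERS: Dict[str, Tuple[str, str]] = {  # host -> (address, security group)
    "SRV1": ("10.1.1.10", "Production_Servers"),  # DC-MTV
    "SAP1": ("10.1.1.11", "Production_Servers"),  # DC-MTV
    "SCM2": ("10.2.1.20", "Production_Servers"),  # DC-RTP
    "VDI":  ("10.2.1.30", "VDI"),                 # DC-RTP
}


def expand_to_ip_acl(sites=SITES, servers=SERVERS, policy=SGACL) -> List[str]:
    """Render the same intent as a traditional ACL: one line for every
    (source subnet, destination host) pair a rule covers, so the ACL grows
    multiplicatively with sites and servers while the SGACL stays fixed."""
    lines = []
    for site in sites.values():
        for group, net in site.items():
            for addr, server_group in servers.values():
                for rule in policy:
                    if rule.src != group or rule.dst != server_group:
                        continue
                    if rule.service is None:
                        match = f"ip {net.network_address} {net.hostmask} host {addr}"
                    else:
                        port = SERVICE_PORT[rule.service]
                        match = f"tcp {net.network_address} {net.hostmask} host {addr} eq {port}"
                    lines.append(f"access-list 102 {rule.action} {match}")
    return lines


def line_counts(extra_sites: int = 0) -> Tuple[int, int]:
    """(IP ACL lines, SGACL lines) after opening `extra_sites` new offices."""
    sites = dict(SITES)
    for i in range(extra_sites):
        sites[f"SITE{i}"] = {"Employee": IPv4Network(f"10.{240 + i}.0.0/24"),
                             "BYOD": IPv4Network(f"10.{240 + i}.100.0/24")}
    return len(expand_to_ip_acl(sites)), len(SGACL)


if __name__ == "__main__":
    print(sgt_decision(SGT["Employee"], SGT["Production_Servers"], 443))  # permit
    print(sgt_decision(SGT["BYOD"], SGT["Production_Servers"], 443))      # deny
    for n in (0, 1, 4):
        ip_lines, sgt_lines = line_counts(n)
        print(f"+{n} sites: IP ACL={ip_lines} lines, SGACL={sgt_lines} lines")
```

With four sites the expansion already needs 56 ACL lines for six lines of intent, and each new office adds 14 more; the SGT policy is unchanged because a new office only means new endpoints being classified into the existing tags.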
Policy and segmentation
VLANs: Voice, Data, Suppliers, Guest, Quarantine
Access Layer / Aggregation Layer
Per VLAN: Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple segmentation with 2 VLANs; more policies require more VLANs.
The design needs to be replicated for floors, buildings, offices and other facilities; the cost could be extremely high.
Segmentation with Security Groups
Data Center Firewall
VLANs retained: Voice, Data, Suppliers, Guest, Quarantine (retaining the initial VLAN/subnet design)
Tags: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Access Layer / Aggregation Layer
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Resources: Internet, Confidential Patient Records, Internal Employee Intranet
Who: Guest, What: iPad, Where: Office
Who: Receptionist, What: iPad, Where: Office
Who: Doctor, What: Laptop, Where: Office
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network”
- US-CERT
[Slide illustration: a traditional security policy shown as a wall of dozens of "access-list 102 permit|deny udp|tcp|icmp|ip <source> <wildcard> lt|gt|eq <port> <destination> <wildcard> lt|gt|eq <port>" entries; the addresses and wildcard masks lost their dots in extraction and are not reproduced]
Traditional Security Policy vs. TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation with TrustSec
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
Who, What, Where, When, How
BEFORE, DURING, AFTER
And easily integrates with partner solutions
Who, What, Where, When, How
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGrid controller
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility and detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
Who: Doctor, What: Laptop, Where: Office
Who: Doctor, What: iPad, Where: Office
Who: Guest, What: iPad, Where: Office
Identity Services Engine → WSA → Confidential Patient Records / Employee Intranet
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
FMC detects a suspicious file and alerts ISE over pxGrid; ISE changes the endpoint's Security Group Tag (SGT) to a suspicious tag.
The device is contained for remediation or mitigation; access is denied per security policy.
Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy.
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow: a corporate user downloads a file; FMC scans the user activity and the downloaded file; based on the new tag, ISE automatically enforces policy on the network.
FireSIGHT Management Center: registered FMC pxGrid client
• Administration → pxGrid Services
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• Policies → Actions → Remediations → Modules → pxGrid remediation
• Mitigation Actions
  – Quarantine
  – Un-Quarantine
  – Port Bounce
  – Port Shutdown
  – Session Re-Authenticate
  – Session Terminate
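The pxGrid loop (collect, share, detect, contain, refine) and the FMC containment flow described above, worked through in Python as an added example; this is not Cisco or pxGrid code. An in-process publish/subscribe bus stands in for the pxGrid controller, one class for ISE and one for an FMC with a pxGrid remediation module. The topic names, message fields, file-hash verdicts, addresses and the egress matrix are constructed for the example; the mitigation action names are the ones listed above, and the "Infected" tag is the one from the access policy matrix earlier in the deck.

```python
"""Simulated pxGrid-style context sharing with rapid threat containment.
Added example, not Cisco or pxGrid code: topics, message fields, hashes,
addresses and the egress matrix are constructed here."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    ip: str
    user: str
    device: str
    location: str
    sgt: str  # security group name; ISE changes it when ANC quarantines


class PxGridBus:
    """Stand-in for the pxGrid controller: topic-based publish/subscribe."""

    def __init__(self):
        self._subs = defaultdict(list)
        self.log = []  # (topic, message) in publish order, kept for audit

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, msg):
        self.log.append((topic, dict(msg)))
        for handler in list(self._subs[topic]):
            handler(msg)


# Constructed egress matrix: (source SGT, destination) -> action. Pairs not
# listed are denied, so an "Infected" endpoint reaches only Remediation.
MATRIX = {
    ("Employee", "Internet"): "permit",
    ("Employee", "HR Server"): "permit",
    ("Employee", "Employee Resources"): "permit",
    ("Employee", "Remediation"): "permit",
    ("Infected", "Remediation"): "permit",
}

# ANC mitigation actions offered by the pxGrid remediation module (from the deck).
MITIGATIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
               "Session Re-Authenticate", "Session Terminate"}


class ISE:
    def __init__(self, bus):
        self.bus = bus
        self.sessions = {}      # ip -> Session
        self.original_sgt = {}  # ip -> tag assigned at authentication
        self.coa_sent = []      # (ip, action): simulated CoA messages to the NAD
        bus.subscribe("anc", self.handle_anc)  # step 4: partners direct containment

    def _share(self, s):
        """Step 2: publish the session's context for subscribed partners."""
        self.bus.publish("session", {"ip": s.ip, "user": s.user, "device": s.device,
                                     "location": s.location, "sgt": s.sgt})

    def authenticate(self, session):
        """Step 1: collect context at authentication time, then share it."""
        self.sessions[session.ip] = session
        self.original_sgt[session.ip] = session.sgt
        self._share(session)

    def handle_anc(self, req):
        """Apply a partner's ANC request and push a CoA so the NAD re-evaluates."""
        action = req["action"]
        if action not in MITIGATIONS:
            raise ValueError(f"unknown ANC action {action!r}")
        session = self.sessions.get(req["ip"])
        if session is None:
            return  # endpoint already left the network; nothing to contain
        if action == "Quarantine":
            session.sgt = "Infected"  # step 5: context updated, policy refined
        elif action == "Un-Quarantine":
            session.sgt = self.original_sgt[req["ip"]]
        # Port and session actions need only the CoA; the tag stays as it is.
        self.coa_sent.append((req["ip"], action))
        self._share(session)

    def decision(self, ip, destination):
        """Enforcement-point view after the CoA: current tag looked up in the matrix."""
        return MATRIX.get((self.sessions[ip].sgt, destination), "deny")


class FMC:
    """Partner stand-in: consumes session context, publishes ANC requests."""

    def __init__(self, bus, verdicts):
        self.bus = bus
        self.verdicts = verdicts  # sha256 -> "malicious" (constructed verdicts)
        self.context = {}         # ip -> latest session message seen
        bus.subscribe("session", lambda msg: self.context.__setitem__(msg["ip"], msg))

    def inspect_download(self, ip, sha256):
        """Step 3: a file verdict joined with ISE context becomes a containment request."""
        if self.verdicts.get(sha256) != "malicious":
            return "clean"
        who = self.context.get(ip, {}).get("user", "unknown")
        self.bus.publish("anc", {"ip": ip, "action": "Quarantine",
                                 "reason": f"malicious file downloaded by {who}"})
        return "contained"


MALICIOUS_SHA256 = "c0ffee" * 10 + "abcd"  # constructed placeholder, not a real IoC


def run_scenario():
    """The deck's flow end to end; returns what an auditor would check."""
    bus = PxGridBus()
    ise, fmc = ISE(bus), FMC(bus, {MALICIOUS_SHA256: "malicious"})
    alice = Session("10.0.0.5", "alice", "Laptop", "Office", "Employee")
    ise.authenticate(alice)
    before = ise.decision(alice.ip, "HR Server")
    verdict = fmc.inspect_download(alice.ip, MALICIOUS_SHA256)
    return {"before": before, "verdict": verdict,
            "after": ise.decision(alice.ip, "HR Server"),
            "remediation": ise.decision(alice.ip, "Remediation"),
            "sgt": alice.sgt, "coa": list(ise.coa_sent),
            "reason": next(m["reason"] for t, m in bus.log if t == "anc")}
```

The bus log doubles as the audit trail: every context publication and every containment request is recorded in order, which is what an analyst would reconstruct after an automated quarantine to confirm that the right session was acted on and why.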
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
TACACS+ Device Administration
Role-based access control
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access-Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Security Admin Team → TACACS+ Work Center ← Network Admin Team
TACACS+ Device Administration support for ISE 2.0
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different policy sets for security appliances than for routers
• Different policy sets for ASA
• Differentiate based on the location of the device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Example Wireless LAN Controllers
Example Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information, refer to the Cisco Compatibility Matrix.
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles “from scratch” or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don’t just take it from us
Recognized as a LEADER four years in a row
- Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today”
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives”
- Frost & Sullivan, 2014
A CHAMPION in the Info-Tech Vendor Landscape for NAC
- Info-Tech Research Group, 2014
Live Demo
45copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Streamline management using a single workspace
bull New TrustSec administrator console and servicesndash TrustSec dashboardndash Matrix overhaulndash Automatic SGT creationndash ISE as SXP speaker listener
bull Revised UXndash Improved menu structure for ease of navigationndash Search capability within the GUI
bull Enhanced reportingndash PDF print and local save reintroducedndash Improved filtering for live log and reports
Capabilities
Intuitive work center and access policy matrix
Feature HighlightThe TrustSec Work Center provides an updated user experience allows simplified and streamlined deployment troubleshooting and monitoring
Benefits
Simplify managementwith a dedicated work centers allowing you to visualize comprehend and manage policy in a single place
Enable TrustSec rapidly for initial use cases including user-to-datacenter access control
and user-to-user segmentation
With TrustSecrsquos new user interface
Automate configuration of new SGT policies and authorization rules
TrustSec Work Center
Access policy matrix
Guest
Contractor
Employee
Infected
Source
Destination
Internet Contractor Resources
HR ServerEmployeeResources
Remediation
Permit IP
Permit IP
Permit IP Permit IP Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Permit IP
Deny IP Deny IP Deny IP
Deny IP
Deny IP
Deny IP
Deny IP
Deny IPDeny IPDeny IP
46copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
High OPEX Security Policy Maintenance
Adding destination Object
Adding source Object
ACL for 3 source objects amp 3 destination objects
permit NY to SRV1 for HTTPSdeny NY to SAP2 for SQLdeny NY to SCM2 for SSHpermit SF to SRV1 for HTTPSdeny SF to SAP1 for SQLdeny SF to SCM2 for SSHpermit LA to SRV1 for HTTPSdeny LA to SAP1 for SQLdeny LA to SAP for SSHPermit SJC to SRV1 for HTTPSdeny SJC to SAP1 for SQLdeny SJC to SCM2 for SSHpermit NY to VDI for RDPdeny SF to VDI for RDPdeny LA to VDI for RDPdeny SJC to VDI for RDP
A Global Bank dedicated 24 global resourcesto manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACLFW RuleSource Destination
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
NY1023402410235024 10236024103102024103152024104111024 hellipSJC DC-RTP (VDI)
ProductionServers
47copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Low OPEX Security Policy Maintenance
Permit Employee to Production_Servers eq HTTPSDeny Employee to Production_Servers eq SQLDeny Employee to Production_Servers eq SSHPermit Employee to VDI eq RDPDeny BYOD to Production_ServersPermit BYOD to VDI eq RDP
Security GroupFiltering
NYSFLA
DC-MTV (SRV1)DC-MTV (SAP1)DC-RTP (SCM2)
SJC DC-RTP (VDI)
ProductionServers
VDI ServersBYOD
Employee
Source SGTEmployee (10)
BYOD (200)
Destination SGTProduction_Servers (50)
VDI (201)Policy Stays with Users Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)Simpler Security Operation (Resource Optimization)
(eg Bank now estimates 6 global resources)
Clear ROI in OPEX
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
49copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Data Center Firewall
Segmentation with Security group
Voice Data Suppliers Guest Quarantine
Retaining initial VLANSubnet Design
Regardless of topology or location policy (Security Group Tag) stays with users devices and servers Access Layer
Data TagSupplier TagGuest TagQuarantine Tag
Aggregation Layer
50copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who Guest
What iPad
Where Office
Who Receptionist
What iPad
Where Office
Who Doctor
What Laptop
Where Office
51copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ldquoEffective network segmentationhellip restricts communication between
networks and reduces the extent to which an adversary can move across
the networkrdquo
US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
[Slide graphic: a long traditional IP access list (access-list 102) made of hundreds of permit and deny entries, each bound to specific source and destination addresses, wildcard masks and port ranges]
Traditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Software-defined segmentation with TrustSec
Slide 53 (© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
Slide 56
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
Who, What, Where, When, How
BEFORE, DURING, AFTER
Slide 57
And easily integrates with partner solutions
Who, What, Where, When, How
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Cisco Network, ISE, pxGrid controller, Cisco and Partner Ecosystem
1. ISE collects contextual data from network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid: With Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance Web access policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: Identity Services Engine and WSA; users Who: Doctor, What: Laptop, Where: Office / Who: Doctor, What: iPad, Where: Office / Who: Guest, What: iPad, Where: Office; resources Confidential Patient Records and Employee Intranet
Slide 60
Protect automatically with rapid threat containment: With Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow:
1. Corporate user downloads file
2. FMC scans the user activity and downloaded file
3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
Slide 61
• Administration -> pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
Slide 62
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions:
• Quarantine
• Un-Quarantine
• Port Bounce
• Port Shutdown
• Session Re-Authenticate
• Session Terminate
Slide 63
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
Slide 64
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration: Role-based access control
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
Simplified centralized device administration: Increase security, compliance and auditing for a full range of administration use cases.
Flexible granular control: Control and audit the configuration of network devices.
Holistic centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
TACACS+ Device Administration Support for ISE 2.0
Security Admin Team: TACACS+ Work Center
Network Admin Team: TACACS+ Work Center
Slide 66
Device Admin Service is not Enabled by Default
Slide 67
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of Device
USE NDG'S
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
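The device-type policy sets, command-level authorization and audit logging described on the TACACS+ slides above, as an added Python example (not ISE code): a NAD is matched to a policy set by its NDG device type (and optionally location), an authorization rule is chosen by identity group, and each command is checked against a command set with deny-over-permit semantics while an audit line is recorded. All device names, groups, privilege levels and command patterns are constructed for the example.

```python
"""TACACS+ device administration with policy sets keyed to network device
groups (NDGs), as on the "Use Policy Sets Based on Device Type" slides.

Added example, not ISE code. Device names, NDG values, AD group names,
command sets and the audit-line format are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    ip: str
    device_type: str   # NDG "Device Type": "Cisco IOS" or "AireSpace WLC" (slide wording)
    location: str      # NDG "Location": the other axis the best-practice slide names


@dataclass
class CommandSet:
    name: str
    permit: List[str]                       # regexes over the whole command line
    deny: List[str] = field(default_factory=list)

    def allows(self, command: str) -> bool:
        """Deny patterns win over permit patterns; anything unmatched is denied."""
        if any(re.fullmatch(p, command) for p in self.deny):
            return False
        return any(re.fullmatch(p, command) for p in self.permit)


@dataclass
class AuthzRule:
    ad_group: str          # identity group the admin must belong to
    command_set: CommandSet
    privilege: int         # shell profile: privilege level handed to the device


@dataclass
class PolicySet:
    name: str
    device_type: str                 # matched against the NAD's NDG
    rules: List[AuthzRule]
    location: Optional[str] = None   # None = any location


# Constructed policy sets, one per device type as the best-practice slide recommends.
IOS_SHOW_ONLY = CommandSet("IOS-ReadOnly", permit=[r"show .*", r"ping .*"])
IOS_FULL = CommandSet("IOS-Full", permit=[r".*"], deny=[r"reload.*", r"write erase.*"])
WLC_READ_ONLY = CommandSet("WLC-ReadOnly", permit=[r"show .*"])

POLICY_SETS = [
    PolicySet("Cisco IOS Switches", "Cisco IOS", [
        AuthzRule("NetAdmins", IOS_FULL, 15),
        AuthzRule("Helpdesk", IOS_SHOW_ONLY, 1),
    ]),
    PolicySet("Airespace WLCs", "AireSpace WLC", [
        AuthzRule("WirelessAdmins", WLC_READ_ONLY, 15),
    ]),
]


def select_policy_set(nad: NetworkDevice) -> Optional[PolicySet]:
    """Policy sets are tried top-down; the first whose NDG conditions match the NAD wins."""
    for ps in POLICY_SETS:
        if ps.device_type == nad.device_type and ps.location in (None, nad.location):
            return ps
    return None


def authorize(nad: NetworkDevice, user: str, groups: List[str],
              command: str, log: List[str]) -> bool:
    """Per-command TACACS+ authorization; every decision is appended to `log` for audit."""
    ps = select_policy_set(nad)
    if ps is None:
        log.append(f"DENY user={user} nad={nad.name} reason=no-policy-set")
        return False
    for rule in ps.rules:                       # first matching authorization rule wins
        if rule.ad_group in groups:
            ok = rule.command_set.allows(command)
            log.append(f"{'PERMIT' if ok else 'DENY'} user={user} nad={nad.name} "
                       f"policyset={ps.name!r} cmdset={rule.command_set.name} "
                       f"priv={rule.privilege} cmd={command!r}")
            return ok
    log.append(f"DENY user={user} nad={nad.name} reason=no-authz-rule")
    return False


if __name__ == "__main__":
    audit: List[str] = []
    sw = NetworkDevice("sw-ny-1", "10.234.0.2", "Cisco IOS", "NY")
    authorize(sw, "alice", ["NetAdmins"], "reload", audit)
    authorize(sw, "bob", ["Helpdesk"], "show running-config", audit)
    print("\n".join(audit))
```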
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: Realize additional value from your existing infrastructure.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration:
ISE 1.0: 802.1X
New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information, refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today."
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 46
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule: Source -> Destination
Source: NY, SF, LA, SJC (NY: 10.234.0/24, 10.235.0/24, 10.236.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, …)
Destination: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) (Production Servers)
Adding source Object
Adding destination Object
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A Global Bank dedicated 24 global resources to manage Firewall rules currently
Complex Task and High OPEX continues
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Sources: NY, SF, LA, SJC (Employee and BYOD)
Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers); DC-RTP (VDI) (VDI Servers)
Policy stays with users and servers regardless of location or topology
Simpler Auditing Process (Low OPEX Cost)
Simpler Security Operation (Resource Optimization)
(e.g., Bank now estimates 6 global resources)
Clear ROI in OPEX
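The security-group policy on this slide and the pxGrid-driven quarantine on the FireSIGHT/ISE rapid-threat-containment slide, as an added Python example (not Cisco code): flows are evaluated by source and destination SGT instead of IP address, so a new site adds no rules, and an endpoint flagged over pxGrid is moved to an assumed Quarantine tag so the same matrix denies it. The port numbers, IP addresses, the Quarantine tag value (255) and the default-deny behaviour are constructed assumptions; the slide states none of them.

```python
"""Security-group (SGT) policy evaluation with an ANC-style quarantine step.

Added example, not Cisco code. The six rules are the ones on the Low OPEX
slide; tag numbers for Employee/BYOD/Production_Servers/VDI are the slide's.
Quarantine (255), the service-to-port map, the sample sessions and the
default-deny behaviour are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# SGT values from the slide; Quarantine is an assumed value for the example.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201, "Quarantine": 255}

# Service names used on the slide mapped to TCP ports (assumed mapping).
PORTS = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src_sgt: int
    dst_sgt: int
    port: Optional[int]    # None = any port ("Deny BYOD to Production_Servers" has no "eq")


# Policy matrix in slide order: first match wins, then an assumed implicit deny.
POLICY = [
    Rule("permit", SGT["Employee"], SGT["Production_Servers"], PORTS["HTTPS"]),
    Rule("deny",   SGT["Employee"], SGT["Production_Servers"], PORTS["SQL"]),
    Rule("deny",   SGT["Employee"], SGT["Production_Servers"], PORTS["SSH"]),
    Rule("permit", SGT["Employee"], SGT["VDI"],                PORTS["RDP"]),
    Rule("deny",   SGT["BYOD"],     SGT["Production_Servers"], None),
    Rule("permit", SGT["BYOD"],     SGT["VDI"],                PORTS["RDP"]),
]


@dataclass
class SessionDirectory:
    """ISE's view of which tag each active endpoint or server currently carries."""
    tags: Dict[str, int] = field(default_factory=dict)   # ip -> sgt

    def tag_of(self, ip: str) -> int:
        return self.tags[ip]

    def quarantine(self, ip: str) -> int:
        """ANC-style action triggered over pxGrid: reassign the endpoint to the
        Quarantine tag. Returns the previous tag so the change can be audited."""
        old = self.tags[ip]
        self.tags[ip] = SGT["Quarantine"]
        return old


def evaluate(directory: SessionDirectory, src_ip: str, dst_ip: str, port: int) -> str:
    """Classify a flow by tag pair, not by address: first matching rule wins."""
    s, d = directory.tag_of(src_ip), directory.tag_of(dst_ip)
    for r in POLICY:
        if r.src_sgt == s and r.dst_sgt == d and (r.port is None or r.port == port):
            return r.action
    return "deny"   # assumed implicit default


def rule_count_traditional(sites: int, dest_objects: int) -> int:
    """Traditional ACL growth: one line per (site, destination) pair, as on the High OPEX slide."""
    return sites * dest_objects


def build_directory() -> SessionDirectory:
    # Constructed sample sessions: employees at two sites, one BYOD device, two servers.
    return SessionDirectory({
        "10.234.0.10": SGT["Employee"],            # NY laptop
        "10.4.111.20": SGT["Employee"],            # SJC laptop, different subnet
        "10.235.0.77": SGT["BYOD"],                # personal iPad
        "172.16.1.5":  SGT["Production_Servers"],  # SRV1
        "172.16.2.9":  SGT["VDI"],                 # VDI farm
    })


def demo() -> dict:
    d = build_directory()
    before = {
        "ny_https":   evaluate(d, "10.234.0.10", "172.16.1.5", PORTS["HTTPS"]),
        "sjc_https":  evaluate(d, "10.4.111.20", "172.16.1.5", PORTS["HTTPS"]),  # same verdict, no new rule
        "ny_sql":     evaluate(d, "10.234.0.10", "172.16.1.5", PORTS["SQL"]),
        "byod_rdp":   evaluate(d, "10.235.0.77", "172.16.2.9", PORTS["RDP"]),
        "byod_https": evaluate(d, "10.235.0.77", "172.16.1.5", PORTS["HTTPS"]),
    }
    # pxGrid alert from FMC: the NY laptop downloaded a suspicious file.
    d.quarantine("10.234.0.10")
    after = evaluate(d, "10.234.0.10", "172.16.1.5", PORTS["HTTPS"])
    return {"before": before, "after_quarantine": after,
            "acl_lines_4_sites": rule_count_traditional(4, 4), "sgacl_lines": len(POLICY)}


if __name__ == "__main__":
    print(demo())
```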
Slide 48
Policy and segmentation
Voice, Data, Suppliers, Guest, Quarantine
Access Layer
Aggregation Layer
VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple Segmentation with 2 VLANs; More Policies using more VLANs
Design needs to be replicated for floors, buildings, offices and other facilities. Cost could be extremely high.
Slide 49
Segmentation with Security Group
Data Center Firewall
Voice, Data, Suppliers, Guest, Quarantine
Retaining initial VLAN/Subnet Design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
Access Layer: Data Tag, Supplier Tag, Guest Tag, Quarantine Tag
Aggregation Layer
Slide 50
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who: Guest, What: iPad, Where: Office
Who: Receptionist, What: iPad, Where: Office
Who: Doctor, What: Laptop, Where: Office
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network"
- US-CERT
Slide 52
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
Slide 73
Don’t just take it from us
Recognized as a LEADER Four Years in a Row
- Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today.”
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.”
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC
- Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 47
Low OPEX Security Policy Maintenance
Security Group Filtering policy (source SGT to destination SGT):
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Permit BYOD to VDI eq RDP
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Figure: Employee and BYOD endpoints at NY, SF, LA and SJC reach Production Servers in DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2), and VDI Servers in DC-RTP (VDI).
Policy stays with users and servers regardless of location or topology.
Simpler Auditing Process (Low Opex Cost)
Simpler Security Operation (Resource Optimization) (e.g. a bank now estimates 6 global resources)
Clear ROI in OPEX
Slide 48
Policy and segmentation
Figure (traditional VLAN segmentation): Access Layer and Aggregation Layer with Voice, Data, Suppliers, Guest and Quarantine VLANs; per VLAN: Addressing, DHCP Scope, Redundancy, Routing, Static Filtering.
Simple Segmentation with 2 VLANs; more policies using more VLANs.
Design needs to be replicated for floors, buildings, offices and other facilities. Cost could be extremely high.
Slide 49
Segmentation with Security Group
Retaining initial VLAN/Subnet Design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers.
Figure: Data Center Firewall; Access Layer with Voice, Data, Suppliers, Guest and Quarantine carrying the Data Tag, Supplier Tag, Guest Tag and Quarantine Tag; Aggregation Layer.
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
Figure: three endpoints (Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office) and three resources (Internet, Confidential Patient Records, Internal Employee Intranet).
Slide 51
“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.”
- US-CERT
Slide 52
Flexible and Scalable Policy Enforcement with TrustSec software-defined segmentation
Traditional Security Policy (figure): a wall of several hundred address-based "access-list 102 permit/deny ..." entries, each naming source and destination addresses, wildcard masks and ports.
TrustSec Security Policy: Security Control Automation, Simplified Access Management, Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Slide 53
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
Figure: ISE (Who, What, Where, When, How) at the center, with Cisco solutions arranged BEFORE, DURING and AFTER: Netflow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services.
Slide 57
And easily integrates with partner solutions
Figure: ISE pxGrid controller (Who, What, Where, When, How) and Cisco Meraki, with partner categories SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB and Performance Management.
Slide 58
Cisco Platform Exchange Grid (pxGrid): Enable unified threat response by sharing contextual data
Figure: ISE and the pxGrid controller sit between the Cisco Network and the Cisco and Partner Ecosystem, exchanging Context (When, Where, Who, How, What).
1. ISE collects contextual data from network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device awareness
Feature Highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Benefits
• Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
• Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
• Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Figure: Identity Service Engine and WSA mediate three endpoints (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) against Confidential Patient Records and the Employee Intranet.
Slide 60
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: Leveraging ISE ANC to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Figure (containment flow): Corporate user downloads file. FMC scans the user activity and downloaded file. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious. Based on the new tag, ISE automatically enforces policy on the network. Device is contained for remediation or mitigation; access is denied per security policy.
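The security-group policy from the Low OPEX slide (slide 47) and the SGT-change containment flow on this slide, modelled together in Python as an added example that is neither Cisco's code nor from the deck: the six policy rows and the tag numbers are the slide's, while the Suspicious tag number, all addresses, endpoint names and the default-deny catch-all are assumptions.

```python
"""Model of TrustSec security-group (SGT) policy evaluation.

Added example, not Cisco code and not from the slide deck. The six policy rows
and the tag numbers (Employee 10, BYOD 200, Production_Servers 50, VDI 201) are
from the "Low OPEX Security Policy Maintenance" slide; the Suspicious tag number,
all IP addresses, endpoint names and the default-deny catch-all are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tag numbers from the slide; Suspicious (assumed 999) is the tag the FMC
# integration slide says a flagged endpoint is moved to.
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201,
       "Suspicious": 999}
# Destination ports behind the service names the slide uses with "eq".
SERVICE_PORTS = {"HTTPS": 443, "SQL": 1433, "SSH": 22, "RDP": 3389}


@dataclass(frozen=True)
class SgtRule:
    action: str             # "permit" or "deny"
    src: str                # source security group name
    dst: str                # destination security group name
    service: Optional[str]  # None matches any port ("Deny BYOD to Production_Servers")


# The slide's policy in order. First match wins; a flow matching no row is
# denied (assumed catch-all, like a trailing "deny ip" SGACL).
SGT_POLICY = [
    SgtRule("permit", "Employee", "Production_Servers", "HTTPS"),
    SgtRule("deny",   "Employee", "Production_Servers", "SQL"),
    SgtRule("deny",   "Employee", "Production_Servers", "SSH"),
    SgtRule("permit", "Employee", "VDI", "RDP"),
    SgtRule("deny",   "BYOD",     "Production_Servers", None),
    SgtRule("permit", "BYOD",     "VDI", "RDP"),
]

# The same intent as a traditional ACL: (action, src prefix, dst prefix, port).
# Constructed addressing: Employees on 10.1.0.0/16, DC-MTV servers on 10.50.0.0/24.
IP_ACL = [
    ("permit", "10.1.0.0/16", "10.50.0.0/24", 443),
    ("deny",   "10.1.0.0/16", "10.50.0.0/24", 1433),
    ("deny",   "10.1.0.0/16", "10.50.0.0/24", 22),
]


@dataclass
class Endpoint:
    name: str
    ip: str
    role: str   # ISE's classification (user role or server group), not an address


QUARANTINED = set()   # endpoint names a partner (here FMC) has asked ISE to contain


def classify(ep: Endpoint) -> int:
    """ISE's tag decision: role based, address independent, overridden by containment."""
    return SGT["Suspicious"] if ep.name in QUARANTINED else SGT[ep.role]


def evaluate_sgt(src_sgt: int, dst_sgt: int, dst_port: int) -> str:
    """Verdict for a flow identified only by its two tags and destination port."""
    for rule in SGT_POLICY:
        if SGT[rule.src] != src_sgt or SGT[rule.dst] != dst_sgt:
            continue
        if rule.service is None or SERVICE_PORTS[rule.service] == dst_port:
            return rule.action
    return "deny"


def evaluate_ip_acl(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Verdict from the address-based ACL; unmatched flows hit the implicit deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for action, src_net, dst_net, port in IP_ACL:
        if src in ip_network(src_net) and dst in ip_network(dst_net) and port == dst_port:
            return action
    return "deny"


def server_move_scenario() -> dict:
    """SAP1 is re-addressed when it moves from DC-MTV to DC-RTP: the tag verdict
    is unchanged, while the address ACL falls through to deny until rewritten."""
    alice = Endpoint("alice-laptop", "10.1.7.23", "Employee")
    sap1 = Endpoint("SAP1", "10.50.0.10", "Production_Servers")
    before = (evaluate_sgt(classify(alice), classify(sap1), 443),
              evaluate_ip_acl(alice.ip, sap1.ip, 443))
    sap1.ip = "10.60.0.10"                      # moved and re-addressed
    after = (evaluate_sgt(classify(alice), classify(sap1), 443),
             evaluate_ip_acl(alice.ip, sap1.ip, 443))
    return {"sgt": (before[0], after[0]), "acl": (before[1], after[1])}


def containment_scenario() -> dict:
    """Rapid threat containment: FMC flags a download on alice's laptop and has
    ISE retag it; the policy above already denies a Suspicious source everything."""
    alice = Endpoint("alice-laptop", "10.1.7.23", "Employee")
    sap1 = Endpoint("SAP1", "10.50.0.10", "Production_Servers")
    vdi = Endpoint("VDI1", "10.60.1.5", "VDI")
    before = evaluate_sgt(classify(alice), classify(sap1), 443)
    QUARANTINED.add(alice.name)                 # the "Quarantine" mitigation action
    during = (evaluate_sgt(classify(alice), classify(sap1), 443),
              evaluate_sgt(classify(alice), classify(vdi), 3389))
    QUARANTINED.discard(alice.name)             # "Un-Quarantine" after remediation
    after = evaluate_sgt(classify(alice), classify(sap1), 443)
    return {"before": before, "during": during, "after": after}
```

Note that no policy row is added for containment: retagging the endpoint is enough because the first-match/default-deny matrix already has no permit for a Suspicious source.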
Slide 61
FireSIGHT Management Center: Registered FMC pxGrid client
• Administration > pxGrid Services
Slide 62
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate source
• Policies > Actions > Remediations > Modules > pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: See how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: And make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Figure zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration Support for ISE 2.0
Simplify security management with role-based access
Feature Highlight: Customers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits
• Simplified, centralized device administration: Increase security compliance auditing for a full range of administration use cases
• Flexible, granular control: Control and audit the configuration of network devices
• Holistic, centralized visibility: Get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command level authorization with detailed logs for auditing
• Dedicated TACACS+ workcenter for network administrators
• Support for core ACS5 features
Figure: Security Admin Team and Network Admin Team each work in the TACACS+ Work Center.
Slide 66
Device Admin Service is not Enabled by Default
Slide 67
Some Device Admin Best Practices
• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of Device
USE NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
48copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Policy and segmentation
Voice Data Suppliers GuestQuarantine
Access Layer
Aggregation Layer
VLAN Addressing DHCP ScopeRedundancy Routing Static Filtering
Simple Segmentation with 2 VLANsMore Policies using more VLANs
Design needs to be replicated for floors buildings offices and other facilities Cost could be extremely high
49copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Data Center Firewall
Segmentation with Security group
Voice Data Suppliers Guest Quarantine
Retaining initial VLANSubnet Design
Regardless of topology or location policy (Security Group Tag) stays with users devices and servers Access Layer
Data TagSupplier TagGuest TagQuarantine Tag
Aggregation Layer
50copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enforce business role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic users and assets
Give the right people on the right devices the right access to the right resources with TrustSec
Internet
Confidential Patient Records
Internal Employee Intranet
Who Guest
What iPad
Where Office
Who Receptionist
What iPad
Where Office
Who Doctor
What Laptop
Where Office
51copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ldquoEffective network segmentationhellip restricts communication between
networks and reduces the extent to which an adversary can move across
the networkrdquo
US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self-Defending
24, Season 4
Slide 56
ISE is the cornerstone of your Cisco solutions
[Slide graphic: ISE at the centre, sharing Who / What / Where / When / How context across the attack continuum (BEFORE, DURING, AFTER) with NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA and FirePOWER Services]
Slide 57
And easily integrates with partner solutions
[Slide graphic: the ISE pxGrid controller shares Who / What / Where / When / How context with Cisco Meraki and with partner solutions in these categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management]
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
[Slide graphic: ISE and the pxGrid controller sit between the Cisco network and the Cisco and partner ecosystem, exchanging Who / What / Where / When / How context]
1. ISE collects contextual data from the network.
2. Context is shared via pxGrid technology.
3. Partners use context to improve visibility and detect threats.
4. Partners can direct ISE to rapidly contain threats.
5. ISE uses partner data to update context and refine access policy.
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify administration: a single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: create device-specific policies that allow or deny Web content access based on endpoint compliance.
Better visibility: detailed reporting to understand how, when and from what devices users access Web resources.
[Slide graphic: ISE shares session context with the WSA, which applies Web access policy per session (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) against Confidential Patient Records and the Employee Intranet]
Slide 60
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
[Slide graphic: containment flow]
1. A corporate user downloads a file.
2. FMC scans the user activity and the downloaded file.
3. FMC detects a suspicious file and alerts ISE using pxGrid, changing the Security Group Tag (SGT) to Suspicious.
4. Based on the new tag, ISE automatically enforces policy on the network.
5. The device is contained for remediation or mitigation; access is denied per security policy.
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• Administration -> pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on "mitigate Source"
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
[Slide graphic: data collected from the network feeds these components]
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
[Slide graphic: the network divided into segments: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE]
Slide 65
TACACS+ Device Administration: simplify security management with role-based access control
Feature Highlight: customers can now use Terminal Access Controller Access-Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases.
Flexible, granular control: control and audit the configuration of network devices.
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center.
[Slide graphic: the Security Admin Team and the Network Admin Team each work from a TACACS+ Work Center; TACACS+ Device Administration support is new in ISE 2.0]
Slide 66
The Device Admin (TACACS+) service is not enabled by default
Slide 67
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for Security Apps than for Routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
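As an added example (not code from the deck or from ISE), the Python model below applies the two practices on these slides: a policy set is selected by the device's Network Device Group (device type, with a location rule layered on top), and every command is authorized against that set and written to an audit record; the service object also starts disabled, as slide 66 notes. Roles, device groups and command sets are constructed.

```python
# Simulated TACACS+ command authorization with policy sets chosen by NDG.
# Added example, not Cisco code: roles, device groups and command sets are
# constructed to mirror the best-practice slide (one policy set per device
# type; location used to tighten a set further).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A command set is an ordered list of (permit|deny, regex) plus a default;
# the first matching rule wins, an unmatched command gets the default.
CommandSet = Tuple[List[Tuple[str, str]], str]

# Policy sets keyed by the NDG "Device Type" (constructed).
POLICY_SETS: Dict[str, Dict[str, CommandSet]] = {
    "Cisco IOS": {
        "NetworkAdmin": ([("permit", r".*")], "deny"),
        "HelpDesk": ([("deny", r"^(configure|reload|write|copy|clear)\b"),
                      ("permit", r"^(show|ping|traceroute)\b")], "deny"),
    },
    # AireOS has its own syntax ("config wlan ..."), so IOS rules are not reused.
    "Airespace WLC": {
        "NetworkAdmin": ([("permit", r".*")], "deny"),
        "HelpDesk": ([("permit", r"^show\b")], "deny"),
    },
    "ASA": {
        "SecurityAdmin": ([("permit", r".*")], "deny"),
        "NetworkAdmin": ([("permit", r"^show\b")], "deny"),
    },
}

# NDG "Location": rules checked before the role's own command set.
LOCATION_RULES: Dict[str, List[Tuple[str, str]]] = {
    "Branch": [("deny", r"^(reload|write erase|erase)\b")],
}


@dataclass(frozen=True)
class NetworkDevice:
    """A network access device with its NDG attributes."""
    name: str
    device_type: str  # NDG "Device Type"
    location: str     # NDG "Location"


class DeviceAdminService:
    """The ISE Device Admin (TACACS+) service; disabled by default (slide 66)."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self.audit: List[str] = []

    @staticmethod
    def _match(rules: List[Tuple[str, str]], command: str) -> Optional[Tuple[str, str]]:
        """Return the first (decision, pattern) whose regex matches the command."""
        for decision, pattern in rules:
            if re.match(pattern, command):
                return decision, pattern
        return None

    def authorize(self, user: str, role: str, device: NetworkDevice, command: str) -> bool:
        """Command-level authorization with an audit record for every decision."""
        decision, reason = "deny", "device admin service disabled"
        if self.enabled:
            policy_set = POLICY_SETS.get(device.device_type)
            if policy_set is None:
                reason = f"no policy set for device type {device.device_type!r}"
            elif role not in policy_set:
                reason = f"role {role!r} not in policy set {device.device_type!r}"
            else:
                rules, default = policy_set[role]
                hit = self._match(LOCATION_RULES.get(device.location, []) + rules, command)
                if hit is None:
                    decision, reason = default, "command set default"
                else:
                    decision, reason = hit[0], f"rule {hit[1]!r}"
        self.audit.append(
            f"user={user} role={role} device={device.name} ({device.device_type}, "
            f"{device.location}) cmd={command!r} result={decision.upper()} reason={reason}"
        )
        return decision == "permit"
```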
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors. Get the same great security across more devices.
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
Maximize value: realize additional value from your existing infrastructure.
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD.
For additional information refer to the Cisco Compatibility Matrix.
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 49
Segmentation with Security Groups while retaining the initial VLAN/subnet design
Regardless of topology or location, policy (the Security Group Tag) stays with users, devices and servers.
[Slide graphic: Access Layer and Aggregation Layer up to the Data Center Firewall; security groups Voice, Data, Suppliers, Guest and Quarantine carry the Data Tag, Supplier Tag, Guest Tag and Quarantine Tag]
Slide 50
Give the right people on the right devices the right access to the right resources with TrustSec
Enforce business-role policies for all network services and decisions
Define security groups and access policies based on business roles
Implement granular control on traffic, users and assets
[Slide graphic: three office sessions (Who: Guest, What: iPad; Who: Receptionist, What: iPad; Who: Doctor, What: Laptop; Where: Office for all three) mapped to three resources: Internet, Confidential Patient Records, Internal Employee Intranet]
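As an added example (not code from the deck or from Cisco), the Python model below expresses the role-based TrustSec policy on this slide as a security-group matrix and walks the FMC/pxGrid containment flow from slide 60: a flagged download re-tags the endpoint to Quarantine and the enforcement decision changes without touching any address-based ACL. Tag numbers, MAC addresses, user names and the ANC event format are constructed.

```python
# Simulated TrustSec enforcement with a pxGrid-driven quarantine (added example,
# not Cisco code). Tag numbers, MAC addresses and user names are constructed;
# ISE assigns real SGT values and real events arrive over pxGrid.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Source security groups (business roles) and destination groups (resources).
SGT = {"Doctor": 10, "Receptionist": 11, "Guest": 12, "Quarantine": 255}
RESOURCE = {"Patient_Records": 100, "Employee_Intranet": 101, "Internet": 102}

# Egress policy matrix: (source SGT, destination SGT) -> permit. Absent cells
# fall to the default deny. A few role-to-resource cells replace the wall of
# address-based access-list entries, and policy follows the tag, not the subnet.
POLICY_MATRIX: Dict[Tuple[int, int], bool] = {
    (SGT["Doctor"], RESOURCE["Patient_Records"]): True,
    (SGT["Doctor"], RESOURCE["Employee_Intranet"]): True,
    (SGT["Doctor"], RESOURCE["Internet"]): True,
    (SGT["Receptionist"], RESOURCE["Employee_Intranet"]): True,
    (SGT["Receptionist"], RESOURCE["Internet"]): True,
    (SGT["Guest"], RESOURCE["Internet"]): True,
    # Quarantine has no permit cells, so a re-tagged endpoint is contained.
}


@dataclass
class Session:
    """Context ISE holds for one authenticated endpoint: who, what, where."""
    mac: str
    user: str
    role: str
    device: str
    location: str
    compliant: bool
    sgt: Optional[int] = None
    audit: List[str] = field(default_factory=list)


def classify(session: Session) -> int:
    """Authorization policy: business role plus posture result -> SGT.
    A non-compliant endpoint is tagged Quarantine whatever its role."""
    if not session.compliant:
        session.sgt = SGT["Quarantine"]
    else:
        session.sgt = SGT.get(session.role, SGT["Guest"])  # unknown role: least privilege
    session.audit.append(f"classify {session.user}/{session.device}@{session.location} -> SGT {session.sgt}")
    return session.sgt


def enforce(session: Session, resource: str) -> bool:
    """SGACL-style decision: look up (source SGT, destination SGT), default deny."""
    if session.sgt is None:
        return False
    return POLICY_MATRIX.get((session.sgt, RESOURCE[resource]), False)


def handle_pxgrid_event(sessions: Dict[str, Session], event: dict) -> Optional[Session]:
    """Apply an ANC mitigation published by a pxGrid client such as FMC.
    Quarantine overrides the role-derived tag; Un-Quarantine re-runs the
    authorization policy, so a still non-compliant endpoint stays contained."""
    session = sessions.get(event.get("mac", ""))
    if session is None:
        return None
    action = event.get("action")
    if action == "Quarantine":
        session.sgt = SGT["Quarantine"]
    elif action == "Un-Quarantine":
        classify(session)
    else:
        return session  # port bounce, session terminate, ... are not modelled here
    session.audit.append(f"ANC {action} from {event.get('source', '?')} -> SGT {session.sgt}")
    return session


def build_sessions() -> Dict[str, Session]:
    """Constructed sessions for the three office endpoints on the slide."""
    rows = [
        ("00:11:22:33:44:01", "drjones", "Doctor", "Laptop", "Office", True),
        ("00:11:22:33:44:02", "pat", "Receptionist", "iPad", "Office", True),
        ("00:11:22:33:44:03", "visitor", "Guest", "iPad", "Office", True),
    ]
    sessions = {mac: Session(mac, *rest) for mac, *rest in rows}
    for session in sessions.values():
        classify(session)
    return sessions


def contain_after_fmc_alert(mac: str = "00:11:22:33:44:01") -> Tuple[bool, bool, bool]:
    """Walk the FMC slide: a download is flagged, ISE re-tags, then releases."""
    sessions = build_sessions()
    endpoint = sessions[mac]
    before = enforce(endpoint, "Patient_Records")
    handle_pxgrid_event(sessions, {"source": "FMC", "action": "Quarantine", "mac": mac})
    during = enforce(endpoint, "Patient_Records")
    handle_pxgrid_event(sessions, {"source": "FMC", "action": "Un-Quarantine", "mac": mac})
    after = enforce(endpoint, "Patient_Records")
    return before, during, after  # (True, False, True)
```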
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
Traditional Security Policy versus TrustSec Security Policy
TrustSec Security Policy: Security Control Automation; Simplified Access Management; Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement with TrustSec: software-defined segmentation
Slide 53. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
Slide 54
https://www.youtube.com/watch?v=CMsp8WiBxzM
Slide 55
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending (24, Season 4)
Slide 56
ISE is the cornerstone of your Cisco solutions
ISE context (Who, What, Where, When, How) across the attack continuum: Before, During, After
Cisco solutions shown around ISE: NetFlow, NGIPS, Lancope StealthWatch, AMP, AMP Threat Grid, FireSIGHT Console, CWS, WSA, ESA, FirePOWER Services
Slide 57
And easily integrates with partner solutions
ISE context (Who, What, Where, When, How) is shared through the ISE pxGrid controller; Cisco Meraki is also shown
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Slide 58
Cisco Platform Exchange Grid (pxGrid): enable unified threat response by sharing contextual data
Context: Who, What, Where, When, How
Participants: ISE, pxGrid controller, Cisco Network, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Slide 59
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Enhance web access policy with user and device awareness
Feature highlight: Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing web access policies.
Benefits:
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Capabilities:
• Simplify administration: a single source of identity and contextual data; using TrustSec for contextual data abstraction makes classification much simpler on the WSA
• Compliance: create device-specific policies that allow or deny web content access based on endpoint compliance
• Better visibility: detailed reporting to understand how, when and from what devices users access web resources
Diagram: ISE and the WSA evaluate three sessions (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) against two destinations, Confidential Patient Records and Employee Intranet.
Slide 60
Protect automatically with rapid threat containment, with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Benefits:
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities:
• Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
• Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
• Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow shown in the diagram:
1. A corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE over pxGrid; ISE changes the endpoint's Security Group Tag (SGT) to Suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation; access is denied per security policy
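The enforcement side of this flow, as an added example that is not from the deck or from Cisco: a small Python model of a TrustSec policy matrix keyed by Security Group Tag, an ISE object that holds session context and publishes it to pxGrid subscribers, and an FMC partner that turns a malicious-file verdict into an ANC quarantine request. The tag numbers, session data, hash and every class and method name are constructed for illustration and are not ISE's or FMC's APIs. The same block also illustrates the contrast slide 52 draws: the role-based matrix is sized by the number of roles, not by the number of addresses.

```python
"""Model of TrustSec role-based enforcement plus the pxGrid rapid threat
containment loop (FMC verdict -> ISE ANC quarantine -> re-tagged session).
Added illustration: all tags, addresses, users and class/method names are
constructed and are not Cisco APIs."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Security Group Tag values; ISE assigns its own numbers.
SGT = {"Employee": 10, "Doctor": 11, "Guest": 12,
       "Patient_Records": 100, "Intranet": 101, "Quarantine": 255}

# TrustSec policy is a (source SGT, destination SGT) -> action matrix.
# Its size grows with the number of roles, not with the number of IP
# addresses, which is the contrast the ACL wall on slide 52 is drawing.
POLICY: Dict[Tuple[int, int], str] = {
    (SGT["Doctor"], SGT["Patient_Records"]): "permit",
    (SGT["Doctor"], SGT["Intranet"]): "permit",
    (SGT["Employee"], SGT["Intranet"]): "permit",
}
DEFAULT_ACTION = "deny"   # unlisted cells, including anything tagged Quarantine


@dataclass
class Session:
    """Who / What / Where context for one authenticated endpoint."""
    mac: str
    ip: str
    user: str
    device: str
    location: str
    sgt: int


class ISE:
    """Keeps session context, publishes it to pxGrid subscribers and applies
    ANC quarantine requests coming back from partners."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.subscribers: List[Callable[[str, Session], None]] = []
        self.audit: List[str] = []

    def subscribe(self, callback: Callable[[str, Session], None]) -> None:
        self.subscribers.append(callback)

    def _publish(self, topic: str, session: Session) -> None:
        for callback in self.subscribers:
            callback(topic, session)

    def learn_session(self, session: Session) -> None:
        """Step 1: ISE learns context from the network; step 2: shares it."""
        self.sessions[session.mac] = session
        self._publish("session", session)

    def anc_quarantine(self, mac: str, reason: str, requested_by: str) -> None:
        """Step 4: a partner asks ISE to contain an endpoint. Only the tag
        changes; the policy matrix is untouched. A real deployment re-tags
        the session at the access device through a CoA."""
        session = self.sessions[mac]
        old = session.sgt
        session.sgt = SGT["Quarantine"]
        self.audit.append(f"ANC quarantine mac={mac} user={session.user} "
                          f"by={requested_by} reason='{reason}' sgt {old}->{session.sgt}")
        self._publish("session", session)

    def enforce(self, src_mac: str, dst_sgt: int) -> str:
        """SGACL-style lookup: the source's current tag decides the outcome."""
        src_sgt = self.sessions[src_mac].sgt
        return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


class FMC:
    """Partner side: consumes ISE context (step 3) and, on a malicious file
    verdict, maps the flow's source IP back to a session and asks ISE to
    quarantine it (step 4)."""

    def __init__(self, ise: ISE) -> None:
        self.ise = ise
        self.context: Dict[str, Session] = {}
        ise.subscribe(self.on_context)

    def on_context(self, topic: str, session: Session) -> None:
        self.context[session.ip] = session

    def on_file_verdict(self, src_ip: str, sha256: str, verdict: str) -> Optional[str]:
        """Returns the MAC that was quarantined, or None if nothing was done."""
        if verdict != "malicious":
            return None
        session = self.context.get(src_ip)
        if session is None:          # no ISE context for this IP: nothing to contain
            return None
        self.ise.anc_quarantine(session.mac, f"malicious file sha256={sha256[:12]}", "FMC")
        return session.mac


def demo() -> Dict[str, str]:
    """Walks the slide's flow with two constructed sessions."""
    ise = ISE()
    fmc = FMC(ise)
    doctor = Session("00:11:22:33:44:55", "10.1.1.10", "alice", "Laptop", "Office", SGT["Doctor"])
    guest = Session("66:77:88:99:aa:bb", "10.1.1.20", "guest01", "iPad", "Office", SGT["Guest"])
    ise.learn_session(doctor)
    ise.learn_session(guest)
    before = ise.enforce(doctor.mac, SGT["Patient_Records"])
    fmc.on_file_verdict("10.1.1.10", "0" * 64, "malicious")   # constructed hash
    after = ise.enforce(doctor.mac, SGT["Patient_Records"])
    return {"doctor_before": before, "doctor_after": after,
            "guest": ise.enforce(guest.mac, SGT["Patient_Records"])}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the decisions for the doctor's laptop before and after the verdict. The policy matrix never changes; only the session's tag does, which is why a single ANC action takes effect everywhere that tag is enforced, and why the audit entry on the ISE side is the record an incident responder should look for.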
Slide 61
FireSIGHT Management Center: registered FMC pxGrid client
• ISE: Administration -> pxGrid Services
Slide 62
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate source
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
Slide 63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Slide 64
Network as an Enforcer: make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones shown in the diagram: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
Slide 65
TACACS+ Device Administration: simplify security management with role-based access
Feature highlight: Customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.
Benefits:
• Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
• Flexible, granular control: control and audit the configuration of network devices
• Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities:
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS5 features
Diagram: TACACS+ Device Administration support for ISE 2.0, with separate TACACS+ Work Centers for the Security Admin Team and the Network Admin Team
Slide 66
Device Admin Service is not enabled by default
Slide 67
Some Device Admin best practices
• Different policy sets for IOS than AireSpace OS
• Different for security apps than routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Slide 68
Use policy sets based on device type
• Cisco IOS Switches
• Airespace WLCs
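One way to see why separate policy sets per device type matter, as an added Python example that is not ISE code: a command authorizer that selects a policy set from the Network Device Group of the requesting device, maps the administrator's identity group to a command set inside that policy set, and evaluates the command against ordered permit/deny rules while logging every decision. The device addresses, group names, command sets and log format are constructed, and the first-match evaluation is a simplification of ISE's actual command-set semantics.

```python
"""Command-level TACACS+ authorization keyed by Network Device Group (NDG),
mirroring the slide's advice to keep one policy set per device type.
Added illustration: device groups, roles, command sets and the log format
are constructed and simplify ISE's real evaluation rules."""
import re
from typing import Dict, List, Tuple

# Network Device Groups: NAD address -> device type (constructed values).
NDG: Dict[str, str] = {
    "10.0.0.1": "IOS-Switch",
    "10.0.0.2": "Airespace-WLC",
    "10.0.0.3": "ASA",
}

# One policy set per NDG. Inside it, an identity group maps to a command set.
# A group with no mapping gets no command set, so every command is denied.
POLICY_SETS: Dict[str, Dict[str, str]] = {
    "IOS-Switch":    {"Network-Admins": "IOS-Full", "Helpdesk": "IOS-ReadOnly"},
    "Airespace-WLC": {"Network-Admins": "WLC-Full", "Helpdesk": "WLC-ReadOnly"},
    "ASA":           {"Security-Admins": "ASA-Full", "Network-Admins": "ASA-ReadOnly"},
}

# Command sets: ordered (action, command regex, argument regex) rules,
# first full match wins. Real ISE command sets are richer than this.
Rule = Tuple[str, str, str]
COMMAND_SETS: Dict[str, List[Rule]] = {
    "IOS-Full":     [("permit", r".*", r".*")],
    "IOS-ReadOnly": [("deny",   r"show", r"running-config.*"),   # config holds secrets
                     ("permit", r"show", r".*"),
                     ("permit", r"ping", r".*")],
    "WLC-Full":     [("permit", r".*", r".*")],
    "WLC-ReadOnly": [("permit", r"show", r".*")],
    "ASA-Full":     [("permit", r".*", r".*")],
    "ASA-ReadOnly": [("deny",   r"show", r"(running-config|password).*"),
                     ("permit", r"show", r".*")],
}


def match_command_set(rules: List[Rule], command: str, args: str) -> str:
    """First rule whose command and argument patterns both match decides."""
    for action, cmd_re, arg_re in rules:
        if re.fullmatch(cmd_re, command) and re.fullmatch(arg_re, args):
            return action
    return "deny"   # nothing matched: fail closed


def authorize(user: str, groups: List[str], device_ip: str, line: str) -> Tuple[str, str]:
    """Returns (decision, audit line). Every decision is logged, which is what
    makes command-level authorization auditable."""
    parts = line.strip().split(maxsplit=1)
    command = parts[0] if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    ndg = NDG.get(device_ip)
    policy_set = POLICY_SETS.get(ndg, {}) if ndg else {}
    command_set = next((policy_set[g] for g in groups if g in policy_set), None)
    if ndg is None:
        decision, why = "deny", "unknown-device"
    elif command_set is None:
        decision, why = "deny", "no-command-set-for-groups"
    else:
        decision = match_command_set(COMMAND_SETS[command_set], command, args)
        why = command_set
    log = (f"TACACS+ CmdAuthz user={user} device={device_ip} ndg={ndg or '-'} "
           f"command_set={why} cmd='{line.strip()}' result={decision}")
    return decision, log


if __name__ == "__main__":
    for who, grp, dev, cmd in [("hd1", ["Helpdesk"], "10.0.0.1", "show running-config"),
                               ("hd1", ["Helpdesk"], "10.0.0.3", "show version"),
                               ("sec1", ["Security-Admins"], "10.0.0.3", "configure terminal")]:
        print(authorize(who, grp, dev, cmd)[1])
```

The helpdesk user is allowed `show` on the IOS switch but not `show running-config`, and gets nothing at all on the ASA because the ASA policy set has no mapping for that group; a device that is not in any NDG is denied outright. Keeping those decisions in distinct policy sets is what lets the Security Admin Team and Network Admin Team work centers on slide 65 be administered separately.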
Slide 69
Example: Wireless LAN Controllers
Slide 70
Example: Cisco IOS
Slide 71
ISE services now available for non-Cisco network access devices
Feature highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Benefits:
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
• Maximize value: realize additional value from your existing infrastructure
Capabilities:
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: ISE 1.0 supported 802.1X; new with ISE 2.0 are Profiling, Posture, Guest and BYOD
For additional information refer to the Cisco Compatibility Matrix
Slide 72
Network Device Profiles: ready-to-use 3rd-party packages
• Create new profiles "from scratch" or duplicate existing ones
• Import/Export simplifies sharing of custom profiles
Slide 73
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Slide 74
Live Demo
Slide 51
"Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
52copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 
961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 
deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467access-list 102 permit udp 1261839085 000255 eq 3256 11453254245 255255255255 lt 1780access-list 102 deny icmp 2033611037 255255255255 lt 999 2292169232 000127 gt 3611access-list 102 permit tcp 13124933123 000127 lt 4765 7121920789 0255255255 eq 606access-list 102 deny tcp 112174162193 0255255255 gt 368 4151192136 000255 gt 4005access-list 102 permit ip 18971213162 000127 gt 2282 746718147 000127 eq 199access-list 102 deny udp 1302376656 255255255255 lt 3943 1416848108 000255 gt 3782access-list 102 deny ip 193250210122 001255 lt 2297 130113139130 0255255255 gt 526access-list 102 permit ip 1789711359 255255255255 gt 178 111184163103 255255255255 gt 959access-list 102 deny ip 16414913673 000127 gt 1624 16341181145 000255 eq 810access-list 102 permit icmp 207221157104 000255 eq 1979 9978135112 0255255255 gt 3231access-list 102 permit tcp 100126449 0255255255 lt 1449 2823788171 000127 lt 3679access-list 102 deny icmp 157219157249 255255255255 gt 1354 60126167112 0031255 gt 1025access-list 102 deny icmp 761766641 0255255255 lt 278 1694810537 001255 gt 968access-list 102 permit ip 888141113 000127 lt 2437 10514519667 001255 lt 4167access-list 102 permit udp 602429562 0031255 eq 3181 3319171166 255255255255 lt 2422access-list 102 permit icmp 18624640245 0255255255 eq 3508 1911396754 001255 eq 1479access-list 102 permit ip 209111254187 001255 gt 4640 939917334 255255255255 gt 28access-list 102 permit ip 1842328841 0031255 lt 2247 1863310431 255255255255 lt 4481access-list 102 deny ip 1067924750 0031255 gt 1441 9662207209 000255 gt 631access-list 102 permit ip 3913660170 001255 eq 4647 
96129185116 255255255255 lt 3663access-list 102 permit tcp 3017518993 0031255 gt 228 48333091 000255 gt 1388access-list 102 permit ip 16710052185 001255 lt 4379 25420220026 255255255255 gt 4652access-list 102 permit udp 17216184148 0255255255 gt 4163 12438159247 000127 lt 3851access-list 102 deny icmp 20610773252 0255255255 lt 2465 171213183230 0031255 gt 1392access-list 102 permit ip 961743879 0255255255 eq 1917 1156181180 0031255 eq 1861access-list 102 deny icmp 2361236753 0031255 gt 1181 311157519 001255 gt 2794access-list 102 deny udp 144520820 000255 lt 419 16124159166 000255 lt 2748access-list 102 permit udp 25240175155 0031255 lt 4548 871121020 001255 gt 356access-list 102 deny tcp 12410219259 000255 eq 2169 153233253100 0255255255 gt 327access-list 102 permit icmp 681462179 255255255255 lt 2985 235228242243 255255255255 lt 2286access-list 102 deny tcp 9119821334 000255 eq 1274 20613632135 0255255255 eq 4191access-list 102 deny udp 76150135234 255255255255 lt 3573 15233106211 255255255255 eq 3721access-list 102 permit tcp 1269711332 001255 eq 4644 221610540 0031255 eq 3716access-list 102 permit icmp 1473193130 000255 gt 968 15444194206 255255255255 eq 4533access-list 102 deny tcp 1545712891 000255 lt 1290 106233205111 0031255 gt 539access-list 102 deny ip 914817648 001255 eq 1310 64618873 001255 lt 4570access-list 102 deny ip 124236172134 255255255255 gt 859 568114184 25555255255 gt 2754access-list 102 deny icmp 22716168159 0031255 lt 3228 78113205236 25555255255 lt 486access-list 102 deny udp 167160188162 000255 gt 4230 24811187246 0255255255 eq 2165access-list 102 deny udp 321242171 255255255255 lt 907 113813082 0031255 gt 428access-list 102 permit ip 649877248 000127 eq 639 122201132164 0031255 gt 1511access-list 102 deny tcp 24754117116 000127 gt 4437 13668158104 001255 gt 1945access-list 102 permit icmp 136196101101 000255 lt 2361 90186112213 0031255 eq 116access-list 102 deny udp 2424189142 001255 eq 1112 1994101166 000127 eq 959access-list 102 deny 
tcp 8212211 255255255255 eq 2587 17422214125 0031255 lt 4993access-list 102 deny tcp 1031093140 255255255255 eq 970 7110314191 000127 lt 848access-list 102 deny ip 321578227 000127 eq 1493 7292200157 000255 gt 4878access-list 102 permit icmp 100211144227 001255 lt 4962 9412721449 0255255255 eq 1216access-list 102 deny icmp 88917930 000255 gt 26 2074250132 001255 gt 1111access-list 102 deny ip 1671717435 001255 eq 3914 140119154142 255255255255 eq 4175access-list 102 permit tcp 378517024 000127 lt 3146 772623298 000127 gt 1462access-list 102 permit tcp 15523722232 000127 gt 1843 239163519 001255 lt 4384access-list 102 permit icmp 13623766158 255255255255 eq 946 119186148222 0255255255 eq 878access-list 102 permit ip 12910041114 255255255255 gt 3972 4713528103 000255 eq 467
with TrustSecTraditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWirelessFlexible and Scalable Policy Enforcement
segmentationsoftware defined
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.
Get the same great security across more devices
Feature Highlight
Benefits
Protect consistently: Deploy ISE across network devices, including non-Cisco NADs
Simplify administration: Leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: Realize additional value from your existing infrastructure
Compatible device vendors
• Aruba Wireless
• HP Wireless
• Motorola Wireless
• Brocade Wired
• HP Wired
• Ruckus Wireless
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL re-direction to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
ISE services now available for non-Cisco network access devices
With non-Cisco device integration:
• ISE 1.0: 802.1X
• New with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today."
- Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives."
- Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
Software-Defined Segmentation with TrustSec
Traditional Security Policy (slide shows a long wall of access-list 102 permit/deny entries)
TrustSec Security Policy:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Network Fabric: Switch, Router, DC FW, DC Switch, Wireless
Flexible and Scalable Policy Enforcement
Centralized Control
Deeper Visibility
Superior Protection
https://www.youtube.com/watch?v=CMsp8WiBxzM
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
ISE is the cornerstone of your Cisco solutions
Context: How, What, Who, Where, When
BEFORE / DURING / AFTER
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
And easily integrates with partner solutions
Context: How, What, Who, Where, When
ISE pxGrid controller
Cisco Meraki
Partner categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Enable unified threat response by sharing contextual data: Cisco Platform Exchange Grid (pxGrid)
Context: When, Where, Who, How, What
Cisco Network, ISE pxGrid controller, Cisco and Partner Ecosystem
1. ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
Telemetry sharing using pxGrid with Cisco Web Security Appliance (WSA) and Identity Services Engine (ISE)
Feature Highlight: Enhance Web access policy with user and device awareness. Cisco Web Security Appliance integrates with ISE and uses pxGrid to retrieve contextual data for writing Web access policies.
Capabilities
• Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
• Retrieve classification data from ISE over pxGrid; use TrustSec for simplifying operations
• Use TrustSec for policy classification abstraction and ease of operations
Benefits
Simplify Administration: Single source of identity and contextual data. Using TrustSec for contextual data abstraction makes classification much simpler on the WSA.
Compliance: Create device-specific policies that allow or deny web content access based on endpoint compliance.
Better Visibility: Detailed reporting to understand how, when and from what devices users access Web resources.
Diagram: three sessions (Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office; Who: Guest, What: iPad, Where: Office) pass through Identity Services Engine and WSA on their way to Confidential Patient Records or the Employee Intranet.
Protect automatically with rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Feature Highlight: Automatically defend against threats with FMC and ISE. Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies.
Capabilities
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Benefits
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid.
Automate threat defense: Leveraging ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy.
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE.
Flow shown on the slide:
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy
• Administration -> pxGrid Services
FireSIGHT Management Center: Registered FMC pxGrid client
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: Create pxGrid mitigation action based on mitigate Source
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
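The containment chain on the slides above (FMC verdict, pxGrid, ISE ANC action, SGT change, network enforcement) as an added Python model; it is not Cisco code and stands in for the real pxGrid and ANC APIs. The session fields, the event dictionary layout and the default-deny SGACL matrix are constructed assumptions.

```python
"""Simplified model of the rapid threat containment chain shown on the slide:
an FMC-style malware verdict arrives over a pxGrid-like bus, ISE applies an
ANC policy to the matching session, the session's SGT changes, and a
TrustSec-style SGACL matrix decides what the endpoint may still reach.

Constructed example, not Cisco code: the classes, the event dict layout and
the default-deny matrix are illustrative assumptions, not the pxGrid/ANC API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Mitigation actions listed on the FMC remediation-module slide.
ANC_ACTIONS = {"Quarantine", "Un-Quarantine", "Port Bounce", "Port Shutdown",
               "Session Re-Authenticate", "Session Terminate"}


@dataclass
class Session:
    """One authenticated endpoint as ISE tracks it (illustrative fields)."""
    mac: str
    ip: str
    user: str
    sgt: str                            # current Security Group Tag
    anc_policy: Optional[str] = None    # ANC action currently applied, if any
    original_sgt: Optional[str] = None  # SGT to restore on Un-Quarantine


@dataclass
class ISE:
    sessions: Dict[str, Session]        # keyed by endpoint IP
    quarantine_sgt: str = "Suspicious"
    # (source SGT, destination SGT) -> permit; anything absent is denied
    # (assumption: a default-deny matrix, which a real deployment may not use)
    sgacl: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def apply_anc(self, ip: str, action: str) -> bool:
        """Apply an ANC action to the session at ip; False if no session."""
        if action not in ANC_ACTIONS:
            raise ValueError(f"unknown ANC action: {action}")
        sess = self.sessions.get(ip)
        if sess is None:
            self.audit.append(f"{action}: no active session for {ip}")
            return False
        if action == "Quarantine":
            if sess.anc_policy != "Quarantine":     # idempotent re-quarantine
                sess.original_sgt = sess.sgt
                sess.sgt = self.quarantine_sgt
                sess.anc_policy = "Quarantine"
        elif action == "Un-Quarantine":
            if sess.original_sgt is not None:
                sess.sgt = sess.original_sgt
                sess.original_sgt = None
            sess.anc_policy = None
        else:
            # Port/session actions are carried out by the NAD via CoA;
            # here they are only recorded against the session.
            sess.anc_policy = action
        self.audit.append(f"{action} applied to {ip} ({sess.user}), sgt={sess.sgt}")
        return True

    def permitted(self, src_ip: str, dst_sgt: str) -> bool:
        """Would the SGACL matrix let this endpoint reach dst_sgt right now?"""
        sess = self.sessions.get(src_ip)
        if sess is None:
            return False
        return self.sgacl.get((sess.sgt, dst_sgt), False)


def handle_fmc_event(ise: ISE, event: dict) -> bool:
    """pxGrid-style remediation: quarantine only on a malicious file verdict."""
    if event.get("disposition") != "Malicious":
        return False
    return ise.apply_anc(event["src_ip"], "Quarantine")


def build_demo() -> ISE:
    """Constructed sample state: one employee session and a tiny SGACL matrix."""
    alice = Session("00:11:22:33:44:55", "10.1.1.25", "alice", "Employees")
    return ISE(
        sessions={alice.ip: alice},
        sgacl={("Employees", "Intranet"): True,
               ("Suspicious", "Remediation"): True},
    )


# Constructed FMC verdict; the hash is a placeholder, not a real indicator.
SAMPLE_EVENT = {"src_ip": "10.1.1.25", "sha256": "<placeholder-sha256>",
                "disposition": "Malicious"}

if __name__ == "__main__":
    ise = build_demo()
    print("before:", ise.permitted("10.1.1.25", "Intranet"))   # True
    handle_fmc_event(ise, SAMPLE_EVENT)
    print("after: ", ise.permitted("10.1.1.25", "Intranet"))   # False
    print("\n".join(ise.audit))
```

The point the model makes is that the quarantine itself is just a tag change recorded in ISE; the access change is whatever the SGACL matrix says about the new tag, so the matrix row for the quarantine SGT is where a defender decides what a contained endpoint may still reach (for example a remediation network).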
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Data
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Zones: ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
53copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Centralized Control
Deeper Visibility
Superior Protection
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
54copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=CMsp8WiBxzM
55copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
httpswwwyoutubecomwatchv=I3IeWw_vu9Q
The Cisco System is Self Defending
24 Season 4
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment: with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)
Automatically defend against threats with FMC and ISE
Feature Highlight: Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions per policy with Cisco FireSIGHT and ISE integration
Capabilities
Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
Automate threat defense: leverage ISE ANC (Adaptive Network Control) to alert the network of suspicious activity according to policy
Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
[Diagram: containment sequence]
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. The device is contained for remediation or mitigation: access is denied per security policy
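The containment sequence above, modelled end to end as an added example (not Cisco code and not the real pxGrid or ANC API): a partner verdict arrives, ISE applies an ANC quarantine that swaps the session's SGT, and the enforcement point's next policy-matrix lookup denies the access it permitted a moment earlier. SGT names, the event shape, MAC addresses and the policy matrix are all constructed.

```python
"""Constructed model of the rapid threat containment sequence on the slide:
a partner (FMC) publishes a suspicious-file verdict over pxGrid, ISE applies
an ANC quarantine that changes the endpoint session's Security Group Tag
(SGT), and the enforcement point re-evaluates the TrustSec policy matrix.
Added example: not Cisco code and not the real pxGrid or ANC API. SGT names,
MAC addresses, the event shape and the policy matrix are all constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed SGT names (not Cisco defaults).
SGT_EMPLOYEE = "Employee"
SGT_GUEST = "Guest"
SGT_QUARANTINE = "Quarantined_Systems"
SGT_PATIENT_RECORDS = "Confidential_Patient_Records"
SGT_INTRANET = "Employee_Intranet"

# Constructed SGACL-style matrix: (source SGT, destination SGT) -> permit.
# Missing cells are denied, so a quarantined endpoint loses every access
# without needing an explicit deny row per resource (default deny).
POLICY_MATRIX = {
    (SGT_EMPLOYEE, SGT_PATIENT_RECORDS): True,
    (SGT_EMPLOYEE, SGT_INTRANET): True,
    (SGT_GUEST, SGT_INTRANET): False,
}

# Constructed ANC policy -> SGT it assigns while active.
ANC_POLICIES = {"Quarantine": SGT_QUARANTINE}


@dataclass
class Session:
    """One endpoint session as ISE holds it (who / what / where / tag)."""
    mac: str
    user: str
    device: str
    location: str
    sgt: str
    anc_policy: Optional[str] = None
    original_sgt: Optional[str] = None


@dataclass
class IseContext:
    """The session store plus an audit trail of containment actions."""
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add_session(self, session: Session) -> None:
        self.sessions[session.mac] = session

    def apply_anc(self, mac: str, policy: str, source: str) -> Session:
        """Apply an ANC policy: keep the original SGT and swap in the
        policy's SGT so the next enforcement lookup sees the new tag."""
        s = self.sessions[mac]
        if s.anc_policy is None:
            s.original_sgt = s.sgt
        s.anc_policy, s.sgt = policy, ANC_POLICIES[policy]
        self.audit.append(f"ANC {policy} applied to {mac} ({s.user}/{s.device}) by {source}")
        return s

    def clear_anc(self, mac: str, source: str) -> Session:
        """Un-quarantine: restore the SGT the session had before ANC."""
        s = self.sessions[mac]
        if s.anc_policy is not None:
            s.sgt, s.anc_policy, s.original_sgt = s.original_sgt, None, None
            self.audit.append(f"ANC cleared on {mac} by {source}")
        return s


def handle_partner_event(ctx: IseContext, event: dict) -> Optional[str]:
    """Map a partner event (constructed shape) to an ANC action per policy.
    Unknown endpoints and verdicts the policy does not list are only logged."""
    mac, source = event.get("mac"), event.get("source")
    if mac not in ctx.sessions:
        ctx.audit.append(f"ignored event from {source}: unknown endpoint {mac}")
        return None
    if event.get("verdict") == "malicious_file":
        ctx.apply_anc(mac, "Quarantine", source)
        return "Quarantine"
    ctx.audit.append(f"no action for verdict {event.get('verdict')} on {mac}")
    return None


def enforcement_decision(ctx: IseContext, mac: str, dst_sgt: str) -> bool:
    """Decision for traffic from the endpoint's current SGT to dst_sgt."""
    return POLICY_MATRIX.get((ctx.sessions[mac].sgt, dst_sgt), False)


def demo() -> list:
    """Walk the slide's sequence; return the access decision after each step."""
    ctx = IseContext()
    mac = "00:11:22:33:44:55"  # constructed
    ctx.add_session(Session(mac, "doctor1", "Laptop", "Office", SGT_EMPLOYEE))
    steps = [enforcement_decision(ctx, mac, SGT_PATIENT_RECORDS)]
    # FMC scans the downloaded file and publishes its verdict over pxGrid.
    handle_partner_event(ctx, {"source": "FMC", "mac": mac, "verdict": "malicious_file"})
    steps.append(enforcement_decision(ctx, mac, SGT_PATIENT_RECORDS))
    # After remediation an operator clears the ANC policy (Un-Quarantine).
    ctx.clear_anc(mac, "operator")
    steps.append(enforcement_decision(ctx, mac, SGT_PATIENT_RECORDS))
    return steps


if __name__ == "__main__":
    print(demo())  # [True, False, True]
```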
• Administration -> pxGrid Services
FireSIGHT Management Center: registered FMC pxGrid client
• Policies -> Actions -> Remediations -> Modules -> pxGrid remediation
FireSIGHT Management Center: create a pxGrid mitigation action based on mitigate Source
• Mitigation Actions: Quarantine, Un-Quarantine, Port Bounce, Port Shutdown, Session Re-Authenticate, Session Terminate
See how endpoints act on the network with better visibility: Network as a Sensor
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
And make visibility actionable through segmentation and automation: Network as an Enforcer
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
[Diagram: network segmented into Admin, Enterprise, POS, Vendor, Employee and Dev zones]
TACACS+ Device Administration Support for ISE 2.0
Role-based access control: simplify security management with role-based access
Feature Highlight: customers can now use Terminal Access Controller Access Control System (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices
Benefits
Simplified, centralized device administration: increase security compliance auditing for a full range of administration use cases
Flexible, granular control: control and audit the configuration of network devices
Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
Capabilities
• Role-based access control
• Flow-based user experience
• Command-level authorization with detailed logs for auditing
• Dedicated TACACS+ work center for network administrators
• Support for core ACS 5 features
[Diagram: Security Admin Team and Network Admin Team each working from their own TACACS+ Work Center]
Device Admin Service is not Enabled by Default
Some Device Admin Best Practices
• Different policy sets for IOS than for AireSpace OS
• Different for security apps than for routers
• Different for ASA
• Differentiate based on location of device
Use NDGs (Network Device Groups)
Use Policy Sets Based on Device Type
• Cisco IOS Switches
• Airespace WLCs
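The practice above (one policy set per device type and location, selected through NDG attributes) together with the command-level authorization and audit logging the TACACS+ slide lists, as an added example that is not ISE code: NDG values, policy-set names, admin groups, command sets and the log format are all constructed, and unlisted commands are denied in this model.

```python
"""Constructed model of the device-administration practice on the slides:
choose a TACACS+ policy set from Network Device Group (NDG) attributes
(device type and location), then authorize each CLI command against that
policy set's command set for the admin's group, writing one audit line per
decision. Added example: not ISE code. NDG values, policy-set names, admin
groups, command sets and the log format are all constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    device_type: str  # NDG "Device Type": IOS-Switch, IOS-Router, Airespace-WLC, ASA
    location: str     # NDG "Location": HQ or Branch


# Policy sets, most specific first; the last entry is the catch-all.
POLICY_SETS: List[Tuple[str, Callable[[NetworkDevice], bool]]] = [
    ("WLC-Airespace", lambda d: d.device_type == "Airespace-WLC"),
    ("ASA-Firewalls", lambda d: d.device_type == "ASA"),
    ("IOS-Switches-Branch", lambda d: d.device_type == "IOS-Switch" and d.location == "Branch"),
    ("IOS-Switches", lambda d: d.device_type == "IOS-Switch"),
    ("IOS-Routers", lambda d: d.device_type == "IOS-Router"),
    ("Default", lambda d: True),
]

# Command sets keyed by (policy set, admin group): ordered rules of
# (action, command regex, arguments regex). The first matching rule decides;
# a command that matches no rule is denied (this model permits nothing unlisted).
Rule = Tuple[str, str, str]
COMMAND_SETS: Dict[Tuple[str, str], List[Rule]] = {
    ("IOS-Switches", "NetOps"): [
        ("permit", r"show", r".*"),
        ("deny", r"configure", r".*"),
        ("permit", r"ping|traceroute", r".*"),
    ],
    ("IOS-Switches", "SecOps"): [
        ("permit", r"show", r".*"),
        ("permit", r"configure", r"terminal"),
        ("permit", r"ip|no", r"(ip )?access-list .*"),
        ("deny", r".*", r".*"),
    ],
    # Branch switches: read-only for NetOps, whatever the HQ policy set allows.
    ("IOS-Switches-Branch", "NetOps"): [("permit", r"show", r".*")],
    ("ASA-Firewalls", "SecOps"): [("permit", r".*", r".*")],
    ("WLC-Airespace", "NetOps"): [("permit", r"show", r".*")],
}


def select_policy_set(device: NetworkDevice) -> str:
    """First policy set whose NDG condition matches the device."""
    for name, matches in POLICY_SETS:
        if matches(device):
            return name
    return "Default"


def authorize_command(device: NetworkDevice, user: str, group: str,
                      cmdline: str, log: List[str]) -> bool:
    """Command authorization for one CLI line; appends an audit line to log."""
    policy_set = select_policy_set(device)
    parts = cmdline.strip().split(maxsplit=1) or [""]
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    decision, rule_no = "deny", 0
    for i, (action, cmd_re, arg_re) in enumerate(COMMAND_SETS.get((policy_set, group), []), 1):
        if re.fullmatch(cmd_re, command) and re.fullmatch(arg_re, args):
            decision, rule_no = action, i
            break
    log.append(f"device={device.name} ndg={device.device_type}/{device.location} "
               f"policyset={policy_set} user={user} group={group} "
               f"cmd={cmdline!r} result={decision.upper()} rule={rule_no}")
    return decision == "permit"


if __name__ == "__main__":
    audit: List[str] = []
    sw = NetworkDevice("sw-hq-1", "IOS-Switch", "HQ")  # constructed
    authorize_command(sw, "alice", "NetOps", "show running-config", audit)
    authorize_command(sw, "alice", "NetOps", "configure terminal", audit)
    print("\n".join(audit))
```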
Example: Wireless LAN Controllers
Example: Cisco IOS
ISE services now available for non-Cisco network access devices
Get the same great security across more devices
Feature Highlight: customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors
Benefits
Protect consistently: deploy ISE across network devices, including non-Cisco NADs
Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value: realize additional value from your existing infrastructure
Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations
Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless
With non-Cisco device integration: 802.1X since ISE 1.0; new with ISE 2.0: Profiling, Posture, Guest, BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: ready-to-use 3rd-party packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a LEADER four years in a row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award
"In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
https://www.youtube.com/watch?v=I3IeWw_vu9Q
The Cisco System is Self Defending
24, Season 4
ISE is the cornerstone of your Cisco solutions
• NetFlow
• NGIPS
• Lancope StealthWatch
• AMP
• AMP Threat Grid
• FireSIGHT Console
• CWS
• WSA
• ESA
• FirePOWER Services
[Diagram: ISE context (How / What / Who / Where / When) applied across the attack continuum: Before, During, After]
And easily integrates with partner solutions
[Diagram: the ISE pxGrid controller sharing How / What / Who / Where / When context with Cisco Meraki and partner solutions]
Partner solution categories: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
56copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Netflow
NGIPS
Lancope StealthWatch
AMP
AMP Threat Grid
FireSIGHT Console
CWS
WSA
ESA
FirePOWER Services
ISE is the cornerstone of your Cisco solutions
ISE
How WhatWhoWhereWhen
DURING AFTERBEFORE
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
57copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
And easily integrates with partner solutions
How WhatWhoWhereWhen
ISE pxGridcontroller
Cisco Meraki
copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential 23
SIEM EMMMDM Firewall VulnerabilityAssessment
Threat Defense IoT IAMSSO PCAP Web
Security CASB Performance Management
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing ones
Import/Export simplifies sharing of custom profiles
Don't just take it from us
Recognized as a Leader four years in a row (Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011)
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award: "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A Champion in the Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
Live Demo
58copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidentialcopy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Enable unified threat response by sharing contextual dataCisco Platform Exchange Grid (pxGrid)
When
Where
Who
How
What
Cisco and Partner Ecosystem
ISE
Cisco Network
pxGridcontroller
ISE collects contextual data from network1
Context is shared via pxGrid technology2
Partners use context to improve visibility to detect threats
3
Partners can direct ISE to rapidly contain threats4
ISE uses partner data to update context and refine access policy
5
Context
32
1
45
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
59copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Telemetry sharing using PxGridWith Cisco Web Security Appliance (WSA) and Identity Service Engine (ISE)
Enhance Web Access Policy with user and device Awareness Feature HighlightCisco Web Security Appliance integrates with ISE and uses PxGrid to retrieve contextual data for writing Web access policies
Benefits
bull Integrate with Cisco Web Security Appliance for controlling who can access what on the Web
bull Retrieve classification data from ISE over PxGrid Use TrustSec for simplifying operations
bull Use TrustSec for policy classification abstraction and ease of operations
Capabilities
Simplify AdministrationSingle source of identity and Contextual data Using TrustSec for contextual data abstraction makes classification much simpler on the WSAComplianceCreate device-specific policies that allow or deny web content access based on endpoint compliance
Who DoctorWhat LaptopWhere Office
Who DoctorWhat iPadWhere Office
Who GuestWhat iPadWhere Office
Identity Service Engine
WSA
Confidential Patient Records
EmployeeIntranet
Better VisibilityDetailed reporting to understand how when and from what devices users access Web resources
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
60copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Protect automatically with rapid threat containment With Cisco FireSIGHT Management Center (FMC) and Identity Service Engine (ISE)
Automatically defend against threats with FMC and ISEFeature HighlightCisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity based on pre-defined security policies
Benefits
bull Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
bull Trigger quarantine actions per policy with Cisco FireSight and ISE integration
Capabilities
FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
Device is contained for remediation or mitigationmdashaccess is denied per security policy
Automate threat defenseLeveraging ISE ANC to alert the network of suspicious activity according to policy
Detect threats earlyFireSight scans activity and publishes events to pxGrid
Corporate user downloads file
Leverage a growing ecosystemof partners that provide rapid threat containment by integrating with ISE
FMC scans the user activity and downloaded file
Based on the new tag ISE automatically enforces policy on the network
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
61copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Administration-gtpxGrid Services
FireSIGHT Management CenterRegistered FMC pxGrid client
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Customers can now deploy ISE services such as Profiling Posture Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco non-Cisco vendors
Get the same great security across more devices
Benefits
Feature Highlight
Protect consistently Deploy ISE across network devices including non-Cisco NADs
Simplify administrationLeverage pre-configured profile templates for automatically configuring non-Cisco NAD access
Maximize value Realize additional value from your existing infrastructure
Compatible device vendors
Aruba Wireless HP Wireless
Motorola Wireless Brocade Wired
HP Wired Ruckus Wireless
bull Templatized MAB configuration for select non-Cisco vendor devices
bull CoA and URL re-direction to work with ISEbull Non-Cisco NADs enabled to drive regular
8021x operations
Capabilities
ISE services now available for non-Cisco network access devices
With non-Cisco device integration
ISE 10 8021x
New with ISE 20
Profiling
Posture
Guest
BYOD
For additional information refer to the Cisco Compatibility Matrix
72copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Network Device ProfilesReady-to-Use 3rd-Party Packages
Create new profiles ldquofrom scratchrdquo or duplicate existing
ImportExport simplifies sharing of custom profiles
73copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Recognized as a LEADER Four Years in a Row- Gartner Magic Quadrant for NAC 2014 2013 2012 2011
ldquoCisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise todayrdquo
- Forrester 2011
Recipient of the 2014 Frost amp Sullivan Global NAC Market Leadership AwardldquoIn this generation NAC platform Cisco wanted to make an easier more intuitive platform while adding features and functionality Cisco has gone a long way toward achieving these objectivesrdquo
- Frost amp Sullivan 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC- Info-Tech Research Group 2014
Donrsquot just take it from us
74copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Live Demo
62copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
bull Policies-gtActions-gtRemediations-gtModules-gtpxGrid remediation
FireSIGHT Management CenterCreate pxGrid mitigation action based on mitigate Source
bull Mitigation Actionsbull Quarantinebull Un-Quarantinebull Port Bouncebull Port Shutdownbull Session Re-Authenticatebull Session Terminate
63copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
See how endpoints act on the network with better visibilityNetwork as a Sensor
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatch
Data
64copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
ADMINZONE
ENTERPRISEZONE
POSZONE
VENDOR ZONE
And make visibility actionable through segmentation and automation Network as an Enforcer
bull Cisco ISEbull Cisco Networking Portfoliobull Cisco NetFlowbull Lancope StealthWatchbull Cisco TrustSec Software-Defined
Segmentation
EMPLOYEEZONE
DEV ZONE
65copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Role-based access control
Simplify security management with role-based access
bull Role-based access controlbull Flow-based user experiencebull Command level authorization with detailed logs for auditingbull Dedicated TACACS+ workcenter for network administratorsbull Support for core ACS5 features
Capabilities
TACACS+ Device Administration
Benefits
Feature HighlightCustomers can now use Terminal Access Controller Access Control System (TACACS) with ISE to simplify device administration and enhance security through flexible granular control of access to network devices
Simplified centralized device administrationIncrease security compliancy auditing for a full range of administration use cases
Flexible granular controlControl and audit the configuration of network devices
Security Admin Team
TACACS+Work Center
Network Admin Team
TACACS+Work Center
TACACS+ Device Administration Support for ISE 20
Holistic centralized visibilityGet a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center
66copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Device Admin Service is not Enabled by Default
67copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Some Device Admin Best Practices
bull Different Policy Sets for IOS than AireSpace OS
bull Different for Security Apps than Routers
bull Different for ASAbull Differentiate based on location of
Device
USE NDGrsquoS
68copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Use Policy Sets Based on Device Type
Cisco IOS Switches
Airespace WLCs
69copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Wireless LAN Controllers
70copy 2015 Cisco andor its affiliates All rights reserved Cisco Confidential
Example Cisco IOS
71
ISE services now available for non-Cisco network access devices
Get the same great security across more devices

Feature Highlight: Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits
• Protect consistently: deploy ISE across network devices, including non-Cisco NADs.
• Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access.
• Maximize value: realize additional value from your existing infrastructure.

Capabilities
• Templatized MAB configuration for select non-Cisco vendor devices
• CoA and URL redirection to work with ISE
• Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

With non-Cisco device integration: 802.1X (since ISE 1.0); Profiling, Posture, Guest and BYOD (new with ISE 2.0)

For additional information, refer to the Cisco Compatibility Matrix.
72
Network Device Profiles: Ready-to-Use 3rd-Party Packages
Create new profiles "from scratch" or duplicate existing
Import/Export simplifies sharing of custom profiles
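The two slides above list RADIUS Change of Authorization (CoA) among the things a non-Cisco NAD must support to work with ISE, with a per-vendor network device profile describing how each NAD expects it. What every profile has in common is the RFC 5176 exchange itself, shown here as an added Python example (not code from the Cisco deck or from ISE): the policy server builds a CoA-Request or Disconnect-Request carrying the RFC 5176 Request Authenticator, the NAD verifies that authenticator before acting, answers with an ACK or with a NAK carrying Error-Cause 503 (Session Context Not Found), and the server checks that the response is bound to the request it sent. The shared secret, session table and session identifiers are constructed; the vendor-specific attributes a real CoA carries to apply the new authorization are left out.

```python
"""Added example, not code from the Cisco deck or from ISE: the RADIUS
Change-of-Authorization exchange of RFC 5176 that a policy server such as
ISE uses to make a NAD re-evaluate or drop a session. The sender computes
the packet authenticator, the NAD checks it before acting, and the NAD's
ACK/NAK is built and checked in turn. The shared secret, session table and
identifiers below are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Packet codes (RFC 5176, section 2.1)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attributes that identify the session (RFC 2865/2866) and report errors (RFC 5176)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503     # Error-Cause value (RFC 5176, section 3.5)

HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; a 16-octet Authenticator follows


def encode_avps(avps: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header octets."""
    out = b""
    for typ, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_avps(data: bytes) -> List[Tuple[int, bytes]]:
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps


def build_request(code: int, identifier: int, avps, secret: bytes) -> bytes:
    """CoA/Disconnect-Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret) (RFC 5176, section 2.3)."""
    attrs = encode_avps(avps)
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: a request whose Authenticator does not verify is discarded."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, avps, secret: bytes) -> bytes:
    """ACK/NAK Authenticator = MD5(Code + ID + Length + Request Authenticator +
    Attributes + Secret); the Identifier echoes the request (RFC 5176, 2.3)."""
    attrs = encode_avps(avps)
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Sender side: accept only a response bound to the request it sent."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def nad_handle(packet: bytes, secret: bytes, sessions: Dict[str, dict]) -> Optional[bytes]:
    """NAD side: silently drop unauthenticated or unexpected packets, NAK a
    request for a session it does not hold, otherwise act and ACK."""
    if not verify_request(packet, secret) or packet[0] not in (COA_REQUEST, DISCONNECT_REQUEST):
        return None
    is_coa = packet[0] == COA_REQUEST
    avps = dict(decode_avps(packet[20:]))
    session_id = avps.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")
    if session_id not in sessions:
        return build_response(COA_NAK if is_coa else DISCONNECT_NAK, packet,
                              [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))], secret)
    if is_coa:
        sessions[session_id]["reauth_pending"] = True   # stand-in for applying the new authorization
    else:
        del sessions[session_id]
    return build_response(COA_ACK if is_coa else DISCONNECT_ACK, packet, [], secret)


SECRET = b"constructed-shared-secret"                    # constructed, per-device in practice
SESSIONS = {"0000A1B2": {"user": "alice", "mac": "aa-bb-cc-dd-ee-ff", "reauth_pending": False}}

if __name__ == "__main__":
    req = build_request(COA_REQUEST, 7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2"),
                                         (CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff")], SECRET)
    resp = nad_handle(req, SECRET, SESSIONS)
    print("CoA-ACK" if resp and resp[0] == COA_ACK and verify_response(resp, req, SECRET) else "no ACK")
```

A NAD that skips the `verify_request` step will act on any CoA from anything that can reach its CoA port, so when validating a third-party device profile the two things to confirm are that the device rejects a bad authenticator silently and that it is configured with a per-device shared secret of real entropy rather than a default one.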
73
Don't just take it from us
Recognized as a LEADER Four Years in a Row - Gartner Magic Quadrant for NAC, 2014, 2013, 2012, 2011
"Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric, end-to-end security that is both needed and lacking in the enterprise today." - Forrester, 2011
Recipient of the 2014 Frost & Sullivan Global NAC Market Leadership Award. "In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives." - Frost & Sullivan, 2014
A CHAMPION in Info-Tech Vendor Landscape for NAC - Info-Tech Research Group, 2014
74
Live Demo
63
Network as a Sensor: see how endpoints act on the network with better visibility
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
Diagram label: Data
64
Network as an Enforcer: and make visibility actionable through segmentation and automation
• Cisco ISE
• Cisco Networking Portfolio
• Cisco NetFlow
• Lancope StealthWatch
• Cisco TrustSec Software-Defined Segmentation
Diagram: segmented zones (ADMIN ZONE, ENTERPRISE ZONE, POS ZONE, VENDOR ZONE, EMPLOYEE ZONE, DEV ZONE)