
Cisco Releases Identity Services Engine (AKA ISE)

Introduction

After years of innovation around Network Access Control, Cisco has released its next-generation NAC solution: Identity Services Engine. ISE combines functions that were previously spread across loosely coupled devices - AAA, profiling, posture and guest management - in a single, scalable appliance. As part of the Cisco TrustSec solution and Cisco's SecureX architecture for Borderless Networks, the Cisco Identity Services Engine provides a centralized policy engine for defining and enforcing business-relevant policy. This policy workhorse enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

ISE Features & Benefits

  • Visibility: Single Platform & Pane of Glass - Lets IT see who and what is on the network for advanced discovery and troubleshooting
    • Dynamically collects & consolidates endpoint information to make adaptive policy decisions based on ‘context’
    • Integrates functions previously delivered in separate, loosely coupled applications to deliver higher levels of policy enforcement
    • Inherent benefits include simplified administration, monitoring, and troubleshooting for all these functions
  • Policy Architecture
    • Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce context-based business policies across the network
    • Business-relevant policies: Create and enforce consistent policy from the head office to the branch office 
    • Coordinated Profiling: Allows profiling data to be tightly integrated into access policies. E.g. an LDAP user with a personal iPad gets a different privilege level than the same LDAP user with an organization-owned iPad
    • Mobile Device Security: Dynamically identify and provision the proper policies for tablets, smartphones, GFE, etc.
  • Compliance: Create consistent policy across the infrastructure for corporate governance. 
    • Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively mitigate network threats such as viruses, worms, and spyware 
    • Ensure configuration baselines are met
    • Ensure patches and AV/AS definitions are up to date
  • Efficiency: Increase IT staff productivity by automating labor-intensive tasks and simplifying service delivery
    • Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with consistent policy throughout the enterprise
    • Dramatically reduces cost of ownership with world-class monitoring and troubleshooting features designed to streamline operations for your helpdesk and support teams
  • Compatibility: Cisco Infrastructure Integration AND a standards based platform 
    • ISE integration is systematically tested across Cisco switches
    • Because 802.1X is an IEEE standard, third-party device support is inherent
    • A Few of the Cisco Switch Features that help with deployment:
      • Open Mode – Allows customers to deploy on day 1 without causing outages: the port forwards traffic regardless of the authentication outcome, which eases the rollout of 802.1X
      • Multi Authentication – Allows hubs, desktop VMs, etc. behind a single port to authenticate individually and receive differentiated policies
      • Security Group Access (SGA) – Assigns a Security Group Tag (SGT) at authentication time so that policy follows the user or device role rather than its IP address or VLAN


Packaging and Licensing

Cisco Identity Services Engine is available as either a physical or virtual appliance. The type of license is based on functionality.
  • The Base license is intended for organizations that want to authenticate and authorize users and devices on their network. It includes AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting.
  • The Advanced license expands upon the Base license and enables organizations to make policy decisions based on user and device compliance. Advanced license features include device profiling, posture services, and security group access enforcement capabilities.

Summary

ISE will be the platform that enables organizations to finally make use of 802.1X port-based network access control, keep pace with the ever-evolving enterprise and deploy in days/weeks instead of months/years. Check back for detailed technical write-ups on configuration, best practices and use cases.


ISE Documentation

Comments

  1. I liked your work and the way in which you have shared this article here about Wireless Network Solution Provider. It is a beneficial and helpful article for us. Thanks for sharing an article like this.

  2. Thank you for putting all these strategies into a very readable place. It shows your ability and great skills. Keep sharing such articles in future. Cyber Security Assessment for IT infrastructure

  3. You are providing good knowledge. It is really helpful and factual information for us and everyone to increase knowledge about Cyber Security Latest News Canada. Continue sharing your data. Thank you.

  4. A very delightful article that you have shared here. Cyber Security Operations Consulting Firm. Your blog is a valuable and engaging article for us, and also I will share it with my companions who need this info. Thankful to you for sharing an article like this.

  5. This blog is really helpful to deliver updated affairs over the internet, which is really appreciable.
    Vehicle fleet tracking Brisbane


