Stefan Dürnberger
CCIE Security | Sourcefire Certified Expert
Secure Access
Cisco 2014 Annual Security Report
Most organizations, large and small, have already been compromised and don’t even know it: 100 percent of business networks
The security problem
• Changing Business Models
• Dynamic Threat Landscape
• Complexity and Fragmentation
• 60% of data in breaches is stolen in hours
• 54% of breaches remain undiscovered for months
• Information of up to 750 million individuals on the black market over the last three years
“How would you do security”
Cisco ISE is not just a single product. It is a system, securing your wired, wireless and RA VPN infrastructure including guest
• Secure Access on wired, wireless and VPN: control with one policy across wired, wireless and VPN
• XYOD: users get safely on the network – fast and easy
• Guest Access: it's easy to provide guests limited-time and resource access
• TrustSec Network Policy: rules written in business terms control access
• http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• Based on the Cisco UCS C220 M3 Server
• Virtual Appliance based on VMware Hypervisor
SNS-34x5 Appliances - Specs
Platform                | SNS-3415-K9 (Secure Network Services Appliance) | SNS-3495-K9 (Secure Network Services Appliance)
Processor               | 1 x QuadCore Intel Xeon 2.4 GHz                 | 2 x QuadCore Intel Xeon 2.4 GHz
No. of cores per CPU    | 4 (4 total cores)                               | 4 (8 total cores)
Memory                  | 16 GB DDR3-1066 (4 x 4 GB)                      | 32 GB DDR3-1066 (8 x 4 GB)
Hard disk               | 1 x 2.5 inch 600 GB SAS 10K RPM                 | 2 x 2.5 inch 600 GB SAS 10K RPM
RAID                    | No                                              | Yes - RAID 1 (600 GB total storage)
Ethernet NICs           | 4 (2 on board; 2 on NIC)                        | 4 (2 on board; 2 on NIC)
Power supplies          | 1 x 650 W                                       | 2 x 650 W
Trusted Platform Module | Yes                                             | Yes
SSL acceleration card   | No                                              | Yes
Cisco ISE Architecture (diagram: view/configure policies; attributes; query; access)
Distributed Topology Deployment (diagram: Data Center A, DC B, Branch A, Branch B; APs, WLCs and switches with 802.1X, ASA VPN; Admin (P) and Admin (S), Monitor (P) and Monitor (S), Policy Services cluster HA, Inline Posture Nodes, distributed Policy Services, AD/LDAP (External ID/
ISE Software - Secure Access: Classification Attributes
Identity Stores
Identity Store   | OS / Version
ISE Internal     | Endpoints, Internal Users
RADIUS           | RFC 2865-compliant RADIUS servers
Active Directory | Microsoft Windows Active Directory 2003 (32-bit only); 2003 R2 (32-bit only); 2008 (32-bit and 64-bit); 2008 R2 (32-bit and 64-bit); 2012 (ISE 1.2)
LDAP Servers     | SunONE LDAP Directory Server, Version 5.2; Linux LDAP Directory Server, Version 4.1; NAC Profiler, Version 2.1.8 or later
Token Servers    | RSA ACE/Server 6.x Series
• PEAP/TLS is supported on all OS and compatible with the compliance module
• The compliance module is supported on Windows & Mac
• The profiling database is filled with endpoint information
• Using this information in policies will consume licenses
• State of compliance with the company’s security policy:
  • Is the system running the current Windows patches?
  • Do you have anti-virus software installed? Is it up to date?
  • Do you have anti-spyware software installed? Is it up to date?
  • Services, applications/processes & registry keys
Cisco ISE - Compliance
• VLANs
• DACLs
• SGTs
• Downlink Encryption
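The compliance checks listed above and the enforcement types (VLAN, dACL, SGT) come together in an authorization decision. The following added example (not Cisco's ISE code) models that decision in Python; the service name, registry key, definition-age threshold, VLAN ids, dACL and SGT names are constructed assumptions.

```python
"""Posture compliance checks mapped to an enforcement result (added example, not Cisco code).
Models the slide's checks (patches, anti-virus/anti-spyware installed and up to date,
required services and registry keys) and maps the outcome to VLAN / dACL / SGT enforcement.
Service name, registry key, age threshold, VLAN ids, dACL and SGT names are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

MAX_DEFINITION_AGE = timedelta(days=3)  # assumption: older signatures count as out of date
REQUIRED_SERVICES = {"wuauserv"}  # assumption: Windows Update service must be running
REQUIRED_REGISTRY_KEYS = {r"HKLM\SOFTWARE\ExampleCorp\DiskEncryption"}  # constructed key

@dataclass
class EndpointReport:
    """What a posture agent reports about one endpoint (constructed fields)."""
    patches_current: bool
    av_installed: bool
    av_definitions: Optional[date]
    antispyware_installed: bool
    antispyware_definitions: Optional[date]
    running_services: Set[str] = field(default_factory=set)
    registry_keys: Set[str] = field(default_factory=set)

def failed_checks(report: EndpointReport, today: date) -> List[str]:
    """Return the name of every compliance check the endpoint fails (empty list = compliant)."""
    def up_to_date(defs: Optional[date]) -> bool:  # definitions must exist and be recent
        return defs is not None and today - defs <= MAX_DEFINITION_AGE
    failures = []
    if not report.patches_current:
        failures.append("windows-patches")
    if not report.av_installed:
        failures.append("av-missing")
    elif not up_to_date(report.av_definitions):
        failures.append("av-outdated")
    if not report.antispyware_installed:
        failures.append("antispyware-missing")
    elif not up_to_date(report.antispyware_definitions):
        failures.append("antispyware-outdated")
    failures += sorted("service-" + s for s in REQUIRED_SERVICES - report.running_services)
    failures += sorted("regkey-" + k for k in REQUIRED_REGISTRY_KEYS - report.registry_keys)
    return failures

def authorization_result(failures: List[str]) -> Dict[str, object]:
    """Non-compliant endpoints get a quarantine VLAN plus a remediation-only dACL;
    compliant ones get the production VLAN and an employee SGT (all values constructed)."""
    if failures:
        return {"state": "NonCompliant", "vlan": 999,
                "dacl": "PERMIT-REMEDIATION-ONLY", "sgt": None, "failures": failures}
    return {"state": "Compliant", "vlan": 10, "dacl": None, "sgt": "Employees", "failures": []}
```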
Sponsor & Guest
• Local users or Active Directory users/groups are allowed to generate guest accounts
• Different types of guests (daily – weekly – monthly – user defined)
• Different sponsor portals can be configured; fully customizable (HTML, CSS)
• Concept of "sponsor all accounts", "group accounts" and "own accounts"
Sponsor & Guest cont.
• Local lobby users can only see and manage the guest accounts they created themselves
• Guest Flow
Sponsor & Guest cont.
• All unknown endpoints (wired or wireless) are treated as guests. This makes your network a closed infrastructure
• More options for guests:
  • Guest self-registration via SMS or email
  • Guest self-registration with sponsor approval
  • Daily code for trainings