Cisco ISE Group Policies and Profiling

Cisco recently released the ISE (Identity Services Engine, middle of 2010), and with it a number of interesting features that can improve the security posture of a network.  The ISE is the next generation of the Cisco ACS and can be deployed as an appliance or as a VM.  See http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html for more information.

Two of these features, security group tags/policies and endpoint profiling, are discussed here.  Other interesting features include in-line posture checking (placed behind WLCs and RAS VPN gateways) and the guest access service.  Posture assessment is still performed using a NAC agent installed on the client (Windows or Mac).

The new group policy feature provides what looks like a simple method of filtering traffic at the edge of the network (the LAN switch port).  So, in addition to a firewall at the edge of a security zone (between trusted and untrusted networks), you can filter within the trusted network to allow groups of users access to specific servers.  The ISE can also profile devices on the network.  Profiling would primarily be used where open access to the network is in place and you are unsure of what is connecting to your network.  However, in some instances where you have an 802.1X implementation and want to monitor your network to get a better understanding of what types of end devices are installed, using the profiler functionality may make sense.

Security Group Policies:

In addition to basic VLAN assignment, the switch port can be configured to support group policies.  Once a user authenticates to the network using 802.1X (any method, similar to ACS), the ISE can download policies to the switches which determine what kind of access the device has to the network.  In this case, the user is assigned to the appropriate VLAN and then a security group tag is applied.  The Security Group Tag (SGT) is a 16-bit single label indicating the classification of a source in the SGA domain, appended to an Ethernet frame or IP packet.  By inserting the group tag at the network ingress, the user's packets can be filtered at any egress point, allowing for dynamic access control to resources.  Tags can be assigned to different users in the same VLAN, which allows for a simplified topology but granular access control.  Tags can be assigned statically based on IP address directly on the switch, or via the ISE for central management.  The ISE assigns the tags based on a successful 802.1X or MAB authentication.
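To make the mechanism concrete, here is a small simulation, written for this post rather than taken from Cisco or the ISE, of the tag-at-ingress / filter-at-egress model described above.  An ingress switch classifies each source either from an authentication result (what the ISE would push after 802.1X/MAB) or from a static IP-to-SGT map, the 16-bit tag travels with the packet, and an egress point consults a source-SGT by destination-SGT matrix.  VLAN membership plays no part in the decision, so two users in the same VLAN get different access.  All tag numbers, addresses and group names are constructed for the demo.

```python
"""Toy model of security-group tagging (added example, not Cisco or ISE code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed 16-bit SGT values; the group names are hypothetical.
SGT_UNKNOWN = 0          # untagged / unclassified source
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_ERP_SERVER = 100


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    vlan: int
    sgt: Optional[int] = None   # inserted at ingress; None means never tagged


@dataclass
class IngressSwitch:
    """Assigns an SGT dynamically (auth result from ISE) or statically (IP map)."""
    auth_results: Dict[str, int]                               # src_ip -> SGT after 802.1X/MAB
    static_map: Dict[str, int] = field(default_factory=dict)   # src_ip -> SGT configured on the switch

    def classify(self, pkt: Packet) -> Packet:
        # A dynamic (authenticated) result wins over a static mapping.
        tag = self.auth_results.get(pkt.src_ip, self.static_map.get(pkt.src_ip, SGT_UNKNOWN))
        if not 0 <= tag <= 0xFFFF:
            raise ValueError("SGT must fit in 16 bits")
        pkt.sgt = tag
        return pkt


@dataclass
class EgressEnforcer:
    """Applies the policy matrix: (source SGT, destination SGT) -> 'permit' | 'deny'."""
    dest_map: Dict[str, int]                 # dst_ip -> destination group tag
    matrix: Dict[Tuple[int, int], str]       # policy downloaded from the ISE (constructed here)
    default: str = "deny"                    # no matching cell: deny, including untagged traffic

    def decide(self, pkt: Packet) -> str:
        if pkt.sgt is None:
            return self.default
        dgt = self.dest_map.get(pkt.dst_ip, SGT_UNKNOWN)
        return self.matrix.get((pkt.sgt, dgt), self.default)


def run_demo() -> Dict[str, str]:
    """Four sources in the same VLAN; only the tag decides what reaches the ERP server."""
    ingress = IngressSwitch(
        auth_results={"10.1.10.25": SGT_EMPLOYEE, "10.1.10.26": SGT_CONTRACTOR},
        static_map={"10.1.10.200": SGT_EMPLOYEE},   # e.g. a host that cannot do 802.1X
    )
    egress = EgressEnforcer(
        dest_map={"10.1.50.10": SGT_ERP_SERVER},
        matrix={
            (SGT_EMPLOYEE, SGT_ERP_SERVER): "permit",
            (SGT_CONTRACTOR, SGT_ERP_SERVER): "deny",
        },
    )
    flows = {
        "employee->erp": Packet("10.1.10.25", "10.1.50.10", vlan=10),
        "contractor->erp": Packet("10.1.10.26", "10.1.50.10", vlan=10),
        "static-host->erp": Packet("10.1.10.200", "10.1.50.10", vlan=10),
        "unknown->erp": Packet("10.1.10.99", "10.1.50.10", vlan=10),
    }
    return {name: egress.decide(ingress.classify(pkt)) for name, pkt in flows.items()}


if __name__ == "__main__":
    for flow, verdict in run_demo().items():
        print(f"{flow:18s} {verdict}")
```

The point of the model is the last flow: a source that never authenticated carries the unclassified tag and falls through to the deny default, so a new device plugged into the same VLAN gains nothing until the ISE has classified it.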

The following document was used as a reference.  It describes the configuration of a TrustSec environment.  It is based on ACE but I am assuming that the ISE could also be used.

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.pdf

Device Profiling:

Profiles can be generated from a variety of sources, including NetFlow, DHCP requests, DNS requests, SNMP traps, SNMP queries, etc.  The switches just need to be configured to send this information to the ISE, where it is matched against profiles and the endpoint database is populated.  From this database you can generate reports.  It is not very clear whether you can define actions based on these profiles (e.g. block) or whether they are just a source of information.
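The following is an added illustration of the profiling flow just described, written for this post and not taken from the ISE.  Attribute records arriving from different collectors (DHCP, SNMP, DNS) are merged per endpoint MAC into a database, each profile is a list of weighted conditions with a minimum score, and the best-scoring profile that clears its threshold is reported.  The profiles, weights, MAC prefixes and event records are all constructed for the demo; the OUI used is a locally administered prefix, not a real vendor assignment.

```python
"""Toy endpoint profiler (added example, not ISE code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Condition:
    attribute: str                 # attribute name collected from DHCP/SNMP/DNS/etc.
    test: Callable[[str], bool]    # predicate on the attribute value
    weight: int                    # contribution to the profile score when it matches


@dataclass
class Profile:
    name: str
    min_score: int
    conditions: List[Condition]

    def score(self, attrs: Dict[str, str]) -> int:
        return sum(c.weight for c in self.conditions
                   if c.attribute in attrs and c.test(attrs[c.attribute]))


# Hypothetical profile library; thresholds and weights are constructed.
PROFILES = [
    Profile("Windows-Workstation", 20, [
        Condition("dhcp-class-identifier", lambda v: v.startswith("MSFT"), 10),
        Condition("dhcp-parameter-request-list", lambda v: "1,3,6,15,31,33" in v, 10),
    ]),
    Profile("Network-Printer", 30, [
        Condition("snmp-sysdescr", lambda v: "printer" in v.lower(), 20),
        Condition("dns-name", lambda v: v.startswith("prn-"), 20),
    ]),
    Profile("IP-Phone", 30, [
        Condition("oui", lambda v: v.upper() == "AA:BB:CD", 20),   # constructed OUI
        Condition("dhcp-class-identifier", lambda v: "phone" in v.lower(), 20),
    ]),
]

# Constructed collector events; one endpoint is seen by two different collectors.
EVENTS = [
    {"mac": "AA:BB:CC:00:00:01", "source": "dhcp",
     "attrs": {"dhcp-class-identifier": "MSFT 5.0",
               "dhcp-parameter-request-list": "1,3,6,15,31,33,43"}},
    {"mac": "AA:BB:CC:00:00:02", "source": "snmp",
     "attrs": {"snmp-sysdescr": "Example Laser Printer 4000"}},
    {"mac": "AA:BB:CC:00:00:02", "source": "dns",
     "attrs": {"dns-name": "prn-floor2.example.internal"}},
    {"mac": "AA:BB:CD:00:00:03", "source": "dhcp",
     "attrs": {"dhcp-class-identifier": "ExamplePhone 1.0"}},
    {"mac": "AA:BB:CC:00:00:04", "source": "dhcp",
     "attrs": {"dhcp-class-identifier": "unknown-agent"}},
]


def build_endpoint_db(events: List[dict]) -> Dict[str, Dict[str, str]]:
    """Merge every collector's attributes into one record per MAC address."""
    db: Dict[str, Dict[str, str]] = {}
    for ev in events:
        entry = db.setdefault(ev["mac"], {"oui": ev["mac"][:8]})
        entry.update(ev["attrs"])
    return db


def classify(attrs: Dict[str, str]) -> str:
    """Highest-scoring profile that reaches its own minimum, else 'Unknown'."""
    best_name, best_score = "Unknown", -1
    for p in PROFILES:
        s = p.score(attrs)
        if s >= p.min_score and s > best_score:
            best_name, best_score = p.name, s
    return best_name


def profile_endpoints(events: List[dict]) -> Dict[str, str]:
    return {mac: classify(attrs) for mac, attrs in build_endpoint_db(events).items()}


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """The kind of per-profile count a report would be built from."""
    return dict(Counter(results.values()))


if __name__ == "__main__":
    outcome = profile_endpoints(EVENTS)
    for mac, name in outcome.items():
        print(f"{mac}  {name}")
    print(summarize(outcome))
```

Note that the printer is only classified once the SNMP and DNS observations are combined; with the DHCP record alone it would stay "Unknown", which is why the collectors on the switches matter more than the profile library itself.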
