Architectural approach to Network Security Policy Enforcement:
Prior to 2004, for centralized and dynamic network security policy enforcement, Cisco had a product named NAC (the Cisco NAC solution). It was based on 802.1X and integration with network services, but it was not widely deployed.
In 2011 Cisco developed and released Cisco ISE to provide an 802.1X-based NAC solution to its customers, and since 2011 ISE has evolved aggressively with an increasingly rich feature set.
The figure below describes in a nutshell how ISE works.
ISE features & benefits:
Below is a composite list of the features and benefits of Cisco ISE.
Centralized Management: Profiling, posture, guest services, and authentication & authorization can all be configured and managed centrally via a single web-based GUI console.
Business Policy Enforcement: For business-relevant access control policy it provides rule-based, attribute-driven policy. Attributes include user identity, endpoint identity, posture validation result, authentication protocol, profiling identity, etc. These attributes can be created dynamically and saved for later use.
It integrates with various third-party external identity repositories such as LDAP, AD, RADIUS, and certificate authorities.
Access Control: It provides various access control options such as dACLs, VLAN assignment, URL redirection, named ACLs, and SGTs.
Secure Supplicant-less network access with Easy Connect: It derives authentication & authorization from login information gathered across application layers.
Guest Lifecycle Management: It helps achieve guest lifecycle management from guest authentication to guest onboarding and guest security policy compliance. Time limits, account expiration, and SMS verification are some of the services provided by ISE.
Streamlined Device Onboarding: It enables users to add and manage their own devices with a self-service portal and supports SAML 2.0 for the web portals.
It also integrates with MDM/EMM vendors to enroll mobile devices and ensure that those devices are compliant with security policy.
AAA Services: It uses the RADIUS protocol for authentication, authorization and accounting. It also supports a wide range of authentication protocols such as PAP, CHAP, EAP-MD5, PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS.
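The access control options listed above (VLAN assignment, dACLs) and the RADIUS-based AAA service meet in one message: the Access-Accept that the RADIUS server returns to the switch or controller (the NAS). The following Python example is added here and is not code from the original article or from Cisco ISE. It builds an Access-Accept carrying a VLAN assignment (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) plus a downloadable-ACL reference in a Cisco cisco-av-pair (the `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-...` form used for dACLs), and shows the NAS side verifying the RFC 2865 Response Authenticator before decoding the authorization attributes. The shared secret, packet identifier, VLAN number and ACL name are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret between the NAS and the RADIUS server for this example
SHARED_SECRET = b"constructed-shared-secret"

ACCESS_ACCEPT = 2
# RADIUS attribute types used here (RFC 2865 and RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco VSA sub-attribute "cisco-av-pair"


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the whole attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tunnel_attr(atype, tag, value):
    """Tunnel attributes (RFC 2868) carry a one-octet tag before the value."""
    return attr(atype, bytes([tag]) + value)


def cisco_avpair(text):
    """Vendor-Specific attribute: Vendor-Id(4) then sub-attribute Type(1) Length(1) String."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, vlan, dacl_name, secret=SHARED_SECRET):
    """Server side: Access-Accept carrying a VLAN assignment and a dACL reference."""
    attrs = (
        tunnel_attr(TUNNEL_TYPE, 1, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])       # 3-octet value
        + tunnel_attr(TUNNEL_MEDIUM_TYPE, 1, struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
        + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan).encode())
        + cisco_avpair(f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{dacl_name}")   # name is constructed
    )
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(blob):
    """Walk the attribute list, rejecting lengths that would run past the packet."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def verify_and_decode(packet, request_auth, secret=SHARED_SECRET):
    """NAS side: authenticate the reply before acting on its authorization attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    auth, attrs = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: reply forged or tampered")
    result = {"code": code, "vlan": None, "dacl": None}
    for atype, value in parse_attrs(attrs):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = value[1:].decode()                      # drop the tag octet
        elif atype == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = value[4:]
            if sub[0] == CISCO_AVPAIR:
                text = sub[2:sub[1]].decode()
                if text.startswith("ACS:CiscoSecure-Defined-ACL="):
                    result["dacl"] = text.split("=", 1)[1]
    return result


def demo():
    """Round trip, then a tampered reply that the NAS must refuse."""
    request_auth = os.urandom(16)   # taken from the Access-Request in a real exchange
    accept = build_access_accept(42, request_auth, vlan=120, dacl_name="PERMIT_CORP")
    decoded = verify_and_decode(accept, request_auth)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # flip a bit in the last attribute
    try:
        verify_and_decode(tampered, request_auth)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return decoded, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Any change to the attributes, or a wrong shared secret, changes the MD5 and the reply is discarded; that check is the only integrity protection plain RADIUS gives the authorization attributes, which is why the shared secret has to be long and random and the RADIUS path kept on a management network or inside RadSec/IPsec.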
Device administration access control and auditing: It uses the TACACS+ protocol for authentication, authorization and accounting of users when they access devices that support TACACS+.
Internal Certificate Authority: An internal CA can be easily deployed to simplify certificate management for devices. It provides a single console to manage endpoints, their certificates, and their status.
Device Profiling: Some pre-defined templates and profiles are built in and shipped for many endpoints such as IP phones, printers, IP cameras, smartphones and tablets.
Custom device templates can also be created to automatically detect, classify, and associate custom-defined identities when endpoints connect to the network.
Endpoint-specific authorization policies based on device type can also be created.
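The three profiling points above (shipped templates, custom templates that classify on probe data, and authorization by device type) share one mechanism: each attribute a probe collects contributes a certainty score to a profile, and a profile is considered matched once the sum reaches its minimum certainty. The following Python example is added here and is not ISE code or code from the original article; it is a small profiler built on that principle. The OUI table, the profile conditions, the certainty values, the thresholds and the per-profile authorization results are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed OUI-to-vendor table (a real profiler uses the IEEE OUI registry)
OUI_VENDORS = {
    "00:1A:2B": "ExampleVendor Phones",
    "00:3C:4D": "PrintCo",
}


@dataclass
class Endpoint:
    """Attributes a profiler collects from probes (RADIUS, DHCP, LLDP); values are constructed."""
    mac: str
    dhcp_class_id: str = ""   # DHCP option 60 vendor class identifier
    dhcp_hostname: str = ""   # DHCP option 12
    lldp_sys_desc: str = ""   # LLDP System Description TLV


@dataclass
class Condition:
    attribute: str
    op: str          # "equals", "contains" or "startswith"
    value: str
    certainty: int   # points this condition contributes when it matches


@dataclass
class Profile:
    name: str
    min_certainty: int   # total points required before the profile counts as matched
    conditions: list


# Constructed profile library; the certainty values are illustrative, not shipped templates
PROFILES = [
    Profile("IP-Phone", 30, [
        Condition("oui_vendor", "contains", "ExampleVendor", 10),
        Condition("dhcp_class_id", "contains", "IP Phone", 20),
        Condition("lldp_sys_desc", "contains", "IP Phone", 20),
    ]),
    Profile("Printer", 20, [
        Condition("oui_vendor", "equals", "PrintCo", 10),
        Condition("dhcp_hostname", "startswith", "PRN-", 10),
    ]),
    Profile("Workstation", 10, [
        Condition("dhcp_class_id", "equals", "MSFT 5.0", 10),
    ]),
]

# Constructed device-type authorization results; anything unprofiled gets the most restrictive one
AUTHZ_BY_PROFILE = {
    "IP-Phone": {"vlan": "voice", "dacl": "PERMIT_VOICE_ONLY"},
    "Printer": {"vlan": "printers", "dacl": "PERMIT_PRINT_ONLY"},
    "Workstation": {"vlan": "corp", "dacl": "PERMIT_CORP"},
}
DEFAULT_AUTHZ = {"vlan": "quarantine", "dacl": "DENY_ALL_EXCEPT_REMEDIATION"}


def endpoint_attributes(ep):
    """Flatten probe data into the attribute dictionary the conditions are evaluated against."""
    oui = ep.mac.upper()[:8]
    return {
        "oui_vendor": OUI_VENDORS.get(oui, ""),
        "dhcp_class_id": ep.dhcp_class_id,
        "dhcp_hostname": ep.dhcp_hostname,
        "lldp_sys_desc": ep.lldp_sys_desc,
    }


def condition_matches(cond, attrs):
    actual = attrs.get(cond.attribute, "").lower()
    expected = cond.value.lower()
    if cond.op == "equals":
        return actual == expected
    if cond.op == "contains":
        return expected in actual
    if cond.op == "startswith":
        return actual.startswith(expected)
    raise ValueError(f"unknown operator {cond.op}")


def certainty(profile, attrs):
    return sum(c.certainty for c in profile.conditions if condition_matches(c, attrs))


def classify(ep, profiles=PROFILES):
    """Return (profile name, certainty); among matched profiles the highest certainty wins."""
    attrs = endpoint_attributes(ep)
    best_name, best_score = "Unknown", 0
    for p in profiles:
        s = certainty(p, attrs)
        if s >= p.min_certainty and s > best_score:
            best_name, best_score = p.name, s
    return best_name, best_score


def authorize(ep):
    """Device-type based authorization: profile -> VLAN and dACL."""
    name, _ = classify(ep)
    return name, AUTHZ_BY_PROFILE.get(name, DEFAULT_AUTHZ)
```

The design point worth keeping in mind is that every input here (MAC/OUI, DHCP options, LLDP) is asserted by the endpoint itself, so profile-derived identity is weaker than a supplicant authentication; that is why the matched profile drives a narrow, device-specific policy (voice VLAN plus a voice-only dACL) rather than general access, and why an endpoint that never reaches a profile's minimum certainty lands in the restrictive default.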
Endpoint Posture Service: When PCs and mobile devices connect to the network, it performs an endpoint posture assessment.
It checks for the latest OS patches, antivirus and antispyware packages, registry settings, patch management, disk encryption, mobile PIN lock, and USB-attached media.
It also manages the enterprise patch-management system to make sure endpoints do not violate company policies.
Extensive Multi-forest Active Directory support: It supports Microsoft AD 2003, 2008, 2008R2, 2012 and 2016, and groups multiple disjoint domains into logical groups.
It provides authentication & authorization against multi-forest Microsoft AD domains.
Cisco Rapid Threat Containment: As soon as a security event occurs, it rapidly takes action to investigate and then mitigate it.
Monitoring & Troubleshooting: It has a built-in web console for monitoring, reporting, and troubleshooting to assist the help desk.