Zenprise recently released an upgrade to their flagship mobile device management (MDM) solution. My team has been showcasing the previous version, 6.6, and went through the upgrade to Zenprise 7.01 this week. The Zenprise ZDM upgrade took around 15-20 minutes; the steps included upgrading the software and Java on the hosting server. Here is a comparison of both versions of Zenprise ZDM.
Dashboard: Zenprise 7.01 now includes a dashboard, or centralized landing page. From a visual perspective, it’s a great way to quickly identify the state of the system and managed endpoints. The picture below is customized for 6 different reports. Functionality-wise, the previous version of Zenprise could accomplish the same things by clicking around.
iOS and Android Enrollment: The new 7.01 version of Zenprise offers a dedicated section for device enrollment that includes options such as MDM server discovery and email or SMS notification. We felt enrollment was a weak spot for Zenprise; however, this release dramatically simplifies the process. The group enrollment feature makes it much easier to deploy the Zenprise MDM software to a larger number of users at once. Furthermore, Zenprise 7.01 can import a CSV file to populate its database for bulk enrollment.
iOS Location Services, Geo-tracking and Geo-fencing: This is a huge feature. Admins can set location service policies to locate devices at any given time. Geofencing allows admins to define a geographic perimeter and perform a selective or full wipe upon perimeter breach. We have had requests for geofencing that range from stopping students from walking off with school-issued mobile devices to military secured facilities wiping any device that leaves the controlled area. In high security areas it is possible to wipe a device on demand as it exits a “safe” zone.
Cisco recently updated their flagship access control solution, Identity Services Engine (ISE), with release 1.1.1, also labeled ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions about on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.
On-boarding simply means bringing a new device onto the network for the first time. This process includes certificate enrollment and profile provisioning without involving IT and with little interaction from the end user. ISE 1.1MR accomplishes these goals by leveraging an existing Certificate Authority, a user database such as Active Directory, and the ISE framework.
The ISE on-boarding process can vary; here it will be explained as a new device connecting to an SSID designated for on-boarding new devices (it can be open or secured with PEAP). Devices that connect to the on-boarding SSID will be redirected to a guest registration portal. The user will authenticate, which will trigger the certificate enrollment and profile provisioning process. Parameters to connect to the internal secure SSID will be included with the configuration profile that is provisioned to the mobile device post authentication. From that point on, the device will use the internal SSID for network access, which may have different ISE authorization rules depending on the design. Devices that fail to complete the on-boarding process will default to either a guest SSID or be denied access, depending on the desired policy.
WIRELESS: On-boarding can be designed many ways; for this post we will use two SSIDs called Provisioning_Wireless for new devices and Employee_Wireless for existing approved devices. An access list limiting access to ISE, DHCP and DNS will be enabled to prevent devices from staying on the provisioning SSID. A possible configuration for both SSIDs could be as follows:
To build this, go to WLANs > Create New > Go and fill out the profile details. Use NONE for the layer 2 settings so it’s OPEN. For AAA, set the RADIUS server to ISE. Under Advanced, enable Allow AAA Override and change the NAC state to Radius NAC. Go to Controller > General > Fast SSID change and enable Fast SSID to help speed up SSID changing.
ISE: (1) First, in ISE set up Active Directory by going to Admin > External Identity Sources > Active Directory and join ISE to an AD system.
(2) Next go to Admin > External Identity Sources > Certificate Authentication Profile > ADD to define the certificate authentication profile (name it and choose Common Name for X509).
(3) Next define an Identity Source Sequence by going to Admin > Identity Source Sequences > Add. Give it a name, enable it, select the certificate profile you just created, then add AD to the authentication search list.
(4) Next configure ISE to act as a Simple Certificate Enrollment Protocol (SCEP) proxy server. Go to Admin > Certificates > SCEP CA Profiles > Add. After defining your SCEP server, ISE will download the RA and root CA certificates of the CA server (this can be verified under the certificate store via System > Certificate > Certificate Store).
For this scenario, we will configure ISE authentication to use MAB for on-boarding new devices. In many cases, ISE will not know the MAC address in advance, so it must be configured to continue the authentication process via redirection regardless.
This is done in ISE:
(1) Go to Policy > Authentication, choose your MAB wireless policy, click the caret after Allow Protocols to show the user options, and click the + sign for Use.
(2) Select IF USERS NOT FOUND, CONTINUE. As a reminder, ISE authentication policies are evaluated top down, so make sure your MAB policy used for BYOD is at the top and open for all identity stores. You should lock down the 802.1x wireless policy to only wireless certificates.
Client provisioning is based on how ISE classifies the client machine. ISE has customized packages available that include a software-provisioning wizard, which configures 802.1x settings and the ability to obtain digital certificates on the endpoint.
To download wizard packages in ISE, go to Policy Elements > Results > Client Provisioning > Resources > Add. Common mobile devices such as iOS devices typically have these settings available natively, so a wizard is not needed.
To configure client provisioning in ISE:
(1) Go to Policy Elements > Results > Client Provisioning > Resources > Add.
(2) Create a native supplicant profile by giving it a name, selecting the Wireless checkbox, your on-boarding SSID, WPA2 for security, TLS for allowed protocols, and key size 2048.
(3) Next go to Policy > Client > Provisioning to build your provisioning resources. Create one for native devices and select the mobile profile you just created for the results (example: Rule = IOS, Identity Group = Any, Operating Systems = Mac iOS All, and your new mobile profile for results).
(4) Create another that is similar but use Android for the operating system. Create a third for generic Mac OS X devices and use the downloaded wizard. You may also want to create separate ones for wired and wireless. The same goes for two more to cover wireless and wired Windows devices. Here is an example of my client provisioning policies:
The final steps are verifying that profiling for wireless is working and that your authorization profiles are set up for redirection, employee and guest access (see previous postings for these configs). These can vary depending on how you want to restrict devices that pass and fail your policies.
Cisco has posted the next release of their flagship security solution, Identity Services Engine (ISE) 1.1.1, or ISE 1.1MR. ISE 1.1.1 is called a maintenance release; however, it includes some important new features, several of them themed around Bring Your Own Device (BYOD).
You can find the ISE 1.1.1 release HERE and the latest ISE 1.1.1 documents HERE, or go to www.cisco.com/go/ise for more information and http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation.
Here is a breakdown of what is new with ISE 1.1.1:
New Default Authorization Profile (“Blacklist”) - ISE 1.1.1 can now “blacklist” user devices that get lost, or otherwise become unusable or are taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network and they are not allowed back on until the device is reinstated.
Dictionary Attribute-to-Attribute Authorization Policy Configuration - You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration
New Device Registration Task Manager - New visual path through the various Cisco ISE 1.1.1 administration and configuration processes necessary to enable administrators to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end users
Native Supplicant Provisioning Profile Configuration - Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” currently available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and Android
Enhanced Client Provisioning Policy Configuration - You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1. (NOTE: In my example below, I’m using the iOS and Android native profiles, while for Mac OS X and Windows I downloaded the wizards from Cisco.)
SCEP Authority Profile Configuration Page - Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies and maintains connectivity with the SCEP authority server(s) you specify, and even performs load-balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the network.
RADIUS Proxy Attribute - Enhances the RADIUS sequence flows and processing. When an Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decision making based on additional attributes and groups queried from AD and LDAP.
EAP Chaining - Allows authenticating both machine and user in the same EAP-FAST authentication in a configurable order. When the EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs the usual EAP-FAST authentication.
EAP-TLS as an Inner Method for EAP-FAST - Allows usage of the EAP-TLS protocol as an inner method for the EAP-FAST protocol. The implementation is equivalent to the usage of EAP-TLS as an inner method of PEAP.
Device Registration Portal - A standalone portal that can be completely customized to suit your organization. A network access user who is configured as an employee in an organization can access the portal, which allows them to bring their personal devices into an enterprise network through an employee authentication and then a device registration process. An employee can add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database and profiles them like any other endpoint. Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface by using the identities list and reports.
New Reports in Cisco ISE 1.1.1
Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.
Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time.
Change of Authorization - Triggers a CoA when an endpoint is added to or removed from an endpoint identity group that is used by an authorization policy. A CoA is triggered whether the endpoint identity group assignment changes due to dynamic profiling or due to a static assignment to an endpoint identity group.
Go download the latest ISE 1.1.1 release. The upgrade process will take you around 30 minutes to complete. Here is what it will look like:
ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory…
Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
% This application Install or Upgrade requires reboot, rebooting now…
Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
The system is going down for reboot NOW!
Cisco recently announced a partnership with Lancope to address Advanced Persistent Threat (APT) type attacks. The reason Lancope / StealthWatch was added is that most security solutions rely on signatures or behavior to identify threats. Some newer technologies leverage reputation (see my post HERE) or honey pots (for example FireEye); however, advanced attacks, aka APTs, are bypassing these traditional security solutions.
APTs are typically customized for a specific target and designed to stay under the radar using techniques such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are firewalls, IPS/IDS, content filters, anti-virus / anti-malware, and other technologies that operate on a “probe” type design, meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to their inability to detect the methods APTs use on the network, as well as the difficulty of placing detection technology in all network areas monitoring all layers of the network stack.
Some recent offerings to combat the APT threat are packet-level and flow-based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology. Both views have pros and cons; however, one clear advantage of using NetFlow is that many network devices are capable of generating flows, which makes it more cost effective than capturing and storing packet-level data. I’m not saying packet-level monitoring is bad; however, storage requirements tend to quickly raise the price tag of this approach.
Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network devices such as switches, routers and firewalls generate flows of information, typically NetFlow or sFlow, for the hosts connected to them. As flows are collected, Lancope aggregates, normalizes and analyzes the NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine (ISE) by taking in contextual information such as user identity, endpoint device profiling and posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months, throttling its phone-home communication patterns to bypass their IPS and SIEM solution.
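As an added example (not Lancope/StealthWatch code), the following Python stitches unidirectional flow records into bidirectional conversations and flags the low-and-slow phone-home pattern described above: connections that recur at regular intervals and carry little data. The flow record format, the thresholds and the sample flows are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, NetFlow-style (constructed format)."""
    start: int     # flow start time, seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def conversation_key(flow):
    """Normalize a flow to (client, server, service_port, proto) plus its direction.
    Heuristic: the side using the lower port number is treated as the server."""
    if flow.dport <= flow.sport:
        return (flow.src, flow.dst, flow.dport, flow.proto), "out"
    return (flow.dst, flow.src, flow.sport, flow.proto), "in"


def stitch(flows):
    """Merge one-way flows into bidirectional conversations keyed by the client side."""
    convs = defaultdict(lambda: {"starts": [], "bytes_out": 0, "bytes_in": 0})
    for flow in flows:
        key, direction = conversation_key(flow)
        conv = convs[key]
        if direction == "out":
            conv["starts"].append(flow.start)   # client-initiated flow
            conv["bytes_out"] += flow.nbytes
        else:
            conv["bytes_in"] += flow.nbytes      # the matching return flow
    return dict(convs)


def find_beacons(convs, min_flows=6, max_jitter=0.2, max_avg_bytes=2000):
    """Flag conversations that recur at near-constant intervals with little data.
    Jitter is the coefficient of variation of the gaps between client flows."""
    findings = []
    for key, conv in convs.items():
        starts = sorted(conv["starts"])
        if len(starts) < min_flows:
            continue
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        avg_bytes = (conv["bytes_out"] + conv["bytes_in"]) / len(starts)
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            findings.append({"conversation": key, "count": len(starts),
                             "period_s": round(period), "jitter": round(jitter, 3),
                             "avg_bytes": round(avg_bytes)})
    return findings


def sample_flows():
    """Constructed records: an implant on 10.1.1.25 calling 203.0.113.7:443 about
    once an hour with tiny payloads, plus ordinary, irregular web browsing."""
    flows = []
    t0 = 1_341_990_000
    for i in range(8):
        t = t0 + i * 3600 + (i % 3) * 40     # hourly, with a little jitter
        flows.append(Flow(t, "10.1.1.25", 50000 + i, "203.0.113.7", 443, "tcp", 620))
        flows.append(Flow(t + 1, "203.0.113.7", 443, "10.1.1.25", 50000 + i, "tcp", 410))
    for i, offset in enumerate([0, 17, 900, 905, 2400, 7100, 7103, 12000]):
        t = t0 + offset
        flows.append(Flow(t, "10.1.1.25", 51000 + i, "198.51.100.20", 80, "tcp", 9_000))
        flows.append(Flow(t + 1, "198.51.100.20", 80, "10.1.1.25", 51000 + i, "tcp", 250_000))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(stitch(sample_flows())):
        print(hit)
```

Only the hourly conversation to 203.0.113.7 is reported; the browsing session to 198.51.100.20 fails both the jitter and the byte-volume thresholds.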
MY Lancope LAB
When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
Once launched, the management interface of Lancope looks like this.
I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.
This Lancope dashboard shows traffic by hosts and bandwidth usage.
This shows a flow table in my Lancope lab. Flows are typically one-way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.
This Lancope diagram shows a global map of host relationship usage.
Here is a Lancope report showcasing user integration with Cisco Identity Services Engine (ISE). Notice how inside Lancope you can see who the users are, where they are located and what type of devices they have on the network, utilizing the authorization and profiling capabilities of Cisco ISE.
The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine (ISE) integration is Cisco’s new flagship story to address advanced cyber threats, aka APTs. I believe it’s critical to monitor flow or packet-level data since in many cases it’s the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.
Many network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges on their systems or, recently, the demand to bring personal mobile devices onto the network. For these and other reasons, visibility into what is on the network is becoming blurred.
Cisco released its flagship access control solution, Cisco Identity Services Engine (ISE), last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying access rather than understanding that a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional, yet best practice is to enable as many as possible to gain the best network visibility. Some options for probes are NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, NMAP, DNS, SNMP Query and SNMP Traps. Ports used are configurable, as are device profiles. For example, if an Avaya phone profile requires DHCP as a requirement for identification, that requirement can be adjusted if DHCP is not available.
To prove the ISE network monitoring concept, I stood up an ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA set up, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugged into a DHCP port and sniffing the wire using profiling probes.
My network is very basic. I have a small Cisco firewall providing LAN access with a Roku Netflix player, Blu-ray device (off during the test) and Cisco access point powered from the firewall. ISE was able to identify my laptop as an Apple workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), my Mac mini as an Apple device hosting VMware, an Apple iPad connecting to the access point and an iPhone connected but not surfing the internet (seen as an Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.
I verified the findings by launching an NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release; however, 1.1 includes NMAP as well.)
Cisco Identity Services Engine (ISE) is a very powerful access control tool, yet many forget the simple things in life. Consider ISE for identifying what is on your network, using profiling as a network monitoring tool. It’s a great first step to establish your network policy.
Cisco’s flagship network management solution, LMS, has come a VERY long way. I was a Cisco LAN Manager LMS hater for a long time; however, the latest version is a completely new program. I’m now using LMS as my go-to assessment tool and am extremely happy with its capabilities. Here are a few steps to set up your own Cisco LMS environment.
Go to www.cisco.com/go/LMS and download the latest LMS software (4.2). You will have a full 90-day license upon installation. The requirements for LMS are pretty large; however, they offer a few options regarding storage (thick takes up around 270 GB even though it’s not all used, while thin uses around 90 GB). See the Cisco LMS website for the exact specs. I’m currently using ESXi 5 on a customized Mac mini to host my LMS 4.2.
You will be prompted with standard questions upon starting up LMS via the command line (IP, default gateway, DNS, NTP, passwords, etc.). Fill out the questions and let the installation complete. Once complete, you should be able to access the LMS 4.2 GUI using your IP:1741 (e.g. 192.168.45.12:1741).
Login with the username and password you created during the setup. You will hit the LMS Getting Started landing page (also found under the admin tab).
To start capturing network devices, click Device Management / Device Addition. Use the workflow to walk through adding devices. First add credentials (i.e. login name, Cisco CCO, passwords and SNMP). Next a policy (i.e. the IP scope to be scanned). The last step is adding devices. You can do this manually or in bulk. Best practice is to ensure your credentials are set up properly by manually adding one device. Click "manually add a device" and try adding one device using the credentials you created.
To launch a capture in LMS, click Edit Custom Discovery. LMS 4.2 offers many ways to discover the network. You can choose a “seed” as a starting point from which LMS captures, meaning you can select a device and discover neighbor devices from that point. Options for device captures include ARP, BGP, OSPF, routing tables, CDP, CCDP, Ping, Cluster Discovery Module, and HSRP. Like most Network Management Systems, SNMP is a foundational element of read-only communication from the network devices to the management platform in LMS 4.2. Options are SNMP v1, v2 and v3. Choose how you want new devices labeled / organized and launch the capture. As devices are discovered and logged, your LMS DCR count will increase.
Click on Inventory to see your network.
Under Reports you will find a TON of options for reports. My favorites are detailed device information, hardware / software statistics, IPv6 support, and utilization reports. One huge add-on with the new LMS 4.2 release is the Compliance and Audit report. It includes an End of Sale / Life report for Cisco hardware and software, SmartNet contract verification and a ton of compliance reports such as HIPAA, NSA best practices, PSIRT (Cisco Security Advisory), etc.
The LMS Work Centers tab has an awesome dedicated section for 802.1x. It shows whether your devices are 802.1x capable and provides methods to update software and push down configurations using step-by-step templates. This is huge for those looking at 802.1x via Cisco ACS or Identity Services Engine (ISE).
There are other dashboards to check out like EnergyWise (aka the ability for switches to reduce power for PoE devices during non-business hours), Medianet (optimizing the network for collaboration technologies), etc. Lots of good stuff. It’s worth checking out the latest LMS. Hopefully this guide helps!
Today you may have Cisco NAC appliance or ACS and have heard great things about Cisco’s latest access control technology known as Identity Services Engine (ISE). What are your options to migrate to ISE? Here are some things you should know.
NOTE: These tips apply to how things are August 2011.
OVERVIEW:
ISE provides all the functionality of the legacy NAC appliance, NAC Profiler and NAC Guest Server. ISE provides all the functionality of ACS except device administration. This makes all existing customers running these services, except ACS device administration (TACACS / RADIUS), upgrade candidates. Many customers are keeping ACS for device management and purchasing new ISE solutions.
SOFTWARE
ISE is a free software upgrade for customers who have NAC appliance or NAC Profiler. This applies to both the base and advanced licenses.
ISE is available at a 50% software discount for customers who have ACS or NAC Guest Server. The 50% discount is a migration part for the base license only. The advanced features license is not impacted by this discount.
HARDWARE
ISE is supported on current generation NAC appliance hardware (3315, 3355, 3395) and ACS (1121) hardware.
ISE is not supported on any previous generation hardware (3310, 3350, 3390, 1120, 3140, etc.). There are hardware / VMware migration discounts for customers moving from these platforms to the latest appliance or VMware systems.
ISE is available as an appliance or on VMware. There are VMware bundle options to increase the discount when purchasing multiple VMware instances.
ISE hardware is discounted if the customer owns an older NAC appliance (3310, 3350 or 3390) or ACS appliance (1120).
Example 1: Customer has a NAC Manager appliance, 2000-user Cisco NAC Server appliance, Cisco Profiler appliance and Cisco Guest Server. All hardware is the newer model IBM appliances (3315, 3355 or 3395). The customer can get ISE software at no cost. They can download the ISE .ISO for free from cisco.com and reimage the appliances to the latest ISE software. They can order a license from a Cisco partner at no cost as long as they have an active SmartNet contract and the supported hardware. The customer only needs one license since license management is centralized regardless of the number of existing appliances.
Example 2: Customer has a NAC Manager appliance, 2000-user NAC Server, Cisco Profiler and Cisco Guest Server. All hardware is older HP servers (3310, 3350 or 3390). The customer can download the ISE .ISO for free from cisco.com and order a license at no cost. The hardware will not support ISE. This customer will have to migrate to the latest ISE appliance or VMware system for each NAC appliance server. The cost of the hardware will be discounted.
Example 3: Customer has Cisco ACS supporting 2000 users and wants to migrate to ISE. They will need to purchase the 50% discounted ISE base license and full advanced licenses. They will need to migrate to ISE via VMware or an appliance if they don’t own an ACS 1121 appliance.
iPads and iPhones are pretty awesome. They are slick looking and fun to play with. My friend’s Android is pretty cool as well. I had to find an app that gave my iPhone a slider login to counter his coolness. Regardless of the cool factor, many agencies are afraid these devices bring lots of risk if permitted on the corporate network.
As C-level executives / high-ranking commanders get their hands on fancy mobile devices, they start to demand a policy to bring mobile devices onto the network.
My recommendation to secure mobile devices is to look at this from two sides:
1) NETWORK: How do I provision network access for approved and non-approved mobile devices?
2) END POINT: How do I manage approved mobile devices, such as enforcing policies around what applications are used, avoiding jailbroken devices, etc.?
To answer question 1, the best way to look at this is as an access control problem. Many customers I have worked with provision non-approved devices on a limited network through the use of VLAN redirection, ACLs or a separate wireless SSID. For corporate-issued devices, they leverage authentication to see if the user is approved and scan for policy checks to verify the device is safe before provisioning access. Failure to meet these checks either defaults the device to the guest network, limits the corporate access or completely denies the device. Some examples of access control solutions are Cisco ISE, Cisco NAC appliance and ForeScout.
To answer question 2, this comes down to end point management. Vendors like Symantec offer mobile device management solutions, which provide an agent to enforce policy. They have features like password enforcement, remote wiping of only corporate data (key for not upsetting users who violate policy), checking for jailbreaks, and offering additional authentication methods.
The final point I’ll bring up is that it’s best practice to enforce the end point management piece through the access control solution. For example, develop a policy that looks for an iPad and checks who is authenticated as well as whether the end point management agent is installed, up to date and running. As long as the end point management agent is doing its job, you know the iPad is used by an approved user and is not bringing on additional risk, since it meets all corporate policies enforced by the end point management agent. There are many ways to design this type of solution, but hopefully this helps you understand how to approach this situation from a high-level viewpoint.
Many people have invested in an automated access control solution from Cisco. In the past, Cisco offered NAC Framework and NAC appliance. There are Cisco Press books explaining NAC Framework as the go-to enterprise solution, utilizing the network as the enforcement point, while NAC appliance was the simple “turn-key” solution leveraging SNMP or in-band / bump-in-the-wire type designs. Eventually Framework died and was replaced by an 802.1x-based solution. The release of ACS 5.0 added new features for 802.1x authentication, which left customers with the option of remediation using the NAC Appliance solution or authentication only with the 802.1x NAC solution.
Cisco found that they had some gaps in their NAC solutions and eventually added bolt-on products to their appliance and 802.1x offerings. To manage non-NAC-capable devices, which include printers, card readers, Xboxes, IP phones, etc., Cisco re-branded Great Bay Software’s Beacon appliance as Cisco Profiler. Another gap was around sponsoring guest users, for which Cisco offered Cisco Guest Server as an additional appliance to handle advanced guest user features.
This spring, Cisco released their latest access control solution, Identity Services Engine (ISE). ISE takes on the features of NAC appliance, ACS 802.1x, Cisco Profiler and Cisco Guest Server. ISE can be purchased as a VMware image or an appliance and is licensed centrally, which is different from how NAC appliance was sold. Smaller networks can utilize one appliance or VMware instance to provide what used to be multiple appliances, which saves money as well as centralizing management. Mid to larger deployments can scale by breaking out the functions of ISE into separate VMware / appliance components. If customers need to support non-802.1x CoA switches, hubs or VPN concentrators, they will need to purchase a separate ISE iPEP appliance, which cannot be virtualized or include any other ISE functions.
There are some features that are not available in the ISE 1.0 release. ACS customers who use TACACS/RADIUS support for network device management and 802.1x NAC will need to keep their ACS solutions for device management while ISE can take over the 802.1x NAC function. Another feature missing is the ability to integrate ACS or NAC with ISE. These and other features are rumored to be road-mapped into the solution, as well as advancements in profiling to enhance how ISE identifies devices accessing the network. More information on Cisco ISE, NAC appliance and ACS can be found on the NAC links in this blog.
Why is there so much hype around Network Admission Control (NAC)? Some believe it’s to satisfy DISA regulations or other mandates like 802.1x requirements. However, the people who really understand the need for NAC are engineers supporting port security manually. The harder they try to lock down the network, the more err-disabled ports they have to run off to repair. Plus, some agencies believe random scans or signs stating “all new devices should be scanned” are actually going to enforce network policy. In the end, you either have automated access control or you don’t have control of what’s on your network.
What are the top things to look for in a Network Admission Control (NAC) solution? First off, the solution should categorize all devices as authenticating or non-authenticating. Usually devices that can authenticate have operating systems that can be scanned for anti-virus, updates, etc., and can leverage some type of single or multi-factor authentication solution. The best NAC solutions can leverage an existing authentication solution so users don’t have any additional logins unless it’s by design for temporary users such as guests or contractors.
Non-authenticating devices, such as printers, card readers, IP phones, etc., typically use the network for specific purposes and don’t have operating systems. This makes it hard to control these devices since they don’t belong to a naming database that can be leveraged to assign network access. Weak access control solutions whitelist non-authenticating devices by MAC address, which opens the door to any attacker who can spoof a known MAC. Strong NAC solutions develop roles for non-authenticating devices based on behavior and factors that can be scanned using network-based protocols. Profiling devices makes deployments easier since many administrators have heartburn developing a master whitelist of all devices. Profiling also maintains security by monitoring devices for anomalies. A simple way to think of this is catching a user spoofing a known printer by identifying the printer surfing the web as well as a change in the NIC card chipset.
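Added example (not ISE, Profiler or any vendor's code) that models both the probe-based profiling described in the ISE profiling post above and the spoofed-printer case here: endpoints are profiled from DHCP, HTTP and NetFlow observations, then a stored baseline is compared against fresh observations to flag a "printer" that starts browsing the web or whose DHCP fingerprint changes behind the same MAC. The OUI table, the probe event format and all sample observations are constructed for illustration.

```python
from dataclasses import dataclass, field

# Illustrative OUI-to-vendor table (constructed; use the IEEE OUI registry in practice).
OUI_VENDORS = {"00:1e:8f": "Canon", "00:00:48": "Epson", "3c:07:54": "Apple"}
PRINTER_VENDORS = {"Canon", "Epson"}


@dataclass
class ProbeEvent:
    """One observation from a profiling probe (constructed format)."""
    probe: str     # "dhcp", "http" or "netflow"
    mac: str
    attrs: dict


@dataclass
class EndpointProfile:
    mac: str
    vendor: str = "Unknown"
    dhcp_class: str = ""          # DHCP option 60 vendor class identifier
    dhcp_params: tuple = ()       # DHCP option 55 parameter request list (stack fingerprint)
    user_agents: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    role: str = "Unknown"


def vendor_for(mac):
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown")


def classify(profile):
    """Assign a role from the combined probe evidence; browser traffic outranks the OUI."""
    browses = any("mozilla" in ua.lower() for ua in profile.user_agents)
    if browses or profile.dhcp_class.upper().startswith("MSFT"):
        return "Workstation"
    if profile.vendor in PRINTER_VENDORS:
        return "Printer"
    return "Unknown"


def build_profiles(events):
    """Fold probe observations into one profile per MAC, then classify each."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev.mac, EndpointProfile(ev.mac, vendor_for(ev.mac)))
        if ev.probe == "dhcp":
            p.dhcp_class = ev.attrs.get("class_id", p.dhcp_class)
            p.dhcp_params = tuple(ev.attrs.get("param_list", p.dhcp_params))
        elif ev.probe == "http":
            p.user_agents.add(ev.attrs["user_agent"])
        elif ev.probe == "netflow":
            p.dst_ports.add(ev.attrs["dport"])
    for p in profiles.values():
        p.role = classify(p)
    return profiles


def detect_anomalies(baseline, current):
    """Compare stored profiles against fresh observations for the same MACs."""
    alerts = []
    for mac, old in baseline.items():
        new = current.get(mac)
        if new is None:
            continue
        if old.role == "Printer" and (new.user_agents or new.dst_ports & {80, 443}):
            alerts.append((mac, "printer now browsing the web"))
        if old.dhcp_params and new.dhcp_params and new.dhcp_params != old.dhcp_params:
            alerts.append((mac, "DHCP fingerprint changed behind a known MAC"))
        if new.role != old.role:
            alerts.append((mac, f"role changed {old.role} -> {new.role}"))
    return alerts


def sample_baseline():
    """Constructed overnight observations: a Canon printer and an Apple laptop."""
    return [
        ProbeEvent("dhcp", "00:1e:8f:aa:bb:cc", {"class_id": "Canon", "param_list": [1, 3, 6, 15]}),
        ProbeEvent("netflow", "00:1e:8f:aa:bb:cc", {"dport": 9100}),
        ProbeEvent("dhcp", "3c:07:54:11:22:33", {"param_list": [1, 3, 6, 15, 119, 252]}),
        ProbeEvent("http", "3c:07:54:11:22:33", {"user_agent": "Mozilla/5.0 (Macintosh)"}),
    ]


def sample_spoofed():
    """Constructed follow-up: a Windows laptop now sits behind the printer's MAC."""
    return [
        ProbeEvent("dhcp", "00:1e:8f:aa:bb:cc",
                   {"class_id": "MSFT 5.0", "param_list": [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]}),
        ProbeEvent("http", "00:1e:8f:aa:bb:cc", {"user_agent": "Mozilla/5.0 (Windows NT 6.1)"}),
        ProbeEvent("netflow", "00:1e:8f:aa:bb:cc", {"dport": 443}),
    ]


if __name__ == "__main__":
    for alert in detect_anomalies(build_profiles(sample_baseline()), build_profiles(sample_spoofed())):
        print(alert)
```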
Strong NAC solutions group authentication and policy into a category, which should be enforced prior to permitting network access. Common factors NAC solutions leverage for policies are device certificates, operating system types, installed applications and existing patch management solutions. The best solutions manage users and devices for LAN, VPN and Wireless in one GUI including detailed reporting capabilities.
Finally, design elements such as high availability, load balancing and scalability should be top of mind. Everybody is virtualizing, so brownie points should be awarded to VMware-friendly solutions. Make sure to ask what happens when your network grows beyond the design capacity, how failover works and what the process is to update code levels. Also don’t get cheap and skip the maintenance contract, since most NAC solutions will blow up your helpdesk if they die during business hours without a backup solution.