Is your network Access
We live in a connected world that has embraced digital-technology-enabled services and has become like a small village. We are always connected: checking our devices for a status update, posting an update ourselves, or trying to send that status report or close a business deal.
Our access to the internet has increased tenfold from previous years, with many more people plugging into the World Wide Web every second. We like to call ourselves the .com generation, or, if you fancy the title “millennial”, you are in the right timeline.
But with such exposure, we sometimes tend to forget the dangers lurking behind our use of the internet. A few of us at least try to ensure we are using a secure connection, but many ignore it altogether and end up in a really bad fix.
Take, for example, the year 2017 as we knew it: every IT security professional will tell you that it was a terrible year on the network security front, especially in the malware category, with WannaCry wreaking havoc on company networks in a spate of ransomware attacks that led to losses in the millions of dollars.
Such occurrences are a network security professional’s worst nightmare. According to Forbes.com, as cyberattacks increase in frequency and sophistication, the global security market is expected to be worth more than $170 billion by the year 2020, and it is currently suffering from a dire shortage of skilled network security professionals. In many cyber-attacks, attackers can compromise an organization within minutes. The proportion of breaches discovered within days always falls below the time needed to resolve them and fix the threats.
The enterprise network of today has changed rapidly, especially concerning employee mobility and access to network facilities. Today’s employees are not tied to desktops and office desks but are instead able to access the company’s resources through a variety of devices such as smartphones, phablets, and personal laptops.
The current norm is for a company’s employees to be able to access the company’s resources from anywhere. This greatly increases productivity, but it also exposes the company to possible leaks of highly confidential data and to increased cybersecurity threats, because you may not be able to track and control the security configuration of devices accessing the network from outside the brick-and-mortar office. Controlling all the devices accessing the network is a great task in itself, one that grows every day and is becoming more untenable as more devices get connected and plugged into the company network.
So, what can we do to get out of this fix?
Fret not: using a well-configured identity services engine such as Cisco ISE would greatly alleviate these challenges. According to Cisco, the Cisco Identity Services Engine (ISE) 2.0 is an identity-based network access control and policy enforcement system. It takes care of the time-intensive day-to-day network administration tasks, allowing your IT staff to focus on other crucial tasks such as keeping abreast of current cyber threats and how to counteract them.
According to the Cisco ISE product release notes, ISE attaches an identity to a device based on a user, function, or other characteristic, which allows it to enforce policy and check compliance with security guidelines before the device is authorized to access network resources. Based on the results of these different factors, a device can be allowed onto the network under a specific set of access policies applied to the interface it is connected to, or it can be explicitly denied or given guest access privileges according to the company’s guidelines. Cisco ISE is a context-aware policy service, and it aims to control access and threats across wired, wireless and VPN
The ISE Platform in a nutshell – figure 1.0
The ISE platform uses a distributed deployment approach, with nodes handling three different roles: the Policy Administration Node (PAN), the Monitoring and Troubleshooting Node (MnT), and the Policy Services Node (PSN). For ISE to function properly, all three profiles are required.
Let us briefly review each of these profiles and service entry points:
Policy Administration Node (PAN)
The PAN profile is the screen the administrator logs into to configure the policies that drive the ISE setup and configuration. It acts as the main control entry point for configuring and deploying ISE. The PAN allows the admin to configure the ISE topology by making changes, with these changes being sent out from the administration node to the Policy Services Nodes (PSNs) in ISE.
Policy Services Node (PSN)
The PSN profile is where policy decisions are made. These nodes are where the network enforcement devices send all their network messaging. After processing the messages, the PSN grants or denies access to the network based on what the administrator configured in the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT profile logs all service reports and occurrences and gives you the ability to generate reports as needed. All logs are received by the MnT from the other nodes in the ISE topology, sorted, and compiled into a readable form for you. It lets you generate various informative and graphical reports that can help you and senior management make strategic decisions regarding your company’s network resources, as well as notify you of any threats to ISE.
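As an added illustration, not Cisco code and not part of the original article, the following Python sketch models the division of labour between the three profiles just described: an ordered policy set authored under the PAN role, a PSN-style evaluator that applies first-match semantics and denies access when no policy matches, and an MnT-style log from which a denial summary is reported. The policy names, endpoint attributes and authorization results are hypothetical placeholders, not ISE identifiers.

```python
"""Toy model of the ISE access-decision flow (constructed example, not Cisco
code): the PAN role holds an ordered policy set, the PSN role evaluates each
connecting endpoint against it, and the MnT role records every decision.
Policy names, attributes and results below are hypothetical placeholders."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Endpoint:
    """Context the enforcement device reports about a connecting endpoint."""
    user: str
    device_type: str         # e.g. "laptop", "phone", "printer"
    access_medium: str       # "wired", "wireless" or "vpn"
    posture_compliant: bool  # outcome of a posture check
    domain_member: bool      # corporate-managed device or not


@dataclass
class Policy:
    name: str
    condition: Callable[[Endpoint], bool]
    result: str  # e.g. "Permit:Employee-VLAN" or "Deny"


@dataclass
class AuditRecord:
    user: str
    device_type: str
    policy: str
    result: str


# PAN role: the ordered policy set. Evaluation is first-match, so the most
# specific rules come first; anything that matches nothing is denied below.
POLICY_SET = [
    Policy("Corp-Device-Compliant",
           lambda e: e.domain_member and e.posture_compliant,
           "Permit:Employee-VLAN"),
    Policy("Corp-Device-NonCompliant",
           lambda e: e.domain_member and not e.posture_compliant,
           "Permit:Remediation-VLAN"),
    Policy("Wireless-Guest",
           lambda e: e.access_medium == "wireless" and not e.domain_member,
           "Permit:Guest-VLAN"),
]


class PolicyServiceNode:
    """PSN role: applies the policy set pushed from the PAN and hands every
    decision to the MnT log."""

    def __init__(self, policies: list, mnt_log: list) -> None:
        self.policies = policies
        self.mnt_log = mnt_log

    def authorize(self, endpoint: Endpoint) -> str:
        for policy in self.policies:
            if policy.condition(endpoint):
                decision, matched = policy.result, policy.name
                break
        else:
            # No rule matched: deny rather than fall through to network access.
            decision, matched = "Deny", "implicit-default-deny"
        self.mnt_log.append(
            AuditRecord(endpoint.user, endpoint.device_type, matched, decision))
        return decision


def summarize_denials(mnt_log: list) -> dict:
    """MnT role: count denied attempts per user, the kind of report an
    administrator pulls to spot an endpoint repeatedly failing policy."""
    counts: dict = {}
    for rec in mnt_log:
        if rec.result == "Deny":
            counts[rec.user] = counts.get(rec.user, 0) + 1
    return counts


def run_demo() -> tuple:
    """Authorize a few constructed endpoints and return (decisions, denial summary)."""
    log: list = []
    psn = PolicyServiceNode(POLICY_SET, log)
    endpoints = [  # constructed sample endpoints
        Endpoint("alice", "laptop", "wired", True, True),
        Endpoint("bob", "laptop", "vpn", False, True),
        Endpoint("visitor", "phone", "wireless", False, False),
        Endpoint("unknown", "printer", "wired", False, False),
        Endpoint("unknown", "printer", "wired", False, False),
    ]
    decisions = [psn.authorize(e) for e in endpoints]
    return decisions, summarize_denials(log)


if __name__ == "__main__":
    results, denials = run_demo()
    for line in results:
        print(line)
    print(denials)
```

The point worth noticing is that order is part of the policy: the guest rule sits below the corporate-device rules, so a domain member on wireless is never misclassified as a guest, and an endpoint no rule describes (the unmanaged wired printer) is denied and shows up in the MnT-style summary instead of silently getting access.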
Fundamentally, Cisco ISE offers a more holistic approach to network access security and
- Accurate identification of every user and device.
- Easy onboarding and provisioning of all devices.
- Centralized, context-aware policy management to control user access – whoever, wherever, and from whatever device.
- Deeper contextual data about connected users and devices to more rapidly identify, mitigate, and remediate threats.
Security and Posture
The cybersecurity landscape is changing very fast and becoming more complex and costly for organizations running legacy, traditional security setups. Cybersecurity demands have increased greatly, but security resources tend to remain the same. This greatly increases the potential attack surface, meaning the legacy security systems within a company’s premises have little to offer in terms of relevance and robustness to handle current
Employing the correct solution has become paramount, and a shift away from on-premises, traditional security setups is inevitable, with many organizations currently seeking to deploy a solution that will protect the company from within and without. Solutions like Cisco ISE have some interesting security features that are likely to help organizations meet their security needs. According to the Cisco ISE administrator security guide, these are some of the security features found within ISE:
- Greater control of endpoints, with rich application visibility that aids in enforcing granular user behavior and device compliance. With the AnyConnect distribution option, there is resilience and the ability to support more posture functionality with non-Cisco network access devices.
- A faster way to get started with enterprise-grade network access security, using the built-in ISE setup tool.
- Efficient and scalable role-based segmentation through TrustSec-enabled border routers.
- Greater device administration features, with streamlined migration tools and resources.
- Differentiated control based on separate administrative domains, using flexible criteria and responsibilities through multiple TrustSec matrices.
- Deep visibility at the application level, enabling you to set policy based on user actions.
- Simplified and agile threat responsiveness, with the ability to set pre-defined policy scenarios based on the organization’s threat
- Vulnerability assessment and threat incident intelligence solutions (IoCs) that help you stop malicious devices before they connect to
ISE posture flow:
This is the detailed explanation of the posture flow in ISE 2.2, according to the Cisco ISE posture style comparison for pre- and post-2.2.
Benefits of Using an Identity Services Engine
According to research conducted by Forrester on having an Identity Services Engine solution such as Cisco ISE deployed within an organization, an organization can expect the following benefits:
- Reduced infrastructure management and support costs for your guest wireless access services.
- Reduced infrastructure management and support costs for BYOD
- Reduced help desk support costs
- Reduced risk of security issues and major outbreaks.
- Reduced or eliminated IT management costs related to guest
- Rich visibility of user and device details.
- High end-to-end secure user access policy, with automation across a single network.
Low OpEx/CapEx due to selection of the right solution
The cost of securing an organization’s IT infrastructure can run into billions of dollars. Every organization intends to have the most robust and up-to-date security setup. With cloud security services, many organizations are moving from spending on their own on-premises security setup (CapEx) to a cloud solution that requires only operational expenditure (OpEx) and enjoys regular updates.
The security products deployed within an organization are usually funded out of the capital expenditure (CapEx) budget. The cost of such hardware and software (for example, buying a full security setup at $200,000) requires an upfront payment of the total amount, amortized according to the accounting cycle, before the organization can enjoy those services. In contrast, an organization that chooses a cloud solution (for example, one costing $100,000 annually), which usually comes at a reduced annual price and is funded out of the operating expense budget (OpEx), has an advantage.
In accounting terms, the first option (CapEx) is more costly than the second (OpEx). Of the two, cloud services make better use of the organization’s cash, since unlike the static hardware option, which will require future replacement and another cash outlay of $200,000, the cloud service enjoys continual updates with the latest technology at a cheaper price for the organization.
The question then arises: are there ways an organization can still deploy an on-premises cybersecurity solution and enjoy a more
According to research conducted by Forrester regarding the deployment of an on-premises Identity Services Engine such as Cisco ISE within an organization, a composite organization can incur risk-adjusted costs totaling about $595,000 in one-time initial investment and implementation costs, plus $61,00 in administration and maintenance costs per year. These costs relate to a deployment of the Cisco ISE solution.
Having an ISE solution on premises will greatly reduce the organization’s OpEx by cutting down on help desk support costs, closing major security holes to avoid major data breaches, and reducing or totally eliminating IT management costs associated with guest wireless access
These are just a few of the many economic and security benefits to be derived from using an Identity Services Engine such as Cisco ISE 2.0 in your organization. And according to research on the Savings and Business Benefits Enabled by ISE, there is a huge incentive for your organization to deploy an Identity Services Engine and stay abreast of the cybersecurity needs of the modern digital organization.