ISE: The Network Protection and Administration Future
ISE, Cisco’s unique RADIUS-based technology, is at the heart of smart network protection strategies, and it is part of the Nap IT portfolio. Nap IT holds the Advanced Security Enterprise level, being certified for the manufacturer’s security products.
While there are a number of technologies that use the Remote Authentication Dial In User Service (RADIUS) protocol to authenticate and control access to corporate networks, no other product offers the capability and functionality of the Cisco Identity Services Engine, or simply ISE. The technology, exclusive to the American network equipment manufacturer, is deployed throughout Brazil by a qualified Nap IT team.
Nap IT is an Advanced Security Enterprise, that is, it meets all the requirements to be an integrator of security equipment such as ISE. Alexsandro Reimann, Senior Network Engineer at Nap IT’s Global Advanced Services unit, is one of this team’s leaders.
In an interview for the Nap IT Blog, Reimann lists the advantages of ISE and its superiority over other network access control solutions, as well as its features, integrations and demand in Brazil. He also talks about Nap IT’s capability to deliver security projects.
Nap IT Blog: What is ISE and who are its suppliers?
Alexsandro Reimann: Identity Services Engine (ISE) is a Cisco exclusive product. It acts as an authentication and access control server that is better known in the market by the Remote Authentication Dial In User Service (RADIUS) protocol. However, ISE is a differentiated product because it incorporates features other than the RADIUS service itself. It can handle authentication, authorization, and access auditing layers.
Blog: How does ISE differ from conventional network security technologies?
Reimann: Especially for this authentication, authorization and auditing chain, which can be used for Wi-Fi access, wired access or access via VPN. This means that all control of who is accessing network resources is under centralized ISE policy management, where I can determine different actions based on the user type and on which device requests access. You can have policies that ensure an employee has unrestricted access if they are using a company laptop, for example; but if they are using a personal smartphone, ISE can detect this and give limited access, for example without access to private company resources. Unlike other market solutions, ISE has a feature called Profiling, which simultaneously queries the device for access credentials and tests that device.
Blog: How exactly does Profiling work?
Reimann: In a hypothetical situation, I may have a printer attached to the network via cable. ISE authenticates a username and password for all printers. With this username and password I could gain access using another machine, but ISE identifies which printer it comes from. These are additional layers that allow you to be sure that the equipment is what it claims to be.
Blog: You mentioned auditing features. What does that mean?
Reimann: The ISE log gives an overview of the installed park, either from a single site or from all the sites the company has, in a centralized dashboard that answers the famous 5 Ws: who, where, how, why, when. It tells me which user accessed which device, whether by cable or wireless, and for what. Everything is registered in the ISE console.
Blog: Are there any other features besides security?
Reimann: In parallel to the authentication service, ISE provides portals. I can have a single Wi-Fi network that everyone connects to, whether employee, visitor or partner. The access will depend on the credentials provided. If it is an employee accessing Wi-Fi, ISE returns privileged access; if it is a visitor, there is a portal where they can register, say who they are visiting and receive an approval request via email. It is an automatic self-registration portal service. You don’t have to have a dedicated person, which makes you much more dynamic.
ISE can be linked to other solutions, such as an agent installed on every machine on the corporate network, where ISE goes on to do what we call “stance”: in addition to validating authentication, it reports on operating system updates, antivirus, or any other information from the equipment itself that ISE could not receive through pure and simple authentication. It is possible to take actions based on this. There is also an integration with the Cisco firewall line. If the user already has access to the network and receives an email with a malicious link, the firewall identifies that user as non-compliant, vulnerable, and informs ISE to quarantine or block the equipment based on the rule set.
Blog: How big does a company need to be to get the most out of ISE? Does it fit the big ones better?
Reimann: It is a solution that serves small, medium and large companies. It is available on physical equipment, servers or virtual machines. VMs come in sizes based on the number of users and sessions they will support. ISE works with only one server, but of course there won’t be high availability and resiliency in that case. You can work from a single appliance up to 50. If you are a large company you can start small, with a smaller cluster, and add on over time. Licenses are per node: the customer purchases the number of servers, and each has a supported number of authentications based on memory requirements.
Blog: Is it an agnostic technology, i.e. interoperable with equipment from other manufacturers?
Reimann: The ISE base allows the insertion of Cisco and non-Cisco equipment. When we talk about the access control process, ISE works on the RADIUS basis, an open, non-proprietary standard. The network can have [equipment from] Cisco, HPE, Fortinet etc.; it is not a problem, as it works on top of an open protocol that all manufacturers support.
Blog: How is ISE managed? By the contracting company or Nap IT?
Reimann: ISE comes as part of a project, both deployment and training. Once policies are built and implemented within the environment, maintenance is very low. Typically, technology professionals create rules based on Microsoft Active Directory (AD) groups, so the management of who will gain access is not entirely consolidated within ISE itself. Whether or not the user is in a particular group determines whether they have more privileged access than another. The backup routines are all automated; if a user is not gaining access, or has been changed or removed, auditing will make this situation easier to understand. In addition to this, ISE has a function called TACACS, which is another authentication service that manages network equipment. You can only access the configuration or make changes using a local user base or an external base.
Blog: How is Nap IT ready for ISE offering?
Reimann: Within Nap IT there is a certified, specialized team. Nap IT is an Advanced Security Enterprise and has met all the requirements to be certified in security products. We now manage more than 30 servers around the world from multiple clients, and our NOC [Network Operations Center] serves and monitors the entire pool of ISE servers and equipment deployed by the project team. Project professionals are Professional and Expert certified, and the NOC part also requires Associate and Professional level security certifications. Within these certifications, of course, are other security solutions, but when we talk about security topology, ISE is the central gear. From it, all other equipment will receive additional intelligence.
Blog: How do you rate the demand for ISE in Brazil?
Reimann: The market still lacks maturity regarding security solutions. Many companies still see it as an optional cost. When a project starts to go over budget, the first line cut ends up being security. In an age of data leakage, I see controlling access to information as crucial. ISE comes in as if it were a watchman, this protection layer. We are talking a lot about ISE, and lately customers have been more interested precisely because of the leaks, of which there were several last year.