How IT Works: Cisco Identity Services Engine

Captions
INTRO: This is the IT Roadshow. We're taking you with us, as we go coast to coast, East to West, on the tricked-out CDW Technoliner — anywhere and everywhere there's technology, talking to and learning from real engineers, swapping stories with real techies, seeing real technology in action. So if you're ready to geek out, hop on and let's go.

Nathan: Welcome to another Pit Stop on the IT Roadshow. I'm Nathan Coutinho, and I'm here today with Allen Schmidt to talk about Cisco ISE.

Allen: Yep.

Nathan: Identity Services Engine?

Allen: That's correct.

Nathan: So tell me all about ISE. What is ISE?

Allen: So Cisco ISE is network admission control. You know, for years we've been used to securing the public perimeter, the outside perimeter, so we've had firewalls and intrusion prevention and those kinds of solutions to protect us from the outside world. ISE and network admission control are protecting that internal perimeter. It's that access layer infrastructure where people are connecting to our network, and we assume they are trusted. But we really can't make that assumption, so that's where ISE comes in.

Nathan: So, network admission control, it's not a new thing, right? So what's different about Cisco ISE?

Allen: So network admission control, it's been around for a long time. It uses 802.1X, but there's a lot of components to that. The endpoints had supplicants, which weren't terribly stable. The access layer infrastructure, like the wired switches and the wireless LAN controllers, they didn't necessarily always have the services that you needed. And then the place where you built the policy — who gets on it and who gets off — it was really complex. It was not easy or intuitive at all to build those policies. ISE came along, and it improved that policy engine and, over time, the access layer infrastructure now holds all of those capabilities that we need. The supplicants that come with Mac computers and Windows computers — and, you know, mobile devices like iPhones and tablets — they're very stable now and operating exactly the way we would want.

Nathan: So this explains why when I get to the office with my Wi-Fi–enabled toaster, it doesn't actually work.

Allen: I'm not sure why you're bringing a toaster to the office …

Nathan: [Laughs]

Allen: … but, yes, it will identify that that is not our toaster, and it will prevent it from getting on the network.

Nathan: What would you say is critical for managing NAC?

Allen: The key to a successful network admission control implementation is to understand things like: Who are the users that you're going to allow on to the network? What are the kinds of devices that you're going to let on the network? And then, you know, what are the permissions you're going to give to them? So, you have employees that want to get on the network — maybe they want to get onto the campus wireless, maybe they want to get onto the wired network. And this is where Identity Services Engine comes in — so that we can identify that that's a legitimate user. So we can tell who this user is based on their Active Directory credential, for instance. ISE can work on the back end with Active Directory, so we can identify who that user is. But if we'd like to know that it's our device, the best way to do that is with a certificate. Again, ISE can work on the back end with a certificate authority, so now we can know this is our user and our device, which is an important part of network admission control. I tell all of the people I talk to: If you really want to do this, start to implement PKI, public key infrastructure, in your environment. It really helps. So this will allow you to get to internal systems, like get on to the local network, talk to printers, email, file servers. But you also have people who bring in their own devices. It's not a toaster, but it's a tablet, for instance.

Nathan: Mm-hmm.

Allen: So, you can let them on, they have a valid credential, but they don't have that certificate. We can know that, and we can say, all right, maybe we'll let them get on to parts of the network but not all of the network. So now you can limit where they can get to.

Nathan: Hmm.

Allen: We also have guest access. We have visitors that show up with their tablets that want to get onto the guest Wi-Fi. You can give them sponsored access, where we can have an employee-created credential for them. They could use that visitor credential directly on that smartphone if they want or on that machine, so that they can get to the internet, for instance. This also works for wired. So this is how you control user-based access, but then there's also those other kinds of devices that join the network. There are IP phones, there's streaming video, and there's video surveillance cameras. There's display screens that connect to the network. These are things that don't have a keyboard or a thumb board, or something like that. So this is where profiling comes in, which ultimately can identify a device based on the characteristics it presents when it connects. So now you can address BYOD employee access, bring your own device, guest access, connecting devices — all controlled from the ISE server.

Nathan: That makes sense from a policy control perspective, right?

Allen: Mm-hmm.

Nathan: So how does this make it simpler, because it still sounds fairly complex?

Allen: The key to the whole thing is that it's very dynamic. When you connect to the network, it identifies who you are, it identifies the device that you're using, and then it brings the appropriate level of access — down to the connection you made, down to the very port that you're connected to. And the same goes for wireless, the same goes for VPN. So now, you've got wired, wireless and remote-user access all coming under the same access control structure. And I think one of the key benefits is those non-user machines, like the phones and the cameras — and those kinds of things. By dynamically figuring out what they are, you don't have to go around and collect information about each phone that you have and each camera that you have. It looks when you connect and says, "I can tell. I'm 99 percent sure that thing that's connecting is an IP phone. IP phones go on this VLAN; they get this kind of connection."

Nathan: So it sounds pretty straightforward. As long as you create the right policies for the right people based on role, you can also change those once they actually log in to the network, and then the devices essentially follow those policies and so does the user profile.

Allen: Right, and you're changing that centrally. You're not having to visit …

Nathan: Right.

Allen: … each access layer device to put that policy in there. You're doing it in a central location.

Nathan: That does seem a lot easier.

Allen: Very much so.

Nathan: So this sounds like a really comprehensive solution; a lot of features, lots of functionality, especially with the policies.

Allen: Sure.

Nathan: Can small businesses use this as well?

Allen: That's one of the nice things about Identity Services Engine. It's very scalable. So you can start small, maybe with a single location. You can extend that to additional locations as time goes on and as you build your policy. You can also start at particular parts of your network. It's very common for people to start with Wi-Fi. You know, Wi-Fi has been doing network admission control for years. So introduce ISE on the wireless side and then, over time, you can start to introduce it to the wired side. And you can pick again, you know, a particular location as the pilot site and then start to add additional locations over time. So it can scale in size, it can scale in mission. It can also do network administrative access control so you can control administrators' access to routers and switches and firewalls, and those kinds of things. So it's above and beyond just getting connection to the network; it's who has permission to manage and to configure the network.

Nathan: Allen, thank you so much for your time. It's been fantastic really learning about network admission control.

Allen: It's been my pleasure.

Nathan: Thank you so much for watching another Pit Stop on the IT Roadshow. For more information, go to CDW.com/security. Have a great day.
Info
Channel: CDWPeopleWhoGetIT
Views: 110,334
Keywords: CDW, CDW Corporation, network admission control, ISE, Identity Services Engine, Cisco NAC, IT Roadshow, CDW IT Roadshow, network access control, CDW NAC, How Cisco ISE Works
Id: cXde4AAnO7o
Length: 6min 49sec (409 seconds)
Published: Fri Oct 06 2017