Dr. Chaos

Cisco ISE helps achieve at least half of SANS 20 Critical Security Controls

Posted In Cisco - By Aman Diwakar on Wednesday, July 17th, 2013 With 1 Comment


We all know that Cisco Identity Services Engine (ISE) can fulfill many regulatory compliance requirements, including FIPS/Common Criteria, FISMA, PCI, SEC, HIPAA etc. What we may not fully realize is that, because of Cisco ISE's integration with solutions such as Mobile Device Management, LAN Management Solutions and NetFlow security monitoring, ISE can help achieve more than half of the SANS 20 Critical Security Controls. This is a huge win for our customers because these controls are on everyone’s mind regardless of industry. This blog will examine each of the Critical Security Controls that ISE can achieve, given the proper integration with complementary systems via REST APIs.

Control 1: Inventory of Authorized and Unauthorized Devices: With ISE profiling, Endpoint Protection Services, White and Blacklisting, ISE can identify and deny access to unauthorized devices while permitting authorized devices. At the same time, it will inventory these devices and store it in a database for later review.

Control 2: Inventory of Authorized and Unauthorized Software: ISE and MDM work together to identify appropriate and inappropriate software on mobile devices, and to enforce that policy both on premises and off premises. The MDM features also permit corporate software and policy to be pushed to the mobile devices.

Control 3: Secure configuration of hardware and software on mobile devices, PCs, laptops, workstations and servers: With Cisco ISE posture assessment and its integration with MDM, ISE can verify software configuration compliance, detect hardware manipulation such as jailbreaking or unlocking, and enforce PIN requirements.

Control 5: Malware Defenses: ISE, when paired with Lancope’s Stealth Watch, will assist in identifying malware outbreaks and vectors, as well as the sources and destinations of an attack. This information may then be used to detect and prevent malicious activity.

Control 7: Wireless Device Control: ISE, together with Cisco Prime Infrastructure, can enforce 802.1x for devices accessing the wireless network, allow only authorized network access, ensure secure supplicant policy configuration such as EAP-TLS, and provide for multi-factor authentication. ISE will also register all mobile devices and allow an acceptable use policy to be enforced before access. Cisco Prime by itself can be used to identify rogue devices, ensure that only manageable Access Points (APs) are used, perform wireless intrusion detection and prevention (WIDS/WIPS), and push a single policy to multiple Wireless LAN Controllers (WLCs).

Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Once 802.1x and Network Policy Enforcement has been enabled on your network Switches, ISE can verify the switch configuration against its secure template validation troubleshooting tool. This ensures that configuration such as global Dot1x, port configuration and RADIUS information including server security, authentication, authorization and accounting information is according to security policy and recommendations.
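As an added illustration of the kind of template check Control 10 describes (this is example code written for this post, not ISE's own validation tool), the following Python script parses a constructed IOS-style switch configuration and reports the global and per-access-port 802.1x/RADIUS lines that are missing relative to a small required-lines template. The configuration text, the template contents, the VLAN numbers and the shared-secret placeholder are all made up for the example.

```python
import re

# Constructed IOS-style switch configuration (not taken from the post).
# "aaa accounting" is deliberately absent and Gi1/0/2 lacks port-control so
# that the check has something to report.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 key EXAMPLE-SHARED-SECRET
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 dot1x pae authenticator
!
"""

# Template: global lines that must be present verbatim, and per-port lines
# every access port must carry. The RADIUS server line is checked separately
# because its address and key vary per deployment.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
]
REQUIRED_PER_PORT = ["authentication port-control auto", "dot1x pae authenticator"]


def parse_config(text):
    """Split a config into (global lines, {interface name: [lines]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None                      # "!" terminates a block
        elif raw.startswith(" ") and current:
            interfaces[current].append(raw.strip())
        elif raw.strip():
            global_lines.append(raw.strip())
    return global_lines, interfaces


def check_config(text):
    """Return a list of (scope, finding) tuples; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for line in REQUIRED_GLOBAL:
        if line not in global_lines:
            findings.append(("global", "missing: " + line))
    if not any(g.startswith("radius-server host ") and " key " in g for g in global_lines):
        findings.append(("global", "no radius-server host with shared key"))
    for name, lines in interfaces.items():
        if not any(l.startswith("switchport access vlan") for l in lines):
            continue                            # only access ports must run 802.1x here
        for req in REQUIRED_PER_PORT:
            if req not in lines:
                findings.append((name, "missing: " + req))
    return findings


if __name__ == "__main__":
    for scope, finding in check_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Running the script on the constructed configuration lists the missing accounting line and the port on which 802.1x was never turned on; the same check applied to a configuration that satisfies the template returns an empty list.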

Control 11: Limitation and Control of Network Ports, Protocols, and Services: ISE enforces access to corporate resources via multiple mechanisms, such as Dynamic Access Lists, Named Access Lists, VLAN assignment and Secure Gateway Tagging (SGT), based on source and destination ports and protocols as well as resource tagging. Stealth Watch, via NetFlow monitoring and ISE integration, warns if an unauthorized network service access attempt is detected.

Control 14: Maintenance, Monitoring and Analysis of Audit Logs: ISE together with Cisco Prime contains an extensive real-time dashboard that alerts on unauthorized access attempts, failed logins, locked accounts, port flaps, device failures and rogue access points, to name a few. Information from ISE can be sent to a SIEM for further analysis.

Control 15: Controlled Access Based on the Need to Know: ISE performs full user authorization based on the user's context, analyzing user identity, time, endpoint type, location, access type (wired, wireless, VPN) and the resource being accessed before permitting access. This is a crucial and critical control.

Control 16: Account Monitoring and Control: ISE monitors accounts for suspicious activity such as failed login attempts, password lockouts and expired account use.
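To show what the log monitoring in Controls 14 and 16 looks like once the events reach a SIEM or a script, here is an added Python example (written for this post, not ISE or Cisco Prime code) that runs simple detection logic over a constructed authentication log. The log lines use a generic "timestamp EVENT key=value" shape with made-up field names, not ISE's actual syslog format; the thresholds and the failure reasons are likewise assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not ISE's real message format).
SAMPLE_LOG = """\
2013-07-17T08:00:01 AUTH_OK user=alice nas=10.0.0.1 reason=-
2013-07-17T08:01:10 AUTH_FAIL user=bob nas=10.0.0.1 reason=bad-password
2013-07-17T08:01:15 AUTH_FAIL user=bob nas=10.0.0.1 reason=bad-password
2013-07-17T08:01:21 AUTH_FAIL user=bob nas=10.0.0.1 reason=bad-password
2013-07-17T08:01:30 AUTH_FAIL user=bob nas=10.0.0.1 reason=bad-password
2013-07-17T08:01:44 AUTH_FAIL user=bob nas=10.0.0.1 reason=bad-password
2013-07-17T08:02:02 AUTH_OK user=bob nas=10.0.0.1 reason=-
2013-07-17T08:05:00 AUTH_FAIL user=carol nas=10.0.0.2 reason=account-expired
2013-07-17T08:30:00 AUTH_FAIL user=dave nas=10.0.0.3 reason=bad-password
2013-07-17T09:30:00 AUTH_FAIL user=dave nas=10.0.0.3 reason=bad-password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) "
    r"nas=(?P<nas>\S+) reason=(?P<reason>\S+)$"
)


def parse(log_text):
    """Parse well-formed lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def analyze(events, threshold=5, window_minutes=5):
    """Return (finding, user, timestamp) tuples in detection order.

    failed-login-burst : at least `threshold` failures for one user inside a
                         sliding window of `window_minutes`
    success-after-burst: a successful login by a user who just triggered a burst
    expired-account-use: any attempt to authenticate with an expired account
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps in window
    in_burst = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        q = recent_failures[user]
        while q and ts - q[0] > window:    # expire failures outside the window
            q.popleft()
        if ev["event"] == "AUTH_FAIL":
            if ev["reason"] == "account-expired":
                findings.append(("expired-account-use", user, ts))
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                findings.append(("failed-login-burst", user, ts))
                in_burst.add(user)
        elif user in in_burst:
            # Success immediately after a burst of failures deserves review
            # (possible guessed password); the user's state then resets.
            findings.append(("success-after-burst", user, ts))
            in_burst.discard(user)
            q.clear()
    return findings


if __name__ == "__main__":
    for kind, user, ts in analyze(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:<20} {user}")
```

The sliding window matters: two failures an hour apart (user dave in the sample) never reach the threshold, while five failures within a minute do, and the success that follows them is reported separately so an analyst can check whether the password was guessed or the user simply remembered it.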

Control 18: Incident Response and Management: Incident response can be separated into the following areas: preparation, identification, containment, eradication and after-action review. ISE helps you prepare by gathering critical telemetry data, identify non-compliant hosts, and quarantine those hosts while permitting access to a remediation system. This process, when complemented with other incident response controls, will greatly close the gap between identification and remediation.
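The context-based authorization of Control 15, the VLAN/dACL/SGT enforcement of Control 11 and the quarantine-with-remediation step of Control 18 all come down to one authorization decision per access request. As an added example (written for this post; it is not ISE's policy language and not Cisco code), the following Python model evaluates an ordered rule set against a request context consisting of user groups, endpoint type, location, access type, posture state, time of day and requested resource, and returns the matched rule together with the VLAN, dACL name and SGT to hand back to the network device. Every rule name, group, VLAN number, dACL name and SGT value is an assumption made up for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Illustrative context-aware authorization engine; all values are constructed.


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    endpoint_type: str      # e.g. "corp-laptop", "byod-phone"
    location: str           # e.g. "hq", "branch", "remote"
    access_type: str        # "wired", "wireless" or "vpn"
    posture: str            # "compliant", "noncompliant" or "unknown"
    request_time: time
    resource: str           # e.g. "finance-db", "internet"


@dataclass(frozen=True)
class Result:
    action: str             # "permit", "quarantine" or "deny"
    vlan: Optional[int] = None
    dacl: Optional[str] = None
    sgt: Optional[int] = None


@dataclass
class Rule:
    name: str
    result: Result
    groups: Optional[set] = None        # any one member group matches
    endpoint_types: Optional[set] = None
    locations: Optional[set] = None
    access_types: Optional[set] = None
    postures: Optional[set] = None
    window: Optional[tuple] = None      # (start, end) local time, inclusive
    resources: Optional[set] = None

    def matches(self, ctx):
        # A condition left as None is a wildcard; every set condition must hold.
        conditions = [
            (self.groups, lambda: bool(self.groups & ctx.groups)),
            (self.endpoint_types, lambda: ctx.endpoint_type in self.endpoint_types),
            (self.locations, lambda: ctx.location in self.locations),
            (self.access_types, lambda: ctx.access_type in self.access_types),
            (self.postures, lambda: ctx.posture in self.postures),
            (self.window, lambda: self.window[0] <= ctx.request_time <= self.window[1]),
            (self.resources, lambda: ctx.resource in self.resources),
        ]
        return all(check() for cond, check in conditions if cond is not None)


# Evaluated top-down, first match wins, implicit deny at the end.
POLICY = [
    # Control 18: non-compliant hosts land in a remediation VLAN whose dACL
    # permits only the remediation servers.
    Rule("quarantine-noncompliant",
         Result("quarantine", vlan=999, dacl="PERMIT-REMEDIATION-ONLY"),
         postures={"noncompliant"}),
    # Control 15: finance data only for finance users on a corporate laptop at
    # HQ, during business hours, over wired or wireless (never VPN).
    Rule("finance-business-hours",
         Result("permit", vlan=20, dacl="PERMIT-FINANCE", sgt=20),
         groups={"finance"}, endpoint_types={"corp-laptop"}, locations={"hq"},
         access_types={"wired", "wireless"}, postures={"compliant"},
         window=(time(7, 0), time(19, 0)), resources={"finance-db"}),
    Rule("employee-internet",
         Result("permit", vlan=30, dacl="PERMIT-INTERNET", sgt=30),
         groups={"employee", "finance"}, resources={"internet"}),
    # Control 11: BYOD phones on wireless get a guest VLAN, dACL and SGT.
    Rule("byod-internet",
         Result("permit", vlan=40, dacl="PERMIT-GUEST", sgt=40),
         endpoint_types={"byod-phone"}, access_types={"wireless"},
         resources={"internet"}),
]


def make_context(user, groups, endpoint_type, location, access_type, posture, hhmm, resource):
    """Convenience constructor; hhmm is a clock time such as "10:30"."""
    hour, minute = (int(p) for p in hhmm.split(":"))
    return Context(user, frozenset(groups), endpoint_type, location,
                   access_type, posture, time(hour, minute), resource)


def authorize(ctx, policy=POLICY):
    """Return (matched rule name, Result) for the request context."""
    for rule in policy:
        if rule.matches(ctx):
            return rule.name, rule.result
    return "implicit-deny", Result("deny")


if __name__ == "__main__":
    for c in [
        make_context("alice", ["finance"], "corp-laptop", "hq", "wired", "compliant", "10:30", "finance-db"),
        make_context("alice", ["finance"], "corp-laptop", "hq", "wired", "compliant", "22:00", "finance-db"),
        make_context("alice", ["finance"], "byod-phone", "remote", "wireless", "compliant", "10:30", "finance-db"),
        make_context("alice", ["finance"], "corp-laptop", "hq", "wired", "noncompliant", "10:30", "finance-db"),
        make_context("guest1", [], "byod-phone", "hq", "wireless", "unknown", "10:30", "internet"),
    ]:
        print(c.user, c.resource, authorize(c))
```

The same finance user is permitted, denied or quarantined depending only on context: the request at 22:00, or from a BYOD phone off site, falls through to the implicit deny, and a failed posture check matches the quarantine rule before any permit rule is considered, which is what lets the remediation system stay reachable while everything else is cut off.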

While we understand that some of these controls require integration with external tools, security is not a panacea; it is constructed as an ecosystem that must be simple enough to manage and monitor, while robust enough to provide the required protection and controls. ISE facilitates this ecosystem through its REST API programmability as well as ongoing integration of new features and capabilities. For example, upcoming releases will include TACACS and more internal MDM functionality.

Aman Diwakar

Twitter: https://twitter.com/ddos

LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7

  1. Mike Kraus says:

    Aman,
    These are great insights! One thing I would add is that these security controls are oftentimes thought of as a framework to work towards complying with the NIST 800-137 continuous monitoring requirements of the Federal government. So, it is not only a SANS best practice; it can help directly meet compliance requirements for our Federal customers.

    Mike Kraus
    Cisco Systems