In any operational data network, the two high-level outcome possibilities are connectivity and isolation. If every device can connect to every other device (full connectivity), the network is relatively easy to build but inherently insecure. If a network fully isolates all forms of traffic, it is unusable.
Between these two extremes of connectivity and isolation exists an optimal balance for any organization.
In our previous white paper, we discussed how to achieve that optimal balance by implementing 802.1X with Cisco ISE. In this white paper we take the next critical steps: adding security for devices that have already authenticated.
An important question to ask when dealing with a data network is where should security be applied? If an intruder or unauthorized user attempts access to a network, the best place to apply security is as close to the source as possible.
The 802.1X protocol does a great job of providing the first line of defense. However, after the user authenticates with a username and password, what other facets of network security apply to the authenticated device?
A Shift to Enable B.Y.O.D., or Bring Your Own Device
In recent years, the diversity and value of personal computing products such as smartphones and tablets have become so great that employees need and desire to use their own technology in the workplace.
Today, the term B.Y.O.D., or Bring Your Own Device, refers to any type of computing device brought into a production network by an employee or guest that has not been pre-authorized by IT policies or procedures.
For a long time, the only technology with access to a production network was that provided by an organization’s IT department. Today, that’s no longer the case.
Cisco ISE Profiling Identifies Device Connections
How much security can be applied to a computing device when nothing is known about it?
That’s where ISE profiling comes in.
Profiling can be enabled in Cisco ISE to detect and identify every type of computing device that accesses your network, whether by a wired connection, wireless or VPN.
ISE has an extensive library of device profiles, covering laptops running Windows or Linux, Mac products, smartphones and tablets, as well as a wide array of Internet of Things (IoT) devices.
Profiling can then be leveraged to grant any degree of network access, from internet-only connectivity all the way to full internal network and data center connectivity.
Cisco ISE Posturing Helps Protect Against Malware
Posturing in Cisco ISE refers to compliance.
If a user brings their own tablet and authenticates with a valid username and password to an internal wireless access point, what ensures the tablet is free of malicious software such as a virus, malware, a keylogger that captures keystrokes, ransomware or adware?
After a B.Y.O.D. device authenticates with 802.1X, it is then identified with profiling. Now that the device is fully identified, the next steps can be taken to ensure the device is secure enough to be allowed onto the network.
Cisco ISE Posturing ties these points together: it checks the compliance conditions you define, such as virus detection and malware detection, and ensures that the computing device meets those requirements. Posturing is performed by the posture agent software built into Cisco AnyConnect.
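To make the staged decision described above (802.1X result, then profiling, then posture, then access level) concrete, here is an added example that is not from this white paper or from Cisco. It models in Python how profiling attributes and a posture report might be combined into an authorization outcome; the field names, the OUI table, the class-identifier strings and the compliance thresholds are constructed assumptions, not ISE's own attribute names or policy syntax.

```python
from dataclasses import dataclass, field

# Constructed endpoint record: what the profiler's probes collect (MAC OUI,
# DHCP option 60 class identifier, HTTP User-Agent) plus the posture agent's
# report. Field names are this example's own, not ISE's.
@dataclass
class Endpoint:
    mac: str
    authenticated: bool                 # outcome of the 802.1X exchange
    dhcp_class_id: str = ""
    user_agent: str = ""
    posture: dict = field(default_factory=dict)  # empty = no agent report

OUI_VENDORS = {"00:11:22": "ExampleCam"}  # constructed; real profilers use the IEEE registry

def profile(ep: Endpoint) -> str:
    """Classify the endpoint from whichever probe data it exposed."""
    ua, cid = ep.user_agent.lower(), ep.dhcp_class_id.lower()
    if cid.startswith("msft"):
        return "windows-workstation"
    if "ipad" in ua or "tablet" in ua:
        return "tablet"
    if OUI_VENDORS.get(ep.mac[:8].lower()) == "ExampleCam" and "cam" in cid:
        return "iot-camera"
    return "unknown"

# Compliance conditions of the kind the text describes; thresholds are illustrative.
REQUIRED_POSTURE = {"antivirus_installed": True, "antimalware_running": True}
MAX_DEFINITION_AGE_DAYS = 7

def posture_compliant(report: dict) -> tuple[bool, list[str]]:
    """Compare the agent's report with the conditions; return (ok, failures)."""
    failures = [k for k, v in REQUIRED_POSTURE.items() if report.get(k) != v]
    if report.get("definition_age_days", 10**6) > MAX_DEFINITION_AGE_DAYS:
        failures.append("definitions_stale")
    return (not failures, failures)

def authorize(ep: Endpoint) -> tuple[str, list[str]]:
    """Staged decision: 802.1X result, then profile, then posture, then access."""
    if not ep.authenticated:
        return ("deny", ["802.1x-failed"])
    kind = profile(ep)
    if kind == "unknown":
        return ("internet-only", ["unprofiled"])  # least privilege for the unknown
    if kind.startswith("iot"):
        return ("iot-segment", [kind])            # no agent possible, so segment it
    if not ep.posture:
        return ("remediation", ["no-posture-report"])
    ok, failures = posture_compliant(ep.posture)
    return ("full-access", [kind]) if ok else ("remediation", failures)
```

The second element of each result lists why the endpoint landed where it did, which is the information an operator needs when a device ends up in remediation.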
Cisco ISE: A Deeper Understanding of Security
Cisco ISE leverages the RADIUS protocol to add several security features: it identifies the details of the client, and it can suggest or require that added software such as virus detection and malware prevention be installed on the client before the client is authenticated and authorized for different network services.
Take the Global Knowledge Cisco class, “SISE Implementing and Configuring Cisco Identity Services Engine v3.0,” to gain a comprehensive understanding of Cisco ISE.
About the author
Chris Olsen has been an IT trainer since 1993 and an independent consultant and technical writer since 1996. He has taught over 80 different IT, security, data center and telephony classes to over 15,000 students. He is a technical editor for Global Knowledge’s lab manuals and has published three books with Cisco Press, CIPT part 2 version 6 and 8 and CCNA Voice Flash Cards. He is an author and technical editor on both Microsoft OCS 2007 and 2007 R2 certification exams. He is a technical author for Cisco-certified courses. He has also authored technical exams for Cisco’s certification program. Mr. Olsen can be reached at firstname.lastname@example.org