We live in a connected, digitally enabled world that is just like a small
village. We are constantly connected: checking our devices for a status update,
posting an update ourselves, or trying to send that status report or close a
business deal online. Our access to the internet has increased tenfold from
previous years, with many more plugging in to the World Wide Web every second;
we like to call ourselves the .com generation, or if you fancy the title
“millennial”, you are in the right timeline.
But with such exposure, we sometimes forget the dangers lurking behind our use
of the internet. A few of us at least try to ensure we are using a secure
connection, but many ignore it all and end up in a really bad fix.
Take the year 2017 as we knew it: every IT security professional will tell you
that it was a terrible year on the network security home front, especially in
the malware category, with WannaCry wreaking havoc on company networks in a
spate of ransomware attacks that led to losses in the millions of dollars.
Such occurrences are a network security professional’s worst nightmare.
According to Forbes.com, as cyberattacks increase in quantity and
sophistication, the global cybersecurity market is expected to be worth $170
billion by 2020, and it is currently suffering from a dire shortage of skilled
network security professionals. In many cyber-attacks, attackers can compromise
an organization within minutes. The proportion of breaches discovered within
days always falls below that of time to resolve them and fix
The enterprise network has changed rapidly, especially concerning employee
mobility and access to network facilities. Today’s employees are not tied down
to desktop workstations; instead they access the organization’s resources via a
variety of endpoint devices such as smartphones, tablets and personal laptops,
to name a few.
Access to resources from anywhere greatly increases productivity for many
organizations, but it also increases the possibility of data leakage and
security threats, because you may not be able to control the security posture
of devices accessing the network from outside the office’s brick-and-mortar
setup. Tracking all the devices accessing the network is a huge task in itself,
and as the need for more access arises, it becomes ever more untenable to
manage.
So, what can we do to
get out of this fix?
Fret not: the Cisco Identity Services Engine (ISE) 2.0 is here to help you, and
in a big way. ISE is an identity-based network access control and policy
enforcement system. It takes care of time-intensive day-to-day tasks such as
BYOD device onboarding, guest onboarding, switchport VLAN changes for end users
and access list management, freeing up network administrators to focus on other
crucial tasks such as keeping abreast of current cyber threats and how to
counter them.
According to the Cisco ISE product release notes, ISE attaches an identity to a
device based on user, function or other attributes, and uses it to enforce
policy and security compliance requirements before the device is authorized to
access network resources. Based on the evaluation of a variety of factors, an
endpoint can be allowed onto the network with a specific set of access policies
applied to the interface it is connected to, denied completely, or given guest
access according to the company’s guidelines. In other words, Cisco ISE is a
context-aware policy service that controls access and threats across wired,
wireless and VPN networks; it is a component of Cisco’s Borderless Networking
and of the company’s TrustSec product line.
Another plus is that Cisco has finally released Identity Services Engine (ISE)
2.0, which comes with a robust array of features and functionalities that will
be a great asset to your organization.
Let us review the ISE platform in brief.
Figure 1.0: The ISE platform in a nutshell
The ISE platform uses a distributed deployment approach, with nodes taking on
three different profiles: the Policy Administration Node (PAN), the Monitoring
and Troubleshooting Node (MnT) and the Policy Services Node (PSN). For ISE to
function properly, all three roles are required.
Let us briefly look at each of these profiles and the service it provides.
Policy Administration Node (PAN)
The PAN profile is the interface the administrator logs into to configure the
policies that drive the entire ISE setup. It acts as the control center for
deploying ISE. This node allows an administrator to make changes to the entire
ISE topology, which are then pushed from the administration node to the Policy
Services Nodes (PSNs).
Policy Services Node
The PSN profile is where policy decisions are made. Network enforcement devices
send all their network access messaging to these nodes; for example, RADIUS
messages are sent to the PSNs. Once a message is processed, the PSN either
allows or denies access to the network based on what the administrator
configured in the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT profile logs all service reports and occurrences and allows you to
generate reports as needed. It receives the logs from the other nodes in the
ISE topology, sorts through them and assembles them into a readable format. MnT
lets you generate various detailed and graphical reports that can help you and
senior management make strategic decisions regarding your company’s network
resources, and it notifies you of any threats to ISE.
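As an added illustration of how the three roles fit together (a constructed Python model written for this article, not Cisco's code or the ISE API): the ordered rule set stands in for what an administrator authors on the PAN, the first-match-wins evaluation with a default deny stands in for the PSN's decision, and the audit log stands in for what the MnT collects for reporting. Rule names, attribute names, VLAN numbers and dACL names are made up.

```python
from dataclasses import dataclass

# Constructed, simplified model of ISE-style network authorization.
# All rule names, attributes, VLANs and dACL names below are assumptions.

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict   # attribute -> required value; all must match
    result: dict       # e.g. {"access": "permit", "vlan": 20}

@dataclass
class Endpoint:
    user: str
    identity_group: str   # "Employees", "Contractors", "Guests", ...
    device_profile: str   # "Corporate-Laptop", "Smartphone", ...
    access_method: str    # "wired", "wireless" or "vpn"
    posture: str          # "compliant", "noncompliant" or "unknown"

# Ordered policy set, as an administrator would author it on the PAN.
POLICY = [
    Rule("Employee-Compliant", {"identity_group": "Employees", "posture": "compliant"},
         {"access": "permit", "vlan": 20, "dacl": "PERMIT_ALL"}),
    Rule("Employee-Quarantine", {"identity_group": "Employees"},
         {"access": "permit", "vlan": 99, "dacl": "REMEDIATION_ONLY"}),
    Rule("Guest-Wireless", {"identity_group": "Guests", "access_method": "wireless"},
         {"access": "guest", "vlan": 50}),
]
DEFAULT = {"access": "deny"}   # nothing matched: fail closed

AUDIT_LOG = []   # what the MnT role would collect from every PSN

def authorize(ep, policy=POLICY):
    """PSN-style decision: first matching rule wins, otherwise deny."""
    attrs = vars(ep)
    for rule in policy:
        if all(attrs.get(k) == v for k, v in rule.conditions.items()):
            decision = dict(rule.result, matched_rule=rule.name)
            break
    else:
        decision = dict(DEFAULT, matched_rule="Default")
    AUDIT_LOG.append({"user": ep.user, "device": ep.device_profile,
                      "method": ep.access_method, **decision})
    return decision

def report(access):
    """MnT-style report: every logged decision with the given access result."""
    return [entry for entry in AUDIT_LOG if entry["access"] == access]
```

Note that the non-compliant employee is not denied outright but lands in the remediation VLAN, which is the kind of per-interface policy the article describes the PSN applying.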