Cisco Blogs


Cisco Blog > Perspectives

Cisco ISE 1.3: Welcomed Improvements

I’ve finally had a chance to stop and smell the roses. The roses being Cisco ISE 1.3 that is. It’s been a much anticipated update to Cisco’s core TrustSec component and there are a number of improvements, many dealing with Guest users. So what has Cisco done to improve? Let’s look at 5 areas related to Guest access:

1.     End-User Web Portals
2.     Notifications
3.     Guest Portals
4.     Sponsor Portals
5.     Non-Guest Portals

End-User Web Portals

One of the new features that I really like is how the interface has been modified to centralize the portal configuration tasks and customization into a single location. The first thing you notice when you navigate to Configure Guest Access and Sponsor Access is that the interface is designed to make life easy. Three steps to Guest Access are overviewed and each step is clearly identified. We don’t usually find this information in the user interface. Normally we’re looking for this in an End User Guide or a Lab Guide for one of the courses I teach. So, in my opinion, this is a fresh new approach to making a complex device like ISE much easier to use.

ise-guest-access

Read More »

Tags: , ,

Access Control with Cisco TrustSec: Moving from “IP Addresses” to “Roles and Attributes”

Today’s enterprise is a highly dynamic, and hyper connected environment where IT plays a critical role in connecting the users, devices, resources and corporate IT systems. Today’s employees are also highly mobile in nature and do not necessarily have a single workspace assignment. The IT departments are constantly being challenged by the organization’s Line of Business owners to keep up with the pace of rolling out new services to address market needs, while keeping up with user expectations.

At the same time, IT departments also are responsible for ensuring business continuity and an uninterrupted service. However, the toughest challenge that any IT organization faces is implementing a security architecture which not only satisfies the compliance and industry regulatory requirements, but also provides a sufficient amount of protection against unauthorized access, data breaches, etc.

The traditional way to implement a security architecture in this kind of an environment is by implementing security rules in Firewall for traffic traversing the network’s extranet/intranet or data-center perimeters. For implementing security policies within an organizations network, Identity-Based Networking using IEEE 802.1X is generally used. Read More »

Tags: , , , , , , , , , , , ,

Judge for yourself: Taking Dell to task on “holistic” security claims

In case you missed it, Network World’s Ellen Messmer published a rather surprising article on how Dell was going to “trump” Cisco in the information security market as a result of some recent acquisitions. Now certainly Dell is entitled to their beliefs. They’re in a difficult position right now, as Michael Dell and Silver Lake maneuver the company through a very complex set of buy-out related transactions. They need to give their customers assurance that they won’t be distracted through this process. And if you want to set a big impression with your customers, you might as well go after the market leader in security.  Be it as it may, we can’t just sit back and let these blatant statements go unchecked. So, in the spirit of “fair and balanced” reporting, we thought we’d issue our own little fact check and let you conclude for yourself.

  • “Cisco is a great competitor but they don’t have our holistic view” – Acquiring assets and bundling them together doesn’t constitute a “holistic” approach.  Those assets must be closely integrated, which is the approach Cisco is delivering with its next generation security architecture. This architecture will be built on top of a multi-function security platform with deep network integration. There are many proof points today that demonstrate we are delivering against this strategy and architecture. Today our customers are deploying Cloud Web Security with their Cisco ISR G2 and ASA Next Generation Firewall through connectors built from Cloud Web Security. In addition we’ve brought market leading application, visibility and control to ASA, embedded deep in the firewall.  But it doesn’t stop here.
  • Now what about Dell’s comment that Cisco “doesn’t have an identity business“?  Cisco’s Identity Services Engine provides the backbone of Cisco’s secure Unified Access solution. The real network security action is in delivering access privileges based on more than just user identity and group which is all Dell can do today with Quest. In the BYOD world customers also require action based on the type of device, posture of the device, and location. Cisco’s Identity Services Engine is the industry leading platform to deliver context based policy controls and then leveraging the network for distributed enforcement consistently across wired, wireless, and VPN access. This is a game-changer for the enterprise and our next generation end-to-end security architecture. Enterprises can now implement context-based policy from the access layer through the data center switching fabric without using brittle and costly network segmentation methods tied to VLANs and ACLs. This is real synergy, and it is delivering a holistic solution as opposed to a holistic press sound bite.  But don’t just take our word for it; check out Gartner’s latest Magic Quadrant for NAC.  Cisco’s ISE combines identity, device, and network with a market leading platform deployed in over 3000 customers.
  • Just weeks ago we announced another key milestone with the introduction of ISE 1.2.  With this latest release we also became the first vendor in the industry to offer automated profiling feeds making us better and faster at identifying new devices and operating systems.  We’ve increased the speed and scalability of ISE to address the increasing demands brought on by the “Internet of Everything”.  And we’ve added a new set of partner APIs enabling integration into key MDM partners – SAP, AirWatch, Citrix, Mobile Iron and Good.  This expands the reach of ISE and enables customers to drive common context and identity management from the network all the way to the end point.  Dell talk’s about their direction to advance the “concept” of embedded security to virtually any type of device.  We’re not just talking about it, we’re doing it. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

New Nexus 1000V Free-mium Pricing Model

October 1, 2012 at 4:00 am PST

[See Also: Follow-Up Q&A on Freemium Pricing Model]

[Update 11/26/12: the free Nexus 1000V virtual switch is available for download from here.]

Following on the heels of the announcement of our Nexus 1000V 2.1 release last month, Cisco is today announcing a new pricing and packaging strategy for its flagship virtual switch portfolio. Starting with that new 2.1 release, which is now in beta, we will have two editions of the Nexus 1000V, an Essential Edition and an Advanced Edition. The Nexus 1000V Essential Edition will be available for free, plus a nominal annual support fee, in a move that we believe will encourage customers and our partners to proliferate what has already become the most popular virtual switch in the industry with over 6,000 customers to date.

The Nexus 1000V Essential Edition provides all the rich Layer-2 networking features to connect virtual applications to the network and integrate into VMware environments, including: VXLAN capability, Cisco vPath service insertion, integration with vCloud Director, and a plug-in for management and monitoring in VMware’s vCenter Server. This free version will enable rapid, low-risk adoption of Cisco’s virtual network technology environments.

The Advanced Edition, priced at $695 per CPU, the same price as the current 1.5 release, includes:

  • The Cisco Virtual Security Gateway (VSG) for Nexus 1000V, a virtual firewall with visibility to virtual machine attributes for building sophisticated compliance policies, and logical trust zones between applications (VSG was previously sold as a separate product).
  • Support for advanced capabilities, such as DHCP snooping, IP Source Guard, Dynamic ARP inspection and Cisco TrustSec Security Group Access (SGA).

Read More »

Tags: , , , , , , , , , , , , ,

DCID Protection Level 3 and Multi-tenant Cloud

The former Director of Central Intelligence Directives 6/3 established specific protection levels based on an information system’s assessed level of concern. In 2008  The Office of the Director of National Intelligence (ODNI) began releasing Intelligence Community Directives (ICD) that were to eventually supersede the DCID. I’m no longer an active practitioner of Certification and Accreditation so it is unclear to me whether the ICD 500 series has actually superseded or cancelled the DCID 6/3. From my interactions over the past 18 months I’m thinking that the DCID 6/3 is still alive combined with specific ICD 500 guidance and 800-53. Regardless, in my opinion the DCID 6/3 offers some great legacy guidance for multi-tenant clouds.

Read More »

Tags: , , , , , , , , ,