ISE and IOE
At a recent offsite, the Identity Services Engine (ISE) project team, and our InfoSec and Mobility teams spoke at length about how we will tackle the challenge of getting all Internet of Everything (IoE) devices securely on the network. Cisco IT has an aggressive schedule for the deployment of ISE capabilities in our FY15 (Fiscal Years in Cisco start on August 1 and go to the following calendar year July 30).Wired Authentication is one of the main capabilities to deploy globally. We completed Wireless Authentication deployment in early July 2014. By the end of July 2015, we should be doing posture assessment, and by the end of January 2016, full posture enforcement. To accomplish this, we need to account for the universe of current and expected IoE devices connected to the network.
It’s a large discussion for the group to understand how we can accomplish the task. Who owns the devices, where are users located, what type of access do users really need and other very pertinent questions are part of the equation. As discussed in a recent blog, our Internet Only Networking (ION) – what was commonly called “guest networking” but is fast becoming a ‘default’ network – will likely be a network for some or many of these devices. For example, there could be an external, third-party building control system (HVAC, alarms, etc…) that don’t need corporate network access, so, we’d put them on the ION network. ION provides, as it is described an “Internet Only” network access, some services for things like VPN. It is very likely a lot of devices only need the ION access. In addition to lowering the security concerns, giving them ION access only ensures that we don’t have to contend with verifying whether or not these devices are 802.1X compliant or can live up to the posture enforcement policies we deploy.
For those devices that will require corporate network access (Digital Media Players, security cameras, Smart Energy, etc…), a working group needs to be created. Stakeholders are needed to review the listed items and ensure all “devices” are captured, reviewed, and where needed, remediated to access the network once posture assessment is in place. This working group is needed at an enterprise-sized company like Cisco, for better visibility and transparency into security.
Many of these capabilities can be deployed alongside the 802.1X Monitor Mode deployment. 802.1X Monitor Mode acts just like 802.1X Authentication, but if the device fails, it still allows the device on the network while logging the failure in the ISE logs. Subsequently, we use an analytics engine to review and remediate these failed items. For posture enforcement, we are still formulating our overall policy (given that the dates for cut-over are over a year out, this will be a living document changing frequently) for what we’ll do.
Cisco IT has a large investment in the deployment of IoE capabilities within Cisco and it goes hand-in-hand with the ISE deployment to ensure we are keeping the network secure and productive.