Connected devices are spreading like kudzu on the Carolina roadside. Cisco Identity Services Engine (ISE) is a great way to manage the devices on your network, and implementing a few best practices will save you time. Below are 7 ideas that will help:

1. Find an Executive Sponsor.

Security policies can now be enforced at the network level using ISE. Official IT policies around accessing information from BYOD devices were often circumvented. With ISE, we’ve been able to implement policies that provide the right access but can’t be circumvented. This makes it more important than ever that you have executive-level sponsorship. Truth be told, which IT project wouldn’t benefit from executive backing? My first experience with an executive sponsor was with an excellent CIO who resembled Pope Francis and spoke like a wicked good Bostonian. He tasked me with pursuing business groups and obtaining feedback on IT process changes. The CIO called me his “Man in Havana”. My coworkers lovingly changed it to “Cabana boy” because we made fun of each other at every opportunity. The point is, busy manufacturing and software development directors found time for my questions and follow-up meetings because an executive was driving the effort.

2. Go to lunch.

Get involved with the right key stakeholders. You would be wise to meet with the desktop, networking, security, and authentication directory teams. And don’t forget the team supporting BYOD. What company isn’t faced with the challenge of supporting personal user devices? So why is it important to interact with these various individuals? First, it builds full commitment to the project. Second, ISE relies on many existing infrastructure components working together to reach your goals: for example, Active Directory for authentication and patch management, RADIUS for attributes, the desktop team for troubleshooting, and the networking team for change management. A great way to start the project is to go out to eat with people on these teams and get to know them. Find out how they work, what their problems are, and how you might help.

3. Keep it simple.

The old adage that simple is secure is still excellent advice, especially in an age of increasing complexity. Policy decisions should be your guide to simplicity when deploying ISE. I will elaborate on policy in a moment.

4. Be clear concerning business goals.

Before creating policy, be clear concerning business goals. Below are some examples of business goals:

  • Provide guests a way to register devices and access WiFi
  • Authorize access to sensitive data over a wired connection on the internal network, but not when the traffic originates from a home VPN
  • Route traffic from point-of-sale systems with quality of service (QoS)

5. Whiteboard the ISE security policies.

This step will be the biggest time saver over the long haul. Combine lunch (Step 2) with a whiteboard session where you describe your authentication, authorization, posture and profiling security policies. The authentication policy describes your user/password databases, such as Active Directory or LDAP, and the order in which to try them. The authorization policy describes what users may access, based on their attributes. For example, users in the Active Directory group “employees” may access the CORP SSID. Label the authorization policies in logical and physical terms, or in terms that make sense for your security policy and your business goals: Guest wireless, VPN users, Wired Corporate user, student dorms and administration offices are all examples. These are common ways to differentiate the security of the network. Next, design a posture policy that describes the acceptable patch levels or application requirements that must be met for network access. For example, Windows 7 machines must have critical patches and supported antivirus installed in order to access the network. Finally, you will complete the profiling policy, which covers unauthenticated devices (for example, printers).
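As an added illustration (not Cisco ISE configuration, not its API, and not the author’s code), here are the four whiteboard policies from this step modelled as ordered rules in Python, so the decision flow and its default-deny fallback can be exercised. The CORP and GUEST SSIDs, the “employees” group, the MAC OUI table and the Reject/Quarantine/Deny outcomes are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Endpoint:
    """Constructed endpoint record; fields mirror the whiteboard policy inputs."""
    user: Optional[str]                               # None: no 802.1X identity (printer, etc.)
    password_ok: dict = field(default_factory=dict)  # identity store -> credentials accepted?
    groups: set = field(default_factory=set)         # e.g. Active Directory groups
    medium: str = "wired"                            # wired, wireless or vpn
    ssid: Optional[str] = None
    os: str = "unknown"
    critical_patches: bool = False
    antivirus: bool = False
    mac_oui: str = ""                                # first three octets of the MAC address
# Authentication policy: identity stores in the order they are tried.
IDENTITY_STORES = ["ActiveDirectory", "LDAP"]

def authenticate(ep):
    """Return the first store that accepts the credentials, or None."""
    for store in IDENTITY_STORES:
        if ep.password_ok.get(store):
            return store
    return None
# Authorization policy: (label, condition) rules evaluated top to bottom.
AUTHZ_RULES = [
    ("Wired Corporate user", lambda ep: ep.medium == "wired" and "employees" in ep.groups),
    ("Corporate wireless", lambda ep: ep.ssid == "CORP" and "employees" in ep.groups),
    ("VPN users", lambda ep: ep.medium == "vpn" and "employees" in ep.groups),
    ("Guest wireless", lambda ep: ep.ssid == "GUEST"),
]

def posture_compliant(ep):
    """Posture policy: Windows 7 needs critical patches and antivirus."""
    if ep.os == "Windows 7":
        return ep.critical_patches and ep.antivirus
    return True  # assumption: no posture requirement modelled for other OSes

def profile(ep):
    """Profiling policy for identity-less devices, keyed on a constructed OUI table."""
    return {"00:11:22": "Printer"}.get(ep.mac_oui, "Unknown")

def decide(ep):
    if ep.user is None:                      # no identity presented: profile it
        return "Profiled:" + profile(ep)
    if authenticate(ep) is None:             # credentials rejected by every store
        return "Reject"
    for label, cond in AUTHZ_RULES:
        if cond(ep):
            return label if posture_compliant(ep) else "Quarantine"
    return "Deny"                            # nothing matched: fail closed
```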

6. Be realistic.

You want to do things right the first time, so develop a plan. Start with the policy goals. Next, inventory the hardware and upgrade the code on existing infrastructure where needed. You will need to ensure that the end devices of your wired and wireless users are compatible with the capabilities of your user authentication database. There will need to be testing, deploying, auditing and finally full-blown policy mode, so plan your project accordingly.

7. Stop and review.

At this point in the process you have solidified management’s commitment to the success of the project. Your business goals are defined, which will help avoid scope creep. Other teams are involved and well fed. The policies are spelled out in clear terms that can be directly translated into policy configurations in ISE. You are now well positioned for a successful deployment and lower administrative cost over the life of the project.

In my next post, I will explain ISE integration with Active Directory, DNS requirements and how to leverage your existing user directory for ISE authentication and authorization.

Post updated 5/31/13



Authors

Jeremy McGuinn

Customer Support Engineer, Applied Security Intelligence

Security Research & Operations