Cisco ISE for ZTA
Updated January 23, 2024

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review

Overall Satisfaction with Cisco Identity Services Engine (ISE)

Cisco ISE is leveraged internally to address network access control across wired, wireless, and remote client VPN authentication and authorization. Through Cisco ISE, the compliance of the machines is evaluated, and proper access is granted to compliant PCs. In addition, the device administration allows for infrastructure to be authenticated and authorized from a centralized location, providing a single account for device administration driven by Active Directory or any identity provider.
  • Centralized Identity Management
  • User and Device Authentication and Authorization
  • Device Posture Compliance
  • Device Administration
  • Persistent Session Network Access
  • Third-Party Integration
  • Resource Consumption
  • Intuitive GUI
  • Alignment to regulatory requirements for Zero Trust Architectures
  • Increase in visibility of assets equating to less lost or missing
  • Centralized infrastructure authentication resulting in single administrative accounts
Aruba ClearPass and Cisco ISE are very similar in nature. The biggest differentiator that I have seen is the Cisco ISE ecosystem around native Adaptive Network Controls, programmable interfaces, pxGrid, and the Cisco TrustSec environment. Due to the span of products Cisco has in its portfolio, the integrations between these products are both robust and native to each product.

Do you think Cisco Identity Services Engine (ISE) delivers good value for the price?

Yes

Are you happy with Cisco Identity Services Engine (ISE)'s feature set?

Yes

Did Cisco Identity Services Engine (ISE) live up to sales and marketing promises?

Yes

Did implementation of Cisco Identity Services Engine (ISE) go as expected?

Yes

Would you buy Cisco Identity Services Engine (ISE) again?

Yes

Cisco ISE works excellently as a NAC for network onboarding, maintaining persistent sessions, and overall alignment for Zero Trust Architectures. As a cornerstone to the Cisco TrustSec (CTS) environment, Cisco ISE provides the ability to tag hosts as they are onboarded and distribute this information throughout a security ecosystem, to be leveraged by firewalls, switching infrastructure, and server policing mechanisms. Its ability to maintain a persistent session allows other data reporting mechanisms to change the level of access to hosts if the compliance status were to change. The programmable back end allows for the management to be performed from a centralized console, or via the built-in GUI of the Cisco ISE product itself.

Cisco Security

Security is the investment in prevention. However, leveraging these inspection products to augment other areas of IT provides a richer ROI. As an example, reporting on the type of traffic passing a firewall allows the organization to better understand what the network is used for, or using MFA to determine what users/user groups are accessing resources.
The Cisco security ecosystem provides native integrations between the product line to provide a la carte security. Cisco ISE provides authentication for the service edge, but this decision could be bolstered when using Cisco Secure Network Analytics (SNA) to review traffic in transit. When bolstered with deep packet inspection using a Firepower NGFW, the end-to-end data flow is observed and enforced, with all components sharing their information.
Cisco has products for each part of network security and reporting. The additional tools with SIEM/SOAR to provide automated response and remediation shorten the Mean Time to Resolution of security incidents, with robust reporting to provide forensics. Other vendors only addressed certain aspects, creating difficulties for full integration.
Cisco ISE provides programmatic APIs to deliver policy or customize endpoints, information sharing for security using pxGrid, granular reporting, and the ability to "hold" the connection to issue a Change of Authorization as the endpoint or user changes role. This is done through RADIUS protocols at the connection level versus other vendors' SNMP read/write to the port. This difference can cause issues for multi-host ports, in which the SNMP read/write authorizes the first host and puts all additional hosts into the same VLAN for segmentation.
I envision AI moving security and threats to that of machine versus machine. In this future environment, the AI of the security must detect new anomalies and attack vectors while the AI of attackers will attempt to go undetected by acting as an authenticated/authorized user of the network. These attacks may take longer but go unnoticed without deeper inspection of the security product.
I leverage Firepower for predictive threat detection and analysis to date. Firepower is able to send samples of encrypted data to the Cisco cloud to determine the credibility of the flow or the threat of an attack. However, overall, no in-house AI/ML is used for threat detection currently, as the resources required can be quite extensive.
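The review's point about RADIUS Change of Authorization being session-scoped (rather than port-scoped like an SNMP write) can be seen in the packet itself: a CoA-Request names the session it acts on. The following is an added example, not the reviewer's or Cisco's code; it builds and verifies a CoA-Request per RFC 5176 using a constructed shared secret and session id, with the Cisco AVPair `subscriber:command=reauthenticate` as the action.

```python
import hashlib
import struct

COA_REQUEST = 43          # RADIUS code for CoA-Request (RFC 5176)
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44  # identifies one session, not a switch port
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco AVPair string inside a Vendor-Specific attribute."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_request(identifier, secret, session_id, username, command):
    """Build a CoA-Request aimed at a single session on the NAS."""
    attrs = (avp(ATTR_USER_NAME, username.encode())
             + avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair(command))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s.3: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """What the NAS does on receipt: check length and recompute the authenticator."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != COA_REQUEST or length != len(packet):
        return False
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; returns {type: value}."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out
```

Because the NAS matches the request on Acct-Session-Id, only that host's session is re-authenticated, which is the distinction the review draws against a port-level SNMP VLAN change.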