ModernCyber Blog

Cisco Identity Services (ISE) Posture

Written by Tina Cline | Sep 22, 2024 11:27:45 PM

Cisco Identity Services Engine (ISE) is a versatile, identity-based Network Access Control and policy enforcement solution which offers Zero Trust Access utilizing the overarching concept of AAA, or Authentication (Can I have access to the network?), Authorization (What do I have access to once I’m on the network?), and Accounting (record and receipt of the connection).

ISE can be utilized to achieve various customer use-cases, from Wired, Wireless, and Guest Access capabilities, to controlling access to network devices with Device Administration, to providing Asset Visibility and the ability to determine policy based on device type via device Profiling.

One of the more advanced features of ISE is its ability to determine the compliance of a device prior to allowing access, using its Device Posture capabilities.

What is ISE Posture?

ISE Posturing is a feature which ensures that endpoints (such as laptops, desktops, mobile devices, etc.) connecting to the network comply with the organization’s security policies prior to being allowed access.

ISE Posture checks the health and compliance status of a device against the organization’s Security Policy: Security Admins define which checks a device must pass to be considered within company compliance, and those checks run before the device joins the network.

Some examples include checking whether the system is up to date, whether up-to-date antivirus or anti-spyware is installed, disk encryption status, whether a host-based firewall or VPN is present, and so on.

Posture decisions in ISE are binary; a device’s posture is either:

  • Compliant, meeting all security checks/policies
  • Non-compliant, should it fail one or more security checks
  • Compliance can also be deemed “unknown,” should its compliance status either not have been evaluated or be undeterminable

Posture Remediation:

Should a device be found to be non-compliant, ISE can enforce remediation steps either via end-user manual remediation or automated remediation.

Remediation can entail directing users via a captive portal to update software, install patches, or enable certain security features.

Once the device meets the security requirements, it may be allowed full access to the network.

Posturing Software:

For a device to undergo a compliance scan, it must have some form of posturing software enabled.

The posture software can be one of the following:

  • Cisco Secure Client (formerly AnyConnect) with the ISE Posture Module
  • CSC Stealth Agent: available in Stealth Mode, the CSC Agent runs on the device unbeknownst to the end user
  • Temporal Agent: a temporary posture agent provided by an executable file that runs on the client device, performs the posture scan, then removes itself from the device after the compliance scan is completed
  • Agentless: the ability to apply basic checks without requiring a client; software connects to the client as an admin user, provides posture information from the client, and then removes itself when finished

Once posture assessment has been completed, ISE can control the level of access a device receives.

Full access is allowed for compliant devices, whereas non-compliant devices can either be given limited access or put onto the guest VLAN, both of which would restrict access to certain parts of the network or resources.

Organizations may also elect for devices to be quarantined or isolated from the network until they’re brought into compliance.

ISE may also continuously monitor devices to make sure they remain compliant throughout the entirety of their network session.

If a device falls out of compliance during a session (e.g., antivirus becomes outdated), it can be restricted or prompted to take remediation actions.

Posture Workflow in Cisco ISE:

  • The endpoint attempts to connect to the network
  • The posture agent or ISE agentless software checks the device for compliance
  • ISE evaluates the device’s posture based on predefined policies
  • Depending on the posture result (compliant, non-compliant, unknown), ISE either allows full access, provides limited access, or redirects the user to a remediation portal
  • If deemed non-compliant, the device must perform the required actions to become compliant
  • After remediation, ISE rechecks the device to confirm compliance
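The three-state decision and the evaluate/remediate/recheck loop described above, written out as a small policy evaluator. This is an added illustration, not Cisco ISE code or its policy language: the check names, the endpoint reports and the access labels are constructed assumptions chosen to match the post’s description.

```python
"""Toy posture-decision model: an added illustration, not Cisco ISE code.
It mirrors the three outcomes described above (compliant, non-compliant,
unknown) and the access decision attached to each; all data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Each check reads the endpoint report and returns True (pass) or False (fail).
# A KeyError means the agent reported no data for that attribute, which is
# treated as "unknown" rather than as a failure.
CHECKS: Dict[str, Callable[[dict], bool]] = {
    "os_patched":     lambda r: r["missing_critical_patches"] == 0,
    "av_current":     lambda r: r["av_installed"] and r["av_signature_age_days"] <= 7,
    "disk_encrypted": lambda r: r["disk_encryption"] == "enabled",
    "host_firewall":  lambda r: r["firewall_enabled"],
}

@dataclass
class PostureResult:
    status: str                     # "compliant" | "non-compliant" | "unknown"
    access: str                     # authorization outcome for that status
    failed: List[str] = field(default_factory=list)

def evaluate_posture(report: Optional[dict]) -> PostureResult:
    """Run every check and reduce the outcome to one of the three states."""
    if report is None:              # no agent result at all: never evaluated
        return PostureResult("unknown", "limited")
    failed = []
    for name, check in CHECKS.items():
        try:
            if not check(report):
                failed.append(name)
        except KeyError:            # attribute missing: undeterminable
            return PostureResult("unknown", "limited", failed)
    if failed:                      # limited access plus remediation portal
        return PostureResult("non-compliant", "limited+remediation", failed)
    return PostureResult("compliant", "full")

# Constructed sample reports: a healthy laptop, one with stale AV signatures,
# and one where the agent reported only part of the data.
HEALTHY = {"missing_critical_patches": 0, "av_installed": True,
           "av_signature_age_days": 2, "disk_encryption": "enabled",
           "firewall_enabled": True}
STALE_AV = dict(HEALTHY, av_signature_age_days=30)
PARTIAL = {"missing_critical_patches": 0}

if __name__ == "__main__":
    # Initial scan, then the re-check ISE performs after remediation
    for step, rpt in (("initial", STALE_AV), ("after remediation", HEALTHY)):
        print(step, evaluate_posture(rpt))
```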

In conclusion, ISE Posturing ensures that the devices accessing the network are secure and do not pose a risk to the environment.

For more information on how ModernCyber can assist in deploying ISE Posture for your Organization, please check out our recently announced ISE Expert as a Service offering.