Cisco Identity Services Engine (ISE) is a versatile, identity-based Network Access Control and policy enforcement solution that offers Zero Trust Access built on the overarching concept of AAA: Authentication (can I have access to the network?), Authorization (what do I have access to once I’m on the network?), and Accounting (a record and receipt of the connection).
ISE can be used to achieve various customer use cases, from Wired, Wireless, and Guest Access capabilities, to controlling access to network devices with Device Administration, to providing Asset Visibility and the ability to determine policy based on device type via device Profiling.
One of the more advanced features of ISE is its ability to determine the compliance of a device prior to allowing access, using its Device Posture capabilities.
What is ISE Posture?
ISE Posturing is a feature which ensures that endpoints (such as laptops, desktops, mobile devices, etc.) connecting to the network comply with the organization’s security policies prior to being allowed access.
ISE Posture checks the health and compliance status of the device against the organization’s security policy; security admins define which checks determine that a device is within company compliance before it joins the network.
Some examples include checking whether the system is up to date, whether up-to-date antivirus or anti-spyware software is installed, the disk encryption status, whether a host-based firewall or VPN is present, and so on.
Posture decisions in ISE are binary; posture is either:
Posture Remediation:
Should a device be found to be non-compliant, ISE can enforce remediation steps either through manual remediation by the end user or through automated remediation.
Remediation can entail directing users via a captive portal to update software, install patches, or enable certain security features.
Once the device meets the security requirements, it may be allowed full access to the network.
Posturing Software:
For a device to undergo a compliance scan, it must have some form of posturing software enabled.
Posture software can be either:
Once posture assessment has been completed, ISE can control the level of access a device receives.
Full access is allowed for compliant devices, whereas non-compliant devices can either be given limited access or put onto the guest VLAN, both of which would restrict access to certain parts of the network or resources.
Organizations may also elect for devices to be quarantined or isolated from the network until they’re brought into compliance.
ISE may also continuously monitor devices to make sure they remain compliant throughout the entirety of their network session.
If a device falls out of compliance during a session (e.g., antivirus becomes outdated), it can be restricted or prompted to take remediation actions.
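As an added illustration of how the pieces described above fit together (this is example code written for this article, not Cisco’s code and not ISE’s actual policy engine or API), the following Python model evaluates an endpoint’s reported health against a list of requirements, makes the binary compliant/non-compliant decision, maps it to an authorization result with remediation actions, and re-runs the assessment mid-session so that a device that falls out of compliance loses its full access. The requirement names, the 7-day antivirus definition age, the VLAN names and the sample endpoint reports are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# ---- Endpoint health report ---------------------------------------------
# Constructed stand-in for what a posture agent reports about the endpoint.
@dataclass
class EndpointState:
    os_patched: bool
    av_installed: bool
    av_definitions_date: Optional[date]
    disk_encrypted: bool
    firewall_enabled: bool

# ---- Policy --------------------------------------------------------------
@dataclass
class Requirement:
    name: str
    check: Callable[[EndpointState], bool]   # True when the endpoint satisfies the requirement
    remediation: str                         # action offered to the user when the check fails

@dataclass
class PostureResult:
    compliant: bool
    failed: list          # names of the requirements that failed
    remediations: list    # the matching remediation actions

MAX_AV_DEFINITION_AGE = timedelta(days=7)   # assumed policy value, not an ISE default

def build_policy(today: date) -> list:
    """Assemble the requirement list the security admins have defined (constructed example)."""
    def av_current(s: EndpointState) -> bool:
        return (s.av_installed and s.av_definitions_date is not None
                and today - s.av_definitions_date <= MAX_AV_DEFINITION_AGE)
    return [
        Requirement("os_patched", lambda s: s.os_patched, "install pending OS updates"),
        Requirement("av_current", av_current, "install or update antivirus definitions"),
        Requirement("disk_encrypted", lambda s: s.disk_encrypted, "enable full-disk encryption"),
        Requirement("firewall_enabled", lambda s: s.firewall_enabled, "enable the host firewall"),
    ]

# ---- Assessment ----------------------------------------------------------
def evaluate(state: Optional[EndpointState], policy: list) -> PostureResult:
    """Binary posture decision: every requirement must pass for the endpoint to be compliant.
    An endpoint with no agent report (state is None) cannot be assessed and is treated
    as non-compliant, with installing the posture agent as its only remediation."""
    if state is None:
        return PostureResult(False, ["posture_agent"], ["install the posture agent"])
    failed = [r for r in policy if not r.check(state)]
    return PostureResult(not failed, [r.name for r in failed], [r.remediation for r in failed])

def authorize(result: PostureResult) -> dict:
    """Map the posture result to the access the endpoint receives (constructed VLAN names)."""
    if result.compliant:
        return {"access": "full", "vlan": "corp"}
    # Limited access: only remediation resources are reachable, and the user is
    # redirected to the portal that lists what must be fixed.
    return {"access": "limited", "vlan": "remediation", "portal_redirect": True,
            "todo": result.remediations}

# ---- Continuous monitoring ----------------------------------------------
def reassess(session: dict, new_state: Optional[EndpointState], policy: list) -> dict:
    """Re-run the assessment mid-session and record whether the authorization changed.
    In a real ISE deployment a change is pushed to the network device via RADIUS CoA."""
    before = session["authorization"]["access"]
    result = evaluate(new_state, policy)
    session["authorization"] = authorize(result)
    session["changed"] = session["authorization"]["access"] != before
    return session

# Constructed sample endpoints used for the demonstration below.
TODAY = date(2024, 6, 1)
POLICY = build_policy(TODAY)
HEALTHY = EndpointState(True, True, TODAY - timedelta(days=2), True, True)
STALE_AV = EndpointState(True, True, TODAY - timedelta(days=30), True, False)

if __name__ == "__main__":
    session = {"authorization": authorize(evaluate(HEALTHY, POLICY))}
    print(session["authorization"])              # full access on the corp VLAN
    print(reassess(session, STALE_AV, POLICY))   # drops to limited access with two remediations
```

The point of the model is that compliance is an all-or-nothing conjunction of the admin-defined checks, that the non-compliant branch carries the remediation list the portal would show, and that the same evaluation is re-applied during the session rather than only at connect time.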
Posture Workflow in Cisco ISE:
In conclusion, ISE Posturing ensures that the devices accessing the network are secure and do not pose a risk to the environment.
For more information on how ModernCyber can assist in deploying ISE Posture for your Organization, please check out our recently announced ISE Expert as a Service offering.