topic Re: ISE Internal DataBase in Network Access Control

ISE Internal DataBase

gugonza2 — Fri, 09 Mar 2018 09:18:22 GMT

Hi Team,

I have some questions about ISE internal database:

What is the database engine of ISE internal databases ?
Is the content of ISE database encrypted ?
Is it possible to connect to ISE database using a AD domain user ?
What controls or functionalities does the solution have to safeguard the integrity and security of the information received, stored, modified and / or processed?

Thanks in advance,

Re: ISE Internal DataBase

dmh — Fri, 09 Mar 2018 13:02:15 GMT

ISE uses an Oracle database.

The best way to access ISE information remotely is using the REST API interface which also ensures the database integrity.

The database tables and structure would can (and does) change between versions so using an API abstracts this so your code doesn't need to be updated every time this happens.

See the following for the REST API documentation:

Cisco Identity Services Engine API Reference Guide, Release 2.x - Cisco

Re: ISE Internal DataBase

Craig Hyps — Fri, 09 Mar 2018 14:44:09 GMT

See ISE Security Best Practices (Hardening)or more details including some info on DB encryption on FAQ.

There is no direct access the the underlying databases. Yes, there is more than one. Access to config is provided via the ISE Admin UI or via ERS API.

Re: ISE Internal DataBase

gugonza2 — Fri, 09 Mar 2018 14:45:15 GMT

Thx, Just a last question; are these DBs encrypted ?

Re: ISE Internal DataBase

gugonza2 — Fri, 09 Mar 2018 14:45:45 GMT

Any document or references with that information ?

Re: ISE Internal DataBase

Craig Hyps — Fri, 09 Mar 2018 15:07:14 GMT

Please refer to the link already provided. It states that database is not encrypted. Data fields other than passwords are not encrypted, but ISE admin users do not have direct accesses to the database in normal operations.