https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4312733#M566383 <P>Is there a prescriptive guide on ISE for IOT devices ?</P> Wed, 24 Mar 2021 04:18:06 GMT damode 2021-03-24T04:18:06Z https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4312733#M566383 <P>Is there a prescriptive guide on ISE for IOT devices ?</P> Wed, 24 Mar 2021 04:18:06 GMT https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4312733#M566383 damode 2021-03-24T04:18:06Z https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4313035#M566396 <P>Link for ISE/NAC resources:&nbsp;<A href="https://community.cisco.com/t5/security-documents/cisco-ise-amp-nac-resources/ta-p/3621621#Design" target="_blank">Cisco ISE &amp; NAC Resources - Cisco Community</A></P> <P>HTH!</P> Wed, 24 Mar 2021 12:15:20 GMT https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4313035#M566396 Mike.Cifelli 2021-03-24T12:15:20Z https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4313494#M566410 <P>No prescriptive guide - It's really a process depending on your tools, environment (IT, OT, your specific vertical) and politics (Layer 8!). The Prescription is to identify and minimize (eliminate!) all unknown endpoints using whatever you've got (or can afford). Identify the areas you believe present the biggest risk(s) to the business and start there.</P> <P>You will never have 100% automation. Just because you know <STRONG>What</STRONG> something is (according to a tool) doesn't tell you <STRONG>Who</STRONG> owns it, exactly <STRONG>Where</STRONG> it is located, <STRONG>When</STRONG> it was put there, or <STRONG>Why</STRONG> it is there at all. There will still be a strong need for some sort of asset management database or registration tool for various department owners or even individuals to add, update and maintain inventories of devices. </P> <P>From top to bottom, more automation to least automation.</P> <UL> <LI>ISE Profiles and Profiling Libraries <UL> <LI><A href="https://community.cisco.com/t5/security-documents/cisco-ise-automation-and-control-profile-library-v1-0/ta-p/3637957" target="_self">Automation &amp; Control Profiles</A></LI> <LI><A href="https://community.cisco.com/t5/security-documents/cisco-ise-industrial-network-director-ind-iot-profile-library-v1/ta-p/3638113" target="_self">Industrial Network Director (IND) Profile Library</A></LI> <LI><A href="https://community.cisco.com/t5/security-documents/cisco-ise-medical-nac-profile-library-v2-0/ta-p/3638736" target="_self">Medical NAC Profiles</A></LI> <LI><A href="https://community.cisco.com/t5/security-documents/cisco-ise-windows-workstation-embedded-iot-profile-library-v1-0/ta-p/3637975" target="_self">Windows Embedded Profiles</A></LI> </UL> </LI> <LI>Traffic based analytics <UL> <LI><A href="https://community.cisco.com/t5/networking-documents/cisco-ai-endpoint-analytics-deployment-guide/ta-p/4266702" target="_self">Endpoint Analytics</A></LI> <LI><A href="https://www.cisco.com/c/en/us/products/cloud-systems-management/industrial-network-director/index.html" target="_self">Industrial Network Director</A></LI> <LI><A href="https://www.cisco.com/c/en/us/products/security/cyber-vision/index.html" target="_self">Cybervision</A></LI> <LI><A href="https://www.cisco.com/go/stealthwatch" target="_self">Stealthwatch</A></LI> <LI><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216128-cisco-ise-ecosystem-partner-integration.html" target="_self">Cisco Security Technology Partners</A> (using pxGrid to share context-in)</LI> </UL> </LI> <LI>Analysis of ISE Endpoint attribute database - using Excel or EAT tool (<A href="https://iseeat.cisco.com" target="_self">iseeat.cisco.com</A>) - to build your own custom profiles</LI> <LI>Existing sources of truth that may either push to <A href="https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId--972098705" target="_self">ISE via REST APIs</A> or ISE may query (LDAP, SQL) for MAB authorization:<BR /> <UL> <LI>Network Tools</LI> <LI>CMDB</LI> <LI>Existing network inventory / asset management database</LI> <LI>Control Systems</LI> <LI>custom device registration systems</LI> </UL> </LI> <LI>ISE Device Registration Portal for BYOD devices</LI> <LI>Direct Inspection (trace the cable!)</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/107261iBADD13452AC86B7E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Thu, 25 Mar 2021 00:51:03 GMT https://community.cisco.com/t5/network-access-control/ise-prescriptive-guide-for-iot/m-p/4313494#M566410 thomas 2021-03-25T00:51:03Z