topic Re: Access-list (ACL) configuration for ISE PSN in Network Security

Access-list (ACL) configuration for ISE PSN

Suzukikoki — Mon, 26 Jun 2023 07:33:59 GMT

I am following the URL below for ISE Hardening, but I am having trouble finding the settings to meet the following requirements.

https://community.cisco.com/t5/security-knowledge-base/ise-security-best-practices-hardening/ta-p/3640651

<Requirement>
"Configure ACLs that require ISE PSN access to specific ports (8443, 8905, etc, versus ip or tcp any any)."

For IP, I can filter by Administration ==> Admin Access ==> Settings ==> Access ==>IP Access from the GUI, but I cannot specify even the Port number.

I tried to configure it with ACLs as described in the requirements, but the CLI did not appear to have ACL settings.

If anyone knows of a setting, either GUI or CLI, that would allow only a specific Port (a setting that meets the requirements), please let me know.

Re: Access-list (ACL) configuration for ISE PSN

Marius Gunnerud — Mon, 26 Jun 2023 12:53:12 GMT

The only way I know of for restricting access to the ISE on a port or protocol basis is by placing a firewall or router with ZBFW between the admin PC and the ISE.

Re: Access-list (ACL) configuration for ISE PSN

Aref Alsouqi — Mon, 26 Jun 2023 17:06:05 GMT

Those ports would be used in the guest traffic flow, the 8443/tcp would be the default port for the guest portal, and the 8905/tcp port would be for client provisioning, so I agree with @Marius Gunnerud , that seems to be referred as a general rule in case there is a security device in between ISE and the endpoint, but I think @Jason Kunst can add more on this.

Re: Access-list (ACL) configuration for ISE PSN

Suzukikoki — Tue, 27 Jun 2023 01:20:55 GMT

Hi @Marius Gunnerud
Thank you for your response.
Thank you for the very helpful information. Am I correct in assuming that ISE does not support Port-based ACLs?

Re: Access-list (ACL) configuration for ISE PSN

Suzukikoki — Tue, 27 Jun 2023 01:25:44 GMT

Hi @Aref Alsouqi

Thank you for your response.
This is the same additional question as above, but am I correct in assuming that Port-based ACLs are not supported by ISE itself?

We are currently configuring it in the relaying FW, but if it is supported in ISE itself, we may be pointed out to configure it, since double blocking is considered to be stronger security.

Re: Access-list (ACL) configuration for ISE PSN

Ambuj M — Tue, 27 Jun 2023 01:56:51 GMT

Port based ACLs are supported but not the way you are trying between PSNs, when you configure dynamic ACL you can configure specific ports to permit or deny.

The example of best practices point you are referring to means be as precise as you can when configuring ACL.For example when you configure redirect ACL.

you can write option1 as

deny udp any eq bootpc <dhcp serverIP> eq bootps

deny udp any <dns server IP> eq domain

deny tcp any host <ISE SERVER(S) IP ADDRESS> eq 8443

permit tcp any any eq 443

permit tcp any any eq 80

Option 2

deny ip any <DHCP Server IP>

deny udp any any eq domain

deny ip any host <ISE SERVER(S) IP ADDRESS>

permit ip any any

both will work but option 1 is more precise, you should try to make it as precise as possible to get the job done.

Re: Access-list (ACL) configuration for ISE PSN

Suzukikoki — Tue, 27 Jun 2023 02:28:39 GMT

Hi @Ambuj M
Thank you for your response.
I see that it is supported.

I just tried it and the command deny does not seem to exist in config mode.

Do you know what the command would be if we were to implement it from the CLI? Also, is it not possible to configure it in the GUI?

Re: Access-list (ACL) configuration for ISE PSN

Ambuj M — Tue, 27 Jun 2023 03:20:13 GMT

if you don’t mind can you state clearly what is the end goal you are trying to achieve?

Re: Access-list (ACL) configuration for ISE PSN

Suzukikoki — Tue, 27 Jun 2023 04:11:46 GMT

Hi @Ambuj M

Sorry for the lack of clarity.
Company policy requires the following requirements to be met by ISE, but I am being asked if the FW settings alone are sufficient security measures.

https://community.cisco.com/t5/security-knowledge-base/ise-security-best-practices-hardening/ta-p/3640651

Even if we say that we are taking countermeasures with FW, we are making this inquiry because we have to explain the basis on which the FW countermeasures are sufficient.

If it is clear that ISE does not provide support, we can explain that the only way is to use FW countermeasures, but if they do provide support, we need to explain why we do not configure them.

Re: Access-list (ACL) configuration for ISE PSN

Marius Gunnerud — Tue, 27 Jun 2023 07:26:00 GMT

This really depends on what you mean when you say "does not support Port-based ACLs". It does support port based ACLS for dACL that is pushed to switches to control access. But for management access to the ISE itself this is not supported within the ISE configuration. to restrict access to the ISE based on ports, you would need to use a firewall to perform this restriction.

Re: Access-list (ACL) configuration for ISE PSN

Ambuj M — Tue, 27 Jun 2023 11:05:16 GMT

if you are trying to restrict communication between ise nodes then as Marius mentioned in beginning there has to be some firewall between nodes where you allow only port required for ise to communicate, here are the ports used between different nodes.

Re: Access-list (ACL) configuration for ISE PSN

Aref Alsouqi — Tue, 27 Jun 2023 11:24:45 GMT

As already mentioned by the others, ISE doesn't support restricting the accesses to itself based on ports. The ports shown on the link you provided are used for the guest and client provisioning. There is no such thing on ISE to say allow accesses to port 8443 only from this subnet or IPs. This takes to @Marius Gunnerud original response, this could be done on a security device setting in the middle between the endpoints and ISE.

The downloadable ACLs (dACLs) are the access lists that you push to the network devices for enforcement, for example, if you are doing posture assessment you can push a dACL restricting the traffic to everything with the exception for a remediation portal where the non compliance endpoints could connect and download the latest antimalware patches, but again those won't be applied to the traffic destined to ISE itself.