Solved: Monitor, Low-Impact, and Closed deployment phases

packetplumber9 · ‎11-12-2018

I have been reviewing the pro's and con's of each type of implementation of ISE, whether it is monitoring, low-impact, or a closed enforcement mode. So outside of the usual "It depends on your requirements", one consideration that management usually asks is "What are other organizations in our industry doing?" This is one piece of the puzzle that I can't find much information about, even just anecdotal.

So my question for those of you who have experience implementing ISE in multiple customer engagements, is how would you say the landscape looks in the last couple years? Once monitoring mode is up and running, how many organizations actually go low-impact or closed mode? How many implement posturing as well? I know each industry has their own threat models and compliance requirements but I would like to be able to at least ballpark estimate for example that say 10% of customers are in full closed mode with posturing, 50% low impact, and the rest stayed in monitoring phase.

Arne Bier · ‎01-09-2019

Hey @packetplumber9 - good questinon - have a look at a similar Forum question posted today.

View solution in original post

paul · ‎01-15-2019

We have been deploying ISE since 1.0 and we don't every use Low Impact mode (preauth ACLs) on the interfaces. We don't like dealing with ACL removal in the event ISE down. We talk to customers about:

Staying in open mode with no preauth ACL and being comfortable with the fact that a device will have 20-30 seconds of network access before ISE slams the door shut (i.e. your Dot1x timeout).
Moving to closed mode ultimately to remove the open network access for 20-30 seconds.

#1 has sort of become a moot point if you use CPL with simultaneous MAB and Dot1x. There is no longer a 20-30 second delay as MAB happens at the same time as Dot1x. I know Cisco is now saying this is not supported, but their original CPL documents still on CCO list this as a major benefit and we have many customers doing this.

It used to be we always went to closed mode, but in the past couple years I have had more customers accept the 20-30 seconds of open network access (with legacy template) and stay in open mode with no preauth ACL. This would be a similar model to ForeScout where their main method is to detect then restrict.

View solution in original post

Arne Bier · ‎01-09-2019

Hey @packetplumber9 - good questinon - have a look at a similar Forum question posted today.

Jason Kunst · ‎01-11-2019

@Arne Bier nice i have asked our PMs @yshchory @hariholla to take a look as well

Jason Kunst · ‎01-09-2019

i have asked our SMEs if they have anything like this. Maybe a gartner report.

yshchory · ‎01-14-2019

First and foremost, we need to bear in mind that the first two are actually milestones towards Closed mode. Theoretically I don't see value for staying at Low-Impact as a viable strategy.

I wonder if what you are actually asking (sorry if I sound like a politician on a news interview) is "which customers use the network for visibility only and which for both visibility and control (enforcement)". If that's the question then I'd say that on of the vanilla flavor "it depends", yet not only on the requirements.

I'd differentiate between three different types of customers here - the first and "easiest" to work with are ones that are really serious about their security, very much threat-focused and would strive to get to closed mode (and stay there) as soon as possible. There are also the "compliance-focused" customers that on one hand just need to be compliant (think healthcare, financial customers) - these would have a mix of visibility only on the admin network and some very specific control mechanisms on the networks where data under governance flows. The last one are more IoT / OT customers that are traditionally very much concerned about the impact of security on their day to day business. A city might need to comply with regulations when it comes to, say, water valve control networks (usually SCADA networks) so they really want visibility (only) and not control as they are just not ready to employ automatic systems that might disconnect the valves from the network, deeming the city dry.

So, a long answer, I'm not sure it fully helps - the statistics are totally different from one type of customer to another. But in any case, I do not believe that customers would actually have strategies to stay in monitor / low-impact modes but instead build a journey that has enforcement in them (in the first place) or not.

paul · ‎01-15-2019

We have been deploying ISE since 1.0 and we don't every use Low Impact mode (preauth ACLs) on the interfaces. We don't like dealing with ACL removal in the event ISE down. We talk to customers about:

Staying in open mode with no preauth ACL and being comfortable with the fact that a device will have 20-30 seconds of network access before ISE slams the door shut (i.e. your Dot1x timeout).
Moving to closed mode ultimately to remove the open network access for 20-30 seconds.

#1 has sort of become a moot point if you use CPL with simultaneous MAB and Dot1x. There is no longer a 20-30 second delay as MAB happens at the same time as Dot1x. I know Cisco is now saying this is not supported, but their original CPL documents still on CCO list this as a major benefit and we have many customers doing this.

It used to be we always went to closed mode, but in the past couple years I have had more customers accept the 20-30 seconds of open network access (with legacy template) and stay in open mode with no preauth ACL. This would be a similar model to ForeScout where their main method is to detect then restrict.