Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
3
Replies

Cisco ISE - host isolation options

Script Kiddie
Level 1
Level 1

‎11-20-2023 11:54 AM

Dear community,

I'm ISE beginner, and my task is to design isolation options on ISE.

What I tried:
I've been reading that adaptive network control (ANC) can be great option, so I tried it with Access-Reject option - this didn't work as most of our deployments are in "Monitor" mode instead of "Close".

Then I tried dACL but I don't think that is the most reliable option.

My idea is to quarantine host the most secure way and at the same time, the easiest way to implement.
Criteria are that host should not be able to communicate with any other host (not even in the same VLAN).

Furthermore, in time I would like to create more granular isolation options like:

  • Host is not able to communicate anywhere (not even to peers on VLAN).
  • Host is only able to communicate with CLOUD so antivirus can periodically report host status.
  • etc.

Worth to mention is that we have option to use SGT. However, I'm not sure if all locations support it now.

So summarize my question based on information I've provided, what will be the most secure and best effort option to simply isolate the host? 

Thanks!

0 Helpful
3 Replies 3

Arne Bier
VIP
VIP

‎11-20-2023 12:29 PM

Sounds like you want Cisco TrustSec (CTS) You can either hand craft it yourself, or if you're serious and have the $$$, then get a DNAC and build yourself an SDA solution. SDA is the best solution for micro-segmentation (CTS) and macro-segmentation (Virtual Networks ... aka VRFs)

0 Helpful

Script Kiddie
Level 1
Level 1
In response to Arne Bier

‎11-21-2023 01:20 AM - edited ‎11-21-2023 01:41 AM

Hello, thanks for the answer.
Indeed we have SDA on some locations, but I would need to understand it more as its handled by our network team.
But to not complicate things at first, I can split it into 3 goals:

1. What will be initially the best way to isolate the host? Is it SGT/dACL/Isolated VLAN, etc? 
- I was thinking about dACL since its easy via ANC and also it doesn't require additional configuration on switches. We have L2 switches that by my understanding dispose with TCAM, so should be able to process it. What do you think?
2. Then the second goal will be granular isolation, SGT?
3. Third goal is microsegmentation.

Can you advise me with #1?

0 Helpful

Arne Bier
VIP
VIP
In response to Script Kiddie

‎11-21-2023 02:36 PM

Why do you think dACL is not the most reliable option? Have to tried sending a dACL that just does 'deny ip any any" ? Does that still allow peer-to-peer communication? I think if you want to get granular, then SGTs are required.  Perhaps others have a smarter idea

0 Helpful
Customers Also Viewed These Support Documents