ISE Posture / Profiling for containers / „Windows Subsystem for Linux“ (WSL2).

carlo.taddei1
Level 1

Hi,

I would like to ask for experts' opinion on how to address the following design scenario:

We currently rely on Posture (AnyConnect-based) for NAC via ISE to grant endpoints access to our network (per VPN as well as WLC-based) based on a given set of conditions. This works flawlessly.

Our Development end user base (accessing our infrastructure upon Posture Compliant status) would also like to have the possibility to host containers / VMs (via the Windows 10 "Windows Subsystem for Linux") on the same endpoints that are postured via ISE for NAC.

Would the AnyConnect Posture Agent running locally on the Win 10 endpoint be capable of directly posturing those containers / VMs as well? I expect this not to be the case. Is there any roadmap from Cisco for AnyConnect + ISE aimed at addressing this issue? Or do I need to have an AnyConnect client (and a corresponding posture configuration on ISE) installed and running on each Linux VM in order to grant that VM network access?

Any additional suggestions or design guides to cope with this issue / requirement (from the network security and NAC perspective)?

Is there another Cisco endpoint security visibility and reporting product that perhaps covers specifically this scenario and integrates with ISE in terms of NAC for the VMs / containers running on an endpoint?

I would assume this to be nowadays a fairly common scenario / security requirement.

Thank you

1 Reply

Colby LeMaire
VIP Alumni

Quick and simple answer is that posture is not supported for Linux. It is supported for Windows and Mac OS, so if you run Windows or Mac OS within a VM, then you can posture the VM, assuming the VMs would have their own MAC address/IP address and not be NAT'd by the host OS. Containers are not a full OS and are more of an application instance.

With that said, I think you have to take a step back and look at your security policy as a whole. What are the risks that these containers/VMs pose to your environment? What is the worst that can happen? Perhaps it makes more sense to isolate development machines onto their own segment of the network and apply tighter controls at the network level, because developers won't have standard builds, I assume. And trying to enforce the installation of anti-virus or other packages in a development environment may not make sense and may negatively impact productivity.
With that said, I think you have to take a step back and look at your security policy as a whole.  What are the risks that these containers/VM's pose to your environment?  What is the worst that can happen?  Perhaps it makes more sense to isolate development machines onto their own segment of the network and apply tighter controls at the network level.  Because developers won't have standard builds I assume.  And trying to enforce the installation of anti-virus or other packages in a development environment may not make sense and may negatively impact productivity.