Network Access Control and cloud

Rafael Jimenez · ‎05-22-2020

I have a customer that start the journey to the cloud two years ago.

The solution for the perimeter, ISE was selected.

Now after the covid-19, 90% of the workers will continues as teleworker.

60% of the apps are SaaS including office 365.

Today, they don´t see the value of the ISE and the project is in standby.

My question is: is a NAC like ISE still a valid solution if today the perimeter doesn´t exits anymore?.

Thanks

Damien Miller · ‎05-22-2020

This is very much opinion but here are a few things to think about.

In your scenario there are still 10% of workers that go in to an office. This means there are still offices and enterprise ports that can be exploited, ISE can still be used here.

The other initiative I have seen taking off is the concept of remote access points. Remote access points build a VPN tunnel into an enterprise headend, these have both wired ports and enterprise WLANs on them. This extends the footprint of the enterprise network in to the home, even more reason to leverage ISE for visibility and enforcement. You certainly want to know what is coming on the network in this scenario.

Another consideration could be the 40% of those apps that aren't public cloud/SaaS likely sit in enterprise private/hybrid data centers and require users or machines to VPN in. ISE can be leveraged to authenticate employees and their devices whether they are BYOD or enterprise owned. You can leverage posture assessments to ensure they meet the security policies of the enterprise, and you can grant varying levels of access based on this.

Ping Zhou · ‎05-23-2020

For teleworkers, we are using ISE with 3rd party Firewalls that have WiFi interfaces. Teleworkers use WiFi interfaces to access the corporate resource which are NACed by ISE, just RADIUS / EAP-TLS over WiFi.

thomas · ‎05-26-2020

Please see Cisco's approach to Zero Trust @ https://cisco.com/go/zerotrust which will address your question at an architectural level.

ISE is a AAA server for network users (RADIUS) and network devices (TACACS), wherever they are.

VPN: users may now be at home now instead of the office but most likely will still need to securely connect for some apps via VPN using AnyConnect to ISE for authentication and potentially posture. ISE is licensed by active endpoints regardless of where/how they are connected: wired, wireless or VPN.
Wired: do you still have buildings? Do they still have IP phones? Printers? Network attached TVs or projectors? How about IOT devices in the form of elevators, thermostats, RFID/badge readers, surveillance, PoE-anything, etc.? You will probably want to ensure all access via those ports is authenticated and authorized appropriately via ISE and potentially profiled to minimize your threat surface.
Wireless: If you still have buildings you probably still have wireless. The first thing you do when deploying wireless is enterprise RADIUS-based authentication with ISE. You may have fewer employees in the office but you may still need to have wireless access for your guests which is also provided by ISE. And since your employees are more mobile than ever and probably using whatever device is convenient you'll want to have MDM on those devices before they get full access to your corporate data wherever it lives. MDM enforcement of MDM is also done with ISE.
CVO (Virtual Office): essentially a micro-branch whether with some combination of router, AP, and/or switch. You still want to authenticate your users - and their devices connecting to your CVO in their home - before allowing access to your infrastructure.
Network Infrastructure: as long as you still have any of the above, you will need to authenticate your network admins - or scripts/tools - for SSH/CLI access to audit who did what, when and where.

So, yes, still quite valid.