04-17-2020 12:12 AM
Hi,
I'm looking for a bit of advice regarding the segregation of our network after a recent security audit.
I am picking up the pieces on this project, so my information may be a bit light!
All our production servers and Windows domain are on the same flat network. After a recent network audit our comms team are requesting that we create a network behind a firewall and move Cisco ISE to the segregated network.
I am working with the server infrastructure team and looking at how best this should be configured.
Should we:
Create a new domain on this segregated network, away from the corporate domain, that would then be able to manage administration logins for Cisco ISE (other IT administration portals could also be moved off the corporate domain to the new segregated domain in due course). ISE would have access to the corporate domain through the firewall.
The idea here is that if the corporate domain were compromised, there would then be another layer of protection. As it stands, if the current corporate domain is compromised, everything on the domain could be compromised.
The new network might need to have holes in the firewall to allow access to our VMware environment, which would host the domain controller for the new network.
I'm sure that other companies may have done something similar; I'm just looking for a pointer in the right direction, or case studies where this may have taken place previously.
Thanks
04-17-2020 08:00 AM - edited 04-17-2020 08:01 AM
You can deploy ISE in a different segment; ISE only does the profiling of users, deciding where they can connect and where they cannot.
Make sure ISE is reachable from wherever the access devices are reachable, even though it is behind the DC FW, and make sure you have the recommended ports open for ISE to communicate with the other network devices to enforce the policies.
Good Live session:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-2132.pdf
Here is a planning guide for reference:
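The advice above boils down to one operational check: every flow ISE needs through the DC firewall must be covered by a permit rule. The following is an added example (not code from the thread or from Cisco) that turns that check into a small script: it takes a list of required flows and a list of firewall permit rules and reports any flow no rule covers. The subnets, rule set and the port list are constructed assumptions for illustration; the port numbers are the standard RADIUS, TACACS+, LDAPS, Kerberos and SMB ports, and the CoA port is assumed to be UDP 1700. Check the actual required ports against Cisco's ISE port reference for your release before relying on the list.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed example subnets (assumptions, not from the thread).
ACCESS_DEVICES = "10.10.0.0/16"   # switches / WLCs that authenticate users
ISE_NODES = "10.250.1.0/24"        # new segregated ISE segment behind the DC FW
DOMAIN_CONTROLLERS = "10.200.0.0/24"


@dataclass(frozen=True)
class Rule:
    """A firewall permit rule: src/dst are CIDRs, ports is an inclusive range."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    ports: tuple        # (low, high)


@dataclass(frozen=True)
class Flow:
    """One flow ISE depends on, expressed as a single src/dst/proto/port."""
    name: str
    src: str
    dst: str
    proto: str
    port: int


def rule_permits(rule: Rule, flow: Flow) -> bool:
    """True when the rule's protocol, port range and both CIDRs cover the flow."""
    low, high = rule.ports
    return (
        rule.proto == flow.proto
        and low <= flow.port <= high
        and ip_network(flow.src).subnet_of(ip_network(rule.src))
        and ip_network(flow.dst).subnet_of(ip_network(rule.dst))
    )


def missing_flows(rules: list, flows: list) -> list:
    """Return the names of required flows that no permit rule covers."""
    return [f.name for f in flows if not any(rule_permits(r, f) for r in rules)]


# Assumed required flows for an ISE deployment behind a firewall.
# Standard ports; the CoA port (UDP 1700) is an assumption to verify per release.
REQUIRED_FLOWS = [
    Flow("RADIUS auth", ACCESS_DEVICES, ISE_NODES, "udp", 1812),
    Flow("RADIUS acct", ACCESS_DEVICES, ISE_NODES, "udp", 1813),
    Flow("RADIUS CoA", ISE_NODES, ACCESS_DEVICES, "udp", 1700),
    Flow("TACACS+", ACCESS_DEVICES, ISE_NODES, "tcp", 49),
    Flow("LDAPS to AD", ISE_NODES, DOMAIN_CONTROLLERS, "tcp", 636),
    Flow("Kerberos to AD", ISE_NODES, DOMAIN_CONTROLLERS, "tcp", 88),
    Flow("SMB to AD", ISE_NODES, DOMAIN_CONTROLLERS, "tcp", 445),
]

# Constructed firewall rule set. It deliberately omits the return-path CoA
# flow and SMB, the two that are easiest to forget when only the
# "access devices -> ISE" direction is considered.
FIREWALL_RULES = [
    Rule(ACCESS_DEVICES, ISE_NODES, "udp", (1812, 1813)),
    Rule(ACCESS_DEVICES, ISE_NODES, "tcp", (49, 49)),
    Rule(ISE_NODES, DOMAIN_CONTROLLERS, "tcp", (636, 636)),
    Rule(ISE_NODES, DOMAIN_CONTROLLERS, "tcp", (88, 88)),
]


def report(rules: list = None, flows: list = None) -> list:
    """Run the check against the constructed data and return the gaps."""
    gaps = missing_flows(rules or FIREWALL_RULES, flows or REQUIRED_FLOWS)
    for name in gaps:
        print(f"NOT PERMITTED: {name}")
    return gaps


if __name__ == "__main__":
    report()
```

Run as-is, the script flags the RADIUS CoA flow (ISE back to the access devices) and SMB to the domain controllers as not permitted, which is exactly the kind of gap that leaves authentication working but change-of-authorization and the AD join silently broken once ISE is moved behind the firewall.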
04-27-2020 06:59 AM
Thanks for the response, Balaji.
Good to know there should be no issue having it on a separate network, as long as the firewall is opened for the specific ports and protocols that ISE needs to access devices on the other side of the firewall.
Thanks