How best to segregate Cisco ISE on a flat corporate network

Hi,

I'm looking for a bit of advice regarding the segregation of our network after a recent security audit.


I am picking up the pieces on this project, so my information may be a bit light!

All our production servers and Windows domain are on the same flat network. After a recent network audit our comms team are requesting that we create a network behind a firewall and move Cisco ISE to the segregated network.

I am working with the Server infrastructure team and looking at how best this should be configured.


Should we:

Create a new domain on this segregated network, away from the corporate domain, that would then be able to manage administration logins for the Cisco ISE (other IT administration portals could also be moved off the corporate domain to the new segregated domain in due course). ISE would have access to the corporate domain through the firewall.

The idea here is that if the corporate domain was compromised, there would then be another layer of protection. As it stands, if the current corporate domain is compromised, everything on the domain could be compromised.

The new network might need to have holes in the firewall to allow access to our VMware environment, which would host the domain controller for the new network.


I'm sure that other companies may have done something similar; I'm just looking for a pointer in the right direction, or case studies where this may have taken place previously.

Thanks


2 Replies

balaji.bandi
Hall of Fame

You can deploy ISE in a different segment - ISE only does profiling of the users: where to connect and where not.

Make sure ISE is reachable from wherever the access devices can reach it, even though it is behind the DC FW, and make sure you have the recommended ports open for ISE to communicate with the other network devices to enforce the policies.

Good Live session:


https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-2132.pdf

Here is a planning guide for reference:


https://community.cisco.com/t5/security-documents/ise-amp-nac-community-resources/ta-p/3621621#Planning


BB


Thanks for the response, Balaji.

Good to know there should be no issue having it on a separate network as long as the firewall is opened for the specific ports and protocols that ISE needs to access devices on the other side of the firewall.

Thanks
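Balaji's point about opening the recommended ports, and the follow-up confirming that the firewall only needs the specific ports and protocols ISE uses, come down to a policy check that can be automated. As an added example (not from the thread or from Cisco), a small Python checker that walks a first-match firewall policy and reports which required ISE flows it does not permit; the port numbers, addresses and rules are constructed assumptions, to be confirmed against the ISE ports reference for your release.

```python
# Added example (not from the thread): check whether a firewall policy permits the
# flows a segregated ISE deployment needs. Port numbers are typical ISE/AD ports
# (assumption; confirm against the ISE port reference for your version); hosts,
# networks and rules are constructed samples.
from ipaddress import ip_address, ip_network

# Rule: (action, src_cidr, dst_cidr, proto, low_port, high_port); first match wins,
# implicit deny at the end. Flow: (name, src_ip, dst_ip, proto, dst_port).
def first_match(rules, flow):
    """Return the first rule matching the flow, or None for the implicit deny."""
    _, src, dst, proto, port = flow
    for rule in rules:
        action, r_src, r_dst, r_proto, lo, hi = rule
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_proto in ("any", proto) and lo <= port <= hi):
            return rule
    return None

def blocked_flows(rules, flows):
    """Names of required flows the policy does not permit (explicit or implicit deny)."""
    blocked = []
    for flow in flows:
        match = first_match(rules, flow)
        if match is None or match[0] != "permit":
            blocked.append(flow[0])
    return blocked

# Constructed sample: ISE in 10.20.0.0/24 behind the DC firewall, access switches in
# 10.10.0.0/16, corporate AD domain controllers in 10.1.1.0/24.
ISE, SWITCH, DC = "10.20.0.10", "10.10.5.2", "10.1.1.5"
REQUIRED = [
    ("radius-auth", SWITCH, ISE, "udp", 1812),   # NAD -> ISE
    ("radius-acct", SWITCH, ISE, "udp", 1813),
    ("tacacs+", SWITCH, ISE, "tcp", 49),
    ("radius-coa", ISE, SWITCH, "udp", 1700),    # ISE -> NAD, Cisco CoA port
    ("ad-kerberos", ISE, DC, "tcp", 88),         # ISE joined to the corporate domain
    ("ad-ldap", ISE, DC, "tcp", 389),
]
POLICY = [
    ("permit", "10.10.0.0/16", "10.20.0.0/24", "udp", 1812, 1813),
    ("permit", "10.10.0.0/16", "10.20.0.0/24", "tcp", 49, 49),
    ("permit", "10.20.0.0/24", "10.1.1.0/24", "tcp", 88, 88),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", 0, 65535),
]

if __name__ == "__main__":
    print("required flows blocked by policy:", blocked_flows(POLICY, REQUIRED))
```

With the sample policy the check reports the return path for CoA from ISE to the switches and LDAP to the domain controllers as blocked, which is the kind of gap that only shows up once ISE sits behind the firewall.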
