
ISE Security Best Practices (Hardening)


 

Secure Development

ISE follows the Cisco Secure Development Lifecycle (CSDL) Process.

 

Vulnerability Testing

As part of CSDL, ISE undergoes vulnerability testing.  This involves both industry-standard testing tools and custom testing targeted at the product's functionality.  Some of the industry-standard tools used are:

  • IBM AppScan
  • Codenomicon
  • Retina
  • Nessus
  • SkipFish


When is testing completed?

Testing is completed on releases that introduce new features, for example ISE 2.1. Patch releases are not subjected to vulnerability testing because patches do not introduce new features; instead, patches fix reported PSIRTs.

 

ISE Hardening and Security Best Practices

General

Follow the Cisco Prime Infrastructure Admin Guide wherever applicable. In summary, the underlying OS is based on Red Hat Linux, but access to the underlying OS is not provided. Only the required ports are open; the rest are closed through a firewall. Vulnerability testing is also performed, and ISE follows the Cisco Secure Development Lifecycle (CSDL) process.

 

There is no official hardening document, but here are some items compiled from a previous request:

  • Upgrade to current patch levels.
  • Use of strong password policies for CLI and Web UI.  (complexity, expiry, history, etc.)
  • Differentiated access for admins, each with own account whether local or via external ID store.
  • Policy of least privileges
  • Do not use superadmin account for daily maintenance.
  • Restrict console access and admin web access by configuring the access restriction under Administration > System > Admin Access; LHS: Settings
  • Disable SSH for higher security, or per above, update access restrictions for SSH access.
  • Update pre-and post-banner config for admin
  • Implement the ISE 1.2 connection limit settings via the CLI to set the maximum number of TCP connections and the TCP/UDP/ICMP packet rates.
  • Configure ACLs that require ISE PSN access to specific ports (8443, 8905, etc, versus ip or tcp any any)
  • Enable FIPS to enforce higher security algorithms
  • Review internal user accounts and disable those not in use
  • Limit access returned for health probe accounts used by access devices and load balancers.
  • Deploy unique certs per node versus wildcard certs for higher security
  • Deploy firewalls and other security devices that restrict access to nodes to required operational ports.
  • Use of offline updates for posture and agent files is more secure than live access which requires direct Internet access; firewalls and proxy as compensating controls.
  • Use separate, dedicated interfaces for management and user services (new to 1.2)
  • Secure store used for backup files, support bundles, log files, and associated encryption keys.

 

 

Underlying Operating System (OS)

Customers do not have direct access to the OS.

Version Underlying OS
ISE 1.2 Redhat Enterprise Linux (RHEL) 5.8 x86_64 running ADE-OS 2.0.5.250
ISE 1.3 RHEL 6.4 x86_64 ADE-OS 2.2.0.162
ISE 1.4 RHEL 6.4 x86_64 ADE-OS 2.2.0.421
ISE 2.0 RHEL 6.4 x86_64 ADE-OS 2.3.0.187
ISE 2.0.1 RHEL 7.1 x86_64 ADE-OS 2.4.0.147
ISE 2.1 RHEL 7.1 x86_64 ADE-OS 3.0.0.202

 

Main 3rd Party Components

As of ISE 2.0.0.306 (ISE 2.0 FCS):

  • Apache Tomcat/8.0.23
  • Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

 

Ports Used in ISE

The Cisco ISE Ports Reference for each version of ISE details all of the network ports and their uses.

 

Connection and Rate Limiting

ISE 1.2 introduces two independent types of network limits:

  • Connection Limits.
    • Limit TCP connections.
  • Rate Limits.
    • Limit packet rate to average number of packets per second.
    • Applied to TCP, UDP and ICMP.

Network Limit Notes:

  • Enhances security by limiting connections from known addresses
  • Mitigates DoS attacks by limiting connections and floods
    • Remote addresses may be spoofed so beware
  • Limits operate at the firewall (iptables) level
    • Not traffic shaping
    • No indication when limit reached
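The two limit types above behave differently under load, and because they drop silently it helps to model them before sizing them. The following is an added example, not Cisco's code and not the ISE implementation (ISE applies its limits through iptables): a token bucket models the average packets-per-second limit with a burst allowance, and a per-source counter models the concurrent TCP connection cap. The packet timeline and connection events are constructed inline.

```python
"""Simulation of an average packet-rate limit and a per-source TCP connection limit.

Added example, not Cisco's code. It models the observable behaviour of the two
independent ISE network limits so a defender can reason about burst sizing:
packets beyond the allowance are dropped with no signal, matching the note above
that there is no indication when a limit is reached.
"""
from collections import Counter


class TokenBucket:
    """Average packets-per-second limit with a burst allowance (iptables-limit style)."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate = float(rate_pps)
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # timestamp of the previous packet

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                 # silently dropped


class ConnectionLimit:
    """Cap on concurrent TCP connections per source address."""

    def __init__(self, max_per_source: int):
        self.max = max_per_source
        self.open = Counter()

    def connect(self, src: str) -> bool:
        if self.open[src] >= self.max:
            return False             # refused, no feedback to the client
        self.open[src] += 1
        return True

    def close(self, src: str) -> None:
        if self.open[src] > 0:
            self.open[src] -= 1


def simulate_rate_limit(timestamps, rate_pps, burst):
    """Return (accepted, dropped) for packets arriving at the given times (seconds)."""
    bucket = TokenBucket(rate_pps, burst)
    accepted = sum(1 for t in timestamps if bucket.allow(t))
    return accepted, len(timestamps) - accepted


def simulate_conn_limit(events, max_per_source):
    """events: list of ("open"|"close", src). Return the number of refused opens."""
    limiter = ConnectionLimit(max_per_source)
    refused = 0
    for kind, src in events:
        if kind == "open":
            if not limiter.connect(src):
                refused += 1
        else:
            limiter.close(src)
    return refused


if __name__ == "__main__":
    # Constructed flood: 100 packets at once, then 12 more one second later.
    flood = [0.0] * 100 + [1.0] * 12
    print("rate limit 10 pps, burst 20 ->", simulate_rate_limit(flood, 10, 20))
    # Constructed connection events from two constructed source addresses.
    events = [("open", "10.0.0.1")] * 4 + [("close", "10.0.0.1"),
              ("open", "10.0.0.1"), ("open", "10.0.0.2")]
    print("refused connects with max 3 per source ->", simulate_conn_limit(events, 3))
```

Because the per-source cap keys on the remote address, a sender using spoofed addresses spreads across many counters, which is the caveat the notes above make; the rate limit, being global, still bounds the aggregate.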

Certificates in ISE

SSL/TLS CipherSuite in ISE

SSH

ISE 2.0
  • aes256-cbc
  • aes128-cbc

ISE 1.3 / 1.4
  • aes256-cbc
  • aes128-cbc
  • 3des-cbc


Web Portals

ISE 1.2

Supports TLS 1.0, 1.1, 1.2

== 443 (ISE web admin)
(TLS 1.1 and 1.2 only, but no TLS 1.0)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

== 8443 (ISE guest)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

== 9060 (ISE ERS)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

== 9002 (ISE sponsor “managed account”)
(TLS 1.1 and 1.2 only, but no TLS 1.0)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

== 8905 (ISE client provisioning and posture)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

== 8910 (ISE pxGrid session bulk download; client certificate required)
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

ISE 1.3 and 1.4

(supports TLS 1.0 only)

== 443 (ISE web admin)
  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

== 8443 (ISE guest)
  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

== 9060 (ISE ERS)
  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

== 9002 (ISE sponsor “managed account”)
  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

== 8905 (ISE client provisioning and posture)
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

== 8910 (ISE pxGrid session bulk download; client certificate required; ISE 1.4 and above)
  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA


------------

 

XMPP

 

Port TCP 5222

  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA

 

EAP

 

EAP Ciphers in ISE versions

 

ISE 1.3/1.4                      ISE 2.0                            FIPS
EAP-TLS, PEAP                    EAP-TLS, PEAP, (EAP-TTLS)
                                 DHE_RSA_WITH_AES_256_SHA256
                                 DHE_RSA_WITH_AES_128_SHA256
RSA_WITH_AES_256_SHA             RSA_WITH_AES_256_SHA
RSA_WITH_AES_128_SHA             RSA_WITH_AES_128_SHA
                                 RSA_WITH_AES_256_SHA256
                                 RSA_WITH_AES_128_SHA256
DHE_RSA_WITH_AES_256_SHA         DHE_RSA_WITH_AES_256_SHA
DHE_RSA_WITH_AES_128_SHA         DHE_RSA_WITH_AES_128_SHA
RSA_DES_192_CBC3_SHA             (added back in ISE 2.0 Patch 2)
DHE_DSS_WITH_AES_256_SHA         (added back in ISE 2.0 Patch 2)
DHE_DSS_WITH_AES_128_SHA         (added back in ISE 2.0 Patch 2)
EDH_RSA_DES_192_CBC3_SHA         (added back in ISE 2.0 Patch 2)
EDH_DSS_DES_192_CBC3_SHA         (added back in ISE 2.0 Patch 2)
RSA_RC4_128_SHA                  (added back in ISE 2.0 Patch 2)    non-FIPS
RSA_RC4_128_MD5                  (added back in ISE 2.0 Patch 2)    non-FIPS
EDH_RSA_DES_64_CBC_SHA*          (added back in ISE 2.0 Patch 2)    non-FIPS
EDH_DSS_DES_64_CBC_SHA*          (added back in ISE 2.0 Patch 2)    non-FIPS

EAP-FAST                         EAP-FAST
                                 DHE_RSA_WITH_AES_256_SHA256
                                 DHE_RSA_WITH_AES_128_SHA256
                                 RSA_WITH_AES_256_SHA256
                                 RSA_WITH_AES_128_SHA256
                                 DHE_RSA_WITH_AES_256_SHA
DHE_RSA_WITH_AES_128_SHA         DHE_RSA_WITH_AES_128_SHA
RSA_WITH_AES_256_SHA             RSA_WITH_AES_256_SHA
RSA_WITH_AES_128_SHA             RSA_WITH_AES_128_SHA
RSA_RC4_128_SHA                  (added back in ISE 2.0 Patch 2)    non-FIPS

EAP-FAST anon provisioning       EAP-FAST anon provisioning
ADH_WITH_AES_128_SHA             ADH_WITH_AES_128_SHA

  • CSCux27365 added back the ciphers removed in ISE 2.0 FCS.
  • (*) EDH_RSA_DES_64_CBC_SHA and EDH_DSS_DES_64_CBC_SHA are theoretically supported but will practically never be negotiated due to cryptographic restrictions.

 

 

ISE 2.1

 

TLS 1.0/1.1/1.2 are supported

 

EAP-TLS, PEAP, EAP-FAST, EAP-TTLS

  • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • DHE_DSS_WITH_AES_128_GCM_SHA256
  • DHE_DSS_WITH_AES_256_GCM_SHA384
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE_ECDSA_WITH_AES_128_SHA256
  • ECDHE_ECDSA_WITH_AES_256_SHA384
  • ECDHE_RSA_WITH_AES_128_SHA256
  • ECDHE_RSA_WITH_AES_256_SHA384
  • RSA_WITH_AES_256_SHA256
  • DHE_RSA_WITH_AES_128_SHA256
  • RSA_WITH_AES_256_SHA256
  • RSA_WITH_AES_128_SHA256
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA

 

ISE 2.0

All these ciphers can be used with TLS 1.0 and TLS 1.1/1.2.

EAP-TLS, PEAP, EAP-FAST, EAP-TTLS

  • DHE_RSA_WITH_AES_256_SHA256
  • DHE_RSA_WITH_AES_128_SHA256
  • RSA_WITH_AES_256_SHA256
  • RSA_WITH_AES_128_SHA256
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA

 

ISE 2.0 Patch 2 added back the ciphers below:

  • RSA_DES_192_CBC3_SHA
  • DHE_DSS_WITH_AES_256_SHA
  • DHE_DSS_WITH_AES_128_SHA
  • EDH_RSA_DES_192_CBC3_SHA
  • EDH_DSS_DES_192_CBC3_SHA
  • RSA_RC4_128_SHA
  • RSA_RC4_128_MD5
  • EDH_RSA_DES_64_CBC_SHA
  • EDH_DSS_DES_64_CBC_SHA

 

EAP-FAST anonymous provisioning

  • ADH_WITH_AES_128_SHA

 

 

ISE 1.4/1.3

 

  • TLS 1.0 only
  • If FIPS mode enabled, DES and RC4 ciphers are gone.

 

EAP-TLS, PEAP

 

  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_DES_192_CBC3_SHA                                  
  • DHE_DSS_WITH_AES_256_SHA
  • DHE_DSS_WITH_AES_128_SHA
  • EDH_RSA_DES_192_CBC3_SHA
  • EDH_DSS_DES_192_CBC3_SHA
  • RSA_RC4_128_SHA
  • RSA_RC4_128_MD5
  • EDH_RSA_DES_64_CBC_SHA*
  • EDH_DSS_DES_64_CBC_SHA*

(*) EDH_RSA_DES_64_CBC_SHA and EDH_DSS_DES_64_CBC_SHA are theoretically supported but will practically never be negotiated due to cryptographic restrictions.

 

 

EAP-FAST

 

  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_RC4_128_SHA

 

EAP-FAST anonymous provisioning

  • ADH_WITH_AES_128_SHA
 

 

ISE 1.2 or prior (Web Portals)


Supports TLSv1.0 only. SSLv2 ClientHello is no longer allowed since ISE 1.2 Patch 13, which carries the fix for CSCur29078 (ISE: evaluation of SSLv3 POODLE vulnerability).

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA (SSLv3) or TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLSv1)
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA (SSLv3) or TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLSv1)
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA (added for 1.2)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA (added for 1.2)
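The suite lists in this section mix two naming styles (the IANA/Java style used for EAP and the OpenSSL style used for the web portals) and include suites the page itself marks non-FIPS or notes disappear in FIPS mode. The following is an added example, not Cisco's code and not how ISE evaluates suites: a small audit helper that normalises both name styles and flags the properties a hardening review looks for (anonymous key exchange, missing forward secrecy, RC4, single DES, 3DES, MD5), then groups a list into disable / legacy / ok. The constructed input is the ISE 1.3/1.4 EAP-TLS/PEAP list from above; the verdict thresholds are the example's own choices.

```python
"""Cipher-suite hygiene check over lists like the ones on this page.

Added example, not Cisco's code. Accepts both spellings seen here,
DHE_RSA_WITH_AES_256_SHA256 (IANA/Java) and DHE-RSA-AES256-SHA256 (OpenSSL).
"""

WEAK_CIPHER_TOKENS = {"RC4", "RC2", "NULL", "EXPORT", "EXP"}
PFS_TOKENS = {"DHE", "EDH", "ECDHE"}
ANON_TOKENS = {"ADH", "AECDH", "ANON"}
TRIPLE_DES_TOKENS = {"3DES", "CBC3", "EDE"}


def tokenize(name: str) -> list:
    """Normalise either naming style into a list of upper-case tokens."""
    n = name.strip().rstrip("*").upper().replace("-", "_")
    for prefix in ("TLS_", "SSL_"):
        if n.startswith(prefix):
            n = n[len(prefix):]
    return [t for t in n.split("_") if t and t != "WITH"]


def audit_suite(name: str) -> dict:
    """Classify one suite; verdict is 'disable', 'legacy' or 'ok'."""
    t = tokenize(name)
    s = set(t)
    issues = []
    anonymous = bool(ANON_TOKENS & s)
    pfs = bool(PFS_TOKENS & s)
    if anonymous:
        issues.append("anonymous key exchange (no server authentication)")
    if WEAK_CIPHER_TOKENS & s:
        issues.append("broken or export-grade bulk cipher")
    # Single DES is "DES" without any 3DES marker (192-bit key, CBC3, EDE, 3DES).
    if "DES" in s and not (TRIPLE_DES_TOKENS & s or "192" in s):
        issues.append("single DES (56-bit)")
    elif "DES" in s or TRIPLE_DES_TOKENS & s:
        issues.append("3DES (64-bit block, legacy)")
    if "MD5" in s:
        issues.append("MD5 MAC")
    if not pfs and not anonymous:
        issues.append("static key exchange (no forward secrecy)")

    if anonymous or "MD5" in s or any(i.startswith(("broken", "single")) for i in issues):
        verdict = "disable"
    elif issues:
        verdict = "legacy"
    else:
        verdict = "ok"
    return {"suite": name, "pfs": pfs, "anonymous": anonymous,
            "issues": issues, "verdict": verdict}


def audit(names) -> dict:
    """Return {verdict: [suite names]} for a whole list, preserving order."""
    groups = {"disable": [], "legacy": [], "ok": []}
    for n in names:
        groups[audit_suite(n)["verdict"]].append(n)
    return groups


# Constructed input: the ISE 1.3/1.4 EAP-TLS/PEAP list from this page.
ISE_13_EAP_SUITES = [
    "RSA_WITH_AES_256_SHA", "RSA_WITH_AES_128_SHA",
    "DHE_RSA_WITH_AES_256_SHA", "DHE_RSA_WITH_AES_128_SHA",
    "RSA_DES_192_CBC3_SHA", "DHE_DSS_WITH_AES_256_SHA",
    "DHE_DSS_WITH_AES_128_SHA", "EDH_RSA_DES_192_CBC3_SHA",
    "EDH_DSS_DES_192_CBC3_SHA", "RSA_RC4_128_SHA", "RSA_RC4_128_MD5",
    "EDH_RSA_DES_64_CBC_SHA*", "EDH_DSS_DES_64_CBC_SHA*",
]

if __name__ == "__main__":
    for verdict, suites in audit(ISE_13_EAP_SUITES).items():
        print(f"{verdict:8s}", ", ".join(suites))
```

Run against the list, the four RC4 and single-DES suites land in "disable", which agrees with the page's own non-FIPS marking, the static-RSA and 3DES suites land in "legacy", and only the DHE AES suites pass clean. Feeding the same function the OpenSSL-style portal list works unchanged because of the normalisation step.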

 

 

 

Government Certifications

Global Certification (image: GlobalCertifications_ISE_2016-05-31.png)

FIPS

Cryptographic modules are FIPS approved.  They undergo a self-test when initialized.

Product: Cisco Identity Services Engine (ISE) 1.1
  Cryptographic Acceleration Module: Cisco Common Cryptographic Module (C3M) (FIPS 140-2 Cert#1643), Cisco Secure Access Control Server (ACS) and FIPS module Network Services (NSS) (FIPS 140-2 Cert#1497)
  Security Level: FIPS Level 1
  Software Versions: ISE 1.1
  Certificate or Compliance Letter: Compliance Letter

Product: Cisco Identity Services Engine (ISE) 1.2
  Cryptographic Acceleration Module: Cisco Common Cryptographic Module (C3M) (FIPS 140-2 Cert#1643), and the Network Services (NSS) Cryptographic Module (FIPS 140-2 Cert#815)
  Security Level: FIPS Level 1
  Software Versions: ISE 1.2
  Certificate or Compliance Letter: Compliance Letter

 

Common Criteria

 

 
Product: Cisco Identity Services Engine (ISE) 1.2
  PP Compliance: N/A
  Evaluation Assurance Level: Network Device Protection Profile
  Targeted Image: 1.2
  Estimated Completion: Q3CY2013

 

DISA

  1. Go to http://www.disa.mil/Services/Network-Services/UCCO
  2. Select “Common Criteria Certified Products List”; this brings you to the following page: http://www.commoncriteriaportal.org/products.html
  3. Select “Download CSV”.
  4. In the downloaded xls spreadsheet, search for “Cisco Identity Services Engine (ISE) v1.2”.
  5. On line 1754 you should see that ISE is listed on the certified products list. (This line number may change as products are added to or removed from the certified products list.)

 

EAL

EAL (Evaluation Assurance Level) is an aspect of Common Criteria evaluation.  Previously, EAL was categorized by numeric levels. The new EAL categorization is based on protection profiles.  We are certifying against the Network Device Protection Profile version 1.1 (NDPP 1.1).
 

NERC

We don't have any existing special compliance effort planned towards the NERC standard.
Please reach out to Kevin Gagnon and Paul Forbes Bigbee on this request.
 

NIST

US NIST SP 800-88 Compliance, included in ISE 1.3 install guide
 

PSIRT Issues and Vulnerabilities

ISE security issues are communicated through Cisco PSIRT.


FAQs

Security / Separation of ISE Portals and ISE internal DB

 

How is information encrypted in ISE for local Identity Storage?

  • The UNIX/Linux passwords for ISE CLI admin and oracle are SHA-256 hashed since ISE 1.3. Prior to ISE 1.3 we used MD5 for hashing CLI passwords.
  • Oracle db users' passwords are in Oracle wallet
  • ISE 1.2 internal users' passwords are encrypted using block cipher mode CBC with AES algorithm and base64-encoded. This will change for ISE 1.5.  In ISE 1.5 we plan to use SHA-256 for hashing internal administrator passwords.  This is tracked with user story US10854
  • Only the ISE CLI admin users' passwords in MD5 hash are viewable as part of ISE CLI running-config. The other files are not normally accessible.

 

How is the user database encrypted?

ISE has ID stores for ISE internal (aka NA) users, admin users, and guest users, which are stored in Oracle db tables, but not user databases per se.
ISE 1.2+ encrypts passwords using the AES algorithm in block cipher mode CBC and then base64-encodes the result before storing it in the database. Please note that ISE admin users do not have direct access to the database in normal operations.
 

Does ISE use SALT?

Taken from Wikipedia, “… In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. …

 

ISE does not always use a salt. IIRC, the passwords of internal admin users are salted, but those of the internal NA users are not. See Encryption for TACACS+ user passwords i... - Cisco Community
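To make the salt question concrete, here is an added example; it is not Cisco's code and it does not describe how ISE stores passwords, only the general property the question is about. Two constructed accounts share a password. With an unsalted SHA-256 their stored values are identical, so anyone who can read the table learns they share a password and can attack both with one precomputed table; with a random per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256, the example's own choice) the stored values differ and each guess has to be recomputed per user.

```python
"""Why a per-user salt matters for a password store (added example, not Cisco's code)."""
import hashlib
import secrets
from collections import defaultdict

ITERATIONS = 100_000  # example's own choice; tune to the deployment's CPU budget


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes = None) -> tuple:
    """Return (salt, hex digest) using PBKDF2-HMAC-SHA256 with a 16-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return secrets.compare_digest(candidate, stored_hex)


def build_store(users: dict, salted: bool) -> dict:
    """users: {name: password}. Returns {name: {"salt": hex|None, "hash": hex}}."""
    store = {}
    for name, pw in users.items():
        if salted:
            salt, h = hash_salted(pw)
            store[name] = {"salt": salt.hex(), "hash": h}
        else:
            store[name] = {"salt": None, "hash": hash_unsalted(pw)}
    return store


def shared_password_groups(store: dict) -> list:
    """Groups of users whose stored hashes are identical; visible without any cracking."""
    by_hash = defaultdict(list)
    for name, rec in store.items():
        by_hash[rec["hash"]].append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


# Constructed sample data: two accounts that happen to share a password.
SAMPLE_USERS = {"alice": "Winter2016!", "bob": "Winter2016!", "carol": "correct horse"}

if __name__ == "__main__":
    unsalted = build_store(SAMPLE_USERS, salted=False)
    salted = build_store(SAMPLE_USERS, salted=True)
    print("unsalted store, shared-password groups:", shared_password_groups(unsalted))
    print("salted store, shared-password groups:  ", shared_password_groups(salted))
```

The unsalted store exposes the alice/bob relationship directly; the salted store does not, and the iteration count adds a fixed per-guess cost on top. A reversible scheme such as the AES-CBC encryption mentioned above has a different property again: the stored values can be recovered by anyone holding the key, which is why the comment thread below asks where that key lives.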


 

 

Comments
Cisco Employee

WOW. Nice Job putting this together Jason.

-Krishnan

Contributor

How is the user database encrypted?

"ISE 1.2 has passwords encrypted using Block cipher mode (CBC) with the AES algorithm and then base64 encoded, before storing in the database. ISE 1.1 has the same thing except using the ECB mode. Data fields other than passwords are not considered sensitive and not encrypted. Please note that ISE admin users do not have direct accesses to the database in normal operations."

How is the key used to encrypt/decrypt the passwords stored/secured?

Cisco Employee

I am not sure I understand the question.

AES symmetric cipher using CBC mode to make it a block symmetric cipher. CBC is more secure than ECB. The combination AES +CBC is used to encrypt the passwords.

AES uses different key sizes. The result of this is further base64 encoded to convert binary to ASCII and stored in the db. I am just interpreting what is provided in the ISE security best practices site.

-Krishnan

Contributor

Thanks Krishnan.  In order to decrypt the content stored in the database ISE needs to maintain a key and the IV (I believe).  Where and how is the key (or keys) protected which ISE uses to decrypt the encrypted passwords?

Cisco Employee

Hi Doug/Chris,

Do we know how and where we store the keys for AES+CBC used to encrypt passwords in the db?

There is a question from the community.

I wanted to respond “in a safe place”…☺. Well, that is not the answer I am looking for. Please see the email below.

Thanks

Krishnan

Cisco Communities <https://communities.cisco.com/>

ISE Security Best Practices (Hardening)

new comment by George Bekmezian<https://communities.cisco.com/people/gbekmezi-DD>

View all comments on this document<https://communities.cisco.com/docs/DOC-69521#comment-28500>

Cisco Employee

Please open up a TAC case if you are looking for further details.

-Krishnan

Contributor

How about an updated one for ISE versions 2.1 and 2.2?

Community Member

We are looking for a more high level statement that we could provide to the customer.  A statement just stating we harden our OS in certain ways and don't open it up to customers to touch.  Also we address any issues on a per release basis.  Something like that.  Is there one and if not, who can we work with to write one up?

Beginner

Somewhat unrelated, but I've disabled everything except TLS 1.2 in my ISE 2.3 environment via GUI; however, I still show TLS 1.1 and sometimes TLS 1 support enabled via an nmap scan. Is there a way to verify this via CLI?

Cisco Employee

Please open a separate thread for this discussion

Cisco Employee

Your issue seems among those addressed in the upcoming ISE 2.4 so I would suggest you to join ISE 2.4 beta by going to cs.co/ise-beta to learn more.

Beginner

Can anyone point me to some guidance on how to restrict SSH access to the ISE nodes from a select number of trusted networks? Whilst the WebGUI can be configured to restrict access, I can't see a way to easily restrict SSH other than putting a firewall inline?

Cisco Employee

The IP restriction configuration in Web UI also imposes on SSH CLI access.

Contributor
Any chance the wording and information of this document can be updated for ISE 2.4/2.5, and kept updated in general for each major release? What was true years ago may have changed, and even if it hasn't changed much it would be nice to know it's still relevant. For example, the latest version in the document which refers to the ciphersuites in use is ISE 2.1. It's been a while since it came out and perhaps certain ciphers are considered less secure and have been removed since from later versions of ISE, or added since. Another example is "In ISE 1.5 we plan to use SHA-256 for hashing internal administrator passwords." There never was an ISE 1.5, which means this block of text hasn't been updated since ISE 1.4, which came out nearly four years ago. Perhaps a stronger method is now in place for hashing internal administrator passwords such as SHA-3.