This document covers information regarding the security, hardening and testing of Cisco ISE, including TLS and software versions, our testing processes, how the product is hardened, and more.
What ISE versions does this document support?
This document will focus on the currently supported releases of ISE. Please reference our EOS/EOL page for more information. To ensure proper support and coverage, customers/partners should be moving to our current recommended releases, ISE 2.4 and ISE 2.6.
As part of CSDL, ISE undergoes vulnerability testing. This involves both industry-standard testing tools and custom testing targeted at the product's functionality. Some of the industry-standard tools that are used:
When is testing completed?
Testing is completed on those releases where new features are released. Patch releases are not subjected to vulnerability testing because we do not introduce new features in patches; instead, patches fix reported PSIRTs.
ISE Hardening and Security Best Practices
Follow the same guidance as in the Cisco Prime Infrastructure Admin Guide wherever applicable. In summary, the underlying OS is based on Red Hat Linux, but access to the underlying OS is not provided. Only the required ports are open; the rest are closed through a firewall. Vulnerability testing is also performed. ISE follows the Cisco Secure Development Lifecycle (CSDL) process:
Cryptographic modules are FIPS approved. They undergo a self-test when initialized.
Cryptographic Acceleration Module
Certificate or Compliance Letter
Cisco Identity Services Engine (ISE) 2.6
Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.
Select “Certified Products” from the top tabs; this will bring you to the following page:
Select: “Download CSV”
In the xls spreadsheet you download, search for “Cisco Identity Services Engine”.
EAL (Evaluation Assurance Level) is an aspect of Common Criteria evaluation. Previously, EAL used to be categorized by numeric levels. The new EAL categorization is based on protection profiles. We are certifying against the Network Device Protection Profile version 1.1 (NDPP 1.1).
We don't have any existing special compliance effort planned towards the NERC standard.
Please reach out to Kevin Gagnon and Paul Forbes Bigbee on this request.
How is information encrypted in ISE for local Identity Storage?
The UNIX/Linux passwords for ISE CLI admin and oracle are SHA-256 hashed since ISE 1.3. Prior to ISE 1.3 we used MD5 for hashing CLI passwords.
Oracle DB users' passwords are stored in an Oracle wallet.
Since ISE 1.2, internal users' passwords are encrypted using AES in CBC block cipher mode and then base64-encoded. Since ISE 1.4, internal administrator passwords are hashed with SHA-256.
Only the ISE CLI admin users' passwords, in MD5 hash form, are viewable as part of the ISE CLI running-config. The other files are not normally accessible.
How is the user database encrypted?
ISE has ID stores for ISE internal (aka NA) users, admin users, and guest users, which are stored in Oracle DB tables rather than in user databases per se.
In ISE 1.2+, passwords are encrypted using AES in CBC block cipher mode and then base64-encoded before being stored in the database. Please note that ISE admin users do not have direct access to the database in normal operations.
Does ISE use a salt?
Taken from Wikipedia: “… In cryptography, a salt is random data that is used as an additional input to a one-way function that ‘hashes’ data, a password or passphrase. …”
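To make the salt question concrete for the SHA-256 hashed credentials described above, here is an added illustration (not Cisco's or ISE's code, and not a statement of how ISE stores anything) of what a per-user salt changes: the account names and passwords are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration (not Cisco/ISE code): what a per-user salt changes
# for SHA-256 hashed credentials. Storage format is a hypothetical
# "salthex$digest" string.


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: the same password always gives
    the same digest, so shared passwords are visible in the table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """SHA-256 over a random 16-byte salt plus the password. The salt
    is stored next to the digest so it can be reused for verification."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def duplicate_password_accounts(table: dict) -> set:
    """Accounts whose stored value equals another account's value.
    Unsalted: this reveals users sharing a password and lets one
    precomputed table attack every account. Salted: nothing is
    revealed, even when two users chose the same password."""
    seen, dupes = {}, set()
    for user, value in table.items():
        if value in seen:
            dupes.update({user, seen[value]})
        else:
            seen[value] = user
    return dupes


# Constructed sample accounts; alice and bob share a password.
ACCOUNTS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "Other#1"}
UNSALTED = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
SALTED = {u: hash_salted(p) for u, p in ACCOUNTS.items()}
```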