Contents

• Overview
• Software
• ISE Suggested Release
• What Cisco ISE versions are under EOS/EOL ?
• Hardening
• General
• Ports Used in ISE
• How Are Local User Identities Protected?
• Does ISE Use Salt on Passwords?
• Secure Development
• When is testing completed?
• Best Practices
• Supported Protocols Standards, RFCs, and IETF Drafts
• TLS Versions Support
• Password Policies
• Disclose Invalid Usernames
• Connection and Rate Limiting

Overview

This document covers information regarding security, hardening and testing of Identity Services Engine (ISE). Information included such as TLS & Software versions, our testing processes, how is it hardened, upgraded paths, password policies, best practices and plus much more. Version-specific capabilities will be identified where appropriate.

Software

ISE Suggested Release

For the current ISE Suggested Release based on the software quality, stability, and longevity,

See the Cisco Identity Services Engine (ISE) Software Downloads page (cs.co/ise-software) on software.cisco.com.

What Cisco ISE versions are under EOS/EOL ?

See the Cisco Identity Services Engine (ISE) End-of-Life and End-of-Sale Notices page (cs.co/ise-eol)  for all ISE-related announcements, dates, and more information.

Hardening

General

The ISE underlying OS is based on Redhat Linux but access to underlying OS is not provided. Only required ports open, and rest closed through a firewall.

There is no official hardening document, but we provide this as general guidance:

• Upgrade to latest patch levels in each release.
• Use of strong password policies for CLI, admin Web UI and Internal Users  (complexity, expiry, history, etc.).
• Differentiated access for admins, each with own account whether local or via external ID store.
• Create policies with least privileges for general access and provide highest privileges based on granular policies.
• Do not use superadmin account for daily maintenance.
• Restrict console access and admin web access by configuring the access restriction under Administration > System > Admin Access > Settings > Access > IP Access.
• Restrict syslogs sent to MnT from deployment nodes only for enhanced security under Administration > System > Admin Access > Settings > Access > MnT Access.
• Minimize the session Idle timeout for admin UI access.
• Disable SSH for higher security, or per above, update access restrictions for SSH access. Use higher SSH encryption algorithms, encryption modes for enhanced security.
• Update pre-and post-banner config for admin which is applicable for both UI & CLI.
• Implement connection limit settings via CLI to set max TCP connections and TCP/UDP/ICMP rates as per your environment scale.
• Configure ACLs that require ISE PSN access to specific ports (8443, 8905, etc, versus ip or tcp any any).
• Enable FIPS to enforce higher security algorithms.
• Review internal user accounts and disable those not in use.
• Limit access returned for health probe accounts used by access devices and load balancers.
• Deploy unique certs per node versus wildcard certs for higher security.
• Deploy firewalls and other security devices that restrict access to nodes to required operational ports.
• Use of offline updates for posture and agent files is more secure than live access which requires direct Internet access; firewalls and proxy as compensating controls.
• Use separate, dedicated interfaces for management and services.
• Enable scheduled backups during lesser load time or off-office hours for configuration and operational data at regular intervals.
• Secure store used for backup files, support bundles, log files, and associated encryption keys.
• Configure purging policies for your end devices inventory based on their inactivity, guest account types, registered devices..etc.
• Minimize the period of keeping local log files.
• Suppress Repeated Failed clients with recommended failure counts and also reject the RADIUS requests from clients with repeated failures to avoid processing load on authentication failed endpoints continuously. 
• Suppress Repeated successful authentications to save the operational audit reports.
• Enable “Detect high rate of RADIUS requests” to detect higher rate of RADIUS requests in your environment.

Ports Used in ISE

Refer to the Cisco ISE Installation Guides' (cs.co/ise-docs) ISE Ports Reference section for your version of ISE for all network ports, protocols, and any required Internet URLs.

How Are Local User Identities Protected?

ISE has different tables for local user management of:

• ISE Admin Users: to access ISE administrative web console.
• ISE Internal (Network Access) Users
• ISE Admin CLI Users

ISE Admin and Internal Users are stored in the Oracle database with below mechanisms for security. ISE CLI users are going to be stored in the Linxux OS and hashed for protection.

• ISE administrative command line interface user passwords are hashed with SHA-256, salted and stretched.
• ISE internal user passwords are encrypted using Cipher Block Chaining (CBC) with AES algorithm and PKCS-5 padding mechanisms.
• ISE administrative web admin passwords stored locally in ISE are hashed with SHA-256, salted and stretched.
• ISE stores passwords and passphrases in a database that is encrypted with Key Encryption Keys (KEKs) uniquely generated for each ISE deployment.

Does ISE Use Salt on Passwords?

ISE does not always use salt. The password of an internal admin users is using salt but not for the internal network access users.

Secure Development

ISE follows the Cisco Secure Development Lifecycle (CSDL) process and vulnerability testing is also performed. 

When is testing completed?

Cisco completes CSDL process testing and verification on all cisco ISE releases before making it available for customers. We fix reported PSIRTs in patches based on the severity and impact. Hotfixes may also be available  for some critical fixes via TAC before a patch is released.

Best Practices

Supported Protocols Standards, RFCs, and IETF Drafts

Cisco ISE conforms to various protocol standards, Requests for Comments (RFCs), and IETF drafts. See the ISE Compatibility Guides (cs.co/ise-compatibility) for your respective ISE version for a detailed support list.

TLS Versions Support

See the respective ISE Compatibility Guides (cs.co/ise-compatibility) for the specific TLS versions and cipher suites supported per version of the product. It is recommended that clients/servers negotiate to use a higher version of TLS for enhanced security. ISE has configurable options to disable specific TLS versions and ciphers.

Password Policies

Cisco Identity Services Engine provides configuration of password policies for ISE admin users (UI/CLI) and ISE internal users. Cisco ISE already provides default configuration for password policies which enhances your security. Refer to Administration > Settings > Admin > password policies for ISE admin users’ password policies, account disable policies and lock/suspend settings and Administration > Identity management > settings > User authentication settings for ISE internal user’s password policies and Account disable policies. 

Disclose Invalid Usernames

It is recommended to disable “Disclose invalid usernames” for enhanced security. By default Cisco ISE is disabled to show invalid usernames in case of authentication failures. You can enable this settings to show invalid usernames during debugging scenarios for certain duration or always.

Connection and Rate Limiting

ISE has two independent types of network limits:

• Connection Limits.
• Limit TCP connections. Can be configured via CLI.
• Rate Limits.
• Limit packet rate to average number of packets per second.
• Applied to TCP, UDP and ICMP.

Network Limit Notes:

• Enhances security by limiting connections from known addresses
• Mitigates DOS attacks by limiting connections and floods
• Remote addresses may be spoofed so beware
• Limits operate at the firewall (iptables) level
• Not traffic shaping
• No indication when limit reached