Contents
What is covered in this document?
This document covers information regarding security, hardening and testing of Identity Services Engine (ISE). Information included such as TLS & Software versions, our testing processes, how is it hardened, upgraded paths, password policies, best practices and plus much more.
What Cisco ISE versions does this document support?
This document focuses on the current and latest supported ISE release versions below.
For the current ISE Suggested Release based on the software quality, stability, and longevity, see https://cs.co/ise-software.
What Cisco ISE versions are under EOS/EOL ?
Please refer to our EOS/EOL page for more information.
ISE Hardening and Security Best Practices
Secure Development
ISE follows the Cisco Secure Development Lifecycle (CSDL) process [CSDL Whitepaper]. Vulnerability testing is also performed.
General
Follow the same as in the Cisco Prime Infrastructure Admin Guide wherever applicable. In summary, the underlying OS is based on Redhat Linux but access to underlying OS is not provided. Only required ports open, and rest closed through a firewall.
There is no official hardening document, but we provide this as general guidance:
- Upgrade to latest patch levels in each release.
- Use of strong password policies for CLI, admin Web UI and Internal Users (complexity, expiry, history, etc.).
- Differentiated access for admins, each with own account whether local or via external ID store.
- Create policies with least privileges for general access and provide highest privileges based on granular policies.
- Do not use superadmin account for daily maintenance.
- Restrict console access and admin web access by configuring the access restriction under Administration > System > Admin Access > Settings > Access > IP Access.
- Restrict syslogs sent to MnT from deployment nodes only for enhanced security under Administration > System > Admin Access > Settings > Access > MnT Access.
- Minimize the session Idle timeout for admin UI access.
- Disable SSH for higher security, or per above, update access restrictions for SSH access. Use higher SSH encryption algorithms, encryption modes for enhanced security.
- Update pre-and post-banner config for admin which is applicable for both UI & CLI.
- Implement connection limit settings via CLI to set max TCP connections and TCP/UDP/ICMP rates as per your environment scale.
- Configure ACLs that require ISE PSN access to specific ports (8443, 8905, etc, versus ip or tcp any any).
- Enable FIPS to enforce higher security algorithms.
- Review internal user accounts and disable those not in use.
- Limit access returned for health probe accounts used by access devices and load balancers.
- Deploy unique certs per node versus wildcard certs for higher security.
- Deploy firewalls and other security devices that restrict access to nodes to required operational ports.
- Use of offline updates for posture and agent files is more secure than live access which requires direct Internet access; firewalls and proxy as compensating controls.
- Use separate, dedicated interfaces for management and services.
- Enable scheduled backups during lesser load time or off-office hours for configuration and operational data at regular intervals.
- Secure store used for backup files, support bundles, log files, and associated encryption keys.
- Configure purging policies for your end devices inventory based on their inactivity, guest account types, registered devices..etc.
- Minimize the period of keeping local log files.
- Suppress Repeated Failed clients with recommended failure counts and also reject the RADIUS requests from clients with repeated failures to avoid processing load on authentication failed endpoints continuously.
- Suppress Repeated successful authentications to save the operational audit reports.
- Enable “Detect high rate of RADIUS requests” to detect higher rate of RADIUS requests in your environment.
Password Policies
Cisco Identity Services Engine provides configuration of password policies for ISE admin users (UI/CLI) and ISE internal users. Cisco ISE already provides default configuration for password policies which enhances your security. Refer to Administration > Settings > Admin > password policies for ISE admin users’ password policies, account disable policies and lock/suspend settings and Administration > Identity management > settings > User authentication settings for ISE internal user’s password policies and Account disable policies.
Disclose Invalid Usernames
It is recommended to disable “Disclose invalid usernames” for enhanced security. By default Cisco ISE is disabled to show invalid usernames in case of authentication failures. You can enable this settings to show invalid usernames during debugging scenarios for certain duration or always.
Connection and Rate Limiting
ISE has two independent types of network limits:
- Connection Limits.
- Limit TCP connections. Can be configured via CLI.
- Rate Limits.
- Limit packet rate to average number of packets per second.
- Applied to TCP, UDP and ICMP.
Network Limit Notes:
- Enhances security by limiting connections from known addresses
- Mitigates DOS attacks by limiting connections and floods
- Remote addresses may be spoofed so beware
- Limits operate at the firewall (iptables) level
- Not traffic shaping
- No indication when limit reached
Public Key Infrastructure (PKI) and TLS versions support.
It is recommended that clients/servers negotiate to use a higher version of TLS for enhanced security. Please see the respective ISE Compatibility Guides for the specific TLS versions and cipher suites supported per version of the product.
How is information encrypted in ISE for local Identity Storage?
ISE has below local user management in place.
- ISE Admin users, to access ISE administrative web console.
- ISE Internal (aka. Network Access) users
- ISE Admin CLI users
ISE admin and Internal Users stored in the Oracle database with below mechanisms for security. ISE CLI users are going to be stored in ADE-OS and is hashed for protection.
- ISE administrative command line interface user passwords are hashed with SHA-256, salted and stretched.
- ISE internal user passwords are encrypted using Cipher Block Chaining (CBC) with AES algorithm and PKCS-5 padding mechanisms.
- ISE administrative web admin passwords stored locally in ISE are hashed with SHA-256, salted and stretched.
- ISE stores passwords and passphrases in a database that is encrypted with Key Encryption Keys (KEKs) uniquely generated for each ISE deployment.
Does ISE use SALT?
ISE does not always use salt. The password of an internal admin users is using salt but not for the internal network access users.
Upgrade Paths
You can upgrade to latest Cisco Identity Services Engine from your current Cisco ISE release versions. Here are the Paths available for you to upgrade to latest Cisco ISE release.
|
Version
|
Upgrade from
|
|
ISE 2.6
|
ISE 2.1, 2.2, 2.3 or 2.4 Releases
|
|
ISE 2.7
|
ISE 2.2, 2.3, 2.4 or 2.6 Releases
|
|
ISE 3.0
|
ISE 2.4, 2.6, or 2.7 Releases
|
Refer to below upgrade guides for each release when you are upgrading to specific ISE versions.
Vulnerability Testing
As part of CSDL, ISE undergoes vulnerability testing. This involves both industry standard testing tools and custom testing targeted at the product functionality. Refer to vulnerability testing process as part of CSDL.
When is testing completed?
Cisco completes CSDL process testing and verification on all cisco ISE releases before making it available for customers. However, Patch releases doesn’t go through CSDL process as we do not introduce new features in patches. Instead we fix reported PSIRTs in patches as per the severity and impact.
Supported Protocols Standards, RFCs, and IETF Drafts
Cisco ISE conforms to the protocol standards, Requests for Comments (RFCs), and IETF drafts.
Ports Used in ISE
The Cisco ISE Ports Reference for each version of ISE, details all of the network ports and their purpose & usage. Refer to below table for the ports reference for each release.
