on 10-30-2020 02:02 AM - edited on 04-02-2023 12:03 PM by thomas
This document covers security, hardening and testing of Identity Services Engine (ISE). It includes information such as supported TLS and software versions, our testing processes, how the product is hardened, upgrade paths, password policies, best practices and more.
This document focuses on the current and latest supported ISE release versions below.
For the current ISE Suggested Release based on the software quality, stability, and longevity, see https://cs.co/ise-software.
Please refer to our EOS/EOL page for more information.
ISE follows the Cisco Secure Development Lifecycle (CSDL) process [CSDL Whitepaper]. Vulnerability testing is also performed.
Follow the same guidance as in the Cisco Prime Infrastructure Admin Guide wherever applicable. In summary, the underlying OS is based on Red Hat Linux, but access to the underlying OS is not provided. Only the required ports are open; the rest are closed through a firewall.
There is no official hardening document, but we provide this as general guidance:
Cisco Identity Services Engine provides configurable password policies for ISE admin users (UI/CLI) and ISE internal users. Cisco ISE ships with default password policies that already enhance your security. Refer to Administration > Settings > Admin > Password Policies for ISE admin users' password policies, account disable policies and lock/suspend settings, and to Administration > Identity Management > Settings > User Authentication Settings for ISE internal users' password policies and account disable policies.
It is recommended to leave "Disclose invalid usernames" disabled for enhanced security. By default, Cisco ISE does not reveal invalid usernames on authentication failure. You can enable this setting to show invalid usernames during debugging, either for a set duration or permanently.
ISE has two independent types of network limits:
Network Limit Notes:
It is recommended that clients and servers negotiate a higher version of TLS for enhanced security. Please see the respective ISE Compatibility Guides for the specific TLS versions and cipher suites supported per version of the product.
Version | Compatibility Guide
ISE 2.6 |
ISE 2.7 |
ISE 3.0 |
ISE has the following user management in place.
ISE admin and internal users are stored in the Oracle database with the security mechanisms below. ISE CLI users are stored in ADE-OS, and their passwords are hashed for protection.
ISE does not always use a salt: the passwords of internal admin users are salted, but the passwords of internal network access users are not.
You can upgrade to the latest Cisco Identity Services Engine from your current Cisco ISE release. The following paths are available for upgrading to the latest Cisco ISE release.
Version | Upgrade from
ISE 2.6 | ISE 2.1, 2.2, 2.3 or 2.4 releases
ISE 2.7 | ISE 2.2, 2.3, 2.4 or 2.6 releases
ISE 3.0 | ISE 2.4, 2.6 or 2.7 releases
Refer to the upgrade guide for each release below when upgrading to a specific ISE version.
Version | Upgrade Guides
ISE 2.6 |
ISE 2.7 |
ISE 3.0 |
As part of CSDL, ISE undergoes vulnerability testing. This involves both industry-standard testing tools and custom testing targeted at the product's functionality. Refer to the vulnerability testing process that is part of CSDL.
Cisco completes CSDL process testing and verification on all Cisco ISE releases before making them available to customers. Patch releases, however, do not go through the CSDL process, as we do not introduce new features in patches. Instead, we fix reported PSIRTs in patches according to their severity and impact.
Cisco ISE conforms to the protocol standards, Requests for Comments (RFCs), and IETF drafts.
The Cisco ISE Ports Reference for each version of ISE details all of the network ports and their purpose and usage. Refer to the table below for the ports reference for each release.
Version | Reference Link
ISE 2.6 |
ISE 2.7 |
ISE 3.0 |
Hi all,
Thanks for the document.
As for DISA, I couldn't find ISE in the latest certified products. ISE 2.0 and Identity Service Engine got archived back in 2017.
Any idea if the new ISE versions will be added to the current certified products?