pavagupt
Cisco Employee
Introduction

About this guide

This guide provides technical guidance for designing, configuring and operating the Threat Centric NAC (TC-NAC) service in Cisco Identity Services Engine (ISE), with best-practice configuration for a typical environment.

About Cisco Identity Services Engine (ISE)

Cisco Identity Services Engine (ISE) is a market-leading, identity-based network access control and policy enforcement system. It is a common policy engine for controlling endpoint access and network device administration across the enterprise, letting an administrator centrally control access policies for wired, wireless, VPN and 5G endpoints.
Cisco ISE is aligned with Cisco Zero Trust, a comprehensive approach to securing access across users, devices, applications and environments. Cisco Zero Trust comprises three solutions: Workforce, Workplace and Workloads. Workforce provides the right level of access to users and devices reaching your protected applications; Workplace gives the right privileges to users and devices connecting to the network over wired, wireless, VPN and/or 5G; Workloads applies policy and audit to secure your on-premises or cloud applications. Cisco ISE belongs to the Workplace pillar: users and devices receive the right privileges when they connect to the network. ISE builds context about each endpoint: user and group (who), device type (what), access time (when), access location (where), access type, wired, wireless or VPN (how), and the threats and vulnerabilities associated with it. By sharing that context with technology-partner integrations and enforcing Cisco Scalable Group Policy for software-defined segmentation, ISE turns the network from a simple conduit for data into a security enforcer that shortens time to detection and time to resolution of network threats.
 

Solution Overview

Cisco ISE provides an intent-based policy and compliance solution on top of AAA. It can be integrated with the following Threat Centric NAC vendors

  • Cisco Secure Endpoint (formerly AMP for Endpoints)
  • Qualys
  • Rapid7 Nexpose
  • Tenable

to assess the vulnerabilities and/or threats of an endpoint connecting to your network and grant access according to the policies you define. As a security administrator, you can check an endpoint's compliance and continuously re-verify its trust, based on the threats and vulnerabilities associated with it, so that it receives the proper network privileges every time it connects.

 

Cisco Secure Endpoint (Formerly AMP)

Cisco Secure Endpoint integrates prevention, detection, threat hunting and response capabilities in a unified solution that leverages cloud-based analytics. It protects Windows, Mac, Linux, Android and iOS devices through a public or private cloud deployment.

Cisco Secure Endpoint is a single-agent solution providing protection, detection, response and user-access coverage against threats to your endpoints. The SecureX platform and Extended Detection and Response (XDR) capabilities are built in, and Cisco Secure MDR for Endpoint combines those capabilities with security-operations expertise to reduce the mean time to detect and respond to threats.

When Cisco Secure Endpoint is integrated with Cisco ISE, the two share threat and malware information about an endpoint so that ISE can authorize the endpoint according to the threat's Course of Action. This integration does not use Cisco Platform Exchange Grid (pxGrid); it uses Structured Threat Information Expression (STIX), an exchange language for cyber threat intelligence that gives organizations a common framework for sharing threat information and adapting faster to computer-based attacks. Threat Centric NAC with Cisco Secure Endpoint in the cloud also falls into the Rapid Threat Containment category: Cisco security solutions and CSTA ecosystem partner solutions in this category respond to or contain threats with Adaptive Network Control (ANC) mitigation actions issued over pxGrid, the ISE EPS RESTful API or STIX. With Cisco Secure Endpoint performing the threat detection and malware analysis, the ISE STIX integration provides visibility into compromised hosts and exposes the manual ANC mitigation and Change of Authorization (CoA) actions that the security administrator can take in line with the organization's security policy.

Tenable

Tenable Security Center (Tenable SC), with its Nessus scanners, scans the endpoint for vulnerabilities and returns the endpoint's CVSS score to Cisco ISE. As an administrator, you write ISE policies on the CVSS base or temporal score returned by Tenable SC so that endpoints receive differentiated privileges. For example, an authorization policy can deny access to endpoints whose CVSS score is greater than 8. You can also continuously re-validate the threats and vulnerabilities associated with an endpoint through the Tenable SC integration via the TC-NAC service.

Qualys

Qualys lets organizations assess and detect the security posture and vulnerabilities of endpoints and devices. When Cisco ISE and Qualys are integrated, Qualys shares the vulnerabilities found on an endpoint so that ISE can grant differentiated privileges to endpoints connecting to the network based on the CVSS base/temporal score.

Nexpose

The Rapid7 Nexpose scanner helps organizations scan endpoints and assess the risk and vulnerabilities associated with them. When Cisco ISE and Rapid7 are integrated, Rapid7 shares the vulnerabilities found on an endpoint so that ISE can grant differentiated privileges to endpoints connecting to the network based on the CVSS score (the Rapid7 Nexpose attribute in the ISE Threat dictionary carries the CVSS base score; see the table under Policy Architecture and Components).

So, at a high level, the Cisco ISE Threat Centric NAC service can provide differentiated privileges to endpoints based on

  • Threats/malware shared by Cisco Secure Endpoint
  • Vulnerabilities (CVSS base/temporal score) shared by Tenable, Qualys or Rapid7 Nexpose.

 

Policy Architecture and Components

 

pavagupt_0-1722614529560.png

The Cisco ISE Threat Centric NAC service dynamically provides differentiated privileges to endpoints based on threat or vulnerability information.

_____________________________________________________________________________________________________

Threat information associated with the endpoint, shared by Cisco Secure Endpoint

Cisco Secure Endpoint detects threats and shares the threat impact level (severity) together with the corresponding Course of Action, so that ISE policies can be written on the Course of Action and a CoA is raised dynamically whenever the endpoint's threat severity or Course of Action changes. Cisco Secure Endpoint shares the following attributes with Cisco ISE:

  1. Threat Type
  2. Threat Severity – Unknown, Insignificant, Distracting, Painful, Damaging or Catastrophic
  3. Threat Course of Action – Internal Blocking, Monitoring or Eradication
  4. Confidence level – High, Medium or Low
  5. Threat detected timestamp

 _____________________________________________________________________________________________________

Vulnerability information associated with the endpoint, shared by Tenable, Qualys or Rapid7 Nexpose

Tenable, Qualys or Rapid7 Nexpose scans the endpoint and reports its vulnerabilities as a vulnerability ID, vulnerability title, CVSS base score, CVSS temporal score, CVE IDs and reported timestamp, so that ISE policies can be written on the CVSS base/temporal score and a CoA is raised dynamically whenever the endpoint's vulnerability information changes. The following information is shared by Tenable, Qualys or Rapid7 Nexpose:

  1. Vulnerability ID – the ID managed by Tenable, Qualys or Rapid7 Nexpose
  2. Vulnerability Title
  3. CVSS Base Score
  4. CVSS Temporal Score
  5. CVE IDs
  6. Reported Timestamp

_____________________________________________________________________________________________________

The table below summarizes what each Threat Centric NAC vendor shares and how it appears in ISE. All of these attributes live in the ISE Threat dictionary; the CVSS attributes take values from 0 to 10.

Vendor | Information shared | ISE Dictionary | Dictionary Attribute Name | Attribute Values
Cisco Secure Endpoint | Threat Type, Threat Severity, Course of Action, Confidence, Reported Timestamp | Threat | CTA-Course_Of_Action | Eradication, Internal Blocking, Monitoring
Qualys Enterprise | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVSS Temporal Score, CVE IDs, Reported Timestamp | Threat | Qualys-CVSS_Base_Score; Qualys-CVSS_Temporal_Score | 0-10
Tenable Security Center | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVSS Temporal Score, CVE IDs, Reported Timestamp | Threat | Tenable Security Center-CVSS_Base_Score; Tenable Security Center-CVSS_Temporal_Score | 0-10
Rapid7 Nexpose | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVE IDs, Reported Timestamp | Threat | Rapid7 Nexpose-CVSS_Base_Score | 0-10

Note that the Rapid7 Nexpose integration exposes only a base-score attribute, so policies written for Nexpose cannot use a temporal score.

 

Based on how ISE works with these threat and vulnerability management systems, the next two sections explain in detail how Cisco ISE works with Cisco Secure Endpoint and with Tenable SC, Qualys or Rapid7 Nexpose.

Cisco ISE + Cisco Secure Endpoint Integration Architecture

pavagupt_0-1722614799521.png

When Cisco ISE is integrated with Cisco Secure Endpoint, the Secure Endpoint module installed on the endpoint (standalone or as part of Cisco Secure Client) scans or automatically detects threats on the endpoint and shares them with Cisco ISE, specifically with the PSN running the Threat Centric NAC service. ISE updates the endpoint record with the latest information from Secure Endpoint and issues a CoA so the session receives differentiated privileges according to the policies you have written.

 

Cisco ISE Standalone and Cisco Secure Endpoint Integration Flow

The flow below explains, at a high level, how this works with a standalone Cisco ISE node.

pavagupt_1-1722614878271.png
  1. The endpoint connects over wired, wireless or VPN and authenticates against ISE.
  2. ISE grants full or corporate access according to the regular policies (no threat information exists yet).
  3. The Cisco Secure Endpoint agent module (standalone or deployed with Cisco Secure Client) scans the endpoint or automatically detects malware or another threat on it.
  4. The Secure Endpoint agent notifies the Cisco Secure Endpoint Cloud.
  5. The Cisco Secure Endpoint Cloud updates ISE with the threat information.
  6. ISE updates the endpoint record with the shared threat information.
  7. ISE issues a CoA to quarantine the endpoint or apply other privileges, according to the policies written on the threat's Course of Action.

Cisco ISE Distributed Deployment and Cisco Secure Endpoint Integration Flow

pavagupt_2-1722614950229.png

Once Cisco ISE and Cisco Secure Endpoint are integrated, the flow below explains how ISE can give differentiated privileges based on the threat information Secure Endpoint reports.

  1. The endpoint connects over WiFi, wired, VPN or 5G and authenticates against a PSN in the deployment.
  2. The PSN sends the endpoint information to MnT and the PAN.
  3. The TC-NAC adaptor instance enabled on the PSN obtains the endpoint session information from MnT.
  4. When the endpoint tries to download a malicious file, service or application, the Cisco Secure Endpoint agent module (standalone or integrated with Cisco Secure Client) detects the threat and updates the Cisco Secure Endpoint Cloud.
  5. Because ISE is already integrated with the Cisco Secure Endpoint Cloud, ISE receives that threat information from the cloud.
  6. The PSN running the TC-NAC adaptor instance writes the threat information to the endpoint record on the PAN.
  7. The PAN replicates the updated endpoint record to the rest of the nodes.
  8. Once the threat information is on the endpoint record, the PSN that authenticated the endpoint issues a CoA so the session is re-evaluated against the policies written on the threat's Course of Action.

Policies         

Example Policies1:

pavagupt_3-1722615003343.png

Example Policies2:

pavagupt_4-1722615024955.png

It is recommended to write threat-based policies under Global or Local Exceptions. Exception policies grant differentiated privileges irrespective of how the policy sets are constructed. Write the conditions with the Threat dictionary: Example Policies 1 above grants differentiated privileges by threat severity, while Example Policies 2 applies a single restricted, deny or quarantine result for any threat severity.

 
 

Visibility/Monitoring/Reporting

Reports

When an endpoint attempts to download a malicious file, the Cisco Secure Endpoint agent module automatically detects the threat incident and reports it to the Cisco Secure Endpoint Cloud. Cisco ISE receives these details through the TC-NAC integration. You can see the events under Operations > Reports > Reports > Threat Centric NAC > Threat Events.
pavagupt_5-1722615114282.png
 

Context Visibility> Compromised Endpoints

Cisco ISE, through the Threat Centric NAC integration with Cisco Secure Endpoint, receives these details and updates the endpoint record. Once updated, the threats associated with the endpoint appear in the Context Visibility > Compromised Endpoints dashboard, as shown below.
pavagupt_8-1722615187401.png

You can also click an endpoint MAC address in Context Visibility > Threats to see the threat incidents reported by Cisco Secure Endpoint, as shown below.

pavagupt_9-1722615234078.png

NOTE: Depending on the threat incident, the Course of Action may not be populated. If Cisco Secure Endpoint reports a null Course of Action, Cisco ISE cannot enforce the threat policies, because they are written on the Course of Action attribute; such endpoints keep whatever access their regular policy-set match grants, so review them in the Compromised Endpoints view rather than relying on an automatic CoA.

 

pavagupt_6-1722615717176.png

 

 

Cisco ISE + Tenable SC/Qualys/Rapid7-Nessus Integration Architecture

pavagupt_0-1722615429826.png

When Cisco ISE is integrated with a vulnerability management system such as Tenable SC, Qualys or Rapid7, ISE can submit a request to that system to scan an endpoint. Tenable SC, Qualys or Rapid7 scans the endpoint with its Nessus scanner, Qualys on-prem scanner or Nexpose scanner respectively. Once the scan completes, ISE queries the management system and retrieves the vulnerability information produced by that scan request. Once the vulnerability information is written to the endpoint record, ISE issues a CoA to grant differentiated privileges according to the policies you have written.

Cisco ISE Standalone and Tenable SC/Qualys/Rapid7 Integration Flow

The flow below explains, at a high level, how this works with a standalone Cisco ISE node.

pavagupt_2-1722615552462.png

 

  1. The endpoint connects over WiFi, wired, VPN or 5G and authenticates against ISE.
  2. ISE submits a scan request to the relevant Threat Centric NAC vendor: when the matched authorization policy references an authorization profile with a TC-NAC adaptor instance (Tenable, Qualys or Rapid7) attached, that adaptor instance asks Tenable SC, Qualys or Rapid7 to scan the endpoint. An example authorization profile tied to Tenable SC is shown below.
    pavagupt_3-1722615585319.png

     

  3. The Tenable SC, Qualys or Rapid7 management center submits the request to its Nessus, Qualys on-prem or Nexpose scanner.
  4. The scanner scans the endpoint according to its scan policy.
  5. Once the scan completes, the result is posted back to the management center.
  6. Cisco ISE periodically queries Tenable SC, Qualys or Rapid7 for the endpoints whose scans are complete or still in progress and retrieves the vulnerability information wherever a result is available.
  7. Once the vulnerability information is written to the endpoint record, ISE issues a CoA so the session is re-evaluated against the policies written on the CVSS base/temporal score.

Cisco ISE Distributed Deployment  and Tenable SC/Qualys/Rapid7 Integration Flow

The flow below explains how this works in a Cisco ISE distributed deployment, which can give differentiated privileges based on the vulnerability information updated by the respective vulnerability management system.

pavagupt_5-1722615673775.png

  1. The endpoint connects over WiFi, wired, VPN or 5G and authenticates against a PSN in the deployment.
  2. The PSN sends the endpoint information to MnT and the PAN.
  3. The TC-NAC adaptor instance enabled on the PSN obtains the endpoint session information from MnT.
  4. When the matched authorization policy references an authorization profile with a TC-NAC adaptor instance (Tenable, Qualys or Rapid7) attached, that adaptor instance asks Tenable SC, Qualys or Rapid7 to scan the endpoint.
    pavagupt_7-1722615737647.png

     

  5. The Tenable SC, Qualys or Rapid7 management center submits the request to its Nessus, Qualys on-prem or Nexpose scanner.
  6. The scanner scans the endpoint according to its scan policy.
  7. Once the scan completes, the result is posted back to the management center.
  8. Cisco ISE periodically queries Tenable SC, Qualys or Rapid7 for the endpoints whose scans are complete or still in progress and retrieves the vulnerability information wherever a result is available.
  9. The PSN running the TC-NAC adaptor instance writes the vulnerability information to the endpoint record on the primary PAN.
  10. The primary PAN replicates the updated endpoint record to the rest of the nodes.
  11. Once the vulnerability information is on the endpoint record, the PSN that authenticated the endpoint issues a CoA so the session is re-evaluated against the policies written on the CVSS base/temporal score.

Case Studies

Case 1: Cisco ISE has no vulnerability information about the connecting endpoint

pavagupt_8-1722615776817.png

 

Following Zero Trust principles, when an endpoint connects to the network Cisco ISE can grant differentiated privileges based on the vulnerabilities assessed by the vulnerability management system. A newly connected endpoint, however, usually has no vulnerability information (CVSS base/temporal score) in ISE yet. In that case ISE can ask Tenable SC, Qualys or Rapid7 to scan the connected endpoint; the request goes through the Threat Centric NAC adaptor referenced in the authorization profile. Once the scan completes, ISE retrieves the vulnerability information from Tenable SC, Qualys or Rapid7 and issues a CoA to grant differentiated privileges according to policy. Until that result arrives the endpoint keeps the access granted at initial authorization, so size that initial result accordingly.

 

Case 2: Cisco ISE already has vulnerability information

pavagupt_9-1722615809167.png

When Cisco ISE already holds vulnerability information (CVSS base/temporal score) retrieved earlier from Tenable SC, Qualys or Rapid7 for a connecting endpoint, it grants differentiated privileges immediately according to the policies you have written.

Case 3: The vulnerability information in Cisco ISE is older than the configured X hours

Cisco ISE keeps the vulnerability information retrieved from Tenable SC, Qualys or Rapid7 for each endpoint in its database. If the stored information is older than X hours, ISE can request fresh scan results; you configure X with the "Trigger scan if the time since last scan is greater than" attribute in the authorization profile. In the example authorization profile below, ISE submits a new scan request to Tenable SC whenever the results it holds are more than 48 hours old.
pavagupt_11-1722615892187.png

Case 4: Reassess vulnerability information periodically

Cisco ISE can also reassess vulnerability information periodically by submitting a new scan request to the vulnerability management system every X hours. In the example below, ISE submits a new scan request every 48 hours to retrieve the latest vulnerability information.
pavagupt_12-1722615920015.png
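The following is an added example, not Cisco ISE code, that works through cases 1 to 4 above in code: a connect-time decision using the "Trigger scan if the time since last scan is greater than" threshold, a periodic reassessment check, and a tracker that produces the three queue counts (queued for scan, scan in progress, queued for checking scan results) that the adaptor status page shows under Visibility/Monitoring/Reporting. The function and class names, the 48-hour settings, and all timestamps and MAC addresses are constructed for the example and are not taken from the page.

```python
# Added example (not Cisco ISE code): scan-request decisions for cases 1-4
# and a tracker for the three queues the TC-NAC adaptor reports.
# Names, 48h settings, timestamps and MAC addresses are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class ScanState(Enum):
    QUEUED_FOR_SCAN = "queued for scan"
    IN_PROGRESS = "scan in progress"
    QUEUED_FOR_RESULTS = "queued for checking scan results"
    COMPLETE = "complete"


@dataclass(frozen=True)
class ScanSettings:
    # "Trigger scan if the time since last scan is greater than" (authorization profile)
    trigger_if_older_than: timedelta
    # periodic reassessment interval (case 4); None disables it
    reassess_every: Optional[timedelta] = None


@dataclass
class VulnRecord:
    """What ISE holds for an endpoint once a scan result has been retrieved."""
    last_scan_at: datetime
    cvss_base: float


def should_scan_on_connect(record: Optional[VulnRecord], settings: ScanSettings,
                           now: datetime) -> Tuple[bool, str]:
    """Decide at authentication time whether to submit a scan request."""
    if record is None:
        return True, "case 1: no vulnerability information for this endpoint"
    age = now - record.last_scan_at
    if age > settings.trigger_if_older_than:
        return True, f"case 3: last result is {age.total_seconds() / 3600:.0f}h old"
    return False, "case 2: authorize on the cached CVSS score"


def reassessment_due(record: VulnRecord, settings: ScanSettings, now: datetime) -> bool:
    """Case 4: periodic re-scan, independent of new connections."""
    if settings.reassess_every is None:
        return False
    return now - record.last_scan_at >= settings.reassess_every


class ScanTracker:
    """Per-endpoint scan state keyed by MAC; counts() yields the three figures
    the adaptor status page shows. Completed endpoints drop out of the counts."""

    def __init__(self) -> None:
        self._state: Dict[str, ScanState] = {}

    def submit(self, mac: str) -> None:
        self._state[mac] = ScanState.QUEUED_FOR_SCAN

    def started(self, mac: str) -> None:
        self._state[mac] = ScanState.IN_PROGRESS

    def scanned(self, mac: str) -> None:
        # Scanner finished; ISE still has to poll the management center for the result.
        self._state[mac] = ScanState.QUEUED_FOR_RESULTS

    def retrieved(self, mac: str) -> None:
        self._state[mac] = ScanState.COMPLETE

    def counts(self) -> Dict[str, int]:
        out = {s.value: 0 for s in ScanState if s is not ScanState.COMPLETE}
        for state in self._state.values():
            if state is not ScanState.COMPLETE:
                out[state.value] += 1
        return out


def run_demo() -> Dict[str, object]:
    """Constructed walk-through with a 48h threshold and 48h reassessment."""
    now = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)
    settings = ScanSettings(trigger_if_older_than=timedelta(hours=48),
                            reassess_every=timedelta(hours=48))
    fresh = VulnRecord(last_scan_at=now - timedelta(hours=10), cvss_base=5.3)
    stale = VulnRecord(last_scan_at=now - timedelta(hours=50), cvss_base=5.3)
    tracker = ScanTracker()
    tracker.submit("00:11:22:33:44:55")
    tracker.submit("00:11:22:33:44:66"); tracker.started("00:11:22:33:44:66")
    tracker.submit("00:11:22:33:44:77"); tracker.started("00:11:22:33:44:77")
    tracker.scanned("00:11:22:33:44:77")
    return {
        "new_endpoint": should_scan_on_connect(None, settings, now),
        "fresh_endpoint": should_scan_on_connect(fresh, settings, now),
        "stale_endpoint": should_scan_on_connect(stale, settings, now),
        "fresh_reassess_due": reassessment_due(fresh, settings, now),
        "stale_reassess_due": reassessment_due(stale, settings, now),
        "queues": tracker.counts(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The connect-time threshold and the periodic interval are independent knobs: a short trigger threshold keeps stale results from authorizing returning endpoints, while the reassessment interval catches endpoints that stay connected and never re-authenticate.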

Policies

The example policies below are written on the Tenable CVSS base score; similar policies can be written on the Tenable CVSS temporal score or on the Qualys/Rapid7 CVSS scores. The vulnerability severity bands defined by the CVSS standard are shown below (for CVSS v3.x: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), and you can write policies that grant differentiated privileges per severity band.
pavagupt_13-1722615970697.png

It is recommended to write vulnerability-based policies under Global Exceptions. Global exception policies grant differentiated privileges irrespective of how the policy sets are constructed: whichever policy set an endpoint would normally match, a global exception matches first as soon as the endpoint is found to be vulnerable. Write the conditions with the Threat dictionary and grant privileges by CVSS base or temporal score, as shown below. Order the rules with the most severe band first, because the rule list is evaluated top-down and the first match wins.

pavagupt_14-1722615989846.png
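The following is an added example, not Cisco ISE code, that models the exception-rule evaluation described for the threat policies (Example Policies 1 and 2 in the Secure Endpoint section) and for the CVSS policies above: a first-match rule list over Threat dictionary attributes, using the dictionary and attribute names from the table under Policy Architecture and Components. It goes slightly beyond the page by taking the highest base score reported by any of the three vulnerability adaptors, by treating a null Course of Action as matching nothing (the NOTE in the Secure Endpoint section), and by deciding whether a context update changes the outcome and therefore needs a CoA. The profile names (Quarantine, Restricted, DenyAccess, PermitAccess), the rule names and the sample contexts are hypothetical.

```python
# Added example (not Cisco ISE code): first-match evaluation of exception
# rules written on the Threat dictionary. Attribute keys follow the table on
# this page; profile names, rule names and sample contexts are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]  # session attributes, "Dictionary.Attribute" -> value

# CVSS base-score attributes the three vulnerability adaptors populate (from the table).
CVSS_BASE_ATTRS = (
    "Threat.Tenable Security Center-CVSS_Base_Score",
    "Threat.Qualys-CVSS_Base_Score",
    "Threat.Rapid7 Nexpose-CVSS_Base_Score",
)


def max_cvss_base(ctx: Context) -> Optional[float]:
    """Highest CVSS base score any adaptor reported, or None when the endpoint
    has no vulnerability information yet (case 1 above)."""
    scores: List[float] = []
    for key in CVSS_BASE_ATTRS:
        value = ctx.get(key)
        if value in (None, ""):
            continue
        try:
            scores.append(float(value))
        except (TypeError, ValueError):
            continue  # malformed value: treat as absent, never as 0
    return max(scores) if scores else None


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def course_of_action_is(expected: str) -> Callable[[Context], bool]:
    # A null Course of Action (see the NOTE in the Secure Endpoint section) matches nothing.
    return lambda ctx: ctx.get("Threat.CTA-Course_Of_Action") == expected


def cvss_base_above(threshold: float, inclusive: bool = False) -> Callable[[Context], bool]:
    def check(ctx: Context) -> bool:
        score = max_cvss_base(ctx)
        if score is None:
            return False
        return score >= threshold if inclusive else score > threshold
    return check


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    condition: Callable[[Context], bool]
    profile: str


# Global exceptions, top to bottom, most severe first. Threat rules precede
# vulnerability rules so an active infection outranks a CVSS score.
GLOBAL_EXCEPTIONS = (
    ExceptionRule("Threat_Eradication", course_of_action_is("Eradication"), "Quarantine"),
    ExceptionRule("Threat_Internal_Blocking", course_of_action_is("Internal Blocking"), "Restricted"),
    ExceptionRule("Vuln_CVSS_gt_8", cvss_base_above(8.0), "DenyAccess"),  # the page's "> 8 deny" example
    ExceptionRule("Vuln_CVSS_High", cvss_base_above(7.0, inclusive=True), "Restricted"),
)


def evaluate(ctx: Context, default_profile: str = "PermitAccess") -> Tuple[str, str]:
    """Return (matched rule name, authorization profile). First match wins, as in
    an ISE exception rule list; no match falls through to the regular policy set."""
    for rule in GLOBAL_EXCEPTIONS:
        if rule.condition(ctx):
            return rule.name, rule.profile
    return "PolicySet_Default", default_profile


def coa_required(before: Context, after: Context) -> bool:
    """A CoA is only worth issuing when the updated threat or vulnerability
    context changes the authorization outcome."""
    return evaluate(before)[1] != evaluate(after)[1]


# Constructed sample contexts, not real session data.
SAMPLE_CLEAN: Context = {"Threat.CTA-Course_Of_Action": "Monitoring"}
SAMPLE_ERADICATION: Context = {"Threat.CTA-Course_Of_Action": "Eradication",
                               "Threat.Qualys-CVSS_Base_Score": "5.3"}
SAMPLE_NULL_COA: Context = {"Threat.CTA-Course_Of_Action": None,
                            "Threat.Tenable Security Center-CVSS_Base_Score": "9.8"}
SAMPLE_HIGH: Context = {"Threat.Rapid7 Nexpose-CVSS_Base_Score": 8.0}

if __name__ == "__main__":
    for label, ctx in [("clean", SAMPLE_CLEAN), ("eradication", SAMPLE_ERADICATION),
                       ("null CoA, CVSS 9.8", SAMPLE_NULL_COA), ("CVSS 8.0", SAMPLE_HIGH)]:
        score = max_cvss_base(ctx)
        band = cvss_severity(score) if score is not None else "n/a"
        print(f"{label:20} severity={band:9} -> {evaluate(ctx)}")
```

Note how SAMPLE_NULL_COA still ends up denied: the threat rules cannot match without a Course of Action, but the vulnerability rules evaluate independently, which is one reason to run both integrations rather than relying on a single source of context.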

 

Visibility/Monitoring/Reporting

Reports

When a new endpoint connects, Cisco ISE sends a scan request for it to the Threat Centric NAC adaptor. You can see this under Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment Report.

pavagupt_15-1722616028574.png

Cisco ISE periodically queries the vulnerability management centers for available scan results; the polling interval is set when you configure the respective Threat Centric NAC adaptor. The snapshot below, taken from a Tenable SC integration, shows ISE reporting
Number of endpoints queued for checking scan results
Number of endpoints queued for scan
Number of endpoints for which a scan is in progress

pavagupt_16-1722616070799.png

Once the vulnerability management system (Tenable SC, Rapid7 or Qualys) has scanned the endpoint, Cisco ISE retrieves the result on its next query. The retrieved information then appears under Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment Report.

pavagupt_17-1722616132032.png

Whenever Cisco ISE receives new scan results, it issues a CoA for the affected endpoints. You can find those CoA events under Operations > Reports > Reports > Threat Centric NAC > CoA-Events.

pavagupt_18-1722616198326.png

Recent CoA events are also visible on the Operations > Threat Centric NAC > Live Log page, as shown below.

pavagupt_19-1722616217651.png

 

 

 

Context Visibility > Vulnerable Endpoints

When Cisco ISE receives the latest vulnerability information from the vulnerability management centers, it writes it to the endpoint database. Once updated, the vulnerabilities associated with an endpoint are shown in the Context Visibility > Vulnerable Endpoints dashboard, as shown below.
pavagupt_20-1722616264104.png

You can also open a specific endpoint under Context Visibility > Endpoints and look at its Vulnerabilities tab.
pavagupt_21-1722616308248.png

 

Enable Threat Centric NAC Service

 Pre-Requisites

To enable the Threat Centric NAC service you need an ISE Premier license. Confirm on the Administration > System > Licensing page that your standalone node or distributed deployment is registered with Cisco Smart Software Manager (CSSM) and that the Premier license is enabled.

pavagupt_22-1722616378919.png

 

Enable Threat Centric NAC service

The Threat Centric NAC service can be enabled on only one PSN. Go to Administration > System > Deployment, select the PSN that is closest (in network terms) to the vulnerability management centers (Tenable SC, Qualys or Rapid7), tick the "Enable Threat Centric NAC Service" check box and save. The services take a couple of minutes to start.
pavagupt_23-1722616409762.png

NOTE: The "Enable Threat Centric NAC Service" check box is greyed out if no Premier license is present or enabled in your Cisco ISE. Also note that, because the service runs on a single PSN, there is no high availability for Threat Centric NAC requests: if that PSN is unreachable or its service is down, Threat Centric NAC requests are not handled until it recovers.

You can check the status of the services by logging in to the CLI of the ISE node where the Threat Centric NAC service is enabled and running "show application status ISE".

pavagupt_24-1722616443087.png

Integrate with Threat Centric NAC vendors

Once the services are running, integrate the Threat Centric NAC vendors from Administration > System > Threat Centric NAC > Third Party Vendors.

pavagupt_25-1722616480382.png

NOTE: This page is visible only when the services mentioned above are enabled and in the Running state.

Click Add to integrate a Threat Centric NAC vendor with Cisco ISE.

pavagupt_26-1722616527243.png

Choose the Threat Centric NAC vendor from the drop-down.

pavagupt_27-1722616546294.png

Refer to the following guides for the integration and validation of each vendor:

Threat-Centric NAC Service: Integrate Cisco ISE with Tenable SC

Threat Centric NAC Service: Integrate Cisco ISE with Secure Endpoint

Threat Centric NAC Service: Integrate Cisco ISE with Qualys

 

 
