08-02-2024 09:50 AM - edited 08-04-2024 01:04 AM
This guide is intended to provide technical guidance to design, configure and operate the Threat Centric NAC service/feature in the Cisco Identity Services Engine (ISE). The document provides best practice configurations for a typical environment.
Cisco ISE provides an intent-based policy and compliance solution on top of AAA. Cisco ISE can be integrated with the Threat Centric NAC vendors below to assess vulnerabilities and/or threats associated with an endpoint connecting to your network and grant access according to the policy definitions. As a security administrator, you can check an endpoint for compliance and continuously verify its trust based on the vulnerabilities and/or threats associated with it, granting the proper network privileges whenever it connects.
Cisco Secure Endpoint (Formerly AMP)
Cisco® Secure Endpoint integrates prevention, detection, threat hunting, and response capabilities in a unified solution leveraging the power of cloud-based analytics. Secure Endpoint will protect your Windows, Mac, Linux, Android, and iOS devices through a public or private cloud deployment.
Cisco Secure Endpoint is a single-agent solution that provides comprehensive protection, detection, response, and user access coverage to defend against threats to your endpoints. The SecureX™ platform is built into Secure Endpoint, as well as Extended Detection and Response (XDR) capabilities. The newly introduced Cisco Secure MDR for Endpoint combines Secure Endpoint’s superior capabilities with security operations expertise to dramatically reduce the mean time to detect and respond to threats.
When Cisco Secure Endpoint is integrated with Cisco ISE, the two can share the threat and malware information associated with an endpoint so that Cisco ISE can authorize endpoints based on the threat's Course of Action. Cisco Secure Endpoint does not use Cisco Platform Exchange Grid (pxGrid) for ISE integration; instead it uses Structured Threat Information Expression (STIX). STIX is an information exchange language used to exchange cyber threat intelligence between organizations. It provides a common framework for organizations to share cyber threat information and adapt more quickly to computer-based attacks. Cisco Threat Centric NAC using Cisco Secure Endpoint in the cloud also falls into the Rapid Threat Containment category. Cisco security solutions and ecosystem and CSTA partner solutions in this category use Adaptive Network Control (ANC) mitigation actions to respond to or contain threats, issuing those actions from pxGrid, the ISE EPS RESTful API or STIX. Cisco Threat Centric NAC using Cisco Secure Endpoint performs threat detection and malware analysis. The ISE STIX integration provides visibility into compromised hosts and provides the manual ANC mitigation or Change of Authorization (CoA) actions the security administrator can take in line with the organization's security policy.
Tenable Security Center integrated with Nessus Scanner can scan the endpoint for vulnerabilities and return the CVSS score of the endpoint to Cisco Identity Services Engine (ISE). As an administrator, you can write policies in Cisco ISE based on the base/temporal CVSS score returned by Tenable Security Center so that endpoints get differentiated privileges based on the policies defined. For example, you can write an Authorization Policy to deny access to endpoints whose CVSS score is more than 8. You can also continuously validate the threats and vulnerabilities associated with the endpoint using the Tenable Security Center integration via the TC-NAC service.
Qualys allows organizations to assess and detect the security posture and vulnerabilities of endpoints and devices. When Cisco ISE and Qualys are integrated, Qualys can share the vulnerabilities found on the endpoint so that Cisco ISE can give differentiated privileges to endpoints connecting to the network based on the CVSS base/temporal score.
Nessus Scanner integrated with Rapid7 can help organizations scan and assess the risk and vulnerabilities associated with endpoints. When Cisco ISE and Rapid7 are integrated, Rapid7 can share the vulnerabilities found on the endpoint so that Cisco ISE can give differentiated privileges to endpoints connecting to the network based on the CVSS base/temporal score.
So, at a high level, the Cisco ISE Threat Centric NAC service can dynamically provide differentiated privileges to endpoints based on threat or vulnerability information.
_____________________________________________________________________________________________________
Threat information associated to the endpoint shared by Cisco Secure Endpoint
Cisco Secure Endpoint detects and shares the Threat Impact Level in terms of Severity and the corresponding Course of Action, so that Cisco ISE allows you to write policies based on Course of Action and dynamically issue a CoA if the endpoint's threat severity or Course of Action changes. The attributes below are shared by Cisco Secure Endpoint with Cisco ISE.
_____________________________________________________________________________________________________
Vulnerabilities information associated to the endpoint shared by Tenable, Qualys or Rapid7-Nexpose.
Tenable, Qualys or Rapid7-Nexpose can scan and detect vulnerabilities associated with endpoints in terms of Vulnerability ID, Vulnerability Title, CVSS Base Score, CVSS Temporal Score, CVEIDs and Reported Timestamp, so that Cisco ISE allows you to write policies based on CVSS Base/Temporal Score and dynamically issue a CoA if the endpoint's vulnerability information changes. Below is the information shared by Tenable, Qualys or Rapid7-Nexpose.
_____________________________________________________________________________________________________
The table below lists the information shared by these Threat Centric NAC vendors.

| Vendor | Information shared | ISE Dictionary | Dictionary Attribute Name | Attribute Values |
| --- | --- | --- | --- | --- |
| Cisco Secure Endpoint | Threat Type, Threat Severity, Course of Action, Confidence and Reported Timestamp | Threat | CTA-Course_Of_Action | Eradication, Internal Blocking, Monitoring |
| Qualys Enterprise | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVSS Temporal Score, CVEIDs, Reported TimeStamp | Threat | Qualys-CVSS_Base_Score, Qualys-CVSS_Temporal_Score | 0-10 |
| Tenable Security Center | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVSS Temporal Score, CVEIDs, Reported TimeStamp | Threat | Tenable Security Center-CVSS_Base_Score | 0-10 |
| Rapid7-Nexpose | Vulnerability ID, Vulnerability Title, CVSS Base Score, CVEIDs, Reported TimeStamp | Threat | Rapid7 Nexpose-CVSS_Base_Score | 0-10 |
Based on how ISE works with threat and vulnerability management systems, the following two sections explain in detail how it works with Cisco ISE + Cisco Secure Endpoint and with Cisco ISE + Tenable SC/Qualys/Rapid7-Nessus.
When Cisco ISE is integrated with Cisco Secure Endpoint, the Cisco Secure Endpoint module (standalone or part of Secure Client) installed on the endpoint can scan for or automatically detect a threat associated with the endpoint and share the information with Cisco ISE (specifically the PSN running the Threat Centric NAC service). The endpoint record is updated with the latest information sent by Cisco Secure Endpoint, and ISE issues a CoA to give differentiated privileges based on the policies written.
Below flow of events explains how it works at high-level with Cisco ISE standalone node.
When Cisco ISE and Cisco Secure Endpoint are integrated, the flow of events below explains how Cisco ISE can give differentiated privileges based on the threat information updated by Cisco Secure Endpoint.
Example Policies1:
Example Policies2:
It is recommended to write threat-based policies under Global/Local Exceptions. Global/Local Exception policies help you give differentiated privileges irrespective of how you construct policy sets. You can write policies using the Threat dictionary. You could give differentiated privileges based on the threat severity, as in Example Policies1 above, or give restricted/deny/quarantine privileges for any threat severity, as in Example Policies2 above.
Cisco ISE, through the Threat Centric NAC integration with Cisco Secure Endpoint, gets these details and updates the endpoint. Once updated, you can see the threats associated with the endpoint from Context Visibility > Compromised Endpoints Dashboard, as shown below.
You can also click the endpoint MAC address in the Context Visibility > Threats window to see the threat incidents reported by Cisco Secure Endpoint, as shown below.
NOTE: Depending on the threat incident, the Course of Action might not get updated. If the Course of Action from Cisco Secure Endpoint is null, Cisco ISE can't enforce the policies, because they are written based on Course of Action.
When Cisco ISE is integrated with Vulnerability Management Systems such as Tenable SC, Qualys or Rapid7, Cisco ISE can submit the request to Tenable SC, Qualys or Rapid7 to scan the endpoint. Tenable SC, Qualys or Rapid7 with the help of Nessus Scanner, Qualys On-prem Scanner or Nexpose Scanner respectively can scan the endpoint. Once the scanning is completed, Cisco ISE queries Tenable SC, Qualys or Rapid7 and gets the vulnerability information retrieved as part of a scan request. Once the vulnerability information is updated, Cisco ISE issues CoA to give differentiated privileges based on the policies written.
Below flow of events explains how it works at high-level with Cisco ISE standalone node.
Below flow of events explains how it works in Cisco ISE distributed deployment which can give differentiated privileges based on the vulnerability info updated by respective Vulnerability Management Systems.
As per the Zero Trust principle, when an endpoint connects to the network, Cisco ISE can give differentiated privileges based on the vulnerabilities assessed by the vulnerability management systems. However, when a new endpoint connects to the network, Cisco ISE might not yet have vulnerability information (CVSS Base/Temporal Score) for it. In this case, Cisco ISE can request that a vulnerability management system such as Tenable SC, Qualys or Rapid7 scan the connected endpoint. Cisco ISE submits the request to Tenable SC, Qualys or Rapid7 via the respective Threat Centric NAC adapter defined under the authorization profile. Once the scan is completed, Cisco ISE can retrieve the vulnerability information from Tenable SC, Qualys or Rapid7, issue a CoA and give differentiated privileges based on the policies written.
When Cisco ISE already holds vulnerability information (CVSS Base/Temporal Score) retrieved earlier from Tenable SC, Qualys or Rapid7 for an endpoint connecting to the network, Cisco ISE can give differentiated privileges based on the policies written.
Cisco ISE maintains the vulnerability information retrieved from Tenable SC, Qualys or Rapid7 for the endpoints in its database. Cisco ISE allows you to submit a request for the latest scan results to Tenable SC, Qualys or Rapid7 if the vulnerability information present in Cisco ISE is older than X hours, using the "Trigger scan if the time since last scan is greater than" attribute in the authorization profile. In the example authorization profile shown below, Cisco ISE submits a new scan request to Tenable SC for the latest scan results if the results available in Cisco ISE are older than 48 hours.
Cisco ISE also allows you to periodically reassess the vulnerability information by submitting new requests to the vulnerability management systems every X hours. In the example below, Cisco ISE submits a new scan request every 48 hours to retrieve the latest vulnerability information.
It is recommended to write vulnerability-based policies under Global Exceptions. Global Exception policies help you give differentiated privileges irrespective of how you constructed your policy sets; that is, whichever policy set an endpoint would normally match, as long as it is found to be vulnerable, the global exception policies are matched. You can write policies using the Threat dictionary. You could give differentiated privileges based on the CVSS Base or Temporal Score, as shown below.
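The authorization logic described in the sections above (threat and vulnerability rules evaluated as global exceptions ahead of the normal policy sets, the null Course of Action caveat, the "trigger scan if the time since last scan is greater than" profile setting, and the CoA that follows a changed result) as an added Python model. This is illustrative code written for this article, not Cisco ISE's implementation. The Threat dictionary attribute names come from the vendor table; the endpoint records, the CVSS threshold of 8, the 48-hour rescan age, the profile names (Quarantine, DenyAccess, PermitAccess) and the reference time are constructed.

```python
"""Model of how Threat Centric NAC attributes drive an ISE-style authorization.

Added illustration, not Cisco ISE code. Attribute names are the Threat
dictionary names from the vendor table; everything else is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Course of Action values reported by Cisco Secure Endpoint (vendor table).
COA_ERADICATION = "Eradication"
COA_INTERNAL_BLOCKING = "Internal Blocking"
COA_MONITORING = "Monitoring"

# CVSS attributes from the vendor table; a policy may reference any of them.
CVSS_ATTRIBUTES = (
    "Qualys-CVSS_Base_Score",
    "Qualys-CVSS_Temporal_Score",
    "Tenable Security Center-CVSS_Base_Score",
    "Rapid7 Nexpose-CVSS_Base_Score",
)

NOW = datetime(2024, 8, 2, 9, 50, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Endpoint:
    mac: str
    threat: dict = field(default_factory=dict)  # Threat dictionary attributes
    last_scan: Optional[datetime] = None        # Reported timestamp of last scan


def course_of_action(ep: Endpoint) -> Optional[str]:
    # None models the "Course of Action is null" case noted in the article.
    return ep.threat.get("CTA-Course_Of_Action")


def max_cvss(ep: Endpoint) -> Optional[float]:
    scores = [float(ep.threat[a]) for a in CVSS_ATTRIBUTES
              if ep.threat.get(a) is not None]
    return max(scores) if scores else None


def global_exception(ep: Endpoint, cvss_deny_threshold: float = 8.0) -> Optional[str]:
    """Profile a threat/vulnerability exception would assign, or None if no match.

    Exceptions are evaluated before the ordinary policy sets, which is why the
    article recommends keeping these rules under Global Exceptions.
    """
    if course_of_action(ep) in (COA_ERADICATION, COA_INTERNAL_BLOCKING):
        return "Quarantine"          # constructed profile name
    score = max_cvss(ep)
    if score is not None and score > cvss_deny_threshold:
        return "DenyAccess"          # "deny when CVSS score is more than 8"
    return None                      # null CoA / no score: nothing to enforce


def authorize(ep: Endpoint, default_profile: str = "PermitAccess",
              cvss_deny_threshold: float = 8.0) -> str:
    return global_exception(ep, cvss_deny_threshold) or default_profile


def needs_scan(ep: Endpoint, now: datetime, max_age_hours: int = 48) -> bool:
    """Trigger a vendor scan when ISE has no result or it is older than the limit."""
    if ep.last_scan is None:
        return True
    return now - ep.last_scan > timedelta(hours=max_age_hours)


def apply_update(ep: Endpoint, attrs: dict, now: datetime) -> bool:
    """Merge freshly retrieved vendor attributes; True means a CoA is warranted
    because the authorization result for this endpoint changed."""
    before = authorize(ep)
    ep.threat.update(attrs)
    ep.last_scan = now
    return authorize(ep) != before


def sample_endpoints() -> dict:
    """Constructed endpoint records covering the cases discussed in the text."""
    return {
        "new": Endpoint("00:11:22:33:44:01"),
        "vulnerable": Endpoint("00:11:22:33:44:02",
                               {"Tenable Security Center-CVSS_Base_Score": "9.3"},
                               NOW - timedelta(hours=10)),
        "stale": Endpoint("00:11:22:33:44:03",
                          {"Qualys-CVSS_Base_Score": "4.0",
                           "Qualys-CVSS_Temporal_Score": "3.6"},
                          NOW - timedelta(hours=72)),
        "blocked": Endpoint("00:11:22:33:44:04",
                            {"CTA-Course_Of_Action": COA_INTERNAL_BLOCKING}),
        "null_coa": Endpoint("00:11:22:33:44:05",
                             {"CTA-Course_Of_Action": None}),
    }


if __name__ == "__main__":
    for name, ep in sample_endpoints().items():
        print(f"{name:10s} {ep.mac} -> {authorize(ep):12s} rescan={needs_scan(ep, NOW)}")
```

The "stale" record shows the rescan path: its 72-hour-old result is still used for the current authorization (score 4.0 permits access) while a new scan is requested; when the retrieved result crosses the threshold, apply_update reports that a CoA is due.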
When a new endpoint connects to the network, Cisco ISE submits a request to the Threat Centric NAC adapter to scan the endpoint. You can see this from Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment Report.
Cisco ISE periodically queries the vulnerability management systems for available scan results. This interval is configured as part of the respective Threat Centric NAC adapter configuration. The example snapshot below is taken from the Tenable SC integration, where Cisco ISE queries for:
Number of endpoints queued for checking scan results
Number of endpoints queued for scan
Number of endpoints for which the scan is in progress
Once the endpoint has been scanned by a vulnerability management system such as Tenable SC, Rapid7 or Qualys, Cisco ISE gets that information from it on a query-and-retrieval basis. Once Cisco ISE has the information, you can find it under Operations > Reports > Reports > Threat Centric NAC > Vulnerability Assessment Report.
As and when Cisco ISE gets the latest scanned vulnerability information, Cisco ISE issues a CoA for those endpoints. You can find those CoA events under Operations > Reports > Reports > Threat Centric NAC > CoA-Events report.
You can also find recent CoA events on the Operations > Threat Centric > Live Log page, as shown below.
When Cisco ISE gets the latest vulnerability information from the vulnerability management systems, it updates the vulnerability information in the endpoint database. Once updated, you can see the vulnerabilities associated with the endpoint from Context Visibility > Vulnerable Endpoints Dashboard, as shown below.
You can also find vulnerabilities for a specific endpoint under Context Visibility > Endpoint > Vulnerabilities tab.
In order to enable the Threat Centric NAC service, you require a Premier license. Ensure from the Administration > System > Licensing page that you have registered your ISE standalone or distributed deployment with the CSSM server and enabled the Premier license.
You can enable the Threat Centric NAC service on only a single PSN node. Visit the Administration > System > Deployment page, select one of the PSNs (the one nearest to the vulnerability management systems such as Tenable SC, Qualys or Rapid7), enable the "Enable Threat Centric NAC Service" check box and save the configuration. It takes a couple of minutes to start the services.
NOTE: Keep in mind that the "Enable Threat Centric NAC Service" check box is grayed out if you don't have a Premier license or the Premier license isn't enabled in your Cisco ISE. Also note that if the PSN where the Threat Centric NAC service is enabled has reachability or service issues, Cisco ISE has no high availability for handling Threat Centric NAC requests.
You can check the status of the services below by logging in to the CLI of the Cisco ISE node where the Threat Centric NAC service is enabled and executing the "show application status ISE" command.
Once the services are running, you can integrate Threat Centric NAC vendors from Administration > System > Threat Centric NAC > Third Party Vendors.
NOTE: This page is visible only when the relevant services mentioned above are enabled and in Running State.
Click Add to integrate Threat Centric NAC Vendors into Cisco ISE.
From the drop-down, you can choose the Threat Centric NAC vendor.
Refer to the respective integration and validation sections below for each individual vendor.