Whether the driver is a new auditor-mandated requirement or the need to close gaps in the network, administrators increasingly need network access control that lets them decide quickly and consistently which users and devices reach critical resources, and respond when a device becomes a threat.
Network access control governs what users and devices can reach through the network's switches, routers, wireless controllers and firewalls. Without a central policy server, that policy has to be configured on each device separately, which is time consuming and hard to keep consistent. Cisco Identity Services Engine (Cisco ISE) provides a single policy and visibility platform for network access control and for several related security tasks.
Cisco ISE is first and foremost a central policy server: every switch, wireless controller and VPN gateway asks it, over RADIUS, whether a user or device should be admitted and with what privileges. ISE answers based on who or what the client is (credentials from an identity store such as Active Directory, certificates, or a device profile) and on the policy the administrator has written. A great feature of ISE is that these policies are built in a logical, readable form. There is no longer a need to maintain long, hard-to-read access control lists on every switch: ISE makes the decision centrally and pushes the resulting restriction (a VLAN, a downloadable ACL or a security group tag) to the device. Administrators can read a policy and know exactly who and what is getting which network privileges.
For example, a policy built inside ISE could read, "If the device is a domain computer and the user's credentials match an employee account in Active Directory, give that device employee network privileges." Or, administrators can use ISE's device profiling to create a policy that states, "If a device is profiled as an HP LaserJet printer, give that device printer privileges on the network." ISE gives administrators the flexibility to turn their company's written network policy into enforceable rules on the network. One caveat a practitioner should keep in mind: a profile-based rule such as the printer example relies on observed attributes (MAC address vendor prefix, DHCP, CDP/LLDP and similar) rather than on a credential, so it should grant only the access a printer actually needs; a device that imitates a printer's MAC address would receive the same access.
ISE also provides real visibility through the RADIUS Live Logs, a real-time feed of authentication and authorization events showing who is on the network, what device they are using, and which switch and port (or wireless access point) the device connected through, along with the reason for any denied attempt. Visibility into what is actually present on your network and which devices were denied network access is crucial for audits, for finding rogue devices, and for discovering personal devices that should not be on the internal network.
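To show how that visibility turns into a concrete check, here is an added example (not code from Cisco ISE or from the original post) that parses authentication events exported to a log collector and pulls out the two things an auditor or incident responder asks for: which endpoints were repeatedly denied, and where each admitted endpoint was last seen. The log lines and their key=value layout are constructed for this example; real ISE syslog output has its own format, so the parser is the part to adapt.

```python
"""Summarise network-access events: repeatedly denied endpoints and last-seen location.

Added example, not Cisco ISE code. The SAMPLE_LOG below is constructed in a
simplified key=value style; adapt parse_line() to the format your collector receives.
"""
import re
from collections import Counter

# Constructed sample events (not real ISE output). One endpoint fails three times on
# the same port, one employee mistypes a password once, the rest are admitted.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z status=Passed user=alice mac=00:11:22:33:44:55 nas=sw-floor1 port=Gi1/0/5 profile=Windows-Workstation auth=Employee_Access
2024-03-01T08:00:07Z status=Passed user=00-50-56-AB-CD-EF mac=00:50:56:AB:CD:EF nas=sw-floor1 port=Gi1/0/9 profile=HP-LaserJet auth=Printer_Access
2024-03-01T08:01:12Z status=Failed user=guest-laptop mac=aa:bb:cc:dd:ee:01 nas=sw-floor2 port=Gi1/0/3 profile=Apple-Device auth=DenyAccess reason=subject_not_found
2024-03-01T08:01:40Z status=Failed user=guest-laptop mac=aa:bb:cc:dd:ee:01 nas=sw-floor2 port=Gi1/0/3 profile=Apple-Device auth=DenyAccess reason=subject_not_found
2024-03-01T08:02:05Z status=Failed user=bob mac=00:11:22:33:44:66 nas=sw-floor1 port=Gi1/0/7 profile=Windows-Workstation auth=DenyAccess reason=wrong_password
2024-03-01T08:02:30Z status=Passed user=bob mac=00:11:22:33:44:66 nas=sw-floor1 port=Gi1/0/7 profile=Windows-Workstation auth=Employee_Access
2024-03-01T08:03:30Z status=Failed user=guest-laptop mac=aa:bb:cc:dd:ee:01 nas=sw-floor2 port=Gi1/0/3 profile=Apple-Device auth=DenyAccess reason=subject_not_found
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed event line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    # Normalise the MAC so the same endpoint is counted once regardless of case.
    if "mac" in rec:
        rec["mac"] = rec["mac"].lower()
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def denied_endpoints(records, min_failures=2):
    """Endpoints denied at least min_failures times, with where they tried to connect.

    A single failure is usually a typo; repeated failures from one MAC on one port
    are the signal for an unmanaged or rogue device worth a visit to the closet.
    """
    failures = Counter()
    last_seen = {}
    for r in records:
        if r.get("status") == "Failed":
            failures[r["mac"]] += 1
            last_seen[r["mac"]] = {
                "nas": r.get("nas"), "port": r.get("port"),
                "profile": r.get("profile", "unknown"), "reason": r.get("reason", ""),
            }
    return {mac: {"count": n, **last_seen[mac]} for mac, n in failures.items() if n >= min_failures}


def last_location(records):
    """Latest switch and port at which each admitted endpoint was seen (the 'where is it' view)."""
    location = {}
    for r in records:  # records are in time order, so later entries overwrite earlier ones
        if r.get("status") == "Passed":
            location[r["mac"]] = (r["nas"], r["port"])
    return location


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for mac, info in denied_endpoints(recs).items():
        print(f"DENIED x{info['count']}: {mac} on {info['nas']} {info['port']} "
              f"profiled as {info['profile']} ({info['reason']})")
    for mac, (nas, port) in last_location(recs).items():
        print(f"present: {mac} at {nas} {port}")
```

The threshold in `denied_endpoints` is deliberate: with `min_failures=2` the employee who mistyped a password once is not reported, while the unknown Apple device that kept retrying on the same port is.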
Another strong feature is ISE's integration with Cisco Firepower, one of the best tools ISE has to offer. Combining ISE's knowledge of every device on the network with Firepower's ability to detect active threats makes it much easier for a network administrator to keep up with evolving attacks. Because of this integration, administrators no longer need to sift through hundreds of alerts to work out which computer is infected and should be taken off the network to protect the rest of it.
Firepower, with FireAMP for Endpoints (the product now sold as Cisco Secure Endpoint) running on the computers, identifies infected machines that no longer fit the company's security posture and reports them to ISE over the pxGrid integration. ISE then applies a quarantine policy to that endpoint's session and, through a RADIUS Change of Authorization to the switch or wireless controller, either takes the device offline or moves it to a segregated network until the administrator can disinfect it and bring it back into compliance. Once the endpoint is clean and the quarantine is lifted, ISE re-authorizes it into its normal policy, so nobody has to remove the restriction by hand on the switch. The ISE and Firepower integration keeps the network healthy and saves countless hours of work and sleepless nights for network administrators.
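The readable-policy idea from the earlier examples and the quarantine flow just described are really the same mechanism: an ordered list of rules evaluated against a session's attributes, with the first match deciding the result, and a change in the session's state causing the decision to be redone. The added example below (not Cisco ISE code and not from the original post) models that with the two rules from the examples above plus a quarantine rule at the top and a deny-by-default fallback. The attribute names (`machine_authenticated`, `ad_groups`, `profile`, `anc_policy`), the profile names and the authorization result names are assumptions chosen for the example; ISE's own attribute dictionary and profile names differ.

```python
"""First-match authorization policy with a quarantine override and re-authorization.

Added example, not Cisco ISE code. Attribute and profile names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Session:
    mac: str
    machine_authenticated: bool = False        # assumed: 802.1X machine authentication succeeded
    user: Optional[str] = None                 # assumed: user from 802.1X, or None for MAB
    ad_groups: FrozenSet[str] = frozenset()    # assumed: groups returned by the AD lookup
    profile: str = "Unknown"                   # assumed: result of device profiling
    anc_policy: Optional[str] = None           # assumed: set by the threat-containment integration


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


# Ordered policy; first matching rule wins. Containment comes first so that a quarantined
# endpoint can never fall through to a permissive rule further down.
POLICY: List[Rule] = [
    Rule("Quarantine", lambda s: s.anc_policy == "Quarantine", "Quarantine_VLAN"),
    Rule("Employee",
         lambda s: s.machine_authenticated and s.user is not None and "Domain Users" in s.ad_groups,
         "Employee_Access"),
    Rule("Printer", lambda s: s.profile == "HP-LaserJet", "Printer_Access"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (rule name, authorization result) for the first rule that matches, else deny."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


class PolicyServer:
    """Tracks live sessions and re-authorizes one when its containment state changes.

    The re-authorization step is what a RADIUS Change of Authorization does in a real
    deployment: the new result is pushed to the switch for the existing session, without
    waiting for the endpoint to reconnect.
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.coa_log: List[Tuple[str, str]] = []   # (mac, result) pushed to the network device

    def connect(self, session: Session) -> Tuple[str, str]:
        self.sessions[session.mac] = session
        return authorize(session)

    def quarantine(self, mac: str) -> Tuple[str, str]:
        """Called when the threat-detection side reports the endpoint as infected."""
        session = self.sessions[mac]
        session.anc_policy = "Quarantine"
        return self._reauthorize(session)

    def release(self, mac: str) -> Tuple[str, str]:
        """Called when the endpoint is clean again; it falls back to its normal rule."""
        session = self.sessions[mac]
        session.anc_policy = None
        return self._reauthorize(session)

    def _reauthorize(self, session: Session) -> Tuple[str, str]:
        decision = authorize(session)
        self.coa_log.append((session.mac, decision[1]))
        return decision


if __name__ == "__main__":
    server = PolicyServer()
    laptop = Session("00:11:22:33:44:55", machine_authenticated=True, user="alice",
                     ad_groups=frozenset({"Domain Users"}), profile="Windows-Workstation")
    printer = Session("00:50:56:ab:cd:ef", profile="HP-LaserJet")
    unknown = Session("aa:bb:cc:dd:ee:01", profile="Apple-Device")
    for s in (laptop, printer, unknown):
        print(s.mac, server.connect(s))
    print("infected ->", server.quarantine(laptop.mac))
    print("cleaned  ->", server.release(laptop.mac))
```

The ordering matters as much as the rules themselves: if the `Quarantine` rule were moved to the bottom, an infected domain laptop would still match `Employee` first and keep full access, so a policy review should check where containment rules sit, not only that they exist.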
I’ve discussed three benefits that ISE offers, but there are many other aspects of ISE that can give administrators better insight into, and control over, who and what is on their network. If you’re interested in learning more about Cisco Identity Services Engine, please contact RSM’s technology consulting professionals at 855-437-7202 or send us an email.
Read our case study about how RSM’s managed IT services team improved Goppert Financial Bank’s overall network stability.