One of the most important aspects of network security is access policy. This is how you control who can access your network and how. You can allow devices, block devices, and limit access as you see fit — assuming you have a competent system that allows you to control access policy.
Cisco, being the networking giant that it is, has an interesting solution for this issue. Cisco ISE (identity services engine) is a technology that consolidates access policy across a network. It’s scalable and allows for precise access control, empowering your network to greater total security.
What Is Cisco ISE?
Let’s start with the essentials. Cisco ISE is a server-based product. It can be an appliance or a virtual machine, but in either case, the purpose is to enforce access policies for endpoint devices.
In other words, you’re controlling who can access what on the devices that are directly connected within your network.
Access policy is essential for security and data control. Cisco ISE offers powerful ways to manage those policies and maintain the control you need. Without such tools, you might be vulnerable to hacking, data breaches, malware, or the simple but devastating issue of allowing unauthorized people to see privileged data.
In fact, a simple example scenario can highlight just how important access policy can be.
Imagine a doctor’s office where a computer terminal is available in every patient care room. Those terminals are used to access and update patient files, making it easier for providers to keep up with their patients and provide the best possible care.
But, what happens when the provider leaves the patient alone in the room? With no access policy and control, a patient could use the terminal and view any other patient’s files. That’s a massive violation of privacy and could incur major fines, just because a patient accidentally saw things they weren’t supposed to find.
Imagine how much worse the problem could become if the person with unwanted access had malicious intentions.
The importance of Cisco ISE is easy to understand, but how does it function?
For starters, it utilizes a host of industry-standard features that give you more control over how machines and files are accessed within your network.
You can implement VPN authentication for any endpoint within your network. You can control certificate validation, MAC address filtering, device profiling, and more.
You can also segregate your network using Cisco ISE tools. You can create and manage VLANs that allow you to severely limit interconnectivity within your network.
Here’s an example.
Going back to the idea of the doctor’s office, you can set up your VLANs so that each patient room is an isolated virtual network. That way, none of those terminals can ever access each other. So, if someone did compromise a single patient terminal, they would not be able to access any of the others from that device.
Network segregation mitigates problems when they do arise, and it’s one of the more powerful features available with Cisco ISE.
Then again, we’ve only covered industry-standard features so far. Where Cisco ISE really pulls away is with the ISE nodes.
Specifically, the technology makes it easy to set up and control four specific nodes: policy administration, monitoring, policy services, and pxGrid.
Each node serves a unique purpose within the network and enhances the precision of your control over access policies and related security practices.
Let’s explore the nodes individually to better understand exactly how they can help.
Policy Administration Node
The policy administration node (PAN) sits at the top of the hierarchy. As you can guess from the name, this node in the network is where the administrator sets and disseminates access policies. Commonly, this node is a central server that can distribute information to the rest of the network (or network segment) easily, but that isn’t a requirement.
In fact, you can create primary and secondary policy administration nodes to service more complicated and segmented networks. At each PAN, you can select access criteria and controls for every endpoint nested under that PAN. This makes it easy to create varying tiers of access policy throughout the network, and you aren’t bound by the physical configuration of the devices.
Next up is the monitoring node, and like the others, it is aptly named. This node is where you collect and store logs. You can also generate reports at this node.
This node is powerful enough that a single instance can provide live statuses for every device connected to the network — known and unknown.
You can also segment your monitoring and set up multiple monitoring nodes if and when that becomes reasonable. Regardless, Cisco ISE readily provides this feature, making it much easier to monitor your network as you see fit.
Policy Services Node
The policy administration node (PSN) sets access policy. The policy services node follows that policy. This node is where endpoints connect with the network.
Typically, a group of switches can communicate with a server that acts as the policy services node. That node provides relevant access policy information to endpoint devices via the switches.
With this design, smaller networks can operate with a single policy services node, but larger networks will need multiple PSN servers.
The greatest advantage of this feature is its scalability. It’s relatively simple to add additional PSNs when and where you need them.
The last node of the day is the pxGrid node. For those unfamiliar, pxGrid framework allows devices to exchange information via the session directory.
In simpler terms, the pxGrid node allows ISE to trade data between Cisco devices and third-party equipment. It provides more power to access policy controls, and the pxGrid can even enable the network to quarantine or block users in response to events.
That covers the essentials of Cisco ISE. It’s a powerful bit of technology that gives you detailed and extensive control over access policy. You can customize your ISE nodes to optimize your network while maintaining the level of security and control that you need.
Additional Learning Center Resources