INTRO: This is the IT Roadshow.
We're taking you with us, as we go coast to
coast, East to West, on the tricked-out CDW
Technoliner —anywhere and everywhere there's
technology, talking to and learning from real
engineers, swapping stories with real techies,
seeing real technology in action.
So if you're ready to geek out, hop on and
let's go.
Nathan: Welcome to another Pit Stop on the
IT Roadshow.
I'm Nathan Coutinho, and I'm here today with
Allen Schmidt to talk about Cisco ISE.
Allen: Yep.
Nathan: Identity Services Engine?
Allen: That's correct.
Nathan: So tell me all about ISE.
What is ISE?
Allen: So Cisco ISE is network admission control.
You know, for years we've been used to securing
the public perimeter, the outside perimeter,
so we've had firewalls and intrusion prevention
and those kinds of solutions to protect us
from the outside world.
ISE and network admission control are protecting
that internal perimeter.
It's that access layer infrastructure where
people are connecting to our network, and
we assume they are trusted.
But we really can't make that assumption,
so that's where ISE comes in.
Nathan: So, network admission control, it's
not a new thing, right?
So what's different about Cisco ISE?
Allen: So network admission control, it's
been around for a long time.
It uses 802.1x, but there's a lot of components
to that.
The endpoints had supplicants, which weren't
terribly stable.
The access layer infrastructure, like the
wired switches and the wireless LAN controllers,
they didn't necessarily always have the services
that you needed.
And then the place where you built the policy
— who gets on it and who gets off — it
was really complex.
It was not easy or intuitive at all to build
those policies.
ISE came along, and it improved that policy
engine and, over time, the access layer infrastructure
now holds all of those capabilities that we
need.
The supplicants that come with Mac computers
and Windows computers — and, you know, mobile
devices like iPhones and tablets — they're
very stable now and operating exactly the
way we would want.
Nathan: So this explains why when I get to
the office with my Wi-Fi–enabled toaster,
it doesn't actually work.
Allen: I'm not sure why you're bringing a
toaster to the office …
Nathan: [Laughs]
Allen: … but, yes, it will identify that
that is not our toaster, and it will prevent
it from getting on the network.
Nathan: What would you say is critical for
managing NAC?
Allen: The key to a successful network admission
control implementation is to understand things
like: Who are the users that you're going
to allow on to the network?
What are the kinds of devices that you're
going to let on the network?
And then, you know, what are the permissions
you're going to give to them?
So, you have employees that want to get on
the network — maybe they want to get onto
the campus wireless, maybe they want to get
onto the wired network.
And this is where Identity Services Engine
comes in — so that we can identify that
that's a legitimate user.
So we can tell who this user is based on their
Active Directory credential, for instance.
ISE can work on the back end with Active Directory,
so we can identify who that user is.
But if we'd like to know that it's our device,
the best way to do that is with a certificate.
Again, ISE can work on the back end with a
certificate authority, so now we can know
this is our user and our device, which is
an important part of network admission control.
I tell all of the people I talk to: If you
really want to do this, start to implement
PKI, public key infrastructure, in your environment.
It really helps.
So this will allow you to get to internal
systems, like get on to the local network,
talk to printers, email, file servers.
But you also have people who bring in their
own devices.
It's not a toaster, but it's a tablet, for
instance.
Nathan: Mm-hmm.
Allen: So, you can let them on, they have
a valid credential, but they don't have that
certificate.
We can know that, and we can say, all right,
maybe we'll let them get on to parts of the
network but not all of the network.
So now you can limit where they can get to.
Nathan: Hmm.
Allen: We also have guest access.
We have visitors that show up with their tablets
that want to get onto the guest Wi-Fi.
You can give them sponsored access, where
we can have an employee-created credential
for them.
They could use that visitor credential directly
on that smart phone if they want or on that
machine, so that they can get to the internet,
for instance.
This also works for wired.
So this is how you control user-based access,
but then there's also those other kinds of
devices that join the network.
There are IP phones, there's streaming video,
and there's video surveillance cameras.
There's display screens that connect to the
network.
These are things that don't have a keyboard
or a thumb board, or something like that.
So this is where profiling comes in, which
ultimately can identify a device based on
the characteristics it presents when it connects.
So now you can address BYOD employee access,
bring your own device, guest access, connecting
devices — all controlled from the ISE server.
Nathan: That makes sense from a policy control
perspective, right?
Allen: Mm-hmm.
Nathan: So how does this make it simpler,
because it still sounds fairly complex?
Allen: The key to the whole thing is that
it's very dynamic.
When you connect to the network, it identifies
who you are, it identifies the device that
you're using, and then it brings the appropriate
level of access — down to the connection
you made, down to the very port that you're
connected to.
And the same goes for wireless, the same goes
for VPN.
So now, you've got wired, wireless and remote-user
access all coming under the same access control
structure.
And I think one of the key benefits is those
nonuser machines, like the phones and the
cameras — and those kinds of things.
By dynamically figuring out what they are,
you don't have to go around and collect information
about each phone that you have and each camera
that you have.
It looks when you connect and says, "I can
tell.
I'm 99 percent sure that thing that's connecting
is an IP phone.
IP phones go on this vLAN; they get this kind
of connection."
Nathan: So it sounds pretty straightforward.
As long as you create the right policies for
the right people based on role, you can also
change those once they actually log in to
the network and then the devices essentially
follow those policies and so does the user
profile.
Allen: Right, and you're changing that centrally.
You're not having to visit …
Nathan: Right.
Allen: … each access layer device to put
that policy in there.
You're doing it in a central location.
Nathan: That does seem a lot easier.
Allen: Very much so.
Nathan: So this sounds like a really comprehensive
solution; a lot of features, lots of functionality,
especially with the policies.
Allen: Sure.
Nathan: Can small businesses use this as well?
Allen: That's one of the nice things about
Identity Services Engine.
It's very scalable.
So you can start small, maybe with a single
location.
You can extend that to additional locations
as time goes on and as you build your policy.
You can also start at particular parts of
your network.
It's very common for people to start with
Wi-Fi.
You know, Wi-Fi has been doing network admission
control for years.
So introduce ISE on the wireless side and
then, over time, you can start to introduce
it to the wired side.
And you can pick again, you know, a particular
location as the pilot site and then start
to add additional locations over time.
So it can scale in size, it can scale in mission.
It can also do network administrative access
control so you can control administrators'
access to routers and switches and firewalls,
and those kinds of things.
So it's above and beyond just getting connection
to the network; it's who has permission to
manage and to configure the network.
Nathan: Allen, thank you so much for your
time.
It's been fantastic really learning about
network admission control.
Allen: It's been my pleasure.
Nathan: Thank you so much for watching another
Pit Stop on the IT Roadshow.
For more information, go to CDW.com/security.
Have a great day.
