In the face of continued security threats, the task of today's network professionals is to build networks that protect against unauthorized intrusion, while still providing easy, timely access to legitimate users. While IT departments have done a pretty good job of securing what's outside the firewall (i.e., the Internet/DMZ), the one piece that has continued to be a challenge is the LAN and protecting the corporate network against what might be inadvertently or even maliciously plugged into the ordinary LAN wall jack. Today, VLANs are typically configured to segment use cases, each being configured for the rights appropriate to the category of device being attached. So, if a printer is moved by a user, for example, and inadvertently plugged into a LAN jack that has been configured for an end-user PC, the printer may not work properly, resulting in an unnecessary call to the Help Desk. This is more of an inconvenience than a security threat. On the other hand, if a guest vendor or contractor on site plugs their laptop into a LAN jack that has been configured for an end-user PC, rather than one configured for a "guest", they may end up gaining access to a lot more than just the Internet, which is likely all that was intended. They may in fact have unauthorized access to the full range of corporate computing resources and data that would typically be reserved only for the firm's regular end users, resulting in a security exposure. While solutions for securing the LAN have been around for a number of years, they have typically been piecemeal solutions involving multiple products, usually rendering them complex, cumbersome, expensive and difficult to manage. However, with continued regulatory pressure (e.g., PCI compliance), with continued exponential growth in the use of personal computing devices, and with the Bring Your Own Device (BYOD) endpoint model rapidly gaining broad acceptance, the need has never been greater for a slicker solution to LAN security. 
According to Cisco, 7.7 billion WiFi-enabled devices are expected to enter the market over the next five years. Like other network vendors, industry leader Cisco has for some time relied on using multiple products, including its Network Admission Control (NAC) products, to provide full LAN security solutions. For our customers, this has meant multiple products to buy, multiple products to administer and manage, multiple different interfaces and multiple security policies; and trying to deploy all this on a large scale across multiple sites was far too complex and required a lot of software and hardware appliances, as well as the different interfaces to manage—like I said, piecemeal, cumbersome, complex and costly. All this came to an abrupt end, however, when Cisco introduced its new Identity Services Engine (ISE), a real game-changer that, as depicted by the accompanying diagram, consolidates and centralizes multiple legacy technologies into a single security platform for VPN and LAN (wired or wireless). The Cisco ISE, which consists of software running on a Cisco appliance or virtual machine, collapses all the legacy access security products–products Cisco has acquired from other vendors over the years–into a single product that provides all the same functionality, and more, controlled through a single, enterprise-wide security policy. Two ancillary pieces to an ISE solution should also be mentioned, both of which are small software shims deployed onto each endpoint device. One is the NAC Agent, which helps ISE determine the device's 'security posture' (e.g., what security software and patches are installed). The other is Cisco AnyConnect, which is not only a 'supplicant' that helps ISE identify the device, but also helps the device with VPN access and the deployment of client-based firewalls. Cisco has indicated that it is their intention to consolidate these into a single client. 
The key benefits of ISE are robust network security (no matter what device or what location), simplified installation and administration, and a single network policy across the entire enterprise. With BYOD becoming so prominent, ISE provides the security and flexibility to ensure that the right device will only get onto the right area of the network. Feel free to e-mail me or call me at 1-800-387-5045 to find out how a Cisco ISE solution from Compugen offers the flexibility to secure your BYOD initiative.
Cisco Identity Services Engine (ISE) solves BYOD security challenges
Posted by Chris Goundry, September 03, 2012