Cisco modules are compact devices housed in dedicated slots of a switch chassis, router, or server. They adapt the base equipment to the requirements of an existing network infrastructure, so you can combine a wide range of services in one router/switch/server and extend some of its original features.
What are the main advantages of modular design?
Significantly simplified network infrastructure
When you build a network infrastructure, you face the problem of installing many different types of equipment, and configuring each of them to match the network settings often takes a long time. Cisco developers offer a way out: buy a separate chassis and put modules in it. Such a construction has a single platform for all its components and eliminates the possibility of a device operating incorrectly. The resulting device is aimed at solving specific problems and simplifies administration for the network administrator as much as possible.
Lower cost of building a corporate network
As the business develops over time, network service requirements change. A rational solution is then to replace the corresponding module instead of purchasing a complete new device such as a switch, router, or server.
Compatibility with existing equipment
A separately purchased device (a new switch, router, or server) often needs specific configuration to match the existing network parameters. If you buy a module instead, you most likely do not need to coordinate it with the base unit: such modules are plug-and-play and automatically take over the settings of the host device.
Space savings
Companies do not always have enough space to install all of their network equipment. Placing several modules in one chassis is therefore the best solution, compared with installing several separate devices.
Hot-swapping of network devices
Thanks to hot-swap support, you can remove a module from its slot and insert a new one without interrupting the operation of the base unit.
There are many types of Cisco modules. The most widely used are HWIC and EHWIC modules, VWIC modules, PVDM modules, NME modules, SFP transceivers, switch modules, memory modules, Cisco FLASH modules, and power modules.
Let’s consider each of these types of modules separately.
HWIC and EHWIC modules
This type of module provides ports at a specific network speed (Gigabit Ethernet or Fast Ethernet) for a wired connection to the WAN. HWIC and EHWIC modules have the following characteristics:
high-speed connection. Thanks to xDSL technologies, these modules increase performance and surpass digital and analog devices in their technical characteristics. These technologies allow voice traffic and high-speed data to be carried over the same twisted pair;
network protocols. These include protocols for remote monitoring, flow control, redundancy of the central channel, and other protocols that increase network performance;
restriction of access to private resources on the local network. Unauthorized users receive (or do not receive, depending on administrator settings) access only to limited network resources, while corporate applications and services remain invisible to them;
high-quality processing of media packets. When playing video online, audio and video often get out of sync. To avoid such delays, the traffic-processing services give priority to this type of content; only then do text documents and other relatively small data get their turn;
additional features. Many HWIC and EHWIC modules can process jumbo frames (large data packets) and are also equipped with network load-balancing protocols. Most of these modules provide command-line interface (CLI) administration.
PVDM modules
These modules are designed for digital signal processing. Having a high density of DSP resources, they are equipped with special features:
Voice over IP support. Voice and video traffic usually occupy considerable bandwidth, so to minimize network load the data is compressed before transmission and sent in digital form;
support for low-bandwidth devices. The primary device may have little bandwidth (in particular, models built for earlier network standards). To carry media efficiently, the module converts voice traffic for transmission through a dedicated channel;
expandability. Depending on the configuration, PVDM modules have a different number of ports for connecting endpoints (for example, IP phones), so you can increase the number of network devices without buying a separate unit;
quality of service. QoS prioritizes data packets, sending media traffic first. This minimizes delays when playing audio and video in real time, giving high-quality end-to-end IP telephony and conferencing services.
NME modules
These modules typically have high bandwidth and are installed inside switches and routers. NME modules provide services that protect equipment from network threats and distribute power over the Ethernet cable. Their primary functions include:
protection against unauthorized copying. Special services restrict access by unauthorized network users to current traffic, so copying of private information is prevented;
authorization and authentication. Client device authentication and authorization services do not let unauthorized users consume network resources, which maintains the privacy and security of corporate data;
blocking network threats. In the event of a network threat (for example, a network worm or a virus), the built-in firewall prevents damage to the corporate network and its devices;
blocking inappropriate content. To keep your employees' workflow efficient, you can use a special mode to block unwanted network resources (for example, gaming portals);
automatic error correction. Errors can occur when transferring data and connecting new network devices. Special network protocols constantly monitor the network and automatically correct incorrect activity;
URL blacklist filtering. Modules of this type are generally equipped with a constantly updated blacklist of URLs that could harm your system;
energy management. Special EnergyWise technology manages the energy consumed by connected devices, which significantly reduces energy costs and greenhouse gas emissions.
VWIC modules
Very often, the base services of a switch or router do not include IP telephony. To add IP telephony to your network, you only need to install this module in the corresponding slot. With these modules, a trunk connection is established with the IP-PBX. VWIC modules combine the functions of a WAN interface and a voice interface, and some models also allow the connection of IP and analog phones.
SFP transceivers
These miniature modules are used for high-speed data transmission (from 100 Mbit/s to 20 Gbit/s) over long distances (from 550 m to 120 km). They have high fault tolerance, which keeps the device operating effectively in the event of faults in the electrical supply. Some models also support DOM (Digital Optical Monitoring), a function that automatically diagnoses the module by checking its operating parameters against the expected values.
Memory modules
These modules increase the total amount of RAM. If the staff grows, the network load increases with the number of computers served, so the same router/switch/server must handle more requests than before. If you do not increase the existing RAM, work processes slow down and idle periods grow. To solve this problem, a RAM module is installed in a special slot; it increases network performance and minimizes unproductive time for the network equipment.
Cisco FLASH modules
These are removable storage media used to store the operating system, various applications, and the boot image. Installing such a module is necessary when you want to install new applications and programs and the FLASH memory available on the main device is not enough.
Power modules
These modules provide PoE power to connected devices and compensate for voltage drops on the network. Depending on the model, they supply 7 W to 15.4 W per port (the PoE and PoE+ standards, respectively). A power outlet is not always available near the device installation site; this problem occurs especially often when mounting network cameras and IP phones. Placing a power module in a special slot gives flexibility in installing such devices: to power them, it is enough to connect an Ethernet cable, so the electrical current flows through the twisted pair together with the data.
Cisco 1900/2900/3900 Router Modules
The Cisco 1900/2900/3900 Series Routers have extensive functionality that supports these types of modules:
- Cisco Service Module. It includes an IP base feature set, quality of service, access control lists, and IP service feature set. This type of module also provides power through PoE, allowing intelligent control of incoming power;
- Cisco Enhanced High-Speed Interface WAN Card. This module provides SFP and a copper Gigabit Ethernet or Fast Ethernet connection, providing high-speed connectivity for connected equipment. Thanks to these modules, you can increase the performance of your network, as well as provide branch offices and remote offices with access to Ethernet WAN Layer 2 and Layer 3 services;
- Cisco Internal Services Module. These modules encrypt IPsec VPN traffic, speeding up this process up to 3 times. They also increase the number of requests processed simultaneously, which increases the network’s speed for large companies. Besides, Cisco internal services modules provide strong authentication and privacy for private network resources;
- Cisco High-Density Packet Voice Digital Signal Processor Module. This type of module provides conference and voice services. These devices process digital and analog signals and also provide transcoding. Additionally, DSP modules improve voice quality by performing operations to compress voice traffic, suppress echo, and automatically detect voice activity. You can easily scale the number of connected devices by selecting a module with many supported channels.
Cisco modules in VTK COMMUNICATION
VTK COMUNICACION provides a large selection of original certified network equipment. On our site, you can view descriptions and purchase Cisco modules for the Cisco 1900/2900/3900 series routers. VTK COMUNICACION specialists will help you choose the most suitable model for your needs and install the purchased products in the main unit. As a result, you receive equipment that is already working according to your network parameters.
Recently, active Internet users have increasingly faced the appearance of unknown programs on their PCs: nobody intentionally installed the software, yet it somehow ended up on a working computer. A typical example is the Cisco EAP-FAST module, the Cisco LEAP module, or the Cisco PEAP module. Most users do not understand what kind of program it is, and whether removing it would break other applications.
What is the Cisco EAP-FAST module?
If you have previously connected to a corporate network domain, the appearance of the Cisco EAP-FAST module among installed software is not surprising: it is an authentication service that uses EAP-FAST (EAP Flexible Authentication via Secure Tunneling), an EAP method developed by Cisco.
This service enables authentication on the network following the IEEE 802.1X standard. EAP-FAST also protects against various network attacks.
What is this program, and if it is necessary?
If you have never used Cisco products and have never connected to a network domain, you can safely delete it. This program was originally intended for Cisco wireless infrastructure.
In general, Cisco EAP-FAST is relevant for users or organizations that cannot enforce strong password policies, do not want to use digital certificates, or do not support the required databases. In such cases, EAP-FAST protects against various network attacks, including man-in-the-middle, spoofing of authentication data, AirSnort attacks, spoofing of data packets (based on the victim's responses), and dictionary attacks.
If an organization uses wireless security such as WPA or WPA2 (which include the 802.1X standard for authentication), is unable to meet password policy requirements, and does not want to use certificates, it can easily implement EAP-FAST to improve overall security.
What kind of program is this, and can it be removed?
Sometimes, when reinstalling the wireless adapter drivers, Cisco Express Install also starts, after which the process "doesn't work": the installer freezes and the wireless network becomes unavailable. Possible reasons for this behavior are a wrong detection of the network card or of its model name.
To prevent and eliminate such problems, it is advisable to periodically check the system for viruses with an antivirus utility such as Dr.Web CureIt.
After all, when reinstalling the system you may be using drivers and installers that are already infected. At the same time, a standard antivirus such as Kaspersky can simply skip the infected files if they have been added to its exclusions, and consequently give them almost complete access to the system.
If the drivers were installed using an installer, you must first remove this program through the Control Panel under "Programs and Features" (Windows 7 and later) or "Add or Remove Programs" (Windows XP) and then install them again.
If all else fails, use the Everest program (also known as AIDA) to determine the correct device identifier, by which you can find the correct drivers. You can also do this in the standard Device Manager by opening the device properties and selecting the Details tab, but Everest makes it easier and more convenient.
Program removal procedure
To completely remove the Cisco eap-fast module, use the Add / Remove Programs Wizard in Control Panel. The uninstallation tutorial is as follows:
- open the Start menu and go to the Control Panel;
- select Add or Remove Programs (Windows XP) or Programs and Features (Windows Vista, 7 and 10);
- find the Cisco EAP-FAST module program and click on it. On Windows XP, click the Change/Remove tab or just click the Remove button;
- follow the removal instructions until the process completes successfully.
Cisco Systems manufactures networking equipment such as switches, routers, displays, modems, servers, and more. It is also a major manufacturer and leader in computer and network technologies.
It is an American company that develops and sells network equipment. The company's main motto is to give customers the opportunity to purchase all of their network equipment from Cisco Systems alone.
Besides manufacturing equipment, the company is the world's largest company in high technology. Some still ask, "Cisco, what is it?" At the beginning of its activity the company produced only routers; it is now the leader in developing technologies for the Internet. It created a multidisciplinary certification system for network professionals. Cisco's professional certificates are valuable; the expert level (CCIE) is highly respected in the computer world.
The name Cisco itself comes from the city of San Francisco, California, and the logo is a stylized Golden Gate Bridge. In Russia, Ukraine, and Kazakhstan, the company has been present since 1995. In 2007, the considerable increase in information security sales amounted to about 80 million dollars, and since 2009 there has been a research and development center in Russia.
The company is at the forefront of building highly reliable and extensive internal networks. The Aironet series provides security and precise manageability when building a Wi-Fi network. The series has five access points, which helps solve many problems. The network supports three standards, a, b and g, as well as 802.11n, so you can maximize
With two or three access points, you can manually change rights and add or remove users on the network. With more, you need a dedicated controller device. This intelligent mechanism not only controls the operation of the network but also, by analyzing how the access points operate, distributes the load evenly across them. There are two controller models: 2100 and 4400.
Cisco Academy Program
In a technology-driven economy, the Cisco Academy Network program provides knowledge in networking and the Internet.
Of course, you want to know: Cisco, what is it? The program includes online materials, practical exercises, and assessment of student knowledge. It was founded in 1997 in 64 educational institutions and has spread to 150 countries. Program specialists train future instructors at training centers (SATS); these instructors train regional instructors, who train local instructors, who pass the acquired knowledge on to the students. At the end of the training, students receive the "Network Specialist" (CCNA) and "Network Professional" (CCNP) certificates. In addition to these certificates, students can also take courses in other directions. Over time, the program constantly adapts to high standards.
Cisco Unified Computing System (UCS)
Today, businesses require a quick response and are, therefore, paying increasing attention to the Cisco Unified Computing System (UCS). So Cisco, what is it?
It is the first platform in the world on which you can build data centers. It provides an intelligent, programmable infrastructure that simplifies and streamlines the delivery of applications and services on the necessary cloud technologies. The system unifies model-based management, allocates appropriate resources, and supports migration to make applications faster and easier to deploy, all of which increases reliability and security. As a result, the platform:
- combines different network resources and Cisco servers in a single system;
- increases application availability and performance;
- minimizes operational maintenance;
- optimally distributes data center capacity to lower the total cost of ownership.
Record application performance with Cisco Unified Computing System.
Everyone wants to know: Cisco EAP, what is it? EAP stands for Extensible Authentication Protocol. Wireless packets are translated into packets carried over the cable and sent to and from the authentication server; if necessary, the access point acts as a passive pass-through. The EAP methods include:
- PEAP with MS-CHAP version 2 (PEAP-MSCHAPv2);
- PEAP with Generic Token Card (PEAP-GTC);
- EAP Flexible Authentication via Secure Tunneling (EAP-FAST);
- EAP Transport Layer Security (EAP-TLS);
- EAP Tunneled TLS (EAP-TTLS).
EAP runs on Cisco IOS. It is especially susceptible to dictionary attacks, which are not a new type of attack; it is only necessary to use a strong password and change it periodically. Now consider Cisco EAP-FAST: what is it?
EAP-FAST is an EAP method developed by Cisco Systems. An older EAP method, LEAP, is typically deployed among IP phones and is supported by FreeRADIUS. The Cisco LEAP module is a program for authenticating Wi-Fi users; LEAP is vulnerable to attacks that use precomputed MD5 password hash lists.
Cisco PEAP module
We are also interested in the Cisco PEAP module: what is it? At first glance it looks like a very simple program for timely cleaning of obsolete and unnecessary registry entries from Windows; such cleaning improves system performance. It is compatible with various operating systems such as Windows Vista/7/8/Server 2012.
Cisco advises users of its UC (Unified Communications) products not to expect Windows 7 support before the release of product version 8.0, due in the first quarter of 2010. A dozen other products will receive Windows 7 support only with the release of version 8.5 in Q3 2010, and only the 32-bit version of Windows 7 will be supported.
Only three of the 50 UC products available in the Cisco arsenal will receive support for 64-bit versions of Windows 7, and even with the help of a 32-bit emulator. These three products include Cisco UC Integration for Microsoft Office Communicator, Cisco IP Communicator, and Cisco Unified Personal Communicator. Communicator products are multimedia client applications for use with Cisco Unified Communications server products.
A Cisco user who wishes to remain anonymous regrets this delay. He said that Cisco became a Windows vendor when it developed desktop UC applications such as the Unified Attendant Console, yet Cisco does not promise to provide this utility on 64-bit Windows 7. He believes that the company's plans not to support 64-bit versions of Windows discourage companies that want to upgrade their fleet to Windows 7 from using Cisco UC products.
Another user commented on the blog that Cisco UC products could be released today if it wanted to. Another anonymous user wrote: "I understand that many UC products are more likely to work on the 32-bit version of Windows 7. I am more concerned with how they will work on the 64-bit version of Windows 7. 64-bit operating systems were available with the advent of Windows XP. However, 64-bit processors became available to the masses of users only in the last few years, yet most of the desktops and laptops bought in the last 2-3 years were equipped with 64-bit processors. develops applications for desktop computers, therefore,
Microsoft released Windows 7 to manufacturing on July 22, and from that moment Windows application developers have had access to the final version of the operating system code. It is strange that Cisco has not since taken care to support its products on the new operating system.
According to information from the Windows 7 Compatibility Center, four Cisco desktop applications have been certified for Windows 7, namely: Cisco VPN v5 client, Cisco EAP-FAST module, Cisco LEAP module, Cisco PEAP module. These modules are designed to transmit credentials for authentication and are used in conjunction with a VPN.
Blogger Jamey Heary claims that Cisco is the first major VPN provider to support Windows 7. VPN support for Windows 7 covers client applications for IPSEC and SSLVPN. In fact, the Cisco Anyconnect 2.4 SSLVPN client is compatible with the 32-bit and 64-bit versions of Windows 7. And according to Microsoft, the Cisco VPN 5.0.6 client is only compatible with the 32-bit version of Windows 7.
Cisco ISE is a tool for building a corporate network access control system. That is, we control who connects, where, and how: we can identify the client's device, check how well it complies with our security policies, and so on. Cisco ISE is a powerful mechanism that lets you control who is on the network and what resources they use. We decided to talk about our most interesting projects based on Cisco ISE and, at the same time, recall a couple of unusual solutions from our practice.
What is Cisco ISE?
Cisco Identity Services Engine (ISE) is a solution for controlling your corporate network access based on the access context. The solution combines authentication, authorization, and event accounting (AAA), health assessment, profiling, and guest access management services on a single platform. Cisco ISE automatically identifies and classifies endpoint devices, provides the desired level of access by authenticating users and devices, and also ensures that endpoints comply with corporate information security policies by evaluating their security status before providing access to corporate IT infrastructure. The platform supports flexible access control mechanisms, including Security Groups (SG), Security Group Tags (SGT), and Security Group Access Control Lists (SGACL). We will talk about this below.
A bit of our statistics.
90% of our deployments include wireless access protection. Our clients are very different: some buy new high-end Cisco equipment, and some use what they already have because the budget is limited. But for secure wired access the simplest models are not suitable; specific switches are needed, and not everyone has them. Wireless access controllers, if built on Cisco solutions, generally only require updates to support Cisco ISE.
For wireless access, a single controller and many access points are generally used. And since we cover wireless access, most customers, about 80%, want to implement guest access as well, since it is convenient to use the same infrastructure for both employee and guest access.
Although the industry is moving towards virtualization, half of our customers choose hardware appliances so as not to depend on the virtualization environment and resource allocation. The appliances are already balanced, with the right amount of RAM and processors, so customers do not have to worry about allocating virtual resources. Many still prefer to occupy a space in the rack and be sure that the solution is optimized specifically for this hardware.
Our sample project
What does our typical project include? Most likely both wireless access protection and guest access. We all like bringing our own devices to work and getting online with them, but even today not all devices have GSM modules. So that connecting personal devices to the corporate network does not reduce security, a separate BYOD infrastructure is set up, which allows a personal device to be registered automatically or semi-automatically. The system will understand that this is your device, not a corporate one, and will give it Internet access only.
How does it work with us? If you bring your phone and connect via Wi-Fi, it will only be given Internet access. If you connect a laptop via Wi-Fi, it will also be allowed into the office network and all resources. This is BYOD technology.
Often, to protect against brought-in devices, we also implement EAP chaining, which authenticates both the user and the workstation. That is, we can determine whether someone's personal or domain laptop is connected to the network and apply policies accordingly.
So in addition to "authenticated / not authenticated", the criterion "domain / non-domain" appears, and different policies can be defined for the four combinations. For example, a domain machine but not a domain user means an administrator has come to configure something locally and most likely needs special rights on the network. A domain machine with a domain user gets standard access according to privileges. And a domain user on a non-domain machine has brought their own laptop and should have limited access rights.
We also recommend that everyone use profiles for IP phones and printers. Profiling determines, by indirect signs, what kind of device is connected to the network. Why is this important? Take a printer. Usually it stands in the hallway, where there is a network socket nearby that is often not covered by a surveillance camera. Intruders often take advantage of this: they plug a small multi-port device into the socket, hide it behind the printer, and the device can roam the network for a month, collecting data and gaining access. Also, printer ports do not always restrict rights; at best they are placed in a separate VLAN. This often creates a security risk. If you configure the profile, as soon as this device enters the network,
Finally, we regularly use posture assessment: we verify that users comply with the information security requirements. We generally apply this to remote users, for example someone connecting via VPN from home or on a business trip. They often need critical access, but it is very hard for us to know whether their personal or mobile device is in good shape from an information security standpoint. Posture assessment lets us verify, for example, whether the user has an antivirus, whether it is up to date and running, and whether updates are installed. This way we can, if not eliminate, at least reduce the risks.
Now let's talk about a curious project. One of our customers bought Cisco ISE many years ago. The company's information security policy is very strict: everything that can be regulated is regulated, and connecting other people's devices to the network is not allowed, so no BYOD here. If a user unplugged their computer from a socket and connected it to a neighbor's, that is already an information security incident. Antivirus with the highest level of heuristics, and a local firewall that blocks incoming connections.
The customer wanted to know which corporate devices are connected to the network, which operating system version they run, and so on, and built the security policy on this. Our system needed various indirect data to identify devices. The best option is DHCP probes, for which we need a copy of the DHCP traffic or a copy of the DNS traffic. But the customer categorically refused to send us traffic from their network, and there were no other effective probes in its infrastructure. We started thinking: how can we identify workstations that have the firewall on? We cannot scan them from outside.
In the end, we decided to use the LLDP protocol, an analog of Cisco's CDP, by which network devices exchange information about themselves. For example, one switch tells another: "I am a switch, I have 24 ports, these VLANs exist, these are the settings."
We found a suitable agent, installed it on the workstations, and it sent data about the connected computer, its operating system, and its hardware to our switches. At the same time, we were fortunate that ISE allowed us to create custom profiling policies based on the data received.
A less pleasant case occurred with the same client. The company had a Polycom conference station, a widely sold device. Cisco announced support for Polycom equipment several years ago, so the station should have been profiled out of the box; the necessary built-in policies were contained in Cisco ISE. ISE saw and supported it, but the client's station was not profiled correctly: it was identified as an IP phone without a specific model. And the client wanted to know which model was standing in which conference room.
We started to investigate. Primary device profiling is based on the MAC address; as you know, the first six hex digits of a MAC address (the OUI) are unique to each company and reserved as a block. While profiling this conference station, we turned on debug mode and saw a very simple event in the log: ISE took the MAC, decided it was Polycom, not Cisco, and therefore did not do any CDP or LLDP polling.
We wrote to the vendor. They took the MAC address from another instance of this conference station, which differed from ours by only a few digits, and it was profiled correctly. It turned out we were unlucky with the address range of this particular station; as a result, Cisco released a patch, after which the client's station also began to profile correctly.
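To make the two profiling stages in the story concrete, here is an added example (not code from the original article or from Cisco ISE): a small LLDP TLV parser plus a profiling function that first classifies by MAC OUI and then refines the result from the LLDP system description, the way the agent data and the Polycom case above require. The OUI table, profile rules, LLDP frames and agent descriptions are all constructed for this example.

```python
"""Added example, not part of the original article: two-stage endpoint profiling
that mirrors the ISE story above. The OUI table, the profile rules, the LLDP
frames and the workstation "agent" data are all constructed for this example."""
import struct
from typing import Dict, Optional

# Constructed OUI table: first three octets of the MAC -> vendor (assumed values).
OUI_VENDORS: Dict[str, str] = {
    "00:04:f2": "Polycom",
    "00:1b:54": "Cisco",
    "3c:97:0e": "Wistron",  # assumed laptop NIC vendor
}

# LLDP TLV types we extract (IEEE 802.1AB); other TLV types are skipped.
LLDP_TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl",
                  5: "system_name", 6: "system_description"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload: bytes) -> Dict[str, object]:
    """Parse an LLDPDU (the Ethernet payload after ethertype 0x88cc).
    Stops at the End-of-LLDPDU TLV and rejects truncated TLVs."""
    tlvs: Dict[str, object] = {}
    offset = 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        value = payload[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += length
        if tlv_type == 0:            # End of LLDPDU
            break
        name = LLDP_TLV_NAMES.get(tlv_type)
        if name is None:
            continue                 # optional/organization-specific TLVs: ignored here
        if tlv_type == 3:
            tlvs[name] = struct.unpack("!H", value)[0]
        elif tlv_type in (1, 2):
            tlvs[name] = (value[0], value[1:])     # (subtype, identifier bytes)
        else:
            tlvs[name] = value.decode("utf-8", errors="replace")
    return tlvs


# Constructed LLDPDUs: one from a conference station, one from a workstation agent.
STATION_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("0004f2123456"))   # chassis ID, subtype 4 = MAC
    + tlv(2, b"\x05eth0")                             # port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))
    + tlv(5, b"conf-room-3")
    + tlv(6, b"Polycom SoundStation IP 7000")         # constructed description
    + tlv(0, b"")
)
WORKSTATION_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("3c970e0a0b0c"))
    + tlv(2, b"\x05Ethernet0")
    + tlv(3, struct.pack("!H", 120))
    + tlv(5, b"LAPTOP-42")
    + tlv(6, b"Windows 10 Enterprise, domain-joined")   # what the agent reports (constructed)
    + tlv(0, b"")
)


def profile_endpoint(mac: str, lldpdu: Optional[bytes]) -> Dict[str, Optional[str]]:
    """Stage 1: the OUI gives a coarse profile. Stage 2: LLDP attributes refine it.
    Unlike the behaviour described above, stage 2 runs even when the OUI already
    matched, so a coarse 'ip-phone' result can still be refined to a model."""
    vendor = OUI_VENDORS.get(mac.lower()[:8], "unknown")
    result: Dict[str, Optional[str]] = {"vendor": vendor,
                                        "profile": "unknown-endpoint", "model": None}
    if vendor == "Polycom":
        result["profile"] = "ip-phone"
    elif vendor == "Cisco":
        result["profile"] = "cisco-device"
    if lldpdu:
        desc = str(parse_lldpdu(lldpdu).get("system_description", ""))
        if "Polycom" in desc:
            result["profile"] = "polycom-conference-station"
            result["model"] = desc
        elif "Windows" in desc:
            result["profile"] = "windows-workstation"
            result["model"] = desc
    return result
```

The design point is the order of the stages: the OUI alone only yields "ip-phone" for the Polycom station, and it is the LLDP system description that supplies the model the client wanted, so a profiler that stops polling after an OUI hit loses exactly that information.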
And finally, I want to talk about one of the most interesting recent projects. But first, you need to recall the technology called SGT (Security Group Tag).
Security Group Tag Technology
The classic method of network protection is based on the source and destination IP addresses of the nodes and their ports. But this information is too limited and at the same time rigidly tied to the VLAN. Cisco came up with a very simple and good idea: assign SGT tags to all senders and receivers in our network, and apply policies on the filtering devices based on the tags: for example, protocols A, B, and C may be exchanged between tags 11 and 10, while between 11 and 20, and between 10 and 20, no exchange is allowed. The result is a matrix of allowed and prohibited data exchange paths. In this matrix we can also use simple access lists: there are no IP addresses in them, only ports. This allows for more atomic and granular policies.
SGT architecture consists of four components.
- Tagging. First of all, we need to assign SGT tags. There are four ways to do this.
- Based on IP. We declare that a given network is internal, and then, on the basis of specific IP addresses, we can specify, for example, that network 10.31.10.0/24 is the server segment and apply the same rules to it. Within this server segment we have a server responsible for PCI DSS: we apply stricter rules to it. In this case, you do not need to move the server out of the segment.
- Why is this useful? When we want to implement a firewall somewhere and establish stricter rules, we need to locate the server in the customer's infrastructure, which is often unwieldy. Nobody thought that the server should not communicate with a neighboring server and that it would be better to place it in a separate segment. And when we implement a firewall, most of the time is spent migrating servers from one segment to another according to our recommendations. With SGT, this is not mandatory.
- Based on VLAN. You can specify that VLAN 1 is tag 1, VLAN 10 is tag 10, and so on.
- Based on switch ports. The same can be done for ports: for example, mark all data coming from port 24 of the switch with tag 10.
- And the last, most exciting way: dynamic tagging using ISE. Cisco ISE can not only assign an ACL, send a redirect, and so on, but also assign an SGT tag. As a result, we can determine dynamically: this user comes from this segment, at this time, has a domain account and an IP address. On the basis of this data, we assign a tag.
- Tag propagation. We need to transfer the assigned tags to where they will be enforced. The SXP protocol is used for this.
- SGT policy. This is the matrix we talked about earlier; it defines which interactions are allowed and which are not.
- SGT enforcement. This is what the switches do.
For one of our clients, we configured IP-to-SGT mapping, which allowed us to distinguish 13 segments. They overlap in many ways, but thanks to the granularity, in which the most specific entry is always selected for a given host, we were able to segment all of this. ISE is used as the single repository for tags, policies, and IP-to-SGT mapping information. First we define the names: 12 is development, 13 is production, 11 is testing. It was also determined that between 12 and 13 communication is possible only over HTTPS; between 12 and 11 there should be no interaction; and so on. The result is a list of networks and hosts with their corresponding tags. The entire system is deployed on four Nexus 7000s in the customer's data center.
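To make the IP-to-SGT mapping and the policy matrix concrete, here is an added simulation of what the enforcement point evaluates; it is example code written for this article, not Cisco's or the client's configuration. Tags 11, 12 and 13 follow the text; the subnets, the PCI DSS host, tag 14, the "foreign" production host and the default-deny behaviour are constructed assumptions.

```python
import ipaddress

# Constructed IP-to-SGT table (assumption, not the client's real mapping).
# The most specific prefix wins, so a /32 inside a /24 gets its own tag.
IP_TO_SGT = {
    "10.31.10.0/24": 10,   # server segment
    "10.31.10.50/32": 14,  # PCI DSS server inside the segment: stricter tag
    "10.31.11.0/24": 11,   # testing
    "10.31.12.0/24": 12,   # development
    "10.31.12.77/32": 13,  # production host mistakenly built on the dev network
    "10.31.13.0/24": 13,   # production
}

ANY = "any"  # marker for "all protocols and ports allowed"

# Policy matrix: (source SGT, destination SGT) -> allowed (protocol, port) pairs.
# An empty set is an explicit deny; a missing cell falls to DEFAULT_ACTION.
SGT_POLICY = {
    (12, 13): {("tcp", 443)},            # dev -> prod: HTTPS only
    (13, 12): set(),                     # prod -> dev: denied
    (12, 11): set(), (11, 12): set(),    # dev <-> test: no interaction
    (12, 12): ANY, (13, 13): ANY,        # traffic inside a segment: unrestricted
    (10, 14): {("tcp", 443)},            # server segment -> PCI host: HTTPS only
    (12, 14): set(),                     # dev -> PCI host: denied
}
DEFAULT_ACTION = False  # assumption: cells not in the matrix are denied

def sgt_for(ip: str):
    """Longest-prefix match: the most specific entry is selected for a host."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, tag in IP_TO_SGT.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tag)
    return None if best is None else best[1]

def permitted(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Evaluate one flow against the matrix, as an enforcement point would."""
    src, dst = sgt_for(src_ip), sgt_for(dst_ip)
    if src is None or dst is None:
        return DEFAULT_ACTION          # untagged traffic: no policy cell applies
    cell = SGT_POLICY.get((src, dst))
    if cell is None:
        return DEFAULT_ACTION
    if cell == ANY:
        return True
    return (proto.lower(), port) in cell
```

Note how 10.31.12.77 is treated as production (tag 13) even though it sits in the development subnet: dev hosts may reach it only over HTTPS, without the server being moved or re-addressed.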
What benefits did the client receive?
Now atomic policies are available to him. It happens that administrators mistakenly deploy a server on one network from another interface. For example, a production host ended up on the development network. As a result, you would need to move the server, change its IP, and check whether the connections with neighboring servers break. But now you can simply micro-segment the "foreign" server: declare it part of production and apply different rules to it than to the rest of the network. And at the same time, the host will be protected.
Additionally, the customer can now store and manage policies in a centralized, fault-tolerant manner.
But it would be really cool to use ISE to dynamically assign tags to users. We can do this not only based on the IP address but also based on the time, the user's location, their domain, and account. We can prescribe that if this user sits in the central office, he has one set of privileges and rights, and if he has arrived at a branch, he is on a business trip and has limited rights.
I would also like to see the logs in ISE. Now, when you use four Nexus switches with ISE as centralized storage, you need to log on to the switch to view records, run queries in the console, and filter the responses. If you use dynamic assignment, ISE will start collecting logs, and we can see centrally why some users did not get into a particular structure.
But so far these capabilities have not been realized, because the customer decided to protect only the data center. Consequently, users come from outside and are not connected to ISE.
Cisco ISE Development History
Built-in Certificate Authority
This important innovation appeared in version 1.3 in October 2013. For example, one of our customers had printers that worked only with certificates, that is, they could authenticate on the network not with a password but only with a certificate. The customer was upset that he couldn't connect the devices due to the lack of a CA, and for the sake of five printers he didn't want to deploy one. Then, using the built-in CA, we were able to issue certificates and connect the printers in the normal way.
Support for Cisco ASA Change of Authorization (CoA)
Since the advent of CoA support in Cisco ASA, we can control not only users who come to the office and connect to the network but also remote users. Of course, we could do this earlier, but for that we needed a separate IPN (inline posture node) device to enforce authorization policies on the traffic. That is, in addition to the firewall that terminates the VPN, we had to use another device just to enforce the Cisco ISE rules. It was expensive and inconvenient.
In version 9.2.1, in December 2014, the vendor finally added change-of-authorization support to the Cisco ASA, and as a result all Cisco ISE functionality became supported. Several of our customers sighed with relief and were able to put the freed-up IPN node to better use than merely terminating VPN traffic.
TACACS+ Support
We had all been waiting for the implementation of this protocol for a long time. TACACS+ allows you to authenticate administrators and record their activities. These features are often in demand in PCI DSS projects for administrative control. Previously there was a separate Cisco ACS product for this, which was slowly dying out, until Cisco ISE finally took over its functionality.
Posture in AnyConnect
The appearance of this functionality in AnyConnect has become one of the innovative features of Cisco ISE. The function is shown in the image below. The posture process looks like this: the user is authenticated (via login and password, certificate, or MAC), and a policy with access rules arrives in response from Cisco ISE.
If the user needs to be checked for compliance, a redirect is sent: a special link that redirects all or part of the user's traffic to a specific address. At this point the client has a special posture agent that periodically connects and waits. If it is redirected to the ISE server, it takes the policy from there, uses it to check the workstation's compliance, and draws conclusions.
The agent used to go and check the URL once every five minutes. It was slow, inconvenient, and at the same time cluttered the network with empty traffic. Finally, this mechanism is included in AnyConnect. At the network level, it understands that something has happened to the network. Suppose we connect or reconnect to a network, connect to Wi-Fi, or build a VPN: AnyConnect learns of all these events and acts as a trigger for the agent. Thanks to this, the waiting time for the start of posture assessment has gone from 4 to 5 minutes to 15 seconds.
Disappearance of features
There was an interesting case with functionality that disappeared in one version and, after a while, was brought back.
Cisco ISE has guest access accounts, for which even secretaries can issue passwords. And there is a very convenient feature: the system administrator can create a batch of guest accounts, seal them in envelopes and hand them over to the responsible person. These accounts are valid for a specific time; for example, in our company, this is one week from the first login. The user receives an envelope, opens it, logs in, and the counter starts. Convenient and practical.
This functionality had been around since the introduction of Cisco ISE but disappeared in version 1.4. A few years later, in version 2.1, it was brought back. Because of the missing guest access feature, we did not update the Cisco ISE version at our company for more than two years, since we were not ready to restructure our business processes for it.
As we were saying goodbye, a funny story came to mind. Remember the client with the very strict security policy? It is located in the Far East, and at one point the time zone there changed from GMT+10 to GMT+11. Since the customer had simply set "Asia/Sakhalin," they turned to us to get the time displayed correctly.
We wrote to Cisco, and they replied that they would not be updating the time zones in the near future because it took too long. They suggested using the standard GMT+11 zone. We set it up, and it turned out that Cisco had not tested its product well enough: the zone became GMT-11. That is, the customer's time was off by 12 hours. The funny thing is that Kamchatka and Sakhalin are at GMT+11, and two American islands are at GMT-11. That is, Cisco simply did not assume that anyone would buy their product in these time zones, and did not test it. They fixed this bug after quite some time and apologized.
Stanislav Kalabin, Information Security Services, and Engineering Support Expert, Jet Infosystems