Category: Cisco

Cisco Identity Services Engine (ISE) version 3.3

On By MikeIn AWS, Azure, Cisco, Cloud, SecurityLeave a comment

 

Simplified Operations

 

New Split Update: Upgrading Cisco ISE has never been easier. With the new Split Upgrade feature, customers now have complete control over the upgrade process from the UI, allowing them to upgrade specific ISE nodes in parallel, with multiple iterations, at their convenience without experiencing any downtime. Say goodbye to complex and time-consuming upgrades.

 

Control Application Restart: Minimize Downtime, Maximize Efficiency. Downtime during certification renewals can be disruptive. Cisco ISE 3.3 introduces Controlled Application Restart, which allows customers to plan the renewals of the ISE administrative certificate, eliminating the need to reboot the entire ISE deployment at once without control. Schedule updates during low network usage periods, ensuring a smoother security update process without impacting operations.

 

Navigation improvement: ISE admins use the ISE UI in order to perform their job. ISE 3.3 introduces a new and improved navigation, allowing ISE admin to faster perform their tasks, with fewer clicks and without hiding their screen while navigating throughout ISE pages. Each ISE admin can now save the pages he or she is using most frequently on ISE and reduce the time it takes them to access those pages. 

 

IPv6 Support: in addition to the RADIUS, TACACS+, and ISE management over IPv6, customers can now enable additional services over IPv6: the ISE guest portal can now be accessed over IPv6 address and serve guests on the IPv6 network. profiling of IPv6-enabled endpoints and doing posture checks is also available for IPv6-enabled endpoints. 

 

Enhanced Platform Security

 

TPM Chip: Strengthen Security with the TPM Chip Security is paramount. Cisco ISE 3.3 with SNS-3700 (or virtual machines supporting VTPM) introduces the TPM Chip, a dedicated and secure storage location for sensitive information. With true random number generation for key generation, the TPM Chip enhances the security of stored data, providing you with peace of mind.

ISE Cipher Control: By allowing ISE admins to disable unwanted and weak ciphers manually, ISE 3.3 helps customers to meet compliance and regulations without the need to wait for the next release or a patch. 

 

TLS 1.3 for ISE admins: ISE admins can now connect to ISE UI over TLS 1.3. TLS 1.3 provides enhanced security and improved performance by reducing latency and eliminating outdated cryptographic algorithms, ensuring stronger encryption and more efficient communication between clients and servers. 

Certificate-Based Authentication for API calls: ISE 3.3 supports Certificate-based authentication for API calls. Certificate-based authentication offers stronger security by eliminating the vulnerabilities associated with traditional username and password authentication methods. It provides robust protection against credential theft, unauthorized access, and phishing attacks, ensuring a higher level of trust and authentication for users accessing sensitive systems or resources.

 

Visibility and Compliance

 

AI/ML based Profiling: Effortlessly Identify Unknown Endpoints with AI/ML Profiling Unidentified endpoints on the network can be a challenge. Cisco ISE 3.3 employs AI/ML Profiling and multi-factor classification (MFC) to swiftly identify clusters of similar unknown endpoints. This cloud-based ML engine helps customers categorize these devices accurately, making it easier to determine their nature and apply appropriate policies.

 

Unlock Valuable Insights with Wi-Fi Edge Analytics 

Our exclusive Wi-Fi Edge Analytics feature enables customers, who use the Cisco Catalyst 9800 wireless controllers, to exchange data between ISE 3.3 and the controller and get profiling information from Apple, Intel, and Samsung devices, enhancing endpoint profiling. 

This information includes endpoint-specific attributes such as model, operating system version, and firmware. 

 

Multi Factor Classification: ISE 3.3 introduces a new way to profile endpoints on the network. The profile is no longer a descriptive string of the endpoint. Instead of that ISE uses MFC – Multi Factor Classification which breaks the profile into 4 categories: Manufacturer, Device Type, Model and OS. This allows our customers to build more granular policies, based on the different MFCs. 

 

Posture for ARM based Windows: for customers who move to computers based on ARM processor, ISE 3.3 can now perform posture checks in order to check compliance status before letting those endpoints access to the network. 

 

Cloud Availability 

 

ISE 3.3 is going to be available on all the supported platforms: AWS, Azure, and Oracle Cloud. Release dates depend on the different cloud vendors:

ISE 3.3 on Azure  – Already available

ISE 3.3 on OCI – Already Available

ISE 3.3 on AWS – Already Available

 

ISE 3.3 Resources:

 

ISE 3.3 download page

ISE 3.3 release notes

Cisco Live 2023 – Top 6 announcement

On By MikeIn CiscoLeave a comment

Cisco Networking Cloud
Overview: With simplification at the core of Cisco’s customer-focused momentum, the new Networking Cloud vision sets out how Cisco plans to deliver a single platform experience for seamlessly managing all networking domains. Customers need to shift to a powerful and intelligent platform that can proactively manage the network, eliminate silos, and reduce human workload. At Cisco Live, Cisco will introduce the steps underway to deliver this capability, driven by more unified and consistent experiences, smarter tools, and a simplified portfolio to achieve more robust customer outcomes. News Release: Cisco Showcases Vision to Simplify Networking and Securely Connect the World

Cisco Security Cloud
Overview: Cisco is delivering on its promise of the AI-driven Cisco Security Cloud to simplify cybersecurity and empower people to do their best work from anywhere regardless of the increasingly sophisticated threat landscape. Cisco will announce Cisco Secure Access (a security service edge, SSE, solution) that offers frictionless access across any location, any device, and any application through one platform. Cisco is also previewing the first generative AI capabilities in the Security Cloud, including a generative AI-powered Policy Assistant that enables Security and IT administrators to describe granular security policies and evaluate how to best implement them across different aspects of their security infrastructure, and a SOC Assistant that will support the Security Operations Center (SOC) to detect and respond to threats faster. Cisco is also announcing the Secure Firewall 4200 which provides seamless connected experiences at the office or on the road, alongside Cisco Multicloud Defense, which leads the way to security in any environment. News Release: Cisco Shows Breakthrough Innovation Towards AI-First Security Cloud

Full Stack Observability Platform & DEM Overview: Cisco will announce the launch of a new Full-Stack Observability (FSO) Platform, a vendor-agnostic solution that harnesses the power of the company’s full portfolio. The Cisco FSO Platform is focused on OpenTelemetry and is anchored on Metrics, Events, Logs, and Traces (MELT), enabling businesses to seamlessly collect and analyze MELT data generated by any source. The Cisco FSO Platform is also designed as a unified, extensible platform, allowing developers to build their own observability solutions, empowering an ecosystem of customers and partners. News Release: Cisco Launches Full Stack Observability Platform

Cloud Native Application Security
Overview: Announced today, Cisco’s Cloud Native Application Security solution, Panoptica, will now provide end- to-end lifecycle protection for cloud native application environments, from development to deployment to production. Panoptica will include an integrated and simplified visual dashboard experience with seamless scalability across clusters and multicloud environments. This will allow teams to secure APIs as well serverless, containerized, and Kubernetes environments holistically, with less complexity and more efficiency. News Release: Cisco Accelerates Application Security Strategy with Panoptica

Generative AI – Security & Collaboration
Overview: Cisco will announce it is reimagining the way people work with new, powerful generative AI technology. Cisco will harness large language models (LLMs) across its Security and Collaboration portfolios to help organizations drive productivity and simplicity for the workforce.
News Release: Cisco Unveils Next-Gen Solutions that Empower Security and Productivity with Generative AI

Sustainability
Overview: Cisco is unveiling new partnerships within sustainable data centers, and advanced energy monitoring with Webex Control Hub. In addition, Cisco will unveil new messaging that speaks to its own sustainability journey and the desire to accelerate total sustainable transformation.
Blog: Simplifying How Customers Unleash the Power of Our Platforms

Mike

Cisco acquired Valtix: What is Valitx?

On By MikeIn Cisco, CloudLeave a comment

Valtix is a cloud-native network security company that provides next-generation firewall and web application firewall (WAF) solutions for businesses looking to protect their cloud-based infrastructure. The company was founded in 2018 by seasoned technology executives who recognized the need for a modern approach to network security in the cloud.

Valtix’s cloud-based approach to network security is designed to be both scalable and flexible, allowing businesses to secure their cloud-based infrastructure without having to worry about the complexities of managing hardware or software. By leveraging cloud-native security technologies, Valtix enables businesses to deploy security policies that can be enforced consistently across their entire infrastructure, regardless of the cloud provider or network topology.

One of the key benefits of Valtix’s approach to network security is its ability to provide real-time threat detection and response capabilities. Using advanced machine learning algorithms, Valtix can analyze network traffic in real-time, identifying potential threats and responding quickly to mitigate any risks. This helps businesses stay ahead of the constantly evolving threat landscape and ensure their infrastructure remains secure.

In addition to its advanced threat detection and response capabilities, Valtix also provides businesses with granular control over their network security policies. This allows businesses to tailor their security policies to their specific needs, ensuring that their infrastructure is protected in the most effective way possible. With Valtix, businesses can easily manage their security policies from a centralized dashboard, making it easy to enforce policies consistently across their entire infrastructure.

Valtix’s cloud-based approach also makes it easy for businesses to scale their network security as their needs evolve. Whether they need to protect a small cloud environment or a large, complex infrastructure, Valtix can provide the necessary security solutions to meet their needs. This flexibility allows businesses to focus on growing their business, rather than worrying about managing their network security.

Finally, Valtix’s cloud-native approach to network security is designed to be highly automated, which helps businesses reduce the burden of managing their network security. By automating many of the routine tasks associated with network security, Valtix enables businesses to free up their IT resources to focus on more strategic initiatives.

In conclusion, Valtix is a cloud-native network security company, recently acquired by Cisco that provides businesses with advanced threat detection and response capabilities, granular control over their security policies, and the flexibility to scale their security solutions as their needs evolve. With its cloud-based approach and automated processes, Valtix helps businesses stay ahead of the constantly evolving threat landscape while reducing the burden of managing their network security.

https://valtix.com/blog/ciscos-intent-to-acquire-our-journey-and-why-it-matters/

Mike

Upgrade to ISE 3.1 on AWS

On By MikeIn Cisco, SecurityLeave a comment

Below is the prep work for migrating from ISE2.4 to ISE3.1+ for AWS, and the migration steps are here, but I have summarize them below.

Cisco ISE is available as an infrastructure-as-code solution leveraging AWS CloudFormation making the deployment of ISE a very light lift. I’ll be walking you through how to deploy ISE on AWS in a later post.

Step 1 – Base, Plus, Apex, and Device Admin licenses need to be migrated to Smart Licenses
Step 2 – VM licenses need to be converted
Step 3 – Migration can occur. Once licenses are prepped and converted, you go to the AWS Marketplace ISE BYOL listing and choose your deployment size. 

Cisco ISE on AWS Marketplace

ISE Licensing

  1. AWS ISE requires ISE 3.1+
    1. If upgrading to 3.1 from an existing 2.X release, it is required that a customer migrate their existing licenses to the new licenses and then upgrade to the 3.0 release. I.e. These are the Base, Plus, and Apex license that need to be upgraded. Device Admin licenses are grandfathered and need to be upgraded to a Smart License as well.
  2. This requires a Cisco Smart License Account. 
  3. Please refer to the Migration Guide for instructions.

ISE VM – You need to register the VM Common license for ISE 3.1 and later.

  1. Customers need to migrate their ISE License to the new “Common License.”
    1. To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade Product ID (PID), “L-ISE-VMC-UPG=, from Cisco. This is the same PID regardless of what current size of VM license you have today.
    2. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html

2. To obtain a VM Common License for a net new deployment you’ll need the new VM PID, “R-ISE-VMC-K9=” Refer to the table below for a 1:1 mapping.

These VM licenses are valid in Cisco ISE 3.0 and earlier releases. Again, when you upgrade your Cisco ISE to Release 3.1, you will need to have VM Common license.  

Upgrade FromUpgrade ToRatio
R-ISE-VML-K9=R-ISE-VMC-K9=1:1
R-ISE-VMM-K9=R-ISE-VMC-K9=1:1
R-ISE-VMS-K9=R-ISE-VMC-K9=1:1

How to migrate license

To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade PID, “L-ISE-VMC-UPG=,” in CCW. See ISE Licensing Migration Guide for the detailed process.

Support for VM and License

Q. What support do customers receive with the new ISE licenses?

A. The same as with current subscription licenses. With the new ISE software licenses, customers receive embedded SWSS—which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software updates. However, now Essentials will also have this support.

More Question and Answers here

Support associated with the legacy VM licenses

When customers upgrade the version of their legacy VM to VM Common license, they can continue to receive support based on the support contract purchased on legacy VM license PID. They can renew the support until the legacy VM license PID is EOL and reaches the last service renewal date per the EOL bulletin. There is no support for migration. For seamless support, the customer should request the legacy VM PID to be replaced with the desired VM PID in order to renew and receive support.

Mike