How Cisco ISE Answers the Five Ws of Network Access Control

by Jordan Burnett

Network Access Control

Gone are the days when a crook needed to put life or limb on the line to get access to your valuables. Locks and physical access controls are nothing new; they’ve been around forever. People have become intimately familiar with identifying why a person needs access to a particular room, safe, or vault (hint—it has to do with who should have their hands or eyes on what’s inside those areas).

With the proliferation of network-accessible data (be that cloud or on-premises), networks and network endpoints have become easy targets for people who want to get their hands on your data. While Local Area Networks were once an open environment where anyone could connect at will, there is now a significant effort to rethink which users and devices need access to your network. Network Access Control (NAC) solutions exist to ensure that only the devices and users you explicitly allow can gain access.

What are the Five Ws, and why do you care?

According to Wikipedia, the Five Ws are “questions whose answers are considered basic in information gathering or problem-solving…They constitute a formula for getting the complete story on a subject.”

Often referred to as the Five Ws and How, or 5W1H, these questions are basic in nature but provide a baseline for evaluating an event or occurrence in any research or investigation.

The five basic Ws are as follows:

  1. Who?
  2. What?
  3. Where?
  4. When?
  5. Why?

And sometimes…

  6. How?

As they relate to NAC, the Five Ws provide invaluable context that any IT department can work through after or, ideally, prior to implementing a NAC strategy. Oftentimes, these questions are only asked AFTER a network compromise or data breach occurs—when it’s too late to implement any defense. As you’ll see, that probably isn’t the best strategy for any security department. In any case, let’s see how Cisco’s latest NAC solution, Identity Services Engine (ISE), can provide some valuable insight into these questions.

Who is accessing my network?

This is the most basic question that any NAC solution can answer. It attaches a username (or identity) to an otherwise anonymous IP address and MAC address. This is a core tenet of Identity-Based Networking Services (IBNS). Admittedly, Cisco ISE doesn’t have any significant advantage here. Most NAC solutions provide you with detailed reports and information on who is logging into your network. I would argue that Cisco’s ability to tag each individual packet with an identity IS a significant advantage…but we’ll save that for another article.

What devices are being used on my network?

This is where Cisco ISE really shines. Cisco ISE is capable of profiling endpoints in your network with a myriad of Network Probe sources that can be sent to ISE from other network devices or gathered directly when ISE is in the data path. This data goes far beyond profiling based on the Organizational Unique Identifier (OUI) portion of a client’s MAC address.

The following probes provide abundant data about the endpoints in your network:

  • NetFlow Probe
  • DHCP Probe
  • DHCP SPAN Probe
  • HTTP Probe
  • HTTP SPAN Probe
  • RADIUS Probe
  • Network Scan (NMAP) Probe
  • DNS Probe
  • SNMP Query Probe
  • SNMP Trap Probe
  • Active Directory Probe

Note: don’t make the mistake of turning on all profiling probes in ISE just because you can. Just as turning on every routing protocol on your router isn’t recommended, turning on every profiling probe in ISE is an awful idea. We can help you identify which probes will be most useful in your environment.

We aren’t simply identifying what kind of device is on the network anymore [Dell Laptop]—we’re identifying what operating system it’s running, what service packs it has installed [Dell Laptop running Windows 7 RTM—yikes!], and so on.

Where are these devices and users logging in?

Any properly built ISE environment identifies the specific location of each Network Access Device (NAD), including switches, routers, firewalls and access points. Each authentication and authorization request carries the network device location attribute, which can be used in policy conditions.

  • Would it be normal to see an HVAC sensor authenticate on a switch port that services your attic area? Definitely.
  • How about an HVAC sensor authenticating on a switch that services your public reception area? Hope not.
  • Laura from Accounting authenticating in a branch on the West Coast when she’s permanently assigned to the East Coast? This should raise some eyebrows.

When are these devices or users accessing my network?

Just like the “where” question, WHEN users or devices are accessing your network can give network and security administrators another level of insight. Cisco ISE can provide this information in real-time or in a historical report, and this data can also be used in policy decisions.

  • Laura from accounting authenticating at 8 AM Monday? Completely normal.
  • Laura authenticating at 2 AM on Saturday when the office is closed? Seems suspect—unless there is an audit or deadline that must be met.

How are users and devices authenticating?

The authentication method a user or device uses is extremely important. Certain authentication methods (802.1X) are far more secure than others (MAC Authentication Bypass). Anything with “authentication bypass” in the name should be a flag, am I right?

Again, in context, this information is invaluable, and Cisco ISE can provide this information in real-time or report form:

  • Corporate Accounting Employee Laura authenticating with Central WebAuth? Seems suspect.
  • Corporate Accounting Employee Laura authenticating with EAP-FAST (EAP-MS-CHAPv2) with EAP-Chaining (validating the Corporate Machine and Active Directory User Credentials)? That’s more like it.

With Cisco ISE, we can very easily prevent authentication methods that don’t measure up to our corporate standards (weak EAP methods, WebAuth, etc.). In addition, the authentication method is identified with every authentication request.
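The where, when and how checks above can be expressed as simple detection logic over authentication records. The following is an added example, not code from the original post or from Cisco ISE: it parses constructed ISE-style `key=value` records (not real ISE log format) and scores each against assumed per-identity expectations for region, office hours and acceptable authentication method, with EAP-Chaining tracked as part of the method.

```python
# Added example, not from the original post or from Cisco ISE itself: scores
# constructed authentication records against per-identity where/when/how expectations.
from datetime import datetime
from typing import Dict, List

# Assumed per-identity expectations an administrator keeps next to the ISE
# authorization policy (constructed for this example).
PROFILES = {
    "laura": {"region": "east-coast", "office_hours": True, "methods": {"EAP-FAST+chaining"}},
    "hvac-sensor-12": {"region": "attic", "office_hours": False, "methods": {"MAB"}},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday

def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value' authentication record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def assess(rec: Dict[str, str]) -> List[str]:
    """Return the where/when/how findings for one parsed record."""
    profile = PROFILES.get(rec["user"])
    if profile is None:
        return [f"who: unknown identity {rec['user']}"]
    findings = []
    when = datetime.fromisoformat(rec["time"])
    # Where: NAD location attribute versus the identity's assigned region
    if rec["nad_location"] != profile["region"]:
        findings.append(f"where: {rec['nad_location']} != {profile['region']}")
    # When: office hours only matter for identities that keep them
    off_hours = when.weekday() >= 5 or when.hour not in BUSINESS_HOURS
    if profile["office_hours"] and off_hours:
        findings.append(f"when: off-hours login at {when:%a %H:%M}")
    # How: EAP-Chaining is folded into the effective method name
    method = rec["method"] + ("+chaining" if rec.get("chaining") == "yes" else "")
    if method not in profile["methods"]:
        findings.append(f"how: {method} not in {sorted(profile['methods'])}")
    return findings

def assess_log(log: str) -> Dict[str, List[str]]:
    """Assess every non-empty line; keys are user@time for easy lookup."""
    results = {}
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            results[f"{rec['user']}@{rec['time']}"] = assess(rec)
    return results

# Constructed sample records mirroring the post's scenarios (not real ISE logs).
SAMPLE_LOG = """\
user=laura nad_location=east-coast time=2024-05-06T08:00 method=EAP-FAST chaining=yes
user=laura nad_location=west-coast time=2024-05-11T02:00 method=Central-WebAuth chaining=no
user=hvac-sensor-12 nad_location=reception time=2024-05-06T03:15 method=MAB chaining=no
"""
```

Running `assess_log(SAMPLE_LOG)` flags Laura's Saturday 2 AM WebAuth login from the West Coast on all three questions, the HVAC sensor only on location, and Laura's Monday 8 AM EAP-FAST with EAP-Chaining not at all.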

Why was this device/user allowed to access the network?

Simply put, the previous questions all lead to the ultimate question—why was this device or user allowed access? Here’s where you come in. The user or device was allowed access to the network because you or someone in your organization allowed it, OR because they somehow circumvented your NAC measures—if you have existing NAC measures in place.

Not running a NAC solution currently? Relying on user-based authentication to secure your data? That’s fine…but think about it this way: NAC is the equivalent of locking the doors of your house. You wouldn’t leave your doors unlocked or invite a thief in simply because you have your data in a secured safe upstairs. As they say, physical access is total access. Even if you do have a firewall and user-based restrictions, a defense-in-depth strategy is far superior to relying on only one or two countermeasures.

As you can see, starting with WHY—the overarching security policy of your organization—can be a very enlightening exercise. Starting with why before a data breach or network compromise happens is far more valuable than asking afterward. The good news is, we can help! Contact us to find out how.

Next time, I’ll explain how we can put these contextual pieces together with a few other ISE features to get a comprehensive view of our security context and posture. Stay tuned!
