C97-654933-00 | © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Upload: securitycrunch

Post on 16-Jan-2015


Page 1: Ise Ebc


Cisco TrustSec Solution: Identity Services Engine (ISE)

Introduction and Overview

Page 2: Ise Ebc


Forward-Looking Statements

Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document. 

Page 3: Ise Ebc


The Network Policy is an Extension of Business Goals and Objectives

“I need to onboard consumerized IT devices to reduce desktop computing costs”

“I need to support an organization that works globally”

“We must be compliant with regulations, and be able to prove that we are compliant”

“Our business transactions need to be protected from malicious attack”

Chief Information Officer

What Exactly Is Your Network Policy?

Page 4: Ise Ebc


The RIGHT Person

An approved Device

In The Right Way

Anyone

Any Device

Anywhere

Anytime

Policy Evolving with Borderless Network

Borderless Networks

Page 5: Ise Ebc


Cisco Borderless Network Architecture

Diverse Workforce | Always On Employees | Consumer IT Devices | Multi-Modal

Cisco TrustSec® is what protects a borderless network

Borderless Management and Policy

Borderless End-Point/User Services: Mobility, Workplace Experience, Video

• Mobility: Motion
• Green: Cisco EnergyWise
• Video and Voice: Medianet
• Application Performance
• Security: Cisco TrustSec

Solutions

Infrastructure: Switching, Wireless, WAAS, Routing, Security

Secure, Reliable, Seamless, Collaborative Cisco® Services for Borderless Network

Page 6: Ise Ebc


Cisco TrustSec® Securely Enables Your Business by Applying the Appropriate Policies Throughout the Network

“We need to monitor the real-time mapping of people to device for accountability and compliance”

“Employees now get $1500 to buy Laptops and are responsible for updating but they can also get corporate issued smart phones to access corp data anywhere any time”

“I need to onboard consumerized IT devices to enable new services while reducing our desktop computing costs”

Cisco TrustSec Solution

Page 7: Ise Ebc


Cisco TrustSec: Identity Services Engine

ISE: Policies for people and devices

Non-User Devices

• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?

Guest Access

• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Authorized Access

• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• Access rights on-prem, at home, on the road?
• Devices are healthy?

Page 8: Ise Ebc


A Practical Example of Policies

“Printers should only ever communicate internally”

“Employees should be able to access everything but have limited access on personal devices”

“Everyone’s traffic should be encrypted”

[Diagram labels: Internet; Campus Network; Internal Resources; Cisco Wireless LAN Controller; Cisco Access Point; Cisco® Identity Services Engine; Cisco Switch; Cisco Switch]

Page 9: Ise Ebc


Advantages of Identity Services Engine

• Consolidated Services, Software Packages: Simplify Deployment & Admin (ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server, ISE)
• Session Directory: Tracks Active Users & Devices (Location, User ID, Access Rights)
• Flexible Service Deployment: Optimize Where Services Run (Admin Console, Distributed PDPs, M&T, All-in-One HA Pair)
• Policy Extensibility: Link in Policy Information Points
• Manage Security Group Access: Keep Existing Logical Design
• System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In

[Diagram labels: Device (& IP/MAC); SGT table with labels Public, Private, Staff, Guest and cell values, in extraction order, Permit, Deny, Permit, Permit]

Page 10: Ise Ebc


ISE Packaging and Licensing

Appliance Platforms: Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance

Base Feature Set (Perpetual Licensing)

• Authentication / Authorization
• Guest Provisioning
• Link Encryption Policies

Advanced Feature Set (Term Licensing)

• Device Profiling
• Host Posture
• Security Group Access

Page 11: Ise Ebc


Upgrades and Migrations

ACS

Identity Services Engine

NAC Guest NAC Profiler NAC Manager NAC Server

• Current hardware is software upgradeable (1121/3315/3355/3395)
• Migration program for older hardware at large discount levels
• License migration program for all software licenses
• Data and Configurations migration tools available*

*Available over future releases

Existing Investments Protected

Page 12: Ise Ebc


Two-Year Roadmap Outlook

Converged Policy Platform

• AAA, 802.1x, guest, profiler, posture
• System monitor & diagnosis
• “ISE”: Next-generation ACS + NAC

Unified Agent

• Offers Cisco AnyConnect™ technology: On- and off-premises security
• Extends 802.1x & VPN client + NAC
• Extends management to Positron

Identity Based Firewall

• User, group, device based policy
• ASA & Positron platforms

Simplified Device Profiling

• Cisco delivered device template feed
• Switches collect & forward device fingerprint, no traffic re-engineering

Network Infection Containment

• Streamline the locate, contain, & remediation process
• Leverage reputation & NIPS feeds

System-wide Monitoring & Troubleshooting

• Single admin pane-of-glass
• Wired & wireless infrastructure

[Diagram labels: ISE; NAC; ACS; Guest; Profiler; User group enforcement: Sales, HR, UK Employees; Network Device; Provisioning; Identity Policy; Monitoring & Troubleshooting; Client Management; Cisco Security Intelligence Ops]

Page 13: Ise Ebc


ISE: Looking to the Future

[Diagram labels: Guests; Device; Full; Internet; Quarantine; Business Relevant Policies; Context Awareness; Visibility & Control; Policy Enablement Platform; Cisco TrustSec; ISE; Policy Governed Networks; Policy Based on Business Objects; Policy Enabled Services; Policy Management; Today; Tomorrow]

Page 14: Ise Ebc


Cisco SecureX Architecture

[Diagram labels: Management; Services; Partners; Application Programming Interfaces; Secure Endpoint; Secure Virtual and Cloud; Cisco Infrastructure; Control; Visibility; Context; Network; Cloud; Integrated; Overlay; Context Aware Enforcement; Context Aware Policy; Access Control; TrustSec; AnyConnect; Nexus 1K and Cloud Connected Network; Cisco SIO Threat Intelligence]

Page 15: Ise Ebc


Thank you.