No security program is complete without an effective means of identifying would-be network users and authenticating their credentials. Cisco Systems’ Identity Services Engine does just that. Here’s how government agencies can efficiently and effectively implement the solution across wired networks, wireless networks and VPNs.
1. Understand What ISE Can (and Can’t) Do
ISE is powerful, but it’s not magic. Agencies must understand its capabilities before they make the financial and time commitment to deploy the product. For example, ISE is capable of probing systems across the network and identifying those that respond to its polling requests, but it does not monitor network traffic for signs of activity.
2. Turn to User Authentication to Get More Value
ISE can be used to authenticate either devices or users. Many organizations benefit from integrating ISE with other components of their security infrastructure, such as Cisco Stealthwatch and Firepower. Those integrations are much more powerful when they have access to user data, so pursue user authentication whenever possible.
3. Check Hardware Compatibility in Advance
Older network equipment may not be compatible with ISE. Perform hardware compatibility checks early in the process to identify switches that require firmware upgrades or hardware replacement. Upgrading in advance speeds up ISE deployment, especially in environments where it’s difficult to schedule downtime.
4. Tune Alarms to Limit False Positives
Out of the box, ISE sends alerts for almost every event that takes place, and that’s simply too much information for most security teams. Make sure only the most important incidents cause alerts: CPU usage spikes, increases in authentication latency, failed backups, certificate expiration warnings and loss of contact with Active Directory domain controllers.