Cisco Identity Services Engine (ISE)

Product
The name of the base system (platform): Cisco TrustSec
Developers: Cisco Systems
Last Release Date: August 2017
Branches: Telecommunications and Communications
Technology: IS - Authentication, Network Application Performance Management Systems

Cisco Identity Services Engine (ISE) is a centralized policy management solution within Cisco TrustSec. It allows you to effectively define and manage information security policies across your organization. Cisco ISE:

  • supports "any device" with a context-aware access control policy;
  • distinguishes between corporate and personal user devices;
  • automates information security across the organization with network-level access control and encryption;
  • simplifies the day-to-day operations of the IT department by letting it write policies that reflect business rules covering users, devices, applications and locations;
  • integrates with the Cisco Prime enterprise IT infrastructure management system to provide endpoint connectivity management.


The Identity Services Engine (ISE) enables you to create an organization-wide trusted environment based on a single, centralized information security policy for all types of users, devices, and connections.

The technological basis of the INLINE Technologies solution built on ISE is the Trusted Security (TrustSec) architecture. In it, the ISE server is the key link of the network access control system: it evaluates connections not only against the formal criteria of the applicable security policies, but also in the context of the request, that is, who connected, when, from which device, from where, and which security group they belong to. The functionality of Cisco ISE/TrustSec allows this "intelligent" component to be extended to all infrastructure elements of the information security of an enterprise or holding company.

Cisco Identity Services Engine (ISE) allows an organization to implement bring-your-own-device (BYOD) for its employees or to organize safer access to data center resources. With its architecture, enterprises receive, in real time, the contextual information about networks, users and devices that they need to make proactive access decisions. All decisions are made on the basis of a single access policy that applies to wired segments, wireless segments and remote access connections. In this way, ISE provides robust compliance control, improves infrastructure security and optimizes network maintenance operations.

2025: Cisco Product Bug Allows Takeover of Large Corporate Networks

In early February, FSTEC warned of the discovery of a critical vulnerability, BDU:2025-01234[1], in the API implementation of the Cisco Identity Services Engine (ISE) connection policy management platform. The vulnerability has been fixed in versions 3.2P7, 3.1P10 and 3.3P4, to which it is recommended to update. However, in Russia, because of the lack of technical support from Cisco, it is not always possible to install updates, and the vulnerability itself is quite dangerous: 9.9 out of 10 on the CVSS scale.

"Cisco ISE is a prominent representative of network access control (NAC)," Denis Bandaletov, head of network technologies at Angara Security, explained to TAdviser readers. "The product is designed to protect the network from an internal intruder by authenticating the user and the device on the network, using mechanisms that verify that the state of the connected devices complies with the company's security policies. Thanks to its broad functionality, the solution is still very popular among medium and large businesses in the Russian Federation."

The vulnerability is located in the product API and stems from shortcomings in its data deserialization mechanism: it allows an attacker to execute arbitrary commands by sending a specially crafted Java object whose methods are then run in the context of Cisco ISE. An attacker can prepare such an object so that it severely degrades the authentication mechanisms and lets unauthenticated users control the company's internal communications.

"According to the Censys Search service, more than 10 thousand instances of Cisco ISE are in use in Russia," said Alexey Grishin, head of pentest at Infosecurity. "How accessible these devices are from the global network depends on the configuration of each organization, but even their partial presence in the public domain can pose a threat. The vulnerability has a high criticality level, as it allows an attacker to remotely execute commands on the device, which can lead to penetration of the internal network."

Cisco ISE provides centralized policy management within the Cisco TrustSec framework for implementing the Zero Trust principle in large enterprise systems. The product allows security policies to be defined and managed effectively across the whole organization, so it is of use mainly to enterprises with large information infrastructures that need centralized control of security policy.

Cisco ISE Implements TrustSec Concept in Large Enterprise Networks

"In 2022, Cisco announced the complete termination of its activities in Russia and Belarus, which led to a halt in the supply of equipment and software as well as the end of technical support," recalled Artem Tereshchenko, Development Director of VAS Experts. "As a result, although Cisco ISE was previously quite popular among Russian users, its use is currently limited by the lack of official support and updates. As for the availability of Cisco ISE from the WAN, it is not intended for direct access from the Internet. Access to its management interfaces and APIs is usually limited to the organization's internal networks and secure communication channels, such as VPN."

Dangerous as the vulnerability is, attackers are more likely to use it to move laterally inside the network than to break in from outside. However, if attackers have already penetrated the perimeter and need to seize control of the entire corporate network, there is no better strategy for this than an attack on Cisco ISE. Companies that still operate this product (mainly large businesses) are therefore advised to pay close attention to the protection of this internal resource.

"The vulnerability itself is potentially very dangerous, because it allows an attacker to remotely execute commands on Cisco ISE, a critical network security system," Pavel Merkuriev, head of the network technology security department at Informzaschita, told TAdviser. "If the attack succeeds, an attacker can disable almost the entire network infrastructure of the company. However, it will be quite difficult to exploit this vulnerability, because, as a rule, Cisco ISE is located in an isolated information security segment and access to this segment is limited. By properly segmenting the network and configuring restrictions on access to the Cisco ISE management interfaces, the potential attack vector can be significantly reduced, even down to zero."

FSTEC provides the following standard recommendations for compensatory measures:

  • use firewall tools to restrict remote access to the vulnerable software;
  • create an allow-list of IP addresses to restrict access to the product API;
  • configure the SIEM system to track attempts to exploit the vulnerability;
  • use secure communication channels for remote access.

In addition, solutions already exist that protect APIs from attempts to exploit a range of vulnerabilities. It is therefore logical to configure API-level firewalls to identify and block attempts to exploit this one.
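The two compensating controls named above (an IP allow-list for the API and API-level inspection that flags exploitation attempts) can be illustrated with the deserialization issue described earlier. The following Python example is added here and is not code from Cisco, FSTEC or any vendor mentioned on the page. It inspects constructed API request records for the two things a defender can check without knowing the product's internals: whether the source address is inside a trusted management range, and whether the request body carries a Java serialization stream, either raw (the fixed header bytes AC ED 00 05) or base64-encoded (the same bytes always encode to the prefix "rO0AB"). The trusted ranges, request paths and sample bodies are hypothetical; the "object" bodies are only the stream header followed by a placeholder label, not a real serialized class.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass

# A Java serialization stream always begins with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005); those four bytes base64-encode to the prefix "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_MAGIC_B64 = re.compile(rb"(?<![A-Za-z0-9+/])rO0AB[A-Za-z0-9+/]{4,}")

# Hypothetical management-network allow-list for the product API (constructed for this example).
TRUSTED_API_SOURCES = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]


@dataclass
class ApiRequest:
    """One captured API request as an API-level firewall or SIEM parser would see it."""
    src_ip: str
    path: str
    body: bytes


def body_carries_java_object(body: bytes) -> bool:
    """True if the body starts with a raw Java serialization header or embeds a
    base64-encoded one (for example inside a JSON string or a form field)."""
    if body.startswith(JAVA_SERIAL_MAGIC):
        return True
    return JAVA_SERIAL_MAGIC_B64.search(body) is not None


def source_is_trusted(src_ip: str) -> bool:
    """Allow-list check: only addresses inside the trusted ranges may reach the API."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_API_SOURCES)


def evaluate_request(req: ApiRequest) -> list[str]:
    """Return the findings for one request; an empty list means the request passes."""
    findings = []
    if not source_is_trusted(req.src_ip):
        findings.append("source address not on API allow-list")
    if body_carries_java_object(req.body):
        findings.append("serialized Java object in request body")
    return findings


def triage(requests: list[ApiRequest]) -> list[tuple[ApiRequest, list[str]]]:
    """Keep only the requests that produced at least one finding."""
    return [(r, f) for r in requests if (f := evaluate_request(r))]


# Constructed sample traffic. The "object" bodies are the stream header plus a placeholder
# label; they are not a real serialized class and do nothing when parsed.
PLACEHOLDER_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72" + b"placeholder-only"
SAMPLE_REQUESTS = [
    ApiRequest("10.20.30.15", "/api/v1/policy", b'{"name": "Employees"}'),
    ApiRequest("203.0.113.7", "/api/v1/policy", b'{"name": "Employees"}'),
    ApiRequest("10.20.30.15", "/api/v1/policy", PLACEHOLDER_STREAM),
    ApiRequest(
        "203.0.113.7",
        "/api/v1/policy",
        b'{"payload": "' + base64.b64encode(PLACEHOLDER_STREAM) + b'"}',
    ),
]

if __name__ == "__main__":
    for req, findings in triage(SAMPLE_REQUESTS):
        print(f"{req.src_ip} {req.path}: {'; '.join(findings)}")
```

Of the four constructed requests, only the first (trusted source, plain JSON) passes; the second is flagged by the allow-list alone, the third by the body check alone, and the fourth by both. The header check is deliberately content-agnostic: it does not try to recognize a particular gadget or class, which is what makes it usable as a SIEM rule or API-firewall signature against any serialized-object payload, at the cost of also flagging legitimate Java serialization if the API ever uses it.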

"Like any vulnerability that allows an attacker to execute arbitrary commands, BDU:2025-01234 is quite dangerous, and without due attention its presence in a corporate solution can potentially lead to harm from the actions of a hacker," Denis Chigin, head of the technological expertise department at Softline Group of Companies, warned TAdviser readers. "In general, the compensating measures recommended in such cases will work here too: restrict access to the product to a list of trusted IP addresses where possible, update to the version in which the vulnerability was fixed and, if this was not done earlier for some reason, change the default passwords of the solution's administration panel."

2017: Cisco Identity Services Engine (ISE) 2.3

The number and complexity of devices connected to the network are growing ever faster. You cannot protect what you cannot see, so obtaining detailed, up-to-date information about devices in the context of the network is extremely important for eliminating vulnerabilities and enforcing policies. Combined with Cisco AnyConnect, the ISE platform provides more detailed endpoint information, including BIOS-level data such as the computer serial number, USB connections and resource usage, including disk and RAM consumption. This level of visibility is achieved in several ways. ISE now uses temporary agents that require neither administrative privileges nor browser extensions on the endpoint. A hidden agent can also deliver flexible notifications through the OS messaging system.

Network information security policies are often formulated by hand, which is error-prone. If these processes are automated, attention can shift from the intricacies of implementing controls to achieving business goals. Automation of network security policy for an intuitive network has now become a reality thanks to the ISE platform, an essential element of the Cisco Software-Defined Access solution, and its integration with the DNA Center management system. ISE lets you formulate security policies (who may talk to whom, which systems may communicate with each other, and on which ports and protocols) in terms of security classes that the customer defines from business needs. Endpoints and systems are assigned to classes automatically on the basis of rich contextual information (who, what, where, when and how they connect to the network), and the network then decides on its own which users and devices may reach particular business resources. This level of control simplifies network segmentation and speeds up the response to attacks, helping to limit damage, in particular by preventing the lateral spread of threats.
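The class-based policy model just described (endpoints classified from context, then a class-to-class matrix that says which ports and protocols are permitted, everything else denied) can be shown as a small worked example. The Python below is added for illustration and is not Cisco's code or any ISE API; the security classes, the context attributes, the matrix entries and the sample endpoints are all hypothetical. What it demonstrates is the two-step structure: classification from who/what/where/how attributes, followed by default-deny evaluation in which even traffic between two members of the same class is blocked unless the matrix explicitly allows it.

```python
from dataclasses import dataclass


# Hypothetical context attributes for one connected endpoint (constructed for this example).
@dataclass(frozen=True)
class Endpoint:
    user: str
    device_type: str   # "corporate-laptop", "personal-phone", "server", ...
    auth_method: str   # "802.1X-cert", "guest-portal", "mab" (MAC address bypass)
    location: str
    posture_ok: bool   # outcome of the endpoint compliance (posture) check


def classify(ep: Endpoint) -> str:
    """Map who/what/where/how context onto a security class. The classes and the rules
    are hypothetical; a real deployment derives them from business requirements."""
    if ep.device_type == "server" and ep.auth_method == "802.1X-cert":
        return "DC_SERVERS"
    if ep.device_type == "corporate-laptop" and ep.auth_method == "802.1X-cert":
        return "EMPLOYEES" if ep.posture_ok else "QUARANTINE"
    if ep.auth_method == "guest-portal":
        return "GUESTS"
    return "UNKNOWN"   # anything unrecognised gets the most restrictive treatment


# Class-to-class policy: which (protocol, port) pairs a source class may use to reach a
# destination class. Any pair not listed is denied, including traffic between members of
# the same class, which is what stops lateral movement.
POLICY = {
    ("EMPLOYEES", "DC_SERVERS"): {("tcp", 443), ("tcp", 22)},
    ("EMPLOYEES", "INTERNET"): {("tcp", 80), ("tcp", 443)},
    ("GUESTS", "INTERNET"): {("tcp", 80), ("tcp", 443)},
    ("QUARANTINE", "REMEDIATION"): {("tcp", 443)},
}


def is_allowed(src: Endpoint, dst_class: str, proto: str, port: int) -> bool:
    """Default-deny evaluation of one flow against the class matrix."""
    return (proto, port) in POLICY.get((classify(src), dst_class), set())


def denied_flows(flows):
    """Given (src, dst_class, proto, port) tuples, return those the policy rejects."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed endpoints and flows
LAPTOP = Endpoint("alice", "corporate-laptop", "802.1X-cert", "HQ-floor-3", True)
STALE_LAPTOP = Endpoint("bob", "corporate-laptop", "802.1X-cert", "branch-12", False)
GUEST_PHONE = Endpoint("visitor", "personal-phone", "guest-portal", "HQ-lobby", False)

SAMPLE_FLOWS = [
    (LAPTOP, "DC_SERVERS", "tcp", 443),      # compliant employee to data center: allowed
    (LAPTOP, "EMPLOYEES", "tcp", 445),       # employee to employee SMB: denied (no lateral movement)
    (STALE_LAPTOP, "DC_SERVERS", "tcp", 443),  # non-compliant laptop is quarantined: denied
    (GUEST_PHONE, "DC_SERVERS", "tcp", 443),   # guest to data center: denied
    (GUEST_PHONE, "INTERNET", "tcp", 443),     # guest to Internet: allowed
]

if __name__ == "__main__":
    for src, dst, proto, port in denied_flows(SAMPLE_FLOWS):
        print(f"deny {src.user} ({classify(src)}) -> {dst} {proto}/{port}")
```

Note that the employee-to-employee flow is denied even though both endpoints are fully compliant: the matrix simply has no entry for that pair. Changing an endpoint's posture or authentication method changes its class, and therefore its permissions, without touching the matrix itself, which is what the text means by policy following business classes rather than individual addresses.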

ISE can save administrators who manage network policies hundreds of hours. The new platform interface greatly simplifies creating and editing policies: it provides sets of simplified, easily readable policies with built-in authentication and authorization rules from which replicable access conditions are easy to build. After an update, existing policies remain unchanged even though additional policy sets are created. The new user interface shows a hit counter for each policy set. Guest registration via Facebook has also been added, which lets users reach the guest portal without gaining access to corporate resources.

2014: Russian Implementation Partners

In January 2014, it became known that Orange Business Services in Russia had confirmed compliance with the requirements of the Cisco ATP Identity Services Engine Partner in Russia (ISE ATP) technology specialization. Obtaining this specialization demonstrates a high level of the operator's expertise in the architecture of the Cisco Identity Services platform and allows it to offer customers solutions for building information security systems.

Cisco Identity Services Engine is a network policy and user rights management system used to implement projects that segregate access to the information resources of companies and enterprises. As of January 2014, Orange was the only telecommunications operator on the Russian market holding this specialization together with Cisco Gold Partner status.

Notes