Research Hub > What to Consider When Implementing a Cisco ISE Solution

April 17, 2018

3 min

What to Consider When Implementing a Cisco ISE Solution

These lessons, learned from years of deploying this security tool, can help organizations get the most from its capabilities.

Paul Haferman

Cisco’s Identity Services Engine (ISE) is a powerful tool for providing cybersecurity and networking teams with visibility into the identity of users accessing their networks. I’ve spent the past few years working with CDW customers deploying ISE in a wide variety of environments. During that time, I’ve learned a few lessons that can help organizations implement these solutions efficiently and effectively across wired networks, wireless networks and virtual private networks (VPNs).

Let’s take a look at the four most important things I’ve learned in the process of deploying ISE with my customers.

Lesson 1: ISE is not magic.

ISE is a powerful tool, but it’s not a magical one. It’s important that organizations understand the capabilities of ISE before they decide to make the financial and time commitment to deploy the product. The most common misconception is about how ISE identifies systems on the network. It is capable of probing systems over the network and identifying those that respond to its polling requests, but ISE does not monitor network traffic for signs of activity.

Lesson 2: User-based authentication provides analytical value.

When you deploy ISE, you have the option of using it to authenticate devices or to authenticate users. In the past, most of my customers were primarily interested in making sure that only corporate-owned devices were connecting to their networks. That made device authentication the logical choice. Today, many organizations benefit from integrating ISE with other components of their security infrastructure, including StealthWatch and FirePower. Those integrations are much more powerful when they have access to user data, so I’m now encouraging clients to pursue user authentication whenever possible.

Lesson 3: Check network device compatibility far in advance.

The most common problem organizations experience when deploying ISE is that some of their older network equipment may not be compatible with the technology. I now perform hardware compatibility checks early in the process to identify any switches that require firmware upgrades or hardware replacement. Performing these upgrades in advance will speed up the ISE deployment process, especially in environments where it’s difficult to schedule downtime, such as a hospital.

Lesson 4: Tune alarms to lower your false positive rate.

When you first deploy ISE, you’ll likely be overwhelmed by the number of security alerts that you receive from the system. Out of the box, ISE alerts you to almost every event that takes place, and that’s simply too much information for most security teams. As we deploy ISE, I work with my customers to make sure that we’re seeing the important alerts. Those include CPU usage spikes, increases in authentication latency, failed backups, certificate expiration warnings and ISE devices losing contact with Active Directory domain controllers. At the same time, I make sure that we tune out the noise that often occurs when clients temporarily stop responding or are misconfigured for the network. Reducing the number of false positive alerts makes everyone’s life easier.

To learn more about steps you can take to protect your organization from cyberthreats, read the CDW Cybersecurity Insight Report.

This blog post brought to you by: