Cisco ISE has several capabilities for managing endpoints; one of them is ANC (Adaptive Network Control). Using this feature, an administrator can have Cisco ISE Quarantine, Shutdown or Port Bounce an offending host. An offending host can be many things: one that has malware, an APT, viruses, or vulnerabilities. In our scenario we are looking into imposing a Quarantine on a host that has a certain number of High-risk vulnerabilities or whose overall Score (security posture) is below a certain value.
The first step in integrating Cisco ISE and beSECURE is to enable ERS (Endpoint RESTful Service) on the Cisco ISE side. This is done by going to the Administration -> System -> Settings -> ERS Settings page:
And clicking on the “Enable ERS for Read/Write”.
The second step is to create a dedicated user for beSECURE to use. This is recommended so that you can audit the actions taken by beSECURE; the alternative is to give it the ‘admin’ user you already use to administer the system.
Start by going to the Administration -> System -> Admin Access page, click on Administrators -> Admin Users in the left-side menu, and then click the Add button:
And then on “Create an Admin User”:
Configure it as follows, “Name”: beSECURE, “Password”: create a complex password and write it down, assign it under “Admin Groups” access to the “ERS Admin” group:
After clicking “Submit” you will be presented with this screen:
The third step is to create an ANC policy: go to the Operations -> Adaptive Network Control -> Policy List page, and click “Add”:
Give the Policy the Name of “beSECURE”, and the Action of “Quarantine”:
Click “Submit”, and you will be presented with this screen:
You are now set to configure the beSECURE side of the process. Log in to beSECURE and access the More -> Server -> Integration screen, and there select the “Cisco ISE (ANC)” checkbox:
And configure it according to your Cisco ISE URL, Cisco ISE username and Cisco ISE password values:
The last part is deciding on which trigger beSECURE should ask Cisco ISE to apply a Policy to a target IP address. In this case I configured it to trigger whenever 5 High-risk vulnerabilities are found or whenever the Score is below or equal to 25 (out of 100):
Of course, you can decide to do just a High-risk count trigger, or just a Host score trigger.
After clicking “Modify” in beSECURE, whenever a scan completes the results of the scan will be analyzed to determine whether Cisco ISE should be alerted to the fact that a host exceeds the allowed number of High-risk vulnerabilities or has a score below or equal to the configured value.
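As an added example (not code from the original post or from beSECURE itself), the following Python shows the trigger decision described above and builds, without sending, the ERS call that would apply the “beSECURE” ANC policy to the offending host. The ERS port 9060, the ancendpoint/apply path and the JSON body shape are assumptions about Cisco's ERS API and are not taken from this page; the scan results are constructed sample data.

```python
import base64
import json
from dataclasses import dataclass
from urllib import request

# Thresholds as configured in the beSECURE integration screen (values from the post).
HIGH_RISK_LIMIT = 5          # quarantine when at least this many High-risk findings exist
SCORE_LIMIT = 25             # quarantine when the host Score is <= this value (out of 100)
ANC_POLICY_NAME = "beSECURE" # ANC policy created in Cisco ISE in the third step

@dataclass
class HostResult:
    ip: str
    high_risk_count: int
    score: int

def should_quarantine(host, high_limit=HIGH_RISK_LIMIT, score_limit=SCORE_LIMIT):
    """Either trigger alone is enough; the post notes you may configure only one of them."""
    return host.high_risk_count >= high_limit or host.score <= score_limit

def anc_apply_body(ip, policy_name=ANC_POLICY_NAME):
    """Body of the ERS ANC 'apply' request (ASSUMED shape of Cisco's ancendpoint/apply API)."""
    return {"OperationAdditionalData": {"additionalData": [
        {"name": "ipAddress", "value": ip},
        {"name": "policyName", "value": policy_name},
    ]}}

def build_apply_request(ise_host, user, password, ip):
    """Build (do not send) the PUT to ERS; TCP 9060 is the ERS default port (assumption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return request.Request(
        url=f"https://{ise_host}:9060/ers/config/ancendpoint/apply",
        data=json.dumps(anc_apply_body(ip)).encode(),
        method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
    )

def evaluate_scan(results, ise_host="ise.example.internal", user="beSECURE", password="PLACEHOLDER"):
    """Return (ip, method, url) for every host that trips a trigger; nothing is sent."""
    hits = []
    for host in results:
        if should_quarantine(host):
            req = build_apply_request(ise_host, user, password, host.ip)
            hits.append((host.ip, req.get_method(), req.full_url))
    return hits

# Constructed sample scan results: first two hosts trip a trigger, the third does not.
SAMPLE = [HostResult("10.0.0.5", 5, 60), HostResult("10.0.0.6", 2, 25), HostResult("10.0.0.7", 4, 26)]
```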
To view Policies that are currently active (and remove them if needed), go to the Operations -> Adaptive Network Control -> Endpoint Assignment screen:
Choose the host you want to unquarantine, and then either delete the entry using the “Trash” button or click the “EPS unquarantine” button and type the IP address or MAC address of the endpoint.