At-A-Glance
Cisco Identity Services Engine and Bayshore Networks Integration
Device- and Network-Aware Data Loss Prevention for OT Networks
Use Cases
• Extend data loss prevention (DLP) capabilities to Operational Technology (OT) control and supervisory control and data acquisition (SCADA) networks: Coupling Bayshore’s multiprotocol support with network context from Cisco ISE helps IT extend DLP policies to manufacturing and industrial control networks.
• Implement dynamic DLP policies: Cisco TrustSec technology and device context from Cisco ISE are delivered in real time so Bayshore DLP policies can be dynamically adapted to network and device risk factors.
• Audit IoT device traffic patterns and policies: Industrial and manufacturing applications have highly controlled communications patterns. Combining Bayshore’s multi-protocol awareness with network segmentation awareness from Cisco ISE and Cisco TrustSec helps enable the identification of anomalous traffic patterns that may indicate a security breach or misconfiguration.
• Facilitate a strong network response: Take quick action on data leakage events or traffic anomalies from within the Bayshore console by implementing network quarantine or disconnect actions through Cisco ISE.
The Internet of Things (IoT) has made network environments more complex than ever by causing a new influx of networked devices in industrial and manufacturing company networks. The diversity and number of networked devices, along with the increased amount of virtualization in network environments, has heightened the need for more flexible and precise approaches to data loss prevention (DLP). Previous static DLP policies that treated all devices equally are no longer sufficient to ensure security. Businesses need a new context-driven, comprehensive solution that incorporates full contextual visibility of devices, data, device security posture, and location with network segmentation driven by access policy.

The integration of Bayshore Networks technology with the Cisco Identity Services Engine (ISE) allows the Bayshore Secure Enterprise (SE) and Industrial Controls (IC) platforms to create adaptable, context-driven DLP policies. Bayshore’s rich multi-protocol recognition and inspection support provides pervasive visibility of the devices and policies that make up industrial and manufacturing control networks. Security architects can use the endpoint device and context information from Cisco ISE to create and differentiate DLP policies based on user identity, device type, posture status, network access connection type, and network segment access. DLP decisions can be customized in real time based on the risk represented by the user and device. Leveraging Cisco® Platform Exchange Grid (pxGrid) in Cisco ISE, Bayshore administrators can also use Cisco ISE’s dynamic network control capabilities to take mitigation actions or to quarantine or block user or device access within the Cisco network infrastructure in response to a severe DLP event.
Solution Highlights and Components
This solution is composed of Cisco ISE running the pxGrid context exchange capabilities, the Cisco TrustSec® Source-Group Tag eXchange Protocol (SXP), and the Bayshore Networks platforms.

Cisco pxGrid is a unified framework that helps enable multivendor, cross-platform network system collaboration among IT infrastructure components such as security monitoring and detection systems, network policy platforms, identity and access management platforms, and virtually any other IT operations platform.
© 2014 Cisco and/or its affiliates. All rights reserved.
Integration Details
Cisco ISE integration with Bayshore is accomplished through the following:
• Bayshore provides rich policy controls and visibility for major industrial protocols such as the Distributed Network Protocol (DNP3), Modbus, Ethernet IP, IEC 61850, PROFINET, and BACnet.
• Cisco ISE provides device and network information to Bayshore through pxGrid. Network segmentation policy information is provided to Bayshore from Cisco ISE through SXP. Using SXP, both Cisco networks and Bayshore networks can speak a common network segmentation language, which is critical for implementing adaptable, real-time DLP policies, especially when combined with Bayshore’s rich OT network awareness.
• This contextual data from Cisco ISE is used to supplement existing Bayshore policy attributes, allowing administrators to adapt DLP analytics and policy decisions based on the new criteria coming from Cisco ISE.
• Changes in network segmentation initiated by Bayshore DLP policies are correlated to Cisco ISE policies and enforced via SXP to ensure consistency in endpoints’ access across both IT and OT networks.
Next Steps
Additional product information regarding this integration may be found by searching for “Bayshore Networks” in the Cisco Marketplace Solutions Catalog at: http://marketplace.cisco.com/catalog.
Cisco TrustSec SXP technology provides dynamic identification and classification of “source groups,” which are used to indicate the trust level and access privilege level of users, devices, and network resources.
Figure 1. Cisco ISE and Bayshore Integration. Cisco ISE and Bayshore deliver device- and network-aware DLP for IT and OT networks: Cisco ISE supplies device and network context to Bayshore through pxGrid and TrustSec, and Bayshore drives the data leakage response through ISE.
Data Leakage Response Through ISE
Bayshore can use Cisco ISE identity, device, and network contextual information to enhance existing DLP policy attributes and multi-protocol inspection capabilities. This helps enable DLP heuristics that can be easily adapted as network changes occur. This contextual information is also integrated into Bayshore monitoring and reporting capabilities, so network managers can get a detailed view of the types of devices that are accessing various classes of information assets on the network. Network managers can also respond to severe data leakage events by using Cisco ISE to implement network mitigation actions from within the Bayshore management console.
Some Cisco ISE attributes available for use by Bayshore for user-, device-, and network-related context include the following:
• User name, IP address, authentication status, location
• Authorization group, guest, Cisco TrustSec security group tag (SGT), quarantine status
• Device manufacturer, model, OS, OS version, MAC address, IP address, network connection method (wired or wireless)
• Posture compliance status, antivirus installed, antivirus version, OS patch level, mobile device posture compliance status (through mobile device management ecosystem partners)
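To make the Integration Details and the attribute list above concrete, here is an added illustration (not Cisco's or Bayshore's code, and not a pxGrid or Bayshore API) of a context-driven DLP decision: a static rule on who may write to a PLC is tightened in real time by the ISE attributes SGT, posture compliance, connection method and quarantine status. The SGT names, IP addresses, dataclass fields and the simulated quarantine action are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the context record ISE would deliver over pxGrid.
@dataclass
class IseContext:
    user: str
    ip: str
    sgt: str               # Cisco TrustSec security group tag (assumed name form)
    posture_compliant: bool
    device_type: str
    connection: str        # "wired" or "wireless"
    quarantined: bool = False

# Constructed stand-in for one OT protocol event seen by the DLP inspector.
@dataclass
class OtEvent:
    protocol: str          # e.g. "modbus", "dnp3"
    operation: str         # "read" or "write"
    dst_ip: str

# Hypothetical static baseline: which SGTs may issue writes over which protocol.
WRITE_ALLOWED = {"modbus": {"Engineering"}, "dnp3": {"Engineering", "SCADA_Server"}}

def evaluate(ctx: IseContext, ev: OtEvent):
    """Return (verdict, reason); verdict is allow, alert, block or quarantine."""
    if ctx.quarantined:
        return "block", "endpoint already quarantined by ISE"
    if ev.operation == "read":
        return "allow", "read-only OT traffic"
    if ctx.sgt not in WRITE_ALLOWED.get(ev.protocol, set()):
        return "quarantine", f"SGT {ctx.sgt} may not write {ev.protocol}"
    # Dynamic part: the same SGT gets a stricter verdict as device risk rises.
    if not ctx.posture_compliant:
        return "block", "posture non-compliant; write refused"
    if ctx.connection == "wireless":
        return "alert", "write from wireless engineering host; flag for audit"
    return "allow", "trusted engineering write"

def respond(ctx: IseContext, verdict: str):
    """Simulated mitigation record; a real deployment would call ISE here."""
    if verdict == "quarantine":
        ctx.quarantined = True  # ISE quarantine status now feeds later decisions
        return {"action": "quarantine", "ip": ctx.ip, "user": ctx.user}
    return {"action": "none", "ip": ctx.ip}

if __name__ == "__main__":
    hmi = IseContext("carol", "10.0.1.8", "Operators", True, "HMI", "wired")
    verdict, reason = evaluate(hmi, OtEvent("modbus", "write", "10.0.2.10"))
    print(verdict, reason, respond(hmi, verdict))
```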
Supported products:
• Cisco ISE 1.3 or later
• Bayshore SE™ (Secure Enterprise) and Bayshore IC™ (Industrial Controls)
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
C45-732920-00 09/14