    Global Cisco ISE Implementation at an International Manufacturing Company

    Our client, an international manufacturing company in the healthcare industry, needed a solution that would effectively manage network access across 250 locations worldwide. The existing Cisco Identity Services Engine system no longer met its requirements: it lacked consistency, stability, and flexibility, and its configuration was riddled with inconsistencies and certificate issues. Managing access policies from a single location was complex and time-consuming, and a security breach could pose a real threat.

    The Cisco ISE Challenge: Security and Access Control on a Global Scale

    One of the key elements of a transformation project is the analysis of security risks. The system in its previous state was not designed or configured in a manner consistent with the overall security concept of the transformation project. This posed a risk of inconsistent security rules, a lack of uniform policy coverage across the IT infrastructure, and potentially problems with opening attack vectors related to network access. Another significant issue was the complex and fragmented management of network access.


    Krzysztof Osmałek, Advanced Services Team Lead, Grandmetric

    Configuration audit as a starting point

    Before implementing the new system, we conducted a comprehensive audit of the existing Cisco ISE infrastructure. This allowed us to identify key issues: inconsistent access policies, lack of scalability, and poor system performance. It was clear that a fundamental overhaul of the NAC architecture and the implementation of modern AAA policies were necessary.

    Client

    • Global manufacturing company
    • 250 locations
    • 24,000 endpoints
    • 6 Cisco ISE nodes

    Services

    • Comprehensive Cisco ISE configuration audit
    • Design of a new Cisco ISE infrastructure
    • Selection of appropriate licenses
    • Solution implementation

    New, scalable Cisco ISE architecture

    The company has gained global consistency by unifying access management across all regions: APAC, EMEA, and AMER.

    The network is more secure. The new NAC architecture and AAA policies effectively control access and eliminate security gaps.

    Management is simpler. IT now has full control over access policies.

    Greater flexibility. Authorization levels are tailored to user roles and scenarios.

    Step by step: How did the project proceed?

    Audit and Analysis

    The first step was a thorough analysis of the existing Cisco ISE infrastructure. We examined current access policies, security gaps, and opportunities for performance improvement. The audit also included log analysis, best practice compliance assessments, and interviews with the client’s IT team to better understand their needs and challenges, including identifying and classifying the types of devices users wish to connect.

    Designing a New Architecture

    Based on the audit results, we designed a new NAC architecture that addressed the organization’s security and network access needs. We created an optimal AAA policy model, adapting authorization levels to different user groups and devices, in accordance with security policies. Global consistency was key, so we made sure policies were implemented uniformly across the three key regions.

    New system implementation in the APAC, EMEA, and AMER regions

    The implementation was phased to minimize the risk of network disruptions. Each region received dedicated resources and support, and configuration was performed according to previously developed documentation. We also conducted extensive performance and security testing to ensure the new system met the project’s design objectives.

    Ensuring High Availability and Redundancy

    A key goal was to ensure uninterrupted system operation even in the event of individual component failures. Therefore, we implemented redundancy and load-balancing mechanisms, which increased the stability of the environment. We also developed an incident response strategy and backup procedures, which further strengthened the infrastructure’s security.

    Training the Client’s IT Team

    Following the implementation, it was crucial to transfer operational knowledge to the client’s IT team. We prepared a set of documentation, ran workshops, and delivered hands-on training so that administrators could independently manage the new environment. We also provided post-implementation support to facilitate the client’s adaptation to the new system.

    What do you need to know before implementing Cisco ISE or another access control solution?

    What is Cisco Identity Services Engine?

    Cisco Identity Services Engine (ISE) is an advanced network access control (NAC) system that provides secure access to network resources. It is a comprehensive solution that provides a centralized location for network access control, ensuring compliance and simplifying management. Cisco ISE enables organizations to effectively manage user and device identities, resulting in increased security and consistent access policies across the network. With Cisco ISE, organizations can dynamically enforce security policies, minimizing the risk of unauthorized access and ensuring secure network access.

    How does an access control system work?

    The Cisco ISE access control system operates on a common identity management foundation. It ensures that only authorized users and devices have access to the network. It dynamically enforces security policies, ensuring secure network access. Cisco ISE monitors and analyzes network traffic in real time, identifying and classifying devices and users. Based on the collected data, the system automatically applies appropriate security policies, enabling effective access management and minimizing the risk of breaches. This allows organizations to ensure their networks are protected from unauthorized access and threats. Check our blog article to learn more about how Cisco ISE works.

    Cisco ISE Usage Scenarios

    Cisco ISE can be used in a variety of network environments, including LANs, WANs, and VPNs. It can also be used in guest access scenarios such as hotspots, registration, opt-in registration, and sponsored access. In LANs, Cisco ISE provides secure access to internal resources by controlling access at the network port level. In WANs, it enables access management to geographically distributed resources, ensuring consistent security policies. For VPNs, Cisco ISE controls remote access, ensuring only authorized users can connect to the network. Guest access scenarios allow secure network access for guests, with varying levels of authorization and control.

    Device Types

    Cisco ISE can be deployed as a physical or virtual appliance. Physical appliances are designed for high performance and reliability, making them an ideal solution for large organizations with demanding network environments. Virtual appliances, on the other hand, offer significant deployment flexibility, enabling easy scaling and adapting to the changing needs of the organization. Virtual Cisco ISE deployments can be implemented on various virtualization platforms, allowing for optimal utilization of existing IT infrastructure. This allows organizations to choose the most appropriate solution that best meets their specific requirements and resources.

    Profiling and pxGrid

    Profiling in Cisco ISE refers to the process of identifying and classifying devices. It involves collecting and analyzing device data, which is then used to apply appropriate network access policies. Profiling allows Cisco ISE to precisely determine the device type, its operating system, and even the specific applications running on it, so that security policies can be tailored to a specific device and its role in the network. pxGrid (Platform Exchange Grid) is a framework that facilitates the exchange of contextual information between Cisco ISE and other network systems and security solutions. With pxGrid, Cisco ISE can interoperate with other security tools, such as threat detection systems, firewalls, and security information and event management (SIEM) systems, enabling more integrated and effective network security management.

    Summary

    The new Cisco ISE environment not only improves security but also provides significant convenience for IT teams. The global manufacturing company can now effectively manage network access worldwide, ensuring fast and seamless connections for its employees. Auditing and optimization of the environment allowed for the elimination of risks and the implementation of modern access control standards. All this while maintaining flexibility, scale, and reliability.
