Maximising Endpoint Security With ISE Posturing

Hey Everyone,

It’s been a while since I last posted. I’ve been extremely busy working on some projects, both personal and professional, and I haven’t had a lot of time to write.

I’m back! After a long break, I’m excited to start blogging again. And what better way to start than by sharing some of the ups and downs of my recent Cisco ISE posturing deployment.

For the last 4 months, I’ve been working on deploying ISE posturing to a large enterprise. It’s been a challenging project, but it’s also been very rewarding.

In this blog I’m going to go over the following things;

• Posture policy configuration: How to configure posture policies in Cisco ISE. This includes configuring posture conditions, posture remediation, posture requirements and posture policy.
• Posture agent installation and configuration: How to install and configure the Cisco ISE posture agent.

Overall, it’s been a tough deployment due to issues with integration into Microsoft MCM, then issues with the new Secure Client Posturing Module, though besides that its a powerful tool that can help organisations to improve their security posture and reduce their risk of attack. However, it’s important to be aware of the challenges involved before deploying Cisco ISE posturing at scale, but anyway lets move on to the requirements.

Requirements

The requirements were the following, to prevent endpoints accessing the network that do not have an up to date Anti-Malware definition file and up to date Windows Updates. The customer would also not like redirection to be visible to the end user meaning that we have to deploy ISE posturing using the redirection-less flow method.

Things to Consider

• Is your ISE environment scaled correctly to support posturing? Read the ISE scaling guide cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html
• Does the software that I use in my environment exist within conditions?
• How should the posturing software be deployed? Most enterprise environments use an endpoint management solution e.g. MCM (Microsoft Configuration Manager), Intune to deploy pre-packaged software.
• Should I be using redirection or non-redirection for the posture flow? This is dependant on the environment and needs assessing during the HLD stage.
• How should the DACL’s (Dynamic Access Lists) be configured for Non-Compliant endpoints, what services should endpoints still have access to?
• How long do you want endpoints to be in the remediation zone, this timer will depend on the type of conditions you are using e.g. if your just wanting to trigger an update of the AM (Anti-Malware) the remediation timer can be set to something short, but if your wanting to remediate Windows Update the timer should be set to something longer as there are multiple variables to take into consideration, for example people who are connected to the network remotely.

Implementation

Configure Client Provisioning

What is client provisioning? In summary, client provisioning is a fundamental process for ensuring that end-user devices are properly configured and comply with security policies before being granted access to the network. It’s a critical component of endpoint posturing, helping to maintain a secure and compliant network environment.

Client Provisioning Portal

The Client Provisioning Portal is what end-users/endpoints use to download software and profiles, it’s also how the posturing module communicates with the ISE PSN’s, the communication between secure client posture module all happens by default over TCP 8443, this can be changed if desired.

In this example we are using the default portal, but if you had a requirement for multiple portals then this is possible an example of this could be a separate portal for BYOD users that supports redirection flow.

As we are focusing on a redirection-less deployment we just need basic portal configuration, I’ve left all the ports as default.

Resources

This is where all of your Secure Client Software, ISE Compliance Module and Profiles are located, wether you are deploying the software from ISE through the client provisioning portal or deploying it manually you still need to make sure the software is uploaded to ISE, the software held on the headend also needs to match the version that is deployed to the estate.

As I mentioned earlier most enterprises are using some form of endpoint management solution to deploy software, the only two things I want to deploy from ISE are the compliance module and the posture profile xml.

As we are using the non-redirection flow, we need to manually create our XML file using the secure client profile editor which can be downloaded from Cisco, once your XML has been created this needs to go into C:\ProgramData\Cisco\Cisco Secure Client\ISE Posture\

Below is an example of the ISEPostureCFG, the XML below has the EnableNonRedirectionFlow attribute set to a value of 1.

<cfg xmlns="http://www.cisco.com/nac/agent/config-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd">
<!--  elements with notEndpointXMLConfigurable attribute value as yes are not end point configurable  -->
<configName>ISEPostureCFG</configName>
<BackOffTimerLimit>30</BackOffTimerLimit>
<GracePeriodStartTitle/>
<discoveryPsnList>ISE01.allthingsnetworking.net</discoveryPsnList>
<LogTrace>0</LogTrace>
<GracePeriodStartButtonText/>
<CwaByodMaxTimeout>90</CwaByodMaxTimeout>
<RetransmissionLimit>4</RetransmissionLimit>
<PingMaxTimeout>1</PingMaxTimeout>
<RetransmissionDelay>60</RetransmissionDelay>
<GracePeriodStartButtonLink/>
<StealthMode>0</StealthMode>
<NonCompliantDescription/>
<EnableNonRedirectionFlow>1</EnableNonRedirectionFlow>
<StateSyncProbeList>ISE01.allthingsnetworking.net</StateSyncProbeList>
<ServerNameRules>*.allthingsnetworking.net</ServerNameRules>
<OperateOnNonDot1XWireless>0</OperateOnNonDot1XWireless>
<NonCompliantButtonText/>
<GracePeriodStartDescriptionDetails/>
<RemediationTimer>30</RemediationTimer>
<DhcpRenewDelay>1</DhcpRenewDelay>
<CallHomeList>ISE01.allthingsnetworking.net:8443</CallHomeList>
<LogFileSize>5</LogFileSize>
<WarningTimer>0</WarningTimer>
<PRARetransmissionTime>120</PRARetransmissionTime>
<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
<NetworkTransitionDelay>3</NetworkTransitionDelay>
<DartCount>3</DartCount>
<CwaByodProbingInterval>5</CwaByodProbingInterval>
<NonCompliantTitle/>
<NonCompliantDescriptionDetails/>
<PingArp>0</PingArp>
<DhcpReleaseDelay>4</DhcpReleaseDelay>
<StealthWithNotification>0</StealthWithNotification>
<NonCompliantButtonLink/>
<SignatureCheck>0</SignatureCheck>
<DiscoveryHost/>
<StateSyncProbeInterval>0</StateSyncProbeInterval>
<GracePeriodStartDescription/>
<EnableRescanButton>1</EnableRescanButton>
<VlanDetectInterval>0</VlanDetectInterval>
<DisableUAC>1</DisableUAC>
<PeriodicProbing>3</PeriodicProbing>
<PublicKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuqxIOM0Pdt34ZFZf8FqXSq4JRmPwa6w9R1i2q0WLazs7lBww0+hM1m0FitZuU/3N+MNoA3gbLsNh0M9Sh5M3/hDLIQNlqVUQNIsMdWaq2h/T9UXfsqX4gUlSB+HyUmYvmRnzVrKb0u2LL+utipnj+N8oVGaB7QqGcbuZWyYryLAq1rU7C/gHX5J1Ou+0YUBDS54IzluaOoXGZR8ZPGrPElrsUfxQWEB+5kap8naT+Wo1WfTTFut5Ukw0dqfy20d/wyYlm7u54snsy49U68PU3b5KaQO6DXOoVzbQdKTJKRE6xY3a9RnyhoUm2edHNwdiLiLlD9G58nHrzJtSzUTjoQIDAQAB</PublicKey>
</cfg>

Building out the Posture Policy

In this section we will go through how to build a Posture Policy, this will include creating Posture Conditions, Remediations, Requirements and then attaching the requirement to the Posture Policy.

Conditions

If we take the requirements that I mentioned above I have two conditions that I need to build out, the first being Anti-Malware and the second being Windows Updates.

Anti-Malware

Let’s get started, within ISE go to Work Centers, Posture and Policy Elements. The first page you will land on will be Anti-Malware Conditions, Click Add.

Below is the condition I have created, I have selected my OS (Operating System) and the AM (Anti-Malware) vendor, I’ve selected the check type as check again latest definition as I always want this to be up to date to catch any zero day vulnerabilities. You then need to select the AM product you are using from the list.

Remediation

The remediation is used after the condition has been triggered, as an example if the AM is out of date against the database, the remediation will trigger the AM software to pull down the latest definition file.

Anti-Malware

Below is the AM remediation, make sure to set the retry interval and retry count to something that suits your requirements.

Requirement

This is where we bind the condition and the remediation together, this then generates the requirement that is referenced within the posture policy.

In the image below I have two requirements one for AV and the other for SCCM aka MCM, as you can see for the AV requirement we have the condition and remediation that we created in the previous step.

Posture Policy

Below is the new posture policy that I have created, as you can see in the below figure I have specified other conditions, this is really key when testing posturing policy as at this point you wouldn’t want to make it a global policy, if your using some form of 802.1x like PEAP with MSCHAPv2 or TEAP authentication then it’s a good idea to create an AD (Active Directory) group where you can add your test users.

Alongside the condition I have specified the two requirements that I created earlier, once you have saved this policy posturing will be live.

Policy Set

Downloadable ACL

Below are three DACL’s that have to be created, the first one which permits all traffic, the non-compliant one needs to list all the services you want the endpoint to communicate with when it’s held in the remediation zone, the unknown DACL can be the same as your non-compliant one, devices in unknown state are ones that have issues communicating with ISE, this again will be dependant on your environment as this could stop endpoints getting on the network at all.

Additional Notes

As this is a lab environment which currently only contains wired endpoints, please see the bullet points below for advice on production.

• VPN users need a different DACL applying when they are in non-compliant state, above I used the statement deny ip any any, do not use this, instead use a permit ip any any and above this add three rules denying all the RFC1918 address space. (I missed this bit when testing, I’m sure you can guess what happened 😉 )
• DACL for Catalyst 9800 WLC is now supported in version 17.10.1 – Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Dublin 17.10.x – Downloadable ACL [Cisco Catalyst 9800 Series Wireless Controllers] – Cisco
• If you are using AireOS you would have to manually create the ACL on the WLC, then reference the name of the ACL within the authorization profile.

Authorization Profiles

In ISE go to Policy, Policy Elements, Results, Authorization, Authorization Profiles. Here you can create your Compliant, Non-Compliant, Unknown profiles that will be attached to your policy set.

Creating the Policy Set

Below are the three policy sets that need to be created, the same would need to be created for the like of VPN, Wireless with any other attributes you want to include.

Using MCM for Windows Updates? This is how you integrate it into a condition!

Below I have created a new posture condition that matches against the MCM Client that is installed on the endpoint AKA Software Centre, the check type needs to be set as Up to Date and Check patches installed.

When the endpoint goes through the posture scan the posturing agent will check Software Centre for any updates, if there are no updates available within Software Centre posturing will go to compliant, if there are updates available you will be put into non-compliant and fall into the remediation zone.

Additional Notes

• MCM/SCCM has the ability for two different deployment types, Required and Available. If you want to integrate Windows Updates that are deployed from MCM/SCCM the available deployment type needs to be used. Available makes all updates appear within Software Centre for manual install.

Testing Posturing on a Wired Endpoint

The test environment contains one Windows 10 VM that has a wired connection to a Catalyst 3560 that is setup for 802.1x.

Firstly let’s put all the requirements that I added into my posture policy into audit mode, this is always a good mode to start off in as it will prove weather your posture policy is working correctly by generating a report that is sent to ISE.

In the above image we can see that the MCM requirement passed successfully but the AV option failed, the reason the AV failed is that MCM has not been triggered to deploy the latest Windows Defender patch.

Let’s now put the requirements into mandatory mode, we now should get put into the remediation zone as the Windows Defender patching will fail and force the endpoint to go into the remediation zone, as I have now pushed the definition update out through MCM we have gone to compliant mode.

Additional tips:

• Plan carefully: Before deploying Cisco ISE posturing, it’s important to carefully plan your deployment. This includes identifying your posture requirements, selecting the right posture agent whether it being agentless or the full client, and making sure you design your posture policies correctly.
• Test thoroughly: Once you’ve deployed Cisco ISE posturing, it’s important to thoroughly test your deployment to ensure that it’s working properly. This includes testing your posture policies and ensuring that compliant devices are granted access to the network.
• Monitor and maintain: Cisco ISE posturing requires ongoing monitoring and maintenance. This includes monitoring your posture policies and ensuring that your posture agents are up to date.

I hope this summary has been helpful. If you have any questions about Cisco ISE posturing, please feel free to leave a comment below or reach out to me.