ISE Security Best Practices (Hardening)

 

Secure Development


ISE follows the Cisco Secure Development Lifecycle (CSDL) Process.


Vulnerability Testing

As part of CSDL, ISE undergoes vulnerability testing. This involves both industry-standard testing tools and custom testing targeted at the product's functionality. Some of the industry-standard tools used:

  • IBM AppScan
  • Codenomicon
  • Retina
  • Nessus
  • SkipFish


When is testing completed?

Vulnerability testing is performed on releases that introduce new features (for example, ISE 2.1). Patch releases are not subjected to vulnerability testing because patches do not introduce new features; they fix reported PSIRT issues.

 

 

ISE Hardening  and Security Best Practices


General

Follow the same guidance as in the Cisco Prime Infrastructure Admin Guide wherever applicable. In summary: the underlying OS is based on Red Hat Enterprise Linux, but access to the underlying OS is not provided. Only the required ports are open; the rest are closed through a firewall. Vulnerability testing is also performed, and ISE follows the Cisco Secure Development Lifecycle (CSDL) process.

 

There is no official hardening document, but here are some items compiled from a previous request:

  • Upgrade to current patch levels.
  • Use strong password policies for the CLI and Web UI (complexity, expiry, history, etc.).
  • Differentiated access for admins, each with their own account, whether local or via an external ID store.
  • Policy of least privilege.
  • Do not use the superadmin account for daily maintenance.
  • Restrict console access and admin web access by configuring the access restrictions under Administration > System > Admin Access > Settings (left-hand side).
  • Disable SSH for higher security or, per the above, restrict which addresses may reach SSH.
  • Update the pre- and post-login banner configuration for admin access.
  • Implement the ISE 1.2 connection and rate limit settings via the CLI to cap TCP connections and TCP/UDP/ICMP packet rates.
  • Configure ACLs that permit access to ISE PSNs only on the specific ports required (8443, 8905, etc.) rather than "ip any any" or "tcp any any".
  • Enable FIPS mode to enforce stronger algorithms.
  • Review internal user accounts and disable those not in use.
  • Limit the access returned for health-probe accounts used by access devices and load balancers.
  • Deploy unique certificates per node rather than wildcard certificates for higher security.
  • Deploy firewalls and other security devices that restrict access to nodes to the required operational ports.
  • Offline updates for posture and agent files are more secure than live updates, which require direct Internet access; where live updates are used, firewalls and a proxy are the compensating controls.
  • Use separate, dedicated interfaces for management and user services (new in 1.2).
  • Use a secure store for backup files, support bundles, log files, and the associated encryption keys.

 

 

Underlying Operating System (OS)

Customers do not have direct access to the OS.

Version    Underlying OS
ISE 1.2    Red Hat Enterprise Linux (RHEL) 5.8 x86_64 running ADE-OS 2.0.5.250
ISE 1.3    RHEL 6.4 x86_64, ADE-OS 2.2.0.162
ISE 1.4    RHEL 6.4 x86_64, ADE-OS 2.2.0.421
ISE 2.0    RHEL 6.4 x86_64, ADE-OS 2.3.0.187
ISE 2.0.1  RHEL 7.1 x86_64, ADE-OS 2.4.0.147
ISE 2.1    RHEL 7.1 x86_64, ADE-OS 3.0.0.202

Main 3rd Party Components

As of ISE 2.0.0.306 (ISE 2.0 FCS):

  • Apache Tomcat/8.0.23
  • Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

Ports Used in ISE

The Cisco ISE Ports Reference for each version of ISE details all of the network ports and their uses.

 

Connection and Rate Limiting

ISE 1.2 introduces two independent types of network limits:

  • Connection limits: cap the number of TCP connections from a source.
  • Rate limits: cap the packet rate from a source to an average number of packets per second; applied to TCP, UDP and ICMP.

Network limit notes:

  • Enhance security by limiting connections from known addresses.
  • Mitigate DoS attacks by limiting connections and floods.
    • Remote addresses may be spoofed, so a limit keyed on a source address can also be tripped against a legitimate source by an attacker forging that source's address.
  • Limits operate at the firewall (iptables) level.
    • This is not traffic shaping: excess packets are dropped, not queued.
    • There is no indication when a limit is reached, so a tripped limit looks like ordinary packet loss to the affected peer.
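To make the two caveats concrete (spoofed sources, and no indication when a limit trips), the following is an added example, not Cisco's code, that models the two ISE 1.2 limits with iptables-style semantics (a per-source cap on concurrent TCP connections and a per-source token bucket for packet rate) and runs them over a constructed packet trace. On the appliance these are assumed to correspond to the CLI conn-limit and rate-limit settings referred to in the hardening list above (check the CLI reference for your release for exact syntax). The addresses, the 50 pps / 100-packet burst figures and the trace are assumptions chosen for illustration.

```python
"""Model of the two ISE 1.2 network limits (iptables connlimit / hashlimit
semantics) run over a constructed packet trace. Added example; not ISE code.
Time is integer milliseconds and tokens are millitokens so results are exact."""
from collections import defaultdict


class RateLimiter:
    """Per-source token bucket: on average `pps` packets per second, bursts up to `burst`."""

    def __init__(self, pps, burst):
        self.pps = pps                  # millitokens added per millisecond == packets per second
        self.burst_m = burst * 1000
        self.state = {}                 # src -> (millitokens, last_seen_ms)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst_m, ts))
        tokens = min(self.burst_m, tokens + (ts - last) * self.pps)   # refill since last packet
        ok = tokens >= 1000
        if ok:
            tokens -= 1000
        self.state[src] = (tokens, ts)  # a dropped packet is silent: nothing is logged or counted
        return ok


class ConnLimiter:
    """Per-source cap on concurrent TCP connections."""

    def __init__(self, limit):
        self.limit = limit
        self.open = defaultdict(set)    # src -> source ports with an open connection

    def connect(self, src, sport):
        if len(self.open[src]) >= self.limit:
            return False
        self.open[src].add(sport)
        return True

    def close(self, src, sport):
        self.open[src].discard(sport)


NAD = "10.1.1.10"           # constructed: a legitimate switch sending RADIUS
ATTACKER = "198.51.100.7"   # constructed: the attacker's real address


def traffic():
    """Constructed trace of (ts_ms, source address on the wire, who really sent it)."""
    events = []
    events += [(50 * j, NAD, "nad") for j in range(40)]                 # 0-2 s: NAD at 20 pps
    events += [(2000 + 2 * i, ATTACKER, "flood") for i in range(500)]  # 2-3 s: 500 pps, own address
    events += [(3000 + 2 * i, NAD, "spoof") for i in range(500)]       # 3-4 s: 500 pps, NAD address forged
    events += [(3001 + 50 * j, NAD, "nad") for j in range(20)]          # 3-4 s: NAD still at 20 pps
    return sorted(events)


def simulate(pps=50, burst=100, conn_limit=100):
    """Return accepted/dropped counts per real sender, plus the connection-limit result."""
    limiter = RateLimiter(pps, burst)
    counts = defaultdict(int)
    for ts, src, who in traffic():
        counts[f"{who}_{'accepted' if limiter.allow(src, ts) else 'dropped'}"] += 1
    conns = ConnLimiter(conn_limit)
    for sport in range(40000, 40300):   # 300 half-open connections from one source
        counts["conn_accepted" if conns.connect(ATTACKER, sport) else "conn_rejected"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, value in sorted(simulate().items()):
        print(f"{key:15} {value}")
```

The flood from the attacker's own address is cut to roughly burst plus one second of refill (149 of 500 packets). When the attacker forges the NAD's address, the same bucket is shared, and 15 of the NAD's 20 RADIUS packets in that second are dropped with no counter or log on the limiter side to show it; the per-sender tallies here exist only because the simulation knows who really sent each packet.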

Certificates in ISE

 

 

SSL/TLS CipherSuite in ISE

SSH

ISE 2.0
  • aes256-cbc
  • aes128-cbc

ISE 1.3 / 1.4
  • aes256-cbc
  • aes128-cbc
  • 3des-cbc

Only CBC-mode ciphers are offered (no CTR or GCM modes), which vulnerability scanners routinely flag; ISE 2.0 drops 3des-cbc.

Web Portals

ISE 2.0

Supports TLS 1.0, 1.1 and 1.2. Every portal listed below offers the same eight cipher suites: all AES-CBC with HMAC-SHA1 or HMAC-SHA256; the DHE-RSA suites provide forward secrecy, while the plain AES suites use static RSA key exchange.

  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • AES128-SHA256
  • AES128-SHA

Ports:

  • 443 (ISE web admin): TLS 1.1 and 1.2 only, no TLS 1.0
  • 8443 (ISE guest)
  • 9060 (ISE ERS)
  • 9002 (ISE sponsor "managed account"): TLS 1.1 and 1.2 only, no TLS 1.0
  • 8905 (ISE client provisioning and posture)
  • 8910 (ISE pxGrid session bulk download; client certificate required)


 

ISE 1.3 and 1.4

Supports TLS 1.0 only. Every portal listed below offers the same suites, shown as a scanner reports them (protocol, key size, suite). Note that the "168-bit" 3DES suite has an effective strength of 112 bits, and none of these suites provides forward secrecy.

  • TLSv1  256 bits  AES256-SHA
  • TLSv1  168 bits  DES-CBC3-SHA
  • TLSv1  128 bits  AES128-SHA

Ports:

  • 443 (ISE web admin)
  • 8443 (ISE guest)
  • 9060 (ISE ERS)
  • 9002 (ISE sponsor "managed account")
  • 8905 (ISE client provisioning and posture): DES-CBC3-SHA and AES128-SHA only, no AES256-SHA
  • 8910 (ISE pxGrid session bulk download; client certificate required; ISE 1.4 and above)

 

 

------------

 

XMPP

 

Port TCP 5222 (pxGrid XMPP)

  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA

 

EAP

 

EAP ciphers by ISE version

ISE 1.3/1.4                    | ISE 2.0                          | FIPS
-------------------------------|----------------------------------|---------
EAP-TLS, PEAP                  | EAP-TLS, PEAP, (EAP-TTLS)        |
                               | DHE_RSA_WITH_AES_256_SHA256      |
                               | DHE_RSA_WITH_AES_128_SHA256      |
RSA_WITH_AES_256_SHA           | RSA_WITH_AES_256_SHA             |
RSA_WITH_AES_128_SHA           | RSA_WITH_AES_128_SHA             |
                               | RSA_WITH_AES_256_SHA256          |
                               | RSA_WITH_AES_128_SHA256          |
DHE_RSA_WITH_AES_256_SHA       | DHE_RSA_WITH_AES_256_SHA         |
DHE_RSA_WITH_AES_128_SHA       | DHE_RSA_WITH_AES_128_SHA         |
RSA_DES_192_CBC3_SHA           | (added back in ISE 2.0 Patch 2)  |
DHE_DSS_WITH_AES_256_SHA       | (added back in ISE 2.0 Patch 2)  |
DHE_DSS_WITH_AES_128_SHA       | (added back in ISE 2.0 Patch 2)  |
EDH_RSA_DES_192_CBC3_SHA       | (added back in ISE 2.0 Patch 2)  |
EDH_DSS_DES_192_CBC3_SHA       | (added back in ISE 2.0 Patch 2)  |
RSA_RC4_128_SHA                | (added back in ISE 2.0 Patch 2)  | non-FIPS
RSA_RC4_128_MD5                | (added back in ISE 2.0 Patch 2)  | non-FIPS
EDH_RSA_DES_64_CBC_SHA*        | (added back in ISE 2.0 Patch 2)  | non-FIPS
EDH_DSS_DES_64_CBC_SHA*        | (added back in ISE 2.0 Patch 2)  | non-FIPS
EAP-FAST                       | EAP-FAST                         |
                               | DHE_RSA_WITH_AES_256_SHA256      |
                               | DHE_RSA_WITH_AES_128_SHA256      |
                               | RSA_WITH_AES_256_SHA256          |
                               | RSA_WITH_AES_128_SHA256          |
                               | DHE_RSA_WITH_AES_256_SHA         |
DHE_RSA_WITH_AES_128_SHA       | DHE_RSA_WITH_AES_128_SHA         |
RSA_WITH_AES_256_SHA           | RSA_WITH_AES_256_SHA             |
RSA_WITH_AES_128_SHA           | RSA_WITH_AES_128_SHA             |
RSA_RC4_128_SHA                | (added back in ISE 2.0 Patch 2)  | non-FIPS
EAP-FAST anon provisioning     | EAP-FAST anon provisioning       |
ADH_WITH_AES_128_SHA           | ADH_WITH_AES_128_SHA             |

  • CSCux27365 added back the ciphers removed in ISE 2.0 FCS.
  • (*) EDH_RSA_DES_64_CBC_SHA and EDH_DSS_DES_64_CBC_SHA are theoretically supported but will practically never be negotiated due to cryptographic restrictions.

 

ISE 2.1

 

TLS 1.0/1.1/1.2 are supported

 

EAP-TLS, PEAP, EAP-FAST, EAP-TTLS

  • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • DHE_DSS_WITH_AES_128_GCM_SHA256
  • DHE_DSS_WITH_AES_256_GCM_SHA384
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE_ECDSA_WITH_AES_128_SHA256
  • ECDHE_ECDSA_WITH_AES_256_SHA384
  • ECDHE_RSA_WITH_AES_128_SHA256
  • ECDHE_RSA_WITH_AES_256_SHA384
  • RSA_WITH_AES_256_SHA256
  • DHE_RSA_WITH_AES_128_SHA256
  • RSA_WITH_AES_256_SHA256
  • RSA_WITH_AES_128_SHA256
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA

 

ISE 2.0

All of these ciphers can be used with TLS 1.0 as well as TLS 1.1/1.2.

EAP-TLS, PEAP, EAP-FAST, EAP-TTLS:

  • DHE_RSA_WITH_AES_256_SHA256
  • DHE_RSA_WITH_AES_128_SHA256
  • RSA_WITH_AES_256_SHA256
  • RSA_WITH_AES_128_SHA256
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA

 

ISE 2.0 Patch 2 added back ciphers below:

  • RSA_DES_192_CBC3_SHA
  • DHE_DSS_WITH_AES_256_SHA
  • DHE_DSS_WITH_AES_128_SHA
  • EDH_RSA_DES_192_CBC3_SHA
  • EDH_DSS_DES_192_CBC3_SHA
  • RSA_RC4_128_SHA
  • RSA_RC4_128_MD5
  • EDH_RSA_DES_64_CBC_SHA
  • EDH_DSS_DES_64_CBC_SHA

 

EAP-FAST anonymous provisioning

  • ADH_WITH_AES_128_SHA


 

ISE 1.4/1.3

 

  • TLS 1.0 only.
  • If FIPS mode is enabled, the DES and RC4 ciphers are disabled.

 

EAP-TLS, PEAP

 

  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA
  • DHE_RSA_WITH_AES_256_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_DES_192_CBC3_SHA
  • DHE_DSS_WITH_AES_256_SHA
  • DHE_DSS_WITH_AES_128_SHA
  • EDH_RSA_DES_192_CBC3_SHA
  • EDH_DSS_DES_192_CBC3_SHA
  • RSA_RC4_128_SHA
  • RSA_RC4_128_MD5
  • EDH_RSA_DES_64_CBC_SHA*
  • EDH_DSS_DES_64_CBC_SHA*

(*) EDH_RSA_DES_64_CBC_SHA and EDH_DSS_DES_64_CBC_SHA are theoretically supported but will practically never be negotiated due to cryptographic restrictions.

 

 

EAP-FAST

 

  • RSA_WITH_AES_256_SHA
  • RSA_WITH_AES_128_SHA
  • DHE_RSA_WITH_AES_128_SHA
  • RSA_RC4_128_SHA

 

EAP-FAST anonymous provisioning

  • ADH_WITH_AES_128_SHA

 

ISE 1.2 or prior (Web Portals)


Supports TLSv1.0 only. The SSLv2 ClientHello is no longer accepted as of ISE 1.2 Patch 13, which carries the fix for CSCur29078 (ISE: evaluation of SSLv3 POODLE vulnerability).

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA (SSLv3) or TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLSv1)
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA (SSLv3) or TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLSv1)
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA (added for 1.2)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA (added for 1.2)

 

 

Government Certifications

 


Global Certifications (image: GlobalCertifications_ISE_2016-05-31.png)

FIPS

Cryptographic modules are FIPS approved.  They undergo a self-test when initialized.

Product                                  | Cryptographic Acceleration Module                                                                                                                                                 | Security Level | Software Versions | Certificate or Compliance Letter
Cisco Identity Services Engine (ISE) 1.1 | Cisco Common Cryptographic Module (C3M) (FIPS 140-2 Cert#1643); Cisco Secure Access Control Server (ACS) FIPS module and Network Security Services (NSS) (FIPS 140-2 Cert#1497)  | FIPS Level 1   | ISE 1.1           | Compliance Letter
Cisco Identity Services Engine (ISE) 1.2 | Cisco Common Cryptographic Module (C3M) (FIPS 140-2 Cert#1643) and the Network Security Services (NSS) Cryptographic Module (FIPS 140-2 Cert#815)                                 | FIPS Level 1   | ISE 1.2           | Compliance Letter

 

Common Criteria

 

Product                                  | PP Compliance | Evaluation Assurance Level        | Targeted Image | Estimated Completion
Cisco Identity Services Engine (ISE) 1.2 | N/A           | Network Device Protection Profile | 1.2            | Q3CY2013

 

DISA

  1. Go to http://www.disa.mil/Services/Network-Services/UCCO
  2. Select "Common Criteria Certified Products List"; this brings you to http://www.commoncriteriaportal.org/products.html
  3. Select "Download CSV".
  4. In the downloaded spreadsheet, search for "Cisco Identity Services Engine (ISE) v1.2".
  5. ISE appears on the certified products list (at line 1754 at the time of writing; the line number changes as products are added to or removed from the list).

 

EAL

EAL (Evaluation Assurance Level) is an aspect of Common Criteria evaluation. Previously, EAL was categorized by numeric levels; the new categorization is based on protection profiles. We are certifying against the Network Device Protection Profile version 1.1 (NDPP 1.1).

NERC

We do not have any special compliance effort planned towards the NERC standard.
Please reach out to Kevin Gagnon and Paul Forbes Bigbee with requests on this topic.

NIST

US NIST SP 800-88 (media sanitization) compliance is covered in the ISE 1.3 install guide.

FAQs


Security / Separation of ISE Portals and ISE internal DB


How is information encrypted in ISE for local Identity Storage?

  • The UNIX/Linux passwords for the ISE CLI admin and oracle accounts are SHA-256 hashed since ISE 1.3. Prior to ISE 1.3, MD5 was used for hashing CLI passwords.
  • Oracle DB users' passwords are kept in an Oracle wallet.
  • ISE 1.2 internal users' passwords are encrypted (reversibly) with AES in CBC mode and then base64-encoded. This is planned to change in ISE 1.5, where internal administrator passwords are to be hashed with SHA-256; this is tracked as user story US10854.
  • Only the ISE CLI admin users' password hashes (MD5 prior to ISE 1.3, SHA-256 from 1.3) are viewable as part of the ISE CLI running-config. The other files are not normally accessible.
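The answers in this FAQ on password storage describe a move from reversible AES-CBC encryption of internal-user passwords to SHA-256 hashing. A hash by itself is not the end of the story: a fast, unsalted hash is deterministic, so an attacker who obtains the table cracks every weak password with one precomputed list. The added example below, which is not ISE code and does not claim to show how ISE itself stores passwords beyond what this page states, puts a bare SHA-256 verifier beside a salted, iterated PBKDF2-HMAC-SHA256 verifier with constant-time checking, using only the Python standard library. The user names, passwords and wordlist are constructed.

```python
"""Two ways to store a verifier for an internal-user password: an unsalted fast
hash (what a bare "SHA-256 hash" gives you) beside a salted, iterated PBKDF2
verifier. Added example, stdlib only; not ISE code."""
import base64
import hashlib
import hmac
import os


def sha256_unsalted(password):
    """Weak: deterministic, so equal passwords give equal digests and one
    precomputed table cracks every user who chose a common password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Hardened: per-user random salt plus an iterated KDF. The output is
    self-describing so the parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed or foreign record: never "accidentally" match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def crack_unsalted(digests, wordlist):
    """Attacker's view of an unsalted table: one hash per wordlist entry, then a
    dictionary lookup recovers every user with that password at once."""
    table = {sha256_unsalted(w): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


if __name__ == "__main__":
    users = {"alice": "Summer2016", "bob": "Summer2016", "carol": "k7#Vq!2pLw9z"}  # constructed
    unsalted = {u: sha256_unsalted(p) for u, p in users.items()}
    print("unsalted, alice == bob:", unsalted["alice"] == unsalted["bob"])
    print("cracked with a 2-word list:", crack_unsalted(unsalted, ["password", "Summer2016"]))
    salted = {u: pbkdf2_hash(p) for u, p in users.items()}
    print("salted, alice == bob:", salted["alice"] == salted["bob"])
    print("verify alice:", pbkdf2_verify("Summer2016", salted["alice"]),
          "| wrong case:", pbkdf2_verify("summer2016", salted["alice"]))
```

With the unsalted scheme, alice and bob share one digest and a two-word list recovers both; with the salted scheme the two records differ, and the attacker must run the full iteration count per guess per user. The iteration count is the knob that makes offline guessing expensive, which is what distinguishes a password verifier from a plain hash.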

How is the integrity of an ISE image verified?

 

How is the user database encrypted?

"ISE 1.2 has passwords encrypted using block cipher mode (CBC) with the AES algorithm and then base64 encoded, before storing in the database. ISE 1.1 has the same thing except using the ECB mode. Data fields other than passwords are not considered sensitive and not encrypted. Please note that ISE admin users do not have direct access to the database in normal operations."

What about data outside of the ISE database?

 

Do ISE processes run as non-root?

 

PSIRT Issues and Vulnerabilities

ISE security issues are communicated through Cisco PSIRT.