Cisco Identity Services Engine 1.3 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 23 of 27
physical ports restricts the mobility of devices and carts that require ports to be available at any location. Some
providers have reported that they were unable to use certain critical devices in different hospital rooms. A room
may have been available, but the dedicated network ports were not.
For wireless devices it is also possible to deploy a dedicated network of access points and controllers. But again,
managing separate systems with redundancy is extremely costly, and separate wireless networks may interfere with
one another. For these reasons, healthcare delivery organizations commonly opt for a shared infrastructure
with virtual segmentation.
Segmentation Using ACLs
The use of access control lists (ACLs) to limit or segment traffic may be preferred when the allowed ports and
destinations are well known. A benefit of ACLs is that they can limit or eliminate the need for virtual local area
networks (VLANs) to separate endpoint traffic.
One challenge with ACLs is the need to manage the lists on the access devices. Cisco supports downloadable
ACLs (dACLs), which allow ACLs to be centrally managed, but maintaining these policies can still be cumbersome,
especially if they change frequently. Another challenge with ACL enforcement is that access-layer ACLs are
intended only for coarsely defined policy: hardware limits often restrict the number of ACL rules on the access
device to a few entries. Firewalls are typically required to provide more granular policy control further upstream in
the network or closer to the protected hosts.
To implement a monitor-only policy for medical devices, ISE can assign an ACL that permits all access (for
example, “permit ip any any”).
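As an added example (not code from the white paper), the following Python models how an access device evaluates a dACL, first match wins with an implicit deny at the end, so the page's monitor-only "permit ip any any" can be compared against a constructed restrictive dACL, and a dACL can be checked against an assumed per-port entry budget of the kind the hardware limits above impose. The restrictive dACL, the addresses and the entry limit are constructed sample values.

```python
import ipaddress

# The white paper's monitor-only dACL: every flow is permitted, nothing is blocked.
MONITOR_ONLY_DACL = ["permit ip any any"]

# Constructed restrictive dACL (assumed sample, not from the white paper) in
# Cisco extended-ACL syntax: DNS, HTTPS to one server, ICMP, then deny the rest.
RESTRICTIVE_DACL = [
    "permit udp any any eq 53",
    "permit tcp any host 10.10.20.5 eq 443",
    "permit icmp any any",
    "deny ip any any",
]

def _parse_target(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_ace(line):
    """Parse one access control entry into action, protocol, src, dst, dst port."""
    action, proto, *rest = line.split()
    src, rest = _parse_target(rest)
    dst, rest = _parse_target(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(dacl, proto, src, dst, dport=None):
    """First-match evaluation; a flow matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, dacl):
        if ace["proto"] not in ("ip", proto):
            continue                      # 'ip' matches every protocol
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False

def fits_hardware_limit(dacl, max_entries):
    """True when the dACL fits the access device's (assumed) per-port entry budget."""
    return len(dacl) <= max_entries
```

Running the same flow through both dACLs shows the trade-off the text describes: the monitor-only policy records the session without blocking anything, while the restrictive one needs several entries of the small budget a switch port typically has.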
Segmentation Using VLANs and WLANs
VLANs and wireless LANs (WLANs) are commonly used to segment medical networks. A key advantage of VLANs
is that they are intuitive. All the devices in the same VLAN are virtually segmented from the devices in other
VLANs. However, VLANs do not guarantee traffic separation. Unless VLANs are completely isolated through the
use of virtual routing and forwarding (VRF) or a similar method, ACLs or other firewall services are needed at the
VLAN boundaries.
A major challenge using VLANs for network segmentation is the need to define and coordinate the assignment of
these separate networks across the access layer. IP address management also becomes more difficult because
each VLAN must typically be assigned its own subnetwork. Finally, DHCP may not work as expected if the
endpoint is allowed to acquire an IP address in an initial VLAN and is then assigned a different VLAN upon
authorization. Some hosts can detect this VLAN change while others do not. In the latter case, the endpoint may
be stuck without access due to an IP mismatch.
To implement a monitor-only policy for medical devices, ISE can assign a VLAN that segregates the Layer 2 traffic
but does not restrict IP access.
Note: A VLAN-based policy requires that static endpoints have been assigned an appropriate IP address for the
authorized VLAN. DHCP-enabled medical devices may require “closed mode” port authentication, whereby a
VLAN is assigned only after authentication to avoid the case where the host acquires an initial VLAN IP address.
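The DHCP failure mode described in the VLAN paragraph and the "closed mode" remedy in the note, as an added example that is not part of the white paper: a small Python model of the lease-then-reassign sequence for open versus closed port authentication, plus a check an operator could run over exported session data to find endpoints whose address does not belong to their authorized VLAN. The VLAN numbers, subnets and session records are constructed values.

```python
import ipaddress

# Constructed VLAN-to-subnet table (assumed values, not from the white paper).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # initial VLAN of a port before authorization
    20: ipaddress.ip_network("10.10.20.0/24"),  # VLAN ISE authorizes for the medical device
}

def dhcp_lease(vlan):
    """Stand-in for a DHCP server: hand out a fixed address from the VLAN's subnet."""
    return str(VLAN_SUBNETS[vlan][10])

def simulate_port(mode, initial_vlan, authorized_vlan, host_detects_vlan_change):
    """Return the IP a host ends up with after ISE authorizes the port.

    "closed": no IP traffic (DHCP included) passes before authorization, so the
              lease is always taken from the authorized VLAN.
    "open":   the host leases in the initial VLAN, then ISE moves the port; only
              a host that notices the VLAN change re-leases in the new VLAN.
    """
    if mode == "closed":
        return dhcp_lease(authorized_vlan)
    ip = dhcp_lease(initial_vlan)
    if authorized_vlan != initial_vlan and host_detects_vlan_change:
        ip = dhcp_lease(authorized_vlan)
    return ip

def is_stuck(ip, authorized_vlan):
    """True when the address is outside the subnet of the authorized VLAN (IP mismatch)."""
    return ipaddress.ip_address(ip) not in VLAN_SUBNETS[authorized_vlan]

# Constructed session records: endpoint MAC, IP it holds, VLAN ISE authorized.
SESSIONS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.10.20.15", "vlan": 20},
    {"mac": "00:11:22:33:44:02", "ip": "10.10.10.77", "vlan": 20},  # leased in 10, moved to 20
    {"mac": "00:11:22:33:44:03", "ip": "10.10.10.78", "vlan": 10},
]

def find_stuck_endpoints(sessions):
    """Return the MACs of endpoints left without access because of an IP mismatch."""
    return [s["mac"] for s in sessions if is_stuck(s["ip"], s["vlan"])]
```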