Cisco Identity Services Engine 1.2 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 15 of 27
station on specific ports expected for that device increases the confidence of the data regarding device type
and function.
● Classification based on expected behavior or unexpected behavior (anomalous traffic). For example,
when the infusion pumps and monitoring station described in the above examples operate within a
predicted pattern, there is assurance that the devices are operating normally. If these same devices
communicate outside their expected boundaries over foreign ports and different targets, that is an indication
that these critical devices may have been compromised, thus triggering an alarm and optional
reclassification or even quarantine.
Traditional profiling methods include the use of SNMP, DHCP, HTTP, and other common protocols. These
methods often lead to a knowledge of the OS type or hardware manufacturer. In the case of medical devices built
on general-purpose hardware and operating system software, this information may provide little value in
differentiating a Windows workstation used for a medical application from one used for nonclinical applications.
ISE ships with a number of medical profiles based on NetFlow data. These include patient monitoring devices
developed by Philips and Draeger as well as CareFusion pumps. Additional medical profiles can be added or
enhanced in ISE by inputting the specific UDP or TCP ports used by these devices.
The main attributes gathered from NetFlow probes are:
● IPV4_SRC_ADDR (source IP address)
● L4_SRC_PORT (source port)
● IPV4_DST_ADDR (destination IP address)
● L4_DST_PORT (destination port)
● Protocol (UDP or TCP)
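The following is an added example, not code from the white paper or from ISE itself. It shows how the five NetFlow attributes listed above can drive the two profiling steps the text describes: assigning an endpoint to a medical device profile from the UDP/TCP ports it is expected to use, and raising an alert when an already classified device talks over foreign ports or to unexpected targets. The profile names, port numbers, subnets and flow records are constructed placeholders, not vendor values; an administrator would substitute the ports documented for the real device.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One NetFlow record reduced to the five attributes named in the text."""
    IPV4_SRC_ADDR: str
    L4_SRC_PORT: int
    IPV4_DST_ADDR: str
    L4_DST_PORT: int
    Protocol: str  # "TCP" or "UDP"


@dataclass(frozen=True)
class Profile:
    """Expected behaviour of one device class: allowed (protocol, dst port) pairs and peer networks."""
    name: str
    ports: frozenset
    peers: tuple

    def matches(self, flow: Flow) -> bool:
        in_ports = (flow.Protocol, flow.L4_DST_PORT) in self.ports
        in_peers = any(ip_address(flow.IPV4_DST_ADDR) in net for net in self.peers)
        return in_ports and in_peers


# Hypothetical profiles (constructed): the port numbers and subnets stand in for the
# device-specific UDP/TCP ports an administrator would enter into ISE.
PROFILES = (
    Profile("Infusion-Pump", frozenset({("TCP", 5000)}), (ip_network("10.10.20.0/24"),)),
    Profile("Patient-Monitor", frozenset({("UDP", 24105), ("TCP", 24105)}), (ip_network("10.10.20.0/24"),)),
)

MIN_CONFIDENCE = 0.6  # fraction of an endpoint's flows that must fit a profile to classify it


def classify(flows: List[Flow]) -> Dict[str, Tuple[Optional[str], float]]:
    """Group flows by source address and assign the profile that most of them fit."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.IPV4_SRC_ADDR].append(f)
    result: Dict[str, Tuple[Optional[str], float]] = {}
    for src, src_flows in by_src.items():
        best_name, best_conf = None, 0.0
        for prof in PROFILES:
            conf = sum(prof.matches(f) for f in src_flows) / len(src_flows)
            if conf > best_conf:
                best_name, best_conf = prof.name, conf
        # Below the threshold the endpoint stays unclassified rather than being guessed.
        result[src] = (best_name, best_conf) if best_conf >= MIN_CONFIDENCE else (None, best_conf)
    return result


def find_anomalies(flows: List[Flow], assignments) -> List[Tuple[str, str, Flow]]:
    """Return flows from a classified endpoint that leave its expected ports or peers."""
    profiles = {p.name: p for p in PROFILES}
    alerts = []
    for f in flows:
        name, _ = assignments.get(f.IPV4_SRC_ADDR, (None, 0.0))
        if name is not None and not profiles[name].matches(f):
            alerts.append((f.IPV4_SRC_ADDR, name, f))
    return alerts


# Constructed sample flows: a pump, a monitor and an unknown host.
SAMPLE_FLOWS = [
    Flow("10.10.10.5", 49152, "10.10.20.10", 5000, "TCP"),
    Flow("10.10.10.5", 49153, "10.10.20.10", 5000, "TCP"),
    Flow("10.10.10.5", 49154, "10.10.20.11", 5000, "TCP"),
    Flow("10.10.10.5", 49155, "203.0.113.7", 445, "TCP"),   # foreign port and target
    Flow("10.10.10.6", 40000, "10.10.20.10", 24105, "UDP"),
    Flow("10.10.10.6", 40001, "10.10.20.10", 24105, "UDP"),
    Flow("10.10.10.7", 51000, "10.10.30.1", 443, "TCP"),    # fits no medical profile
]

if __name__ == "__main__":
    assigned = classify(SAMPLE_FLOWS)
    for src, (name, conf) in assigned.items():
        print(f"{src}: {name or 'Unknown'} (confidence {conf:.2f})")
    for src, name, f in find_anomalies(SAMPLE_FLOWS, assigned):
        print(f"ALERT {src} ({name}) -> {f.IPV4_DST_ADDR}:{f.L4_DST_PORT}/{f.Protocol}; review, reclassify or quarantine")
```

The confidence value mirrors the text's point that seeing the expected ports raises certainty about device type: an endpoint is only assigned a profile once most of its observed flows fit, and a single flow outside the profile does not silently reclassify it but is surfaced as an alert for the administrator to act on.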
The NetFlow probe is disabled by default.
Best practice: Implement NetFlow profiling for specific medical devices with known traffic characteristics.
Configure NetFlow sources where the medical device traffic must traverse the network. When possible, limit flow
collection to the data of interest.
ACIDEX
The Cisco AnyConnect Identity Extension (ACIDEX) is not an explicit probe configured in ISE, but is yet another
source of profiling data against which endpoints can be classified. The source of this data is currently limited to
remote devices that establish a VPN connection to a Cisco Adaptive Security Appliance (ASA) using a Cisco
AnyConnect client. This functionality is useful in profiling remote workstations and mobile devices.
The main attributes gathered from ACIDEX are:
● device-platform (example: iPad3)
● device-platform-version (example: apple-ios)
● device-type (example: 9.1)
ACIDEX attributes are forwarded from the ASA to ISE using RADIUS. Since the RADIUS probe is enabled by
default, ACIDEX processing is also enabled on ISE by default.