Cisco Cisco Identity Services Engine 1.0.4 白皮書
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 22 of 27
When complete, click Save. A list of all matching endpoints is displayed.
Depending on organizational and policy requirements, it may be necessary to create multiple logical profiles to
group the medical devices by function, type, or department. Profiler policies, and thus endpoints, may belong to
multiple logical profiles.
group the medical devices by function, type, or department. Profiler policies, and thus endpoints, may belong to
multiple logical profiles.
Segmentation
Overview
Once endpoints have been discovered, classified (profiled), and optionally assigned to one or more logical profiles,
ISE can use this information to make a more informed policy decision. Actual policy will require careful
consideration of the security risks as well as the potential impact to endpoint connectivity. Many healthcare
providers are faced with the challenge that they are not aware of all medical devices and their traffic requirements.
Attempts to segment or limit network access may result in a service disruption that may pose a risk to a patient’s
health, a risk that outweighs the security risk.
ISE can use this information to make a more informed policy decision. Actual policy will require careful
consideration of the security risks as well as the potential impact to endpoint connectivity. Many healthcare
providers are faced with the challenge that they are not aware of all medical devices and their traffic requirements.
Attempts to segment or limit network access may result in a service disruption that may pose a risk to a patient’s
health, a risk that outweighs the security risk.
The possibility that service may be denied to legitimate medical devices and their supporting systems leads many
healthcare IT administrators to opt for a monitor-only policy, at least until the environment is better understood.
healthcare IT administrators to opt for a monitor-only policy, at least until the environment is better understood.
Segmentation Using Dedicated Networks
A traditional method for segmenting medical devices is to completely isolate them in one or more dedicated
networks. Although intuitive and straightforward, this method is diminishing in popularity because of the cost of
managing separate networks. These networks often require integration with shared resources and partner
networks, which makes controlled separation and “leakage” difficult to manage. Furthermore, the dedication of
networks. Although intuitive and straightforward, this method is diminishing in popularity because of the cost of
managing separate networks. These networks often require integration with shared resources and partner
networks, which makes controlled separation and “leakage” difficult to manage. Furthermore, the dedication of