Cisco Cisco Identity Services Engine 1.2 白皮書
White Paper:
Cisco Systems and the Migration from NAC to EVAS
9
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Table 3. EVAS Use Case Before, During, and After an Attack
Time
EVAS Use Case
Benefits
Before attack
Identify risky assets
Improve risk mitigation
Enforce granular network access
policies
policies
Decrease attack surface and fine-tune security controls
based upon new threat intelligence. Reduce the
number of unknown/unmanaged devices connecting to
the network.
based upon new threat intelligence. Reduce the
number of unknown/unmanaged devices connecting to
the network.
During attack
Integrate with advanced
malware detection
malware detection
Block “kill chain” tactics
Enforce immediate remediation
actions
actions
Accelerate incident detection and minimize the impact
of an attack.
of an attack.
After attack
Assess endpoints for
vulnerabilities
vulnerabilities
Remediate compromised
systems
systems
Fine-tune security controls
Use attack tactics and forensic knowledge to harden
the network and endpoints.
the network and endpoints.
Source: Enterprise Strategy Group, 2014.
Cisco Systems: An Early EVAS Leader
EVAS is a broad and growing security segment made up of lots of vendors and technologies. While some EVAS tools
may be considered best-of-breed, many CISOs want integrated enterprise solutions rather than an army of
disparate EVAS point tools.
may be considered best-of-breed, many CISOs want integrated enterprise solutions rather than an army of
disparate EVAS point tools.
requirements for an integrated EVAS architecture. Cisco’s EVAS is actually made up of a number of products that
can interoperate to form a comprehensive EVAS architecture. This includes:
can interoperate to form a comprehensive EVAS architecture. This includes:
Cisco Identity Services Engine (ISE). ISE is used as the network access nexus for consistent security across
wired networks, wireless networks, and VPNs. Security and network operations teams can use ISE to create,
enforce, and monitor granular business-centric network access policies. ISE provides visibility, context, and
control across the entire attack continuum.
wired networks, wireless networks, and VPNs. Security and network operations teams can use ISE to create,
enforce, and monitor granular business-centric network access policies. ISE provides visibility, context, and
control across the entire attack continuum.
Cisco AnyConnect. AnyConnect is used to enable secure network access between a variety of endpoints
(PCs, smartphones, tablets, etc.) and network-based assets (i.e., per application VPN access). AnyConnect
can be used to scan devices for proper hygiene and enforce corporate endpoint configuration policies
before granting network access. AnyConnect also provides device authentication, a critical component of
granular access policy enforcement. Finally, AnyConnect monitors network traffic to block malware,
inappropriate sites, and content at the corporate gateway. This improves security and network bandwidth
utilization.
(PCs, smartphones, tablets, etc.) and network-based assets (i.e., per application VPN access). AnyConnect
can be used to scan devices for proper hygiene and enforce corporate endpoint configuration policies
before granting network access. AnyConnect also provides device authentication, a critical component of
granular access policy enforcement. Finally, AnyConnect monitors network traffic to block malware,
inappropriate sites, and content at the corporate gateway. This improves security and network bandwidth
utilization.
Cisco TrustSec. While enterprises want to create and enforce granular network access policies, it is often
difficult to align business process needs with static network segmentation technologies. Cisco TrustSec was
designed to alleviate this problem. In essence, TrustSec transforms the network into a contextual firewall
by categorizing user roles, tagging devices and assets, and then enforcing ACLs based upon business and
risk management considerations.
difficult to align business process needs with static network segmentation technologies. Cisco TrustSec was
designed to alleviate this problem. In essence, TrustSec transforms the network into a contextual firewall
by categorizing user roles, tagging devices and assets, and then enforcing ACLs based upon business and
risk management considerations.
Cisco Ecosystem Partner Integrations Powered by pxGrid. Cisco has developed a program to integrate with
technology partners to provide better security and improved network forensics capabilities. Cisco has also
recently developed Cisco Platform Exchange Grid (pxGrid) technology, which introduces a new way to share
contextual data about users, devices, connections, etc. to improve visibility for network and security
administrators, but also to provide remediation of threats by dynamically changing access policies. To
technology partners to provide better security and improved network forensics capabilities. Cisco has also
recently developed Cisco Platform Exchange Grid (pxGrid) technology, which introduces a new way to share
contextual data about users, devices, connections, etc. to improve visibility for network and security
administrators, but also to provide remediation of threats by dynamically changing access policies. To