Enterprise 2 Build 3 (E2B3) - Microsegmentation - Cisco ISE, Cisco Secure Workload, and Ping Identity Ping Federate as PEs Product Guides#

Note

This page is supplementary material for the NIST SP 1800-35 publication.

This section of the practice guide contains detailed instructions for installing, configuring, and integrating all of the products used to implement Microsegmentation (Network) E2B3. For additional details on E2B3’s logical and physical architectures, please refer to Architecture and Builds.

Ping Identity PingOne#

Ping Identity PingOne is a SaaS solution that provides ICAM capabilities to an enterprise. The following sections describe the setup of PingOne and its PingFederate service, and various integrations to other products. Ping Identity integrates with Radiant Logic for identity information, and with Cisco Duo to delegate the second authentication factor for users accessing resources.

Configuration: PingOne and PingFederate#

Refer to PingOne and PingFederate Configuration.

Integrations#

Refer to Ping Identity Integrations for integrations of Ping Identity with Radiant Logic and Cisco Duo.

VMware Workspace ONE Access’s Integration with PingFederate was achieved using a SAML redirect (Workspace ONE Access is configured as a third-party SAML IdP in PING). When users on mobile devices attempt to authenticate through PingFederate, they will be redirected to Workspace ONE Access. Workspace ONE Access performs seamless passwordless user and device authentication using certificates, as well as checking the device’s compliance status in Workspace ONE UEM. The result of the compliance check and authentication is passed back to PING as a SAML Assertion.

  1. To integrate with VMware Workspace ONE Access, navigate to the Authentication -> IdP Connections menu and click Create Connection to create an IdP connection. The steps below describe the information needed to configure this IdP connection.

  2. For the IDP Connection settings, the connection role is IdP using SAML 2.0. General information needed is Partner’s Entity ID, Connection Name, and Base URL. All this information is provided by Workspace ONE Access.

  3. Browser SSO properties include IdP-Initiated SSO and SP-Initiated SSO.

  4. For User-Session Creation information, leverage the contract that was created in PingOne and PingFederate Configuration.

  5. For Protocol Settings, SSO Service URLs need to include a Redirect URL and a POST URL.

  6. Lastly, a certificate that is provided by Workspace ONE Access is needed for Credentials.

Refer to the PingFederate Administrator’s Reference Guide for detailed configuration steps.

Radiant Logic RadiantOne#

Installation and Configuration#

Refer to Radiant Logic RadiantOne Installation and Configuration.

Additional attributes were added to the RadiantOne solution. These attributes allow other ZT tools to create more granular policies for access. Within the Directory Namespace, we created namespaces (HDAP) for Clearance, Data Governance, Risk, and Training. Information pertaining to these categories was imported via flat files for the purpose of this build. For configuration instructions, refer to RadiantOne v7.4.4 Namespace Configuration Guide. We also updated RadiantOne’s configuration with a global Identity view of users combining these attributes with the AD directory and HR database. We leveraged the Global Identity Builder to perform this.

Integrations#

Refer to Radiant Logic RadiantOne Integration for integration of Radiant Logic with SailPoint.

To integrate with Cisco ISE and VMware Workspace ONE Access, follow the instructions in the Integration sub-section of Radiant Logic RadiantOne Integration to create unique service accounts for the integration.

SailPoint IdentityIQ#

Installation and Configuration#

Refer to SailPoint IdentityIQ Installation and Configuration.

Integration with Radiant Logic#

Refer to SailPoint IdentityIQ Integration with Radiant Logic.

Integration with AD#

Refer to SailPoint IdentityIQ Integration with AD.

Integration with Ping Identity#

There is no integration with Ping Identity. For this build, SailPoint provides AD user information and Duo pulls from AD.

VMware Workspace ONE#

VMware Workspace ONE Access is a cloud-based service that provides a variety of management functions to support enterprise operations. For this build, two VMware services were utilized to support endpoint management functionality: Workspace ONE Access and Workspace ONE UEM.

VMware Workspace ONE Access#

Workspace ONE Access can serve as an IdP and integrate with a large range of enterprise identity components. For this build, Workspace ONE Access was integrated with PingFederate and RadiantOne to provide certificate-based authentication for endpoints.

Setup#

Each instance of Workspace ONE Access must be provisioned by VMware. After this has been completed, VMware provides access and setup instructions.

Integration with RadiantOne#

To integrate with RadiantOne, an on-premises agent was installed on a Microsoft Windows Server 2019 system and connected to Workspace ONE Access. After this, Workspace ONE Access was configured to pull user, group, and attribute information.

  1. The step-by-step guide to adding the on-prem connector can be triggered in the Workspace ONE Access console by navigating to Integrations -> Connectors and clicking New.

  2. After the on-prem agent is installed and connected to Workspace ONE Access, follow the official VMware documentation to add a new LDAP Directory and point Workspace ONE Access to your RadiantOne installation.

Once these two steps are completed, RadiantOne’s users, groups, and attributes are available for use within Workspace ONE.

Integration with PingFederate#

Integration with PingFederate was achieved using a SAML redirect. When users with mobile devices attempt to authenticate through PingFederate, they will be redirected to Workspace ONE Access if certificate authentication is available.

  1. In the Workspace ONE Access console, navigate to Integrations -> Identity Providers and click Add -> SAML IdP.

  2. Fill out details in the form pertaining to your installation. For the binding protocol, select HTTP Redirect.

  3. Under Users, select the directory that you created in your previous integration with RadiantOne.

  4. Under Authentication Methods, add a new authentication method name and select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport for the SAML Context.

  5. Click Save in the bottom right corner.

Now that the configuration on the Workspace ONE Access side has been completed, navigate to the PingFederate console.

  1. Navigate to Authentication -> IdP Connections and click Create Connection.

  2. Check the BROWSER SSO Profiles checkbox and select SAML 2.0 from the dropdown menu that appears. Click Next.

  3. Select the Browser SSO checkbox and click Next.

  4. On the Metadata URL page, click Next.

  5. Under the Partner’s Entity ID (Connection ID) section, paste your Workspace ONE Access metadata URL. It should look something like https://<WorkspaceONEAccessURL>/SAAS/API/1.0/GET/metadata/idp.xml.

  6. Under BASE URL, add the base URL for your Workspace ONE Access instance. Click Save.

Workspace ONE Access can also be configured as a Service Provider (SP) for PingFederate. This process is very similar to the IdP configuration.

  1. In the PingFederate console, navigate to Applications -> SP Connections and click Create Connection.

  2. Check the BROWSER SSO Profiles checkbox and select SAML 2.0 from the dropdown menu that appears. Click Next.

  3. Select the Browser SSO checkbox and click Next.

  4. On the Metadata URL page, click Next.

  5. Under the Partner’s Entity ID (Connection ID) section, paste your Workspace ONE Access metadata URL. It should look something like https://<WorkspaceONEAccessURL>/SAAS/API/1.0/GET/metadata/idp.xml.

  6. Under BASE URL, add the base URL for your Workspace ONE Access instance. Click Next.

  7. Under Browser SSO, select the checkboxes next to IdP-Initiated SSO and SP-Initiated SSO.

  8. For Assertion Creation, select the checkbox next to Enable Standard Identifier. Select the PingFederate contract to use for this connection.

  9. Under Protocol Settings, set the Assertion Consumer Service URL to /SAAS/auth/saml/response. Click Save.

Initial setup for this integration has now been completed. To utilize this integration, you can set policies on either Workspace ONE Access or PingFederate to point to the other IdP or SP. In PingFederate, this can be found under Authentication -> Policies. In Workspace ONE Access, this can be found under Resources -> Policies.

VMware Workspace ONE UEM#

Workspace ONE UEM provides endpoint management capabilities for this build and allows certificates to be provisioned for user authentication.

Setup#

The cloud-based Workspace ONE UEM instance must be provisioned by VMware. After this has been completed, follow the official Workspace ONE UEM documentation to deploy agents to each of your managed endpoints. Instructions for deploying profiles and compliance requirements to devices can also be found in the link above.

Integration with Certificate Authority#

To provide certificates with custom attributes, Workspace ONE UEM was integrated with the on-prem Certificate Authority hosted in Enterprise 4. Instructions on how to complete this process can be found in the official Workspace ONE UEM documentation.

Cisco Duo#

Cisco Duo is a SaaS solution that implements and enforces security policies and processes, using strong authentication to reduce the risk of data breaches due to compromised credentials and access from unauthorized devices. For this build, we use Cisco Duo as the second authentication factor for resources.

Configuration#

Refer to Cisco Duo Configuration.

Integration#

Refer to Cisco Duo Integration.

Palo Alto Networks Next Generation Firewall#

For installation, configuration, and integration instructions, refer to Palo Alto Networks Next Generation Firewall.

IBM Security QRadar XDR#

For installation, configuration, and integration instructions, refer to IBM Security QRadar XDR.

Tenable.io#

For installation, configuration, and integration instructions, refer to Tenable.io.

Tenable.ad#

For installation, configuration, and integration instructions, refer to Tenable.ad.

Tenable NNM#

For installation, configuration, and integration instructions, refer to Tenable NNM.

Mandiant Security Validation (MSV)#

For installation, configuration, and integration instructions, refer to Mandiant Security Validation (MSV).

DigiCert CertCentral#

For installation, configuration, and integration instructions, refer to DigiCert CertCentral.

Cisco Identity Services Engine (ISE)#

Cisco ISE is a network central PDP that includes both PE and PA to help organizations provide secure access to users, their devices, and the other resources in their network environment. It simplifies the delivery of consistent and secure access control to PEPs across wired and wireless multi-vendor networks, as well as remote VPN connections.

To deploy ISE, use the following steps:

  1. Install Cisco ISE ADE-OS-Version 3.1.0.010 Patch 5 using Cisco ISE Installation Guide.

  2. Continue configuration using Cisco ISE configuration information.

  3. Key configuration features used at the NCCoE lab are as follows:

    1. Basic setup: Cisco ISE Deployment model used is the “Stand Alone” as shown here.

    2. Maintain and Monitor: System recovery, syslog settings, backups/recovery, advance filtering, and reporting, including endpoint purging and quarantining used as shown here.

    3. Secure Access: Cisco ISE User Identity is supported by Integration with Microsoft Active Directory as the user identity source as shown here.

    4. Profiling and Compliance: Configuration of posture policies to mandate allowance of specific applications is shown here. For NCCoE lab configuration, AnyConnect is enabled on endpoints in order to achieve accurate posture on enterprise-supplied endpoints.

    5. Segmentation: Cisco ISE supports configuration for segmentations as shown here.

    6. BYOD: Cisco ISE is used as a tool that allow employees to securely use either employer-provided or personal devices on the enterprise network. Cisco ISE is used to protect network services and enterprise data by authenticating and authorizing users (employees and contractors) and their devices. The BYOD configuration is shown here.

Integrations#

Cisco ISE was provisioned with a service account to pull user and device attributes from Workspace ONE UEM for use in policy decisions. Configure this integration in Administration/Network Resources/External MDM using the ISE Admin Guide.

Cisco ISE and Cisco Secure Network Analytics (SNA) are integrated to allow SNA to provide network visibility information to ISE to enforce policies. Integration configuration was completed by creating a client for SNA under Administration/pxGrid Services/Client Management.

Cisco Secure Workload (CSW - Formerly Tetration)#

Cisco Secure Workload (formerly known as Cisco Tetration) is designed to address application security challenges by providing comprehensive workload protection and bringing security closer to applications and tailoring the security posture based on the application behavior. For configuration, this document references specific sections of the Cisco Secure Workload User Guide.

Configuration#

For this build, the NCCoE used the SaaS-based version of CSW. To start, contact a Cisco representative to procure an instance of CSW.

  1. A prerequisite for CSW is to gather and document the organizational layout of your enterprise in the form of security boundaries. Leverage the Cisco Secure Workload Quick Start Guide to familiarize the CSW design using scopes and labels.

  2. Once a basic understanding of CSW is achieved, a CSW administrator can leverage labels to develop the scope tree. These labels can be uploaded to CSW so that CSW maintains these additional metadata tags within the inventory database in CSW.

  3. Once logged into CSW, leverage the first-time user-experience (FTUE) wizard to define the scope and inventory. Note: This step was not necessary, but it was leveraged to have a baseline understanding of how scopes and inventory function.

  4. In parallel to a scope tree being defined in CSW, users can begin installing software agents on all workloads (resources) to be managed by CSW. Once in the “Software Agents Installer” page, the user will be guided through the process of selecting the OS platform to download. See the Deploying Software Agents page for support platforms, requirements, and install instructions.

  5. With agent installations completed on the workloads, CSW will begin collecting network flow data along with OS information about these resources. Ensure a minimum of at least a week or so if you want to take advantage of CSW’s ability to auto-generate microsegmentation policies using the solution’s built-in machine learning algorithms.

  6. Once agents are installed and your scope tree is set up properly, create policies. The policy analysis phase is intended to be an iterative process that allows a CSW user to adjust policies as necessary.

  7. Once you feel the policies are good enough to enforce, enable enforcement of those policies. Alerts should be created for escaped policies. CSW can, at a minimum, generate internal alerts, but best practice suggests that these alerts should also be sent to a northbound platform like a SIEM.

Cisco Secure Network Analytics (SNA - Formerly Stealthwatch)#

Cisco Secure Network Analytics (SNA) uses machine learning, behavioral modeling, and threat intelligence to provide network visibility. For this build, we mainly leverage NetFlow data collected from network devices to feed to SNA.

Installation#

The components of SNA are installed on-premises in the virtual environment for Enterprise 2. Installation is completed using the Virtual Edition Appliance Installation Guide 7.4.1. Specific sections from that guide are noted below.

  1. Prior to installing SNA, check all resource requirements and prerequisites (General Deployment Requirements and Section 1).

  2. Install the virtual edition for VMware vCenter (Section 3a).

  3. Configure the SNA manager and the Flow Sensor (Section 4).

Configuration#

Use the Cisco Secure Network Analytics System Configuration Guide to configure the SNA.

  1. Configure SNA to retrieve information for network appliances. This is performed by the Flow Sensor, which is a separate appliance managed by the SNA manager.

  2. Configure network components to send NetFlow data to the SNA Flow Sensor. Note: There are tools that can build the configuration for network devices.

  3. Configure hosts and host groups to be used by policies and response management.

  4. Configure policies to monitor various host groups.

  5. Configure response management to perform specific actions based on policies. Response management configuration provides information to Cisco ISE to act on those policies.

Integration#

Integrate with Cisco ISE to inform ISE of actions it needs to take to allow or deny communications based on the policies. To integrate with ISE, follow the configuration instructions shown here.

Cisco Secure Endpoint (CSE - Formerly AMP)#

Cisco Secure Endpoint (CSE) is a cloud-based solution that leverages connectors that are deployed on endpoints to protect against vulnerabilities. The configuration steps below leverage the Cisco Secure Endpoint User Guide.

  1. Work with your Cisco representative to procure an instance of Cisco Secure Endpoint.

  2. Ensure administrator accounts are created and users have access to the AMP portal.

  3. Develop policies for all your different endpoints. For this build, endpoints include Windows, macOS, Linux, iOS, and Android devices. By default, CSE has various default policies that can be applied to endpoints once these endpoints are configured. For this build, we began by leveraging the Audit mode to allow CSE to gather information and learn about the endpoints. After several weeks, we enabled the Enforce mode to block malicious traffic. Refer to Chapter 5 of the User Guide.

  4. Note that Groups can be configured to apply policies for different types of endpoints. Refer to Chapter 6.

  5. Exclusions for the types of applications that you want to exclude from policies can be configured. You can create custom exclusions or view the Cisco-maintained exclusions list. Refer to Chapter 4.

  6. Download connectors from CSE and deploy them to endpoints. Once in the Management/Download Connector page, links will be available for download or for a URL for the various endpoints that CSE supports. The URL can be provided to the user to download, or it can be downloaded and deployed via an enterprise tool. Refer to Chapters 8-12 for connector installation.

Integrations#

CSE integrates with ISE to provide endpoint threat detection information to ISE to act on. The process for integration begins with Cisco ISE. From the ISE Administration menu, click on the Third Party Vendors link. Click Add and click Cisco AMP as the vendor. Input all information. Once added, there will be a status link stating “Ready to configure.” Click on it and follow instructions to configure CSE.

Palo Alto Networks - Panorama#

Palo Alto Networks’ Panorama provides centralized management and monitoring of the Palo Alto Networks NGFWs. For this build, it was leveraged to integrate with Cisco ISE in addition to managing the NGFWs.

  1. Deploy Panorama in the virtual environment using Palo Alto Networks’ prerequisite recommendations. Follow each step of the deployment to install the VM, register Panorama and install licenses, perform updates, add firewalls as managed devices, and create templates and device groups.

  2. Complete all configuration of the firewalls on Panorama’s console.

  3. For remote access, the NGFW is leveraged to check compliance of user devices. Create the configuration for compliance checks and add it to the VPN policy created for users. Note: Integration with ISE needs to be completed prior to this step.

Integration with Cisco ISE#

For this integration, the user logging onto the Palo Alto Networks VPN will leverage ISE for authentication. The Palo Alto Networks NGFW will perform device compliance checks prior to completing the authentication. To integrate with Cisco ISE, leverage the instructions to enable delivery of vendor-specific attributes to RADIUS server.