Identity Services Engine

Blackout

Someone give me the skinny on this, is this going to get big?

Iristheangel

LoL. Check out the link in my signature, my friend. I've pretty much become "that person" people call in my area for ISE help.

ISE is pretty much what NAC evolved to. I've used it from 1.1 to 2.0. I really don't think it was solid until about 1.3 tbh. 2.0 just added a lot more benefits and made the GUI a lot easier to work with. It seems like Cisco is investing a LOT of money on using it as the "glue" to tie all the security products together. As of now, you can use ISE's pxgrid functionality to share information and even remediation functions between ISE and Lancope, Firepower, WSA, Splunk, etc. It's a cool concept. I have it running it my lab right. My favorite and probably the coolest is the ISE + Lancope integration. Oh? Something acting up on my network? Hit that Quarantine button in Lancope and watch ISE blackhole that device. Firepower they are still working on... it's more of a coorelation policy to make that work and while I have it working, it's something you have to be very sure of the policy before you deploy it in production. I haven't tested it in Splunk yet but I plan on doing it next.

As far as "getting big," it's big as far as NAC is concerned but I don't see a lot of smaller businesses using it past guest wireless. Medium and large customers I see use it a lot more for dot1x, TACACS+, wireless, and VPN. If you really want to pick up an awesome and practical book on ISE, check this one out: http://www.amazon.com/Practical-Deployment-Identity-Services-Engine/dp/0128044578/ref=sr_1_4?ie=UTF8&qid=1453217471&sr=8-4&keywords=ISE

Honestly, I think learning ISE is a good investment for yourself as far as niche skills. I don't see a lot of people in the enterprise really know it well and just having it on my linkedin is like recruiter crack :P

joelsfood

Iris about covered it. ISE isn't likely to go away, but it's unlikely to hit any more instalaltions than NAC/TACACS+. I've taken a peek at it, but as I no longer support anyone that runs/ran TACACS+, I never bothered to learn it. Definitely better uses for your studying, unless you're really interested.

Blackout

Iristheangel wrote: »

LoL. Check out the link in my signature, my friend. I've pretty much become "that person" people call in my area for ISE help.

ISE is pretty much what NAC evolved to. I've used it from 1.1 to 2.0. I really don't think it was solid until about 1.3 tbh. 2.0 just added a lot more benefits and made the GUI a lot easier to work with. It seems like Cisco is investing a LOT of money on using it as the "glue" to tie all the security products together. As of now, you can use ISE's pxgrid functionality to share information and even remediation functions between ISE and Lancope, Firepower, WSA, Splunk, etc. It's a cool concept. I have it running it my lab right. My favorite and probably the coolest is the ISE + Lancope integration. Oh? Something acting up on my network? Hit that Quarantine button in Lancope and watch ISE blackhole that device. Firepower they are still working on... it's more of a coorelation policy to make that work and while I have it working, it's something you have to be very sure of the policy before you deploy it in production. I haven't tested it in Splunk yet but I plan on doing it next.

As far as "getting big," it's big as far as NAC is concerned but I don't see a lot of smaller businesses using it past guest wireless. Medium and large customers I see use it a lot more for dot1x, TACACS+, wireless, and VPN. If you really want to pick up an awesome and practical book on ISE, check this one out: http://www.amazon.com/Practical-Deployment-Identity-Services-Engine/dp/0128044578/ref=sr_1_4?ie=UTF8&qid=1453217471&sr=8-4&keywords=ISE

Honestly, I think learning ISE is a good investment for yourself as far as niche skills. I don't see a lot of people in the enterprise really know it well and just having it on my linkedin is like recruiter crack :P

They moved me back over into TAC (Cisco) to train up in ISE. I was previously doing Core Architecture. I have always been interested in the security side. Just really wanted to see outside of Cisco's perception, what the general overall viability ISE is. The last thing I want to do is get all trained up in something and have it go the way of ZBFW lol

Danielm7

We have a big ISE deployment planned this year, excited to get it going. All the demos I've seen so far with our Cisco team have been very interesting.

Iristheangel

The way of ZBFW? ZBFW is still used and supported all over the place and it's baked into the iWAN design guide. I deployed ZBFW at 40 locations at my last job. It's simple and easy if you're looking for basic segmentation.

I think a more accurate description would be going the way of MARS or CX :P

Iristheangel

Danielm7 wrote: »

We have a big ISE deployment planned this year, excited to get it going. All the demos I've seen so far with our Cisco team have been very interesting.

If you have access to the OVA on Cisco's site, spin up a lab. I use vWLC and ISE VMs for a quick and dirty lab. Just add an AP and switch and you can test most functions Check out my blog's instructions, labminutes.com (free videos on ISE) and the above book I posted. The book is under 300 pages so easy reading

Blackout

Probably right about the ZBFW, but in my defense being in TAC we see a ton of the issues with it. So I had just assumed it was crap lol.

Anyways I appreciate the heads up, will definitely get up to speed with ISE.

Danielm7

Iristheangel wrote: »

If you have access to the OVA on Cisco's site, spin up a lab. I use vWLC and ISE VMs for a quick and dirty lab. Just add an AP and switch and you can test most functions Check out my blog's instructions, labminutes.com (free videos on ISE) and the above book I posted. The book is under 300 pages so easy reading

I'll have to check that out, thanks!

Iristheangel

Blackout wrote: »

Probably right about the ZBFW, but in my defense being in TAC we see a ton of the issues with it. So I had just assumed it was crap lol.

Anyways I appreciate the heads up, will definitely get up to speed with ISE.

Remember: Being in TAC means you get to see all the issues, bugs, misconfigurations, etc. When 90% of the calls you get are issues, it's easy to assume to assume the worst. Go ahead and take a look at my TAC cases since you know my real name. The only issue I had with ZBFW was a cosmetic one with the logging that was easily fixed with a command but I had a lot more "fun" ISE 1.1 issues. Thankfully, seeing it since 1.1 and having to deal with it, it's been amazing to see the evolution and how much better it's gotten.

Reach out to me if you need anything else on ISE. Also a good recommendation for an easy high level look: Check out the PEC labs and the ATP training on the Cisco PEC site. That'll give you some easy config-level and architectural understanding.

Blackout

Iristheangel wrote: »

Remember: Being in TAC means you get to see all the issues, bugs, misconfigurations, etc. When 90% of the calls you get are issues, it's easy to assume to assume the worst. Go ahead and take a look at my TAC cases since you know my real name. The only issue I had with ZBFW was a cosmetic one with the logging that was easily fixed with a command but I had a lot more "fun" ISE 1.1 issues. Thankfully, seeing it since 1.1 and having to deal with it, it's been amazing to see the evolution and how much better it's gotten.

Reach out to me if you need anything else on ISE. Also a good recommendation for an easy high level look: Check out the PEC labs and the ATP training on the Cisco PEC site. That'll give you some easy config-level and architectural understanding.

Cool, and thank you.

joelsfood

Heh, two days after you ask, and I see my first and only Upwork posting for ISE

https://www.upwork.com/job/Senior-Cisco-Identity-Service-Engineer_~0144ac92a14a9d0eb9/

Iristheangel

Kinda funny. They're asking for 9 years of experience and yet ISE 1.0 came out in 2012