Many enterprises are seeing a massive number of Internet of Things (IoT) devices connect to their IT networks. These include industry-specific devices such as medical devices in healthcare, Programmable Logic Controllers (PLCs) in manufacturing, building automation systems such as connected Heating, Ventilating, and Air Conditioning (HVAC) systems, connected lighting, IP-based surveillance cameras and motion sensors, and consumer devices such as voice-activated virtual assistants and smart speakers.
While some devices are developed with security in mind, others have been found to be vulnerable to attack after being introduced to the market. As more devices join the network, IT and security admins need to implement strong security policies around them to prevent network attacks originating from compromised devices.
As noted in the cybersecurity framework from the National Institute of Standards and Technology (NIST), IoT security best practice starts with knowing what devices are connected to your network. Traditionally, asset management systems are heavily used for this purpose, storing information such as device unique identifiers, date of procurement, ownership, manufacturer, product name, etc.
● Understand what type of Internet-of-Things (IoT) devices are connected in your network
● Leverage third-party visibility platforms for IoT devices
● Accelerate your IT/OT network segmentation with device context
How Cisco ISE integration with third-party IoT visibility platforms works
● Third-party IoT visibility platforms establish a secure communication channel with ISE using pxGrid (version 2.0).
● The IoT visibility platforms receive traffic from the network, dissect packets using their own technology, and capture device asset information such as the manufacturer name, product name or ID, serial number, etc. This asset information is then published over pxGrid. The following list shows all available attributes that third-party visibility platforms can feed into ISE.
- Asset ID
- Asset name
- IP address
- Vendor
- Product ID
- Serial number
- Device type
- Software revision version
- Hardware revision version
- Connected links
- Custom attributes
● The ISE database is populated with these gathered attributes, which then become available for matching against the profiling policies.
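As an added illustration (not Cisco code and not the pxGrid schema), the following Python shows how a published asset record can be flattened into attributes and scored by certainty-factor style profiling rules of the kind described above; the attribute names, the sample record and the rules are assumptions constructed for the example.

```python
"""Evaluate ISE-style profiling rules over a pxGrid asset record.
The attribute names, the sample record (constructed) and the rules below are
assumptions for illustration, not Cisco's schema or shipped policies."""
from dataclasses import dataclass

SAMPLE_ASSET = {  # constructed record carrying the attributes listed above
    "assetId": "asset-0001", "assetName": "Infusion Pump 12",
    "assetIpAddress": "10.20.30.40", "assetVendor": "ExampleMed",
    "assetProductId": "IP-200", "assetSerialNumber": "SN0001",
    "assetDeviceType": "Medical", "assetSwRevision": "3.1.4",
    "assetHwRevision": "B",
    "assetConnectedLinks": [{"key": "switch", "value": "sw1-gi0/1"}],
    "assetCustomAttributes": [{"key": "FDA_Class", "value": "II"}],
}

# Attributes a record must carry before any rule is evaluated against it.
REQUIRED = ("assetId", "assetIpAddress", "assetVendor")

@dataclass
class Rule:
    profile: str     # profiling policy the rule contributes certainty to
    attribute: str   # flattened attribute name to inspect
    pattern: str     # case-insensitive substring to look for
    certainty: int   # certainty factor added when the pattern matches

RULES = [
    Rule("Medical-Infusion-Pump", "assetVendor", "examplemed", 30),
    Rule("Medical-Infusion-Pump", "assetProductId", "ip-", 30),
    Rule("Medical-Infusion-Pump", "assetDeviceType", "medical", 20),
    Rule("Medical-Infusion-Pump", "assetCustomAttributes.FDA_Class", "ii", 10),
]

def normalize(asset):  # flatten to string attributes; reject incomplete records
    missing = [k for k in REQUIRED if not asset.get(k)]
    if missing:
        raise ValueError(f"asset record missing {missing}")
    flat = {k: str(v) for k, v in asset.items() if not isinstance(v, list)}
    for bucket in ("assetConnectedLinks", "assetCustomAttributes"):
        for item in asset.get(bucket, []):  # key/value lists become dotted names
            flat[f"{bucket}.{item['key']}"] = str(item["value"])
    return flat

def profile(asset, rules=RULES, min_certainty=40):
    # Sum certainty per policy; classify only when the best clears the minimum.
    attrs = normalize(asset)
    scores = {}
    for r in rules:
        if r.pattern in attrs.get(r.attribute, "").lower():
            scores[r.profile] = scores.get(r.profile, 0) + r.certainty
    best = max(scores.items(), key=lambda kv: kv[1], default=("Unknown", 0))
    return best if best[1] >= min_certainty else ("Unknown", best[1])
```

A record that matches only weakly stays Unknown rather than being assigned a policy on thin evidence, which is the case an operator should review before segmenting on it.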
Although an Asset Management System (AMS) may capture static information, it is challenging to keep track of changes to devices after their initial registration with the AMS. A good example of this challenge is a device's IP address. From the network or security administrator's standpoint, the only identifying information for these devices is their IP and MAC address, and in most cases those address ranges and numbers do not easily tie back to asset information. If IT and security admins do not know what devices sit behind those IP addresses, it is difficult for them to create security policies to protect those devices.
Cisco® Identity Services Engine (ISE) gathers device telemetry from the network stack, identifying the user and device type in order to create and then enforce policy within the network. ISE uses profiling technology to determine a device type. The context gathered about devices is shared with third-party applications through the engine's Cisco Platform Exchange Grid (pxGrid) technology.
With the ISE 2.4 release, pxGrid technology has been enhanced to support third-party IoT visibility platforms that share asset inventory information with ISE. Context shared by third-party applications can be easily consumed by the ISE profiling policy or can be part of a profiling rule to influence final device type determination.
Some third-party applications retrieve asset information by inspecting the application payload, or they use a complex algorithm to determine the device type. ISE benefits from this augmented contextual information by enriching the endpoint attributes, resulting in very high accuracy for device profiling.
Call to action
Use a Cisco ISE Plus License to enable device profiling with pxGrid to gain higher visibility and a better understanding of the devices in your network.