Duo and ISE Integrated Use Case – Delivering Zero Trust security for the workforce and workplace
By Amanda Rogerson This blog series will highlight exciting new developments and integrations between solutions within the Cisco Security portfolio with our acquisition of Duo Security. These posts will cover details about the problems that are being solved by these integrations with links to helpful technical documentation if you are interested in seeing for yourself the benefits that are provided. If you would like further information on how you can improve your security posture by leveraging these integrations, please contact our sales team.
Zero trust is a comprehensive security approach that secures access by your users, devices, applications and networks. This approach to security helps organizations implement practices that establish trust in the users and devices accessing sensitive applications and network resources, helping to prevent unauthorized access and reducing the risk of an attacker’s lateral movement through the network.
To protect the workforce, a zero trust security approach ensures only the right users and secure devices can access applications. And for the workplace, it secures all user and device connections across the network, including IoT. The integrations provided between Duo Security and Cisco’s Identity Services Engine (ISE) provide zero trust application and network access controls you need for the workforce and workplace.
Use Case 1: Zero trust remote access
ISE and the AnyConnect Secure Mobility Client empowers your mobile workforce with secure Virtual Private Network (VPN) access to the workplace. By integrating with Duo, you gain enhanced device visibility and multi-factor authentication (MFA) and establishing device trust.
Problem Solved: Customers who want to implement additional verification of the user when providing access to their corporate network via VPN. The motivators behind this requirement are:
VPN access provides end users with access to the entire network, many environments do not have the network segmentation robust policy to provide access to only the resources users need. Next best step for protection is to implement MFA to achieve higher level of confidence the user is who they say they are.
Credential compromise is still one of the biggest reasons customers get breached
Compliance (HIPAA, PCI-DSS etc.)
Solution: You can enhance remote access security with Duo Security, Cisco ISE, and the AnyConnect Secure Mobility Client. It’s easy to add multi-factor authentication to VPN access so that you can verify the trust in remote users. Here’s how:
Cisco AnyConnect Client + Cisco ASA utilizes Cisco ISE for Access Control. Customers add the Duo Authentication Proxy as a 2nd authentication source in the Cisco ISE. Upon AnyConnect login users are prompted for 2FA from Duo.
Use Case 2: Zero trust network administration.
ISE controls network administrator access to critical network infrastructure equipment like switches and routers with the added security layer of Duo’s multi-factor authentication to mitigate the risks of unauthorized access which could result in intentional misconfigurations that cause severe network outages.
Problem Solved: Most customers have network devices (Routers, Switches etc) in their environments which require access to manage and configure. Many of these network devices utilize a Cisco protocol called TACACS+ to authenticate and authorize end user admin access to the network device. Customers want to enable MFA for admin access to these network devices.
Solution: With the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users customers can protect admin access to network devices which utilize the TACACS+ protocol for primary authentication to ISE and 2FA with Duo by utilizing the Duo Authentication Proxy.
Stay tuned for more integration stories and use cases. You can learn more about Cisco Zero Trust here, and if you want to see the powerful security controls that Duo offers you can sign-up for a free trial at sign-up.duo.com .
Source:: Cisco Security Notice