Set up Cisco ISE to Identify and Quarantine IoT Devices

Integrate IoT Security through Cortex XSOAR with Cisco ISE to identify and quarantine IoT devices.

As an IoT Security administrator, you can selectively quarantine devices through Cisco ISE using the PanwIoTAlertSeverity and PanwIoTAlertType attributes. When you send ISE the quarantine command, ISE quarantines the impacted devices by applying policy rules based on the alert severity, the alert type, or both.
In addition to configuring ISE to identify IoT devices, configure the following on your Cisco ISE system so that it quarantines IoT devices when there are security alerts:
  • Add these custom endpoint attributes for IoT Security alerts: PanwIoTAlertSeverity and PanwIoTAlertType
  • Create authorization profiles
  • Create exception rules
  1. Add IoT Security endpoint attributes for alert severity and type.
    1. Click Administration > Identity Management > Settings > Endpoint Custom Attributes.
    2. Click the Add icon (+), enter PanwIoTAlertSeverity in the Attribute name field, and then choose String from the Type drop-down list.
    3. Click the Add icon (+), enter PanwIoTAlertType in the Attribute name field, choose String from the Type drop-down list, and then Save the configuration.
       This is a possible set of attributes:
       PanwIoTProfile, PanwIoTIP, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET, PanwIoTAlertSeverity, PanwIoTAlertType
  2. Create an authorization profile that allows IoT devices to access the network and associates them with the quarantine VLAN.
    1. Click Policy > Policy Elements > Results > Authorization > Authorization Profiles and then click Add.
    2. Enter settings like those described below and leave the other settings at their default values:
       Name: Enter a name for the profile; for example, IoT-device-protection
       Access Type: ACCESS_ACCEPT
       VLAN: (select); Tag ID: 1; ID/Name: 999, where 999 is the ID number of the quarantine VLAN.
    3. Submit the settings.
  3. Create a condition for applying an exception rule, such as applying it when the severity is critical.
    1. Click Policy > Policy Elements > Conditions > Library Conditions and then enter the following in the Editor:
       Click to add an attribute: Endpoints > PanwIoTAlertSeverity
       Operator: Equals
       Attribute value: Critical
    2. Save the configuration.
    3. In the Save condition dialog box, select Save as a new Library Condition, enter a name such as Critical Alert Severity in the Condition Name field, and then click Save.
  4. Create an authorization policy exception rule that assigns devices with critical alerts to the quarantine VLAN.
    1. Click Policy > Policy Sets and then click the Arrow icon (>) to modify your existing policy set.
    2. Expand Authorization Policy - Local Exceptions, click the Plus icon (+) to add an exception rule, and then click the Plus icon (+) to add a condition.
    3. Click-drag Critical Alert Severity from the Library into the Editor and then click Use.
    4. In Results-Profiles, choose IoT-device-protection, which is the authorization profile you created for this condition.
    5. Save the configuration.
       When you quarantine a device in the IoT Security portal, it sends the two alert attributes (PanwIoTAlertType and PanwIoTAlertSeverity) for that device (identified by its MAC address) through XSOAR to ISE. The next time that device connects to the network and requests access from Cisco ISE, the two alert attributes match this exception rule and ISE assigns the device to the quarantine VLAN.
       The device remains in quarantine while you investigate the cause of the alert. Once it's resolved, you release it from quarantine, which clears the alert attributes. When the device connects to the network and again requests access from Cisco ISE, ISE reassigns it to its usual VLAN.
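To show how the pieces of this procedure fit together, here is an added Python example (not code from the IoT Security integration, Cortex XSOAR, or Cisco) that builds the ISE ERS endpoint update carrying the two alert attributes for a device's MAC address and models the Critical Alert Severity exception rule locally. The ERS request body shape and the use of empty strings to clear the attributes on release are assumptions; the VLAN ID 999 and the attribute names come from the steps above.

```python
import re
from typing import Optional

# Names must match the custom endpoint attributes defined in step 1 exactly;
# a misspelt name is silently never matched by the exception rule.
ALERT_ATTRIBUTES = ("PanwIoTAlertSeverity", "PanwIoTAlertType")
QUARANTINE_VLAN = "999"  # ID/Name of the quarantine VLAN in the IoT-device-protection profile


def missing_attributes(configured_names) -> list:
    """Return the alert attributes that step 1 still has to define before the rule can match."""
    configured = set(configured_names)
    return [name for name in ALERT_ATTRIBUTES if name not in configured]


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def endpoint_update(mac: str, severity: Optional[str], alert_type: Optional[str]) -> dict:
    """Body for an ISE ERS endpoint update (assumed shape of PUT /ers/config/endpoint/{id}).

    None clears an attribute (assumption: an empty string clears it), which is the release case.
    """
    attrs = {"PanwIoTAlertSeverity": severity or "", "PanwIoTAlertType": alert_type or ""}
    return {"ERSEndPoint": {"mac": normalize_mac(mac),
                            "customAttributes": {"customAttributes": attrs}}}


def quarantine(mac: str, severity: str, alert_type: str) -> dict:
    """Update sent through XSOAR when a device is quarantined in the IoT Security portal."""
    return endpoint_update(mac, severity, alert_type)


def release(mac: str) -> dict:
    """Update sent when the device is released: both alert attributes are cleared."""
    return endpoint_update(mac, None, None)


def assign_vlan(endpoint_attrs: dict, usual_vlan: str) -> str:
    """Local model of the exception rule: PanwIoTAlertSeverity Equals Critical -> quarantine VLAN.

    Exact string comparison is used here; anything other than "Critical" falls through to the
    device's usual VLAN, as the default authorization policy would.
    """
    if endpoint_attrs.get("PanwIoTAlertSeverity") == "Critical":
        return QUARANTINE_VLAN
    return usual_vlan
```

Run `missing_attributes` against the attribute names exported from ISE before enabling the exception rule; an empty list means both names from step 1 exist.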