StealthWatch: Integration with Cisco ISE. Part 4

Earlier articles covered several broad topics regarding the monitoring solution. Cisco StealthWatch… Let me remind you that StealthWatch is a solution for monitoring network traffic for security incidents and the legitimacy of network interaction. StealthWatch is based on collecting NetFlow and IPFIX from routers, switches and other network devices.
For reference, I will give links to past articles: the first introduction and capabilities, deployment and configuration, as well as analysis and investigation of incidents.
Please note that monitoring, in particular Cisco StealthWatch, is primarily a solution for detecting threats and attacks. All monitoring solutions do not imply threat prevention, but it is often required. StealthWatch has out of the box integration with Cisco ISE (Identity Services Engine). The integration consists in the fact that StealthWatch detects a security incident, and Cisco ISE quarantines the host until the administrator hands it out of quarantine.
This article discusses the integration setup and an example of triggering.

Cisco ISE is

In short, Cisco ISE is a Network Access Control (NAC) solution for providing context-aware access control to users on the internal network. Cisco ISE allows you to:

  • Create guest access quickly and easily
  • Detect BYOD devices (such as employees’ home PCs that they bring to work)
  • Centralize and apply security policies to domain and non-domain users using SGT security group labels (technology TrustSec)
  • Check computers for certain software installed and compliance with standards (posturing)
  • Classify and profile endpoint and network devices
  • Provide endpoint visibility
  • Send logs of events logon / logoff of users, their accounts (identity) on NGFW to form user-based policy
  • Do everything the AAA server can do

Many colleagues in the industry wrote about Cisco ISE, I recommend that you familiarize yourself with: the practice of implementing Cisco ISE, how to prepare for the implementation of Cisco ISE, and integration with Cisco FirePOWER.

How quarantine works

The workflow of the “add / remove from quarantine” ANC policy (Adaptive Network Control) in Cisco ISE is depicted below:

  1. The user must first log into the corporate network through the WLC (access point controller). Then a REST API quarantine request is sent from the control node (Policy Administration Node).
  2. Monitoring node (Monitoring Node), which is responsible for collecting logs, sends a special PrRT request to the PSN node (Policy Service Node, is responsible for applying ISE policies). A CoA request is also sent to change the AAA attributes and disable the user.
  3. The client device is disconnected.
  4. The client tries to re-authenticate and reconnect.
  5. A RADIUS request from the client side is sent back to the monitoring node (Monitoring Node).
  6. The device is quarantined.
  7. It remains in quarantine, since the quarantine profile was applied and is still active.
  8. Having resolved the security incident, the administrator takes the host out of quarantine.

Setting up

1. In the Cisco ISE web interface, go to the Operations> Policy List and create a new policy by clicking on Add

2. Let’s call it StealthWatch_Quarantine and choose the action “Quarantine”(Quarantine) and click Submit

3. The next step is to configure the policy. Go to Policy> Policy Sets and click on the rightmost arrow under the column View

4. In the tab Authorization Policy> Global Exceptions a new rule is created (click on the “+”). Next, in the Conditions column, click “+” again and select the attribute Session ANCPolicy… Action in this rule Equals – StealthWatch_Quarantine
In a collumn Profile> DenyAccess and optionally in the column Security Groups you can specify your security group (for example, guests or marketing department). Finally, save the changes.

5. In the tab Operations> Live Logs (RADIUS or TACACS) logs can be viewed by user or address. Suppose we find user wesley.

6. Go to the StealthWatch web interface and in the tab Monitor> Users we find this user.

7. Go to its host by clicking on the IP address.

8. In paragraph ISE ANC Policy choose Edit> StealthWatch_Quarantine> Save… The host is quarantined pending further investigation.

Additionally, in ANC policy, you can use actions port_shutdown (disable the port of the network device) and port_bounce (shutdown / no shutdown device). For example, if the malware has managed to spread over an entire VLAN, then it would be more logical and faster to disable the port on the access-level switch, rather than quarantine each host.


Just as Cisco StealthWatch is a worthy security incident monitoring solution, Cisco ISE is an excellent user access control solution. The integration of these two solutions really works and allows you to minimize the response time to information security incidents.
Soon Cisco promises to add an automatic reaction to selected incidents and apply ANC policies to them, or you can write a script yourself. Both StealthWatch and ISE have an open REST API… However, this automatic integration should be configured only after a long time, when StealthWatch has formed correct host behavior models and the number of false positives is minimal.
More information on the Cisco StealthWatch is available at website… In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, then stay tuned to our channels (Telegram, Facebook, VK, TS Solution Blog)!

Similar Posts

Leave a Reply