How is the wired network secured today?

At the McKelvey School of Engineering, the network has many layer-2 security features enabled to secure the network. However, all of this security is performed at the port level, which means that any device that plugs into a port will receive the access designated for that port. Ports in the McKelvey School of Engineering network are currently divided into the basic security zones detailed below:

  • Low unmanaged – Ports intended for more general network access, generally configured for research labs and some public spaces.
  • Low managed – Ports intended for managed computers that require general network access.
  • Moderate managed – Ports configured for managed faculty and staff computers and printers.
  • High managed – Special ports with restricted use and a need for heightened security.

This results in a static and brittle security posture where it is difficult to identify who is connecting to the wired network and to ensure that individuals have the correct access.

To address these security vulnerabilities, the university is implementing Cisco Identity Services Engine (ISE). ISE is a purpose-built network security platform that manages and maintains specific data about all the devices connected to the network and assigns the appropriate access policy. ISE is designed to augment the network defenses already in place. People and/or devices are required to authenticate and be authorized before being granted access to the network.

Two phases of the ISE implementation at WashU:

Monitor Mode (Summer 2024)

  • In this phase, ISE allows all devices and/or users to connect regardless of authentication success (or failure).
  • This allows the administrators to build and troubleshoot policies without impacting the user.
  • As the policies are built out, more and more devices will match the new policies, and over time the entire network will become more secure. The goal is to identify and profile as much as possible while in Monitor Mode.

Low-Impact Mode (Fall 2024)

  • Builds additional security not available in Monitor Mode.
  • Immediately assigns a pre-authentication access control list (ACL) to the switchport when a device connects. This ACL grants only the necessary network access until ISE identifies the device.
  • Once authorized, the machine (and/or user) is granted the appropriate access required for it to complete its function. Typically, a specific downloadable ACL (dACL) is applied for each use case.
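The following switchport configuration is an added illustration of the two modes described above on a Cisco IOS access switch; it is not WashU's or Cisco's own configuration. The interface name, VLAN number and the ISE/DHCP/DNS addresses are placeholders, and the per-use-case dACLs are assumed to be defined on the ISE side and pushed down by RADIUS authorization.

```cisco
! --- AAA: authenticate via 802.1X/MAB and accept ISE authorization (dACLs) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! (radius server definition for the ISE node omitted; address is a placeholder)

! --- Pre-authentication ACL for Low-Impact Mode ---
! Allows only what an unidentified host needs to boot and reach ISE:
! DHCP, DNS, and the ISE node itself (placeholder address 192.0.2.10).
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 deny   ip any any

interface GigabitEthernet1/0/1
 description Low-Impact Mode port (placeholder interface)
 switchport mode access
 switchport access vlan 10
 ! 'authentication open' = traffic flows regardless of auth result.
 ! Monitor Mode is this same port WITHOUT the 'ip access-group' line:
 ! every device connects, ISE just logs and profiles.
 ! Low-Impact Mode adds the PRE-AUTH ACL so only DHCP/DNS/ISE is
 ! reachable until ISE authorizes the endpoint and replaces it with a dACL.
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Removing `authentication open` later would be the closed-mode step that neither phase described here takes, so the port stays in one of the two modes above depending only on whether the pre-auth ACL is applied.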