Zero trust model using ISE, SGT and Cat9K in a clinical environment

CCSSEC-1003, Cisco Live US 2019 (#CLUS)

Derek Dutt, UC Health, Dir of Infrastructure; Dale Keehan, UC San Diego Health, Sr. Network Engineer; Matt Jennings, Cisco, Sr. Systems Engineer

Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install Webex Teams or go directly to the team space, and enter messages/questions in the team space.

The Webex Teams space (cs.co/ciscolivebot#CCSSEC-1003) will be moderated by the speaker until June 16, 2019.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction

• Who is UC San Diego Health?

• UC San Diego Health’s Network Vision

• Past, Present and Future

• Q/A with typical customer questions

Introduction

Derek Dutt, UC San Diego Health, Director of Infrastructure

• Worked in Information Services for 22 years

• 10 years as an IT consultant supporting different industries, including Rady Children’s in San Diego

• 12 years at UC San Diego Health in several roles from Network Engineer, Network Architect, Network and Telecom Manager and now Director of Infrastructure

Derek playing lead guitar for Buckfast Superbee at The Belly Up Tavern – Aug 2018

Dale Keehan, UC San Diego Health, Sr. Network Engineer

• In the IT industry for 25+ years; has provided operational support in Science and Information Technology for most of his working life.

• Worked as top-level support for various IT-related systems within UC San Diego Health, from Digital VAX support to Cisco networking, over the last 20+ years.

• For the last 5 years he has supported the roll-out of ISE within UC San Diego Health.

Dale making a 2-point landing with his paraglider in east San Diego county

Matt Jennings, Cisco, Sr. Systems Engineer

• Working for Cisco and with UC San Diego Health for 11 years

• For the last 2 years I have been focused on the research higher education space

• 20+ year veteran in the IT industry

• Worked as a production network and security engineer with Fortune 100 companies prior to Cisco

• I have a passion for helping customers succeed in their missions

At my home away from home

Who is UC San Diego Health?

(Photos) Hillcrest Hospital Campus; Hospital Campus

Where is UC San Diego Health?

UC San Diego Health La Jolla Hospital campus

UC San Diego Health Hillcrest Hospital campus

We are here: CLUS 2019

Who is UC San Diego Health?

• Top-ranked Specialty Care

• Outstanding Stroke Care

• Nursing Excellence

• Excellence in Maternity Care

• LGBTQ Leader

• Top Hospital

• "A" for Hospital Safety and 2018 Top • Distinguished Hospital Award

• Information Technology to Enhance Patient Care and Comfort

UC San Diego Health’s Network Vision: Past, Present and Future

UC San Diego Health’s PAST network

• Cisco ACS to manage wireless enterprise authentication as well as TACACS+ for our network device authentication

• Single Chassis, Dual Sup Cat6500 Building Distribution using Layer 2 Trunking to Cat4500 Access Layer

• VLANs used for segmentation, with multiple ACLs on the distribution SVIs to create a basic security posture between the VLANs

UC San Diego Health’s PAST network (diagram)

• Access layer: two Cat 4500 switches

• Trunked VLANs from the access layer to the distribution

• Distribution: single-chassis Cat 6500, L2, no VSS design, with SVIs and ACLs

UC San Diego Health’s PAST network

• Migrated off of Cisco ACS to ISE to manage wireless enterprise authentication as well as TACACS+ for our network authentication

• Moved to dual chassis 6807 in VSS configuration for added resiliency

• The onboarding process for medical devices and other network-connected hosts was easily bypassed

UC San Diego Health’s PAST network (diagram)

• Access layer: two Cat 4500 switches

• Trunked VLANs from the access layer to the distribution

• Distribution: dual-chassis Cat 6807 in VSS, L2, with SVIs and ACLs

UC San Diego Health’s PRESENT network

• VSS was good for administration but had HA issues during ISSU that UCSD Health’s 24x7 hospital environment cannot tolerate

• Migrating from VSS to Layer 3 to maintain better HA and to allow for a future migration to SDA

• L3 topology all the way down to the access layer
  - Hybrid L2/L3
  - Komen Outpatient Pavilion: full L3

• Migration from Cat4500 to Cat9400

UC San Diego Health’s network, hybrid L2/L3 design with VSS (diagram)

• Access layer: two Cat 4500 switches

• Trunked VLANs from one access switch; L3 links from the other

• Distribution: dual-chassis Cat 6807 in VSS with SVIs and ACLs, alongside a Cat 6807 L3 distribution

UC San Diego Health’s PRESENT/FUTURE network

(Diagram)

• Access layer: two Cat 9400 switches, each with 2 SVIs using SGTs for segmentation

• L3 point-to-point links from the access layer to the distribution

• Distribution: dual-chassis Cat 9500, L3, no VSS design

UC San Diego Health’s PRESENT network

• ISE identifies profiled systems as they join the network and assigns each an SGT that limits that system’s access to the appropriate communication level.

• ISE maintains the SGT-to-SGT communication policy that the switches enforce

• Once a device is profiled it is automatically detected and assigned an SGT to limit access to the appropriate

UC San Diego Health’s PRESENT network

• Troubleshooting in ISE can be delegated to tier 2 personnel to offload network engineers from having to spend time on low level cases

• Better security and ease of operation
  - Intra-VLAN east-west segmentation
  - No more manual VLAN/port configuration; the SGT is applied automatically

• Software-defined security policy
  - Matrixed security policy vs. standard ACLs
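The SGT model the present-network slides describe (ISE assigns a tag from the device profile, a source-SGT by destination-SGT matrix rather than a per-VLAN ACL decides who may talk to whom, and the Cat9K enforces it, including east-west inside one VLAN) written out as an added example. This is illustration code, not UC San Diego Health’s or Cisco’s; the tag numbers, profile names, SGACL names and endpoints are all assumed. It also shows the edge case behind the "easily bypassed onboarding" point from the PAST-network slide: an endpoint ISE could not profile carries the Unknown tag (0), so the matrix’s default cell, not a per-device rule, decides what it can reach.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scalable Group Tags. Numbers are assumed for this example; 0 is the
# TrustSec "Unknown" tag carried by traffic from endpoints ISE has not tagged.
SGT: Dict[str, int] = {
    "Unknown": 0,
    "Clinical_Workstation": 10,
    "Infusion_Pump": 20,
    "Imaging_Modality": 30,
    "EMR_Server": 40,
}

# ISE profile -> group, i.e. what the authorization policy returns after
# profiling. Profile names are assumed, not taken from the deck.
PROFILE_TO_SGT: Dict[str, str] = {
    "Windows10-Workstation": "Clinical_Workstation",
    "Infusion-Pump": "Infusion_Pump",
    "DICOM-Modality": "Imaging_Modality",
    "EMR-Server": "EMR_Server",
}

# An SGACL is an ordered list of ACEs: (action, protocol, destination port).
# Protocol "ip" with port None matches everything.
ACE = Tuple[str, str, Optional[int]]
SGACLS: Dict[str, List[ACE]] = {
    "PERMIT_ALL": [("permit", "ip", None)],
    "DENY_ALL": [("deny", "ip", None)],
    "HTTPS_ONLY": [("permit", "tcp", 443), ("deny", "ip", None)],
    "DICOM_ONLY": [("permit", "tcp", 104), ("permit", "tcp", 11112), ("deny", "ip", None)],
}


@dataclass
class Endpoint:
    name: str
    profile: Optional[str]  # None: ISE could not profile this endpoint

    @property
    def sgt(self) -> int:
        # Unprofiled endpoints are tagged Unknown (0); the matrix default then applies.
        return SGT[PROFILE_TO_SGT.get(self.profile or "", "Unknown")]


@dataclass
class PolicyMatrix:
    """Source SGT x destination SGT -> SGACL name, plus one default cell."""
    default_sgacl: str
    cells: Dict[Tuple[int, int], str] = field(default_factory=dict)

    def set(self, src: str, dst: str, sgacl: str) -> None:
        self.cells[(SGT[src], SGT[dst])] = sgacl

    def decide(self, src_sgt: int, dst_sgt: int, proto: str, dport: int) -> str:
        # First matching ACE wins; every SGACL ends in an implicit deny.
        name = self.cells.get((src_sgt, dst_sgt), self.default_sgacl)
        for action, p, port in SGACLS[name]:
            if p in ("ip", proto) and (port is None or port == dport):
                return action
        return "deny"

    def render_ios_xe(self) -> List[str]:
        # Equivalent Catalyst 9K TrustSec CLI (IOS-XE "cts role-based" syntax;
        # verify the exact form against your release before using it).
        lines = ["cts role-based enforcement"]
        for name, aces in SGACLS.items():
            lines.append(f"ip access-list role-based {name}")
            for action, p, port in aces:
                lines.append(f" {action} {p}" + (f" dst eq {port}" if port else ""))
        for (s, d), name in sorted(self.cells.items()):
            lines.append(f"cts role-based permissions from {s} to {d} {name}")
        lines.append(f"cts role-based permissions default {self.default_sgacl}")
        return lines


def build_policy(default_sgacl: str) -> PolicyMatrix:
    m = PolicyMatrix(default_sgacl)
    m.set("Clinical_Workstation", "EMR_Server", "HTTPS_ONLY")
    m.set("Infusion_Pump", "EMR_Server", "HTTPS_ONLY")
    m.set("Imaging_Modality", "EMR_Server", "DICOM_ONLY")
    m.set("Infusion_Pump", "Infusion_Pump", "DENY_ALL")  # east-west inside one VLAN
    return m


# Constructed endpoints (not real hosts from the presentation).
PUMP_A = Endpoint("pump-a", "Infusion-Pump")
PUMP_B = Endpoint("pump-b", "Infusion-Pump")
EMR = Endpoint("emr-app-01", "EMR-Server")
UNPROFILED = Endpoint("mystery-box", None)


def demo() -> Dict[str, str]:
    legacy = build_policy("PERMIT_ALL")  # permissive default: unknown devices pass
    strict = build_policy("DENY_ALL")    # zero-trust default: unknown devices are contained
    return {
        "pump_to_emr_https": strict.decide(PUMP_A.sgt, EMR.sgt, "tcp", 443),
        "pump_to_emr_ssh": strict.decide(PUMP_A.sgt, EMR.sgt, "tcp", 22),
        "pump_to_pump_smb": strict.decide(PUMP_A.sgt, PUMP_B.sgt, "tcp", 445),
        "unprofiled_to_emr_legacy": legacy.decide(UNPROFILED.sgt, EMR.sgt, "tcp", 443),
        "unprofiled_to_emr_strict": strict.decide(UNPROFILED.sgt, EMR.sgt, "tcp", 443),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:26s} {verdict}")
    print("\n".join(build_policy("DENY_ALL").render_ios_xe()))
```

The two pumps sit in the same VLAN, and the pump-to-pump cell still denies SMB: that is the intra-VLAN east-west segmentation a VLAN-plus-SVI-ACL design cannot express. The only difference between `legacy` and `strict` is the default cell, which is exactly what an unprofiled device hits, so a permissive default recreates the old onboarding bypass under a new name.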

UC San Diego Health’s FUTURE network

• Present topology scaled up and out to all campuses and remote locations

• Use DNAC for network analytics

• SDA?

Q/A with UCSD Health using typical customer questions

• Did you need Cisco Advanced Services to implement ISE for wireless?

• Can you customize profiling for devices you are onboarding?

• How did you get all the devices profiled?

• What is your onboarding policy like?

• Did you need to work with your desktop teams extensively?

• What happens to a guest or a doctor with a BYOD?

• Can your help desk team use ISE to troubleshoot?

• What sort of issues did you run into along the way?

• What features are you using today?

• How much of your time, post implementation, do you end up taking to manage ISE? Is your world mainly ISE these days?

• How many hours do you spend on ISE per week?

• What sort of lessons learned can you tell us about?

• How are the duties delegated or shared among the teams?

• What is the redundancy you have designed into your ISE infrastructure? Did you test it?

• What does your ISE infrastructure look like today?

• What will it look like as you scale up to the whole enterprise?


Thank you
