
ESOFT METRO CAMPUS

Project details
Title: Enhancing Network Security and Access Control through SDN and Cisco ISE Integration

Student Name : Pallekandalage Ravindu Priyankara

Registration No : E219483

Supervisor : Mr. K G R U Ishara

Second Supervisor :

Date Submitted : 28th of April 2024

Date Approved :
Introduction
In today's interconnected world, ensuring the security of the network infrastructure in every organization is
mandatory. Through my exploration and analysis of our company's current network setup, I have observed
significant vulnerabilities and challenges that demand our attention. While our existing infrastructure has
facilitated communication and collaboration, it is evident that traditional security measures are no longer
sufficient to protect against modern threats.

In my investigation, I have observed our organization's commitment to technological advancement in
support of organizational growth. However, reliance on standard security policies has left us exposed to
emerging risks and potential breaches.

Of particular concern is our inability to effectively identify and manage external access to our network.
Incidents of unauthorized access and data breaches have underscored the critical need for enhanced security
measures.

Through my observations, it has become clear that our organization's security posture requires urgent
reinforcement.

To address these challenges, I propose the integration of two innovative technologies, Software-Defined
Networking (SDN) and Cisco Identity Services Engine (ISE). By leveraging the capabilities of
SDN's centralized control and Cisco ISE's identity-based access control, we can establish a dynamic and
adaptive security framework tailored to our organization's needs.

Through this proposal, I aim to outline the issues we have in the current setup and detail how the integration
of SDN and Cisco ISE can mitigate these challenges and enhance our overall security posture.

Background and Motivation
In this chapter I explain in detail the background of the current issues, as well as why it is mandatory
to resolve them to prevent unnecessary security breaches in an organization, and how the proposed
solution will be implemented within the current setup. I have structured this chapter into three main
points for easy understanding.
1. Identification of Current Issues:
1.1 Inadequate Access Control: We have only basic access control mechanisms, which leads to challenges in
effectively managing and securing access to network resources. Without proper control over who can access
what, we are vulnerable to unauthorized access and potential security breaches.

1.2 Limited Visibility and Monitoring: Another critical issue is the lack of visibility into network traffic
and user activities. Without comprehensive monitoring capabilities, we struggle to detect and respond to
security incidents in a timely manner.

1.3 Insufficient Authentication and Authorization: Our current authentication and authorization
mechanisms are outdated and not strong enough. With limited capabilities to verify user identities and
enforce access policies, we are unable to proactively protect sensitive data and ensure compliance with
regulatory requirements.

2. Why This Problem is Worth Solving:

2.1 Security Risks and Compliance Concerns: Addressing these issues is crucial for mitigating security
risks and ensuring compliance with industry regulations and standards. Failure to implement adequate
access control measures can result in data breaches, financial losses, and damage to our organization's
reputation.

2.2 Operational Efficiency and Resilience: By improving access control, visibility, and authentication
mechanisms, we can enhance operational efficiency and resilience. A more secure and well-monitored
network infrastructure enables smoother operations, faster incident response, and better resource utilization.

3. Motivation and Capabilities:

3.1 Personal Drive and Commitment: I am deeply motivated to undertake this project because of my
passion for networking and my commitment to protecting our organization's assets. I understand the
importance of addressing these security challenges and am dedicated to finding effective solutions that meet
our needs.

3.2 Technical Expertise and Experience: With extensive experience in network security and a strong
background in implementing advanced technologies, I possess the technical expertise necessary to lead this
project to success. My knowledge of access control, network monitoring, and authentication protocols
positions me well to tackle the complexities of our network security challenges.

3.3 Collaborative Approach and Resources: Additionally, I am committed to fostering collaboration and
leveraging available resources to support this project. By working closely with stakeholders, engaging with
industry experts, and accessing relevant tools and technologies, I am confident in our ability to achieve our
goals and enhance our network security posture.

Problem in Brief
As shown below, our organization's network has security gaps that expose us to cyber threats:

Insufficient Security Measures: Our current security setup relies on outdated methods that aren't strong
enough to defend against modern cyber-attacks. We need advanced security solutions to protect our network
from modern threats.

Weak Access Control: We have only basic access control mechanisms, making it easy for unauthorized
users to access our network. Advanced access control is mandatory to prevent unauthorized access to
sensitive data and resources.

Limited Visibility and Monitoring: Our network lacks comprehensive monitoring capabilities, hindering
our ability to detect and respond to security incidents effectively. Enhanced visibility into network traffic
and activities is essential for identifying and mitigating potential threats.

Challenges with Authentication: Verifying the identity of users and devices connecting to our network is
challenging. Implementing strong authentication measures is vital to ensure that only authorized entities
can access our network resources.

Significance of the Issue:

These security shortcomings expose our organization to significant risks, including data breaches, financial
losses, and reputational damage. Addressing these issues is imperative to safeguard our network assets and
maintain the trust of our stakeholders.

As described above, these are high-risk issues that need to be resolved immediately to prevent such threats.

Aim
The aim of this project is to develop an advanced network security solution to address the vulnerabilities and
shortcomings identified in our current network infrastructure. This solution will include Software-Defined
Networking (SDN) and Cisco Identity Services Engine (ISE) technologies to enhance access
control, visibility, and monitoring capabilities within our network environment. By integrating SDN's
centralized control and programmability with Cisco ISE's identity-based access control and policy
enforcement, the project aims to establish a dynamic and adaptive security framework that mitigates cyber
threats and ensures the integrity and availability of our organization's data and resources.

Objectives
Critical Review of the Problem Domain: Conduct a comprehensive review and analysis of the current
network security challenges and vulnerabilities within our organization's infrastructure. Identify key areas
of concern, including access control limitations, visibility gaps, and authentication dependencies.

Critical Study of Technologies that Can Solve the Problem: Conduct an in-depth study and evaluation
of technologies, frameworks, and methodologies that can effectively address the identified network security
challenges. Explore the capabilities and limitations of Software-Defined Networking (SDN) and Cisco
Identity Services Engine (ISE) technologies, as well as alternative solutions, to determine their suitability
for mitigating the identified issues.

Design and Develop a System for Solving the Problem: Design and develop an advanced network
security solution based on the findings from the critical review and study. Define architecture, protocols,
and components for implementing access control, visibility, monitoring, and threat response mechanisms
within the network infrastructure. Utilize SDN's centralized control and programmability, along with Cisco
ISE's identity-based access control and policy enforcement capabilities, to design an advanced security
framework.

Evaluation of the Proposed System: Evaluate the effectiveness and performance of the proposed network
security solution through various testing and validation. Conduct functional testing, security assessments,
and performance evaluations to validate the solution's ability to address the identified network security
challenges and meet the organization's requirements. Take feedback from key stakeholders and
maintain the solution based on their input and observations.

Preparation of Final Documentation: Prepare comprehensive documentation detailing the design,
implementation, and evaluation of the network security solution. Document the methodology, findings, and
recommendations from the critical review and study, as well as the design decisions, implementation
details, and testing results of the proposed system. Compile all documentation into a final report and
presentation for publication to stakeholders and for future reference.

Proposed Solution: Enhancing Network Security with SDN and Cisco ISE
Introduction:
In this chapter, I present the proposed solution for enhancing network security within our organization
using Software-Defined Networking (SDN) and Cisco Identity Services Engine (ISE). I outline the key
components of the solution, discuss the architectural design, and provide insights into how SDN and Cisco
ISE will be integrated to address the identified network security challenges.
Proposed Solution Overview:
The proposed solution aims to address the vulnerabilities and issues present in our current network security
infrastructure by using innovative technologies such as SDN and Cisco ISE. The primary objectives of the
solution include improving access control, enhancing visibility and monitoring, and enabling dynamic
threat response. By integrating SDN's centralized control and programmability with Cisco ISE's identity-
based access control and policy enforcement capabilities, I aim to establish an advanced security framework
that mitigates cyber threats and ensures the integrity and availability of our organization's data and
resources.
Architectural Design:
The architectural design of our proposed solution is centered around the integration of SDN and Cisco ISE
technologies to create a cohesive and adaptive security framework. At the core of the architecture is the
SDN controller, which serves as the centralized intelligence that distributes network policies and
configurations. Network devices such as switches and routers are programmed to communicate with the
SDN controller via southbound APIs, enabling dynamic policy enforcement based on real-time network
conditions. Cisco ISE is integrated into the architecture to provide identity-based access control and policy
enforcement, using attributes such as user identity, device type, and location to decide which access policy
applies to each endpoint.
Key Components:
The key components of our proposed solution include:
SDN Controller: Provides centralized control and programmability, enabling dynamic policy enforcement
and network orchestration.
Network Devices: Includes switches, routers, and other network infrastructure components programmed to
communicate with the SDN controller and enforce access control policies.
Cisco ISE: Acts as the policy engine for identity-based access control, authentication, and authorization,
integrating with the SDN controller to enforce network policies based on user identity and other contextual
attributes.
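The architecture above describes two roles working together: Cisco ISE decides, from attributes such as user identity, device type and location, which access policy an endpoint gets, and the SDN controller turns that decision into configuration pushed to switches over southbound APIs. The Python model below is an added illustration of that division of labour; it is not code from this proposal, from Cisco ISE or from any real SDN controller, and it does not speak any real southbound protocol. An ordered rule set plays the part of the policy engine, a compile step produces per-port flow rules, a tiny switch simulation checks what the endpoint can reach, and a re-authorization step shows the policy being re-evaluated when context (here, location) changes. All rule names, groups, VLAN numbers, subnets and endpoint sessions are constructed for the example.

```python
"""Toy model of identity-based policy decision plus SDN flow compilation.

Added example only: NOT Cisco ISE's API and NOT a real controller's southbound
protocol. Every rule, group, VLAN, subnet and session here is constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    """Context the policy engine sees for an authenticated endpoint (constructed)."""
    user: str
    group: str         # e.g. "employees", "contractors"
    device_type: str   # e.g. "corporate-laptop", "byod", "printer"
    location: str      # e.g. "hq", "branch"
    switch: str        # access switch the endpoint is attached to
    port: int          # port on that switch


@dataclass(frozen=True)
class Decision:
    """Authorization result: VLAN plus the destinations the endpoint may reach."""
    rule: str
    vlan: int
    allowed_dst: tuple  # CIDR strings; an empty tuple means deny everything


# Ordered authorization rules, first match wins (hypothetical rule set).
# Each condition is a mapping of session attribute -> required value.
RULES = [
    ({"group": "employees", "device_type": "corporate-laptop", "location": "hq"},
     Decision("corp-laptop-hq", 10, ("10.0.0.0/8",))),
    ({"group": "employees", "device_type": "corporate-laptop"},
     Decision("corp-laptop-branch", 11, ("10.10.0.0/16", "10.20.0.0/16"))),
    ({"device_type": "byod"},
     Decision("byod-proxy-only", 20, ("203.0.113.0/24",))),
    ({"group": "contractors"},
     Decision("contractor-limited", 30, ("10.30.0.0/24",))),
]
DEFAULT = Decision("default-deny", 999, ())  # quarantine VLAN, no destinations


def authorize(session: Session) -> Decision:
    """Policy-engine step: match session attributes against the ordered rules."""
    for conditions, decision in RULES:
        if all(getattr(session, attr) == value for attr, value in conditions.items()):
            return decision
    return DEFAULT


def compile_flows(session: Session, decision: Decision) -> list:
    """Controller step: turn a decision into per-port flow rules for the switch.

    Flows are generic match/action dicts; a real controller would push them over
    its southbound API. A catch-all drop guarantees default deny on the port.
    """
    flows = []
    for cidr in decision.allowed_dst:
        flows.append({"switch": session.switch, "in_port": session.port,
                      "dst": ip_network(cidr), "priority": 100,
                      "action": f"set_vlan:{decision.vlan},forward"})
    flows.append({"switch": session.switch, "in_port": session.port,
                  "dst": None, "priority": 0, "action": "drop"})
    return flows


def switch_forwards(flows: list, dst_ip: str) -> bool:
    """Simulate the switch: the highest-priority matching flow decides."""
    addr = ip_address(dst_ip)
    for flow in sorted(flows, key=lambda f: f["priority"], reverse=True):
        if flow["dst"] is None or addr in flow["dst"]:
            return flow["action"].endswith("forward")
    return False


def reauthorize(session: Session, **changed):
    """Context change (e.g. endpoint moved): re-run policy and recompile flows."""
    new_session = replace(session, **changed)
    decision = authorize(new_session)
    return new_session, decision, compile_flows(new_session, decision)


if __name__ == "__main__":
    alice = Session("alice", "employees", "corporate-laptop", "hq", "sw1", 3)
    decision = authorize(alice)
    flows = compile_flows(alice, decision)
    print(decision.rule, decision.vlan, switch_forwards(flows, "10.5.5.5"))
    # The same laptop appears at a branch: policy is re-evaluated, flows replaced.
    _, moved, moved_flows = reauthorize(alice, location="branch")
    print(moved.rule, moved.vlan, switch_forwards(moved_flows, "10.5.5.5"))
```

The design point to notice is the explicit catch-all drop in compile_flows: the endpoint reaches only what the matched rule lists, and an endpoint that matches no rule lands in the quarantine decision with no forwarding flows at all, so a gap in the rule set fails closed rather than open.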

Implementation Considerations:
Several implementation considerations need to be addressed when deploying the proposed solution within
our organization's network infrastructure. These considerations include:
Network Topology: Designing a network topology that facilitates communication between SDN
components and existing network infrastructure.
Hardware and Software Requirements: Identifying the hardware and software requirements for deploying
the SDN controller and Cisco ISE components.
Configuration Settings: Configuring network devices and policy engines to enforce access control policies
and facilitate communication between SDN components.
Integration with Existing Systems: Ensuring seamless integration with existing systems and applications to
facilitate identity management and policy enforcement.
Conclusion:
In conclusion, our proposed solution offers a comprehensive approach to enhancing network security with
SDN and Cisco ISE technologies. By leveraging the capabilities of these technologies, I aim to establish a
resilient and adaptive security framework that safeguards our organization's data, resources, and reputation
against the evolving threat landscape. Moving forward, I will proceed with the implementation of the
proposed solution, addressing implementation considerations and refining the architecture to meet our
organization's specific security requirements.

Resource Requirements: Hardware, Software, and Cost Considerations


Introduction:
In this chapter, I outline the hardware, software, and other resources required to complete the proposed
network security project utilizing SDN and Cisco ISE technologies. I discuss the specifications of the
hardware components, software licenses, and associated costs involved in deploying the solution.
Hardware Requirements:
I begin by detailing the hardware requirements necessary for setting up the network security solution within
the EVE-NG environment. This includes specifications for the server hosting EVE-NG, such as CPU,
RAM, and storage capacity, to ensure optimal performance during network simulation and testing.
Additionally, I discuss any hardware peripherals, such as network adapters or USB dongles, required
for connecting physical devices to the virtualized environment.
Software Requirements:
Next, I outline the software requirements for deploying the proposed solution, including the operating system
and virtualization software. I discuss the compatibility of EVE-NG with different operating systems and
provide recommendations for selecting the appropriate version based on hardware specifications and user
preferences. Additionally, I discuss the availability of virtual machine templates and software images for
deploying SDN controllers, Cisco ISE instances, and network devices within the EVE-NG environment.

Licensing and Cost Considerations:
I then address the licensing requirements and associated costs for acquiring the necessary software licenses
and subscriptions. This includes licensing fees for SDN controllers, Cisco ISE software, and any additional
software components required for implementing the solution. I discuss different licensing models, such as
perpetual licenses, subscription-based licenses, and open-source options, and provide insights into the cost
implications of each licensing model.
Other Requirements:
Finally, I consider any other requirements, such as network connectivity, internet access, and power supply,
necessary for deploying the solution effectively. I discuss the availability of online resources, community
forums, and technical support channels for troubleshooting issues and obtaining assistance during the
implementation process.
Conclusion:
In conclusion, I emphasize the importance of carefully evaluating hardware, software, and other resource
requirements to ensure the successful implementation of the proposed network security solution. By
considering these requirements and associated costs upfront, organizations can effectively plan and budget
for the project, minimizing risks and maximizing the return on investment.

Deliverables: Final Results and Outputs


Introduction:
In this chapter, I outline the deliverables that will be produced as part of the network security project utilizing
SDN and Cisco ISE technologies. I discuss the final results and outputs that stakeholders can expect upon
completion of the project, including system components, documentation, training materials, and more.
System Implementation:
The primary deliverable of the project will be the implementation of the proposed network security solution
within the organization's infrastructure. This includes deploying and configuring SDN controllers, Cisco
ISE instances, and network devices to enforce access control policies, enhance visibility and monitoring,
and enable dynamic threat response.
Documentation:
In addition to the system implementation, comprehensive documentation will be produced to support the
deployment and operation of the network security solution. This documentation will include architectural
diagrams, configuration guides, user manuals, and troubleshooting procedures to assist administrators in
managing and maintaining the deployed system. The documentation will serve as a valuable resource for
training, reference, and knowledge transfer within the organization.
Training Materials:
To facilitate user adoption and proficiency with the deployed system, training materials will be developed
to educate stakeholders on the features, functionalities, and best practices for using the network security
solution. Training materials may include interactive tutorials, video demonstrations, and hands-on
workshops to help administrators and end-users gain the necessary skills and knowledge to effectively
utilize the deployed system.

Testing and Validation Reports:
Throughout the implementation process, testing and validation reports will be generated to assess the
performance, functionality, and security of the deployed system. These reports will document the results of
functional testing, security assessments, and performance evaluations conducted during the testing phase.
Any issues or vulnerabilities identified during testing will be addressed, and the final testing and validation
reports will provide assurance that the deployed system meets the organization's requirements and
objectives.
Conclusion:
In conclusion, the deliverables of the network security project will include a fully implemented system,
comprehensive documentation, training materials, and testing and validation reports. These deliverables
will enable stakeholders to effectively manage, maintain, and utilize the deployed network security solution,
thereby enhancing the organization's security posture and resilience against cyber threats.

Suggested Starting Point: Initial Steps to Begin Work


Introduction:
In this chapter, I discuss the suggested starting point and initial steps to begin work on the network security
project utilizing SDN and Cisco ISE technologies. I outline the key actions and considerations that
stakeholders should prioritize in the early stages of the project to ensure a smooth and successful
implementation process.
Assessment of Current Infrastructure:
The first step in starting work on the project is to conduct a thorough assessment of the organization's
current network infrastructure and security posture. This assessment will help identify existing challenges,
vulnerabilities, and limitations in the network infrastructure, providing valuable insights into areas that
require improvement. Key considerations include evaluating access control mechanisms, visibility and
monitoring capabilities, authentication methods, and security policies.
Identification of Requirements and Objectives:
Following the assessment of the current infrastructure, stakeholders should identify the requirements and
objectives for the network security project. This includes defining specific goals, such as improving access
control, enhancing visibility, and mitigating security risks, as well as identifying key performance indicators
(KPIs) for measuring the success of the project. By clearly defining requirements and objectives upfront,
stakeholders can align their efforts and resources towards achieving desired outcomes.
Selection of Technologies and Solutions:
Once requirements and objectives have been identified, stakeholders can proceed with selecting appropriate
technologies and solutions for addressing the identified challenges and achieving project goals. This may
involve researching and evaluating different SDN controllers, Cisco ISE implementations, and other
security technologies to determine the best fit for the organization's needs. Considerations should include
compatibility with existing infrastructure, scalability, ease of integration, and cost-effectiveness.

Establishment of Project Plan and Timeline:
With requirements, objectives, and technologies identified, stakeholders should establish a project plan and
timeline for the implementation of the network security solution. This involves defining milestones, tasks,
and deliverables, as well as allocating resources and responsibilities. A well-defined project plan will help
ensure that the project stays on track and progresses towards completion in a timely manner.
Conclusion:
In conclusion, the suggested starting point for work on the network security project involves assessing the
current infrastructure, identifying requirements and objectives, selecting appropriate technologies and
solutions, and establishing a project plan and timeline. By taking these initial steps, stakeholders can lay
the foundation for a successful implementation process and ultimately achieve their goals for enhancing
network security.

Project Plan: Stages and Timeline


Introduction:

In this chapter, I present the project plan for implementing the network security solution utilizing SDN and
Cisco ISE technologies. I outline the stages of the project, along with their respective timelines, to provide
stakeholders with a clear roadmap for the implementation process.

Stages of the Project:

Assessment and Requirements Gathering: Conduct an assessment of the current network infrastructure
and security posture. Identify requirements and objectives for the network security project.

Technology Evaluation and Selection: Research and evaluate SDN controllers, Cisco ISE
implementations, and other security technologies. Select appropriate solutions based on compatibility,
scalability, and cost-effectiveness.

System Design and Architecture: Design the architecture of the network security solution, including the
integration of SDN and Cisco ISE components. Define network topologies, access control policies, and
monitoring mechanisms.

Hardware and Software Acquisition: Procure necessary hardware components, software licenses, and
other resources required for deploying the solution. Ensure compatibility with selected technologies and
budget constraints.

Implementation and Configuration: Deploy SDN controllers, Cisco ISE instances, and network devices
within the organization's infrastructure. Configure settings, establish communication between components,
and enforce access control policies.

Testing and Validation: Conduct functional testing, security assessments, and performance evaluations to
validate the effectiveness and reliability of the deployed solution. Identify and address any issues or
vulnerabilities.

Documentation and Training: Prepare comprehensive documentation, including architectural diagrams,
configuration guides, and user manuals. Develop training materials and conduct training sessions for
administrators and end-users.

Deployment and Go-Live: Deploy the fully implemented network security solution into production.
Monitor system performance, address any post-deployment issues, and ensure a smooth transition to
operational use.

The table below shows the approximate timeframe, in weeks, for each stage of the project implementation.

Stage                                    Approximate Timeframe
Assessment and Requirements Gathering    2 weeks
Technology Evaluation and Selection      3 weeks
System Design and Architecture           2 weeks
Hardware and Software Acquisition        1 week
Implementation and Configuration         4 weeks
Testing and Validation                   3 weeks
Documentation and Training               2 weeks
Deployment and Go-Live                   1 week

Assuming a start date of May 1, 2024, the Gantt chart below shows the timeline up to 11th September, the
project completion date.

