This post comes out of a conversation I had around Cisco’s Identity Services Engine, and I think it’s an important one to have. I gave a presentation on ISE, and a question came up around filtering web content by categories (social media, YouTube, and the like). This is a function of another Cisco product, Ironport, a dedicated appliance web proxy/filter. ISE can’t do this, so why not consolidate Ironport into ISE? This is definitely a valid question given that ISE controls access to resources on your network, so why not extend that to resources that are on the web? As I thought about it more, I wouldn’t want Ironport consolidated into ISE. Here’s why:
- ISE is already doing a ton of work keeping track of sessions, ACLs, profiling, posture, and other ISE features. Add in web requests and proxying and you’re going to overload the nodes or limit how large the deployment can scale. Is limiting scalability worth the minor benefits of consolidation?
- Don’t put all of your eggs in one basket! The more services located in one place, the more devastating a failure is. Even if you have high availability, if a node goes down because of process load it’s likely the secondary node will fail soon after due to the load being shifted from the primary node.
- Troubleshooting. As noted earlier, ISE is already a complex beast. When troubleshooting in a pinch, you want to be able to solve a problem quickly. Try digging through authorization policies, ACLs on network access devices, communication errors between nodes, and anything else that can cause problems. Now add web content filtering on top of that. I would rather have the services separated so I know exactly where to look when something is wrong. Can’t get to a certain web site? Look at the Ironport appliance. Can’t get access to an internal resource? Look at ISE.
Now that’s not to say I’m not a fan of consolidation. Hypervisors and server virtualization are fantastic examples because they make applications more versatile and highly available, while at the same time lowering management overhead. Consolidation can definitely be a great thing when there is a good reason behind it. However, don’t consolidate just because that’s the buzzword of the week; make a conscious design decision and take the time to weigh the pros and cons.
What I would like to see is integration of ISE and Ironport, similar to how ISE and Prime Infrastructure are integrated. Allow the platforms to be independent, distributed entities while enhancing the functionality of each by sharing information between the two. For example, allow Ironport to use the granularity of ISE device/user profiling to create content filtering rules, but retain the ability to fall back on a set of rules in the event an ISE node is not responding for one reason or another (granted you may have bigger problems at that point, but it could also be as simple as a new firewall rule blocking communication between the two).
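To make the integration pattern concrete, here is an added example (not code from the post, and not Cisco's ISE or Ironport API): a filter decision that uses a constructed ISE profile table when the lookup succeeds, and drops to a static category-only ruleset when the ISE node does not respond, logging the fallback so the degraded state is visible rather than silent. The session table, rule format and `query_ise` stand-in are all assumptions.

```python
import logging

log = logging.getLogger("webfilter")

# Constructed ISE session table: the kind of group/device data profiling supplies.
ISE_SESSIONS = {
    "10.0.0.5": {"group": "marketing", "device": "corp-laptop"},
    "10.0.0.9": {"group": "engineering", "device": "byod-phone"},
}

# Rules are (group, device, category, action); "*" matches anything.
# First match wins, so specific rules sit above general ones.
PROFILE_RULES = [
    ("marketing", "*", "social-media", "allow"),
    ("*", "byod-phone", "streaming", "deny"),
    ("*", "*", "social-media", "deny"),
    ("*", "*", "*", "allow"),
]
# Fallback used when ISE is unreachable: no identity is available, so the
# rules are category-only and conservative (the post's "set of rules").
FALLBACK_RULES = [
    ("*", "*", "social-media", "deny"),
    ("*", "*", "streaming", "deny"),
    ("*", "*", "*", "allow"),
]

def match(rules, group, device, category):
    for g, d, c, action in rules:
        if g in ("*", group) and d in ("*", device) and c in ("*", category):
            return action
    return "deny"  # nothing matched: default deny

def query_ise(client_ip):
    """Stand-in for the real session lookup; a network failure would raise."""
    return ISE_SESSIONS.get(client_ip)

def decide(client_ip, category, lookup=query_ise):
    """Return (action, source), where source is 'ise' or 'fallback'."""
    try:
        profile = lookup(client_ip)
    except (OSError, TimeoutError) as exc:
        # Surface the degraded state so it can be alerted on; a silent
        # fallback hides exactly the blocked-firewall-rule case above.
        log.warning("ISE unreachable for %s (%s); using fallback rules", client_ip, exc)
        return match(FALLBACK_RULES, "*", "*", category), "fallback"
    if profile is None:
        # Session unknown to ISE: treat it as having no identity.
        return match(FALLBACK_RULES, "*", "*", category), "fallback"
    return match(PROFILE_RULES, profile["group"], profile["device"], category), "ise"
```

Note that the same marketing user is allowed social media while ISE answers and denied it once the lookup fails, which is the behaviour change a fallback design has to make deliberately.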
What do you think? Leave a comment or send me an email at firstname.lastname@example.org to get the discussion started!
Keep an eye out for the second part of my ISE technical series on wireless deployments!