Senior Network Engineer at a government with 5,001-10,000 employees
Real User
2021-08-10T13:38:46Z
Aug 10, 2021
OK, so Cisco ISE uses 802.1X to secure switchports against unauthorized access. The drawback of this is that ISE cannot secure the port if a device does not support 802.1X. Cameras, badge readers, temp sensors, etc. would fall into this category. Then you have to leave the port unsecured. Also, 802.1X requires you to drop config on every switchport, and have other infrastructure installed to support it. Also, Cisco ISE licensing is complicated and draconian. In some cases, the same endpoint might need to utilize 4 different licenses at the same time.
Forescout operates differently and does not rely on 802.1X. Forescout listens to a variety of sources. For one thing, Forescout can listen to the wire through SPAN. Forescout also uses SNMP to monitor and control switches, routers, and APs. So Forescout can hear when a connection is made to a switchport, discover the IP of the endpoint on that port, control the endpoint if possible through AD or an installed agent, place the switchport into a quarantine VLAN if needed, and if SPAN traffic is available, place a virtual firewall rule in front of the endpoint. It can query the endpoint for processes, apps, OS, AV, and many other things.
The main advantage of Forescout is it doesn't need 802.1X on every switchport to control access, which is quite burdensome to configure. It senses every device on the network instantly, can listen to the wire, has multiple ways of gathering data, and can control switches. Licensing is simple and is per IP address.
Cisco ISE may be required for certain Cisco technologies or environments - then you don't have a choice. ISE is expensive and has extensive licensing requirements. You will need to dedicate at least one person to become an ISE SME, and training will be mandatory. The main advantage of Cisco ISE over Forescout is it can be a TACACS server natively.
Both Cisco ISE and Forescout are highly regarded as both are at the very top of the Gartner Magic Quadrant (if you follow Gartner). Looking at them both on their own, the nod tends to go to Forescout as the Best of Breed. Best of Platform, however, the nod goes to Cisco ISE.
So in simplest terms, Cisco ISE is a better solution when in a strong Cisco environment, and Forescout is the better solution if there are disparate security flows within your organization.
Now I would also throw into the mix (not meant to overcomplicate your decision) HPE/Aruba ClearPass as well. In any case, they can all be a bear to implement, so make sure you have a great organization to work with you on implementation that has a specialty with a particular vendor.
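As an added illustration (not part of the poster's text), this is the kind of per-switchport 802.1X configuration the answer refers to, in Cisco IOS syntax, with MAB fallback so that the non-supplicant devices mentioned (cameras, badge readers, sensors) can still be authorized by MAC address rather than left on an open port. The VLAN numbers, RADIUS server address and shared key are placeholders.

```cisco
! Global AAA: send 802.1X / MAB authentications and authorizations to ISE
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! ISE policy service node (placeholder address and key)
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! This block has to be applied to every access port that should be secured
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Try the 802.1X supplicant first, then fall back to MAB (MAC Authentication Bypass)
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! No supplicant answered: put the port in a restricted VLAN instead of leaving it open
 authentication event no-response action authorize vlan 999
 ! Credentials rejected: quarantine VLAN, so a failure is not a denial of service
 authentication event fail action authorize vlan 999
 ! MAB requires the endpoint's MAC to be known to ISE; unknown MACs also land in VLAN 999
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

VLAN 999 is assumed to be an isolated VLAN with only the access those devices need; MAB trusts the MAC address only, so it identifies the device rather than proving who is behind it.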
Forescout Platform and Cisco Identity Services Engine compete in the network security category. While both offer distinct advantages, Cisco ISE appears to have the upper hand due to its robust feature set, despite the higher investment it requires. Features: Forescout Platform boasts agentless capabilities, integration flexibility, and superior device visibility and control. Its ability to manage IoT devices effortlessly is recognized as an additional strength. Cisco ISE is valued for...
@Avraham Sonenthal thanks a lot for such a detailed answer!
Hi @Sean Muller, @Nayef Hamzeh, @Chandra-Prakash, @Josept Conde, @Dilan Jayamantri, @Jonathan Soto, @Miguel Santiago and
@Avraham Sonenthal,
It seems you should be able to share some professional advice in relation to this question.
Thanks in advance for helping other community members!