The Cisco TrustSec® solution lets you control access to corporate data intelligently, applying access control policies anywhere in the network using switches, routers, or security appliances. Cisco TrustSec can greatly simplify the management of security policies and reduce risk by providing consistent enforcement anywhere on the network.
Challenge: Simplify Network Security
Organizations frequently have simple business goals that they want their security architecture to facilitate; for example, they may want only traders to access trading systems, or only doctors to access patient records. However, when these policies are implemented, they are frequently translated into complex network security rules that define users and servers by their IP addresses, subnet or site. The resulting network security rules are no longer simple to understand and may not clearly correlate with the original business goals.
In today's dynamic work environments, users are also frequently bringing their own devices to the workplace, which introduces yet more complexity in network security rules. The dramatic growth in virtualization and virtual private cloud technologies has also led to challenges in provisioning security requirements for new virtual servers and accommodating the movement of workloads while maintaining the desired security posture.
Cisco TrustSec Business Benefits
Cisco TrustSec allows you to group users and their devices so that rules and policies can be defined at a group level. For example, groups could be defined so that doctors using iPads will be classified differently from patients using iPads. After creation of a "Doctors Using iPads" group, all of the doctors connecting to a hospital network using an iPad can be automatically classified as members of that group, with common privileges. These security groups can also define the key assets that the organization would like to protect, so that the access control policy can be as simple as defining that the "Doctors Using iPads" group is allowed access to the "Patient Records Databases", whereas the "Patients Using iPads" group is unable to access those resources. Those sample requirements could be met with three simple groups and a single access control rule.
Without a Cisco TrustSec solution, the network address assignments for the different user groups may need to be referenced in multiple access control lists and firewall rules, using IP addresses and subnets to denote the users and protected resources.
With Cisco TrustSec, auditing of rules and policies is also much simplified. In the hospital example, any number of doctors working anywhere in the hospital will receive the same user experience and access to appropriate resources.
Figure 1. Policy Matrix for Cisco TrustSec Security Group ACLs
Cisco TrustSec Solution Capabilities
Cisco TrustSec capabilities are embedded in Cisco® switches, wireless LAN (WLAN) controllers, routers, and firewalls. With TrustSec, when a user's traffic enters the network, it is classified according to characteristics such as user authentication, analysis of the device being used, and its network location. Based on these criteria, the user's endpoint is classified as a member of a particular security group; for example, it could be added to a group called Retail-Manager. Cisco switches and routers then propagate the security group information to policy-enforcement devices.
Most Cisco switches and routers can transport this security group information with the user's traffic. This information is included by embedding a 16-bit Security Group Tag (SGT) value in each frame associated with the user device. The SGT can be transported over LAN, WAN and data center networks so that it is available for inspection and policy enforcement wherever appropriate.
To traverse networks or network devices that do not understand or support SGT propagation, a control-plane protocol, the SGT Exchange Protocol (SXP), carries IP-address-to-SGT bindings over any IP network to the enforcement points, which then derive the source and destination SGTs from the IP addresses of the traffic they receive.
Policy enforcement can be performed by Cisco firewalls, routers, or switches. The enforcement device reads the source SGT (denoting the Retail-Manager role, for example). It then evaluates the Retail-Manager's privileges to access the destination resource, which would also have an assigned SGT, such as PCI-Compliant Server or HR Database. It then determines whether the traffic should be allowed or denied.
If the enforcement device is a switch, it will apply security group ACLs (SG-ACLs). These are policies automatically downloaded from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control Server (ACS). SG-ACLs have the benefit of being processed at wire rate on many switch platforms. Because they are downloaded from ISE, they do not need to be provisioned on each switch by hand, as traditional Access Control Lists do.
If the enforcement device is a Cisco firewall, it will perform stateful firewall processing using the source and destination SGTs, as illustrated in Figure 2. The Cisco Adaptive Security Appliance (ASA) Software can also make additional inspection decisions based on the source and destination SGT values. For example, it can selectively pass traffic through additional intrusion prevention analysis or direct traffic to Cisco Cloud Web Security services based upon SGT values.
Figure 2. Firewall Rules Using Cisco TrustSec Security Groups
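The following is an added illustration of the enforcement logic described above, not code from Cisco or from this document. It models the two ways an enforcement point learns a flow's source SGT (an inline tag in the frame, or an IP-to-SGT binding of the kind SXP distributes), always derives the destination SGT from the binding table, and then evaluates the (source SGT, destination SGT) cell of an SG-ACL policy matrix with first-match semantics and a default deny. The SGT numbers, group names, IP prefixes, and rules are all constructed for the example and are not Cisco defaults; real SG-ACLs, ISE, and SXP are not involved.

```python
"""Toy model of Cisco TrustSec enforcement: classify both ends of a flow by
Security Group Tag (SGT) and evaluate an SG-ACL policy matrix.

Added illustration only. Every SGT value, group name, binding and rule below
is constructed for this example; none are Cisco defaults.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Security groups as 16-bit SGT values (constructed). SGT 0 is "Unknown":
# traffic that arrives untagged with no matching binding receives it.
SGT = {
    "Unknown": 0,
    "Doctors_iPad": 10,
    "Patients_iPad": 11,
    "Patient_Records_DB": 100,
}
NAME = {v: k for k, v in SGT.items()}

# IP-prefix-to-SGT bindings. A real access switch learns these when an
# endpoint authenticates and SXP carries them to enforcement points that
# cannot read inline tags; here the table is constructed statically.
BINDINGS = [
    (ip_network("10.1.10.0/24"), SGT["Doctors_iPad"]),
    (ip_network("10.1.20.0/24"), SGT["Patients_iPad"]),
    (ip_network("10.9.0.10/32"), SGT["Patient_Records_DB"]),
]


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


# SG-ACL policy matrix keyed by (source SGT, destination SGT). Each cell is an
# ordered rule list evaluated first-match; a missing cell falls to the default.
# Constructed policy mirroring the hospital example in the text.
MATRIX = {
    (SGT["Doctors_iPad"], SGT["Patient_Records_DB"]): [
        Rule("tcp", 443, "permit"),
        Rule("any", None, "deny"),
    ],
    (SGT["Patients_iPad"], SGT["Patient_Records_DB"]): [
        Rule("any", None, "deny"),
    ],
}
DEFAULT_ACTION = "deny"   # covers unknown cells, including anything with SGT 0


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    inline_sgt: Optional[int] = None   # SGT carried in the frame, if the upstream switch tagged it


def lookup_binding(ip: str) -> int:
    """Longest-prefix match of an address against the binding table."""
    addr = ip_address(ip)
    best = None
    for net, sgt in BINDINGS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else SGT["Unknown"]


def classify(flow: Flow) -> Tuple[int, int]:
    """Source SGT: the inline tag when present, otherwise the binding table.
    Destination SGT: always the binding table (the destination never tags its own inbound traffic)."""
    src = flow.inline_sgt if flow.inline_sgt is not None else lookup_binding(flow.src_ip)
    return src, lookup_binding(flow.dst_ip)


def enforce(flow: Flow) -> str:
    """Return the action for the flow: first matching rule in the matrix cell, else the default."""
    src_sgt, dst_sgt = classify(flow)
    for rule in MATRIX.get((src_sgt, dst_sgt), []):
        if rule.proto in ("any", flow.proto) and rule.dport in (None, flow.dport):
            return rule.action
    return DEFAULT_ACTION


def evaluate(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Human-readable (source group, destination group, action) per flow."""
    out = []
    for f in flows:
        s, d = classify(f)
        out.append((NAME.get(s, str(s)), NAME.get(d, str(d)), enforce(f)))
    return out


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("10.1.10.7", "10.9.0.10", "tcp", 443),                  # doctor, untagged -> binding
    Flow("10.1.10.7", "10.9.0.10", "tcp", 22),                   # doctor, SSH to the database
    Flow("10.1.20.5", "10.9.0.10", "tcp", 443),                  # patient
    Flow("192.168.5.5", "10.9.0.10", "tcp", 443),                # no binding -> Unknown -> default deny
    Flow("192.168.5.5", "10.9.0.10", "tcp", 443, inline_sgt=10), # tagged inline, binding not needed
]

if __name__ == "__main__":
    for f, (s, d, a) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{f.src_ip:>13} -> {f.dst_ip}:{f.dport}/{f.proto}  [{s} -> {d}]  {a}")
```

Two points the model makes visible: an endpoint with no binding and no tag lands in SGT 0 and is denied by the matrix default rather than by any explicit rule, so a gap in SXP binding distribution fails closed; and an inline tag takes precedence over the binding table, which is why the tag must only be trusted on links from devices that are themselves part of the TrustSec domain.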
Cisco TrustSec Capabilities for Policy-Defined Segmentation
A Cisco TrustSec system provides:
• Simplified access management
– Manages policies using plain language
– Controls access to critical assets by business role
– Maintains policy compliance
• Accelerated security operations
– Quickly provisions access to new servers
– Speeds up adds, moves, and changes
– Automates firewall and ACL administration
• Consistent policy anywhere
– Segments networks using central policy management
– Enforces policy on wired and wireless networks
– Scales to support branch office, campus and data center locations
Components That Support Cisco TrustSec Capabilities
Table 1 lists components that support Cisco TrustSec capabilities and features. This list is frequently enhanced; please refer to the Cisco TrustSec platform support matrix available at Cisco.com/go/trustsec for the latest information.
Table 1. Components supporting Cisco TrustSec Features
Policy server for Cisco TrustSec classification and SG-ACL policy creation