It was great to be a part of the Cisco Community Tech-Talk. We discussed the various aspects of how Cisco TrustSec works and what the value add is for a customer using Cisco TrustSec in their network.
Cisco TrustSec Security Group Access is another valuable technology in the network security domain. Gone are the days when the network administrator had to deal with challenges like maintaining huge access lists across an enterprise network. Many of our customers have deployed Cisco TrustSec in their networks and are happy with it. Cisco TrustSec makes a network more intelligent and secure by making access control role based and by providing a secure networking environment, and hence helps customers achieve data confidentiality and integrity.
Our network becomes role based when we classify traffic on the basis of roles rather than VLANs or IP addresses.
How do we classify the traffic based on roles?
We add a Security Group Tag (SGT), a 16-bit value, to the packet at Layer 2, carried in the Cisco MetaData (CMD) header of the Ethernet frame. Each SGT denotes a specific role: for example, SGT value 2 could mean Marketing and SGT value 3 could mean HR, so you define the rules on the basis of source SGT and destination SGT rather than on VLANs or IP addresses.
What is the value add of adding SGTs?
Adding SGTs to packets makes the whole network tag aware, so access control and filtering of traffic can be done on the basis of SGTs alone. Because the tag travels with the packet, the policy stays the same when a user moves to a different VLAN or gets a different IP address, which is what lets network administrators classify traffic and maintain the policy efficiently.
What about a secure networking environment? How is it achieved?
To understand how the network itself is secured, we need to understand NDAC (Network Device Admission Control).
NDAC is the mechanism used to create a trusted domain for network traffic to traverse. It is done with the help of 802.1X authentication between network devices: every device that wants to join the trusted domain has to authenticate itself to its peer, with ISE or ACS acting as the authentication server, and only then does it become a trusted device of the trusted domain.
Traffic or SGTs coming from a non-trusted device are not accepted: a tag arriving on a port that has not passed NDAC is ignored, so a host cannot simply insert a favourable tag into its own frames. To traverse networks or network devices that do not understand or support SGT propagation, a control-plane protocol, the SGT Exchange Protocol (SXP), allows Cisco TrustSec SGT information to be transported over any IP network to the enforcement points. SXP is a TCP connection between a speaker and a listener, optionally protected with a shared password (TCP MD5 authentication); it carries IP-address-to-SGT bindings rather than the tagged frames themselves, so an enforcement point can derive the SGT of an untagged packet from its source IP address.
Policy enforcement can be performed by Cisco firewalls, routers, or switches. The enforcement device reads the source SGT (denoting the Retail-Manager role, for example). It then evaluates the Retail-Manager's privileges to access the destination resource, which also has an assigned SGT, such as PCI-Compliant Server or HR Database, and determines whether the traffic should be allowed or denied.
If the enforcement device is a switch, it applies security group ACLs (SGACLs). These are policies downloaded automatically from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control Server (ACS). SGACLs have the benefit of being processed at wire rate on many switch platforms, and because they are downloaded from ISE they do not need to be provisioned on each switch as traditional access control lists do. Note that an SGACL matches only on protocol and port, not on addresses: the source and destination are already fixed by the SGT pair the SGACL is attached to, and a pair with no policy falls through to the configured default.
If the enforcement device is a Cisco firewall, it performs stateful firewall processing using the source and destination SGTs as match criteria alongside the usual address and port criteria.
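To make the classification and enforcement steps above concrete, here is a small added illustration (my own code, not Cisco's, and not how a switch implements it internally). It models the three things the preceding paragraphs describe: an inline SGT is trusted only if the ingress port passed NDAC, an untagged packet gets its SGT from IP-to-SGT bindings learned over SXP using longest-prefix match, and the resulting (source SGT, destination SGT) pair selects an SGACL whose entries match only protocol and port, with a deny default. The SGT numbers, role names, subnets and policy matrix are all constructed for the example (2 = Marketing and 3 = HR follow the page's own example; the rest are assumptions).

```python
"""Toy model of Cisco TrustSec SGT classification and SGACL enforcement.

Added illustration, not Cisco code. All SGT values, subnets, bindings and
policy entries below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed role-to-SGT mapping (2 = Marketing, 3 = HR as in the article).
SGT_NAMES = {0: "Unknown", 2: "Marketing", 3: "HR", 20: "HR-Database", 30: "PCI-Server"}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp" or "udp"
    dst_port: int
    inline_sgt: Optional[int] = None  # SGT carried in the L2 CMD header, if any
    port_trusted: bool = False        # did the ingress port pass NDAC?


# IP-to-SGT bindings as they would be learned over SXP (constructed).
SXP_BINDINGS = {
    "10.1.0.0/16": 2,    # Marketing user subnet
    "10.2.0.0/16": 3,    # HR user subnet
    "10.2.5.0/24": 20,   # HR database servers (more specific than the /16)
    "10.9.0.0/24": 30,   # PCI-scoped servers
}


@dataclass
class SgaclEntry:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None = any protocol
    dst_port: Optional[int] = None  # None = any port


# Policy matrix keyed by (source SGT, destination SGT), as ISE would push it.
# An SGACL never names addresses: the SGT pair already fixes both ends.
POLICY = {
    (3, 20): [SgaclEntry("permit", "tcp", 1433), SgaclEntry("deny")],  # HR -> HR DB: SQL only
    (2, 20): [SgaclEntry("deny")],                                      # Marketing -> HR DB: nothing
    (2, 30): [SgaclEntry("permit", "tcp", 443), SgaclEntry("deny")],   # Marketing -> PCI: HTTPS only
    (3, 30): [SgaclEntry("deny")],
}
DEFAULT_ACTION = "deny"  # pairs with no downloaded SGACL fall through to this


def lookup_sgt(ip: str) -> int:
    """Resolve an IP address to an SGT via longest-prefix match over SXP bindings."""
    addr = ip_address(ip)
    best = None
    for prefix, sgt in SXP_BINDINGS.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else 0  # 0 = Unknown when nothing matches


def classify_source(pkt: Packet) -> int:
    """Trust an inline tag only from an NDAC-authenticated port; else use SXP bindings."""
    if pkt.inline_sgt is not None and pkt.port_trusted:
        return pkt.inline_sgt
    return lookup_sgt(pkt.src_ip)  # a tag from an untrusted port is ignored


def enforce(pkt: Packet) -> tuple:
    """Return (action, src_sgt, dst_sgt) after walking the SGACL for the SGT pair."""
    src_sgt = classify_source(pkt)
    dst_sgt = lookup_sgt(pkt.dst_ip)
    for ace in POLICY.get((src_sgt, dst_sgt), []):
        if ace.proto not in (None, pkt.proto):
            continue
        if ace.dst_port not in (None, pkt.dst_port):
            continue
        return ace.action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt


if __name__ == "__main__":
    samples = [
        Packet("10.2.1.10", "10.2.5.7", "tcp", 1433),                   # HR user to HR DB over SQL
        Packet("10.2.1.10", "10.2.5.7", "tcp", 22),                     # HR user, SSH to DB
        Packet("10.1.4.4", "10.2.5.7", "tcp", 1433, inline_sgt=3),      # spoofed HR tag, untrusted port
        Packet("10.1.4.4", "10.9.0.5", "tcp", 443, inline_sgt=2, port_trusted=True),
    ]
    for p in samples:
        action, s, d = enforce(p)
        print(f"{p.src_ip} -> {p.dst_ip}:{p.dst_port}/{p.proto}: "
              f"{SGT_NAMES[s]}({s}) -> {SGT_NAMES[d]}({d}) = {action}")
```

The third sample is the NDAC point: the host on the Marketing subnet stamps SGT 3 (HR) onto its own frame, but because the ingress port never authenticated, the tag is discarded and the source is classified as Marketing from the SXP binding, so the database access is denied. The same packet arriving on a trusted port would be treated as HR, which is exactly why NDAC has to precede any trust in inline tags.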
Cisco TrustSec provides data confidentiality and integrity with the help of hop-by-hop encryption of traffic at Layer 2. The protocol used for this is MACsec (IEEE 802.1AE) with the GCM-AES-128 cipher suite; the keys for each link are negotiated between the two peers (using the Security Association Protocol, SAP, on Cisco switches, or MKA as defined in IEEE 802.1X-2010). Traffic is decrypted on ingress to a network device and encrypted again on egress, so each device can still read the SGT and enforce policy in the clear, while anyone tapping the wire between two trusted devices can neither read the frames nor modify them without detection. Note the limit of this: protection is per link, so every switch in the path sees the plaintext. MACsec rules out a man-in-the-middle inserted on the cable between two authenticated peers, but it does not protect traffic inside a compromised switch, and it is a separate feature from SGT tagging, which works without encryption.
Please refer to the Cisco TrustSec 2.0 Product Bulletin to find out which devices support TrustSec, and in particular which platforms support inline SGT tagging, SXP, SGACL enforcement, and MACsec, since support differs from platform to platform.