Cisco TrustSec Makes Your Network Identity Aware

Cisco makes a big bet on its TrustSec technology for pervasive identity awareness

Cisco TrustSec technology provides switch-to-switch wire-speed encryption services and security group tagging of Ethernet frames. But what it really does is allow you to implement the most robust identity-aware network with services on the planet. This technology, if Cisco executes on it properly, could forever change the way we design secure networks.

Today's business networks are so open and have so many ingress/egress perimeters that it is very risky to trust your internal packets anymore. The industry data on this topic backs that up, with statistics showing that right around 40% of breaches occur from inside the network. So what do we do now that we cannot trust our internal communication flows? Well, for starters we need pervasive identity awareness in the network. If we can trace a communication flow, or even a packet, back to an identity, then we can make a better security decision on what to allow that flow to do on the network. Once we have identity awareness of every internal packet, we need to be able to apply identity-aware security policies to those packets. And that, ladies and gentlemen, is exactly what Cisco's TrustSec solution does.

Here is an example scenario for TrustSec protection. I plug my laptop into the switchport. I authenticate to the network using 802.1x and my AD credentials. A Cisco ACS policy server sends down a Security Group Tag (SGT) identifier to the switch based on the group my user account is a member of. Let's say it sends an SGT of 110 to the switch. An SGT of 110 translates to a memberof contractors in AD. The switch will then start putting an SGT of 110 inside every Ethernet frame my laptop sends to the network.

Now the fun starts! As that frame traverses the network heading toward its destination, any network device in its path can read the SGT and apply a security policy to it. One of the options today is to apply a security group ACL (SGACL) to the frame.
If the frame is destined for a server that is a member of SGT 120, you can set a policy in Cisco ACS that says if SGT 110 talks to SGT 120 then deny all TCP ports except 80 and 443. TrustSec just created an ACL based on tag values and not on IP addresses, as has been traditional. The beauty of this is that you no longer have to create ACLs based on IP addresses; instead you use a group-based identity tag that is part of the frame! These SGTs are centrally managed and distributed by a Cisco ACS server, so you have a single pane of glass to view, modify or add SGTs and their associated policies.

TrustSec can use location awareness, time range, access type, AD attributes like memberof, and compound condition statements to make a security group tag decision. Once the decision is made, you can enforce policy today using VLAN assignment, downloadable ACLs and security group ACL policies. Here is an example ACS authorization policy.

If a user authenticates via 802.1x with a username that is a memberof the AD group doctors, from any location, then an SGT of Doctor (ID of 06) is assigned along with the Employee-Permit-Profile authorization profile. That authorization profile includes a downloadable ACL called Restricted-IT-Services. Given the centralized nature of these policies, you can quickly make changes using just ACS. Here is a look at the security group ACL matrix in ACS. This is where you set tag-to-tag security policies.
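The tag assignment and tag-to-tag lookup from this article's scenarios, modelled in Python as an added example (not Cisco or ACS code). The function and constant names are hypothetical, the Voice servers tag number is constructed, and the fail-closed default for empty matrix cells is an assumption of this model.

```python
from typing import NamedTuple, Optional


class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: Optional[str]   # "tcp", "udp", or None for any IP
    dport: Optional[int]   # destination port, or None for any port


# AD group -> SGT, as the policy server assigns it after 802.1x login.
# 110 (contractors) and 6 (Doctor) come from the article.
GROUP_TO_SGT = {"contractors": 110, "doctors": 6}
UNKNOWN_SGT = 0        # no mapped group: treated as unknown
SERVERS = 120          # destination tag from the article's scenario
VOICE_SERVERS = 200    # constructed ID; the article gives no number

# (source SGT, destination SGT) -> ordered entries, first match wins.
SGACL_MATRIX = {
    (110, SERVERS): [Ace("permit", "tcp", 80), Ace("permit", "tcp", 443),
                     Ace("deny", None, None)],
    (6, VOICE_SERVERS): [Ace("deny", None, None)],
}
DEFAULT_ACTION = "deny"  # assumption: empty matrix cells fail closed


def assign_sgt(ad_groups):
    """Return the SGT of the first mapped AD group, else UNKNOWN_SGT."""
    for group in ad_groups:
        if group in GROUP_TO_SGT:
            return GROUP_TO_SGT[group]
    return UNKNOWN_SGT


def enforce(src_sgt, dst_sgt, proto, dport):
    """Decide on the tag pair alone; no IP address appears in the policy."""
    for ace in SGACL_MATRIX.get((src_sgt, dst_sgt), []):
        if ace.proto in (None, proto) and ace.dport in (None, dport):
            return ace.action
    return DEFAULT_ACTION
```

Moving a server to a new subnet changes nothing in this policy; only a change of group membership or of a matrix cell does.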

From the matrix you can see that when SGT Doctor talks to SGT Voice servers, the Deny any IP rule kicks in to block the communication.

To get real geeky on ya, here is a look at the Ethernet frame that is SGT enabled. Because the tagging is done at the frame level, there is no impact on IP packet fragmentation or IP MTU.
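An added example (not from the original article or from Cisco) that builds and parses a constructed SGT-tagged frame, showing that the tag sits in the layer 2 header and the IP packet comes out byte-identical. It assumes the unencrypted Cisco MetaData layout of EtherType 0x8909, version, length, a 16-bit options field and a 16-bit SGT, with options value 0x0001 marking an SGT; MACsec-protected frames are out of scope.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q VLAN tag
ETH_P_CMD = 0x8909    # Cisco MetaData (CMD) EtherType
ETH_P_IPV4 = 0x0800
CMD_OPT_SGT = 0x0001  # assumption: options value that marks an SGT payload
CMD_LEN = 8           # EtherType(2) + version(1) + length(1) + options(2) + SGT(2)


def _u16(frame, off):
    """Read a big-endian 16-bit field, rejecting truncated input."""
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return struct.unpack_from("!H", frame, off)[0]


def build_tagged_frame(dst, src, sgt, inner_type, payload, vlan=None):
    """Build a constructed sample frame: MACs, optional 802.1Q, CMD, payload."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!HBBHH", ETH_P_CMD, 1, 1, CMD_OPT_SGT, sgt)
    return hdr + struct.pack("!H", inner_type) + payload


def parse_sgt(frame):
    """Return (sgt or None, inner EtherType, layer 3 payload)."""
    off, sgt = 12, None               # skip destination and source MAC
    etype = _u16(frame, off)
    if etype == ETH_P_8021Q:          # step over a single VLAN tag
        off += 4
        etype = _u16(frame, off)
    if etype == ETH_P_CMD:
        if len(frame) < off + CMD_LEN + 2:
            raise ValueError("truncated CMD header")
        _ver, _len, opt, value = struct.unpack_from("!BBHH", frame, off + 2)
        if opt == CMD_OPT_SGT:
            sgt = value
        off += CMD_LEN
        etype = _u16(frame, off)
    return sgt, etype, frame[off + 2:]


# Constructed sample: a 40-byte stand-in for an IP packet sent with SGT 110.
DST, SRC = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")
IP_PACKET = bytes(range(40))
TAGGED = build_tagged_frame(DST, SRC, 110, ETH_P_IPV4, IP_PACKET)
```

The tagged frame is 8 bytes longer than the untagged one, so links carrying SGT frames need that headroom at layer 2 even though the IP MTU is untouched.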

The frame diagram shows the SGT buried in the CMD field. It also shows the optional 802.1AE/MACsec encryption headers. If you want to use the switch-to-switch or switch-to-host MACsec-based encryption feature of TrustSec, then these would be present as well. The tagging process happens before other layer 2 switch services like quality of service (QoS) actions. That means that if Cisco chooses to make QoS features SGT aware, it can change QoS based on tag values.

As Cisco matures its TrustSec offering, it would make sense for Cisco to make all of its network devices TrustSec aware. For example, TrustSec-aware ASA appliances would be able to make policy decisions based on SGT info. Same goes for IPS, VPN, IronPort web appliances, ACE load balancers, WAAS, you name it. The TrustSec solution allows you to gather identity once (preferably via 802.1x at the access layer) and then maintain that identity awareness for any TrustSec-aware device to use. Today each device needs to gather a user's identity on its own. The firewall talks to AD, the web filtering service talks to AD, the NAC solution talks to AD, and so on. TrustSec allows you to talk to AD once through a central point (ACS) and then have each service use the embedded security group tags in the frames to gather the identity needed for making a policy decision. Pretty powerful stuff IMHO.

To find out what is available today in the TrustSec solution go to: http://www.cisco.com/go/trustsec

In a nutshell, the Cisco Nexus 7000 series fully supports TrustSec, ACS 5.1 is the policy server, and most other switches have limited TrustSec support starting in IOS 12.2(55)SE.

For a security group tagging configuration guide go here: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.html

To download a 90 day eval of Cisco ACS 5.1 go here: http://www.cisco.com/go/acs

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it; Google Nexus One vs. Top 10 Phone Security Requirements; Why you should always shred your boarding pass; Video rental records are afforded more privacy protections than your online data; The truth about new SSL attacks; 2009 Top Urban Legends in IT Security. Go to Jamey's Blog for more articles on security.


Copyright © 2010 IDG Communications, Inc.
