Cisco TrustSec - Simplified Network Access Control Policies
Today let's talk about Cisco’s latest approach to simplifying network access control policies using TrustSec. It plays a significant role in implementing a secure-access campus network with SD-Access. You all know why secure access is a need in today’s campus network.
Users roam within their workspace, and their network access policies have to roam with them. For organizations doing traditional ACL-based network access control tied to network topology (IP addresses, subnets, and VLANs), this is a time-consuming task. Not only that, the policies are inconsistent, and unused policies are not removed once defined, leading to policy violations and sometimes to unauthorized access to network resources.
How does TrustSec Help?
Cisco TrustSec was developed to simplify the provisioning and management of secure access to network services in a campus environment. Policies in TrustSec are group-based, which keeps security policies consistent throughout the network and simplifies the complex task of maintaining them. With TrustSec, wired and wireless policies are the same because they do not depend on network topology and are defined using groups.
How does TrustSec work?
TrustSec works on three basic principles:
- Classification and assignment of a tag
- Transport of the tag throughout the network
- Policy enforcement
Classification
A Scalable Group Tag (SGT) is assigned to an endpoint based on rich attributes such as user, device type, device posture status, location, etc. The SGT is a 16-bit tag assigned to the endpoint by Cisco ISE using dynamic or static methods.
Dynamic classification is used at the access layer through dynamic authentication methods such as 802.1X, MAB, or WebAuth. Static classification is used on the data center switches where servers are connected.
Transport
Once the SGT is assigned to the endpoint, the SGT information must be transported throughout the network by capable devices. This transport is achieved using inline tagging and the Secure Exchange Protocol. Inline tagging is performed by the switches, which add the SGT information (the 16-bit tag) to the Ethernet frame.
When a device does not support inline tagging, the Secure Exchange Protocol (SXP) is used to transport the SGT. Inline tagging is supported on switches, while SXP is used in the routing and firewall domains.
Figure 1: TrustSec SGT Transport
Policy Enforcement
Policy enforcement is achieved using Secure Group ACLs (SGACLs). With SGACLs, policies are defined based on source and destination SGT. Enforcement is represented as a permission matrix, with source security groups on one axis and destination security groups on the other.
Each cell in the body of the matrix contains an SGACL that specifies the permissions between that source and destination. An SGACL carries no source or destination information of its own; it contains only what is permitted or denied. For example, "deny TCP dest eq 21" says that destination port 21 is denied. Wherever this SGACL is placed in the matrix, the cell it occupies supplies the source and destination reference.
Figure 2: Permission Matrix and SGACL Snapshot
Traditional way of defining access control policies on the device:
(sources) * (destinations) * permissions = ACEs
4 VLANs (sources) * 30 (Destinations) * 4 Permissions = 480 ACL Entries
With SGACLs, the magnitude is greatly reduced. Instead of specifying individual sources and destinations, we now deal with groups:
4 SGT (Sources) * 3 SGT (Destinations) * 4 Permissions = 48 ACL Entries
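To make the classification, matrix and SGACL relationship concrete, here is a small Python model (an added example, not Cisco or ISE code): endpoints are mapped to an SGT from constructed IP-to-SGT bindings, each matrix cell holds an SGACL whose entries carry only protocol and port, and the enforcement check resolves both SGTs to pick the cell. The SGT numbers, subnets, cell contents and default policy are hypothetical, and the count function is the sizing formula from the text above.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    """One SGACL entry: action plus protocol/port only, no source or destination."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto, dst_port):
        proto_ok = self.proto == "ip" or self.proto == proto
        return proto_ok and (self.dst_port is None or self.dst_port == dst_port)

# Constructed IP-to-SGT bindings, as a router or firewall would learn them via SXP.
SGT_BINDINGS = {
    ip_network("10.1.0.0/24"): 10,   # SGT 10: Employees (hypothetical)
    ip_network("10.2.0.0/24"): 20,   # SGT 20: Contractors (hypothetical)
    ip_network("10.9.0.0/24"): 30,   # SGT 30: Servers (hypothetical)
}

def classify(ip):
    """Map an endpoint address to its SGT (0 = unknown, no binding)."""
    addr = ip_address(ip)
    return next((sgt for net, sgt in SGT_BINDINGS.items() if addr in net), 0)

# Permission matrix: (source SGT, destination SGT) -> SGACL.  The SGACL itself
# never names a source or destination; the cell it sits in supplies that reference.
NO_FTP = [Ace("deny", "tcp", 21), Ace("permit", "ip")]          # the article's example
HTTPS_ONLY = [Ace("permit", "tcp", 443), Ace("deny", "ip")]
MATRIX = {
    (10, 30): NO_FTP,                # Employees   -> Servers
    (20, 30): HTTPS_ONLY,            # Contractors -> Servers
    (20, 10): [Ace("deny", "ip")],   # Contractors -> Employees
}
DEFAULT_SGACL = [Ace("permit", "ip")]  # constructed default for cells left undefined

def enforce(src_ip, dst_ip, proto, dst_port):
    """Resolve both SGTs, select the matrix cell, apply its entries in order."""
    cell = MATRIX.get((classify(src_ip), classify(dst_ip)), DEFAULT_SGACL)
    for ace in cell:
        if ace.matches(proto, dst_port):
            return ace.action == "permit"
    return False  # implicit deny at the end of every SGACL

def ace_count(sources, destinations, permissions):
    """The article's sizing formula: sources * destinations * permissions."""
    return sources * destinations * permissions
```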
Using a solution like TrustSec is definitely going to make an IT admin's life simpler: fewer entries, and centralized definition and maintenance of policies, which is exactly what today's agile networks ask for. It promises to give the network team back the time that is mostly consumed by manual, repetitive tasks; with that time in hand, the team can spend more of it on digital transformation initiatives.