Cisco Identity Services Engine Software Introductory Guide
At-A-Glance
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
If some interaction between user segments is desirable or shared services are
delivered to multiple user groups, controlled interactions tend to be defined in
static switch and router configurations, which can become complicated. Moreover,
control of communication within a single VLAN or segment is difficult to enforce.
Cisco TrustSec Solution
Using a Cisco TrustSec role or SGT as the means to describe permissions on the
network allows the interaction of different systems to be determined by comparing
SGT values. This avoids the need for additional VLAN provisioning, keeping the access
network design simple and avoiding VLAN proliferation and configuration tasks required
as the number of roles grows. Interaction between user groups may be denied, or
controlled interaction on specific ports and protocols can be allowed. This provides a
much simpler and more flexible approach to managing security policies.
Cisco TrustSec SG-ACLs can also block unwanted traffic between users of the same
role, so that malicious reconnaissance activities and even remote exploitation from
malware can be effectively prevented.
Access Controls
Typical Situation
IP-address-based ACLs are simple to deploy, given an understanding of the network
design and the specific assets that need to be protected. They require ongoing
management, but for simple role structures this is not problematic. However, as
the number of access roles increases, it can become difficult to not only manage
these ACLs, but also ensure that downloaded ACLs will not exceed the memory and
processing capabilities of any given network access device applying them.
Cisco TrustSec Solution
Cisco TrustSec uses secure group ACLs (SG-ACL) for role-based access control.
These lists contain source and destination roles and Layer 4 services (ports). You don’t
need to maintain IP addresses in these ACLs, so they are simple to maintain, even as
the environment grows.
SG-ACLs are dynamically downloaded from Cisco ISE as required by the network
device, so changes to SG-ACLs do not need to be provisioned on the network. On
many Cisco platforms, the SG-ACL enforcement functions operate at line rate, allowing
ACLs to be implemented at 10G, 40G, and even 100G.
Firewall Rule Automation
Typical Situation
Organizations are accustomed to defining access to protected assets based on the IP
address of the asset. This often results in large firewall rule tables, which are difficult
to understand and manage. In virtualized data centers, there may be growing numbers
of logical servers to protect, and changes to them are more frequent for workload
management and movement reasons.
Cisco TrustSec Solution
With Cisco TrustSec, firewall rules can be written using server roles and not the IP
address of the individual asset. This simplifies the policies and makes them easier to
understand, administer and audit.
For virtualized data centers, Cisco TrustSec functions embedded in the Cisco Nexus®
1000V virtual switching platform allow the role assignment of servers to be marked in
a provisioning profile and automatically shared with Cisco firewalls. As more workloads
are deployed for a given profile, or as the workloads move, the firewalls will be updated
with group membership information immediately.
For new servers being mapped into existing roles, no changes to the firewall rule table
should be needed (Figure 2).
Figure 2. Cisco TrustSec Firewall Rule Table
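Added example, not taken from the Cisco document: a small Python model of the role-based enforcement described in the sections above (permissions decided by comparing SGT values, SG-ACLs that carry roles and Layer 4 services rather than IP addresses, blocking of traffic between hosts of the same role, and adding a server to an existing role without touching the rule table). The SGT numbers, addresses and services are constructed for illustration and are not Cisco's reserved values.

```python
from ipaddress import ip_address

# Constructed SGT values for this example; not Cisco's reserved tags.
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_WEB, SGT_DB = 10, 20, 30, 40


class TrustSecPolicy:
    """SG-ACL matrix keyed by (source SGT, destination SGT); IPs appear only in bindings."""
    def __init__(self):
        self.ip_to_sgt = {}   # IP-to-SGT bindings (learned from ISE in a real deployment)
        self.matrix = {}      # (src_sgt, dst_sgt) -> set of permitted (proto, port)

    def bind(self, ip, sgt):
        self.ip_to_sgt[ip_address(ip)] = sgt

    def permit(self, src_sgt, dst_sgt, proto, port):
        self.matrix.setdefault((src_sgt, dst_sgt), set()).add((proto, port))

    def decide(self, src_ip, dst_ip, proto, port):
        """Classify both endpoints by role, then look up the SG-ACL cell. Unknown
        bindings and missing cells deny; a missing (role, same role) cell is what
        blocks traffic between two hosts that share a role."""
        src = self.ip_to_sgt.get(ip_address(src_ip))
        dst = self.ip_to_sgt.get(ip_address(dst_ip))
        if src is None or dst is None:
            return False
        return (proto, port) in self.matrix.get((src, dst), set())

    def ip_acl_line_count(self):
        """Lines an equivalent IP-based ACL needs: one per (src host, dst host, service)."""
        hosts = {}
        for ip, sgt in self.ip_to_sgt.items():
            hosts.setdefault(sgt, []).append(ip)
        return sum(len(hosts.get(s, [])) * len(hosts.get(d, [])) * len(svcs)
                   for (s, d), svcs in self.matrix.items())


def build_policy():
    """Constructed sample: two user roles and a web tier talking to a DB tier."""
    p = TrustSecPolicy()
    p.permit(SGT_EMPLOYEE, SGT_WEB, "tcp", 443)
    p.permit(SGT_CONTRACTOR, SGT_WEB, "tcp", 443)
    p.permit(SGT_WEB, SGT_DB, "tcp", 5432)
    # Deliberately no (SGT_EMPLOYEE, SGT_EMPLOYEE) cell: employee-to-employee is denied.
    for ip, sgt in [("10.1.0.5", SGT_EMPLOYEE), ("10.1.0.6", SGT_EMPLOYEE),
                    ("10.2.0.9", SGT_CONTRACTOR), ("192.0.2.10", SGT_WEB),
                    ("192.0.2.50", SGT_DB)]:
        p.bind(ip, sgt)
    return p
```

Binding a second web server to SGT_WEB leaves the three-cell matrix unchanged while the equivalent IP-based ACL grows from 4 to 8 lines, which is the scaling argument the Access Controls and Firewall Rule Automation sections make.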