Cisco Identity Services Engine 1.3 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 24 of 27
Cisco TrustSec Technology and pxGrid
Also growing in popularity is the Cisco TrustSec software-defined segmentation method. This segmentation uses logical tags known as security group tags, or SGTs. At the point of network authorization, Cisco ISE can "mark" or tag matching endpoints as critical medical devices without changing their VLAN or assigning a specific IP address. Although they are compatible with traditional segmentation methods, SGTs can eliminate the need for VLAN proliferation or port ACLs. SGTs can be used purely for visibility or for policy enforcement virtually anywhere in the network. Firewalls that support Cisco TrustSec technology can dynamically apply policy without concern over source IP or VLAN assignment, which simplifies rule management. Unlike ACLs and VLANs, Cisco TrustSec segmentation is independent of the network topology and of topology changes.
In the context of medical devices, SGTs offer an attractive option. You can use them to track and monitor medical devices without applying enforcement and later apply more restrictive segmentation and access to and from these devices. These policy markings are also made available to external applications through Cisco pxGrid, a framework for data sharing. Cisco pxGrid greatly enhances visibility and policy compliance validation for critical-care and other healthcare systems using solutions such as Cisco Stealthwatch and the Cisco Firepower™ Management Center as well as Splunk and a host of other third-party ecosystem partners. For more information on Cisco ISE partners that support pxGrid, see http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/solution-overview-c22-735909.html.
SGT Authorization Policy Example
The example policy rules below show the use of logical profiles to match medical devices on a wired network to
assign a permissions policy that permits access and marks the endpoint as a healthcare endpoint using a security
group tag labeled “Healthcare.”
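To make the contrast drawn above concrete, the following is an added illustration in Python; it is not code from the white paper and not Cisco ISE's own policy format. It models the three pieces the text describes: an authorization step that permits access and assigns a tag by logical profile, a tag-to-tag policy matrix evaluated either in monitor mode (visibility only) or in enforce mode, and a conventional subnet ACL for comparison. The tag name "Healthcare" is the one used on the page; the profile names, MAC and IP addresses, VLAN numbers, subnets and matrix entries are constructed for the example. The scenario then re-addresses the medical device onto another VLAN to show that the subnet ACL stops matching while the tag-based decision is unchanged.

```python
"""Added illustration (not the white paper's or Cisco ISE's own code): tag-based
segmentation modelled as (1) an authorization step that assigns a security group
tag by logical profile, (2) a tag-to-tag policy matrix evaluated in monitor or
enforce mode, and (3) an IP/subnet ACL for comparison.  Profile names, addresses,
VLAN numbers and the matrix entries are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    ip: str
    vlan: int
    profile: str            # logical profile derived at profiling time (constructed names)
    sgt: Optional[str] = None


# Authorization rules: logical profile -> (access permitted?, tag to assign).
# "Healthcare" is the tag name used on the page; the other names are constructed.
AUTHZ_RULES: Dict[str, Tuple[bool, str]] = {
    "Medical Devices": (True, "Healthcare"),
    "Workstations": (True, "Employee"),
}
DEFAULT_SGT = "Unknown"


def authorize(ep: Endpoint) -> Endpoint:
    """Network authorization: permit and tag by profile; VLAN and IP are left untouched."""
    permitted, sgt = AUTHZ_RULES.get(ep.profile, (True, DEFAULT_SGT))
    ep.sgt = sgt if permitted else None      # None = no access granted
    return ep


# Tag policy matrix: (source tag, destination tag) -> action; other pairs use the default.
POLICY_MATRIX: Dict[Tuple[Optional[str], Optional[str]], str] = {
    ("Healthcare", "Healthcare"): "permit",
    ("Employee", "Healthcare"): "deny",
    ("Healthcare", "Employee"): "deny",
}
DEFAULT_ACTION = "permit"


@dataclass
class TagFirewall:
    """Enforcement point that keys policy on tags, not on IP or VLAN."""
    mode: str = "monitor"   # "monitor": visibility only, log and forward; "enforce": drop on deny
    log: List[str] = field(default_factory=list)

    def evaluate(self, src: Endpoint, dst: Endpoint) -> bool:
        """Return True if the flow is forwarded; every decision is logged either way."""
        if src.sgt is None or dst.sgt is None:
            action = "deny"                  # an unauthorized endpoint never gets a permit
        else:
            action = POLICY_MATRIX.get((src.sgt, dst.sgt), DEFAULT_ACTION)
        self.log.append(f"{src.ip}->{dst.ip} [{src.sgt}->{dst.sgt}] {action} ({self.mode})")
        return True if self.mode == "monitor" else action == "permit"


# Conventional ACL keyed on subnets (constructed): workstation subnet -> medical subnet denied.
IP_ACL: List[Tuple[str, str, str]] = [
    ("10.10.20.0/24", "10.10.10.0/24", "deny"),
]


def ip_acl_action(src_ip: str, dst_ip: str, acl=IP_ACL, default: str = "permit") -> str:
    """First-match ACL lookup on source/destination prefixes."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return default


def run_scenario():
    """Workstation -> infusion pump, before and after the pump is re-addressed."""
    pump = authorize(Endpoint("00:11:22:33:44:55", "10.10.10.5", 10, "Medical Devices"))
    workstation = authorize(Endpoint("66:77:88:99:aa:bb", "10.10.20.7", 20, "Workstations"))
    monitor_fw, enforce_fw = TagFirewall("monitor"), TagFirewall("enforce")
    before = {
        "ip_acl": ip_acl_action(workstation.ip, pump.ip),
        "monitor_forwarded": monitor_fw.evaluate(workstation, pump),
        "enforce_forwarded": enforce_fw.evaluate(workstation, pump),
    }
    # Topology change: the pump moves to another VLAN and subnet; its tag moves with it.
    pump.ip, pump.vlan = "10.10.30.5", 30
    after = {
        "ip_acl": ip_acl_action(workstation.ip, pump.ip),
        "enforce_forwarded": enforce_fw.evaluate(workstation, pump),
    }
    return before, after, monitor_fw.log + enforce_fw.log


if __name__ == "__main__":
    before, after, log = run_scenario()
    print("before move:", before)
    print("after move: ", after)
    print("\n".join(log))
```

Running the file prints the two decision sets and the log. Before the move the subnet ACL and the tag matrix agree (both deny the workstation-to-pump flow, and the monitor-mode firewall forwards it while still recording the deny, which is the "track and monitor without applying enforcement" phase). After the pump is re-addressed, the subnet ACL silently falls through to its default permit because no prefix matches any more, whereas the tag-based firewall still denies, since the decision never depended on the address or VLAN.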