Configuration Guide for Cisco Identity Services Engine 1.3

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.  
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
At-A-Glance
Cisco TrustSec® simplifies the provisioning and management of secure access to network services and applications. Compared to access control mechanisms that are based on network topology, Cisco TrustSec defines policies using logical policy groupings, so secure access is consistently maintained even as resources are moved in mobile and virtualized networks. De-coupling access entitlements from IP addresses and VLANs simplifies security policy maintenance tasks, lowers operational costs, and allows common access policies to be applied to wired, wireless, and VPN access consistently.
Introduction
Cisco TrustSec classification and policy enforcement functions are embedded in Cisco® switching, routing, wireless LAN, and firewall products. By classifying traffic based on the contextual identity of the endpoint rather than its IP address, Cisco TrustSec enables more flexible access controls for dynamic networking environments and data centers.
At the point of network access, a Cisco TrustSec policy group called a Security Group Tag (SGT) is assigned to an endpoint, typically based on that endpoint's user, device, and location attributes. The SGT denotes the endpoint's access entitlements, and all traffic from the endpoint carries the SGT. Switches, routers, and firewalls use the source and destination SGTs, not the packet's addresses, to decide whether to forward or drop the traffic. Because SGT assignments can denote business roles and functions, Cisco TrustSec controls can be defined in terms of business needs and not underlying networking detail (Figure 1).
Figure 1. Classification at the access layer (AP, WLC, switch) using ID and profiling data from ISE; SGT propagation across routers, the DC firewall, and the DC switch; distributed enforcement based on security group toward the Finance Server SGT and HR Server SGT. Two endpoints of the same user illustrate the difference: a company asset (Device Type: Mac, User: Mary, Group: Employee, Corporate Asset: Yes) and a personal asset (Device Type: Apple iPad, User: Mary, Group: Employee, Corporate Asset: No).
With Cisco TrustSec, a network administrator can implement extensive network segmentation and endpoint access controls without modifying network topology (for example, by adding VLANs) or maintaining address-based rules, which greatly simplifies IT engineering and operations. Cisco TrustSec policies are centrally managed by Cisco Identity Services Engine (ISE), with enforcement functions available in campus switches, data center switches, firewalls, and routers.
Business Issues Addressed
Reduces Operational Expenses
Virtual footprints allow flexible and elastic operation. Cisco TrustSec allows firewall and access control rules to be defined by an asset's or application's role, and automates management of those rules, saving significant operational effort and time.
Allows Secure, “Any Device” Access to Resources
To help organizations gain visibility into, and effective control over, unmanaged mobile devices accessing their networks, Cisco TrustSec provides flexible and high-performance controls in network devices to control access to resources based upon attributes such as user role, location, device type, and posture.
Dynamic Campus Segmentation
Unlike traditional campus network segmentation techniques, Cisco TrustSec is a scalable, agile, and efficient means to enforce security policy in today's highly dynamic environments.
Caters for Changing Workforces and Business Relationships
Users are more mobile and businesses are more collaborative. Allowing controlled access to resources for mobile users, contractors, partners, and guests has become operationally intensive and technically challenging for many enterprises.
Using Cisco TrustSec 
Campus Network Segmentation
Typical Situation
For user access in enterprise campus networks, it is common to map different user groups into appropriate VLANs to provide complete isolation between groups. Each VLAN requires address space and provisioning, and needs to be mapped to an upstream routed network interface, which may need to use static access control lists (ACLs) or virtual routing and forwarding (VRF) functions to maintain the isolation.
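As an added example, not part of this Cisco document or any Cisco software: a short Python model of the classification-and-enforcement flow described in the Introduction, evaluated side by side with the VLAN-plus-static-ACL approach described under Typical Situation. The SGT numbers, attribute names, addresses and policy matrix are assumptions chosen for illustration; the enforcement rule is the one the page describes, a matrix keyed by source and destination security group, with any unlisted pair denied.

```python
"""Toy model of TrustSec-style classification and SGT-based enforcement.

Constructed example, not Cisco's code. The SGT numbers, attribute names,
policy matrix and IP addresses are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# SGT values (assumed); 0 means "unknown", which is granted nothing.
SGT_UNKNOWN = 0
SGT_EMPLOYEE_CORP = 10       # employee on a corporate-owned device
SGT_EMPLOYEE_PERSONAL = 11   # employee on a personal (BYOD) device
SGT_FINANCE_SERVER = 20
SGT_HR_SERVER = 21


@dataclass(frozen=True)
class Endpoint:
    """Context ISE would learn at network access (constructed attributes)."""
    user: str
    group: str
    device_type: str
    corporate_asset: bool
    ip: str  # where the endpoint happens to be attached right now


def classify(ep: Endpoint) -> int:
    """Classification: map identity/profiling attributes to an SGT.
    Deliberately ignores ep.ip, which is what decouples policy from topology."""
    if ep.group == "Employee" and ep.corporate_asset:
        return SGT_EMPLOYEE_CORP
    if ep.group == "Employee":
        return SGT_EMPLOYEE_PERSONAL
    return SGT_UNKNOWN


# Data-centre servers get their SGT from static IP-to-SGT mappings (assumed).
SERVER_SGT = {
    "10.9.0.5": SGT_FINANCE_SERVER,
    "10.9.0.6": SGT_HR_SERVER,
}

# SGACL matrix: (source SGT, destination SGT) -> allowed (proto, port) set.
# Any pair not listed is denied, so the default is least privilege.
SGACL = {
    (SGT_EMPLOYEE_CORP, SGT_FINANCE_SERVER): {("tcp", 443)},
    (SGT_EMPLOYEE_CORP, SGT_HR_SERVER): {("tcp", 443)},
    (SGT_EMPLOYEE_PERSONAL, SGT_HR_SERVER): {("tcp", 443)},
}


def sgt_permit(src: Endpoint, dst_ip: str, proto: str, port: int) -> bool:
    """Enforcement on the tags carried with the traffic, not on addresses."""
    pair = (classify(src), SERVER_SGT.get(dst_ip, SGT_UNKNOWN))
    return (proto, port) in SGACL.get(pair, set())


# Topology-based equivalent: a static ACL keyed on the corporate VLAN's
# subnet (assumed 10.1.10.0/24). Same intent, but tied to where hosts sit.
IP_ACL = [
    (ipaddress.ip_network("10.1.10.0/24"), "10.9.0.5", "tcp", 443),
    (ipaddress.ip_network("10.1.10.0/24"), "10.9.0.6", "tcp", 443),
]


def ip_permit(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    src = ipaddress.ip_address(src_ip)
    return any(src in net and dst_ip == dst and (proto, port) == (p, pt)
               for net, dst, p, pt in IP_ACL)


def compare(ep: Endpoint, dst_ip: str) -> dict:
    """Evaluate one HTTPS flow under both models so any divergence is visible."""
    return {"sgt": sgt_permit(ep, dst_ip, "tcp", 443),
            "ip_acl": ip_permit(ep.ip, dst_ip, "tcp", 443)}


# Constructed endpoints mirroring Figure 1: the same user on two devices,
# plus the corporate laptop after it roams to a wireless subnet.
MARY_MAC_WIRED = Endpoint("Mary", "Employee", "Mac", True, "10.1.10.25")
MARY_MAC_WIRELESS = Endpoint("Mary", "Employee", "Mac", True, "10.1.20.25")
MARY_IPAD_WIRED = Endpoint("Mary", "Employee", "Apple iPad", False, "10.1.10.30")

if __name__ == "__main__":
    for name, ep in [("Mac on corp VLAN", MARY_MAC_WIRED),
                     ("Mac moved to wireless", MARY_MAC_WIRELESS),
                     ("personal iPad on corp VLAN", MARY_IPAD_WIRED)]:
        print(f"{name:28s} -> finance: {compare(ep, '10.9.0.5')}")
```

The two cases where the models disagree are the ones the page is about: when the corporate Mac roams to the wireless subnet, the SGT policy still permits it while the subnet ACL silently breaks, and when the personal iPad lands on the corporate VLAN, the subnet ACL over-permits while the SGT policy denies it because classification looked at Corporate Asset: No rather than at the address.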