TRANSCRIPT
Karaked Kedchumpol
Systems Engineer
July 14, 2016
Cisco TrustSec for Software Defined Segmentation
IT burden: New business demands create security and administrative headaches
Business and technology drivers (these present opportunity but create…):
• Acquisitions and partnerships
• Cloud
• Internet of Things
• Digitization
• BYOD
• Global operations
• Mobility
Security and network infrastructure challenges:
• Lack of control and context
• Complexity and fragmentation
• Dynamic threat landscape
• Pace of technological change
These challenges place a significant burden on IT:
• Manual, error-prone administration
• Expanding resources with static responsibilities
• Increased OpEx
• Inconsistent security
• Reduced time to implement changes
Segmentation is imperative for maintaining security
“Eataly’s network segmentation prevented a POS compromise at one store from compromising systems at the chain’s 26 other locations across the globe”
“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”
“Effective network segmentation… reduces the extent to which an adversary can move across the network”
But Traditional Segmentation Results in ACL and VLAN Complexity
IP-based security policy tied to network topology results in:
• Static, proliferating ACLs
• More policies using more VLANs
• Complicated access management
• Policy inconsistencies across devices and networks
• Manual, time-consuming security and maintenance
[Figure: three locations, each with its own Guest, Employee, Developer and Non-Compliant VLANs and its own management console (Management console 1, 2 and 3), reaching Employee Info, Developer Server, Financial Server and HTTP destinations across the Enterprise Network; a wall of static “access-list 102 permit/deny …” entries keyed on individual IP addresses illustrates the ACL proliferation]
TrustSec simplifies security management
Leverage scalable and agile segmentation technology in over 40 different Cisco product families, enabling dynamic, role-based policy enforcement anywhere on your network.
Simplified Access Management: Manage policies using plain language and maintain compliance by regulating access based on business role.
Rapid Security Administration (accelerated security options): Speed up adds, moves, and changes, simplifying firewall administration to speed up server onboarding.
Consistent Policy Anywhere: Control all network segments centrally, regardless of whether devices are wired, wireless or on VPN.
[Figure: Guest, Employee, Developer and Non-Compliant endpoints (key: Employee Tag, Developer Tag, Voice Tag, Non-Compliant Tag) reach Employee Info, Developer Server, Financial Server and HTTP destinations (Employee Info Tag, Developer Server Tag, Financial Server Tag, HTTP Tag) across the Enterprise Network; one set of SGACLs applies everywhere:
  Deny Employee to Financial Server
  Permit Developer to Developer Server
  Permit Guest to HTTP
  Deny Guest access to Employee Info
  Deny all access (default)]
Enable Software-Defined Segmentation with TrustSec
TrustSec-enabled functionality on an SGT-enabled network (software-defined segmentation, open technology, heterogeneous environment, central management):
• Classification: endpoint identification; static classification; dynamic classification; Security Group Tags assigned to endpoints
• Propagation: inline tagging in the data plane (many options) or a control plane (SXP or pxGrid)
• Enforcement: on switches, routers and firewalls; enforcement and threat defense
• Central management: group tag management; group policy management
And leverage a range of deployment scenarios
• User to Data Center Access Control
• Campus and Branch Segmentation
• Data Center Segmentation

User Access to Data Center Control
TrustSec supports:
• Enterprise-wide, role-based access control
• Automated BYOD access control
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
Policy in action: [Figure: Employee, Developer, Guest, Voice and Non-Compliant endpoints (Employee Tag, Developer Tag, Guest Tag, Non-Compliant Tag) in the Main Building Data VLAN and the Building 3 WLAN Data VLAN, classified by ISE, cross switches and a router to a TrustSec-enabled data center, a remediation server and the Internet; the data center is an ACI policy domain (APIC) holding Dev and Prod servers next to the TrustSec policy domain. The permit/deny matrix in the image could not be recovered from the extracted text.]

Campus and Branch Segmentation
TrustSec supports:
• Role-based segmentation across multiple locations
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
• Restriction of lateral threat movement
Policy in action: [Figure: Employee, Developer, Voice, Building Mgmt and Non-Compliant endpoints (Employee Tag, Developer Tag, Building Mgmt Tag, Non-Compliant Tag) in the Building 3 WLAN Data VLAN, the Main Building Data VLAN and the Branch 3 WLAN Data VLAN reach the HQ Data Center, the Internet and Remediation through switches and a router. The permit/deny matrix in the image could not be recovered from the extracted text.]

Data Center Segmentation
TrustSec supports:
• Firewall rule simplification
• Data center regulatory and compliance requirements such as PCI and HIPAA
• Server zoning
• Micro-segmentation
• Physical and virtual workload segmentation
Policy in action: [Figure: Web Servers, Middleware Servers, Database Servers and Storage groups behind a switch, with a source-to-destination permit/deny matrix between the four groups. The matrix in the image could not be recovered from the extracted text.]
Enabling a more scalable approach to security policy setting
Moving to Software-Defined Segmentation
Segmentation with TrustSec
• Topology-independent segmentation
• Security Group Tag read by the network device (routers, firewalls, switches) and appropriate policies enforced
• Relevant policy pulled down
[Figure: Source Security Groups (Guest, Finance, Employee, Mfg. Devices, Building mgmt) mapped through routers, firewalls and switches to Destination Security Groups: Servers (Finance, Manufacturing, IT), Internet (Social Media, HTTP, Retail), Cloud (Dev 1, Dev 2, Finance BI), Intranet (HR Portal, Remediation, Expenses)]
VLAN and ACL-based segmentation
[Figure: the same sources and destinations segmented by VLAN1, VLAN2 and VLAN3, where every permitted flow needs its own IP-based entry (User:Developer IP:177.22.133.9:8080, User:Developer IP:122.228.76.117:80, User:Developer IP:205.234.66.201:80, User:Developer IP:88.149.221.35:80, User:Developer IP:183.207.232.43:80, repeated for each destination), illustrating how IP-based rules proliferate]
Group Tag Management
Use security groups to denote common roles & policy requirements
Get up and running quickly: Utilize ISE or another TrustSec-enabled controller to support group design.
Assign role-based groups: Assign business-based groupings to provide consistent policy and access independent of network topology (for example SGT_Guest: Guest 1, Guest 2, Guest 3, Guest 4; SGT_Employee: Employee 1, Employee 2, Employee 3, Employee 4; SGT_Building Management).
Establish context-aware groups: Leverage attributes such as location and device type to define group assignments (for example SGT_FinanceServer: Fin 1, Fin 2; SGT_Printers: Printer 1, Printer 2; SGT_Building Management: Temperature Device 1 and 2 (50°), Surveillance Device 1 and 2).
Policy Management
Simplify role creation: Define access policies using plain language instead of complex ACLs and firewall rules.
Maintain and scale dynamically: Defining policies with logical tags means that rules don’t depend on individual IP addresses and can be dynamically and transparently changed no matter the group size.
Apply rules automatically: Create rules and regulate access based on logical groupings that are applied automatically.
Maintain agility with simple, dynamic policy updates.
[Figure: policy matrix with sources Guest, Employee BYOD, Building Mgmt. and Employee and destinations Company Database, Public Cloud, External Partner and Internet; each cell starts as “Define Access” and is filled in with Permit, Deny or a named SGACL such as “Deny Web Apps”]
Centralized Management: Control your entire business on a single pane of glass
Centralized: Manage segmentation and access controls for your entire business from a single location.
Simple: Define access policies in ISE or locally on ASAs or Firepower appliances using plain language instead of complex ACLs and IP-based firewall rules.
Agile: Make changes quickly and easily and reduce the need for costly network re-architecture.
Example rule:
  Rule Name: Employee Access
  Match Condition: SSID = Corporate-WiFi; Certificate-based Authentication; Device Status = Registered Asset
  Classification: SGT_Employee
Dynamic and Static Classification
Dynamic mechanisms (ideal for users and mobile devices; user endpoints): 802.1X, Web Auth, MAB, Passive identity
Static mechanisms:
• Internal resources (internal IT infrastructure and topology-based policy): IP Address, Subnets, VLANs, L2 Interface, L3 Interface, Port Profile, Port, Application-centric [ACI]
• Partner & external (external partners and 3rd party connections): VPN
[Figure: ISE (Policy server) holds the SGACLs and assigns SGT #1 to SGT #4 to user endpoints (dynamic) and to the Finance Server, Printers, Building Mgmt and Partner 1 groups (static)]
Static Classification: Implement physical, location-based tagging
Features
• Physical, location-based tagging
• Used to classify endpoints when authentication isn’t available
• Based on hardware aspects
• SGTs map to a network element rather than relying on authentication from ISE
• Classifications are then transported deeper into the network for policy enforcement
Endpoint Identification: Enable dynamic classification with rich context awareness
Poor context awareness: Any user, any device, anywhere, can access the network, increasing risk. All the network sees is IP Address 192.168.1.51; Who, What, When, Where, How, Vulnerability, Threat and Compliance are all Unknown.
Strong context awareness: The right user, on the right device, from the right place, is given appropriate access. ISE (or a 3rd party controller) combines vulnerability data, web data, threat data and event logs into a result: Who: Bob; What: Tablet; When: 11:00 AM EST on April 10th; Where: Building 200, 2nd floor; How: Wireless; Compliance: Yes; Threat: Distracting; Vulnerability: CVSS score of 6.
With ISE and TrustSec, gain:
• Better visibility through richer contextual information
• Increased visibility into threats and vulnerabilities
• Reduced impact of a potential breach and accelerated remediation
Dynamic Classification: Authenticate endpoints and assign SGTs
Scenario: Finance Employee Access
Finance Employee SGT characteristics:
• SSID = Corporate-Wifi
• Role-based authentication
• Device Status = Registered Asset
• AD Group = Finance Employee
Classification: SGT_Finance
Policies: Finance server, Remediation portal, Finance BI, Development servers
Features
• Authentication methods for dynamic classification include: 802.1X, Web Authentication, MAC Auth. Bypass, Passive Identity [AD]
• SGTs are assigned based on authenticated endpoint characteristics
• SGTs are then transported throughout the network for policy enforcement
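As an added illustration of first-match dynamic classification (example code written for this page, not ISE's or Cisco's), the following Python models an authorization rule table of the kind the Finance Employee scenario describes: each rule matches on SSID, authentication method, registered-asset status and AD group, and the first matching rule assigns the SGT. Only the “Finance Employee Access” rule and its four conditions come from the slide; the other rule names, the attribute keys and every SGT number are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed SGT numbers for the example (ISE lets you choose your own).
SGT_UNKNOWN = 0
SGT_GUEST = 5
SGT_EMPLOYEE = 10
SGT_FINANCE = 20
SGT_NON_COMPLIANT = 40


@dataclass(frozen=True)
class Endpoint:
    """Attributes learned at authentication time (constructed shape)."""
    ssid: Optional[str]
    auth_method: str                 # "802.1X", "WebAuth", "MAB" or "Passive"
    registered_asset: bool
    ad_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    """One authorization rule; a None or empty condition means 'any'."""
    name: str
    sgt: int
    ssid: Optional[str] = None
    auth_methods: FrozenSet[str] = frozenset()
    require_registered: bool = False
    ad_group: Optional[str] = None

    def matches(self, ep: Endpoint) -> bool:
        if self.ssid is not None and ep.ssid != self.ssid:
            return False
        if self.auth_methods and ep.auth_method not in self.auth_methods:
            return False
        if self.require_registered and not ep.registered_asset:
            return False
        if self.ad_group is not None and self.ad_group not in ep.ad_groups:
            return False
        return True


# Most specific rule first: the Finance rule must precede the generic
# Employee rule, or finance users would never receive SGT_FINANCE.
RULES = (
    Rule("Finance Employee Access", SGT_FINANCE, ssid="Corporate-Wifi",
         auth_methods=frozenset({"802.1X"}), require_registered=True,
         ad_group="Finance Employee"),
    Rule("Employee Access", SGT_EMPLOYEE, ssid="Corporate-Wifi",
         auth_methods=frozenset({"802.1X"}), require_registered=True),
    Rule("Unregistered corporate device", SGT_NON_COMPLIANT,
         ssid="Corporate-Wifi", auth_methods=frozenset({"802.1X"})),
    Rule("Guest web auth", SGT_GUEST, ssid="Guest-Wifi",
         auth_methods=frozenset({"WebAuth"})),
)


def classify(ep: Endpoint, rules=RULES) -> Tuple[str, int]:
    """Return (rule name, SGT) of the first matching rule. An endpoint that
    matches nothing gets SGT_UNKNOWN, so it lands in the default-deny cells
    of the policy matrix instead of silently inheriting a role."""
    for rule in rules:
        if rule.matches(ep):
            return rule.name, rule.sgt
    return "default", SGT_UNKNOWN


if __name__ == "__main__":
    bob = Endpoint("Corporate-Wifi", "802.1X", True, frozenset({"Finance Employee"}))
    print(classify(bob))
```

Two points the rule order makes visible: a Finance AD member on an unregistered device is classified as non-compliant rather than as finance, because the registered-asset condition is checked before the group membership matters, and an endpoint that matches no rule is tagged unknown rather than left untagged.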
Inline Tagging: Carrying Security Group Tag metadata in the data plane
• Simple, scalable where devices support inline tagging in hardware
• SGT information stays with traffic
Propagation options: Cisco MetaData (CMD) carried over Ethernet, MACsec, IPsec, DM-VPN and GET-VPN; FUTURE: VXLAN (with DNA), NSH
Supporting devices: Catalyst switches, WLAN controllers, Nexus switches, Integrated Service Routers, Industrial Ethernet Switches, ASR 1000, ASA 5500-X, Firepower Threat Defense
[Figure: branches connected with inline tagging where supported and untagged elsewhere, with ISE as the policy server]
Where does the Security Group Tag reside?
Ethernet Frame: Destination MAC | Source MAC | 802.1Q | ETHTYPE (CMD) | CMD | PAYLOAD
Cisco MetaData (CMD): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
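To make the frame layout above concrete, here is an added Python example (written for this page, not Cisco code) that builds and parses an Ethernet frame carrying the CMD shim between the optional 802.1Q tag and the inner EtherType. The CMD EtherType 0x8909 is Cisco's registered value; the field widths (1-byte Version, 1-byte Length, 2-byte SGT Opt Type, 2-byte SGT Value), the option-type value 0x0001 and the meaning of the Length byte are assumptions made for the example, and frames with additional CMD options are rejected rather than guessed at.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco MetaData EtherType
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001        # assumed value of the "SGT Opt Type" field
CMD_BODY_LEN = 6            # assumed: Version + Length + Opt Type + SGT Value


def build_frame(dst: bytes, src: bytes, sgt: Optional[int],
                inner_ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet frame, optionally 802.1Q tagged, optionally carrying
    the SGT in a CMD shim placed before the inner EtherType (sgt=None leaves
    the frame untagged, as a non-inline-capable device would send it)."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        # Assumed Length semantics: number of 32-bit option words (one here).
        frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1,
                             CMD_OPT_SGT, sgt & 0xFFFF)
    frame += struct.pack("!H", inner_ethertype) + payload
    return frame


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return dst, src, vlan, sgt, ethertype and payload. sgt is None for an
    untagged frame; a malformed or unsupported CMD header raises ValueError
    instead of yielding a tag the enforcement point would act on."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    out: Dict[str, object] = {"dst": frame[0:6], "src": frame[6:12],
                              "vlan": None, "sgt": None}
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        out["vlan"] = tci & 0x0FFF
        off += 2
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + CMD_BODY_LEN + 2:
            raise ValueError("truncated CMD header")
        version, length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
        if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
            raise ValueError(f"unsupported CMD version {version} / option {opt_type:#06x}")
        out["sgt"] = sgt
        off += CMD_BODY_LEN
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    out["ethertype"] = ethertype
    out["payload"] = frame[off:]
    return out


if __name__ == "__main__":
    # Constructed sample: VLAN 100, SGT 50 (the binding shown later in the deck), IPv4 inside.
    f = build_frame(b"\xaa" * 6, b"\xbb" * 6, 50, 0x0800, b"\x45" + b"\x00" * 19, vlan=100)
    print(f.hex(), parse_frame(f)["sgt"])
```

The parse result's sgt of None is the case the propagation slides address: a frame that arrives without a CMD shim carries no tag, so the enforcement point must obtain the source SGT from an IP-SGT binding learned over SXP or pxGrid rather than from the wire.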
Propagate SGTs over any IP network (Control Plane)
Endpoints are dynamically classified (802.1X Authentication, Web Authentication, MAC Auth. Bypass, Passive identity [AD]) or statically classified (IP Address, Subnets, L2 Interface, L3 Interface, Port Profile, Port, VLANs, VPN, Application-centric [ACI]; the common classification for servers, topology-based policy, etc.).
• Generate IP-SGT mappings from ISE
• Send IP-SGT mappings to SXP peers and pxGrid peers
SXP
• SXP connections enabled quickly and easily
• No hardware dependencies
• Uses TCP as the transport protocol
• Propagate from ISE or access-layer devices to any enforcement point
SXP IP-SGT Binding Table (example entry):
  IP Address    SGT   SRC
  10.1.100.98   50    Local
pxGrid
• Security appliances subscribe to the TrustSec topic in pxGrid
• SGT bindings shared via pxGrid
[Figure: ISE sends IP-SGT mappings over SXP to Router 1, Router 2, Router 3 and Switch 1 (a non-inline-capable switch), and over pxGrid to a Firepower NGFW, a WSA (www) and ecosystem vendor products]
Policy distribution: Ensure global security infrastructure is always updated
Global policy deployment: Policy follows the mobile user to any location where they join the network.
Automatic updates: Policies are available globally as soon as updates are made by the administrator.
[Figure: ISE (Policy server) pushes the same SGACL matrix to Location 1, Location 2 and Location 3 in Country 1 and to Location 1 in Country 2, so a Finance Employee (SGT Finance) gets identical policy wherever they join]
SGACL matrix (source → destination):
• Finance Employee → Finance Employee: Deny_Malware, Permit_Voice, Permit_Video; → Developer: Deny_Malware, Permit_Voice, Permit_Video; → Auditor: Deny_Malware, Permit_Voice, Deny_Video
• Developer → Finance Employee: Deny_Malware, Permit_Voice, Permit_Video; → Developer: Deny_Malware, Permit_Voice, Permit_Video; → Auditor: Deny_Malware, Permit_Voice, Deny_Video
• Auditor → Finance Employee: Deny_Malware, Permit_Voice, Deny_Video; → Developer: Deny_Malware, Permit_Voice, Permit_Video; → Auditor: Deny_Malware, Permit_Voice, Permit_Video
Enforce policy across your organization
Grant instant access to those who need it, when they need it.
Streamline the authentication process at the switch level and enable instant access to destinations, while ensuring rock-solid security of sensitive information.
Endpoint Characteristics (Finance Employee):
• SSID = Corporate-WiFi
• Role-based authentication
• Device Status = Registered Asset
• AD Group = Finance Employee
Classification: SGT_Finance
Resulting access, as decided by ISE: IT servers: Limited Access; Internet: Limited Access; Cloud: Access Granted; Company Intranet: Limited Access
[Figure: destinations Servers (Finance, Manufacturing, IT), Internet (Social Media, HTTP, Retail), Cloud (Dev 1, Dev 2, Finance BI), Intranet (HR Portal, Remediation, Expenses)]
Enforcement: Enforce policy using Security Groups
Control access with less maintenance
Security Group Access Control Lists enable you to:
• Use SGTs instead of IP addresses to enforce policy at wire speed
• Consolidate access control entries
• Reduce maintenance complexity associated with traditional access lists
• Create policies that are IP version agnostic, unidirectional, and stateless
Example SGACL, Permit_Mail Traffic:
  permit tcp dst eq 110
  permit tcp dst eq 143
  permit tcp dst eq 25
  permit tcp dst eq 465
  permit tcp dst eq 585
  permit tcp dst eq 993
  permit tcp dst eq 995
  deny all log
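The following Python is an added example written for this page (not Cisco code, and not how a switch ASIC implements it) that ties the IP-SGT binding table from the propagation slide to the Permit_Mail SGACL above: a longest-prefix lookup turns source and destination addresses into SGTs, a (source SGT, destination SGT) matrix selects the SGACL, and the SGACL's entries are evaluated in order. The 10.1.100.98 → SGT 50 binding and the Permit_Mail entries come from the slides; every other prefix, tag number, binding source and SGACL name is constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Binding(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    sgt: int
    source: str         # where the binding was learned: Local, SXP, Static


# Constructed tag numbers; SGT 50 for 10.1.100.98 is the binding on the slide.
SGT_UNKNOWN, SGT_EMPLOYEE, SGT_MAIL_SERVERS, SGT_FINANCE = 0, 10, 30, 50

BINDINGS: List[Binding] = [
    Binding(ipaddress.ip_network("10.1.100.98/32"), SGT_FINANCE, "Local"),
    Binding(ipaddress.ip_network("10.1.0.0/16"), SGT_EMPLOYEE, "SXP"),
    Binding(ipaddress.ip_network("10.9.0.0/24"), SGT_MAIL_SERVERS, "Static"),
    Binding(ipaddress.ip_network("2001:db8:1::/48"), SGT_EMPLOYEE, "SXP"),
    Binding(ipaddress.ip_network("2001:db8:9::/64"), SGT_MAIL_SERVERS, "Static"),
]


def lookup_sgt(ip: str, bindings: List[Binding] = BINDINGS) -> int:
    """Longest-prefix match: a /32 host binding overrides its /16 subnet.
    An address with no binding maps to SGT_UNKNOWN, never to a real role."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Binding] = None
    for b in bindings:
        if addr.version == b.prefix.version and addr in b.prefix:
            if best is None or b.prefix.prefixlen > best.prefix.prefixlen:
                best = b
    return best.sgt if best else SGT_UNKNOWN


class Ace(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None
    log: bool = False

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port))


# Permit_Mail exactly as listed on the slide: seven mail ports, then deny all log.
PERMIT_MAIL = [Ace("permit", "tcp", p) for p in (110, 143, 25, 465, 585, 993, 995)]
PERMIT_MAIL.append(Ace("deny", log=True))
DENY_ALL = [Ace("deny", log=True)]

# Policy matrix keyed by (source SGT, destination SGT); unlisted cells deny.
MATRIX = {
    (SGT_EMPLOYEE, SGT_MAIL_SERVERS): ("Permit_Mail", PERMIT_MAIL),
    (SGT_FINANCE, SGT_MAIL_SERVERS): ("Permit_Mail", PERMIT_MAIL),
    (SGT_EMPLOYEE, SGT_FINANCE): ("Deny_All", DENY_ALL),
}


def enforce(src_ip: str, dst_ip: str, proto: str,
            dst_port: Optional[int] = None) -> Tuple[str, str, bool]:
    """Return (SGACL name, action, log) for one unidirectional flow."""
    key = (lookup_sgt(src_ip), lookup_sgt(dst_ip))
    name, aces = MATRIX.get(key, ("Default_Deny", DENY_ALL))
    for ace in aces:
        if ace.matches(proto, dst_port):
            return name, ace.action, ace.log
    return name, "deny", True   # unreachable while every SGACL ends in deny-all


if __name__ == "__main__":
    print(enforce("10.1.3.7", "10.9.0.5", "tcp", 993))
```

The same Permit_Mail cell serves the IPv4 and IPv6 flows without a second rule, which is the IP-version-agnostic property the slide claims. The cells are also unidirectional and stateless: a reply from the mail server back to the employee is evaluated against the (mail servers, employee) cell, which here is undefined and therefore denied, so a real deployment must define that return cell (or rely on a stateful firewall) rather than assume SGACLs track connections.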
Simplifying & Automating Firewall Policies: Enforce policies at the firewall using Security Groups
Streamline firewall rule creation and provisioning
Security Group Firewall enables you to:
• Manage assets at the group level, and reuse security groups to simplify firewall rules
• Write security policies in plain language
• Use security groups in conjunction with IP addresses for increased flexibility
• Invoke IPS inspection based on traffic coming from one security group and going to another
SGTs are defined in ISE or locally on Cisco security appliances; the firewall uses the destination SGT received from network devices.
Micro-segmentation: Enforce policy at a granular level even within the same role/same VLAN
• Stop malware from spreading to other users within the VLAN
• Prevent members with the same SGT from establishing inappropriate peer-to-peer connections
[Figure: Developer 1, Finance Employee 1, Auditor, Developer 2 and Finance Employee 2 spread across the Main Building VLAN, Building 2 VLAN and Building 3 VLAN (SGT_Developer, SGT_Finance, SGT_Suspicious), with switches and a router enforcing the matrix below toward Servers (Finance, Manufacturing, IT) and Intranet (HR Portal, Remediation, Expenses)]
SGACL matrix (source → destination):
• Finance Employee → Finance Employee: AntiMalware, Permit_Voice, Deny_Video; → Developer: AntiMalware, Permit_Voice, Permit_Video; → Auditor: AntiMalware, Permit_Voice, Deny_Video
• Developer → Finance Employee: AntiMalware, Permit_Voice, Permit_Video; → Developer: AntiMalware, Permit_Voice, Permit_Video; → Auditor: AntiMalware, Permit_Voice, Deny_Video
• Auditor → Finance Employee: AntiMalware, Permit_Voice, Deny_Video; → Developer: AntiMalware, Permit_Voice, Permit_Video; → Auditor: AntiMalware, Permit_Voice, Permit_Video
Threat Defense: Restrict access using context-aware threat detection
Isolate threats: Prevent lateral threat movement by quickly containing threats with threat identification and remediation policies.
Automate threat response: Use the security infrastructure to detect threats and automatically apply quarantine policies.
Remediate quickly: Direct the infected user to a remediation portal for rapid remediation.
[Figure: a Finance Employee (SGT Finance) starts with Limited Access to IT servers, the Internet and the Company Intranet and Access Granted to the Cloud; the security sensor (Firepower Management Center) raises “Alert: Painful Threat Score” to ISE, which changes the endpoint’s access so that IT servers, Internet and Cloud become Access Denied while the Company Intranet stays Limited Access]
Segmentation Simplified with TrustSec’s unique functionality
• Simplify access management with access based on business role
• Achieve consistent policy anywhere and control centrally
• Speed up security administration and server onboarding
Thank you