
Page 1: Cisco TrustSec for Software Defined Segmentation
Source: wunca.uni.net.th/wunca_regis/wunca33_doc/14/017_TrustSec... (posted 2016-07-21)

Karaked Kedchumpol, Systems Engineer
July 14, 2016

Page 2: New business demands create security and administrative headaches

Business and technology drivers (these present opportunity but create...):
• Acquisitions and partnerships
• Cloud
• Internet of Things
• Digitization
• BYOD
• Global operations
• Mobility

Security and network infrastructure challenges:
• IT burden
• Lack of control and context
• Complexity and fragmentation
• Dynamic threat landscape
• Pace of technological change

These challenges place a significant burden on IT:
• Manual, error-prone administration
• Expanding resources with static responsibilities
• Increased OpEx
• Inconsistent security
• Reduced time to implement changes

Page 3: Segmentation is imperative for maintaining security

"Eataly's network segmentation prevented a POS compromise at one store from compromising systems at the chain's 26 other locations across the globe"

"Network segmentation... is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement"

"Effective network segmentation... reduces the extent to which an adversary can move across the network"

Page 4: But Traditional Segmentation Results in ACL and VLAN Complexity

[Figure: a wall of hand-maintained access-list entries (access-list 102 deny/permit ip, tcp and icmp lines with host addresses and ports) repeated for each of three locations; the individual entries are illegible in the extraction]

IP-based security policy tied to network topology results in:
• Manual, time-consuming security and maintenance
• Policy inconsistencies across devices and networks
• Complicated access management
• More policies using more VLANs
• Static, proliferating ACLs

Diagram: an Enterprise Network with destinations Employee Info, Developer Server, HTTP and Financial Server. Locations 1, 2 and 3 each carry their own Guest VLANs, Employee VLANs, Developer VLANs and Non-Compliant VLANs, administered from Management console 1, Management console 2 and Management console 3 respectively.

Page 5: TrustSec simplifies security management

Leverage scalable and agile segmentation technology in over 40 different Cisco product families, enabling dynamic, role-based policy enforcement anywhere on your network.

Simplified Access Management: manage policies using plain language and maintain compliance by regulating access based on business role.

Accelerated Security Options (Rapid Security Administration): speed up adds, moves and changes, simplifying firewall administration to speed up server onboarding.

Consistent Policy Anywhere: control all network segments centrally, regardless of whether devices are wired, wireless or on VPN.

Diagram: the same Enterprise Network as page 4, now with endpoints classified by tag (Guest, Employee, Developer and Non-Compliant endpoints carrying an Employee Tag, Developer Tag, Voice Tag or Non-Compliant Tag) and destinations classified by tag (Employee Info Tag, Developer Server Tag, Financial Server Tag, HTTP Tag). One set of SGACLs applies at every location:
• Deny Employee to Financial Server
• Permit Developer to Developer Server
• Permit Guest to HTTP
• Deny Guest access to Employee Info
• Deny all access

Page 6: Enable Software-Defined Segmentation with TrustSec

Framework (Security Group Tags on an SGT-enabled network; open technology, heterogeneous environment):
• Classification: static classification, endpoint identification, dynamic classification
• Propagation: inline tagging in the data plane, or a control plane (SXP or pxGrid); many options
• Enforcement: switch, router, firewall; threat defense
• Central management: group tag management, group policy management

Page 7: And leverage a range of deployment scenarios

• User to Data Center Access Control
• Campus and Branch Segmentation
• Data Center Segmentation

Page 8: User Access to Data Center Control

Diagram: endpoints on the Main Building Data VLAN and the Building 3 WLAN Data VLAN (Employee, Developer, Voice, Guest, Non-Compliant) authenticate through the switches and ISE and receive an Employee Tag, Developer Tag, Guest Tag or Non-Compliant Tag; traffic crosses a router toward a TrustSec-enabled data center (DC), a Remediation network and the Internet. The data center can be an ACI fabric: the TrustSec policy domain and the ACI policy domain (APIC) both carry the Prod server and Dev server groups.

Policy in action (matrix cells as extracted; the row and column labels did not survive extraction):
✓ X ✓ ✓
X X ✓ ✓
X X ✓ X
✓ ✓ ✓ ✓

TrustSec supports:
• Enterprise-wide, role-based access control
• Automated BYOD access control
• End-to-end regulatory and compliance requirements such as PCI and HIPAA

Page 9: Campus and Branch Segmentation

Diagram: the HQ Data Center, the Main Building Data VLAN, the Building 3 WLAN Data VLAN and the Branch 3 WLAN Data VLAN are joined by switches and a router; endpoints Employee, Developer, Voice, Building Mgmt and Non-Compliant carry the Employee Tag, Developer Tag, Building Mgmt Tag or Non-Compliant Tag; destinations are the Data center and the Internet.

Policy in action (matrix cells as extracted; labels not recoverable):
✓ X X ✓
X X X ✓
X X X X
✓ ✓ ✓ ✓

TrustSec supports:
• Role-based segmentation across multiple locations
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
• Restriction of lateral threat movement

Page 10: Data Center Segmentation

Diagram: Web Servers, Middleware Servers, Database Servers and Storage behind a switch, each tier its own security group.

Policy in action (matrix cells as extracted; the four tiers label both axes, order not recoverable):
✓ ✓ ✓ ✓
X ✓ ✓ ✓
X ✓ ✓ ✓
X ✓ X X

TrustSec supports:
• Firewall rule simplification
• Data center regulatory and compliance requirements such as PCI and HIPAA
• Server zoning
• Micro-segmentation
• Physical and virtual workload segmentation

Page 11: TrustSec-enabled functionality (section divider; repeats the page 6 framework diagram, highlighting Software-Defined Segmentation)

Page 12: Moving to Software-Defined Segmentation

Enabling a more scalable approach to security policy setting.

VLAN and ACL-based segmentation (left): users and devices (Building mgmt, Mfg. Devices) are placed in VLAN1, VLAN2 and VLAN3 and reach their destinations through per-host rules.
[Figure: a long list of per-host rules repeating the same five entries (User:Developer IP:177.22.133.9:8080, IP:122.228.76.117:80, IP:205.234.66.201:80, IP:88.149.221.35:80, IP:183.207.232.43:80) dozens of times; the rule set grows with every endpoint]

Segmentation with TrustSec (right): ISE (Policy server) holds the SGACLs. Source Security Groups (Guest, Finance, Employee, Mfg. Devices, Building mgmt) and Destination Security Groups are defined once; the relevant policy is pulled down to routers, firewalls and switches, the Security Group Tag is read by the network device and the appropriate policies are enforced. Topology-independent segmentation.

Destinations (four groups of three, as laid out on the slide): Servers (Finance, Manufacturing, IT); Internet (Social Media, HTTP, Retail); Cloud (Dev 1, Dev 2, Finance BI); Intranet (HR Portal, Remediation, Expenses).

Page 13: TrustSec-enabled functionality (section divider; repeats the page 6 framework diagram, highlighting Central management: group tag management and group policy management)

Page 14: Group Tag Management

Use security groups to denote common roles and policy requirements.

Assign role-based groups: SGT_Guest (Guest 1, Guest 2, Guest 3, Guest 4); SGT_Employee (Employee 1, Employee 2, Employee 3, Employee 4).

Establish context-aware groups: leverage attributes such as location and device type to define group assignments. SGT_Building Management (Temperature Device 1 and Temperature Device 2 reading 50°, Surveillance Device 1 and Surveillance Device 2); SGT_FinanceServer (Fin 1, Fin 2); SGT_Printers (Printer 1, Printer 2).

Get up and running quickly: utilize ISE or another TrustSec-enabled controller to support group design. Assign business-based groupings to provide consistent policy and access independent of network topology.

Page 15: Policy Management

Maintain agility with simple, dynamic policy updates.

Policy matrix: Sources (Guest, Employee BYOD, Building Mgmt., Employee) by Destinations (Company Database, Public Cloud, External Partner, Internet). Every cell starts as "Define Access" and is then filled with Permit, Deny or a narrower rule such as Deny Web Apps (the slide's filled-in cell values did not survive extraction in order).

Simplify role creation: define access policies using plain language instead of complex ACLs and firewall rules.

Maintain and scale dynamically: defining policies with logical tags means that rules don't depend on individual IP addresses and can be dynamically and transparently changed no matter the group size.

Apply rules automatically: create rules and regulate access based on logical groupings that are applied automatically.

Page 16: Centralized Management

Control your entire business on a single pane of glass.

Rule Name: Employee Access
Match Condition:
• SSID = Corporate-WiFi
• Certificate-based Authentication
• Device Status = Registered Asset
Classification: SGT_Employee

Centralized: manage segmentation and access controls for your entire business from a single location.

Simple: define access policies in ISE or locally on ASAs or Firepower appliances using plain language instead of complex ACLs and IP-based firewall rules.

Agile: make changes quickly and easily and reduce the need for costly network re-architecture.

Page 17: TrustSec-enabled functionality (section divider; repeats the page 6 framework diagram, highlighting Classification: static classification, endpoint identification, dynamic classification)

Page 18: Dynamic and Static Classification

Dynamic mechanisms (802.1X, Web Auth, MAB, Passive identity): ideal for users and mobile devices (user endpoints).

Static mechanisms (VPN, Port Profile, IP Address, VLANs, Subnets, L2 Interface, L3 Interface, Port, Application-centric): for internal IT infrastructure and topology-based policy (internal resources), and for external partners and 3rd-party connections (partner and external).

The slide assigns SGT #1 through SGT #4 across these endpoint categories, dynamic for user endpoints and static for internal resources and partner/external connections.

Page 19: Static Classification

Implement physical, location-based tagging.

Access methods: IP address, Subnets, VLANs, L2 Interface, L3 Interface, Port Profile, VPN, Application-centric [ACI].

Diagram: ISE (Policy server) with SGACLs; Security Group Tags for internal resources (Finance Server, Printers, Building Mgmt) and for partner and external connections (Partner 1).

Features:
• Physical, location-based tagging
• Used to classify endpoints when authentication isn't available
• Based on hardware aspects
• SGTs map to a network element rather than relying on authentication from ISE
• Classifications are then transported deeper into the network for policy enforcement

Page 20: Endpoint Identification: enable dynamic classification with rich context awareness

Poor context awareness: any user, any device, anywhere, can access the network, increasing risk. All that is known is IP Address 192.168.1.51; Who, What, When, Where, How, Vulnerability, Threat and Compliance are all Unknown ("Bob???").

Strong context awareness: the right user, on the right device, from the right place, is given appropriate access. ISE (or a 3rd-party controller) combines vulnerability data, web data, threat data and event logs to produce:
• Who: Bob
• What: Tablet
• When: 11:00 AM EST on April 10th
• Where: Building 200, 2nd floor
• How: Wireless
• Compliance: Yes
• Threat: Distracting
• Vulnerability: CVSS score of 6

With ISE and TrustSec, gain:
• Better visibility through richer contextual information
• Increased visibility into threats and vulnerabilities
• Reduced impact of a potential breach and accelerated remediation

Page 21: Dynamic Classification: authenticate endpoints and assign SGTs

Scenario: Finance Employee Access
Finance Employee SGT characteristics:
• SSID = Corporate-Wifi
• Role-based authentication
• Device Status = Registered Asset
• AD Group = Finance Employee
Classification: SGT_Finance
Policies: Finance server, Remediation portal, Finance BI, Development servers

Features:
• Authentication methods for dynamic classification include 802.1X, Web Authentication, MAC Auth. Bypass and Passive Identity [AD]
• SGTs are assigned based on authenticated endpoint characteristics
• SGTs are then transported throughout the network for policy enforcement
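The classification step on pages 16, 19 and 21 is an ordered list of rules over session attributes: the first rule whose conditions all hold assigns the tag, and endpoints that cannot authenticate fall back to a static binding. The following Python model is an added example written for this page, not Cisco or ISE code. It takes the "Finance Employee Access" and "Employee Access" rules from the slides; the SGT numbers, the Guest rule, the VLAN fallback, the Session attribute names and the sample sessions are all constructed here.

```python
"""Dynamic classification: turn an authenticated session into an SGT, first matching rule wins.

Added example, not Cisco/ISE code. SGT numbers, the Guest rule, the VLAN fallback and the
Session attribute names are constructed; only the rule conditions come from the slides.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the access device and the policy server know about one authenticated endpoint."""
    user: str
    ip: str
    auth_method: str                    # "802.1X", "WebAuth", "MAB" or "PassiveID" (the slide's four)
    ssid: Optional[str] = None          # None for wired sessions
    eap_type: Optional[str] = None      # e.g. "EAP-TLS" for page 16's certificate-based authentication
    device_registered: bool = False     # "Device Status = Registered Asset"
    ad_groups: FrozenSet[str] = frozenset()
    posture: str = "unknown"            # "compliant", "non-compliant" or "unknown"
    vlan: Optional[int] = None          # used only by the static fallback


# Constructed tag numbers; only the group names appear on the slides.
SGT = {"Unknown": 0, "Employee": 4, "Finance": 5, "Guest": 6, "Non-Compliant": 7, "Building Mgmt": 8}

Rule = Tuple[str, Callable[[Session], bool], str]

# Ordered like an authorization policy: the first rule whose condition holds assigns the tag.
DYNAMIC_RULES: List[Rule] = [
    # Posture is checked first so a failed compliance check beats any role match.
    ("Non-Compliant", lambda s: s.posture == "non-compliant", "Non-Compliant"),
    # Page 21: Corporate-WiFi, role-based (802.1X assumed) auth, registered asset, AD group Finance Employee.
    ("Finance Employee Access",
     lambda s: (s.ssid == "Corporate-WiFi" and s.auth_method == "802.1X"
                and s.device_registered and "Finance Employee" in s.ad_groups),
     "Finance"),
    # Page 16: Corporate-WiFi, certificate-based authentication, registered asset.
    ("Employee Access",
     lambda s: (s.ssid == "Corporate-WiFi" and s.auth_method == "802.1X"
                and s.eap_type == "EAP-TLS" and s.device_registered),
     "Employee"),
    # Constructed guest rule: web authentication on an assumed guest SSID.
    ("Guest Access", lambda s: s.auth_method == "WebAuth" and s.ssid == "Guest-WiFi", "Guest"),
]

# Static fallback for endpoints that cannot authenticate (page 19): VLAN to SGT. Constructed values.
STATIC_VLAN_SGT = {30: "Building Mgmt"}


def classify(session: Session) -> Tuple[str, int]:
    """Return (rule or binding that matched, SGT).

    Unmatched sessions get SGT 0 (Unknown) so the policy matrix decides what an unclassified
    endpoint may reach; a role tag is never handed out by default.
    """
    for name, condition, group in DYNAMIC_RULES:
        if condition(session):
            return name, SGT[group]
    if session.vlan in STATIC_VLAN_SGT:
        return f"static vlan {session.vlan}", SGT[STATIC_VLAN_SGT[session.vlan]]
    return "no match", SGT["Unknown"]


if __name__ == "__main__":
    # Constructed sessions: a finance user on a registered laptop, and the same user on a personal device.
    finance = Session("alice", "10.1.100.98", "802.1X", ssid="Corporate-WiFi", eap_type="EAP-TLS",
                      device_registered=True, ad_groups=frozenset({"Finance Employee"}), posture="compliant")
    byod = Session("alice", "10.1.100.99", "802.1X", ssid="Corporate-WiFi", eap_type="PEAP",
                   device_registered=False, ad_groups=frozenset({"Finance Employee"}))
    for s in (finance, byod):
        print(s.user, s.ip, classify(s))
```

The second sample session is the case worth noticing: the same AD user on an unregistered device matches neither the Finance nor the Employee rule and ends up with SGT 0, which is the intended outcome of requiring "Device Status = Registered Asset" rather than the group membership alone. Rule order also matters: moving the posture rule below the role rules would let a non-compliant finance laptop keep SGT_Finance.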

Page 22: TrustSec-enabled functionality (section divider; repeats the page 6 framework diagram, highlighting Propagation: inline tagging or a policy plane over SXP or pxGrid)

Page 23: Inline Tagging: carrying Security Group Tag metadata in the data plane

• Simple and scalable where devices support inline tagging in hardware
• SGT information stays with the traffic

Propagation options: Cisco MetaData (CMD) over Ethernet, MACsec, IPsec, DM-VPN, GET-VPN. Future: VXLAN (with DNA), NSH.

Supporting devices: Catalyst switches, WLAN controllers, Nexus switches, Integrated Service Routers, Industrial Ethernet Switches, ASR 1000, ASA 5500-X, Firepower Threat Defense.

Diagram: branches exchanging inline-tagged traffic, with untagged segments and ISE shown alongside.

Page 24: Where does the Security Group Tag reside?

Ethernet frame: Destination MAC | Source MAC | 802.1Q | ETHTYPE | CMD | PAYLOAD

Cisco MetaData (CMD): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options

Dynamic Classification (dynamically classified endpoints): 802.1X Authentication, Web Authentication, MAC Auth. Bypass, Passive identity [AD].

Static Classification (statically classified endpoints): IP Address, Subnets, L2 Interface, L3 Interface, Port Profile, Port, VLANs, VPN, Application-centric [ACI]. This is the common classification for servers, topology-based policy, etc.
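The slide gives the layout of the inline tag but not the byte widths. The following Python encoder/decoder is an added example for this page, not Cisco code: the field order (EtherType, Version, Length, SGT option type, SGT value, then the encapsulated EtherType) is the slide's; the EtherType value 0x8909 and the one-byte Version, one-byte Length, two-byte option type and two-byte SGT value follow the public Wireshark CMD dissector; the reading of Length as the number of 4-byte option words is an assumption to check against a capture from your own switches. The MACs, SGT and payload are constructed.

```python
"""Cisco MetaData (CMD) inline tag: build an Ethernet frame that carries an SGT and parse it back.

Added example, not Cisco code. EtherType 0x8909 and the field widths follow the public
Wireshark dissector; the Length semantics (4-byte option words) is an assumption.
"""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100      # 802.1Q tag
ETHERTYPE_CMD = 0x8909       # Cisco MetaData
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001         # "SGT Opt Type" on the slide
CMD_LEN_WORDS = 1            # one 4-byte option (type + value) follows Version/Length; assumed


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst_mac: str, src_mac: str, sgt: int, payload: bytes,
                inner_ethertype: int = ETHERTYPE_IPV4, vlan: Optional[int] = None) -> bytes:
    """DMAC | SMAC | [802.1Q TPID+TCI] | 0x8909 | Ver | Len | OptType | SGT | inner EtherType | payload."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)      # PCP/DEI left at zero
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LEN_WORDS, CMD_OPT_SGT, sgt)
    frame += struct.pack("!H", inner_ethertype)
    return frame + payload


def parse_frame(frame: bytes) -> dict:
    """Walk DMAC/SMAC, an optional 802.1Q tag and an optional CMD header; sgt is None without CMD."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, vlan, sgt = 12, None, None
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + 6:
            raise ValueError("truncated CMD header")
        version, length, opt_type, value = struct.unpack_from("!BBHH", frame, off)
        if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
            raise ValueError(f"unsupported CMD version {version} / option {opt_type:#06x}")
        if len(frame) < off + 2 + 4 * length + 2:
            raise ValueError("truncated CMD options")
        sgt = value
        off += 2 + 4 * length                      # Version+Length, then the option words
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "sgt": sgt, "ethertype": ethertype, "payload": frame[off:]}


if __name__ == "__main__":
    # Constructed: the first bytes of an IPv4 header stand in for the payload.
    ip_payload = bytes.fromhex("45000014000040004006")
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 50, ip_payload, vlan=100)
    print(frame.hex())
    print(parse_frame(frame))
```

The parser is deliberately strict: an unknown Version or option type raises rather than being skipped, because a tag you cannot interpret should not silently become "no tag". The operational caveat is the mirror image of the slide's "SGT information stays with traffic": the tag is only as trustworthy as the port it arrived on. A switch should honour an inline SGT only on links explicitly configured as trusted (on IOS, the `trusted` keyword under `cts manual`), and overwrite it with the port's own static or authenticated tag everywhere else; otherwise any host that can emit an 0x8909 frame chooses its own role.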

Page 25: Propagate SGTs over any IP network

Control plane options: SXP and pxGrid.

SXP IP-SGT Binding Table:
IP Address     SGT   SRC
10.1.100.98    50    Local

SXP:
• SXP connections are enabled quickly and easily
• No hardware dependencies
• Uses TCP as the transport protocol
• Propagates bindings from ISE or access-layer devices to any enforcement point

pxGrid:
• Security appliances subscribe to the TrustSec topic in pxGrid
• SGT bindings are shared via pxGrid, including to ecosystem vendor products

Diagram: ISE generates IP-SGT mappings and sends them to SXP peers and pxGrid peers; the peers shown are Router 1, Router 2, Router 3, Switch 1 (a non-inline-capable switch), a Firepower NGFW and a WSA in front of the web (www).

Page 26: TrustSec-enabled functionality (section divider; repeats the page 6 framework diagram, highlighting Enforcement and threat defense)

Page 27: Policy distribution: ensure global security infrastructure is always updated

Global policy deployment: policy follows the mobile user to any location where they join the network.

Automatic updates: policies are available globally as soon as updates are made by the administrator.

Diagram: ISE (Policy server) pushes the same per-role SGACL sets to Location 1, Location 2 and Location 3 in Country 1 and to Location 1 in Country 2. Finance Employee, Developer and Auditor each receive their own set, for example Deny_Malware, Permit_Voice and Permit_Video, with Deny_Video in place of Permit_Video where the role does not get video.

Page 28: Enforce policy across your organization

Grant instant access to those who need it, when they need it. Streamline the authentication process at the switch level and enable instant access to destinations, while ensuring rock-solid security of sensitive information.

Endpoint characteristics (Finance Employee):
• SSID = Corporate-WiFi
• Role-based authentication
• Device Status = Registered Asset
• AD Group = Finance Employee
Classification: SGT_Finance

ISE then applies the SGT Finance policy to each destination group: IT servers, Limited Access; Internet, Limited Access; Cloud, Access Granted; Company Intranet, Limited Access.

Destinations: Servers (Finance, Manufacturing, IT); Internet (Social Media, HTTP, Retail); Cloud (Dev 1, Dev 2, Finance BI); Intranet (HR Portal, Remediation, Expenses).

Page 29

Enforce policy using Security Groups

Enforcement

Security Group Access Control Lists (SGACLs) enable you to:

• Use SGTs instead of IP addresses to enforce policy at wire speed

• Consolidate access control entries

• Reduce maintenance complexity associated with traditional access lists

• Create policies that are IP version agnostic, unidirectional, and stateless

Control access with less maintenance

Example SGACL, Permit_Mail Traffic:

    permit tcp dst eq 110
    permit tcp dst eq 143
    permit tcp dst eq 25
    permit tcp dst eq 465
    permit tcp dst eq 585
    permit tcp dst eq 993
    permit tcp dst eq 995
    deny all log

Page 30

Enforce policies at the firewall using Security Groups

Simplifying & Automating Firewall Policies

Security Group Firewall enables you to:

• Manage assets at the group level, and reuse security groups to simplify firewall rules

• Write security policies in plain language

• Use security groups in conjunction with IP addresses for increased flexibility

• Invoke IPS inspection based on traffic coming from one security group and going to another

Streamline firewall rule creation and provisioning

[Diagram: the firewall uses the destination SGT received from network devices; SGTs are defined in ISE or locally defined on Cisco security appliances.]

Page 31

Enforce policy at a granular level even within the same role/same VLAN

Micro-segmentation

• Stop malware from spreading to other users within the VLAN

• Prevent members with the same SGT from establishing inappropriate peer-to-peer connections

[Diagram: a router and switches connect Developer 1, Finance Employee 1, Auditor, Developer 2 and Finance Employee 2 across the Main Building VLAN, Building 2 VLAN and Building 3 VLAN, with endpoints tagged SGT_Developer or SGT_Finance. Destinations: Servers (Finance, Manufacturing, IT) and Intranet (HR Portal, Remediation, Expenses). The policy matrix has source rows Finance Employee, Developer and Auditor against the same destination columns; every cell applies AntiMalware and Permit_Voice, and in reading order the cells carry Permit_Video except Finance Employee to Finance Employee, Finance Employee to Auditor, Developer to Auditor and Auditor to Finance Employee, which carry Deny_Video.]

Page 32

Restrict access using context-aware threat detection

Threat Defense

• Isolate threats: prevent lateral threat movement by quickly containing them with threat identification and remediation policies

• Automate threat response: use the security infrastructure to detect threats and automatically apply quarantine policies

• Remediate quickly: direct the infected user to a remediation portal for rapid remediation

[Diagram: before the alert, a Finance Employee carrying SGT Finance has Limited Access to IT servers, Limited Access to the Internet, Access Granted to Cloud and Limited Access to the Company Intranet. Firepower Management Center (security sensor) raises "Alert: Painful Threat Score" to ISE, which reclassifies the endpoint to SGT_Suspicious. After the alert: IT servers Access Denied, Internet Access Denied, Cloud Access Denied, Company Intranet Limited Access (the Remediation portal). Destinations: Servers (Finance, Manufacturing, IT), Internet (Social Media, HTTP, Retail), Cloud (Dev 1, Dev 2, Finance BI), Intranet (HR Portal, Remediation, Expenses).]
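Added example, not from the Cisco deck: a toy model of the SGACL enforcement from page 29 and the quarantine reclassification from page 32. The SGT names, the matrix cells, the endpoint name and the Deny_All/Permit_Any SGACLs are constructed for illustration; the Permit_Mail ACEs are the ones the deck shows.

```python
"""Added example (not from the Cisco deck): a toy model of TrustSec enforcement.
SGACLs key on (source SGT, destination SGT, protocol, destination port): no IP
addresses, unidirectional, stateless. SGT/SGACL names below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, Optional[int], bool]  # (action, proto, dst_port, log)
ACE = re.compile(r"(permit|deny)\s+(tcp|udp|ip|all)(?:\s+dst\s+eq\s+(\d+))?(\s+log)?")

def parse_sgacl(text: str) -> List[Rule]:
    """Parse ACE lines in the deck's 'permit tcp dst eq 110' / 'deny all log' style."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        m = ACE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparseable ACE: {line!r}")
        action, proto, port, log = m.groups()
        rules.append((action, proto, int(port) if port else None, bool(log)))
    return rules

def evaluate(rules: List[Rule], proto: str, dport: int) -> Tuple[str, bool]:
    """First matching ACE wins; nothing matching falls through to an implicit deny."""
    for action, rproto, rport, log in rules:
        if rproto in ("ip", "all", proto) and (rport is None or rport == dport):
            return action, log
    return "deny", False

class PolicyServer:
    """Stand-in for ISE: endpoint-to-SGT classification plus the SGT policy matrix."""
    def __init__(self) -> None:
        self.sgacls: Dict[str, List[Rule]] = {
            "Permit_Mail": parse_sgacl(  # the deck's Permit_Mail Traffic ACEs
                "permit tcp dst eq 110\npermit tcp dst eq 143\npermit tcp dst eq 25\n"
                "permit tcp dst eq 465\npermit tcp dst eq 585\npermit tcp dst eq 993\n"
                "permit tcp dst eq 995\ndeny all log"),
            "Deny_All": parse_sgacl("deny all log"),
            "Permit_Any": parse_sgacl("permit all"),
        }
        # Matrix cell (source SGT, destination SGT) -> SGACL name; no cell means deny.
        self.matrix: Dict[Tuple[str, str], str] = {
            ("Finance", "Servers"): "Permit_Mail",
            ("Suspicious", "Servers"): "Deny_All",
            ("Suspicious", "Remediation"): "Permit_Any",  # remediation portal only
        }
        self.sgt_of: Dict[str, str] = {"finance-laptop": "Finance"}  # dynamic classification
    def quarantine(self, endpoint: str) -> None:
        """On a sensor alert, reclassify the endpoint to the Suspicious SGT."""
        self.sgt_of[endpoint] = "Suspicious"
    def decide(self, endpoint: str, dst_sgt: str, proto: str, dport: int) -> Tuple[str, bool]:
        acl = self.matrix.get((self.sgt_of[endpoint], dst_sgt))
        return evaluate(self.sgacls[acl], proto, dport) if acl else ("deny", False)
```

Because the decision never looks at an IP address, the same endpoint's access changes the moment its SGT changes, with no ACL rewrite on any switch, router or firewall.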

Page 33

TrustSec-enabled functionality

[Diagram: an SGT-enabled network built from three functions, with Security Group Tags at the centre.]

• Classification: static classification, endpoint identification, dynamic classification (endpoint side)

• Propagation: inline tagging (many options) and a policy plane (SXP or pxGrid)

• Enforcement: switch, router, firewall; threat defense

Group tag management and group policy management provide central management, software-defined segmentation, support for a heterogeneous environment, and open technology.

Page 34

With TrustSec's unique functionality

Segmentation Simplified

• Simplify access management with access based on business role

• Achieve consistent policy anywhere and control centrally

• Speed up security administration and server onboarding

Page 35

Thank you