Abstract
This session provides an overview of the Cisco TrustSec solution for Enterprise network segmentation and Role-Based Access Control. TrustSec allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. We will cover the TrustSec solution on the Catalyst, Nexus Switching and Routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on the deployment use cases in campus, data centre & branch networks. The session covers an architectural overview of TrustSec and the benefits of role based policies, elements of the solution such as user identification with 802.1x, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control List (SGACL). This session is for Network and Security Architects, Pre-Sales Engineers and Technical Decision Makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.
TrustSec or related sessions
BRKSEC-2026 - Network as a Sensor and Enforcer
Matthew Robertson - Wednesday 9 Mar 2:30 PM - 4:00 PM – 208
BRKCRS-2891 - Enterprise Network Segmentation (with Cisco TrustSec)
Hariprasad Holla - Wednesday 9 Mar 4:30 PM - 6:00 PM – 203
BRKSEC-2690 - Deploying Security Group Tags
Kevin Regan - Wednesday 9 Mar 4:30 PM - 6:00 PM – 208
BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec
Hosuk Won - Thursday 10 Mar 8:30 AM - 10:30 AM – 208
BRKSEC-3690 - Advanced Security Group Tags
Kevin Regan - Friday 11 Mar 8:45 AM - 10:45 AM – 105
BRKACI-2504 - Cisco Security on ACI - Microsegmentation, ASA, FirePOWER
Brenden Buresh - Friday 11 Mar 8:45 AM - 10:45 AM – 211
Tom’s Segmentation Challenge
Tom manages the network for ABC Corp. His segmentation needs:
• Line of Business
• BYOD
• Compliance
• Various segmentation needs: Employees, Contractors, Vendors, Guests, PCI Devices, across Campus and Branch
• Retain policies as the network transitions to IPv6
• Complex IP based policies
• Extend segments over Layer 3 boundaries
• VLANs need updates as topology changes
Agenda
1. Network Segmentation – The past, present and future of network segmentation
2. TrustSec Deep-dive – WHAT is Cisco TrustSec
3. Deploying TrustSec – HOW to deploy TrustSec
4. Use cases & Deployment scenarios – WHY segment the TrustSec way?
5. Key takeaways – WHEN to deploy TrustSec: Now!
Icon legend used throughout the deck: For Your Reference; Cisco Identity Services Engine; Authenticated User
Network Segmentation
(Session map: Start → Network Segmentation → TrustSec Deep-dive → Deploying TrustSec → Use-cases & Scenarios → Key Take-aways)
Traditional Segmentation is operationally heavy
Diagram: Access Layer – Aggregation Layer – Enterprise Backbone – Applications. Roles: Voice, Employee, Supplier, Guest, BYOD, Non-Compliant. VLANs: Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN. Each VLAN brings its own Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL.
Limitations of Traditional Segmentation
• Security Policy based on Topology
• High cost and complex maintenance
Classification: Static / Dynamic VLAN assignments
Propagation: Carry segment context over the network through VLAN tags / IP address / VRF
Enforcement: IP based policies. ACLs, Firewall rules
Introducing Cisco TrustSec
Diagram: Classification → Propagation → Enforcement across Employees (Directory), Switch, Wireless, Remote Access, Routers, DC Firewall, DC Switch, Application Servers and Production Servers, with ISE at the centre. Security groups shown: Employee, App_Serv, Prod_Serv (SGTs 5, 7 and 8).
Egress Policy (Source × Destination) for Employee, App_Serv and Prod_Serv: each cell is either Permit All or Deny All.
Consistent access governed by simplified policy
Diagram: campus Switches (VLAN: Data-1, VLAN: Data-2), Enterprise Backbone, Remediation Switch, Data Centre with DC Switch, Application Servers and Shared Services, and ISE. Users (Voice, Employee, Supplier, Non-Compliant) carry an Employee Tag, Supplier Tag or Non-Compliant Tag regardless of VLAN.
• DC switch receives policy for only what is connected
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic
BRKCRS-2891
The three common deployment scenarios
User to Data Centre Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments
Data Centre Segmentation
• Server zoning & Micro-segmentation
• Production vs. Development Server segmentation
• Compliance requirements, PCI, HIPAA
• Firewall rule automation
Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine
TrustSec Deep-dive (WHAT is TrustSec)
ISE controls TrustSec
• SGT: Centrally define Security Group Tags and SGT Names, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• SGACL / Name table: the TrustSec policy matrix (Security Group ACL, Sources × Destinations) to be pushed down to the enforcers via a secure channel
• 802.1X Dynamic SGT Assignment: ISE authenticates Wired/Wireless/VPN clients and assigns SGTs
• Static SGT Assignments
• NDAC (Network Device Admission Control): NDAC for a trusted domain of ‘Network Devices’; rogue device(s) are kept outside that domain
The ‘3’ TrustSec functions
Classification (Assigning SGTs): Static Assignments, Dynamic Assignments – e.g. 5 Employee, 6 Voice, 7 Partner
Propagation: Inline SGT, SXP, WAN Options
Enforcement: Security Group ACL, SG Firewall
Two ways to assign Security Group Tags
Classification points along the path: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist/Access; WLC, FW and Hypervisor SW.
Static Classification: VLAN-SGT Mapping; SVI (L3 Interface) to SGT; L2 Port to SGT; VM (Port Profile) to SGT; Subnet-SGT
Dynamic Classification: 802.1X, MAB
Routes learnt on an L3 port automatically get an SGT assignment
Example: Business Partners send route updates for 43.1.1.0/24 and 49.1.1.0/24, Joint Ventures send a route update for 17.1.1.0/24. On the DC Access switch (Hypervisor SW behind it), GigabitEthernet 3/0/1 maps to SGT 8 and GigabitEthernet 3/0/2 maps to SGT 9, so the routes learnt on each interface inherit that SGT:
IP Address      SGT  Source
========================================
11.1.1.2        2    INTERNAL
12.1.1.2        2    INTERNAL
13.1.1.2        2    INTERNAL
17.1.1.0/24     8    L3IF
43.1.1.0/24     9    L3IF
49.1.1.0/24     9    L3IF
Can apply to Layer 3 interfaces regardless of the underlying physical interface: Routed port, SVI (VLAN interface), Tunnel interface, etc.
In Nexus 1000V, SGTs can be assigned to Port Profile
• Port Profile
– Container of network properties
– Applied to different interfaces
• Server Admin may assign Port Profiles to new VMs
• VMs inherit network properties of the port-profile including SGT
• SGT stays with the VM even if moved
SGT propagation through ‘Ethernet Inline Tagging’
Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data (CMD): CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option
MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE ICV | CRC, with AES-GCM 128 bit encryption
IETF draft: http://tinyurl.com/sgt-draft
• Fastest and most scalable way to propagate SGT within LAN or Data Centre
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware
• No impact to QoS, IP MTU/Fragmentation
• L2 Frame Impact: ~20 bytes
• 16 bit field gives ~64,000 tag space
• Non-capable device drops frame with unknown EtherType
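As an added example (not code from the session), a small Python parser that shows where the SGT sits in an inline-tagged Ethernet frame and why a non-capable device drops it. The EtherTypes 0x8909 and 0x88E5 and the 16-bit SGT are from the slide; the widths of the Version, Length and SGT option fields and the version/option-type values are assumptions based on common dissector output.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data EtherType (from the slide)
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTAG EtherType (from the slide)
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1             # assumption: CMD version value
CMD_SGT_OPTION_TYPE = 1     # assumption: option type that carries the SGT


def build_cmd_frame(dst_mac, src_mac, sgt, payload, vlan=None, inner_type=ETHERTYPE_IPV4):
    """Build a constructed frame: MACs | [802.1Q] | CMD(SGT) | inner EtherType | payload.

    CMD layout assumed here: 0x8909 | Version(1) | Length(1) | SGT opt type(2) | SGT(2).
    Length is taken to count option bytes in 4-byte units (assumption); one SGT option = 1.
    The Ethernet CRC is left out, as a NIC normally strips it before a capture anyway.
    """
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    frame = bytes(dst_mac) + bytes(src_mac)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", inner_type) + bytes(payload)


def parse_frame(frame):
    """Parse as an SGT-capable switch would; returns vlan, sgt, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    result = {"dst": frame[0:6], "src": frame[6:12], "vlan": None, "sgt": None}
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == ETHERTYPE_MACSEC:
        # With MACsec on the link the CMD travels inside the protected body, so a
        # capture taken on the wire has to be decrypted (or taken behind the MACsec hop).
        raise ValueError("802.1AE frame: CMD is inside the MACsec-protected payload")
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        result["vlan"] = tci & 0x0FFF
        off += 2
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + 8:
            raise ValueError("truncated CMD header")
        version, _length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
        if version != CMD_VERSION or opt_type != CMD_SGT_OPTION_TYPE:
            raise ValueError("unsupported CMD version %d / option %d" % (version, opt_type))
        result["sgt"] = sgt
        off += 6                      # only the single SGT option is handled here
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    result["ethertype"] = ethertype
    result["payload"] = frame[off:]
    return result


def legacy_view(frame):
    """What a non-SGT-capable device sees: the first EtherType after the MAC/802.1Q headers."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_8021Q:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    if ethertype == ETHERTYPE_IPV4:
        return "forward"
    return "drop: unknown EtherType 0x%04X" % ethertype


# Constructed sample: a host tagged SGT 5 on VLAN 10 sending a minimal IPv4 header
SAMPLE_FRAME = build_cmd_frame(
    dst_mac=bytes.fromhex("0200000000aa"), src_mac=bytes.fromhex("0200000000bb"),
    sgt=5, vlan=10, payload=bytes.fromhex("45000014") + bytes(16))

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
    print(legacy_view(SAMPLE_FRAME))
```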
Out-of-band IP-SGT binding propagation through SGT Exchange Protocol (SXP)
• Propagation method of IP-SGT binding
– Propagate IP-SGT from classification to enforcement point
• Open protocol (IETF-Draft, http://tinyurl.com/sxp-draft) & ODL Supported
– TCP - Port: 64999
• Role: Speaker (initiator) and Listener (receiver)
• Use MD5 for authentication and integrity check
• Support Single Hop SXP & Multi-Hop SXP (aggregation)
• Cisco ISE 2.0 can be an SXP Speaker and Listener (SXP Aggregation)
Diagram: Switches acting as SXP Speaker send their bindings (SGT 5 → 10.0.1.2, SGT 6 → 10.4.9.5) to the SXP Listener (Switches, Routers, Firewall), which ends up with the same IP-SGT table.
SXP in action!
Scenario: a 2960X access switch and an N7K in the Data Centre are separated by the WAN. An Employee at 10.1.1.1 authenticates with 802.1X and is classified Employee = SGT-5; the Web_Server at 10.2.2.2 is SGT-10 per the Cisco ISE 2.0 TrustSec Policy. SXP carries IP-10.1.1.1 = SGT-5 and IP-10.2.2.2 = SGT-10 to the N7K, so when the packet SRC: 10.1.1.1 DST: 10.2.2.2 arrives, the N7K knows both tags.
IP-SGT Binding Table – Access Switch
IP Address      SGT  Source
========================================
172.21.1.1      2    INTERNAL
10.1.1.1        5    LOCAL
IP-SGT Binding Table – Nexus Switch
IP Address      SGT  Source
========================================
172.22.2.2      2    INTERNAL
10.2.2.2        10   SXP
10.1.1.1        5    SXP
Multiple options for SGT transport over L3 network
• Multiple options for SGT transport over non CTS Layer 3 networks
• DMVPN for Internet based VPNs
• GETVPN and OTP for private WAN
Diagram: Enterprise LAN (HR, Finance, Catalyst 6500 with SGACL, CTS Link) and Data Centre (Nexus 7000, Nexus 1000v, ISE) connected over Enterprise MPLS (GETVPN) and the Internet (DMVPN, IPSEC); branch switches and wireless sites (BYOD) carry bindings with SXP.
Ingress classification, ‘Egress enforcement’
Path: WLC5508 / Cat3850 (access) → Cat6800 → Enterprise Backbone → Nexus 7000 → Nexus 5500 / Nexus 2248 (DC access) → Web_Dir and CRM servers.
1. User authenticated and classified as Marketing (5); the packet SRC: 10.1.10.220 DST: 10.1.100.52 carries SGT: 5 across the network.
2. Destination classification in the DC: Web_Dir: SGT 20 (DST: 10.1.100.52), CRM: SGT 30 (DST: 10.1.200.100).
3. At the egress switch a FIB lookup returns the destination MAC/Port together with the destination SGT (20), and the SGACL cell is applied:
SRC \ DST        Web_Dir (20)   CRM (30)
Marketing (5)    Permit         Deny
BYOD (7)         Deny           SGACL-A
ACL: Access Control List
SGTs can be used for policies in Cisco ASA Firewall
• Use Destination SGT received from Switches connected to the destination
• Use Network Object (Host, Range, Network (subnet), or FQDN)
• SGT defined in ISE or locally defined on ASA
• Trigger IPS/CX based on SGT
More on ASA TrustSec: BRKSEC-2690 and BRKSEC-3690
TrustSec supported platforms
Platform support across the User, Switch, Router, Firewall, DC Switch, vSwitch and Server roles:
Classification:
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C/-X/-CX
Catalyst 3750-E/-X
Catalyst 3850/3650
Catalyst 4500E (Sup6E/7E) / 4500X
Catalyst 4500E (Sup8)
Catalyst 6500E (Sup720/2T)
Catalyst 6800
WLC 2500/5500/WiSM2
WLC 5760
WLC 8510/8540
Nexus 7000
Nexus 6000
Nexus 5500/2200
Nexus 1000v
ISRG2, ISR4000
ASR1000, CSR 1000v
IE2000/3000/4000
CGR 2000, CGS2500
ASA5500 (RAS VPN)
Propagation (SGT over Ethernet, SXP, WAN: GETVPN / DMVPN / IPSEC):
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C/, 3750-E
Catalyst 3560-X/3750-X
Catalyst 3850/3650
Catalyst 4500E (Sup6E)
Catalyst 4500E (Sup, 7E, 7LE, 8E)
Catalyst 4500X
Catalyst 6500E (Sup720)
Catalyst 6500/Sup2T, 6800
WLC 2500/5500/WiSM2
WLC 5760, 8510/8540
Nexus 7000
Nexus 6000
Nexus 5500/2200
Nexus 1000v
ISR G2, ISR 4000
ASR1000, CSR 1000V
IE2000/3000/4000, CGR2000, CGS2500
ASA5500
ISE
Enforcement:
Catalyst 3560-X
Catalyst 3750-X
Catalyst 3850/3650
WLC 5760
Catalyst 4500E (7E) / 4500X
Catalyst 4500E (8E)
Catalyst 6500E (2T)
Catalyst 6800
Nexus 7000
Nexus 6000
Nexus 5500/5600
Nexus 1000v
ISR G2, ISR 4000
ASR 1000, CSR 1000v
CGR2000
ASA 5500 Firewall
ASAv Firewall
Web Security Appliance
For up-to-date information visit: http://bit.ly/cisco-trustsec-matrix
Deploying TrustSec (HOW to deploy TrustSec)
Approaching a TrustSec design
Focus on the Business Problem → Use Cases can be Localised → Start with Policy Goals
• Maintain Compliance
• Protect against breach
• Complex ACLs, Firewall rule complexity
• Controlled access to Production systems or PCI Servers
• User to DC Access Control
• Secure BYOD
• Contractor Access Control
• Extranet Security
• Simplified Firewall Rule, VPN Access, ACLs or WSA rules
Starting a TrustSec design
1. Discuss assets to protect – Example: Cardholder Data, Medical Record, intellectual data
2. Classification Mechanisms – Example: Dynamic, Static, etc.
3. Policy Enforcement Points – DC segmentation (DC virtual/physical switches or virtual/physical Firewalls); User to DC access control (identify capable switches or firewalls in the path)
4. Propagation Methods – Inline Tagging, SXP, DM-VPN, GET-VPN, IPSec, OTP etc.
It all starts with ISE – Things to do in Cisco ISE for TrustSec
1. Basic infrastructure setup – Certificates, Active Directory integration, etc.
2. Create Security Group Tags to be used in the network
3. Setup Network Device Admission Control - NDAC
4. Define Authentication and Authorisation policies for Users and Devices
5. Configure SGACL & Egress Policies (if enforcing on IOS / Nexus Switches)
Security Group Tags in ISE
Define SGTs under the ‘Components’ section in the TrustSec Work Centre (from ISE 2.0).
Define all the ‘Network Devices’
The Network Devices, aka Switches, Routers, Wireless controllers, Firewalls, etc., need to be defined here. Bulk upload via CSV is possible too.
Configure additional parameters for TrustSec
In addition to the RADIUS secret, check ‘Advanced TrustSec Settings’ and ‘Use Device ID for TrustSec’, then type the device password. This ID and password need to be exactly the same as you define on the network device CLI.
Define Authorisation policies for Users and Devices
802.1X / MAB / Web Authentication policy to assign SGTs to the Users and Devices
Configure Security Group ACLs
Configure SGACLs first, to be referenced under the Egress policy later
Global Cisco TrustSec (CTS) configurations
Global AAA Configuration for all IOS Switches:
aaa new-model
!
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network cts-list group ise-group
aaa accounting dot1x default start-stop group ise-group
!
aaa server radius dynamic-author
 ! the CoA client is ISE, so its address goes here
 client <ISE_IP> server-key cisco
!
radius server ise
 address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
 pac key <PAC_Password>
!
aaa group server radius ise-group
 server name ise
!
cts authorization list cts-list
TrustSec authorisation should use the cts-list AAA servers (the ‘aaa authorization network cts-list’ method list above)
cts role-based enforcement
cts role-based enforcement vlan-list <VLANs>
For SGT policy enforcement, if the switch has to enforce access control (globally and on the listed VLANs)
Critical authentication for NDAC – when ISE is not reachable:
cts critical-authentication
cts critical-auth fallback cached|default
Fall back to cached / default policies when ISE is unreachable
More options: http://bit.ly/cisco-cts-critical-auth
(Typically) Enable 802.1X on downlink and SGT propagation on uplink
Cisco IOS Devices – Campus (Access, Agg / Core, WAN)
** Other best practice configurations applicable
Uplink: cts commands on uplink ports automatically (hidden) configure the ‘propagate sgt’ command. ‘cts manual’ – for manual configuration of (optional) MACsec on the port; ‘cts dot1x’ – for the switch to receive MACsec PMK keys from Cisco ISE.
interface <Uplink_Port>
 description ** Uplink Interface **
 switchport mode trunk
 cts manual
 ! Or:
 cts dot1x
Switch port configuration for dynamic SGT assignments:
interface <Access-port>
 switchport access vlan <Data_VLAN>
 switchport voice vlan <Voice_VLAN>
 switchport mode access
 authentication open
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab
(Optional) For static assignment of VLAN to SGT. Useful if the users or devices are static:
cts role-based sgt-map vlan-list <VLAN_IDs> sgt <SGT>
Switch ports can stay in 802.1X ‘Monitor Mode’ forever
Campus Network: Catalyst® Switches (3K/4K/6K) connect Users and Endpoints; an N7K fronts the PCI Server, Production Server and Development Server.
Monitor Mode: Irrespective of authentication status (pass/fail), endpoints get an IP address. Successful authentication gets specific SGTs and failures are classified as the ‘Unknown’ SGT.
Tagged traffic traverses the network allowing monitoring and validation that:
• Assets are correctly classified
• Traffic flows to assets are as predicted/expected
Monitor Mode policy:
SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Permit all          Permit all           Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Permit all          Permit all           Permit all
Enforcement policy once classification has been validated:
SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Deny all            Deny all             Permit all
ISE and ‘Network Device’ transact securely using PAC keys
ISE ↔ IOS switch over the RADIUS EAP FAST Channel; Environmental Data and the TrustSec Egress Policy are downloaded through it.
Switch# cts credential id C6800-001 password cisco
The switch authenticates with Cisco ISE to establish the secure EAP FAST channel.
Switch# show cts pacs
AID: 3E465B9E3F4E012E6AD3159B403B5004
PAC-Info:
PAC-type = Cisco Trustsec
AID: 3E465B9E3F4E012E6AD3159B403B5004
I-ID: C6800-0001
A-ID-Info: Identity Services Engine
Credential Lifetime: 13:12:04 UTC Jan 12 2016
PAC-Opaque:
000200B800030001000400103E465B9E3F4E012E6AD3159B403B50040006009C
000301008C3B32A200B23EF4A53D9DF79A6E4B2600000013555D348600093A80
8273497B5BB779165C75E75DDF4619CB3D4AD755949603F5488C5904CA27F13C
6FB45F333209915DCCED288FF304F8517663FD49D2D2D3EBF664300E3FD66925
A7DEB8C93570913A369280EB251091D92D90FEDA7BBD1148C7CCA8D018011F00
9A5548286430573F854DD3C9231476EE32E47B7AB7075372051BB3FD
Refresh timer is set for 12w4d
RADIUS PAC* keys are pushed by ISE. The switch uses them to talk to ISE securely.
*PAC: Protected Access Credential
Environmental Data
Switch# show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
Status = DEAD
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0-00:Unknown
2-00:TrustSec_Infra_SGT
10-00:Employee_FullAccess
20-00:Employee_BYOD
30-00:Contractors
100-00:PCI_Devices
110-00:Web_Servers
120-00:Mail_Servers
255-00:Unregist_Dev_SGT
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
The Security Group Name Table above is the SGT list defined in ISE, delivered to the IOS switch as environment data.
‘cts role-based enforcement’ – IOS switch as enforcer
ISE pushes the SGACLs (RBACLs) and the role-based permissions matrix to the switch:
Switch#show cts rbacl Permit_Email_Traffic
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4
name = Permit_Email_Traffic-40
IP protocol version = IPV4
refcnt = 1
flag = 0x40000000
stale = FALSE
RBACL ACEs:
permit tcp dst eq 110
permit tcp dst eq 143
permit tcp dst eq 25
permit tcp dst eq 465
permit tcp dst eq 585
permit tcp dst eq 993
permit tcp dst eq 995
deny all log
Switch#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
...
IPv4 Role-based permissions from group 10:Employee_FullAccess to group 10:Employee_FullAccess:
Malware_Contol_ACL-10
IPv4 Role-based permissions from group 10:Employee_FullAccess to group 30:Contractors:
Cisco_Jabber_Access-10
IPv4 Role-based permissions from group 30:Contractors to group 10:Employee_FullAccess:
Cisco_Jabber_Access-10
IPv4 Role-based permissions from group 30:Contractors to group 120:Mail_Servers:
Permit_Email_Traffic
...
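To make the egress decision concrete, the following is an added example (not code from the session) that models the three tables the enforcing switch consults: the IP-SGT binding table (longest-prefix match over LOCAL/SXP/VLAN bindings), the role-based permissions matrix with its ‘Permit IP’ default, and the RBACL ACEs in the ‘show cts rbacl’ syntax. The Permit_Email_Traffic ACEs, SGT numbers and names are from the slides; the bindings, the Block_Unknown cell and the end-of-ACL deny are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")
Ace = namedtuple("Ace", "action proto dport log")

# SGT names as shown in 'show cts environment-data'
SGT_NAMES = {0: "Unknown", 10: "Employee_FullAccess", 30: "Contractors", 120: "Mail_Servers"}

# Constructed IP-SGT binding table (prefix, SGT, source), as a switch would hold it
BINDINGS = [
    ("10.1.1.0/24", 10, "VLAN"),    # static VLAN-to-SGT mapping for the employee VLAN
    ("10.1.1.1/32", 30, "LOCAL"),   # a contractor authenticated with 802.1X on this switch
    ("10.2.2.0/24", 120, "SXP"),    # mail server subnet learnt from the DC over SXP
]

# Role-based permissions: (source SGT, destination SGT) -> RBACL name.
# Contractors -> Mail_Servers is from the slide; the Unknown cell is constructed.
PERMISSIONS = {
    (30, 120): "Permit_Email_Traffic",
    (0, 120): "Block_Unknown",
}

# RBACL bodies in 'show cts rbacl' ACE syntax (Permit_Email_Traffic is from the slide)
RBACLS = {
    "Permit_Email_Traffic": [
        "permit tcp dst eq 110", "permit tcp dst eq 143", "permit tcp dst eq 25",
        "permit tcp dst eq 465", "permit tcp dst eq 585", "permit tcp dst eq 993",
        "permit tcp dst eq 995", "deny all log",
    ],
    "Block_Unknown": ["deny all log"],
}


def lookup_sgt(ip, bindings=BINDINGS):
    """Longest-prefix match over the binding table; no binding means SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt, _source in bindings:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else 0


def parse_ace(text):
    """Parse 'permit tcp dst eq 25' or 'deny all log' into an Ace."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("bad ACE: " + text)
    dport = None
    if "dst" in tokens:
        i = tokens.index("dst")
        if tokens[i + 1] != "eq":
            raise ValueError("only 'dst eq <port>' is supported here: " + text)
        dport = int(tokens[i + 2])
    return Ace(action, proto, dport, "log" in tokens)


def evaluate(flow, bindings=BINDINGS, permissions=PERMISSIONS, rbacls=RBACLS):
    """Egress enforcement decision for one flow: (action, reason, log)."""
    src_sgt, dst_sgt = lookup_sgt(flow.src, bindings), lookup_sgt(flow.dst, bindings)
    name = permissions.get((src_sgt, dst_sgt))
    if name is None:
        # No cell configured for this pair: the slide's default is 'Permit IP-00'
        return ("permit", "default Permit IP (%d -> %d)" % (src_sgt, dst_sgt), False)
    for text in rbacls[name]:
        ace = parse_ace(text)
        if ace.proto in ("all", "ip") or ace.proto == flow.proto:
            if ace.dport is None or ace.dport == flow.dport:
                return (ace.action, "%s: %s" % (name, text), ace.log)
    # Assumption: a flow that matches no ACE is denied (the slide's ACLs end in 'deny all log')
    return ("deny", name + ": end of ACL", False)


if __name__ == "__main__":
    for f in (Flow("10.1.1.1", "10.2.2.2", "tcp", 40000, 25),
              Flow("10.1.1.1", "10.2.2.2", "tcp", 40001, 22),
              Flow("10.1.1.50", "10.2.2.2", "tcp", 40002, 25),
              Flow("192.168.9.9", "10.2.2.2", "tcp", 40003, 25)):
        print(f, "->", evaluate(f))
```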
AireOS Controllers*
* Supported on all Wireless Controllers except 7500 & vWLC
The wireless controller (e.g. 5520) assigns the SGT that Cisco ISE returns at authentication. There is no SG based enforcement locally on the controller; IP-SGT bindings are sent over SXP to enforcers / aggregators: SXP Speaker (Wireless Controller) → SXP Listener (Switch / Firewall), which applies the Sources × Destinations policy.
Overview of TrustSec support on routers
Classification: IP-to-SGT; Subnet-to-SGT; L3IF-to-SGT. No dynamic classification option.
Propagation – multiple options: SXP; inline methods: SGT over Ethernet, IPSec, DMVPN, GETVPN, EIGRP OTP / LISP
Enforcement: Zone based Firewall (ZBFW); SGT based PBR (Policy Based Routing); SGT based QoS (Quality of Service)
One command to enable SGT transport over IPSec
crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! ...........
‘crypto ikev2 cts sgt’ is the one command. Static IP->SGT mappings are configured with the CTS infrastructure CLI (cts role-based sgt-map).
SGT in IPSec: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.
IP header (Protocol Type = ESP) | ESP Header | IV | CMD | Original IP Header | Original IP Payload | Pad | Pad Length | Next Header | Authentication Tag
CMD: Next Header (IP), Len = 3, Version (0x1), Reserved; option Len (0x0), Type (1 = SGT), SGT Number (16 bits); option Len (0x1), Type (5 = PST), GETVPN Pseudo timestamp
ESP: Encapsulating Security Payload | AH: Authentication Header
‘cts sgt inline’ enables SGT transport in DMVPN sessions
Hub and spokes:
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
cts sgt inline
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
CTS infrastructure CLI to configure static IP to SGT bindings:
cts role-based sgt-map 10.10.10.1 sgt 150
cts role-based sgt-map 10.10.10.2 sgt 200
Router# show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99 RE NBMA Address: 1.1.1.99 priority = 0 cluster = 0 req-sent 44 req-failed 0 repl-recv 43 (00:01:37 ago)
TrustSec Enabled
Enable tagging on the GETVPN KS; run v1.0.5 or later on members
Key Server (KS):
crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 2
   no tag
   match address ipv4 ACL_GETVPN_NO_SGT
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT
Router# show crypto gdoi feature cts-sgt
Group Name: GETVPN
    Key Server ID       Version   Feature Supported
        10.0.5.2         1.0.5         Yes
        10.0.6.2         1.0.5         Yes
    Group Member ID     Version   Feature Supported
        10.0.1.2         1.0.2         No
        10.0.2.5         1.0.3         No
        10.0.3.1         1.0.5         Yes
        10.0.3.2         1.0.5         Yes
Group Members: if the KS is configured for tagging, Group Members must register using GETVPN software version 1.0.5 or higher to be accepted.
CTS infrastructure CLI to configure static IP to SGT bindings:
cts role-based sgt-map 10.10.10.1 sgt 150
cts role-based sgt-map 10.10.10.2 sgt 200
Zone Based Firewall
class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
...
SGT is a source criterion only in the ISR firewall; Source or Destination in ASR 1000.
Path selection based on SGT
Segment traffic to different VRFs based on context: SGT-based VRF selection and policy-based routing based on SGT. In the diagram, User A (Employee), User B (Suspicious) and User C (Guest) enter through a Router / Firewall; across the Enterprise WAN, Guest traffic lands in VRF-GUEST, Suspicious traffic goes through an Inspection Router, and Employee traffic reaches Network A.
Security example: redirect traffic from malware-infected hosts
• Contain threats
• Pass traffic through centralised analysis and inspection functions
Other example: map different user groups to different WAN services
Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)
route-map SG_PBR permit 10
 match security-group source tag 100
 set ip next-hop 172.20.100.2
route-map SG_PBR permit 20
 match security-group destination tag 150
 set ip next-hop 172.20.101.2
Quality of Service for SGTs
Different user groups can be offered different Quality of Service (QoS): critical applications get priority treatment, the non-critical class gets lower bandwidth. Diagram: Employee (10) → Router / Firewall → Enterprise WAN → Applications Router → CriticalServers (100) and NonCritical (254) in Network A.
Available Today: Cisco ISR 4K and ASR 1K with 3.17S or later
class-map employee-non_critical
 match security-group source tag 10
 match security-group destination tag 254
!
class-map employee-critical
 match security-group source tag 10
 match security-group destination tag 100
!
policy-map sg_qos
 class employee-critical
  priority percent 50
 class employee-non_critical
  bandwidth percent 25
  set dscp ef
Same policy structure for Data Centres – TrustSec on NXOS and IOS are alike
Data Centre: Web Servers, Middleware Servers, Database Servers (LOB1 DB, LOB2 DB, PCI DB, Finance DB), Storage; towards Enterprise / WAN. Classification, Propagation and Enforcement (C, P, E) apply as on IOS.
Nexus(config)# feature cts
Nexus(config)# feature dot1x
Nexus(config)# cts device-id N7K-DST1 password cisco
‘cts credentials’ are defined in global config, unlike in Exec mode in IOS
CoA for Environmental-Data and SGACL download from NXOS version 7.2*
*Earlier pushed through the cts refresh CLI over SSH, now CoA. More details here: http://bit.ly/nxos-7-2-RN
Nexus(config)# int e1/30
Nexus(config-if)# cts manual
Nexus(config-if-cts-manual)# policy static sgt 0X3
Nexus(config-if-cts-manual)# no propagate-sgt
Disable SGT propagation on ports connecting to physical servers
• SXP v1 only (IPv4-to-SGT, no loop detection)
• Nexus 5000/6000: Port-to-SGT classification only
• Nexus 9000 doesn’t support SGTs today
ISE 2.1: ‘TrustSec ACI Policy Plane Integration’
TrustSec Policy Domain (User, Switch, Router, Firewall; SGT over Ethernet, IPSec / DMVPN / GETVPN / SXP; WAN with GETVPN / DMVPN / IPSEC) and ACI Policy Domain (Data Centre: Spine / Leaf Nexus 9000, Nexus 3000, Servers).
• ISE creates matching Security Groups and Endpoint Groups
• ISE exchanges IP-SGT/EPG ‘Name bindings’ with Cisco APIC-DC
• IP-Security Group bindings (TrustSec side) and IP-ClassId, VNI bindings (ACI side) are exchanged with the network
Security Group – EPG exchange: Cisco ISE 2.1 (Security Groups and IP bindings) ↔ Cisco APIC-DC (End Point Groups (EPG) and IP bindings)
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure
More on ACI Security: BRKACI-2504 - Cisco Security on ACI; BRKACI-1003 - Introduction to ACI for Security Admins
TrustSec traffic monitoring in StealthWatch
• Highly scalable (enterprise class) collection
• High compression long term storage
• Months of data retention
NetFlow answers When, Who, Where and What; the Security Group adds more context about Who. Export the tags in the flow record:
flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...
Segmentation monitoring with StealthWatch: a custom event (rule name and description) triggers on a traffic condition matched on SGT and DGT, in both directions, successful or unsuccessful.
More on StealthWatch: BRKSEC-2026: Network as a Sensor and Enforcer
74
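The NetFlow export with the two CTS group-tag fields and the custom-event rule described above, as an added example that is not part of the deck and not StealthWatch code: it parses constructed flow records carrying source and destination SGT, names the security groups (the tag-to-name table and all sample addresses are made up), and raises a custom event on a (source SG, destination SG) pair in both directions, optionally including unsuccessful (SYN-only) attempts.

```python
# Added example, not from the Cisco Live deck: parse constructed NetFlow-style
# records that carry the CTS source/destination group-tag fields and raise a
# StealthWatch-like custom event on a (source SG, destination SG) condition.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tag-to-name mapping assumed for this example (the values are made up).
SG_NAMES = {2: "BYOD", 3: "Employee", 7: "Prod_Servers", 10: "PCI"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int
    src_sgt: int    # from 'match flow cts source group-tag'
    dst_sgt: int    # from 'match flow cts destination group-tag'
    octets: int
    tcp_flags: str  # union of TCP flags seen, "-" for non-TCP


FIELDS = ("src_ip", "dst_ip", "proto", "dst_port", "src_sgt", "dst_sgt", "octets", "tcp_flags")


def parse_flows(text: str) -> List[Flow]:
    """Parse comma-separated export lines; '#' lines are comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"bad record: {line}")
        src_ip, dst_ip, proto, dport, ssgt, dsgt, octets, flags = parts
        flows.append(Flow(src_ip, dst_ip, proto, int(dport), int(ssgt), int(dsgt), int(octets), flags))
    return flows


def sg_name(sgt: int) -> str:
    return SG_NAMES.get(sgt, f"SGT-{sgt}")


def successful(flow: Flow) -> bool:
    """A TCP flow counts as successful once an ACK was seen; other protocols always do."""
    return flow.proto != "tcp" or "A" in flow.tcp_flags


@dataclass(frozen=True)
class CustomEvent:
    name: str
    src_sg: str
    dst_sg: str
    both_directions: bool = True       # also trigger on dst_sg -> src_sg
    include_unsuccessful: bool = True  # also trigger on SYN-only / blocked attempts


def matches(event: CustomEvent, flow: Flow) -> bool:
    pair = (sg_name(flow.src_sgt), sg_name(flow.dst_sgt))
    wanted = (event.src_sg, event.dst_sg)
    if pair != wanted and not (event.both_directions and pair == wanted[::-1]):
        return False
    return event.include_unsuccessful or successful(flow)


def trigger(event: CustomEvent, flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if matches(event, f)]


def octets_by_pair(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Who talked to whom, summarised by security group instead of by address."""
    totals: Dict[Tuple[str, str], int] = {}
    for f in flows:
        key = (sg_name(f.src_sgt), sg_name(f.dst_sgt))
        totals[key] = totals.get(key, 0) + f.octets
    return totals


# Constructed sample export (not real telemetry).
SAMPLE_EXPORT = """\
# src_ip,dst_ip,proto,dst_port,src_sgt,dst_sgt,octets,tcp_flags
10.1.20.15,10.200.5.8,tcp,445,2,10,1200,S
10.1.20.15,10.200.5.8,tcp,3389,2,10,1280,S
10.200.5.8,10.1.20.15,tcp,8443,10,2,48800,SA
10.1.30.7,10.100.1.10,tcp,443,3,7,98000,SA
10.1.30.7,10.1.20.15,icmp,0,3,2,640,-
"""

BYOD_TO_PCI = CustomEvent("BYOD touching PCI", "BYOD", "PCI")

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EXPORT)
    for f in trigger(BYOD_TO_PCI, flows):
        state = "ok" if successful(f) else "attempt"
        print(f"{BYOD_TO_PCI.name}: {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto} ({state})")
    print(octets_by_pair(flows))
```

Keeping unsuccessful attempts in the event is deliberate: a SYN-only flow from BYOD to a PCI device is exactly the scan that an SGACL drops, and the drop is the evidence that segmentation is working (or, if the flow completes, that it is not).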
Use Cases & Deployment Scenarios (WHY TrustSec)
TrustSec means efficiency
Large Campus Wireless Deployment
• Large electronics device manufacturing company deploying secure Wi-Fi
• The ACL needed to scale well beyond 64 lines (more than 1,500 lines)
• TrustSec solution within the Catalyst 6500 chassis:
  WiSM2 aggregates AP traffic
  Policy enforcement on the Sup2T based on SGT
  Destination SGT values defined by IP address and subnet
• Reduced IOS static ACL management: policy is managed in the Egress Matrix
• e.g. about 500 lines of ACL allowing HTTPS are now a single SGACL line:
  permit tcp dst eq 443
Figure: Cat6500 VSS system (Sup2T and WiSM2 modules) terminating CAPWAP tunnels from the Access Points, with SXP to ISE; the Data Centre, Branch Office, Internet and campuses C and D hang off the corporate network. Subnet-to-SGT bindings shown: 10.4.150.0/24 = SGT 7, 16.34.22.0/24 = SGT 10, 10.5.1.0/24 = SGT 22, 10.39.22.0/24 = SGT 6, 10.0.0.0/8 = SGT 100 (Corporate Network). Endpoint classification: compliant corporate asset = SGT 3 (Full Access); non-compliant mobile device = SGT 2 (Limited Access).
SGACLs optimise TCAM utilisation
SGACL download only for known destinations
Figure: segmentation defined in ISE as an egress matrix with source SGTs 3, 4 and 5 and destinations Prod_Servers (SGT 7) and Dev_Servers (SGT 8). A switch with no server behind it says "I have nothing to protect" and downloads no SGACL; the switch with a server port statically classified as SGT 7 asks "I know SGT-7, is there a policy for it?" and pulls down only the policies that protect SGT 7.
interface ethernet 2/1
 cts manual
  policy static sgt 0x7
  no propagate-sgt
• TrustSec switches request policies only for the assets they protect (the destination SGTs bound on their own ports)
• Policies are downloaded and applied dynamically
• Result = software defined segmentation
Handling acquisitions / mergers or disinvestments
A secure, economical way to integrate or segment networks
Cisco on Cisco Case Study: "Technicolor has acquired Cisco's Connected Devices business"
Initiative: divest assets, including employees and properties, to Technicolor
Objective: create logical separation on the network infrastructure and provide secure resource access in a shared workspace
Solution: TrustSec segmentation based on user authentication in selected offices (Shanghai and Lawrenceville), using the global ISE deployment. Cisco users and Technicolor users share the same infrastructure; resources are grouped as Cisco Internal, Technicolor and Shared.
For details read: http://bit.ly/cisco-it-technicolor

Egress policy (source SGT in rows, destination SGT in columns):
Source SGT     Cisco Internal   Technicolor   Shared
Cisco          Permit           Permit        Permit
Technicolor    Deny             Permit        Permit
Auth-Fail      Deny             Deny          Permit
Untrusted      Deny             Deny          Permit
The NSA fact sheet 'Defending Against Destructive Malware' recommends limiting workstation-to-workstation communication: https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
Control lateral access with TrustSec
Figure: a BYOD device on the wireless segment (AP, access switch) and a PC on the wired segment, both carrying the Employee tag, behind the distribution switch. Attack sequence: (1) the BYOD device scans the PC for open ports and OS; (2) it exploits a vulnerability and the PC is compromised ('pwned'). With an Employee-to-Employee SGACL in place, the scan and the exploit traffic are dropped at the access layer.
Anti-Malware-ACL (SGACL applied to the Employee -> Employee cell):
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
Sample ACEs: the SMB entries (TCP 445 and 137-139) block Pass-the-Hash (PtH, SMB over TCP) used for lateral movement and privilege escalation. An SGACL ends with an implicit deny, so in production this list is followed by a permit ip entry for the remaining Employee-to-Employee traffic.
SGACL Policy
• Replaces Private / Isolated / Community VLAN functionality with centrally provisioned policy
• Supports mobile devices (with DHCP addresses); a statically defined IP ACL cannot support the same level of policy
• No other competitor can support this type of use case
Effective East-West traffic control at the Enterprise access
Segmenting Vendors, Guests, Employees and PCI devices in Retail Stores
Before: an SSID and a VLAN per vendor
Customer concerns
• Employees, PCI devices, vendors and guests in the branch need segmentation
• Each segment today is a VLAN and / or an SSID
• Provisioning and decommissioning vendors is a tedious task
Figure: store with a separate VLAN/SSID for Guest, BYOD, Vendor-1, Vendor-2, Vendor-3 ... Vendor-N, Store PCI and Demo; an ISR with zone-based firewall (ZBFW) and VRFs connects over the WAN to the Data Centre (WLC, servers) and the Internet. Additional VLANs/VRFs for voice, print, APs etc. are not shown.
LOB: Line of Business

After: one SSID and one VLAN for vendors
TrustSec solution
• Cisco ISE authorises each endpoint with an SGT and pushes the SGACLs to the branch Converged Access switch
• One network for all vendors, but each vendor is segmented with TrustSec
• Fewer VLANs and SSIDs to manage; provisioning and retiring vendors is now easy
Figure: the store now carries Guest, BYOD, Vendors, Store PCI and Demo, with every endpoint authenticated and authorised by Cisco ISE (employee accounts from AD, vendor and guest accounts in ISE); the ISR with ZBFW and VRFs still connects the store to the Data Centre and the Internet. Additional VLANs/VRFs for voice, print, APs etc. are not shown.
University controls IPv4 and IPv6 clients uniformly
Carry forward the policies as you transition the network from IPv4 to IPv6: TrustSec is about tags, not addresses!
• IPv6-to-SGT bindings over SXP supported from 15.2(3)E / 03.06.00E
• IPv4 and IPv6 endpoints can co-exist today and be access-controlled uniformly
CTS-C6500#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information
IP Address                              SGT  Source
========================================================
2001:DB8:100::1                         2    INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3    SXP
2001:DB8:200:0:9112:EB74:784F:E88B      4    SXP
2001:DB8:252::100                       2    INTERNAL
2001:DB8:254::10                        9    CLI
2001:DB8:254::12                        7    CLI
Figure: IPv4 and IPv6 endpoints, authenticated and authorised by ISE, on Cat3K/4K access switches that enforce SGACLs; IPv6-to-SGT bindings travel over SXP to the C6500/6800 enterprise backbone (15.2(2)E / 3.6.0E) in front of the Data Centre servers.
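The binding table above, as an added example that is not part of the deck and not Cisco code: it parses 'show cts role-based sgt-map all' style output into prefix-to-SGT bindings and resolves an address to its SGT by longest-prefix match, so a host binding learned over SXP wins over a subnet binding entered on the CLI, for IPv4 and IPv6 alike. The IPv6 rows are the ones on the slide; the IPv4 subnet and host rows are constructed.

```python
# Added example, not from the deck: parse 'show cts role-based sgt-map all'
# style output into IP/prefix-to-SGT bindings and resolve an address to its
# SGT with a longest-prefix match, for IPv4 and IPv6 alike.
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
UNKNOWN_SGT = 0  # no binding: traffic is treated as SGT 0 (Unknown)


@dataclass(frozen=True)
class Binding:
    prefix: Network
    sgt: int
    source: str  # INTERNAL, SXP, CLI, LOCAL, ...


def parse_sgt_map(output: str) -> List[Binding]:
    """Read the rows that follow the '=====' header rule; skip summary lines."""
    bindings: List[Binding] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            in_table = True
            continue
        if not in_table or not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # 'IP-SGT Active Bindings Summary', 'Total number of ...'
        addr, sgt, source = parts
        try:
            # host entries become /32 or /128, subnet entries keep their mask
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        bindings.append(Binding(net, int(sgt), source))
    return bindings


def lookup(bindings: List[Binding], address: str) -> Optional[Binding]:
    """Most specific binding covering the address, as the switch would choose."""
    ip = ipaddress.ip_address(address)
    best: Optional[Binding] = None
    for b in bindings:
        if b.prefix.version != ip.version or ip not in b.prefix:
            continue
        if best is None or b.prefix.prefixlen > best.prefix.prefixlen:
            best = b
    return best


def sgt_for(bindings: List[Binding], address: str) -> int:
    b = lookup(bindings, address)
    return b.sgt if b else UNKNOWN_SGT


def count_by_source(bindings: List[Binding]) -> Dict[str, int]:
    return dict(Counter(b.source for b in bindings))


# Constructed output: the IPv6 rows come from the deck's show command; the IPv4
# rows are made up, with one SXP host binding inside the CLI subnet 10.4.150.0/24.
SAMPLE_OUTPUT = """\
CTS-C6500#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address                              SGT  Source
========================================================
10.0.0.0/8                              100  CLI
10.4.150.0/24                           7    CLI
10.4.150.77                             3    SXP
10.5.1.0/24                             22   CLI
10.39.22.0/24                           6    CLI
2001:DB8:100::1                         2    INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3    SXP
2001:DB8:200:0:9112:EB74:784F:E88B      4    SXP
2001:DB8:252::100                       2    INTERNAL
2001:DB8:254::10                        9    CLI
2001:DB8:254::12                        7    CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 6
"""

if __name__ == "__main__":
    table = parse_sgt_map(SAMPLE_OUTPUT)
    for addr in ("10.4.150.5", "10.4.150.77", "10.9.9.9", "2001:DB8:254::10", "192.0.2.1"):
        print(addr, "->", sgt_for(table, addr))
    print(count_by_source(table))
```

An address with no covering binding resolves to SGT 0; when tracing a policy miss, check this first, because a missing or stale binding (not a missing SGACL cell) is the usual reason a flow lands in the Unknown row of the matrix.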
TrustSec reduces 'Operational Costs'
Forrester Report on 'Total Economic Impact of TrustSec': http://bit.ly/ts-forrester-report
"Cisco TrustSec enabled the organisations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime."
Push and enforce model
When an SGACL policy changes, ISE uses CoA (Change of Authorisation) to push the change to the devices that need it, rather than waiting for the devices to refresh. Currently supported on IOS switches, wireless controllers and NX-OS 7.2 and later.
Figure: ISE sends CoA to the campus network switches and, across the WAN, to the branch devices.
TrustSec for PCI scope reduction
Figure: Store ABC with POS terminals and employee workstations on the Floor 1 and Floor 2 switches, a backbone to the Data Centre (DC firewall, POS servers, PCI DB, common servers) and ISE. Authorisation with Security Group:
• Employee workstation: OS type Windows 8, user John, AD group Floor Staff, device group Nurse Workstation -> Security Group = Employee
• POS: OS type Windows 7 Embedded, user George, AD group Point-of-Sales Admin, device group POS -> Security Group = PCI Device
Access privilege is then enforced on the Security Group by the switches in the store and by the ASA firewall policy in the Data Centre, so the PCI scope shrinks to the POS devices and the PCI servers.
Verizon certifies TrustSec for PCI segmentation: http://bit.ly/pci-trustsec-report
Key Takeaways (WHEN to do TrustSec? – NOW!)
Tom's Segmentation Challenge: the IP-based ACL he maintains today
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780
access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
What Tom wants to express (source SG in rows, destination SG in columns):
Source      PCI        Web         Employee            Contractor
Employee    Deny All   Permit All  Anti-Malware-ACL    Cisco-Jabber-Access
Contractor  Deny All   Permit All  Cisco-Jabber-Access Permit All
BYOD        Deny All   Permit All  Anti-Malware-ACL    Permit All
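The egress matrices above (Tom's and the Cisco/Technicolor one), the Anti-Malware-ACL from the lateral-access slide and the 'SGACL download only for known destinations' behaviour, as one added example that is not part of the deck and not Cisco or ISE code. It parses ACEs in the SGACL syntax shown on the slides, decides a packet by source and destination security group, and lists which cells a switch pulls down when it only protects some destination groups. Assumptions are marked in the code: the trailing permit ip on Anti-Malware-ACL, the body of Cisco-Jabber-Access (not defined on the slides) and the default catch-all for pairs not in the matrix.

```python
# Added example, not from the deck: a small model of SGACL enforcement. It
# parses ACEs in the SGACL syntax shown on the slides, resolves the egress
# matrix cell for a (source, destination) security-group pair, and lists the
# cells a switch downloads when it only protects a few destination groups.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}
PortCond = Optional[Tuple[str, int]]  # (eq|lt|gt, port) or None = any port


@dataclass(frozen=True)
class Ace:
    action: str  # permit | deny
    proto: str   # ip | tcp | udp | icmp
    src: PortCond
    dst: PortCond


def parse_ace(text: str) -> Ace:
    toks = text.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"bad ACE: {text}")
    src: PortCond = None
    dst: PortCond = None
    i = 0
    while i < len(rest):
        key = rest[i]
        if key not in ("src", "dst"):
            raise ValueError(f"bad ACE: {text}")
        # 'src dst eq 445' as written on the slides: source port is any
        if i + 2 < len(rest) and rest[i + 1] in ("eq", "lt", "gt"):
            port = PORT_NAMES.get(rest[i + 2]) or int(rest[i + 2])
            cond: PortCond = (rest[i + 1], port)
            i += 3
        else:
            cond = None
            i += 1
        if key == "src":
            src = cond
        else:
            dst = cond
    return Ace(action, proto, src, dst)


def _port_ok(cond: PortCond, port: Optional[int]) -> bool:
    if cond is None:
        return True
    if port is None:
        return False
    op, value = cond
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]


def evaluate_sgacl(aces: List[Ace], proto: str, sport: Optional[int], dport: Optional[int]) -> str:
    """First matching ACE wins; an SGACL ends with an implicit deny."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if _port_ok(a.src, sport) and _port_ok(a.dst, dport):
            return a.action
    return "deny"


# Tom's egress matrix from the deck (rows = source SG, columns = destination SG).
MATRIX: Dict[Tuple[str, str], str] = {
    ("Employee", "PCI"): "Deny All", ("Employee", "Web"): "Permit All",
    ("Employee", "Employee"): "Anti-Malware-ACL", ("Employee", "Contractor"): "Cisco-Jabber-Access",
    ("Contractor", "PCI"): "Deny All", ("Contractor", "Web"): "Permit All",
    ("Contractor", "Employee"): "Cisco-Jabber-Access", ("Contractor", "Contractor"): "Permit All",
    ("BYOD", "PCI"): "Deny All", ("BYOD", "Web"): "Permit All",
    ("BYOD", "Employee"): "Anti-Malware-ACL", ("BYOD", "Contractor"): "Permit All",
}

ANTI_MALWARE_ACL = [
    "deny icmp", "deny udp src dst eq domain", "deny tcp src dst eq 3389",
    "deny tcp src dst eq 1433", "deny tcp src dst eq 1521", "deny tcp src dst eq 445",
    "deny tcp src dst eq 137", "deny tcp src dst eq 138", "deny tcp src dst eq 139",
    "deny udp src dst eq snmp", "deny tcp src dst eq telnet", "deny tcp src dst eq www",
    "deny tcp src dst eq 443", "deny tcp src dst eq 22", "deny tcp src dst eq pop3",
    "deny tcp src dst eq 123",
    "permit ip",  # assumed trailing entry; without it the implicit deny drops everything else
]
SGACLS: Dict[str, List[Ace]] = {
    "Anti-Malware-ACL": [parse_ace(a) for a in ANTI_MALWARE_ACL],
    # Cisco-Jabber-Access is not defined on the slides; this body is constructed.
    "Cisco-Jabber-Access": [parse_ace(a) for a in
                            ("permit tcp dst eq 5222", "permit udp dst gt 16383", "deny ip")],
    "Permit All": [parse_ace("permit ip")],
    "Deny All": [parse_ace("deny ip")],
}
DEFAULT_CELL = "Permit All"  # assumed catch-all for pairs not in the matrix


def decide(src_sg: str, dst_sg: str, proto: str,
           sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    cell = MATRIX.get((src_sg, dst_sg), DEFAULT_CELL)
    return evaluate_sgacl(SGACLS[cell], proto, sport, dport)


def policies_for_switch(protected: FrozenSet[str]) -> Dict[Tuple[str, str], str]:
    """A switch only pulls down the cells whose destination SG is bound on one of its ports."""
    return {pair: name for pair, name in MATRIX.items() if pair[1] in protected}


if __name__ == "__main__":
    print(decide("Employee", "Employee", "tcp", 51000, 445))   # deny  (PtH path blocked)
    print(decide("Employee", "Employee", "tcp", 51000, 8443))  # permit (falls through)
    print(policies_for_switch(frozenset({"PCI", "Web"})))
```

The model makes two properties of SGACLs visible that the matrix alone hides: evaluation is first-match with an implicit deny, so the order of ACEs and the presence of a trailing permit ip decide what "Anti-Malware-ACL" actually allows; and a switch whose ports carry only Web and PCI destinations needs six cells, not twelve, which is what keeps the TCAM footprint small.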
Tom is happy with Cisco TrustSec
Tom manages the network for ABC Corp. His lines of business (Employees, Contractors, Vendors, Guests and PCI devices), BYOD compliance and the move to IPv6 all need segmentation, in the Campus and in the Branch.
His needs: various segmentation needs; extend segments over Layer 3 boundaries; retain policies as the network transitions to IPv6.
With VLANs: complex IP-based policies that need updates as the topology changes.
With TrustSec SGTs (remember, TrustSec is about 'tags', not IP!):
• TrustSec decouples segmentation from topology
• Simple tag-based policies
• Policy automation leading to fewer updates
Gartner on TrustSec (http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec)
"logical source and destination security groups are more flexible, are easier to maintain and reduce runtime overhead in the network's switching fabric."
"There is much to like about Cisco's ambitious and innovative initiative…."
"Cisco has made great strides in integrating support for the TrustSec framework across its product lines"
"Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs"
"Reduction in ACL Maintenance, Complexity and Overhead"
Make a Choice!
About 100 years after a crank was required to start a car, modern batteries can now start many cars using just a button. Traditional segmentation methods are the crank; segmenting using TrustSec is the button.
Visit www.cisco.com/go/trustsec to know more
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– At any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration