Monday 23 December 2013

Cisco Security Group Access: An Introduction

The concept of identity-based network access (IBNA) - in essence, presenting credentials to log on to a network or a resource - is not a new phenomenon. Over the years it has evolved from access to individual applications into single sign-on (SSO) and centralized user records, using multiple authentication methods and authorization policies tailored to the user's group, the type of access and the access method.

Basically, IBNA establishes a level of confidence in a user or device based on an identity credential. Security within an organization rests on control, enforcement and predictability. The more you know about the users of the network, whether people or devices, the more comprehensive and effective the security policy can be. Implementing IBNA is a good opportunity for an organization to review, secure and optimize its network design by asking questions such as "Who are you?" and "Where are you going, and why?". Understanding the flows on the network and the resources users require is the foundation of Cisco Security Group Access (SGA), which falls under the umbrella of Cisco TrustSec. SGA offers several advantages:


1) Grants network resource access based on identity and associated policy.
2) Enhances security and control as traffic flows are more easily segmented.
3) Reduces the cost and complexity associated with large firewall policies and access-list rules.
4) Provides a mechanism for consistent and dynamic policy propagation across different platforms.
5) Enables centralized policy management and auditing per identity.

SGA is based on assigning a security group tag (SGT) to a user or device. The SGT is a 16-bit value inserted into the Cisco Meta Data (CMD) header of the Layer 2 frame; the frame can in turn be protected hop by hop with 802.1AE (MACsec). SGT assignment is known as classification. When a user is authenticated using 802.1X, MAC Authentication Bypass (MAB) or Web Authentication (WebAuth), the SGT is assigned as part of the authorization policy on the AAA server, usually Cisco Identity Services Engine (ISE). Network resources, such as infrastructure devices (routers, switches, firewalls, wireless LAN controllers (WLCs)) and services, are also assigned SGTs. Tags can also be set manually at the port level, or statically mapped to IP addresses, subnets or VLANs on individual network devices.

SGA relies on propagating SGT information to the devices that become policy enforcement points. Propagation can be done inline by hardware (ASICs) that tags each traffic flow with the SGT assigned to the user. The embedded value travels with the flow and is examined at the enforcement point.

For devices that cannot handle the embedded SGT, tag information can be propagated through the SGT Exchange Protocol (SXP), a TCP-based peer-to-peer protocol in which a "speaker" propagates IP-address-to-SGT binding information to a "listener". The listener can use this information to apply policies based on the learned SGT values. As user traffic passes through an enforcement point, the SGT it carries is matched against a security group ACL (SGACL) that was downloaded from the centralized policy store (ISE) or statically configured on the enforcing device.


SGACL policies simplify rules and reduce their complexity, as the simple example below shows.
In general, because of the syntax used to create rules based on IP addresses:
(# of sources) * (# of destinations) * (# of permissions) = # of ACEs (access control entries).
Thus four subnets that require access to three web servers using HTTP and HTTPS require:

4 * 3 * 2 = 24 ACEs.

Using SGTs, we can assign all the "users" in each subnet to one group (source), combine the three web servers into one protected group (destination), and then apply the two permits (permit HTTP, permit HTTPS) plus a catch-all action for non-conforming traffic:

1 * 1 * 3 = 3 ACEs.

Obviously, the more granular the SGT allocation, the more rules there will be, but the point is that SGTs allow a more efficient and rational grouping of resources based on role and function.
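To make the two previous ideas concrete, here is an added example (my own illustration, not code from the original post or from Cisco): a toy model of an SGA enforcement point. It holds the IP-to-SGT bindings a listener would learn from its SXP speaker (or from static mappings), classifies each flow by longest-prefix match on source and destination IP, looks up the SGACL cell for that (source SGT, destination SGT) pair, and also computes the ACE counts from the 24-versus-3 comparison above. All SGT numbers, subnets, group names and the "permit" fallback for an unpopulated cell are constructed assumptions for illustration.

```python
"""Toy model of a TrustSec/SGA enforcement point (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SGT_UNKNOWN = 0  # TrustSec reserves SGT 0 for traffic with no binding

# Constructed sample SGT numbers and names (assumptions, not from the post).
SGT_EMPLOYEES, SGT_WEB_SERVERS, SGT_QUARANTINE = 10, 20, 30

# Constructed bindings (prefix -> SGT), as a listener would learn them from an
# SXP speaker or from static IP/subnet-to-SGT mappings on the device.
SAMPLE_BINDINGS: Dict[str, int] = {
    "10.1.0.0/16": SGT_EMPLOYEES,      # the four user subnets collapse into one SGT
    "192.0.2.10/32": SGT_WEB_SERVERS,  # three web servers form one protected group
    "192.0.2.11/32": SGT_WEB_SERVERS,
    "192.0.2.12/32": SGT_WEB_SERVERS,
    "10.1.1.50/32": SGT_QUARANTINE,    # host override inside the employee range
}

# An ACE is (action, protocol, destination port or None for any port).
ACE = Tuple[str, str, Optional[int]]

# Constructed SGACL matrix keyed by (source SGT, destination SGT):
# the three-ACE cell from the HTTP/HTTPS example, plus a quarantine cell.
SAMPLE_SGACL: Dict[Tuple[int, int], List[ACE]] = {
    (SGT_EMPLOYEES, SGT_WEB_SERVERS): [
        ("permit", "tcp", 80),
        ("permit", "tcp", 443),
        ("deny", "ip", None),          # catch-all for non-conforming traffic
    ],
    (SGT_QUARANTINE, SGT_WEB_SERVERS): [("deny", "ip", None)],
}


def build_binding_table(bindings: Dict[str, int]):
    """Parse the prefixes once so lookups can do longest-prefix matching."""
    return [(ipaddress.ip_network(prefix), sgt) for prefix, sgt in bindings.items()]


def assign_sgt(ip: str, table) -> int:
    """Classify an address: the most specific binding wins, so a /32 learned
    for a quarantined host overrides the /16 covering its subnet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else SGT_UNKNOWN


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dst_port: int,
                  table, sgacl, default: str = "permit") -> str:
    """Return 'permit' or 'deny' for one flow. ACEs in a cell are evaluated in
    order, first match wins. A cell with no SGACL falls back to `default`;
    treating that as 'permit' is an assumption of this example."""
    src_sgt = assign_sgt(src_ip, table)
    dst_sgt = assign_sgt(dst_ip, table)
    for action, ace_proto, ace_port in sgacl.get((src_sgt, dst_sgt), []):
        proto_ok = ace_proto == "ip" or ace_proto == proto
        port_ok = ace_port is None or ace_port == dst_port
        if proto_ok and port_ok:
            return action
    return default


def ip_acl_ace_count(n_sources: int, n_destinations: int, n_permissions: int) -> int:
    """ACEs needed when rules are keyed by IP: one per (source, destination, permission)."""
    return n_sources * n_destinations * n_permissions


def sgacl_ace_count(n_source_groups: int, n_dest_groups: int,
                    n_permissions: int, catch_all: bool = True) -> int:
    """ACEs needed when rules are keyed by SGT pair: the permissions (plus an
    optional catch-all) once per populated cell of the matrix."""
    per_cell = n_permissions + (1 if catch_all else 0)
    return n_source_groups * n_dest_groups * per_cell


if __name__ == "__main__":
    table = build_binding_table(SAMPLE_BINDINGS)
    print(evaluate_flow("10.1.1.25", "192.0.2.10", "tcp", 443, table, SAMPLE_SGACL))  # permit
    print(evaluate_flow("10.1.1.25", "192.0.2.10", "tcp", 22, table, SAMPLE_SGACL))   # deny
    print(evaluate_flow("10.1.1.50", "192.0.2.11", "tcp", 80, table, SAMPLE_SGACL))   # deny
    print(ip_acl_ace_count(4, 3, 2), sgacl_ace_count(1, 1, 2))                         # 24 3
```

The point the model makes is that adding a fourth user subnet or a fourth web server changes only the binding table, not the SGACL cell, whereas an IP-keyed ACL would grow by another row of ACEs per permission.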

Consistent policy enforcement is achieved when SGT information is propagated and the enforcing devices apply the same policies throughout the network topology. The more policy management is centralized, and the more devices can dynamically download the rule set they enforce, the lower the chance of configuration errors arising from managing large numbers of statically defined ACEs across multiple network devices.

Migrating to an SGA solution can be done gradually. Start with classification and propagation of SGTs between Cisco devices. SXP, which uses TCP as its transport, allows tags to be propagated across devices that are not SGA-capable. This makes it easier to introduce SGA on strategic network devices such as access switches and WLCs at the edge of the network, while protecting critical resources behind, for example, Nexus switches in the core.
