Identity aware networking using Cisco TrustSec

With all the fanfare surrounding the recent Nexus 7000 release I think many people have missed a significant new development in Cisco’s security portfolio. That new development is Cisco TrustSec. TrustSec takes the classic notion of access control based source and destination ip:ports and replaces it with a role and resource based methodology that fits quite nicely with security requirements driven by information assurance groups. It also brings link security on certain platforms using the 802.1ae protocol that encrypts high speed links at line rate without taking a performance hit.

Cisco TrustSec starts at the edge by negotiating a secure link if both hosts support it (802.1ae). This is similar to wireless encryption schemes, where a secure handshake is established and the L2 path become impervious to sniffing. This is user configurable, and to my knowledge the ASICs available to support line rate encryption are currently only on the Nexus 7000 blades.

The next step is to start 802.1x negotiations. For the people not familiar with 802.1x, it is a way of passing username / password information from your computer up into the network infrastructure. Once this is completed, the switch can not only utilize tools like NAC to place you into the appropriate quarantine, or access VLANs, but it also knows your identity.

Now the “network” is aware of your identity, a new level of granular security control can be deployed across your infrastructure. These security policies can map into “user x can connect to webserver y” instead of being restricted by IP and port. This allows you to utilize true roles based administration similar to what you use in your Windows and Unix file systems, but now you can do this across the network.

How is this done? I like to think of this as a mix between DSCP and MPLS tags. Which in a nutshell means that when traffic enters the network it is tagged with a small amount of additional “identity” information which is retained as it traverses the network. This information can be used to augment or completely replace your current ACL based security controls in a way that enables you to more effectively comply with complex regulatory environments such as PCI, SOX, GLBA and HIPAA.

Over the past few years we have learned how to leverage intelligence in the network by utilizing tools like QoS, MPLS VPNs, and many others. Expect to add Cisco TrustSec to your quiver of tricks to address the ever growing compliance needs faced by today’s network designers.

Learn more about Cisco TrustSec