Trustsec
Cisco TrustSec is a network segmentation solution, like iWAN it isn't a physical piece of kit or a protocol, but a solution. So what is the problem? Fsx scenery downloads. Typically in IP networks ACL's (Access Control Lists) are used to permit and deny access, for a small network this makes sense and typically works well. The issue with ACL's is that you are classifying traffic based on selected network interfaces, IP addresses and / or port numbers which doesn't scale very well.
An example ACL in it's simplest form would look something like this
The above ACL would typically be applied on a network interface inbound or outbound and traffic would be checked against the ACL so the decision can be made on whether the traffic can continue to be forwarded or dropped. The ACL is permitting traffic sourced from the 10.0.0.0/24 network to any host on the 172.16.1.0/24 network on port 80.
All of our users at HQ office are on the 10.0.0.0 /24 network and all of our web servers are located at DC1 on subnet 172.16.1.0 /24 so this ACL operates as expected. Happy days right? Well if our business doesn't expand then yes this will continue to work without any issues.
However if our company expands and we open some new offices this same ACL would have to be applied to routers at the new sites and we may also have to update it to add new IP ranges in. This can lead to ACL's becoming very large (I have seen ACL's in production networks with over 1000 entries) and if that ACL is applied on thousands of routers, every time we need to update that ACL we have to update it on 1000 devices.
Any organisation with thousands of devices is likely to have a change control process which involves out of hours change windows for any configuration changes on live devices so something as simple as updating an ACL is suddenly costing lots of money. Time is money.
This is where Cisco TrustSec comes in, it uses a central server (Cisco ISE - Identity Services Engine) to define network segmentation. When a user connects their device to the network ISE allocates the user a tag (SGT - Security Group Tag) based on various parameters such as Active Directory group, physical location, asset type, posture assessment etc. This alone is already a big improvement on our ACL example as we no longer have to worry about updating the ACL with new IP ranges as we expand. We no longer care what IP address the end user ends up with as we can tell what office they are based at, what device they are using and where they sit within the organisation using our existing Active Directory server.
For non-user headless devices such as IP Phones, printers, servers etc we can use MAB (Mac Authentication Bypass) to authenticate these devices.
Now that we have classified the users of our network, how do we define our security policies? It's all done within ISE, allowing the configuration on our routers and switches to remain minimal - a few lines to enable TrustSec and a few lines to enable DOT1X authentication. Everything else is done from ISE. Feeding of the 5000 crass.
Zhuyufang/Getty Images TrustSec for Identity-Based Network Security: Why and How Software-defined access helps organizations deploy network segmentation, a critical step to contain attacker reconnaissance and malware infestations. By Aaron Pratt and Dan Siebert. Is an Ottawa, ON based consulting and professional services firm. Our approach is client-centric in our offering of the following services: Converged Infrastructure Solutions delivery. Cisco TrustSec SGT Technology vs Huawei Ddkompik Created: Oct 7, 2020 12:06:53 Latest reply: Oct 7, 2020 12:51:49 168 3 0 0 Rewarded HiCoins: 0 (problem resolved).
ISE provides a matrix view of our SGT's where we can decided who can talk to who, the image below (source: cisco.com) shows an example of this.
ISE translates our matrix into SG-ACLs which get downloaded to our network devices on the fly - no more worrying about having to arrange change windows to update ACL's on thousands of devices across the estate.
I will write up further posts on enforcement and SXP (The protocol that can be used to propagate IP to SGT bindings if parts of our network are not TrustSec aware).
Please also note that this is one example of TrustSec and takes a very narrow view of it's capabilitys please refer to documentation on Cisco's website such as http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html to find out more.
Trustsec is founded by internationally recognized information security and cryptography experts. Launched in 2016, the company intends to fill the gap in the cybersecurity market, Securing data assets, and digital identity against unauthorized access, cyber-attacks, hacking, through its state of the art and innovative products and solutions.
Through Trustsec pool of experts and its business-driven innovative solutions, Trustsec offers its uniquely, in-house developed operating system for smart cards- SLCOS, a variety of products and solutions, that cover Software protection, data encryption, OTP, and security hardware namely PKI tokens and FIDO2 tokens in addition to its unique panel of professional services; of consultation, integration, testing, and outsourcing to help the other companies benefit from the latest available advances in cryptography to improve their products and services.
Trustsec Lab
TrustSec has acquired Softlock inc in 2020. This new chapter for Softlock and Trustsec is an important step for the information security field where two companies with their strengths combined will better serve the region. Working in parallel, the R&D of Softlock with accumulative 25 years of experience, and the professional supervision of Trustsec Board who steer the organization towards a successful future, the two companies will provide the best-in-class secure digital experience to the benefit of individuals, entities, and governments!
Ise Trustsec
Throughout the past 25 years, Softlock has been a leader in providing innovative information security solutions in the Middle East. Softlock has been focusing on research and development over the past 25 years. The company’s latest unique innovative solution was the smart card operating system SLCOS. With its strategy of innovation, Softlock is now developing smartcard solutions and applets that run on SLCOS to serve the different sectors under Trustsec Supervision.