TrustSec: The network as Security enforcer (Cisco)

This post contains my notes on the Cisco webcast titled “The Network as Security Enforcer”. The webcast was broadcast on June 30th 2015.

The network can be leveraged as an attack detector, or a security enforcer. It can be configured to watch out for threats and, if an attack occurs, it can protect itself from future threats.

To be able to prevent attacks, we must see network traffic by device and by user. We must see what type of traffic is crossing our network.

What can the network do for us?

  • detect anomalous traffic flows
  • detect application usage and access policy violations
  • detect rogue devices, APs and others

What tools can we use to detect that?

  • Netflow:
    • can be leveraged as a forensics tool. Netflow collects raw data that can contain attack signatures. Use Netflow to establish the normal behaviour of the network
    • can be coupled with ISE to answer questions such as “who?, what?, when?,…”
  • Lancope StealthWatch: provides alarming and notifications
  • TrustSec

What can the network do to enforce security?

  • Leverage network segmentation to contain attacks (with TrustSec and ISE)
  • Apply access policy based on the role, not the type of access
  • Encrypt the traffic to protect data in motion
  • Secure the branch for direct internet access

We will focus on TrustSec for the remainder of the post.

TrustSec

  • Allows you to define identity-based, software-defined segmentation
  • Unified policies across the enterprise

The network can behave as a sensor: it can detect unexpected network activity through TrustSec+ISE+Lancope. The network administrator will be alerted for further investigation.

How to enable software-defined segmentation with TrustSec?

  • Network segmentation can contain an incident when it happens
  • Traditional segmentation is done with L2 VLANs. With TrustSec, however, it is possible to control communication within a VLAN by defining Security Group Tags (SGTs). SGTs can be exchanged over Ethernet or the WAN. In heterogeneous environments (not 100% Cisco devices), SGTs are exchanged with SXP (Security Group Tag Exchange Protocol)
Figure 1: Segmentation with TrustSec – © Cisco

Why are customers deploying it?

  • To mitigate risk: to prevent lateral movement of threats (i.e. propagation of the malware to other hosts) and privilege escalation
  • Ability to re-write security rules based on logical groups and not on IP addresses or VLANs, which increases Security Operations (SecOps) efficiency
  • TrustSec facilitates compliance with corporate policies
  • Traditional security policies are written in access-list style. TrustSec policies are in a matrix-like style and are independent of the platform: routers, switches, firewalls…
Figure 2: Traditional vs TrustSec security policies – © Cisco
  • Switches dynamically download TrustSec security policies when needed. This type of policy enforcement occurs at line speed.
  • TrustSec can be monitored with Netflow.
  • The SGT of a suspicious host can be changed, which changes its access policies
  • A PCI scope can be defined in which non-PCI-compliant devices cannot communicate with PCI-compliant devices.
  • Simplicity of TrustSec group policies
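
The matrix-style policy, intra-VLAN control and SGT reassignment described in the list above can be modelled in a few lines. This is an added sketch, not Cisco code or material from the webcast: the group names, tag numbers, IP addresses and the default-deny fallback are all assumptions made for the illustration.

```python
# Toy model of group-based (SGT) policy enforcement. Added illustration:
# every group name, tag number and IP address below is constructed.
from ipaddress import ip_address

SGT = {"Employee": 10, "PCI_Server": 20, "Guest": 30, "Quarantine": 255}

# IP-to-SGT bindings, as an enforcement point might learn them (e.g. via SXP).
# The first three hosts share one subnet: the tag, not the VLAN, decides.
bindings = {
    ip_address("10.1.1.10"): SGT["Employee"],
    ip_address("10.1.1.11"): SGT["Employee"],
    ip_address("10.1.1.50"): SGT["Guest"],
    ip_address("10.2.0.5"): SGT["PCI_Server"],
}

# Policy matrix: (source SGT, destination SGT) -> action. Missing cells use
# DEFAULT, which this sketch sets to deny (an assumption of the example).
DEFAULT = "deny"
matrix = {
    (SGT["Employee"], SGT["PCI_Server"]): "permit",
    (SGT["Employee"], SGT["Employee"]): "deny",   # limits lateral movement
    (SGT["Guest"], SGT["PCI_Server"]): "deny",    # keeps guests out of PCI scope
}

def decide(src, dst):
    """Return the action for a flow, based only on the endpoints' tags."""
    s = bindings.get(ip_address(src))
    d = bindings.get(ip_address(dst))
    if s is None or d is None:
        return DEFAULT  # endpoint with no known tag
    return matrix.get((s, d), DEFAULT)

def quarantine(host):
    """Reclassify a suspicious host; no per-IP rule has to be rewritten."""
    bindings[ip_address(host)] = SGT["Quarantine"]

if __name__ == "__main__":
    print(decide("10.1.1.10", "10.2.0.5"))   # employee to PCI server
    print(decide("10.1.1.10", "10.1.1.11"))  # employee to employee, same VLAN
    quarantine("10.1.1.10")
    print(decide("10.1.1.10", "10.2.0.5"))   # same host after reclassification
```

Because rules are keyed on tags, quarantining one host changes a single binding while the matrix, and every other host's access, stays untouched.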

Hardware compatibility

A list of current hardware that supports TrustSec is given in the picture below, as of June 30, 2015.

Figure 3: List of TrustSec-supported Cisco hardware – © Cisco

To get more information about Cisco TrustSec, take a look at www.cisco.com/go/trustsec

Keywords

Threat-centered security, perimeter security, security enforcer, sensor, lateral movement of threats, Cisco TrustSec, Lancope Stealthwatch, ISE, Netflow, Attack continuum, Security Group Tag (SGT), Security Group Tag Exchange Protocol (SXP), TrustSec Group policies, PCI compliance, identity-based software-defined network segmentation
