A Special Edition Lippis Report: Cisco Launches TrustSec Expanding Network Admission Control to Role-Based Access Control
Dec 5, 2007
Today Cisco launched its TrustSec architecture to expand network security from controlling admission to controlling access to IT resources through a role-based approach. This is a significant announcement because it addresses an issue important to all public companies: compliance with the regulations and legislation issued after September 11th 2001 and in the wake of the Enron, WorldCom, et al., scandals, which have restricted corporate boards from fully developing their growth strategies. As the network is the business platform, corporate boards need confidence that their networks are in auditable conformance with applicable regulations as they develop business strategies. To that end, Cisco’s TrustSec organizes and simplifies existing authentication and policy schema, allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on the user’s role in the organization. TrustSec also provides encrypted links between end-points and servers. TrustSec is an architecture that builds upon existing network services embedded in the network infrastructure. Cisco will ship TrustSec-based products in the future, and we’ll cover those as they come. For now, I provide an in-depth view of TrustSec so you can wrap your mind around this new approach to securing IT assets.
While Network Admission Control (NAC) solutions were a huge leap forward in securing internal networks, many business and IT leaders have been demanding more. Many regulatory policy requirements, such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, Presidential Decision Directive 63 (PDD 63), the Health Insurance Portability and Accountability Act (HIPAA), and in Europe Basel II et al., require that users access only the information for which they are authorized or that they need to perform their job function. Further, depending on information sensitivity, some policies prevent information from being accessed outside of specific geographic regions, even by the same user. To get ahead of these compliance requirements, corporate boards have been demanding tools from IT providers to both comply with and demonstrate conformance to government regulations. Simultaneously, corporate boards are overseeing a workforce that is dramatically more mobile now than just a few years ago, while inter-dependencies between suppliers and partners have increased, for many on a global scale. One manifestation of these trends is that corporate headquarters offices have become hollowed out as resources have shifted toward data center and branch office facilities. As a result, more people are accessing a wider-diameter network than ever before while regulators are demanding restricted access to it. Therein lies the rub: how do business and IT leaders simultaneously continue to expand their networks and access to them while restricting access to IT assets? The answer? Role-based networking.
Access to IT assets will increasingly become role-based, meaning that an employee’s role or job function dictates his/her access to information, be it financial data, patient record data, grading data, etc. More people are coming into a corporate network via a wide variety of means, be it wired or wireless, and on different end-point devices. NAC does a good job of controlling “admission” and device posture, but once a user is in, he/she can access any IT resource. To comply with regulatory policy and support an ever-increasing network diameter, business and IT leaders need to start thinking about access to IT resources based upon the role of the user and his/her identity.
The bottom line is that layering auditable compliance requirements on top of an ever-increasing, massively distributed and connected workforce is a daunting task with existing network security solutions. In short, it can’t be done at scale. The industry needs a network security solution that delivers granularity of access and ease of administration and does not slow down business processes.
Enter Cisco’s TrustSec. Cisco just launched its TrustSec initiative, an architecture and security vision allowing corporate boards to comply with regulatory requirements without limiting or slowing down business initiatives and processes. Cisco TrustSec consists of three components:
Secure Campus Access Control: Provides an approach that simplifies the management of multiple identity and authentication mechanisms. Identity needs to be consistently obtained over various network access methods while a user’s role in the network is established. All users and devices need to be authenticated, to provide controlled access to IT applications and resources. In Cisco TrustSec, all IP-enabled entities are authenticated using a mechanism that is flexible enough to support different roles, access devices, and access methods. Administrators can select from various authentication mechanisms and identity can be mapped to roles. This role information is now available at every enforcement point in the network, making the network role-aware.
Consider that today administrators link a user identity to an IP address and then use Access Control Lists (ACLs) at the point of entry to determine where a user can and cannot go. This requires an understanding of all possible locations the user might go to and requires management across different administrative domains. This process is labor intensive, leads to ACL bloat and is difficult to change for fear of breaking something that is working. In short, this process simply does not scale. With Cisco TrustSec, Cisco has developed a Secure Tagging capability based on the IEEE 802.1X and IEEE 802.1AE standards that allows administrators to consistently identify a user’s or device’s role when they enter the network, independent of how or where they access the network. This means that administrators can shift the burden of deciding who can access what resource from the points of entry to just those places in the network where access is required.
According to Cisco its secure tags are cryptographically secure, meaning that they cannot be spoofed or altered. The tags also provide administrative control even when end-to-end crypto is being used. These tags also allow Cisco to segment network traffic by role, effectively creating routable, role-based VLANs within the campus network.
Converged Policy Framework: Provides an approach that can coordinate and converge multiple compliance and/or access policies applied once users are on the network. With many disparate authentication methods, a central policy engine is needed for converging the various regulatory compliance roles, servers and access definitions. This in turn simplifies the management of identity policies. With policy enforcement decentralized, a converged policy framework allows merging of multiple policy requirements into a single configuration on a switch or any other policy enforcement point. This ensures that network and security administrators can centralize the mapping of roles to policy. Whether the policy is applied to control access to applications or Web resources, the converged policy framework provides a simple mechanism to provision and monitor policy based on role throughout the network.
Access control policy has tended to be difficult to deal with because it is distributed across multiple owners of infrastructure. For example, one administrative group tends to control employees, another deals with contractors and consultants, and yet another with suppliers or partners. With Cisco TrustSec these policies can be converged into a centralized policy engine that communicates in a consistent manner with both a campus network infrastructure and back-end policy directories such as Active Directory, et al. From an administrator’s perspective, what this means is that a role only has to be defined once and is pervasively applied across the campus infrastructure, with access rules being applied only at those places that matter.
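To make the tagging and converged-policy argument concrete, here is an added illustration (my own example code, not Cisco’s, and not a description of any actual TrustSec implementation). An identity learned at authentication is mapped to a role tag at the ingress port, and every enforcement point then consults one small role-to-resource matrix rather than per-address ACL lines. The identities, roles, tag numbers, resources and matrix are all constructed for the example; the last two functions simply count how many entries the same policy needs in each representation.

```python
"""Role-tag enforcement versus per-IP ACLs (constructed illustration)."""
from dataclasses import dataclass

# Constructed directory lookup: authenticated identity -> role. In a
# deployment this would come from a back-end directory via the policy engine.
IDENTITY_TO_ROLE = {
    "alice": "finance",
    "bob": "engineering",
    "carol": "contractor",
}

# Constructed role -> tag mapping, assigned once at the ingress port.
ROLE_TAG = {"finance": 10, "engineering": 20, "contractor": 30, "unknown": 0}

# Constructed resource tags for servers, assigned where each server attaches.
RESOURCE_TAG = {"erp-db": 100, "source-repo": 200, "intranet": 300}

# Constructed role-to-resource policy matrix: (src_tag, dst_tag) -> permit.
# Any pair not listed is denied (default deny), so a single table serves
# every enforcement point in the network.
POLICY_MATRIX = {
    (10, 100): True,  # finance -> erp-db
    (10, 300): True,  # finance -> intranet
    (20, 200): True,  # engineering -> source-repo
    (20, 300): True,  # engineering -> intranet
    (30, 300): True,  # contractor -> intranet
}


@dataclass(frozen=True)
class Frame:
    src_tag: int
    dst_tag: int
    payload: bytes


def tag_at_ingress(identity: str) -> int:
    """Ingress behaviour: map the authenticated identity to its role tag."""
    role = IDENTITY_TO_ROLE.get(identity, "unknown")
    return ROLE_TAG[role]


def enforce(frame: Frame) -> bool:
    """Enforcement-point decision: look up the (src, dst) tag pair only."""
    return POLICY_MATRIX.get((frame.src_tag, frame.dst_tag), False)


def decide(identity: str, resource: str) -> bool:
    """End-to-end decision for one user reaching one resource."""
    src = tag_at_ingress(identity)
    dst = RESOURCE_TAG.get(resource, 0)  # unknown resource -> tag 0 -> deny
    return enforce(Frame(src, dst, b"<payload>"))


def ip_acl_entry_count(hosts_per_role: int, servers_per_resource: int) -> int:
    """Lines the same policy needs as per-address ACLs: one permit per
    allowed (client host, server host) pair, growing with every new host."""
    return len(POLICY_MATRIX) * hosts_per_role * servers_per_resource


def role_matrix_entry_count() -> int:
    """Lines the role matrix needs: one per allowed role/resource pair,
    unchanged no matter how many hosts join a role."""
    return len(POLICY_MATRIX)


if __name__ == "__main__":
    for who, what in [("alice", "erp-db"), ("bob", "erp-db"), ("dave", "intranet")]:
        print(who, "->", what, "permitted" if decide(who, what) else "denied")
    print("role matrix:", role_matrix_entry_count(), "entries")
    print("IP ACLs for 200 hosts/role, 4 servers/resource:", ip_acl_entry_count(200, 4))
```

The point of the two counters is the scaling argument in the text: adding a host to a role changes nothing in the matrix, whereas the per-address representation grows with the product of hosts and servers, which is where ACL bloat comes from.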
Pervasive Data Integrity and Confidentiality: Provides an innovative encryption scheme based upon the IEEE 802.1AE standard. Data integrity and confidentiality are ensured while data is in motion throughout a network, safeguarding against data leakage in support of regulatory requirements. Authenticated users with authorized access also need the peace of mind that their information and transactions are completely confidential. Rather than attempting to encrypt individual applications, Cisco TrustSec provides the ability to secure every link in the campus with strong encryption. A new Cisco innovation simplifies the management of each link’s encryption keys. This not only helps secure the LAN but also provides security for every application without having to retrofit and encrypt at the application layer or deploy a massive number of encryption appliances.
Maintaining the integrity and confidentiality of data is a daunting task, especially when dealing with legacy applications, where any change to old code could lead to undesirable side effects. Administrators also need to be able to balance policy control within the network and at end-points. Cisco TrustSec uses the 802.1AE standard to provide link-layer data integrity and confidentiality at 1 and 10 Gb/s while preserving the packet inspection and enforcement capabilities of mission-critical security functions such as firewalls, intrusion protection, content inspection, etc. This is accomplished via the hop-to-hop crypto features built into the 802.1AE standard, according to Cisco.
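The hop-to-hop property is what lets in-line inspection survive link encryption, and it is easiest to see in a small simulation. The following is an added example of mine, not Cisco code and not the 802.1AE cipher suite: 802.1AE specifies AES-GCM, whereas this stand-in uses HMAC-SHA256 for integrity and a SHA-256 keystream for confidentiality so that it runs on the Python standard library. Each link has its own key (the keys here are constructed; the text says Cisco manages real ones with its own mechanism), so every switch on the path removes the previous link’s protection, sees the frame in the clear, can apply policy, and re-protects it for the next link. The node names, the firewall rule and the tampering helper are all assumptions for the example.

```python
"""Hop-to-hop link protection with mid-path inspection (constructed illustration)."""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

NONCE_LEN = 12
TAG_LEN = 16

# Constructed per-link keys for the path host A -> S1 -> S2 (firewall) -> host B.
LINK_KEYS = [b"link-A-S1", b"link-S1-S2", b"link-S2-B"]
FIREWALL_NODE = 2  # node index of S2, the receiver on link 1


def _subkeys(link_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the link key."""
    enc = hashlib.sha256(link_key + b"enc").digest()
    mac = hashlib.sha256(link_key + b"mac").digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (stand-in, not AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(link_key: bytes, frame: bytes) -> bytes:
    """Wire format: nonce || ciphertext || tag, tag computed over nonce+ciphertext."""
    enc_key, mac_key = _subkeys(link_key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(frame, _keystream(enc_key, nonce, len(frame)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(link_key: bytes, wire: bytes) -> Optional[bytes]:
    """Verify the tag first; return None on any integrity failure."""
    if len(wire) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(link_key)
    nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def firewall_inspect(node: int, clear: bytes) -> bool:
    """Constructed policy at S2: drop frames whose cleartext carries the marker."""
    if node == FIREWALL_NODE and clear.startswith(b"BLOCKED:"):
        return False
    return True


def forward_path(frame: bytes, link_keys: List[bytes],
                 inspect: Callable[[int, bytes], bool],
                 tamper_on_link: Optional[int] = None) -> Tuple[str, object]:
    """Carry `frame` across the links. Node i+1 receives on link i, verifies
    with that link's key, inspects the cleartext, then re-protects for link i+1.
    Returns ("delivered", cleartext), ("dropped_by_policy", node) or
    ("integrity_failure", node)."""
    wire = protect(link_keys[0], frame)
    for link, key in enumerate(link_keys):
        node = link + 1
        if tamper_on_link == link:
            wire = wire[:-1] + bytes([wire[-1] ^ 0x01])  # flip one bit on the wire
        clear = unprotect(key, wire)
        if clear is None:
            return ("integrity_failure", node)
        if not inspect(node, clear):
            return ("dropped_by_policy", node)
        if node == len(link_keys):
            return ("delivered", clear)
        wire = protect(link_keys[link + 1], clear)
    return ("integrity_failure", 0)  # unreachable with at least one link


def deliver(frame: bytes, tamper_on_link: Optional[int] = None) -> Tuple[str, object]:
    return forward_path(frame, LINK_KEYS, firewall_inspect, tamper_on_link)


if __name__ == "__main__":
    print(deliver(b"hello"))
    print(deliver(b"BLOCKED:chat"))
    print(deliver(b"hello", tamper_on_link=2))
```

The design choice worth noticing is the trade-off the text glosses over: because each switch decrypts, the firewall at S2 can still make its drop decision, but every switch on the path holds cleartext and must itself be trusted; a bit flipped on any link is caught at the very next hop rather than only at the destination.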
Topology-Aware to Role-Aware
The three TrustSec components in essence transform an enterprise network into an identity-enabled network by increasing network intelligence beyond topology-awareness, that is, awareness of the mapping of nodes, to role-awareness. Typically networks forward traffic and administer access control policies based on IP addresses. As IP addresses are generally dynamically assigned and independent of a user’s role, administrators cannot statically configure the network for IP-based policy. User roles, on the other hand, are more static. By provisioning and enforcing policy based on roles, policy management is greatly simplified.
TrustSec builds upon Cisco’s network security investments and product portfolio. Cisco’s security offerings fall into three areas: Access Control, Policy Enforcement, and Confidentiality. Its existing identity-based networking services and NAC come under the Access Control area; Cisco is now adding the new functionality of role-based access control to this area. Policy Enforcement is comprised of firewalls and Intrusion Prevention; Cisco adds the switch policy engine, which provides the converged policy framework, to policy enforcement. Cisco’s device integrity and WAN confidentiality products are now joined by LAN confidentiality, expanding its confidentiality capability from end-points to LANs and from WLANs to WANs.
How TrustSec Works
Cisco’s architected approach to product development usually builds upon layers of existing network services embedded in the network fabric, specifically switching and routing. TrustSec does just that. For example, Application Intelligence, introduced earlier in the year on the Catalyst 6500 Supervisor 32 engine with PISA, uses deep packet inspection to determine the type of traffic moving through the network and provides identifiers that can be used to dynamically manage traffic. The Firewall Services Module, also available on the Catalyst 6500, can act on that information to enforce policies.
I would expect that these and other services will interact with Cisco secure tags to deepen security services and add value. Imagine an employee is using a recreational application such as Skype. A company’s policy may be to allow Skype during non-peak hours. To enforce this policy, the PISA engine will identify the Skype application and tag the traffic. This information is seen by the Firewall Services Module, which makes a policy determination to drop the Skype traffic during peak hours. During non-peak hours the firewall allows the Skype traffic to pass on to the internet. The Skype policy could be time-based rather than peak-traffic-based, and role-based too.
For example, consider that a company’s policy is to restrict Skype based on user role and to only certain hours of the day. Assume Sales are granted access between 6am and 8pm; however, Engineering does not have that restriction. As new members are added to the Engineering team or transition to Marketing, a password-based change management system becomes arduous for users and administrators. A more scalable and simpler-to-deploy-and-maintain approach is one that determines the role of an individual in the organization and can then dynamically grant access to the appropriate applications. So in this case the engineering employees, independent of their network access method, are able to access Skype. If someone with a different role, say Finance, attempts to access Skype outside of the defined hours, their role is determined and the policy is enforced to deny access to Skype. Clearly the application can be any IT application, not just Skype.
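The Skype scenario combines three inputs at one enforcement point: an application identifier from deep packet inspection, the user’s role, and the time of day. The following is an added example of mine (not Cisco code, and not how PISA or the Firewall Services Module actually represent these decisions) that evaluates exactly that combination. The application signatures, the role table and the time windows are constructed; Sales gets the 6am to 8pm window from the text, Engineering has no restriction, and Finance has no Skype rule at all, so the default-deny branch handles it.

```python
"""Role- and time-aware application policy (constructed illustration)."""
from datetime import time
from typing import Dict, Optional, Tuple

Window = Optional[Tuple[time, time]]  # None means no time restriction

# Constructed classifier: a byte signature per application. Real deep packet
# inspection is far richer; this stands in for the identifier attached to a flow.
APP_SIGNATURES = {b"SKYPE": "skype", b"HTTP/1.1": "http"}

# Constructed policy: role -> application -> allowed window.
# An application absent from a role's table is denied (default deny).
POLICY: Dict[str, Dict[str, Window]] = {
    "engineering": {"skype": None, "http": None},
    "sales": {"skype": (time(6, 0), time(20, 0)), "http": None},
    "finance": {"http": None},
}


def classify(payload: bytes) -> str:
    """Return the application name for a flow, or 'other' if nothing matches."""
    for signature, name in APP_SIGNATURES.items():
        if signature in payload:
            return name
    return "other"


def in_window(window: Window, now: time) -> bool:
    """True when `now` falls inside the window; handles windows that cross midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def allowed(role: str, payload: bytes, now: time) -> Tuple[bool, str]:
    """Enforcement decision plus a reason string suitable for an audit log."""
    app = classify(payload)
    rules = POLICY.get(role, {})
    if app not in rules:
        return False, f"{role}: no rule for {app}, default deny"
    if not in_window(rules[app], now):
        return False, f"{role}: {app} outside allowed hours"
    return True, f"{role}: {app} permitted"


if __name__ == "__main__":
    for role, payload, now in [
        ("engineering", b"..SKYPE..", time(23, 0)),
        ("sales", b"..SKYPE..", time(7, 0)),
        ("sales", b"..SKYPE..", time(21, 0)),
        ("finance", b"..SKYPE..", time(12, 0)),
        ("finance", b"GET / HTTP/1.1", time(12, 0)),
    ]:
        print(now.strftime("%H:%M"), allowed(role, payload, now))
```

Returning a reason alongside the verdict is deliberate: the compliance angle of the article is about demonstrating conformance, and a decision that can be logged with its role, application and window is what an auditor can actually check.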
This level of granularity of access is afforded by the centralization of policy management in the switch policy engine dictated by Cisco’s TrustSec architecture. The point of the above is that TrustSec builds upon existing and new security services embedded in the network fabric, which leverages prior investments and adds value with new service deployments. With TrustSec, Cisco can now boast that it offers a compliance solution that spans and scales an entire enterprise-wide network. TrustSec promises to deliver to Cisco customers a more operationally efficient way to manage and administer regulatory-compliant networks that allow corporations to do business in the richer and more complex environments in which we all live. In short, TrustSec allows corporate boards to expand their business strategies and networks to support mobile employees, partners, suppliers and customers while remaining in compliance with regulatory requirements.