Tweet

MACsec encryption has become increasing popular and important to campus network design, but previous switch performance degraded when encrypted traffic was passing through it. Here we show that the catalyst 6500 does not suffer a performance degrade while MACsec traffic is passing through it. We tested the Catalyst 6500 via the cPacket Networks cTap 10G passive probe to verify traffic flows were either MACsec encrypted or unencrypted. We found that there is no material difference in throughput performance, other than 802.1ae encryption key overhead, thanks to 16 additional bytes per packet. The cPacket passive probe also measured line rate throughput performance. This is a great short video that verifies how the old encryption performance penalty is now gone.

Download “A Comprehensive Testing of Cisco Systems Catalyst 6500 Sup2T” report here.

Visit the Link

Tweet

Many IT leaders are striving to understand who is on their network and what they are doing. These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them. And once IT leaders are able to obtain this information the question then becomes what else I can do with the data: obtain a history report, perform statistics for analysis and planning, generate compliance reports and much more. To tightly link business processes with networked applications, IT leaders need to wrap policy, identity and security around users and IT assets.

This is the essence of Cisco’s TrustSec; that TrustSec provides security services as its primary value proposition but the data and insight it generates assist IT business leaders with network design to meet future growth. Cisco’s TrustSec organizes and simplifies existing authentication and policy schema allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user’s role in the organization. TrustSec also provides encrypted links between end-points and servers. TrustSec is an architecture which builds upon existing network services embedded into network infrastructure, addressing not only security issues but delivering certain business services too.

A key pillar of strength for TrustSec is its ability to create a consistent and unified set of policies across the entire network. Its second pillar is the ability to identify users; from the moment a user accesses the network, everything about this user is known and it follows them wherever they go. TrustSec identity is embedded in the traffic that the user generates, which goes well beyond initial Network Access Control (NAC) and offers unique design capabilities that we’ll discuss below. The third pillar is security, which is reflected in a number of areas such as NAC, encryption, etc.

TrustSec is an architecture delivering network access control, policy, identity and encryption. Policy is the glue that ties business processes to network behavior and thus TrustSec has expanded its role in policy creation. TrustSec policy is segmented into three areas:

Authentication: The foundation of the technologies is authentication as it defines user identity. Authentication is how TrustSec understands users; who they are, what roles they have in the organization and what type of credentials they possess as well as confirmation of these attributes. TrustSec provides multiple authentication approaches, such as 802.1x, web authentication and MAC authentication bypass (MAB). All three approaches are implemented and supported on Cisco Catalyst or Cisco Nexus switches. Cisco uses the term “Flexible Authentication” to represent these three methods. What’s unique about Cisco’s TrustSec authentication approach is that it is providing all three methods together and they are completely adjustable. What this means is that IT administrators can configure these authenticating methods in any sequence of their choice, in one place, to host all authentication configurations, greatly simplifying the process of configuration and change management. There is yet another TrustSec authentication method, namely appliance-based network authentication provided by the Cisco NAC Appliance. This method expands beyond LAN switches to include wireless and remote access as well.

A powerful feature is that once authentication is configured on a centralized policy server all switches receive this data, easing deployment while providing consistency and scale. No more authentication configuration on a per switch basis but rather a consistent policy is realized. For IT leaders not ready to implement Catalyst or Nexus switch policy enforcement but who would rather use an appliance there is an in- and out-of-band NAC appliance approach to policy enforcement.

Authorization: Once a user has been authenticated and their organizational role confirmed then services could be designed specifically for them, implemented via control mechanisms. It’s common in the industry to typically assign a VLAN or ACL for the user depending upon a layer 2 or 3 construct. TrustSec supports both VLAN and ACL implementations. What’s unique about TrustSec is that it allows IT administrators to create a security group tag or SGT. SGT essentially allows every single packet to be tracked throughout the entire infrastructure so user control is not relegated to the initial network entry point that VLAN and ACLs dictate. SGT enables user control and support deep down in the interior of the network. For example, to strictly control access to a critical file server, an IT administrator can enable SGT to filter network egress to that server for only those allowed access. The control point is on the switch so that when traffic leaves the switch trying to reach the file server, authorized users via SGT are able to egress.

Value-Added Services: With user authentication and authorization configured along with control, IT administrators can now design specified user services that are linked to business processes. Services such as IP telephony integration and IP phone end-points that need to be authenticated and authorized but are non-user devices, meaning that they don’t possess an 802.1x supplicant and there is no human behind the device. TrustSec utilizes aspects of 802.1x to authenticate and authorize the IP phone’s user taking into account various scenarios such as when the IP phone is powered down or its behind a PC, etc. Other services are guest access, device profiling, device posture and link encryption via MACSec, an IEEE standard that specifies how encryption may be used to secure links within local area networks.

TrustSec’s MACSec implementation is supported on the Nexus switches and on the new Cisco Catalyst 3560-X and 3750-X series switches that connect desktops, WLAN access points and laptops. In short, with MACSec supported on Nexus 7000 and Catalyst 3560-X and 3750-X switches Cisco is working towards full native layer 2 encryption as the Nexus switches are located in the data center while the Catalyst 3000s are closet switches connecting desktops. This is a welcome development for high security environments such as government agencies, certain research and development laboratories and other environments that require a higher level of security.

TrustSec Innovations
Cisco is announcing a set of new TrustSec features and innovations such as Security Group Access Control List that allows IT administrators to control group access based upon MACSec key technology. Security group Tag Exchange Protocol (SXP) is useful for Catalyst switches that do not have the processing power to support SGT today. So Cisco developed SXP to insure Cisco customers can use their existing Catalyst switches to participate in the overall SGT implementation. Flexible Authentication is another innovation for scenarios when end-points do not have an 802.1x supplicant and require access to an 802.1x network. Flexible Authentication offers web authentication which is useful for printers, guest access, etc.

Open Mode offers additional options or modes to being simply denied network access, a dramatic event when it occurs. Cisco TrustSec designed multiple modes to ease this transition. For example, monitor mode is like an audit mode. IT is able to monitor all users and their traffic thus allowing IT to view network dynamics before turning on 802.1x.

In addition to monitor mode there is ‘low impact’ mode. In this case 802.1x authentication is engaged but allows certain types of traffic to pass onto the network even if authentication denies access. This is useful for DNS or maintenance related network traffic; for example, allowing this specific traffic to pass even if it didn’t pass authentication. There are configurable options for “low impact” mode. There is also a “high security” mode where only authenticated users/devices are granted access.

Value-Added Services:

There are tools to automate the process of adding value-added services such as device profiling which recognizes defined end-points such as a printer which is very handy when the printer is moved, replaced or a new one is added, thus saving IT operations configuration time. Automated device profiling tracks devices by monitoring these end-points as they boot up on the network. TrustSec identifies that the new device is a printer, and then loads the printer policy placing the printer in the right VLAN, ACL or SGT; then it updates the device database, saving IT a lot of effort.

Guest services are now integrated with the Cisco NAC appliance guest server, streamlining guest account creation and user notification. The integration of guest services into the NAC Appliance allows report creation; for example, history tracking. Guest services now works in both 802.1x and NAC environments offering IT choice, convenience and simplified operations, an industry first. Thus any worker with authorization can create a guest account, reducing dependence on IT or the helpdesk which often fielded guest access requests.

Posture assessment provides device compliance status, such as which version of Anti-Virus, spyware scan, network configuration assessment, etc., which is added to authentication services.

Cisco has enhanced end-to-end troubleshooting and monitoring capabilities into TrustSec for 802.1x environments. When an 802.1x end-point attempts to access the network a string of exchanges occur between that end-point and the network. There is a protocol exchange to obtain user information while the authenticator or network switch transfers the information to the authentication policy server. During this protocol exchange between the three entities there could be a number of reasons why things do not work. Typically when things went wrong there was limited information available to IT administrators to troubleshoot and resolve the issue. To fix this problem TrustSec collects user supplicant information from the network, the policy server and switch as a log message, which is passed through certain algorithms or scripts to isolate the problem. This increased visibility enables quick problem identification and resolution, pin pointing the trouble to the switch configuration, supplicant issue or determining whether it’s simply a wrong password. These scripts are not only useful with troubleshooting, but also compliance as collected information can generate reports. These scripts are available in Cisco’s ACS 5.1 policy server.

Implementing TrustSec

There are currently two TrustSec deployment scenarios: 1) 802.1x and 2) Appliance based. In 802.1x environments ACS server is the policy server with Catalyst and Nexus switches providing enforcement with Radius as the control plane. In the appliance-based approach Catalyst switches provide enforcement, NAC Manager is the policy server while SNMP is the control plane. The appliance-based approach does not support SGT but it provides posture assessment which 802.1x does not.

TrustSec features and attributes are implemented across many Cisco products such as the Cisco Catalyst and Nexus switches providing policy enforcement and encryption services. Policy is defined in the Cisco ACS (Access Control System) while its key authentication and authorization are implemented in the NAC Manager, Server, Profiler and Guest Server. There are two TrustSec end-point clients, those being Cisco’s or any 802.1x supplicant and its NAC client. It’s not a stretch to see that Cisco will consolidate the end-point clients and policy components over time to minimize the number of appliances needed to fully utilize TrustSec. ACS already works with the NAC Profiler and Guest Server plus directory services such as active directory or LDAP. Knowing Cisco the NAC manager may also hold all this functionality for those who choose to deploy TrustSec in an appliance form factor. Over time these two TrustSec approaches will consolidate to one, allowing 802.1x and NAC users and devices connect to the network with one policy server, and either switch or appliance enforcement method leaving choice to IT departments. The end-point clients would fit nicely into Cisco’s AnyConnect client offering both LAN and remote security services in one client.

TrustSec has expanded to include 802.1x and NAC environments offering customer choice to either proceed with one approach or a combination of the two. TrustSec’s attributes are based on policy, identity and security. Over time we expect that many of the TrustSec attributes will be integrated into the network allowing its services to be ubiquitous throughout the corporate network fabric, significantly adding to corporate security architecture.

To make TrustSec truly successful Cisco should add more support for mobile and remote access end-points in addition to LAN-based end-points to the architecture. In addition video end-points will require TrustSec services too and will have to be supported. There are slight tradeoffs between 802.1x and NAC clients such as posture assessment and SGT support. These two client features should blend over time and converge into one to simplify TrustSec client software.

Tweet

By Cisco Systems

The traditional network and physical perimeter is no longer the only borderline to defend information security. Collaboration, IT consumerization, mobility, and new computing technologies are driving productivity gains while presenting renewed security requirements. There is greater pressure on IT to meet the demands of a dynamic workforce, both in terms of service delivery and security challenges. New solutions are needed to protect borderless networks and to help further improve business efficiencies in the mean time. Cisco® TrustSec is such a solution.

To find out how to protect your network with TrustSec download this white paper now

Get the White Paper

Tweet

Cisco’s TrustSec is architecture with its implementation spread across client software, infrastructure (Catalyst & Nexus) and policy (Access Control System and NAC appliance). Cisco has expanded TrustSec to incorporate 802.1x clients allowing IT leaders to mix and match NAC and 802.1x endpoints. TrustSec organizes and simplifies authentication and policy schema allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user roles in the organization. TrustSec also provides encrypted links at the switch port level. Steven Song Security Business Manager in the Network Systems & Security group at Cisco Systems joins me to discuss TrustSec and how Cisco is expanding its services and importance for IT business leaders.

Listen to the Podcast