Trustsec: Overview of Trustsec and Terminology

This is going to be the start of a small series on Trustsec. We’re going to go over some of the common terminology and components of Trustsec and give an overview of why we would use SGTs.

Notes from the video:

  • What is Cisco Trustsec?

    • Short answer: Initially defined as as architecture comprising of several components but most of the time, people thing of Security Group Tags (SGTs) when they think of Trustsec

    • Long Answer: Several components including -

      • Centralized policy management, distributed policy enforcement and microsegmentation using Security Group Tags (SGTs)

      • Confidentiality and integrity using encryption based on IEEE 802.1AE (AES-GCM 128-bit)

        • Wire-rate hop-by-hop layer 2 encryption

        • Key management is based on 802.1n

      • Authenticated networking environment

        • Endpoints are authenticated via 802.1x, Easyconnect, MAB, WebAuth, etc

        • Network devices are authenticated and admitted into the Trustsec environment via 802.1x which creates a trusted networking environment

  • Terminology:

    • Security Group - Used for grouping users, endpoints, and resources that should have a similar access control policy

    • Security Group Tag (SGT) - Unique security group number that’s assigned to the security group

    • Trustsec-Capable Device - Network access device that’s capable hardware- and software-wise of understanding security group tags

    • Trustsec Seed Device - Network access device that authenticates directly against ISE and acts as both the authenticator and supplicant for other network access devices

    • Network Device Admission Control (NDAC) - In a Trustsec cloud, network devices are verified with credentials by the peer device:

      • 802.1x

      • EAP-FAST

      • Upon authentication and authorization, network devices negotiate for IEEE 802.1AE encryption

    • Protected Access Credential (PAC) - Unique shared credential used to mutually authenticate client and server

    • Endpoint Authentication Control - Devices authenticated to the Trustsec cloud via 802.1x, Easyconnect, MAB, Webauth, etc

    • Security Group Access Control List (SGACL) - Used for access and permissions based on SGTs, not IP addresses or subnets. Simplifies the security policy.

    • Security Exchange Protocol (SXP) - A service that’s used to propagate IP-to-SGT bindings across network devices that don’t support SGTs. Think of it like BGP propagating routes across a provider’s MPLS.

    • Environment Data Download - Download from ISE to the Network Access Device when it joins the trusted network. When it does this, it downloads the following:

      • ISE RADIUS server list it can use for future RADIUS authentications and authorizations

      • Device SGT - SGT for the network access device itself

      • Expiry Timeout - How often the network access device should download or refresh the environment data

    • Identity to port mapping - Switch defining the identity on a port and using this identity to look up a particular SGT value from ISE