Posted: 08-Jan-2017 | Category: Technology | Uploaded by: robb-boyd | Views: 272 | Downloads: 8
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Simplifying Network Security with TrustSec
Kevin Regan, August 17, 2016
Possible reasons for watching today?
• Reduce IT burden
• Take more control of the environment
• Deal with a dynamic threat landscape
• Pace of technological change
• Reduce error-prone admin
• Manage complexity
• Reduce OpEx
• More consistent security policy
• Reduced time to implement changes
• Deal with security challenges
To implement policy for things like:
• Acquisitions and partnerships
• Cloud
• Internet of Things
• Digitization
• BYOD
• Global operations
• Mobility
…Or Because Segmentation is Important
“Eataly’s network segmentation prevented a POS compromise at one store from compromising systems at the chain’s 26 other locations across the globe”
“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”
“Effective network segmentation… reduces the extent to which an adversary can move across the network”
Classification Based on Context
With poor context awareness the network only knows “any user, any device using this IP”; with rich context awareness ISE performs role-based group assignment and the result is:
| Attribute | Poor context awareness (IP Address 192.168.1.51) | Rich context awareness (ISE, role-based group assignment) |
| Who | Unknown | Bob (Employee) |
| What | Unknown | Tablet |
| When | Unknown | 11:00 AM EST on April 10th |
| Where | Unknown | Building 200, 2nd floor |
| How | Unknown | Wireless |
| Compliance | Unknown | Yes |
| Threat | Unknown | Monitored by IPS, anomaly detection |
Traditional Segmentation - ACL and VLAN Complexity
IP-based security policy tied to network topology results in:
• Manual, time-consuming security and maintenance
• Policy inconsistencies across devices and networks
• Complicated access management
• More policies using more VLANs
[Diagram: Enterprise Network connecting the Internet, Financial Servers, Employee Info and Development Servers; each of Locations 1, 2 and 3 carries its own Guest, Employee, Developer and Non-Compliant VLANs]
TrustSec simplifies security management
Scalable and agile segmentation technology in over 40 different Cisco product families, enabling dynamic, role-based policy enforcement anywhere on your network
• Simplified Access Management: manage policies using plain language and maintain compliance by regulating access based on business role
• Rapid Security Administration (accelerated security options): speed up adds, moves and changes, simplifying firewall administration to speed up server onboarding
• Consistent Policy Anywhere: control all network segments centrally, regardless of whether devices are wired, wireless or on VPN
[Diagram: Guest, Employee, Developer and Non-Compliant endpoints across the Enterprise Network reaching Employee Info, Developer Server, Financial Server and HTTP resources; SGACLs express the policy as Deny Employee to Financial Server, Permit Developer to Developer Server, Permit Guest to Web. Key: Employee Tag, Developer Tag, Voice Tag, Non-Compliant Tag, Employee Info Tag, Developer Server Tag, Financial Server Tag, HTTP Tag]
TrustSec Concepts
• Classification of systems/users based on context (user role, device, location etc.)
• Context (role) expressed as Security Group Tag (SGT)
• Firewalls, routers and switches use SGT to make filtering decisions
• Classify once – reuse SGT multiple times anywhere on network, or….
[Diagram: ISE with Directory classifies Users and Devices over RADIUS (SGT:5); the SGT is propagated across Switch, Router, DC FW and DC Switch; enforcement in the data center protects Dev Servers and Prod Servers (Prod Servers SGT = 4, the other server group SGT = 10)]
TrustSec – Simple Starting Points
• Distribute SGT information directly from ISE to specific devices
• Minimal config effort
[Diagram: as before, ISE with Directory classifies Users and Devices over RADIUS (SGT:5); SGT information is distributed directly from ISE to the DC FW and DC Switch for enforcement in front of HR Servers and Fin Servers (Fin Servers SGT = 4, the other server group SGT = 10)]
TrustSec Functions to Enable
• Classification (at the endpoint): endpoint identification, static classification and dynamic classification assign Security Group Tags
• Propagation: inline tagging in the data plane (many options) or a control plane (SXP or pxGrid)
• Enforcement: enforcement and threat defense on switch, router and firewall
• Central management: group tag management and group policy management
Result: an SGT-enabled network providing software-defined segmentation in a heterogeneous environment
Security Group Tag Management
Use security groups to denote common roles & policy requirements
• Business-based groupings to provide consistent policy and access independent of network topology
• Leverage attributes such as location and device type to define group assignments
[Diagram: SGT_Guest (Guest 1–4), SGT_Employee (Employee 1–4), SGT_BuildingManagement (Temperature Device 1–2 reading 50°, Surveillance Device 1–2), SGT_FinanceServer (Fin 1–2), SGT_Printers (Printer 1–2)]
Security Group Management in ISE
Getting Group Info to Network Devices
• Network devices need to be defined in ISE to get group information downloads:
  • At periodic intervals
  • On demand from ISE “Push”
• The Device ID and password here need to match the ‘cts credential id’ in the network device
Groups in Network Devices
• Group information appears in network devices as “Environment Data”
• ISE is the single source of truth for Group information
IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
  0001-22 :
    7-98 : 80 -> Network_Admin_User
    6-98 : 80 -> Full_Access
    5-98 : 80 -> Production
    4-98 : 80 -> Dev
    3-98 : 80 -> BYOD
    2-98 : 80 -> Device_SGT
    unicast-unknown-98 : 80 -> Unknown
    Any : 80 -> ANY
Flexible Classification Methods
Dynamic mechanisms (ideal for users and mobile devices; classify user endpoints):
• 802.1X, WebAuth
• MAB, Profiling
• Passive ID (Easy Connect)
• pxGrid & REST APIs
• VPN
Static mechanisms (internal IT infrastructure and topology-based policy for internal resources; external partners and 3rd party connections):
• IP Address
• VLANs, Subnets
• L3 Interface, Port
• V. Port Profile, Virtual Systems
• ACI (App-Centric)
[Diagram: each mechanism, static or dynamic, results in one of SGT #1–#4 being assigned to user endpoints, internal resources or partner & external connections]
Assigning SGTs to Users: ISE Authorization Rules
Assigning SGTs to Extranet Connections
• Complex supply chain – many third party connections
• Many groups need access to specific production areas
• L3 interface maps allow supplier networks to change without impact
[Diagram: Business Partners and Suppliers connect into the Press & Weld, Paint Shop and Assembly Shop areas; routes learned from suppliers have SGTs applied to them by L3 interface, while SGTs are applied to internal subnets]
Managing Static Classifications in ISE
• Mappings pushed to device configurations using SSH
• Mappings propagated over SXP from ISE to SXP devices (see next section)
Policy Enforcement – Security Group ACL (SGACL)
[Diagram: an end user is authenticated as Employee: SGT 5 and sends a packet with SRC: 10.1.10.100, DST: 10.1.100.100, SGT: 5. At the egress switch a FIB lookup of the destination MAC/port yields the destination classification: App_Svr 10.1.100.100 = SGT 20, DB_Svr 10.1.101.100 = SGT 30. The source/destination pair selects the cell of the policy matrix, whose rows are the sources Employees (5), BYOD (10), Unknown (0) and whose columns are the destinations App_Servers (20), DB_Servers (30)]
Egress Policy Matrix (SGACL)
Example SGACL contents for one cell of the matrix:
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
Dynamic SGACL Downloads
• New User/Device/Server provisioned
• Switches request policies for the assets they protect
• Policies downloaded & applied dynamically
[Diagram: access switches serving SGT=3, SGT=4 and SGT=5 endpoints and data center switches in front of Dev_Servers (Dev_Server SGT=10) and Prod_Servers (Prod_Server SGT=7); switches request policies for the assets they protect and pull down only the policies they need]
• Result: Software-Defined Segmentation
• All controls centrally managed
• Security policies de-coupled from network topology
• No switch-specific security configs needed
• One place to audit network-wide policies
Policy Enforcement in Firewalls: ASA
• Can still use a Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT
• Security Group definitions come from ISE
• Trigger FirePower services by SGT matches
Converting Firewalls to Use SGT-based rules
Real ASA Configuration
• Before conversion: 99,000 lines
• Converts to:
  • IP-SGT mapping file: 3,897 lines
  • ACL_INSIDE file: 10,493 lines
  • ACL_OUTSIDE file: 4,954 lines
  • Total 19,344 lines – 80% reduction in rule table size
[Chart: rule table size using IP rules vs. using SGT-based rules, axis 0–120,000 lines]
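To make the rule-table reduction on this slide concrete, here is an added example (not Cisco's conversion tooling and not the deck's ASA configuration) that rewrites host-to-host ACL lines against an IP-SGT mapping and de-duplicates the result. The mapping, group names, sample rules and the rendered `security-group name` output form are constructed assumptions; the general mechanism it shows (longest-prefix binding lookup, then collapsing every rule with the same group pair, protocol and port onto one line) goes beyond the single before/after figure quoted above.

```python
# Added example (not Cisco's conversion tooling or the deck's ASA config):
# a model of why an IP-based rule base shrinks when host-to-host ACL lines
# are rewritten against an IP-SGT mapping. Addresses, group names and rules
# are constructed; the output is an illustrative rendering of the ASA
# 'security-group name' keyword, not a guaranteed match for any ASA release.
import ipaddress
import re
from collections import OrderedDict

# Constructed IP-to-SGT mapping, as an SXP binding table or the slide's
# "IP-SGT mapping file" would supply it (longest prefix wins).
IP_SGT_BINDINGS = {
    "10.1.10.0/24": "Employees",
    "10.1.20.0/24": "BYOD",
    "10.1.100.0/24": "App_Servers",
    "10.1.101.0/24": "DB_Servers",
}

# Only the host-to-host 'extended' form is handled; anything else is
# rejected rather than silently mistranslated.
RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?$"
)


def lookup_sgt(ip):
    """Return the group bound to the longest matching prefix, or 'Unknown'
    (SGT 0 on the policy-matrix slide) when the address has no binding."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, name in IP_SGT_BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else "Unknown"


def convert_rules(ip_rules):
    """Rewrite host-to-host lines as group-to-group lines.

    Lines that collapse onto the same (acl, action, proto, src group,
    dst group, port) tuple are emitted once, in first-seen order; that
    de-duplication is where the rule-table reduction comes from."""
    seen = OrderedDict()
    for line in ip_rules:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        key = (m["acl"], m["action"], m["proto"],
               lookup_sgt(m["src"]), lookup_sgt(m["dst"]), m["port"])
        seen.setdefault(key, None)
    out = []
    for acl, action, proto, sg_src, sg_dst, port in seen:
        line = (f"access-list {acl} extended {action} {proto} "
                f"security-group name {sg_src} any "
                f"security-group name {sg_dst} any")
        if port:
            line += f" eq {port}"
        out.append(line)
    return out


def reduction_percent(before, after):
    """Percentage of rule lines removed by the conversion."""
    return round(100.0 * (len(before) - len(after)) / len(before))


# Constructed sample rule base: three employee hosts to two app servers,
# two BYOD hosts denied to the database server, and one unmapped host.
SAMPLE_IP_RULES = [
    f"access-list ACL_INSIDE extended permit tcp host 10.1.10.{h} host 10.1.100.{s} eq 443"
    for h in (5, 6, 7) for s in (100, 101)
] + [
    f"access-list ACL_INSIDE extended deny tcp host 10.1.20.{h} host 10.1.101.100 eq 1433"
    for h in (7, 8)
] + [
    "access-list ACL_INSIDE extended permit tcp host 192.168.1.51 host 10.1.100.100 eq www",
]

if __name__ == "__main__":
    sgt_rules = convert_rules(SAMPLE_IP_RULES)
    print("\n".join(sgt_rules))
    print(f"{len(SAMPLE_IP_RULES)} IP rules -> {len(sgt_rules)} SGT rules "
          f"({reduction_percent(SAMPLE_IP_RULES, sgt_rules)}% reduction)")
```

The nine constructed IP rules collapse to three SGT-based rules. Note what the unmapped host `192.168.1.51` does: it lands in `Unknown`, so the converted rule grants `Unknown` access to `App_Servers`, which is broader than the original host rule. A real conversion has to surface such rows for review rather than emit them silently.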
Carrying Security Group Tags in the data plane
Inline Tagging
interface GigabitEthernet1/5
 mtu 9216
 cts manual
  policy static sgt 2 trusted
• Enable hop-by-hop with the ‘cts manual’ interface command
• Supported on: Cat. 3560X, 3750X, 3x50; Cat 4500, 6x00 Sup2T; Nexus 7/6/5/1000V; IE 4000/5000; ISR G2, ISR4k, ASR1000; ASA
• The ‘trusted’ option means trust tag values from the peer
[Diagram: ISE, campus and Branches; links marked as Inline tagging or Untagged]
Control Plane SGT Propagation
SXP
• Propagate from ISE or access-layer devices to any enforcement point
pxGrid
• Security appliances subscribe to pxGrid topics
• IP-SGT bindings are then published by ISE
[Diagram: ISE generates IP-SGT mappings and sends them to SXP & pxGrid peers. SXP IP-SGT Bindings table: IP Address 10.1.100.98, SGT 50, SRC Local. SXP peers: Router 1, Router 2, Switch 1, any network device ISE supports; pxGrid subscribers: Firepower NGFW, WSA (www), ecosystem vendor products]
ISE SXP Configuration
• Generate IP-SGT from ISE: RADIUS-based classifications will create IP-SGT mappings and send them to SXP peers
• IP-SGT can be generated with a 3rd party access layer
[Diagram: RADIUS into ISE; SXP from ISE to Routers, Firewall and Switches]
pxGrid Configuration
• ISE “Session” info. available via pxGrid
• pxGrid clients can subscribe to the ‘TrustSec topic’ for SGT bindings
• Bindings received over SXP can also be published via pxGrid
[Diagram: RADIUS into ISE; pxGrid from ISE to Firepower Threat Defense, CheckPoint, Web Security Appliance (www) and any pxGrid ecosystem vendor, e.g. Infoblox]
SXP Domains in ISE (2.1)
• IP-SGT mappings to SXP peers are shared within SXP Domain 1
• IP-SGT mappings are shared within SXP Domain 2
• SGT carried in the data plane (inline tagging) removes the need to exchange IP-SGT mappings between SXP domains
[Diagram: ISE SXP IP-SGT Binding Table: IP Address 10.1.100.98, SGT 50, SRC Local; inline tagging links the two SXP domains]
TrustSec Functions and Platform Support
[Table of platforms by function (Classification, Propagation, Enforcement); the per-platform SXP / inline SGT / SGACL / SGFW markers of the original table are not recoverable from the extracted text, so the platform lists are reproduced per column]
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; IE2000/3000, CGS2000; ASA5500 (VPN RAS)
Propagation (SXP and/or inline SGT): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA. Inline SGT on all ISRG2 except the 800 series; GETVPN, DMVPN, IPsec
Enforcement (SGACL / SGFW): Catalyst 3560-CX (IA only); Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500-X; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Catalyst 3850/3650; WLC 5760; Nexus 7000/7700; Nexus 6000, 5500, 5600; Nexus 1000v; ISR G2 Router, CGR2000; ISR 4000; ASR 1000 Router; CSR-1000v Router; ASA 5500 Firewall; ASAv Firewall; Web Security Appliance
www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Most Common Deployment Scenarios
• User to Data Center Access Control
• Campus and Branch Segmentation
• Data Center Segmentation
User to Data Center Access Control
TrustSec supports:
• Enterprise-wide, role-based access control
• Automated BYOD access control
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
Policy in action:
[Diagram: Main Building Data VLAN and Building 3 WLAN Data VLAN carry Employee, Developer, Guest, Non-Compliant and Voice endpoints through switches and a router, with ISE, to a TrustSec-enabled data center, Remediation and the Internet. Key: Employee Tag, Developer Tag, Guest Tag, Non-Compliant Tag. The policy matrix shows permit (✓) or deny (X) per source role and destination]
[Diagram residue belonging to the next slide: TrustSec Policy Domain with Prod server and Dev server; ACI policy domain (ACI Data Center, APIC DC) with Dev server and Prod server]
Enabling TrustSec-ACI Integration
• Sharing Groups between TrustSec and ACI domains with ISE 2.1
• Allow TrustSec security groups to be used in ACI policies
• Allow ACI EndPoint Groups to be used in policies in the TrustSec domain
[Diagram: TrustSec Policy Domain (Campus / Branch / Non-ACI DC) with Voice VLAN and Data VLAN carrying Voice, Employee, Supplier and BYOD groups; ACI Policy Domain (Data Center, APIC) with Web, App and DB groups on the ACI Fabric]
Configuring TrustSec-ACI Integration
TrustSec Groups Shared with ACI
ACI Groups Shared with TrustSec Domain
Campus and Branch Segmentation
TrustSec supports:
• Role-based segmentation across multiple locations
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
• Restriction of lateral threat movement
Policy in action:
[Diagram: Main Building Data VLAN, Building 3 WLAN Data VLAN and Branch 3 WLAN Data VLAN carry Employee, Developer, Building Mgmt, Non-Compliant and Voice endpoints through switches and a router to the HQ Data Center and the Internet. Key: Employee Tag, Developer Tag, Building Mgmt Tag, Non-Compliant Tag. The policy matrix (sources Employee, Developer, Building Mgmt, Non-Compliant; destinations Employee, Developer, Data center, Internet) shows permit (✓) or deny (X) per cell]
Campus and Branch Segmentation – Enforcement
[Diagram: Wired Access, Wireless Access, Distribution, Core]
SGACL segmentation available on:
• Catalyst 3560-X, 3750-X
• Catalyst 3650, 3850
• Catalyst 4500E S7E, S8, 4500X
• Catalyst 6500(2T)/6800
• WLC 5760
• Cat 3560CX
• IE 4000, IE 5000
• Nexus 7000
• Extending to latest ISR4k and ASR
Wireless User – User Policy Enforcement
• Apply user-user policies as defined in ISE on traffic from the WLC
interface Vlan2
 ip local-proxy-arp
 ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2
[Diagram: WLAN Controller on Vlan 2 behind a 6500; ISE supplies bindings over SXP; user-to-user traffic is permitted or denied on the 6500]
Breaches & Lateral Movement
[Diagram: Attacker outside the enterprise network, Perimeter (Inbound) and Perimeter (Outbound), C2 Server, victim, Admin Node]
1. Research targets (SNS)
2. Spear phishing ([email protected]) with the link http://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit & find privileged users
6. Privileged account found (Admin Node)
7. Data exfiltrated
8. System compromised and data breached
Lateral Movement (Scanning, Pivoting, Privilege Escalation, Brute Force, etc.)
Blocking Lateral Movement
[Diagram: Employee and Non-Compliant endpoints on the same access layer; Employee-to-Employee traffic is subject to the SGACL]
Block Lateral Movement SGACL:
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn
• SGT dynamically assigned or statically mapped to a VLAN
• SGACL applied statically via CLI or dynamically downloaded from ISE
• Lateral Movement and Privilege Escalation Blocked
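As an added example (not Cisco IOS code), the following Python models the egress enforcement path from the SGACL policy-matrix slide earlier in the deck, using the Block Lateral Movement SGACL quoted above as the Employee-to-Employee cell: the source SGT arrives with the packet, the destination SGT is resolved from an IP-SGT binding, the cell selects the SGACL and its ACEs are matched in order, including the `match-all` / `match-any` TCP flag conditions. The destination bindings, the Employees-to-App_Servers cell, the sample packets, the matrix default policy (`permit ip`) and the implicit action when no ACE matches (`deny`) are constructed assumptions and are passed in explicitly so they can be changed to match a deployment.

```python
# Added example, not Cisco IOS code: egress SGACL enforcement as the policy-
# matrix slide describes it, using the Block Lateral Movement SGACL above as
# the Employee-to-Employee cell. Bindings, the Employees->App_Servers cell,
# the packets, the matrix default and the implicit action are constructed.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

BLOCK_LATERAL_MOVEMENT = """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn
"""
# Constructed cell for Employees (5) -> App_Servers (20).
EMPLOYEES_TO_APP_SERVERS = "deny tcp src dst eq 3389\ndeny tcp src dst eq 22\npermit ip"
# Policy matrix keyed by (source SGT, destination SGT).
MATRIX = {(5, 5): BLOCK_LATERAL_MOVEMENT, (5, 20): EMPLOYEES_TO_APP_SERVERS}
# Destination IP-SGT bindings resolved by the egress switch's FIB lookup
# (constructed: the slide's App_Svr and DB_Svr addresses plus one employee).
DST_BINDINGS = {"10.1.100.100": 20, "10.1.101.100": 30, "10.1.10.200": 5}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_sgacl(text):
    """Parse one ACE per line: '<permit|deny> <ip|icmp|tcp|udp> [src [eq P]]
    [dst [eq P]] [match-all|match-any (+|-)flag ...]'."""
    aces = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if len(toks) < 2 or toks[0] not in ("permit", "deny"):
            raise ValueError("bad ACE: " + raw)
        ace = {"action": toks[0], "proto": toks[1], "src_port": None,
               "dst_port": None, "flag_mode": None, "flags": [], "text": raw}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in ("src", "dst"):
                if i + 2 < len(toks) and toks[i + 1] == "eq":
                    ace[t + "_port"] = _port(toks[i + 2])
                    i += 3
                else:
                    i += 1  # bare 'src'/'dst' means any port
            elif t in ("match-all", "match-any"):
                ace["flag_mode"] = t
                i += 1
                while i < len(toks) and toks[i][0] in "+-":
                    ace["flags"].append((toks[i][0] == "+", toks[i][1:]))
                    i += 1
            else:
                raise ValueError("unsupported token %r in %r" % (t, raw))
        aces.append(ace)
    return aces


def _flags_match(ace, flags):
    """+flag requires the flag set, -flag requires it clear."""
    if ace["flag_mode"] is None:
        return True
    checks = [(name in flags) == want for want, name in ace["flags"]]
    return all(checks) if ace["flag_mode"] == "match-all" else any(checks)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        want = ace[side + "_port"]
        if want is not None and pkt.get(side + "_port") != want:
            return False
    return _flags_match(ace, pkt.get("flags", set()))


def enforce(pkt, matrix=MATRIX, dst_bindings=DST_BINDINGS,
            default_policy="permit ip", implicit="deny"):
    """Source SGT arrives with the packet; destination SGT comes from the
    binding (0 = Unknown when absent); the cell's SGACL is walked in order.
    Returns (action, text of the matching ACE or the implicit action)."""
    dst_sgt = dst_bindings.get(pkt["dst_ip"], 0)
    cell = matrix.get((pkt["src_sgt"], dst_sgt), default_policy)
    for ace in parse_sgacl(cell):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return implicit, "implicit %s at end of SGACL" % implicit


def packet(proto, dst_ip, dst_port=None, flags=(), src_sgt=5):
    """Constructed packet from an authenticated Employee (SGT 5) by default."""
    return {"proto": proto, "src_sgt": src_sgt, "dst_ip": dst_ip,
            "dst_port": dst_port, "flags": set(flags)}
```

Walking a few constructed packets through `enforce` shows what the SGACL above actually does for Employee-to-Employee traffic: a SYN to TCP/445 is denied by the port rule, a FIN-only probe to an unlisted port is denied by the `match-all -ack +fin ...` ACE, while an ACK-only segment to the same port is permitted by the final `match-any +ack +syn` line, and UDP to an unlisted port falls through to the implicit action. Traffic to an address with no binding resolves to SGT 0 (Unknown) and, with no cell defined, gets the matrix default.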
Acting on Potentially Compromised Hosts
Quarantine is based on the MAC Address, preventing the compromised device from accessing from other locations / access methods
[Diagram: Compromised Endpoint 10.10.10.10 (aa:bb:cc:dd:ee:ff) on the Corp Network via a WLAN Controller; Policy Server; FW in front of Business Data App / Storage]
Firewall Rules:
| Source IP | Source SGT | Destination IP | Destination SGT | Service | Action |
| Any | Employee | Any | Biz Server | HTTPS | Allow |
| Any | Suspicious | Any | Biz Server | Any | Deny |
Event flow:
• NIDS SIM Event: Reconnaissance, Source IP: 10.10.10.10/32, Response: Quarantine
• pxGrid: EPS Quarantine: 10.10.10.10
• WLAN Controller session – OS Type: Windows 8, User: Fay, AD Group: Employee, Asset Registration: Yes, MAC Address: aa:bb:cc:dd:ee:ff, Policy Mapping SGT: Suspicious
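The quarantine flow above is worth seeing end to end, so here is an added example (not Cisco ISE, pxGrid or ASA code) that models it: an EPS quarantine request names an IP address, the policy server resolves it to the session's MAC address, and every current or later session of that MAC is re-tagged `Suspicious`, so the SGT-based firewall rules from the slide deny it even when the device reconnects from another address or access method. The session store, the server binding, the second address Fay reconnects from and the implicit deny at the end of the rule table are constructed assumptions.

```python
# Added example (not Cisco ISE, pxGrid or ASA code): quarantine keyed by MAC
# address, as the slide describes, evaluated against its SGT-based firewall
# rules. Sessions, addresses, the server binding and the implicit deny at the
# end of the rule table are constructed.
from dataclasses import dataclass

# Firewall rules from the slide: the Allow applies only while the source
# still carries the Employee tag.
FIREWALL_RULES = [
    {"src_ip": "Any", "src_sgt": "Employee", "dst_ip": "Any",
     "dst_sgt": "Biz Server", "service": "HTTPS", "action": "Allow"},
    {"src_ip": "Any", "src_sgt": "Suspicious", "dst_ip": "Any",
     "dst_sgt": "Biz Server", "service": "Any", "action": "Deny"},
]

# Static binding for the Business Data App (constructed address).
SERVER_BINDINGS = {"10.20.0.5": "Biz Server"}


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    ad_group: str
    sgt: str  # SGT name assigned by policy mapping


class PolicyServer:
    """Stand-in for the session store: sessions keyed by IP plus the set of
    quarantined MAC addresses consulted at every authorization."""

    def __init__(self):
        self.sessions = {}
        self.quarantined_macs = set()

    def authorize(self, ip, mac, user, ad_group):
        """Authorize a new session; a quarantined MAC is tagged Suspicious
        regardless of the AD group that would normally map to its SGT."""
        sgt = "Suspicious" if mac in self.quarantined_macs else ad_group
        session = Session(ip, mac, user, ad_group, sgt)
        self.sessions[ip] = session
        return session

    def quarantine_ip(self, ip):
        """Handle 'EPS Quarantine: <ip>': resolve the IP to its MAC, remember
        the MAC and re-tag every live session of that MAC. Returns the MAC,
        or None when no session is known for the IP."""
        session = self.sessions.get(ip)
        if session is None:
            return None
        self.quarantined_macs.add(session.mac)
        for other in self.sessions.values():
            if other.mac == session.mac:
                other.sgt = "Suspicious"
        return session.mac

    def bindings(self):
        """IP-SGT bindings as published to the firewall."""
        return {ip: s.sgt for ip, s in self.sessions.items()}


def _match(pattern, value):
    return pattern == "Any" or pattern == value


def evaluate_flow(policy_server, src_ip, dst_ip, service, rules=FIREWALL_RULES):
    """First-match evaluation of the SGT-aware rule table; unmatched flows
    fall to an implicit Deny (an assumption of this model)."""
    bindings = {**SERVER_BINDINGS, **policy_server.bindings()}
    src_sgt = bindings.get(src_ip, "Unknown")
    dst_sgt = bindings.get(dst_ip, "Unknown")
    for r in rules:
        if (_match(r["src_ip"], src_ip) and _match(r["src_sgt"], src_sgt)
                and _match(r["dst_ip"], dst_ip) and _match(r["dst_sgt"], dst_sgt)
                and _match(r["service"], service)):
            return r["action"]
    return "Deny"


def walkthrough():
    """The slide's sequence: Fay's device is an Employee, the NIDS event
    quarantines 10.10.10.10, and a later reconnection via another access
    method (new IP, same MAC) is still denied. Returns the three decisions."""
    ps = PolicyServer()
    ps.authorize("10.10.10.10", "aa:bb:cc:dd:ee:ff", "Fay", "Employee")
    before = evaluate_flow(ps, "10.10.10.10", "10.20.0.5", "HTTPS")
    ps.quarantine_ip("10.10.10.10")
    after = evaluate_flow(ps, "10.10.10.10", "10.20.0.5", "HTTPS")
    ps.authorize("10.30.0.77", "aa:bb:cc:dd:ee:ff", "Fay", "Employee")  # e.g. VPN
    elsewhere = evaluate_flow(ps, "10.30.0.77", "10.20.0.5", "HTTPS")
    return before, after, elsewhere


if __name__ == "__main__":
    print(walkthrough())  # ('Allow', 'Deny', 'Deny')
```

The point of keying the quarantine on the MAC rather than the IP is visible in the third decision: the new session from `10.30.0.77` never receives the Employee tag, so the firewall needs no knowledge of the new address. Note that the quarantine request itself arrives with an IP (`EPS Quarantine: 10.10.10.10`), so a stale or reused address would quarantine the wrong device; the session lookup that resolves IP to MAC is the step to audit.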
Data Center Segmentation
TrustSec supports:
• Firewall rule simplification
• Data center regulatory and compliance requirements such as PCI and HIPAA
• Server zoning
• Micro-segmentation
• Physical and virtual workload segmentation
Policy in action:
[Diagram: a switch in front of Web Servers, Middleware Servers, Database Servers and Storage; the policy matrix (sources and destinations Web Servers, Middleware Servers, Database Servers, Storage) shows permit (✓) or deny (X) per cell]
Summary
• TrustSec is easy to enable and manage
• Can start with specific use-cases with minimal platform dependencies
• Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix
• TrustSec can provide right now:
  • More effective segmentation – centrally managed
  • Reduced management effort compared to VLAN/dACL efforts and admin
  • Topology-independent security policies - policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
  • Firewall rule simplification and OpEx reduction
  • Faster and easier deployment of new services – cuts the cost of change
Forrester: The Total Economic Impact of Cisco TrustSec
“Cisco TrustSec enabled the organizations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime.”
For More Information
• For everything TrustSec-related: http://www.cisco.com/go/trustsec
• TrustSec platform support matrix: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
• Case studies: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/customer-case-study-listing.html
• Cisco IT Use of TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/i-en-02292016-Policies-to-Control-User-Access.pdf
• Gartner webcast on Software-Defined Segmentation and TrustSec: http://event.on24.com/r.htm?e=1124906&s=1&k=14EEFF1DFC42C2BE06E07DA934E47C45
• PCI Scope Reduction with Cisco TrustSec – QSA (Verizon) Validation: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
For More Information – Part 2
• For our latest system bulletin covering the validation testing that we do, please refer to: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-system-bulletin.pdf
• TrustSec DC Config Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf
• Campus and Branch Segmentation Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf
• Securing BYOD and using VPN with TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/white-paper-c11-732290.html
Thank you for watching.