Cisco TrustSec is an effective and open software-defined segmentation technology that simplifies access control. With TrustSec, controls are defined using endpoint rolls, not IP addresses. Essentially, its human-friendly logical groups are more flexible, and much easier to manage than IP address-based controls.
TrustSec makes it easy to configure new groups or users without disrupting current groups. By simplifying adding a column to the TrustSec Policy Matrix within Cisco Identify Services Engine, for ISE, you can define the selected group and adds it to your policy in minutes. Meanwhile, another serious issue crops up.
With Cisco TrustSec, your network has already restricted the lateral movement of the threat. TrustSec enabled devices like firewalls, IPS, and ISE, work together to isolate the infected system itself. The security centers in your network will be continuously scanning for suspicious activity and when a threat is detected, the admins will be notified at once.
At the same time, ISE changes the group membership of the suspicious device and automatically quarantines it. It all adds up to faster security and more efficient IT for your company.
Cisco TrustSec builds security and intelligence into the network with policy-based access control, identity aware networking, data confidentiality and data integrity. Basically, TrustSec is role-based, which means for every user and device on the network, you must stablish what their job is. In order to do that, TrustSec first starts with making your network role-aware.
Cisco TrustSec is designed to use the network devices that you already have and since the role enforcement is actually is done at the device level, the first step for TrustSec deployment is to authenticate the device itself within the TrustSec framework. This identifies all legitimate devices or roles on your network with the express purpose of keeping rogue devices from entering and being used as an attack vector.
once your infrastructure is authenticated, you need to look at two key concepts: Security Group Tags (SGTs) and Security Group Access Control Lists (SGACL).
Briefly, SGACLs are the enforcement arm of TrustSec and the advantage of that over plain ACL, is that they do not use IP addresses. In addition, SGT is a unique 16-bit tag assigned to each individual role and device that connects it to a TrustSec domain. The Tag itself indicates a privilege level across the entire domain.
Therefore, an SGT is passed along dynamically to a switch or an access point, after either the 802.1X. the web authentication or the MAC authentication bypass which would happen with the RADIUS vendor-specific attribute.
SGTs dynamically automate the process of network-wide policy deployment and enforcement. So instead of manually typing entries into an ACL, you can benefit from a security policy change. This innovation is going to spare a lot of time.
Moreover, to ensure confidentiality and integrity, there is also hop-by-hop encryption based on 802.1AE is available to complete TrustSec deployment. So if the frames are being captured, no information would be leaked. Packets are encrypted on egress and decrypt it on ingress.
What is pxGrid?
Generally, Platform Exchange Grid (pxGrid) solution is an open standard, multi-Vendor, Cross-Platform Network System solution for context sharing which helps the enterprises to identify the hidden threats and prevent them from moving into the network.
Also, Cisco ISE uses pxGrid to share network context about Who, What, When, and Where users and endpoints are connecting to the network. Furthermore, an application may use pxGrid to instruct Cisco ISE to quarantine
users and devices.
Essentially, pxGrid operates in Publisher and Subscriber model and is consisted of different rules:
- pxGrid Controller: it manages client authentications, authorizations, topics, and the subscription list.
- pxGrid Publisher: it publishes topics of interest or capabilities to pxGrid.
- pxGrid subscriber: it gets the contextual information and alerts that are published to the grid.