Cisco ASA Series Cli Configuration Manual page 906

Information About the ASA Integrated with Cisco TrustSec
means that a combination of user attributes plus end-point attributes provide the key characteristics, in
addition to existing 5-tuple based rules, that enforcement devices, such as switches and routers with
firewall features or dedicated firewalls, can reliably use for making access control decisions.
As a result, the availability and propagation of end point attributes or client identity attributes have
become increasingly important requirements to enable security solutions across the customers'
networks, at the access, distribution, and core layers of the network and in the data center to name but a
few examples.
Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware
infrastructure to ensure data confidentiality between network devices and integrate security access
services on one platform. In the Cisco TrustSec solution, enforcement devices utilize a combination of
user attributes and end-point attributes to make role-based and identity-based access control decisions.
The availability and propagation of this information enables security solutions across networks at the
access, distribution, and core layers of the network.
Implementing Cisco TrustSec into your environment has the following advantages:
•
•
•
•
For information about Cisco TrustSec, see http://www.cisco.com/go/trustsec.
About SGT and SXP Support in Cisco TrustSec
In the Cisco TrustSec solution, security group access transforms a topology-aware network into a
role-based network, thus enabling end-to-end policies enforced on the basis of role-based access-control
(RBACL). Device and user credentials acquired during authentication are used to classify packets by
security groups. Every packet entering the Cisco TrustSec cloud is tagged with an security group tag
(SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce
security policies along the data path. An SGT can indicate a privilege level across the domain when the
SGT is used to define a security group access list.
An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC
authentication bypass (MAB), which happens with a RADIUS vendor-specific attribute. An SGT can be
assigned statically to a particular IP address or to a switch interface. An SGT is passed along
dynamically to a switch or access point after successful authentication.
The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate
the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support
to hardware that supports SGTs and security group access lists. SXP, a control plane protocol, passes
IP-SGT mappings from authentication points (such as legacy access layer switches) to upstream devices
in the network.
The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the
well known TCP port number 64999 when initiating a connection. Additionally, an SXP connection is
uniquely identified by the source and destination IP addresses.
Cisco ASA Series CLI Configuration Guide
1-2
Provides a growing mobile and complex workforce with appropriate and more secure access from
any device
Lowers security risks by providing comprehensive visibility of who and what is connecting to the
wired or wireless network
Offers exceptional control over activity of network users accessing physical or cloud-based IT
resources
Reduces total cost of ownership through centralized, highly secure access policy management and
scalable enforcement mechanisms
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec