Cisco this week rolled out yet another method for securing corporate networks.
Called TrustSec, the architecture is intended to determine, through policies, the role of users and devices in the network before granting access to resources. This has been practiced in applications for years, Cisco officials say, but is only now being enforced at the network level.
TrustSec differs from Cisco's 6-year-old Self-Defending Networks architecture in that Self-Defending Networks is intended to mitigate threats via intrusion-detection systems and firewalls, while TrustSec is designed for hop-by-hop integrity and confidentiality of traffic, tied to the identity of users and their role in the network, Cisco officials say.
"It's a follow on phase" to Self-Defending Networks, says Bob Gleichauf, CTO of Cisco's Security Technology Group. "We're getting this threat defense thing down pretty good; now let's start worrying about where we can go in the network."
With TrustSec, for example, users in company departments such as sales and finance would be identified by Cisco switches and granted access to resources -- such as a Skype phone call between the two departments -- for a specific time period based on pre-defined policies. Once that time period elapses, the Cisco switches would drop the Skype session.
TrustSec was four years in the making, Cisco officials say. It can work with Cisco Catalyst 6500 switches equipped with the Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA) as an overlay, but does not require PISA, Gleichauf says.
The PISA module analyzes stateful and stateless application traffic flows for security, compliance with corporate policies and management of network resource utilization.
But TrustSec requires additional hardware and software upgrades to Cisco switches, and to a Cisco authentication, authorization, and accounting (AAA) policy server to support the TrustSec switch policy engine for storing and enforcing role-based access policies.
The upgrades would support line-rate cryptography, link-layer encryption based on the IEEE 802.1AE standard, and the TrustSec concepts of security group tags (SGT), security group access control lists (SGACL) and the Security Association Protocol (SAP).
802.1AE (MACsec) provides hop-by-hop confidentiality and integrity for Ethernet frames at the link layer; TrustSec uses it to protect each switch-to-switch and switch-to-endpoint hop. SGTs tag traffic with role information that travels with the frame, while SGACLs are written in terms of source and destination roles rather than IP subnets, so access-control policy is decoupled from physical topology.
SAP is intended to simplify management of each link's encryption keys, giving application traffic protection on the LAN without having to retrofit encryption at the application layer.
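The following is an added illustrative model of the SGT/SGACL idea from the paragraphs above, including the time-limited policy in the sales/finance example; it is not Cisco code and does not reproduce the TrustSec wire format. The tag numbers, user identities, AAA role mapping and rules are all constructed for the example. It also includes a subnet-based ACL for contrast, to show what "decoupled from physical topology" buys: when a sales user moves to a different subnet, the IP-based rule stops matching while the role-based rule still does.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Security group tags. Values are assumed for this example, not Cisco reserved tags.
SGT = {"sales": 10, "finance": 20, "voice": 30, "unknown": 0}

# What an AAA server would return when an endpoint authenticates: identity -> role.
# Constructed sample data.
AAA_ROLE = {"alice": "sales", "bob": "finance", "pbx-01": "voice"}


@dataclass(frozen=True)
class Rule:
    src_sgt: int
    dst_sgt: int
    proto: str
    dport: Optional[int]                      # None means any destination port
    permit: bool
    window: Optional[Tuple[time, time]] = None  # optional hours during which the rule is live


# SGACL matrix: written entirely in terms of roles, never IP addresses or subnets.
# Sales <-> finance call signalling is allowed only during business hours (assumed 09:00-17:00).
SGACL = [
    Rule(SGT["sales"],   SGT["finance"], "tcp", 443,  True, (time(9), time(17))),
    Rule(SGT["finance"], SGT["sales"],   "tcp", 443,  True, (time(9), time(17))),
    Rule(SGT["sales"],   SGT["voice"],   "udp", 5060, True),
    Rule(SGT["finance"], SGT["voice"],   "udp", 5060, True),
]
DEFAULT_PERMIT = False  # implicit deny for any (src, dst) pair with no matching rule


def assign_sgt(identity: str) -> int:
    """Ingress switch: tag the endpoint with the SGT for the role AAA returned.

    An identity AAA does not know gets the 'unknown' tag, which no rule permits.
    """
    return SGT[AAA_ROLE.get(identity, "unknown")]


def rule_active(rule: Rule, now: datetime) -> bool:
    """A rule with a window only applies inside it; outside, it is as if the rule were absent."""
    if rule.window is None:
        return True
    start, end = rule.window
    return start <= now.time() < end


def evaluate(src_identity: str, dst_identity: str, proto: str, dport: int, now: datetime) -> bool:
    """Egress enforcement: look up (src_sgt, dst_sgt) in the SGACL and return the verdict.

    Note that nothing here depends on where either endpoint sits in the network.
    """
    src, dst = assign_sgt(src_identity), assign_sgt(dst_identity)
    for rule in SGACL:
        if (rule.src_sgt, rule.dst_sgt, rule.proto) != (src, dst, proto):
            continue
        if rule.dport not in (None, dport):
            continue
        if rule_active(rule, now):
            return rule.permit
    return DEFAULT_PERMIT


# The topology-bound alternative for contrast: permit "the sales subnet" to "the finance subnet".
# Subnets are assumed for the example.
SUBNET_ACL = [(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), "tcp", 443)]


def subnet_acl_permits(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Classic IP ACL: the policy breaks as soon as a user is attached to a different subnet."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in sn and d in dn and proto == p and dport == port
               for sn, dn, p, port in SUBNET_ACL)


if __name__ == "__main__":
    business_hours = datetime(2008, 3, 3, 10, 0)
    after_hours = datetime(2008, 3, 3, 17, 30)
    print("sales->finance 443 at 10:00:", evaluate("alice", "bob", "tcp", 443, business_hours))
    print("sales->finance 443 at 17:30:", evaluate("alice", "bob", "tcp", 443, after_hours))
    print("IP ACL, alice on 10.1/16:", subnet_acl_permits("10.1.5.5", "10.2.7.7", "tcp", 443))
    print("IP ACL, alice moved to 10.9/16:", subnet_acl_permits("10.9.5.5", "10.2.7.7", "tcp", 443))
```

The role-based `evaluate` never sees an IP address, so alice keeps her sales access whichever port or VLAN she plugs into, whereas `subnet_acl_permits` silently denies her after a move. The time window is implemented by treating an expired rule as absent, which drops through to the implicit deny rather than requiring a separate deny entry.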
Cisco has lined up Intel and Ixia for end point and testing equipment interoperability, respectively, with TrustSec via the 802.1AE standard.
TrustSec functionality is scheduled to be available across the Cisco switching platforms throughout the next 18 months beginning with the Catalyst 6500 in the first quarter of 2008.
The TrustSec launch comes a day after Cisco juiced up its intrusion-prevention sensor and announced a relationship with Reconnex for data-loss prevention.