Saturday, May 31, 2008

Cisco TrustSec @ Stanford Networking Seminar

On May 29th, Fabio Mano presented a session on Cisco's TrustSec at the Stanford Networking Seminar. He prefaced his talk by saying this was the first time Cisco has presented this topic without a nondisclosure.

TrustSec is a fundamental change in the way enterprise network security is implemented. Its architecture builds on top of a strong identity framework to provide authentication for each network device and centralized Role Based Access Control. All network entities, including switches and routers in addition to users and hosts, are identified and strongly authenticated to build a trusted network infrastructure. Identities are then mapped onto topology-independent Security Groups by a centralized Attribute Based Access Control policy engine, and the group is carried within each packet through the network. Access control policies are no longer expressed in terms of IP addresses, but simply in terms of Security Groups.

To protect the integrity of the Security Group Tag, each frame is encrypted at the egress port of every network device and decrypted at the next ingress port using the IEEE 802.1AE standard frame format (the draft standards 802.1af and 802.1AR will also be supported).

By encrypting packets at every hop of the network, user data is protected across the entire enterprise network while the network retains the capability to provide value-added services (such as NetFlow, quality of service, load balancing, application-level caching, and intrusion prevention).

Essentially TrustSec adds a layer of indirection to accomplish its goals. When I get a moment I'll add a simple diagram that expresses the layer of indirection.
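The layer of indirection described above, as an added example (not Cisco's code and not material from the talk): identities are classified into Security Groups at the ingress port, a per-hop integrity value standing in for the 802.1AE protection is checked at each next ingress port, and the egress device enforces a policy written only in terms of group pairs. The identities, group names, policy matrix and link keys are all constructed for illustration.

```python
# Added example (not Cisco code) modelling TrustSec-style SGT enforcement; all values constructed.
import hashlib
import hmac
from dataclasses import dataclass

# Authenticated identity -> Security Group, assigned by the policy engine.
IDENTITY_TO_SGT = {"alice": "Employees", "bob": "Contractors",
                   "hr-db": "HR_Servers", "wiki": "Intranet_Web"}
# Policy is written only as (source group, destination group) pairs;
# no IP address appears anywhere. Any pair not listed is denied.
SGACL = {("Employees", "HR_Servers"): "permit",
         ("Employees", "Intranet_Web"): "permit",
         ("Contractors", "Intranet_Web"): "permit"}
@dataclass
class Frame:
    src_identity: str    # who authenticated on the ingress port
    dst_identity: str
    payload: bytes
    sgt: str = ""        # filled in by the ingress switch
    icv: bytes = b""     # per-hop integrity value (stands in for 802.1AE)

def _icv(frame: Frame, link_key: bytes) -> bytes:
    return hmac.new(link_key, frame.sgt.encode() + frame.payload, hashlib.sha256).digest()

def ingress_classify(frame: Frame) -> None:
    """Ingress switch maps the authenticated identity to its SGT."""
    frame.sgt = IDENTITY_TO_SGT[frame.src_identity]

def link_protect(frame: Frame, link_key: bytes) -> None:
    """Egress side of a hop binds tag and payload under this link's key."""
    frame.icv = _icv(frame, link_key)

def link_verify(frame: Frame, link_key: bytes) -> bool:
    """Ingress side of the next hop rejects a frame altered on the wire."""
    return hmac.compare_digest(_icv(frame, link_key), frame.icv)

def egress_enforce(frame: Frame) -> str:
    """Egress switch resolves the destination group and applies the SGACL."""
    return SGACL.get((frame.sgt, IDENTITY_TO_SGT[frame.dst_identity]), "deny")

def forward(frame: Frame, hop_keys: list, on_wire=None) -> str:
    """Carry a frame hop by hop; each hop verifies before it forwards."""
    ingress_classify(frame)
    for key in hop_keys:
        link_protect(frame, key)
        if on_wire:                          # optional in-transit modification
            on_wire(frame)
        if not link_verify(frame, key):
            return "drop-integrity"
    return egress_enforce(frame)
```

Moving a host to a different subnet changes nothing here, since the decision depends only on the group carried in the frame.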
