Chapter 14: Managing TrustSec Firewall Policies
User Guide for Cisco Security Manager 4.4, OL-28826-01, page 14-1
Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware
infrastructure to ensure data confidentiality between network devices and integrate security access
services on one platform. In the Cisco TrustSec solution, enforcement devices utilize a combination of
user attributes and end-point attributes to make role-based and identity-based access control decisions.
ASA devices integrate with Cisco TrustSec to provide security-group-based policy enforcement. Access
policies within the Cisco TrustSec domain are topology-independent: they are based on the roles of the
source and destination devices rather than on network IP addresses.
Security group awareness is integrated into several existing firewall rules; there is no unique TrustSec
firewall policy. This chapter explains TrustSec firewall policies and how to implement them in the
various policies that support security group awareness.
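As an added illustration (not code from the Cisco guide), the following Python model contrasts a security-group-based rule with a traditional address-based one. The IP-to-tag mapping, tag numbers, addresses and rules are constructed for this example and stand in for what an enforcement device would learn from the identity infrastructure; the point is that the tag-based decision follows the endpoint when its address changes, while the subnet-based rule both loses the roaming user and over-permits an unrelated device that shares the subnet.

```python
"""Added example: toy security-group vs. IP-based access decision.
All tags, addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed IP -> Security Group Tag (SGT) mapping. On a real enforcement
# device this binding comes from the identity infrastructure, not a literal.
IP_TO_SGT: Dict[str, int] = {
    "10.1.1.25": 10,      # employee laptop on the wired LAN, group 10
    "192.168.7.44": 10,   # same user after moving to Wi-Fi: new IP, same tag
    "10.1.1.30": 20,      # contractor device that shares the wired subnet
    "10.50.0.5": 100,     # finance application server
}


@dataclass(frozen=True)
class SGTRule:
    src_sgt: Optional[int]   # None matches any source tag
    dst_sgt: Optional[int]   # None matches any destination tag
    dst_port: Optional[int]  # None matches any port
    action: str              # "permit" or "deny"


@dataclass(frozen=True)
class IPRule:
    src_net: str             # CIDR
    dst_net: str             # CIDR
    dst_port: Optional[int]
    action: str


# Role-based policy: employees (tag 10) may reach finance servers (tag 100) on 443.
SGT_POLICY: List[SGTRule] = [
    SGTRule(10, 100, 443, "permit"),
    SGTRule(None, None, None, "deny"),          # explicit catch-all deny
]

# Equivalent intent expressed the traditional way, by subnet.
IP_POLICY: List[IPRule] = [
    IPRule("10.1.1.0/24", "10.50.0.0/24", 443, "permit"),
    IPRule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def sgt_decision(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation on security group tags, failing closed when
    either endpoint has no known identity binding."""
    src_tag = IP_TO_SGT.get(src_ip)
    dst_tag = IP_TO_SGT.get(dst_ip)
    if src_tag is None or dst_tag is None:
        return "deny"
    for rule in SGT_POLICY:
        if (rule.src_sgt in (None, src_tag)
                and rule.dst_sgt in (None, dst_tag)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"


def ip_decision(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation on source/destination subnets."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in IP_POLICY:
        if (src in ip_network(rule.src_net)
                and dst in ip_network(rule.dst_net)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for src in ("10.1.1.25", "192.168.7.44", "10.1.1.30"):
        print(src, "-> finance:443",
              "sgt:", sgt_decision(src, "10.50.0.5", 443),
              "ip:", ip_decision(src, "10.50.0.5", 443))
```

The roaming employee is permitted under the tag-based policy from either address, but the subnet rule denies the Wi-Fi address and permits the contractor on the wired subnet, which is exactly the gap role-based enforcement is meant to close. The fail-closed branch in `sgt_decision` is the caveat a practitioner should keep in mind: a tag-based decision is only as good as the identity binding behind it, so an unknown or stale binding must not default to permit.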
This chapter contains the following topics:
Overview of TrustSec Firewall Policies, page 14-1
Configuring TrustSec Firewall Policies, page 14-7
Monitoring TrustSec Firewall Policies, page 14-14

Overview of TrustSec Firewall Policies

Traditionally, security features such as firewalls performed access control based on predefined IP
addresses, subnets, and protocols. However, as enterprises transition to borderless networks, both the
technology used to connect people and organizations and the security requirements for protecting data
and networks have evolved significantly. End points are increasingly nomadic, and users often employ
a variety of end points (for example, a laptop or desktop, a smart phone, or a tablet). Consequently,
a combination of user attributes and end-point attributes, in addition to existing 6-tuple-based rules,
provides the key characteristics that enforcement devices (switches and routers with firewall features,
or dedicated firewalls) can reliably use for making access control decisions.
As a result, the availability and propagation of end-point attributes or client identity attributes have
become increasingly important requirements for enabling security solutions across customers'
networks: at the access, distribution, and core layers, and in the data center, to name a few examples.
Implementing Cisco TrustSec into your environment has the following advantages: