14-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Overview of TrustSec Firewall Policies
• Provides a growing mobile and complex workforce with appropriate and more secure access from any device
• Lowers security risks by providing comprehensive visibility of who and what is connecting to the wired or wireless network
• Offers exceptional control over activity of network users accessing physical or cloud-based IT resources
• Reduces total cost of ownership through centralized, highly secure access policy management and scalable enforcement mechanisms
For information about Cisco TrustSec, see http://www.cisco.com/go/trustsec.
This section contains the following topics:
Understanding SGT and SXP Support in Cisco TrustSec, page 14-2
Roles in the Cisco TrustSec Solution, page 14-2
Security Group Policy Enforcement, page 14-3
About Speaker and Listener Roles, page 14-6
Prerequisites for Integrating an ASA with Cisco TrustSec, page 14-6
Understanding SGT and SXP Support in Cisco TrustSec
In the Cisco TrustSec solution, security group access transforms a topology-aware network into a role-based network, thus enabling end-to-end policies enforced on the basis of role-based access control lists (RBACLs). Device and user credentials acquired during authentication are used to classify packets by security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce security policies along the data path.
An SGT can indicate a privilege level across the domain when the SGT is used to define a security group ACL. An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB), with the SGT carried in a RADIUS vendor-specific attribute. An SGT can also be assigned statically to a particular IP address or to a switch interface. An SGT is passed along dynamically to a switch or access point after successful authentication.
The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support to hardware that supports SGTs and security group ACLs. SXP, a control plane protocol, passes IP-SGT mappings from authentication points (such as legacy access layer switches) to upstream devices in the network.
The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the well-known TCP port number 64999 when initiating a connection. Additionally, an SXP connection is uniquely identified by the source and destination IP addresses.
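The classification and propagation just described, as an added example in Python (not Cisco's code, and not the SXP wire protocol itself): an access switch's IP-to-SGT bindings are pushed over a speaker/listener connection to an upstream enforcement point, which classifies packets by longest-prefix match and applies a security group ACL matrix. All addresses, SGT values and ACL cells are constructed for the demonstration.

```python
import ipaddress

SXP_PORT = 64999  # well-known TCP port SXP uses when initiating a connection

class BindingTable:
    """IP-to-SGT mapping database held by one network device."""
    def __init__(self):
        self.bindings = {}  # ipaddress network -> SGT value

    def add(self, prefix, sgt):
        self.bindings[ipaddress.ip_network(prefix, strict=False)] = sgt

    def classify(self, ip):
        """SGT for an address via longest-prefix match; None if nothing covers it."""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.bindings if addr in net]
        return self.bindings[max(matches, key=lambda n: n.prefixlen)] if matches else None

class SxpConnection:
    """Point-to-point session, identified by the (speaker IP, listener IP) pair."""
    def __init__(self, speaker_ip, listener_ip):
        self.key = (ipaddress.ip_address(speaker_ip), ipaddress.ip_address(listener_ip), SXP_PORT)

    def propagate(self, speaker, listener):
        """Speaker pushes every binding it knows into the listener's table."""
        for net, sgt in speaker.bindings.items():
            listener.add(str(net), sgt)
        return len(speaker.bindings)

def enforce(table, sgacl, src_ip, dst_ip):
    """Classify both endpoints, then look up the (src SGT, dst SGT) cell of the
    security group ACL matrix. Unmapped addresses get SGT 0 (unknown); a missing
    cell is an implicit deny."""
    src_sgt = table.classify(src_ip) or 0
    dst_sgt = table.classify(dst_ip) or 0
    return sgacl.get((src_sgt, dst_sgt), "deny")

def demo():
    # Constructed sample: the access switch learned SGTs at authentication time;
    # the upstream ASA enforces policy but learns its IP-SGT bindings over SXP.
    access_switch, asa = BindingTable(), BindingTable()
    access_switch.add("10.1.1.0/24", 10)   # employee subnet
    access_switch.add("10.1.1.50/32", 20)  # a contractor host inside that subnet
    asa.add("192.0.2.10/32", 100)          # server mapped statically on the ASA
    SxpConnection("10.1.1.1", "10.1.2.1").propagate(access_switch, asa)
    sgacl = {(10, 100): "permit"}          # employees may reach servers; contractors have no cell
    return (enforce(asa, sgacl, "10.1.1.7", "192.0.2.10"),
            enforce(asa, sgacl, "10.1.1.50", "192.0.2.10"))
```

Note that the more specific /32 binding wins over the /24 it sits inside, which is why the contractor host is denied even though its subnet is permitted.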
Roles in the Cisco TrustSec Solution
To provide identity and policy-based access enforcement, the Cisco TrustSec solution includes the following functionality:
Access Requestor (AR): Access requestors are endpoint devices that request access to protected resources in the network. They are the primary subjects of the architecture, and their access privilege depends on their identity credentials.