A key characteristic of any successful design is the ‘holistic approach’: as a network designer or architect, you typically need to look at the big picture first.
For example, if you are designing a data center or a campus LAN, you need to look at the enterprise architecture holistically and see how it will fit with the other places in the network. In today’s modern networks, security is also a critical requirement; therefore, you must consider the end-to-end architecture (not only one place in the network at a time) to be able to identify and propose a solution architecture capable of providing simple, reliable, efficient and secure communication. For example, you can define an enterprise-wide policy model that provides consistent ‘end to end’ segmentation among the different user groups and places in the network, as well as controlling which applications and services they are allowed to access within the data center.
Cisco TrustSec simplifies the provisioning and management of secure access to network services and applications. It is an intelligent access control solution that mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and control over what and where they can go.
The Cisco Security Group Tag (SGT) is a key element of the Cisco TrustSec architecture that overcomes the shortcomings of the traditional approaches to policy administration. If Cisco ISE is used, it transmits the tag information to all the supported Cisco devices in the network (centralized configuration and provisioning).
Cisco TrustSec classifies traffic based on the contextual identity of the endpoint rather than its IP address. This means that a TrustSec security group tag (SGT) is assigned to an endpoint typically based on that endpoint’s user, device, and location attributes (pre-defined profiling). The SGT denotes the endpoint’s access entitlements, and all traffic from the endpoint carries the SGT information. Switches, routers, and firewalls use the SGT to make forwarding decisions based on the security policy.
With this approach, you can use Cisco TrustSec controls to define your access policies in terms of business needs. For example, the enterprise security policy may state that any personal device, such as a tablet or a smartphone, used by employees should be restricted to accessing the external mail server in the DMZ and the Internet only, even when the users log in to the network from these devices with their corporate credentials. With Cisco TrustSec (using SGTs and profiling), this goal can be achieved and maintained in a centralized and efficient manner without introducing any operational complexity.
Cisco ACI, on the other hand, uses a policy-based approach to abstract traditional network constructs (e.g. VLANs, VRFs, IP subnets, etc.). Cisco Nexus 9000 switches (running in ACI mode) together with the APIC controller comprise the ACI elements, which apply the policy-based approach by focusing on the application. The Nexus 9000 platform forms the physical switching infrastructure, while the APIC is a clustered policy management system (SDN and policy controller) responsible for all aspects of fabric configuration.
The previous blog post, “ACI – Policy Based Data Center Model – Foundations”, covered the foundation of the ACI policy-based model, which is constructed from the following key elements:
At this stage we have two robust approaches to secure network communications and control traffic segmentation.
As mentioned earlier, one of the key design principles is to follow a holistic approach. This means that focusing only on securing your data center perimeter and/or building micro-segmentation security policies among the virtual machines is important, but not enough in today’s modern and dynamic networks.
For example, let’s consider a realistic scenario: an educational institute environment (a university). This university wants to achieve the following:
Controlling such a dynamic environment (where the number of people, devices and types of access change very frequently) can be a nightmare, especially if you consider using the classical control/filtering approach based on source and destination IP addresses at the DC or network access edge!
With Cisco TrustSec integrated with Cisco ACI, you can provision and manage a cohesive solution to achieve the aforementioned requirements without introducing any operational complexity.
As shown in the figure below, Cisco ISE (the centre of TrustSec) integrates with the Cisco ACI APIC (the ACI/SDN controller). With this integration, the ACI APIC can pull the SGTs and translate them into external EPGs. Then, from the APIC, you can simply control who can access what, using the contract concept between an external EPG and the existing internal EPGs where the intended servers/applications are grouped.
Similarly, from the ISE point of view, the internal EPGs can be pulled and translated into SGTs, so that ISE can enforce the desired policy based on these SG tags.
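To make the group-based decision concrete, here is an added Python model (written for this post, not ISE or APIC code) of the flow described above and in the earlier SGT paragraphs: an endpoint is classified into an SGT from its user, device and location attributes, the SGT is translated into an external EPG, and a flow is permitted only if a contract exists between that external EPG and the internal EPG of the application. All role, device, EPG and port values are constructed for illustration.

```python
# Added illustrative model of group-based policy (not ISE or APIC code): endpoints are
# classified into an SGT from user/device/location attributes, SGTs map to ACI external
# EPGs, and access is decided by EPG contracts, never by source/destination IP addresses.
from dataclasses import dataclass
@dataclass(frozen=True)
class Endpoint:
    ip: str         # kept for reference only; the policy never consults it
    user_role: str  # constructed values: "employee", "student", "guest"
    device: str     # constructed values: "corporate-laptop", "personal-tablet"
    location: str   # constructed values: "campus", "guest-wifi"

# Hypothetical profiling rules, evaluated in order; first match wins.
CLASSIFICATION = [
    (lambda e: e.location == "guest-wifi", "SGT_GUEST"),
    (lambda e: e.device.startswith("personal-"), "SGT_BYOD"),
    (lambda e: e.user_role == "employee", "SGT_EMPLOYEE"),
    (lambda e: e.user_role == "student", "SGT_STUDENT"),
]
DEFAULT_SGT = "SGT_UNKNOWN"

# SGT -> external EPG translation, as the APIC learns it from ISE (constructed names).
SGT_TO_EXT_EPG = {"SGT_GUEST": "ext-guest", "SGT_BYOD": "ext-byod",
                  "SGT_EMPLOYEE": "ext-employee", "SGT_STUDENT": "ext-student"}

# Contracts: (consumer external EPG, provider internal EPG) -> permitted TCP ports;
# no contract means no access (the BYOD group only reaches DMZ mail and the Internet).
CONTRACTS = {
    ("ext-guest", "internet"): {80, 443},
    ("ext-byod", "dmz-mail"): {587, 993},
    ("ext-byod", "internet"): {80, 443},
    ("ext-employee", "dmz-mail"): {587, 993},
    ("ext-employee", "internet"): {80, 443},
    ("ext-employee", "hr-app"): {443},
    ("ext-student", "internet"): {80, 443},
    ("ext-student", "lms-app"): {443},
}

def classify(endpoint: Endpoint) -> str:
    """Return the SGT derived from contextual attributes, not from the IP address."""
    for matches, sgt in CLASSIFICATION:
        if matches(endpoint):
            return sgt
    return DEFAULT_SGT

def is_permitted(endpoint: Endpoint, provider_epg: str, port: int) -> bool:
    """Permit a flow only if a contract exists between the translated EPG and the provider."""
    ext_epg = SGT_TO_EXT_EPG.get(classify(endpoint))
    if ext_epg is None:
        return False  # unclassified endpoints hold no contract and are denied
    return port in CONTRACTS.get((ext_epg, provider_epg), set())
```

Note that two endpoints with the same IP address but different device attributes receive different SGTs and therefore different access, which is exactly what an IP-based ACL cannot express.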
In summary, securing your data center from external networks and among the applications/VMs within the data center is a must, but not enough in today’s networks. By sharing contextual and policy group information between the TrustSec and ACI domains, enterprises are able today to address network access breaches and compliance challenges and to meet the complex and dynamic security segmentation requirements of today’s networks. In fact, with the group-based policy approach used by TrustSec and ACI, enterprises can define unified and consistent security policies to gain ‘end to end’ visibility and control, with vastly simplified security design, management and compliance across the different places in the network (remote sites, campus, VPN users and data center).