Cisco TrustSec technology provides switch-to-switch line-rate encryption and security group tagging of Ethernet frames. But what it really does is let you build the most robust identity-aware network and services in the world. This technology, if Cisco executes it properly, could forever change the way we design secure networks. Today's business networks are so open and have so many ingress/egress points on the perimeter that it is very risky to keep trusting your internal packets. Industry data on this topic supports that claim as well, with statistics showing that roughly 40% of intrusions occur from inside the network. Since we can't trust our internal traffic flows, what do we do? First, we need pervasive identity awareness in the network. If we can trace a flow, or even a single packet, back to an identity, then we can make better security decisions about what that flow is allowed to do on the network. Once we have the identity behind every internal packet, we need to be able to apply identity-aware security policy to those packets. Ladies and gentlemen, that is exactly what Cisco's TrustSec solution does. Here is an example scenario for TrustSec protection. I plug my laptop into the switchport. I authenticate to the network using 802.1x and my AD credentials. A Cisco ACS policy server will send down a Security Group Tag (SGT) identifier to the switch based on the group my user account is a member of. Let's say it sends an SGT of 110 to the switch. An SGT of 110 translates to a member of Contractors in AD. The switch will then start putting an SGT of 110 inside every Ethernet frame my laptop sends to the network. Now the fun starts! As that frame traverses the network heading toward its destination, any network device in its path can read the SGT and apply a security policy to it. One of the options today is to apply a security group ACL (SGACL) to the frame. If the frame is destined for a server that is a member of SGT 120, you can set a policy in Cisco ACS that says if SGT 110 talks to SGT 120 then deny all TCP ports except 80 and 443. TrustSec just created an ACL based on tag values and not on IP addresses, as has been traditional. So the beauty of this is that you no longer have to create ACLs based on IP addresses and instead use a group-based identity tag that is part of the frame! These SGTs are centrally managed and distributed by a Cisco ACS server, so you have a single pane of glass to view, modify or add SGTs and their associated policies. TrustSec can use location awareness, time range, access type, AD attributes like memberOf, and compound condition statements to make a security group tag decision.
Once the decision is made you can then enforce policy today using VLAN assignment, downloadable ACLs and security group ACL policies. Here is an example ACS authorization policy.
If a user authenticates via 802.1x, from any location, with a username that is a member of the AD group Doctors, then assign the Doctors SGT (ID 06) and the Employee-Permit authorization profile. That authorization profile includes a downloadable ACL called Restricted-IT-Services. Given the centralized nature of these policies, you can make changes quickly using only ACS. Below is a look at the security group ACL matrix in ACS. This is where you set tag-to-tag security policy.
From the matrix you can see that when SGT Doctors talks to SGT Voice Servers, a deny-any-IP rule will kick in and block the traffic. To make it even cooler, here is a look at an SGT-enabled Ethernet frame. Because the tagging is done at the frame level, there is no impact on IP packet fragmentation or IP MTU.
This picture shows the SGT buried in the frame. It also shows the optional 802.1AE/MACsec encryption headers. These will be present as well if you want to use the switch-to-switch or switch-to-host MACsec encryption features that are based on TrustSec. The tagging process happens before other Layer 2 switching services such as Quality of Service (QoS) actions. That means if Cisco chooses to make its QoS features SGT-aware, they could change QoS based on the value of the tag. As Cisco's TrustSec offering matures, Cisco will need to make all of its network devices TrustSec-aware. For example, a TrustSec-aware ASA would be able to make decisions based on SGT information. The same goes for IPS, VPN, IronPort web appliances, ACE load balancers, WAAS, and so on. The TrustSec solution lets you gather identity once (ideally via 802.1x at the access layer) and then maintain that identity for any TrustSec-aware device. Today each device needs to gather user identity on its own. The firewall talks to AD, the web filtering service talks to AD, the NAC solution talks to AD, etc. etc. TrustSec allows you to talk to AD once through a central point (ACS) and then have each service use the security group tags embedded in the frames to gather the identity it needs for making a policy decision. Pretty powerful stuff IMHO. To find out what is available today in the TrustSec solution go to: http://www.cisco.com/go/trustsec In a nutshell, the Cisco Nexus 7000 series fully supports TrustSec, ACS 5.1 is the policy server, and most other switches have limited TrustSec support starting in IOS 12.2(55)SE. For a security group tagging configuration guide go here: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.html To download a 90-day eval of Cisco ACS 5.1 go here: http://www.cisco.com/go/acs
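To make the tag-based enforcement concrete, here is a small model of the SGACL matrix from the scenario above being evaluated against frames. This is an added example, not Cisco code: the 110/120 and Doctors (06) tags come from the post, the Voice Servers tag number, the ACE tuple layout, the implicit deny at the end of a populated cell and the permit for unspecified cells are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Tag numbers following the post's scenario (the Voice Servers value is
# constructed here; the post only names that group).
SGT_CONTRACTORS, SGT_SERVERS = 110, 120
SGT_DOCTORS, SGT_VOICE_SERVERS = 6, 7

@dataclass(frozen=True)
class Frame:
    """What an SGT-aware device needs for an SGACL decision: no IP addresses."""
    src_sgt: int
    dst_sgt: int
    proto: str                     # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None

# An ACE is (action, protocol, allowed destination ports). Protocol "ip"
# matches any protocol and ports None matches any port. ACEs are evaluated
# in order; a populated cell ends in an implicit deny (assumed here).
SGACL_MATRIX = {
    # Contractors -> Servers: deny all TCP ports except 80 and 443
    (SGT_CONTRACTORS, SGT_SERVERS): [("permit", "tcp", {80, 443}),
                                     ("deny", "ip", None)],
    # Doctors -> Voice Servers: deny any IP
    (SGT_DOCTORS, SGT_VOICE_SERVERS): [("deny", "ip", None)],
}
UNSPECIFIED_CELL_ACTION = "permit"  # assumed behaviour for empty matrix cells

def ace_matches(ace, frame: Frame) -> bool:
    _, proto, ports = ace
    if proto != "ip" and proto != frame.proto:
        return False
    return ports is None or frame.dst_port in ports

def sgacl_decision(frame: Frame, matrix=SGACL_MATRIX) -> str:
    """Return 'permit' or 'deny' for a frame based solely on its tags."""
    aces = matrix.get((frame.src_sgt, frame.dst_sgt))
    if aces is None:
        return UNSPECIFIED_CELL_ACTION
    for ace in aces:
        if ace_matches(ace, frame):
            return ace[0]
    return "deny"  # implicit deny at the end of a populated cell

if __name__ == "__main__":
    for f in (Frame(110, 120, "tcp", 443), Frame(110, 120, "tcp", 22),
              Frame(6, 7, "udp", 5060), Frame(120, 110, "tcp", 80)):
        print(f, "->", sgacl_decision(f))
```

Note that the decision never looks at a source or destination IP address; moving a contractor's laptop to a different subnet changes nothing as long as the tag travels with the frame.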
The opinions and information presented here are my personal views and not those of my employer. I am in no way an official spokesperson for my employer.
By Jamey Heary.