14-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Overview of TrustSec Firewall Policies
Access requestors include end-point devices such as PCs, laptops, mobile phones, printers, cameras, and MACsec-capable IP phones.
Policy Decision Point (PDP): A policy decision point is responsible for making access control decisions. The PDP provides features such as 802.1x, MAB, and Web authentication, and supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT).
In the Cisco TrustSec solution, the Cisco Identity Services Engine (ISE) acts as the PDP. Cisco ISE provides identity and access control policy functionality.
Policy Information Point (PIP): A policy information point is a source that provides external information (for example, reputation, location, and LDAP attributes) to policy decision points. Policy information points include devices such as Session Directory, IPS sensors, and Communication Manager.
Policy Administration Point (PAP): A policy administration point defines policies and inserts them into the authorization system. The PAP acts as an identity repository, providing the Cisco TrustSec tag to user identity mapping and the Cisco TrustSec tag to server resource mapping.
In the Cisco TrustSec solution, the Cisco Secure Access Control System (a policy server with integrated 802.1x and SGT support) acts as the PAP.
Policy Enforcement Point (PEP): A policy enforcement point is the entity that carries out the decisions (policy rules and actions) made by the PDP for each AR. PEP devices learn identity information through the primary communication path that exists across networks. PEP devices learn the identity attributes of each AR from many sources, such as end-point agents, authorization servers, peer-enforcement devices, and network flows. In turn, PEP devices use SXP to propagate IP-SGT mappings to mutually trusted peer devices across the network.
Policy enforcement points include network devices such as Catalyst switches, routers, firewalls (specifically the ASA), servers, VPN devices, and SAN devices.
The ASA serves the role of the PEP in the identity architecture. Using SXP, the ASA learns identity information directly from authentication points and uses it to enforce identity-based policies.
Security Group Policy Enforcement
Security policy enforcement is based on security group name. Whereas traditional firewall policies are configured in terms of IP addresses, identity-based policies are configured in terms of user and device identities. For example, mktg-contractor is allowed to access mktg-servers; mktg-corp-users are allowed to access mktg-servers and corp-servers.
The benefits of this type of deployment include:
User groups and resources are defined and enforced using a single object (the SGT), which simplifies policy management.
User identity and resource identity are retained throughout the Cisco TrustSec-capable switch infrastructure.
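To make the enforcement model concrete, the following is an added example (not Cisco code, and not how the ASA implements it) of a minimal PEP that stores IP-SGT mappings of the kind a peer would advertise over SXP and then evaluates the policy above by security group name rather than by address. The group names come from the text; the SGT numbers and IP prefixes are constructed, and treating an unmapped address as denied is an assumption of this example.

```python
from ipaddress import ip_address, ip_network

# Security group names from the text; the numeric tags are constructed.
SGT = {"mktg-contractor": 10, "mktg-corp-users": 11,
       "mktg-servers": 20, "corp-servers": 21}

# Policy is written in terms of groups, not addresses. Any pair not
# listed here falls through to the implicit deny.
POLICY = {
    ("mktg-contractor", "mktg-servers"): "permit",
    ("mktg-corp-users", "mktg-servers"): "permit",
    ("mktg-corp-users", "corp-servers"): "permit",
}


class PolicyEnforcementPoint:
    """Minimal PEP: stores IP-SGT mappings and enforces group policy."""

    def __init__(self):
        self.ip_sgt = {}  # ip_network -> group name, learned over SXP

    def learn_mapping(self, prefix, group):
        """Install an IP-SGT mapping, as a PEP does when an SXP peer advertises one."""
        if group not in SGT:
            raise ValueError(f"unknown security group {group!r}")
        self.ip_sgt[ip_network(prefix)] = group

    def lookup_group(self, ip):
        """Longest-prefix match of an address against the learned mappings."""
        addr = ip_address(ip)
        matches = [net for net in self.ip_sgt if addr in net]
        if not matches:
            return None
        return self.ip_sgt[max(matches, key=lambda net: net.prefixlen)]

    def evaluate(self, src_ip, dst_ip):
        """Return 'permit' or 'deny' for a flow; unmapped addresses fail closed
        (an assumption of this example, not documented ASA behaviour)."""
        src, dst = self.lookup_group(src_ip), self.lookup_group(dst_ip)
        if src is None or dst is None:
            return "deny"
        return POLICY.get((src, dst), "deny")


def build_demo_pep():
    """PEP loaded with constructed sample mappings (addresses are made up)."""
    pep = PolicyEnforcementPoint()
    pep.learn_mapping("10.1.1.0/24", "mktg-contractor")
    pep.learn_mapping("10.1.2.0/24", "mktg-corp-users")
    pep.learn_mapping("10.9.0.0/16", "corp-servers")
    pep.learn_mapping("10.9.5.0/24", "mktg-servers")  # more specific than the /16
    return pep
```

Because the rules reference groups only, re-addressing a server or moving a user to another subnet changes only the SXP-learned mapping, not the policy.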