1-2
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Information About the ASA Integrated with Cisco TrustSec
means that a combination of user attributes plus end-point attributes provide the key characteristics, in
addition to existing 5-tuple based rules, that enforcement devices, such as switches and routers with
firewall features or dedicated firewalls, can reliably use for making access control decisions.
As a result, the availability and propagation of end point attributes or client identity attributes have
become increasingly important requirements to enable security solutions across the customers’
networks, at the access, distribution, and core layers of the network and in the data center to name but a
few examples.
Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware
infrastructure to ensure data confidentiality between network devices and integrate security access
services on one platform. In the Cisco TrustSec solution, enforcement devices utilize a combination of
user attributes and end-point attributes to make role-based and identity-based access control decisions.
The availability and propagation of this information enables security solutions across networks at the
access, distribution, and core layers of the network.
Implementing Cisco TrustSec into your environment has the following advantages:
•
Provides a growing mobile and complex workforce with appropriate and more secure access from
any device
•
Lowers security risks by providing comprehensive visibility of who and what is connecting to the
wired or wireless network
•
Offers exceptional control over activity of network users accessing physical or cloud-based IT
resources
•
Reduces total cost of ownership through centralized, highly secure access policy management and
scalable enforcement mechanisms
For information about Cisco TrustSec, see
http://www.cisco.com/go/trustsec
.
About SGT and SXP Support in Cisco TrustSec
In the Cisco TrustSec solution, security group access transforms a topology-aware network into a
role-based network, thus enabling end-to-end policies enforced on the basis of role-based access-control
(RBACL). Device and user credentials acquired during authentication are used to classify packets by
security groups. Every packet entering the Cisco TrustSec cloud is tagged with an security group tag
(SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce
security policies along the data path. An SGT can indicate a privilege level across the domain when the
SGT is used to define a security group access list.
An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC
authentication bypass (MAB), which happens with a RADIUS vendor-specific attribute. An SGT can be
assigned statically to a particular IP address or to a switch interface. An SGT is passed along
dynamically to a switch or access point after successful authentication.
The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate
the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support
to hardware that supports SGTs and security group access lists. SXP, a control plane protocol, passes
IP-SGT mappings from authentication points (such as legacy access layer switches) to upstream devices
in the network.
The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the
well known TCP port number 64999 when initiating a connection. Additionally, an SXP connection is
uniquely identified by the source and destination IP addresses.
Summary of Contents for 5505 - ASA Firewall Edition Bundle
Page 28: ...Glossary GL 24 Cisco ASA Series CLI Configuration Guide ...
Page 61: ...P A R T 1 Getting Started with the ASA ...
Page 62: ......
Page 219: ...P A R T 2 Configuring High Availability and Scalability ...
Page 220: ......
Page 403: ...P A R T 2 Configuring Interfaces ...
Page 404: ......
Page 499: ...P A R T 2 Configuring Basic Settings ...
Page 500: ......
Page 533: ...P A R T 2 Configuring Objects and Access Lists ...
Page 534: ......
Page 601: ...P A R T 2 Configuring IP Routing ...
Page 602: ......
Page 745: ...P A R T 2 Configuring Network Address Translation ...
Page 746: ......
Page 845: ...P A R T 2 Configuring AAA Servers and the Local Database ...
Page 846: ......
Page 981: ...P A R T 2 Configuring Access Control ...
Page 982: ......
Page 1061: ...P A R T 2 Configuring Service Policies Using the Modular Policy Framework ...
Page 1062: ......
Page 1093: ...P A R T 2 Configuring Application Inspection ...
Page 1094: ......
Page 1191: ...P A R T 2 Configuring Unified Communications ...
Page 1192: ......
Page 1333: ...P A R T 2 Configuring Connection Settings and QoS ...
Page 1334: ......
Page 1379: ...P A R T 2 Configuring Advanced Network Protection ...
Page 1380: ......
Page 1475: ...P A R T 2 Configuring Modules ...
Page 1476: ......
Page 1549: ...P A R T 2 Configuring VPN ...
Page 1550: ......
Page 1965: ...P A R T 2 Configuring Logging SNMP and Smart Call Home ...
Page 1966: ......
Page 2059: ...P A R T 2 System Administration ...
Page 2060: ......
Page 2098: ...1 8 Cisco ASA Series CLI Configuration Guide Chapter 1 Troubleshooting Viewing the Coredump ...
Page 2099: ...P A R T 2 Reference ...
Page 2100: ......