6-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
About Cisco TrustSec
•
Offers exceptional control over activity of network users accessing physical or cloud-based IT
resources
•
Reduces total cost of ownership through centralized, highly secure access policy management and
scalable enforcement mechanisms
•
For more information, see the following URLs:
About SGT and SXP Support in Cisco TrustSec
In the Cisco TrustSec feature, security group access transforms a topology-aware network into a
role-based network, which enables end-to-end policies enforced on the basis of role-based access control
(RBAC). Device and user credentials acquired during authentication are used to classify packets by
security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag
(SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce
security policies along the data path. An SGT can indicate a privilege level across the domain when the
SGT is used to define a security group ACL.
An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC
authentication bypass (MAB), which occurs with a RADIUS vendor-specific attribute. An SGT can be
assigned statically to a particular IP address or to a switch interface. An SGT is passed along
dynamically to a switch or access point after successful authentication.
The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate
the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support
to hardware that supports SGTs and security group ACLs. SXP, a control plane protocol, passes IP-SGT
mapping from authentication points (such as legacy access layer switches) to upstream devices in the
network.
The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the
well-known TCP port number 64999 to initiate a connection. Additionally, an SXP connection is
uniquely identified by the source and destination IP addresses.
Reference
Description
http://www.cisco.com/c/en/us/soluti
ons/enterprise-networks/trustsec/ind
ex.html
Describes the Cisco TrustSec system and architecture for
the enterprise.
Provides instructions for deploying the Cisco TrustSec
solution in the enterprise, including links to component
design guides.
Provides an overview of the Cisco TrustSec solution when
used with the ASA, switches, wireless LAN (WLAN)
controllers, and routers.
http://www.cisco.com/c/en/us/soluti
ons/enterprise-networks/trustsec/tru
stsec_matrix.html
Provides the Cisco TrustSec Platform Support Matrix,
which lists the Cisco products that support the Cisco
TrustSec solution.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...