Name: Cisco TrustSec
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

CHAPTER

1-1

Cisco TrustSec Configuration Guide

OL-22192-01

Cisco TrustSec Overview

Revised: June 16, 2011, OL-22192-01

This chapter contains the following topics:

• Information about Cisco TrustSec Architecture, page 1-1

• Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network, page 1-13

Information about Cisco TrustSec Architecture

The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted

network devices. Each device in the domain is authenticated by its peers. Communication on the links

between devices in the domain is secured with a combination of encryption, message integrity check,

and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials

acquired during authentication for classifying the packets by security groups (SGs) as they enter the

network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec

network so that they can be properly identified for the purpose of applying security and other policy

criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce

the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.

The Cisco TrustSec architecture incorporates three key components:

• Authenticated networking infrastructure—After the first device (called the seed device)

authenticates with the authentication server to begin the Cisco TrustSec domain, each new device

added to the domain is authenticated by its peer devices already within the domain. The peers act as

intermediaries for the domain’s authentication server. Each newly-authenticated device is

categorized by the authentication server and assigned a security group number based on its identity,

role, and security posture.

• Security group-based access control—Access policies within the Cisco TrustSec domain are

topology-independent, based on the roles (as indicated by security group number) of source and

destination devices rather than on network addresses. Individual packets are tagged with the security

group number of the source.

• Secure communication—With encryption-capable hardware, communication on each link between

devices in the domain can be secured with a combination of encryption, message integrity checks,

and data-path replay protection mechanisms.

Questions and Answers:

Need help?

Do you have a question about the Cisco TrustSec and is the answer not in the manual?

Cisco TrustSec Specifications

General

Category	Network Security
Functionality	Provides role-based access control, network segmentation, and policy enforcement.
Key Components	Security Group Tags (SGT), Security Exchange Protocol (SXP).
Authentication Methods	802.1X, MAC Authentication Bypass (MAB), Web Authentication
Security Group Tagging (SGT)	Assigns security group tags to users and devices for identity-based segmentation.
Security Exchange Protocol (SXP)	A protocol used to propagate SGT information across network devices.
Policy Enforcement	Enforces security policies based on SGTs and SGACLs.
Benefits	Enhanced security, simplified policy management, and improved compliance.
Encryption	Supports encryption for data in transit through IPsec and MACsec.
Scalability	Scalable to large enterprise networks with thousands of devices.
Compatibility	Compatible with a wide range of Cisco network devices.
Description	Cisco TrustSec is a security architecture framework designed to build secure networks. It uses identity-based access control to segment the network and enforce policies based on user roles and device types, rather than relying solely on IP addresses.