The latest addition to Cisco Systems' vision of network-based security puts the spotlight on role-based access control (RBAC) to simplify management of user privileges across complex enterprises and defend corporate resources against unauthorized access.
Cisco Trusted Security (TrustSec) architecture will introduce new capabilities into Cisco switches, starting with the high-end Catalyst 6500 Series, supported by its Secure Access Control Server (ACS) in 2008, adding other Catalyst switches thereafter.
"Traditionally, the way security is thought of is threat defense, for example, identify and stop the Zotob worm," said Bob Gleichauf, chief technology officer at Cisco. "Access control is different: You have to figure out who you are and what you can do."
The traditional ACL approach results in a smorgasbord of rules to attempt to control every user's access to every enterprise resource. The result is confusion, error and security holes because admins cannot keep up with what they all do. TrustSec leverages the 802.1AE standard, which assures data confidentiality and integrity, to build a platform for streamlined, stronger security.
The three pillars of TrustSec are role-based secure campus access control, converged policy framework and pervasive integrity and confidentiality.
"Customers have the option to go to one place to define policies, which can be rich and complex," Gleichauf said.
802.1AE support is a key piece, allowing Cisco to add security tags—in this use case, what Cisco calls security group tags (SGTs) to carry role information to every enforcement point in the network, making the network role-aware. That means that a converged policy can be applied anywhere in the network, based on role.
TrustSec leverages the Cisco ACS for access policy and directory services, such as Active Directory.
"Most people have Active Directory with roles, but poor implementation on ACLs," Gleichauf said. "As long as we can do a directory lookup, we can mark your packet. Then, you only need filters at the points of interest where the user is allowed in, and you can reduce the number of rules dramatically."
Nonetheless, most corporations will admit they have a long way to go to even define, much less implement granular roles, much less implement granular RBAC. (NIST has developed a general purpose RBAC standard as a base to guide various verticals and eventually standardize vendor implementations. The U.S. Navy is going a step further, building on the NIST standard to develop a framework for dynamic access controls.) Glauchauf conceded as much, but said that TrustSec will help enable organizations to jump start their access control projects.
"Most customers try to use way too many roles. The network can be an amazing tool to help them to figure it out," he said. "They can start by using the network to define coarse-grained roles, deliver the user to a part of the network and let the application define fine-grained role-based access controls."