Article

Cisco injects role-based access control into the network

Neil Roiter

The latest addition to Cisco Systems' vision of network-based security puts the spotlight on role-based access control (RBAC) to simplify management of user privileges across complex enterprises and defend corporate resources against unauthorized access.

    Requires Free Membership to View

Customers have the option to go to one place to define policies, which can be rich and complex.
Bob Gleichauf,
chief technology officerCisco Systems Inc.

Cisco Trusted Security (TrustSec) architecture will introduce new capabilities into Cisco switches, starting with the high-end Catalyst 6500 Series, supported by its Secure Access Control Server (ACS) in 2008, adding other Catalyst switches thereafter.

"Traditionally, the way security is thought of is threat defense, for example, identify and stop the Zotob worm," said Bob Gleichauf, chief technology officer at Cisco. "Access control is different: You have to figure out who you are and what you can do."

The traditional ACL approach results in a smorgasbord of rules to attempt to control every user's access to every enterprise resource. The result is confusion, error and security holes because admins cannot keep up with what they all do. TrustSec leverages the 802.1AE standard, which assures data confidentiality and integrity, to build a platform for streamlined, stronger security.

Role-based access control:
Role based access control (RBAC): A method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

Implementing and managing RBAC: Identity management is a critical security challenge, but without viable standards for access control, your best efforts may be just a drop in the bucket.

How do role-based access control methods authorize user accounts? In this expert Q&A, Joel Dubin demonstrates how to authorize groups using role-based access control (RBAC).

The three pillars of TrustSec are role-based secure campus access control, converged policy framework and pervasive integrity and confidentiality.

"Customers have the option to go to one place to define policies, which can be rich and complex," Gleichauf said.

802.1AE support is a key piece, allowing Cisco to add security tags—in this use case, what Cisco calls security group tags (SGTs) to carry role information to every enforcement point in the network, making the network role-aware. That means that a converged policy can be applied anywhere in the network, based on role.

TrustSec leverages the Cisco ACS for access policy and directory services, such as Active Directory.

"Most people have Active Directory with roles, but poor implementation on ACLs," Gleichauf said. "As long as we can do a directory lookup, we can mark your packet. Then, you only need filters at the points of interest where the user is allowed in, and you can reduce the number of rules dramatically."

Nonetheless, most corporations will admit they have a long way to go to even define, much less implement granular roles, much less implement granular RBAC. (NIST has developed a general purpose RBAC standard as a base to guide various verticals and eventually standardize vendor implementations. The U.S. Navy is going a step further, building on the NIST standard to develop a framework for dynamic access controls.) Glauchauf conceded as much, but said that TrustSec will help enable organizations to jump start their access control projects.

"Most customers try to use way too many roles. The network can be an amazing tool to help them to figure it out," he said. "They can start by using the network to define coarse-grained roles, deliver the user to a part of the network and let the application define fine-grained role-based access controls."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: