
Cisco injects role-based access control into the network

By Neil Roiter, Senior Technology Editor Information Security magazine
05 Dec 2007 | SearchSecurity.com


The latest addition to Cisco Systems' vision of network-based security puts the spotlight on role-based access control (RBAC) to simplify management of user privileges across complex enterprises and defend corporate resources against unauthorized access.

The Cisco Trusted Security (TrustSec) architecture will introduce new capabilities into Cisco switches, starting with the high-end Catalyst 6500 Series, supported by its Secure Access Control Server (ACS), in 2008, and adding other Catalyst switches thereafter.

"Traditionally, the way security is thought of is threat defense, for example, identify and stop the Zotob worm," said Bob Gleichauf, chief technology officer at Cisco. "Access control is different: You have to figure out who you are and what you can do."

The traditional ACL approach results in a smorgasbord of rules to attempt to control every user's access to every enterprise resource. The result is confusion, error and security holes because admins cannot keep up with what they all do. TrustSec leverages the 802.1AE standard, which assures data confidentiality and integrity, to build a platform for streamlined, stronger security.

Role-based access control:
Role-based access control (RBAC): A method of regulating access to computer or network resources based on the roles of individual users within an enterprise.


The three pillars of TrustSec are role-based secure campus access control, converged policy framework and pervasive integrity and confidentiality.

"Customers have the option to go to one place to define policies, which can be rich and complex," Gleichauf said.

802.1AE support is a key piece, allowing Cisco to add security tags (in this use case, what Cisco calls security group tags, or SGTs) that carry role information to every enforcement point in the network, making the network role-aware. That means that a converged policy can be applied anywhere in the network, based on role.

TrustSec leverages the Cisco ACS for access policy and directory services, such as Active Directory.

"Most people have Active Directory with roles, but poor implementation on ACLs," Gleichauf said. "As long as we can do a directory lookup, we can mark your packet. Then, you only need filters at the points of interest where the user is allowed in, and you can reduce the number of rules dramatically."
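The tag-and-filter model described above can be sketched in a few lines. This is an added example, not Cisco code and not part of the original article; the users, roles, tag values and resource names are constructed for illustration. It tags traffic at ingress from a directory lookup, enforces at egress on the tag alone, and compares the rule count with an equivalent per-user ACL.

```python
from itertools import product

# Constructed sample data (hypothetical names and tag values).
DIRECTORY = {  # user -> role, standing in for an Active Directory lookup
    "alice": "finance", "bob": "finance", "carol": "engineering",
    "dave": "engineering", "erin": "contractor",
}
SGT = {"finance": 10, "engineering": 20, "contractor": 30}  # role -> tag
RESOURCES = {"ledger-db": "finance-apps", "build-farm": "eng-apps", "wiki": "shared"}
# Role policy: permitted (source tag, destination group) pairs; all else denied.
POLICY = {(10, "finance-apps"), (10, "shared"),
          (20, "eng-apps"), (20, "shared"), (30, "shared")}

def tag_at_ingress(user):
    """Ingress: look the user up and mark traffic with the role's tag.
    A user missing from the directory gets no tag (None)."""
    return SGT.get(DIRECTORY.get(user))

def enforce_at_egress(tag, resource):
    """Egress filter: sees only the tag, never the user. Default deny."""
    group = RESOURCES.get(resource)
    return tag is not None and group is not None and (tag, group) in POLICY

def allowed(user, resource):
    return enforce_at_egress(tag_at_ingress(user), resource)

def per_user_acl():
    """The equivalent traditional ACL: one permit entry per (user, resource)."""
    return {(u, r) for u, r in product(DIRECTORY, RESOURCES) if allowed(u, r)}

def rule_counts():
    return {"per_user_acl": len(per_user_acl()), "role_policy": len(POLICY)}

def onboard(user, role):
    """Adding a user touches only the directory, not the filters."""
    DIRECTORY[user] = role

if __name__ == "__main__":
    print(rule_counts())          # 5 users
    onboard("frank", "finance")
    print(rule_counts())          # ACL grows with users; role policy does not
```

The per-user ACL grows with every account added, while the role policy changes only when a role or resource group does.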

Nonetheless, most corporations will admit they have a long way to go to even define granular roles, much less implement granular RBAC. (NIST has developed a general-purpose RBAC standard as a base to guide various verticals and eventually standardize vendor implementations. The U.S. Navy is going a step further, building on the NIST standard to develop a framework for dynamic access controls.) Gleichauf conceded as much, but said that TrustSec will help enable organizations to jump-start their access control projects.

"Most customers try to use way too many roles. The network can be an amazing tool to help them to figure it out," he said. "They can start by using the network to define coarse-grained roles, deliver the user to a part of the network and let the application define fine-grained role-based access controls."


