613 Views | 0 Helpful | 1 Replies

What is TrustSec and what is its real world purpose?

Steven Williams
Level 4

I am failing to grasp what TrustSec is in relation to ISE and something like ASA. Is it group/user based authorization that can be tied to ACLs?

1 Reply

Damien Miller
VIP Alumni

There are some Cisco Live sessions on TrustSec and I would recommend giving the Cisco Live on-demand library a visit.

In short though, TrustSec is a method of segmenting traffic via the use of scalable group tags (SGTs) and SGACLs.

While ISE is not a requirement to implement TrustSec, it's much easier to use a central policy server for your tag provisioning and SGACL/policy. When you authorize endpoints via ISE, you assign an SGT with the authorization result. From that point on, the IP and traffic for that endpoint would be classified with that tag. How you use that tag can vary greatly depending on the design. You use ISE's TrustSec policy matrix to build the SGT-to-SGT relationships forming the SGACL policy that switches will download/be provisioned with.

There are many ways to implement TrustSec, but the ideal end state is to have all traffic tagged with SGTs and to carry the tag inline throughout the network. Depending on the security goals, you might want access layer peer-to-peer blocking on the same switch (east-west), or just central enforcement on a single core switch into a data center (north-south). It's a huge topic within a TrustSec design and there are many intricacies. Without a doubt though, TrustSec's end state utilizing end-to-end tagging provides unparalleled traffic segmentation.
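To make the classify-then-enforce flow in the reply above concrete, here is a small Python model of it. This is an added illustration, not Cisco, ISE or switch code: an endpoint's IP is classified to an SGT (standing in for the tag ISE would assign in the authorization result), the source/destination SGT pair is looked up in a policy matrix, and the selected SGACL is evaluated top-down with an implicit deny. Every tag number, group name, subnet and ACE in it is constructed for the example.

```python
"""Toy model of TrustSec enforcement: IP-to-SGT classification followed by
an SGT-to-SGT matrix lookup that selects an SGACL. Constructed example,
not Cisco/ISE code; all tags, names and addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of a role-based ACL: action, protocol, optional dst port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any)
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass(frozen=True)
class Sgacl:
    """An SGACL is an ordered ACE list; nothing matched means deny."""
    name: str
    aces: Tuple[Ace, ...]

    def decide(self, proto: str, dst_port: Optional[int]) -> str:
        for ace in self.aces:
            if ace.matches(proto, dst_port):
                return ace.action
        return "deny"


# --- Classification (constructed) -------------------------------------
# With ISE the SGT arrives in the authorization result; a static subnet
# map stands in for that here. Tag numbers and group names are made up.
SGT_NAMES = {2: "Employees", 5: "Contractors", 10: "Servers"}
IP_TO_SGT = {
    ip_network("10.1.0.0/24"): 2,
    ip_network("10.2.0.0/24"): 5,
    ip_network("10.9.0.0/24"): 10,
}
UNKNOWN_SGT = 0  # traffic that carries no tag


def classify(ip: str) -> int:
    """Return the SGT for an IP, or UNKNOWN_SGT if no mapping exists."""
    addr = ip_address(ip)
    for net, sgt in IP_TO_SGT.items():
        if addr in net:
            return sgt
    return UNKNOWN_SGT


# --- Policy: the SGT-to-SGT matrix (constructed cells) -----------------
WEB_ONLY = Sgacl("Web_Only", (Ace("permit", "tcp", 443), Ace("deny", "ip")))
DENY_ALL = Sgacl("Deny_IP", (Ace("deny", "ip"),))
PERMIT_ALL = Sgacl("Permit_IP", (Ace("permit", "ip"),))

MATRIX = {
    (2, 10): PERMIT_ALL,   # Employees   -> Servers
    (5, 10): WEB_ONLY,     # Contractors -> Servers: HTTPS only
    (5, 2): DENY_ALL,      # Contractors -> Employees (east-west block)
    (2, 5): DENY_ALL,      # Employees   -> Contractors
}
# Catch-all for pairs with no explicit cell; the matrix-wide default is
# a deliberate design choice, so it is kept visible and separate here.
DEFAULT_CELL = PERMIT_ALL


def enforce(src_ip: str, dst_ip: str, proto: str,
            dst_port: Optional[int] = None):
    """Classify both ends, pick the matrix cell, evaluate its SGACL.
    Returns (decision, sgacl_name, (src_sgt, dst_sgt))."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    sgacl = MATRIX.get((src_sgt, dst_sgt), DEFAULT_CELL)
    return sgacl.decide(proto, dst_port), sgacl.name, (src_sgt, dst_sgt)


if __name__ == "__main__":
    flows = [
        ("10.2.0.7", "10.9.0.20", "tcp", 443),   # contractor -> server HTTPS
        ("10.2.0.7", "10.9.0.20", "tcp", 22),    # contractor -> server SSH
        ("10.2.0.7", "10.1.0.5", "icmp", None),  # contractor -> employee
        ("10.1.0.5", "10.9.0.20", "tcp", 22),    # employee -> server SSH
    ]
    for src, dst, proto, port in flows:
        decision, name, pair = enforce(src, dst, proto, port)
        print(f"{src} -> {dst} {proto}/{port}: SGT {pair} via {name}: {decision}")
```

The point the model makes is the one the reply stresses: the switch never consults IP addresses in the policy itself, only the two tags, so moving a user to a different subnet or VLAN changes nothing as long as the authorization result still assigns the same SGT. The explicit `DEFAULT_CELL` is worth reviewing in any real matrix, because an unpopulated cell silently falls through to it.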