TrustSec Segmentation with Exceptions

nspasov
Cisco Employee

One of my customers has the following requirement: they want to prevent malware from spreading rapidly from an infected computer to the rest of the environment. As a result, they want to prevent users/machines that are located on the same VLAN/broadcast domain from communicating with each other.

My initial thought was to evaluate ISE with TrustSec. However, they also have a requirement to be able to allow exceptions for particular users/machines so they are allowed to communicate with each other. Is this possible with TrustSec? Can we combine SGTs with additional attributes such as IPs, MACs, AD groups, etc.? Based on my research this is not possible, but I figured I would still ask. Here is an example:

Permit

Src_sgt_10 and ad_user=User1 to Dst_sgt_10 and ad_user=User2

Deny

Src_sgt_10 to Dst_sgt_10


The other two alternatives that we considered are:

Private VLANs:

- No support for dynamic PVLANs

- No support for Voice VLANs


DACLs

- DACL entries could potentially become too long and exhaust TCAM resources


Thank you in advance!


Neno


Jason Kunst
Cisco Employee

Moved to Trustsec

jeaves@cisco.com
Cisco Employee

Hi Neno,

some of what you're talking about is actually supported in the ASA FW. You can define rules with

source: IP, SGT and/or User to

destination: IP and/or SGT. It just doesn't support destination User.

Using switches and routers, you can only define SGT to SGT enforcement.

Also, some of what you want to do may be supported by creating additional security groups and using the ordered authorization rule list in ISE. If you place more granular rules first then these will be actioned before more general rules lower down the list. So, if a member of an AD group + condition1 + condition2 etc., then assign SGTx. Then lower down the authorization list, if condition2 then assign SGTy, for example.

That way you may be able to provide policies to satisfy at least some of your requirements, albeit the definition is at classification time and your policy would be based on those classifications.

Thank you for the reply, Jeaves! The ASA trick would work nicely, but it would not satisfy the east-west (L2 - same VLAN/broadcast domain) segmentation.

I will keep on digging and see if there is anything else but DACLs might be the only way to go here..

Neno

You're right, the access switch East-West traffic (L2 same VLAN/Bcast domain) can be enforced using TrustSec software defined segmentation but that is with inter-SG and intra-SG, without exceptions. Some level of precedence can be accommodated using extra groups and the authorization table as described above but it's not as flexible as you would like.

Thank you for the suggestions!

gbekmezi-DD
Level 5

You could use ISE to assign a different SGT for the exception users/machines. So if ad_group=x and ad_group=y, then SGT 11; but if ad_group=y only, then SGT 10. You can then create policies accordingly.
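As an added illustration (not code from the thread or from Cisco), the following Python model shows the approach described in jeaves@cisco.com's and gbekmezi-DD's replies: the exception is decided at classification time by an ordered, first-match authorization table that assigns SGT 11 to the exception group and SGT 10 to everyone else, while enforcement stays a plain SGT-to-SGT matrix with no per-user conditions. The AD group names, rule names and the default SGT 0 are assumptions; the SGT values 10 and 11 come from the thread.

```python
from dataclasses import dataclass

DEFAULT_SGT = 0  # assumed placeholder for "no authorization rule matched"


@dataclass(frozen=True)
class AuthzRule:
    """One row of the ISE authorization table: all groups must match."""
    name: str
    required_groups: frozenset
    sgt: int


# Ordered list, first match wins. The more specific rule (two AD groups)
# sits above the general one, as the reply recommends. Group names assumed.
AUTHZ_RULES = [
    AuthzRule("Exception-Peers", frozenset({"Employees", "Peer-Exception"}), 11),
    AuthzRule("Employees", frozenset({"Employees"}), 10),
]


def classify(ad_groups, rules=AUTHZ_RULES) -> int:
    """Return the SGT assigned by the first rule whose groups are all present."""
    groups = set(ad_groups)
    for rule in rules:
        if rule.required_groups <= groups:
            return rule.sgt
    return DEFAULT_SGT


# Enforcement side: a static SGT-to-SGT matrix, as on a switch. There is no
# place here for "and ad_user=User1"; unlisted cells are treated as deny so
# same-VLAN east-west traffic is isolated unless explicitly permitted.
SGACL_MATRIX = {
    (11, 11): "permit",  # exception hosts may talk to each other
    (10, 10): "deny",    # regular hosts on the shared VLAN stay isolated
    (10, 11): "deny",
    (11, 10): "deny",
}


def allowed(src_groups, dst_groups, rules=AUTHZ_RULES) -> bool:
    """Classify both endpoints, then look the pair up in the SGT matrix."""
    pair = (classify(src_groups, rules), classify(dst_groups, rules))
    return SGACL_MATRIX.get(pair, "deny") == "permit"


if __name__ == "__main__":
    user1 = {"Employees", "Peer-Exception"}   # constructed sample endpoints
    user2 = {"Employees", "Peer-Exception"}
    user3 = {"Employees"}
    print(allowed(user1, user2), allowed(user1, user3), allowed(user3, user3))
```

Reversing the rule order (`classify(user1, list(reversed(AUTHZ_RULES)))`) puts the exception users into SGT 10, which is the ordering pitfall the reply warns about.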