Watch the TechWiseTV Episode: http://cs.co/9001Bvqpz Watch the workshop replay: http://bit.ly/2bAsxby See how the latest evolution of Cisco TrustSec helps protect critical assets by extending and enforcing policies anywhere in your network. Go in-depth with how Cisco TrustSec simplifies your network security with software-defined segmentation.

1. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Simplifying Network
Security with TrustSec
Kevin Regan
August 17, 2016
kregan@cisco.com

2. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Reduce IT burden
Take more control of environment
Deal with dynamic threat
landscape
Pace of technological change
Possible reasons for watching today?
Reduce
error prone
admin
Manage complexity
Reduce
OpEx
More
consistent
security
policy
Reduced time
to implement
changes
Deal with Security challenges
To Implement policy for things
like
Acquisitions and
partnerships
Cloud
Internet of
Things
Digitization
BYOD
Global operations
Mobility
2

3. …Or Because Segmentation is Important
“Eataly’s network segmentation
prevented a POS compromise at one
store from compromising systems at the
chain’s 26 other locations across the
globe”
“Network segmentation… is one
of the most effective controls an
agency can implement to
mitigate the second stage of a
network intrusion, propagation
or lateral movement”“Effective network
segmentation… reduces the
extent to which an adversary
can move across
the network”

4. Classification Based on Context
Any user, any device
using with this IP
Rich context awarenessPoor context awareness
Role-based group
assignment
?
??
ISE
Result Result
Who
What
When
Threat
Compliance
How
Where
IP Address 192.168.1.51
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Bob (Employee)
Tablet
11:00 AM EST on April 10th
Building 200, 2nd floor
Wireless
Yes
Monitored by IPS, anomaly
detection

5. Manual, time-consuming
security and maintenance
IP-based security policy tied to network topology results in:
Traditional Segmentation - ACL and VLAN
Complexity
Employee
Info
Developmen
t Servers
Policy inconsistencies
across devices and networks
Enterprise Network
InternetFinancial Servers
Complicated
access management
More policies using more VLANs
Guest
VLANs
Employee
VLANs
Developer
VLANs
Non
Compliant
VLANs
2
Locations
Guest
VLANs
Employee
VLANs
Developer
VLANs
Non
Compliant
VLANs
1
Guest
VLANs
Employee
VLANs
Developer
VLANs
Non
Compliant
VLANs
3

6. TrustSec simplifies security management
Deny Employee to Financial Server
Permit Developer to Developer Server
Permit Guest to Web
Permit Developer to Developer Server
Consistent
Policy Anywhere
Key
Employee Tag
Developer Tag
Voice Tag
Non-Compliant Tag
SGACLs
Employee Info Developer Server
Simplified Access
Management
Accelerated
Security Options
Scalable and agile segmentation technology in over 40 different Cisco product families, enabling
dynamic, role-based policy enforcement anywhere on your network
Simplified Access Management
Manage policies using plain language
and maintain compliance by regulating
access based on business role
Rapid Security Administration
Speed-up adds, moves, and changes,
simplifying firewall administration to
speed up server onboarding
HTTPFinancial Server
Consistent Policy Anywhere
Control all network segments
centrally, regardless of whether or not
devices are wired, wireless or on VPN
Enterprise Network
Guest
endpoint
Employee
endpoint
Developer
endpoint
Non
Compliant
endpoint
8
Employee Info Tag
Developer Server Tag
Financial Server Tag
HTTP Tag

7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TrustSec Concepts
• Classification of systems/users based on context (user role, device, location etc.)
• Context (role) expressed as Security Group Tag (SGT)
• Firewalls, routers and switches use SGT to make filtering decisions
• Classify once – reuse SGT multiple times anywhere on network, or….
Users, Devices
Switch Router DC FW DC Switch
Dev Servers
Enforcement
SGT Propagation
Prod Servers SGT = 4
SGT = 10
ISE Directory
Classification
SGT:5
7

8. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TrustSec – Simple Starting Points
• Distribute SGT information directly from ISE to specific devices
• Minimal config effort
Users, Devices
Switch Router
DC FW DC Switch
HR Servers
Enforcement
SGT Propagation Fin Servers SGT = 4
SGT = 10
ISE Directory
Classification
SGT:5SGT:5
8

9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TrustSec Functions to Enable
Endpoint
Group tag management
Group policy management
Security
Group
Tags
Enforcement
Enforcement
Threat
Defense
Propagation
Inline tagging or Data Plane
(many options)
Classification
Static
classification
Endpoint
identification
Dynamic
classification
SGT-enabled network
Central management
Software-Defined Segmentation
Heterogeneous environment
Control plane
(SXP or pxGrid)
Switch
Router
Firewall
9

10. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TrustSec Functions to Enable
Endpoint
Group tag management
Group policy management
Security
Group
Tags
Enforcement
Enforcement
Threat
Defense
Propagation
Inline tagging or Data Plane
(many options)
Classification
Static
classification
Endpoint
identification
Dynamic
classification
SGT-enabled network
Central management
Software-Defined Segmentation
Heterogeneous environment
Control plane
(SXP or pxGrid)
Switch
Router
Firewall
10

11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Printer 1 Printer 2
Use security groups to demote common roles & policy requirements
Security Group Tag Management
• Business-based
groupings to provide
consistent policy and
access independent of
network topology
• Leverage attributes
such as location and
device type to define
group assignments
SGT_Guest SGT_Building
Management
SGT_Employee
Guest 1
Guest 2
Guest 3 Guest 4
Employee 1 Employee 2 Employee 3
Employee 4
SGT_FinanceServer SGT_Printers
Fin 1 Fin 2
Temperature
Device 1
Temperature
Device 2
Surveillance
Device 1
Surveillance
Device 2
50°
50°
11

12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Group Management in ISE
12

13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Getting Group Info to Network Devices
• Network devices need to be
defined in ISE to get group
information downloads :-
• At periodic intervals
• On demand from ISE “Push”
• Device ID and password here
needs to match the ‘cts
credential id’ in the network
device
13

14. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Groups in Network Devices
• Group information appears in network
devices as “Environment Data”
• ISE is the single source of truth for
Group information
IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
0001-22 :
7-98 : 80 -> Network_Admin_User
6-98 : 80 -> Full_Access
5-98 : 80 -> Production
4-98 : 80 -> Dev
3-98 : 80 -> BYOD
2-98 : 80 -> Device_SGT
unicast-unknown-98 : 80 -> Unknown
Any : 80 -> ANY
14

15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group tag management
Group policy management
TrustSec Functions to enable
Enforcement
Enforcement
Threat
Defense
SGT-enabled network
Software-defined segmentation
Heterogeneous environment
Propagation
Inline tagging
(many options)
Control plane
(SXP or pxGrid)
Switch
Router
Firewall
Classification
Static
classification
Security
Group
Tags
Endpoint
Endpoint
identification
Dynamic
classification
15

16. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Flexible Classification Methods
Dynamic mechanisms
Static mechanisms
VPN
V. Port
Profile
IP
Address
VLANsSubnets
L3
Interface
Port
ACI (App-
Centric)
Ideal for users and
mobile devices
User endpoints
Internal IT
infrastructure and
topology-based policy
Internal resources
External partners and
3rd party connections
Partner & external
StaticDynamic
SGT #1
SGT #2
SGT #3
SGT #4
Virtual Systems
Passive
ID (Easy
Connect)
MAB,
Profiling
802.1X.
WebAuth
pxGrid &
REST
APIs
16

17. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Assigning SGTs to Users: ISE Authorization Rules
17

18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Assigning SGTs to Extranet Connections
Business
Partners
Suppliers
• Complex supply chain – many third party connections
• Many groups need access to specific production areas
• L3 interface maps allow supplier networks to change without impact
18
Press & Weld
Paint Shop
Assembly Shop
Routes learned and
SGTs applied to them
by L3 interface
SGTs applied to
internal subnets

19. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Managing Static Classifications in ISE
Mappings pushed to device
configurations using SSH
Mappings propagated over
SXP from ISE to SXP
devices (see next section)
19

20. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group tag management
Group policy management
Central management
TrustSec Functions to enable
Endpoint
Security
Group
Tags
Propagation
Inline tagging
(many options)
Classification
Static
classification
Endpoint
identification
Dynamic
classification
SGT-enabled network
Software-defined segmentation
Heterogeneous environment
Control plane
(SXP or pxGrid)
Switch
Router
Firewall
Enforcement
Enforcement
Threat
Defense
20

21. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Enforcement – Security Group ACL (SGACL)
Application Servers
Database Servers
FIB Lookup
Destination MAC/Port
SGT 30 Destination Classification
App_Svr: SGT 20
DB_Svr: SGT 30
End user authenticated
Employee: SGT 5
Destination
Source
App_Servers
(20)
DB_Servers
(30)
Employees (5)  
BYOD (10)  
Unknown (0)  
10.1.100.100
SGT: 20
10.1.101.100
SGT: 30
SRC: 10.1.10.100
DST: 10.1.100.100
SGT: 5
5

22. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Egress Policy Matrix (SGACL)
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www

23. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dynamic SGACL Downloads
• New User/Device/Server provisioned
• Switch requests policies for assets they
protect
• Policies downloaded & applied dynamically
Dev_Server
(SGT=10)
Prod_Server
(SGT=7)
Dev_ServersProd_Servers
Switches request
policies for assets
they protect
SGT=3
SGT=4
SGT=5
Switches pull down
only the policies
they need
• Result: Software-Defined Segmentation
• All controls centrally managed
• Security policies de-coupled from network
topology
• No switch-specific security configs needed
• One place to audit network-wide policies
23

24. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Enforcement in Firewalls: ASA
Can still use Network Object (Host,
Range, Network (subnet), or
FQDN)
AND / OR the SGT
Security Group definitions from
ISE
Trigger FirePower services
by SGT matches
24

25. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Converting Firewalls to Use SGT-based rules
Real ASA Configuration
• Before conversion: 99,000 lines
• Converts to:
• IP-SGT mapping file: 3,897 lines
• ACL_INSIDE file: 10,493 lines
• ACL_OUTSIDE file: 4,954 lines
• Total 19,344 lines 80% Reduction 0
20000
40000
60000
80000
100000
120000
Rule table size
Using IP
rules
Using
SGT-
based
rules

26. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group tag management
Group policy management
Central management
TrustSec Functions to Enable
Endpoint
Security
Group
Tags
Enforcement
Enforcement
Threat
Defense
Classification
Static
classification
Endpoint
identification
Dynamic
classification
SGT-enabled network
Software-defined segmentation
Heterogeneous environment
Propagation
Inline tagging
(many options)
Control plane
(SXP or pxGrid)
Switch
Router
Firewall
26

27. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Carrying Security Group Tags in the data plane
Inline Tagging
Interface GigabitEthernet1/5
mtu 9216
cts manual
policy static sgt 2 trusted
Branches
Inline tagging
Untagged
ISE• Enable hop-by-hop with ‘cts
manual’ interface command
• Cat. 3560X, 3750X, 3x50
• Cat 4500, 6x00 Sup2T
• Nexus 7/6/5/1000V
• IE 4000/5000
• ISR G2, ISR4k, ASR1000
• ASA
• ‘trusted’ option means trust
tag values from peer
27

28. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Control Plane SGT Propagation
Firepower
NGFW
SXP
pxGrid
SXP IP-SGT Bindings
IP Address SGT SRC
10.1.100.98 50 Local
ISE
Ecosystem
vendor
products
• Security appliances
subscribe to pxGrid
topics
• IP-SGT bindings then
published by ISE
pxGrid
• Propagate from ISE or
access-layer devices to
any enforcement point
SXP
www
WSARouter 2
Router 1
Switch 1ANY
network
device ISE
supports
Generate IP-SGT
mappings from ISE
Send IP-SGT mappings
to SXP & pxGrid peers
28

29. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE SXP Configuration
Generate IP-SGT from ISE
RADIUS-based classifications will
create IP-SGT mappings & sent to
SXP peers
IP-SGT can be generated with 3rd
party access-layer
Routers Firewall Switches
SXP
ISE
29

30. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
pxGrid Configuration
• ISE “Session” info. available via
pxGrid
• pxGrid clients can subscribe to the
‘TrustSec topic’ for SGT bindings
• Bindings received over SXP can
also be published via pxGrid
W ww
Firepower Threat Defense
CheckPoint
ISE
Web Security
Appliance
Any pxGrid ecosystem vendor
e.g. Infoblox
pxGrid
30

31. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SXP Domains in ISE (2.1)
SXP
SXP IP-SGT Binding Table
IP Address SGT SRC
10.1.100.98 50 Local
ISE
IP-SGT mappings to
SXP peers shared
within SXP Domain 1Inline Tagging IP-SGT mappings
shared within SXP
Domain 2
Inline Tagging
SGT carried in data plane
removes need to exchange
IP-SGT mappings between
SXP domains
31

32. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Classification Propagation Enforcement
TrustSec Functions and Platform Support
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C/-X
Catalyst 3750-E/-X
Catalyst 4500E (Sup6E/7E)
Catalyst 4500E (Sup8)
Catalyst 6500E (Sup720/2T)
Catalyst 3850/3650
WLC 5760
Wireless LAN Controller
2500/5500/WiSM2
Nexus 7000
Nexus 5500
Nexus 1000v (Port Profile)
ISR G2 Router, CGR2000
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C/, 3750-E
Catalyst 3560-X, 3750-X
Catalyst 3850/3650
Catalyst 4500E (Sup6E)
Catalyst 4500E (7E, 8), 4500X
Catalyst 6500E (Sup720)
Catalyst 6500E (2T), 6800
WLC 2500, 5500, WiSM2
WLC 5760
Nexus 1000v
Nexus 6000/5600
Nexus 5500/22xx FEX
Nexus 7000/22xx FEX
ISRG2, CGS2000
ASR1000
ASA
SXP
SXP
IE2000/3000, CGS2000
ASA5500 (VPN RAS)
SXP SGT
SXP
SXP SGT
SXP
SXP SGT
SXP
SGT
SXP
SXP SGT
SXP SGT
SXP SGT
SXP
GETVPN. DMVPN, IPsec
• Inline SGT on all ISRG2 except 800 series:
Catalyst 3560-CX (IA only)
Catalyst 3560-X
Catalyst 3750-X
Catalyst 4500-X
Catalyst 4500E (7E)
Catalyst 4500E (8E)
Catalyst 6500E (2T)
Catalyst 6800
Catalyst 3850/3650
WLC 5760
Nexus 7000/7700
Nexus 5600
Nexus 1000v
ISR G2 Router, CGR2000
ISR 4000
ASA 5500 Firewall
ASAv Firewall
Web Security Appliance
ASR 1000 Router
CSR-1000v Router
SXP
SGT
SGFW
SGFW
SGFW
SGACL
SGACL
SGACL
SGACL
SGACL
SGACL
SXP SGT
SXP SGT
Nexus 6000
Nexus 6000 Nexus 5500
Nexus 5600
SXP SGT
SGT
GETVPN. DMVPN, IPsec
SGT
www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
For Your
Reference
For Your
Reference
32

33. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Data Center
Segmentation
Campus and Branch
Segmentation
User to Data Center
Access Control
Most Common Deployment Scenarios
33

34. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
User to Data Center Access Control
Building 3 WLAN Data VLAN
TrustSec-enabled
data center
Main Building Data VLAN
Employee DeveloperVoice
ISE
Router
Employee
Non
Compliant
Employee Tag
Developer Tag
Guest Tag
Non-Compliant Tag
Guest
Employee
TS-
enabled
DC Remediation Internet
Employee
Developer
Guest
Non-
Compliant
✓ X ✓ ✓
X X ✓ ✓
X X ✓ X
Non
CompliantEmployee
Non
Compliant
SwitchSwitch
• Enterprise-wide, role-based access control
• Automated BYOD access control
• End-to-end regulatory and compliance
requirements such as PCI and HIPAA
✓ ✓ ✓ ✓
Voice
TrustSec supports:
Policy in action:
TrustSec
Policy DomainProd server
Dev server
ACI policy domain
ACI Data Center
APIC
DC
Dev server
Prod server
34

35. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enabling TrustSec-ACI Integration
Web App DB
ACI Fabric
Data Center
APIC Policy Domain
APIC
ACI Policy Domain
• Sharing Groups between TrustSec and ACI domains with ISE 2.1
• Allow TrustSec security groups to be used in ACI policies
• Allow ACI EndPoint Groups to be used in policies in TrustSec domain
TrustSec Policy Domain
TrustSec domain
Voice Employee Supplier BYOD
Campus / Branch / Non-ACI DC
TrustSec Policy Domain
Voice
VLAN
Data
VLAN
35

36. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Configuring TrustSec-ACI Integration
36

37. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TrustSec Groups Shared with ACI
37

38. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Groups Shared with TrustSec Domain
38

39. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Employee Developer
Data
center Internet
Employee
Developer
Building
Mgmt
Non-
Compliant
TrustSec supports:
Campus and Branch Segmentation
Router
Employee Tag
Developer Tag
Building Mgmt Tag
Non-Compliant Tag
Switch
Switch
Building 3 WLAN Data VLAN Main Building Data VLAN
Branch - 3 WLAN Data VLAN
✓ X X ✓
X X X ✓
X X X X
✓ ✓ ✓ ✓
HQ
Data
Center
Policy in action: Switch
Non
Compliant
Non
Compliant
Non
Compliant DeveloperVoiceVoice
Employee
EmployeeEmployee
Building
Mgmt
• Role-based segmentation across multiple
locations
• End-to-end regulatory and compliance
requirements such as PCI and HIPAA
• Restriction of lateral threat movement
39

40. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Campus and Branch Segmentation
Enforcement
Wired
Access
Wireless
Access
Distribution Core
SGACL segmentation available on :-
• Catalyst 3560-X, 3750-X
• Catalyst 3650, 3850
• Catalyst 4500E S7E, S8, 4500X
• Catalyst 6500(2T)/6800
• WLC 5760
• Cat 3560CX
• IE 4000, IE 5000
• Nexus 7000
• Extending to latest ISR4k and ASR
40

41. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Wireless User – User Policy Enforcement
Permit
Deny
WLAN
Controller
interface Vlan2
ip local-proxy-arp
ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2
6500
ISE
Vlan 2
SXP
• Apply user-user policies as defined in ISE
on traffic from the WLC
41

42. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Breaches & Lateral Movement
enterprise network
Attacker
Perimeter
(Inbound)
Perimeter
(Outbound)
Research targets
(SNS)
1
C2 Server
Spear Phishing
(you@gmail.com)
2
http://welcome.to.jangle.com/exploit.ph
p
Victim clicks link unwittingly3
Bot installed, back door established and
receives commands from C2 server
4
Scan LAN for vulnerable hosts to exploit &
find privileged users
5
Privileged account found.6
Admin Node
Data exfiltrated7
System compromised and data breached.8
Lateral Movement
(Scanning, Pivoting, Privilege
Escalation, Brute Force, etc.)
www
42

43. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Blocking Lateral Movement
Employee
Non
Compliant
Employee  
Block Lateral Movement SGACL
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn
• SGT dynamically
assigned or statically
mapped to a VLAN
• SGACL applied
statically via CLI or
dynamically
downloaded from
ISE
• Lateral Movement
and Privilege
Escalation Blocked
Employee
43

44. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Acting on Potentially Compromised Hosts
WLAN
Controller
Quarantine is based on MAC Address
preventing compromised device accessing
from other location / access methods
FW
Policy
Server
Business Data
App / Storage
Compromised
Endpoint
10.10.10.10 (aa:bb:cc:dd:ee:ff)
Corp Network
Source Destination Action
IP SGT IP SGT Service Action
Any Employee Any Biz Server HTTPS Allow
Any Suspicious Any Biz Server Any Deny
Firewall Rules
NIDS SIM Event: Reconnaissance
Source IP: 10.10.10.10/32
Response: Quarantine
PXGRID: EPS Quarantine: 10.10.10.10
WLAN Controller
OS Type: Windows 8
User: Fay
AD Group: Employee
Asset Registration: Yes
MAC Address: aa:bb:cc:dd:ee:ff
Policy Mapping  SGT: Suspicious
44

45. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Data Center Segmentation
Database Servers
Web Servers
Storage
Web Servers
TrustSec supports:
Policy in action:
Switch
Middleware
ServersWeb
Servers
Middleware
Servers
Database
Servers Storage
Web
Servers
Middleware
Servers
Database
Servers
Storage
✓ ✓ ✓ ✓
X ✓ ✓ ✓
X ✓ ✓ ✓
X ✓ X X
• Firewall rule simplification
• Data center regulatory and compliance
requirements such as PCI and HIPAA
• Server zoning
• Micro-segmentation
• Physical and virtual workload segmentation
45

46. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• TrustSec is easy to enable and manage
• Can start with specific use-cases with minimal platform dependencies
• Non-disruptive deployments; SGACL enforcement can be enabled incrementally and
gradually via the policy matrix
• TrustSec can provide right now:
• More effective segmentation – centrally managed
• Reduce management effort compared to VLAN/dACL efforts and admin
• Topology-independent security policies - policy managers/auditors do not need to
understand the topology or the underlying technology to use the policy matrix
• Firewall rule simplification and OpEx reduction
• Faster and easier deployment of new services – cuts the cost of change
Summary
46

47. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Forrester: The Total Economic Impact of Cisco
TrustSec
“Cisco TrustSec enabled the organizations interviewed to reduce
operational costs by avoiding additional IT headcount, deploy new
environments faster, and implement consistent and effective network
segmentation resulting in lower downtime.”
47

48. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For More Information
• For everything TrustSec-related: http://www.cisco.com/go/trustsec
• TrustSec platform support matrix
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
• Case studies
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/customer-case-study-listing.html
• Cisco IT Use of TrustSechttp://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/i-en-
02292016-Policies-to-Control-User-Access.pdf
• Gartner webcast on Software-Defined Segmentation and TrustSec
http://event.on24.com/r.htm?e=1124906&s=1&k=14EEFF1DFC42C2BE06E07DA934E47C45
• PCI Scope Reduction with Cisco TrustSec – QSA (Verizon) Validation:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
48

49. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For More Information – Part 2
• For our latest system bulletin covering validation testing that we do, please refer to:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-
system-bulletin.pdf
• TrustSec DC Config Guide http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
networks/trustsec/trustsec-data-center-segmentation-guide.pdf
• Campus and Branch Segmentation
Guidehttp://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
networks/trustsec/branch-segmentation.pdf
• Securing BYOD and using VPN with TrustSec
http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/white-paper-
c11-732290.html
49

50. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you for watching.