Cisco’s TrustSec is a policy management framework designed to remove much of the complexity associated with network security. It provides a simple matrix in which network security policies are defined in plain language, without VLANs, ACLs or firewall rules. TrustSec has now been submitted to the IETF site as RFC 3514. The request for comments would push TrustSec (now the Source-group tag eXchange Protocol, SXP) as a standard among network vendors.
SXP promises switch-to-switch wire-speed encryption services and security group tagging (SGT) of Ethernet frames. Traffic is then forwarded according to the SGT assigned to the user or network device that originated it. As described in the post “Cisco TrustSec Makes Your Network Identity Aware” by James Heary on Network World:
…what it [TrustSec] really does is allow you to implement the most robust identity aware network with services on the planet. This technology, if Cisco executes on it properly, could forever change the way we design secure networks. Today’s business networks are so open and have so many ingress/egress perimeters that it is very risky to trust your internal packets anymore. The industry data on this topic backs that up with statistics that show right around 40% of breaches occur from inside the network. So what do we do now that we cannot trust our internal communication flows? Well, for starters we need pervasive identity awareness in the network. If we can trace a communication flow or even a packet back to an identity then we can make a better security decision on what to allow that flow to do on the network. Once we have identity awareness of every internal packet then we need to be able to apply identity aware security policies to those packets. And that, ladies and gentlemen, is exactly what Cisco’s TrustSec solution does.
Cisco Identity Services Engine, Cisco Catalyst and Nexus switches, Cisco Integrated Services Routers and Cisco ASA firewalls are the currently supported platforms for TrustSec/SXP.
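To make the matrix model described above concrete, here is an added example (not Cisco’s code, and not from the Network World post) of how an enforcement point would classify a flow by security group tag and consult a plain-language policy matrix. The group names, tag numbers, IP-to-SGT bindings and flows are constructed for illustration; the binding table mimics what an SXP peer would advertise, including a host entry that overrides its containing subnet.

```python
import ipaddress

# Constructed sample data: a model of a TrustSec-style policy matrix and an
# SXP-learned IP-to-SGT binding table. Tags and names are illustrative only.

# Bindings as an SXP peer would advertise them: prefix -> SGT.
# Both subnet and host (/32) entries can coexist; the most specific wins.
BINDINGS = {
    ipaddress.ip_network("10.1.0.0/16"): 10,   # Employees
    ipaddress.ip_network("10.1.5.7/32"): 30,   # one host reclassified as Contractor
    ipaddress.ip_network("10.9.0.0/24"): 20,   # Finance servers
}

GROUP_NAMES = {10: "Employees", 20: "Finance-Servers", 30: "Contractors", 0: "Unknown"}

# Policy matrix: (source group, destination group) -> action, expressed in
# group names rather than addresses or ACL lines. Unlisted cells deny by default.
MATRIX = {
    ("Employees", "Finance-Servers"): "permit",
    ("Employees", "Employees"): "permit",
    ("Contractors", "Employees"): "deny",
}
DEFAULT_ACTION = "deny"


def lookup_sgt(ip: str) -> int:
    """Resolve an address to its SGT by longest-prefix match over the binding
    table; an address with no binding gets tag 0 ("Unknown")."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, tag in BINDINGS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return best[1] if best else 0


def decide(src_ip: str, dst_ip: str) -> tuple:
    """Classify both endpoints by SGT and look the pair up in the matrix.
    Returns (source group, destination group, action)."""
    src = GROUP_NAMES[lookup_sgt(src_ip)]
    dst = GROUP_NAMES[lookup_sgt(dst_ip)]
    return src, dst, MATRIX.get((src, dst), DEFAULT_ACTION)


if __name__ == "__main__":
    for flow in [("10.1.2.3", "10.9.0.5"), ("10.1.5.7", "10.9.0.5"), ("192.0.2.9", "10.1.2.3")]:
        print(flow, "->", decide(*flow))
```

The second flow shows the point of tag-based policy: 10.1.5.7 sits inside the Employees subnet, but its more specific Contractor binding is what the matrix sees, so the flow to the finance servers is denied.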