Security Group Tagging Basics

Uncategorized 2 Minutes

Hi all! Back again.

In my last blog (which admittedly was a bit long, and verbose) I discussed the changing landscape of Identity Networking. With Identity Networking there are many different ways of controlling network access based on the context of a user and device. There is:

  • VLAN assignment, in which access is controlled at the Layer-3 edge, or by isolating that VLAN into a segmented virtual network (VRFs).
  • There is ACL assignment, which can be a local ACL, called into action by a RADIUS attribute, or a downloaded ACL (dACL). These ACLs are applied ingress at the switchport or virtual port in the case of the Wireless LAN Controller (WLC).
  • We just touched on the topic of a new scalable enforcement mechanism known as Security Group Tagging.

This new technology (Security Group Tagging) is going to be the focus of today’s blog.

Security Group Tagging allows for segmentation without needing VLANs, and even more importantly simplifies the operational management of firewall policy and access lists.  For our example in this blog there are two switches in the Access Layer, each with a user from the HR Department, and another user who needs access to Payment Card Industry (PCI) data.  These two users have absolutely NO need to ever communicate to one another.

The Policy is a simple one.  HR is allowed to communicate to HR, PCI is allowed to communicate with PCI.  However, they may not talk to one another, even though they could be on the same VLAN (same VLAN in the Access Layer or even the Data Center).

Our Policy:
01-Policy

With this SIMPLE policy, we are able to enable the flows as shown in the next figure:

  • PCI User attempting to talk to HR user on same switch & same VLAN is denied.
  • HR User on Switch 1 is able to communicate with HR User on Switch 2.
  • HR User is denied access to the PCI Server
  • PCI User is granted access to the PCI Server

02-TaggingInAction

 

If the benefits have not made themselves abundantly obvious already, let me point some out to you.  Security Group Tagging advantages are extensive throughout most IT network operations and may affect how they operate and the way decisions are made as it opens a variety of new possibilities that were not practical using VLAN-based topologies.

Advances Protection

Classifies endpoints by context, dynamically segments into security groups, and protects data center applications.

Simplifies Administration

Manages policy with plain language, enables changes in minutes, and automates the management of firewall rules.

Scales Extensively

Removes design complexity, helps increase network performance, and ensures dependable resource access.

Published by Loxx

Aaron Woland, CCIE No. 20113, is a Principal Engineer in Cisco’s Advanced Threat Security group and works with Cisco’s Largest Customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security and futures. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards, and standards body working groups. Prior to joining Cisco, Aaron spent 12 years as a Consultant and Technical Trainer. Aaron is the author of: both editions of the Cisco ISE for BYOD and Secure Unified Access book; the All-in-one Cisco ASA Firepower Services, NGIPS and AMP book; the CCNP Security SISAS 300-208 Official Cert Guide; the CCNA Security 210-260 Complete Video Course; and many published white papers and design guides. Aaron is one of only five inaugural members of the Hall of Fame Elite for Distinguished Speakers at Cisco Live, and is a security columnist for Network World where he blogs on all things related to Security. His other certifications include: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP and many other industry certifications. You can follow Aaron on Twitter: @aaronwoland

Published

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.