Hi all! Back again.
In my last blog (which admittedly was a bit long, and verbose) I discussed the changing landscape of Identity Networking. With Identity Networking there are many different ways of controlling network access based on the context of a user and device. There is:
- VLAN assignment, in which access is controlled at the Layer-3 edge, or by isolating that VLAN into a segmented virtual network (VRFs).
- There is ACL assignment, which can be a local ACL, called into action by a RADIUS attribute, or a downloaded ACL (dACL). These ACLs are applied ingress at the switchport or virtual port in the case of the Wireless LAN Controller (WLC).
- We just touched on the topic of a new scalable enforcement mechanism known as Security Group Tagging.
This new technology (Security Group Tagging) is going to be the focus of today’s blog.
Security Group Tagging allows for segmentation without needing VLANs, and even more importantly simplifies the operational management of firewall policy and access lists. For our example in this blog there are two switches in the Access Layer, each with a user from the HR Department, and another user who needs access to Payment Card Industry (PCI) data. These two users have absolutely NO need to ever communicate to one another.
The Policy is a simple one. HR is allowed to communicate to HR, PCI is allowed to communicate with PCI. However, they may not talk to one another, even though they could be on the same VLAN (same VLAN in the Access Layer or even the Data Center).
With this SIMPLE policy, we are able to enable the flows as shown in the next figure:
- PCI User attempting to talk to HR user on same switch & same VLAN is denied.
- HR User on Switch 1 is able to communicate with HR User on Switch 2.
- HR User is denied access to the PCI Server
- PCI User is granted access to the PCI Server
If the benefits have not made themselves abundantly obvious already, let me point some out to you. Security Group Tagging advantages are extensive throughout most IT network operations and may affect how they operate and the way decisions are made as it opens a variety of new possibilities that were not practical using VLAN-based topologies.
Classifies endpoints by context, dynamically segments into security groups, and protects data center applications.
Manages policy with plain language, enables changes in minutes, and automates the management of firewall rules.
Removes design complexity, helps increase network performance, and ensures dependable resource access.