Cisco Tightens Network Security with Role-Based Architecture

Cisco on Wednesday unveiled a new security architecture that wraps together identity and role-based security measures for scaled implementation across enterprise networks, capabilities the San Jose, Calif.-based networking powerhouse said will allow VARs and channel partners to sell a more pervasive set of network security solutions.

Dubbed Cisco Trusted Security, or TrustSec, the architecture targets compliance requirements for the global and mobile workforce, creating a more agile and secure infrastructure, Cisco execs said.

"Customers are demanding a highly secure way to expand their businesses and compliance policies," Cisco senior vice president of data center, switching and security technology Jayshree Ullal said in a prepared statement, adding that a TrustSec architecture allows role-based user access to applications and resources without "compromising business velocity."

TrustSec essentially creates a trusted enterprise network comprising switches, routers and wireless network controllers as a foundation for authenticating users, assigning roles, enforcing access policies and delivering integrity and confidentiality to network traffic. The TrustSec model features role-aware security campus access control through which network access is determined by an individual's role within a company. That role is used to enforce identity-based security policies across the network regardless of the access method or device used. A converged policy framework ties together different authentication mechanisms into a central policy engine that can communicate across the switch infrastructure to alleviate the challenge of managing policies consistently across the network. TrustSec simplifies management of identity policies over disparate authentication methods.

TrustSec maintains the integrity and confidentiality of data as it moves through all points in the network to protect against data leakage and support regulatory requirements. It also increases the privacy of the network itself.

Robert Gleichauf, CTO of Cisco's security technology group, said TrustSec, when working in concert with Network Admission Control (NAC) and PISA, Cisco's packet inspection, creates a complete security ecosystem that determines who users are, what devices they're using and what areas of the network they can access.

"It's a logical continuum," he said, adding that the complete package enables a "suite of identity credentials."

The framework will allow VARs to offer their customers a secure switching architecture based on role and identity.

"VARs can build a set of offerings on top of this product to allow customers to better control who can get on and where can they go and not go," Gleichauf said.

Gleichauf said TrustSec will use existing hardware capabilities within Cisco Catalyst switches. The model distributes admission and access control mechanisms throughout the network, reducing the complex, manual and error-prone nature of policy enforcement. On the user side, TrustSec offers one consistent access experience regardless of method.

NEXT: VARs Get More Security Options

Many customers struggle with getting the network to pay attention to what's defined in directories. Gleichauf said companies want to be able to track where peoples' traffic goes and doesn't go, which has been done with applications, but has not yet been integrated into the network.

"Is it appropriate for your packets to be going here or not?" he said is a common question. With TrustSec, companies can set a single policy and distribute it across the infrastructure. Roles are defined once and enforced at different locations across the network.

Role-based access control lets the network recognize identity at the time of access to the network and attach a role to it, essentially pinpointing who is accessing the network and what their privileges are while on the network, said John McCool, senior vice president of the Internet systems business unit at Cisco.

McCool added that a TrustSec architecture will not require a forklift upgrade, but will require software upgrades in access switches.

Not requiring a massive upgrade, Gleichauf said, will also be attractive to VARs, who can sell customers integrated security at a lower cost.

"When a VAR or channel partner starts selling this next-generation equipment, they're selling stuff that has the security already in it," he said. "VARs and channel partners can sell this class of equipment with a lower op-ex."

According to Andreas Antonopoulos, senior vice president and founding partner of Numerates Research, role-based security has been top of mind for enterprises.

"Understanding which users do what and where, on networks and on applications, is a key component of the compliance strategy of virtually every enterprise," Antonopoulos said. "Doing so requires implementing a security architecture based on the roles and identities of users."

TrustSec functionality is expected to be available across Cisco switching platforms throughout the next 18 months, starting in the fist quarter of 2008.

Along with detailing TrustSec, Cisco on Wednesday also outlined two new partnerships to bolster interoperability between the network and devices.

First, Cisco and Santa Clara, Calif.-based Intel announced shared support of IEEE 802.1AE, a standard that helps the network intelligently prioritize data in alignment with business objectives while preserving the integrity of encrypted data. The pairing enhances interoperability between Cisco TrustSec capable switches and Intel Ethernet controllers that support 802.1AE.

Second, Cisco announced a partnership with Ixia, which provides IP performance testing systems. Ixia, based in Calabasas, Calif., will support 802.1AE encrypted line card in its test equipment so customers can test with Cisco TrustSec switches.