Cisco SecureX Architecture and Context-Aware Security
To respond to the evolving security needs of today’s borderless network environments, Cisco developed the SecureX architecture. It is a new context-aware security architecture that enforces security policies across the entire distributed network, not just at a single point in the data stream.
The architecture starts with a solid network technology foundation that protects the network infrastructure itself from compromise. Security enforcement elements, in the form of appliances, modules, or cloud services, are built on top of that foundation. The architecture can deal with the full spectrum of devices, ranging from the traditional corporate PC or Mac all the way to next-generation mobile devices such as iPad and Android devices. With Cisco AnyConnect, these devices are attached to the security infrastructure at the most suitable enforcement point, so that security is enforced in the network as the devices connect.
The components of the SecureX strategy include the following:
- Context awareness
- Cisco TrustSec
- Cisco AnyConnect
- Cisco Talos
Figure 3-1 illustrates the components of the SecureX strategy.
Figure 3-1 Cisco SecureX Components
Components of the Cisco SecureX strategy include the following:
Context Awareness
Context awareness allows enforcement elements such as infrastructure devices to use contextual information (for example, the user's identity, the security posture of the connecting device, and the point of access to the network) to define the access policy.
Cisco TrustSec
TrustSec is an intelligent and scalable access control solution that mitigates access-related security risks across the entire network while providing access to anyone, anywhere, anytime.
Cisco AnyConnect Client
AnyConnect Client provides secure connectivity across a broad set of PC- and smartphone-based mobile devices. The enforcement devices provide posture assessment, access control services, and policy enforcement.
Cisco Talos
Cisco Talos Security Intelligence and Research Group (Talos) correlates data from almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions to detect, analyze, and protect against both known and emerging threats. This information is shared with Cisco customers and devices on demand.
TrustSec is an umbrella term that encompasses the Cisco next-generation Network Access Control (NAC) framework, including the following:
- Policy-based access control
- Identity-aware networking based on roles
- Data confidentiality
- Data integrity
It does so by incorporating the following technologies:
- IEEE 802.1X (Dot1x)
- Cisco NAC Appliance
- Profiling technologies
- Guest services
- Security group tags (SGTs) and security group ACLs (SGACLs)
- MACsec (IEEE 802.1AE)
- Access Control Server (ACS)
- Identity Services Engine (ISE)
TrustSec identities are role based rather than being tied to IP addresses or usernames. When users authenticate, they are assigned an SGT, and their privileges are determined by the SGACLs that apply to that SGT.
Cisco ISE combines the functionality of other Cisco products—such as the Cisco Secure Access Control Server (ACS) for authentication, authorization, and accounting (AAA) services, and Network Admission Control (NAC)—into this next-generation policy server.
TrustSec implementation follows this process:
- A user connects to a switch using 802.1X. The switch relays the authentication credentials to the Cisco ISE. The ISE authenticates the user and assigns the user an SGT.
- Traffic from the authenticated user is tagged with its specific SGT. Network devices along the data path read this tag and enforce its associated policy by restricting access to predetermined network destinations and resources. The devices do so by using SGACLs.
- TrustSec can also provide data confidentiality and integrity by using MACsec (IEEE 802.1AE). For example, if a policy requires that data be secured, Cisco TrustSec understands this policy and dynamically encrypts the user data on each link, hop by hop, between MACsec-capable devices.
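The following simulation walks through the TrustSec process just described, and at the same time shows the context-awareness point from earlier in the section: the policy server derives the SGT from identity and device posture, not from the IP address, and the enforcement device evaluates an SGACL cell keyed on the source and destination tags. This is an added illustration written for this page, not Cisco code; ISE, the switch, and the enforcement device are stood in for by plain functions, and every user name, password, IP address, SGT number, and policy entry is constructed for the example.

```python
"""Simulated Cisco TrustSec flow: 802.1X authentication at the access switch,
SGT assignment by the policy server (Cisco ISE), and SGACL enforcement at a
downstream device.

Added illustration, not Cisco code. Every user name, password, IP address,
SGT number and policy entry below is constructed for the example.
"""
import hmac
from dataclasses import dataclass

# --- Security group tags (constructed values) --------------------------------
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_QUARANTINE = 10, 20, 99
SGT_SERVER_HR, SGT_SERVER_WEB = 100, 110

# --- Policy server: stands in for Cisco ISE ----------------------------------
# Constructed identity store: username -> (password, identity group).
USER_DB = {
    "alice": ("s3cret-pass", "employees"),
    "bob": ("contractor-pw", "contractors"),
}

def authorize(username: str, password: str, posture_compliant: bool):
    """Authenticate the 802.1X supplicant and return its SGT, or None on failure.

    Context, not the IP address, drives the tag: the identity group selects the
    role, and a failed posture check overrides it with the quarantine tag.
    """
    record = USER_DB.get(username)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    if not posture_compliant:
        return SGT_QUARANTINE
    return SGT_EMPLOYEE if record[1] == "employees" else SGT_CONTRACTOR

# --- Enforcement device: SGACL matrix ---------------------------------------
# Cell (source SGT, destination SGT) -> ordered ACEs (action, protocol, dst port).
# Any cell not listed, and any traffic not matched within a cell, is denied.
SGACL = {
    (SGT_EMPLOYEE, SGT_SERVER_HR): [("permit", "tcp", 443)],
    (SGT_EMPLOYEE, SGT_SERVER_WEB): [("permit", "tcp", 443), ("permit", "tcp", 80)],
    (SGT_CONTRACTOR, SGT_SERVER_WEB): [("permit", "tcp", 443)],
    (SGT_QUARANTINE, SGT_SERVER_WEB): [("permit", "tcp", 443)],  # remediation only
}

# Static IP-to-SGT mapping for servers that do not authenticate (constructed).
SERVER_SGT_MAP = {
    "10.0.100.5": SGT_SERVER_HR,
    "10.0.110.8": SGT_SERVER_WEB,
}

@dataclass(frozen=True)
class TaggedFrame:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    sgt: int  # tag inserted by the access switch after authorization

def enforce(frame: TaggedFrame) -> bool:
    """Evaluate the SGACL for this frame; True means forward, False means drop."""
    dst_sgt = SERVER_SGT_MAP.get(frame.dst_ip)
    if dst_sgt is None:
        return False  # unknown destination group: implicit deny
    for action, proto, port in SGACL.get((frame.sgt, dst_sgt), []):
        if proto == frame.proto and port == frame.dst_port:
            return action == "permit"
    return False  # implicit deny at the end of the cell

def session(username, password, posture_compliant, client_ip, dst_ip, proto, dst_port) -> str:
    """Run the whole flow for one connection attempt and report the outcome."""
    sgt = authorize(username, password, posture_compliant)
    if sgt is None:
        return "auth-failed"  # the switch keeps the port unauthorized
    frame = TaggedFrame(client_ip, dst_ip, proto, dst_port, sgt)
    return "permit" if enforce(frame) else "deny"

if __name__ == "__main__":
    # Same user, different IP address: the role-based policy is identical.
    print(session("alice", "s3cret-pass", True, "10.1.1.5", "10.0.100.5", "tcp", 443))
    print(session("alice", "s3cret-pass", True, "192.168.50.7", "10.0.100.5", "tcp", 443))
    # Non-compliant posture moves the same user to the quarantine tag.
    print(session("alice", "s3cret-pass", False, "10.1.1.5", "10.0.100.5", "tcp", 443))
    print(session("alice", "s3cret-pass", False, "10.1.1.5", "10.0.110.8", "tcp", 443))
    # Contractor role never reaches the HR group; a wrong password never gets a tag.
    print(session("bob", "contractor-pw", True, "10.1.1.9", "10.0.100.5", "tcp", 443))
    print(session("bob", "wrong", True, "10.1.1.9", "10.0.110.8", "tcp", 443))
```

The two `alice` runs from different client addresses produce the same decision, which is the practical meaning of identity being role based rather than IP based. Note also that the matrix has no cell for traffic between user groups or toward unmapped destinations; in a real deployment that implicit deny is what makes an unclassified destination fail closed, so the IP-to-SGT mappings and the matrix must be kept complete together. The MACsec step is not modelled here because it operates per link below the policy layer shown.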
Cisco AnyConnect protects mobile employees on PC-based or smartphone platforms using an SSL or IP Security (IPsec) virtual private network (VPN) to deliver a more seamless, always-on, and always-protected experience to end users, while enabling IT administrators to enforce policies and block malware with cloud-based or hybrid web security.
Cisco AnyConnect provides the following:
- Device support regardless of device type (for example, PC, laptop, smartphone, tablet, or PDA)
- Multifunctional security by combining multiple security controls in one client application
- Consistent experience by providing an always-on intelligent connection for seamless experience and performance
Cisco Talos combines the Cisco Security Intelligence Operations (SIO) and the Sourcefire Vulnerability Research Team (VRT) to provide collective security intelligence. Talos baselines the current global state of threats and provides the network with valuable information to detect, prevent, and react to threats. It operates as an early-warning system by correlating threat information from the SensorBase, analyzed by the Threat Operations Center. This information is then provided to enforcement devices such as the Cisco Adaptive Security Appliance (ASA), Integrated Services Router (ISR), and IPS devices for real-time threat prevention.