Cisco TrustSec Overview
Revised: June 16, 2011, OL-22192-01
This chapter contains the following topics:
•
•
Information about Cisco TrustSec Architecture
The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted
network devices. Each device in the domain is authenticated by its peers. Communication on the links
between devices in the domain is secured with a combination of encryption, message integrity check,
and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials
acquired during authentication for classifying the packets by security groups (SGs) as they enter the
network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec
network so that they can be properly identified for the purpose of applying security and other policy
criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce
the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
The Cisco TrustSec architecture incorporates three key components:
•
•
•
OL-22192-01
Information about Cisco TrustSec Architecture, page 1-1
Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network, page 1-13
Authenticated networking infrastructure—After the first device (called the seed device)
authenticates with the authentication server to begin the Cisco TrustSec domain, each new device
added to the domain is authenticated by its peer devices already within the domain. The peers act as
intermediaries for the domain's authentication server. Each newly-authenticated device is
categorized by the authentication server and assigned a security group number based on its identity,
role, and security posture.
Security group-based access control—Access policies within the Cisco TrustSec domain are
topology-independent, based on the roles (as indicated by security group number) of source and
destination devices rather than on network addresses. Individual packets are tagged with the security
group number of the source.
Secure communication—With encryption-capable hardware, communication on each link between
devices in the domain can be secured with a combination of encryption, message integrity checks,
and data-path replay protection mechanisms.
1
C H A P T E R
Cisco TrustSec Configuration Guide
1-1