14-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Overview of TrustSec Firewall Policies
Figure 14-1 Security Group Name Based Policy Enforcement Deployment
Implementing Cisco TrustSec allows for configuration of security policies supporting server
segmentation.
• A pool of servers can be assigned an SGT for simplified policy management.
• The SGT information is retained within the infrastructure of Cisco Trustsec capable switches.
• The ASA can leverage the IP-SGT mapping for policy enforcement across the Cisco TrustSec
domain.
• Deployment simplification is possible because 802.1x authorization for servers is mandatory.
How the ASA Enforces Security Group Based Policies
Note User-based security policies and security-group based policies, can coexist on the ASA. Any
combination of network, user-based and security-group based attributes can be configured in a security
policy.
After the ASA establishes a secure communication channel with the Cisco Identity Services Engine
(ISE), the ASA initiates a PAC secure RADIUS transaction with the ISE and downloads Cisco TrustSec
environment data; specifically, the ASA downloads the security group table. The security group table
maps SGTs to security group names. Security group names are created on the ISE and provide
user-friendly names for security groups.
Note For more information about the Cisco Identity Services Engine, see
http://www.cisco.com/en/US/products/ps11640/index.html.
The first time the ASA downloads the security group table, it walks through all entries in the table and
resolves all the security group names contained in security policies configured on the ASA; then, the
ASA activates those security policies locally. If the ASA is unable to resolve a security group name, it
generates a system log message for the unknown security group name.
The following figure shows how a security policy is enforced in Cisco TrustSec.
