Cisco this week rolled out yet another method for securing corporate networks.
Called TrustSec, the architecture is intended to determine, through policies, the role of users and devices in the network before granting access to resources. This has been practised in applications for years, Cisco officials say, but is only now being enforced at the network level.
TrustSec differs from Cisco's six-year-old Self-Defending Networks architecture in that Self-Defending Networks is intended to mitigate threats via intrusion-detection systems and firewalls, while TrustSec is designed to protect, hop to hop, the integrity and confidentiality of user traffic and of each user's role in the network, Cisco officials say.
"It's a follow-on phase" to Self-Defending Networks, says Bob Gleichauf, CTO of Cisco's Security Technology Group. "We're getting this threat defence thing down pretty good; now let's start worrying about where we can go in the network."
With TrustSec, for example, users in company departments such as sales and finance would be identified by Cisco switches and assigned access to resources – such as a Skype phone call – during a specific time period based on pre-defined policies. Once that time period elapses, the Cisco switches would drop the Skype session for both departments.
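To make the decision the previous paragraph describes concrete, here is an added example of a role-based, time-bound access check. It is illustrative code written for this article, not Cisco TrustSec code, and it does not model how TrustSec represents or propagates roles between switches: it only shows an access point looking up a user's role, admitting a session to a resource while a policy window for that role is open, and tearing the session down once the window has elapsed. The user names, roles, resource name, date and times are all constructed for the example.

```python
"""Illustrative role-based, time-bound network access decisions.

Added example, not Cisco TrustSec code: it does not model how TrustSec
carries role information between switches. It only demonstrates the kind
of decision the article describes: an access switch looks up the role of
the user behind a port, admits a session to a resource only while a
policy window for that role is open, and tears the session down once the
window has elapsed. All names, roles, dates and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Policy:
    """Roles allowed to reach `resource` between `start` and `end` (end exclusive)."""
    roles: frozenset
    resource: str
    start: time
    end: time


@dataclass
class Session:
    user: str
    role: str
    resource: str
    active: bool = True


# Constructed identity store: the user-to-role mapping a switch would obtain
# from the AAA server. "mallory" is deliberately absent.
DIRECTORY = {
    "alice": "sales",
    "bob": "finance",
    "carol": "engineering",
}

# Constructed policy: sales and finance may use the "skype" resource 09:00-17:00.
POLICIES = (
    Policy(frozenset({"sales", "finance"}), "skype", time(9, 0), time(17, 0)),
)


def at(hour, minute=0):
    """Clock time on a constructed date, used for the worked scenario."""
    return datetime(2007, 12, 3, hour, minute)


class PolicyEngine:
    def __init__(self, directory, policies):
        self.directory = dict(directory)
        self.policies = tuple(policies)

    def role_of(self, user):
        """Unknown identities get no role, so they match no policy (deny by default)."""
        return self.directory.get(user)

    def permitted(self, role, resource, now):
        """True only if some policy names this role and resource and its window covers `now`."""
        if role is None:
            return False
        t = now.time()
        return any(
            p.resource == resource and role in p.roles and p.start <= t < p.end
            for p in self.policies
        )

    def admit(self, user, resource, now):
        """Return an active Session if policy allows it, else None."""
        role = self.role_of(user)
        if not self.permitted(role, resource, now):
            return None
        return Session(user, role, resource)

    def enforce(self, sessions, now):
        """Re-evaluate every active session and drop those whose window has closed.

        Returns the users whose sessions were dropped. Admission alone is not
        enough: the policy must be re-checked on a timer, or a session admitted
        at 16:59 would run indefinitely.
        """
        dropped = []
        for s in sessions:
            if s.active and not self.permitted(s.role, s.resource, now):
                s.active = False
                dropped.append(s.user)
        return dropped


def demo():
    """Walk through the article's scenario; returns (admitted users, dropped users)."""
    engine = PolicyEngine(DIRECTORY, POLICIES)
    sessions = []
    for user in ("alice", "bob", "carol", "mallory"):
        s = engine.admit(user, "skype", at(16, 30))
        if s is not None:
            sessions.append(s)
    admitted = [s.user for s in sessions]
    # Re-evaluate at the 17:00 boundary: the window has elapsed, both ends are dropped.
    dropped = engine.enforce(sessions, at(17, 0))
    return admitted, dropped


if __name__ == "__main__":
    print(demo())  # (['alice', 'bob'], ['alice', 'bob'])
```

Two points a practitioner would check in any such engine are visible here: an identity the directory does not know gets no role and therefore matches no policy (deny by default), and expiry is enforced by re-evaluating live sessions rather than trusting the decision made at admission time.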
TrustSec was four years in the making, Cisco officials say. It can work with Cisco Catalyst 6500 switches equipped with the Supervisor Engine 32 Programmable Intelligent Services Accelerator (PISA) as an overlay, but does not require PISA, Gleichauf says.
The PISA module analyses stateful and stateless application traffic flows for security, compliance with corporate policies and management of network resource utilization.
But TrustSec does require hardware and software upgrades, both to the Cisco switches and to a Cisco authentication, authorization and accounting (AAA) policy server, which must support the TrustSec switch policy engine that stores and enforces the role-based access policies.