Starting in Cisco’s Adaptive Security Appliance (ASA) software version 9.3.1, Cisco has added inline Security Group Tagging (SGT) support to the ASA-5500X and 5585X product lines.
If you are not familiar with SGT aka TrustSec, it allows you to tag a packet with an identity field as it travels through the network. Why would anyone want to do that, and why is it nice to have TrustSec on the ASA?
Let’s walk through a scenario.
If I am a user connecting to the network, I can get multiple IP addresses depending on how and where I am coming from:
Wireless = 172.16.10.78
VPN = 10.10.100.54
That is one user and one location. What if I move around the building or connect from different offices? I could receive any number of IP addresses from different ranges.
So where is the problem you ask? Well, if you are segmenting your network with firewalls (let me know if you are not and we can talk), you need to write access control lists (ACLs) to accommodate all those scenarios.
With TrustSec, it doesn’t matter where you connect from: you will be assigned a tag to identify you. That tag will be applied to all of your IP packets as they move through the network, so the firewall policy becomes much easier to define and manage.
So for our one example user, we had at least three firewall rules going to one destination. And with TrustSec, we can bring that down to one! Cisco has case studies that demonstrate how customers have used TrustSec to simplify their security policy in this exact manner.
So what is so cool about adding inline-tagging support to the ASA? Without inline tagging, there was a method of sharing the IDs with a protocol called SXP. The ASA would peer with some other device to receive the ID mappings and apply policy that way.
But now with inline tagging, it can be set up to trust its neighbors and natively send and receive tagged packets without the added performance and administrative overhead of SXP, thus simplifying the solution.
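As an added illustration (not configuration from the original post), here is the before/after contrast the post describes on an ASA: one rule per source address the same user might arrive from, versus a single rule keyed on that user's tag, followed by the interface settings that let the ASA read tags inline from the adjacent switch instead of learning IP-to-tag mappings over SXP. The ACL name, the server address 192.168.50.10, the third (wired) user address, the tag values and the interface name are assumed values, not from the post.

```text
! Before: one ACE per address the same user might arrive from
! (wireless and VPN addresses from the post; wired address assumed)
access-list INSIDE_IN extended permit tcp host 172.16.10.78 host 192.168.50.10 eq 443
access-list INSIDE_IN extended permit tcp host 10.10.100.54 host 192.168.50.10 eq 443
access-list INSIDE_IN extended permit tcp host 10.20.5.200 host 192.168.50.10 eq 443
!
! After: one ACE keyed on the user's SGT, whatever the source address (tag 10 assumed)
access-list INSIDE_IN extended permit tcp security-group tag 10 any host 192.168.50.10 eq 443
!
! Inline tagging (ASA 9.3.1+): trust the tag carried in frames from the upstream
! switch and re-propagate it; untagged traffic on this link gets tag 2 (assumed)
interface GigabitEthernet0/1
 cts manual
  propagate sgt
  policy static sgt 2 trusted
```

With the "trusted" keyword the ASA honours tags set by the neighbor, so the neighbor must itself be a device you control; without it, incoming tags are overwritten by the static value.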