Role-based access control can provide security and business benefits by protecting the network and ensuring the integrity of intellectual property. Which both rate high on the priority lists of most large organizations as far as network security goes.
In addition, more stringent privacy laws have imposed new levels of confidentiality on health care and insurance companies, and financial institutions. As a result, identity management has become a critical component in ensuring information security and access control.
Traditional access control methods segment and protect assets using VLANs and access control lists (ACLs).
Unlike access control mechanisms which are based on network topology, Cisco TrustSec® controls are defined using logical policy groupings. Users and assets with the same role classification are assigned to a security group, where resource segmentation and secure access are easily and consistently maintained, even if resources move in mobile and virtualized networks.
Cisco TrustSec® simplifies the provisioning and management of secure network access, accelerates security operations and consistently enforces policy anywhere in the network.
The good news for network and security administrators is that across many Cisco device platforms, TrustSec® is supported in a flexible NetFlow export. NetFlow reporting allows admins to monitor the traffic from, and between, the different CTS groups.
Let’s take a look at how to enable CTS NetFlow exports using Flexible NetFlow configuration on a Catalyst 6500 series switch.
- Create a flow record. In this case we will create a record that aggregates on the standard 5-tuple, plus the direction and Source and Destination Group Tags. But also collects other data like packet and bytes counts, input and output interface references.
flow record cts-record-ipv4
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect interface input
collect interface output
collect counter bytes
collect counter packets
- Create a flow exporter that defines how the switch is going to export the NetFlow UDP datagrams to the collector.
flow exporter scrutinizer
description Exports to Scrutinizer
destination 10.1.1.1
source loopback0
template data timeout 60
transport udp 2055
- Create a flow monitor that ties the flow record and the flow exporter together.
flow monitor netflow-cts
record cts-record-ipv4
exporter scrutinizer
cache timeout active 60
- Apply the flow monitor to the interfaces that you want to collect traffic statistics from.
interface ethernet 0/0
ip flow monitor netflow-cts input
For even greater detail in the flexible NetFlow exports, apply the Flow Monitor to packets dropped by Role-Based Access Control Lists (RBACLs) for all TrustSec interfaces on the router or switch:
router(config)# cts role-based ip flow monitor netflow-cts dropped
Network traffic monitoring, network forensics, and incident response using NetFlow technologies to monitor communication behaviors, maintaining baselines, and detecting advanced persistent threats is becoming more relevant.
Utilizing advanced Cisco TrustSec NetFlow reporting, network and security administrators can easily see who and what is connecting to the network, and can set alarms when what they do and where they go while on the network is not what is expected or allowed.
In short, by building and reporting on identity based access policies, it makes it easier to protect critical data throughout the network. It enables corporate governance for all users, devices, and addresses that mandate monitoring, auditing and reporting requirements.
Are you ready to add this type of network visibility and alarming to your monitoring solution? Give us a call and we’ll help you get NetFlow configured on your network.