08-05-2022 08:57 AM
Hi,
What options are there for enforcing SGT policy as close to the virtual machine/application as possible in a VMware environment? I know previously we could have used the Nexus 1000V, but with that no longer being sold, is there a solution for this?
Many thanks
08-05-2022 10:24 AM
Cisco Secure Workload: https://www.cisco.com/c/en/us/products/security/tetration/index.html
Or integrate ISE with ACI and ACI into VMware. Not sure if there is a newer integration doc than this: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16-7/sec-usr-cts-xe-16-7-book/cts-aci-intgn.html.xml
08-05-2022 10:48 AM
You've run across a limitation that exists with TrustSec. As you pointed out, this used to be possible with the 1000v, but that isn't viable anymore. TrustSec shines in the facility/LAN/edge, but it's really not a DC technology.
Adam already brought up Secure Workload, and it's probably the most viable solution at the moment. The solution would leverage Cisco Secure Workload (Tetration) agents on the application servers, integrate ISE and Secure Workload, then write application scopes with facility/endpoint SGTs. This moves the enforcement point to the application servers' native firewall. This does have its own scale considerations because firewall policy is written on IP and not SGT; Secure Workload is doing that translation based on the ISE session context it receives.
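To make the scale point in the answer above concrete, here is an added model (not Cisco code, and not Secure Workload's real policy format or pxGrid integration) of how an SGT matrix has to be expanded into per-server IP rules from ISE session context; the session table and SGT matrix are constructed sample data.

```python
"""Model: SGT policy -> IP-based host firewall rules (added example).

Secure Workload's actual agent policy and ISE integration are not
reproduced here; this only shows why the rule count is driven by the
number of endpoints in each SGT rather than by the SGT matrix itself.
"""
from collections import defaultdict

# Constructed sample ISE session context: endpoint IP -> SGT name.
SESSIONS = {
    "10.1.1.10": "Employees",
    "10.1.1.11": "Employees",
    "10.1.2.20": "Contractors",
    "10.9.0.5": "App_Servers",
    "10.9.0.6": "App_Servers",
}

# Constructed sample SGT matrix: (src_sgt, dst_sgt, dst_port, action).
SGT_POLICY = [
    ("Employees", "App_Servers", 443, "permit"),
    ("Contractors", "App_Servers", 443, "deny"),
]


def sgt_to_ip_rules(sessions, policy):
    """Expand SGT policy into inbound IP rules for each server IP.

    The host firewall cannot match on SGT (no tag on the wire at the
    VM), so every (src_sgt, dst_sgt) cell becomes one rule per
    (src_ip, dst_ip) pair. Returns {server_ip: [(src_ip, port, action)]}.
    """
    members = defaultdict(list)
    for ip, sgt in sessions.items():
        members[sgt].append(ip)
    rules = defaultdict(list)
    for src_sgt, dst_sgt, port, action in policy:
        for dst_ip in sorted(members.get(dst_sgt, [])):
            for src_ip in sorted(members.get(src_sgt, [])):
                rules[dst_ip].append((src_ip, port, action))
    return dict(rules)


def rule_count(rules):
    """Total number of host rules pushed across all servers."""
    return sum(len(r) for r in rules.values())


def rules_added_by_session(sessions, policy, new_ip, new_sgt):
    """How many rules one new ISE session (new_ip in new_sgt) adds."""
    before = rule_count(sgt_to_ip_rules(sessions, policy))
    after = rule_count(sgt_to_ip_rules({**sessions, new_ip: new_sgt}, policy))
    return after - before
```

Two matrix cells already yield six host rules here, and every new Employee session adds one rule to every server in the destination SGT, which is the scale consideration the answer refers to.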
08-08-2022 01:19 AM
Thank you both for the answers!