05-18-2019 12:01 PM - edited 05-18-2019 12:02 PM
Hi All,
I am new to TrustSec and I'm trying to determine if enforcing the following policy with SGTs is the best method.
From our CCTV network, we need to permit access to host 10.1.1.1 on port 8443, and to host 10.1.1.2 on port 2222, and then deny traffic to all other networks. Devices on the CCTV network have been classified and assigned an SGT of 'CCTV' using ISE. Hosts 10.1.1.1 and 10.1.1.2 have been assigned to two different SGTs (CCTV_Server1, CCTV_Server2). The required security group ACLs and policies have been configured to permit the above access. CCTV to SGT 'unknown' is then used to block all other traffic.
This works OK and fulfils the requirements; however, I have to put the hosts into two separate SGTs to keep access to ports 8443 and 2222 strictly to the required host.
Is there a better way of doing this, as assigning SGTs on a per-host/IP basis doesn't seem very scalable? Are SGTs intended for this purpose, or is using a standard ACL better?
Thank you
05-18-2019 06:29 PM
05-18-2019 11:38 PM
Hi Damien,
Thanks for the response, that makes sense.
I'm also trying to work out if it is possible to block traffic to all private/RFC1918 networks using SGTs. For example, I also have a policy that should allow https to all external/unknown destinations, but block to internal networks. Is it possible/common to map 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 to an SGT, for example, Private_Networks?
Thanks
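Pulling both questions together, here is one way the whole policy could be expressed on a Cisco IOS-XE switch. This is an added example, not configuration from anyone in the thread; the SGT numbers (CCTV=10, CCTV_Server1=20, CCTV_Server2=21, Private_Networks=30) and the extra source group Web_Clients=11 for the second question are assumed, and in practice the bindings and matrix would be pushed from ISE rather than typed in by hand.

```cisco
! Added example, not from the thread: IOS-XE CLI for the policy discussed above.
! Assumed SGT numbers: CCTV=10, Web_Clients=11 (hypothetical), CCTV_Server1=20,
! CCTV_Server2=21, Private_Networks=30. Unknown is always SGT 0.
!
! Static IP-to-SGT bindings for the two servers (in production, push from ISE)
cts role-based sgt-map 10.1.1.1 sgt 20
cts role-based sgt-map 10.1.1.2 sgt 21
! Subnet-to-SGT bindings for RFC 1918 space. Lookup is longest-prefix,
! so the /32 entries above still win for 10.1.1.1 and 10.1.1.2.
cts role-based sgt-map 10.0.0.0/8 sgt 30
cts role-based sgt-map 172.16.0.0/12 sgt 30
cts role-based sgt-map 192.168.0.0/16 sgt 30
!
! SGACLs: one per matrix cell, each ending in an explicit deny
ip access-list role-based CCTV_TO_SERVER1
 permit tcp dst eq 8443
 deny ip
ip access-list role-based CCTV_TO_SERVER2
 permit tcp dst eq 2222
 deny ip
! SGACLs are stateless, so the reply direction needs its own cell
ip access-list role-based SERVER1_TO_CCTV
 permit tcp src eq 8443
 deny ip
ip access-list role-based SERVER2_TO_CCTV
 permit tcp src eq 2222
 deny ip
! Second question: HTTPS to anything unmapped, nothing to private space
ip access-list role-based HTTPS_ONLY
 permit tcp dst eq 443
 deny ip
ip access-list role-based DENY_ALL
 deny ip
!
! Bind SGACLs to (source SGT, destination SGT) cells
cts role-based permissions from 10 to 20 CCTV_TO_SERVER1
cts role-based permissions from 10 to 21 CCTV_TO_SERVER2
cts role-based permissions from 20 to 10 SERVER1_TO_CCTV
cts role-based permissions from 21 to 10 SERVER2_TO_CCTV
cts role-based permissions from 10 to 0 DENY_ALL
cts role-based permissions from 10 to 30 DENY_ALL
cts role-based permissions from 11 to 0 HTTPS_ONLY
cts role-based permissions from 11 to 30 DENY_ALL
!
! Enforcement must be switched on or the matrix is never consulted
cts role-based enforcement
```

The reply cells for Web_Clients (from SGT 0 and 30 back to 11) are left out for brevity and need the same stateless treatment as the server cells. Check the resulting bindings and matrix with `show cts role-based sgt-map all` and `show cts role-based permissions`.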