SGTs per IP

dm2020
Level 1

Hi All,

I am new to TrustSec and I'm trying to determine if enforcing the following policy with SGTs is the best method.

From our CCTV network, we need to permit access to host 10.1.1.1 on port 8443 and to host 10.1.1.2 on port 2222, and then deny traffic to all other networks. Devices on the CCTV network have been classified and assigned an SGT of 'CCTV' using ISE. Hosts 10.1.1.1 and 10.1.1.2 have been assigned to two different SGTs (CCTV_Server1, CCTV_Server2). The required security group ACLs and policies have been configured to permit the above access. CCTV to SGT 'unknown' is then used to block all other traffic.

This works OK and fulfils the requirements; however, I have to put the hosts into two separate SGTs to keep access to ports 8443 and 2222 strictly to the required host.

Is there a better way of doing this, as assigning SGTs on a per-host/IP basis doesn't seem very scalable? Are SGTs intended for this purpose, or is using a standard ACL better?

Thank you

2 Replies

Damien Miller
VIP Alumni
It's fine to do this so long as you consider SGT scale in your environment. Hardware platforms have a total number of unique endpoint SGTs that they can handle at a given time, and ISE has a 10k limit that I wouldn't want to get anywhere near. Managing the SGACL policy matrix at that size would be brutal.

If these are static IP endpoints and it's a one off thing, a standard ACL would still probably be my choice.

Hi Damien,

Thanks for the response, that makes sense.

I'm also trying to work out if it is possible to block traffic to all private/RFC 1918 networks using SGTs. For example, I also have a policy that should allow HTTPS to all external/unknown destinations but block it to internal networks. Is it possible/common to map 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 to an SGT, for example, Private_Networks?

Thanks
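As an added example (not part of this thread, and not Cisco's or ISE's own configuration), the switch-side view of both approaches discussed above: the SGT/SGACL version of the CCTV policy from the original post together with the RFC 1918 mapping asked about in the follow-up, and the plain extended ACL that Damien suggests for static one-off hosts. Everything concrete is assumed: the CCTV cameras live in VLAN 50 / 10.50.0.0/16, the SGT numbers (CCTV = 10, CCTV_Server1 = 20, CCTV_Server2 = 21, Private_Networks = 30, a hypothetical Web_Clients = 40 for the HTTPS policy) and the ACL and interface names are invented for illustration. The IP-to-SGT mappings are written as static CLI bindings so the example is self-contained; in practice they would normally be created in ISE and distributed via SXP.

```cisco
! Added example, not from the original thread. All SGT numbers, subnets,
! VLAN and ACL names below are assumed values for illustration only.
!
! --- Option A: TrustSec / SGACL version of the policy ---
!
! One SGT per protected host. This per-host mapping is the part that
! does not scale: every protected server costs a binding and a matrix cell.
cts role-based sgt-map 10.1.1.1 sgt 20
cts role-based sgt-map 10.1.1.2 sgt 21
!
! RFC 1918 space as a whole mapped to SGT 30 (Private_Networks). Bindings
! are resolved by longest prefix, so 10.1.1.1 still classifies as SGT 20,
! not 30, even though it sits inside 10.0.0.0/8.
cts role-based sgt-map 10.0.0.0/8 sgt 30
cts role-based sgt-map 172.16.0.0/12 sgt 30
cts role-based sgt-map 192.168.0.0/16 sgt 30
!
! SGACLs carry only protocol and port. Source and destination are implied
! by the (source SGT, destination SGT) cell the SGACL is attached to.
ip access-list role-based CCTV_TO_SERVER1
 permit tcp dst eq 8443
 deny ip
ip access-list role-based CCTV_TO_SERVER2
 permit tcp dst eq 2222
 deny ip
ip access-list role-based HTTPS_ONLY
 permit tcp dst eq 443
 deny ip
ip access-list role-based DENY_ALL
 deny ip log
!
! CCTV policy: the two permitted services, deny everything else.
cts role-based permissions from 10 to 20 CCTV_TO_SERVER1
cts role-based permissions from 10 to 21 CCTV_TO_SERVER2
cts role-based permissions from 10 to 30 DENY_ALL
cts role-based permissions from 10 to unknown DENY_ALL
!
! Follow-up policy for a hypothetical source group (SGT 40): HTTPS to
! untagged/external destinations only, nothing into RFC 1918 space.
cts role-based permissions from 40 to 30 DENY_ALL
cts role-based permissions from 40 to unknown HTTPS_ONLY
!
cts role-based enforcement
cts role-based enforcement vlan-list 50
!
! --- Option B: plain extended ACL for the same CCTV policy ---
! Static hosts, no SGT bindings, no matrix cells to manage.
ip access-list extended CCTV_OUT
 permit tcp 10.50.0.0 0.0.255.255 host 10.1.1.1 eq 8443
 permit tcp 10.50.0.0 0.0.255.255 host 10.1.1.2 eq 2222
 deny   ip  any any log
interface Vlan50
 ip access-group CCTV_OUT in
```

Two things worth checking before relying on the SGT version. First, the 'unknown' cell only catches destinations that carry no SGT at all; a destination that is mapped to some other tag hits its own cell, and any cell you have not configured falls back to whatever `cts role-based permissions default` is set to on that switch, so verify the default rather than assuming the unknown row closes the gap. Second, subnet bindings are platform dependent: some older Catalyst hardware expands a subnet-to-SGT mapping into individual host bindings up to a fixed limit instead of matching on the prefix, which is exactly the hardware SGT scale limit Damien mentions, so confirm how your platform handles a /8 before mapping all of RFC 1918 to one tag.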
