Will TrustSec replace Firewalls

AIN UL BADAR
Level 4

Hello,

Does ISE TrustSec replace regular internal L3/L4 ASA Firewalls? These firewalls could be protecting two subnets from talking to each other or protecting the DMZ from internal/external traffic. I'm trying to understand if I deploy TrustSec, will I throw out my L3/L4 Firewalls?

Thanks


5 Replies

Hi,

The enforcement point can either be a firewall, router or switch. However a firewall is the best device to act as an enforcement point, that's what it is designed to do.


A switch or router is fine (to an extent) to protect resources within the DC from users on the access layer, but you definitely want to be using a firewall on the perimeter to protect your network from outside threats.


With an FTD NGFW you get the L7 features that a switch or router acting as enforcement point do not have.


HTH

We are not using the Firewall as an enforcement point at the moment. It's all access layer switches that are part of the TrustSec design. Keeping that in mind, should we keep the internal firewall (not perimeter) in place and add TrustSec (on Switches) as another layer of security, OR should we get rid of the internal firewall?

What model of switch? Does it even support SGACL? Does it scale to the number of SGT bindings? If it's a small environment then possibly it would be acceptable.

I'd personally keep the internal firewall in place, it would act as a dedicated enforcement point and you'll get better performance. Leave the switch(es) doing the switching and routing of the traffic.

We have Cat 9300s over but at the same time we have 500 sites and around 25K endpoints. 

Are you saying 9300 aren't capable of handling ip-to-sgt mappings for 25K endpoints?

You should check out the TrustSec matrix to confirm scalability for your devices.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf


The Catalyst 9300 supports a maximum of 10,000 IP SGT Bindings. You wouldn't expect to have all IP SGT bindings for the entire network on an access layer switch, normally just IP SGT bindings that have been dynamically assigned to devices authenticating to a port on the switch.


What is your intended TrustSec design?

What type of traffic are you attempting to filter? Lateral movement on the same switch, Access layer to DC?
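The reply above makes a point worth checking on a real access switch before relying on it as an SGACL enforcement point: the binding table should be dominated by bindings learned on the box itself (from authenticating endpoints), not by the whole enterprise's mappings imported over SXP or added by CLI. The script below is an added example, not code from the thread or from Cisco. It parses a binding table whose layout is modelled on `show cts role-based sgt-map all` on IOS-XE, counts bindings per source, and compares the total against a platform limit that the caller supplies (the 10,000 figure is the one quoted in the thread; confirm your own platform's number in the software-system bulletin linked above). The sample output, the source names treated as "on-box", and the 80% warning threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the layout of "show cts role-based sgt-map all"
# on IOS-XE. This is NOT output captured from a real switch.
SAMPLE_SGT_MAP = """\
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.10.1.1               2       INTERNAL
10.10.1.51              10      LOCAL
10.10.1.52              10      LOCAL
10.10.1.53              11      LOCAL
10.20.0.0/16            20      CLI
10.30.5.7               30      SXP
10.30.5.8               30      SXP
10.30.5.9               31      SXP

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of LOCAL    bindings = 3
Total number of SXP      bindings = 3
Total number of INTERNAL bindings = 1
Total number of active   bindings = 8
"""

# One binding row: IPv4 host or prefix, numeric SGT, upper-case source name.
# Header, separator and "Total number of ..." summary lines do not match.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"(?P<sgt>\d+)\s+(?P<source>[A-Z_]+)$"
)

# Sources that originate on the switch itself (assumption for this example):
# LOCAL = learned from an endpoint that authenticated on a local port,
# INTERNAL = the switch's own interfaces. SXP and CLI bindings are imported.
ON_BOX_SOURCES = {"LOCAL", "INTERNAL"}


def parse_sgt_map(text):
    """Return a list of (ip, sgt, source) tuples from the binding table."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.append((m.group("ip"), int(m.group("sgt")), m.group("source")))
    return bindings


def bindings_by_source(bindings):
    """Count bindings per source (LOCAL, SXP, CLI, INTERNAL, ...)."""
    return Counter(src for _, _, src in bindings)


def check_binding_budget(bindings, platform_limit, warn_ratio=0.8):
    """Compare the binding table against the platform's IP-SGT binding limit.

    Returns totals, the share of bindings imported from off-box sources, and
    flags for exceeding the limit or crossing warn_ratio of it.
    """
    total = len(bindings)
    by_source = bindings_by_source(bindings)
    imported = sum(n for src, n in by_source.items() if src not in ON_BOX_SOURCES)
    return {
        "total": total,
        "imported": imported,
        "by_source": dict(by_source),
        "imported_share": (imported / total) if total else 0.0,
        "near_limit": total > platform_limit * warn_ratio,
        "over_limit": total > platform_limit,
    }


if __name__ == "__main__":
    table = parse_sgt_map(SAMPLE_SGT_MAP)
    report = check_binding_budget(table, platform_limit=10000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real switch, feed the script the saved output of the show command instead of the constructed sample; a high `imported_share` on an access switch is the sign that SXP or static mappings are pushing enterprise-wide bindings onto a box that only needs to know its own endpoints.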
