07-08-2024 12:39 AM
I find no firewall in the SD-Access network diagram.
Does SGT replace firewall functions in the SD-Access network diagram?
Or does a firewall only exist in SD-WAN?
07-08-2024 01:43 AM - edited 07-08-2024 01:52 AM
Cisco TrustSec/SGTs provide micro-segmentation functionality with SGACLs (security group access lists) within each VN/VRF in SDA. You insert a security group tag (SGT) on ingress to the fabric and match based on this tag in an SGACL on egress from the fabric. If you want any more advanced firewalling capability, you would want to put the source and destination in different VRFs/VNs and route the traffic through a firewall outside the fabric.
07-09-2024 07:23 PM - edited 07-09-2024 07:27 PM
SGT has already defined where a client computer can go.
Besides filtering malware and the IPS function, which advanced firewalling capability can a firewall provide that SGT cannot?
Assume a computer is infected with a virus and SGT restricts where it can go; where will this virus be? Is a firewall outside the border routers still needed in the end?
07-10-2024 01:19 AM
SGTs only provide simple SGACL rules that match based on source and destination tag, where the "action" can be to filter based on an access contract (ACL/permit all/deny all). The magic thing about SGTs compared to a firewall is where the rules are enforced: at the edge node.
Let's say you have an IoT VN containing all of your IoT devices. In said VN you have a set of robot vacuums that should only be able to communicate with a local server over MQTT, and your server should only be allowed to communicate with the internet. You configure the SGACL for this VN to be default deny and permit only the required flows. If your robot vacuum provider is hacked and a malicious firmware version is published, the potential spread is limited to between the vacuums. Without SGTs the potential spread/lateral movement would be to all other devices in your IoT VN.
If you were to implement the same level of security in a traditional network, you would have to create a private VLAN for your vacuums and a VLAN for your management server, and implement policy on the gateway or have it routed through a firewall. With the number of different, possibly poorly secured IoT devices the average enterprise has today, this quickly becomes a nightmare to deploy and manage. Instead you can have your one large IoT VN where you implement micro-segmentation with SGTs to limit east-west spread.
For your client computer example the same will apply. You can also do more advanced things like assigning different SGTs based on ISE policy/profiling, or quarantining clients based on Cisco Secure Endpoint (AMP) events.
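The IoT VN policy described in the post above, written out as standalone TrustSec CLI for an IOS-XE switch, is an added example; it is not configuration from the original post or from Cisco's design guide. In SD-Access the contracts and the matrix are authored in ISE / Cisco DNA Center and pushed to the edge nodes, so the CLI is shown here only to make the enforced state visible. The SGT numbers (10 for the vacuums, 20 for the MQTT server, 0 for untagged "Unknown" destinations such as the internet), the server address 10.20.0.10 and the contract names are assumptions.

```text
! Assumed SGT values (hypothetical): 10 = Vacuums, 20 = MQTT server, 0 = Unknown (untagged)
! Static IP-to-SGT mapping for the MQTT server (address is an assumption)
cts role-based sgt-map 10.20.0.10 sgt 20
!
! Contracts (role-based ACLs): they match protocol/port only, never IP addresses,
! because the source and destination are already selected by the SGT pair
ip access-list role-based VACUUM_TO_MQTT
 permit tcp dst eq 1883
 deny ip
ip access-list role-based PERMIT_ALL
 permit ip
ip access-list role-based DENY_ALL
 deny ip
!
! Policy matrix: source SGT -> destination SGT -> contract
! Vacuums may only open MQTT (TCP/1883) to the server
cts role-based permissions from 10 to 20 VACUUM_TO_MQTT
! Server may talk to untagged destinations (traffic leaving the fabric towards the internet)
cts role-based permissions from 20 to 0 PERMIT_ALL
! Every cell not listed above, including vacuums to any other IoT device, is denied
cts role-based permissions default DENY_ALL
!
! Turn on egress enforcement on this node
cts role-based enforcement
```

Check the installed matrix with `show cts role-based permissions` and watch hits per cell with `show cts role-based counters`; a vacuum probing another IoT device should increment the denied counter of the default cell rather than reach the device. Note that the matrix also has a cell for vacuum-to-vacuum traffic (from 10 to 10): if that traffic is not needed, leaving it at the default contract closes even the vacuum-to-vacuum spread the post describes; if it is needed, add an explicit entry for it.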
07-10-2024 10:43 PM
YES and NO. SGT 100% cannot replace firewalls; SGT gives you the ability to segment traffic (allow and deny) in the campus LAN.
Not all devices support SGT, but new hardware like the Cat 9K, which is part of SD-Access, can support it.
If you have a full-blown SD-Access environment (DNAC + Cat9K + ISE + Stealthwatch), you can enforce user traffic based on VN.
If you add a firewall for additional security in SD-Access, it will be more secure. Look at the example design guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html