Better Security Policy Enforcement with Panorama Plugin for Cisco TrustSec

14,803 people reacted 6 4 min. read

Palo Alto Networks customers can now use Panorama, our network security management tool, for even greater network visibility, with a new plugin for Cisco TrustSec.

Enterprise networks have become increasingly vulnerable to advanced threats because of fundamental shifts in the way diverse groups of users access the network from multiple endpoints. Once an adversary breaches their way into the network through any of these endpoints, they move laterally to gain access to sensitive data. Segmenting the network is an effective security strategy in reducing the risks and impacts of these breaches. With segmentation, it’s easier to confine an adversary breaking into your network. However, network segmentation modeled on IP addresses alone is inefficient and complex to maintain, and can be exploited by adversaries.

Since our commitment is to provide the best security possible, we integrate with third parties so our customers can have security in heterogeneous environments. One example is our Panorama plugin integration. The Cisco Identity Services Engine (ISE) is designed to provide rich user device details when a user connects to the network. After the device is classified, Cisco TrustSec, which is configured on top of ISE, associates security group tags (SGTs) to the user’s endpoints. Other network components such as switches, routers, WLAN controllers and firewalls also utilize SGTs to enforce access control security policies. As a Palo Alto Networks customer, you can now leverage PanoramaTM to get visibility into this data to further enforce security across your network. 

With the new Panorama plugin for Cisco TrustSec, your enterprise IT teams can create a security policy for your TrustSec environment using dynamic address groups (DAGs). The Panorama plugin is designed to monitor changes in IP addresses and tags in the Cisco ISE/Platform Exchange Grid (pxGrid) service and register that data into Panorama. It processes the endpoint information and converts it to a set of tags that you can use as match criteria for placing IP addresses in dynamic address groups. Allowing you to create policies that automatically adapt to change. 

Use Case: Leverage Security Tags in Your Healthcare Environment

I talked with a customer recently who has a few hundred biomedical devices deployed on a network. An important part of the customer’s security policy is to segment these devices from the internal network for compliance, ensuring the availability of patient care and data security. Because the customer has a lot of external vendors, these devices also need to support remote VPN. 

This customer plans to adopt the Security Group Tag framework to classify and segment these biomedical devices. This will help prevent any lateral movement from the biomedical devices to the internal network that contains sensitive data.

How it Works

The new Panorama plugin consumes session objects from the ISE pxGrid service. Each session object contains a TrustSec SGT and the IP address of the device. The plugin then pushes the IP and SGT mapping to the firewalls. This improves on previous approaches because customers can use the tags to configure DAGs for security policy enforcement. With the new Panorama plugin, you can now use these tags in the Palo Alto Networks Next-Generation Firewall security policy and enforce segmentation and access.

Ready to Install Now?
The plugin requires Panorama with version 9.0 or later and is capable of supporting both PA-Series physical appliances and the VM-Series virtualized firewalls. Since the plugin is optional and not built-in, you must install or upgrade it on Panorama to enable functionality. 

If you do not have a Panorama, we have an alternative open source solution gridMeld. Feel free to check out the above link to get integration with Cisco TrustSec.

Read more in our TechDocs article: Endpoint Monitoring for Cisco TrustSec.