
MERGING USER PERMISSION AND APPLICATION INFORMATION FOR TAGGING PACKETS

IP.com Disclosure Number: IPCOM000245387D
Publication Date: 2016-Mar-04
Document File: 7 page(s) / 64K

Publishing Venue

The IP.com Prior Art Database

Related People

Vinny Parla: AUTHOR [+4]

Abstract

A user has network access capabilities based on their group or on what is defined in policy; applications themselves have defined access capabilities assigned independently of the user. Packets and flows are associated with the merging of these two access capabilities to provide fine-grained access control in the network. The uniqueness lies in combining the application information into a policy decision that defines the routing capabilities of the Security Group Tag (SGT).

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 23% of the total text.

Page 01 of 7


AUTHORS:

Vinny Parla
Antonio Martin
Andrew Zawadowskiy
Donovan O'Hara

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

The concept of user/role-based tagging of frames through TrustSec Security Group Tags (SGTs) is known. When a user authenticates to the network, their packets are tagged with the user's trust level at the first hop in the network. Switches can then examine this tag and decide whether the packets are allowed to flow, are dropped, or are routed elsewhere. This helps the administrator discern the user, device and location, and it is a key component in policy management engines such as the Identity Services Engine (ISE), but it does not limit individual applications on the device: it pushes the device and user identity to the network for routing decisions, but not the application.

Currently, it is not possible to tag application information in a similar manner and, by extension, the data being sent in a flow. This information is needed to allow networks to make more intelligent decisions. For application-based routing, endpoints need to signal the application information to the network, but they are not trusted to tag packets with SGTs, nor does the application identify the user. What is needed is a way to link both the user and the application for routing.

Copyright 2016 Cisco Systems, Inc.

    Application identity identifies a specific application's network access; this can be leveraged to help increase a network's visibility into the end user's access. The purpose is to increase the network's and a firewall's visibility with the authoritative knowledge of a specific packet's or flow's originating application.

Currently, through TrustSec, network devices are able to tag packets and associate them with a user or a user's group. An example of this can be found in an ISE policy management deployment, where a switch tags all packets from a port with a specific SGT. This tag is used to route in the network.

It is desirable to be able to merge the application information with the user's SGT into an Application and User SGT (AUSGT). The client cannot be trusted to tag packets with the SGT based on its own authorization.

    The user has base access capabilities based on their group or what is defined in policy. These base access capabilities dictate the resources they can and cannot access in the network. Applications themselves will have defined access capabilities. These capabilities will prob...
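A worked illustration of the merge described above, added here and not part of the Cisco disclosure: the group and application permission tables, the tag numbering, and the rule that the merged capability is the intersection of the two sets are all assumptions made for the example. The decision is taken on the network side from the authenticated session plus the application name the endpoint reports, so the client never assigns its own tag.

```python
from dataclasses import dataclass

# Constructed sample policy (assumption, not from the disclosure): resources a
# user group may reach, and resources an application may reach.
USER_GROUP_ACCESS = {
    "finance":    {"erp-db", "file-share", "internet"},
    "contractor": {"file-share", "internet"},
}
APPLICATION_ACCESS = {
    "erp-client": {"erp-db"},
    "browser":    {"internet", "file-share"},
    "unknown":    set(),  # an application the policy does not know gets nothing
}
# Hypothetical tag numbering: the user SGT and an application id are carried
# together as the Application and User SGT (AUSGT).
USER_SGT = {"finance": 10, "contractor": 20}
APP_ID = {"erp-client": 1, "browser": 2, "unknown": 0}


@dataclass(frozen=True)
class AUSGT:
    user_sgt: int
    app_id: int
    allowed: frozenset  # merged capability set the network enforces


def merge_capabilities(group: str, application: str) -> AUSGT:
    """Merge user and application capabilities. Assumption: the merge is the
    intersection, so a flow only gets what BOTH policies permit."""
    app = application if application in APPLICATION_ACCESS else "unknown"
    allowed = USER_GROUP_ACCESS.get(group, set()) & APPLICATION_ACCESS[app]
    return AUSGT(USER_SGT.get(group, 0), APP_ID[app], frozenset(allowed))


def tag_flow(session_group: str, reported_app: str, destination: str) -> tuple:
    """Network-side decision for one flow. The endpoint only *reports* the
    application name; the group comes from the authenticated session and the
    tag is assigned here, never by the client (which is not trusted to tag)."""
    tag = merge_capabilities(session_group, reported_app)
    verdict = "permit" if destination in tag.allowed else "drop"
    return tag, verdict


if __name__ == "__main__":
    for group, app, dest in [("finance", "erp-client", "erp-db"),
                             ("finance", "browser", "erp-db"),
                             ("contractor", "erp-client", "erp-db")]:
        tag, verdict = tag_flow(group, app, dest)
        print(f"{group}/{app} -> {dest}: AUSGT({tag.user_sgt},{tag.app_id}) {verdict}")
```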