Visibility has always been a core component of building effective security policy, from the discovery phase, in which the behavior of the users and assets on a network is understood, through to the monitoring of the policy once it is implemented. Through the collection and analysis of NetFlow data from the network infrastructure, Cisco Stealthwatch has always proven invaluable in the development of effective segmentation policies. Through its integration with the Cisco Identity Services Engine (ISE) and the export of TrustSec Security Group Tag (SGT) values in NetFlow, Cisco Stealthwatch is also able to effectively model and monitor TrustSec group policy.

In a recent blog post, Kevin Regan discussed the policy plane integration between Cisco TrustSec and Cisco Application Centric Infrastructure (ACI) enabled with Cisco ISE version 2.1. This new enhancement in ISE 2.1 ensures consistent security policy by sharing contextual and policy group information between a TrustSec domain and an ACI domain. With ISE 2.1 it is now possible for an SGT defined in ISE for a TrustSec-enabled network to be translated to an Endpoint Group (EPG) defined in the ACI controller (APIC-DC) inside an ACI-enabled data center, and vice versa.

By creating a set of enterprise-wide groups, the policy plane integration between Cisco TrustSec and Cisco ACI also extends to Cisco Stealthwatch, giving Stealthwatch visibility into the unified TrustSec-ACI policy. Just as Stealthwatch was able to model and monitor TrustSec group policy, it can now model and monitor the unified group policy.

In the example below, a Security Group “pci_users” was defined in ISE and an Endpoint Group “EV_appProfile_LOB2_App1EPG” was defined in APIC-DC, and each was pushed to the network infrastructure in its respective domain. Through the policy plane integration, ISE is able to push the EPG definition into the TrustSec domain as well. When a network traffic flow occurs between a host in the “pci_users” Security Group and a host in the “EV_appProfile_LOB2_App1EPG” Endpoint Group, the network devices in the TrustSec domain export the EPG in the SGT NetFlow fields, and Stealthwatch is able to monitor the communication between SGT “pci_users” and EPG “EV_appProfile_LOB2_App1EPG” just as if the EPG were a Security Group.
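To make the mechanism concrete, the following added example (not Stealthwatch's or ISE's own code) shows how a monitor can treat a translated EPG exactly like a Security Group: it resolves the numeric tag values carried in the NetFlow SGT fields against a unified group table and checks each flow against a segmentation policy. The tag numbers, the policy, and the flow records are constructed assumptions; only the two group names come from the post.

```python
from dataclasses import dataclass

# Assumed unified group table: numeric tag value carried in the NetFlow SGT
# fields -> group name. Tag numbers are constructed placeholders, not real
# ISE or APIC identifiers; the two group names are the ones from the post.
GROUP_TABLE = {
    10: "pci_users",                   # Security Group defined in ISE
    20: "EV_appProfile_LOB2_App1EPG",  # EPG from APIC-DC, translated by ISE
    30: "guests",                      # constructed extra Security Group
}

# Assumed segmentation policy: permitted (source group, destination group,
# destination port) triples; any other fully tagged flow is a violation.
POLICY = {("pci_users", "EV_appProfile_LOB2_App1EPG", 443)}

@dataclass
class Flow:
    """One NetFlow record as exported by a TrustSec-enabled network device."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_sgt: int  # source tag from the NetFlow SGT field
    dst_sgt: int  # destination tag from the NetFlow SGT field

def resolve(tag: int) -> str:
    """Map a numeric tag to its group name; unmapped tags are flagged."""
    return GROUP_TABLE.get(tag, f"unknown-tag-{tag}")

def evaluate(flows):
    """Return (src group, dst group, dst port, verdict) for each flow."""
    results = []
    for f in flows:
        src, dst = resolve(f.src_sgt), resolve(f.dst_sgt)
        if (src, dst, f.dst_port) in POLICY:
            verdict = "permitted"
        elif src.startswith("unknown-tag") or dst.startswith("unknown-tag"):
            verdict = "unmapped-review"  # tag missing from the group table
        else:
            verdict = "violation"
        results.append((src, dst, f.dst_port, verdict))
    return results

# Constructed sample records, not a real capture.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.9.9.20", 443, 10, 20),  # pci_users -> EPG, allowed
    Flow("10.1.2.7", "10.9.9.20", 443, 30, 20),  # guests -> EPG, not allowed
    Flow("10.1.1.5", "10.9.9.21", 22, 10, 99),   # destination tag unmapped
]
```

Running `evaluate(SAMPLE_FLOWS)` classifies the first flow as permitted, the second as a violation, and the third for review because its destination tag has no entry in the unified group table.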


The figures below are two screenshots in Stealthwatch showing a flow between the “pci_users” Security Group and the “EV_appProfile_LOB2_App1EPG” Endpoint Group.



This first phase of integration between Stealthwatch, TrustSec and ACI allows organizations to model, monitor and validate their segmentation policies across the organization, reducing risk, making it easier to meet compliance goals, and reducing the effort required to manage complex and disparate security policies.


Matthew Robertson

Principal Engineer

Security Business Group