SAFE

SIMPLIFIES SECURITY

August 2015
SAFE Simplifies Security | Introduction 2

Compliance Segmentation

Security Intelligence Threat Defense

Management Secure Services

The Key to SAFE organizes the complexity of holistic

security into Places in the Network (PINs) and Secure
Domains. PINs are reference examples of locations
found in networks, and Secure Domains are the
taxonomical areas used to protect them.

Introduction
SAFE is a secure architectural framework example for business networks. SAFE simplifies complexity
using a model that focuses on the areas that a company must secure. Each area is treated with holistic
discussion of today’s threats and the capabilities needed to secure them. Critical challenges have been
deployed, tested, and validated at Cisco. These solutions provide guidance, complete with configuration
steps, to ensure effective and secure deployments for our customers.

For more information, visit cisco.com/go/safe

SAFE Simplifies Security | Secure Domains
Secure Domains
Secure Services
Provides technologies such as access control,
virtual private networks, and encryption. It
includes protection for insecure services
e.g., applications, collaboration, and wireless.
Compliance
Addresses policies, both internal and external.
It shows how multiple controls can be
satisfied by a single solution. Examples of
external compliance include PCI, HIPAA,
and Sarbanes-Oxley (SOX).
Compliance
Security Intelligence
Management
Threat Defense
Provides visibility into the most evasive
and dangerous cyber threats. It uses
network traffic telemetry, reputation, and
contextual information for that visibility.
Enables assessment of the nature and the
potential risk of the suspicious activity so
that the correct next steps for cyber
threats can be taken.
Security Intelligence
Provides global detection and aggregation of
emerging malware and threats. It enables an
infrastructure to enforce policy dynamically, as
reputations are augmented by the context of
new threats. This enables accurate and timely
security protection.
Segmentation
Threat Defense
Secure Services
Segmentation
Establishes boundaries for both data and
users. Traditional manual segmentation
uses a combination of network addressing,
VLANs, and firewalling for policy
enforcement. Advanced segmentation
leverages identity-aware infrastructure
to enforce policies in an automated and
scalable manner, greatly reducing
operational challenges.
Management
Management of devices and systems using
centralized services is critical for consistent
policy deployment, workflow change
management, and the ability to keep systems
patched. Management coordinates policies,
objects, and alerting.
 8 | Secure Edge

9 | Secure Cloud
5 | Secure Branch

6 | Secure Campus

10 | External Zones
7 | Secure Data Center
Best Practice Security

In
t
E er
ng n
in et
e Se
S a
e rc
rv h D
at
ic ab
e
Z ase
S Pu C o
e b o ne
rv lic m
Z er p P
o s lia C
S Sh ne A
Capability Flows Overview

e ar
rv e p Z nce I
o
i d p
Z ce S ne
o s e
ne r
Z ve
o r
ne
SAFE Simplifies Security | Best Practice Security Capability Flows Overview

W
W ire
ire le
S Sh le ss
e ar
rv e ss C
i d C o
Z ce o S nt
o s nt w ro
ne
ro itc le
C le h r
S r
C lou w
C R d
lo M -b C itc
ud S as h
W e e
rv d
e ic
b e
lo
S
e
cu V
ud
rit
y N irt
e ua
xt liz
-G e
e d
ne C
ra ap
tio ab
n ili
tie D
Fi
re s N
w e N
xt
al
l e
-G
at
xt
e a -G C
ne
ra e N
tio C ne e B
ra xt
E n tio -G
am
Fi e n e
ra
d re ne
w Fi
re p ra
g al
l
nt w
al
tio
n
nc
e C
e l Fi h
e
us
r re
N
nt w
e ra al
xt liz / R
e o
-G d
e M R
ut
e
ne an o r
ra R
tio ag ut
e o
n e r ut
e
m r
Fi e
re nt
w
al
W
A
N
4
SAFE Simplifies Security | Branch 5

Manager researching
product information

Wireless Controller
Return to Overview
L2/L3
Network

Host-based Wireless Wireless Posture Access Flow

Security Intrusion Assessment Control + Analytics
Prevention TrustSec
Web
Security
Services
Switch Next-Generation Firewall/Router

Host-based Posture Access Flow L2/L3 Firewall Next-Gen Anti- Flow AVC- Threat
Security Assessment Control + Analytics Network Intrusion Malware Analytics Application Intelligence
TrustSec Prevention Visibility VPN
System Control

Clerk processing
credit card transaction WAN
To Data Center

To Cloud

Secure Branch
Key Security Challenge
Branches are typically less secure than their campus and data center counterparts. Economics often dictate that it is cost prohibitive to duplicate
all the security controls typically found at larger locations when scaling to hundreds of branches. However, this makes them prime targets and
more susceptible to a breach. In response, it is important to include vital security capabilities while ensuring cost effective designs in the branch.

Top Threats Mitigated

• Endpoint malware (e.g., POS malware) • Wireless infrastructure exploits (e.g., rogue AP, MitM)
• Unauthorized/malicious client activity • Exploitation of trust

Capability Product Capability Product Capability Product

Cloud Web Security, Cisco Advanced Malware AnyConnect Agent, Centralized

Meraki MX, Protection for Networks Identity Services Engine
FirePOWER URL

Adaptive Security Appliance, Wireless Controller/Catalyst Switch, Cisco Advanced Malware

Integrated Services Router, Centralized Identity Services Engine Protection for Endpoint,
Meraki MX AnyConnect, Anti-Virus (partner)

Cisco Collective Security Cisco FirePOWER Services on Centralized Mobility Services

Intelligence, Cisco Talos Adaptive Security Appliance, Engine, Centralized Wireless
Security Intelligence UCS-E, or FirePOWER Appliance LAN Controller, Meraki

Integrated Services Router, Adaptive Adaptive Security Appliance, FirePOWER Services Module
Security Appliance, Wireless LAN Integrated Services Router, or Appliance, Meraki MX
Controller, Catalyst Switch Meraki MX
SAFE Simplifies Security | Campus 6

CEO sending email

to shareholders

Wireless Controller
Return to Overview

L2/L3
Network

Host- Wireless Wireless Identity Mobile Posture Access Flow

based Intrusion Device Assess- Control + Analytics
Security Prevention Manage- ment TrustSec
ment

Switch Next-Generation Firewall Router

Host- Identity Posture Access Flow L2/L3 Firewall Next-Gen Anti- Access Threat Access Flow VPN
based Assess- Control + Analytics Network Intrusion Malware Control + Intelligence Control + Analytics
Security ment TrustSec Prevention TrustSec TrustSec
System

Salesmen accessing
customer database WAN
To Data Center

Secure Campus
Key Security Challenge
Campuses contain large user populations with a variety of device types and traditionally little internal security controls. Due to the large number of
security zones (subnets and VLANs), secure segmentation is difficult. Because of the lack of security control, visibility, and guest/ partner access,
campuses are prime targets for attack.

Top Threats Mitigated

• Phishing • Unauthorized network access • BYOD — Larger attack surface/increased risk of data loss
• Web-based exploits • Malware propagation • Botnet infestation

Capability Product Capability Product Capability Product

Cloud Web Security, Centralized Cisco Advanced Malware AnyConnect Agent,

Web Security Appliance Protection for Networks Identity Services Engine

Adaptive Security Appliance, Wireless Controller/ Cisco Advanced Malware

Integrated Services Router, Catalyst Switch, Protection for Endpoint,
Meraki MX Identity Services Engine AnyConnect, Anti-Virus (partner)

Cisco Collective Security Cisco FirePOWER Services on Mobility Services Engine,

Intelligence, Cisco Talos Adaptive Security Appliance, Wireless LAN Controller
Security Intelligence UCS-E, or FirePOWER Appliance

Integrated Services Router, Wireless Adaptive Security Appliance, Identity Services Engine,
LAN Controller, Catalyst Switch Aggregation Services Router, Meraki Mobile Device
Meraki MX Management
SAFE Simplifies Security | Data Center 7

Next-Gen
Intrusion
To Campus
Host-based Prevention Load Flow
Security System Firewall Balancer Switch Analytics

Database Next-Gen
Zone Threat Access Intrusion Access
Intelli- Control + Anti- Prevention L2/L3 Control +
gence TrustSec Malware System Firewall Network TrustSec VPN

PCI
Compliance
Zone
Next-Generation Firewall Router WAN
App Server L2/L3
Zone Network

Web Centralized Management

Application
Flow
Firewall
Analytics

Shared
Services Policy/
Configuration
Visibility/
Context
Analysis/
Correlation
Analytics

Zone

Virtualized Capabilities
Logging/ Threat Vulnerability Monitoring
Reporting Intelligence Management
To Edge

Return to Overview

Secure Data Center

Key Security Challenge
Data centers contain the majority of information assets and intellectual property. These are the primary goal of all targeted attacks, and thus require the highest level
of effort to secure. Data centers contain hundreds to thousands of both physical and virtual servers, segmented by application type, data classification zone, and
other methods. Creating and managing proper security rules to control access to (north/south) and between (east/west) resources can be exceptionally difficult.

Top Threats Mitigated

• Data exfiltration (data loss) • Unauthorized network access (e.g., application compromise, • Botnet infestation (e.g., scrumping)
• Malware propagation data loss, privilege escalation, reconnaissance)

Capability Product Capability Product Capability Product

Adaptive Security Appliance, Adaptive Security Appliance, Web Application Firewall

Virtual Security Gateway, Aggregation Services Router Technology Partner
Firepower 9300 Appliance

FirePOWER Services Module, Adaptive Security Appliance, Load Balancer Technology Partner
Appliance, Virtual, Firepower Aggregation Services Router,
9300 Appliance Firepower Appliance

Cisco Collective Security Cisco Advanced Malware Cisco Advanced Malware

Intelligence, Cisco Talos Protection for Networks Protection for Endpoint,
Security Intelligence AnyConnect, Anti-Virus (partner)

Netflow Generation Appliance, Nexus/Catalyst Switch

Lancope FlowSensor,
Adaptive Security Appliance
SAFE Simplifies Security | Edge 8

To Campus

Flow Analytics Return to Overview

Email Web
Security Security

Next-Generation Firewall

Public
Servers
Zone
Host- Web Load Transport L2/L3 Anti- Next-Gen Firewall Access AVC- Threat Distributed L2/L3
based Application Balancer Layer Network Malware Intrusion Control + Application Intelligence Denial of Network
Security Firewall Security Prevention TrustSec Visibility Service
VPN
Off-Load System Control Concentrator

To External Zones

To Cloud

Secure Edge Internet

Key Security Challenge

The Internet Edge is the highest risk PIN because it is the primary ingress point for public traffic and the primary egress point to the Internet.
Simultaneously, it is the critical resource that businesses need in today’s Internet-based economy.

Top Threats Mitigated

• Webserver vulnerabilities • DDoS
• Data loss • Man-in-the-Middle

Capability Product Capability Product Capability Product

Adaptive Security Appliance, Cisco Advanced Malware Web Application Firewall

Aggregation Services Router Protection for Networks Technology Partner

Cisco Collective Security Web Security Appliance, Cisco Advanced Malware

Intelligence, Cisco Talos Security Cloud Web Security Protection for Endpoint,
Intelligence AnyConnect, Anti-Virus (partner)

Adaptive Security Appliance, Email Security Appliance, FirePOWER Services Module

Aggregation Services Router, Cloud Web Security or Appliance, Meraki MX
Catalyst Switch

Adaptive Security Appliance, Transport Layer Security

Firepower 9300 Appliance, Offload Technology Partner
Meraki MX

FirePOWER Services Module Distributed Denial of Service

or Appliance Technology Partner
SAFE Simplifies Security | Cloud 9

To Branch

To Edge

Host-based
Security

Shared
Internet
Services
Zone
Cloud-based
CRM Service

Cloud Web Security

Internet Search
Engine Service
Threat Anomaly AVC- Web Anti-Malware Internet
Intelligence Detection Application Reputation/
Visibility Filtering
Control

Return to Overview

Secure Cloud
Key Security Challenge
The majority of cloud security risk stems from loss of control, lack of trust, shared access, and shadow IT. Service
Level Agreements (SLAs) are the primary tool for businesses to dictate control of security capabilities selected in
cloud-offered services. Independent certification and risk assessment audits should be used to improve trust.

Top Threats Mitigated

• Webserver vulnerabilities • Loss of access
• Virus and malware • Man-in-the-Middle

Capability Product Capability Product Capability Product

Adaptive Security Appliance, Cisco FirePOWER Services Cloud Web Security, Web
Integrated Services Router, on ASA and UCS-E Security Appliance, Meraki MX,
AnyConnect, Meraki MX Partner OpenDNS

Adaptive Security Appliance, Advanced Malware Cisco Advanced Malware Protection

Integrated Services Router, Protection for Endpoint, Anti-Virus (partner),
Meraki MX AnyConnect
SAFE Simplifies Security | External Zones 10

To Edge Internet

EXTERNAL ZONES

Customers
Key Security Challenge
Securing connections to service offerings is the
Field engineer primary goal when establishing communications
submitting with customers outside of the corporate
work order Host-based Identity Posture VPN enterprise. A breach or loss of data creates an
Security Assessment immediate and heightened lack of trust resulting
in loss of commerce.

Remote Workers
Next-Generation Firewall Key Security Challenge
Securing remote access for employees
Technician connecting to the corporate enterprise from
remotely untrusted sites (such as coffee shops and
checking logs Host-based Firewall Next-Gen Web Anti- VPN hotels) is critical for maintaining data security.
Security Intrusion Reputation/ Malware Identity-aware access controls, posture
Prevention Filtering
System assessments, and encryption enforce a
consistent set of policies before allowing access.

Third-Party Vendors and Partners

Key Security Challenge
Customer Insecure access by partners and vendors can
quickly compromise business operations.
updating
Host-based Implement granular access controls, anomaly
profile Security detection, and SLAs to block unauthorized access
Return to Overview
and exploitation of trust.

External Zones
Businesses are Connected to Risk
Recent breaches underscore the need to consider the full ecosystem of your partners, customers, vendors, and employees. Traditional perimeter defenses
are not sufficient for the attack vectors present today. Identity aware, policy enforced, and threat anomalies must accompany relationships to secure trust.

Top Threats Mitigated

• Endpoint malware • Exploitation of trust
• Unauthorized/malicious client activity • Man-in-the-Middle

Capability Product Capability Product Capability Product

Adaptive Security Appliance, Cisco FirePOWER Services Cloud Web Security, Web
Integrated Services Router, on ASA and UCS-E Security Appliance, Meraki MX,
AnyConnect, Meraki MX Partner OpenDNS

Adaptive Security Appliance, Advanced Malware Cisco Advanced Malware Protection

Integrated Services Router, Protection for Endpoint, Anti-Virus (partner),
Meraki MX AnyConnect