Professional Documents
Culture Documents
SIMPLIFIES SECURITY
August 2015
SAFE Simplifies Security | Introduction 2
Compliance Segmentation
Introduction
SAFE is a secure architectural framework example for business networks. SAFE simplifies complexity
using a model that focuses on the areas that a company must secure. Each area is treated with holistic
discussion of today’s threats and the capabilities needed to secure them. Critical challenges have been
deployed, tested, and validated at Cisco. These solutions provide guidance, complete with configuration
steps, to ensure effective and secure deployments for our customers.
Compliance Segmentation
Secure Domains
9 | Secure Cloud
5 | Secure Branch
6 | Secure Campus
10 | External Zones
7 | Secure Data Center
Best Practice Security
In
t
E er
ng n
in et
e Se
S a
e rc
rv h D
at
ic ab
e
Z ase
S Pu C o
e b o ne
rv lic m
Z er p P
o s lia C
S Sh ne A
Capability Flows Overview
e ar
rv e p Z nce I
o
i d p
Z ce S ne
o s e
ne r
Z ve
o r
ne
SAFE Simplifies Security | Best Practice Security Capability Flows Overview
W
W ire
ire le
S Sh le ss
e ar
rv e ss C
i d C o
Z ce o S nt
o s nt w ro
ne
ro itc le
C le h r
S r
C lou w
C R d
lo M -b C itc
ud S as h
W e e
rv d
e ic
b e
lo
S
e
cu V
ud
rit
y N irt
e ua
xt liz
-G e
e d
ne C
ra ap
tio ab
n ili
tie D
Fi
re s N
w e N
xt
al
l e
-G
at
xt
e a -G C
ne
ra e N
tio C ne e B
ra xt
E n tio -G
am
Fi e n e
ra
d re ne
w Fi
re p ra
g al
l
nt w
al
tio
n
nc
e C
e l Fi h
e
us
r re
N
nt w
e ra al
xt liz / R
e o
-G d
e M R
ut
e
ne an o r
ra R
tio ag ut
e o
n e r ut
e
m r
Fi e
re nt
w
al
W
A
N
4
SAFE Simplifies Security | Branch 5
Manager researching
product information
Wireless Controller
Return to Overview
L2/L3
Network
Host-based Posture Access Flow L2/L3 Firewall Next-Gen Anti- Flow AVC- Threat
Security Assessment Control + Analytics Network Intrusion Malware Analytics Application Intelligence
TrustSec Prevention Visibility VPN
System Control
Clerk processing
credit card transaction WAN
To Data Center
To Cloud
Secure Branch
Key Security Challenge
Branches are typically less secure than their campus and data center counterparts. Economics often dictate that it is cost prohibitive to duplicate
all the security controls typically found at larger locations when scaling to hundreds of branches. However, this makes them prime targets and
more susceptible to a breach. In response, it is important to include vital security capabilities while ensuring cost effective designs in the branch.
Integrated Services Router, Adaptive Adaptive Security Appliance, FirePOWER Services Module
Security Appliance, Wireless LAN Integrated Services Router, or Appliance, Meraki MX
Controller, Catalyst Switch Meraki MX
SAFE Simplifies Security | Campus 6
Wireless Controller
Return to Overview
L2/L3
Network
Host- Identity Posture Access Flow L2/L3 Firewall Next-Gen Anti- Access Threat Access Flow VPN
based Assess- Control + Analytics Network Intrusion Malware Control + Intelligence Control + Analytics
Security ment TrustSec Prevention TrustSec TrustSec
System
Salesmen accessing
customer database WAN
To Data Center
Secure Campus
Key Security Challenge
Campuses contain large user populations with a variety of device types and traditionally little internal security controls. Due to the large number of
security zones (subnets and VLANs), secure segmentation is difficult. Because of the lack of security control, visibility, and guest/ partner access,
campuses are prime targets for attack.
Integrated Services Router, Wireless Adaptive Security Appliance, Identity Services Engine,
LAN Controller, Catalyst Switch Aggregation Services Router, Meraki Mobile Device
Meraki MX Management
SAFE Simplifies Security | Data Center 7
Next-Gen
Intrusion
To Campus
Host-based Prevention Load Flow
Security System Firewall Balancer Switch Analytics
Database Next-Gen
Zone Threat Access Intrusion Access
Intelli- Control + Anti- Prevention L2/L3 Control +
gence TrustSec Malware System Firewall Network TrustSec VPN
PCI
Compliance
Zone
Next-Generation Firewall Router WAN
App Server L2/L3
Zone Network
Shared
Services Policy/
Configuration
Visibility/
Context
Analysis/
Correlation
Analytics
Zone
Virtualized Capabilities
Logging/ Threat Vulnerability Monitoring
Reporting Intelligence Management
To Edge
Return to Overview
FirePOWER Services Module, Adaptive Security Appliance, Load Balancer Technology Partner
Appliance, Virtual, Firepower Aggregation Services Router,
9300 Appliance Firepower Appliance
To Campus
Email Web
Security Security
Next-Generation Firewall
Public
Servers
Zone
Host- Web Load Transport L2/L3 Anti- Next-Gen Firewall Access AVC- Threat Distributed L2/L3
based Application Balancer Layer Network Malware Intrusion Control + Application Intelligence Denial of Network
Security Firewall Security Prevention TrustSec Visibility Service
VPN
Off-Load System Control Concentrator
To External Zones
To Cloud
To Branch
To Edge
Host-based
Security
Shared
Internet
Services
Zone
Cloud-based
CRM Service
Internet Search
Engine Service
Threat Anomaly AVC- Web Anti-Malware Internet
Intelligence Detection Application Reputation/
Visibility Filtering
Control
Return to Overview
Secure Cloud
Key Security Challenge
The majority of cloud security risk stems from loss of control, lack of trust, shared access, and shadow IT. Service
Level Agreements (SLAs) are the primary tool for businesses to dictate control of security capabilities selected in
cloud-offered services. Independent certification and risk assessment audits should be used to improve trust.
Adaptive Security Appliance, Cisco FirePOWER Services Cloud Web Security, Web
Integrated Services Router, on ASA and UCS-E Security Appliance, Meraki MX,
AnyConnect, Meraki MX Partner OpenDNS
To Edge Internet
EXTERNAL ZONES
Customers
Key Security Challenge
Securing connections to service offerings is the
Field engineer primary goal when establishing communications
submitting with customers outside of the corporate
work order Host-based Identity Posture VPN enterprise. A breach or loss of data creates an
Security Assessment immediate and heightened lack of trust resulting
in loss of commerce.
Remote Workers
Next-Generation Firewall Key Security Challenge
Securing remote access for employees
Technician connecting to the corporate enterprise from
remotely untrusted sites (such as coffee shops and
checking logs Host-based Firewall Next-Gen Web Anti- VPN hotels) is critical for maintaining data security.
Security Intrusion Reputation/ Malware Identity-aware access controls, posture
Prevention Filtering
System assessments, and encryption enforce a
consistent set of policies before allowing access.
External Zones
Businesses are Connected to Risk
Recent breaches underscore the need to consider the full ecosystem of your partners, customers, vendors, and employees. Traditional perimeter defenses
are not sufficient for the attack vectors present today. Identity aware, policy enforced, and threat anomalies must accompany relationships to secure trust.
Adaptive Security Appliance, Cisco FirePOWER Services Cloud Web Security, Web
Integrated Services Router, on ASA and UCS-E Security Appliance, Meraki MX,
AnyConnect, Meraki MX Partner OpenDNS