Safe Overview Guide

SAFE Overview Guide
Threats, Capabilities, and the

Security Reference Architecture
January 2018
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Contents January 2018
Contents
3 The Need for SAFE
4 What is SAFE?
The SAFE Security Reference Model 5
The SAFE Method 5
6 How to Use SAFE

The three phases of SAFE 8
SAFE’s toolkit and collateral simplify the discussion 10
11 Attack Surface
12 Securing the Attack Surface
13 Business Flows
Functional Controls 14
15 Capabilities
The Business Flow Capability Diagram 19
20 Places in the Network

27 Secure Domains
34 SAFE Capabilities
41 The SAFE Architecture
48 Summary
49 Appendix
© 2018 Cisco and/or its affiliates. All rights reserved.

This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The Need for SAFE January 2018
The Need for SAFE

Today, attacks like phishing, ransomware, and Complexity is one of the main challenges
advanced persistent threats are common. No facing security professionals. Technology
single product can successfully secure your constantly fragments into new uses, and
business from these risks. An architectural organizations utilize dozens of products
approach that addresses the full range—from that do not interoperate seamlessly. This
people, to devices, to applications—is needed. multiplies attack surfaces, which in turn
Your data flows from offices to the data complicates defenses. Fraudsters exploit this
center to the cloud. And you must understand weakness to develop advanced threats for
where your data is to protect it. more lucrative schemes.
Cisco’s John Chambers famously said, The industry desperately needs a resource
“There are two types of companies: ones that simplifies the problem. The solution must
that have been breached and those that do be comprehensive, credible, and about more
not realize it…” When attackers violate your than just products; it needs to focus on the
network, having a threat defense that helps threats to your business.
you react and minimize the impact of the
SAFE meets this need.
attack is critical.
curity Guarantee
Se d
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | What is SAFE? January 2018
What is SAFE?
SAFE is a security model and method used in a language that changes the way we think
to secure business. It focuses on threats—and about security. It uses simple concepts to focus
best practices for defending against them. on the complexities of today, so that we’re
SAFE illustrates today’s business challenges prepared for the challenges of tomorrow.
Compliance Segmentation
Security Intelligence Threat Defense
Management Secure Services
Figure 1 Key to SAFE.
Places in the Network (PINs) Domains
SAFE provides the Key to simplify cybersecurity into

Secure Places in the Network (PINs) for infrastructure
and Secure Domains for operational guidance.
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | What is SAFE? January 2018
The SAFE Security The SAFE Method

Reference Model The SAFE method customizes the model
for individual companies. Using the SAFE
Using a security reference model, the
toolkit and collateral, companies can analyze
challenges of securing today’s business
the threats and risks to their own business.
functions are simplified into a building
Contact your Cisco account team to use the
block approach. The model incorporates
method in a guided SAFE workshop. The
today’s security best practices, architectural
workshop can be refreshingly helpful because
discussions, and laboratory-tested designs
it brings departments of the company together
from the brightest security minds across
that might not normally interact. Executives
Cisco, its customers, and partners. SAFE’s
come together with stakeholders from
Cisco Validated Designs address critical
business and compliance as well as security
security topics. They have been deployed,
and Infrastructure technologists to map out
tested, and they document “how to do it.”
concerns related to how security affects the
SAFE includes: business. The workshop results in a tailored
security architecture for your business.
• Business use cases illustrating the surface
that fraudsters can attack
• Security capabilities mapped to common
threats within business use cases
• Reference architectures that logically arrange
the security capabilities into blueprints
• Designs using the reference architectures for
common deployment scenarios and solutions
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | How to Use SAFE January 2018
How to Use SAFE

SAFE is not a single answer. coming from the cloud present additional
business security concerns. SAFE provides
The model is a reference for common
guidance to common business functions that
threats, risks, and policies across the
require security capabilities, culminating in a
business of a company. This does not mean
reference for end-to-end security.
that all companies are the same. Obviously,
the concerns of retailers are not the same The SAFE method customizes the best
as the needs of healthcare organizations. practices of the reference model to individual
However, when viewing the challenges of companies. It ensures that business goals
security in its entirety, patterns begin to are measurably secured according to each
emerge. Regardless of the industry, certain company’s security policy and risk appetite,
business methods are likely to be employed using the following steps:
and, consequently, exploited. Foundational
• Identify business goals
capabilities and functional controls are
• Break down the network into
necessary to defend the attack surface. For
manageable pieces
example, access to the network, utilization of
business applications, and communications • Establish a criteria for the success
using email are common across all of the business
companies. Connections to the Internet • Categorize risks, threats, and policies
for web browsing and to access services • Build the security solution
Table 1 The SAFE Model Icons
Phase/Example Icon Description Function
The Key to SAFE provides the Key to simplify cybersecurity

Key Organizational Model into Secure Places in the Network (PINs) for infrastructure and
Secure Domains for operational guidance.
Business Business flows use colored lines to depict use cases and show
Use Case
Flow where data flows through a network.
Unauthorized Packets.
Threat This threat is blocked The top security threats of an organization are catalogued.
by firewalls.
Capability Firewall Capabilities are used to describe security functions.
Logical Router. This

Architecture logical router has Architectures are used to logically arrange the security capabilities.
firewall capability.
G0: G1:
Return to Contents Design 4451x with Firewall Designs are used to provide specific products and services.
This document is Cisco Public Information. 4451-x
The three phases of the SAFE method are:
1
Capability phase
Business flows, or use cases, are defined in this phase. Using them as a basis,
security capabilities are applied to address threats, risks, and policy.
Small Branch Capabilities and Business Flows
Clerk Payment Application

Secure applications for PCI: Clerk processing credit card transaction
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Firewall
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Expert Colleague
Secure communications for collaboration: Subject matter expert consultation
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec Posture Identity Client-Based
Security Assessment Prevention Analytics Intelligence Malware Assessment Security
Thermostat Remote Technician

Secure remote access for third party: Connected device with remote vendor support
DNS Security Identity Firewall Intrusion Flow Threat Anti- TrustSec VPN Posture Client-Based Identity
Prevention Analytics Intelligence Malware Assessment Security
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
System (WIPS)
Figure 1 In the capability phase, business flows are analyzed to determine the required security capabilities.
Return to Contents
2
Firepower Appliance
Architecture phase
A logical security architecture is defined using the security
capabilities that were identified in the business flows.
Small Branch Architecture

HUMAN DEVICES NETWORK APPLICATIONS
ATTACK ATTACK ATTACK ATTACK
SURFACE SURFACE SURFACE SURFACE
Secure Web
Branch Manager
browsing information Corporate Device
Guest Wireless
Customer
browsing prices Wireless Guest Wireless
Access Point
Secure Applications
Clerk processing Router

Corporate Device Access Switch
credit card
Secure Communications Product

Information
Website
Subject Matter
Expert Employee Phone
Comparative
Shopping Website
Secure Third Parties
Building Controls
Environmental Controls Server
Payment
Processing
Business Endpoints Access Services

Use Cases Remote Colleague
Third-party Technician
accessing logs

Firewall
Employee Website
Figure 2 In the architecture phase,

Expert Colleague
security capabilities are arranged into
Client-Based Identity Posture Firewall Intrusion Flow

a logical architecture. Note that the
Threat Anti- TrustSec Posture Identity Client-Based
Security Assessment Prevention Analytics
business flows can still be identified.
Intelligence Malware Assessment Security

Guest Website
System (WIPS)
Return to Contents
3
Design phase
Using the security architecture, a specific design is created
to implement the required security capabilities, complete with
a product list, configuration, services, and cost.
Small Branch Design

Corporate Laptop AIR-CAP3702E-A-K9
FP-AMP-LC
Secure Web UMBRELLA-SUB
WIRELESS SSID:EMPLOYEE
Host Firewall
G0/1
Guest Device
MANAGEMENT VLAN
WDATA VLAN
VOICE VLAN
Guest Wireless UMBRELLA-SUB

L-FP4351-TAMC UCS-E160S-M3
WIRELESS SSID:GUEST
Branch Point of Sale

G1/11
UCS-E 2/0/0 UCS-E 1/0/0
WS-C3560CX-12PC-S
FP-AMP-LC
Secure Applications UMBRELLA-SUB P0 G1/5 G1/1
TRUNK
G0/1 G3/0/1
PCI VLAN
Host Firewall
G1/6 G1/10
ISR4351-K9
Corporate Computer CP-9951-C-K9
FP-AMP-LC
Secure Communications UMBRELLA-SUB P1 P0
DATA VLAN
Host Firewall VOICE VLAN
Building Controls
Firepower Appliance

VENDOR VLAN

Use Cases

HUMAN DEVICES ATTACK SURFACE
NETWORK APPLICATIONS
SURFACE SURFACE HUMAN SURFACE
DEVICES NETWORK SURFACEAPPLICATIONS
Secure Web
Branch Manager
Secure Web
Guest Wireless
Branch Manager
Corporate Device Customer
Figure 3 In this phase, the
browsing information Wireless Guest Wireless
design is created to implement

browsing prices
Access Point
Secure Applications
the logical architecture. Although
the emphasis is on the specifics
Guest Wireless Clerk processing
credit card
of the solution, the original
Router
business flows are still present.

Customer Secure Communications Product
browsing prices Wireless Guest Wireless Information

Website
Access Point
Subject Matter
Expert Employee Phone
Comparative
Shopping Website

Secure Applications
Building Controls
Payment
Processing

credit card
Corporate Device Business
Access Switch Endpoints Access Services
Return to Contents Use Cases Remote Colleague

Secure Communications accessing logs

10
SAFE’s toolkit and SAFE tools include:
collateral simplify • Capability icons to represent business flows

and the appropriate security controls
the discussion • Architecture guides to reference appropriate
layers of security and their justifications
SAFE bridges the gap between business • Design guides that provide solutions
and technical audiences by providing a with step-by-step instructions on how
communal security-centric language for to configure the infrastructure based on
business concerns and technical solutions. Cisco’s validated laboratory testing
Using innovative icons, each business line
can visualize the security required, including
accounting for the gaps.
KEY TO SAFE
THE
Design Guides Design Guides

Architecture Guides Operations Guides
Threat and
Capability Guide
Secure Secure
Data Center Services
Secure
Cloud SAFE Threat
Defense
Overview
Secure
WAN Segmentation
Secure Compliance
Internet Edge
YOU ARE
Secure Security
Branch HERE Intelligence
Secure Management
Campus
Figure 4 SAFE Guidance Hierarchy
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Attack Surface January 2018
11
Attack Surface
The attack surface of a company is anyone or anything that can be targeted.
Any human, using any device, on any network, accessing any application can be attacked.
HUMAN Know who is on your network
DEVICE Know that devices are not infected
NETWORK Networks can be compromised
APPLICATIONS Services can be exploited
Users Endpoints Wired Wireless Analysis WAN Cloud Services

Attack Surface
Employees Client Network Wireless Public WAN Public/Hybrid Application

Connection Cloud
Rogue Infection Unauthorized Rogue Walware Untrusted Untrusted Infection
Threat Figure 5 The attack surface that needs to be secured. Attack Surface
Return to Contents
SAFE Overiew Guide Capabilities and Threats January 2018
12
Securing the Attack Surface

The attack surface needs to be secured by appropriate capabilities. Each target may be part of
a larger overall attack. By identifying a company’s business flows which represent the companys
attack surface, proper security capabilities can be applied.

Attack Surface
Employees, Client Network Wireless Public WAN Public/Hybrid Application

Third Parties, Connection Cloud
Customers, and
Administrators
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Web Security Cloud Security Server-Based
Security Detection Security
Posture Intrusion Wireless Intrusion Threat Virtual Private

Assessment Prevention Prevention System Intelligence Network (VPN)
TrustSec Flow
Analytics
Figure 6 Security capabilities are applied logically to mitigate the threats along the attack surface.
Capability
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Business Flows January 2018
13
Business Flows
Three categories of users have a role on your SAFE’s color-coded business flows illustrate
network: the security needed for each role. These
flows depict the attack surface, ensuring
Internal: Internal flows are activities that
that controls are easily accounted for. For
employees perform on the company network.
example, when an employee goes online to
Third Party: Third-party flows are guests, do research, or a customer makes a purchase
vendors, service providers, or partners who on your e-commerce site, these activities
access the company network. provide fraudsters something to attack.
Customers: Customer flows can be a variety By documenting and planning the security
of services, such as website portals and of all business flows within your company,
customer information. maintaining security is simplified.
Policy, risks, and threats affect each of them,

requiring security capabilities for protection.
Employee Employee researching product information Website

Internal
Connected device with remote vendor support

Third Party
Customer Customer making purchase E-commerce

Customer
Figure 7 SAFE color codes business use cases as business flows.
Color Code
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Business Flows January 2018
14
Functional Controls
Functional controls are common security considerations that are derived from the technical
aspects of the business flows.
Secure Applications Applications require sufficient security controls for protection.
Secure East/West Traffic Data that securely moves between internal or external resources.
Secure Access Employees, third parties, customers, and devices securely

accessing the network.
Secure Remote Access Secure remote access for employees and third-party partners
that are external to the company network.
Secure Communications Email, voice, and video communications connect to potential

threats outside of company control and must be secured.
Secure Web Access Web access controls enforce usage policy and help prevent
network infection.
Functional Control
Employee Secure web access for employees: Employee researching product information Website
Internal
Third Party
Customer Secure applications for PCI: Customer making purchase E-commerce

Customer
Figure 8 Business flows reveal functional controls to be secured.
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
15
Capabilities
SAFE’s capability icons simplify the security Security capabilities are used to mitigate
discussion by putting the focus on the threats on the attack surface of a business
function necessary to perform a specific flow. The appropriate capability icons are
feature before identifying a product. applied along the business flow based on the
policy, risk, and threats of its attack surface.
For example, Cisco sells Adaptive Security
Appliances, Firepower appliances, Meraki For example, the “Employee researching
routers with firewalls, Cat6k with firewalls, product information” business flow is
and Cisco ISR with firewalls. For simplicity, analyzed from source to destination.
any of these are identified by their capability
(firewall). Subsequent SAFE steps will specify
model and feature requirements.
Figure 9 Business Flow with Required Security Capabilities
Employee Website
Source Destination
Firewall Intrusion Flow Threat

Prevention Analytics Intelligence
Security Capabilities
Return to Contents
16
Based on where they are applied on the business flows, security capabilities
can be grouped into three types: Foundational, Access, and Business.
Foundational Capabilities
Foundational Capabilities work together to protect applications and traffic. They use segmentation,
visibility, and analysis in a comprehensive architectural approach. All business flows require
foundational security capabilities.
Figure 10 Foundational Capability Group: Secure Applications and Secure East West Traffic
Employee Website
FOUNDATIONAL
Firewall Intrusion Flow Threat Anti- TrustSec

Prevention Analytics Intelligence Malware
Table 2 Foundational Capabilities
Security Capability Threat
Firewall:
Stateful filtering and protocol inspection Unauthorized access and malformed
between layers and the outside Internet packets between and within the branch.
and service provider connections.
Intrusion Prevention:
Attacks using worms, viruses, or other
Blocking of attacks by signatures
techniques.
and anomaly analysis.
Flow Analytics:
Traffic, telemetry, and data exfiltration from
Network traffic metadata identifying
successful attacks.
security incidents.
Threat Intelligence:
Contextual knowledge of existing Zero-day malware and attacks.
and emerging hazards.
Anti-Malware:
Malware distribution across networks or
Identify, block, and analyze malicious files
between servers and devices.
and transmissions.
TrustSec: Unauthorized access and malicious traffic

Policy-based segmentation. between branch layers.
Return to Contents
17
Access Capabilities
Access capabilities secure users, devices, and servers as they access or provide network services.
Figure 11 Access Capability Group: Secure Access
Employee Website
ACCESS
Client-Based Identity Posture

Security Assessment
Table 3 Access Capabilities
Client-/Server-based Security:
Security software for devices with
the following capabilities:
Anti-Malware Malware compromising systems.
Anti-Virus Viruses compromising systems.
Cloud Security Redirection of user to malicious website.
Unauthorized access and malformed

Personal Firewall
packets connecting to client.
Identity: Attackers accessing restricted

Identity-based access. information resources.
Posture Assessment:
Compromised devices connecting
Client endpoint compliance verification
to infrastructure.
and authorization.
Return to Contents
18
Business Capabilities
Business capabilities are used to secure risks introduced by business practices that are not
handled by the foundational and access groups. Email, web access, and remote access directly
connect to potential malicious entities (like the web, phishing, and compromised partners) which
are outside the control of a company and require additional security capabilities.
Figure 12 Business Capability Group: Secure Communications, Secure Web Access, Secure Remote Access
Employee Website
BUSINESS
AVC Web
Security
Table 4 Business Capabilities
Web Security:
Attacks from malware, viruses,
Web, DNS, and IP-layer security
and redirection to malicious URLs.
and control for the branch.
Email Security:
Infiltration and exfiltration via email.
Messaging integrity and protections.
Application Visibility and Control (AVC):

Deep packet inspection (DPI) Attack tools hiding in permitted applications.
of application flows.
Web Application Firewalling: Attacks against poorly-developed

Advanced application inspection and monitoring. applications.
DDoS Protection: Massively scaled attacks that

Protection against scaled attack forms. overwhelm services.
Virtual Private Network (VPN): Exposed services and data theft

Encrypted communication tunnels. of remote workers and third parties.
Return to Contents
19
The Business Flow business. This map is used as the basis for the
next phase in SAFE: The Security Architecture.
Capability Diagram See the Appendix for all of these SAFE use
cases with their capabilties.
Combining capabilities with business flows
creates a security capability map to the
Branch Capabilities Non-Branch Capabilities

Firewall
Employee Website
Internal
Expert Colleague

Third Party
Guest Website
Customer
System (WIPS)
Figure 13 The Secure Branch Business Flow Capability Diagram
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
20
Places in the Network

SAFE simplifies network security by providing PINs are locations that are commonly found
solution guidance using the Places in the in networks (see Figure 14) and conceptually
Network (PINs). represent the infrastructure deployed in
these locations. They are blueprints for
• Branch
the fundamentals that comprise today’s
• Campus
organizations: authentication, routing, switching,
• WAN wireless, firewall, intrusion detection, and so on.
• Data Center Specific industry guidance for healthcare, retail,
• Edge financial, and other verticals is covered in the
• Cloud Secure Domains.
Places in the Network (PINs)
Figure 14 Places in the Network
Return to Contents
21
Secure Branch
Branches are typically less secure than
Top Threats Mitigated in the Branch
their campus and data center counterparts.
• Endpoint malware (POS malware)
Economics often dictate that it is cost prohibitive
• Wireless infrastructure exploits (rogue AP,
to duplicate all the security controls typically Man in the Middle)
found at locations when scaling to hundreds • Unauthorized/malicious client activity
of branches. However, this makes branch • Exploitation of trust
locations prime targets and more susceptible
For a deeper discussion on defending attacks within
to a breach. In response, it is important to the Secure Branch, see www.cisco.com/go/SAFE.
include vital security capabilities while ensuring
cost-effective designs in the branch.
Figure 15 shows the progression of security

capabilities used to help defend against the
attacks common in a branch.

Attack Surface

Customers, and
Administrators
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Web Security Cloud Security Server-Based
Security Detection Security
Posture Intrusion Wireless Intrusion Threat Virtual Private

Assessment Prevention Prevention System Intelligence Network (VPN)
TrustSec Flow
Analytics
Figure 15 Secure Branch Attack Surface and Security Capabilities

Return to Contents
22
Secure Campus
Campuses contain large user populations
Top Threats Mitigated in the Campus
with a variety of device types and traditionally
• Phishing
few internal security controls. Due to the
• Web-based exploits
large number of security zones (subnets and
• Unauthorized network access
VLANs), secure segmentation is difficult. • Malware propagation
Because of the lack of security control, • BYOD—Larger attack surface/
visibility, and guest/partner access, campuses increased risk of data loss
are prime targets for attack. • Botnet infestation
Figure 16 shows the progression of security For a deeper discussion on defending attacks within
the Secure Campus, see www.cisco.com/go/SAFE.
capabilities that are used to help defend
against the attacks common in a campus.
Users Devices Wired Wireless Analysis WAN Cloud Applications

Attack Surface

Customers, and
Administrators
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Virtual Private Cloud Server-Based
Security Detection Network (VPN) Security Security
Posture Intrusion Wireless Intrusion Threat

Assessment Prevention Prevention System Intelligence
TrustSec Flow
Analytics
Figure 16 Secure Campus Attack Surface and Security Capabilities
Return to Contents
23
Secure Data Center

Data centers contain the majority of
Top Threats Mitigated in the Data Center
information assets and intellectual property.
• Data extraction (data loss)
These are the primary goals of all targeted
• Malware propagation
attacks and thus require the highest level
of effort to secure. Data centers contain (application compromise)
hundreds to thousands of physical and virtual • Botnet infestation (scrumping) data loss, privilege
servers that are segmented by application escalation, reconnaissance)
type, data classification zone, and other For a deeper discussion on defending
methods. Creating and managing proper attacks within the Secure Data Center,
security rules to control access to (north/ see www.cisco.com/go/SAFE.
south) and between (east/west) resources

can be exceptionally difficult.

capabilities that are used to help defend
against the attacks common in a data center.

Attack Surface
Employees, Client Network Wireless Public WAN Public/Hybrid Load Balancer Server
Customers, and
Administrators
Voice
Storage
Video
Security
Access Firewall Anti-Malware Web Application Server-Based

Firewall Security
Intrusion Detection Threat Intelligence Application Visibility Email Security

Control
Intrusion Prevention Flow Analytics SSL/TLS Offload Malware

Sandbox
Return to Contents Figure 17 Secure Data Center Attack Surface and Security Capabilities
24
Secure Edge
The edge is the highest-risk PIN because it
Top Threats Mitigated in the Edge
is the primary ingress point for public traffic
• Webserver vulnerabilities
from the Internet and the primary egress
• Distributed denial of service (DDoS)
point for corporate traffic to the Internet.
• Data loss
Simultaneously, it is the most critical business • Man-in-the-Middle (MitM)
resource in today’s Internet-based economy.
Figure 18 shows the progression of security the Secure Edge, see www.cisco.com/go/SAFE.
capabilities that are used to help defend against

the attacks common at the network edge.

Attack Surface
Employees, Client Network Wireless Public WAN Public/Hybrid Load Balancer Server
Customers, and
Administrators
Voice
Storage
Video
Security
Identity Firewall Mobile Device Anti-Malware VPN Concentrator Email Web Application Server-Based
Management Security Firewall Security
Intrusion Threat Distributed Denial Web Security Application Malware

Prevention Intelligence of Service Visibility Sandbox
Control (AVC)
Flow Web Reputation/ SSL/TLS

Analytics Filtering/DCS Offload
Figure 18 Secure Internet Edge Attack Surface and Security Capabilities
Return to Contents
25
Secure Cloud
The majority of cloud security risk stems from
Top Threats Mitigated in the Cloud
loss of control, lack of trust, shared access,
• Webserver vulnerabilities
and shadow IT. Service Level Agreements
• Loss of access
(SLAs) are the primary tool for businesses to
• Virus and malware
dictate control of security capabilities selected • Man-in-the-Middle (MitM)
in cloud-powered services. Independent
certification and risk assessment audits should
the Secure Cloud, see www.cisco.com/go/SAFE.
be used to improve trust.
Figure 19 shows the progression of

security capabilities used to help defend
against the attacks common in the cloud.

APPLICATIONS

Attack Surface
User Network Public Cloud Load Balancer Server
Storage
Security
Access Firewall Anti-Malware VPN Concentrator Cloud Web Application Visibility Server-Based
Security Control Security
Intrusion Detection Threat Intelligence Web Reputation/

Filtering/DCS
Intrusion Prevention Flow

Analytics
Figure 19 Secure Cloud Attack Surface and Security Capabilities
Return to Contents
26
Secure WAN
The WAN connects all company locations
Top Threats Mitigated in the WAN
together to provide a single point of control
• Malware propagation
and access to all resources. Managing
security and quality of service (QoS) policies
• WAN sniffing and MitM attacks
to control communication can be exceptionally
difficult and complex.
the Secure WAN, see www.cisco.com/go/SAFE.
capabilities used to help defend against the
attacks common in a WAN.

Attack Surface
Administrators Network
Security
Access Firewall Anti-Malware Virtual Private

Network
Intrusion Detection Threat Intelligence
Intrusion Prevention Flow Analytics
Figure 20 Secure WAN Attack Surface and Security Capabilities
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
27
Secure Domains
The Secure Domains represent the operational side of the Key. Operational security is divided
by function and the people in the organization that are responsible for them. Each domain has a
class of security capabilities and operational aspects that must be considered. (See Figure 21.)
Secure Services
Threat Defense
Segmentation
Compliance
Security Intelligence
Management
Figure 21 SAFE Model Secure Domains
Return to Contents
28
Management
Management of devices and systems using centralized services is critical for consistent
policy deployment, workflow change management, and the ability to keep systems patched.
Management coordinates policies, objects, and alerting.
Figure 22 shows the progression of security capabilities used for the operations of Management.
Policy/Configuration
Logging/Reporting USER
Time Synchronization
ION
APPLICAT
PINs
VIC E
DE
Vulnerability Monitoring
Management
NE
TW
ORK
Analysis/Correlation Anomaly
Detection
Figure 22 Management Domain Capabilities
Return to Contents
29
Security Intelligence
Security Intelligence provides global detection and aggregation of emerging malware and
threats. It enables an infrastructure to enforce policy dynamically, as reputations are augmented
by the context of new threats, providing accurate and timely security protection.
Figure 23 shows the progression of security capabilities used for the operations of Security
Intelligence.
User
De
vi
ce
Access
Client
Email Security Security
e
vic
Ser
Posture
Assessment
Application Server-Based
Visibility, Security
Wi r e d
Control Intrusion
Detection
Malware Intrusion
Web Application
Sandbox PINs Prevention
Firewall
Firewall
Web Security Web Reputation/ Wireless Intrusion Mobile Device

Filtering Prevention Management
s
le s
Clo
Flow Analytics
ir e
ud
Cloud Web Wireless Intrusion

W
Security Detection
Distributed Denial
of Service
Threat
Intelligence
Anti-Malware
WA is
N lys
Ana
Figure 23 Security Intelligence Capabilities
Return to Contents
30
Compliance
Compliance addresses internal and external policies. It shows how multiple controls can
be satisfied by a single solution. Examples of external compliance include PCI, HIPAA, and
Sarbanes-Oxley (SOX).
Figure 24 shows the progression of security capabilities used for Compliance.
User
De
vi
ce
Access
Client
e
Server-Based
vic
Security
Security
Ser
Wi r e d
TLS Offload
Web Application
Firewall Firewall
Intrusion
PINs Detection
Wireless Intrusion
Detection
s
Mobile Device
le s
Clo
Management
ir e
ud
Virtual Private
Network
WA is
N lys
Ana
Figure 24 Compliance Capabilities
Return to Contents
31
Segmentation
Segmentation establishes boundaries for data and users. Traditional manual segmentation uses
a combination of network addressing, VLANs, and firewalls for policy enforcement. Advanced
segmentation leverages identity-aware infrastructure to enforce automated and scalable policies.
Figure 25 shows the progression of security capabilities used for Segmentation.
User
De
vi
ce
Access
Client
Security
e
vic
Ser
Posture
Assessment
Wi r e d
Server-Based
Security
Firewall
PINs
Mobile Device
Management
s
le s
Clo
Flow Analytics
ir e
ud
Virtual Private
Network
Threat
Intelligence
WA is
N lys
Ana
Figure 25 Segmentation Capabilities
Return to Contents
32
Threat Defense
Threat Defense provides visibility into the most evasive and dangerous cyber threats. Using
network traffic telemetry, reputation, and contextual information, it enables assessment of the
nature and potential risk of the suspicious activity so you can take corrective action.
Figure 26 shows the progression of security capabilities used for the operations of Threat Defense.
User
De
vi
ce
Access
Client
Security
Email Security
e
vic
Ser
Posture
Assessment
Application Server-Based
Visibility,
Wi r e d
Security Intrusion
Control Detection
Intrusion
Web Application
Firewall
Malware
Sandbox PINs Prevention
Firewall
Wireless Intrusion Mobile Device

Prevention Management
Cloud Web
Security
s
le s
Clo
Flow Analytics
ir e
ud
Wireless Intrusion
Detection
W
Threat
Intelligence
Anti-Malware
WA is
N lys
Ana
Figure 26 Threat Defense Capabilities
Return to Contents
33
Secure Services
Secure Services provide technologies such as access control, virtual private networks, and
encryption. This domain includes protection for insecure services such as applications,
collaboration, and wireless.
Figure 27 shows the progression of security capabilities used for Secure Services.
User
De
vi
ce
Access
Email Security
e
Client
vic
Security
Ser
Server-Based
Application Security
Visibility,
Wi r e d
Control
Malware
Sandbox
TLS Offload
Web Application
PINs
Firewall
Cloud Web
Security
s
le s
Clo
Virtual Private
Network
ir e
ud
VPN Concentrator
WA is
N lys
Ana
Figure 27 Secure Services Capabilities
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
34
SAFE Capabilities
Capabilities describe the primary functions of a security service. Table 5 provides a definition
for the capabilities used in SAFE. The recommended products are mapped to each capability,
where and when it is used, and the top threats mitigated.
Table 5 Cisco Security Capabilities and Threats
Places in the Recommended

Attack Surface Capabilities Threats Network Products
Human
Users: Identity/Authorization: Unauthorized Secure Branch Identity Services

Employees, third Restriction of user Network Access: Engine
Secure Campus
parties, customers, access to services Attackers
and administrators. and resources. accessing Secure Cloud
restricted
Secure Data Center
information.
Secure Edge
Secure WAN
Devices
Client-Based Security: Malware: Secure Branch Cisco Advanced

Security software to Viruses or Malware Protection
Secure Campus
protect clients. malware for Endpoint
compromising Secure External
Anti-Virus
systems. Zones
AnyConnect
Malware Cisco Umbrella
Anti-Malware compromising
systems.
Viruses
Anti-Virus compromising
Clients: systems.
Devices such
as PCs, laptops, Redirection of
smartphones, user
tablets. Cloud Security
to malicious
website.
Unauthorized
access and
Personal Firewall
malformed
packets
Posture Assessment: Virus and Secure Branch AnyConnect Agent

Client endpoint Malware:
Secure Campus Centralized Identity
compliance verification Compromised
Services Engine
and authorization. devices Secure External
connecting to Zones
infrastructure.
Return to Contents
35

Secure Branch Cisco Unified

N/A: Attackers Communications
Voice: Secure Campus
Covered in Secure accessing private
Phone.
Services domain. information.
Secure Branch Cisco TelePresence

Video: N/A: Attackers Secure Campus
Displays, Covered in Secure accessing private
collaboration. Services domain. information.
Network
Firewall Segmentation: Unauthorized Secure Branch Adaptive

Stateful filtering and access and Secure Campus Security
protocol inspection. malformed Appliance
packets. Secure Cloud
Integrated
Secure External Services Router
Zones
Meraki MX
Secure WAN
Secure Data Center Adaptive Security

Secure Edge Appliance
Integrated Services
Router
Intrusion Detection Attacks using Secure Campus Cisco Firepower

and Prevention: worms, viruses, or Secure Data Center Services on
Identification of attacks other techniques. Adaptive Security
by signatures and Secure Edge Appliance
anomaly analysis. Secure External FirePOWER
Wired Network: Zones Appliance
Physical network
Secure WAN Firepower Virtual
infrastructure;
routers, switches, Appliance
used to connect
access, distribution, Secure Branch Cisco FirePOWER
core, and services Services on ASA
layers together and UCS-E
Meraki MX
Secure Cloud Firepower Virtual

Appliance
Access Control Unauthorized Secure Branch Wireless Controller/

+ TrustSec: Network Access: Catalyst Switch
Secure Campus
Contextual segmentation. Lateral spread of
Centralized Identity
inflitration.
Services Engine
Secure Data Center Adaptive Security

Appliance
Secure Edge
Aggregation
Services Router
Nexus/Catalyst
Switch
Return to Contents
36

Mobile Device Compromised Secure Edge Identity Services

Management (MDM): devices Engine
Endpoint access control connecting to
Meraki Mobile
based on policies. infrastructure.
Device
Management
Wireless Network: Wireless Rogue
Branches vary from Secure Branch Wireless LAN
Detection: Controller
having robust local Unauthorized Secure Campus
Detection and
wireless controller access Mobility Services
containment of malicious
security services and disruption of Engine
wireless devices that
to a central, cost- wireless network.
are not controlled by the Centralized Mobility
efficient model. company. Services Engine
Wireless Intrusion Centralized Wireless
Attacks on the
Prevention (WIPS): LAN Controller
infrastructure via
Blocking of wireless
wireless Cisco Meraki
attacks by signatures
technology.
and anomaly analysis.
Anti-Malware: Malware Secure Branch Cisco Advanced

Identify, block, and distribution across Malware Protection
Secure Campus
analyze malicious files networks or for Networks
and transmissions. between servers Secure Cloud
and devices.
Secure Data Center
Secure Edge
Secure WAN
Secure External Advanced Malware

Zones Protection
Threat Intelligence: Zero-day malware Secure Branch Cisco Collective

Contextual knowledge and attacks. Security Intelligence
Secure Campus
of emerging hazards.
Cisco Talos Security
Secure Cloud
Intelligence
Secure Data Center
Analysis: Secure Edge
Analysis of network
Secure WAN
traffic within the
campus. Flow Analytics: Traffic, telemetry, Secure Branch Integrated Services
Network traffic metadata and data Router
Secure Campus
identifying security exfiltration from
Adaptive Security
incidents. successful
Appliance
attacks.
Wireless LAN
Controller
Catalyst Switch
Secure Cloud Stealthwatch Cloud
Secure Data Center NetFlow Generation

Appliance
Secure Edge
Stealthwatch
Secure WAN
FlowSensor
Adaptive Security
Appliance
Return to Contents
37

VPN Concentrator: Exposed services Secure Edge Adaptive Security

Encrypted remote and data theft. Appliance
access.
Aggregation
Services Router
Virtual Private Easily collecting Secure Branch Adaptive Security

Network (VPN): information and Secure Campus Appliance
Encrypted communication identities. Integrated Services
tunnels. Router
Meraki MX
WAN: Secure Data Center Adaptive Security

Public and Appliance
untrusted Wide
Aggregation
Area Networks
Services Router
that connect to the
company, such as Firepower Appliance
the Internet.
Secure Cloud Adaptive Security
External Zones Appliance
Secure WAN Aggregation
Services Router
AnyConnect
Meraki MX
DDoS Protection: Massively Secure Edge Distributed Denial of

Protection against scaled scaled attacks Service Technology
attack forms. that overwhelm Partner
services.
Return to Contents
38

Cloud Security: Attacks from Secure Branch Cloud Web Security

Security and control for malware, viruses,
Secure Campus Meraki MX
the distributed enterprise. and malicious
URLs. Secure Cloud Firepower URL
Secure Data Center Web Security
Appliance
Secure Edge
Redirection of
AnyConnect Agent
user Secure External
DNS Security
to malicious Zones Cisco Umbrella
website. Secure Internet
Secure WAN
Gateway (SIG)
Unauthorized
Cloudlock
access and
malformed
Cloud-based Firewall
packets
connecting to
services.
Software-Defined Easily collecting

Cloud Perimeter information and
(SDP/SD-WAN): identities.
Web Security: Infiltration and

Internet access integrity exfiltration via
and protections. HTTP.
Web Reputation/ Attacks directing

Filtering: to a malicious
Tracking against URL.
URL-based threats.
Cloud Access Security

Broker (CASB) Unauthorized
access
and Data loss.
Applications
Web Application Attacks against Secure Data Center Web Application

Firewalling: poorly-developed Firewall Technology
Secure Edge
Advanced application applications. Partner
inspection and
monitoring.
Applications
Application Visibility Attack tools hiding Secure Branch FirePOWER

Control (AVC): in permitted Services Module
Secure Edge
Deep packet inspection applications. or Appliance
(DPI) of application flows.
Meraki MX
Cisco ASR
Return to Contents
39

TLS Encryption Offload: Theft of Secure Data Center Transport Layer

Hardware accelerated unencrypted Security Offload
Secure Edge
encryption of data traffic. Technology Partner
services.
Storage: Secure Branch NAS/SAN (Partner)

Information storage
Secure Campus
on all media types.
Secure Cloud
Secure Data Center
Secure Edge
Server-Based Security: Viruses or Secure Cloud Cisco Advanced

Security software to malware Malware Protection
Secure Data Center
protect hosts. compromising for Endpoint
systems. Secure Edge
AnyConnect
Cisco Umbrella
Anti-Virus
Anti-Malware:
Malware
Identify, block, and
distribution
analyze malicious files
across servers.
and transmissions.
Applications
Viruses
(continued) Anti-Virus compromising
systems.
Redirection of
user
Cloud Security
to malicious
website.
Unauthorized
access and
malformed
Host-based Firewall
packets
connecting to
server.
Email Security: Infiltration and Secure Data Center Email Security

Messaging integrity exfiltration via Appliance
Secure Edge
and protections. email.
Cloud Web Security
Malware Sandbox: Polymorphic Secure Branch Cloud Web Security

Detonation and analysis threats.
Secure Data Center Cisco Threatgrid
of file behavior.
Secure Edge
Return to Contents
40

Management
Logging/Reporting: Unauthorized All Prime Infrastructure

Centralized event network access Manager
information collection. or configuration.
Stealthwatch
Management
Console
Partner Tools
Policy/Configuration: Seizure of Prime Management

Unified infrastructure infrastructure Suite
management and or devices.
compliance verification.
Time Synchronization: Misdirection and All systems and

Device clock calibration. correlation of devices
attacks
Vulnerability Malicious device Firepower

Management: connected to Management
Continuous scanning infrastructure. Center
and reporting of
Identity Services
infrastructure.
Engine
Cisco Meraki
Analysis/ Correlation: Diverse and Firepower

Security event polymorphic Management
management of real-time attacks. Center
information.
Stealthwatch
Prime
SIEM partner
Anomaly Detection: Worm traffic that Fiepower

Identification of infected exhibits scanning Management
hosts scanning for other behavior. Center
vulnerable hosts.
Stealthwatch
Management
Console
AMP for Endpoints
Console
Monitoring: Traffic, telemetry, Stealthwatch

Network traffic and data
Cisco NAM
inspection. exfiltration from
successful Cisco NGA
attacks.
Partner Tools
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
41
The SAFE Architecture

The SAFE security reference architecture logically maps business flows to security capabilities
from the source to the destination using Places in the Network (PINs). Each PIN has
architectural layers that define where and why security controls are used.
Cloud PIN Edge Architecture Layer
Cloud
SERVICES NETWORK APPLICATIONS SERVICES
Anti-Malware Identity
Authorization
Database
vFirepower Appliance vSwitch Storage Server Zone
Threat Intelligence DNS Security
Payment
vFirepower Appliance vRadware Appliance vSwitch Secure Server Application
Web Reputation/ Distributed

Filtering/DCS Denial of Service
Protection
vRouter vSwitch
Anomaly
Detection
h
Application Visibility
Control (AVC) Workflow
Secure Server
Ed
vFirepower Appliance vSwitch Application
nc
Hosted
vFirepower Appliance vRadware Appliance vSwitch Secure Server E-Commerce
ge
Bra
Services Business
Use Cases
NETWORK
Branch Manager Email Security Switch Wireless Controller

browsing information Corporate Device Wireless Controller
Perimeter Services
Customer
Web Security Switch Firepower
Appliance
Trusted
Access Point
Untrusted Enterprise
Payment
Clerk processing Router Switch Firepower Switch Radware Switch Secure Server Application Switch
Corporate Device Access Switch Switch Router Appliance Appliance
credit card
DMZ
Subject Matter Firepower

Expert Employee Phone Appliance
VPN
Building Controls RA VPN Switch DMVPN

Product Information
Website

Use Cases Comparative
REMOTE USERS
Shopping Website
Wholesaler Website
Technician
submitting task
Customer Shareholder receiving

making purchase email from CEO
accessing logs

Internet
NETWORK SERVERS APPLICATIONS
CEO sending email Corporate Device Web Security Guest Wireless

to Shareholders
Wireless Controller Adaptive Security Radware Appliance Nexus Fabric Switch Hyperflex Server Database
Appliance
Guest browsing Wireless Guest Wireless Wireless Controller Switch

Access Point
Communications
Manager
Firepower Appliance Nexus Switch Nexus Fabric Switch Blade Server Payment
Application
r
nte
Employee browsing Corporate Device Switch Distribution Switch Core Switch Firepower Appliance Switch Router
Ca
Distribution Switch Nexus Switch
Subject Matter Employee Phone Firepower Appliance Switch

Expert
Workflow
Secure Server Firepower Appliance Nexus Switch Nexus Fabric Switch Secure Server
Application
Ce
Building Controls Environmental Controls Blade Server Communications

Manager
mp
Communication
FMC Adaptive Security Radware Appliance Secure Server
Services
Appliance
Business Endpoints Access Distribution Core Services NETWORK
Use Cases
Services Core Distribution Access Endpoints Business
Use Cases
BUILDING BLOCK CORE BLOCK

Router Switch Firepower Appliance Switch
ta
Services
us
Da
WA N
Figure 28 SAFE Model. The SAFE Model simplifies
complexity across a business by using Places in the
Network (PINs) that it must secure. Business Flows
Return to Contents
42
The Attack Surface and Architecture Layers

The SAFE architecture uses layers that align to the attack surface. Business use cases connect
through the network to application services. Each layer has standardized controls relating to its
function. Some layers provide access and visibility while others perform enforcement. Not all PINs
contain all layers (see further definition in the architecture guide for each Place in the Network).
Attack Surface
Figure X Alignment of attack surface to architecture layers

Clerk Corporate Switch Switch Payment

Application
Business Endpoints Access Collapsed Core Services

Use Cases & Distribution
Firepower Appliance
Architecture Layers
Endpoints Access Services

Secure Web
Branch Manager
Guest Wireless
Customer
Access Point
Secure Applications

credit card
Secure Communications Product

Information
Website
Subject Matter
Employee Phone
The attack surface and

Expert
Comparative
Shopping Website
Building Controls
Payment
Processing
architecture layers illustration
Business
Use Cases
Remote Colleague
represents a portion of the full
SAFE architecture illustration.
accessing logs
Return to Contents
43
Attack Surface: Human

A Business Use Case is a role performed by a Human connecting to network services.


Application

Business Use Case Layer

Humans use network services to perform Capability
business functions. Each business use case
defines what services are needed and where
the flow of data will go. Some users will perform
Identity – Assign each user a role-based
multiple roles requiring respective security.
identity that has a respective set of
Humans can be the weakest link in your security capability controls.
security architecture. If their identity is
compromised, downstream technical controls
can be bypassed. Visibility and segmentation
limit the impact of compromised employees,
malicious partners, or customers.
Return to Contents
44
Attack Surface: Devices

The Devices layer includes devices that vary from traditional PCs and laptops to smart phones,
tablets, and increasingly, things such as building controls, cameras, and robotics. Devices
require respective client-based security defined by policy.


Application

Endpoints Layer
Zero day and other advanced attacks can Capability
bypass existing security. A secure company
uses the network and the devices connecting Client-Based Security
to it as baselines of behavior. Under attack,
new behavior compared to baselines provides
alarm. Visibility using the network as a sensor,
enables effective containment through
Anti-Virus Anti-Malware
intelligent architectural design.
Cloud Security Personal Firewall
Return to Contents
45
Attack Surface: Network

The SAFE model aligns to the traditional network model of access, distribution, and core. Each
layer in the hierarchy benefits by dividing a flat network into scalable blocks. Traffic remains local
unless it is destined for other networks, and it is elevated to a higher layer. The network acts as
a sensor utilizing flow analytics to capture anomalies and provide visibility to attacks.


Application

Access Layer distribution layer to the services layer. In smaller

The purpose of the access layer is to securely locations not requiring scale, distribution or
connect humans and devices to the network. It access layers connect directly to the core.
connects to the distribution layer and is the first
line of enforcement to the rest of the network. Its
Primary Security Capability
purpose is to identify and segment users, and to
assess compliance of devices seeking
Endpointsaccess.Access Services
Ths layer enables enforcement of violations of
posture, identity, or anomalous behavior.
Identity Flow Analytics
Distribution Layer
This layer is an aggregation point for all of
the access switches. It controls the boundary
Posture TrustSec
between the access and core layers and serves Assessment
as an integration point for security capabilities
such as IPS and network policy enforcement.
Core Layer
Wireless Rogue
The core layer provides high-speed, highly Detection
Return to Contents
redundant forwarding services, connecting the
46
Attack Surface: Applications

The purpose of the services layer is to provide and secure services used by business functions.


Application

Services Layer Business-based security protects against

The services layer typically connects to threats introduced outside the company,
the core layer and provides foundational such as email correspondence, web surfing,
capabilities. The security capabilities segment and remote access. Many businesses need
traffic and provide visibility into separated to satisfy compliance mandates using rogue
business flows. Through analytics, each Place wireless detection regardless of whether the
in the Network has protection from known company uses wireless itself. If a company
malware and other malicious intrusions. In the uses wireless for business functions, WIPS is
event of zero-day attacks where the threat needed in addition to foundational IPS.
has not been categorized, flow analytics
identifies anomalous behavior, reducing time to
detection. Policy is enforced against violations.
Return to Contents
47
Primary Security Capability
Foundational Security Services
Firewall IPS Threat Anti- Flow TrustSec Identity

Intelligence Malware Analytics
Business-based Security
Web VPN Application WIPS Wireless

Security Visibility Rogue
Control Detection
Server-based Security
Server-Based Anti-Virus Anti-Malware Cloud Security Host-Based

Security Firewall
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Summary January 2018
48
Summary
Companies are threatened by increasingly the business is secured. Finally, designs
sophisticated attacks. SAFE provides a model complete with materials, configurations, and
and a method for simplifying the complexity cost are created based on these security
associated with defense. By segmenting business architectures.
company business into role-based business
SAFE simplifies the security challenges of today
flows, appropriate security capabilities
and prepares for the threats of tomorrow.
are applied. Organizing these capabilities
into architectures, SAFE standardizes how
Return to Contents
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Appendix January 2018
49
Appendix
Internal Business Flows
CEO Shareholder
Secure communications for email: CEO sending email to shareholder
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Email Security Host-Based
CEO Shareholder
Secure communications for email: CEO sending email to shareholder

Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Email Security Host-Based
Clerk Firewall Payment Application
Employee Website
Firewall
Employee Website
Expert Colleague
Expert Colleague
Third-Party Business Flows

Engineer Workflow Application

Secure remote access for employees: Field engineer updating work order
Client-Based Identity Posture VPN Firewall Intrusion Flow Threat Anti- TrustSec Distributed Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Denial of Service Application Security
Engineer Protection Firewall Workflow Application
Database Payment Application

Secure east-west traffic for compliance: PCI compliance for financial transactions
Client-Based Identity Posture VPN Firewall Intrusion Flow Threat Anti- TrustSec Distributed Web Host-Based
Protection Firewall
Host-Based Firewall Intrusion Flow Threat Anti- TrustSec Host-Based

Security Prevention Analytics Intelligence Malware Security
Database Payment Application
Guest Website
Security Prevention Analytics Intelligence Malware Security
Guest System (WIPS)
Website
Guest Website
Secure web access for guests: Guest accessing the Internet to watch hosted video
DNS Security System (WIPS) Anti- AVC
Wireless Wireless Firewall Intrusion Flow Threat TrustSec Distributed Web Host-Based
Intrusion Rogue Prevention Analytics Intelligence Malware Denial of Service Application Security
Prevention Detection Protection Firewall
Guest Website
Return to Contents System (WIPS)
Customer
This document is Cisco Public Information. E-commerce
Secure applications for PCI: Customer making purchase
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
Engineer Workflow Application
SAFE Overview Guide

Client-Based Threats,
Identity Capabilities,
Posture VPN and
Firewall the Intrusion
Security Flow
Reference
ThreatArchitecture
Anti- | Appendix
TrustSec Distributed Web January 2018
Host-Based
Protection Firewall
50 Database
Payment Application

Security
Customer Business Flows Prevention Analytics Intelligence Malware Security
Guest Website
System (WIPS)
Guest Website
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
System (WIPS)
Customer E-commerce
Secure applications for PCI: Customer making purchase
Identity Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
Prevention Analytics Intelligence Malware Denial of Service Application Security
Protection Firewall
Return to Contents
Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Return to Contents For more information on SAFE, see www.cisco.com/go/SAFE.
Americas Headquarters Asia Pacific Headquarters Europe Headquarters

Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does
not imply a partnership relationship between Cisco and any other company. (1110R)

Safe Overview Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Safe Overview Guide

Uploaded by

Copyright:

Available Formats

SAFE Overview Guide

Threats, Capabilities, and the

6 How to Use SAFE

20 Places in the Network

© 2018 Cisco and/or its affiliates. All rights reserved.

The Need for SAFE

Security Intelligence Threat Defense

Management Secure Services

Figure 1 Key to SAFE.

Places in the Network (PINs) Domains

SAFE provides the Key to simplify cybersecurity into

The SAFE Security The SAFE Method

How to Use SAFE

Table 1 The SAFE Model Icons

Phase/Example Icon Description Function

The Key to SAFE provides the Key to simplify cybersecurity

Capability Firewall Capabilities are used to describe security functions.

Logical Router. This

The three phases of the SAFE method are:

Small Branch Capabilities and Business Flows

Clerk Payment Application

Thermostat Remote Technician

Small Branch Architecture

Clerk processing Router

Secure Communications Product

Secure Third Parties

Business Endpoints Access Services

Clerk Payment Application

Figure 2 In the architecture phase,

Client-Based Identity Posture Firewall Intrusion Flow

Thermostat Remote Technician

Small Branch Design

Corporate Laptop AIR-CAP3702E-A-K9

Guest Wireless UMBRELLA-SUB

Branch Point of Sale

Corporate Computer CP-9951-C-K9

Secure Third Parties

Business Endpoints Access Services

Small Branch Architecture

design is created to implement

business flows are still present.

browsing prices Wireless Guest Wireless Information

Secure Third Parties

Clerk processing Router

© 2018 Cisco and/or its affiliates. All rights reserved.

Secure Communications accessing logs

SAFE’s toolkit and SAFE tools include:

collateral simplify • Capability icons to represent business flows

Design Guides Design Guides

Figure 4 SAFE Guidance Hierarchy

HUMAN Know who is on your network

DEVICE Know that devices are not infected

NETWORK Networks can be compromised

APPLICATIONS Services can be exploited

HUMAN DEVICES NETWORK APPLICATIONS

Users Endpoints Wired Wireless Analysis WAN Cloud Services

Employees Client Network Wireless Public WAN Public/Hybrid Application

Rogue Infection Unauthorized Rogue Walware Untrusted Untrusted Infection

Securing the Attack Surface

HUMAN DEVICES NETWORK APPLICATIONS

Users Endpoints Wired Wireless Analysis WAN Cloud Services

Employees, Client Network Wireless Public WAN Public/Hybrid Application

Posture Intrusion Wireless Intrusion Threat Virtual Private