Professional Documents
Culture Documents
Safe Overview Guide
Safe Overview Guide
January 2018
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Contents January 2018
Contents
3 The Need for SAFE
4 What is SAFE?
The SAFE Security Reference Model 5
The SAFE Method 5
11 Attack Surface
12 Securing the Attack Surface
13 Business Flows
Functional Controls 14
15 Capabilities
The Business Flow Capability Diagram 19
Cisco’s John Chambers famously said, The industry desperately needs a resource
“There are two types of companies: ones that simplifies the problem. The solution must
that have been breached and those that do be comprehensive, credible, and about more
not realize it…” When attackers violate your than just products; it needs to focus on the
network, having a threat defense that helps threats to your business.
you react and minimize the impact of the
SAFE meets this need.
attack is critical.
curity Guarantee
Se d
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | What is SAFE? January 2018
What is SAFE?
SAFE is a security model and method used in a language that changes the way we think
to secure business. It focuses on threats—and about security. It uses simple concepts to focus
best practices for defending against them. on the complexities of today, so that we’re
SAFE illustrates today’s business challenges prepared for the challenges of tomorrow.
Compliance Segmentation
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | What is SAFE? January 2018
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | How to Use SAFE January 2018
Business Business flows use colored lines to depict use cases and show
Use Case
Flow where data flows through a network.
Unauthorized Packets.
Threat This threat is blocked The top security threats of an organization are catalogued.
by firewalls.
G0: G1:
Return to Contents Design 4451x with Firewall Designs are used to provide specific products and services.
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information. 4451-x
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | How to Use SAFE January 2018
1
Capability phase
Business flows, or use cases, are defined in this phase. Using them as a basis,
security capabilities are applied to address threats, risks, and policy.
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Firewall
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Expert Colleague
Secure communications for collaboration: Subject matter expert consultation
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec Posture Identity Client-Based
Security Assessment Prevention Analytics Intelligence Malware Assessment Security
DNS Security Identity Firewall Intrusion Flow Threat Anti- TrustSec VPN Posture Client-Based Identity
Prevention Analytics Intelligence Malware Assessment Security
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
System (WIPS)
Figure 1 In the capability phase, business flows are analyzed to determine the required security capabilities.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | How to Use SAFE January 2018
2
Firepower Appliance
Architecture phase
A logical security architecture is defined using the security
capabilities that were identified in the business flows.
Secure Web
Branch Manager
browsing information Corporate Device
Guest Wireless
Customer
browsing prices Wireless Guest Wireless
Access Point
Secure Applications
Subject Matter
Expert Employee Phone
Comparative
Shopping Website
Building Controls
Environmental Controls Server
Payment
Processing
Third-party Technician
accessing logs
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Firewall
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
DNS Security Identity Firewall Intrusion Flow Threat Anti- TrustSec VPN Posture Client-Based Identity
Prevention Analytics Intelligence Malware Assessment Security
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
System (WIPS)
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | How to Use SAFE January 2018
3
Design phase
Using the security architecture, a specific design is created
to implement the required security capabilities, complete with
a product list, configuration, services, and cost.
FP-AMP-LC
Secure Web UMBRELLA-SUB
WIRELESS SSID:EMPLOYEE
Host Firewall
G0/1
Guest Device
MANAGEMENT VLAN
WDATA VLAN
VOICE VLAN
G1/6 G1/10
ISR4351-K9
FP-AMP-LC
Secure Communications UMBRELLA-SUB P1 P0
DATA VLAN
Host Firewall VOICE VLAN
Building Controls
Firepower Appliance
Secure Web
Branch Manager
browsing information Corporate Device
Secure Web
Guest Wireless
Branch Manager
Corporate Device Customer
Figure 3 In this phase, the
browsing information Wireless Guest Wireless
Secure Applications
the logical architecture. Although
the emphasis is on the specifics
Guest Wireless Clerk processing
credit card
Corporate Device Access Switch
of the solution, the original
Router
Comparative
Shopping Website
10
KEY TO SAFE
THE
Threat and
Capability Guide
Secure Secure
Data Center Services
Secure
Cloud SAFE Threat
Defense
Overview
Secure
WAN Segmentation
Secure Compliance
Internet Edge
YOU ARE
Secure Security
Branch HERE Intelligence
Secure Management
Campus
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Attack Surface January 2018
11
Attack Surface
The attack surface of a company is anyone or anything that can be targeted.
Any human, using any device, on any network, accessing any application can be attacked.
Threat Figure 5 The attack surface that needs to be secured. Attack Surface
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overiew Guide Capabilities and Threats January 2018
12
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Web Security Cloud Security Server-Based
Security Detection Security
TrustSec Flow
Analytics
Figure 6 Security capabilities are applied logically to mitigate the threats along the attack surface.
Capability
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Business Flows January 2018
13
Business Flows
Three categories of users have a role on your SAFE’s color-coded business flows illustrate
network: the security needed for each role. These
flows depict the attack surface, ensuring
Internal: Internal flows are activities that
that controls are easily accounted for. For
employees perform on the company network.
example, when an employee goes online to
Third Party: Third-party flows are guests, do research, or a customer makes a purchase
vendors, service providers, or partners who on your e-commerce site, these activities
access the company network. provide fraudsters something to attack.
Customers: Customer flows can be a variety By documenting and planning the security
of services, such as website portals and of all business flows within your company,
customer information. maintaining security is simplified.
Color Code
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Business Flows January 2018
14
Functional Controls
Functional controls are common security considerations that are derived from the technical
aspects of the business flows.
Secure East/West Traffic Data that securely moves between internal or external resources.
Secure Remote Access Secure remote access for employees and third-party partners
that are external to the company network.
Secure Web Access Web access controls enforce usage policy and help prevent
network infection.
Functional Control
Employee Secure web access for employees: Employee researching product information Website
Internal
Secure remote access for third party: Connected device with remote vendor support
Third Party
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
15
Capabilities
SAFE’s capability icons simplify the security Security capabilities are used to mitigate
discussion by putting the focus on the threats on the attack surface of a business
function necessary to perform a specific flow. The appropriate capability icons are
feature before identifying a product. applied along the business flow based on the
policy, risk, and threats of its attack surface.
For example, Cisco sells Adaptive Security
Appliances, Firepower appliances, Meraki For example, the “Employee researching
routers with firewalls, Cat6k with firewalls, product information” business flow is
and Cisco ISR with firewalls. For simplicity, analyzed from source to destination.
any of these are identified by their capability
(firewall). Subsequent SAFE steps will specify
model and feature requirements.
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Source Destination
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
16
Based on where they are applied on the business flows, security capabilities
can be grouped into three types: Foundational, Access, and Business.
Foundational Capabilities
Foundational Capabilities work together to protect applications and traffic. They use segmentation,
visibility, and analysis in a comprehensive architectural approach. All business flows require
foundational security capabilities.
Figure 10 Foundational Capability Group: Secure Applications and Secure East West Traffic
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
FOUNDATIONAL
Firewall:
Stateful filtering and protocol inspection Unauthorized access and malformed
between layers and the outside Internet packets between and within the branch.
and service provider connections.
Intrusion Prevention:
Attacks using worms, viruses, or other
Blocking of attacks by signatures
techniques.
and anomaly analysis.
Flow Analytics:
Traffic, telemetry, and data exfiltration from
Network traffic metadata identifying
successful attacks.
security incidents.
Threat Intelligence:
Contextual knowledge of existing Zero-day malware and attacks.
and emerging hazards.
Anti-Malware:
Malware distribution across networks or
Identify, block, and analyze malicious files
between servers and devices.
and transmissions.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
17
Access Capabilities
Access capabilities secure users, devices, and servers as they access or provide network services.
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
ACCESS
Client-/Server-based Security:
Security software for devices with
the following capabilities:
Posture Assessment:
Compromised devices connecting
Client endpoint compliance verification
to infrastructure.
and authorization.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
18
Business Capabilities
Business capabilities are used to secure risks introduced by business practices that are not
handled by the foundational and access groups. Email, web access, and remote access directly
connect to potential malicious entities (like the web, phishing, and compromised partners) which
are outside the control of a company and require additional security capabilities.
Figure 12 Business Capability Group: Secure Communications, Secure Web Access, Secure Remote Access
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
BUSINESS
AVC Web
Security
Web Security:
Attacks from malware, viruses,
Web, DNS, and IP-layer security
and redirection to malicious URLs.
and control for the branch.
Email Security:
Infiltration and exfiltration via email.
Messaging integrity and protections.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Capabilities January 2018
19
The Business Flow business. This map is used as the basis for the
next phase in SAFE: The Security Architecture.
Capability Diagram See the Appendix for all of these SAFE use
cases with their capabilties.
Combining capabilities with business flows
creates a security capability map to the
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Firewall
Employee Website
Secure web access for employees: Employee researching product information
Internal
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Expert Colleague
Secure communications for collaboration: Subject matter expert consultation
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec Posture Identity Client-Based
Security Assessment Prevention Analytics Intelligence Malware Assessment Security
Secure remote access for third party: Connected device with remote vendor support
DNS Security Identity Firewall Intrusion Flow Threat Anti- TrustSec VPN Posture Client-Based Identity
Prevention Analytics Intelligence Malware Assessment Security
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
Customer
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
System (WIPS)
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
20
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
21
Secure Branch
Branches are typically less secure than
Top Threats Mitigated in the Branch
their campus and data center counterparts.
• Endpoint malware (POS malware)
Economics often dictate that it is cost prohibitive
• Wireless infrastructure exploits (rogue AP,
to duplicate all the security controls typically Man in the Middle)
found at locations when scaling to hundreds • Unauthorized/malicious client activity
of branches. However, this makes branch • Exploitation of trust
locations prime targets and more susceptible
For a deeper discussion on defending attacks within
to a breach. In response, it is important to the Secure Branch, see www.cisco.com/go/SAFE.
include vital security capabilities while ensuring
cost-effective designs in the branch.
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Web Security Cloud Security Server-Based
Security Detection Security
TrustSec Flow
Analytics
22
Secure Campus
Campuses contain large user populations
Top Threats Mitigated in the Campus
with a variety of device types and traditionally
• Phishing
few internal security controls. Due to the
• Web-based exploits
large number of security zones (subnets and
• Unauthorized network access
VLANs), secure segmentation is difficult. • Malware propagation
Because of the lack of security control, • BYOD—Larger attack surface/
visibility, and guest/partner access, campuses increased risk of data loss
are prime targets for attack. • Botnet infestation
Figure 16 shows the progression of security For a deeper discussion on defending attacks within
the Secure Campus, see www.cisco.com/go/SAFE.
capabilities that are used to help defend
against the attacks common in a campus.
Voice
Video
Security
Identity Client-Based Firewall Wireless Rogue Anti-Malware Virtual Private Cloud Server-Based
Security Detection Network (VPN) Security Security
TrustSec Flow
Analytics
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
23
type, data classification zone, and other For a deeper discussion on defending
methods. Creating and managing proper attacks within the Secure Data Center,
security rules to control access to (north/ see www.cisco.com/go/SAFE.
Employees, Client Network Wireless Public WAN Public/Hybrid Load Balancer Server
Third Parties, Connection Cloud
Customers, and
Administrators
Voice
Storage
Video
Security
Return to Contents Figure 17 Secure Data Center Attack Surface and Security Capabilities
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
24
Secure Edge
The edge is the highest-risk PIN because it
Top Threats Mitigated in the Edge
is the primary ingress point for public traffic
• Webserver vulnerabilities
from the Internet and the primary egress
• Distributed denial of service (DDoS)
point for corporate traffic to the Internet.
• Data loss
Simultaneously, it is the most critical business • Man-in-the-Middle (MitM)
resource in today’s Internet-based economy.
For a deeper discussion on defending attacks within
Figure 18 shows the progression of security the Secure Edge, see www.cisco.com/go/SAFE.
Employees, Client Network Wireless Public WAN Public/Hybrid Load Balancer Server
Third Parties, Connection Cloud
Customers, and
Administrators
Voice
Storage
Video
Security
Identity Firewall Mobile Device Anti-Malware VPN Concentrator Email Web Application Server-Based
Management Security Firewall Security
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
25
Secure Cloud
The majority of cloud security risk stems from
Top Threats Mitigated in the Cloud
loss of control, lack of trust, shared access,
• Webserver vulnerabilities
and shadow IT. Service Level Agreements
• Loss of access
(SLAs) are the primary tool for businesses to
• Virus and malware
dictate control of security capabilities selected • Man-in-the-Middle (MitM)
in cloud-powered services. Independent
For a deeper discussion on defending attacks within
certification and risk assessment audits should
the Secure Cloud, see www.cisco.com/go/SAFE.
be used to improve trust.
Storage
Security
Access Firewall Anti-Malware VPN Concentrator Cloud Web Application Visibility Server-Based
Security Control Security
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Places in the Network January 2018
26
Secure WAN
The WAN connects all company locations
Top Threats Mitigated in the WAN
together to provide a single point of control
• Malware propagation
and access to all resources. Managing
• Unauthorized network access
security and quality of service (QoS) policies
• WAN sniffing and MitM attacks
to control communication can be exceptionally
For a deeper discussion on defending attacks within
difficult and complex.
the Secure WAN, see www.cisco.com/go/SAFE.
Figure 20 shows the progression of security
capabilities used to help defend against the
attacks common in a WAN.
Administrators Network
Security
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
27
Secure Domains
The Secure Domains represent the operational side of the Key. Operational security is divided
by function and the people in the organization that are responsible for them. Each domain has a
class of security capabilities and operational aspects that must be considered. (See Figure 21.)
Secure Services
Threat Defense
Segmentation
Compliance
Security Intelligence
Management
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
28
Management
Management of devices and systems using centralized services is critical for consistent
policy deployment, workflow change management, and the ability to keep systems patched.
Management coordinates policies, objects, and alerting.
Figure 22 shows the progression of security capabilities used for the operations of Management.
Policy/Configuration
Logging/Reporting USER
Time Synchronization
ION
APPLICAT
PINs
VIC E
DE
Vulnerability Monitoring
Management
NE
TW
ORK
Analysis/Correlation Anomaly
Detection
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
29
Security Intelligence
Security Intelligence provides global detection and aggregation of emerging malware and
threats. It enables an infrastructure to enforce policy dynamically, as reputations are augmented
by the context of new threats, providing accurate and timely security protection.
Figure 23 shows the progression of security capabilities used for the operations of Security
Intelligence.
User
De
vi
ce
Access
Client
Email Security Security
e
vic
Ser
Posture
Assessment
Application Server-Based
Visibility, Security
Wi r e d
Control Intrusion
Detection
Malware Intrusion
Web Application
Sandbox PINs Prevention
Firewall
Firewall
Flow Analytics
ir e
ud
Security Detection
Distributed Denial
of Service
Threat
Intelligence
Anti-Malware
WA is
N lys
Ana
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
30
Compliance
Compliance addresses internal and external policies. It shows how multiple controls can
be satisfied by a single solution. Examples of external compliance include PCI, HIPAA, and
Sarbanes-Oxley (SOX).
User
De
vi
ce
Access
Client
e
Server-Based
vic
Security
Security
Ser
Wi r e d
TLS Offload
Web Application
Firewall Firewall
Intrusion
PINs Detection
Wireless Intrusion
Detection
s
Mobile Device
le s
Clo
Management
ir e
ud
Virtual Private
Network
WA is
N lys
Ana
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
31
Segmentation
Segmentation establishes boundaries for data and users. Traditional manual segmentation uses
a combination of network addressing, VLANs, and firewalls for policy enforcement. Advanced
segmentation leverages identity-aware infrastructure to enforce automated and scalable policies.
User
De
vi
ce
Access
Client
Security
e
vic
Ser
Posture
Assessment
Wi r e d
Server-Based
Security
Firewall
PINs
Mobile Device
Management
s
le s
Clo
Flow Analytics
ir e
ud
Virtual Private
Network
Threat
Intelligence
WA is
N lys
Ana
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
32
Threat Defense
Threat Defense provides visibility into the most evasive and dangerous cyber threats. Using
network traffic telemetry, reputation, and contextual information, it enables assessment of the
nature and potential risk of the suspicious activity so you can take corrective action.
Figure 26 shows the progression of security capabilities used for the operations of Threat Defense.
User
De
vi
ce
Access
Client
Security
Email Security
e
vic
Ser
Posture
Assessment
Application Server-Based
Visibility,
Wi r e d
Security Intrusion
Control Detection
Intrusion
Web Application
Firewall
Malware
Sandbox PINs Prevention
Firewall
Cloud Web
Security
s
le s
Clo
Flow Analytics
ir e
ud
Wireless Intrusion
Detection
W
Threat
Intelligence
Anti-Malware
WA is
N lys
Ana
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Secure Domains January 2018
33
Secure Services
Secure Services provide technologies such as access control, virtual private networks, and
encryption. This domain includes protection for insecure services such as applications,
collaboration, and wireless.
Figure 27 shows the progression of security capabilities used for Secure Services.
User
De
vi
ce
Access
Email Security
e
Client
vic
Security
Ser
Server-Based
Application Security
Visibility,
Wi r e d
Control
Malware
Sandbox
TLS Offload
Web Application
PINs
Firewall
Cloud Web
Security
s
le s
Clo
Virtual Private
Network
ir e
ud
VPN Concentrator
WA is
N lys
Ana
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
34
SAFE Capabilities
Capabilities describe the primary functions of a security service. Table 5 provides a definition
for the capabilities used in SAFE. The recommended products are mapped to each capability,
where and when it is used, and the top threats mitigated.
Human
Devices
Viruses
Anti-Virus compromising
Clients: systems.
Devices such
as PCs, laptops, Redirection of
smartphones, user
tablets. Cloud Security
to malicious
website.
Unauthorized
access and
Personal Firewall
malformed
packets
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
35
Table 5 Cisco Security Capabilities and Threats
Network
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
36
Table 5 Cisco Security Capabilities and Threats
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
37
Table 5 Cisco Security Capabilities and Threats
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
38
Table 5 Cisco Security Capabilities and Threats
Applications
Applications
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
39
Table 5 Cisco Security Capabilities and Threats
Applications
Viruses
(continued) Anti-Virus compromising
systems.
Redirection of
user
Cloud Security
to malicious
website.
Unauthorized
access and
malformed
Host-based Firewall
packets
connecting to
server.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | SAFE Capabilities January 2018
40
Management
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
41
Cloud
SERVICES NETWORK APPLICATIONS SERVICES
Anti-Malware Identity
Authorization
Database
vFirepower Appliance vSwitch Storage Server Zone
Payment
vFirepower Appliance vRadware Appliance vSwitch Secure Server Application
vRouter vSwitch
Anomaly
Detection
h
Application Visibility
Control (AVC) Workflow
Secure Server
Ed
vFirepower Appliance vSwitch Application
nc
Hosted
vFirepower Appliance vRadware Appliance vSwitch Secure Server E-Commerce
ge
Bra
Services Business
Use Cases
HUMAN DEVICES NETWORK APPLICATIONS
NETWORK
Perimeter Services
Customer
browsing prices Wireless Guest Wireless
Web Security Switch Firepower
Appliance
Trusted
Access Point
Untrusted Enterprise
Payment
Clerk processing Router Switch Firepower Switch Radware Switch Secure Server Application Switch
Corporate Device Access Switch Switch Router Appliance Appliance
credit card
DMZ
VPN
Wholesaler Website
Technician
submitting task
Third-party Technician
accessing logs
Wireless Controller Adaptive Security Radware Appliance Nexus Fabric Switch Hyperflex Server Database
Appliance
Communications
Manager
Firepower Appliance Nexus Switch Nexus Fabric Switch Blade Server Payment
Application
r
nte
Employee browsing Corporate Device Switch Distribution Switch Core Switch Firepower Appliance Switch Router
Ca
Workflow
Secure Server Firepower Appliance Nexus Switch Nexus Fabric Switch Secure Server
Application
Ce
Communication
FMC Adaptive Security Radware Appliance Secure Server
Services
Appliance
Business Endpoints Access Distribution Core Services NETWORK
Use Cases
Services Core Distribution Access Endpoints Business
Use Cases
Services
us
Da
WA N
Figure 28 SAFE Model. The SAFE Model simplifies
complexity across a business by using Places in the
Network (PINs) that it must secure. Business Flows
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
42
Attack Surface
Firepower Appliance
Architecture Layers
Small Branch Architecture
HUMAN DEVICES NETWORK APPLICATIONS
ATTACK ATTACK ATTACK ATTACK
SURFACE SURFACE SURFACE SURFACE
Branch Manager
browsing information Corporate Device
Guest Wireless
Customer
browsing prices Wireless Guest Wireless
Access Point
Secure Applications
Subject Matter
Employee Phone
Comparative
Shopping Website
Building Controls
Environmental Controls Server
Payment
Processing
architecture layers illustration
Business
Use Cases
Endpoints Access Services
Remote Colleague
represents a portion of the full
Third-party Technician
SAFE architecture illustration.
accessing logs
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
43
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
44
Endpoints Layer
Zero day and other advanced attacks can Capability
bypass existing security. A secure company
uses the network and the devices connecting Client-Based Security
to it as baselines of behavior. Under attack,
new behavior compared to baselines provides
alarm. Visibility using the network as a sensor,
Endpoints Access Services
enables effective containment through
Anti-Virus Anti-Malware
intelligent architectural design.
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
45
Distribution Layer
This layer is an aggregation point for all of
the access switches. It controls the boundary
Posture TrustSec
between the access and core layers and serves Assessment
as an integration point for security capabilities
such as IPS and network policy enforcement.
Core Layer
Wireless Rogue
The core layer provides high-speed, highly Detection
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
redundant forwarding services, connecting the
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
46
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | The SAFE Architecture January 2018
47
Business-based Security
Server-based Security
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Summary January 2018
48
Summary
Companies are threatened by increasingly the business is secured. Finally, designs
sophisticated attacks. SAFE provides a model complete with materials, configurations, and
and a method for simplifying the complexity cost are created based on these security
associated with defense. By segmenting business architectures.
company business into role-based business
SAFE simplifies the security challenges of today
flows, appropriate security capabilities
and prepares for the threats of tomorrow.
are applied. Organizing these capabilities
into architectures, SAFE standardizes how
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
SAFE Overview Guide Threats, Capabilities, and the Security Reference Architecture | Appendix January 2018
49
Appendix
Internal Business Flows
CEO Shareholder
Secure communications for email: CEO sending email to shareholder
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Email Security Host-Based
Security Assessment Prevention Analytics Intelligence Malware Security
CEO Shareholder
Secure communications for email: CEO sending email to shareholder
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Clerk Firewall Payment Application
Secure applications for PCI: Clerk processing credit card transaction
Employee Website
Secure web access for employees: Employee researching product information
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Application Security
Firewall
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Employee Website
Secure web access for employees: Employee researching product information
Expert Colleague
Secure communications for collaboration: Subject matter expert consultation
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec AVC Web
Security Assessment Prevention Analytics Intelligence Malware Security
Client-Based Identity Posture Firewall Intrusion Flow Threat Anti- TrustSec Posture Identity Client-Based
Security Assessment Prevention Analytics Intelligence Malware Assessment Security
Expert Colleague
Secure communications for collaboration: Subject matter expert consultation
Thermostat Remote Technician
Secure remote access for third party: Connected device with remote vendor support
DNS Security Identity Firewall Intrusion Flow Threat Anti- TrustSec VPN Posture Client-Based Identity
Prevention Analytics Intelligence Malware Assessment Security
Thermostat Remote Technician
Secure remote access for third party: Connected device with remote vendor support
Client-Based Identity Posture VPN Firewall Intrusion Flow Threat Anti- TrustSec Distributed Web Host-Based
Security Assessment Prevention Analytics Intelligence Malware Denial of Service Application Security
Engineer Protection Firewall Workflow Application
Secure remote access for employees: Field engineer updating work order
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
Host-Based Firewall Intrusion Flow Threat Anti- TrustSec Host-Based
Security Prevention Analytics Intelligence Malware Security
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
Guest System (WIPS)
Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
Guest Website
Secure web access for guests: Guest accessing the Internet to watch hosted video
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
DNS Security System (WIPS) Anti- AVC
Wireless Wireless Firewall Intrusion Flow Threat TrustSec Distributed Web Host-Based
Intrusion Rogue Prevention Analytics Intelligence Malware Denial of Service Application Security
Prevention Detection Protection Firewall
Guest Website
Return to Contents System (WIPS)
Secure web access for guests: Guest accessing the Internet to watch hosted video
© 2018 Cisco and/or its affiliates. All rights reserved.
Customer
This document is Cisco Public Information. E-commerce
Secure applications for PCI: Customer making purchase
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
Intrusion Rogue Prevention Analytics Intelligence Malware Denial of Service Application Security
Prevention Detection Protection Firewall
Engineer Workflow Application
Secure remote access for employees: Field engineer updating work order
50 Database
Secure east-west traffic for compliance: PCI compliance for financial transactions
Payment Application
Guest Website
Secure web access for guests: Guest accessing the Internet for comparative shopping
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec
Intrusion Rogue Prevention Analytics Intelligence Malware
Prevention Detection
System (WIPS)
Guest Website
Secure web access for guests: Guest accessing the Internet to watch hosted video
DNS Security Wireless Wireless Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
Intrusion Rogue Prevention Analytics Intelligence Malware Denial of Service Application Security
Prevention Detection Protection Firewall
System (WIPS)
Customer E-commerce
Secure applications for PCI: Customer making purchase
Identity Firewall Intrusion Flow Threat Anti- TrustSec Distributed AVC Web Host-Based
Prevention Analytics Intelligence Malware Denial of Service Application Security
Protection Firewall
Return to Contents
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.
Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does
not imply a partnership relationship between Cisco and any other company. (1110R)
© 2018 Cisco and/or its affiliates. All rights reserved.
This document is Cisco Public Information.