Cisco SAFE poster · SAFE Simpli˜es Security | Best Practice Security Capability Flows Overview...
Transcript of Cisco SAFE poster · SAFE Simpli˜es Security | Best Practice Security Capability Flows Overview...
SAFESIMPLIFIES SECURITY
August 2015
Management
Security Intelligence
Secure Services
Threat Defense
Compliance Segmentation
The Key to SAFE organizes the complexity of holistic security into Places in the Network (PINs) and Secure Domains. PINs are reference examples of locations found in networks, and Secure Domains are the taxonomical areas used to protect them.
SAFE Simpli�es Security | Introduction
IntroductionSAFE is a secure architectural framework example for business networks. SAFE simpli�es complexity using a model that focuses on the areas that a company must secure. Each area is treated with holistic discussion of today’s threats and the capabilities needed to secure them. Critical challenges have been deployed, tested, and validated at Cisco. These solutions provide guidance, complete with con�guration steps, to ensure e�ective and secure deployments for our customers.
For more information, visit cisco.com/go/safe
2
Management
Security Intelligence
Secure Services
Threat Defense
Compliance Segmentation
SAFE Simpli�es Security | Secure Domains
Secure Domains
Threat DefenseProvides visibility into the most evasive and dangerous cyber threats. It uses network tra�c telemetry, reputation, and contextual information for that visibility. Enables assessment of the nature and the potential risk of the suspicious activity so that the correct next steps for cyber threats can be taken.
ComplianceAddresses policies, both internal and external. It shows how multiple controls can be satis�ed by a single solution. Examples of external compliance include PCI, HIPAA, and Sarbanes-Oxley (SOX).
Security IntelligenceProvides global detection and aggregation of emerging malware and threats. It enables an infrastructure to enforce policy dynamically, as reputations are augmented by the context of new threats. This enables accurate and timely security protection.
ManagementManagement of devices and systems using centralized services is critical for consistent policy deployment, work�ow change management, and the ability to keep systems patched. Management coordinates policies, objects, and alerting.
SegmentationEstablishes boundaries for both data and users. Traditional manual segmentation uses a combination of network addressing, VLANs, and �rewalling for policy enforcement. Advanced segmentation leverages identity-aware infrastructure to enforce policies in an automated and scalable manner, greatly reducing operational challenges.
Secure ServicesProvides technologies such as access control, virtual private networks, and encryption. It includes protection for insecure services e.g., applications, collaboration, and wireless.
SAFE Simpli�es Security | Best Practice Security Capability Flows Overview
Branch
Campus
Data Center
Edge
Cloud
WAN
Next-Generation Firewall
Wireless Controller
Switch
Next-Generation Firewall/Router
Wireless Controller
Switch
Next-Generation Firewall
Router
Router
Next-Generation Firewall
Virtualized Capabilitie
sDatabase
Zone
PCI
ComplianceZone
App ServerZone
Shared
ServicesZone
Centralized Management
Public
ServersZone
Next-Generation Firewall
Cloud Web Security
Shared
ServicesZone
Cloud-based
CRM Service
Internet Search
Engine Service
Best Practice Security Capability Flows Overview
4
5 | Secure Branch
6 | Secure Campus
7 | Secure Data Center
8 | Secure Edge
9 | Secure Cloud
10 | External Zones
Wireless Controller
Switch Next-Generation Firewall/Router
Host-based Security
Wireless Intrusion Prevention
Access Control + TrustSec
Posture Assessment
Flow Analytics
L2/L3 Network
Firewall Next-Gen Intrusion Prevention System
Anti-Malware
Flow Analytics
Wireless
Host-based Security
Access Control + TrustSec
Posture Assessment
Flow Analytics
L2/L3 Network
VPN
WebSecurity Services
AVC-Application Visibility Control
Threat Intelligence
Secure BranchKey Security ChallengeBranches are typically less secure than their campus and data center counterparts. Economics often dictate that it is cost prohibitive to duplicate all the security controls typically found at larger locations when scaling to hundreds of branches. However, this makes them prime targets and more susceptible to a breach. In response, it is important to include vital security capabilities while ensuring cost e�ective designs in the branch.
Top Threats Mitigated• Endpoint malware (e.g., POS malware) • Wireless infrastructure exploits (e.g., rogue AP, MitM)• Unauthorized/malicious client activity • Exploitation of trust
Capability Product
Cloud Web Security,Meraki MX,FirePOWER URL
Adaptive Security Appliance, Integrated Services Router, Meraki MX
Cisco Collective Security Intelligence, Cisco Talos Security Intelligence
Integrated Services Router, Adaptive Security Appliance, Wireless LAN Controller, Catalyst Switch
Capability Product Capability Product
Cisco FirePOWER Services on Adaptive Security Appliance, UCS-E, or FirePOWER Appliance
Adaptive Security Appliance, Integrated Services Router, Meraki MX
AnyConnect Agent, Centralized Identity Services Engine
Cisco Advanced Malware Protection for Endpoint, AnyConnect, Anti-Virus (partner)
Centralized Mobility Services Engine, Centralized Wireless LAN Controller, Meraki
FirePOWER Services Module or Appliance, Meraki MX
Cisco Advanced Malware Protection for Networks
Wireless Controller/Catalyst Switch, Centralized Identity Services Engine
SAFE Simpli�es Security | Branch
To Data Center
Return to Overview
To Cloud
WAN
Manager researchingproduct information
Clerk processingcredit card transaction
5
CEO sending emailto shareholders
Salesmen accessingcustomer database
Wireless Controller
Switch Next-Generation Firewall Router
L2/L3 Network
L2/L3 Network
VPNAccess Control + TrustSec
Access Control + TrustSec
Access Control + TrustSec
Access Control + TrustSec
Posture Assess-ment
Posture Assess-ment
Host-based Security
Host-based Security
Wireless Wireless IntrusionPrevention
Mobile Device Manage-ment
Firewall Next-Gen Intrusion Prevention System
Anti-Malware
Threat Intelligence
Flow Analytics
Flow Analytics
Flow Analytics
Identity
Identity
To Data Center
WAN
Cisco Advanced Malware Protection for Networks
Cisco FirePOWER Services on Adaptive Security Appliance, UCS-E, or FirePOWER Appliance
Adaptive Security Appliance, Aggregation Services Router, Meraki MX
AnyConnect Agent, Identity Services Engine
Cisco Advanced Malware Protection for Endpoint, AnyConnect, Anti-Virus (partner)
Mobility Services Engine, Wireless LAN Controller
Wireless Controller/Catalyst Switch, Identity Services Engine
Identity Services Engine, Meraki Mobile Device Management
Capability Product
Cloud Web Security, Centralized Web Security Appliance
Adaptive Security Appliance, Integrated Services Router, Meraki MX
Cisco Collective Security Intelligence, Cisco Talos Security Intelligence
Integrated Services Router, Wireless LAN Controller, Catalyst Switch
Secure CampusKey Security ChallengeCampuses contain large user populations with a variety of device types and traditionally little internal security controls. Due to the large number of security zones (subnets and VLANs), secure segmentation is di�cult. Because of the lack of security control, visibility, and guest/ partner access, campuses are prime targets for attack.
Top Threats Mitigated• Phishing• Web-based exploits
• BYOD — Larger attack surface/increased risk of data loss• Botnet infestation
• Unauthorized network access• Malware propagation
Capability Product Capability Product Capability Product
SAFE Simpli�es Security | Campus 6
Return to Overview
RouterNext-Generation Firewall
Virtualized Capabilities
DatabaseZone
PCICompliance
Zone
App ServerZone
SharedServices
Zone
Centralized Management
L2/L3 Network
Analysis/Correlation
Visibility/Context
Policy/Con�guration
Analytics
Logging/Reporting
VPN
Access Control + TrustSecFirewall
Next-Gen Intrusion Prevention System
Next-Gen Intrusion Prevention System
Anti-Malware
Access Control + TrustSec
Threat Intelli-gence
Flow Analytics
Flow Analytics
L2/L3 Network
Load Balancer SwitchFirewall
Host-based Security
Web Application Firewall
Threat Intelligence
Vulnerability Management
Monitoring
WAN
To Edge
To Campus
Capability Product
Secure Data CenterKey Security ChallengeData centers contain the majority of information assets and intellectual property. These are the primary goal of all targeted attacks, and thus require the highest level of e�ort to secure. Data centers contain hundreds to thousands of both physical and virtual servers, segmented by application type, data classi�cation zone, and other methods. Creating and managing proper security rules to control access to (north/south) and between (east/west) resources can be exceptionally di�cult.
Top Threats Mitigated• Data ex�ltration (data loss)• Malware propagation
• Botnet infestation (e.g., scrumping)• Unauthorized network access (e.g., application compromise, data loss, privilege escalation, reconnaissance)
Capability Product Capability Product Capability Product
SAFE Simpli�es Security | Data Center
Adaptive Security Appliance, Virtual Security Gateway, Firepower 9300 Appliance
FirePOWER Services Module, Appliance, Virtual, Firepower 9300 Appliance
Cisco Collective Security Intelligence, Cisco Talos Security Intelligence
Net�ow Generation Appliance, Lancope FlowSensor, Adaptive Security Appliance
Adaptive Security Appliance, Aggregation Services Router
Web Application Firewall Technology Partner
Load Balancer Technology Partner
Cisco Advanced Malware Protection for Endpoint, AnyConnect, Anti-Virus (partner)
Adaptive Security Appliance, Aggregation Services Router, Firepower Appliance
Cisco Advanced Malware Protection for Networks
Nexus/Catalyst Switch
7
Return to Overview
Secure EdgeKey Security ChallengeThe Internet Edge is the highest risk PIN because it is the primary ingress point for public tra�c and the primary egress point to the Internet. Simultaneously, it is the critical resource that businesses need in today’s Internet-based economy.
Top Threats Mitigated• Webserver vulnerabilities • DDoS• Data loss • Man-in-the-Middle
SAFE Simpli�es Security | Edge
PublicServers
Zone
Next-Generation Firewall
Next-Gen Intrusion Prevention System
Flow Analytics
Host-based Security
Web Application Firewall
Transport Layer Security O�-Load
Load Balancer
Anti-Malware
L2/L3 Network
Firewall Access Control + TrustSec
Distributed Denial of Service
L2/L3 Network
Email Security
Web Security
Threat Intelligence
AVC-Application Visibility Control
To Cloud
To External Zones
To Campus
VPNConcentrator
Email Security Appliance, Cloud Web Security
Transport Layer Security O�oad Technology Partner
Distributed Denial of Service Technology Partner
Web Application Firewall Technology Partner
Cisco Advanced Malware Protection for Networks
Cisco Advanced Malware Protection for Endpoint, AnyConnect, Anti-Virus (partner)
FirePOWER Services Module or Appliance, Meraki MX
Web Security Appliance, Cloud Web Security
Capability Product
Adaptive Security Appliance, Aggregation Services Router
Cisco Collective Security Intelligence, Cisco Talos Security Intelligence
Adaptive Security Appliance, Aggregation Services Router, Catalyst Switch
Adaptive Security Appliance, Firepower 9300 Appliance, Meraki MX
FirePOWER Services Module or Appliance
Capability Product Capability Product
Internet
8
Return to Overview
Secure CloudKey Security ChallengeThe majority of cloud security risk stems from loss of control, lack of trust, shared access, and shadow IT. Service Level Agreements (SLAs) are the primary tool for businesses to dictate control of security capabilities selected in cloud-o�ered services. Independent certi�cation and risk assessment audits should be used to improve trust.
Top Threats Mitigated• Webserver vulnerabilities • Loss of access• Virus and malware • Man-in-the-Middle
Capability Product Capability Product Capability Product
SAFE Simpli�es Security | Cloud
Cisco FirePOWER Services on ASA and UCS-E
Cloud Web Security, Web Security Appliance, Meraki MX, Partner OpenDNS
Cisco Advanced Malware Protection for Endpoint, Anti-Virus (partner), AnyConnect
Advanced Malware Protection
Adaptive Security Appliance, Integrated Services Router, AnyConnect, Meraki MX
Adaptive Security Appliance, Integrated Services Router, Meraki MX
Internet
Cloud Web Security
SharedServices
ZoneCloud-basedCRM Service
Internet SearchEngine Service
Anti-MalwareWeb Reputation/Filtering
AVC-Application Visibility Control
Anomaly Detection
Threat Intelligence
Host-based Security
To Branch
To Edge
Internet
9
Return to Overview
External ZonesBusinesses are Connected to RiskRecent breaches underscore the need to consider the full ecosystem of your partners, customers, vendors, and employees. Traditional perimeter defenses are not su�cient for the attack vectors present today. Identity aware, policy enforced, and threat anomalies must accompany relationships to secure trust.
Top Threats Mitigated• Endpoint malware • Exploitation of trust • Unauthorized/malicious client activity • Man-in-the-Middle
Capability Product Capability Product
SAFE Simpli�es Security | External Zones 10
CustomersKey Security ChallengeSecuring connections to service o�erings is the primary goal when establishing communications with customers outside of the corporate enterprise. A breach or loss of data creates an immediate and heightened lack of trust resulting in loss of commerce.
Remote WorkersKey Security ChallengeSecuring remote access for employees connecting to the corporate enterprise from untrusted sites (such as co�ee shops and hotels) is critical for maintaining data security. Identity-aware access controls, posture assessments, and encryption enforce a consistent set of policies before allowing access.
Third-Party Vendors and PartnersKey Security ChallengeInsecure access by partners and vendors can quickly compromise business operations. Implement granular access controls, anomaly detection, and SLAs to block unauthorized access and exploitation of trust.
VPNHost-based Security
Posture Assessment
Identity
Next-Generation Firewall
Anti-Malware
VPNWeb Reputation/Filtering
Next-Gen Intrusion Prevention System
FirewallHost-based Security
Host-based Security
To Edge
E X T E R N A L Z O N E S
Internet
Field engineersubmittingwork order
Technicianremotely
checking logs
Customerupdating
pro�le
Cloud Web Security, Web Security Appliance, Meraki MX, Partner OpenDNS
Cisco Advanced Malware Protection for Endpoint, Anti-Virus (partner), AnyConnect
Advanced Malware Protection
Cisco FirePOWER Services on ASA and UCS-E
Capability Product
Adaptive Security Appliance, Integrated Services Router, AnyConnect, Meraki MX
Adaptive Security Appliance, Integrated Services Router, Meraki MX
Return to Overview