Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

SAFE SIMPLIFIES SECURITY August 2015

advertisement 
SAFE
SIMPLIFIES SECURITY
August 2015
SAFE Simplifies Security | Introduction
2
Compliance
Security Intelligence
Segmentation
Threat Defense
Management
Secure Services
The Key to SAFE organizes the complexity of holistic
security into Places in the Network (PINs) and Secure
Domains. PINs are reference examples of locations
found in networks, and Secure Domains are the
taxonomical areas used to protect them.
Introduction
SAFE is a secure architectural framework example for business networks. SAFE simplifies complexity
using a model that focuses on the areas that a company must secure. Each area is treated with holistic
discussion of today’s threats and the capabilities needed to secure them. Critical challenges have been
deployed, tested, and validated at Cisco. These solutions provide guidance, complete with configuration
steps, to ensure effective and secure deployments for our customers.
For more information, visit cisco.com/go/safe
SAFE Simplifies Security | Secure Domains
Compliance
Security Intelligence
Management
Segmentation
Threat Defense
Secure Services
Secure Domains
Secure Services
Threat Defense
Segmentation
Provides technologies such as access control,
virtual private networks, and encryption. It
includes protection for insecure services
e.g., applications, collaboration, and wireless.
Provides visibility into the most evasive
and dangerous cyber threats. It uses
network traffic telemetry, reputation, and
contextual information for that visibility.
Enables assessment of the nature and the
potential risk of the suspicious activity so
that the correct next steps for cyber
threats can be taken.
Establishes boundaries for both data and
users. Traditional manual segmentation
uses a combination of network addressing,
VLANs, and firewalling for policy
enforcement. Advanced segmentation
leverages identity-aware infrastructure
to enforce policies in an automated and
scalable manner, greatly reducing
operational challenges.
Compliance
Security Intelligence
Management
Addresses policies, both internal and external.
It shows how multiple controls can be
satisfied by a single solution. Examples of
external compliance include PCI, HIPAA,
and Sarbanes-Oxley (SOX).
Provides global detection and aggregation of
emerging malware and threats. It enables an
infrastructure to enforce policy dynamically, as
reputations are augmented by the context of
new threats. This enables accurate and timely
security protection.
Management of devices and systems using
centralized services is critical for consistent
policy deployment, workflow change
management, and the ability to keep systems
patched. Management coordinates policies,
objects, and alerting.
xt
-G
e
N
n
tio
ra
e
ne
w
al
Fi
re
In
t
E er
ng n
in et
e Se
S a
e rc
rv h
ic
e
9 | Secure Cloud
10 | External Zones
ud
lo
C
N
n
tio
ra
ne
e
xt
-G
e
l
w
al
re
Fi
e
g
d
E
S Sh
e ar
rv e
i d
Z ce
o s
ne
e
S
d
e
liz
ua
irt
V
s
tie
ili
ab
ap
C
p P
lia C
Z nce I
o
ne
ab
Z ase
o
ne
at
7 | Secure Data Center
r
Z ve
o r
ne
p
p
A
m
o
C
D
e
nt
ra
liz
e
l
w
al
re
Fi
d
M
an
ag
e
m
e
nt
r
ut
e
R
o
a
at
D
r
nt
e
e
C
W
A
N
C
r
le
nt
ro
o
n
tio
ra
ne
e
xt
-G
e
N
l
w
al
Fi
re
ut
e
R
o
r
C
am
p
us
h
S
w
itc
W
ire
le
ss
C
le
nt
ro
o
r
e
N
e
xt
-G
ne
n
ra
tio
Fi
re
w
al
/
ut
e
R
o
r
B
ra
nc
h
Best Practice Security
Capability Flows Overview
C
n
tio
ra
ne
e
xt
-G
e
N
h
itc
6 | Secure Campus
S
w
ss
le
W
ire
5 | Secure Branch
C
C lou
C
R d
lo
M -b
ud
S as
e e
W
rv d
e
ic
b
e
S
e
cu
rit
y
S Sh
e ar
rv e
i d
Z ce
o s
ne
S Pu
e b
rv lic
Z er
o s
ne
SAFE Simplifies Security | Best Practice Security Capability Flows Overview
4
8 | Secure Edge
SAFE Simplifies Security | Branch
5
Manager researching
product information
Wireless Controller
Return to Overview
L2/L3
Network
Host-based
Security
Wireless
Intrusion
Prevention
Wireless
Posture
Access
Assessment Control +
TrustSec
Flow
Analytics
Next-Generation Firewall/Router
Switch
Host-based
Security
Posture
Access
Assessment Control +
TrustSec
Flow
Analytics
L2/L3
Network
Clerk processing
credit card transaction
Firewall
Next-Gen
Intrusion
Prevention
System
AntiMalware
Flow
Analytics
AVCApplication
Visibility
Control
Web
Security
Services
Threat
Intelligence
VPN
WAN
To Data Center
To Cloud
Secure Branch
Key Security Challenge
Branches are typically less secure than their campus and data center counterparts. Economics often dictate that it is cost prohibitive to duplicate
all the security controls typically found at larger locations when scaling to hundreds of branches. However, this makes them prime targets and
more susceptible to a breach. In response, it is important to include vital security capabilities while ensuring cost effective designs in the branch.
Top Threats Mitigated
• Endpoint malware (e.g., POS malware) • Wireless infrastructure exploits (e.g., rogue AP, MitM)
• Unauthorized/malicious client activity
• Exploitation of trust
Capability
Product
Capability
Product
Capability
Product
Cloud Web Security,
Meraki MX,
FirePOWER URL
Cisco Advanced Malware
Protection for Networks
AnyConnect Agent, Centralized
Identity Services Engine
Adaptive Security Appliance,
Integrated Services Router,
Meraki MX
Wireless Controller/Catalyst Switch,
Centralized Identity Services Engine
Cisco Advanced Malware
Protection for Endpoint,
AnyConnect, Anti-Virus (partner)
Cisco Collective Security
Intelligence, Cisco Talos
Security Intelligence
Cisco FirePOWER Services on
Adaptive Security Appliance,
UCS-E, or FirePOWER Appliance
Centralized Mobility Services
Engine, Centralized Wireless
LAN Controller, Meraki
Integrated Services Router, Adaptive
Security Appliance, Wireless LAN
Controller, Catalyst Switch
Adaptive Security Appliance,
Integrated Services Router,
Meraki MX
FirePOWER Services Module
or Appliance, Meraki MX
SAFE Simplifies Security | Campus
6
CEO sending email
to shareholders
Wireless Controller
Return to Overview
L2/L3
Network
Hostbased
Security
Wireless
Identity
Wireless
Intrusion
Prevention
Mobile
Device
Management
Posture
Assessment
Access
Control +
TrustSec
Flow
Analytics
Switch
Identity
Hostbased
Security
Posture
Assessment
Access
Control +
TrustSec
Next-Generation Firewall
Flow
Analytics
L2/L3
Network
Salesmen accessing
customer database
Firewall
Next-Gen AntiMalware
Intrusion
Prevention
System
Access
Control +
TrustSec
Router
Threat
Access
Intelligence Control +
TrustSec
Flow
Analytics
VPN
WAN
To Data Center
Secure Campus
Key Security Challenge
Campuses contain large user populations with a variety of device types and traditionally little internal security controls. Due to the large number of
security zones (subnets and VLANs), secure segmentation is difficult. Because of the lack of security control, visibility, and guest/ partner access,
campuses are prime targets for attack.
Top Threats Mitigated
• Phishing
• Web-based exploits
Capability
• Unauthorized network access
• Malware propagation
Product
• BYOD — Larger attack surface/increased risk of data loss
• Botnet infestation
Capability
Product
Capability
Product
Cloud Web Security, Centralized
Web Security Appliance
Cisco Advanced Malware
Protection for Networks
AnyConnect Agent,
Identity Services Engine
Adaptive Security Appliance,
Integrated Services Router,
Meraki MX
Wireless Controller/
Catalyst Switch,
Identity Services Engine
Cisco Advanced Malware
Protection for Endpoint,
AnyConnect, Anti-Virus (partner)
Cisco Collective Security
Intelligence, Cisco Talos
Security Intelligence
Cisco FirePOWER Services on
Adaptive Security Appliance,
UCS-E, or FirePOWER Appliance
Mobility Services Engine,
Wireless LAN Controller
Integrated Services Router, Wireless
LAN Controller, Catalyst Switch
Adaptive Security Appliance,
Aggregation Services Router,
Meraki MX
Identity Services Engine,
Meraki Mobile Device
Management
SAFE Simplifies Security | Data Center
7
Next-Gen
Intrusion
Load
Prevention
Firewall Balancer Switch
System
Host-based
Security
Database
Zone
To Campus
Flow
Analytics
Threat
Intelligence
Next-Gen
Access
Intrusion
Control + AntiPrevention
Firewall
TrustSec Malware System
Access
Control +
L2/L3
Network TrustSec
VPN
PCI
Compliance
Zone
Next-Generation Firewall
App Server
Zone
Router
WAN
L2/L3
Network
Centralized Management
Web
Application
Firewall
Flow
Analytics
Shared
Services
Zone
Policy/
Configuration
Visibility/
Context
Analysis/
Correlation
Analytics
Threat
Intelligence
Vulnerability
Management
Monitoring
Virtualized Capabilities
Logging/
Reporting
To Edge
Return to Overview
Secure Data Center
Key Security Challenge
Data centers contain the majority of information assets and intellectual property. These are the primary goal of all targeted attacks, and thus require the highest level
of effort to secure. Data centers contain hundreds to thousands of both physical and virtual servers, segmented by application type, data classification zone, and
other methods. Creating and managing proper security rules to control access to (north/south) and between (east/west) resources can be exceptionally difficult.
Top Threats Mitigated
• Data exfiltration (data loss)
• Malware propagation
Capability
• Unauthorized network access (e.g., application compromise,
data loss, privilege escalation, reconnaissance)
Product
Capability
Product
• Botnet infestation (e.g., scrumping)
Capability
Product
Adaptive Security Appliance,
Virtual Security Gateway,
Firepower 9300 Appliance
Adaptive Security Appliance,
Aggregation Services Router
Web Application Firewall
Technology Partner
FirePOWER Services Module,
Appliance, Virtual, Firepower
9300 Appliance
Adaptive Security Appliance,
Aggregation Services Router,
Firepower Appliance
Load Balancer Technology Partner
Cisco Collective Security
Intelligence, Cisco Talos
Security Intelligence
Cisco Advanced Malware
Protection for Networks
Cisco Advanced Malware
Protection for Endpoint,
AnyConnect, Anti-Virus (partner)
Netflow Generation Appliance,
Lancope FlowSensor,
Adaptive Security Appliance
Nexus/Catalyst Switch
SAFE Simplifies Security | Edge
8
To Campus
Return to Overview
Flow Analytics
Email
Security
Web
Security
Next-Generation Firewall
Public
Servers
Zone
Hostbased
Security
Load
Web
Transport
Application Balancer Layer
Firewall
Security
Off-Load
L2/L3
Network
AntiMalware
Next-Gen Firewall
Intrusion
Prevention
System
Access
Control +
TrustSec
Distributed L2/L3
Threat
AVCDenial of
Network
Application Intelligence
Service
Visibility
VPN
Control
Concentrator
To External Zones
To Cloud
Secure Edge
Internet
Key Security Challenge
The Internet Edge is the highest risk PIN because it is the primary ingress point for public traffic and the primary egress point to the Internet.
Simultaneously, it is the critical resource that businesses need in today’s Internet-based economy.
Top Threats Mitigated
• Webserver vulnerabilities
• Data loss
Capability
• DDoS
• Man-in-the-Middle
Product
Capability
Product
Capability
Product
Adaptive Security Appliance,
Aggregation Services Router
Cisco Advanced Malware
Protection for Networks
Web Application Firewall
Technology Partner
Cisco Collective Security
Intelligence, Cisco Talos Security
Intelligence
Web Security Appliance,
Cloud Web Security
Cisco Advanced Malware
Protection for Endpoint,
AnyConnect, Anti-Virus (partner)
Adaptive Security Appliance,
Aggregation Services Router,
Catalyst Switch
Email Security Appliance,
Cloud Web Security
FirePOWER Services Module
or Appliance, Meraki MX
Adaptive Security Appliance,
Firepower 9300 Appliance,
Meraki MX
Transport Layer Security
Offload Technology Partner
FirePOWER Services Module
or Appliance
Distributed Denial of Service
Technology Partner
SAFE Simplifies Security | Cloud
9
To Branch
To Edge
Host-based
Security
Internet
Shared
Services
Zone
Cloud-based
CRM Service
Cloud Web Security
Internet Search
Engine Service
Threat
Intelligence
Anomaly
Detection
AVCApplication
Visibility
Control
Web
Reputation/
Filtering
Internet
Anti-Malware
Return to Overview
Secure Cloud
Key Security Challenge
The majority of cloud security risk stems from loss of control, lack of trust, shared access, and shadow IT. Service
Level Agreements (SLAs) are the primary tool for businesses to dictate control of security capabilities selected in
cloud-offered services. Independent certification and risk assessment audits should be used to improve trust.
Top Threats Mitigated
• Webserver vulnerabilities
• Virus and malware
Capability
Product
• Loss of access
• Man-in-the-Middle
Capability
Product
Capability
Product
Adaptive Security Appliance,
Integrated Services Router,
AnyConnect, Meraki MX
Cisco FirePOWER Services
on ASA and UCS-E
Cloud Web Security, Web
Security Appliance, Meraki MX,
Partner OpenDNS
Adaptive Security Appliance,
Integrated Services Router,
Meraki MX
Advanced Malware
Protection
Cisco Advanced Malware Protection
for Endpoint, Anti-Virus (partner),
AnyConnect
SAFE Simplifies Security | External Zones
10
Internet
To Edge
EXTERNAL ZONES
Customers
Key Security Challenge
Field engineer
submitting
work order
Host-based
Security
Identity
Posture
Assessment
Securing connections to service offerings is the
primary goal when establishing communications
with customers outside of the corporate
enterprise. A breach or loss of data creates an
immediate and heightened lack of trust resulting
in loss of commerce.
VPN
Remote Workers
Next-Generation Firewall
Technician
remotely
checking logs
Host-based
Security
Firewall
Next-Gen
Intrusion
Prevention
System
Web
AntiReputation/ Malware
Filtering
Key Security Challenge
VPN
Securing remote access for employees
connecting to the corporate enterprise from
untrusted sites (such as coffee shops and
hotels) is critical for maintaining data security.
Identity-aware access controls, posture
assessments, and encryption enforce a
consistent set of policies before allowing access.
Third-Party Vendors and Partners
Key Security Challenge
Customer
updating
profile
Host-based
Security
Return to Overview
Insecure access by partners and vendors can
quickly compromise business operations.
Implement granular access controls, anomaly
detection, and SLAs to block unauthorized access
and exploitation of trust.
External Zones
Businesses are Connected to Risk
Recent breaches underscore the need to consider the full ecosystem of your partners, customers, vendors, and employees. Traditional perimeter defenses
are not sufficient for the attack vectors present today. Identity aware, policy enforced, and threat anomalies must accompany relationships to secure trust.
Top Threats Mitigated
• Endpoint malware
• Unauthorized/malicious client activity
Capability
Product
• Exploitation of trust
• Man-in-the-Middle
Capability
Product
Capability
Product
Adaptive Security Appliance,
Integrated Services Router,
AnyConnect, Meraki MX
Cisco FirePOWER Services
on ASA and UCS-E
Cloud Web Security, Web
Security Appliance, Meraki MX,
Partner OpenDNS
Adaptive Security Appliance,
Integrated Services Router,
Meraki MX
Advanced Malware
Protection
Cisco Advanced Malware Protection
for Endpoint, Anti-Virus (partner),
AnyConnect
Related documents
energy performance certification testing of appliances and
energy performance certification testing of appliances and
10_2_1_2 Worksheet - Answer Security Policy Questions
10_2_1_2 Worksheet - Answer Security Policy Questions
FUNCTIONAL APPLIANCES
FUNCTIONAL APPLIANCES
Response to Bidders Questions – December 04, 2016
Response to Bidders Questions – December 04, 2016
master_thesis_ECA_appliances_recognition201415
master_thesis_ECA_appliances_recognition201415
Hazardous Materials: Awareness and Operations
Hazardous Materials: Awareness and Operations
Download
advertisement