The Cisco SAFE Reference Architecture
The Foundation for Secure Borderless Networks

Cisco SAFE is a security reference architecture that provides detailed design and implementation guidelines to assist organizations looking to build highly secure and reliable networks. SAFE's modular designs take advantage of cross-platform network intelligence and collaboration between Cisco security and network devices, to better address the unique security requirements of every part of the network. The SAFE designs also integrate Cisco cloud-based security services, offering flexible deployment options, as well as global threat correlation and response. The result is persistent protection and the consistent enforcement of context-aware security policies for all types of users. This provides greater visibility into device and network security events, and enhanced control of users, devices, and traffic for coordinated threat response. SAFE's comprehensive security strategy improves an organization's ability to identify, prevent, and respond to threats, and securely deploy critical business applications and services.

For More Information
cisco.com/go/safe
cisco.com/go/security

[The rest of the page is the SAFE architecture poster. The diagram itself is not reproduced here; the module names and the capability descriptions from its callout boxes are listed below, grouped by module.]

High-Level View
Modules shown: Management, WAN Edge, Remote Sites (Medium Site, Large Site), Core, Campus, Internet Edge, Extranet, Partner Site, Data Center, E-Commerce, Small Offices and Teleworkers, Borderless Mobility, Cisco Cloud-based Security Services. The WAN Edge connects to Private WAN service providers (SP 1, SP 2); the Internet Edge connects to ISP A and ISP B.

Management

Monitoring, Analysis and Correlation: Infrastructure-based network telemetry, AAA, firewall, IPS event data, centrally collected and correlated for threat identification and mitigation.

Network Security Policy and Mitigation: Network Access Control, network endpoint profiler, network compliance management, firewall policies, IPS signature, and response enforcement.

Secure Administrative Access: Authorization, authentication, accounting (AAA) services, and directory services. SSL, SSH confidentiality and integrity. Administrative VPN access and granular device access controls.

Configuration Management: Router, switch, Wireless LAN and security configuration management.

Out-of-Band Management: VLAN segregation, or dedicated switches that are independent and physically disparate from the data network. Leverages endpoint protection, dedicated management interfaces, and management VRFs.

In-Band Management: Encryption, endpoint server protection, stateful firewall inspection, application deep-packet inspection, DDoS protection.

Cisco Security Intelligence Operation: described under Cisco Cloud-based Security Services below.

WAN Edge

Threat Detection and Mitigation: Intrusion prevention and network telemetry to identify and mitigate threats. IPS based global correlation, reputation-based filtering, botnet and malware blocking.

Edge Protection: Traffic filtering, routing security, firewall integration, and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.

Secure WAN Connectivity: Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication. Granular access control.

Network Foundation Protection: Device hardening, control and management plane protection throughout the entire infrastructure to maximize availability and resiliency.

Remote Sites

Enhanced Availability and Resiliency: Hardened devices and high-availability design ensure optimal service availability. Per-branch QoS policies and application optimization preserve and optimize remote site services.

Secure Unified Wireless Network: Secure, pervasive access to business applications. Guest access and location services. Integrated wired and wireless security, including confidentiality, identity-based access control, policy enforcement, telemetry and threat detection and mitigation.

Secure Collaboration: Secure data, voice, video and mobile applications across the network. Secure call processing, voice and video encryption services, dynamic and granular access control, network security policy enforcement, secure firewall traversal.

Local Threat Detection and Mitigation: Intrusion prevention and network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

Edge Protection, Network Foundation Protection: as in WAN Edge.

Core and Distribution

Network Foundation Protection: Device hardening, control and management plane protection throughout the entire infrastructure to maximize availability and resiliency.

Enhanced Availability and Resiliency: Hardened devices and high-availability design ensure optimal service availability. Design leverages redundant systems, stateful failover, and topological redundancy.

Threat Detection and Mitigation: Intrusion prevention and infrastructure-based network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

Campus

TrustSec: Identity aware access controls enforcing a consistent set of policies for users and network devices. Policy-based controls define how network access should be granted, what security requirements must be met, and what network resources are authorized. Link level data integrity and confidentiality with standard encryption. 802.1X infrastructure and appliance based deployment options.

Endpoint Security: Endpoint signature and behavioral-based protection, operating system and application hardening.

Catalyst Integrated Security Features: Access layer protection provided by port security, Dynamic ARP inspection, IP Source guard, DHCP snooping.

Access Edge Security: iACLs, STP security, DHCP protection, ARP and IP spoofing protection, MAC and traffic flooding protection, QoS policy enforcement.

Secure Unified Wireless Network, Secure Collaboration, Network Foundation Protection: as above.

Extranet and Partner Site

Extranet Edge Protection: Traffic filtering, rate-limiting, routing security, firewall integration, and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.

Partner DMZ / Extranet DMZ Applications: Extranet resources secured with endpoint server protection, inline intrusion prevention, stateful firewall inspection, application deep-packet inspection, and DDoS protection.

Secure Partner Connectivity: Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication. Granular access control.

Secure Mobility for Partners: Protection for PC-based and smartphone mobile users. Persistent and consistent policy enforcement independent of user location. Enforcement of Client Firewall Policies. Optimal gateway selection to ensure best connectivity. Integration with web security and malware threat defense systems deployed at the enterprise premises.

Granular Access Control: Extranet edge firewall and filtering rules provide granular access control to necessary resources.

Internet Edge

Threat Detection and Mitigation: Inline intrusion prevention, network telemetry, and endpoint monitoring to identify and mitigate threats.

Enhanced Availability and Resiliency: Hardened devices leveraging redundant systems, stateful failover, and topological redundancy to ensure service availability. QoS policies to preserve and optimize network services.

Secure WAN/Internet Connectivity: Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication.

Corporate Access/DMZ: Appliance and cloud-based web and email malware protection, reputation filtering, policy enforcement and data loss prevention. Stateful firewall inspection, intrusion prevention, granular application access control and context-aware policy enforcement.

Hardened Endpoint (Corporate DMZ): Endpoint server protection, inline intrusion prevention, stateful firewall inspection, application deep-packet inspection, DDoS protection.

Secure Mobility: Always-on VPN protection for PC-based and smartphone mobile users. Persistent and consistent policy enforcement independent of user location. Enforcement of Client Firewall Policies. Optimal gateway selection to ensure best connectivity. Integration with web security and malware threat defense systems deployed at the enterprise premises.

Edge Protection, Network Foundation Protection: as in WAN Edge.

Small Offices and Teleworkers

Integrated Security: Integrated firewall, IPS, and content filtering protects the employee and the corporate network. Consolidated SaaS Access Control.

Secure Small Office Connectivity: Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication. Granular access control.

Secure WAN/Internet Connectivity: Multiple VPN options for teleworkers, small offices, and mobile users consolidated into headend aggregation and management model. DMVPN, Easy VPN, GET, SSL VPN, and mobile phone VPN.

Secure Mobility, Secure Unified Wireless Network, TrustSec, Edge Protection: as above.

Data Center

Network Foundation Protection: Infrastructure security features are enabled to protect device, traffic plane, and control plane. Device virtualization provides control, data, and management plane segmentation. Virtual device contexts can be applied per zone for data plane segmentation.

Server Farm Traffic Filtering: Firewall and IPS based protection. Virtual Contexts provide segmentation and policy enforcement for server to server communication.

Server Load Balancing: Server load balancing masks servers and applications and provides scaling. Application firewall mitigates XSS-, HTTP-, SQL-, and XML-based attacks.

Application Security: Additional IPS/IDS provides traffic analysis and forensics. Application Firewall Services for Server Farm zone specific protection, with policies that are dynamically provisioned and transparent to VM mobility.

Centralized Security and Application Service Modules and Appliances: Stateful Packet Filtering, Network Intrusion Prevention, Virtual Firewall (firewall service to extend security posture into a virtualized multi-tenant environment), Access Edge Security (ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS), Flow-Based Traffic Analysis (NAM virtual blade; traffic analysis and reporting, VM-level interface statistics, database performance monitoring), Server Load Balancing.

TrustSec: Consistent enforcement of security policies with Security Group ACL, and to control access to resources based on user identity and group membership. Link level data integrity and confidentiality with standard encryption.

Threat Detection and Mitigation: Intrusion prevention and network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

E-Commerce

Tiers shown: Web Tier, Application Tier, Database, with an Access Edge Security Tier in front of each.

Access Edge Security Tier: Access List, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs. Traffic filtering, STP security, DHCP protection, ARP and IP spoofing protection, MAC and traffic flooding protection, and private VLANs to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic. QoS and network policy enforcement.

Network IPS: Provides in-depth traffic analysis and filtering.

Cisco Cloud-based Security Services

Cisco Security Intelligence Operation
Threat Operations Center: A global team of security analysts and automated systems that extract actionable intelligence.
Cisco SensorBase: The world's largest threat-monitoring network that captures global threat telemetry data from an exhaustive footprint of Cisco devices and services. Provides real-time reputation database updates for Email, Web Security, IPS and ASA appliances.
Dynamic Updates: Real-time updates automatically delivered to security devices, along with best-practice recommendations and other content dedicated to helping customers track threats, analyze intelligence, and ultimately improve their organization's overall security posture.

IronPort Email Security: Provides Hosted Email Security (SaaS), Hybrid Hosted Email Security and Managed Email Security deployment options for anti-spam, reputation-based filtering, data loss prevention, malware filtering, and email confidentiality.

ScanSafe SaaS Web Security: SaaS (Software-as-a-Service) Web Security service that protects organizations against known and zero-day malware attacks. Real-time web security and filtering with centralized policy control, granular user policies, and mobile user protection (Anywhere+ client).

Icon Key
Cisco Nexus 2100 Series; Cisco ACS; Cisco Nexus 5000 Switch; Cisco ASA; IP-Enabled Phone; Cisco ASA with Intrusion Prevention System; Cisco Nexus 7000 Switch; IPS Module; Cisco Catalyst Access Switch; Cisco ScanSafe SaaS Web Security; Light Weight Wireless Access Point; Cisco Catalyst Switch; Cisco SensorBase; MDS Storage; Cisco Small Office IOS Firewall/VPN/Voice/IDS/WAE Router; Cisco Unified Communications Manager; NAC Appliance; Cisco IOS Firewall/VPN Router; Cisco Unified Personal Communicator; NAC Manager; Cisco Unity Connection Server; Cisco VPN/Voice Router; NAC Profiler; Cisco Voice Unity Express Router; Cisco Webex Client; Server Rack; Unified Computing System; Cisco IronPort Email Security Appliance; CS-MARS; Smart Mobile Device; CSM; Cisco IronPort Web Security Appliance; TelePresence; Cisco IronPort Email Security Services; Console Server; FWSM; Cisco Nexus 1000 Virtual Switch; Cisco Catalyst Wireless LAN Controller; Cisco Nexus 1010 Series; FWSM or Cisco ASA.

Copyright © 2010 Cisco Systems, Inc. All rights reserved.
