The SAFE designs also integrate Cisco cloud-based security services, offering flexible deployment options, as well as global threat correlation and response. The result is persistent protection and the consistent enforcement of context-aware security policies for all types of users. This provides greater visibility into device and network security events, and enhanced control of users, devices, and traffic for coordinated threat response. SAFE’s comprehensive security strategy improves an organization’s ability to identify, prevent, and respond to threats, and securely deploy critical business applications and services.

Network Foundation Protection
Device hardening, control and management plane protection throughout the entire infrastructure to maximize availability and resiliency.

In-Band Management
Encryption, endpoint server protection, stateful firewall inspection, application deep-packet inspection, DDoS protection.

Extranet resources secured with endpoint server protection, inline intrusion prevention, stateful firewall inspection, application deep-packet inspection, and DDoS protection.

Extranet Edge Protection
Traffic filtering, rate-limiting, routing security, firewall integration, and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.

Secure Unified Wireless Network
Secure, pervasive access to business applications. Guest access and location services. Integrated wired and wireless security, including confidentiality, identity-based access control, policy enforcement, telemetry and threat detection and mitigation.

Local Threat Detection and Mitigation
Intrusion prevention and network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

TrustSec
Identity aware access controls enforcing a consistent set of policies for users and network devices. Policy-based controls define how network access should be granted, what security requirements must be met, and what network resources are authorized. Link level data integrity and confidentiality with standard encryption. 802.1X infrastructure and appliance based deployment options.

Secure Collaboration
Secure data, voice, video and mobile applications across the network. Secure call processing, voice and video encryption services, dynamic and granular access control, network security policy enforcement, secure firewall traversal.

Endpoint Security
Endpoint signature and behavioral-based protection, operating system and application hardening.

Catalyst Integrated Security Features
Access layer protection provided by port security, Dynamic ARP inspection, IP Source guard, DHCP snooping.

Secure Partner Connectivity
Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication. Granular access control.

Access Edge Security
iACLs, STP security, DHCP protection, ARP and IP spoofing protection, MAC and traffic flooding protection, QoS policy enforcement.

Diagram labels: Partner DMZ, Extranet DMZ, Applications, WAN Edge, Private WAN, Internet Edge, Campus, ISP A, ISP B, Internet, Core, Access, Extranet, Internet VPN.

TrustSec
Identity aware access controls enforcing a consistent set of policies for users and network devices. Policy-based controls define how network access should be granted, what security requirements must be met, and what network resources are authorized. Link level data integrity and confidentiality with standard encryption. 802.1X infrastructure and appliance based deployment options.

Threat Detection and Mitigation
Intrusion prevention and infrastructure based network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

Network Foundation Protection
Device hardening, control and management plane protection throughout the entire infrastructure to maximize availability and resiliency.

Enhanced Availability and Resiliency
Hardened devices and high availability design ensure optimal service availability. Design leverages redundant systems, stateful failover, and topological redundancy.

Secure Mobility for Partners
Protection for PC-based and smartphone mobile users. Persistent and consistent policy enforcement independent of user location. Enforcement of Client Firewall Policies. Optimal gateway selection to ensure best connectivity. Integration with web security and malware threat defense systems deployed at the enterprise premises.

Diagram labels: High-Level View, Distribution, Core, Partner Site, Management, Extranet, Mobile Access, Private WAN, WAN Edge, Remote Site.

Enhanced Availability and Resiliency
Hardened devices leveraging redundant systems, stateful failover, and topological redundancy to ensure service availability. QoS policies to preserve and optimize network services.

Threat Detection and Mitigation
Inline intrusion prevention, network telemetry, and endpoint monitoring to identify and mitigate threats.

Secure WAN/Internet Connectivity
Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication.

Granular Access Control
Extranet edge firewall and filtering rules provide granular access control to necessary resources.

Corporate Access/DMZ
Appliance and cloud-based web and email malware protection, reputation filtering, policy enforcement and data loss prevention. Stateful firewall inspection, intrusion prevention, granular application access control and context-aware policy enforcement.

Threat Detection and Mitigation
Intrusion prevention and infrastructure-based network telemetry to identify and mitigate threats. Firewall and IPS based global correlation, reputation-based filtering, botnet and malware blocking.

Corporate DMZ
Endpoint server protection, inline intrusion prevention, stateful firewall inspection, application deep-packet inspection, DDoS protection.

Secure Mobility
Always-on VPN protection for PC-based and smartphone mobile users. Persistent and consistent policy enforcement independent of user location. Enforcement of Client Firewall Policies. Optimal gateway selection to ensure best connectivity. Integration with web security and malware threat defense systems deployed at the enterprise premises.

TrustSec
Consistent enforcement of security policies with Security Group ACL, and to control access to resources based on user identity and group membership. Link level data integrity and confidentiality with standard encryption.

Integrated Security
Integrated firewall, IPS, and content filtering protects the employee and the corporate network. Consolidated SaaS Access Control.

Network Foundation Protection
Infrastructure Security features are enabled to protect device, traffic plane, and control plane. Device virtualization provides control, data, and management plane segmentation.

Secure Small Office Connectivity
Data confidentiality and integrity through a range of VPN options and PKI for strong, scalable authentication. Granular access control.

Edge Protection
Traffic filtering, routing security, firewall integration, and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.

Secure Unified Wireless Network
Secure pervasive access to business applications. Integrated wired and wireless security, including confidentiality, identity based access control, policy enforcement, telemetry and threat detection and mitigation.

Icon Key
Cisco Nexus 2100 Series
Cisco ACS
Hardened Endpoint
Cisco Nexus 5000 Switch
Cisco ASA
IP-Enabled Phone
Cisco ASA with IPS Module
Cisco Nexus 7000 Switch
Intrusion Prevention System
Cisco Catalyst Access Switch
Cisco ScanSafe SaaS Web Security
Light Weight Access Point
Cisco Catalyst Switch
Cisco SensorBase
MDS Storage
Cisco IOS Firewall/VPN/Voice/IDS/WAE Router
Cisco Unified Communications Manager
NAC Appliance

Diagram labels: Extranet, Campus, WAN, Internet Edge, Internet, Partner Site, Core, Distribution, Borderless, Mobility, Corporate Access, Cisco Cloud-based, Web, DNS, Data Center, Data Center Core, Data Center Distribution, SAN, VDC, Corporate VPN Access, Non-Corporate VPN Access, Corporate, ISP A, ISP B, Mobile Users, Mobile Access, Wireless Carrier, Small Office VPN.