Threat defense: Security Design
Security Design of the network: Cisco SAFE
Branch
Branch PINs (Places in the Network) are usually less secure than campus and data center PINs. Because branches are so numerous, implementing all of the security features used in campus and data center PINs would be costly, which makes branches perfect candidates for security breaches.
Threats: endpoint malware, wireless infrastructure vulnerabilities, unauthorized and malicious client activity, and trust exploitation.
Campus
Campuses accommodate a large number of users, including personnel, guests, etc.
Threats: phishing, web-based exploits, unauthorized network access, malware distribution, and botnet attacks, all prevalent on campus PINs.
Data Center
Data centers are the primary focus of all targeted threats because they store an organization’s most valuable information assets and intellectual property. Servers are the typical device there, and a data center can have thousands of them, making it hard to install and maintain adequate security policies to regulate network access.
Threats: data acquisition, malware distribution, unauthorized network access, botnet infections, data loss, backdoors, and reconnaissance.
Edge
The Internet edge is the most critical PIN since it is the primary entrance and exit point for traffic to and from the Internet.
Threats: web server vulnerabilities, DDoS attacks, data loss, and Man-in-the-Middle attacks.
Cloud
Service-level agreements (SLAs) with cloud service providers mandate cloud security and necessitate independent certification audits and risk assessments.
Threats: web server vulnerabilities, loss of data and access, malware, and Man-in-the-Middle attacks.
Wide Area Network (WAN)
The WAN links all of the PINs. Managing WAN security can be very difficult, especially with hundreds of branches.
Threats: unauthorized network access, WAN sniffing, malware propagation, and Man-in-the-Middle attacks.
Cisco SAFE Secure Domains
- Management – coordinates policies, objects, and alerts. It uses centralized services to manage workflow changes, policy deployments, and patching systems.
- Security Intelligence – used to detect malware and emerging threats. It also allows dynamic policy enforcement for accurate and appropriate security.
- Compliance – PINs must comply with security requirements such as PCI DSS 3.0 and HIPAA.
- Segmentation – defines data and user boundaries. Traditional manual segmentation employs network addresses and VLANs for policy enforcement, while advanced segmentation incorporates identity-aware infrastructure.
- Threat Defense – provides cyber threat visibility through network traffic telemetry, file reputation, and contextual data. It assesses the nature and possible risk of suspicious activities to respond appropriately to cyber threats.
- Secure Services – include Virtual Private Networks (VPNs), access control, and encryption. The security services also enable protection against insecure services through various methods such as authentication and authorization to secure access.
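
The Segmentation domain above contrasts address/VLAN-based enforcement with identity-aware enforcement. The following is an added example, not part of the original page or of Cisco SAFE, that evaluates the same flows under both models. The subnets, VLAN numbers, roles and flow records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan and roles (assumptions, not from the page).
EMPLOYEE_VLAN = 20
EMPLOYEE_NET = ipaddress.ip_network("10.10.20.0/24")
DATA_CENTER = ipaddress.ip_network("10.50.0.0/16")
ROLE_DESTINATIONS = {
    "employee": [DATA_CENTER],
    "contractor": [ipaddress.ip_network("10.50.9.0/24")],
    "guest": [],
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    vlan: int
    role: str  # identity established when the user authenticated to the network
    dst_ip: str

def address_policy(flow):
    """Manual segmentation: VLAN and source subnet stand in for who the user is."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    return flow.vlan == EMPLOYEE_VLAN and src in EMPLOYEE_NET and dst in DATA_CENTER

def identity_policy(flow):
    """Identity-aware segmentation: the decision follows the role, not the port."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(dst in net for net in ROLE_DESTINATIONS.get(flow.role, []))

def compare(flows):
    """Return (label, address_decision, identity_decision) for each flow."""
    return [(label, address_policy(f), identity_policy(f)) for label, f in flows]

# Constructed sample flows.
SAMPLE_FLOWS = [
    ("employee at desk", Flow("10.10.20.15", 20, "employee", "10.50.1.10")),
    ("guest on employee port", Flow("10.10.20.77", 20, "guest", "10.50.1.10")),
    ("employee on wireless", Flow("10.10.30.42", 30, "employee", "10.50.1.10")),
    ("contractor on employee port", Flow("10.10.20.90", 20, "contractor", "10.50.1.10")),
    ("contractor to own servers", Flow("10.10.40.5", 40, "contractor", "10.50.9.20")),
]

if __name__ == "__main__":
    for label, by_addr, by_id in compare(SAMPLE_FLOWS):
        flag = "" if by_addr == by_id else "  <-- decisions differ"
        print(f"{label:28} address={by_addr!s:5} identity={by_id!s:5}{flag}")
```

The rows where the two decisions differ are the cases a VLAN-only design gets wrong: a non-employee on an employee port is over-permitted, and a legitimate user who moves to another subnet is blocked.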