Cisco SAFE

Take advantage of this validated next-generation security architecture and its design and implementation guidelines for building highly secure networks. (4:16 min)



Attend the SAFE technical sessions at Cisco Live! June 27-July 2

Cisco SAFE provides detailed design and implementation guidelines for organizations looking to build highly secure and reliable networks.

SAFE takes advantage of the collaboration between Cisco's security and network platforms. The results are:

  • Greater visibility into devices and security events on the network
  • Enhanced control of users, devices, and traffic for coordinated threat responses

Current SAFE modules include:

  • Data Center
  • LAN/Campus
  • WAN Edge
  • Extranet
  • Internet Edge
  • E-Commerce
  • Branch
  • Partner
  • Cisco Virtual Office
  • Remote User

SAFE Architecture Overview

  • Step-by-step guidance
  • Fully tested and validated
  • Layered security using best practices
  • Business-critical service availability
  • Modular design to allow strategic improvement

Featured Content
NEW Lippis Report on SAFE: The Gestalt Approach To IT Security Takes Shape
Recently published Lippis Report 129: The Gestalt Approach To IT Security Takes Shape. This report includes a podcast by Bill McGee, titled Cisco Offers Security Framework Named SAFE.

Cisco SAFE Security Reference Guide
Design guidelines for securing networks.

Cisco SAFE Executive White Paper
Overview of SAFE, including risk reduction, strategic deployment, and lifecycle services.

Cisco SAFE Solution Overview
SAFE technical overview, including the Security Control Framework and SAFE strategy for places in the network.

Cisco SAFE Overview Poster
Detailed overview of all SAFE modules, including recommended solutions and security strategies.

Cisco SAFE Poster
Purchase a 24x36 full-color copy of the SAFE Poster through Cisco Marketplace.

The SAFE architecture provides detailed design and implementation guidance for securing the devices and services at the branch.


Tested and validated security designs for the branch


Branch Overview
Branches provide connectivity to users and devices at remote locations. They typically implement one or more LANs and connect to central sites via a private WAN or an Internet connection. Branches may also host local data, voice, and video services.

Branches require much the same security as deployed at the enterprise level.


Branch Threats
Branch networks face a number of security threats:

  • Service disruption caused by botnets, malware, viruses, and distributed denial-of-service attacks.
  • Unauthorized users gaining access to network services and confidential data.
  • Data disclosure and modification resulting from sniffing and man-in-the-middle attacks on data in transit.
  • Network abuse, including peer-to-peer and instant messaging abuse, out-of-policy browsing, and attempts to access forbidden content.

SAFE Steps to Securing Medium- and High-Performance Branches
To provide comprehensive branch security, SAFE provides detailed design and implementation guidelines for effective security strategies:

Medium-Performance Branches (up to 1.5 Mbps)

  1. Integrated Services Router: This router includes integrated security services such as firewall, IPS, and VPN. It may also provide services such as a call manager express. Filtering mechanisms are implemented for antispoofing and to block invalid packets.
  2. Switch Security: A Layer 2 switch provides connection ports to endpoints and other devices. The switch is secured by controlling administrative access, protecting the management and control planes, and securing DHCP, ARP, and other vital protocols.
  3. Secure Endpoints: Endpoints are secured with endpoint security software. A monitoring and analysis system processes alerts and alarms generated by IPS on the router or the endpoint security software.

High-Performance Branch (40 Mbps or more)

  1. Secure Router: A router is primarily used for routing and VPN, and may also provide voice service. This router is hardened following the best practices described in SAFE’s Secure Network Foundation section. Access control lists and other filtering mechanisms are used for antispoofing and to block invalid packets.
  2. Firewall and IPS: These security devices are implemented with an integrated security appliance. Administrative access is hardened using the procedures in SAFE’s Secure Network Foundation section.
  3. Switch Security: A Layer 2 switch provides connection ports to endpoints and other devices. The switch is secured using best practices described in SAFE's Secure Network Foundation section. This includes controlling administrative access, protecting the management and control planes, and securing DHCP, ARP, and other vital protocols.
  4. Secure Endpoints: Endpoints are secured with the use of endpoint security software. A monitoring and analysis system processes alerts and alarms generated by IPS on the router or the endpoint security software.

The SAFE architecture provides detailed design and implementation guidance for securing today's dynamic campus environments.


Validated security designs for campus environments


The enterprise campus is the center of activity on the network. It provides network access to end users and devices located at the same location, which may span several floors in a single building, or multiple buildings covering a larger area. The campus may also host local data, voice, and video services.

Security events within the campus can seriously disrupt activities and undermine productivity. In addition, because the campus is behind the perimeter, it can provide simplified access to sensitive or critical data.


Campus Threats
The SAFE security architecture addresses a wide range of security threats affecting the campus:

  • Service disruption: Botnets, malware, viruses, and denial-of-service attacks on services and infrastructure.
  • Unauthorized access: Unauthorized users, escalation of privileges, unauthorized access to restricted resources.
  • Data disclosure and modification: Sniffing and man-in-the-middle attacks on data while in transit.
  • Network abuse: Peer-to-peer and instant messaging abuse, out-of-policy browsing, access to forbidden content.
  • Data leakage: Access to data in transit and at rest on servers and user endpoints.
  • Identity theft and fraud: Targeting servers and end users, including phishing and email spam.


Design and Implementation Guidance
To address these threats, the SAFE campus architecture provides detailed design and implementation guidance that covers:

  • Service availability and resiliency
  • Prevention of unauthorized access, network abuse, intrusions, data leakage, and fraud
  • Protection of data confidentiality, integrity, and availability
  • Traffic control through user segmentation
  • Enforcement of access control policies
  • Protection of endpoints

The SAFE campus design addresses all campus segments, including core, distribution, and access layers, as well as essential campus management and services.



SAFE Steps to Securing the Campus
To achieve comprehensive campus security, SAFE provides detailed design and implementation guidelines for the following security strategies:

  1. Full topological redundancy. To help ensure resiliency and availability of essential campus services, SAFE proposes implementing switches in pairs and deploying redundant links.
  2. Switch hardening. Switches are protected from attacks through restricting and controlling administrative access, protecting the management and control planes, securing the dynamic exchange of routing information, and following VLAN best practices.
  3. Protection of distribution switches. Because distribution switches aggregate connections from access switches, they can be leveraged as a single point of control. SAFE recommends connecting an inline IPS device to those switches to block known attacks and suspicious activity. Alerts and alarms are processed by a monitoring and analysis system.
  4. Service switch protection. In many campus networks, an optional set of service switches is used to host services to the local campus users. A stateful firewall may be used to enforce access control policies to these services. The IPS device may connect to these service switches as well.
  5. Endpoint security. Endpoint security software protects the desktops and laptops connecting to the access switches. The information generated from these endpoints is processed by a monitoring and analysis system.
  6. Access switch protection. The access switches act as a first line of defense against threats generated by devices connecting to them. Port security, DHCP, and ARP security features may be deployed at this level. In addition, access switches may enforce authentication and role-based access to systems connecting to them.
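The following Cisco IOS configuration fragment is an added illustration, not taken from this page or from any SAFE design guide, of the access switch protections named in step 6 above and of the branch switch security described earlier (controlling administrative access, protecting the management and control planes, and securing DHCP and ARP). It applies SSH-only management with a management ACL, DHCP snooping, Dynamic ARP Inspection, port security, BPDU guard, and 802.1X authentication on a Catalyst access switch. The hostname, VLAN 10, the interface numbers, the 10.0.100.0/24 management subnet, the RADIUS server address, and the credential placeholders are all constructed for this example and are not values from the page.

```cisco
! --- Management plane: local AAA, SSH v2 only, no HTTP/Telnet management ---
! (all names and addresses below are constructed for this example)
hostname ACCESS-SW1
ip domain-name example.com
crypto key generate rsa modulus 2048
aaa new-model
aaa authentication login default local
username admin privilege 15 secret <strong-password-placeholder>
ip ssh version 2
no ip http server
no ip http secure-server
!
! Only the management subnet may open a management session
ip access-list standard MGMT-ACCESS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 15
 transport input ssh
 exec-timeout 10 0
 access-class MGMT-ACCESS in
!
! --- 802.1X: authenticate endpoints and let RADIUS assign their role/VLAN ---
radius-server host 10.0.100.10 key <shared-secret-placeholder>
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! --- Control plane: DHCP snooping and Dynamic ARP Inspection on the user VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! drop option 82 insertion unless the upstream relay is configured to accept it
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink to the distribution layer: the only port allowed to source DHCP
! offers and unvalidated ARP replies
interface GigabitEthernet1/0/48
 description UPLINK-DIST1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports: untrusted for DHCP/ARP, limited MAC count, no BPDUs
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
 authentication port-control auto
 dot1x pae authenticator
```

The `violation restrict` mode drops offending frames and raises a syslog/SNMP notification rather than error-disabling the port, which keeps the event visible to the monitoring and analysis system without taking a user offline; `shutdown` is the stricter alternative where that trade-off is acceptable. DHCP snooping must be enabled before Dynamic ARP Inspection has a binding table to validate against, so the two are configured on the same VLAN.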

The SAFE Architecture provides detailed design and implementation guidance for securing the next-generation data center.


Security for the next-generation data center


Data centers are the central repository for your organization's critical and sensitive data. They host the systems that serve your business and web applications, and store the data that should be accessible only to internal users.

In today's threat environment, criminals target data centers in order to mine them for confidential customer, employee, and business data, and to implement catastrophic business disruption attacks.


Data Center Threats
The SAFE security architecture addresses a wide range of threats to the data center:

  • Service disruption: Criminals target data center services with a wide range of attacks, including botnets, server-specific denial-of-service attacks, and distributed denial-of-service attacks on services and infrastructure.
  • Data leakage: Criminals try to steal data from servers, intercept data in transit, and access data at rest.
  • Breach of data confidentiality and integrity: Many attacks focus on the corruption of data, or the insertion of infected attachments or content into data either in storage or in transit.
  • Intrusions and takeover: Exploitation of public servers, web defacements, and abuse of applications provide criminals with opportunities to disrupt business and steal critical information.
  • Identity theft and fraud: Phishing and email spam targeting servers and end users are a growing threat to individuals and organizations.


Design and Implementation Guidance
To address these threats, the SAFE Data Center architecture module provides detailed design and implementation guidance that covers:

  • Service availability and resiliency through link and system redundancy
  • Prevention of unauthorized access, application abuse, intrusions and takeover, data leakage, and fraud
  • Prevention of data disclosure and modification
  • Traffic control through user segmentation
  • Enforcement of access control policies
  • Protection of server endpoints

The SAFE data center design addresses devices and segments, including core, distribution, and access, as well as essential data center management and services.



SAFE Steps to Securing the Data Center
To provide comprehensive data center security, SAFE recommends and provides detailed design and implementation guidelines for the following security strategies:

  1. Secure the core switches: Layer 2/Layer 3 switches build the data center core and aggregate links from other data centers. These switches are secured using the practices described in the Secure Network Foundation section of the SAFE Security Architecture design guide.
  2. Segmentation of distribution switches: Redundant distribution switches are responsible for aggregating the Layer 2/Layer 3 links connecting the access switches. Where a multilayer design is required, each layer is implemented as a separate VLAN that may span from distribution all the way to the access switches.
  3. Stateful firewall deployment: The SAFE Security Architecture for Data Centers design uses stateful firewalls configured in failover mode to protect servers and help ensure segregation between application layers. The firewall's deep packet inspection mitigates DoS attacks and enforces protocol compliance. Web applications are protected with a web application firewall.
  4. Traffic inspection and protection: An IDS device is used to identify well-known attacks and suspicious activity. Complementary to the IDS, an anomaly detection system is also deployed at the web tier.
  5. Server protection: Servers residing at the different layers are protected with endpoint security software. Alerts and alarms generated by the IDS and endpoint security software are processed by a monitoring and analysis system.
  6. Switch hardening: All switches are hardened using the procedures in the SAFE Security Architecture’s Secure Network Foundations section. In addition, the access switches may be configured with port security and other Layer 2 protection features.

The SAFE Architecture provides design and implementation guidance for securing devices and services at the Internet edge.


Tested security designs for the network Internet edge


The Internet Edge provides essential connectivity to the Internet and its services, each with its own unique security concerns.

Because it is at the extreme edge of the network, the Internet edge is the most common target for attacks and criminal activity.


Internet Edge Threats
The following are some of the security threats affecting the Internet Edge:

  • Service Disruption: Service and availability attacks at the Internet edge include botnets, server-specific denial-of-service attacks, and distributed denial-of-service attacks on services and infrastructure. It is also the common point of attack for malware and virus infections.
  • Network Abuse: Network and application services can be compromised by outsiders trying to break into the network, and by insiders abusing network use policies. These issues include peer-to-peer and instant messaging abuse, out-of-policy browsing, and access to forbidden content.
  • Data Leakage: A wide variety of attack strategies attempt to intercept or steal critical or sensitive data from servers and user endpoints, including data in transit, in use, and at rest.
  • Intrusions and Takeover: Many attacks vandalize web properties, defraud customers and employees, establish an attack beachhead on compromised servers, and exploit public servers.
  • Identity Theft and Fraud: Phishing and email spam attacks, for example, pass through the Internet edge to target servers and end users.


Design and Implementation Guidance
To address these threats, the SAFE Internet Edge architecture module provides detailed design and implementation guidance that covers:

  • Service availability and resiliency through link and system redundancy, traffic filtering, device hardening, and content analysis
  • Prevention of unauthorized access, application abuse, intrusions and takeover, data leakage, and fraud
  • Prevention of data theft, disclosure, and modification
  • Enforcement of access control, application and network use, and Internet use policies
  • Protection of servers and endpoint devices

The SAFE Internet edge design addresses edge devices and connection segments, including corporate access, DMZ, and remote access, as well as essential data center management and services.



SAFE Steps to Securing the Internet Edge
To provide comprehensive Internet edge security, SAFE provides detailed design and implementation guidelines for the following security strategies:

Corporate Access and DMZ

  1. Firewall Protection: Redundant edge firewalls enforce access policies, keep track of connection status, and inspect packet payloads.
  2. Redundancy and Distributed Denial of Service Protection: Two redundant outer switches provide Layer 2 connectivity between the edge routers and the firewalls. These outer switches also provide connectivity to the distributed denial of service (DDoS) mitigation component.
  3. Secure Services: The public services DMZ is designed with a pair of redundant switches.
  4. Secure Connection to the Internal Network: A pair of redundant inner switches provides Layer 3 and Layer 2 connectivity between the Internet edge and the rest of the enterprise network.
  5. Hardening Switches: Switches are secured by restricting and controlling administrative access, protecting the management and control planes, and securing the switching infrastructure.
  6. Anomaly Detection: An anomaly detection system can identify DDoS and other network-based attacks, and works in conjunction with the DDoS Mitigation System.
  7. Intrusion Prevention: An IPS device is deployed inline at the level of the inner switches to identify and block known attacks or malicious activity.
  8. Web Security: A web security system inspects web traffic bound for the Internet. This system blocks spyware, malware, and other known threats, provides content filtering, and optionally authenticates user requests.
  9. Email Security: Email communications are inspected by the Secure Messaging system deployed at the DMZ that hosts the mail server.


Remote Access
The remote access VPN segment of the Internet edge provides secure connectivity to remote users.

  1. Redundant VPN Firewalls: Two VPN firewalls authenticate access from remote users, provide encrypted access to applications and data, enforce access policies, and protect the organization's internal resources and data.
  2. IPSec and SSL VPN: Remote user access is authenticated and encrypted with either SSL or IPSec.
  3. Intrusion Prevention: An IPS device deployed inline at the firewall's inside segment inspects traffic coming and going to remote users.
  4. Secure Remote Email: For remote users using the central email service, the secure messaging system at the mail server inspects all email communications, analyzes email payloads, and eliminates threats.
  5. Endpoint Security: Remote user endpoint security works in conjunction with the IPS and with the monitoring and analysis system. This collaboration allows better calculation of risk levels associated with an event, and the dynamic enforcement of watch lists for potentially compromised systems.

The SAFE architecture provides design and implementation guidance for securing devices and services at the WAN edge.


Tested and validated security designs for the WAN edge


WAN Edge Overview
The WAN edge aggregates the WAN links that connect geographically distant branch offices to a central or regional hub site. The WAN provides branch users with the same network services as campus users at the central site.


WAN Edge Threats
WAN edge services are vulnerable to a number of security threats:

  • Service Disruption: Service and availability attacks at the WAN edge include botnets, server-specific denial-of-service attacks, and distributed denial-of-service attacks on services and infrastructure.
  • Network Abuse: Network abuse issues include peer-to-peer and instant messaging abuse, out-of-policy browsing, and access to forbidden content.
  • Data Disclosure and Modification: Common data-focused attacks include sniffing and man-in-the-middle attacks on data in transit.


Design and Implementation Guidance
To address these threats, the SAFE WAN edge architecture module provides detailed design and implementation guidance that covers:

  • Hardening each network infrastructure device, securing the routing and switching services, and enforcing network security policies
  • Encrypting traffic over the WAN to secure communications
  • Using various forms of network telemetry and integrating IPS into the corporate head-end to detect and mitigate threats
  • Monitoring the network through the implementation of network telemetry and anomaly detection and correlation tools


SAFE Steps to Securing the WAN Edge
To provide comprehensive WAN edge security, SAFE includes detailed design and implementation guidelines for the following security strategies:

  1. Redundant WAN routers: These routers aggregate the links to branch offices and other regional offices. These routers may also provide QoS and rate-limiting. Access control lists (ACLs) may be enforced to allow only VPN traffic from trusted sources. ACLs and other filtering mechanisms are implemented for antispoofing and to block invalid packets.
  2. Redundant VPN Routers: Deployed behind the aggregation routers, these routers are responsible for authenticating VPN endpoints and terminating encrypted tunnels. The VPN routers are hardened and may also provide QoS and rate-limiting. The routers can also be configured to control spoke-to-spoke traffic transiting the hub.
  3. Intrusion Prevention: Distribution switches connect the VPN routers to the network core. An IPS connects to those switches to identify and block well-known attacks and suspicious activity coming from or directed to the branches. A monitoring and analysis system processes alerts and alarms.
  4. Internet Backup: Internet WAN backup is implemented with a separate set of VPN routers, dedicated to authenticating branches, terminating the encrypted tunnels, and enforcing firewall policies. Should the WAN links to a branch fail, traffic is automatically redirected over the Internet and over an authenticated and encrypted VPN connection.
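As an added example of the filtering described for the WAN aggregation routers in step 1 above, and of the antispoofing filters the branch router sections call for, the Cisco IOS fragment below is not from this page or a SAFE guide; it shows an extended ACL applied inbound on a hub router's WAN interface that drops packets carrying internal or reserved source addresses and admits only IPsec VPN traffic (IKE on UDP 500, NAT-T on UDP 4500, and ESP) from the trusted branch address block. The interface name and every address (203.0.113.1 for the hub, 198.51.100.0/24 for the branches, 10.0.0.0/8 as the enterprise interior) are constructed for the example.

```cisco
! Inbound filter for the WAN-facing interface of a hub/aggregation router.
! Addresses are constructed for this example:
!   203.0.113.1      this router's WAN address
!   198.51.100.0/24  trusted branch (VPN peer) address block
!   10.0.0.0/8       enterprise internal range (must never arrive from the WAN)
ip access-list extended WAN-IN
 remark --- antispoofing: internal and reserved sources cannot legitimately arrive here
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark --- packets claiming to come from our own WAN address are spoofed
 deny   ip host 203.0.113.1 any log
 remark --- only VPN control and data traffic, and only from trusted branches
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq isakmp
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq non500-isakmp
 permit esp 198.51.100.0 0.0.0.255 host 203.0.113.1
 remark --- keep path MTU discovery working for the tunnels
 permit icmp any host 203.0.113.1 packet-too-big
 remark --- everything else is invalid here: drop and record it
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN-UPLINK
 ip address 203.0.113.1 255.255.255.252
 ip access-group WAN-IN in
 ! strict unicast RPF: the source must be reachable back out this interface
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
! Router hardening basics from the Secure Network Foundation guidance
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
```

Strict uRPF (`reachable-via rx`) assumes symmetric routing toward the branches; on a hub with multiple WAN paths use `reachable-via any` (loose mode) or the check will drop legitimate return traffic. The final `deny ip any any log` and the logged antispoofing entries are what make the filter useful to the monitoring and analysis system in step 3, since the dropped-packet syslog records are the evidence of spoofing or scanning attempts; on a busy link, keep an eye on the CPU cost of logging and rely on the router's log rate-limiting.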