SAFE Security Architecture Toolkit
July 2018
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Table of Contents
• SAFE Toolkit Overview
• Capabilities Flows and Endpoints
• Architectures
• Designs
• SAFE Icon Library
• Tools, Rules and Techniques
• Contact
Cisco SAFE simplifies security so your conversations can focus on the needs of a business. By mapping the flows of the business, specific threats can be addressed with corresponding security capabilities, architectures, and designs.
The SAFE Toolkit includes the elements required to facilitate security discussions. You can use the items on these slides to build presentations using SAFE best-practice illustrations and diagrams. And you can customize the diagrams to suit your business.
This toolkit complements the SAFE Overview, Architecture and Design Guides, which can be found at www.cisco.com/go/safe.
SAFE Toolkit Overview
High-level SAFE Graphics
The following slides contain graphics that you can use to introduce SAFE and explain SAFE concepts and components.
The Key to SAFE
SAFE Progression of Capabilities
SAFE Architecture Wheel
SAFE Capabilities Flows and Endpoints
First, identify the capabilities your customer needs their network to provide to the business.
Next, you can use the endpoints and capabilities icons to map the business flows.
Mapping the threats the customer faces onto the capabilities is the key to SAFE.
SAFE Master Capabilities Flows
Internal Business Flows:
• Secure web access for employees: Employee researching product information (endpoints: Employee, Website)
• Secure communications for collaboration: Subject matter expert consultation (endpoints: Colleague, Expert)
• Secure communications for email: CEO sending email to shareholder (endpoints: CEO, Shareholder)
• Secure applications for PCI: Clerk processing credit card transaction (endpoints: Clerk, Payment Application)
[Diagram: each flow is annotated with its capability icons, drawn from Firewall, Intrusion Prevention, Tagging, Anti-Malware, Threat Intelligence, Flow Analytics, Client-Based Security, Identity, Posture Assessment, Application Visibility Control, Email Security, Web Security, Web Application Firewall and Server-Based Security.]
SAFE Master Capabilities Flows
Third-Party Business Flows:
• Secure remote access for third party: Connected device with remote vendor support (endpoints: Remote Technician, Thermostat)
• Secure remote access for employees: Field engineer updating work order (endpoints: Engineer, Workflow Application)
• Secure east-west traffic for compliance: PCI compliance for financial transactions (endpoints: Database, Payment Application)
[Diagram: each flow is annotated with its capability icons, drawn from Firewall, Intrusion Prevention, Tagging, Anti-Malware, Threat Intelligence, Flow Analytics, Client-Based Security, Identity, Posture Assessment, Server-Based Security, Web Application Firewall, Distributed Denial of Service Protection, DNS Security and Virtual Private Network.]
SAFE Master Capabilities Flows
Customer Business Flows:
• Secure web access for guests: Guest accessing the Internet for comparative shopping (endpoints: Guest, Website)
• Secure web access for guests: Guest accessing the Internet to watch hosted video (endpoints: Guest, Website)
• Secure applications for PCI: Customer making purchase (endpoints: Customer, E-commerce)
[Diagram: each flow is annotated with its capability icons, drawn from Firewall, Intrusion Prevention, Tagging, Anti-Malware, Threat Intelligence, Flow Analytics, Server-Based Security, Web Application Firewall, Distributed Denial of Service Protection, Application Visibility Control, Identity, DNS Security, Wireless Rogue Detection and Wireless Intrusion Prevention.]
SAFE Master Endpoints
Use these endpoints to further customize your SAFE capabilities flows. Industry-specific endpoints are provided on the following slides.
[Endpoint icons: CEO, Clerk, Customer, Guest, Manager, Salesperson, Shareholder, Subject Matter Expert, Remote Colleague, Remote Employee, Remote Technician, Secure Partner, Technician, Automated Process, Building Controls, Server, Video Camera, Video Surveillance.]
SAFE Architecture Diagrams
SAFE architecture diagrams convey the network structure at a high level without naming specific products. Architectures can also reference capabilities.
The following architecture diagrams are best-practice references for each Place in the Network (PIN).
They may be used as is or you may customize them. Customization instructions are in the Tools and Rules section beginning on slide 38.
Small Branch Architecture
[Diagram. Business use cases: Secure Third Parties (third-party technician accessing logs; Building Controls); Secure Communications (Subject Matter Expert; Remote Colleague); Secure Applications (clerk processing credit card; Payment Processing); Guest Wireless (customer browsing prices; Comparative Shopping Website); Secure Web (branch manager browsing information; Product Information Website). Columns: Endpoints, Access, Services. Rows: Human, Devices, Network, Applications. Endpoints: Environmental Controls, Employee Phone, Corporate Device, Mobile Device, Corporate Wi-Fi Device. Network elements: Wireless Access Point, Access Switch, Router, Server.]
Medium Branch Architecture
[Diagram. Business use cases: Secure Third Parties (third-party technician accessing logs; Building Controls); Secure Communications (Subject Matter Expert; Remote Colleague); Secure Applications (clerk processing credit card; Payment Processing); Guest Wireless (customer browsing prices; Comparative Shopping Website); Secure Web (branch manager browsing information; Product Information Website). Columns: Endpoints, Access, Services. Rows: Human, Devices, Network, Applications. Endpoints: Environmental Controls, Employee Phone, Corporate Device, Mobile Device, Corporate Wi-Fi Device. Network elements: Wireless Access Point, Access Switch, Distribution Switch, Wireless Controller, Router, Server.]
Large Branch Architecture
[Diagram. Business use cases: Secure Third Parties (third-party technician accessing logs; Building Controls); Secure Communications (Subject Matter Expert; Remote Colleague); Secure Applications (clerk processing credit card; Payment Processing); Guest Wireless (customer browsing prices; Comparative Shopping Website); Secure Web (branch manager browsing information; Product Information Website). Columns: Endpoints, Access, Collapsed Core & Distribution, Services. Rows: Human, Devices, Network, Applications. Endpoints: Environmental Controls, Employee Phone, Corporate Device, Mobile Device, Corporate Wi-Fi Device. Network elements: Wireless Access Point, Switches, Distribution Switch, Wireless Controller, Firewall, Router, Communications Manager, Web Security, Server.]
Campus Architecture
[Diagram. Business use cases: Secure Third Parties (third-party technician accessing logs; Building Controls); Secure Communications (Remote Colleague; Subject Matter Expert); Secure Web (employee browsing; Wholesaler Website); Guest Wireless (guest browsing; Comparative Shopping Website); Secure Email (CEO sending email to shareholders; shareholder receiving email from CEO). Columns: Endpoints, Access, Distribution, Core, Services, grouped into a Building Block and a Core Block. Rows: Human, Devices, Network, Applications. Endpoints: Environmental Controls, Employee Phone, Corporate Device, Mobile Device, Corporate Wi-Fi Device. Network elements: Wireless Access Point, Switches, Distribution Switch, Core Switch, Wireless Controller, Firewalls, Router, Communications Manager, Guest Wireless, Web Security, Blade Server.]
WAN Architecture
[Diagram. Connects to Campus/Branch on one side and to the Data Center on the other; label: Software-defined. Business use cases: Payment Processing (clerk processing credit card); Building Controls (third-party technician accessing logs); Secure Email (CEO sending email to shareholders; shareholder receiving email from CEO); Comparative Shopping Website (guest browsing); Wholesaler Website (employee browsing). Services column. Row: Network. Network elements: Switch, Firewall, Switch, Router.]
Data Center Architecture
[Diagram. Connects to Edge and to WAN. Business use cases: East/West Traffic (Database; Payment Application); Payment Processing (clerk processing credit card; Payment Application); Comparative Shopping Website (guest browsing); Communication Services / Shareholder Emails (CEO sending email to shareholders; shareholder receiving email from CEO); Wholesaler Website (employee browsing); Workflow Automation (field engineer submitting work order; Workflow Application); Building Controls (third-party technician accessing logs). Columns: Endpoints, Access, Distribution, Core, Services. Rows: Applications, Servers, Network. Elements: Secure Servers, Fabric Switch, Leaf Switches, Spine Switch, Load Balancer Appliances, Controller, Firewalls, Distribution Switches, Core Switch, Identity Server, Management Console, Communications Manager, Wireless Controller.]
Edge Architecture
[Diagram. Connects to the Internet (Untrusted) on one side and to the Enterprise Core (Trusted Enterprise) on the other; zones: VPN, DMZ, Perimeter Services. Business use cases: Building Controls (third-party technician accessing logs); Workflow Application (field engineer submitting work order); Payment Application (customer making purchase); Wholesaler Website (employee browsing); email (CEO sending email to shareholders; shareholder receiving email from CEO); Comparative Shopping Website (corporate guest accessing Internet). Row: Network. Elements: Switches, Secure Server, Load Balancer Appliance, SD WAN, Wireless Controller, Firewalls, VPN Concentrator, Email Security, Router, Web Security.]
Cloud Architecture
[Diagram. Business use cases: Hosted E-Commerce (guest browsing); Shareholder Emails; Workflow Automation (technician submitting task; Workflow Application); Payment Processing (customer making purchase; Payment Application); Database Zone with East/West Traffic. Capabilities shown: Distributed Denial of Service Protection, DNS Security, Anti-Malware, Threat Intelligence, Anomaly Detection, Web Reputation/Filtering/DCS, Application Visibility Control (AVC), Identity/Authorization. Rows: Network Services, Applications, Services. Elements: Secure Servers, Storage Server, vSwitches, vRouter, Load Balancers, Firewall Virtual Appliances.]
SAFE Design Diagrams
SAFE design diagrams show the specific products and the flow/structure needed to satisfy the desired security capabilities of a particular network.
The following design diagrams are best-practice references for selected Places in the Network (PINs). Contact the Cisco SAFE Team for assistance in building customized SAFE designs in Visio.
SAFE Icon Library
If you need to customize SAFE capabilities flows or architectures, you’ll find the icons on the following slides.
Human Icons
• Users: Employees, third parties, customers, and administrators.
• Identity: Identity-based access. Architecture icon: Identity Directory. Products: Cisco Identity Services Engine Appliance; Cisco Identity Services Engine Virtual Appliance. Threat: Rogue: Attackers accessing restricted information resources.
Additional Human Icons
[Icons: Identity Directory, MS Active Directory, CEO, Clerk, Customer, Guest, Manager, Shareholder, Expert, Remote Employee, Secure Partner, Person, People.]
Devices Icons
• Clients: Devices such as PCs, laptops, smartphones, tablets.
• Client-Based Security: This capability represents multiple types of security software to protect clients. Architecture icon: Corporate Device. Products: Cisco Advanced Malware Protection for Endpoints; Cisco Umbrella; Cisco AnyConnect; Built-in OS Firewall or Partner Products. Threat: Malware: Viruses, malware, and attacks that compromise systems.
• Anti-Malware: Products: Cisco Advanced Malware Protection for Endpoints. Threat: Malware: Viruses, malware, and attacks that compromise systems.
• Anti-Virus: Products: Cisco Advanced Malware Protection for Endpoints (TETRA). Threat: Virus: Viruses compromising systems.
[Icons: Client-Based Security, Anti-Malware, Anti-Virus, Corporate Device, Workstation.]
Devices Icons
• Clients: Devices such as PCs, laptops, smartphones, tablets.
• Personal Firewall: Architecture icon: Corporate Device. Products: Built-in OS Firewall; Partner Products. Threat: Exploit Redirection: Unauthorized access and malformed packets connecting to client.
• Cloud Security: Combination icon representing several security capabilities provided by the cloud. Products: Cisco Umbrella - Secure Internet Gateway (SIG); Cisco AnyConnect Agent; Cisco Cloudlock; Cisco Web Security Appliance; Cisco Meraki MX; Cisco Firepower with URL Filtering; Cisco Viptela SD-WAN. Threat: Phish Link: Redirection of user to malicious web site.
• Posture Assessment: Client endpoint compliance verification and authorization. Products: Cisco AnyConnect Agent; Cisco Identity Services Engine; Cisco Meraki MDM. Threat: Botnets DDOS: Compromised devices connecting to infrastructure.
[Icons: Firewall, Cloud Security, Posture Assessment, Corporate Device, Workstation.]
Devices Icons
• Voice: Phone. Architecture icon: Phone. Products: Cisco Unified Communications; Cisco IP Phones. Threat: Rogue: Attacker accessing private information.
• Video: Displays, collaboration, smartboards. Architecture icon: Video Endpoint. Products: Cisco Unified Communications; Cisco Telepresence; Cisco WebEx Teams; Cisco IP Phones. Threat: Rogue: Attacker accessing private information.
• Autonomous Device: Building controls, manufacturing systems, automation. Architecture icon: Environmental Controls. Products: Partner devices and controllers. Threat: Rogue: Attacker accessing private information.
[Icons: Phone, Video Endpoint, Environmental Controls, Sensor.]
Additional Devices Icons
[Icons: Corporate Device, Corporate Wireless Device, Mobile Phone, Phone, Video Endpoint, Sensor, Actuator, Automated System, Server, Building Controls, Camera, Standardized System Images, Infrastructure Redundancy.]
Network Icons
• Wired Network: Physical network infrastructure; routers and switches used to connect the access, distribution, core, and services layers together.
• Firewall: Stateful filtering and protocol inspection. Products: Cisco Adaptive Security Appliance (ASA); Cisco Firepower Appliance; Cisco Next Generation Firewall; Cisco Next Generation Firewall Virtual. Threat: Exploit Redirection: Unauthorized access and malformed packets connecting to client.
• Intrusion Prevention: Blocking of attacks by signatures and anomaly analysis. Products: Cisco Adaptive Security Appliance (ASA); Cisco Firepower Appliance; Cisco Next Generation Intrusion Prevention System; Cisco Next Generation Intrusion Prevention System Virtual. Threat: Exploit Redirection: Attacks using worms, viruses, or other techniques.
• Tagging: Policy-based, software-defined segmentation. Products: Cisco Adaptive Security Appliance (ASA); Cisco Firepower Appliance; Cisco Catalyst Switches; Cisco Wireless Controller and Access Points; Cisco Identity Services Engine; Cisco Integrated Services Routers; Cisco Aggregation Services Routers; Cisco Nexus Switches; Cisco ACI Fabric; Cisco DNA Fabric; Cisco Tetration. Threat: Unauthorized Network Access: Lateral spread of infiltration.
[Icons: Firewall, Intrusion Prevention, Tagging, Switch, L2/L3 Network, Router, Distribution Switch, Fabric Switch, Access Switch.]
Network Icons
• Wireless Network: Physical network infrastructure; access points and controllers used to connect mobile devices to the access layer.
• Mobile Device Management (MDM): Endpoint access control based on policies. Architecture icon: MDM Appliance. Products: Cisco Identity Services Engine; Cisco Meraki Mobile Device Management. Threat: Malware: Compromised devices connecting to infrastructure.
• Wireless Rogue Detection: Detection and containment of malicious wireless devices not controlled by the company. Products: Cisco Catalyst Switches with Unified Access; Cisco Wireless Controller and Access Points; Cisco Mobility Services Engine. Threat: Rogue: Unauthorized access and disruption of wireless network.
• Wireless Intrusion Prevention (WIPS): Blocking of wireless attacks by signatures and anomaly analysis. Products: Cisco Catalyst Switches with Unified Access; Cisco Wireless Controller and Access Points. Threat: Rogue: Attacks on the infrastructure via wireless technology.
[Icons: Mobile Device Management (MDM), Wireless Rogue Detection, Wireless Intrusion Prevention (WIPS), MDM Appliance, Wireless LAN Controller, Wireless Access Point.]
Network Icons
• Analysis: Telemetry and analysis of traffic across the enterprise.
• Anti-Malware for Networks: Identify, block, and analyze malicious files and transmissions. Architecture icon: Firewall. Products: Cisco Advanced Malware Protection for Networks; Cisco Next Generation Firewall; Cisco Next Generation Firewall Virtual; Cisco Next Generation Intrusion Prevention System; Cisco Next Generation Intrusion Prevention System Virtual. Threat: Malware: Malware distribution across networks or between servers and devices.
• Threat Intelligence: Contextual knowledge of emerging hazards. Products: Cisco Collective Security Intelligence; Cisco Global Threat Analytics and Encrypted Traffic Analytics; Cisco Talos Security Intelligence; Cisco Firepower Management Center; Cisco Umbrella Investigate; Cisco AMP Console – Telemetry; Cisco Stealthwatch Management Console. Threat: Advanced Threat: Zero-day malware and attacks. Threat Intelligence is a capability leveraged by many systems and not deployed separately; there is no dedicated architecture icon.
• Flow Analytics: Network traffic metadata identifying security incidents. Flow Sensors and Collectors: Cisco Integrated Services Router; Cisco Adaptive Security Appliance; Cisco Wireless LAN Controller; Cisco Catalyst Switch; Cisco Nexus Switch; Cisco NetFlow Generation Appliance; Cisco Stealthwatch Flow Sensor. Analysis: Cisco Stealthwatch Management Console; Cisco Stealthwatch Cloud. Threat: Exfiltration: Traffic, telemetry, and data exfiltration from successful attacks.
[Icons: Network Anti-Malware, Threat Intelligence, Flow Analytics, Firewall, Flow Sensor, Analytic Engine.]
Network Icons
• WAN: Public and untrusted Wide Area Networks that connect to the company, such as the Internet.
• VPN Concentrator: Encrypted remote access. Products: Cisco Adaptive Security Appliance (ASA); Cisco Firepower Appliance; Cisco Next Generation Firewall; Cisco Next Generation Firewall Virtual. Threat: Exfiltration: Traffic, telemetry, and data exfiltration from successful attacks.
• Virtual Private Network (VPN): Encrypted communication tunnels. Products: Cisco Adaptive Security Appliance (ASA); Cisco Aggregation Services Routers; Cisco Cloud Services Router; Cisco Integrated Services Router; Cisco Firepower Appliance; Cisco Meraki SD-WAN; Cisco IWAN; Cisco Next Generation Firewall; Cisco Next Generation Firewall Virtual; Cisco Viptela SD-WAN vEdge. Threat: Man-in-the-Middle: Connection of information and identities.
• DDOS Protection: Protection against scaled attack forms. Products: Cisco Aggregation Services Routers with Radware; Cisco Firepower Appliance with Radware; Distributed Denial of Service Technology Partner. Threat: Botnets DDOS: Massively scaled attacks that overwhelm services.
[Icons: VPN Concentrator, Virtual Private Network (VPN), Distributed Denial of Service Protection, DDOS Protection Appliance, SD WAN, WAN.]
Network Icons
• Cloud: Security services from the cloud.
• Cloud Security: Combination icon representing several security capabilities provided by the cloud. Products: Cisco Umbrella - Secure Internet Gateway (SIG); Cisco AnyConnect Agent; Cisco Cloudlock; Cisco Cloud Services Router; Cisco Web Security Appliance; Cisco Meraki MX; Cisco Firepower with URL Filtering; Cisco Viptela SD-WAN. Threat: Phish Link: Redirection of user to malicious website.
• DNS Security: Name resolution filtering. Architecture icon: Secure DNS. Products: Cisco Umbrella. Threat: Phish Link: Attacks from malware, viruses, and malicious URLs.
• Cloud Access Security Broker (CASB): Monitor and protect SaaS services. Products: Cisco CloudLock. Threat: Rogue: Unauthorized access to cloud SaaS services, data loss.
[Icons: Cloud Security, DNS Security, CASB, Secure DNS, Cloud.]
Network Icons
• Cloud: Security services from the cloud.
• Web Security: Internet access integrity and protections. Products: Cisco Umbrella - Secure Internet Gateway (SIG); Cisco Web Security Virtual Appliance; Cisco Meraki URL Filtering. Threat: Redirect Link: Infiltration and exfiltration via Web protocols.
• Web Reputation/Filtering: Tracking against URL-based threats. Products: Cisco Umbrella - Secure Internet Gateway (SIG); Cisco Web Security Virtual Appliance; Cisco Meraki URL Filtering. Threat: Malware C2: Attacks directing to a malicious URL.
• Cloud-based Firewall: Filter and inspect traffic via the cloud. Products: Cisco Adaptive Security Virtual Appliance (ASAv); Cisco Cloud Services Router; Cisco Next Generation Firewall Virtual (NGFWv). Threat: Redirect Link: Unauthorized access and malformed packets connecting to services.
[Icons: Web Security, Web Reputation/Filtering/DCS, Firewall, Web Reputation Filtering, Web Filtering, Cloud.]
Additional Network Icons
[Icons: Firewall, Intrusion Prevention, IPS, Adaptive Security Appliance, Firepower Appliance, Router, VPN Concentrator, DDOS Protection, Identity Directory, MS Active Directory, Web Security, Web Filtering.]
Additional Network Icons
[Icons: Access Switch, Switch Stack, Distribution Switch, Core Switch, Fabric Switch, Leaf Switch, Spine Switch, SD Controller, ACI Controller, SD WAN, Wireless Access Point, Access Point, Mobile Device Management (MDM), Wireless LAN Controller.]
Additional Network Icons
[Icons: Flow Sensor, Flow Connector, Endpoint Concentrator, UDP Director, Management Console, Secure DNS.]
Applications Icons
• Applications: Application-specific security services.
• Web Application Firewalling: Advanced application inspection and monitoring. Architecture icon: Web Application Firewall. Products: Web Application Firewall Technology Partner. Threat: Redirect Link: Attacks against poorly-developed applications.
• Application Visibility Control (AVC): Deep packet inspection of application flows. Products: Cisco Aggregation Services Router; Cisco Cloud Services Router; Cisco Integrated Services Router; Cisco Next Generation Firewall; Cisco Next Generation Firewall Virtual. Threat: C2 Sites: Attack tools hiding in permitted applications.
• TLS Encryption Offload: Accelerated encryption/decryption of data services. Architecture icon: TLS Appliance. Products: Cisco Next Generation Firewall; Transport Layer Security Offload Technology Partner. Threat: Spying: Theft of unencrypted traffic.
[Icons: Web Application Firewall, Application Visibility Control (AVC), TLS Offload, TLS Appliance, Application.]
Applications Icons
• Applications: Application-specific security services.
• Email Security: Messaging integrity and protections. Products: Cisco Email Security Appliance; Cisco Cloud Email Security. Threat: Phishing: Infiltration and exfiltration via email.
• Malware Sandbox: Detonation and analysis of file behavior. Architecture icon: Sandbox Appliance. Products: Cisco Threatgrid. Threat: Malware: Polymorphic threats.
• Storage: Drives, databases, media.
• Disk Encryption: Encryption of data at rest. Products: Disk Encryption Technology Partner. Threat: Spying: Theft of unencrypted traffic.
[Icons: Email Security, Malware Sandbox, Sandbox Appliance, Disk Encryption, Application, Storage.]
Applications Icons
• Servers: Application hosting operating systems.
• Server-based Security: Combination icon representing several security capabilities to secure the server. Architecture icon: Secure Server. Products: Cisco Advanced Malware Protection for Endpoint; Cisco Umbrella; Cisco Tetration; Built-in OS Firewall or Partner Products. Threat: Malware: Viruses, malware and attacks that compromise systems.
[Icons: Server-Based Security, Secure Server, Load Balancer.]
Additional Applications Icons
[Icons: Server, Secure Server, Blade Server, Storage, Load Balancer, Wide Area Application Engine, TLS Appliance, Cisco AnyConnect, Cisco AMP, Generic Appliance, Cisco Appliance, Radware Appliance.]
Management Icons
• Management: Infrastructure systems management and orchestration.
• Analysis/Correlation: Security event management of real-time information. Architecture icon: SIEM. Products: Cisco Stealthwatch; Cisco Stealthwatch Cloud; Cisco Visibility; SIEM Technology Partner Products.
• Anomaly Detection: Identification of infected hosts scanning for other vulnerable hosts. Products: Cisco Identity Services Engine; Cisco Meraki; Cisco Tetration; Cisco Stealthwatch.
• Identity/Authorization: Centralized identity and administration policy. Architecture icon: Identity Directory. Products: Cisco Identity Services Engine.
[Icons: Analysis/Correlation, Anomaly Detection, Identity/Authorization, SIEM, Identity Directory, Central Management.]
Management Icons
• Management: Infrastructure systems management and orchestration.
• Logging/Reporting: Centralized event information collection. Architecture icon: Log Collector. Products: Cisco Stealthwatch; Logging Technology Partner Products.
• Monitoring: Network traffic inspection. Products: Cisco Stealthwatch; Cisco Stealthwatch Cloud; Cisco Tetration.
• Name Resolution: Centralized DNS Services. Architecture icon: Secure DNS. Products: Cisco Umbrella.
[Icons: Logging/Reporting, Monitoring, Name Resolution, Log Collector, Secure DNS, Central Management.]
Management Icons
• Management: Infrastructure systems management and orchestration.
• Policy/Configuration: Unified infrastructure management and compliance verification. Architecture icon: Policy. Products: Cisco Firepower Management Center; Cisco Identity Services Engine; Cisco DNA Center; Cisco ACI APIC; Cisco Stealthwatch Management Console; Cisco Advanced Malware Protection Console; Cisco Defense Orchestrator; Cisco Tetration; Cisco Security Manager; Cisco Prime LMS.
• Time Synchronization: Device clock calibration for accurate event correlation. Architecture icon: NTP. Products: Cisco Firewalls, Routers, and Switches.
• Vulnerability Management: Continuous scanning, patching, and reporting of infrastructure. Products: Endpoint Technology Partner.
[Icons: Policy/Configuration, Time Synchronization, Vulnerability Management, Policy, NTP, Central Management.]
Additional Management Icons
[Icons: Secure DNS, NTP, Monitoring, Vulnerability Management, Policy, Log Collector, SIEM, Generic Appliance, Identity Directory, MS Active Directory.]
Tools and Rules
Please refer to the guidelines and helpful elements on these pages to ensure that your diagrams and presentations are SAFE!
Building SAFE Architectures
To customize one of the architecture diagrams on slides 20-27, or to build one, please refer to this key as well as the Architecture Toolkit and the Dos and Don’ts information on the following slides.
For assistance, contact Christian Janoff. [email protected]
[Key: sample label styles for an icon title, a title, and an area title.]
Using the Selection Pane
The Selection Pane enables you to view and access layers easily.
1. Turn on the Selection Pane.
2. Each object in the pane is listed in the hierarchical order (depth) that it is on the slide.
3. Click the eye to make objects invisible/visible so you can access objects below them without having to move them from their position.
4. By clicking on an object or group name you can select objects that are hard to grab.
5. Once selected, you can change their order via the Arrange menu, or move them with the cursor keys.
How to draw smooth business flows
By editing the points of a freeform shape you can create smooth, consistent corners (steps 1-8).
• Make the line with square turns; click and drag to make each segment (hold Shift to constrain).
• Select Edit Shape, then Edit Points, from the Drawing Tools menu.
• Using the gridlines from the View menu, add points before and after the corner (Ctrl+click).
• After adding the new points, select and delete the corner point.
• Stretch the handles as appropriate (back to where the corner point was, and to the next corner) to create a smooth arching corner.
Design/Drawing Elements
[Sample design labels: interface G1/6, VLAN 201, HSRP.]
If you have questions about SAFE and constructing SAFE architectures with the resources in this toolkit, contact Christian Janoff. [email protected]