SAFE Blueprint and the Security Ecosystem

2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design Objectives  Security Ecosystem

3 SAFE  To see the entire SAFE Blueprint 394/ns171/ns128/networking_solutions_pa ckage.html

4 SAFE Blueprint Overview  Cisco document – not a standard  Use as a guide to design and implement network security  based on Cisco and partner products  uses a defense-in-depth and modular approach to security design

5 SAFE White Papers

6 SAFE Overview  Cisco describes SAFE as a defense- in-depth approach a system has multiple security measures in place  if one defense is breached, another is in place to prevent further damage SAFE blueprint discourages having only one device performing a security function  mitigate threats throughout the network

7 SAFE Overview Security capabilities can be hosted on  Dedicated appliances, such as firewalls  Incorporated in the Cisco IOS on routers and switches  Running in the background on end systems  Blueprint guidelines encourage you to make security decisions based on the dangers to be avoided, rather than solely on security devices

8 Achieving The Balance  It is commonly thought that a network cannot be totally secure So why try?  SAFE is not an absolute answer, but a guide to help designers develop workable solutions achieving an acceptable balance between accessibility and usability The network security policy defines this balance

9 Security Policy  Develop the security policy with the participation and agreement of the highest levels of an organization’s management Helps to build the required support for the creation, acceptance, and adaptation of the security design

10 Defining Customer Expectations  Organizations have different requirements for security Separate segments on the network can have different security requirements  SAFE assumes that a security policy is already in place One may not be in place  Therefore you must start by creating one

11 Complete Security Is Not Achievable  A key expectation  Company must adapt a proactive regime to keep the security systems robust

12 Where Most Breaches Occur (or Not)  Commonly accepted that network- security breaches occur inside the network A firewall that protects a network from the outside is not sufficient Need security measures that also can detect and reduce risks that begin on a “secured” segment

13 Design Objectives  Approach focuses on how vulnerabilities are exploited  Assess the existing network to understand the nature of threats Determine how to mitigate these threats

14 Design Objectives  Design objectives of the SAFE blueprint: Security and attack mitigation based on policy Security implementation throughout the infrastructure (not just on specialized security devices) Secure management and reporting Authentication and authorization of users and administrators to critical network resources Intrusion detection for critical resources and subnets Support for emerging networked applications

15 Design Objectives  SAFE blueprint emphasizes the defining modules within a network first level of modules are functional areas

16 Design Objectives  Second layer are the modules within the functional areas  Table 16-3, page 413

17 Included Modules

18 Design Objectives  Not all actual enterprise networks have specific devices, blades, cards, or ports clearly assigned to all the modules mentioned  Still is useful to the designer to identify where all the functions occur and the interactions between the functions

19 Design Objectives

20 Significance of Areas and Modules  Helps to layer the protection A different security measure in place at different points in the network Makes the security solution more resilient and scalable Modules become templates for the modifications to the network required by the addition of users and applications

21 Significance of Areas and Modules Modularization also reduces security issues caused by growth  security capabilities are considered in the module implementation

22 Benefits of Using SAFE  Benefits of using SAFE in network design and implementation: Provides a proven, detailed blueprint to securely compete in the Internet economy Provides the foundation for migrating to secure, cost-effective converged networks Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages Delivers integrated network protection by offering best-in-class security products and services

23 Security Ecosystem  Cisco envisions a community dedicated to providing customers the best solution by giving them access to the following resources: Best-of-breed consulting and vendor partners SAFE blueprint-based solutions such as managed services and vulnerability assessments

24 Security Ecosystem  includes solutions from vendors of supplemental products partners to provide assessment, planning, and integration capabilities providers of monitoring and management services

25 Essential Elements for Comprehensive Network Security  Five elements Identity—Ensure the accurate and positive identification of network users, hosts, applications, services, and resources. Perimeter security—Control access to critical network applications, data, and services  Firewalls, virus scanners and content filters.

26 Essential Elements for Comprehensive Network Security Secure connectivity—Protect confidential information by implementing VPNs Security monitoring—Proactively identify areas of weakness with Policy management—Specify, manage, and audit the state of a security policy

27 Summary  SAFE is a layered model  defense-in-depth approach  If one system is compromised, other security systems protect the network  There are six objectives of the SAFE Blueprint  The Blueprint focuses on five key areas  Cisco is trying to establish a “Security Ecosystem” of partners, vendors and service providers