SAFE Architecture Guide Places in the Network: Secure Campus | Contents January 2018
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Contents
Overview
Business Flows
Threats
Security Capabilities
Architecture
  Secure Campus
  Attack Surface
    Human
    Devices
    Access Layer
    Distribution Layer
    Core Layer
    Services Layer
Summary
Appendix
  A Proposed Design
  Suggested Components
Overview
The Secure Campus is a place in the network (PIN), a cluster of buildings, where a company does business. This guide addresses campus business flows across all industries and the security used to defend them. Campus examples are company headquarters, or any group of buildings that requires network services. More complex than branches due to physical and logical scale, they support network access for employees, third parties, and customers across multiple buildings and floors.
The Secure Campus is one of the six places in the network within SAFE. SAFE is a holistic approach in which Secure PINs model the physical infrastructure and Secure Domains represent the operational aspects of a network.
The Secure Campus architecture guide provides:
• Business flows typical for campus locations
• Campus threats and security capabilities
• Business flow security architecture
• Design examples and a parts list
Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and Secure Domains for operational guidance.
[Figure 1: the Key to SAFE, with the Places in the Network (PINs) on one side and the Secure Domains (Management, Security Intelligence, Secure Services, Threat Defense, Compliance, Segmentation) on the other.]
SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.
Figure 2 SAFE Guidance Hierarchy
[Figure 2: the SAFE guidance hierarchy. The SAFE Overview sits above the Architecture Guides for the Places in the Network (Secure Data Center, Secure Cloud, Secure WAN, Secure Internet Edge, Secure Branch, Secure Campus) and for the Secure Domains (Secure Services, Threat Defense, Segmentation, Compliance, Security Intelligence, Management), followed by the Capability Guide, Design Guides, and Operations Guides. A "You are here" marker points at Secure Campus.]
Business Flows
The Secure Campus is where physical presence is important for internal employees, third-party partners, and customers over multiple physical buildings.
• Internally, employees use devices (PCs, laptops, phones, tablets, and other tools) that require access to campus-critical applications, collaboration services (voice, video, email) and the Internet.
• Third parties, such as service providers and partners, require remote access to applications and devices.
• Customers at the campus use guest Internet access on their phones or tablets.
Figure 3 Campus business use cases are color coded to define where they flow.
[Figure 3: the use cases are "Employee researching product information", "Subject matter expert consultation", "Connected device with remote vendor support", "Guest accessing the Internet to watch hosted video", and "CEO sending email to shareholder", each colored as an Internal, Third Party, or Customer flow.]
Functional Controls
Functional controls are common security considerations that are derived from the technical aspects of the business flows.
Secure Applications: Applications require sufficient security controls for protection.
Secure Access: Employees, third parties, customers, and devices securely accessing the network.
Secure Remote Access: Secure remote access for employees and third-party partners that are external to the company network.
Secure Communications: Email, voice, and video communications connect to potential threats outside of company control and must be secured.
Secure Web Access: Web access controls enforce usage policy and help prevent network infection.
Figure 4 Campus business flows map to functional controls based on the types of risk they present.
[Figure 4: each use case is mapped to its functional control. Secure web access for employees: Employee researching product information. Secure communications for collaboration: Subject matter expert consultation. Secure remote access for third party: Connected device with remote vendor support. Secure web access for guests: Guest accessing the Internet to watch hosted video. Secure communications for email: CEO sending email to shareholder. Flows are colored Internal, Third Party, or Customer.]
Figure 5 The Secure Campus Business Flow Capability Diagram
[Figure 5: each of the five business flows (Employee to Website, Expert to Colleague, Thermostat to Remote Technician, Guest to Website, CEO to Shareholder) is drawn left to right through the Campus Capabilities and then the Non-Campus Capabilities it requires. Capabilities are grouped as Access (Identity, Client-Based Security, Posture Assessment, Wireless Connection, Wireless Rogue Detection, Wireless Intrusion Prevention, TrustSec), Foundational (Flow Analytics, Intrusion Prevention, Firewall, Threat Intelligence, Anti-Malware, TrustSec), and Business (AVC, Web Security, VPN, Email Security, DNS Security, Host-Based Security, Identity).]
Capability Groups
Campus security is simplified using foundational, access and business capability groups. Each flow requires access and foundational groups. Additional business activity risks require appropriate controls as shown in Figure 5, which often reside outside the campus (Non-Campus Capabilities).
For more information regarding capability groups, refer to the SAFE overview guide.
Secure Campus threats and capabilities are defined in the following sections.
Threats
Campuses have many employees, partner and guest users who use email, browse the web, and collaborate. With a combination of wired and wireless access, the attack surface extends beyond the building.
The campus has six primary threats:
Phishing
Phishing is social engineering to trick people into clicking on a malicious link or opening an infected attachment of an email. Messages look as if they are from a legitimate organization, usually a financial institution, but contain a link to a fake website that replicates the real one.
Unauthorized network access
The act of gaining access to a network, system, application or other resource without permission. The attacker could cause damage in many ways, perhaps by accessing sensitive files from a host, by planting a virus, or by hindering network performance by flooding your network with illegitimate packets.
Malware propagation
Devices present in the campus are a big source of contamination. Devices of employees, partners or customers can be infected from multiple sources such as web use, email use, or lateral infection from other devices on the network. Devices accepting credit cards and the Internet of Things are common attack points.
Web-based exploits
Malvertising and compromised sites hosting exploit kits to take over employee devices using browser vulnerabilities.
BYOD - Larger attack surface
Mobile devices can roam networks, increasing the chances of compromise and the spread of infection. The large variety of mobile devices makes security policies and posture checking almost impossible when no device standardization exists. On-device security capabilities (e.g., firewall, anti-malware, browser sandboxing) are limited.
Botnet infestation
Botnets are networks made up of remote-controlled computers, or "bots." These computers have been infected with an advanced form of malware which allows the devices to be remotely controlled. The controller of a botnet is able to direct the activities of these compromised computers to perform other attacks, steal data, or send spam.
The defense is explained throughout the rest of the document.
Security Capabilities
The attack surface of the campus is defined by the business flow, which includes the people and the technology present. The security capabilities that are needed to respond to the threats are mapped in Figure 6. The campus security capabilities are listed in Table 1. The placement of these capabilities is discussed in the architecture section.
Figure 6 Secure Campus Attack Surface and Security Capabilities
[Figure 6: the attack surface is divided into Human (Users: employees, third parties, customers, and administrators), Devices (Clients, Voice, Video), Network (Wired, Wireless, Analysis, WAN, Cloud), and Applications. The security capabilities drawn against it are Identity, Client-Based Security, Posture Assessment, Firewall, Intrusion Prevention, TrustSec, Wireless Connection, Wireless Intrusion Prevention System, Wireless Rogue Detection, Anti-Malware, Threat Intelligence, Flow Analytics, Virtual Private Network (VPN), Cloud Security, and Server-Based Security.]
Table 1 Secure Campus Attack Surface, Security Capability, and Threat Mapping
Campus Attack Surface: Human
Users: Employees, third parties, customers, and administrators.
  Security Capability: Identity: Identity-based access.
  Threat: Attackers accessing restricted information resources.

Campus Attack Surface: Devices
Clients: Devices such as PCs, laptops, smartphones, tablets.
  Security Capability: Client-based Security: Security software for devices with the following capabilities:
    Anti-Malware (Threat: Malware compromising systems.)
    Anti-Virus (Threat: Viruses compromising systems.)
    Cloud Security (Threat: Redirection of user to malicious website.)
    Personal Firewall (Threat: Unauthorized access and malformed packets connecting to client.)
  Security Capability: Posture Assessment: Client endpoint compliance verification and authorization.
  Threat: Compromised devices connecting to infrastructure.
Voice: Phone.
  Security Capability: N/A: Covered in Secure Services domain.
  Threat: Attackers accessing private information.
Video: Displays, collaboration.
  Security Capability: N/A: Covered in Secure Services domain.
  Threat: Attackers accessing private information.

Campus Attack Surface: Network
Wired Network: Physical network infrastructure; routers, switches, used to connect access, distribution, core, and services layers together.
  Security Capability: Firewall: Stateful filtering and protocol inspection between campus layers and the outside Internet, and service provider connections to the data center.
  Threat: Unauthorized access and malformed packets between and within the campus.
  Security Capability: Intrusion Prevention: Blocking of attacks by signatures and anomaly analysis.
  Threat: Attacks using worms, viruses, or other techniques.
  Security Capability: TrustSec: Policy-based segmentation.
  Threat: Unauthorized access and malicious traffic between campus layers.
Wireless Network: Branches vary from having robust local wireless controller security services to a central, cost-efficient model.
  Security Capability: Wireless Rogue Detection: Detection and containment of malicious wireless devices that are not controlled by the company.
  Threat: Unauthorized access and disruption of wireless network.
  Security Capability: Wireless Intrusion Prevention (WIPS): Blocking of wireless attacks by signatures and anomaly analysis.
  Threat: Attacks on the infrastructure via wireless technology.
Analysis: Analysis of network traffic within the campus.
  Security Capability: Anti-Malware: Identify, block, and analyze malicious files and transmissions.
  Threat: Malware distribution across networks or between servers and devices.
  Security Capability: Threat Intelligence: Contextual knowledge of existing and emerging hazards.
  Threat: Zero-day malware and attacks.
  Security Capability: Flow Analytics: Network traffic metadata identifying security incidents.
  Threat: Traffic, telemetry, and data exfiltration from successful attacks.
WAN: Public and untrusted Wide Area Networks that connect to the company, such as the Internet.
  Security Capability: Web Security: Web, DNS, and IP-layer security and control for the branch.
  Threat: Attacks from malware, viruses, and redirection to malicious URLs.
  Security Capability: Virtual Private Network (VPN): Encrypted communication tunnels.
  Threat: Exposed services and data theft of remote workers and third parties.
Cloud
  Security Capability: Cloud Security: Web, DNS, and IP-layer security and control in the cloud for the campus.
  Threat: Attacks from malware, viruses, and redirection to malicious URLs.
    DNS Security (Threat: Redirection of user to malicious website.)
    Cloud-based Firewall (Threat: Unauthorized access and malformed packets connecting to services.)
    Software-Defined Perimeter (SDP/SD-WAN) (Threat: Easily collecting information and identities.)
    Web Security: Internet access integrity and protections. (Threat: Infiltration and exfiltration via HTTP.)
    Web Reputation/Filtering: Tracking against URL-based threats. (Threat: Attacks directing to a malicious URL.)
    Cloud Access Security Broker (CASB) (Threat: Unauthorized access and data loss.)

Campus Attack Surface: Applications
Applications
  Security Capability: Server-based Security: Security software for servers with the following capabilities:
    Anti-Malware: Identify, block, and analyze malicious files and transmissions. (Threat: Malware distribution across servers.)
    Anti-Virus (Threat: Viruses compromising systems.)
    Cloud Security (Threat: Redirection of session to malicious website.)
    Host-based Firewall (Threat: Unauthorized access and malformed packets connecting to server.)
Management Security Capability
These security capabilities are required across all PINs:
• Identity/authorization
• Policy/configuration
• Analysis/correlation
• Monitoring
• Vulnerability management
• Logging/reporting
• Time synchronization/NTP
Get details on these management security capabilities in the SAFE Management Architecture Guide.
[Figure 7: the SAFE Model. Each Place in the Network (Branch, Campus, WAN, Data Center, Edge, Cloud) is drawn with its attack surface (Human, Devices, Network, Applications, Servers, Services) and the business use cases that flow through it: for the campus, Employee browsing, Guest browsing, Subject Matter Expert, Building Controls, and CEO sending email to Shareholders; for the branch, Clerk processing credit card, Customer browsing prices, and Branch Manager browsing information; for the data center and cloud, Database, Payment Application, Workflow Application, Communication Services, Hosted E-Commerce, Customer making purchase, Third-party Technician accessing logs, and Shareholder receiving email from CEO. Infrastructure icons include switches, routers, Nexus and Nexus Fabric switches, Wireless Controllers, Firepower and Adaptive Security Appliances, Radware appliances, blade, HyperFlex and secure servers, DMVPN and RA VPN, and the Trusted/Enterprise/DMZ/Untrusted perimeter zones; cloud capabilities include Application Visibility Control (AVC), Anomaly Detection, Web Reputation/Filtering/DCS, Anti-Malware, Threat Intelligence, Distributed Denial of Service Protection, Identity Authorization, and DNS Security.]
Architecture
SAFE underscores the challenges of securing the business. It enhances traditional network diagrams to include a security-centric view of the company business. The Secure Campus architecture is a logical grouping of security and network technology that supports campus business use cases. It follows a classic access/distribution/core architecture, scaling as needed by increasing distribution blocks as floors or buildings are added.
SAFE business flow security architecture depicts a security focus. The cabling, redundancy, interface addressing, and other specifics that traditional design diagrams show are depicted in SAFE design diagrams instead. Note that a SAFE logical architecture can have many different physical designs.
Figure 7 SAFE Model. The SAFE Model simplifies complexity across a business by using Places in the Network (PINs) that it must secure.
[Figure 8: the Secure Campus architecture, drawn as a Building Block (Access endpoints such as Corporate Device, Wireless Guest, Employee Phone, Environmental Controls, and Wireless Access Point, feeding access switches and a Distribution Switch) and a Core Block (Core Switch, Services with Firepower Appliance, Wireless Controller, Communications Manager, Router, Blade Server, Web Security, and Guest Wireless). The Human, Devices, Network, and Applications attack surfaces are marked across the diagram. Business use cases: Employee browsing, Guest browsing, Subject Matter Expert, Building Controls, and CEO sending email to Shareholders, flowing to Secure Email, Guest Wireless, Secure Web, Secure Communications, and Secure Third Parties, and on to the Shareholder receiving email from CEO, Comparative Shopping Website, Wholesaler Website, Remote Colleague, and Third-party Technician accessing logs.]
Figure 8 Secure Campus. The Secure Campus business flows and security capabilities are arranged into a logical architecture. The colored business use cases flow through the green architecture icons with the required blue security capabilities.
Secure Campus
The Secure Campus architecture has the following characteristics:
• Location size consists of multiple buildings/floors that may have multiple business flows
• Many varied devices requiring network connectivity
• Devices (sensors, thermostats, printers, etc.)
• Separate appliances for services for redundancy and maximum uptime
• Wireless connectivity
• Local application services (also in data center or cloud)
Attack Surface
The Secure Campus attack surface consists of Humans, Devices, Network, and Applications. The sections below discuss the security capability that defends against the threats associated with that part of the surface. Note that the capability might be a service that is supplied from another PIN. For example, the Identity service is prompted to a human, on a user's device, enforced at the switch, and served from the Data Center. However, for the sake of simplicity, Identity is depicted logically where the risk of supplying credentials exists: the human.
Human
Typically, humans in the campus are employees, partners, or customers. No amount of technology can prevent successful attacks if the humans in the company, both internal and partner users, are not trained to keep security in mind. One of the biggest problems is that humans are prone to compromise by various types of social exploits such as phishing.
Security training and metrics of adoption are critical elements to reducing the risk of this attack surface.
Administrators have more authority than normal users over the systems they have access to. Additional controls such as two-factor authentication, access limited to job function, and logging of their changes should be used.
It is not the purpose of this guide to advise on the specifics. Appropriate identity services defined by policy must be supplied with associated, approved clients and devices.
Primary Security Capability: Identity
[Figure 9: the campus architecture with the Human attack surface highlighted; the business use cases (Employee browsing, Guest browsing, Subject Matter Expert, Building Controls, CEO sending email to Shareholders) enter at the Building Block endpoints and flow through the Core Block services to Secure Email, Guest Wireless, Secure Web, Secure Communications, and Secure Third Parties.]
Figure 9 Business Use Cases
Devices
Malware propagation, Botnet infestation and a large attack surface are campus threats targeting devices. Perimeter defenses are no longer (if ever) sufficient.
Devices are part of the security reference architecture. A secure company uses the network and the devices connecting to it as baselines for comparison. If you are not using the network as a sensor, you are not secure. This visibility allows for effective containment through intelligent architectural design. It is equally important to ensure that clients (PCs, tablets, phones, and other devices) are participating in security and that malicious devices are quarantined.
Figure 10 Campus Devices
[Figure 10: the campus architecture with the Devices attack surface highlighted: Corporate Device, Wireless Guest, Employee Phone, Environmental Controls, and Wireless Access Point at the Building Block access layer, with the Core Block services behind them.]
Primary Security Capability: Client-based Security (Anti-Virus, Anti-Malware, Cloud Security, Personal Firewall)
Access Layer
Unauthorized network access is the primary threat addressable by the access layer.
The access/distribution/core is the classic network hierarchy. The access layer is where users and devices connect to the company network. This layer connects to the distribution or core layer. Its hierarchical organization simplifies network troubleshooting and segments traffic for security. It is the first line of defense within the Secure Campus architecture. The network as a sensor utilizes flow analytics to capture anomalies and provide visibility into attacks.
Its purpose is to identify the users, to assess the policy compliance of devices seeking access to the network, and to respond appropriately. Policy can be enforced on violations of posture or identity and on anomalous behavior.
Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec, Wireless Rogue Detection
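The access-layer decision described above, identify the user, assess the device's posture, then place it in a segment or quarantine it, can be written down as a small policy engine. The following is an added illustration, not Cisco code and not part of the SAFE guide: the role names, the three posture checks, the segment names and the sample endpoints are all constructed for the example; only the DATA, VOICE and VENDOR VLAN and EMPLOYEE/GUEST SSID labels echo the proposed design in the Appendix. In a real deployment the identity source (802.1X/RADIUS) and the posture report come from the identity service, and the segment would be a TrustSec tag or VLAN pushed to the switch or wireless controller.

```python
"""Access-layer admission: identity + posture -> segment (added example)."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    user: str      # authenticated identity; empty string when authentication failed
    role: str      # constructed roles: employee | vendor | guest | phone | unknown
    posture: dict  # constructed posture report from a client agent (may be empty)
    media: str     # wired | wireless


# Posture policy: every check must hold for a device to be compliant.
# A check missing from the report counts as a failure, never as a pass.
POSTURE_POLICY = {
    "anti_malware_running": True,
    "personal_firewall_on": True,
    "os_patched": True,
}

# Identity policy: role -> segment (hypothetical names modelled on the
# DATA/VOICE/VENDOR VLANs and the GUEST SSID of the Appendix design).
ROLE_SEGMENT = {
    "employee": "DATA_VLAN",
    "phone": "VOICE_VLAN",
    "vendor": "VENDOR_VLAN",
    "guest": "GUEST_SSID",
}
QUARANTINE = "QUARANTINE_VLAN"   # reachable: remediation servers only


def posture_violations(report: dict) -> list:
    """Names of the posture checks the report fails (missing keys fail)."""
    return [name for name, required in POSTURE_POLICY.items()
            if report.get(name) != required]


def admit(ep: Endpoint) -> dict:
    """Decide what the access switch / wireless controller does with ep."""
    # 1. Identity: no authenticated user, or an unknown role -> no access.
    if not ep.user or ep.role not in ROLE_SEGMENT:
        return {"action": "deny", "segment": None, "reason": "identity"}
    # Guests are only ever placed on the guest SSID; a guest identity on a
    # wired port is a policy violation, not a different segment.
    if ep.role == "guest":
        if ep.media != "wireless":
            return {"action": "deny", "segment": None, "reason": "guest-wired"}
        return {"action": "permit", "segment": "GUEST_SSID", "reason": "ok"}
    # Phones carry no posture agent; identity alone places them (voice VLAN).
    if ep.role == "phone":
        return {"action": "permit", "segment": "VOICE_VLAN", "reason": "ok"}
    # 2. Posture: non-compliant employee/vendor devices are quarantined rather
    #    than denied, so they can reach remediation and re-assess.
    failed = posture_violations(ep.posture)
    if failed:
        return {"action": "quarantine", "segment": QUARANTINE,
                "reason": "posture:" + ",".join(failed)}
    # 3. Compliant and known: place in the segment the identity policy gives.
    return {"action": "permit", "segment": ROLE_SEGMENT[ep.role], "reason": "ok"}


# Constructed sample endpoints (not real users or devices).
COMPLIANT = {"anti_malware_running": True, "personal_firewall_on": True, "os_patched": True}
SAMPLE_ENDPOINTS = [
    Endpoint("alice", "employee", COMPLIANT, "wired"),
    Endpoint("hvac-vendor", "vendor", {**COMPLIANT, "os_patched": False}, "wired"),
    Endpoint("", "unknown", {}, "wired"),
    Endpoint("guest-7731", "guest", {}, "wireless"),
    Endpoint("sep-001122", "phone", {}, "wired"),
]


def decide_all(endpoints) -> dict:
    """Map each endpoint (by user, or <anonymous>) to its admission decision."""
    return {ep.user or "<anonymous>": admit(ep) for ep in endpoints}


if __name__ == "__main__":
    for who, d in decide_all(SAMPLE_ENDPOINTS).items():
        print(f"{who:12} {d['action']:10} {d['segment'] or '-':16} {d['reason']}")
```

The order of the checks is the point: identity is evaluated before posture, so an unauthenticated device never gets as far as a posture exchange, and a missing posture attribute fails closed. Quarantine rather than deny for known-but-non-compliant devices is what lets the access layer "respond appropriately" without cutting off remediation.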
Figure 11 Access Layer
[Figure 11: the Access layer of the Building Block highlighted: Corporate Devices, Wireless Guest, Employee Phone, Environmental Controls, and a Wireless Access Point connected to access switches, which uplink to the Distribution Switch and on to the Core Block (Core Switch, Firepower Appliance, Wireless Controller, Communications Manager, Router, Blade Server, Web Security, Guest Wireless).]
Distribution Layer
Distribution layers segregate the access layer from the services layer. These layers provide a distribution method of services that discretely separates business-based traffic into flows, and allows scale as employees are moved, added, or changed.
Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec
Figure 12 Distribution Layer
[Figure 12: the Distribution Switch highlighted between the Access switches and Wireless Access Point of the Building Block and the Core Switch, Firepower Appliance, and Wireless Controller of the Core Block.]
Core Layer
The core layer provides scale to the distribution blocks and connects them to the foundational security capabilities in the services layer.
Primary Security Capability: Flow Analytics, TrustSec
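Flow Analytics is the one capability this guide places at the access, distribution, core and services layers alike ("the network as a sensor"). Table 1 defines it as network traffic metadata identifying security incidents, and names data exfiltration and the Malware propagation threat as what it is meant to surface. The following added example, not Cisco code and not part of the SAFE guide, runs two such detections over a constructed set of NetFlow-style records: one host reaching an unusual number of internal peers on a single port (the lateral-infection pattern), and one host pushing a large volume of data to an external address. The addresses, thresholds and byte counts are all constructed; real deployments tune the thresholds against a baseline of their own traffic.

```python
"""Flow analytics over constructed NetFlow-style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed campus address space; anything outside it is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flow records: (src, dst, dst_port, bytes_from_src).
# 203.0.113.0/24 is a documentation range, not a real destination.
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.50.10", 443, 12_000),        # employee PC -> intranet app
    ("10.1.20.15", "10.1.50.11", 445, 3_000),         # same PC -> one file server
    ("10.1.20.15", "203.0.113.50", 443, 50_000),      # ordinary web browsing
    ("10.1.20.42", "10.1.50.10", 443, 8_000),
    ("10.1.20.42", "203.0.113.9", 443, 900_000_000),  # 900 MB out to one external host
] + [
    # one host touching 40 internal peers on 445: constructed propagation pattern
    ("10.1.20.77", f"10.1.50.{i}", 445, 200) for i in range(1, 41)
]


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the campus prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_fanout(flows, min_peers: int = 25) -> list:
    """Internal sources that contacted >= min_peers distinct internal hosts on
    one destination port. Returns sorted (src, port, peer_count) tuples."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst):
            peers[(src, port)].add(dst)
    return sorted((src, port, len(dsts))
                  for (src, port), dsts in peers.items() if len(dsts) >= min_peers)


def find_exfil(flows, max_bytes: int = 100_000_000) -> list:
    """Internal sources whose total bytes to external destinations exceed
    max_bytes. Returns sorted (src, total_bytes) tuples."""
    outbound = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            outbound[src] += nbytes
    return sorted((src, total) for src, total in outbound.items() if total > max_bytes)


def analyze(flows) -> dict:
    """Run both detections; each key holds the hosts that tripped it."""
    return {"fanout": find_fanout(flows), "exfil": find_exfil(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        for hit in hits:
            print(kind, *hit)
```

Both detections need only the flow metadata a switch or router exports, not packet payloads, which is why the guide can place the capability at every layer. The fan-out count is keyed by (source, port) so that a busy application server talking to many clients on different ports is not mistaken for a scanning host; the byte total is summed per source so that a transfer split across many short flows is still counted.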
Figure 13 Core Layer
[Figure 13: the Core Switch highlighted between the Distribution Switch and the Services (Firepower Appliance, Wireless Controller, Communications Manager, Switch, Router, Blade Server, Web Security, Guest Wireless).]
Services Layer
Web-based exploits are threat vectors that large campus populations need protection from.
The services layer connects the Secure Campus to the data center via service providers. It connects the access and distribution layers inside the campus to the security and inspection capabilities that secure the separate business flows coming into and out of the campus. Depending on the size of the campus, some security controls are brought into the campus as appliances rather than being served centrally as a service. See the Appendix for proposed options.
Figure 14 Services Layer
[Figure 14: the Services of the Core Block highlighted (Firepower Appliance, Switch, Router, Communications Manager, Blade Server, Web Security, Guest Wireless) behind the Core Switch, with the flows leaving the campus to the Shareholder receiving email from CEO, Comparative Shopping Website, Wholesaler Website, Remote Colleague, and Third-party Technician accessing logs.]
Primary Security Capability
  Foundational Security Services: Firewall, IPS, Threat Intelligence, Anti-Malware, Flow Analytics, TrustSec, Identity
  Business-based Security: Web Security, VPN, Application Visibility Control, WIPS, Wireless Rogue Detection
  Server-based Security: Anti-Virus, Anti-Malware, Cloud Security, Host-based Firewall
Summary
Today's companies are threatened by increasingly sophisticated attacks. Campuses are commonly targeted because they are susceptible to physical access and have a large mix of services across increasingly complicated devices.
Cisco's Secure Campus architecture and solutions defend the business against corresponding threats.
SAFE is Cisco's security reference architecture that simplifies the security challenges of today and prepares for the threats of tomorrow.
Appendix
A Proposed Design
The Secure Campus has been deployed in Cisco's laboratories. Portions of the design have been validated and documentation is available on Cisco Design Zone.
Figure 15 depicts the specific products that were selected within Cisco's laboratories. It is important to note that the Secure Campus architecture can produce many designs based on performance, redundancy, scale, and other factors. The architecture provides the required logical orientation of security capabilities that must be considered when selecting products to ensure that the documented business flows, threats, and requirements are met.
Figure 15 Secure Campus Proposed Design, part 1. The building block is connected to the core block.
[Figure 15: the campus design diagram, drawn with the Human, Devices, Network, and Applications attack surfaces across Access endpoints, Distribution, Core and Services. Products shown, with interface labels (E0/E1, G0/x, G1/x, G2/x, G3/x, T1/x, P0/P1) omitted here: Building Block endpoints are a Corporate Computer, Corporate Laptop, Corporate Desktop, CP-9951-C-K9 phone, Building Controls, and Guest Device, each corporate endpoint running FP-AMP-LC, UMBRELLA-SUB, and a Host Firewall; access switches WS-C3650-48FQ and WS-C3850-24XU-L with a DATA VLAN, VOICE VLAN, and VENDOR VLAN and wireless SSIDs EMPLOYEE and GUEST served by AIR-AP3802e-x-K9 access points (QTY:3); a pair of C6807-XL switches for distribution and core; Core Block services of ISR4431-K9 routers (two), AIR-CT5520-K9 wireless controller, WSA-S390-K9 web security appliance, UMBRELLA-SUB, FP2130-X and FP4110-X Firepower appliances, and UCS-FI-6248UP fabric interconnects with a UCSB-5108-AC2 blade chassis. Business use cases flow to Secure Email, Guest Wireless, Secure Web, Secure Communications, and Secure Third Parties.]
Figure 16 Secure Campus Proposed Design, part 2 shows how multiple floors can be connected to the distribution layer.
[Figure 16: Campus Design with Additional Floors. Building One contains a building block and a floor block, each with access endpoints and the business use cases Secure Email, Guest Wireless, Secure Web, Secure Communications and Secure Third Parties; both blocks connect through the distribution layer to the core block and core services. Interface labels omitted.]
Figure 17 Secure Campus Proposed Design, part 3 illustrates multiple buildings connected to the core block.
[Figure 17: Campus Design with Additional Buildings. Building One, Building Two and Building Three each contain a building block and a floor block with access endpoints and the business use cases Secure Email, Guest Wireless, Secure Web, Secure Communications and Secure Third Parties; each building has its own distribution layer connecting to the core block and core services. Interface labels omitted.]
Suggested Components
Table 2 SAFE Design Components for Secure Campus
Campus Attack Surface | Campus Security | Suggested Cisco Components
Human | Users | Identity: Identity Services Engine, Meraki Management
Devices | Endpoints | Client-Based Security: Advanced Malware Protection (AMP) for Endpoints, Cisco Umbrella, AnyConnect
Devices | Endpoints | Posture Assessment: AnyConnect Agent, Identity Services Engine (ISE), Meraki Mobile Device Management
Network | Wired Network | Firewall: Firepower Appliance, Adaptive Security Appliance (ASA), Integrated Services Router (ISR)
Network | Wired Network | Intrusion Prevention: Firepower Appliance (ASA), Integrated Services Router (ISR)
Network | Wired Network | Access Control + TrustSec: Wireless Controller/Catalyst Switch, Centralized Identity Services Engine
Network | Wireless Network | Wireless Rogue Detection, Wireless Intrusion Prevention (WIPS): Meraki Wireless, Mobility Services Engines (MSE), Wireless APs, Wireless LAN Controller
Table 2 SAFE Design Components for Secure Campus (Continued)
Campus Attack Surface | Campus Security | Suggested Cisco Components
Network (continued) | Analysis | Anti-Malware: Advanced Malware Protection (AMP) for Endpoints, AMP for Email Security, AMP for Networks, AMP for Web Security, Stealthwatch, Integrated Services Router (ISR) with Stealthwatch Learning Network (SLN), AMP ThreatGrid
Network (continued) | Analysis | Threat Intelligence: Cisco Collective Security Intelligence, Talos Security Intelligence, AMP ThreatGrid, Cognitive Threat Analytics (CTA)
Network (continued) | Analysis | Flow Analytics: Adaptive Security Appliance, Catalyst Switches, ISR with Stealthwatch Learning Network (SLN), Stealthwatch (Flow Sensor and Collectors), Wireless LAN Controller
Network (continued) | WAN | Web Security: Firepower URL, Web Security Appliance, Umbrella Secure Internet Gateway (SIG)
Network (continued) | WAN | VPN: Firepower, Integrated Services Router (ISR), Aggregation Services Router (ASR), Adaptive Security Appliance (ASA)
Campus Attack Surface | Campus Security | Suggested Cisco Components
Network (continued) | Cloud | Cloud Security: Cisco Umbrella Secure Internet Gateway (SIG), Cisco Cloudlock
Network (continued) | Cloud | DNS Security: Cisco Umbrella Secure Internet Gateway (SIG)
Network (continued) | Cloud | Cloud-based Firewall: Cisco Umbrella Secure Internet Gateway (SIG)
Network (continued) | Cloud | Software-Defined Perimeter (SDP/SD-WAN): AnyConnect Agent, Cisco Viptela, Meraki MX
Network (continued) | Cloud | Web Security (Internet access integrity and protections): Firepower virtual URL, Cisco Umbrella Secure Internet Gateway (SIG)
Network (continued) | Cloud | Web Reputation/Filtering (tracking against URL-based threats): Web Security Appliance, Cloud Web Security, Meraki MX
Network (continued) | Cloud | Cloud Access Security Broker (CASB): Cloudlock
Applications | Service | Server-based Security: Advanced Malware Protection (AMP), Cisco Umbrella
For more information on SAFE, see www.cisco.com/go/SAFE.
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)