January 2018

SAFE Architecture Guide Places in the Network: Secure Branch

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Contents

Overview 3
Business Flows 5
Threats 8
Security Capabilities 9
Architecture 13
    Small Branch 14
    Medium Branch 15
    Large Branch 16
Attack Surface 17
    Human 17
    Devices 18
    Access Layer 19
    Core and Distribution Layer 20
    Services Layer 21
Summary 22
Appendix 23
    A Proposed Design 23
    Suggested Components 26

Overview

The Secure Branch is a place in the network (PIN) where a company does business across dispersed locations. This guide addresses the most common branch business flows across all industries and the security used to defend them. Branch examples are stores in retail, clinics in healthcare, banks in financial markets, etc. Typically less complex and smaller in footprint than campuses or data centers, branches can have large numbers of locations supporting network access for employees, third parties, and customers.

The Secure Branch is one of the six places in the network within SAFE. SAFE is a holistic approach in which Secure PINs model the physical infrastructure and Secure Domains represent the operational aspects of a network.

The Secure Branch architecture guide provides:

• Business flows typical for branch locations

• Branch threats and security capabilities

• Business flow security architecture

• Design examples and a parts list

Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and Secure Domains for operational guidance. [Figure: the Key pairs the Places in the Network with the six Secure Domains: Management, Security Intelligence, Secure Services, Threat Defense, Compliance, and Segmentation.]

SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

Figure 2 SAFE Guidance Hierarchy. [Figure: the SAFE Overview and the Capability Guide sit above the Architecture Guides, one for each Place in the Network (Secure Data Center, Secure Cloud, Secure WAN, Secure Internet Edge, Secure Branch, Secure Campus) and one for each Secure Domain (Secure Services, Threat Defense, Segmentation, Compliance, Security Intelligence, Management); Design Guides and Operations Guides sit beneath them. The Secure Branch architecture guide, this document, is marked "You are here".]

Business Flows

The Secure Branch is where physical presence is important for internal employees, third-party partners, and customers.

• Internally, employees use devices (PCs, laptops, phones, tablets, and other tools) that require access to branch-critical applications (e.g., payments), collaboration services (voice, video, email), and the Internet.

• Third parties, such as service providers and partners, require remote access to applications and devices.

• Customers at the branch use guest Internet access on their phones or tablets.

Figure 3 Branch business use cases are color coded to define where they flow. [Figure: each flow is labelled by the actor that originates it: Internal, Third Party, or Customer.]

Internal: Employee researching product information on website
Internal: Subject matter expert consulting with remote colleague
Third Party: Connected device with remote vendor support
Customer: Guest accessing Internet website
Internal: Clerk processing credit card transaction to PCI server

Functional Controls

Functional controls are common security considerations that are derived from the technical aspects of the business flows.

Secure Applications: Applications require sufficient security controls for protection.

Secure Access: Employees, third parties, customers, and devices securely accessing the network.

Secure Remote Access: Secure remote access for employees and third-party partners that are external to the company network.

Secure Communications: Email, voice, and video communications connect to potential threats outside of company control and must be secured.

Secure Web Access: Web access controls enforce usage policy and help prevent network infection.

Figure 4 Branch business flows map to functional controls based on the types of risk they present. [Figure: the five flows of Figure 3, each tagged with the functional control it requires.]

Secure web access for employees: Employee researching product information on website

Secure communications for collaboration: Subject matter expert consulting with remote colleague

External access VPN: Connected device with remote vendor support

Secure guest Internet access: Guest accessing Internet website

Secure applications for PCI: Clerk processing credit card transaction to PCI server

Capability Groups

Branch security is simplified using foundational, access, and business capability groups. Each flow requires the access and foundational groups. Additional business activity risks require appropriate controls, as shown in Figure 5, which often reside outside the branch (non-branch capabilities). For more information regarding capability groups, refer to the SAFE overview guide.

Secure Branch threats and capabilities are defined in the following sections.

Figure 5 Branch security simplified into capability groups. [Figure: each of the five flows below passes through the Access, Foundational, and Business capability groups, and the diagram distinguishes Branch Capabilities from Non-Branch Capabilities. Capabilities shown: Identity, Client-Based Security, Posture Assessment, Flow Analytics, Intrusion Prevention, Firewall, Threat Intelligence, Anti-Malware, TrustSec, Wireless Rogue Detection, Wireless Intrusion Prevention, AVC, Web Security, Host-Based Security, VPN, Web Application Firewall, and DNS Security.]

Employee to website: Secure web access for employees (employee researching product information)

Expert to colleague: Secure communications for collaboration (subject matter expert consultation)

Thermostat to remote technician: Secure remote access for third party (connected device with remote vendor support)

Guest to website: Secure web access for guests (guest accessing the Internet for comparative shopping)

Clerk to payment application: Secure applications for PCI (clerk processing credit card transaction)

Threats

The branch has four primary threats, and the defense is explained throughout the rest of the document:

Exploitation of trust

People have a specific job to do. Unfortunately, the trust of employees can be compromised. Malicious employees (especially administrators) are very dangerous.

Partners can be compromised. If a trusted partner is breached, an attacker would have access via stolen credentials.

Endpoint malware

Devices present at the branch are a common source of contamination. Devices of employees, partners or customers can be infected from multiple sources such as web use, email use, or lateral infection from other devices on the network. Mobile devices can roam networks increasing chances of compromise. Devices accepting credit cards and the Internet of Things are primary attack points.

Unauthorized/malicious device activity

Devices at the branch range from employee PCs to temperature control units. Although PCs can use client security software, zero-day attacks can bypass it. Worse, many devices are not built with strong security. Advanced persistent threats take advantage of exploits from various sources, and once a device is compromised through a vulnerability it can be used to contribute to a larger overall attack.

Wireless infrastructure exploits

Wireless networks expose companies to threats beyond their walls. A company's wireless service can give attackers access that they would otherwise only have by physically entering the premises.

Attackers with physical access can place their own (rogue) wireless access points which allow them to continue attacks from parking lots or other locations outside the physical walls of the company.
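The rogue access point scenario above can be caught from the scan data a wireless sensor or controller already collects. The following is an added example, not code from the Cisco guide or from any Cisco product: it classifies constructed scan records against a hypothetical authorized-AP inventory and flags an unknown radio advertising a company SSID (an evil twin), an unknown radio whose MAC is also learned on a branch switch port (a rogue plugged into the LAN), and a strong unknown signal worth a walk of the floor. The inventory, SSID names, thresholds, and scan records are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    """One access point as reported by a wireless sensor or controller scan."""
    bssid: str        # radio MAC observed over the air
    ssid: str         # network name being advertised
    security: str     # "wpa2-enterprise", "wpa2-psk" or "open"
    rssi_dbm: int     # signal strength at the detecting sensor
    on_lan: bool      # True if the same MAC was also learned on a branch switch port

# Hypothetical branch inventory (assumption): BSSID -> the SSID it is allowed to serve.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "BRANCH-CORP",
    "00:11:22:aa:bb:02": "BRANCH-GUEST",
}
# Security type each company SSID is configured with (assumption).
SSID_POLICY = {"BRANCH-CORP": "wpa2-enterprise", "BRANCH-GUEST": "open"}
STRONG_SIGNAL_DBM = -60   # an unknown AP this strong is inside or next to the branch

def classify(records):
    """Return (verdict, bssid, ssid) for every record that needs attention."""
    findings = []
    for r in records:
        bssid = r.bssid.lower()
        if bssid in AUTHORIZED_APS:
            # Our own radio: only report it if it serves the wrong SSID or the
            # wrong security type (a misconfiguration, not an attack).
            if r.ssid != AUTHORIZED_APS[bssid] or r.security != SSID_POLICY.get(r.ssid):
                findings.append(("misconfigured-ap", bssid, r.ssid))
            continue
        if r.ssid in SSID_POLICY:
            # Unknown radio advertising one of our SSIDs: evil twin / honeypot.
            findings.append(("evil-twin", bssid, r.ssid))
        elif r.on_lan:
            # Unknown radio whose MAC shows up on our switch ports: rogue on the wire.
            findings.append(("rogue-on-lan", bssid, r.ssid))
        elif r.rssi_dbm >= STRONG_SIGNAL_DBM:
            # Probably a neighbor, but close enough to confirm by walking the floor.
            findings.append(("investigate-neighbor", bssid, r.ssid))
        # Weak unknown radios are external neighbors and are ignored.
    return findings

# Constructed scan (assumption): two legitimate APs, an open evil twin of the
# corporate SSID, a consumer router plugged into the LAN, a strong neighbor,
# and a weak neighbor.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:AA:BB:01", "BRANCH-CORP", "wpa2-enterprise", -45, True),
    ScanRecord("00:11:22:aa:bb:02", "BRANCH-GUEST", "open", -50, True),
    ScanRecord("de:ad:be:ef:00:01", "BRANCH-CORP", "open", -55, False),
    ScanRecord("de:ad:be:ef:00:02", "Linksys", "wpa2-psk", -40, True),
    ScanRecord("de:ad:be:ef:00:03", "CoffeeShop", "open", -58, False),
    ScanRecord("de:ad:be:ef:00:04", "Neighbor-5G", "wpa2-psk", -82, False),
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_SCAN):
        print(*finding)
```

A controller's rogue containment does the blocking; this check only decides what deserves attention. Whether an unknown BSSID is also seen on the wire is the decisive tell: a neighbor's AP is a nuisance, while an AP bridged onto the branch LAN is an entry point that bypasses the firewall at the WAN edge, which is exactly the parking-lot attack the threat description names.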

Security Capabilities

The attack surface of the branch is defined by the business flow, which includes the people and the technology present. The security capabilities that are needed to respond to the threats are mapped in Figure 6. The branch security capabilities are listed in Table 1. The placement of these capabilities is discussed in the Architecture section.

The branch primary threats are mitigated by security capabilities placed within architectural locations that are described in the following sections.

Figure 6 Secure Branch Attack Surface and Security Capabilities. [Figure: the attack surface is split into Human (users: employees, third parties, customers, and administrators), Devices (endpoints: client, voice, video), Network (wired, wireless, analysis, public WAN, public/hybrid cloud), and Applications (services: application). Security capabilities drawn against them: Identity; Client-Based Security and Posture Assessment; Firewall, Intrusion Prevention, and TrustSec; Wireless Rogue Detection and Wireless Intrusion Prevention System; Anti-Malware, Threat Intelligence, and Flow Analytics; Web Security and Virtual Private Network (VPN); Cloud Security; and Server-Based Security.]

Table 1 Secure Branch Attack Surface, Security Capability, and Threat Mapping

Human

Users: Employees, third parties, customers, and administrators.
    Identity: Identity-based access.
        Threat: Attackers accessing restricted information resources.

Devices

Clients: Devices such as PCs, laptops, smartphones, tablets.
    Client-based Security: Security software for devices with the following capabilities:
        Anti-Malware. Threat: Malware compromising systems.
        Anti-Virus. Threat: Viruses compromising systems.
        Cloud Security. Threat: Redirection of user to malicious website.
        Personal Firewall. Threat: Unauthorized access and malformed packets connecting to client.
    Posture Assessment: Client endpoint compliance verification and authorization.
        Threat: Compromised devices connecting to infrastructure.

Voice: Phone.
    N/A: Covered in Secure Services domain.
        Threat: Attackers accessing private information.

Video: Displays, collaboration.
    N/A: Covered in Secure Services domain.
        Threat: Attackers accessing private information.

Network

Wired Network: Physical network infrastructure (routers, switches) used to connect the access, distribution, core, and services layers together.
    Firewall: Stateful filtering and protocol inspection between branch layers and the outside Internet, and service provider connections to the data center.
        Threat: Unauthorized access and malformed packets between and within the branch.
    Intrusion Prevention: Blocking of attacks by signatures and anomaly analysis.
        Threat: Attacks using worms, viruses, or other techniques.
    TrustSec: Policy-based segmentation.
        Threat: Unauthorized access and malicious traffic between branch layers.

Wireless Network: Branches vary from having robust local wireless controller security services to a central, cost-efficient model.
    Wireless Rogue Detection: Detection and containment of malicious wireless devices that are not controlled by the company.
        Threat: Unauthorized access and disruption of wireless network.
    Wireless Intrusion Prevention (WIPS): Blocking of wireless attacks by signatures and anomaly analysis.
        Threat: Attacks on the infrastructure via wireless technology.

Analysis: Analysis of network traffic within the branch.
    Anti-Malware: Identify, block, and analyze malicious files and transmissions.
        Threat: Malware distribution across networks or between servers and devices.
    Threat Intelligence: Contextual knowledge of existing and emerging hazards.
        Threat: Zero-day malware and attacks.
    Flow Analytics: Network traffic metadata identifying security incidents.
        Threat: Traffic, telemetry, and data exfiltration from successful attacks.

WAN: Public and untrusted Wide Area Networks that connect to the company, such as the Internet.
    Web Security: Web, DNS, and IP-layer security and control for the branch.
        Threat: Attacks from malware, viruses, and redirection to malicious URLs.
    Virtual Private Network (VPN): Encrypted communication tunnels.
        Threat: Exposed services and data theft of remote workers and third parties.

Cloud
    Cloud Security: Web, DNS, and IP-layer security and control in the cloud for the branch.
        Threat: Attacks from malware, viruses, and redirection to malicious URLs.
        DNS Security. Threat: Redirection of user to malicious website.
        Cloud-based Firewall. Threat: Unauthorized access and malformed packets connecting to services.
        Software-Defined Perimeter (SDP/SD-WAN). Threat: Easily collecting information and identities.
        Web Security: Internet access integrity and protections. Threat: Infiltration and exfiltration via HTTP.
        Web Reputation/Filtering: Tracking against URL-based threats. Threat: Attacks directing to a malicious URL.
        Cloud Access Security Broker (CASB). Threat: Unauthorized access and data loss.

Applications

Applications
    Server-based Security: Security software for servers with the following capabilities:
        Anti-Malware: Identify, block, and analyze malicious files and transmissions. Threat: Malware distribution across servers.
        Anti-Virus. Threat: Viruses compromising systems.
        Cloud Security. Threat: Redirection of session to malicious website.
        Host-based Firewall. Threat: Unauthorized access and malformed packets connecting to server.

Management Security Capability

These security capabilities are required across all PINs:

• Identity/authorization
• Policy/configuration
• Analysis/correlation
• Monitoring
• Vulnerability management
• Logging/reporting
• Time synchronization/NTP

Get details on these management security capabilities in the SAFE Management Architecture Guide.

Architecture

SAFE underscores the challenges of securing the business. It enhances traditional network diagrams to include a security-centric view of the company's business. The Secure Branch architectures are logical groupings of security and network capabilities that support branch business use cases. Branches are not easily defined across multiple industries; SAFE uses several sizes of branches to address a large cross-section of scenarios.

SAFE business flow security architecture depicts a security focus. The cabling, redundancy, interface addressing, and other specifics found in traditional design diagrams are shown in SAFE design diagrams. Note that a SAFE logical architecture can have many different physical designs.

Figure 7 SAFE Model. The SAFE Model simplifies complexity across a business by using Places in the Network (PINs) that it must secure. [Figure: the six PINs (Branch, Campus, WAN, Data Center, Edge, Cloud) are drawn with their attack surfaces (Human, Devices, Network, Applications, and Servers/Services for the data center and cloud), the network and security components in each (routers, switches, Firepower and Adaptive Security Appliances, wireless controllers, Radware appliances, Nexus switches, blade and HyperFlex servers, FMC, Communications Manager, email and web security, DMVPN and remote-access VPN), and the business use cases that flow across them, such as a clerk processing a credit card, a customer browsing prices, a CEO sending email to shareholders, a third-party technician accessing logs, and remote users reaching the edge.]

Figure 8 Secure Small Branch. The Secure Small Branch business flows and security capabilities are arranged into a logical architecture. The colored business use cases flow through the green architecture icons with the required blue security capabilities. [Figure: endpoints (corporate device, employee phone, environmental controls, wireless guest) connect through an access switch and wireless access point to a single router with a Firepower appliance and a local server. The use cases (building controls, subject matter expert, branch manager browsing information, customer browsing prices, clerk processing credit card) follow the flows Secure Third Parties, Secure Communications, Secure Web, Guest Wireless, and Secure Applications to a third-party technician accessing logs, a remote colleague, a product information website, a comparative shopping website, and payment processing. The Human, Devices, Network, and Applications attack surfaces are marked across the diagram.]

Small Branch

The Secure Small Branch architecture has the following characteristics:

• Location size averages between 1,000 and 6,000 square feet

• Preference for integrated services within fewer network components because of physical space requirements

• Wireless connectivity

• Single router with firewall/IPS, integrated Ethernet switch, compact switch, and power-over-Ethernet (PoE)

• Web security via the cloud

• Survivable Remote Site Telephony (SRST)

• Majority of applications in data center or cloud

• Fewer than 25 traditional devices (PCs, laptops, tablets, phones, etc.) requiring network connectivity

• Fewer than 25 low-bandwidth devices (sensors, thermostats, printers, etc.)

Medium Branch

The Secure Medium Branch architecture has the following characteristics:

• Location size averages between 6,000 and 18,000 square feet

• Redundant LAN and WAN infrastructures with firewall/IPS

• The physical size is smaller than a large branch, so a core and distribution layer of network switches is not required

• Web security via the cloud

• Wireless connectivity

• Survivable Remote Site Telephony (SRST)

• 25–100 traditional devices (PCs, laptops, tablets, phones, etc.) requiring network connectivity

• Fewer than 100 low-bandwidth devices (sensors, thermostats, printers, etc.)

Figure 9 Secure Medium Branch. The Secure Medium Branch business flows and security capabilities are arranged into a logical architecture. The colored business use cases flow through the green architecture icons with the required blue security capabilities. [Figure: the same endpoints, use cases, flows, and attack surfaces as Figure 8, with a router, switch, Firepower appliance, and wireless controller at the branch edge in front of the access switch, wireless access point, and local server.]

Large Branch

The Large Branch architecture includes the following design requirements:

• Location size averages between 15,000 and 150,000 square feet

• Multiple routers for primary and backup network connectivity requirements

• Preference for a combination of network services distributed across the facility to meet resilience and application availability requirements

• Tiered network architecture within the branch; distribution layer switches are employed between the central network services core and the access layer connecting to the network endpoints (endpoints, wireless APs, servers)

• Unified Communications with centralized or distributed PSTN access and services

• 100 or more traditional devices (PCs, laptops, tablets, phones, etc.) requiring network connectivity

• 100 or more low-bandwidth devices (sensors, thermostats, printers, etc.)

Figure 10 Secure Large Branch. The Secure Large Branch business flows and security capabilities are arranged into a logical architecture. The colored business use cases flow through the green architecture icons with the required blue security capabilities. [Figure: the same endpoints, use cases, flows, and attack surfaces as Figures 8 and 9, with routers and Firepower appliances at the edge, core/distribution switches, a wireless controller, local web security, and a Communications Manager in the services block, and access switches and wireless access points at the access layer.]

Attack Surface

The Secure Branch attack surface of Human, Devices, Network, and Applications is consistent across all sizes of branch architectures. The sections below discuss the security capability that defends against the threats associated with each layer of the surface. Note that the capability might be a service that is supplied from another PIN. For example, the Identity service prompts a human on the user's device, is enforced at the switch, and is served from the Data Center. However, for the sake of simplicity, Identity is depicted logically where the risk of supplying credentials exists: the human.

Human

Typically, humans in the branch are employees, customers, and remote access users such as partners. Exploitation of Trust attacks happen most frequently at this layer. Credential management of employees, partners, and customers, with effective role-based segmentation, minimizes the risk of this threat.

Security technology should be augmented with security awareness training and acceptable use policies for internal, partner, and customer users. No amount of technology can prevent successful attacks if humans in your company, both internal and partner users, are not trained to keep security in mind. Security training and metrics of adoption are critical elements to reducing the risk of this attack surface.

Administrators have more authority than normal users over the systems they can access. Additional controls should be used for them, such as two-factor authentication, access limited to job function, and logging of their changes.

Appropriate identity services defined by policy must be supplied with associated, approved clients and devices.
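Role-based segmentation is only as good as the matrix behind it, and a policy that is correct pair by pair can still leave a two-hop path into the PCI zone. The following added example (not from the Cisco guide, and not a TrustSec implementation) models a hypothetical branch SGT-style policy matrix as a Python dict, treats unlisted zone pairs as denied, and checks whether an untrusted zone can reach the PCI zone either directly or by pivoting through a zone it is allowed to talk to. The zone names, port sets, and both policies are constructed assumptions.

```python
from collections import deque

# Hypothetical policy matrix (assumption), modelled on a TrustSec SGT/SGACL matrix:
# (source zone, destination zone) -> permitted TCP/UDP destination ports.
# Any pair not listed is denied.
WEAK_POLICY = {
    ("GUEST", "INTERNET"): {80, 443},
    ("GUEST", "SERVICES"): {53},            # guests resolve names on the branch server
    ("CORP", "INTERNET"): {80, 443},
    ("CORP", "SERVICES"): {53, 445, 9100},  # DNS, file share, printing
    ("CORP", "PCI"): {443},                 # clerks reach the payment application
    ("IOT", "SERVICES"): {53, 123},         # thermostats need DNS and NTP
    ("SERVICES", "PCI"): {22, 443},         # services host manages PCI servers (the flaw)
    ("PCI", "INTERNET"): {443},             # payment processor upload
}

# Hardened matrix: the same rules minus the management path from the shared
# services zone into PCI.
HARDENED_POLICY = {pair: ports for pair, ports in WEAK_POLICY.items()
                   if pair != ("SERVICES", "PCI")}

def is_allowed(policy, src, dst, port):
    """Direct enforcement decision for one packet: default deny."""
    return port in policy.get((src, dst), set())

def reachable_zones(policy, start):
    """Zones a host in `start` can open connections to, directly or by pivoting
    through a zone it already reaches. Assumes any host in a reachable zone may
    be compromised and reused as a stepping stone, so even a DNS-only rule
    counts as a hop."""
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for (src, dst), ports in policy.items():
            if src == zone and ports and dst != start and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def segmentation_violations(policy, protected="PCI",
                            untrusted=("GUEST", "IOT", "INTERNET")):
    """Untrusted zones that have any path, direct or transitive, into `protected`."""
    return {z for z in untrusted if protected in reachable_zones(policy, z)}

if __name__ == "__main__":
    print("weak matrix, zones reaching PCI:", sorted(segmentation_violations(WEAK_POLICY)))
    print("hardened matrix, zones reaching PCI:", sorted(segmentation_violations(HARDENED_POLICY)))
```

reachable_zones is deliberately pessimistic: it treats every permitted pair as a possible pivot regardless of port, which is the right assumption for the "unauthorized/malicious device activity" threat where a compromised thermostat or print server is the stepping stone. In the weak matrix the shared services zone may manage PCI servers, which hands guests and IoT devices a path into PCI even though neither has a direct rule; the hardened matrix removes that rule, so management of PCI hosts has to originate from the corporate zone, where identity and two-factor controls for administrators apply.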

Primary Security Capability: Identity

Figure 11 Business Use Cases. [Figure: the branch endpoints (corporate device, employee phone, environmental controls, wireless guest) and their use cases (building controls, subject matter expert, branch manager browsing information, customer browsing prices, clerk processing credit card) mapped to the flows Secure Third Parties, Secure Communications, Secure Web, Guest Wireless, and Secure Applications.]

Devices

Devices are part of the security reference architecture. Endpoint Malware and Unauthorized/Malicious Device Activity attacks occur at this layer. Combining identity and posture assessment with the capabilities of the device layer minimizes the risk of these threats.

Perimeter defenses are no longer (if ever) sufficient. A secure company uses the network and the devices connecting to it as baselines for comparison. If you are not using the network as a sensor, you are not secure. This visibility allows for effective containment through intelligent architectural design. It is equally important to ensure that clients (PCs, tablets, phones, and other connected devices) are participating in security and that malicious devices are quarantined.

Primary Security Capability: Client-Based Security (Anti-Virus, Anti-Malware, Cloud Security, Personal Firewall)

[Figure 12 Branch Devices: endpoints (Corporate Device, Employee Phone, Environmental Controls, Wireless Guest, Building Controls) connecting through the Access Switch and Wireless Access Point, mapped to the same business use cases as Figure 11.]


Access Layer

The access layer is where users and devices connect to the company network. It is the first line of defense within the Secure Branch architecture. Its purpose is to identify users, to assess the policy compliance of devices seeking access to the network, and to respond appropriately.

Wireless infrastructure exploits typically happen at the access layer. Unauthorized wireless access points and attacks on the wireless communication are mitigated by security capabilities.

This layer connects to the distribution or core layer in a hierarchical organization that simplifies network troubleshooting and segments traffic for security. Using the network as a sensor, flow analytics capture anomalies and provide visibility into attacks. Policy can then be enforced against posture violations, identity violations, or anomalous behavior.
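The "network as a sensor" idea above amounts to checking observed flows against the segmentation the branch design intends. The following is an added example, not Cisco's code: it models the branch segments named in the proposed design (PCI, DATA, VOICE and VENDOR VLANs, the GUEST SSID, plus a services segment) with assumed subnets and an assumed allow-list, and flags flow records that cross segments the policy does not permit.

```python
from ipaddress import ip_address, ip_network

# Assumed subnet-to-segment mapping for one branch (constructed values;
# the segment names follow the VLANs/SSIDs in the proposed design).
SEGMENTS = {
    "PCI": ip_network("10.10.50.0/24"),
    "DATA": ip_network("10.10.10.0/24"),
    "VOICE": ip_network("10.10.20.0/24"),
    "VENDOR": ip_network("10.10.30.0/24"),
    "GUEST": ip_network("10.10.90.0/24"),
    "SERVICES": ip_network("10.10.100.0/24"),
}

# (source segment, destination segment) pairs the branch policy permits
# inside the branch (assumed policy). Anything else between internal
# segments is a cross-segment flow the access layer should never carry.
ALLOWED = {
    ("PCI", "PCI"), ("PCI", "SERVICES"),
    ("DATA", "DATA"), ("DATA", "SERVICES"),
    ("VOICE", "VOICE"), ("VOICE", "SERVICES"),
    ("VENDOR", "SERVICES"),   # third parties reach only the services layer
}

def segment_of(addr):
    """Map an address to its segment; anything outside the branch is EXTERNAL."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "EXTERNAL"

def check_flow(src, dst, proto, dport):
    """Return (verdict, reason) for one flow record."""
    s, d = segment_of(src), segment_of(dst)
    if d == "EXTERNAL":
        # Egress (guest included) is inspected by the services layer, not here.
        return "allow", f"{s}->Internet"
    if s == "EXTERNAL":
        return "alert", f"inbound flow to {d} reached the access layer"
    if (s, d) in ALLOWED:
        return "allow", f"{s}->{d}"
    return "alert", f"{s}->{d} crosses segments without policy ({proto}/{dport})"

def audit(flows):
    """Evaluate a list of (src, dst, proto, dport) records."""
    return [(flow, *check_flow(*flow)) for flow in flows]

# Constructed flow records, shaped like what a flow collector would export.
SAMPLE_FLOWS = [
    ("10.10.50.12", "10.10.100.5", "tcp", 443),    # POS to services proxy
    ("10.10.90.23", "10.10.50.12", "tcp", 445),    # guest device reaching PCI
    ("10.10.30.7", "10.10.10.40", "tcp", 3389),    # vendor box to corporate PC
    ("10.10.10.40", "93.184.216.34", "tcp", 443),  # employee browsing
]
```

Running `audit(SAMPLE_FLOWS)` flags the guest-to-PCI and vendor-to-corporate records; in a real deployment the subnet map and allow-list would come from the branch's identity and TrustSec policy rather than constants.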

Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec, Wireless Rogue Detection

[Figure 13 Access Layer: endpoints (Corporate Device, Employee Phone, Environmental Controls, Wireless Guest) connecting through the Access Switch and Wireless Access Point to the Wireless Controller, switch and server in the Services layer.]


Core and Distribution Layer

Access, distribution, and core are the classic network hierarchy. Because branches have smaller footprints, these functions may be collapsed into a single layer. By segregating the access layer from the services layer, this layer provides a distribution point for services that discretely separates business-based traffic into flows.

Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec

[Figure 14 Collapsed Core and Distribution: the Access layer (switch, Wireless Access Point) connects through a Core/Distribution switch pair to the Services layer (Wireless Controller, Firepower Appliance, switches, server).]


Services Layer

The services layer connects the Secure Branch to the outside data center and Internet via service providers. It connects the access and distribution layers inside the branch to the security and inspection capabilities that secure the separate business flows coming into and out of the branch.

[Figure 15 Services Layer: Wireless Controller, Firepower Appliance, Router, switches, Web Security, Communications Manager and Server.]

Primary Security Capability:
Foundational Security Services: Firewall, IPS, Threat Intelligence, Anti-Malware, Flow Analytics, TrustSec, Identity
Business-based Security: Web Security, VPN, Application Visibility Control, WIPS, Wireless Rogue Detection
Server-Based Security: Anti-Virus, Anti-Malware, Cloud Security, Host-Based Firewall


Summary

Today's companies are threatened by increasingly sophisticated attacks. Branches are commonly targeted because they are susceptible to physical access and have a large mix of services across increasingly complicated devices.

Cisco’s Secure Branch architecture and solutions defend the business against corresponding threats.

SAFE is Cisco’s security reference architecture that simplifies the security challenges of today and prepares for the threats of tomorrow.


[Figure 16 diagram, Small Branch Design: endpoints (Building Controls, Corporate Computer, Corporate Laptop, Branch Point of Sale, Guest Device, IP phone CP-9951-C-K9, access point AIR-CAP3702E-A-K9) on the DATA, VOICE, MANAGEMENT, WDATA, VENDOR and PCI VLANs and the EMPLOYEE and GUEST wireless SSIDs; access switch WS-C3560CX-12PC-S; services on an ISR4351-K9 with L-FP4351-TAMC and a UCS-E160S-M3; endpoint licenses UMBRELLA-SUB, FP-AMP-LC and Host Firewall; panels for the Human, Devices, Network and Applications attack surfaces.]

Appendix

A Proposed Design

The Secure Branch has been deployed in Cisco's laboratories. Portions of the design have been validated and documentation is available on Cisco Design Zone.

Figures 16–18 depict the specific products that were selected within Cisco's laboratories. It is important to note that the Secure Branch architecture can produce many designs based on performance, redundancy, scale, and other factors. The architecture provides the required logical orientation of security capabilities that must be considered when selecting products to ensure that the documented business flows, threats, and requirements are met.

Figure 16 Secure Small Branch Proposed Design


[Figure 17 diagram, Medium Branch Design: the same endpoint set as Figure 16 with three AIR-CAP3702E-A-K9 access points (QTY:3) on the DATA, VOICE, MANAGEMENT, WDATA, VENDOR and PCI VLANs and the EMPLOYEE and GUEST SSIDs; a pair of WS-C3650-48PQ-S access switches; services on a redundant pair of ISR4451-K9 routers (HS/RP) each with L-FP4451-TAMC and a UCS-E160S-M3; endpoint licenses UMBRELLA-SUB, FP-AMP-LC and Host Firewall; panels for the Human, Devices, Network and Applications attack surfaces.]

Figure 17 Secure Medium Branch Proposed Design


[Figure 18 diagram, Large Branch Design: the same endpoint set as Figure 17 (AIR-CAP3702E-A-K9 QTY:3) on the DATA, VOICE, MANAGEMENT, WDATA, VENDOR and PCI VLANs and the EMPLOYEE and GUEST SSIDs; a collapsed core and distribution built on a pair of WS-C4507R+E switches with FP4110-X; services on a redundant pair of ISR4431-K9 routers (HS/RP), a 3560CX-12PC-S, an AIR-CTVM-K9 virtual wireless controller, three UCSC-C220-M4S servers (QTY:3) hosting Unified Communications Manager and Web Security; endpoint licenses UMBRELLA-SUB, FP-AMP-LC and Host Firewall; panels for the Human, Devices, Network and Applications attack surfaces.]

Figure 18 Secure Large Branch Proposed Design


Suggested Components

Branch Attack Surface | Branch Security | Suggested Cisco Components
Human (Users) | Identity | Identity Services Engine (ISE); Meraki Management
Devices (Endpoints) | Client-Based Security | Advanced Malware Protection (AMP) for Endpoints; Cisco Umbrella; AnyConnect
Devices (Endpoints) | Posture Assessment | AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management
Network (Wired Network) | Firewall | Firepower Appliance, Adaptive Security Appliance (ASA); Integrated Services Router (ISR); Meraki MX
Network (Wired Network) | Intrusion Prevention | Firepower Appliance (ASA); Firepower Services on UCS-E; Meraki MX
Network (Wired Network) | Access Control + TrustSec | Wireless Controller/Catalyst Switch; Centralized Identity Services Engine; Meraki MX
Network (Wireless Network) | Wireless Rogue Detection; Wireless Intrusion Prevention (WIPS) | Meraki Wireless; Mobility Services Engines (MSE); Wireless APs; Wireless LAN Controller

Table 2 SAFE Design Components for Secure Branch


Branch Attack Surface | Branch Security | Suggested Cisco Components
Network (Analysis) | Anti-Malware | Advanced Malware Protection (AMP) for Endpoints; AMP for Email Security; AMP for Networks; AMP for Web Security; Stealthwatch; Integrated Services Router (ISR) with Stealthwatch Learning Network (SLN); AMP ThreatGrid
Network (Analysis) | Threat Intelligence | Cisco Collective Security Intelligence; Talos Security Intelligence; AMP ThreatGrid; Cognitive Threat Analytics (CTA)
Network (Analysis) | Flow Analytics | Adaptive Security Appliance; Catalyst Switches; ISR with Stealthwatch Learning Network (SLN); Stealthwatch (Flow Sensor and Collectors); Wireless LAN Controller; Meraki MX
Network (WAN) | Web Security | Firepower URL; Web Security Appliance; Umbrella Secure Internet Gateway (SIG); Meraki MX
Network (WAN) | VPN | Firepower; Integrated Services Router (ISR); Aggregation Services Router (ASR); Adaptive Security Appliance (ASA); Meraki MX
Network (Cloud) | Cloud Security | Umbrella Secure Internet Gateway (SIG); Cloudlock; Meraki MX
Applications (Service) | Server-based Security | Advanced Malware Protection (AMP) for Endpoints; Cisco Umbrella

Table 2 SAFE Design Components for Secure Branch (continued)


For more information on SAFE, see www.cisco.com/go/SAFE.

Americas HeadquartersCisco Systems, Inc.San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe HeadquartersCisco Systems International BV Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
