SAFE Architecture Guide
Places in the Network: Secure Campus

January 2018

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Contents

Overview 3
Business Flows 5
Threats 8
Security Capabilities 9
Architecture 13
  Secure Campus 14
Attack Surface 15
  Human 15
  Devices 16
  Access Layer 17
  Distribution Layer 18
  Core Layer 19
  Services Layer 20
Summary 21
Appendix 22
  A Proposed Design 22
  Suggested Components 25


Overview

The Secure Campus is a place in the network (PIN), a cluster of buildings, where a company does business. This guide addresses campus business flows across all industries and the security used to defend them. Campus examples are company headquarters, or any group of buildings that requires network services. More complex than branches due to physical and logical scale, they support network access for employees, third parties, and customers across multiple buildings and floors.

The Secure Campus is one of the six places in the network within SAFE. SAFE is a holistic approach in which Secure PINs model the physical infrastructure and Secure Domains represent the operational aspects of a network.

The Secure Campus architecture guide provides:

• Business flows typical for campus locations

• Campus threats and security capabilities

• Business flow security architecture

• Design examples and a parts list

Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and Secure Domains for operational guidance.

[Figure 1 diagram: the Secure Domains (Management, Security Intelligence, Secure Services, Threat Defense, Compliance, Segmentation) arranged around the Places in the Network (PINs); panel titles only]

[Figure 2 diagram: the SAFE guidance hierarchy ("The Key to SAFE"), with panel titles SAFE Overview, Architecture Guides, Design Guides, Capability Guide, and Operations Guides; the Places in the Network column lists Secure Data Center, Secure Cloud, Secure WAN, Secure Internet Edge, Secure Branch, and Secure Campus, and the Secure Domains column lists Secure Services, Threat Defense, Segmentation, Compliance, Security Intelligence, and Management; a "You are here" marker points at the Secure Campus architecture guide]

SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

Figure 2 SAFE Guidance Hierarchy


Business Flows

The Secure Campus is where physical presence is important for internal employees, third-party partners, and customers over multiple physical buildings.

• Internally, employees use devices (PCs, laptops, phones, tablets, and other tools) that require access to campus-critical applications, collaboration services (voice, video, email) and the Internet.

• Third parties, such as service providers and partners, require remote access to applications and devices.

• Customers at the campus use guest Internet access on their phones or tablets.

Figure 3 Campus business use cases are color coded to define where they flow.

[Figure 3 diagram: five use cases (Employee researching product information; Subject matter expert consultation; Connected device with remote vendor support; Guest accessing the Internet to watch hosted video; CEO sending email to shareholder) grouped by user type: Internal, Third Party, and Customer]


Functional Controls

Functional controls are common security considerations that are derived from the technical aspects of the business flows.

• Secure Applications: Applications require sufficient security controls for protection.

• Secure Access: Employees, third parties, customers, and devices securely access the network.

• Secure Remote Access: Secure remote access for employees and third-party partners that are external to the company network.

• Secure Communications: Email, voice, and video communications connect to potential threats outside of company control and must be secured.

• Secure Web Access: Web access controls enforce usage policy and help prevent network infection.

Figure 4 Campus business flows map to functional controls based on the types of risk they present.

• Secure web access for employees: Employee researching product information

• Secure communications for collaboration: Subject matter expert consultation

• Secure remote access for third party: Connected device with remote vendor support

• Secure web access for guests: Guest accessing the Internet to watch hosted video

• Secure communications for email: CEO sending email to shareholder

[In the figure, the flows are grouped by user type: Internal, Third Party, and Customer]


Figure 5 The Secure Campus Business Flow Capability Diagram

[Figure 5 diagram: each of the five business flows (Employee researching product information, to a website; Subject matter expert consultation, expert to colleague; Connected device with remote vendor support, thermostat to remote technician; Guest accessing the Internet to watch hosted video, to a website; CEO sending email to shareholders) is drawn through its required capabilities, grouped as Access, Foundational, and Business capability groups and split between Campus Capabilities and Non-Campus Capabilities. Capabilities shown: Identity, Client-Based Security, Posture Assessment, Flow Analytics, Intrusion Prevention, Firewall, Threat Intelligence, Anti-Malware, AVC, Web Security, Host-Based Security, TrustSec, VPN, Wireless Connection, Wireless Intrusion Prevention, Wireless Rogue Detection, Email Security, DNS Security; flows are grouped by user type: Internal, Third Party, and Customer]

Capability Groups

Campus security is simplified using foundational, access, and business capability groups. Each flow requires the access and foundational groups. Additional business activity risks require appropriate controls, as shown in Figure 5, which often reside outside the campus (Non-Campus Capabilities).

For more information regarding capability groups, refer to the SAFE overview guide.

Secure Campus threats and capabilities are defined in the following sections.


Threats

Campuses have many employee, partner, and guest users who use email, browse the web, and collaborate. With a combination of wired and wireless access, the attack surface extends beyond the building.

The campus has six primary threats:

Phishing

Phishing is social engineering to trick people into clicking on a malicious link or opening an infected attachment of an email. Messages look as if they are from a legitimate organization, usually a financial institution, but contain a link to a fake website that replicates the real one.

Unauthorized network access

The act of gaining access to a network, system, application or other resource without permission. The attacker could cause damage in many ways, perhaps by accessing sensitive files from a host, by planting a virus, or by hindering network performance by flooding your network with illegitimate packets.

Malware propagation

Devices present in the campus are a big source of contamination. Devices of employees, partners or customers can be infected from multiple sources such as web use, email use, or lateral infection from other devices on the network. Devices accepting credit cards and the Internet of Things are common attack points.

Web-based exploits

Malvertising and compromised sites hosting exploit kits take over employee devices using browser vulnerabilities.

BYOD - Larger attack surface

Mobile devices can roam networks, increasing the chances of compromise and the spread of infection. The large variety of mobile devices makes security policies and posture checking almost impossible when no device standardization exists. On-device security capabilities (e.g., firewall, anti-malware, browser sandboxing) are limited.

Botnet infestation

Botnets are networks made up of remote-controlled computers, or “bots.” These computers have been infected with an advanced form of malware which allows the devices to be remotely controlled. The controller of a botnet is able to direct the activities of these compromised computers to perform other attacks, steal data, or send spam.

The defense is explained throughout the rest of the document.


Security Capabilities

The attack surface of the campus is defined by the business flow, which includes the people and the technology present. The security capabilities that are needed to respond to the threats are mapped in Figure 6. The campus security capabilities are listed in Table 1. The placement of these capabilities is discussed in the Architecture section.

Figure 6 Secure Campus Attack Surface and Security Capabilities

[Figure 6 diagram: the attack surface is laid out as Human (Users: employees, third parties, customers, and administrators), Devices (Client, Voice, Video), Network (Wired, Wireless, Analysis, WAN, Cloud) and Applications (Application), with the security capabilities drawn beneath each: Identity; Client-Based Security and Posture Assessment; Firewall, Intrusion Prevention, TrustSec, Wireless Connection, Wireless Rogue Detection, Wireless Intrusion Prevention System, Anti-Malware, Threat Intelligence, Flow Analytics, Virtual Private Network (VPN), and Cloud Security (Public WAN, Public/Hybrid Cloud); and Server-Based Security]


Table 1 Secure Campus Attack Surface, Security Capability, and Threat Mapping

Each entry gives the part of the campus attack surface, the security capability that protects it, and the threat that capability addresses.

HUMAN

• Users: Employees, third parties, customers, and administrators.
  Identity: Identity-based access. Threat: Attackers accessing restricted information resources.

DEVICES

• Clients: Devices such as PCs, laptops, smartphones, tablets.
  Client-based Security: Security software for devices with the following capabilities:
    Anti-Malware. Threat: Malware compromising systems.
    Anti-Virus. Threat: Viruses compromising systems.
    Cloud Security. Threat: Redirection of user to malicious website.
    Personal Firewall. Threat: Unauthorized access and malformed packets connecting to client.
  Posture Assessment: Client endpoint compliance verification and authorization. Threat: Compromised devices connecting to infrastructure.

• Voice: Phone.
  N/A: Covered in Secure Services domain. Threat: Attackers accessing private information.

• Video: Displays, collaboration.
  N/A: Covered in Secure Services domain. Threat: Attackers accessing private information.

NETWORK

• Wired Network: Physical network infrastructure (routers, switches) used to connect the access, distribution, core, and services layers together.
  Firewall: Stateful filtering and protocol inspection between campus layers and the outside Internet, and service provider connections to the data center. Threat: Unauthorized access and malformed packets between and within the campus.
  Intrusion Prevention: Blocking of attacks by signatures and anomaly analysis. Threat: Attacks using worms, viruses, or other techniques.
  TrustSec: Policy-based segmentation. Threat: Unauthorized access and malicious traffic between campus layers.

• Wireless Network: Branches vary from having robust local wireless controller security services to a central, cost-efficient model.
  Wireless Rogue Detection: Detection and containment of malicious wireless devices that are not controlled by the company. Threat: Unauthorized access and disruption of wireless network.
  Wireless Intrusion Prevention (WIPS): Blocking of wireless attacks by signatures and anomaly analysis. Threat: Attacks on the infrastructure via wireless technology.

• Analysis: Analysis of network traffic within the campus.
  Anti-Malware: Identify, block, and analyze malicious files and transmissions. Threat: Malware distribution across networks or between servers and devices.
  Threat Intelligence: Contextual knowledge of existing and emerging hazards. Threat: Zero-day malware and attacks.
  Flow Analytics: Network traffic metadata identifying security incidents. Threat: Traffic, telemetry, and data exfiltration from successful attacks.

• WAN: Public and untrusted Wide Area Networks that connect to the company, such as the Internet.
  Web Security: Web, DNS, and IP-layer security and control for the branch. Threat: Attacks from malware, viruses, and redirection to malicious URLs.
  Virtual Private Network (VPN): Encrypted communication tunnels. Threat: Exposed services and data theft of remote workers and third parties.

• Cloud
  Cloud Security: Web, DNS, and IP-layer security and control in the cloud for the campus. Threat: Attacks from malware, viruses, and redirection to malicious URLs.
    DNS Security. Threat: Redirection of user to malicious website.
    Cloud-based Firewall. Threat: Unauthorized access and malformed packets connecting to services.
    Software-Defined Perimeter (SDP/SD-WAN). Threat: Easily collecting information and identities.
    Web Security: Internet access integrity and protections. Threat: Infiltration and exfiltration via HTTP.
    Web Reputation/Filtering: Tracking against URL-based threats. Threat: Attacks directing to a malicious URL.
    Cloud Access Security Broker (CASB). Threat: Unauthorized access and data loss.

APPLICATIONS

• Applications
  Server-based Security: Security software for servers with the following capabilities:
    Anti-Malware: Identify, block, and analyze malicious files and transmissions. Threat: Malware distribution across servers.
    Anti-Virus. Threat: Viruses compromising systems.
    Cloud Security. Threat: Redirection of session to malicious website.
    Host-based Firewall. Threat: Unauthorized access and malformed packets connecting to server.

Management Security Capability

These security capabilities are required across all PINs:

• Identity/authorization
• Policy/configuration
• Analysis/correlation
• Monitoring
• Vulnerability management
• Logging/reporting
• Time synchronization/NTP

Get details on these management security capabilities in the SAFE Management Architecture Guide.


[Figure 7 diagram: the SAFE Model laid out across the Branch, Campus, WAN, Data Center, Edge, and Cloud PINs, with Remote Users and the Internet; each PIN is drawn with its Human, Devices, Network, Applications, Servers, and Services layers, its network and security components, and the business use cases that flow between PINs; panel titles only]

Architecture

SAFE underscores the challenges of securing the business. It enhances traditional network diagrams to include a security-centric view of the company business. The Secure Campus architecture is a logical grouping of security and network technology that supports campus business use cases. It follows a classic access/distribution/core architecture, scaling as needed by increasing distribution blocks as floors or buildings are added.

The SAFE business flow security architecture depicts a security focus. The cabling, redundancy, interface addressing, and other specifics of traditional design diagrams are depicted in the SAFE design diagrams instead. Note that a SAFE logical architecture can have many different physical designs.

Figure 7 SAFE Model. The SAFE Model simplifies complexity across a business by using Places in the Network (PINs) that it must secure.


[Figure 8 diagram, "Campus Architecture": a building block and a core block spanning the Access, Distribution, Core, and Services layers. Access endpoints: corporate devices, wireless access point, wireless guest, employee phone, environmental controls; distribution switch and core switch; services: Firepower appliance, wireless controller, communications manager, blade server, web security, guest wireless, switch, router. Business use cases: building controls, subject matter expert, CEO sending email to shareholders, guest browsing, employee browsing, flowing as Secure Email, Guest Wireless, Secure Web, Secure Communications, and Secure Third Parties to shareholder receiving email from CEO, comparative shopping website, wholesaler website, remote colleague, and third-party technician accessing logs. Attack surface bands: Human, Devices, Network, Applications; panel titles only]

Figure 8 Secure Campus. The Secure Campus business flows and security capabilities are arranged into a logical architecture. The colored business use cases flow through the green architecture icons with the required blue security capabilities.

Secure Campus

The Secure Campus architecture has the following characteristics:

• Location size consists of multiple buildings/floors that may have multiple business flows

• Many varied devices requiring network connectivity

• Devices (sensors, thermostats, printers, etc.)

• Separate appliances for services for redundancy and maximum uptime

• Wireless connectivity

• Local application services (also in data center or cloud)


Attack Surface

The Secure Campus attack surface consists of Humans, Devices, Network, and Applications. The sections below discuss the security capability that defends against the threats associated with each part of the surface. Note that the capability might be a service that is supplied from another PIN. For example, the Identity service is prompted to a human, on a user’s device, enforced at the switch, and served from the Data Center. However, for the sake of simplifying, Identity is depicted logically where the risk of supplying credentials exists: the human.

Human

Typically, humans in the campus are employees, partners, or customers. No amount of technology can prevent successful attacks if the humans in the company, both internal and partner users, are not trained to keep security in mind. One of the biggest problems is that humans are prone to compromise by various types of social exploits such as phishing.

Security training and metrics of adoption are critical elements to reducing the risk of this attack surface.

Administrators have more authority than normal users over the systems they have access to. Additional controls should be used, such as two-factor authentication, access limited to job function, and logging of their changes.

It is not the purpose of this guide to advise on the specifics. Appropriate identity services defined by policy must be supplied with associated, approved clients and devices.

Primary Security Capability: Identity

[Figure 9 diagram: the campus architecture (building block and core block across the Access, Distribution, Core, and Services layers) with the business use cases highlighted: building controls, subject matter expert, CEO sending email to shareholders, guest browsing, and employee browsing, carried by the Secure Email, Guest Wireless, Secure Web, Secure Communications, and Secure Third Parties flows; panel titles only]

Figure 9 Business Use Cases


Devices

Malware propagation, botnet infestation, and a large attack surface are campus threats targeting devices. Perimeter defenses are no longer (if ever) sufficient.

Devices are part of the security reference architecture. A secure company uses the network and the devices connecting to it as baselines for comparison. If you are not using the network as a sensor, you are not secure. This visibility allows for effective containment through intelligent architectural design. It is equally important to ensure that clients (PCs, tablets, phones, and other devices) are participating in security and that malicious devices are quarantined.

Primary Security Capability: Client-based Security (Anti-Virus, Anti-Malware, Cloud Security, Personal Firewall)

Figure 10 Campus Devices

[Figure 10 diagram: campus endpoints (corporate devices, employee phone, wireless guest, environmental controls, wireless access point) in the access layer, connected through the core block to the services layer; panel titles only]


Access Layer

Unauthorized network access is the primary threat addressable by the access layer.

Access/distribution/core is the classic network hierarchy. The access layer is where users and devices connect to the company network. This layer connects to the distribution or core layer. Its hierarchical organization simplifies network troubleshooting and segments traffic for security. It is the first line of defense within the Secure Campus architecture. The network as a sensor utilizes flow analytics to capture anomalies and provide visibility into attacks.

The access layer's purpose is to identify users, to assess the compliance to policy of devices seeking access to the network, and to respond appropriately. Policy can be enforced against violations of posture or identity, or against anomalous behavior.
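The admission logic just described, as an added example that is not code from the Cisco guide: a Python sketch that takes an endpoint's identity, posture report, and flow-analytics anomaly flag and either assigns it a segment or quarantines it. The segment names come from the guide's design diagrams (DATA VLAN, VOICE VLAN, VENDOR VLAN, the GUEST SSID); the role names, posture thresholds, quarantine segment, and sample endpoints are constructed assumptions.

```python
"""Access-layer admission decision for a Secure Campus.

Added example, not code from the Cisco guide. It chains the three checks
the access layer performs (identity, posture assessment, flow-analytics
anomaly flag) into one segment assignment. Segment names are taken from the
guide's design diagrams; thresholds, roles and sample endpoints are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE = "QUARANTINE VLAN"  # constructed remediation segment


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str]          # authenticated user/device, or None
    role: str                        # employee | third_party | guest | iot | phone
    posture: Optional[dict] = None   # None when the endpoint cannot run a posture agent
    anomalous: bool = False          # set by flow analytics (the network as a sensor)


@dataclass
class Decision:
    segment: str
    reason: str


# Posture policy per role: what a compliant managed device must report.
# Thresholds are constructed; a real policy is set by the organization.
POSTURE_POLICY = {
    "employee":    {"antimalware_running": True, "disk_encrypted": True,  "max_patch_age_days": 30},
    "third_party": {"antimalware_running": True, "disk_encrypted": False, "max_patch_age_days": 45},
}

# Segment each role lands in once it passes every check.
SEGMENT_FOR_ROLE = {
    "employee":    "DATA VLAN",
    "phone":       "VOICE VLAN",
    "third_party": "VENDOR VLAN",
    "guest":       "WIRELESS SSID:GUEST",
    "iot":         "BUILDING CONTROLS VLAN",  # constructed name for agentless devices
}


def posture_violations(role: str, posture: Optional[dict]) -> List[str]:
    """Return the posture checks an endpoint fails for its role ([] if compliant)."""
    policy = POSTURE_POLICY.get(role)
    if policy is None:
        return []  # no posture requirement for this role (guest, phone, IoT)
    if posture is None:
        return ["no posture report"]  # managed role but the agent never reported
    problems = []
    if policy["antimalware_running"] and not posture.get("antimalware_running", False):
        problems.append("anti-malware not running")
    if policy["disk_encrypted"] and not posture.get("disk_encrypted", False):
        problems.append("disk not encrypted")
    if posture.get("patch_age_days", 10**6) > policy["max_patch_age_days"]:
        problems.append("patches older than %d days" % policy["max_patch_age_days"])
    return problems


def admit(ep: Endpoint) -> Decision:
    """Identity first, then posture, then the anomaly flag; any failure quarantines."""
    if ep.role not in SEGMENT_FOR_ROLE:
        return Decision(QUARANTINE, "identity: unknown role %r" % ep.role)
    # Guests and agentless IoT cannot authenticate a user; every other role must.
    if ep.role not in ("guest", "iot") and not ep.identity:
        return Decision(QUARANTINE, "identity: authentication required")
    problems = posture_violations(ep.role, ep.posture)
    if problems:
        return Decision(QUARANTINE, "posture: " + "; ".join(problems))
    # A flow-analytics anomaly overrides an otherwise valid admission.
    if ep.anomalous:
        return Decision(QUARANTINE, "flow analytics: anomalous behavior")
    return Decision(SEGMENT_FOR_ROLE[ep.role], "compliant")


# Constructed endpoints mirroring the guide's use cases (employee, vendor,
# thermostat, guest, phone); MAC addresses are documentation placeholders.
SAMPLE = [
    Endpoint("00:00:5e:00:53:01", "alice", "employee",
             {"antimalware_running": True, "disk_encrypted": True, "patch_age_days": 5}),
    Endpoint("00:00:5e:00:53:02", "bob", "employee",
             {"antimalware_running": False, "disk_encrypted": True, "patch_age_days": 5}),
    Endpoint("00:00:5e:00:53:03", "vendor-tech", "third_party",
             {"antimalware_running": True, "disk_encrypted": False, "patch_age_days": 60}),
    Endpoint("00:00:5e:00:53:04", None, "iot", None, anomalous=True),  # thermostat probing peers
    Endpoint("00:00:5e:00:53:05", None, "guest"),
    Endpoint("00:00:5e:00:53:06", "sep-phone-0042", "phone"),
]


def run(endpoints=SAMPLE) -> Dict[str, Decision]:
    """Evaluate every endpoint and return its decision keyed by MAC."""
    return {ep.mac: admit(ep) for ep in endpoints}


if __name__ == "__main__":
    for mac, d in run().items():
        print("%s  %-22s %s" % (mac, d.segment, d.reason))
```

Running the block shows the agentless thermostat being quarantined on the anomaly flag alone, which is the case a posture-only policy would miss.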

Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec, Wireless Rogue Detection

Figure 11 Access Layer

[Figure 11 diagram: the access layer (corporate device switches, wireless access point, employee phone, wireless guest, environmental controls) connected to the distribution switch and core switch, with the services layer (Firepower appliance, wireless controller, communications manager, blade server, web security, guest wireless, switch, router) beyond; panel titles only]


Distribution Layer

Distribution layers segregate the access layer from the services layer. These layers provide a distribution method of services that discretely separates business-based traffic into flows, and allows scale as employees are moved, added, or changed.

Primary Security Capability: Identity, Flow Analytics, Posture Assessment, TrustSec

Figure 12 Distribution Layer

[Figure 12 diagram: the distribution switch between the access layer (switch, wireless access point) and the core switch, with the wireless controller and Firepower appliance; panel titles only]


Core Layer

The core layer provides scale to the distribution blocks and connects them to the foundational security capabilities in the services layer.

Primary Security Capability: Flow Analytics, TrustSec

Figure 13 Core Layer

[Figure 13 diagram: the core switch between the distribution switch and the services layer (Firepower appliances, wireless controller, communications manager, blade server, web security, guest wireless, switch, router); panel titles only]


Services Layer

Web-based exploits are threat vectors that large campus populations need protection from.

The services layer connects the Secure Campus to the data center via service providers. It connects the access and distribution layers inside the campus to the security and inspection capabilities that secure the separate business flows coming into and out of the campus. Depending on the size of the campus, some security controls are brought into the campus as appliances rather than being served centrally as a service. See the Appendix for proposed options.

Primary Security Capability

• Foundational Security Services: Firewall, IPS, Threat Intelligence, Anti-Malware, Flow Analytics, TrustSec, Identity

• Business-based Security: Web Security, VPN, Application Visibility Control, WIPS, Wireless Rogue Detection

• Server-based Security: Anti-Virus, Anti-Malware, Cloud Security, Host-based Firewall

Figure 14 Services Layer

[Figure 14 diagram: the core switch and services layer (switch, router, Firepower appliance, communications manager, blade server, web security, guest wireless) connecting to the remote ends of the business flows: shareholder receiving email from CEO, comparative shopping website, wholesaler website, remote colleague, and third-party technician accessing logs; panel titles only]


Summary

Today’s companies are threatened by increasingly sophisticated attacks. Campuses are commonly targeted because they are susceptible to physical access and have a large mix of services across increasingly complicated devices.

Cisco’s Secure Campus architecture and solutions defend the business against corresponding threats.

SAFE is Cisco’s security reference architecture that simplifies the security challenges of today and prepares for the threats of tomorrow.


Appendix

A Proposed Design

The Secure Campus has been deployed in Cisco’s laboratories. Portions of the design have been validated and documentation is available on Cisco Design Zone.

Figure 15 depicts the specific products that were selected within Cisco’s laboratories. It is important to note that the Secure Campus architecture can produce many designs based on performance, redundancy, scale, and other factors. The architecture provides the required logical orientation of security capabilities that must be considered when selecting products to ensure that the documented business flows, threats, and requirements are met.

Figure 15 Secure Campus Proposed Design, part 1. The building block is connected to the core block.

[Figure 15 diagram, "Campus Design": a building block and a core block across the Access, Distribution, Core, and Services layers. Access endpoints (building controls, corporate computer, corporate laptop, corporate desktop, guest device) sit on the DATA, VOICE, and VENDOR VLANs and the EMPLOYEE and GUEST wireless SSIDs, each corporate endpoint labeled with FP-AMP-LC, UMBRELLA-SUB, and a host firewall. Products labeled: CP-9951-C-K9, WS-C3650-48FQ, WS-C3850-24XU-L, AIR-AP3802e-x-K9 (QTY:3), AIR-CT5520-K9, C6807-XL (two), ISR4431-K9 (two), UCSB-5108-AC2, UCS-FI-6248UP, WSA-S390-K9, FP2130-X, FP4110-X (two). Attack surface bands: Human, Devices, Network, Applications; interface labels omitted]


Figure 16 Secure Campus Proposed Design, part 2 shows how multiple floors can be connected to the distribution layer.

[Figure 16 (Campus Design with Additional Floors): Building One contains a Building Block and a Floor Block, each with its own Access, Endpoints and Business Use Cases columns (Secure Email, Guest Wireless, Secure Web, Secure Communications, Secure Third Parties), joined through the Distribution layer to the Core Block’s Core and Services columns. Interface labels omitted.]


Figure 17 Secure Campus Proposed Design, part 3 illustrates multiple buildings connected to the core block.

[Figure 17 (Campus Design with Additional Buildings): Building One, Building Two and Building Three each contain a Building Block and a Floor Block with their own Access, Endpoints and Business Use Cases columns (Secure Email, Guest Wireless, Secure Web, Secure Communications, Secure Third Parties); each building’s Distribution layer connects to the shared Core Block’s Core and Services columns. Interface labels omitted.]


Suggested Components

| Campus Attack Surface | Campus Security | Suggested Cisco Components |
|---|---|---|
| Human: Users | Identity | Identity Services Engine; Meraki Management |
| Devices: Endpoints | Client-Based Security | Advanced Malware Protection (AMP) for Endpoints; Cisco Umbrella; AnyConnect |
| Devices: Endpoints | Posture Assessment | AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management |
| Network: Wired Network | Firewall | Firepower Appliance, Adaptive Security Appliance (ASA); Integrated Services Router (ISR) |
| Network: Wired Network | Intrusion Prevention | Firepower Appliance (ASA); Integrated Services Router (ISR) |
| Network: Wired Network | Access Control + TrustSec | Wireless Controller/Catalyst Switch; Centralized Identity Services Engine |
| Network: Wireless Network | Wireless Rogue Detection; Wireless Intrusion Prevention (WIPS) | Meraki Wireless; Mobility Services Engines (MSE); Wireless APs; Wireless LAN Controller |
| Network (continued): Analysis | Anti-Malware | Advanced Malware Protection (AMP) for Endpoints; AMP for Email Security; AMP for Networks; AMP for Web Security; Stealthwatch; Integrated Services Router (ISR) with Stealthwatch Learning Network (SLN); AMP ThreatGrid |
| Network: Analysis | Threat Intelligence | Cisco Collective Security Intelligence; Talos Security Intelligence; AMP ThreatGrid; Cognitive Threat Analytics (CTA) |
| Network: Analysis | Flow Analytics | Adaptive Security Appliance; Catalyst Switches; ISR with Stealthwatch Learning Network (SLN); Stealthwatch (Flow Sensor and Collectors); Wireless LAN Controller |
| Network: WAN | Web Security | Firepower URL; Web Security Appliance; Umbrella Secure Internet Gateway (SIG) |
| Network: WAN | VPN | Firepower; Integrated Services Router (ISR); Aggregation Services Router (ASR); Adaptive Security Appliance (ASA) |

Table 2 SAFE Design Components for Secure Campus (continued in the next table)


For more information on SAFE, see www.cisco.com/go/SAFE.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)


| Campus Attack Surface | Campus Security | Suggested Cisco Components |
|---|---|---|
| Network (continued): Cloud | Cloud Security | Cisco Umbrella Secure Internet Gateway (SIG); Cisco Cloudlock |
| Network: Cloud | DNS Security | Cisco Umbrella Secure Internet Gateway (SIG) |
| Network: Cloud | Cloud-based Firewall | Cisco Umbrella Secure Internet Gateway (SIG) |
| Network: Cloud | Software-Defined Perimeter (SDP/SD-WAN) | AnyConnect Agent; Cisco Viptela; Meraki MX |
| Network: Cloud | Web Security: Internet access integrity and protections | Firepower virtual URL; Cisco Umbrella Secure Internet Gateway (SIG) |
| Network: Cloud | Web Reputation/Filtering: Tracking against URL-based threats | Web Security Appliance; Cloud Web Security; Meraki MX |
| Network: Cloud | Cloud Access Security Broker (CASB) | Cloudlock |
| Applications: Service | Server-based Security | Advanced Malware Protection (AMP); Cisco Umbrella |