July 2019
SAFE Operations Guide Domain: Segmentation
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Contents
The Challenge
Overview
Segmentation Defined
 Entity Segmentation
 Data Segmentation
 Traffic Segmentation
Attack Surface and Segmentation Capabilities
 Humans
 Devices
 Network
 Applications
Segmentation Considerations
Business Flows
 PCI Use Case Example
Summary
Suggested Components
References
The Challenge
Cybercriminals are stealing company intellectual property, resources, and money. These valuable assets are like jewels and need protection.
Segmentation is the act of creating barriers around these assets to guard them.
Segmentation, Then and Now
[Figure: Old Segmentation, "This perimeter is sufficient": a single boundary between outside of company and inside of company. New Segmentation, "We require security at every level, starting at the perimeter": boundaries at the Human, Devices, Network, and Applications layers.]
In the past, threats were considered external. Building a security perimeter was good enough to protect a company’s property and resources.
That mindset has rapidly evolved along with the severity of today’s cyber threats. Now the challenge of connecting any user on any device across any network to any application increases the complexity of segmentation.
Applying these basic concepts protects an organization’s attack surface:
The identity of every human must be authenticated, and access authorized according to the permissions of their individual role.
Every device or thing on the network must be authenticated and policies applied based on its identity and posture.
The network is assumed to be hostile from internal as well as external threats.
Application enforcement happens across services, sessions, transactions, and storage.
Asset protection using automated policy enforcement is a sign of mature and successful segmentation.
Overview
Segmentation is one of the six Operational Domains within SAFE. SAFE is a holistic approach where Operational Domains represent the functioning aspects of the physical infrastructure modeled by the Secure Places in the Network (PINs).
Although SAFE recommends that these operational layers be thought of as a progression stack, it is important to realize that all of these domains are active concurrently and heavily interdependent.
The SAFE Key illustrates how segmentation supports an overall threat defense of a company:
• First, Management identifies humans, devices, networks, and applications.
• Second, Visibility observes threats on the network.
• Segmentation creates secure partitions across entities, data, and traffic. These partitions restrict access based on role, function, and policy.
• Threat Defense provides accurate and timely threat response to reinforce segmentation policy dynamically, as reputations are augmented by the visibility of new threats.
There is no silver bullet for segmentation; as a practice and concept, it is maturing from static to automated.
The SAFE Segmentation operations guide provides:
• A segmentation model
• Technical considerations
• A business use case
• Recommended products
[Figure 1: the SAFE Key. Secure Domains: Management, Visibility, Compliance, Threat Defense, Segmentation, Secure Services. Places in the Network (PINs): WAN, Data Center, Edge, Cloud, Branch, Campus, Internet.]
Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and SAFE Operational Domains for guidance.
[Figure 2: the Key to SAFE sits above the SAFE Overview guide and the Capability Guide. Places in the Network map to Architecture Guides (Secure Data Center, Secure Cloud, Secure WAN, Secure Internet Edge, Secure Branch, Secure Campus, Secure Internet) and Design Guides; Secure Domains map to Operations Guides (Compliance, Threat Defense, Secure Services, Segmentation, Visibility, Management).]
SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.
Figure 2 SAFE Guidance Hierarchy. The SAFE Overview Guide introduces the SAFE model and method. It supports the Architecture, Design, and Operations Guides that provide specific guidance in each area.
Segmentation Defined
Segmentation creates secure partitions for entities, data, and traffic on the network.
Figure 3 The SAFE Segmentation Model. Entities, Data, and Traffic must be securely partitioned across the attack surface.
Segmentation can be simplified by thinking about these three classifications:
Entities are humans, devices, networks, and applications.
Data is information at rest on devices, networks, and applications.
Traffic is data in motion between devices, networks, and applications.
Entity Segmentation
Entities are humans, devices, networks, and applications, which represent the attackable surface.
Entity segmentation comprises identity and posture assessment according to policy:
• The identity of a person or device is established using authentication and authorization.
• Posture assessments verify that the system is policy-compliant, properly patched to participate in the appropriate segments, and not infected.
Examples of entities:
• Human: doctors, clerks, managers, administrators, employees
• Devices: laptops, smartphones, tablets, sensors, servers
• Network: firewalls, routers, switches, access points, cloud IaaS
• Applications: payments, payroll, workforce automation, e-commerce, email
Figure 4 Entity segmentation securely partitions Humans, Devices, Networks, and Applications based on policy.
Data Segmentation
Data is information at rest that is segmented on devices, networks, and applications.
Data segmentation techniques can be logical or physical:
• Logical separation allows segmented utilization of shared resources (e.g., disk encryption, virtual storage device, data store, drive partition, encrypted tables). Logical separation is only as strong as the control plane that enforces it (the key store for encryption, the hypervisor for virtual storage), so those components need the same protection as the data itself.
• Physical separation relies on dedicated hardware for each data storage need (e.g., multiple hard drives).
Figure 5 Data Segmentation secures data at rest on Devices, Networks, and Applications.
Traffic Segmentation
Traffic is data in motion between devices, networks, and applications.
Traffic best practices:
• Companies must ensure separation of traffic flows (by line of business, role, physical path, etc.) for many purposes, including regulating information movement, limiting network resource consumption, and reducing the spread of threats.
• Classify traffic (e.g., by TCP/UDP port, packet header, or IP address) and apply a policy to that class, physically or logically (e.g., allow traffic to go from A to B, but not from A to C).
• Apply the same policies consistently in different parts of the network by carrying the classification with the traffic as an explicit marking, or by looking it up in flow or state tables (e.g., group tagging, VLAN, ACL, VPN).
• Implement controls that enforce the differentiated access each entity is permitted, using enforcement mechanisms such as VLANs, subnets, and firewall rules.
Figure 6 Traffic segmentation securely partitions data in motion through filters and encryption.
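The classify-then-enforce practice above, worked through as an added example (not code from this guide): flows are classified by source and destination address into groups, a policy matrix lets A reach B but not C, a stateful filter admits replies only for sessions the initiator was permitted to open, and the same matrix is rendered as ACL lines. The subnets, group names, ports and the IOS-style ACL syntax are assumptions for illustration.

```python
"""Traffic segmentation: classify flows into groups, enforce a policy matrix
statefully, and render the same policy as ACL lines.

Added example, not code from the SAFE guide. The subnets, group names,
ports and the IOS-style ACL syntax are illustrative assumptions."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Classification: which address block belongs to which traffic group (assumed).
GROUPS = {
    "POS":      ipaddress.ip_network("10.10.20.0/24"),   # payment terminals
    "CORP":     ipaddress.ip_network("10.10.30.0/24"),   # employee laptops
    "GUEST":    ipaddress.ip_network("10.10.90.0/24"),   # guest wireless
    "PAYMENT":  ipaddress.ip_network("10.200.5.0/24"),   # payment application
    "INTRANET": ipaddress.ip_network("10.200.10.0/24"),  # internal web apps
}

# Policy matrix: (source group, destination group) -> allowed (proto, dport).
# Pairs absent from the matrix are denied, so POS may reach PAYMENT but not
# INTRANET ("A to B, but not A to C"), and GUEST reaches nothing internal.
POLICY: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("POS", "PAYMENT"):   {("tcp", 443)},
    ("CORP", "INTRANET"): {("tcp", 443), ("tcp", 80)},
}

FiveTuple = Tuple[str, str, str, int, int]   # proto, src, dst, sport, dport


def classify(ip: str) -> str:
    """Map an address to its traffic group; anything unmapped is UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "UNKNOWN"


def permitted(src: str, dst: str, proto: str, dport: int) -> bool:
    """Matrix lookup on the classified groups of source and destination."""
    return (proto, dport) in POLICY.get((classify(src), classify(dst)), set())


class StatefulFilter:
    """Host or network firewall: new sessions must pass the matrix; replies
    are allowed only if they match a session the initiator was permitted."""

    def __init__(self) -> None:
        self.sessions: Set[FiveTuple] = set()
        self.denied: List[str] = []

    def check(self, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
        fwd: FiveTuple = (proto, src, dst, sport, dport)
        rev: FiveTuple = (proto, dst, src, dport, sport)
        if fwd in self.sessions or rev in self.sessions:
            return True                          # established session or its reply
        if permitted(src, dst, proto, dport):
            self.sessions.add(fwd)               # record the permitted initiator
            return True
        self.denied.append(f"DENY {proto} {src}:{sport} -> {dst}:{dport} "
                           f"[{classify(src)} -> {classify(dst)}]")
        return False


def to_acl(name: str = "SEGMENTATION") -> List[str]:
    """Render the matrix as IOS-style extended ACL lines (wildcard masks),
    ending in an explicit logged deny so unmatched traffic is visible."""
    lines = [f"ip access-list extended {name}"]
    for (s, d), rules in POLICY.items():
        for proto, port in sorted(rules):
            lines.append(f" permit {proto} {GROUPS[s].network_address} {GROUPS[s].hostmask} "
                         f"{GROUPS[d].network_address} {GROUPS[d].hostmask} eq {port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.check("tcp", "10.10.20.5", "10.200.5.10", 51000, 443))   # POS -> PAYMENT
    print(fw.check("tcp", "10.10.20.5", "10.200.10.10", 51001, 443))  # POS -> INTRANET
    print("\n".join(to_acl()))
```

The matrix is the single source of truth: the filter and the ACL renderer both read it, which is what keeps the policy consistent across the host firewall and the network firewall instead of drifting between two hand-maintained rule sets. The trailing logged deny is what makes a denied flow visible to the Visibility domain.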
Attack Surface and Segmentation Capabilities
SAFE maps segmentation types to the attack surface. The attack surface is defined by the business flow and the entities present across it. The security capabilities needed to segment these flows are mapped in Figure 7.
Segmentation security capabilities are listed throughout the sections below. The placement of these capabilities is discussed in the architecture section.
Figure 7 Secure Segmentation Attack Surface and Security Capabilities
[Figure 7 summarizes the capability mapping. Human: Identity (Entity). Devices: Identity and Posture Assessment (Entity); Disk Encryption (Data); VPN and Host Firewall (Traffic). Network: Identity and Mobile Device Management (MDM) (Entity); Disk Encryption (Data); Tagging and Firewall (Traffic). Applications: Identity and Posture Assessment (Entity); Disk Encryption (Data); TLS Offload and Application Firewall (Traffic).]
Human
Humans are entities such as employees, customers, and remote access users such as partners who provide assigned identity information to their devices for access.
All people must be considered potentially bad actors. Exploitation-of-trust attacks happen most frequently at this layer through credential theft. Credential management of employees, partners, and customers with effective role-based segmentation helps minimize the risk of this threat.
Administrators have more authority than normal users. The systems they access must require additional controls such as two-factor authentication, access limited to the job function, and logging of their changes.
Humans with access to sensitive data should also be required to use similar added controls when identifying themselves, following the policy of least-privilege access.
Table 1 Human
Attack surface: Users (employees, third parties, customers, and administrators).
Segmentation type / capability:
• Entity / Identity: identity-based access.
• Entity / Multi-Factor Authentication: in addition to passwords (something the user knows), something the user is (a fingerprint) or something the user has (a push notification code).
Figure 8 Humans must identify themselves.
[Figure 8: Identity (Entity) applied to the Human.]
Devices
Device entities include laptops, smartphones, tablets, sensors, and servers.
In contrast to humans, who can only be classified as entities, a device can also store data and transmit or receive traffic. Devices therefore participate in all three areas of segmentation, as illustrated in Figure 9.
Segmentation at the device level is necessary to keep a system infected through a zero-day attack from spreading the threat across the network. For example, administrators must separate building control systems from user devices.
Table 2 Devices
Attack surface: Endpoints (devices such as PCs, laptops, smartphones, tablets, phones, sensors, NAS drives).
Segmentation type / capability:
• Entity / Identity: device-specific identity information and context.
• Entity / Posture Assessment: client endpoint compliance verification and authorization.
• Data / Disk Encryption: encryption of data at rest.
• Traffic / VPN: encrypted communication tunnels between entities.
• Traffic / Host Firewall: stateful filtering and protocol inspection between entities.
Figure 9 Devices can be segmented by Entity, Data, and Traffic based on their activity.
[Figure 9: Devices with Identity and Posture Assessment (Entity), Disk Encryption (Data), VPN and Host Firewall (Traffic).]
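An added example (not code from this guide) of the entity segmentation decision described under Segmentation Defined and in Table 2: an authenticated identity and a device posture assessment together decide which segment an endpoint is admitted to, and every failed check lands in a quarantine segment rather than a default-allow one. The segment names, the patch-age thresholds, the sample users and devices, and the rule that administrators must present a second factor are assumed policy and constructed data, not taken from the guide.

```python
"""Entity segmentation: combine authenticated identity with a device posture
assessment to decide which segment (tag) an endpoint is admitted to.

Added example, not code from the SAFE guide. Segment names, the patch-age
thresholds and the rule that administrators need MFA are assumed policy."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class Identity:
    user: str
    role: str                 # e.g. "clerk", "admin", "employee", "guest"
    mfa_verified: bool        # second factor completed for this session


@dataclass
class Posture:
    device_id: str
    managed: bool             # enrolled in MDM / asset inventory
    last_patch: date          # date of the last OS patch
    av_running: bool          # endpoint protection active
    compromise_indicators: int = 0   # findings reported by the posture agent


# Assumed policy: roles allowed per segment and the maximum patch age (days)
# a device may have to join it. GUEST has no patch requirement.
SEGMENT_POLICY = {
    "PCI":   {"roles": {"clerk", "admin"}, "max_patch_age_days": 30},
    "CORP":  {"roles": {"employee", "clerk", "admin"}, "max_patch_age_days": 60},
    "GUEST": {"roles": {"guest"}, "max_patch_age_days": None},
}
QUARANTINE = "QUARANTINE"     # remediation-only segment


def posture_ok(p: Posture, max_patch_age: Optional[int], today: date) -> bool:
    """A device passes posture when it shows no compromise indicators, runs
    endpoint protection, and (where required) is managed and freshly patched."""
    if p.compromise_indicators > 0 or not p.av_running:
        return False
    if max_patch_age is None:
        return True
    return p.managed and (today - p.last_patch).days <= max_patch_age


def assign_segment(ident: Identity, posture: Posture, requested: str,
                   today: date) -> Tuple[str, str]:
    """Return (segment, reason). Every failure lands in QUARANTINE rather
    than in a default-allow segment, so a failed check never widens access."""
    policy = SEGMENT_POLICY.get(requested)
    if policy is None:
        return QUARANTINE, f"unknown segment {requested}"
    if ident.role not in policy["roles"]:
        return QUARANTINE, f"role {ident.role} is not permitted in {requested}"
    if ident.role == "admin" and not ident.mfa_verified:
        return QUARANTINE, "administrator access requires a second factor"
    if not posture_ok(posture, policy["max_patch_age_days"], today):
        return QUARANTINE, f"device {posture.device_id} failed posture assessment"
    return requested, "identity verified and posture compliant"


def demo() -> dict:
    """Run the policy over constructed sample requests (not real data)."""
    today = date(2019, 7, 1)
    clerk = Identity("clerk01", "clerk", mfa_verified=True)
    admin_no_mfa = Identity("ops01", "admin", mfa_verified=False)
    guest = Identity("visitor", "guest", mfa_verified=False)
    fresh = Posture("pos-07", managed=True, last_patch=date(2019, 6, 20), av_running=True)
    stale = Posture("lap-02", managed=True, last_patch=date(2019, 5, 20), av_running=True)
    infected = Posture("pos-08", managed=True, last_patch=date(2019, 6, 30),
                       av_running=True, compromise_indicators=2)
    return {
        "clerk/fresh->PCI": assign_segment(clerk, fresh, "PCI", today)[0],
        "clerk/stale->PCI": assign_segment(clerk, stale, "PCI", today)[0],
        "clerk/stale->CORP": assign_segment(clerk, stale, "CORP", today)[0],
        "admin-no-mfa/fresh->PCI": assign_segment(admin_no_mfa, fresh, "PCI", today)[0],
        "guest/fresh->PCI": assign_segment(guest, fresh, "PCI", today)[0],
        "guest/fresh->GUEST": assign_segment(guest, fresh, "GUEST", today)[0],
        "clerk/infected->PCI": assign_segment(clerk, infected, "PCI", today)[0],
        "clerk/fresh->LAB": assign_segment(clerk, fresh, "LAB", today)[0],
    }


if __name__ == "__main__":
    for request, segment in demo().items():
        print(f"{request:28s} -> {segment}")
```

The order of the checks matters: identity and role are settled before posture is consulted, so a posture agent that can be tampered with on the endpoint never gets to argue a guest into the PCI segment, and the same device can be admitted to CORP while being refused PCI because the stricter patch window applies only there.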
Network
Network entities include firewalls, routers, switches, wireless, cloud IaaS, and other devices that send and receive traffic. Network devices are entities that can store data and transmit or receive traffic, and therefore participate in all three areas of segmentation, as illustrated in Figure 10.
Segmentation at the network level is necessary to prevent the spread of threats across the network as well as to separate different classifications of data and their business-relevant value from each other.
For example, administrators must separate payment and financial systems from personally identifiable information and proprietary intellectual property.
Table 3 Network
Attack surface: Wired Network (physical network infrastructure, routers and switches, used to connect the access, distribution, core, and services layers together).
Segmentation type / capability:
• Entity / Identity: entity-specific identity information and context.
• Entity / Mobile Device Management (MDM): evaluation of the state of the device.
• Entity / Cloud Access Security Broker (CASB): contextual policy enforcement for cloud services.
• Data / Disk Encryption: encryption of data at rest.
• Traffic / Tagging: software-based segmentation using EPGs, SGTs, or VLANs.
• Traffic / Firewall: stateful filtering and protocol inspection between entities.
• Traffic / Software-Defined Perimeter (SDP/SD-WAN): dynamic, multi-point encrypted communications fabric.
Figure 10 Networks can be segmented by Entity, Data, and Traffic based on their activity.
[Figure 10: Network with Identity and Mobile Device Management (MDM) (Entity), Disk Encryption (Data), Tagging and Firewall (Traffic).]
Applications
Examples of application entities are payments, payroll, workforce automation, e-commerce, email, etc.
Applications are entities on servers that can both store data and transmit or receive traffic, and therefore participate in all three areas of segmentation, as illustrated in Figure 11.
Segmentation of applications at the session level is necessary to ensure the attack surface is minimized. If the application does not support it natively, a web application firewall (WAF) can add this capability.
Storage of application data must be encrypted to protect it in both local and cloud deployments. Proper key management and key rotation further reduce the attack surface: a compromised key then exposes only the data it covered, and rotation limits how much data any one key ever covers.
For example, payment card security requires each transaction session to be encrypted in transit and all card data at rest to be encrypted.
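An added example (not code from this guide) of the storage encryption and key rotation described above: each record is sealed under its own data key, the data keys are wrapped by a versioned master key, and rotating the master re-wraps the data keys without touching the sealed records. To run on the Python standard library alone the cipher is an illustrative HMAC-SHA256 construction (counter-mode keystream, encrypt-then-MAC with a separately derived MAC key); a production system would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The record layout, key names and sample card numbers are assumptions and constructed data.

```python
"""Application data at rest: envelope encryption with master-key rotation.

Added example, not code from the SAFE guide. To stay on the standard library
the cipher is an illustrative construction (HMAC-SHA256 counter-mode
keystream, encrypt-then-MAC with a separately derived MAC key); production
code should use AES-GCM or ChaCha20-Poly1305 from a vetted library. Record
layout and key names are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Versioned master keys. Only the current version wraps new data keys;
    a retired version is deleted, so anything still wrapped under it is lost."""

    def __init__(self) -> None:
        self.masters: Dict[int, bytes] = {1: os.urandom(32)}
        self.current = 1

    def rotate(self) -> int:
        self.current += 1
        self.masters[self.current] = os.urandom(32)
        return self.current

    def retire(self, version: int) -> None:
        del self.masters[version]


class EncryptedTable:
    """Each row stores (master version, wrapped data key, sealed value). A
    fresh data key per row keeps a single key from covering the whole table."""

    def __init__(self, keystore: KeyStore) -> None:
        self.ks = keystore
        self.rows: Dict[str, Tuple[int, bytes, bytes]] = {}

    def put(self, row_id: str, value: bytes) -> None:
        dek = os.urandom(32)
        master = self.ks.masters[self.ks.current]
        self.rows[row_id] = (self.ks.current, seal(master, dek), seal(dek, value))

    def get(self, row_id: str) -> bytes:
        version, wrapped, blob = self.rows[row_id]
        dek = open_(self.ks.masters[version], wrapped)   # KeyError once retired
        return open_(dek, blob)

    def rewrap(self) -> int:
        """Rotation step: re-wrap every data key under the current master.
        The sealed values are untouched, so rotation costs one small
        operation per row instead of re-encrypting the data."""
        count = 0
        for row_id, (version, wrapped, blob) in list(self.rows.items()):
            if version != self.ks.current:
                dek = open_(self.ks.masters[version], wrapped)
                new_master = self.ks.masters[self.ks.current]
                self.rows[row_id] = (self.ks.current, seal(new_master, dek), blob)
                count += 1
        return count
```

The order of operations during rotation is the practical point: rotate, re-wrap, verify every row still opens, and only then retire the old version. Retiring first would strand every row still wrapped under the old master, which is the failure mode a rotation runbook has to guard against.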
Table 4 Applications
Attack surface: Applications (management, servers, database, load balancer).
Segmentation type / capability:
• Entity / Identity: identity-based access.
• Entity / Posture Assessment: server compliance verification, authorization, and patching.
• Data / Storage Encryption: encryption of data at rest in tables and databases.
• Traffic / TLS Encryption Offload: accelerated encryption of traffic services.
• Traffic / Web Application Firewalling: advanced application inspection and monitoring.
Figure 11 Applications can be segmented by Entity, Data, and Traffic based on their activity.
[Figure 11: Applications with Identity and Posture Assessment (Entity), Disk Encryption (Data), TLS Offload and Application Firewall (Traffic).]
Segmentation Considerations
The industry is moving away from manual segmentation and toward segmentation that is automated, adaptive, and holistically coordinated.
Cisco recommends a tiered approach to trusted segmented access:
1. Verify identity for any user; verify hygiene for any device.
2. Discover, classify, and verify profiles for on-prem devices. Verify application dependencies for any workload infrastructure.
3. Grant easier, safer access to specific workload apps.
4. Segment the network via software-defined access.
5. Implement consistent data access policy management.
6. Remediate network, cloud, and endpoint threats or Common Vulnerabilities and Exposures (CVE).
Figure 12 Segmentation Maturity Model
[Figure 12: from Legacy (manual segmentation) to Zero Trust (coordinated telemetry with dynamic segmentation based on policy).]
Figure 13 Cisco Zero Trust
[Figure 13: using a practical zero-trust approach to security. Steps 1 and 2 establish the trust level (User-Device Trust, IoT Trust, and/or Workload Trust); steps 3 and 4 establish the software-defined perimeter (App Access, Network Access); steps 5 and 6 automate adaptive policy (Policy Normalization, Threat Response).]
Business Flows
PCI Use Case Example
Segmentation should restrict the flow of data. You can place appropriate controls for your particular use case by identifying the source and destination of each data flow and tracking its journey from the humans to the devices, across the network, and into the applications.
For example, consider the secure business flow for PCI applications below. The data flow must be isolated from end to end: from the human clerk, the payment card device within a branch, across the WAN, and into the data center, ending in the payment application.
Figure 14 The PCI Business Flow
[Figure 14: Clerk processing credit card: Clerk → Device → Server → Payment Application.]
Figure 15 Segmentation capabilities for the PCI business flow.
[Figure 15: Identity for the Clerk and Device Posture Assessment (Entity); Tagging and Server Firewall (Traffic); Disk Encryption (Data).]
After isolating the data flow, apply the capabilities that are appropriate for your use case across the entities, data, and traffic. Using this method, you can ensure controls are in place as the flow traverses to restrict the scope of the data (as shown in Figure 15).
Segmentation Across the Enterprise
Everything in your organization is open to attack without segmentation. Without segmentation controls, any human, device, network, or application that is compromised by an attack can be used to compromise everything else.
However, when you use segmentation across your humans, devices, networks, and applications, you can isolate the business flow from the rest of your network to defend it.
Figure 16 The SAFE architecture and all business flows.
Figure 17 The PCI business flow segmented from the rest of the network.
[Figures 16 and 17: the SAFE architecture with its Places in the Network (Secure Internet Edge, Secure Cloud, Secure Campus, Secure WAN, Secure Data Center, Secure Branch, Internet), each with an attack surface of Humans, Devices, Network, and Applications, and the business use cases that cross them (customer making purchase, clerk processing credit card, CEO sending email to shareholders, shareholder receiving email from CEO, third-party technician accessing logs, technician submitting task, guest and employee browsing, branch manager browsing information, customer browsing prices). Figure 17 highlights the Payment Processing flow from the Secure Branch across the Secure WAN into the Payment Application in the Secure Data Center, isolated from the other flows.]
The Branch to the Data Center
The PCI business flow begins with the humans in the branch.
Figure 18 The Human Clerk is the source of the PCI business flow.
To segment the human entity, use identity controls, such as a user name and password plus a second factor, to identify the employees who are permitted to use the credit card devices.
Figure 19 Identity controls are used to segment the Human Entity.
Figure 20 Payment card device segmentation for Entity, Data, and Traffic.
Next, the payment device requires all three segmentation controls: identity for the device entity, encryption for the data at rest, and a host-based firewall for traffic to and from the device.
The network in the branch assures that the payment device conforms to policy using a posture assessment from the switch. The network entities are segmented using identity controls. Firewalls and tagging ensure that the PCI business flow does not commingle with other business flows by placing the PCI traffic on its own subnet/VLAN and enforcing that separation with firewall rules and tags.
Figure 21 The branch network segmented for Entity, Data, and Traffic.
Figure 22 The PCI business flow travels from the branch to the WAN.
Leaving the branch, the PCI traffic flow moves onto the Wide Area Network (WAN) as it travels to the data center.
The WAN entities are segmented using identity controls. Firewalls and tagging ensure that the PCI business flow does not commingle with other business flows by keeping the PCI traffic on its own subnet/VLAN.
Figure 23 The WAN is segmented using identity and traffic controls.
Leaving the WAN, the PCI traffic flow enters the data center.
Figure 24 The PCI business flow moves to the data center.
Figure 25 The core switches the PCI traffic in the virtualized data center server farm.
The virtualized data center is segmented using the same methodology as the physical equipment in the branch. The network in the data center assures that the payment system conforms to policy using a posture assessment from the switch. The network entities are segmented using identity controls. Firewalls and tagging ensure that the PCI business flow does not commingle with other business flows by keeping the PCI traffic on its own subnet/VLAN and enforcing that separation with firewall rules and tags.
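An added example (not code from this guide) of the tagging and firewalling that carry the PCI flow from the branch through the WAN into the data center: the branch access switch stamps a group tag from the identity and posture result, the WAN router and the data center leaf carry it unchanged, and the branch and data center firewalls enforce a tag-pair policy. A laptop that tries to claim the PCI tag itself is overwritten at ingress and dropped at the first firewall. The hop names, tag names, host names and the policy matrix are assumptions; the mechanism mirrors group tagging in the SGT/EPG style named in Table 3.

```python
"""The PCI flow across branch, WAN and data center with group tagging.

Added example, not code from the SAFE guide. Hop names, tag names, host
names and the tag policy matrix are assumptions; the mechanism mirrors
group tagging (SGT/EPG style), where the network stamps a tag at ingress
after identity and posture checks and firewalls enforce on the tag pair."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Tag policy: (source tag, destination tag) -> permitted destination ports.
# Any pair not listed is denied at every enforcement point.
TAG_POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("PCI", "PAYMENT_APP"): {443},
    ("CORP", "INTRANET_APP"): {80, 443},
}

# Destination servers and their tags (assumed data-center inventory).
SERVER_TAGS = {"payment-app-01": "PAYMENT_APP", "intranet-01": "INTRANET_APP"}


@dataclass
class Flow:
    src_host: str
    dst_host: str
    dport: int
    claimed_tag: Optional[str] = None    # tag the endpoint tries to assert itself
    tag: Optional[str] = None            # tag the network actually stamps
    trace: List[str] = field(default_factory=list)


@dataclass
class Hop:
    name: str
    kind: str                            # "ingress", "transport" or "enforce"
    assign: Dict[str, str] = field(default_factory=dict)   # ingress: host -> tag


def traverse(flow: Flow, path: List[Hop]) -> Tuple[bool, str]:
    """Walk the flow hop by hop. Returns (delivered, name of the last hop
    reached); a denied flow stops at the firewall that dropped it."""
    for hop in path:
        if hop.kind == "ingress":
            # Only the access layer assigns tags, from the authenticated
            # identity and posture result; a tag claimed by the endpoint is
            # discarded so a compromised laptop cannot promote itself to PCI.
            flow.tag = hop.assign.get(flow.src_host, "UNKNOWN")
            flow.trace.append(f"{hop.name}: stamped {flow.tag} "
                              f"(endpoint claimed {flow.claimed_tag})")
        elif hop.kind == "transport":
            flow.trace.append(f"{hop.name}: carried {flow.tag} unchanged")
        elif hop.kind == "enforce":
            dst_tag = SERVER_TAGS.get(flow.dst_host, "UNKNOWN")
            allowed = TAG_POLICY.get((flow.tag, dst_tag), set())
            if flow.dport not in allowed:
                flow.trace.append(f"{hop.name}: DENY {flow.tag}->{dst_tag}:{flow.dport}")
                return False, hop.name
            flow.trace.append(f"{hop.name}: permit {flow.tag}->{dst_tag}:{flow.dport}")
        else:
            raise ValueError(f"unknown hop kind {hop.kind}")
    return True, path[-1].name


# Branch access switch stamps tags, branch and data-center firewalls enforce,
# WAN router and DC leaf only carry the tag (assumed topology).
PCI_PATH: List[Hop] = [
    Hop("branch-access-switch", "ingress",
        {"pos-terminal-7": "PCI", "clerk-laptop": "CORP", "lobby-kiosk": "GUEST"}),
    Hop("branch-firewall", "enforce"),
    Hop("wan-router", "transport"),
    Hop("dc-firewall", "enforce"),
    Hop("dc-leaf-switch", "transport"),
]


if __name__ == "__main__":
    for f in (Flow("pos-terminal-7", "payment-app-01", 443),
              Flow("clerk-laptop", "payment-app-01", 443, claimed_tag="PCI")):
        print(traverse(f, PCI_PATH), *f.trace, sep="\n  ")
```

Because the tag is assigned once at ingress from the authenticated result, no downstream hop needs to know addresses or VLANs; moving the payment terminal to another branch port changes nothing in the firewall policy, and the second enforcement point in the data center catches anything that reaches the WAN without passing a branch firewall.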
Finally, the application data is encrypted.
Figure 26 Data from the PCI flow is encrypted at the application data layer.
When isolated and segmented using these best practices, the data within your business flows will be protected.
Figure 27 The PCI business flow segmented from the rest of the network.
Summary
Segmentation is evolving. In the past, businesses focused primarily on the network perimeter. Today they’re looking for a holistic model that applies controls to their users, devices, networks, applications, and application processes. Although a comprehensive zero-trust design may not be achievable yet, this SAFE Segmentation Operations Guide provides the concepts and capabilities that can help your organization develop an appropriate segmentation solution.
SAFE is Cisco’s security reference architecture that simplifies the security challenges of today and prepares for the threats of tomorrow.
Suggested Components
Table 5 SAFE Design Components for Segmentation
Human / Users
• Identity: Identity Services Engine (ISE); Meraki Management
• Multi-Factor Authentication: Cisco Duo
Devices / Endpoints
• Identity: Identity Services Engine (ISE); Industrial Network Director; AnyConnect Agent
• Host Firewall: Cisco Tetration; Device OS
• VPN: AnyConnect Agent
• Disk Encryption: Device OS
• Posture Assessment: AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management
Network / Network Systems
• Firewall: Firepower Appliance; Adaptive Security Appliance (ASA)
• Tagging: Nexus/Catalyst Switch VLANs; Centralized Identity Services Engine; TrustSec; Application Centric Infrastructure (ACI) Endpoint Group (EPG)
• Mobile Device Management (MDM): Meraki Device Manager; Identity Services Engine (ISE)
• Cloud Access Security Broker (CASB): Cisco Cloudlock
• Disk Encryption: Web Security Appliance (WSA); Email Security Appliance (ESA); Content Delivery (CDA)
• Software-Defined Perimeter (SDP/SD-WAN): AnyConnect Agent; Cisco Viptela; Meraki MX
Applications / Service
• TLS Encryption Offload: Partner Product
• Web Application Firewalling: Partner Product
• Identity: Identity Services Engine (ISE); Industrial Network Director; AnyConnect Agent
• Host Firewall: Cisco Tetration; Device OS
• Disk Encryption: Device OS
• Posture Assessment: AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management
For more information on SAFE, see www.cisco.com/go/SAFE.
References
• A Framework to Protect Data Through Segmentation: www.cisco.com/c/en/us/about/security-center/framework-segmentation.html
• Software-Defined Access Segmentation Design Guide, May 2018 (PDF, 2 MB): www.cisco.com/c/en/us/solutions/enterprise/design-zone-campus/design-guide-listing.html
• Cisco TrustSec, Software-Defined Segmentation: www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)