SAFE Operations Guide
Domain: Segmentation
July 2019

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Contents

• The Challenge
• Overview
• Segmentation Defined
  • Entity Segmentation
  • Data Segmentation
  • Traffic Segmentation
• Attack Surface and Segmentation Capabilities
  • Humans
  • Devices
  • Network
  • Applications
• Segmentation Considerations
• Business Flows
  • PCI Use Case Example
• Summary
• Suggested Components
• References


The Challenge

Cybercriminals are stealing company intellectual property, resources, and money. These valuable assets are like jewels and need protection.

Segmentation is the act of creating barriers around these assets to guard them.

Segmentation, Then and Now

Old Segmentation “This perimeter is sufficient.”

New Segmentation “We require security at every level, starting at the perimeter”


In the past, threats were considered external. Building a security perimeter was good enough to protect a company’s property and resources.

That mindset has rapidly evolved along with the severity of today’s cyber threats. Now the challenge of connecting any user on any device across any network to any application increases the complexity of segmentation.

Applying these basic concepts protects an organization’s attack surface:

• The identity of every human must be authenticated based on the permissions of their individual role.

• Every device or thing on the network must be authenticated and policies applied based on its identity and posture.

• The network is assumed to be hostile from internal as well as external threats.

• Application enforcement happens across services, sessions, transactions, and storage.

Asset protection using automated policy enforcement is a sign of mature and successful segmentation.


Overview

Segmentation is one of the six Operational Domains within SAFE. SAFE is a holistic approach where Operational Domains represent the functioning aspects of the physical infrastructure modeled by the Secure Places in the Network (PINs).

Although SAFE recommends that these operational layers be thought of as a progression stack, it is important to realize that all of these domains are active concurrently and heavily interdependent.

The SAFE Key illustrates how segmentation supports an overall threat defense of a company:

• First, Management identifies humans, devices, networks, and applications.

• Second, Visibility observes threats on the network.

• Segmentation creates secure partitions across entities, data, and traffic. These partitions restrict access based on role, function, and policy.

• Threat Defense provides accurate and timely threat response to reinforce segmentation policy dynamically, as reputations are augmented by the visibility of new threats.

There is no silver bullet for segmentation; as a practice and concept, it is maturing from static to automated.

The SAFE Segmentation operations guide provides:

• A segmentation model

• Technical considerations

• A business use case

• Recommended products


Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and SAFE Operational Domains for guidance.



SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

Figure 2 SAFE Guidance Hierarchy. The SAFE Overview Guide introduces the SAFE model and method. It supports the Architecture, Design, and Operations Guides that provide specific guidance in each area.


Segmentation Defined

Segmentation creates secure partitions for entities, data, and traffic on the network.

Figure 3 The SAFE Segmentation Model. Entities, Data, and Traffic must be securely partitioned across the attack surface.

Segmentation can be simplified by thinking about these three classifications:

• Entities are humans, devices, networks, and applications.

• Data is information at rest on devices, networks, and applications.

• Traffic is data in motion between devices, networks, and applications.



Entity Segmentation

Entities are humans, devices, networks, and applications, which represent the attackable surface.

Entity segmentation comprises identity and posture assessment according to policy:

• The identity of a person or device is established using authentication and authorization.

• Posture assessments verify that the system is policy-compliant, properly patched to participate in the appropriate segments, and not infected.

Examples of entities:

• Humans: doctors, clerks, managers, administrators, employees.

• Devices: laptops, smartphones, tablets, sensors, servers.

• Network: firewalls, routers, switches, access points, cloud IaaS.

• Applications: payments, payroll, workforce automation, e-commerce, email.

Figure 4 Entity segmentation securely partitions Humans, Devices, Networks, and Applications based on policy.



Data Segmentation

Data is information at rest that is segmented on devices, networks, and applications.

Data segmentation techniques can be logical or physical:

• Logical separation allows segmented utilization of shared resources (e.g., disk encryption, virtual storage device, data store, drive partition, encrypted tables).

• Physical separation relies on dedicated hardware for each data storage need (e.g., multiple hard drives).

Figure 5 Data Segmentation secures data at rest on Devices, Networks, and Applications.



Traffic Segmentation

Traffic is data in motion between devices, networks, and applications.

Traffic best practices:

• Companies must ensure separation of traffic flows (line of business, role-based, physical, etc.) for many purposes, including regulating information movement, network resource consumption, and threat reduction.

• Classify traffic (e.g., TCP/UDP port, packet header, IP address) and apply a particular policy to manipulate traffic physically or logically (e.g., allow traffic to go from A to B, but not A to C).

• Multiple policies are used consistently in different parts of the network by leveraging traffic classification conveyed via explicit marking, flow tables, state tables (e.g., group tagging, VLAN, ACL, VPN).

• Implement controls to facilitate appropriate differentiated entity access using enforcement mechanisms (e.g., VLANs, subnets, firewall rules).

Figure 6 Traffic segmentation securely partitions data in motion through filters and encryption.



Attack Surface and Segmentation Capabilities

SAFE maps segmentation types to the attack surface. The attack surface is defined by the business flow and the entities present across it. The security capabilities needed to segment these flows are mapped in Figure 7.

Segmentation security capabilities are listed throughout the sections below. The placement of these capabilities is discussed in the architecture section.

Figure 7 Secure Segmentation Attack Surface and Security Capabilities



Organization: Human

Attack Surface: Users: employees, third parties, customers, and administrators.

Segmentation Type and Capability:

• Entity: Identity: identity-based access.

• Entity: Multi-Factor Authentication: in addition to passwords (something the user knows), i.e., something the user is (fingerprint) or something the user has (push notification code).

Human

Humans are entities such as employees, customers, and remote access users such as partners who provide assigned identity information to their devices for access.

All people must be considered potentially bad actors. Exploitation of Trust attacks happen most frequently at this layer through credential theft. Credential management of employees, partners, and customers with effective role-based segmentation helps minimize the risk of this threat.

Administrators have more authority than normal users. The systems they access must require additional controls like two-factor authentication, limited access to job function, and logging of their changes.

Humans with access to sensitive data should also be required to use similar added controls when identifying themselves following the policy of least-privilege access.

Table 1 Human

Figure 8 Humans must identify themselves.



Devices

Device entities include laptops, smart phones, tablets, sensors, and servers.

In contrast to Humans, who can only be classified as entities, a device can store data and transmit/receive traffic. Devices participate in all three areas of segmentation as illustrated in Figure 9.

Segmentation at the device level is necessary to prevent threats from spreading across the network from a system infected by a zero-day attack. For example, administrators must separate building control systems from user devices.

Organization: Devices

Attack Surface: Endpoints: devices such as PCs, laptops, smartphones, tablets, phones, sensors, NAS drives.

Segmentation Type and Capability:

• Entity: Identity: device-specific identity information and context.

• Entity: Posture Assessment: client endpoint compliance verification and authorization.

• Data: Disk Encryption: encryption of data at rest.

• Traffic: VPN: encrypted communication tunnels between entities.

• Traffic: Host Firewall: stateful filtering and protocol inspection between entities.

Table 2 Devices

Figure 9 Devices can be segmented by Entity, Data, and Traffic based on their activity.



Network

Network entities include firewalls, routers, switches, wireless, cloud IaaS, and other devices that send and receive traffic. Network devices are entities that can store data and transmit/receive traffic, and therefore participate in all three areas of segmentation as illustrated in Figure 10.

Organization: Network

Attack Surface: Wired Network: physical network infrastructure (routers, switches) used to connect the access, distribution, core, and services layers together.

Segmentation Type and Capability:

• Entity: Identity: entity-specific identity information and context.

• Entity: Mobile Device Management (MDM): evaluation of the state of the device.

• Entity: Cloud Access Security Broker (CASB): contextual policy enforcement for cloud services.

• Data: Disk Encryption: encryption of data at rest.

• Traffic: Tagging: software-based segmentation using EPGs/SGT/VLANs.

• Traffic: Firewall: stateful filtering and protocol inspection between entities.

• Traffic: Software-Defined Perimeter (SDP/SD-WAN): dynamic, multi-point encrypted communications fabric.

Segmentation at the network level is necessary to prevent the spread of threats across the network as well as to separate different classifications of data and their business-relevant value from each other.

For example, administrators must separate payment and financial systems from personal identifiable information or proprietary intellectual property.

Table 3 Network

Figure 10 Networks can be segmented by Entity, Data, and Traffic based on their activity.



Applications

Examples of Applications entities are payments, payroll, workforce automation, e-commerce, email, etc.

Applications are entities on servers that can both store data and transmit/receive traffic, and therefore participate in all three areas of segmentation as illustrated in Figure 11.

Segmentation of applications at the session level is necessary to ensure the attack surface is minimized. If not supported by the application natively, a web application firewall (WAF) can add this capability.

Storage of application data must be encrypted to protect it in local and cloud deployments. Techniques for reducing the attack surface include proper key management and rotation.

For example, payment card security requires that each transaction session be encrypted and that all data at rest be encrypted.

Organization: Applications

Attack Surface: Applications: management, servers, database, load balancer.

Segmentation Type and Capability:

• Entity: Identity: identity-based access.

• Entity: Posture Assessment: server compliance verification, authorization, and patching.

• Data: Storage Encryption: encryption of data at rest in tables and databases.

• Traffic: TLS Encryption Offload: accelerated encryption of traffic services.

• Traffic: Web Application Firewalling: advanced application inspection and monitoring.

Table 4 Application

Figure 11 Applications can be segmented by Entity, Data, and Traffic based on their activity.



Segmentation Considerations

The industry is moving away from manual segmentation and toward segmentation that is automated, adaptive, and holistically coordinated.

Cisco recommends a tiered approach to trusted segmented access:

1. Verify identity for any user; verify hygiene for any device.

2. Discover, classify, and verify profiles for on-prem devices. Verify application dependencies for any workload infrastructure.

3. Grant easier, safer access to specific workload apps.

4. Segment the network via software-defined access.

5. Implement consistent data access policy management.

6. Remediate network, cloud, and endpoint threats or Common Vulnerabilities and Exposures (CVE).

Figure 12 Segmentation Maturity Model. Legacy: manual segmentation. Zero Trust: coordinated telemetry with dynamic segmentation based on policy.

Figure 13 Cisco Zero Trust. Using a practical zero-trust approach to security: establish trust level (User-Device Trust, IoT Trust and/or Workload Trust), establish SD-perimeter, automate adaptive policy; the numbered steps span App Access, Network Access, Policy Normalization, and Threat Response.


Business Flows

PCI Use Case Example

Segmentation should restrict the flow of data. You can place appropriate controls for your particular use case by identifying the source and destination of each data flow and tracking its journey from Humans to Devices to the Network and to Applications.

For example, consider the secure business flow for PCI applications below. The data flow must be isolated from end to end: from the human clerk, the payment card device within a branch, across the WAN, and into the data center, ending in the payment application.

Figure 14 The PCI Business Flow

Figure 15 Segmentation capabilities for the PCI business flow.

After isolating the data flow, apply the capabilities that are appropriate for your use case across the entities, data, and traffic. Using this method, you can ensure controls are in place as the flow traverses to restrict the scope of the data (as described in Figure 13).



Segmentation Across the Enterprise

Everything in your organization is open to attack without segmentation. Without segmentation controls, all humans, devices, networks, and applications that are compromised by an attack can be used to compromise everything else.

Figure 17 The PCI business flow segmented from the rest of the network.

However, when you use segmentation across your entities, devices, networks, and applications, you can isolate the business flow from the rest of your network to defend it.

Figure 16 The SAFE architecture and all business flows.



The Branch to the Data Center

The PCI business flow begins with the humans in the branch.

Figure 18 The Human Clerk is the source of the PCI business flow.

To segment the human entity, use appropriate controls such as user name and password to identify employees with access to credit card devices.

Figure 19 Identity controls are used to segment the Human Entity.



Figure 20 Payment card device segmentation for Entity, Data, and Traffic.

Next, the payment device requires all three segmentation controls: identity for the device entity, encryption for the data at rest, and a host-based firewall for traffic to and from the device.

The network in the branch assures the payment device conforms to policy using a posture assessment from the switch. The network entities are segmented using identity controls. Firewalls and tagging assure the PCI business flow does not co-mingle with other business flows by putting the PCI traffic onto its own subnet/VLAN.

Figure 21 The branch network segmented for Entity, Data, and Traffic.



Figure 22 The PCI business flow travels from the branch to the WAN.

Leaving the branch, the PCI traffic flow moves to the Wide Area Network (WAN) as it travels to the data center.

The WAN entities are segmented using identity controls. Firewalls and tagging assure the PCI business flow does not co-mingle with other business flows by putting the PCI traffic onto its own subnet/VLAN.

Figure 23 The WAN is segmented using identity and traffic controls.



Leaving the WAN, the PCI traffic flow enters the data center.


Figure 25 The core switches the PCI traffic in the virtualized data center server farm.

Figure 24 The PCI business flow moves to the data center.

The virtualized data center is segmented using the same methodology as the branch with its physical equipment. The network in the data center assures the payment system conforms to policy using a posture assessment from the switch. The network entities are segmented using identity controls. Firewalls and tagging assure the PCI business flow does not co-mingle with other business flows by putting the PCI traffic onto its own subnet/VLAN.



Finally, the application data is encrypted.

Figure 26 Data from the PCI flow is encrypted at the application data layer.

When isolated and segmented using these best practices, the data within your business flows will be protected.

Figure 27 The PCI business flow segmented from the rest of the network.
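To show how the identity, posture, tagging, firewall, and encryption controls walked through for this PCI flow (and the classify-then-apply-policy practice from Traffic Segmentation) compose into one decision, here is a small policy model added for illustration; it is not Cisco's code, and every tag, role, port, and entity name in it is a constructed assumption.

```python
# Toy segmentation policy engine for the SAFE PCI business flow.
# Constructed for illustration only: tags, roles, ports and entity names
# below are assumptions, not values taken from the Cisco guide.
from dataclasses import dataclass
from enum import Enum


class Tag(str, Enum):
    """Segment tags, standing in for the SGT/VLAN the switch assigns."""
    PCI = "PCI"
    CORP = "CORP"
    GUEST = "GUEST"
    BUILDING = "BUILDING"
    QUARANTINE = "QUARANTINE"


@dataclass(frozen=True)
class Entity:
    """A human, device, network element or application on the flow path."""
    name: str
    role: str              # assumed role label used for tag assignment
    authenticated: bool    # identity control passed (e.g. password + MFA)
    posture_ok: bool       # posture assessment: patched, compliant, clean
    disk_encrypted: bool   # data-at-rest control present on the entity


# Identity-based tag assignment: the verified role decides the segment.
ROLE_TAG = {
    "clerk": Tag.PCI,
    "payment-device": Tag.PCI,
    "payment-app": Tag.PCI,
    "employee": Tag.CORP,
    "file-server": Tag.CORP,
    "guest": Tag.GUEST,
    "hvac-sensor": Tag.BUILDING,
}

# Traffic policy: (source tag, destination tag, destination port) tuples that
# are permitted. Anything absent is denied, so segments never co-mingle.
ALLOWED_FLOWS = {
    (Tag.PCI, Tag.PCI, 443),    # clerk / payment device -> payment app
    (Tag.CORP, Tag.CORP, 445),  # employee -> corporate file share
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def assign_tag(entity: Entity) -> Tag:
    """Entity segmentation: identity first, then posture, then role -> tag."""
    if not entity.authenticated:
        raise PermissionError(f"{entity.name}: identity not established")
    if not entity.posture_ok:
        return Tag.QUARANTINE  # non-compliant entities get no real segment
    return ROLE_TAG.get(entity.role, Tag.GUEST)


def evaluate_flow(src: Entity, dst: Entity, dst_port: int,
                  encrypted_in_transit: bool) -> Verdict:
    """Traffic segmentation check applied where a flow crosses a firewall."""
    try:
        src_tag, dst_tag = assign_tag(src), assign_tag(dst)
    except PermissionError as exc:
        return Verdict(False, str(exc))
    if Tag.QUARANTINE in (src_tag, dst_tag):
        return Verdict(False, "posture assessment failed: entity quarantined")
    if (src_tag, dst_tag, dst_port) not in ALLOWED_FLOWS:
        return Verdict(False, f"no policy permits {src_tag.value} -> "
                              f"{dst_tag.value}:{dst_port}")
    # Data-segmentation requirements that ride along with PCI traffic.
    if Tag.PCI in (src_tag, dst_tag) and not encrypted_in_transit:
        return Verdict(False, "PCI session must be encrypted in transit")
    if dst_tag is Tag.PCI and not dst.disk_encrypted:
        return Verdict(False, "PCI data at rest must be encrypted")
    return Verdict(True, f"{src_tag.value} -> {dst_tag.value}:{dst_port} permitted")


# Constructed entities along the branch-to-data-center path of Figure 14.
CLERK = Entity("clerk-branch-12", "clerk", True, True, False)
PAYMENT_DEVICE = Entity("pos-terminal-3", "payment-device", True, True, True)
PAYMENT_APP = Entity("payment-app", "payment-app", True, True, True)
FILE_SERVER = Entity("corp-files", "file-server", True, True, True)
HVAC = Entity("hvac-sensor-7", "hvac-sensor", True, True, False)
INFECTED_LAPTOP = Entity("laptop-44", "employee", True, False, True)
UNKNOWN_USER = Entity("walk-in", "clerk", False, True, False)


def pci_scenarios() -> dict:
    """Flows a practitioner would test a PCI segmentation design against."""
    return {
        "clerk_to_payment_app": evaluate_flow(CLERK, PAYMENT_APP, 443, True),
        "pos_cleartext": evaluate_flow(PAYMENT_DEVICE, PAYMENT_APP, 443, False),
        "hvac_to_payment_app": evaluate_flow(HVAC, PAYMENT_APP, 443, True),
        "infected_to_files": evaluate_flow(INFECTED_LAPTOP, FILE_SERVER, 445, True),
        "unknown_to_payment_app": evaluate_flow(UNKNOWN_USER, PAYMENT_APP, 443, True),
    }
```

Only the clerk-to-payment-app flow passes; the others fail at the identity, posture, tag-policy, or transport-encryption stage respectively, which is the order the guide's tiered approach verifies them in.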



Summary

Segmentation is evolving. In the past, businesses focused primarily on the network perimeter. Today they’re looking for a holistic model that applies controls to their users, devices, networks, applications, and application processes. Although a comprehensive zero-trust design may not be achievable yet, this SAFE Segmentation Operations Guide provides the concepts and capabilities that can help your organization develop an appropriate segmentation solution.

SAFE is Cisco’s security reference architecture that simplifies the security challenges of today and prepares for the threats of tomorrow.


Suggested Components

Segmentation Attack Surface | Segmentation Capability | Suggested Cisco Components

Humans / Users | Identity | Identity Services Engine; Meraki Management
Humans / Users | Multi-Factor Authentication | Cisco Duo

Devices / Endpoints | Identity | Identity Services Engine (ISE); Industrial Network Director; AnyConnect Agent
Devices / Endpoints | Host Firewall | Cisco Tetration; Device OS
Devices / Endpoints | VPN | AnyConnect Agent
Devices / Endpoints | Disk Encryption | Device OS
Devices / Endpoints | Posture Assessment | AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management

Network / Network Systems | Firewall | Firepower Appliance; Adaptive Security Appliance (ASA)
Network / Network Systems | Tagging | Nexus/Catalyst Switch VLANs; Centralized Identity Services Engine; TrustSec; Application Centric Infrastructure (ACI) Endpoint Group (EPG)
Network / Network Systems | Mobile Device Management (MDM) | Meraki Device Manager; Identity Services Engine (ISE)
Network / Network Systems | Cloud Access Security Broker (CASB) | Cisco Cloudlock
Network / Network Systems | Disk Encryption | Web Security Appliance (WSA); Email Security Appliance (ESA); Content Delivery (CDA)
Network / Network Systems | Software-Defined Perimeter (SDP/SD-WAN) | AnyConnect Agent; Cisco Viptela; Meraki MX

Applications / Service | TLS Encryption Offload | Partner Product
Applications / Service | Web Application Firewalling | Partner Product
Applications / Service | Identity | Identity Services Engine (ISE); Industrial Network Director; AnyConnect Agent
Applications / Service | Host Firewall | Cisco Tetration; Device OS
Applications / Service | Disk Encryption | Device OS
Applications / Service | Posture Assessment | AnyConnect Agent; Identity Services Engine (ISE); Meraki Mobile Device Management

Table 5 SAFE Design Components for Segmentation


For more information on SAFE, see www.cisco.com/go/SAFE.

References

A Framework to Protect Data Through Segmentation: www.cisco.com/c/en/us/about/security-center/framework-segmentation.html

Software-Defined Access Segmentation Design Guide, May 2018 (PDF, 2 MB): www.cisco.com/c/en/us/solutions/enterprise/design-zone-campus/design-guide-listing.html

Cisco TrustSec: Software-Defined Segmentation: www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

