This guide discusses the Cisco SAFE best practices, designs and configurations, and provides network and security engineers with the necessary information to help them succeed in designing, implementing and operating secure network infrastructures based on Cisco products and technologies.
Document Audience
While the target audience is technical in nature, business decision makers, senior IT leaders, and systems architects can benefit from understanding the design driving principles and fundamental security concepts.
Document Organization
The following table lists and briefly describes the chapters and appendices of this guide:
Describes the best practices for securing the enterprise network infrastructure. This includes setting a security baseline for protecting the control and management planes as well as setting a strong foundation on which more advanced methods and techniques can subsequently be built on.
Describes the core component of the Cisco SAFE design. It describes types of threats that targets the core and the best practices for implementing security within the core network.
Describes the intranet data center component of the Cisco SAFE design. It provide guidelines for integrating security services into Cisco recommended data center architectures.
Describes the enterprise campus component of the Cisco SAFE design. It covers the threat types that affect the enterprise campus and the best practices for implementing security within the campus network.
Describes the enterprise Internet edge component of the Cisco SAFE design. It covers the threat types that affect the Internet edge and the best practices for implementing security within the enterprise Internet edge network.
Describes the enterprise WAN edge component of the Cisco SAFE design. It covers the threat types that affect the enterprise WAN edge and the best practices for implementing security within the WAN edge network.
Describes enterprise branch component of the Cisco SAFE design. It covers the threat types that affect the enterprise branch and the best practices for implementing security within the branch network.
Describes the management component of the Cisco SAFE design. It covers the threat types that affects the management module and the best practices for mitigation those threats.
Provides a list of reference documents where users can obtain additional information.
Glossary
Lists and defines key terms and acronyms used in this guide.
About the Authors
This section provides information about the authors who developed the content of this guide.
Justin Chung, Manager, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
Justin is a Technical Marketing Manager with over twelve years of experience in the networking industry. During his eleven years at Cisco, he managed various security solutions such as Dynamic Multipoint VPN (DMVPN), Group Encrypted Transport VPN (GET VPN), VRF-Aware IPSec, Network Admission Control (NAC), and others. He is a recipient of the Pioneer Award for the GET VPN solution. He is currently managing the Enterprise WAN Edge, Branch, and Security solutions.
Martin Pueblas, CCIE#2133, CISSP#40844—Technical Leader, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
Martin is the lead system architect of the Cisco SAFE Security Reference Architecture.
He is a network security expert with over 17 years of experience in the networking industry. He obtained his CCIE certification in 1996 and CISSP in 2004. Martin joined Cisco in 1998 and has held a variety of technical positions. Started as a Customer Support Engineer in Cisco's Technical Assistance Center (TAC) in Brussels, Belgium. In 1999 moved to the United States where soon became technical leader for the Security Team. Martin's primary job responsibilities included acting as a primary escalation resource for the team and delivering training for the support organization. At the end of 2000, he joined the Advanced Engineering Services team as a Network Design Consultant, where he provided design and security consulting services to large corporations and Service Providers. During this period, Martin has written a variety of technical documents including design guides and white papers that define Cisco's best practices for security and VPNs. Martin joined Cisco's Central Marketing Organization in late 2001, where as a Technical Marketing Engineer, he focused on security and VPN technologies. In late 2004, he joined his current position acting as a security technical leader. As part of his current responsibilities, Martin is leading the development of security solutions for enterprises.
Alex Nadimi, Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
Alex has been at Cisco for 14 years. His expertise include security, VPN technologies, MPLS, and Multicast. Alex has authored several design guides and technical notes.
Alex has over 15 years experience in the computer, communications, and networking fields. He is a graduate of University of London and Louisiana State University.
Dan Hamilton, CCIE #4080 —Technical Leader, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
Dan has over 15 years experience in the networking industry. He has been with Cisco for 9 years. He joined Cisco in 2000 as a Systems Engineer supporting a large Service Provider customer. In 2004, he became a Technical Marketing Engineer in the Security Technology Group (STG) supporting IOS security features such as infrastructure security, access control and Flexible Packet Matching (FPM) on the Integrated Security Routers (ISRs), mid-range routers and the Catalyst 6500 switches. He moved to a Product Manager role in STG in 2006, driving the development of new IOS security features before joining the ESE Team in 2008.
Prior to joining Cisco, Dan was a network architect for a large Service Provider, responsible for designing and developing their network managed service offerings.
Dan has a Bachelor of Science degree in Electrical Engineering from the University of Florida.
Sherelle is a technical leader at Cisco Systems with over fifteen years experience in the networking industry, encompassing service provider and enterprise environments in the US and Europe.
During her more than ten years at Cisco, she has worked on a variety of service provider and enterprise solutions, and started her current focus on network security integration over four years ago. She has presented and published on a number of topics, most recently as co-author of the Wireless and Network Security Integration Solution design guide, and the Network Security Baseline paper.
David Anderson, CCIE #7660, CISSP#57547—Senior Technical Marketing Engineer, CMO Enterprise Solutions Engineering (ESE), Cisco Systems
David is a Senior Technical Marketing Engineer in CMO - Enterprise Solutions Engineering (ESE), Cisco Systems. In this role, David focuses on security and virtualization in data center solutions. David also works cross-functionally to develop data center solutions with Cisco business units and partners.
David joined Cisco in 1999 as a solution engineer for service provider dial-access architectures. His roles at Cisco include Systems Engineer, Technical Marketing Engineer, and Senior Product Manager. In 2001 David was part of the initial team that began focusing on data center related solutions for Cisco. After several years, he moved to the role of Senior Technical Marketing Engineer and Product Manager to help establish and grow the Cisco Network Admission Control product line.
David is a frequent speaker at Cisco Live (Networkers) and other industry events and forums. Prior to joining Cisco, David was a Senior Network Engineer for the Department of Emergency Communications and E-911 Center in San Francisco. David holds CCIE and CISSP certifications and has a Bachelor of Science degree in Management Information Systems from Florida State University.
Srinivas is a Technical Marketing Engineer for WAN and branch architectures in Cisco's ESE team. Prior to joining the ESE team, Srinivas worked two years in Commercial System Engineering team where he worked on producing design guides, and SE presentations for channel partners and SEs. Before that, he worked for 5 years with other Cisco engineering teams. Srinivas has been at Cisco for 8 years.
