The SAFE document outlines best practice
for securing an enterprise network. Since the release of the
SAFE document for enterprise networks, other SAFE documents have
been released extending the original SAFE blueprint. New topics
include a Security Blueprint for Small, Midsize, and Remote-User
Networks, IPsec VPNs, wireless network security, and IP
telephony security. Recently, Cisco released the Cisco SAFE
Implementation exam in beta (9E1-131), which covers the material
in the Security Blueprint for Small, Midsize, and Remote-User
Networks (SAFE: SMR). In this week's article, I will look at
the information covered in the SAFE: SMR.
The SAFE: SMR begins with several caveats. The first is that Cisco
does not endorse implementing any security technology without
an associated security policy in place: one of the
fundamental concepts of the SAFE architecture is that a formal
security policy exists before any security technology is deployed.
The second is that no network is totally secure, and that following
the SAFE blueprint does not guarantee a secure environment. Once
the warnings are out of the way, the SAFE: SMR gets into the meat
of the document.
Immediately following the caveats, the SAFE: SMR describes the
architecture of the SAFE blueprint. The basic design objectives
for SAFE are (in order):
* Security and attack mitigation based on policy
* Security implementation through the infrastructure (not just
on specialized security devices)
* Cost-effective deployment
* Secure management and reporting
* Authentication and authorization of users and administrators
to critical network resources
* Intrusion detection for critical resources and subnets
The SAFE: SMR then discusses the different types of targets and
the basic precautions that should be taken to secure the devices.
Following the basic theory behind the blueprint, the SAFE: SMR
launches into actual examples of how a secure small or medium
network could be configured. The examples take a modular
approach, dividing the network into separate segments that can
be looked at separately. The diagrams show where to place
specialized security devices. The examples are divided into
small and medium networks, and provide information for head
office/branch office scenarios. Every network component's place
in the security architecture is described, as well as expected
attacks, and mitigation strategies.
The appendices that follow this information are very helpful.
The first contains detailed configuration information for the
various devices described in the SAFE: SMR. These configuration
examples provide helpful tips for developing your own device
configurations. The next appendix is a network security primer.
The primer covers the need for network security, different types
of network attacks, why a security policy is necessary, and the
different network management protocols. The primer conveys only
very basic concepts, but is a good starting point for security
information.
The document ends with what is called the architecture taxonomy,
which combines a glossary, an index of diagrams, and a
bibliography.
The Cisco SAFE Implementation exam covers all of the information
found in the SAFE: SMR. There are a few additional exam
objectives that should be studied outside of the SAFE: SMR. The
capabilities and specifications of the different types of
hardware in the Cisco security portfolio are also tested.
Devices included in this list are the VPN 3000 series
concentrators, PIX firewalls, and the Cisco Secure Scanner. The exam
objectives also reference something called a security wheel.
The security wheel is not mentioned in the SAFE: SMR, and
documents on Cisco's website reference a four-step and a
five-step wheel, making it difficult to study for this
objective. It is also necessary to be familiar with the actual
commands used to configure these devices, as well as the IOS
firewall and IPsec VPN tunnels. It will be very difficult to
pass the exam without some hands-on experience, as the exam does
include simulations.
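To make the SAFE design objectives concrete (policy-driven security, security built into the infrastructure rather than only on dedicated boxes, secure management and reporting, and authentication and authorization of administrators), and to show the kind of IOS commands the exam's hands-on objectives refer to, here is an added Cisco IOS configuration fragment for a small-network edge router. It is an illustration written for this article, not a configuration from the SAFE: SMR appendix or from Cisco. The hostname, addresses (10.1.1.0/24 inside, 203.0.113.0/30 outside, a private and a documentation range respectively), ACL numbers and names, interface names, and the bracketed secrets are all assumptions.

```text
! Added example for this article, not a configuration taken from the SAFE: SMR
! or from Cisco. Hostname, addresses, ACL numbers/names and the <placeholders>
! are assumptions; replace them with values from your own security policy.
!
hostname edge-rtr
ip domain-name example.net
ip cef
!
! Policy first: the login banner states the access policy that the rest of
! the configuration enforces.
banner login ^C
Authorized access only. Activity is monitored and logged.
^C
!
! Secure management: SSHv2 only, unneeded services off, secrets hashed.
! (crypto key generate rsa is run once from configuration mode; the key
! itself is not shown in the running configuration.)
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no cdp run
service password-encryption
service timestamps log datetime msec
enable secret <enable-secret>
!
! Authentication and authorization of administrators: TACACS+ with a local
! fallback account, per-command authorization and accounting at level 15.
username admin privilege 15 secret <local-admin-secret>
aaa new-model
tacacs-server host 10.1.1.5 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Management plane reachable only from the management subnet, only over SSH.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
line con 0
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! Reporting: central syslog plus authenticated NTP so log timestamps from
! different devices can be correlated.
logging buffered 64000 informational
logging trap informational
logging host 10.1.1.6
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.1.1.6 key 1
!
! Security through the infrastructure: the IOS Firewall (CBAC) on the router
! itself. Sessions started from inside are inspected on the way out and their
! return traffic is admitted dynamically; everything else from the Internet
! is dropped and logged.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
!
ip access-list extended FROM-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside - ISP link
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip inspect FW-OUT out
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 description Inside - users and management hosts
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
```

Two practical notes. Order matters when doing this on a remote box: create the local fallback account before `aaa new-model`, and generate the RSA key before restricting the VTY lines to SSH, or you lock yourself out. The final `deny ip any any log` in FROM-INTERNET is only safe because `ip inspect FW-OUT out` adds temporary entries ahead of the access list for the return traffic of sessions initiated from inside; without CBAC (or equivalent reflexive ACLs) that line would block all replies.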
The Cisco SAFE blueprints are a great idea whose time has
definitely come. The principles outlined in SAFE could be
applied to almost any situation, including non-Cisco equipment.
The SAFE documents should be required reading for any network
professional.