Places In The Network: Secure Data Center


SAFE Architecture Guide
Places in the Network: Secure Data Center
April 2018

Contents

Overview 3
Business Flows 5
Threats 8
Security Capabilities 9
Architecture 14
  Secure Data Center 15
  Attack Surface 16
    Humans 16
    Devices 17
    Network 18
    Applications 21
  Multi-site Data Center 24
Summary 25
Appendix 26
  A Proposed Design 26
  Suggested Components 28

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Overview

The Secure Data Center is a place in the network (PIN) where a company centralizes data and performs services for business. Data centers contain hundreds to thousands of physical and virtual servers that are segmented by applications, zones, and other methods. This guide addresses data center business flows and the security used to defend them.

The Secure Data Center is one of the six places in the network within SAFE. SAFE is a holistic approach in which Secure PINs model the physical infrastructure and Secure Domains represent the operational aspects of a network.

The Secure Data Center architecture guide provides:

- Business flows for the data center
- Data center threats and security capabilities
- Business flow security architecture
- Design examples and a parts list

Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and Secure Domains for operational guidance. (Diagram labels: Places in the Network (PINs); Domains: Management, Security Intelligence, Compliance, Segmentation, Threat Defense, Secure Services.)

SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

Figure 2 SAFE Guidance Hierarchy. (Diagram labels: The Key to SAFE; Capability Guide; Architecture Guides; Design Guides; Operations Guides; "You are here" marks the Secure Data Center architecture guide. Places in the Network shown: Secure Data Center, Secure WAN, Secure Internet Edge, Secure Campus; Secure Domains shown: Management, Segmentation, Threat Defense.)

Business Flows

The Secure Data Center provides business services to the company's users. It is the central destination and transit area that ties the company business flows together.

- Internally, employees in the branch, campus, and remote locations require access to applications, collaboration services (voice, video, email), and the Internet. Systems communicate east/west within and between data centers.
- Third parties, such as service providers and partners, require remote access to applications and devices.
- Customer guest traffic transits the network en route to the Internet edge.

Figure 3 Data center business use cases are color coded to define where they flow. (Use cases shown in the figure:)

Internal:
- Clerk processing credit card transaction
- Employee researching product information
- CEO sending email to shareholder
- Field engineer updating work order
- Servers communicating with systems

Third Party:
- Connected device with remote vendor support

Customer:
- Guest accessing the Internet to watch hosted video

Functional Controls

Functional controls are common security considerations that are derived from the technical aspects of the business flows.

- Secure Applications: Applications require sufficient security controls for protection.
- Secure Access: Servers and devices securely accessing the network.
- Secure East/West Traffic: Data moves securely; internally, externally, or to third-party resources.
- Secure Remote Access: Secure remote access for employees and third-party partners that are external to the company network.
- Secure Communications: Email, voice, and video communications connect to potential threats outside of company control and must be secured.

Figure 4 Data center business flows map to functional controls based on the types of risk they present. (Mappings shown in the figure:)

Internal:
- Secure applications for PCI: Clerk processing credit card transaction
- Secure web access for employees: Employee researching product information
- Secure communications for email: CEO sending email to shareholder
- Secure remote access for employees: Field engineer updating work order
- Secure east/west traffic for compliance: Servers communicating with systems

Third Party:
- Secure remote access for a third party: Connected device with remote vendor support

Customer:
- Secure web access for guests: Guest accessing the Internet to watch hosted video

Capability Groups

Data center security is simplified by grouping capabilities into three groups which align to the functional controls: Foundational, Business, and Access. Each flow requires the access and foundational groups. Business activity risks require appropriate capabilities to control or mitigate them as shown in Figure 5, which often reside within the data center. User clients and devices also require security, but are non-data center capabilities.

For more information regarding capability groups and functional controls, refer to the SAFE overview guide.

Figure 5 The Secure Data Center Business Flow Capability Diagram. (The diagram lays out the seven business flows from Figure 4, separating Non-Data Center Capabilities from Data Center capabilities and grouping the latter into the Business and Access groups. Capability labels recoverable from the diagram include Firewall, Intrusion Prevention, Tagging, Identity, AVC, Web Security, DNS Security, Rogue Detection, Client-Based Security, Server-Based Security, and Posture Assessment, alongside the Payment Application, Workflow Application, Website, and Thermostat endpoints.)

Secure Data Center threats and capabilities are defined in the following sections.

Threats

Data centers contain the majority of business information assets and intellectual property. These are the primary goals of targeted attacks and require the highest level of investment to secure. The data center has four primary threats:

- Data extraction (data loss): The unauthorized exfiltration or theft of a company's intellectual property, innovation, and proprietary company data.
- Unauthorized network access: Unauthorized access gives attackers the potential to cause damage, such as deleting sensitive files from a host, planting a virus, and hindering network performance with a flood of illegitimate packets.
- Malware propagation: Assets in the data center are targets for east/west contamination between servers, and north/south from employees, partners, or customer devices on the network. Applications that process credit card transactions and Internet of Things devices are the most prevalent targets.
- Botnet cultivation: The resources of a server farm are a valuable target for botnet cultivation. Botnets are networks made up of remote-controlled computers, or "bots." They are used to steal data, send spam, or perform other attacks.

The defense is explained throughout the rest of the document.

Security Capabilities

Attack Surface

The attack surface of the data center is defined by the business flows, and includes the people and the technology present. The security capabilities that are needed to respond to the threats are mapped in Figure 6. The data center security capabilities are listed in Table 1. The placement of these capabilities is discussed in the architecture section.

Figure 6 Secure Data Center Attack Surface and Security Capabilities. (Diagram labels recoverable from the figure: Humans: Remote Administrators; Network: Wireless Connection, WAN, Public WAN, Cloud, Public/Hybrid Cloud, Analysis; Applications: Load Balancer, Server, Web Application Firewalling, Anti-Malware, Tagging, Threat Intelligence, Intrusion Prevention, Flow Analytics, Application Visibility Control, SSL/TLS Offload, Central Control/Management.)

Table 1 Secure Data Center Attack Surface, Security Capability, and Threat Mapping

Products that implement these capabilities can be found in Table 2.

Human
  Users: Employees, third parties, customers, and administrators.
    Security Capability: Identity: Identity-based access.
    Threat: Attackers or disgruntled admins accessing restricted information resources.

Devices
  Clients: Devices such as PCs, laptops, smartphones, tablets.
    Security Capability: N/A: Addressed in other PINs where clients reside.
    Threat: Compromised administrator systems obtaining elevated access.
  Voice/Video: Phone and teleconferencing.
    Security Capability: N/A: Covered in Secure Services domain.
    Threat: Attackers accessing private information.
  Autonomous Device: Building controls.
    Security Capability: N/A: Covered in IoT Threat Defense.
    Threat: Attackers taking over systems.

Network
  Wired Network: Physical network infrastructure; routers, switches, used to connect access, distribution, core, and services layers together.
    Security Capability: Firewall: Stateful filtering and protocol inspection between segments in the data center.
    Threat: Unauthorized access and malformed packets between and within the data center.
    Security Capability: Intrusion Prevention: Blocking of attacks by signatures and anomaly analysis.
    Threat: Attacks using worms, viruses, or other techniques.
    Security Capability: Tagging: Software-based segmentation using EPGs/TrustSec/VLANs.
    Threat: Unauthorized access and malicious traffic between segments.
  Wireless Network: Branches vary from having robust local wireless controller security services to a central, cost-efficient model.
    Security Capability: N/A: Covered in Branch and Campus PINs.
    Threat: Attacks on the infrastructure via wireless technology.

Network (continued)
  Wired Network (continued)
    Security Capability: Anti-Malware: Identify, block, and analyze malicious files and transmissions.
    Threat: Malware distribution across networks or between servers and devices.
    Security Capability: Threat Intelligence: Contextual knowledge of existing and emerging hazards.
    Threat: Zero-day malware and attacks.
    Security Capability: Flow Analytics: Network traffic metadata identifying security incidents.
    Threat: Traffic, telemetry, and data exfiltration from successful attacks.
  WAN: Public and untrusted Wide Area Networks that connect to the company, such as the Internet.
    Security Capability: N/A: Covered in Branch, Campus, WAN, and Edge PINs.
    Threat: Exposed services and data theft of remote workers and third parties.
  Cloud
    Security Capability: N/A: Covered in Branch, Campus, Edge and Cloud PINs.
    Threat: Unauthorized access and malformed packets connecting to services.
  Analysis: Analysis of network traffic within the campus.
    Security Capability: Application Visibility Control: Inspects network communications.
    Threat: Unauthorized access and malformed packets connecting to services.
    Security Capability: Central Management: Company-wide management, monitoring, and controls.
    Threat: Single target for complete company control and destruction.
    Security Capability: Malware Sandbox: Inspects and analyzes suspicious files.
    Threat: Zero-day malware and attacks.

Applications
  Applications: Management, servers, database, load balancer.
    Security Capability: TLS Encryption Offload: Accelerated encryption of data services.
    Threat: Theft of unencrypted traffic.
    Security Capability: Web Application Firewalling: Advanced application inspection and monitoring.
    Threat: Attacks against poorly developed applications and website vulnerabilities.
  Storage: Drives, databases, media.
    Security Capability: Disk Encryption: Encryption of data at rest.
    Threat: Theft of unencrypted data.

Applications (continued)
  Servers
    Security Capability: Server-based Security: Security software for servers with the following capabilities:
      Anti-Malware: Identify, block, and analyze malicious files and transmissions.
        Threat: Malware distribution across servers.
      Anti-Virus
        Threat: Viruses compromising systems.
      Cloud Security: Security services from the cloud.
        Threat: Redirection of session to malicious website.
      Host-based Firewall: Provides microsegmentation.
        Threat: Unauthorized access and malformed packets connecting to server.
      Posture Assessment: Server compliance verification, authorization, and patching.
        Threat: Targeted attacks taking advantage of known vulnerabilities.
      Disk Encryption: Protect information at rest.
        Threat: Unauthorized access to system-stored data.

Management
  Management, Control, and Monitoring
    Security Capability: Analysis/Correlation: Security event management of real-time information.
    Threat: Diverse and polymorphic attacks.
    Security Capability: Anomaly Detection: Identification of infected hosts scanning for other vulnerable hosts.
    Threat: Worm traffic that exhibits scanning behavior.
    Security Capability: Identity/Authorization: Centralized identity and administration policy.
    Threat: Single target for complete company control and destruction.
    Security Capability: Logging/Reporting: Centralized event information collection.
    Threat: Unauthorized network access or configuration.
    Security Capability: Monitoring: Network traffic inspection.
    Threat: Traffic, telemetry, and data exfiltration from successful attacks.
    Security Capability: Policy/Configuration: Unified infrastructure management and compliance verification.
    Threat: Seizure of infrastructure or devices.
    Security Capability: Time Synchronization: Device clock calibration.
    Threat: Misdirection and correlation of attacks.
    Security Capability: Vulnerability Management: Continuous scanning, patching, and reporting of infrastructure.
    Threat: Malicious device connected to infrastructure.
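The Flow Analytics row in the Network table and the Anomaly Detection row above both describe the same job: using traffic metadata to spot an infected host that is scanning for other vulnerable hosts. The Python below is an added example, not Cisco code and not part of the SAFE guide. It runs a fan-out heuristic over constructed NetFlow-style records: a source that touches more distinct internal hosts than a threshold inside a short window, using only tiny flows (a probe that gets no answer carries almost no bytes), is reported as a scan suspect. The Flow field names, the 10.0.0.0/8 internal range, the window, and the thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record. Field names are an assumption, not a vendor schema."""
    ts: int       # flow start time in seconds (constructed values below)
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    nbytes: int   # bytes sent by src


# Assumed internal address space; sweeping *internal* hosts is the worm pattern.
INTERNAL = ip_network("10.0.0.0/8")


def detect_scanners(flows, window=60, fanout_threshold=20, max_bytes=200):
    """Return {src: set(dst)} for sources that contacted more than
    `fanout_threshold` distinct internal hosts within any `window` seconds
    using small flows (at most `max_bytes` bytes each)."""
    by_src = defaultdict(list)
    for f in flows:
        if ip_address(f.dst) in INTERNAL and f.nbytes <= max_bytes:
            by_src[f.src].append(f)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        in_window = defaultdict(int)   # dst -> number of flows to it in the window
        lo = 0
        for rec in recs:
            in_window[rec.dst] += 1
            # slide the left edge forward until every counted flow fits the window
            while rec.ts - recs[lo].ts > window:
                old = recs[lo].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > fanout_threshold:
                hits.setdefault(src, set()).update(in_window)
    return hits


def build_sample_flows():
    """Constructed sample: one scanning host, one ordinary client, and one
    host browsing many external sites (external fan-out must not trigger)."""
    flows = []
    # infected host sweeping 10.1.2.0/24 on TCP/445, one probe per second
    for i in range(1, 41):
        flows.append(Flow(1000 + i, "10.1.1.50", f"10.1.2.{i}", 445, 64))
    # ordinary client: three servers, large flows
    for i, dst in enumerate(["10.1.3.10", "10.1.3.11", "10.1.3.12"]):
        flows.append(Flow(1000 + i, "10.1.1.10", dst, 443, 50_000))
    # web browsing: many small flows, but to external (TEST-NET-3) addresses
    for i in range(1, 31):
        flows.append(Flow(1000 + i, "10.1.1.77", f"203.0.113.{i}", 443, 120))
    return flows


if __name__ == "__main__":
    for src, dsts in detect_scanners(build_sample_flows()).items():
        print(f"scan suspect {src}: {len(dsts)} distinct internal hosts")
```

Only the sweeping host is reported; the client with three large flows and the browser with thirty external destinations stay below the bar. In practice the threshold is tuned per segment, and the output feeds the Analysis/Correlation and Logging/Reporting capabilities rather than standing alone.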

Architecture

SAFE underscores the challenges of securing the business. It enhances traditional network diagrams to include a security-centric view of the company business. The Secure Data Center architecture is a logical grouping of security and network technology that supports data center business use cases. It implements a traditional access/distribution/core network architecture as well as an application-centric server farm.

SAFE business flow security architecture depicts a security focus. The cabling, redundancy, interface addressing, and other specifics shown in traditional design diagrams are depicted in SAFE design diagrams. Note that a SAFE logical architecture can have many different physical designs.

Figure 7 SAFE Model. The SAFE Model simplifies complexity across a business by using Places in the Network (PINs) that it must secure. (Diagram labels partly recoverable from the figure: each PIN is drawn with its Humans, Devices, Network, Applications, and Business Use Cases. Branch: Branch Manager browsing information, Clerk processing credit card, Customer browsing prices, Wireless Guest. Edge/Perimeter and DMZ: Email Security, Web Security, RA VPN, DMVPN, Firepower and Radware appliances, Product Information Website. Remote users: Technician submitting task, Customer making purchase, Shareholder receiving email from CEO, Third-party Technician accessing logs, Comparative Shopping Website, Wholesaler Website. Campus: Core Block and Building Block with Core, Distribution, L3 and Fabric switches, Wireless Controller, Building and Environmental Controls, Employee Phone, CEO sending email to Shareholders. Data Center: Leaf and Spine switches, Firepower appliances, Load Balancer, Secure Servers, Database, Payment Application, Workflow Application, Firepower Management Center, Identity Server. Cloud and services: DNS Security, Threat Intelligence, Web Reputation/Filtering, Distributed Denial of Service Protection, Application Visibility Control (AVC), virtual Firepower and Radware appliances.)

Secure Data Center

The Secure Data Center architecture has the following characteristics:

- Software-defined network segmentation, orchestration
- Software-defined application segmentation
- Visibility with centralized management, analytics, and shared services
- Physical and virtual servers requiring secure network access connectivity
- A core connecting distribution and application-centric layers
- Redundant high-performance appliances for availability and maximum uptime
- Modular access and distribution layers which dynamically segment applications

Humans and devices are part of the attack surface, but are not part of the architecture within the data center. Data centers are often deployed within a campus or corporate headquarters.

(Architecture diagram, caption not recovered. Labels recoverable from the figure: Data Center attack surface with links "To Edge" and East/West; Leaf, Spine, L3 and Fabric switches; Firepower appliances; Firepower Management Center; Identity Server; Management Server; Load Balancer; Secure Servers; Database; Payment Application; Payment Processing; Workflow Automation; Communications Manager; Building Controls. Business use cases shown: Clerk processing credit card, CEO sending email to Shareholders, Field Engineer submitting work order, Third-party Technician accessing logs, Shareholder receiving email from CEO, Wholesaler Website, Comparative Shopping Website.)
