Location Matters

Although the SAFE architecture designates several categories of location (discussed in more detail when we address the different SAFE models), for this asset-value discussion there are really two broad categories: internal-only assets and external-facing assets.

Internal-Only Assets

These are the assets completely inside your network space. There is no access to them except through paths under your control. These assets should be easier to protect because you have some sort of buffering device between them and the outside world. You no doubt noticed the words "should be" rather than "are" when it comes to the ease of protecting them. Much depends on what kind of security policy is in place and how well it is adhered to. Remember, the SAFE Blueprint is based on the assumption that a security policy is in place and that it is supported (we'll discuss that more fully in Chapter 4, "The Security Policy"). Internal assets are found in any layer of Cisco's standard three-layer network design model: Access, Distribution, and Core.

Another Network Model?

Some people get confused when they look at a picture of the SAFE Blueprint because they see various modules with unfamiliar names. However, those modules contain the network components of the "standard" Access, Distribution, and Core layers. In fact, Cisco designed the routing and switching structure of the SAFE network design based on the Access, Distribution, and Core model; SAFE did not replace it.

It might help you to understand that the "standard" model is based on a transportation functionality approach, while the SAFE architecture is based on a security functionality approach. Both are valid ways to describe the parts of the network, and you should use the approach that is best suited to the problem you are trying to solve.


In fact, the Distribution and Core layers should be entirely internal-only assets. Access to them should always be filtered through other devices; the reasons for that are covered when we discuss Cisco's SAFE Axioms in Chapters 6, "The SAFE Security Blueprint," and 7, "The Extended SAFE Blueprints." Much of the Access layer is composed of internal-only assets (which sometimes interact only with other internal assets); however, some elements of the Access layer face the dangerous outside world (they are accessible to outside users entering from the Internet or other networks). Cisco often refers to the internal-only part of the network, regardless of its layer, as the campus module.

External-Facing Assets

External-facing assets are those that you control but that connect directly to devices that you do not control. These are your edge or perimeter routers, NASs, and firewalls: the guardians of your gates. Cisco refers to this part of the network as the edge in the SAFE architecture. Although many of us learned about demilitarized zones (DMZs) as areas to host public-facing servers, the edge is much more than just the DMZ. In fact, the edge contains all the devices that connect to your Internet service provider (ISP), the public switched telephone network (PSTN), your wireless access points (WAPs), and so on. The edge often has more than one device, to ensure that the incoming traffic is acceptable, has been properly filtered, and is then distributed only to places where it has legitimate business going. SAFE is about traffic control, and the edge is the entire zone where incoming traffic meets that control.

Because incoming traffic can be of any type, from anyone, and from anywhere, much of the hardest work in the SAFE model goes into securing the edge. Cisco recommends tighter monitoring and surprisingly tight controls even inside the campus. To understand why, take a look at Chapter 3, "Threats," which discusses the threats your network faces.
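The two location rules above (an asset is external-facing, and therefore edge, when it connects directly to a device you do not control; Distribution and Core assets must be internal-only, i.e. campus) can be checked mechanically against an asset inventory. The following Python is an added example, not code from the book or from Cisco. It assumes a constructed inventory format in which each asset records its design-model layer and the names of the neighbours that can send traffic to it, and a constructed list of neighbour names that stand for devices outside your control (ISP handoff, PSTN, wireless clients).

```python
"""Classify inventory assets as SAFE 'edge' or 'campus' and flag Distribution
and Core devices that are reachable directly from devices we do not control.

Assumptions (not from the book): asset records carry a layer name and the set
of direct neighbours that can reach them; UNCONTROLLED lists the neighbour
names that stand for the outside world.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: far ends that are outside our control.
UNCONTROLLED = frozenset({"isp", "pstn", "wireless-client"})
LAYERS = ("Access", "Distribution", "Core")


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str                   # one of LAYERS
    reached_via: frozenset[str]  # neighbours that can send traffic to this asset

    def __post_init__(self) -> None:
        if self.layer not in LAYERS:
            raise ValueError(f"{self.name}: unknown layer {self.layer!r}")


def is_external_facing(asset: Asset) -> bool:
    """External-facing means at least one direct neighbour is not under our control."""
    return bool(asset.reached_via & UNCONTROLLED)


def classify(inventory: list[Asset]) -> dict[str, str]:
    """Map each asset name to the SAFE location the book names: 'edge' or 'campus'."""
    return {a.name: ("edge" if is_external_facing(a) else "campus") for a in inventory}


def location_violations(inventory: list[Asset]) -> list[str]:
    """Distribution and Core assets must be campus (internal-only); return findings."""
    findings = []
    for a in inventory:
        if a.layer in ("Distribution", "Core") and is_external_facing(a):
            exposed = ", ".join(sorted(a.reached_via & UNCONTROLLED))
            findings.append(f"{a.name} ({a.layer}) is reachable directly from {exposed}")
    return findings


# Constructed sample inventory. core-sw-2 deliberately breaks the rule: its
# management interface was patched onto the provider handoff segment.
SAMPLE_INVENTORY = [
    Asset("edge-rtr-1", "Access", frozenset({"isp"})),
    Asset("fw-1", "Access", frozenset({"isp", "edge-rtr-1"})),
    Asset("nas-1", "Access", frozenset({"pstn"})),
    Asset("wap-1", "Access", frozenset({"wireless-client"})),
    Asset("dist-sw-1", "Distribution", frozenset({"fw-1", "core-sw-1"})),
    Asset("core-sw-1", "Core", frozenset({"dist-sw-1"})),
    Asset("file-srv", "Access", frozenset({"dist-sw-1"})),
    Asset("core-sw-2", "Core", frozenset({"isp", "core-sw-1"})),
]

if __name__ == "__main__":
    for name, where in classify(SAMPLE_INVENTORY).items():
        print(f"{name:12} {where}")
    for finding in location_violations(SAMPLE_INVENTORY):
        print("VIOLATION:", finding)
```

Only the direct neighbours matter here, which mirrors the book's definition: a server behind the firewall stays campus even though Internet traffic may eventually reach it, because every path to it passes through a device you control. The violation list is the output a practitioner would review before sign-off, since a Core or Distribution device with an uncontrolled neighbour has no buffering device in front of it.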



CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines