Although the SAFE architecture designates several categories of location (discussed in more detail when we address the different SAFE models), for this asset-value discussion there are really two broad categories: internal-only assets and external-facing assets.

Internal-Only Assets

These are the assets completely inside your network space. There is no access to them except through paths under your control. These assets should be easier to protect because you have some sort of buffering device between them and the outside world. You no doubt noticed that the words "should be" were used instead of "are" when it comes to the ease of protecting them. Much depends on what kind of security policy is in place and how well it is adhered to. Remember, the SAFE Blueprint is based on the assumption that a security policy is in place and that it is supported (we'll discuss that more fully in Chapter 4, "The Security Policy"). Internal assets are found in any of the layers of Cisco's standard three-layer network design model: Access, Distribution, and Core.

In fact, the Distribution and Core layers should be entirely internal-only assets. Access to them should always be filtered through other devices; the reasons for that are covered when we discuss Cisco's SAFE Axioms in Chapters 6, "The SAFE Security Blueprint," and 7, "The Extended SAFE Blueprints." Much of the Access layer is composed of internal-only assets (which sometimes interact only with other internal assets); however, some elements of the Access layer face the dangerous outside world (they are accessible to outside users entering from the Internet or other networks). Cisco often refers to the internal-only part of the network, regardless of its layer, as the campus module.

External-Facing Assets

External-facing assets are those that you control but that connect directly to devices that you do not control. These are your edge or perimeter routers, NASs, and firewalls: the guardians of your gates. Cisco refers to this part of the network as the edge in the SAFE architecture. Although many of us learned about demilitarized zones (DMZs) as areas to host public-facing servers, the edge is much more than just the DMZ. In fact, the edge contains all the devices that connect to your Internet service provider (ISP), the public switched telephone network (PSTN), your wireless access points (WAPs), and so on. The edge often has more than one device, to ensure that the incoming traffic is acceptable, has been properly filtered, and is then distributed only to places where it has legitimate business going. SAFE is about traffic control, and the edge is the entire zone where incoming traffic meets that control. Because incoming traffic can be of any type, from anyone, and from anywhere, much of the hardest work in the SAFE model goes into securing the edge. Cisco recommends tighter monitoring and surprisingly tight controls even inside the campus. To understand why, take a look at Chapter 3, "Threats," which discusses the threats your network faces.