3.1 Key Terms
SecureX = Cisco’s security framework to establish and enforce security policies across a distributed network.
Context-aware security = Security enforcement that involves the observation of users and roles in addition to things like interface-based controls. An example is an ACS server providing full access to an administrator who is logged in from his local computer, but restricted access when that same user is logged in through a remote device or through a smartphone.
ASA = Adaptive Security Appliance firewall, such as the ASA 5510 Firewall.
IPS = Intrusion prevention system. Intrusion prevention systems, primarily using signature matching, can alert administrators about an attack on the network and can prevent the initial packet from entering the network.
AnyConnect = Cisco’s secure mobility client solution, supporting full-tunnel VPN. Requires a small client on the workstation, but then tunnels all traffic through the SSL or IPsec tunnel, allowing other nonsecure protocols to be transported and secured.
3.2 Things to Remember
3.2.1 Borderless Network Components
Component > Explanation

Borderless end zone > This is where devices connect to the network. It is here that we are concerned with viruses, malware, and other malicious software. Using techniques such as Network Admission Control (NAC) and Identity Services Engine (ISE), we can properly interrogate devices before they are allowed onto the network to verify that they meet certain minimum requirements (installation of virus-scanning tools, service packs, patch revision levels, and so on).

Borderless data center > This represents a cloud-driven business environment that could provide services. It is in this borderless data center that we implement firewalls such as the Adaptive Security Appliance (ASA) and intrusion prevention systems (IPS) to protect the network resources there. Virtual tools can also be used inside virtual environments in the data center, such as virtual switches that can enforce policy on the virtual devices connected to that virtual switch.

Borderless Internet > This represents the biggest IP network on the planet, which we are all familiar with. Service providers and other individuals connected to the Internet use various techniques for security, including IPSs, firewalls, and protocol inspection (all the way from Layer 2 to Layer 7 of the OSI model).

Policy management point > In a perfect environment, we would have a single point of control that could implement appropriate security measures across the entire network. Cisco Security Manager (CSM) is an example of one of these enterprise tools. Another example is Cisco Access Control Server (ACS), which provides contextual access. For example, if you want to allow administrators full access to a router only if they are logging in from a specific location, you could enforce that with ACS and authentication, authorization, and accounting (AAA) rules. Under that same system, administrators could also potentially gain restricted access from other locations.
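The two admission decisions described on this page, the NAC/ISE posture check at the borderless end zone and the context-aware ACS rule from the key terms, modelled together as an added example (not code from Cisco or from the original notes). The requirement values, device attributes, role names and login sources are constructed assumptions.

```python
"""Constructed model: posture assessment before network admission, then
context-aware authorization that grants an admin full access only from the
local site. All names and sample values are assumptions for illustration."""

# Minimum posture requirements enforced at the end zone (constructed values)
MIN_POSTURE = {"av_installed": True, "service_pack": 3, "patch_level": "10.4.2"}

# Login sources from which the admin role receives full access (assumption)
ADMIN_LOCATIONS = {"local"}


def parse_version(text):
    """Turn '10.4.2' into (10, 4, 2) so patch levels compare numerically,
    not as strings (where '9.0' would wrongly sort above '10.4.2')."""
    return tuple(int(part) for part in text.split("."))


def posture_check(device):
    """Return (admitted, reasons). Every unmet requirement is reported so the
    device owner can remediate; any failure keeps the device off the network."""
    reasons = []
    if not device.get("av_installed", False):
        reasons.append("no virus-scanning tool installed")
    if device.get("service_pack", 0) < MIN_POSTURE["service_pack"]:
        reasons.append("service pack below minimum")
    if parse_version(device.get("patch_level", "0")) < parse_version(MIN_POSTURE["patch_level"]):
        reasons.append("patch revision level below minimum")
    return (not reasons, reasons)


def authorize(user_role, login_source):
    """ACS-style decision: the same admin gets full access from the local
    computer but restricted access from a remote device or smartphone."""
    if user_role != "admin":
        return "user"
    return "full" if login_source in ADMIN_LOCATIONS else "restricted"


def admission_decision(device, user_role, login_source):
    """Posture first; only an admitted device reaches the authorization step."""
    admitted, reasons = posture_check(device)
    if not admitted:
        return {"access": "denied", "reasons": reasons}
    return {"access": authorize(user_role, login_source), "reasons": []}


if __name__ == "__main__":
    laptop = {"av_installed": True, "service_pack": 3, "patch_level": "10.4.5"}
    phone = {"av_installed": False, "service_pack": 0, "patch_level": "9.0"}
    print(admission_decision(laptop, "admin", "local"))       # full access
    print(admission_decision(phone, "admin", "smartphone"))   # denied, 3 reasons
```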