Network Foundation Protection (NFP) is typically deployed the same way in all environments. Some factors that will influence the deployment are network size, network type (enterprise, service provider, small/medium business), and the type of equipment being deployed, because this will determine the availability of NFP features. For enterprise networks that are large enough to have all three layers of the Cisco Hierarchical Network design model, employing security measures at the appropriate layer is important. Most of the techniques are configured at the access layer because that is typically the point at which most attacks, whether intentional or not, will occur. The deployment of the security tools is similar to how you deploy network features in the hierarchical design model. The core layer is where you focus on moving traffic at the highest rates possible, so there are minimal services at this layer. The core will have only device hardening and routing protocol authentication. Device hardening and routing protocol authentication are also important at the distribution layer, but there are other controls, such as NetFlow telemetry export, for traffic analysis at the distribution layer. The access layer is where you configure the bulk of the security controls. This is the point at which users first enter your network. Therefore, this is where you want to have the controls that will prevent malicious actions as well as innocent mistakes. Figure 3-1 shows the enterprise model with each layer's security controls.
Small and medium businesses (SMB) will not typically have the network deployed using the Cisco Hierarchical Network design model. These smaller networks will not always have dedicated routers and switches at each layer. This means that the services of the three layers will be configured on the same devices, which in turn means that the security controls found at the access layer of the enterprise model will need to be configured on all devices in this scenario. Figure 3-2 shows the SMB model and describes the controls that are deployed on all devices because of the collapsed nature of the model.
The service provider network will generally be deployed using the Cisco Hierarchical Network design model. The deployment of the Network Foundation Protection strategy will follow the same principles as the enterprise model, with the following differences:
- Service providers can use dedicated links, Point-to-Point Protocol (PPP), or PPP over Ethernet (PPPoE) to authenticate users prior to allowing access to services.
- Service providers should provide separation between customers so that attacks cannot propagate from one customer to another.
- Service providers will benefit from infrastructure ACLs that will prevent undesired traffic from being sent directly to service provider devices' control planes.
Figure 3-3 shows the similarity of the service provider to the enterprise model, with some features that are specific to the service provider. Reference material to assist network and security professionals with deploying Cisco Network Foundation Protection is found in the following documents:
- SAFE - Network Foundation Protection design guide
- SAFE - Enterprise Branch design guide
- Service Provider Infrastructure Security Techniques
- Cisco IOS Network Foundation Protection white papers
Links to these resources can be found in the References section.
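The per-layer controls described above (device hardening and routing protocol authentication everywhere, NetFlow export added at distribution, an infrastructure ACL at a service provider edge) map onto a small set of Cisco IOS configuration blocks. The following is an added example written for this page; it is not taken from the book, from the SAFE guides or from Cisco documentation. All hostnames, interface names, addresses (10.x.x.x), the 10.255.0.0/16 infrastructure block and every key string are placeholders, and the OSPF process and NetFlow collector are assumed for illustration.

```cisco
! ---- Device hardening: applied at core, distribution and access alike ----
hostname CORE-1
service password-encryption
service timestamps log datetime msec
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip source-route
no cdp run
! Slow down password guessing on the management plane
login block-for 120 attempts 3 within 60
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! ---- Routing protocol authentication: applied at core, distribution and access alike ----
! Weak state: any device that speaks OSPF on the link can form an adjacency
! and inject routes.
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.0.255.255 area 0
!
! Corrected state: every OSPF packet in area 0 must carry a valid MD5 digest,
! so a neighbor without the shared key is ignored.
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 PLACEHOLDER-OSPF-KEY
!
! ---- Distribution layer: add NetFlow telemetry export for traffic analysis ----
! 10.0.100.50:2055 is an assumed collector address.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.0.100.50 2055
interface GigabitEthernet0/2
 ip flow ingress
!
! ---- Service provider edge: infrastructure ACL on the customer-facing interface ----
! Customer traffic may transit the provider but must not be addressed to the
! provider's own infrastructure block. Any peering the customer legitimately
! needs with the edge router (for example a BGP session) is permitted before
! the deny line; everything else destined to infrastructure is dropped.
ip access-list extended INFRA-ACL
 remark permit required customer-to-edge sessions here, before the deny
 deny ip any 10.255.0.0 0.0.255.255
 permit ip any any
interface GigabitEthernet0/3
 description Customer-facing edge
 ip access-group INFRA-ACL in
```

The two `router ospf 1` blocks are shown only to contrast the unauthenticated and authenticated states; on a real device only the second is entered. Because the ACL applies to transit traffic as well, confirm with `show ip access-lists INFRA-ACL` that the deny counter grows only for traffic you expect to be dropped before leaving it in place.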
The following sections discuss the various Cisco Supporting Management components that complement the Cisco IOS Software Catalyst switches and the Cisco Integrated Services Routers (ISR).
Cisco Secure Access Control Server (CS ACS)
The Cisco Secure Access Control Server (CS ACS) is an authentication server that supports TACACS and RADIUS protocols. Despite the growing complexities in today's networks, Cisco Secure ACS provides authentication, authorization, and accounting (AAA) services for several connection types, devices, and users/groups:
- CS ACS provides AAA services for device administration by authenticating users and authorizing commands while maintaining logs that provide audit trails.
- CS ACS integrates with remote access devices to provide adherence to corporate security policies for remote access users and external connections to third-party vendors and partners.
- CS ACS provides authentication and authorization for wireless users and devices to mitigate any possible attacks being launched through wireless connections.
- CS ACS integrates with Network Admission Control access servers to validate and enforce posture requirements and access restrictions.
- CS ACS provides a centralized platform from which security administrators can manage a wide range of security policies, protocols, and other requirements.
- CS ACS provides support for other authentication platforms, such as Microsoft Windows Active Directory and Lightweight Directory Access Protocol (LDAP) servers, and allows organizations to capitalize on technologies that are already in place in an environment.
CS ACS can be deployed in an environment in a software (a Microsoft Windows Server application), hardware (an appliance), or a virtual appliance (VMware vSphere) format.
information that can be used by security administrators to react efficiently to attacks and breaches: CS-MARS can identify threats by using the information it receives to become aware of your environment. Using the awareness and event correlation, CS-MARS makes recommendations for actions that can be taken to mitigate current threats. Integration with Cisco Security Manager allows administrators to simply approve the mitigation technique recommended by CS-MARS, and the change is deployed to stop the threat.