network. Consider how the following network elements integrate secu- rity solutions:
nCisco IOS router—Depending on the feature set, a Cisco IOS router can act as a firewall/IPS. Also, a router can be used to set up an IPsec tunnel. Trust and identity solutions include authentica- tion, authorization, and accounting (AAA), public key infrastruc- ture (PKI), Secure Shell Protocol (SSH), and Secure Sockets Layer (SSL). ISP Router Internet NetFlow Router (Can detect an increase in network load and identify type of attack) PIX Firewall (Can block a network attack) Network IPS (Can recognize the signature of a “well-known” attack) Cisco Security MARS (Helps aggregate collected data and presents the data in a usable format) Campus Network
CCDA Quick Reference Sheets: Exam 640-863
CCDA Quick Reference Sheets: Exam 640-863 By Kevin Wallace ISBN: 9781587053115 Publisher: Cisco Press
Prepared for Minh Dang, Safari ID: [email protected] Licensed by Minh Dang
Print Publication Date: 2007/05/15 User number: 927500 Copyright 2007, Safari Books Online, LLC.
This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.
nVPN concentrator—Cisco VPN 3000 series concentrators are appliances that can be used for remote-access VPNs. For example, remote offices can use VPN concentrators to provide secure connectivity between a remote office and an organization’s head- quarters, as depicted in Figure 6-3.
FIGURE 6-3 Site-to-site VPNs using VPN concentrators.
nPIX Security Appliance—A Cisco PIX Security Appliance is at its essence a firewall, which can provide application and protocol inspection to traffic flowing through the device.
© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 70 for more details. nAdaptive Security Appliance (ASA)—Cisco ASA provides PIX-
like firewall features, in addition to application security and support for advanced integration modules (for example, Cisco WebVPN Services Modules and Advanced Integration Modules [AIM]).
nIntrusion Prevention System (IPS)—Cisco offers a series of sensor appliances (for example, IPS 4215, 4240, 4255, and 4260 sensors) to provide IPS or IDS services. IPS works inline with data, and can stop suspicious traffic before the traffic reaches its destination. However, IDS is passive and receives a copy of network traffic, which it can analyze.
nCisco Catalyst Service Modules—The Cisco Catalyst 6500 series switch is a modular switch offering support for a wide variety of service modules that can help enhance network security. Examples of these modules include Cisco Firewall Services Module (FWSM), Cisco Intrusion Detection System Services Module (IDSM-2), and the Cisco SSL Services Module.
nCisco Security Agent (CSA)—CSA is software that can be installed on a host to defend against known and unknown (that is, “day zero”) attacks. For example, CSA can protect a host from spyware and adware, in addition to protecting the integrity of the host’s underlying operating system.
Headquarters VPN Concentrator Branch B VPN Concentrator Internet Branch C VPN Concentrator Branch A VPN Concentrator
CCDA Quick Reference Sheets: Exam 640-863
CCDA Quick Reference Sheets: Exam 640-863 By Kevin Wallace ISBN: 9781587053115 Publisher: Cisco Press
Prepared for Minh Dang, Safari ID: [email protected] Licensed by Minh Dang
Print Publication Date: 2007/05/15 User number: 927500 Copyright 2007, Safari Books Online, LLC.
This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.
The Cisco Self-Defending Network allows network designers to specify security features throughout the network. Consider typical security solutions for the following enterprise network modules:
nEnterprise campus—The enterprise campus can benefit from the following security measures:
n Identity and access control—802.1x, Network Access Control (NAC), access control lists (ACLs), and firewalls
n Threat detection and mitigation—NetFlow, syslog, Simple Network Management Protocol (SNMP), Cisco Security MARS, Network IPS (NIPS), and Host IPS (HIPS)
n Infrastructure protection—AAA, SSH, SNMPv3, Interior/Exterior Gateway Protocol (IGP/EGP) message digest 5 algorithm (MD5), and Layer 2 security features
n Security management—Cisco Security Manager and MARS
nEnterprise data center—Similarly, the enterprise data center can leverage these security technologies:
n Identity and access control—802.1x, ACLs, and firewalls
n Threat detection and migration—NetFlow, syslog, SNMP, Cisco Security MARS, NIPS, and HIPS
n Infrastructure protection—AAA, SSH, SNMPv3, IGP/EGP MD5, and Layer 2 security features
n Security Management—Cisco Security Manager and Cisco Security MARS
© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 70 for more details. nEnterprise edge—The enterprise edge module can benefit from
such security measures as
nIdentity and access control—Firewalls, IPsec, SSL, VPN, ACLs
nThreat detection and mitigation—NetFlow, syslog, SNMP, Cisco Security MARS, NIPS, and HIPS
nInfrastructure protection—AAA, Control Plane Policing (CoPP), SSH, RFC 2827 (an approach for defeating DoS attacks that use IP source address spoofing), SNMPv3, and IGP/EGP MD5
nSecurity management—Cisco Security Manager and Cisco Security MARS
CCDA Quick Reference Sheets: Exam 640-863
CCDA Quick Reference Sheets: Exam 640-863 By Kevin Wallace ISBN: 9781587053115 Publisher: Cisco Press
Prepared for Minh Dang, Safari ID: [email protected] Licensed by Minh Dang
Print Publication Date: 2007/05/15 User number: 927500 Copyright 2007, Safari Books Online, LLC.
This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.