An enterprise network design must include security measures to mitigate network attacks. Fortunately, with the modularity of the Cisco Enterprise Architecture, you can address security concerns on a module-by-module basis. This section introduces the concept of a security policy, reviews various types of network attacks, discusses the elements of the Cisco Self-Defending Network, and helps you select appropriate security design components for the various locations in an enterprise network.Network Security Concepts
Organizational requirements and potential threats drive the scope of a security design. At its essence, network security measures should not only defend against attacks and guard against unauthorized access, these measures should also prevent data theft and comply with security legislation, industry standards, and company policy.
Consider the following threats and risks facing today’s enterprise networks:
Threats:
- Reconnaissance—A reconnaissance attack gathers information about the target of an attack (for example, the customer’s network). For example, a reconnaissance attack might use a port-scanning utility to determine what ports (for example, Telnet or FTP ports) are open on various network hosts.
- Gaining system access—After attackers gather information about their target, they often attempt to gain access to the system. One approach is to use social egnineering, where they convince a legitimate user of the system to provide their login credentials. Other approaches for gaining access include exploiting known system vulnerabilities or physically accessing the system.
- Denial of service (DoS)—A DoS attack can flood a system with traffic, thereby consuming the system’s processor and bandwidth. Even though the attacker does not gain system access with a DoS attack, the system becomes unusable for legitimate users.
When designing a network security solution, realize that although hosts are the primary targets of an attack, other potential network targets also need protection. Other potential attack targets include routers, switches, DHCP/DNS (Dynamic Host Configuration Protocol/Domain Name System) servers, user PCs, IP phones, and IDS/IPS (intrusion detection system/intrusion prevention system) devices, in addition to the bandwidth available in the network nfrastructure.
To guide security design decisions and provide a guideline to future security enforcement, organizations need to formulate a security policy. A security policy is a documented set of rules that specify how people are allowed, or not allowed, to access an organization’s technology and data.
Other considerations in a security design include the following:
- Business needs—Determine what the organization wants to accomplish with their network.
- Risk analysis—Determine the risk/cost ratio for the design.
- Industry best practices—Evaluate commonly accepted industry best practices for securing a network.
- Security operations—Define the process for monitoring security, performing security audits, and responding to security incidents.
Network Security Solutions
To secure a network, integrate security solutions into all parts of the network. Consider how the following network elements integrate security solutions:
Cisco IOS router—Depending on the feature set, a Cisco IOS router can act as a firewall/IPS. Also, a router can be used to set up an IPsec tunnel. Trust and identity solutions include authentication, authorization, and accounting (AAA), public key infrastructure (PKI), Secure Shell Protocol (SSH), and Secure Sockegts Layer (SSL).
- Data confidentiality—Companies should ensure that sensitive data on their systems is protected against theft. Without such protection, the company might be subject to legal liabilities and damage to the organization.
- Data integrity—Besides stealing data, attackers could also modify sensitive data. Therefore, security measures should only allow authorized users to alter data.
- Data availability—As previously mentioned, a DoS attack could make a system (and therefore the system’s data) inaccessible by legitimate users. Therefore, security measures should be used to maintain system and data availability
No comments:
Post a Comment