Part III: Appendixes
Appendix A. Deploying Effective Security Management
This appendix provides a short summary of security best practices for you to use when deploying the ASA/PIX Security Appliance in your network.
This appendix addresses the following topics:
Congratulations! If you have followed the steps outlined in this book, the
This appendix highlights some of the best practices that have been discussed in previous chapters as well as some additional best practices that you can implement to improve the security
This appendix is a summary by design. The hope is that you can go directly to any topic and immediately find best practice information for any security technology addressed in the previous chapters.
Layer 2 Best Practices
Layer 2 (network switching) is beyond the scope of this book and, therefore, has not been addressed in great detail. However, it is very important to the deployment of your network from both an architectural and a security standpoint.
From a physical standpoint, Layer 2 is
From a security standpoint, a switch should keep each device on the network from seeing data going to or from another device. By default, switches do just that: they prevent one device from seeing the packets destined for another device. Unfortunately, switches might be misconfigured or compromised by a Layer 2 attack. If a switch is misconfigured, it could allow traffic for one or all PCs to be seen by other systems on the network.
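To make the forwarding behavior just described concrete, here is an added model of a MAC-learning switch (example code, not from this book); the ports, VLAN and MAC addresses are constructed. It shows that with a complete MAC table a unicast frame reaches only its destination port, while a forgotten monitor (SPAN) session or a missing table entry lets a third port see the frame.

```python
"""Model of a MAC-learning switch, showing why hosts normally cannot see
each other's unicast frames and how a misconfiguration exposes them.
Added example: all ports, VLANs and MAC addresses below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: dict                                   # port number -> VLAN id
    mirror: dict = field(default_factory=dict)    # source port -> monitor (SPAN) port
    mac_table: dict = field(default_factory=dict) # (vlan, mac) -> port

    def forward(self, in_port: int, src: str, dst: str) -> set:
        """Learn src behind in_port; return the set of ports that receive the frame."""
        vlan = self.ports[in_port]
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or known is None:
            # Broadcast or unknown destination: flood to every other port in the VLAN,
            # so every host on it sees the frame (e.g. entry not learned or aged out).
            out = {p for p, v in self.ports.items() if v == vlan and p != in_port}
        else:
            out = {known} - {in_port}
        if in_port in self.mirror:
            # A monitor session copies everything from in_port to the monitor port.
            out.add(self.mirror[in_port])
        return out


def observers(mirror: Optional[dict] = None, learned: bool = True) -> set:
    """Ports, other than the real destination port 2, that see host A's frame to B."""
    sw = Switch(ports={1: 10, 2: 10, 3: 10}, mirror=mirror or {})
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    if learned:
        # Each host has already sent a broadcast (e.g. an ARP request), so it is known.
        for port, mac in ((1, a), (2, b), (3, c)):
            sw.forward(port, mac, BROADCAST)
    return sw.forward(1, a, b) - {2}


if __name__ == "__main__":
    print("healthy switch:", observers())                   # set()
    print("SPAN port 1 -> 3:", observers(mirror={1: 3}))    # {3}
    print("entry for B missing:", observers(learned=False)) # {3}
```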
You might be asking yourself how a hacker can gain access to your inside network to compromise a Layer 2 switch with all of this security that you put in place. The answer is simple. A hacker could be
If your switch is compromised, a hacker could easily see all the data that goes across your network, including the following:
Essentially, a hacker can "own" your network and own your corporate and customer information if Layer 2 is compromised.
You need to ensure that all Layer 2 devices on your network are locked down. It is recommended that you read the document titled "SAFE:L2 Application Note" located at http://www.cisco.com/go/safe. If you follow these best practices, you will ensure that the security