SAFE Campus Design


Cisco has developed a guide of best practices for designing and securing networks, called the Cisco SAFE Blueprint. The SAFE Blueprint addresses design issues by dividing a large network into layers of modularity. This modular approach helps to ensure that each critical part of the network receives proper consideration at design time, and it provides scalability.

As introduced in Chapter 1, "Network Design," the Cisco Enterprise Composite Network Model is the name given to the architecture used by the SAFE blueprint. At the highest layer, this model divides an enterprise network into the following three main functional areas:

  • Enterprise Campus

  • Enterprise Edge

  • Service Provider Edge

At the second layer of modularity, shown in Figure 4-10, the Enterprise Campus functional area is subdivided into the modules listed in Table 4-2. The table also lists some of the key devices in each module and some security design considerations that apply to it.

Figure 4-10. Enterprise Campus Module Details


Table 4-2. Enterprise Campus Detail

Network Management Module
  Key devices: HIDS, virus scanning, OTP server, Access Control Server, network log server, Layer 2 switch
  Special security design considerations: Out-of-band management should be preferred over in-band management. If in-band management must be used, employ IPsec, SSL, or SSH.

Core Module
  Key devices: Layer 3 switch
  Special security design considerations: No special consideration, other than the fact that switches are a target and should be protected. We explain this in Chapter 2, "Switching Design."

Building Distribution Module
  Key devices: Layer 3 switch
  Special security design considerations: VLANs can be used to further segment the different departments within a campus.

Building Module (corporate user access)
  Key devices: Layer 2 switch, host virus scanning, Network Admission Control
  Special security design considerations: A switched environment is recommended to reduce the risk of packet sniffing.

Server Module
  Key devices: Layer 3 switch, HIDS
  Special security design considerations: Often the target of internal attacks, servers should not only be physically secured and running an IDS but should also be kept up to date with the latest patches.

Edge Distribution Module
  Key devices: Layer 3 switch
  Special security design considerations: Depending on the size of the infrastructure, the Edge Distribution Module can be folded into the Core Module. In this case, an IDS should be included in the Core Module. This could be done with the insertion of an IDS card in the Layer 3 switch.
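As an added illustration (not from the book or from Cisco's SAFE documents), the following IOS configuration fragment applies the Table 4-2 considerations for the Network Management and Building Distribution Modules to a Layer 3 distribution switch: a separate management VLAN, in-band access restricted to the management subnet and to SSH only, authentication against the Access Control Server, and logging to the network log server. The hostname, VLAN numbers, addresses and secrets are assumed values.

```cisco
! Added example; hostname, VLANs, addresses and secrets are assumed.
! Before enabling SSH, generate the host key in EXEC mode:
!   crypto key generate rsa modulus 2048
hostname BLDG-DIST-1
ip domain-name example.corp
!
! Central authentication via the Access Control Server (TACACS+),
! with a local account as fallback if the ACS is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.10.10.5 key PLACEHOLDER_SHARED_SECRET
username admin privilege 15 secret PLACEHOLDER_LOCAL_PASSWORD
!
! Separate VLANs so that user-to-management traffic must cross the
! Layer 3 boundary, where it is subject to ACLs.
vlan 10
 name USERS
vlan 99
 name MGMT
interface Vlan99
 description Management SVI
 ip address 10.99.0.1 255.255.255.0
!
! Only hosts in the Network Management Module subnet may open
! in-band sessions; everything else is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! In-band management over SSH only (Table 4-2): no Telnet, no plain HTTP.
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
no ip http server
ip http secure-server
!
! Timestamped logs to the network log server, clock from the NTP server.
service timestamps log datetime msec localtime
logging host 10.10.10.20
logging trap informational
ntp server 10.10.10.21
```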


Removing some of the complexity of the redundancy presented in Figure 4-10 and integrating as many elements of security discussed in this chapter, a campus network design might look like what is shown in Figure 4-11.

Figure 4-11. Enterprise Campus Network Design


For more information, see the Cisco Secure Blueprint for Enterprise Networks (SAFE) white paper at http://www.cisco.com/go/safe.

In addition to SAFE, Cisco has been promoting the self-defending network concept. The philosophy for a self-defending network is to have security present in every aspect of an organization. In a self-defending network, every device, from the desktop PC through the LAN infrastructure and across the WAN, plays a role in securing the network. For more on self-defending networks, visit the Cisco website.

This chapter explores the following critical elements of campus security that make up the Self-Defending Network philosophy of Cisco:

  • Firewalls

  • Routers

  • VPN Concentrators

  • IDSs and IPSs

  • Encryption, VPN, and IPsec

  • End-point antivirus software and Cisco Secure Agent

  • Access Control Server

  • Network Admission Control

  • Public key infrastructure




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156