Will 802.1x increase your security for the wired network?


Perhaps. This depends primarily on the way you set up your trust domains and the mobility of your users. Chapter 9 discusses this in more detail. The three primary reasons to deploy 802.1x for basic wired authentication are a lack of physical security controls, a requirement for subnet consistency as your users move from place to place, and to help with attack source trace back on large networks.


Wouldn't going to L3 at the user access layer increase security?


Again, it might. Switches are only now reaching the price points that allow some organizations to consider deploying L3 at the first point of user connection. This is generally done out of a desire to avoid spanning tree. Based on my experience, I would stick with the established best practices in this area, which are L2 at the user access layer and L3 at the distribution layer. Using L3 at the access layer requires more management and does not provide a significant security benefit.


Where will your management network connect in these designs?


The management networks, discussed in Chapter 16, "Secure Network Management and Network Security Management," connect off a dedicated segment in the medium and high-end campus designs and connect directly in the small network design. The direct connection increases the security risk, though, because a successful sniffing attack can lead to the capture of management information.


Where will the multiple paths available in the high-end resilient design come into play with security considerations?


The firewalls and NIDS are the affected devices because they are the only devices using state-aware security in the network. Among other things, flow-based rather than packet-based load balancing should be used. A number of other considerations around this asymmetric routing problem are discussed in Chapter 6.
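As an added illustration of the asymmetric-routing problem the answer refers to (example code, not from the book): two parallel stateful firewalls fed by a load balancer, first with packet-based and then with flow-based path selection. The addresses, the policy names and the "inside network starts with 10." test are constructed assumptions.

```python
import zlib
from itertools import cycle

def flow_key(pkt):
    # Direction-independent key: A->B and B->A map to the same flow.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)

class StatefulFirewall:
    # Minimal state-aware device: an inside-initiated SYN creates state;
    # every later packet of the flow must reach the box holding that state.
    def __init__(self):
        self.state = set()
    def inspect(self, pkt):
        key = flow_key(pkt)
        if pkt["flags"] == "SYN" and pkt["src"].startswith("10."):
            self.state.add(key)
            return True
        return key in self.state

def select_path(pkt, n_paths, policy, rr):
    # Packet-based: round robin. Flow-based: hash of the canonical flow key,
    # so both directions of a session land on the same firewall.
    if policy == "packet":
        return next(rr)
    return zlib.crc32(repr(flow_key(pkt)).encode()) % n_paths

def run(packets, n_paths, policy):
    # Replay packets through n parallel firewalls; return (flags, path, passed).
    fws = [StatefulFirewall() for _ in range(n_paths)]
    rr = cycle(range(n_paths))
    log = []
    for p in packets:
        idx = select_path(p, n_paths, policy, rr)
        log.append((p["flags"], idx, fws[idx].inspect(p)))
    return log

def passed(log):
    return sum(1 for _, _, ok in log if ok)

# Constructed sample: one TCP session from an inside host to an outside server.
IN, OUT = "10.1.1.10", "192.0.2.20"
def pkt(src, sport, dst, dport, flags):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags)
SESSION = [pkt(IN, 40000, OUT, 443, "SYN"), pkt(OUT, 443, IN, 40000, "SYN-ACK"),
           pkt(IN, 40000, OUT, 443, "ACK"), pkt(OUT, 443, IN, 40000, "PSH-ACK")]

for policy in ("packet", "flow"):
    print(f"{policy}-based: {passed(run(SESSION, 2, policy))} of {len(SESSION)} packets passed")
```

With packet-based selection the return packets reach the firewall that never saw the SYN and are dropped; with flow-based selection the whole session stays on one state table.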


Based on your understanding of this chapter, which campus design is currently closest to your own network?


Which changes would be needed to get your network to the level of security provided by these designs?


Looking at the design most similar to the design you envision for your own network, find at least one place where you disagree with the layout or function of the design. How and why would you do it differently?



Network Security Architectures
ISBN: 158705115X
Year: 2006
Pages: 249
Authors: Sean Convery