Network Management Design


Recall from Chapter 1 that the Enterprise Composite Network Model Enterprise Campus functional area includes a Management module that encompasses the network management functions. The Management module provides monitoring, logging, security, and other management features to the campus. The Cisco SAFE blueprint (available at http://www.cisco.com/go/safe) provides recommendations for what should be included in this module and how it should be secured. The devices and services provided within this module are illustrated in Figure 9-6.

Figure 9-6. Management Module Provides Monitoring, Logging, and Security Functions [9]


The Management module contains one or more of the following:

  • Authentication server: Provides strong authentication services for remote and local users on the network. An example is a two-factor, one-time password (OTP) system based on token cards (as described in Chapter 4, "Network Security Design").

  • Access control server: Provides centralized command and control for all user authentication, authorization, and accounting (AAA).

  • Network-monitoring server: Is responsible for monitoring the devices in the network.

  • Host intrusion prevention system (HIPS)/network intrusion detection system (NIDS) management server: Provides configuration of, and viewing of alarms from, the IDS and IPS sensors deployed throughout the campus network.

  • Syslog server: Collects network events and traps.

  • System administration server: Configures network management and other network devices.

Because the management network provides administrative access to the rest of the network, it must itself be secure. The previously mentioned servers, and the routers that act as terminal servers (providing reverse Telnet to the console ports of devices throughout the rest of the network), are on the inside segment of a firewall router. An outside segment connects to all the devices that require management, on a separate network, for SNMP and other management traffic. These two segments provide out-of-band (OOB) management: the management data is kept separate from other traffic, which is the first level of protection for this critical data. A third interface connects to the production network for in-band management where it is required; traffic on this segment should be encrypted with IPsec so that management traffic crossing the production network cannot be read or modified.

Other security features implemented in the management module can include the following:[10]

  • Use of secure shell (SSH) for configuration. SSH provides the same interactive command-line access as Telnet but encrypts the session, so credentials and configuration commands are not sent in clear text.

  • SNMP read-only access, so that an SNMPv1 or SNMPv2c community string, which is sent in clear text, cannot be used to make configuration changes even if it is captured.

  • Possible use of SNMPv3 with authentication and encryption (the authPriv security level), on either the in-band or out-of-band management network.

  • Private virtual LANs (VLANs) on the management module switches, so that traffic cannot travel directly from one device to another over the management network; it is instead forced through the firewall, which enforces that only authorized access is permitted.

Other design considerations for the network management module include the following:

  • The number of network management systems required, depending on the number of end-user and other devices, the amount of data to be collected, and the capacity of the systems.

  • The effect of Network Address Translation (NAT) (described in Chapter 3, "IPv4 Routing Design") and firewalls on management protocols. For example, SNMP does not work cleanly across NAT because IP addresses are carried inside the SNMP payload (such as the agent address in an SNMPv1 trap, or addresses stored in MIB variables), and NAT rewrites only the packet headers, not that embedded data.

  • The bandwidth required for management data. For example, if a lot of syslog messages are sent across a WAN, the bandwidth can become a bottleneck.




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156