Chapter 11: Implementing a Secure Perimeter


Overview

A network is a Twinkie. I have heard numerous people make that reference, and it is a pretty accurate, albeit entertaining, reference. Much like a Twinkie, the good stuff in a network is on the inside, and you want to protect that stuff with a tough outer shell: the network perimeter.

This chapter builds upon the device-hardening methods we have talked about in the previous ten chapters and looks at how we can use that information and those devices to provide a secure, hardened perimeter to protect our interior network.

The best methodology for hardening the perimeter that I have found is the Cisco SAFE blueprint (http://www.cisco.com/safe), and this chapter follows and builds on that methodology. We will look at a number of aspects of the network perimeter, including the following:

  • DMZ implementation methods: The different techniques of implementing secure access to resources in the network perimeter

  • Internet access module: The collection of devices that provides Internet connectivity

  • VPN/remote access module: The collection of devices that provides virtual private network (VPN) and remote access connectivity

  • WAN access module: The collection of devices that provides wide area network (WAN) connectivity

  • Extranet access module: The collection of devices that provides extranet connectivity to external partners

  • Wireless access module: The collection of devices that provides wireless network connectivity

  • E-commerce access module: The collection of devices that provides e-commerce services




Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
Year: 2004
Pages: 125