Monday, June 29, 2020

How to protect networks?

The goal of network security is to protect networks and their applications from attacks, to ensure the availability, confidentiality and integrity of information. Not all networks and related applications carry the same risks from the point of view of attacks, therefore, when developing a network security architecture, each company should analyze how investments in various technologies and network protection components will affect its performance.

Security policy

A strategically verified security policy is the basis for implementing a set of network protection measures in a company. Security policy is an official document developed with the active participation of company management and includes rules that are mandatory for employees who have access to a corporate resource. This document often includes an authentication policy that defines password levels and rights for each type of user (corporate, remote, virtual private networks, administrators, etc.). As business requirements and security technologies are constantly evolving, the security policy should also be a dynamic, regularly updated document.

Security architecture

The security architecture is developed jointly by the network design team and the information technology security group. Usually it is integrated into the existing network of the enterprise and is determined by the set of information technology services offered through the network infrastructure. The access and security requirements of each information technology service should be determined before dividing the network into modules with clearly defined levels of trust. Each module should be considered separately and have its own security model. The purpose of this division is to establish security levels at which an intruder's access would be limited to only a certain part of the network. In addition, the architecture should define the common security services that should be deployed on the network. Typically, these services include:

Authentication, authorization and accounting (AAA);
Confidentiality provided by virtual private networks (VPN);
Access control (trust model);
Security monitoring using intrusion detection systems (IDS).

After making key decisions, the security architecture should be deployed in stages, starting from the most critical areas.

Security technology

The network security structure requires the corporation to determine the level of investment for implementation and the total cost of network attacks. When determining the level of network protection that is adequate to the company's needs, the following five network security components must be considered:

Identity

Identity is the accurate and positive identification of network users, hosts, applications, services and resources. Identity mechanisms are important because they provide authorized users with access to the computing resources of the enterprise they need, while unauthorized users are denied access. For example, Cisco Systems networks use the AAA capabilities of the Cisco Secure Access Control Server (ACS), which provides the basis for user authentication, access privileges, and accounting logging.
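The three AAA functions named above can be shown in a few dozen lines. The following is an added example written for this article, not code from Cisco or from the Cisco Secure ACS product: it keeps a constructed user store with salted PBKDF2 password hashes, authorizes access by user class (the corporate, remote and administrator classes the policy section mentions) with deny by default, and writes an accounting record for every authentication and authorization decision, successful or not. The account names, passwords, roles and resource names are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (constructed value; tune for the deployment).
PBKDF2_ROUNDS = 100_000

# Authorization table: user class -> resources it may reach. Anything not listed is denied.
# Roles and resource names are constructed for this example.
ROLE_RIGHTS = {
    "corporate": {"intranet", "mail"},
    "remote": {"mail"},
    "admin": {"intranet", "mail", "router-config"},
}


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(username: str, role: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, role, salt, _derive(password, salt))


@dataclass
class AAAServer:
    accounts: Dict[str, Account] = field(default_factory=dict)
    accounting_log: List[Tuple] = field(default_factory=list)

    def add(self, acct: Account) -> None:
        self.accounts[acct.username] = acct

    def authenticate(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            # Run the KDF anyway so response time does not reveal whether the user exists.
            _derive(password, b"\x00" * 16)
            ok = False
        else:
            ok = hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)
        # Accounting: failures are logged as well as successes.
        self.accounting_log.append(("AUTH", username, "success" if ok else "failure"))
        return ok

    def authorize(self, username: str, resource: str) -> bool:
        acct = self.accounts.get(username)
        allowed = acct is not None and resource in ROLE_RIGHTS.get(acct.role, set())
        self.accounting_log.append(("AUTHZ", username, resource, "permit" if allowed else "deny"))
        return allowed


def run_session():
    """Scripted session against a constructed user store; returns outcomes and the accounting log."""
    srv = AAAServer()
    srv.add(create_account("alice", "remote", "correct horse battery"))   # constructed credentials
    srv.add(create_account("ops1", "admin", "another-constructed-secret"))
    results = {
        "alice_login_ok": srv.authenticate("alice", "correct horse battery"),
        "alice_login_bad": srv.authenticate("alice", "wrong password"),
        "unknown_login": srv.authenticate("nobody", "anything"),
        "alice_mail": srv.authorize("alice", "mail"),
        "alice_router": srv.authorize("alice", "router-config"),
        "ops1_router": srv.authorize("ops1", "router-config"),
    }
    return results, srv.accounting_log


if __name__ == "__main__":
    outcomes, log = run_session()
    for k, v in outcomes.items():
        print(f"{k}: {v}")
    for entry in log:
        print("ACCT", *entry)
```

The point to notice is that the accounting log is written inside the decision functions, so there is no code path that grants or refuses access without leaving a record; that is what makes the log usable later by the monitoring tools discussed further down.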

Network Perimeter Security

Perimeter security solutions control access to critical network applications, data and services so that only authorized users and information can travel across the network. Access control is provided by routers and switches with access control lists (ACLs) and by dedicated firewalls. The firewall puts up a barrier that does not allow traffic to cross the "perimeter" of the network, passing only traffic that is authorized by the security policy. Additional tools, including virus scanners and content filters, also help control the network perimeter. Firewalls are usually the first security features that organizations put in place to improve their security procedures. Cisco firewalls have proven themselves in the market: the Cisco PIX Firewall is the most widely deployed firewall, providing network clients of all sizes with unprecedented reliability, scalability and functionality, and the Cisco IOS Firewall provides built-in firewall capabilities in routing and switching infrastructures.
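The behaviour a router ACL or simple packet filter applies, first matching rule wins and an implicit deny at the end, is easy to get wrong by ordering rules badly. The following added example (written for this article; it is not Cisco IOS or PIX code and does not use their syntax) evaluates a constructed perimeter policy over sample packets and also audits the rule list for shadowed rules, i.e. rules that can never match because an earlier rule already covers everything they would match. Addresses, networks and the policy itself are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                   # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by this rule."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; if nothing matches, the implicit deny applies (index None)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def find_shadowed(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, by_index) pairs for rules that can never be reached."""
    shadowed = []
    for j, later in enumerate(acl):
        for i in range(j):
            if acl[i].covers(later):
                shadowed.append((j, i))
                break
    return shadowed


# Constructed inbound policy for an Internet-facing interface. The implicit deny handles the rest.
PERIMETER_ACL = [
    Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),               # anti-spoofing: internal source from outside
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # public web server, HTTPS
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),   # public web server, HTTP
    Rule("permit", "tcp", "198.51.100.0/24", "203.0.113.0/24", 22),  # partner network admin access
]

# A mis-ordered list: the broad permit in front makes the deny unreachable.
MISORDERED_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("deny", "tcp", "0.0.0.0/0", "203.0.113.0/24", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.5", "203.0.113.10", "tcp", 3389),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443)):
        print(pkt, "->", evaluate(PERIMETER_ACL, pkt))
    print("shadowed rules:", find_shadowed(MISORDERED_ACL))
```

Running the shadow audit over a policy before deploying it catches the common case where a later, more specific deny is never consulted; a reviewer reading the list top to bottom will often miss it.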

Network Connection Security

Confidentiality of information, and protection against eavesdropping on or interference with data transmission, can be effectively ensured through virtual private networks (VPNs). They allow a confidential, secure connection to be established over an open network, usually the Internet, and extend the boundaries of corporate networks to remote offices, mobile users, home users and business partners. Encryption, through the use of strong mathematical algorithms applied to messages and the applications that generate them, prevents messages transmitted over a virtual private network from being intercepted and read by anyone other than the authorized recipients. Cisco VPN 3000 Series Concentrators are recognized by many as the best solution in their category for remote access over virtual private networks. Cisco VPN 3000 Concentrators combine advanced features with high reliability and a unique, purpose-built architecture, enabling corporations to create high-performance, scalable and powerful virtual private network infrastructures to support mission-critical remote access applications. For site-to-site virtual private networks, the ideal tools are Cisco routers optimized for building virtual private networks, which include the Cisco 800, 1700, 2600, 3600, 7100 and 7200 series routers.

Security monitoring

To ensure continued security for their networks, companies must continuously monitor attacks and regularly test security infrastructures. Network vulnerability scanners can proactively identify weaknesses, and intrusion detection systems can monitor and respond to suspicious signs as they arise.

Intrusion detection systems and vulnerability scanners provide an additional layer of network security. Although firewalls allow or deny traffic depending on source, destination, port or other criteria, they do not analyze traffic for attacks and do not search for vulnerabilities in systems. In addition, firewalls usually do not deal with internal threats coming from "insiders". The Cisco Intrusion Detection System (IDS) can protect the network perimeter, business partner networks in real time, and increasingly vulnerable internal networks. The system uses agents, which are high-performance network devices, to analyze individual packets in order to detect suspicious activity. If unauthorized activity or a network attack appears in the data stream, the agents can detect the violation in real time, send alerts to the administrator and block the intruder's access to the network. In addition to network intrusion detection tools, Cisco also offers host-based intrusion detection systems that protect specific servers in the user's network, primarily web and e-commerce servers. Cisco Secure Scanner is an industrial-grade software scanner that allows an administrator to identify and fix network security vulnerabilities before hackers find them.
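To make concrete what "analyzing traffic for suspicious activity and alerting in real time" means, here is an added example written for this article (it is not Cisco IDS code and the record format is not a Cisco format): a small detector that reads constructed flow records from a sensor, keeps a sliding window per source/destination pair, and raises one alert when a single source touches a threshold number of distinct ports on one host within the window, the pattern of a port sweep. The log lines, addresses, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample of flow records: "<ISO timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
# 192.0.2.44 sweeps seven ports on 203.0.113.10 in a few seconds; 198.51.100.7 is normal HTTPS traffic.
SAMPLE_LOG = """\
2020-06-29T10:00:01 198.51.100.7:40001 -> 203.0.113.10:443 tcp
2020-06-29T10:00:02 192.0.2.44:51000 -> 203.0.113.10:21 tcp
2020-06-29T10:00:02 192.0.2.44:51001 -> 203.0.113.10:22 tcp
2020-06-29T10:00:03 192.0.2.44:51002 -> 203.0.113.10:23 tcp
2020-06-29T10:00:03 192.0.2.44:51003 -> 203.0.113.10:25 tcp
2020-06-29T10:00:04 192.0.2.44:51004 -> 203.0.113.10:80 tcp
2020-06-29T10:00:04 192.0.2.44:51005 -> 203.0.113.10:110 tcp
2020-06-29T10:00:05 192.0.2.44:51006 -> 203.0.113.10:143 tcp
2020-06-29T10:00:09 198.51.100.7:40002 -> 203.0.113.10:443 tcp
this line is malformed and must not crash the sensor
2020-06-29T10:03:00 192.0.2.44:51007 -> 203.0.113.10:3389 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

Record = Tuple[datetime, str, str, int]


def parse(log_text: str) -> Iterable[Record]:
    """Yield (timestamp, src, dst, dport); malformed lines are skipped (a real sensor would count them)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_port_scans(records: Iterable[Record],
                      window: timedelta = timedelta(seconds=60),
                      threshold: int = 6) -> List[Dict]:
    """Alert once per (src, dst) when the source hits >= threshold distinct ports within `window`."""
    history: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    alerted = set()
    alerts: List[Dict] = []
    for ts, src, dst, dport in records:
        key = (src, dst)
        cutoff = ts - window
        # Keep only events still inside the sliding window, then add the new one.
        history[key] = [(t, p) for t, p in history[key] if t >= cutoff] + [(ts, dport)]
        ports = {p for _, p in history[key]}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)   # suppress repeats for this pair; a real sensor would expire this
            alerts.append({
                "time": ts.isoformat(),
                "src": src,
                "dst": dst,
                "ports": sorted(ports),
                "signature": "port-sweep",
            })
    return alerts


def run_detector(log_text: str = SAMPLE_LOG) -> List[Dict]:
    return detect_port_scans(parse(log_text))


if __name__ == "__main__":
    for alert in run_detector():
        print("ALERT", alert)
```

The alert fires on the sixth distinct port, at 10:00:04, before the sweep has finished, which is the property a real-time sensor needs; the later single connection at 10:03:00 falls outside the window and does not add a second alert. Threshold and window are the knobs that trade false positives against detection latency, and they should be tuned against the site's own baseline traffic.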

Security Policy Management

As networks grow and become more sophisticated, the requirement for centralized security policy controls that can manage security features becomes paramount. Intelligent tools that can define, manage and audit security policies improve the usability and effectiveness of network security solutions. Cisco solutions in this area are built around a strategic approach to security management. Cisco Secure Policy Manager (CSPM) supports Cisco security elements in corporate networks, providing a comprehensive and consistent implementation of security policies. With CSPM, clients can define the appropriate security policy, deploy it and audit its enforcement across hundreds of Cisco Secure PIX firewalls, Cisco IOS Firewall Feature Set routers and IDS agents. CSPM also supports the IPsec standard for building VPNs. In addition, CSPM is part of the widely used CiscoWorks2000 / VMS enterprise management system.

Cisco End-to-End Enterprise Network Security - Cisco SAFE Architecture

SAFE is a comprehensive, integrated security architecture designed for the Cisco AVVID voice, video, and integrated data architecture. The SAFE architecture consists of modules that meet the different needs of each network area. Using the SAFE architecture, security managers may not have to rethink the entire security architecture every time a new service is added to the network. Thanks to modular templates, protecting each new service as it becomes necessary and integrating it into the overall network architecture becomes easier and more economical.

SAFE is the industry's first architecture to recommend which security solutions should be included in specific network segments and why they should be included. Each SAFE architecture module delivers maximum e-business performance by enabling enterprises to maintain the security and integrity of data and services.
