Summary
In this chapter, you learned about security design principles with a focus on the following topics:
- The need for network security, including business and legal requirements
- The threats to network security, including reconnaissance, unauthorized access, and DoS
- Security risks, including a breach of data confidentiality or integrity, and system and data availability interruptions
- Network security policies and process
- Calculating risk indices
- The Cisco Self-Defending Network, including three critical elements: trust and identity management, threat defense, and secure connectivity
- Security management
- How security is integrated in Cisco network devices
- How security solutions are deployed in the Enterprise network
Case Study 10-1: ACMC Hospital Network Security Design
This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2, “Applying a Methodology to Network Design.”
In this case study, you create a high-level security design for the ACMC Hospital network. Figure 10-24 summarizes the design thus far.
Case Study Questions
1. Identify key business security requirements, risks, and threats about which ACMC should be concerned.
2. Design the Enterprise Edge modules for ACMC (E-commerce, Internet Connectivity, Remote Access and VPN, and WAN and MAN and Site-to-Site VPN). Determine how they should connect to the rest of the ACMC Hospital network. The design can use a consolidated approach in which devices are shared between modules.
3. Design the security for remote clinics, using the Internet with VPN for backup access.
4. Determine suitable IP subnetting for the Internet, DMZ, and VPN.
5. Which Cisco security products and features would you recommend in the Enterprise Campus and the data center or server switches?
6. Identify some of the other security considerations, products, and features that should be part of deployment and where they should be used. For example, how should you handle infrastructure protection?
Case Study 10-2: ACMC Hospital Network—Connecting More Hospitals
This case study is a continuation of ACMC Hospital Case Study 10-1.
In this case study, you expand the ACMC hospital network as it merges with two other hospitals. The government of the state in which ACMC operates wants to improve patient service by networking hospitals; the network will be called MedNet. The legislature hopes to leverage large-city medical expertise for telemedicine at smaller locations. Short-term TDM circuits are funded; MedNet will move to Metro Ethernet service after terms for provider construction and contract are agreed on. Clinics will be associated with and connected via county hospitals.
Case Study Questions
Complete the following steps:
1. Hospital Omega is a nearby hospital that has been having financial difficulties. It is facing large licensing and application development costs to bring its financial and other applications up to date. To cut costs and stabilize finances, Hospital Omega will merge with ACMC. All data services will move to the ACMC data center and gradually migrate to the modern applications that ACMC already has in place. The Hospital Omega network was deployed between seven and ten years ago, and in many cases, the equipment vendors no longer exist. The following are some details about Hospital Omega:
   a. Figure 10-25 shows the Hospital Omega network. The CIO wants a design to modernize the Hospital Omega network and allow robust access to the ACMC data center. Identify any issues you have with this merger and what design you would propose to the CIO.
   b. What is the key security issue for the Hospital Omega network? How could this issue be resolved?
2. Hospital Beta is another nearby hospital. ACMC and Hospital Beta overlap in several areas of medical expertise and feel that pooling talent and facilities should lead to better depth of medical expertise and better patient care. Sharing financial and other applications should also reduce overhead costs. The following are some details about Hospital Beta:
   a. Figure 10-26 shows the Hospital Beta network. The CIO wants a design to standardize the Hospital Beta network and allow robust access to the ACMC data center. Identify any issues you have with this merger and what design you would propose to the CIO.
   b. The CIO wants to consolidate servers in the ACMC data center. What issues need to be examined before proceeding with such a migration?
   c. Suppose that inexpensive Metro Ethernet is available between ACMC and Hospital Beta. How does this change your answer to the question in the previous step?
   d. Hospital Beta already has deployed a Cisco Unified Communications Manager, IP phones, voice gateways, and so forth. Should the Cisco Unified Communications Manager and Cisco Unity servers be moved to the ACMC data center? Why or why not? If not, how should they interact with a Cisco Unified Communications Manager on the ACMC campus?
   e. Should the WLCs at Hospital Beta be moved to the ACMC campus?
3. Hospital Omega uses static routes on its one Internet router. Hospital Beta uses the Intermediate System-to-Intermediate System (IS-IS) routing protocol. Make a recommendation for overall routing protocol and routing design for the merged networks.
4. The CIO at ACMC is concerned about HIPAA compliance and general security. She and you agree on running all Internet connectivity through ACMC and Hospital Beta. Assume that firewalls, firewall rules, DMZs, and properly configured IPsec VPN access are all in place. What additional steps can be taken to improve security in the combined ACMC-Omega-Beta network?
5. Hospital Omega is paying a large amount per phone for Centrex service. The CIO urgently wants to cut costs by moving to IP phones for Hospital Omega. The return on investment for doing this indicates that it would pay for itself in less than a year. The CIO has asked you for technical comments on doing this; what do you tell her?
6. ACMC has been assigned address block 10.1.0.0 /16. Could ACMC re-address within 10.1.0.0 /16? Assuming that it could, provide a revised addressing scheme that includes appropriate addressing for Hospital Beta and Hospital Omega. What are the summarized routes that each hospital should be advertising to the others?
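As an added illustration of the addressing question above (example code written for this summary, not the book's answer key), the following Python planner takes a constructed, assumed split of 10.1.0.0/16 across the three hospitals, derives the single summary route each site would advertise to the others, and rejects any scheme whose addresses leave the assigned block or whose summaries overlap another site's space (an over-aggressive summary would otherwise attract or black-hole a neighbour's traffic). The per-site subnets and their sizes are assumptions chosen only to exercise the checks.

```python
import ipaddress

# Block the case study assigns to ACMC.
ENTERPRISE_BLOCK = ipaddress.ip_network("10.1.0.0/16")

# Constructed illustrative allocation; the split is an assumption, not the
# book's answer. ACMC keeps the low /18, Beta the next /18, Omega a /20.
SITE_SUBNETS = {
    "ACMC": ["10.1.0.0/20", "10.1.16.0/20", "10.1.32.0/20", "10.1.48.0/20"],
    "Hospital Beta": ["10.1.64.0/20", "10.1.80.0/20", "10.1.96.0/20"],
    "Hospital Omega": ["10.1.128.0/21", "10.1.136.0/21"],
}


def summary_route(subnets):
    """Return the smallest single prefix that covers every subnet in the list.

    Starts from the first subnet and widens the mask one bit at a time until
    all subnets fall inside it; this is the route a site would advertise.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def plan_summaries(site_subnets, enterprise_block=ENTERPRISE_BLOCK):
    """Map each site to its summary route, validating the overall scheme.

    Raises ValueError if a summary escapes the enterprise block (a subnet was
    assigned outside it) or if two sites' summaries overlap (one site's
    advertisement would cover addresses that belong to another site).
    """
    summaries = {site: summary_route(subs) for site, subs in site_subnets.items()}
    for site, summary in summaries.items():
        if not summary.subnet_of(enterprise_block):
            raise ValueError(f"{site} summary {summary} leaves {enterprise_block}")
    sites = list(summaries)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if summaries[a].overlaps(summaries[b]):
                raise ValueError(f"{a} ({summaries[a]}) overlaps {b} ({summaries[b]})")
    return summaries


if __name__ == "__main__":
    for site, route in plan_summaries(SITE_SUBNETS).items():
        print(f"{site:15s} advertises {route}")
```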