
Summary

In this chapter, you learned about security design principles with a focus on the following topics:

  • The need for network security, including business and legal requirements

  • The threats to network security, including reconnaissance, unauthorized access, and DoS

  • Security risks, including a breach of data confidentiality or integrity, and system and data availability interruptions

  • Network security policies and processes

  • Calculating risk indices

  • The Cisco Self-Defending Network, including three critical elements: trust and identity management, threat defense, and secure connectivity

  • Security management

  • How security is integrated in Cisco network devices

  • How security solutions are deployed in the Enterprise network


References

For additional information, refer to the following resources:


Case Study 10-1: ACMC Hospital Network Security Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2, “Applying a Methodology to Network Design.”

In this case study, you create a high-level security design for the ACMC Hospital network. Figure 10-24 summarizes the design thus far.

Figure 10-24: ACMC Hospital Network Design

Case Study Questions

Complete the following steps:

Step 1

Identify key business security requirements, risks, and threats about which ACMC should be concerned.

Step 2

Design the Enterprise Edge modules for ACMC (E-commerce, Internet Connectivity, Remote Access and VPN, and WAN and MAN and Site-to-Site VPN). Determine how they should connect to the rest of the ACMC Hospital network. The design can use a consolidated approach in which devices are shared between modules.

Step 3

Design the security for remote clinics, using the Internet with VPN for backup access.

Step 4

Determine suitable IP subnetting for the Internet, DMZ, and VPN.

Step 5

Which Cisco security products and features would you recommend in the Enterprise Campus and the data center or server switches?

Step 6

Identify some of the other security considerations, products, and features that should be part of the deployment and where they should be used. For example, how should you handle infrastructure protection?


Case Study 10-2: ACMC Hospital Network—Connecting More Hospitals

This case study is a continuation of ACMC Hospital Case Study 10-1.

In this case study, you expand the ACMC hospital network as it merges with two other hospitals. The government of the state in which ACMC operates wants to improve patient service by networking hospitals; the network will be called MedNet. The legislature hopes to leverage large-city medical expertise for telemedicine at smaller locations. Short-term TDM circuits are funded; MedNet will move to Metro Ethernet service after terms for provider construction and contract are agreed on. Clinics will be associated with and connected via county hospitals.

Case Study Questions

Complete the following steps:

Step 1

Hospital Omega is a nearby hospital that has been having financial difficulties. It is facing large licensing and application development costs to bring its financial and other applications up to date. To cut costs and stabilize finances, Hospital Omega will merge with ACMC. All data services will move to the ACMC data center and gradually migrate to the modern applications that ACMC already has in place. The Hospital Omega network was deployed between seven and ten years ago, and in many cases, the equipment vendors no longer exist. The following are some details about Hospital Omega:

  • Hospital Omega does not use DHCP.

  • Hospital Omega consists of one building of ten floors, with fewer than 250 computers per floor.

  • Hospital Omega uses static routes.

  • The Hospital Omega network is flat and Layer 2 switched. The switching equipment is from a third-party vendor and is between seven and ten years old.

  • The Hospital Omega network uses old copper and fiber cabling that was added by various people in a random manner over the years. For any given closet, about 50 percent of the cable (copper or fiber) goes to unknown locations and is of unknown quality.

  • Servers are scattered around the building in random closets near the department that originally installed them.

  • Hospital Omega accesses the Internet via the University Research Group.

Figure 10-25 shows the Hospital Omega network.

Figure 10-25: Hospital Omega Network

The CIO wants a design to modernize the Hospital Omega network and allow robust access to the ACMC data center. Identify any issues you have with this merger and what design you would propose to the CIO.

Step 2

What is the key security issue for the Hospital Omega network? How could this issue be resolved?

Step 3

Hospital Beta is another nearby hospital. ACMC and Hospital Beta overlap in several areas of medical expertise and feel that pooling talent and facilities should lead to better depth of medical expertise and better patient care. Sharing financial and other applications should also reduce overhead costs. The following are some details about Hospital Beta:

  • Hospital Beta uses DHCP.

  • Hospital Beta consists of four buildings, each with four large floors (with fewer than 250 Ethernet users and ports each). Each floor uses eight 24-port Cisco Catalyst 3560 switches in intermediate distribution frame closets, with dual uplinks to the distribution layer switches. The data center and Internet complex is on one floor of one of the four buildings.

  • Each building uses two Cisco Catalyst 6506 switches at the distribution layer. The switches are dual-homed via single-mode fiber at 10 Gbps to the core switches.

  • The two Cisco Catalyst 6506 core switches are interconnected with 10-Gbps links and have dual connections to two Cisco Catalyst 4948 switches for the servers.

  • The campus network is based on high-speed Layer 3 Cisco switches.

  • Wireless is supported using Cisco WLAN controllers (WLC).

  • The hospital has a DMZ, dual firewalls in each of two layers, IPS monitoring for the DMZ, and so forth.

  • Cisco IP telephony is in place.

  • Hospital Beta has a connection to the University Research Group.

Figure 10-26 shows the Hospital Beta network.

Figure 10-26: Hospital Beta Network

The CIO wants a design to standardize the Hospital Beta network and allow robust access to the ACMC data center. Identify any issues you have with this merger and what design you would propose to the CIO.

Step 4

The CIO wants to consolidate servers in the ACMC data center. What issues need to be examined before proceeding with such a migration?

Step 5

Suppose that inexpensive Metro Ethernet is available between ACMC and Hospital Beta. How does this change your answer to the question in the previous step?

Step 6

Hospital Beta has already deployed a Cisco Unified Communications Manager, IP phones, voice gateways, and so forth. Should the Cisco Unified Communications Manager and Cisco Unity servers be moved to the ACMC data center? Why or why not? If not, how should they interact with a Cisco Unified Communications Manager on the ACMC campus?

Step 7

Should the WLCs at Hospital Beta be moved to the ACMC campus?

Step 8

Hospital Omega uses static routes on its one Internet router. Hospital Beta uses the Intermediate System-to-Intermediate System (IS-IS) routing protocol. Make a recommendation for the overall routing protocol and routing design for the merged networks.

Step 9

The CIO at ACMC is concerned about HIPAA compliance and general security. She and you agree on running all Internet connectivity through ACMC and Hospital Beta. Assume that firewalls, firewall rules, DMZs, and properly configured IPsec VPN access are all in place. What additional steps can be taken to improve security in the combined ACMC-Omega-Beta network?

Step 10

Hospital Omega is paying a large amount per phone for Centrex service. The CIO urgently wants to cut costs by moving to IP phones for Hospital Omega. The return on investment for doing this indicates that it would pay for itself in less than a year. The CIO has asked you for technical comments on doing this; what do you tell her?

Step 11

ACMC has been assigned address block 10.1.0.0 /16. Could ACMC re-address within 10.1.0.0 /16? Assuming that it could, provide a revised addressing scheme that includes appropriate addressing for Hospital Beta and Hospital Omega. What are the summarized routes that each hospital should be advertising to the others?
