The Network Edge Area
Like the Network Campus Area, the Network Edge Area consists of security
architectural information organized by network size, with details for small-,
medium-, and enterprise-sized networks. The Network Edge Area also includes a
Remote User Network Module focusing on home office and remote access networks.
Furthermore, each size of Network Edge Area addresses security for the more
publicly available services a company may provide. This Area also includes the
security features necessary to safeguard an organization's connection to the
Internet.
Let's look more closely at the Network Edge Area as it applies to
differently sized companies.
The Remote User Network Edge
The Remote User Network Edge Module provides security for
users working from external locations such as home offices or small remote
offices. There are four connectivity options within the Remote User Network
Edge Module, as follows:
- Software Access Option: Users connect to the central office via VPN and
authentication software installed on their computer workstation. Users may have
broadband connectivity, but most likely rely on dialup access for remote
connectivity. This is the simplest option for remote connectivity.
- Remote Site Firewall Option: A firewall device is used in this option for more
permanent and robust secure remote connectivity. This option implies a broadband
connection and provides stateful inspection and/or Layer 7 packet filtering. VPN
access and authentication services can be located at the firewall or on the
user's computer workstations in this option.
- Hardware VPN Client Option: Similar to the Remote Site Firewall Option, the
Hardware VPN Client Option uses broadband network connectivity and provides VPN
and authentication services on behalf of the user. This option relies on user
workstation personal firewall software for perimeter security, however.
- Remote Site Router Option: Nearly identical to the Remote Site Firewall
Option, this option uses a router with firewall capabilities to provide perimeter
packet filtering and may include stateful inspection and/or Layer 7 filtering
capabilities.
Regardless of the connectivity options, the Remote User
Network Edge Module includes security infrastructure typical of user network
areas such as virus scanning systems, HIDS, and personal firewalls.
The Small Network Edge
The Small Network Edge combines economical and appropriate
security measures to protect smaller organizations. The Small Network Edge
includes one module, the Corporate Internet Module.
The Corporate Internet Module
The Small Network Corporate Internet Module acts as the
demarcation between the company's assets and the ISP Area. It also serves to
protect the application systems that the company provides to the public, such as
web, database, and mail servers.
The security infrastructure present in the Small Network
Corporate Internet Module includes perimeter stateful inspection firewalls,
Layer 7 filtering capabilities, and IDS in the form of NIDS and HIDS. The Small
Network Corporate Internet Module also includes Remote Authentication services,
VPN termination devices, and VLAN-capable switches.
The Medium Network Edge
The Medium Network Edge includes more advanced and
comprehensive security mechanisms to protect the larger asset and employee base
of the medium-sized company. It includes two modules, as discussed next.
The Corporate Internet Module
Like the Small Network Edge Corporate Internet Module, the
Medium Network Edge Corporate Internet Module includes perimeter stateful
inspection firewalls and Layer 7 filtering capabilities. These serve to protect
the corporate internal networks and services. This module has more focused IDS
capabilities, however, and also includes content inspection for mail services,
more robust VPN termination, and scalable authentication services.
The WAN Edge Module
The Medium Network Edge has a second module to address WAN
connectivity needs. This module may include packet-filtering capabilities, but
most likely it simply provides reliable and secure transport to remote office
locations.
The Enterprise Network Edge
The Enterprise Network Edge Area within the SAFE blueprint
is targeted at large organizations with various customer-focused, publicly
available services in several locations. The Enterprise Network Edge
necessitates the creation of several modules, each addressing specific security
requirements within the Edge Network. We'll discuss these modules in the
following pages.
The E-Commerce Module
The E-Commerce Module is intended to house
and protect the business-driving public infrastructure of the organization and
includes database, application, and web services components, among others. To
provide a comprehensive defense, the SAFE blueprint calls for focused Layer 4–7
IDS analysis and Host IDS capabilities. Furthermore, multitiered stateful
inspection firewalls and packet-filtering devices are included for perimeter
defense. Wire speed switching on VLAN-capable switches provides server
connectivity in the E-Commerce Module for fast, efficient server access.
The Corporate Internet Module
The Corporate Internet Module provides secure connectivity
for internal corporate users to the Internet. It also offers logical space for
inbound and outbound services such as SMTP, web proxy, and content inspection
servers. This business functionality is protected with stateful inspection
firewalls, Layer 7 filtering, spoof mitigation, and other basic filtering. It
also includes advanced and focused Network IDS analysis and host-based detection
systems.
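The spoof mitigation and basic filtering mentioned above are usually applied at the edge router of the Corporate Internet Module, in front of the stateful firewall. The following IOS configuration is an added illustration, not text from the book or a Cisco reference design; the interface names and the address blocks 203.0.113.0/24 (the organization's public range) and 198.51.100.0/30 (the ISP link) are constructed examples.

```cisco
! Added illustration: ISP-facing router of the Corporate Internet Module.
! Constructed values: 203.0.113.0/24 is the organization's public block,
! Serial0/0 faces the ISP, and the stateful firewall sits behind this router.
!
! uRPF strict mode needs CEF enabled.
ip cef
!
! Inbound from the Internet: drop packets whose source cannot legitimately
! arrive on this interface (spoof mitigation), then hand the rest to the firewall.
ip access-list extended EDGE-IN
 remark -- our own public block can never be a valid source from outside
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- RFC 1918 and loopback sources are never valid on the Internet link
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark -- basic filtering: only traffic destined to our block is accepted;
 remark -- per-service policy and session state are the firewall's job
 permit ip any 203.0.113.0 0.0.0.255
 deny   ip any any log
!
! Outbound to the Internet: egress filtering so only packets sourced from
! our block leave, which stops internal hosts from spoofing other networks.
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description ISP uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 ! strict reverse-path check: the source must be routed back out this interface
 ip verify unicast source reachable-via rx
```

The `log` keyword on the deny entries produces the syslog records that the module's NIDS and monitoring systems can correlate with other edge events.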
The VPN/Remote Access Module
Due to the potential size and scaling requirements of
Enterprise-sized VPN solutions, the Enterprise Network Edge Area includes a
VPN/Remote Access module. This module contains the required encryption, VPN
termination points, and authentication mechanisms for the Enterprise
environment. Included in this module are various IDS components that are placed
at the encryption endpoint to inspect inbound and outbound VPN traffic. Stateful
inspection firewalls are also integrated into the VPN/Remote Access Module for
perimeter security from, and to, remote connections.
The Extranet Module
The Extranet Module is similar to the E-Commerce Module in
that it houses application and web-based services. Extranets are typically
intended to facilitate access by semi-trusted users such as partners or other
remote entities. Like the E-Commerce Module, the Extranet Module includes NIDS
and HIDS, as well as stateful inspection firewalls. It also includes
authentication and VPN termination services for remote use.
The WAN Module
The Enterprise Network Edge WAN Module includes sparse
security features to facilitate efficient network transport. The WAN Module may
include Layer 3 access control mechanisms for secure transport.