The Internet Service Provider Area
The Internet Service Provider Area as
described by the SAFE blueprint provides companies and organizations with a
secure and high-speed transit network to the public Internet. While the ISP Area
is outside the enterprise and small and medium-sized business network
demarcation, it too includes security features to protect customers and the ISP
network itself.
The ISP Area contains the following three modules:
- The ISP Module
- The PSTN Module
- The Frame/ATM Module
Of these modules, the PSTN and Frame/ATM Modules do not include
many security mechanisms other than self-protective ACLs and filters on network
equipment to protect the ISP routers, switches, and telephony
infrastructure.
The ISP Module, however, typically includes spoof mitigation,
DoS-limiting features, and some limited Layer 4 filtering capabilities. These
are typically intended to protect the ISP itself, yet as network-based attack
frequency and sophistication rise, ISPs face increased pressure to help combat
security incidents through additional security mechanisms.
SAFE Axioms
The SAFE blueprint includes key devices to be deployed in
each module along with design guidelines and alternatives, and potential threats
mitigated by the solution. All of this design information is predicated on
several SAFE axioms that follow:
In the blueprint, each of these axioms has comprehensive
mitigation techniques and implementation guidelines.
The SAFE blueprint is a detailed and holistic approach to
securing the enterprise. It includes in-depth defense strategies and
multidisciplined approaches for security. Security administrators should be
familiar with the SAFE design. For additional information regarding Cisco SAFE,
go to www.cisco.com/go/safe.