FastTrack Training. "Network Basics". "Cisco Software Products for Security." Eddie Martin December 2012
About a year ago, I noticed an interesting and fascinating series of lectures by Eddie Martin, which, thanks to its history and real-life examples, as well as its tremendous learning experience, is amazingly comprehensible and allows you to gain an understanding of quite complex technologies.
So, we have email protection software in the form of an IronPort cloud solution or a physical device that runs on your site.
A hybrid solution is also possible, in which you use both cloud security and a physical device to protect your site.
Next we have an intrusion prevention system based on the ASA 5500 series and IPS protection modules - these are the latest IPS 4300 and 4500 series.
IPS devices pass up to 5 Gbps and are used for SIO update. There is also an independent component of the Oracle Java software used on sites that lack other technical support, and we are constantly updating it for our customers using the Cisco ASA hardware firewall series.
The ASA line is represented by devices from the smallest to the largest size. The smallest is the 5505, a hardware PIX firewall.
The ASA 5540 PIX firewall has a bandwidth of 175 Mbps per firewall, and its price starts at $3000. The ASA 5505 is designed for 150 Mbps and costs only $545. Thanks to this pricing policy, people can choose the most cost-effective equipment. We have different models for every need: for small offices, for large companies and for data centers.
If you see the letter X in the model designation, it means that you have next-generation equipment with an updated hardware architecture. It provides higher performance in connections per second, which is now a necessary requirement. Each such device is equipped with IPsec VPN.
For large companies, 5550 X series equipment is recommended. It has various capabilities that allow you to use these devices in accordance with the needs of the network.
For data centers, hardware firewalls are recommended, providing protection of up to 1 million connections per second. Cisco is ranked 1st in the email security solutions market.
Protection of the branch network is usually quite good, but it should be noted that the switch cannot perform the role of a firewall. But if you send streaming data or a large amount of traffic in several portions and at the same time about 5% of the traffic disappears, which is completely abnormal, you must interrupt the broadcast, disable this port and report it to the SIO.
We have DHCP snooping, a switch feature designed to protect against attacks that use the DHCP protocol. When you contact someone, the switch sees you and the IP address of the device with which you are connected through a DHCP server, and remembers them. If someone gets into the network between you and tries to replace the server address or your address, the attempt will be stopped. This is the security function used in our switches. So the firewall is only a small part of the overall network security architecture.
ASA checks switch traffic and in case of danger or firewall disconnection will not give you access to the network. There are only a few things that we cannot do with switches, especially with Layer 3 switches.
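The behaviour described above can be modelled in a few lines. This is an added example, not code from the lecture or from Cisco: a simplified Python model in which the class, port names, MAC and IP addresses are all constructed, and in which the source-address check stands in for the companion features (IP Source Guard, Dynamic ARP Inspection) that consume the snooping binding table.

```python
"""Simplified model of DHCP snooping on an access switch (constructed example)."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class SnoopingSwitch:
    trusted_ports: set                            # uplinks toward the real DHCP server
    bindings: dict = field(default_factory=dict)  # client MAC -> (leased IP, port)
    pending: dict = field(default_factory=dict)   # client MAC -> port of its request

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return 'forward' or 'drop' for one DHCP message seen on `port`."""
        if msg in SERVER_MSGS:
            if port not in self.trusted_ports:
                return "drop"                     # server reply from an access port
            if msg == "ACK" and client_mac in self.pending:
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port       # remember where the client lives
        elif msg == "RELEASE":
            if self.bindings.get(client_mac, (None, None))[1] != port:
                return "drop"                     # release forged from another port
            del self.bindings[client_mac]
        return "forward"

    def data_frame(self, port, src_mac, src_ip):
        """Source check against the table (the job of IP Source Guard / DAI)."""
        if port in self.trusted_ports:
            return "forward"
        ok = self.bindings.get(src_mac) == (src_ip, port)
        return "forward" if ok else "drop"

def demo():
    """Replay a constructed sequence of events; MACs, IPs and ports are made up."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, ip = "aa:aa:aa:aa:aa:01", "10.0.0.20"
    return sw, [
        sw.dhcp("Gi0/1", "REQUEST", client),
        sw.dhcp("Gi0/7", "ACK", client, "10.0.0.66"),   # rogue server: dropped
        sw.dhcp("Gi0/24", "ACK", client, ip),           # real server: binding learned
        sw.data_frame("Gi0/1", client, ip),             # legitimate client traffic
        sw.data_frame("Gi0/7", client, ip),             # same address, wrong port
        sw.dhcp("Gi0/7", "RELEASE", client),            # forged release
    ]

if __name__ == "__main__":
    print(demo()[1])
```

The binding is learned only from the ACK that arrives on the trusted uplink, so the reply injected on an access port never reaches the table or the client.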
To protect branch offices, a solution with a router that is connected to our ASA via WAN is perfect. As I said before, the 5500 series is ideally suited as an ASA.
The AnyConnect mobile security client is used as part of ASA and VPN and is best suited for the company's headquarters; it can also be placed in the cloud. It is software that can be downloaded to any stationary or mobile device.
Cisco ISE is a universal platform that can be used to provide security for a wide variety of architectures; an example is this illustration for a local network.
ISE is used to manage security policies that automate and implement secure access to network resources and provide monitoring of users and devices to support and control corporate mobile access. It uses the 802.1X or AnyConnect protocol. The platform allows you to configure ISE guest portals for access from mobile and desktop devices, quickly provide guest access, and optimize BYOD and mobile access.
How does security affect teamwork? How can we connect a conversation about working together with a discussion of the security problem, and vice versa? For example, when you talk about the possibility of BYOD, it is related to both collaboration and security. You want people and devices inside our network to interact safely with people and devices outside of it. We must adhere to the same security policy for external Web resources and for internal traffic in the process of working together. Remember that if you want to place some solutions in the cloud, you can do so.